Security monitoring centre
The responsibility of the security operations team (also known as the Security Operations Center (SOC), or SecOps) is to rapidly detect, prioritize, and triage potential attacks. These operations help eliminate false positives and focus on real attacks, reducing the mean time to remediate real incidents.

A central SecOps team monitors security-related telemetry data and investigates security breaches. It's important that any communication, investigation, and hunting activities are aligned with the application team.

Here are some general best practices for conducting security operations:

- Follow the NIST Cybersecurity Framework functions as part of operations: detect the presence of adversaries in the system; respond by quickly investigating whether it's an actual attack or a false alarm; recover and restore the confidentiality, integrity, and availability of the workload during and after an attack. For information about the framework, see NIST Cybersecurity Framework.
- Acknowledge an alert quickly. A detected adversary must not be ignored while defenders are triaging false positives.
- Reduce the time to remediate a detected adversary. Reduce their opportunity to conduct an attack and reach sensitive systems.
- Prioritize security investments into systems that have high intrinsic value.
- Proactively hunt for adversaries as your system matures. This effort will reduce the time that a higher-skilled adversary (for example, one skilled enough to evade reactive alerts) can operate in the environment.

For information about the metrics that Microsoft's SOC team uses, see Microsoft SOC.

Here are some Azure tools that a SOC team can use to investigate and remediate incidents, and what each is for:

- A centralized Security Information and Event Management (SIEM) tool, to get enterprise-wide visibility into logs.
- Alert generation; use a security playbook in response to an alert.
- Event logs from applications and Azure services.
- Securing email, documents, and sensitive data that you share outside your company.

For more information about monitoring tools, see Security monitoring tools in Azure.

Investigation practices should use native tools with deep knowledge of the asset type, such as an Endpoint Detection and Response (EDR) solution, identity tools, and Microsoft Sentinel.
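The triage priorities above (acknowledge quickly, remediate quickly, prioritize high-value assets, don't let a true positive wait behind false-positive triage) can be turned into measurable checks. The following is an added example, not code from the original page or from Microsoft; the asset value tiers, the alert records and the 15-minute acknowledgement limit are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Optional

# Assumed "intrinsic value" tiers used to order the triage queue (constructed).
ASSET_VALUE = {"admin-account": 3, "domain-controller": 3, "app-server": 2, "workstation": 1}

@dataclass
class Alert:
    alert_id: str
    asset_type: str
    severity: int                          # 1 (low) .. 3 (high) as emitted by the detection tool
    detected: datetime
    acknowledged: Optional[datetime] = None
    remediated: Optional[datetime] = None
    false_positive: bool = False

def triage_order(alerts):
    """Highest intrinsic asset value first, then severity, then oldest detection."""
    return sorted(alerts, key=lambda a: (-ASSET_VALUE.get(a.asset_type, 0), -a.severity, a.detected))

def soc_metrics(alerts):
    """Mean time to acknowledge (all acknowledged alerts), mean time to remediate
    (true positives only) in minutes, and the false-positive rate among triaged alerts."""
    acked = [a for a in alerts if a.acknowledged]
    tp = [a for a in alerts if a.remediated and not a.false_positive]
    mtta = mean((a.acknowledged - a.detected).total_seconds() / 60 for a in acked) if acked else None
    mttr = mean((a.remediated - a.detected).total_seconds() / 60 for a in tp) if tp else None
    fp_rate = sum(a.false_positive for a in acked) / len(acked) if acked else None
    return {"mtta_min": mtta, "mttr_min": mttr, "false_positive_rate": fp_rate}

def unacknowledged_over(alerts, now, limit):
    """Alert ids that have waited longer than `limit` without acknowledgement:
    a detected adversary must not sit in the queue while false positives are triaged."""
    return [a.alert_id for a in alerts if a.acknowledged is None and now - a.detected > limit]

# Constructed sample alerts: one true positive on a workstation, one on an admin
# account, one false positive on an app server, and one still unacknowledged on a DC.
T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE = [
    Alert("A1", "workstation", 2, T0, T0 + timedelta(minutes=5), T0 + timedelta(minutes=20)),
    Alert("A2", "admin-account", 1, T0 + timedelta(minutes=2), T0 + timedelta(minutes=10), T0 + timedelta(minutes=90)),
    Alert("A3", "app-server", 3, T0 + timedelta(minutes=3), T0 + timedelta(minutes=15), T0 + timedelta(minutes=15), True),
    Alert("A4", "domain-controller", 2, T0 + timedelta(minutes=4)),
]
NOW = T0 + timedelta(minutes=30)          # constructed "current time" for the SLA check
ACK_LIMIT = timedelta(minutes=15)         # constructed acknowledgement limit

if __name__ == "__main__":
    print([a.alert_id for a in triage_order(SAMPLE)], soc_metrics(SAMPLE), unacknowledged_over(SAMPLE, NOW, ACK_LIMIT))
```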