No content

DIY Azure Security Assessment Tanya Janca Cloud Advocate @SheHacksPurple Teri Radichel CEO 2nd Sight Lab @TeriRadichel 

@SheHacksPurple @TeriRadichel Do It Yourself, Security Assessment @SheHacksPurple @TeriRadichel 

@SheHacksPurple @TeriRadichel This is me. I’m Tanya Janca. AKA: @SheHacksPurple WoSEC 

@SheHacksPurple @TeriRadichel ~ 25 years in tech professionally Spammed + hacked => security focus Taught myself to program, age 12. Cloud security ~ AWS Hero, SANS Landed in networking + telecom Helped Capital One move to cloud Moved to programming Master of Infosec Engineering, GSE Master of Software Engineering 2nd Sight Lab ~ Cloud Security Web + E-commerce Business Training, Assessments, Pentesting Teri Radichel 

@SheHacksPurple @TeriRadichel 

@SheHacksPurple @TeriRadichel 

Why Do It Yourself? 

No content

@SheHacksPurple @TeriRadichel Out of Scope (for this talk) Rick Rolling X 

@SheHacksPurple @TeriRadichel Let’s do this. 

@SheHacksPurple @TeriRadichel 

@SheHacksPurple @TeriRadichel External Azure 

@SheHacksPurple @TeriRadichel 

@SheHacksPurple @TeriRadichel https://aka.ms/TurnOnMFA 

@SheHacksPurple @TeriRadichel https://aka.ms/AzureADandYou 

@SheHacksPurple @TeriRadichel 

@SheHacksPurple @TeriRadichel 

@SheHacksPurple @TeriRadichel 

@SheHacksPurple @TeriRadichel 

@SheHacksPurple @TeriRadichel 

@SheHacksPurple @TeriRadichel 

@SheHacksPurple @TeriRadichel 

@SheHacksPurple @TeriRadichel 

https://aka.ms/ASC-and-me 

No content

@SheHacksPurple @TeriRadichel https://aka.ms/subscription-coverage 

@SheHacksPurple @TeriRadichel https://aka.ms/custom-policy 

@SheHacksPurple @TeriRadichel TRUST 

@SheHacksPurple @TeriRadichel 

@SheHacksPurple @TeriRadichel 

@SheHacksPurple @TeriRadichel 

@SheHacksPurple @TeriRadichel 

@SheHacksPurple @TeriRadichel 

@SheHacksPurple @TeriRadichel 

@SheHacksPurple @TeriRadichel 

@SheHacksPurple @TeriRadichel 

@SheHacksPurple @TeriRadichel 

@SheHacksPurple @TeriRadichel 

@SheHacksPurple @TeriRadichel https://aka.ms/cloud-native-policy 

@SheHacksPurple @TeriRadichel https://aka.ms/JustInTime 

@SheHacksPurple @TeriRadichel https://aka.ms/JustInTime 

@SheHacksPurple @TeriRadichel https://aka.ms/JustInTime 

@SheHacksPurple @TeriRadichel https://aka.ms/Azure-PIM “PIM essentially helps you manage the who, what, when, where, and why for resources that you care about. ” 

@SheHacksPurple @TeriRadichel (Application Whitelisting for servers) https://aka.ms/Adaptive-Controls 

@SheHacksPurple @TeriRadichel https://aka.ms/storage-threats 

@SheHacksPurple @TeriRadichel 

@SheHacksPurple @TeriRadichel https://aka.ms/storage-threats @SheHacksPurple @TeriRadichel https://aka.ms/storage-threats 

@SheHacksPurple @TeriRadichel 

@SheHacksPurple @TeriRadichel 

@SheHacksPurple @TeriRadichel 

@SheHacksPurple @TeriRadichel 

@SheHacksPurple @TeriRadichel https://aka.ms/Sentinel-by-Azure 

@SheHacksPurple @TeriRadichel https://aka.ms/Data-Security 

@SheHacksPurple @TeriRadichel @SheHacksPurple @TeriRadichel https://aka.ms/DB-VA 

@SheHacksPurple @TeriRadichel 

@SheHacksPurple @TeriRadichel 

@SheHacksPurple @TeriRadichel 

@SheHacksPurple @TeriRadichel • Set scope; only test what is in scope • Verify account structure, Identity and Access Control, follow best practices • Set Azure Policies, according to your org’s needs • Turn on Azure Security Center, for all subscriptions • Use Cloud Native Security features: Threat Detection and Adaptive Application Controls, File Integrity Monitoring, Just in Time (JIT) & PIM • Follow Networking best practices; NSGs, Routes, Access to compute and storage, Network Watcher, Azure Firewall, Express Route and Bastion Host • Always be on top of your alerts and logs for Azure WAF and Sentinel • VA everything, especially your SQL databases • Encryption, for your disks and data (in transit and at rest) • Monitor all that can be monitored • Follow the Azure Security Center Recommendations • THEN call a PenTester. :) 

@SheHacksPurple @TeriRadichel WE CAN Do It Ourselves. @SheHacksPurple @TeriRadichel 

@SheHacksPurple @TeriRadichel Articles & Videos • https://medium.com/microsoftazure/pentesting-azure-thoughts-before-reading- matts-book-4609d14fb61d • https://medium.com/microsoftazure/pentesting-azure-the-report-3bf32fc3d12e • https://youtu.be/NHt9KKP3mPg • https://www.cisecurity.org/cis-benchmarks/ • https://www.cisecurity.org/blog/cis-microsoft-azure-foundations-benchmark-v1-0- 0-now-available/ Resources 

@SheHacksPurple @TeriRadichel (Follow us?) Tanya Janca Twitter: @SheHacksPurple medium.com/@SheHacksPurple https://dev.to/SheHacksPurple YouTube.com/SheHacksPurple Teri Radichel Twitter: @TeriRadichel medium.com/cloud-security https://2ndsightlab.com slideshare.net/TeriRadichel THANK YOU