Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Azure Security Assessments

Teri
April 09, 2019
Technology
0
580

Azure Security Assessments

Find out what you can do to assess the security of your Azure account.

Teri

April 09, 2019
Tweet

More Decks by Teri

See All by Teri
Azure for Auditors
radichel
0
48
Stopping Cloud Breaches
radichel
0
98
Are you ready for a cloud pentest?
radichel
0
200
Top Priorities for Cloud Application Security
radichel
0
51

Other Decks in Technology

See All in Technology
Introduction to Works of ML Engineer in LY Corporation
lycorp_recruit_jp
0
150
ドメインの本質を掴む / Get the essence of the domain
sinsoku
2
160
20241120_JAWS_東京_ランチタイムLT#17_AWS認定全冠の先へ
tsumita
2
310
AWS Lambda のトラブルシュートをしていて思うこと
kazzpapa3
2
200
組織成長を加速させるオンボーディングの取り組み
sudoakiy
2
220
オープンソースAIとは何か? --「オープンソースAIの定義 v1.0」詳細解説
shujisado
10
1.3k
Adopting Jetpack Compose in Your Existing Project - GDG DevFest Bangkok 2024
akexorcist
0
120
心が動くエンジニアリング ── 私が夢中になる理由
16bitidol
0
100
日経電子版のStoreKit2フルリニューアル
shimastripe
1
150
OCI 運用監視サービス 概要
oracle4engineer
PRO
0
4.8k
New Relicを活用したSREの最初のステップ / NRUG OKINAWA VOL.3
isaoshimizu
3
640
個人でもIAM Identity Centerを使おう!(アクセス管理編)
ryder472
4
240

Featured

See All Featured
Embracing the Ebb and Flow
colly
84
4.5k
10 Git Anti Patterns You Should be Aware of
lemiorhan
655
59k
Happy Clients
brianwarren
98
6.7k
The Cult of Friendly URLs
andyhume
78
6k
Bash Introduction
62gerente
608
210k
Gamification - CAS2011
davidbonilla
80
5k
What’s in a name? Adding method to the madness
productmarketing
PRO
22
3.1k
Why Our Code Smells
bkeepers
PRO
334
57k
A better future with KSS
kneath
238
17k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
42
9.2k
Save Time (by Creating Custom Rails Generators)
garrettdimon
PRO
27
840
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
25
1.8k

Transcript

  1. None

  2. DIY Azure Security Assessment Tanya Janca Cloud Advocate @SheHacksPurple Teri

    Radichel CEO 2nd Sight Lab @TeriRadichel

  3. @SheHacksPurple @TeriRadichel Do It Yourself, Security Assessment @SheHacksPurple @TeriRadichel

  4. @SheHacksPurple @TeriRadichel This is me. I’m Tanya Janca. AKA: @SheHacksPurple

    WoSEC

  5. @SheHacksPurple @TeriRadichel ~ 25 years in tech professionally Spammed +

    hacked => security focus Taught myself to program, age 12. Cloud security ~ AWS Hero, SANS Landed in networking + telecom Helped Capital One move to cloud Moved to programming Master of Infosec Engineering, GSE Master of Software Engineering 2nd Sight Lab ~ Cloud Security Web + E-commerce Business Training, Assessments, Pentesting Teri Radichel

  6. @SheHacksPurple @TeriRadichel

  7. @SheHacksPurple @TeriRadichel

  8. Why Do It Yourself?

  9. None

  10. @SheHacksPurple @TeriRadichel Out of Scope (for this talk) Rick Rolling

    X

  11. @SheHacksPurple @TeriRadichel Let’s do this.

  12. @SheHacksPurple @TeriRadichel

  13. @SheHacksPurple @TeriRadichel External Azure

  14. @SheHacksPurple @TeriRadichel

  15. @SheHacksPurple @TeriRadichel https://aka.ms/TurnOnMFA

  16. @SheHacksPurple @TeriRadichel https://aka.ms/AzureADandYou

  17. @SheHacksPurple @TeriRadichel

  18. @SheHacksPurple @TeriRadichel

  19. @SheHacksPurple @TeriRadichel

  20. @SheHacksPurple @TeriRadichel

  21. @SheHacksPurple @TeriRadichel

  22. @SheHacksPurple @TeriRadichel

  23. @SheHacksPurple @TeriRadichel

  24. @SheHacksPurple @TeriRadichel

  25. https://aka.ms/ASC-and-me

  26. None

  27. @SheHacksPurple @TeriRadichel https://aka.ms/subscription-coverage

  28. @SheHacksPurple @TeriRadichel https://aka.ms/custom-policy

  29. @SheHacksPurple @TeriRadichel TRUST

  30. @SheHacksPurple @TeriRadichel

  31. @SheHacksPurple @TeriRadichel

  32. @SheHacksPurple @TeriRadichel

  33. @SheHacksPurple @TeriRadichel

  34. @SheHacksPurple @TeriRadichel

  35. @SheHacksPurple @TeriRadichel

  36. @SheHacksPurple @TeriRadichel

  37. @SheHacksPurple @TeriRadichel

  38. @SheHacksPurple @TeriRadichel

  39. @SheHacksPurple @TeriRadichel

  40. @SheHacksPurple @TeriRadichel https://aka.ms/cloud-native-policy

  41. @SheHacksPurple @TeriRadichel https://aka.ms/JustInTime

  42. @SheHacksPurple @TeriRadichel https://aka.ms/JustInTime

  43. @SheHacksPurple @TeriRadichel https://aka.ms/JustInTime

  44. @SheHacksPurple @TeriRadichel https://aka.ms/Azure-PIM “PIM essentially helps you manage the who,

    what, when, where, and why for resources that you care about. ”

  45. @SheHacksPurple @TeriRadichel (Application Whitelisting for servers) https://aka.ms/Adaptive-Controls

  46. @SheHacksPurple @TeriRadichel https://aka.ms/storage-threats

  47. @SheHacksPurple @TeriRadichel

  48. @SheHacksPurple @TeriRadichel https://aka.ms/storage-threats @SheHacksPurple @TeriRadichel https://aka.ms/storage-threats

  49. @SheHacksPurple @TeriRadichel

  50. @SheHacksPurple @TeriRadichel

  51. @SheHacksPurple @TeriRadichel

  52. @SheHacksPurple @TeriRadichel

  53. @SheHacksPurple @TeriRadichel https://aka.ms/Sentinel-by-Azure

  54. @SheHacksPurple @TeriRadichel https://aka.ms/Data-Security

  55. @SheHacksPurple @TeriRadichel @SheHacksPurple @TeriRadichel https://aka.ms/DB-VA

  56. @SheHacksPurple @TeriRadichel

  57. @SheHacksPurple @TeriRadichel

  58. @SheHacksPurple @TeriRadichel

  59. @SheHacksPurple @TeriRadichel • Set scope; only test what is in

    scope • Verify account structure, Identity and Access Control, follow best practices • Set Azure Policies, according to your org’s needs • Turn on Azure Security Center, for all subscriptions • Use Cloud Native Security features: Threat Detection and Adaptive Application Controls, File Integrity Monitoring, Just in Time (JIT) & PIM • Follow Networking best practices; NSGs, Routes, Access to compute and storage, Network Watcher, Azure Firewall, Express Route and Bastion Host • Always be on top of your alerts and logs for Azure WAF and Sentinel • VA everything, especially your SQL databases • Encryption, for your disks and data (in transit and at rest) • Monitor all that can be monitored • Follow the Azure Security Center Recommendations • THEN call a PenTester. :)

  60. @SheHacksPurple @TeriRadichel WE CAN Do It Ourselves. @SheHacksPurple @TeriRadichel

  61. @SheHacksPurple @TeriRadichel Articles & Videos • https://medium.com/microsoftazure/pentesting-azure-thoughts-before-reading- matts-book-4609d14fb61d • https://medium.com/microsoftazure/pentesting-azure-the-report-3bf32fc3d12e

    • https://youtu.be/NHt9KKP3mPg • https://www.cisecurity.org/cis-benchmarks/ • https://www.cisecurity.org/blog/cis-microsoft-azure-foundations-benchmark-v1-0- 0-now-available/ Resources

  62. @SheHacksPurple @TeriRadichel (Follow us?) Tanya Janca Twitter: @SheHacksPurple medium.com/@SheHacksPurple https://dev.to/SheHacksPurple

    YouTube.com/SheHacksPurple Teri Radichel Twitter: @TeriRadichel medium.com/cloud-security https://2ndsightlab.com slideshare.net/TeriRadichel THANK YOU