Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Azure Security Assessments

Teri
April 09, 2019
Technology
0
510

Azure Security Assessments

Find out what you can do to assess the security of your Azure account.

Teri

April 09, 2019
Tweet

More Decks by Teri

See All by Teri
Azure for Auditors
radichel
0
48
Stopping Cloud Breaches
radichel
0
95
Are you ready for a cloud pentest?
radichel
0
190
Top Priorities for Cloud Application Security
radichel
0
39

Other Decks in Technology

See All in Technology
LLM開発・活用の舞台裏@2024.04.25
yushin_n
3
930
よく聞くけど使ったことないソフトウェアNo.1 KafkaとSnowflake
foursue
4
370
The AI Revolution Will Not Be Monopolized: Behind the scenes
inesmontani
PRO
0
110
Gradle Build Scanを使ってビルドのことを知ろう potatotips #87
tomorrowkey
2
120
現代CSSフレームワークの内部実装とその仕組み
poteboy
8
3.7k
開発生産性大幅アップ!Postman VS Code拡張機能
nagix
2
500
2024春 注目のWeb系 OSS & SaaS 3選
makies
0
110
オーナーシップを持つ領域を明確にする
konifar
13
3.2k
20分で完全に理解するGrafanaダッシュボード
hamadakoji
3
760
One engineer company with Ruby on Rails
rstankov
2
310
20240418_Google ColabにLLMが搭載されたようなのでPython x データ分析の勉強方法を考えてみる
doradora09
0
150
require(ESM)とECMAScript仕様
uhyo
4
860

Featured

See All Featured
Robots, Beer and Maslow
schacon
PRO
155
7.9k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
322
20k
Faster Mobile Websites
deanohume
299
30k
Build The Right Thing And Hit Your Dates
maggiecrowley
24
2k
WebSockets: Embracing the real-time Web
robhawkes
59
7k
It's Worth the Effort
3n
180
27k
Being A Developer After 40
akosma
61
580k
Building a Scalable Design System with Sketch
lauravandoore
456
32k
The Invisible Side of Design
smashingmag
294
49k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
34
8.9k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
357
22k
The Pragmatic Product Professional
lauravandoore
25
5.8k

Transcript

  1. None

  2. DIY Azure Security Assessment Tanya Janca Cloud Advocate @SheHacksPurple Teri

    Radichel CEO 2nd Sight Lab @TeriRadichel

  3. @SheHacksPurple @TeriRadichel Do It Yourself, Security Assessment @SheHacksPurple @TeriRadichel

  4. @SheHacksPurple @TeriRadichel This is me. I’m Tanya Janca. AKA: @SheHacksPurple

    WoSEC

  5. @SheHacksPurple @TeriRadichel ~ 25 years in tech professionally Spammed +

    hacked => security focus Taught myself to program, age 12. Cloud security ~ AWS Hero, SANS Landed in networking + telecom Helped Capital One move to cloud Moved to programming Master of Infosec Engineering, GSE Master of Software Engineering 2nd Sight Lab ~ Cloud Security Web + E-commerce Business Training, Assessments, Pentesting Teri Radichel

  6. @SheHacksPurple @TeriRadichel

  7. @SheHacksPurple @TeriRadichel

  8. Why Do It Yourself?

  9. None

  10. @SheHacksPurple @TeriRadichel Out of Scope (for this talk) Rick Rolling

    X

  11. @SheHacksPurple @TeriRadichel Let’s do this.

  12. @SheHacksPurple @TeriRadichel

  13. @SheHacksPurple @TeriRadichel External Azure

  14. @SheHacksPurple @TeriRadichel

  15. @SheHacksPurple @TeriRadichel https://aka.ms/TurnOnMFA

  16. @SheHacksPurple @TeriRadichel https://aka.ms/AzureADandYou

  17. @SheHacksPurple @TeriRadichel

  18. @SheHacksPurple @TeriRadichel

  19. @SheHacksPurple @TeriRadichel

  20. @SheHacksPurple @TeriRadichel

  21. @SheHacksPurple @TeriRadichel

  22. @SheHacksPurple @TeriRadichel

  23. @SheHacksPurple @TeriRadichel

  24. @SheHacksPurple @TeriRadichel

  25. https://aka.ms/ASC-and-me

  26. None

  27. @SheHacksPurple @TeriRadichel https://aka.ms/subscription-coverage

  28. @SheHacksPurple @TeriRadichel https://aka.ms/custom-policy

  29. @SheHacksPurple @TeriRadichel TRUST

  30. @SheHacksPurple @TeriRadichel

  31. @SheHacksPurple @TeriRadichel

  32. @SheHacksPurple @TeriRadichel

  33. @SheHacksPurple @TeriRadichel

  34. @SheHacksPurple @TeriRadichel

  35. @SheHacksPurple @TeriRadichel

  36. @SheHacksPurple @TeriRadichel

  37. @SheHacksPurple @TeriRadichel

  38. @SheHacksPurple @TeriRadichel

  39. @SheHacksPurple @TeriRadichel

  40. @SheHacksPurple @TeriRadichel https://aka.ms/cloud-native-policy

  41. @SheHacksPurple @TeriRadichel https://aka.ms/JustInTime

  42. @SheHacksPurple @TeriRadichel https://aka.ms/JustInTime

  43. @SheHacksPurple @TeriRadichel https://aka.ms/JustInTime

  44. @SheHacksPurple @TeriRadichel https://aka.ms/Azure-PIM “PIM essentially helps you manage the who,

    what, when, where, and why for resources that you care about. ”

  45. @SheHacksPurple @TeriRadichel (Application Whitelisting for servers) https://aka.ms/Adaptive-Controls

  46. @SheHacksPurple @TeriRadichel https://aka.ms/storage-threats

  47. @SheHacksPurple @TeriRadichel

  48. @SheHacksPurple @TeriRadichel https://aka.ms/storage-threats @SheHacksPurple @TeriRadichel https://aka.ms/storage-threats

  49. @SheHacksPurple @TeriRadichel

  50. @SheHacksPurple @TeriRadichel

  51. @SheHacksPurple @TeriRadichel

  52. @SheHacksPurple @TeriRadichel

  53. @SheHacksPurple @TeriRadichel https://aka.ms/Sentinel-by-Azure

  54. @SheHacksPurple @TeriRadichel https://aka.ms/Data-Security

  55. @SheHacksPurple @TeriRadichel @SheHacksPurple @TeriRadichel https://aka.ms/DB-VA

  56. @SheHacksPurple @TeriRadichel

  57. @SheHacksPurple @TeriRadichel

  58. @SheHacksPurple @TeriRadichel

  59. @SheHacksPurple @TeriRadichel • Set scope; only test what is in

    scope • Verify account structure, Identity and Access Control, follow best practices • Set Azure Policies, according to your org’s needs • Turn on Azure Security Center, for all subscriptions • Use Cloud Native Security features: Threat Detection and Adaptive Application Controls, File Integrity Monitoring, Just in Time (JIT) & PIM • Follow Networking best practices; NSGs, Routes, Access to compute and storage, Network Watcher, Azure Firewall, Express Route and Bastion Host • Always be on top of your alerts and logs for Azure WAF and Sentinel • VA everything, especially your SQL databases • Encryption, for your disks and data (in transit and at rest) • Monitor all that can be monitored • Follow the Azure Security Center Recommendations • THEN call a PenTester. :)

  60. @SheHacksPurple @TeriRadichel WE CAN Do It Ourselves. @SheHacksPurple @TeriRadichel

  61. @SheHacksPurple @TeriRadichel Articles & Videos • https://medium.com/microsoftazure/pentesting-azure-thoughts-before-reading- matts-book-4609d14fb61d • https://medium.com/microsoftazure/pentesting-azure-the-report-3bf32fc3d12e

    • https://youtu.be/NHt9KKP3mPg • https://www.cisecurity.org/cis-benchmarks/ • https://www.cisecurity.org/blog/cis-microsoft-azure-foundations-benchmark-v1-0- 0-now-available/ Resources

  62. @SheHacksPurple @TeriRadichel (Follow us?) Tanya Janca Twitter: @SheHacksPurple medium.com/@SheHacksPurple https://dev.to/SheHacksPurple

    YouTube.com/SheHacksPurple Teri Radichel Twitter: @TeriRadichel medium.com/cloud-security https://2ndsightlab.com slideshare.net/TeriRadichel THANK YOU