Threat Management Plan Part 2: Threat Investigation and Response

00:00

Welcome back submarines to the M s 3 65 Security Administration course.

00:05

I'm your senator Jim Daniels.

00:07

We're still on Model Three and Mystery 60 Foul threat protection, Threat management.

00:13

And we're gonna cover threat investigation and response

00:17

in this lesson. We're going to go over attacks Simulator.

00:21

We're going to look at automated investigation in response,

00:25

and we're going to look at as our sentinel as a scene

00:31

attacks simulator. Unless you run realistic attacks in areas within your organization,

00:35

you actually get to fish and attack your own users. This helps identify and find vulnerable users

00:43

before a real attack occurs.

00:46

So to get a tax simulator, you have to have the other 3 65 80 p

00:50

playing to his Allah cart

00:52

or is included in the Enterprise and building Security. Five. Sleep

00:57

as well as the M s. 3 65. 5. Sweet.

01:00

The texting letter has four million taxi condone.

01:03

They are spear fishing

01:06

with a credential harvest euro spearfishing with an attachment,

01:11

pastor of spray, same password against multiple accounts and brute force. What actually does a dictionary attack of multiple passwords against multiple accounts

01:22

for the spear phishing attack

01:23

you can use Microsoft template where you can create your own.

01:26

I always advise when you first get started with this.

01:30

Use the Microsoft template

01:33

kind of get used to do a small test group of users, preferably I T. Users

01:38

kind of see how it functions and then customize your own 10 place moving forward.

01:42

Each business will have their own unique points

01:47

that will draw their own users into click

01:51

town of the year. You may have something for tax return. You have something for an election may have something for Christmas.

01:57

Use this template or create your own.

02:00

H e mail is used to create the template body,

02:04

and you do have some variables. User name someone. So for if there's a whole,

02:08

um, template compendium,

02:10

when the Microsoft Support site, where you can get a list of all of the variables you can, including your template

02:15

custom landing page after credential, harvest or attachment open can be specified to direct

02:22

to your security program

02:23

what that means

02:24

when your user close and then there no link

02:27

you can actually take them to the page. When your security awareness program says, Hey,

02:31

I want to brush up

02:34

in these email safety tips.

02:37

You actually have reports. Assistance included success rate, average click time and the list of those compromised users that they went

02:45

all the way if they just click doing it

02:46

or if they went all the way and actually input their credentials.

02:51

Password attacks.

02:52

So passport spray is one passport attempted when any number of accounts

02:57

Dictionary attack is multiple passwords. Want any number of accounts

03:00

Passwords to attempt can be entered manually or for dictionary attacks. You can use the text file

03:07

depending on what kind of in this I sack.

03:12

Yeah,

03:13

security group. You may be part off. There's usually a yearly

03:17

most part of a passport list. You can take that as its X file, and you can actually

03:23

go against your users to see if that is one of their passwords

03:29

for the text file to be applauded for a password attempt,

03:32

it's one password per line.

03:35

The text file has to be less than 10 Meghan size

03:38

and less than 3000 passwords.

03:43

Users were N F. A. Enable will show a failed attempt. Even if the attack said password was successful,

03:50

this is intended and it just reinforces MF A. Because even If you know the users password, you still don't gain access to their account because you don't have that second factor of authentication. So be aware of that

04:03

air.

04:04

Whenever you say air, we hear the word air.

04:08

This is what I think of

04:10

Michael Jeffrey Jordan

04:12

Air Jordan,

04:14

the greatest basketball players of all time.

04:17

And

04:19

so in security.

04:23

We're actually looking at Automated investigation in response and, 03 65 Air

04:29

air capabilities include automated investigation processes in response to a well known threats that exist today.

04:35

In addition of this, it also has remediation actions that await your approval,

04:41

enabling your security up seen to respond to threats.

04:46

The process of air within 3 65 as an alert is triggered,

04:51

applicable security playbooks start.

04:55

It's intelligent because depending on the alert

04:57

is with playbook

04:59

will be turning.

05:00

In this situation, automated investigation can begin.

05:03

Remediation actions are recommended. The security team reviews as recommended actions, approves them or

05:11

rejects. Um,

05:13

all activities are tracked and can be viewed in these security and compliance center.

05:18

Here's an example of the air automated investigations and 03 65

05:24

for this. On the left hand side, this is the list of investigation at ease. So if you want to go directly into the investigation, you just click one the I D. And I'll take you up to the detail page when the very right you have filters

05:38

where you can say the investigation type. If you want a zap malware,

05:43

click on that and you will only see those their filters that you can do based on that, as well as the investigation status. If it's running, if it's starting, if it's pending an action, if it needs a sock team to come in and actually approve

05:58

in action,

05:59

you can filter based on that.

06:00

All right.

06:02

Do you know

06:03

the licensing levels that we talked about for attacks Simulator? Which license is the minimum needed for taxing the letter?

06:12

03 65 80 pp. One

06:15

in a fraud, stability and security E three Sweet

06:17

M s 3. 65 5 Sweet

06:20

office 3 65 e three

06:23

or sequel server 2014.

06:27

So you should just be able to eliminate Dean

06:30

Annie

06:31

so that will use a B and C.

06:35

Which one do you think ISS

06:38

correct? Answer is C. M s 3 65 85.

06:43

Remember, it's the 03 65. 80 p two,

06:47

which is included in the M S 3 65 Responsibly, as well as the enterprising building Security He five. Sweet

06:56

Azure Sentinel is a cloud Native Security information and Event manager Seen platform that uses bill in a. I

07:03

to help analyze large volumes of data across the Enterprise. Sentinel Iron Gates data from many sources, including users, applications,

07:13

servers and devices running on premise or in the cloud

07:16

an enclosed building connectors for on boarding of Popular Security solutions.

07:21

Collect data from any source

07:24

with support for open standard formats like CEF and sits along,

07:29

it allows you cling data at cloud skill

07:31

across all users devices, applications and infrastructure. One. Print and in multiple clouds

07:36

detect previously uncovered threats and minimize false positives. I use the analytics.

07:43

You can investigate threats with AI and hunt suspicious activities of skill.

07:47

You can even respond to incidents rapidly with bill in orchestration and automation of common tasks.

07:56

To recap. Today's lesson Attacks simulator runs realistic tax scenarios in your organization.

08:01

Automated investigation response capabilities include

08:05

automating investigation processes in response to well known threats that exist today

08:11

as your Sentinel is a cloud Native

08:13

Security information and Event manager platform that uses Bill in AI to help analyze large volumes of data across an organization.