Cloud security is not about putting out fires; it is about being ready before the smoke starts. In Azure and Microsoft 365, a well-designed incident response plan preserves resilience, shortens exposure time, and limits damage while protecting forensic evidence. We will cover all of this in a practical way, aligned with the NIST SP 800-61 guide: preparation, detection and analysis, containment/eradication/recovery, and follow-up activities.
A weak security process translates into longer attacker dwell time, regulatory penalties, and repeated attacks. The key, therefore, is to combine native tools (Defender, Sentinel, Azure Monitor) with clear procedures, automation, and governance. I offer a comprehensive guide, with practical tactics and references to MITRE ATT&CK, so that your organization can not only react, but respond intelligently and quickly.
Foundations of a cloud incident response plan
The goal is to contain and recover quickly while preserving forensic evidence and compliance. Follow the NIST SP 800-61 cycle and rely on three pillars: preparation (plans, roles, contacts, automation), detection/analysis (quality alerts, incident creation, investigation), and containment/recovery/continuous improvement (SOAR, isolation, and lessons learned).
Weak capabilities open the door to long dwell time, data loss, and penalties. In the cloud, responsibility is shared. It is therefore essential to document who does what (customer/provider) and how to escalate with Microsoft (MSRC, platform support) so that critical minutes are not lost.
Preparation (IR-1): a clear Azure plan and governance
The principle is simple: document, test, and improve. A generic plan will not work in the cloud: you need procedures for VM snapshots, Azure logging, logical isolation, and coordination with Microsoft. Exercise regularly and verify that your playbook actually works.
Risks of underpreparing: chaos during a crisis, missing cloud procedures, poor coordination with the provider, untested tools, compliance failures, and weak evidence-preservation actions. The impact is usually greater than it appears when there is no structure and no training.
MITRE mapping: Impair Defenses (T1562), Data Destruction (T1485) and Data Staged (T1074). Having a plan denies the adversary the time they would otherwise gain from our lack of preparation.
IR-1.1 (Azure plan): defines IaaS/PaaS/SaaS responsibilities; uses Azure Monitor logs, audit logs, Microsoft Entra ID sign-in logs, NSG Flow Logs, and Defender for Cloud alerts; includes evidence capture (VM snapshots, memory dumps, PCAP); defines how to open a Microsoft/MSRC support case; and documents resource isolation and automation (for example, playbooks that remove a VM from the load balancer).
Integration with Defender for Cloud: set up 24/7 security contacts, map its severity levels to your internal levels, automate alerts and incident creation with Logic Apps, prepare regulatory notification templates (GDPR, HIPAA, PCI), and have evidence export procedures (Continuous Export) ready.
IR-1.2 (team and training): defines clear roles (cloud analysts, Azure engineers, legal/compliance, continuity, external communications), decision authority, and trains the team on the native tools (Defender, Sentinel, KQL). A well-trained team makes fewer mistakes under pressure.
Healthcare example: Azure + HIPAA plan, a dedicated certified team, configured security contacts, quarterly simulations, evidence procedures (snapshots/monitoring) and coordination paths with Microsoft. Result: 24/7 coverage and continuous improvement.
Notification and escalation (IR-2): don't let anyone find out late
We must notify the right person immediately. Automate alert escalation, keep your contact list up to date, and integrate with Microsoft services so you can coordinate when platform or governance incidents occur.
Risks: late detection, missed deadlines (GDPR 72 h, HIPAA 60 days, PCI immediately), poor coordination with the vendor, reputational damage, uncoordinated efforts and delayed containment. Communication saves critical minutes.
MITRE: C2 persists longer (T1071) if you do not coordinate on the network; Exfiltration Over C2 Channel (T1041) and ransomware (T1486) spread if notification and escalation stall.
IR-2.1 (contacts and Microsoft): configure security contacts in Defender for Cloud (primary/secondary, multichannel, periodically tested) at subscription or management group level, with templates and automatic ticket creation (Azure DevOps/ITSM).
IR-2.2 (workflow): use Logic Apps and Sentinel playbooks to alert by severity and incident type, with a stakeholder matrix, time-based escalation, regulatory templates, and Azure Monitor/Event Hubs, email and Teams connectors; integrate external tools through their APIs.
Financial example: 24/7 contacts for trading environments, Logic Apps for SEC/FINRA reporting, playbooks with an internal/external stakeholder matrix, 8-K templates and regulator notifications, a customer notification flow with legal review and automated tickets. Result: shorter notification time and fewer human errors.
Detection and analysis (IR-3): less noise, more signal
Alert quality is everything: it reduces false positives and makes sure real threats are caught. Automate incident creation with enrichment and escalation. Otherwise the team burns out and critical issues get buried under minor alerts.
Risks: fatigue, missed threats, poor allocation, high MTTD/MTTR, poor threat intelligence and inconsistent incident creation. The rules set the signal-to-noise ratio.
MITRE: Masquerading (T1036), use of Valid Accounts (T1078) and Automated Collection (T1119) succeed when behaviour-based detection is not tuned. To audit access and accounts, see the tools in the Active Directory auditing guide.
IR-3.1 (Defender XDR): correlation across endpoint, identity, email, and cloud apps into unified incidents; AIR (Automated Investigation and Response); Advanced Hunting with KQL; cross-product blocking; and automatic attack disruption. It integrates with Sentinel through the native connector into a single queue with platform analytics.
IR-3.2 (Defender for Cloud): enable the appropriate plans (servers, App Service, Storage, containers, Key Vault), apply ML/AI, suppress known false positives, tune severity, and forward to XDR and Sentinel with custom analytics rules and Threat Intelligence.
IR-3.3 (Sentinel incidents): create analytics rules, group alerts into incidents, enrich entities (users, hosts, IPs, files), score severity by criticality and risk, assign owners, and escalate over time. Use workbooks, watchlists, Teams/ServiceNow, and notebooks (SOAR) to orchestrate the response.
Example: full Defender enablement, KQL rules tailored to business patterns, automatic incident creation with grouping and enrichment, evidence/notification/governance playbooks and SLA monitoring. Result: fewer false positives and faster investigations.
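As an added example (not code from the original article), here is the kind of behaviour-based rule IR-3.3 describes, written in Python over constructed Entra ID sign-in records so it runs offline: it raises a High alert when a successful sign-in follows a burst of failures from the same IP (a Valid Accounts, T1078, login obtained by guessing) and a Medium alert for sustained failures that never succeed (Brute Force, T1110). Field names mirror the SigninLogs columns (UserPrincipalName, IPAddress, ResultType) but every record is invented; in Sentinel the same logic would be a KQL analytics rule.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SUCCESS = "0"  # Entra ID ResultType 0 = successful sign-in; 50126 = invalid password

# Constructed sample sign-in records (invented data, UTC ISO-8601 timestamps).
SAMPLE_SIGNINS = [
    # alice: five wrong passwords from one IP, then a success -> High alert
    {"time": "2024-05-01T08:00:00", "user": "alice@example.test", "ip": "203.0.113.7", "result": "50126"},
    {"time": "2024-05-01T08:01:00", "user": "alice@example.test", "ip": "203.0.113.7", "result": "50126"},
    {"time": "2024-05-01T08:02:00", "user": "alice@example.test", "ip": "203.0.113.7", "result": "50126"},
    {"time": "2024-05-01T08:03:00", "user": "alice@example.test", "ip": "203.0.113.7", "result": "50126"},
    {"time": "2024-05-01T08:04:00", "user": "alice@example.test", "ip": "203.0.113.7", "result": "50126"},
    {"time": "2024-05-01T08:06:00", "user": "alice@example.test", "ip": "203.0.113.7", "result": "0"},
    # bob: two typos then success from his usual IP -> below threshold, no alert
    {"time": "2024-05-01T09:00:00", "user": "bob@example.test", "ip": "198.51.100.20", "result": "50126"},
    {"time": "2024-05-01T09:00:30", "user": "bob@example.test", "ip": "198.51.100.20", "result": "50126"},
    {"time": "2024-05-01T09:01:00", "user": "bob@example.test", "ip": "198.51.100.20", "result": "0"},
    # carol: sustained failures, never a success -> Medium alert (guessing in progress)
    {"time": "2024-05-01T10:00:00", "user": "carol@example.test", "ip": "203.0.113.7", "result": "50126"},
    {"time": "2024-05-01T10:02:00", "user": "carol@example.test", "ip": "203.0.113.7", "result": "50126"},
    {"time": "2024-05-01T10:04:00", "user": "carol@example.test", "ip": "203.0.113.7", "result": "50126"},
    {"time": "2024-05-01T10:06:00", "user": "carol@example.test", "ip": "203.0.113.7", "result": "50126"},
    {"time": "2024-05-01T10:08:00", "user": "carol@example.test", "ip": "203.0.113.7", "result": "50126"},
]


def detect_credential_guessing(records, window_minutes=30, min_failures=5):
    """Return Sentinel-style alerts: one per (user, IP) pair where at least
    min_failures failed sign-ins inside a sliding window precede a success,
    plus a lower-severity alert when the failures never turn into a success."""
    window = timedelta(minutes=window_minutes)
    by_pair = defaultdict(list)
    for rec in records:
        by_pair[(rec["user"], rec["ip"])].append(rec)

    alerts = []
    for (user, ip), recs in by_pair.items():
        recs.sort(key=lambda r: r["time"])  # ISO-8601 strings sort chronologically
        failures = []  # timestamps of failed attempts still inside the window
        for rec in recs:
            now = datetime.fromisoformat(rec["time"])
            failures = [t for t in failures if now - t <= window]
            if rec["result"] != SUCCESS:
                failures.append(now)
                continue
            if len(failures) >= min_failures:
                alerts.append({
                    "severity": "High", "technique": "T1078",
                    "title": "Successful sign-in after repeated failures",
                    "entities": {"account": user, "ip": ip},
                    "failures_before_success": len(failures), "time": rec["time"],
                })
            failures = []  # a success closes the burst either way
        if len(failures) >= min_failures:
            alerts.append({
                "severity": "Medium", "technique": "T1110",
                "title": "Repeated failed sign-ins without success",
                "entities": {"account": user, "ip": ip},
                "failures_before_success": 0, "time": recs[-1]["time"],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_credential_guessing(SAMPLE_SIGNINS):
        print(alert["severity"], alert["technique"], alert["entities"], alert["title"])
```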
Investigation (IR-4): logging, forensics and chain of custody
Without complete logs and strict preservation, there is no effective investigation. Centralize logs and standardize evidence procedures (snapshots, copies, hashed records). This prevents the attacker from erasing their traces and protects legal admissibility.
Risks: partial visibility of the attack, unknown data exposure, hidden persistence methods, evidence destruction, high dwell time and recurrence caused by incomplete remediation.
MITRE: Indicator Removal (T1070 and T1070.004), Hidden Files (T1564.001) and System Information Discovery (T1082). Investigating well denies the adversary those advantages.
IR-4.1 (logs): collect audit and sign-in data from Entra ID, the Azure Activity Log, NSG Flow Logs, the Azure Monitor Agent on VMs, application logs and XDR signals; investigate in Sentinel with UEBA, the investigation graph, hunting notebooks, MITRE mapping and cross-workspace correlation.
IR-4.2 (forensics): automate VM snapshots, Azure Disk Backup (incremental backups), memory dumps, log export to immutable Blob Storage with legal hold, packet capture (Network Watcher), and preservation with hashes and signatures. Integrate external forensic tools and replicate evidence across regions with encryption and access control.
Financial example: Defender for Endpoint, Sentinel with UEBA for anomalous trading, snapshots within 5 minutes of a critical alert, immutable retention with SEC legal hold, XDR hunting for fraud, and automated PCAP. Result: much shorter investigation times and verified compliance.
Prioritization and classification (IR-5): focus on what really hurts
Priority is not defined by the alarm; the business dictates it. Classify by asset criticality, impact, technical severity, and regulatory obligations, and let automated scoring guide where to put the effort.
Risks: delayed response to critical incidents, resources spent on minor alerts, high impact on core systems, breaches of regulated data, poor communication to leadership and a window for lateral movement.
MITRE: low-profile Masquerading (T1036), ransomware on high-value systems (T1486) and lateral movement via Remote Services (T1021). Good prioritization closes those doors.
IR-5.1 (business impact): label the most important assets (Critical/High/Medium/Low), link them to Microsoft Purview data classification, and define business function, regulatory scope and owner contacts. Use the Defender for Cloud inventory and posture to cross-reference risk with internet exposure and privilege.
IR-5.2 (scoring and weighting): in Sentinel, compute a multi-factor risk score (asset, sensitivity, threat intelligence), use Entity Risk, raise severity for compliance scope, and trigger time-based escalation and governance/legal notification when appropriate.
Example: labeling strategy, scoring rules by context and impact, immediate escalation to Governance and Legal for critical incidents, and automated impact assessment with 15-minute (critical) and 4-hour (high) timers. Result: resources focused where they matter most.
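The multi-factor scoring of IR-5.2 and the time-based escalation of IR-2.2 and the example above, as added code that is not part of the original article: a scorer combining the IR-5.1 asset labels with data sensitivity, technical severity, threat-intelligence matches and exposure, a classifier into Critical/High/Medium/Low, and an overdue check using the article's 15-minute (critical) and 4-hour (high) timers. The weights, thresholds, the Medium timer and the notification lists are assumptions for the example.

```python
from datetime import datetime, timedelta

# Weights and thresholds are illustrative assumptions, not values from the article.
ASSET_WEIGHT = {"Critical": 40, "High": 30, "Medium": 15, "Low": 5}   # IR-5.1 asset labels
SENSITIVITY_WEIGHT = {"Regulated": 30, "Confidential": 20, "Internal": 10, "Public": 0}
ALERT_WEIGHT = {"High": 20, "Medium": 10, "Low": 5}                  # technical severity
TI_MATCH_BONUS = 10     # an incident entity matched threat intelligence
EXPOSURE_BONUS = 10     # asset is internet-exposed or highly privileged
THRESHOLDS = [(80, "Critical"), (55, "High"), (30, "Medium"), (0, "Low")]

# Timers for Critical and High come from the article; Medium and the notify lists are assumed.
ESCALATION = {
    "Critical": (timedelta(minutes=15), ["Governance", "Legal", "SOC lead"]),
    "High": (timedelta(hours=4), ["SOC lead"]),
    "Medium": (timedelta(hours=24), ["SOC queue"]),
    "Low": (None, []),
}


def score_incident(asset, sensitivity, alert_severity, ti_match=False, exposed=False):
    """Risk score 0..100: asset criticality + sensitivity + severity + bonuses."""
    score = ASSET_WEIGHT[asset] + SENSITIVITY_WEIGHT[sensitivity] + ALERT_WEIGHT[alert_severity]
    score += TI_MATCH_BONUS if ti_match else 0
    score += EXPOSURE_BONUS if exposed else 0
    return min(score, 100)


def classify(score):
    for floor, label in THRESHOLDS:
        if score >= floor:
            return label
    return "Low"


def triage(incident, opened_at):
    """Attach score, priority, escalation deadline and who to notify."""
    score = score_incident(incident["asset"], incident["sensitivity"], incident["alert_severity"],
                           incident.get("ti_match", False), incident.get("exposed", False))
    priority = classify(score)
    deadline, notify = ESCALATION[priority]
    return {**incident, "score": score, "priority": priority, "notify": notify,
            "escalate_at": opened_at + deadline if deadline else None, "acknowledged": False}


def overdue(triaged, now):
    """Incidents whose deadline passed without acknowledgement: what a playbook should page on."""
    return [i for i in triaged
            if i["escalate_at"] is not None and not i["acknowledged"] and now >= i["escalate_at"]]


# Constructed sample incidents (invented data).
SAMPLE_INCIDENTS = [
    {"id": "INC-1", "asset": "Critical", "sensitivity": "Regulated", "alert_severity": "High", "ti_match": True},
    {"id": "INC-2", "asset": "High", "sensitivity": "Confidential", "alert_severity": "Medium"},
    {"id": "INC-3", "asset": "Medium", "sensitivity": "Internal", "alert_severity": "High"},
    {"id": "INC-4", "asset": "Low", "sensitivity": "Public", "alert_severity": "Low"},
]


def demo(opened=datetime(2024, 5, 1, 8, 0)):
    """Triage the sample queue and report what is overdue after 20 minutes and after 4 hours."""
    queue = [triage(i, opened) for i in SAMPLE_INCIDENTS]
    queue[0]["acknowledged"] = False  # nobody has picked up INC-1 yet
    return {
        "priorities": [i["priority"] for i in queue],
        "scores": [i["score"] for i in queue],
        "escalate_at": [i["escalate_at"].isoformat() if i["escalate_at"] else None for i in queue],
        "overdue_20m": [i["id"] for i in overdue(queue, opened + timedelta(minutes=20))],
        "overdue_4h": [i["id"] for i in overdue(queue, opened + timedelta(hours=4))],
    }


if __name__ == "__main__":
    print(demo())
```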
Containment and automation (IR-6): SOAR to win back minutes
Automated attacks don't wait; neither should you. Sentinel playbooks + Logic Apps perform containment, investigation, and recovery at machine speed, with approval gates where required.
Risks of manual operation: long timelines, errors under pressure, inconsistent response, team fatigue, limited scale, and late containment that allows lateral movement or exfiltration.
MITRE: Exploitation of Remote Services (T1210), destructive encryption (T1486), and Automated Exfiltration (T1020). Automation shrinks the window.
IR-6.1 (playbooks): revoke accounts / force password resets, isolate VMs with NSG/Firewall, block malware by hash, protect data (revoke access / rotate keys), and send regulatory/compliance notifications. Integrate the Graph API, Defender, ARM and third-party SOAR, with two-person approval for sensitive changes.
IR-6.2 (containment): automate NSG/Firewall changes, VNet segmentation, removal from load balancers and ExpressRoute/VPN adjustments; use Conditional Access and PIM to revoke JIT privileges for compromised accounts. Use Azure Automation runbooks and policies for mass remediation.
Example: playbooks that suspend sessions and isolate devices, runbooks that isolate VMs while preserving evidence, automatic stakeholder notifications, full traceability with secure configuration preservation and linked tickets. Result: hours turned into minutes, with complete traceability.
Follow-up activities (IR-7): learn, preserve and improve
After the incident is closed, the valuable part begins: lessons learned and governance evidence. Review root causes, update controls, train with real cases, and keep the evidence in immutable storage with a chain of custody.
Risks: recurrence because remediation was incomplete, evidence destruction, unjustified legal-hold costs, superficial improvement and loss of organizational knowledge. Closure must drive measurable improvement.
MITRE: Account Manipulation (T1098), repeated exploitation of public-facing applications (T1190) and Indicator Removal (T1070). Continuous improvement reduces these paths.
IR-7.1 (lessons learned): a 48-72 h review with all teams, Five Whys / Fishbone with timelines, assessment of detection/response/containment gaps, stakeholder feedback and actions tracked in Azure DevOps with due dates and metrics (MTTD/MTTR). Feed the findings into training, documentation, and simulations.
IR-7.2 (retention): apply immutable Blob Storage policies (time-based retention and legal hold), classification with Purview and lifecycle rules, chain of custody with hashes and signatures, regional replication, and indexing/search. Compliance: HIPAA (≈6 years), SOX (≈7), PCI (≥1 year; 3 months online). Under GDPR there is no fixed period: minimization and a documented justification apply.
Healthcare example: early review committees, 6-year immutable retention with legal hold, DevOps work items, automated chain of custody, and maturity metrics; findings translated into awareness training and exercises. Result: less recurrence and better compliance.
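The "preservation with hashes and signatures" of IR-4.2 and the "chain of custody with hashes and signatures" of IR-7.2, as an added example that is not code from the original article: a chain-of-custody manifest in Python where each artefact entry records its SHA-256, collector and time, is hash-linked to the previous entry, and the whole manifest is sealed with an HMAC; verification then detects a modified blob, an edited entry or a deleted entry. The signing key, artefact names and bytes are constructed for the example (in practice the key would live in Key Vault and the manifest beside the evidence in immutable Blob Storage).

```python
import hashlib
import hmac
import json

# Assumption for this example: a per-case secret held in Key Vault; constructed here.
CASE_KEY = b"constructed-demo-key-not-for-production"
GENESIS = "0" * 64  # "prev" value of the first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(obj) -> bytes:
    """Deterministic JSON so hashes and signatures are reproducible."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def new_manifest(case_id, custodian, created_at):
    return {"case_id": case_id, "opened_by": custodian, "created_at": created_at, "entries": []}


def add_evidence(manifest, name, data, source, custodian, collected_at):
    """Append one artefact: content hash plus who/where/when, linked to the
    previous entry so a deleted, reordered or edited entry breaks verification."""
    prev = manifest["entries"][-1]["entry_hash"] if manifest["entries"] else GENESIS
    entry = {"name": name, "sha256": sha256_hex(data), "size": len(data), "source": source,
             "collected_by": custodian, "collected_at": collected_at, "prev": prev}
    entry["entry_hash"] = sha256_hex(_canonical(entry))
    manifest["entries"].append(entry)
    return entry


def sign_manifest(manifest, key=CASE_KEY):
    body = {k: v for k, v in manifest.items() if k != "signature"}
    manifest["signature"] = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return manifest["signature"]


def verify_manifest(manifest, blobs, key=CASE_KEY):
    """Return (ok, problems): checks the HMAC seal, the entry chain, and that
    every stored blob still matches the hash recorded at collection time."""
    problems = []
    body = {k: v for k, v in manifest.items() if k != "signature"}
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest.get("signature", "")):
        problems.append("manifest signature mismatch")
    prev = GENESIS
    for e in manifest["entries"]:
        fields = {k: v for k, v in e.items() if k != "entry_hash"}
        if e["prev"] != prev or sha256_hex(_canonical(fields)) != e["entry_hash"]:
            problems.append(f"chain broken at {e['name']}")
        prev = e["entry_hash"]
        blob = blobs.get(e["name"])
        if blob is None:
            problems.append(f"missing artefact {e['name']}")
        elif sha256_hex(blob) != e["sha256"]:
            problems.append(f"content changed: {e['name']}")
    return (not problems), problems


def build_sample_case():
    """Constructed evidence: invented bytes standing in for a snapshot, a log export and a PCAP."""
    blobs = {"web01-osdisk.snapshot": b"<vhd bytes>", "signinlogs-export.json": b'[{"user":"x"}]',
             "web01.pcap": b"\xd4\xc3\xb2\xa1 capture"}
    m = new_manifest("CASE-0001", "analyst-a", "2024-05-01T08:10:00Z")
    add_evidence(m, "web01-osdisk.snapshot", blobs["web01-osdisk.snapshot"], "VM snapshot", "analyst-a", "2024-05-01T08:12:00Z")
    add_evidence(m, "signinlogs-export.json", blobs["signinlogs-export.json"], "Sentinel export", "analyst-b", "2024-05-01T08:20:00Z")
    add_evidence(m, "web01.pcap", blobs["web01.pcap"], "Network Watcher capture", "analyst-a", "2024-05-01T08:30:00Z")
    sign_manifest(m)
    return m, blobs


if __name__ == "__main__":
    manifest, blobs = build_sample_case()
    print("clean:", verify_manifest(manifest, blobs))
    blobs["web01.pcap"] = b"tampered"
    print("tampered blob:", verify_manifest(manifest, blobs))
```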
Practical checklist: decisions, roles and exercises
Beyond the technical issues, there are hard decisions that must be agreed on in advance. Use tabletop exercises that force leadership to choose between risks and weigh costs and benefits in realistic scenarios (ransomware, insider, exfiltration).
- Pre-decisions: when to contact the police, when to bring in external responders, whether to pay a ransom, when to notify auditors, privacy authorities and security regulators, when to inform the board, and who may shut down critical workloads.
- Preserve legal privilege: train the team to separate facts from privileged advice. Use dedicated channels (for example, Microsoft meeting spaces) and coordinate with external counsel.
- Insider information: prepare board notifications to reduce market risk during periods of exposure.
- Core roles: technical lead (directs actions), communications liaison (executives/regulators), scribe (documents decisions and evidence), continuity planner (24-96 h) and PR for high-visibility scenarios.
- Privacy: a SecOps + Privacy Office playbook for rapid assessment of regulatory risk within 72 hours.
- Testing: extended pentesting (including backups), Red/Blue/Purple/Green teams and Defender simulations (M365/Endpoint).
- Continuity and DR: plan minimum viable operations, backups, and recovery in Azure. Run live/simulated incidents and game days; verify restoration on compatible hardware.
- Alternative communication: if email/collaboration goes down, keep contacts, topology, and runbooks stored offline and immutable.
- Hygiene and lifecycle: immutable copies and logs, management of unsupported hardware, stable staffing, and a standard progress report format (done/doing/will do + due dates).
Alignment with CIS Control 10.x in Azure
Implementing CIS in Azure: create the IR guide (10.1), define prioritization and scoring (10.2), test the plan (10.3), review incidents and contact MSRC (10.4), export alerts/recommendations with Continuous Export and connect them to Sentinel (10.5), and automate responses with Logic Apps (10.6). Label subscriptions (production/non-production) and the resources that hold sensitive data.
Azure SRE Agent incident plans
If you use the Azure SRE Agent for incident management, you can create custom plans with filters (type, affected service, priority, title), choose the execution mode (Review or autonomous), and add custom instructions based on history so the agent selects the right tools.
By default it connects to Azure Monitor, handles low-priority incidents, supports all services and runs in Review mode. It integrates with PagerDuty and ServiceNow, and lets you test plans against historical incidents in read-only mode.
Release and response phases of the SDL
At release, prepare the service: load testing with Azure Load Testing, a WAF in front (Application Gateway or Front Door with the OWASP CRS), the IR plan and a final security review before sign-off, plus data preservation (evidence and artifacts).
In response, execute the plan and monitor: Application Insights for performance and real usage, and Defender for Cloud for posture, detection, and response across Azure and hybrid.
Azure CWPP: architecture, capabilities and best practices
The Azure CWPP platform covers VMs, containers, and serverless. Common issues: deployment complexity, misconfiguration, cost, privacy/compliance, third-party integration, and keeping up with change.
Core architecture: Sentinel (SIEM/SOAR), Azure Firewall, DDoS Protection and Key Vault for secrets/keys. It ingests from Azure, on-premises and other clouds, normalizes and stores the data in Log Analytics, and enriches it with global threat intelligence.
Unified management: Defender for Cloud for posture, Azure Policy to centralize compliance, and an alerting system that prioritizes and investigates. Elastic scalability, global deployment, tiered storage, and workload-based scaling.
Sentinel SIEM/SOAR: data connectors, hunting with KQL, incident management with the investigation graph, and Logic Apps-based playbook responses (from alerts to blocked accounts or restoring known-good states).
Network and data: network and data visibility and control, JIT access for VMs, adaptive hardening (ML-recommended NSG rules), SQL anomaly detection, storage protection (scanning, secure transfer, encryption, access), encryption at rest and TLS in transit, and secret management with Key Vault and rotation.
Containers and Kubernetes: ACR with image scanning on push and vulnerability reports; runtime protection (monitoring, isolation, least privilege and rapid response), direct visibility into K8s (APIs, pods in vulnerable areas), continuous posture, admission controllers and network policies.
Best practices: enable Defender on every subscription, tune and calibrate alerts, monitor Secure Score, define and test the IR plan, and optimize operations (cost/telemetry/retention).
Official communication about Azure incidents
Before: get familiar with Azure Service Health. Configure alerts by subscription/service/region (Service Issues, Maintenance, Security Advisories) and use Azure Monitor as the alerting baseline. Keep contacts (admin/owner/privacy/staff) up to date and use planned events to inform users.
Improve posture: MFA, Conditional Access and alerts for high-risk users; control of privilege creep among administrators; a Well-Architected Review and reliability work; paired regions and availability zones; isolation of critical VMs; maintenance configuration; Azure Chaos Studio; and the service retirement guide.
During: check Service Health in the portal for updates, the public page azure.status.microsoft if the portal does not load, and @AzureSupport on X as a backup. If you do not see your situation in Service Health and it affects you, open a support ticket; if it is a security issue, reference the tracking ID.
Afterwards: read the Post-Incident Review (PIR) in the incident history, consult the past-incident publication when appropriate, and request SLA credit if applicable, citing the incident ID.
Mapping to governance frameworks
For audit and compliance purposes, map your controls: NIST SP 800-53 (IR-1..IR-8, SI-4, AU-6/7, CP-9), PCI-DSS (12.10.x, 10.6.x, 5.3.2, 11.5.1), CIS v8.1 (17.x, 8.x, 13.x), NIST CSF v2.0 (PR.IP, RS.CO, DE.CM/AE, RS.AN/MI/IM), ISO 27001:2022 (A.5.24-A.5.28, A.8.13, A.8.16) and SOC 2 (CC7.x, CC9.1, A1.x). Keep traceability of which procedure, tool and metric covers each requirement.
There is no silver bullet, but combining clear procedures, automation and technical-legal governance turns an incident into a setback, not a crisis. With validated plans, quality detection, automated containment and continuous learning, Azure and Microsoft 365 become an environment where risk is managed with data, not guesswork.
