Modern English Part 1


Aide Broeckel

Aug 5, 2024, 1:31:38 PM
to smarererna
Make sure to add the GitHub secrets as outlined in the workflow and adjust paths as needed. For the secrets.MAIN_ENV secret, base64-encode your environment file like this: "cat .env | base64 -w 0 > env.txt", then take the output in env.txt and use it as the secret value.

After testing our rule again, we can see that an alert fired, and we can quickly use Chronicle SOAR to identify the involved entities: domainuser is the attacker, and sqlservice is the service account that is potentially compromised.


This three-part series provides valuable insights and practical guidance for organizations that are interested in implementing a modern Detection Engineering workflow, adopting Detection-as-Code to develop and manage detection content in Chronicle, and using free tools to test and validate their monitoring and detection capabilities.


As a reminder, you can find tools, example code, workflows, and more used throughout this project here. These resources are available to the community to help fellow security teams with their Detection Engineering journey. I encourage you to hack away at them and make them fit the needs of your environment.


While this methodology may not be universally applicable, certain components, such as testing and validating detection rules, and managing rules or lists from a repository using software development practices and CI/CD tools for automation, could prove beneficial.


It is important to consider the unique needs and requirements of your organization and determine if this approach is worthwhile. Ultimately, Chronicle offers an exceptional detection management platform within its native user interface, so if Detection-as-Code does not align with your specific requirements, utilizing the Chronicle detection engine in the user interface remains a great option!


I need to use the Events web part, and possibly the News web part on my site's home page, which is apparently a classic page. This is a newly provisioned SharePoint site, and if I create a new page, I have access to all of the new web parts. But for some reason the home page is apparently not a "modern" page.


To my knowledge, when creating a site in SharePoint, there is not yet a template available that includes a Modern page as the homepage; every site needs to have its homepage moved to a newly created Site Page to gain the Modern experience.


The Modern web parts aren't built to work with the old architecture, and while it's inconvenient that there's no page transformation process from Classic to Modern aside from a rebuild, it is what it is.


Totally agree. If Msft's argument is that there's a different "architecture" involved, then this should have been developed differently so you can transition between old and new. In fact that argument is total bs: the same archaic platform is used, and not making the new front-end view compatible with the current one is simply laziness or, worse, stupidity. I'm so tired of Msft transferring the cost of their poor design sense and amateurish approach onto paying customers. Google, please expedite your SharePoint alternative so we can finally abandon what is probably the worst software ever made, which just gets worse every day.


Opening an old thread here, but I have a customer whose root site is Classic, and I'm trying to see how we can make it like a Modern site using Modern pages/web parts and the new experience for lists and libraries.




I had not planned to, but during my daily walks I brooded on it and realized that I did not end that article properly, nor perhaps did I choose the right title. While the title suggested Modern Defense, there was not much modern in the content, except perhaps the mention of CMMC.


All other advice has existed for years. Since the very beginning, the CIS Security Controls Top 2 have always been maintaining up-to-date hardware and software inventories. Why? Because that is the foundation. Nothing else works well without it. Similarly, other base recommendations have also existed for a long time: application allow listing, OS and application patching, and secure baselines.


While these are NOT modern techniques, they are still extremely important for a good-quality cyber defense posture. Modern defense is built on a solid foundation. The basics must be done right before we can enjoy the fruits of our labour from advanced solutions. We cannot build the Taj Mahal on a house of cards. It will always come crashing down.


One such approach is to take a risk-based approach and understand what we are defending against. As Rob Joyce, then Chief of Tailored Access Operations at the National Security Agency, said in his USENIX Enigma 2016 talk on Disrupting Nation State Hackers, successful attackers know their targets better than the defenders do. Once they do, they can use heavily targeted common public exploits to hide their tracks; they do not have to drop zero-days all the time.


Unfortunately, I have seen many an enterprise enamoured of the latest shiny solution and invest in it without understanding all the aspects, leading to rapid dissatisfaction. So, how do we decide where to invest?


One approach I like a lot is the one espoused in the link below. It starts from understanding your current defensive capabilities and mapping them against the MITRE ATT&CK framework. Then layer the potential threats to the enterprise on top of that; the gaps thus discovered are the areas that should be focused on first.


What this does is nicely tie up threats (as represented by Tactics and Techniques) with examples (threat actors actively using them), detection rules (Sigma), threat hunting logic (Yara) and Red tests (to validate your defenses).


Now, I would perhaps take it a few layers deeper. Based on the Sigma and Yara rules, I would identify the log/data sources required and check whether our logging and audit policies are correctly tuned to provide the right logs. I have observed many an enterprise investing in new solutions without first exploring the full capabilities of existing ones.


The above will help an enterprise identify the critical logs, thus helping in correctly sizing the solutions. We do not need to consume everything in our SOCs; we can achieve nearly every objective by being tactical and consuming the right logs/data.


One common trend quite apparent in the cyber security market is the growing move towards AI-based products. Artificial Intelligence (AI) can be found in almost all cyber security product brochures nowadays. Does it work? I just loved the article linked below from 2016, and it is still as relevant today.


But things are not bad. As mentioned in the article above, Machine Learning (ML) has really great uses in cyber security, and this technology has been revolutionizing the cyber security landscape for the last few years. The growing complexity of the cyber landscape has made it nearly impossible for humans to analyse and respond at massive scale. They need assistance from smart solutions that can leverage trends and research to provide better outcomes.


On the one hand, machine learning is definitely not a silver-bullet solution if you want to protect your systems. On the other hand, with the growing amount of data and decreasing number of experts, ML is possibly the only remedy. It works, provided we do not run ahead with our expectations. The article below provides a great overview on the technology.


An aspect to consider with NBA solutions is that, with growing encryption due to privacy concerns, which reduces visibility, some of their capabilities have taken a hit in recent times. With increasing adoption of TLS 1.3, which encrypts even the server certificate, visibility is further reduced. While investing in such products, it will be wise to explore their capabilities under TLS 1.3, hopefully without traffic decryption, which even the NSA recommends against. See the article below.


My recommended approach is to build up your requirements, understand the visibility gaps and pick the right solutions. Typically, we do not effectively utilize deployed products to their full potential. Explore if the new requirement can be met from within existing solutions natively or by adding capabilities to them. I always prefer that approach since managing another independent solution requires a new set of capabilities, whereas leveraging existing solutions reduces engineering effort.


Endpoint Detection and Response (EDR) is a (not so) new breed of capability (not product) that can go a long way in reducing the attack surface. Most organizations neglect endpoints when it comes to SOC monitoring, but this is where regular users typically interact with systems, and they are the most complex to protect. EDRs take standard signature-based detection (like that in erstwhile antivirus products) to the next level by looking deeply into many aspects such as memory, processes, behaviours, network connections, and more to build a more comprehensive protection boundary. Many modern EDR solutions have reached a maturity level where they can replace traditional EPP products.


These solutions help assess how the overall security architecture is working rather than multiple independent super solutions. In other words, does your team of solutions look like the Avengers team or multiple independent superheroes forced into one room? Do your solutions leverage strengths of each other or just try to shine all by themselves?


Lastly, having the upper hand in knowing the current state of our defensive posture and past trends goes a long way in improving our prevention, detection and response capabilities. More important than that are the insights these dashboards provide in helping make the next investment decisions.


Please do not try to do everything at once. Please draw up a maturity plan and implement solutions in support of the plan at the right time, after achieving a satisfactory level of maturity in all solutions implemented beforehand.

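The post's ATT&CK-mapping and "which logs do the Sigma rules actually need" passages describe a procedure without showing it. The following is an added example, not the author's tooling or any product's code. It takes the metadata of a handful of Sigma-style rules (the real Sigma conventions: `attack.tXXXX.YYY` tags and a `logsource` block naming a product plus a category or service), compares the log sources they require with what the SIEM is assumed to ingest, and reports per-technique coverage as covered, partial or gap, together with the audit setting that would close each gap. The rules, the ingested-source inventory and the audit hints are all constructed for the illustration.

```python
"""Derive required log sources from Sigma rules and find ingestion gaps.

Added example for the ATT&CK-mapping and log-source-tuning passages above;
not the author's tooling. The rules, the ingested-source inventory and the
audit hints are all constructed stand-ins for this illustration.
"""
from collections import defaultdict

# Constructed: only the Sigma metadata this exercise needs (title, tags,
# logsource). A real rule also carries a `detection:` block.
SIGMA_RULES = [
    {"title": "Suspicious PowerShell Download Cradle",
     "tags": ["attack.execution", "attack.t1059.001"],
     "logsource": {"product": "windows", "category": "process_creation"}},
    {"title": "PowerShell Script Block With Encoded Command",
     "tags": ["attack.execution", "attack.t1059.001"],
     "logsource": {"product": "windows", "service": "powershell"}},
    {"title": "Kerberoasting via Service Ticket Request",
     "tags": ["attack.credential_access", "attack.t1558.003"],
     "logsource": {"product": "windows", "service": "security"}},
    {"title": "DNS Query to Dynamic DNS Provider",
     "tags": ["attack.command_and_control", "attack.t1568.001"],
     "logsource": {"product": "windows", "category": "dns_query"}},
    {"title": "Unusual sudo to Root",
     "tags": ["attack.privilege_escalation", "attack.t1548.003"],
     "logsource": {"product": "linux", "service": "auth"}},
]

# Constructed: what the SIEM ingests today, keyed like logsource_key() below.
INGESTED_SOURCES = {
    ("windows", "category", "process_creation"),
    ("windows", "service", "security"),
    ("linux", "service", "auth"),
}

# Constructed hints: which audit/logging setting feeds a given source.
AUDIT_HINTS = {
    ("windows", "category", "process_creation"): "Sysmon EID 1 or Security 4688 with command line",
    ("windows", "category", "dns_query"): "Sysmon EID 22 (DNS query logging)",
    ("windows", "service", "powershell"): "PowerShell Script Block Logging (EID 4104)",
}


def logsource_key(logsource):
    """Normalise a Sigma logsource block to a hashable (product, kind, name).
    Sigma rules name a data source by `category` or by `service`."""
    product = logsource.get("product", "*")
    for kind in ("category", "service"):
        if kind in logsource:
            return (product, kind, logsource[kind])
    return (product, "*", "*")


def technique_ids(tags):
    """Extract ATT&CK technique IDs from Sigma tags (attack.t1059.001 -> T1059.001)."""
    return [t.split(".", 1)[1].upper() for t in tags
            if t.startswith("attack.t") and t[8:9].isdigit()]


def coverage_report(rules, ingested, hints=None):
    """Per-technique status plus the sources that need enabling.

    A technique is 'covered' when every rule tagged with it is fed,
    'partial' when only some are, and 'gap' when none are."""
    hints = hints or {}
    fed_by_technique = defaultdict(list)
    missing, starved = set(), []
    for rule in rules:
        key = logsource_key(rule["logsource"])
        fed = key in ingested
        if not fed:
            missing.add(key)
            starved.append(rule["title"])
        for tid in technique_ids(rule["tags"]):
            fed_by_technique[tid].append(fed)
    status = {tid: "covered" if all(f) else "partial" if any(f) else "gap"
              for tid, f in fed_by_technique.items()}
    to_enable = {k: hints.get(k, "no hint; check the product's audit policy") for k in missing}
    return {"technique_status": status, "starved_rules": starved, "to_enable": to_enable}


if __name__ == "__main__":
    report = coverage_report(SIGMA_RULES, INGESTED_SOURCES, AUDIT_HINTS)
    for tid, st in sorted(report["technique_status"].items()):
        print(f"{tid}: {st}")
    for key, hint in sorted(report["to_enable"].items()):
        print(f"enable {key} -> {hint}")
```

The "partial" status is the one worth watching: a dashboard that counts rules per technique would show T1059.001 as covered twice, while in reality the script-block rule never fires because nothing feeds it. Sizing follows from the same output, since `to_enable` is exactly the list of feeds to budget for rather than "collect everything".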
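The TLS 1.3 visibility point above is worth making concrete: the server certificate is never in the ClientHello, and under TLS 1.3 the server's Certificate message travels encrypted, so a passive NBA sensor that does not decrypt is left with the ClientHello's cleartext fields. The following is an added example, not code from the article or from any product it mentions. It builds a constructed ClientHello and parses back what stays readable on the wire: SNI, the offered protocol versions, ALPN and cipher suites. The extension type numbers (0 server_name, 16 ALPN, 43 supported_versions) are the IANA assignments; the hostname, version list and ALPN names are constructed sample data. Every length field is bounds-checked, because a sensor parsing hostile traffic must not fall over on a crafted length.

```python
"""What a passive sensor still reads from a TLS 1.3 ClientHello without decryption.

Added example for the TLS 1.3 visibility point in the article; not code from it.
A constructed ClientHello is built, then parsed back for the fields that stay in
the clear. The server certificate is absent by design: it is never in this message.
"""
import struct

SNI, ALPN, SUPPORTED_VERSIONS = 0, 16, 43   # IANA TLS extension type numbers


def _u8(n): return struct.pack("!B", n)
def _u16(n): return struct.pack("!H", n)
def _u24(n): return struct.pack("!I", n)[1:]


def _u16_at(buf, pos):
    if pos + 2 > len(buf):
        raise ValueError("truncated field")
    return struct.unpack("!H", buf[pos:pos + 2])[0]


def build_client_hello(sni, versions=(0x0304, 0x0303), alpn=("h2", "http/1.1")):
    """Constructed TLS record wrapping a minimal TLS 1.3-style ClientHello."""
    host = sni.encode("ascii")
    entry = _u8(0) + _u16(len(host)) + host                  # name_type host_name
    sni_ext = _u16(SNI) + _u16(len(entry) + 2) + _u16(len(entry)) + entry
    vers = b"".join(_u16(v) for v in versions)
    sv_ext = _u16(SUPPORTED_VERSIONS) + _u16(len(vers) + 1) + _u8(len(vers)) + vers
    protos = b"".join(_u8(len(p)) + p.encode("ascii") for p in alpn)
    alpn_ext = _u16(ALPN) + _u16(len(protos) + 2) + _u16(len(protos)) + protos
    exts = sni_ext + sv_ext + alpn_ext
    suites = _u16(0x1301) + _u16(0x1302)                     # TLS_AES_128/256_GCM_SHA*
    body = (_u16(0x0303) + bytes(32) + _u8(0)                # legacy_version, random, empty session_id
            + _u16(len(suites)) + suites + _u8(1) + _u8(0)   # cipher_suites, null compression only
            + _u16(len(exts)) + exts)
    handshake = _u8(1) + _u24(len(body)) + body              # HandshakeType client_hello
    return _u8(22) + _u16(0x0303) + _u16(len(handshake)) + handshake


def _parse_sni(data):
    """server_name extension: list of (name_type, length, name); host_name is type 0."""
    pos, end = 2, 2 + _u16_at(data, 0)
    while pos + 3 <= end:
        name_type, name_len = data[pos], _u16_at(data, pos + 1)
        name = data[pos + 3:pos + 3 + name_len]
        pos += 3 + name_len
        if name_type == 0 and len(name) == name_len:
            return name.decode("ascii", errors="replace")
    return None


def _parse_alpn(data):
    """application_layer_protocol_negotiation: list of length-prefixed names."""
    pos, end, names = 2, 2 + _u16_at(data, 0), []
    while pos < end and pos < len(data):
        n = data[pos]
        names.append(data[pos + 1:pos + 1 + n].decode("ascii", errors="replace"))
        pos += 1 + n
    return names


def parse_client_hello(record):
    """Return the cleartext fields of a ClientHello record; ValueError if malformed."""
    if len(record) < 5 or record[0] != 22:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + _u16_at(record, 3)]
    if len(hs) < 4 or hs[0] != 1:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len or len(body) < 35:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                             # skip legacy_version + random
    pos += 1 + body[pos]                                     # session_id
    cs_len = _u16_at(body, pos)
    pos += 2
    if pos + cs_len > len(body):
        raise ValueError("truncated cipher_suites")
    suites = [_u16_at(body, i) for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    if pos >= len(body):
        raise ValueError("truncated compression_methods")
    pos += 1 + body[pos]
    info = {"sni": None, "versions": [], "alpn": [], "cipher_suites": suites}
    if pos >= len(body):
        return info                                          # legacy client, no extensions
    end = pos + 2 + _u16_at(body, pos)
    pos += 2
    if end > len(body):
        raise ValueError("extensions overrun ClientHello")
    while pos + 4 <= end:
        etype, elen = _u16_at(body, pos), _u16_at(body, pos + 2)
        data = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if pos > end:
            raise ValueError("truncated extension")
        if etype == SNI:
            info["sni"] = _parse_sni(data)
        elif etype == SUPPORTED_VERSIONS and data:
            info["versions"] = [_u16_at(data, i) for i in range(1, 1 + data[0], 2)]
        elif etype == ALPN:
            info["alpn"] = _parse_alpn(data)
    return info


if __name__ == "__main__":
    print(parse_client_hello(build_client_hello("example.com")))
```

Two caveats follow from what the parser returns. First, the surviving fields are enough for JA3-style fingerprinting and destination attribution, so "no decryption" does not mean "no visibility"; it is the certificate chain, the HTTP layer and anything keyed to the server's identity that a TLS 1.3 deployment takes away. Second, with Encrypted Client Hello (ECH) the real SNI moves into the encrypted inner ClientHello, so even the `sni` value here is not guaranteed to survive, which is the question to put to an NBA vendor alongside the TLS 1.3 one.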