DoD Cloud Computing Security
Office 365 Anti-Spam and Anti-Malware Protection
- Anti-Spam and Anti-Malware Protection – https://technet.microsoft.com/en-us/library/anti-spam-and-anti-malware-protection-in-eop.aspx (old 2015)
- Exchange Online Advanced Threat Protection Service Description – https://technet.microsoft.com/en-us/library/exchange-online-advanced-threat-protection-service-description.aspx (more recent 2016)
- Office 365 Platform Service Description – https://technet.microsoft.com/en-us/library/office-365-platform-service-description.aspx (newest 2017)
- Exchange Online Protection – Advanced Threat Protection (ATP) cmdlets – https://technet.microsoft.com/EN-US/library/dn621038(v=exchg.160).aspx
Data Breach Infographics
- VERIS – http://vcdb.org/explore.html
- Data Breach – http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
Cyber Security Research Reports
- Trustwave – https://www2.trustwave.com/2017-Global-Security-Report-AD.html?utm_source=google&utm_medium=cpc&utm_campaign=BrandedPhrase2017GSR&gclid=CjwKEAjwvr3KBRD_i_Lz6cihrDASJADUkGCawPVxcHyLwnbHXyBGHTncyqojbBhZeH7wt3XUaBMiwxoCIhfw_wcB
- Cisco 2017 – 2017-Annual-Cybersecurity-Report
- Verizon 2017 – rp_DBIR_2017_Report_en_xg
- Verizon 2016 – rp_DBIR_2016_Report_en_xg
- FBI’s Internet Crime Complaint Center (IC3) – https://www.ic3.gov/media/annualreports.aspx
- Deloitte Privacy Index – https://www2.deloitte.com/au/en/pages/risk/articles/deloitte-australian-privacy-index-2017.html?_lrsc=0cb1c85c-d3c0-4c10-a0e9-74653b66fca5&trk=elevate_li
- Base Image Script Framework – https://www.loginconsultants.com/en/news/all/item/base-image-script-framework-bis-f
- XenApp Automation Framework – http://xenappblog.com/2015/automation-framework-3-0/
The second half of this course includes some important content for improving your Python programming. In particular, Class6 on Functions and Namespaces, Class8 on Modules, and Class9 on Classes and Objects.
In this email of Learning Python we are going to cover the following:
I. Introduction Week6
Length is 3 minutes
II. Functions, Part1
Length is 12 minutes
III. Python Namespaces
Length is 10 minutes
IV. Functions, Part2
Length is 12 minutes
Additional content that you may be interested in
There is a good chapter on functions in “Learn Python the Hard Way” (I would stop after you finish “What You Should See”).
Darren O’Connor has a blog on “Defined Functions – Python”.
Reference code for these exercises is posted on GitHub at:
1. Create a function that returns the multiplication product of three parameters: x, y, and z. z should have a default value of 1.
a. Call the function with all positional arguments.
b. Call the function with all named arguments.
c. Call the function with a mix of positional and named arguments.
d. Call the function with only two arguments and use the default value for z.
2. Write a function that converts a list to a dictionary where the index of the list is used as the key to the new dictionary (the function should return the new dictionary).
3a. Convert the IP address validation code (Class4, exercise1) into a function that takes one variable ‘ip_address’ and returns either True or False (depending on whether ‘ip_address’ is a valid IP). Only include IP address checking in the function: no prompting for input, no printing to standard output.
3b. Import this IP address validation function into the Python interpreter shell and test it (use both ‘import x’ and ‘from x import y’).
4. Create a function using your dotted decimal to binary conversion code from Class3, exercise1. In the function, do not prompt for input and do not print to standard output. The function should take one variable ‘ip_address’ and should return the IP address in dotted binary format, always padded to eight binary digits (for example 00001010.01011000.00010001.00010111). You might want to create other functions as well (for example, the zero-padding to eight binary digits).
5. Write a program that prompts a user for an IP address, then checks if the IP address is valid, and then converts the IP address to dotted binary format. Re-use the functions created in exercises 3 and 4 (‘import’ the functions into your new program).
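The following is an added worked solution to exercises 1 through 5, written for this page; it is not the reference code the course posts on GitHub. Function names (multiply, list_to_dict, is_valid_ipv4, zero_pad, ip_to_dotted_binary) are my own choice. The validator and converter do no input or output, so they can be imported into the interpreter (exercise 3b) or into the driver program (exercise 5) without side effects.

```python
"""Worked solution to the Class6 exercises (added example, not the course's code).

Exercise 1: multiply() with a default parameter and four calling styles.
Exercise 2: list_to_dict() keyed on list index.
Exercise 3: is_valid_ipv4() validates only; no prompting or printing.
Exercise 4: ip_to_dotted_binary() with a zero_pad() helper.
Exercise 5: main() is the only place that prompts and prints.
"""


def multiply(x, y, z=1):
    """Return x * y * z; z defaults to 1 so a two-argument call works."""
    return x * y * z


def list_to_dict(items):
    """Map each list index to the element stored at that index."""
    return {index: value for index, value in enumerate(items)}


def is_valid_ipv4(ip_address):
    """Return True if ip_address is four dotted decimal octets, each 0-255.

    Each octet must be ASCII digits only: that rejects empty octets, signs,
    whitespace and non-ASCII digits, all of which int() alone would accept.
    """
    octets = ip_address.split(".")
    if len(octets) != 4:
        return False
    for octet in octets:
        if not (octet.isascii() and octet.isdigit()):
            return False
        if not 0 <= int(octet) <= 255:
            return False
    return True


def zero_pad(binary_string, width=8):
    """Left-pad a binary string with zeros to the given width."""
    return binary_string.zfill(width)


def ip_to_dotted_binary(ip_address):
    """Return the address in dotted binary form, each octet padded to 8 digits."""
    binary_octets = []
    for octet in ip_address.split("."):
        # bin(10) -> '0b1010'; strip the '0b' prefix before padding
        binary_octets.append(zero_pad(bin(int(octet))[2:]))
    return ".".join(binary_octets)


def main():
    """Exercise 5: prompt, validate, convert. Only this function does I/O."""
    ip_address = input("Enter an IP address: ")
    if not is_valid_ipv4(ip_address):
        print("Invalid IP address:", ip_address)
        return
    print(ip_to_dotted_binary(ip_address))


if __name__ == "__main__":
    # Exercise 1: the four calling styles (each evaluates to 24, 24, 24, 6)
    multiply(2, 3, 4)          # a. all positional
    multiply(x=2, y=3, z=4)    # b. all named
    multiply(2, 3, z=4)        # c. mixed positional and named
    multiply(2, 3)             # d. default value for z
    main()
```

Saving this as a module and running `import ipfuncs` or `from ipfuncs import is_valid_ipv4` in the interpreter covers exercise 3b; the `if __name__ == "__main__"` guard keeps the prompt from firing on import.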
I. Introduction
A. Why write functions?
II. Functions Part1
A. Function with no parameters
1. Syntax and structure
2. Calling the function
3. Return value
4. Using the return value
B. Function with parameters
2. Default values
C. Various ways of passing arguments to functions
1. Positional arguments
2. Named arguments
3. Mixing positional and named arguments
III. Python Namespaces
A. Functions create their own namespace
B. Name resolution order
IV. Functions Part2
A. Using lists and dicts as function arguments
B. Importing a function
Security operations and analytics platform architecture (SOAPA)
Security information and event management (SIEM) systems have been around for a dozen years or so. During that timeframe, SIEMs evolved from perimeter security event correlation tools, to GRC platforms, to security analytics systems. Early vendors like eSecurity, GuardedNet, Intellitactics, and NetForensics are distant memories; today’s SIEM market is dominated by a few leaders: LogRhythm, McAfee (aka Nitro Security), HP (aka ArcSight), IBM (aka QRadar), and Splunk.
Of course, there is a community of innovative upstarts that believe SIEM is a legacy technology. They proclaim that log management and event correlation can’t keep up with the pace of cybersecurity today, so you need new technologies like artificial intelligence, machine learning algorithms, and neural networks to consume, process, and analyze security data in real time.
As an industry analyst, I should be waving my arms around madly, proclaiming that “SIEM is dead,” since that’s what those in my profession tend to do. Sorry, but I don’t think SIEM is dead at all. Instead, enterprise security operations and analytics requirements are forcing rapid consolidation into something new that ESG calls a security operations and analytics platform architecture (SOAPA).
Within SOAPA, SIEM-like functionality still plays a starring role, often aggregating analytics data into a common repository. But unlike the past, SIEM is one of several security tools within SOAPA, and these technologies must be designed for asynchronous cooperation so security analysts can quickly pivot across tools to find data and take action as they need to in real time.
SOAPA is a dynamic architecture, meaning that new data sources and control planes will be added incrementally over time. I do believe, however, that today’s SOAPA is built with SIEMs (or similar log management and search products/services) and:
- Endpoint detection/response tools (EDR). Security analysts often want to dig deep into security alerts by monitoring and investigating host behavior, so EDR (e.g., CarbonBlack, Countertack, CrowdStrike, Guidance Software) is an essential component of SOAPA.
- Incident response platforms (IRPs). Aside from collecting, processing, and analyzing security data, cybersecurity professionals want to prioritize alerts and remediate problems as soon as possible. These requirements are giving rise to IRPs like Hexadite, Phantom, Resilient Systems (IBM), ServiceNow, and Swimlane.
- Network security analytics. SIEM’s log analysis and EDR host behavior monitoring are complemented by flow and packet analysis in SOAPA, provided by vendors like Arbor Networks, Blue Coat/Symantec, Cisco (Lancope), RSA, etc.
- UBA/machine learning algorithms. While these tools have received an inordinate degree of industry hype, there’s little doubt that machine learning will be baked into security analytics henceforth, so vendors like Bay Dynamics, Caspida (Splunk), Exabeam, Niara, Sqrrl, and Varonis should be included in SOAPA.
- Vulnerability scanners and security asset managers. Part of security operations is knowing which alerts should be prioritized. These decisions must be driven by solid data from vulnerability management systems (e.g., Qualys, Rapid7, Tanium) and other tools that monitor the state of systems and network configurations (e.g., RedSeal, Skybox, Verodin).
- Anti-malware sandboxes. This technology represents another key pivot point for understanding targeted attacks that may use zero-day malware. Sandboxes from FireEye, Fidelis, and Trend Micro are definitely part of SOAPA.
- Threat intelligence. Enterprise organizations want to compare internal network anomalies with malicious “in-the-wild” activities, so SOAPA extends to threat intelligence sources and platforms (e.g., BrightPoint [ServiceNow], FireEye/iSight Partners, RecordedFuture, ThreatConnect, ThreatQuotient).
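To make the “pivot across tools” idea concrete, here is an added illustration (not ESG’s method and not any vendor’s code) of what the SIEM-centred architecture above buys an analyst: one SIEM alert, keyed on a host name and a destination IP, is enriched from three of the other SOAPA components (EDR host activity, vulnerability/asset data, and threat intelligence) and scored for triage. Every record is a constructed sample, the suspicious parent/child process pairs are a placeholder list, and the scoring weights are my own choice for the illustration.

```python
"""Added SOAPA pivot illustration: enrich a SIEM alert from EDR, vulnerability
management and threat intel, then rank alerts for triage. All data constructed."""

from dataclasses import dataclass, field

# SIEM: normalized alerts keyed by alert id (constructed)
SIEM_ALERTS = {
    "a-1001": {"host": "ws-042", "dst_ip": "203.0.113.9",
               "rule": "outbound beacon pattern", "severity": 3},
    "a-1002": {"host": "srv-db-01", "dst_ip": "198.51.100.7",
               "rule": "failed admin logons", "severity": 2},
}
# EDR: recent process activity keyed by host name (constructed)
EDR_HOST_ACTIVITY = {
    "ws-042": [{"process": "powershell.exe", "parent": "winword.exe"}],
    "srv-db-01": [{"process": "sqlservr.exe", "parent": "services.exe"}],
}
# Vulnerability management: asset criticality and open critical CVEs (constructed)
VULN_ASSETS = {
    "ws-042": {"criticality": "low", "open_critical_cves": 0},
    "srv-db-01": {"criticality": "high", "open_critical_cves": 2},
}
# Threat intel: indicators keyed by IP; 203.0.113.0/24 is documentation space
THREAT_INTEL = {"203.0.113.9": {"tag": "c2", "confidence": 90}}

# Placeholder parent/child pairs an analyst would flag (not a vendor rule set)
SUSPICIOUS_PARENTS = {("winword.exe", "powershell.exe"), ("excel.exe", "cmd.exe")}
# Illustrative weights, chosen for this example only
CRITICALITY_WEIGHT = {"low": 0, "medium": 1, "high": 2}


@dataclass
class EnrichedAlert:
    alert_id: str
    host: str
    dst_ip: str
    severity: int
    intel_match: bool = False
    suspicious_process: bool = False
    asset_criticality: str = "unknown"
    open_critical_cves: int = 0
    evidence: list = field(default_factory=list)

    def priority(self):
        """Triage score: SIEM severity plus points per corroborating source."""
        score = self.severity
        score += 3 if self.intel_match else 0
        score += 2 if self.suspicious_process else 0
        score += CRITICALITY_WEIGHT.get(self.asset_criticality, 0)
        score += 1 if self.open_critical_cves else 0
        return score


def enrich(alert_id):
    """Pivot from one SIEM alert into EDR, vulnerability and intel data."""
    raw = SIEM_ALERTS[alert_id]
    out = EnrichedAlert(alert_id, raw["host"], raw["dst_ip"], raw["severity"])
    # Pivot 1: EDR, keyed on host name
    for proc in EDR_HOST_ACTIVITY.get(out.host, []):
        if (proc["parent"], proc["process"]) in SUSPICIOUS_PARENTS:
            out.suspicious_process = True
            out.evidence.append("edr:%s->%s" % (proc["parent"], proc["process"]))
    # Pivot 2: vulnerability/asset data, keyed on host name
    asset = VULN_ASSETS.get(out.host)
    if asset:
        out.asset_criticality = asset["criticality"]
        out.open_critical_cves = asset["open_critical_cves"]
    # Pivot 3: threat intel, keyed on destination IP
    ioc = THREAT_INTEL.get(out.dst_ip)
    if ioc:
        out.intel_match = True
        out.evidence.append("intel:%s(%d)" % (ioc["tag"], ioc["confidence"]))
    return out


def triage_queue():
    """Return (alert id, priority, evidence) tuples, highest priority first."""
    enriched = [enrich(alert_id) for alert_id in SIEM_ALERTS]
    enriched.sort(key=lambda e: e.priority(), reverse=True)
    return [(e.alert_id, e.priority(), e.evidence) for e in enriched]


if __name__ == "__main__":
    for row in triage_queue():
        print(row)
```

Each source keeps its own key (host name for EDR and asset data, IP for intel), which is exactly the cross-tool lookup the article describes; the common repository is the SIEM alert that carries both keys. The beaconing alert outranks the higher-value database server here because three independent sources corroborate it, which is the prioritization question the vulnerability and intel bullets raise.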
Aside from the technologies themselves, here are a few other thoughts on SOAPA:
- Beyond data exchange between security tools, the next big innovation will be central SOAPA command-and-control for analytics and management (e.g., configuration management, policy management) of the security infrastructure.
- The market is already moving in SOAPA’s direction. Witness IBM’s acquisition of Resilient Systems for IRP, Splunk’s purchase of Caspida for UBA, and Elastic’s acquisition of Prelert.
- Now that McAfee is independent of Intel, look for it to invest in its enterprise security manager (i.e., Nitro). McAfee will also accelerate SOAPA technology integration with its own tools and ecosystem partners, and acquisitions aimed at filling architectural gaps.
- Given the central role that SIEM still plays in SOAPA, someone (CA? Palo Alto? Symantec? Trend Micro?) will buy LogRhythm.
- Each of the technology elements described above could be delivered on-premises or via SaaS options. SOAPA must be flexible to accommodate these options.
- SOAPA must be built for immense scale – especially as organizations increase their use of cloud computing and IoT. It’s likely cloud analytics or storage will become part of the architecture.
- A few vendors may be able to deliver their own proprietary SOAPA solutions, but enterprise customers will likely eschew single-vendor solutions while anchoring their SOAPAs with lead vendors and ecosystem partners. Small enterprises and SMBs, however, could buy from a single product or SaaS vendor.
Cyber Security Frameworks
- Intel Tara
- APRA 234 Assessment
- Prudential Practice Guide (CPG234)
- ISO 27001
- Australian Privacy Principles
- ENISA Cloud Computing Risk Assessment – http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment
- Jericho Forum Self Assessment Scheme – https://www.opengroup.org/jericho/self-assessment.htm
- Carnegie Mellon OCTAVE Risk Assessment – http://www.cert.org/octave/
- Microsoft STRIDE Threat Model – http://msdn.microsoft.com/en-us/magazine/cc163519.aspx
- Factor Analysis of Information Risk (FAIR) – http://fairwiki.riskmanagementinsight.com/
- Common Assurance Maturity Model – http://common-assurance.com/
- BITS Shared Assessments – http://www.sharedassessments.org/