Endpoint detection tooling is central to establishing a threat detection capability to protect enterprise networks. However, it is expensive and the cost is driven by the type of tooling purchased and the complexity of the corporate network.

Fortunately, we can use Sysmon to build a free endpoint detection solution that, if properly tuned, can broadly match the detection capabilities of paid tools.

As mentioned in part one, our lab is configured to deploy a special Sysmon configuration that collects log data based on known adversary behaviours, as documented within the open-source MITRE ATT&CK framework.

Agile security operations is about implementing an adaptive and iterative approach to monitoring information systems and networks. The goal is to make security operations more adaptable, collaborative and responsive to emerging threats and vulnerabilities.

In the context of security operations, agile can speed up the delivery of impactful monitoring services while maximising value-adding for business stakeholders. Moreover, it can improve alignment with engineering teams so monitoring technologies can continuously evolve.

Security operations centres (SOCs) often operate in the background and within a highly technical context. Moreover, they must deliver operational services under the pressures of service-level objectives. With limited time and visibility, they are always at risk of siloing themselves from the rest of the business.

To be useful, an Azure Sentinel lab must replicate an enterprise network as closely as possible. In the first post of our Azure Sentinel lab-building series, we learned how to automate the deployment of a team lab. In our second post, we learned how to automate user access provisioning. However, to be realistic, we must include an Active Directory Domain Controller.

By including a domain controller (DC), our team will enjoy a realistic, hands-on experience managing and securing centralized authentication, permissions, and user data. The DC will simulate an enterprise environment where users can practice configuring group policies, managing user accounts, and enforcing security protocols.

The fourth quarter is budgeting time for most companies. Equally, most security managers are gearing up to support their CISO with preparing the security budget for the upcoming year.

Security budgeting is an overlooked area in the cybersecurity industry. It’s also an overlooked skill set when hiring and training cybersecurity executives. Yet, it is a crucial aspect of managing a cybersecurity program. Cybersecurity budgeting rests at the crossroads between cybersecurity (as a discipline) and business.