Security Control V2: Incident Response

Note

The most up-to-date Azure Security Benchmark is available here.

Incident Response covers controls across the incident response life cycle: preparation; detection and analysis; containment, eradication and recovery; and post-incident activities. This includes using Azure services such as Azure Security Center and Azure Sentinel to automate the incident response process.

To see the applicable built-in Azure Policy, see Details of the Azure Security Benchmark Regulatory Compliance built-in initiative: Incident Response

IR-1: Preparation – update incident response process for Azure

Azure ID: IR-1
CIS Controls v7.1 ID(s): 19
NIST SP 800-53 r4 ID(s): IR-4, IR-8

Ensure your organization has processes to respond to security incidents, has updated these processes to cover Azure (roles, escalation paths, access to Azure resources and logs), and exercises them regularly to confirm readiness.

Responsibility: Customer

IR-2: Preparation – setup incident notification

Azure ID: IR-2
CIS Controls v7.1 ID(s): 19.5
NIST SP 800-53 r4 ID(s): IR-4, IR-5, IR-6, IR-8

Set up security incident contact information (email address and phone number) in Azure Security Center. Microsoft uses this contact information to reach you if the Microsoft Security Response Center (MSRC) discovers that your data has been accessed by an unlawful or unauthorized party. You can also customize incident alerting and notification in individual Azure services to match your incident response needs.

Responsibility: Customer

IR-3: Detection and analysis – create incidents based on high quality alerts

Azure ID: IR-3
CIS Controls v7.1 ID(s): 19.6
NIST SP 800-53 r4 ID(s): IR-4, IR-5

Ensure you have a process to create high quality alerts and to measure alert quality, for example the share of alerts from each detection rule that analysts confirm as true positives. This lets you learn from past incidents and prioritize alerts for analysts, so they don't waste time on false positives.

High quality alerts can be built based on experience from past incidents, validated community sources, and tools designed to generate and clean up alerts by fusing and correlating diverse signal sources.

Azure Security Center provides high quality alerts across many Azure assets. You can use the Azure Security Center data connector to stream these alerts to Azure Sentinel. Azure Sentinel lets you create analytics rules that generate incidents automatically for investigation.

Export your Azure Security Center alerts and recommendations using the continuous export feature (to a Log Analytics workspace or Azure Event Hubs) to help identify risks to Azure resources. Alerts and recommendations can be exported manually as a one-time action or continuously as they are generated.

Responsibility: Customer

IR-4: Detection and analysis – investigate an incident

Azure ID: IR-4
CIS Controls v7.1 ID(s): 19
NIST SP 800-53 r4 ID(s): IR-4

Ensure analysts can query and use diverse data sources as they investigate potential incidents, to build a full view of what happened. Diverse logs should be collected to track the activities of a potential attacker across the kill chain to avoid blind spots. You should also ensure insights and learnings are captured for other analysts and for future historical reference.

The data sources for investigation include the centralized logging sources that are already being collected from the in-scope services and running systems, but can also include:

  • Network data – use network security group (NSG) flow logs, Azure Network Watcher, and Azure Monitor to capture network flow records and other network analytics.

  • Snapshots of running systems:

    • Use the Azure virtual machine disk snapshot capability to capture the running system's OS and data disks.

    • Use the operating system's native memory dump capability to create a snapshot of the running system's memory.

    • Use the snapshot feature of the Azure service in question, or your own software's capability, to capture the state of running systems.
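The network data bullet above is the one an investigator usually starts with. As an added example (not Microsoft code and not part of the original page), the following Python parses NSG flow log records in the documented version-2 layout and pulls out what is needed first: every flow touching an indicator IP, an allowed/denied summary for one host, and the "denied inbound, then allowed outbound to the same remote" shape that often marks a scan followed by a callback. The record, subscription ID, and IP addresses are constructed samples.

```python
"""Parse NSG flow log (version 2) records for an investigation.
Added example; the record below is a constructed sample, not real telemetry."""
import json
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample record.  Field order inside a version-2 flowTuple:
# timestamp, srcIp, dstIp, srcPort, dstPort, protocol (T/U), direction (I/O),
# decision (A/D), flow state (B/C/E), packets src->dst, bytes src->dst,
# packets dst->src, bytes dst->src.  Subscription ID and IPs are placeholders.
SAMPLE_FLOW_LOG = json.dumps({"records": [{
    "time": "2021-03-04T10:00:00.0000000Z",
    "category": "NetworkSecurityGroupFlowEvent",
    "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/RG-PROD"
                  "/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/NSG-WEB",
    "properties": {"Version": 2, "flows": [
        {"rule": "DefaultRule_DenyAllInBound", "flows": [{"mac": "000D3AF87856", "flowTuples": [
            "1614852000,198.51.100.23,10.0.1.4,51234,22,T,I,D,B,,,,",
            "1614852005,198.51.100.23,10.0.1.4,51235,3389,T,I,D,B,,,,"]}]},
        {"rule": "UserRule_AllowOutbound", "flows": [{"mac": "000D3AF87856", "flowTuples": [
            "1614852300,10.0.1.4,198.51.100.23,49152,4444,T,O,A,E,12,1800,10,940",
            "1614852360,10.0.1.4,203.0.113.10,49153,443,T,O,A,E,5,600,6,7200"]}]}]}}]})


def parse_flow_log(raw):
    """Yield one dict per flow tuple with the fields decoded."""
    for record in json.loads(raw)["records"]:
        nsg = record["resourceId"].rsplit("/", 1)[-1]
        version = record["properties"].get("Version", 1)
        for rule_block in record["properties"]["flows"]:
            for mac_block in rule_block["flows"]:
                for tup in mac_block["flowTuples"]:
                    f = tup.split(",")
                    flow = {
                        "time": datetime.fromtimestamp(int(f[0]), tz=timezone.utc),
                        "nsg": nsg, "rule": rule_block["rule"], "mac": mac_block["mac"],
                        "src": f[1], "dst": f[2], "sport": int(f[3]), "dport": int(f[4]),
                        "proto": {"T": "tcp", "U": "udp"}.get(f[5], f[5]),
                        "direction": {"I": "inbound", "O": "outbound"}[f[6]],
                        "decision": {"A": "allow", "D": "deny"}[f[7]],
                    }
                    if version >= 2:
                        flow["state"] = f[8]
                        # Counters are empty for denied flows and for begin-state records.
                        flow["bytes_out"] = int(f[10]) if f[10] else 0
                        flow["bytes_in"] = int(f[12]) if f[12] else 0
                    yield flow


def flows_with_ip(raw, ip):
    """Every flow where the indicator IP is source or destination."""
    return [fl for fl in parse_flow_log(raw) if ip in (fl["src"], fl["dst"])]


def host_summary(raw, host_ip):
    """Allowed/denied counts by direction for one host, plus the remote
    endpoints it successfully connected to outbound with bytes sent."""
    counts = Counter()
    outbound_peers = defaultdict(int)
    for fl in parse_flow_log(raw):
        if host_ip not in (fl["src"], fl["dst"]):
            continue
        counts[(fl["direction"], fl["decision"])] += 1
        if fl["direction"] == "outbound" and fl["decision"] == "allow" and fl["src"] == host_ip:
            outbound_peers[(fl["dst"], fl["dport"])] += fl.get("bytes_out", 0)
    return dict(counts), dict(outbound_peers)


def suspicious_callbacks(raw):
    """Remote IPs that were denied inbound to a host and later received an
    allowed outbound connection from that same host.  Returns
    (host, remote, remote_port) tuples in time order."""
    denied_inbound = set()
    hits = []
    for fl in sorted(parse_flow_log(raw), key=lambda x: x["time"]):
        if fl["direction"] == "inbound" and fl["decision"] == "deny":
            denied_inbound.add((fl["dst"], fl["src"]))
        elif (fl["direction"] == "outbound" and fl["decision"] == "allow"
              and (fl["src"], fl["dst"]) in denied_inbound):
            hits.append((fl["src"], fl["dst"], fl["dport"]))
    return hits


if __name__ == "__main__":
    for fl in flows_with_ip(SAMPLE_FLOW_LOG, "198.51.100.23"):
        print(fl["time"].isoformat(), fl["direction"], fl["decision"],
              fl["src"], "->", fl["dst"], fl["dport"], fl["rule"])
    print(host_summary(SAMPLE_FLOW_LOG, "10.0.1.4"))
    print(suspicious_callbacks(SAMPLE_FLOW_LOG))
```

Real flow logs arrive as hourly blobs with many records per NSG; feed each blob's JSON through parse_flow_log and keep the indicator list in a set rather than a single IP. The callback check deliberately keys on (host, remote) only, so it stays cheap to run over a day of logs during triage.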

Azure Sentinel provides extensive data analytics across virtually any log source and a case management portal to manage the full life cycle of incidents. Intelligence gathered during an investigation (indicators, entities, analyst notes) can be associated with the incident for tracking and reporting purposes.

Responsibility: Customer

IR-5: Detection and analysis – prioritize incidents

Azure ID: IR-5
CIS Controls v7.1 ID(s): 19.8
NIST SP 800-53 r4 ID(s): CA-2, IR-4

Provide context to analysts on which incidents to focus on first based on alert severity and asset sensitivity.

Azure Security Center assigns a severity to each alert to help you decide which alerts to investigate first. The severity reflects how confident Security Center is in the finding or in the analytic that produced the alert, combined with its confidence that the activity behind the alert was malicious.

Additionally, tag resources and adopt a naming convention that identifies and categorizes Azure resources, especially those processing sensitive data. It is your responsibility to prioritize remediation of alerts based on the criticality of the Azure resources and the environment in which the incident occurred.
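The two inputs IR-5 names, alert severity and asset sensitivity, can be combined into a single triage order, and the alert quality measurement IR-3 asks for can feed the same ranking. The following Python is an added example, not Microsoft code or the page's own: it ranks a batch of exported alerts by severity weighted with a DataClassification tag on the affected resource, discounts alert types whose historical analyst dispositions show low precision, and lists the rules that need tuning. The alert records, resource tags, disposition counts, tag name and weights are constructed assumptions; only the field names (AlertDisplayName, Severity, ResourceId, SystemAlertId) follow the Security Center alert schema.

```python
"""Rank exported security alerts for analyst attention and flag noisy rules.
Added example with constructed data; weights and the DataClassification tag
convention are assumptions, not an Azure default."""

SEVERITY_WEIGHT = {"High": 4, "Medium": 2, "Low": 1, "Informational": 0}
# Assumed tagging convention: each resource carries a "DataClassification" tag.
SENSITIVITY_WEIGHT = {"Restricted": 3, "Confidential": 2, "Internal": 1, "Public": 0}

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"   # placeholder
VM = "/providers/Microsoft.Compute/virtualMachines/"

# Constructed resource inventory (in practice, pulled from Azure Resource Graph).
RESOURCE_TAGS = {
    SUB + "/resourceGroups/rg-prod" + VM + "db-01": {"DataClassification": "Restricted", "Environment": "prod"},
    SUB + "/resourceGroups/rg-prod" + VM + "web-01": {"DataClassification": "Internal", "Environment": "prod"},
    SUB + "/resourceGroups/rg-dev" + VM + "dev-03": {"DataClassification": "Public", "Environment": "dev"},
}

# Constructed alerts, shaped like continuous-export records.
ALERTS = [
    {"SystemAlertId": "a1", "AlertDisplayName": "Suspicious SVCHOST process executed",
     "Severity": "High", "ResourceId": SUB + "/resourceGroups/rg-prod" + VM + "db-01"},
    {"SystemAlertId": "a2", "AlertDisplayName": "Failed SSH brute force attack",
     "Severity": "Medium", "ResourceId": SUB + "/resourceGroups/rg-prod" + VM + "web-01"},
    {"SystemAlertId": "a3", "AlertDisplayName": "Traffic detected from IP addresses recommended for blocking",
     "Severity": "Low", "ResourceId": SUB + "/resourceGroups/rg-dev" + VM + "dev-03"},
    {"SystemAlertId": "a4", "AlertDisplayName": "Logon from an unusual location",
     "Severity": "Medium", "ResourceId": SUB + "/resourceGroups/rg-prod" + VM + "db-01"},
]

# Constructed history of analyst dispositions per alert type (IR-3: measure alert quality).
DISPOSITIONS = {
    "Suspicious SVCHOST process executed": {"TruePositive": 8, "FalsePositive": 2},
    "Failed SSH brute force attack": {"TruePositive": 3, "FalsePositive": 27},
    "Traffic detected from IP addresses recommended for blocking": {"TruePositive": 1, "FalsePositive": 4},
}


def rule_precision(dispositions):
    """True-positive share per alert type; None when there is no history."""
    out = {}
    for name, d in dispositions.items():
        total = sum(d.values())
        out[name] = d.get("TruePositive", 0) / total if total else None
    return out


def triage_score(alert, tags, precision):
    """severity x (1 + sensitivity) x historical precision.  Unknown rules get
    no discount; known-noisy rules are floored at 0.1 so nothing is hidden."""
    sev = SEVERITY_WEIGHT.get(alert["Severity"], 0)
    sens = SENSITIVITY_WEIGHT.get(tags.get("DataClassification", "Internal"), 1)
    p = precision.get(alert["AlertDisplayName"])
    confidence = 1.0 if p is None else max(p, 0.1)
    return sev * (1 + sens) * confidence


def build_queue(alerts, resource_tags, dispositions):
    """Return (score, alert id, alert name, resource name) rows, highest first."""
    precision = rule_precision(dispositions)
    rows = []
    for a in alerts:
        tags = resource_tags.get(a["ResourceId"], {})   # untagged resource: treated as Internal
        rows.append((round(triage_score(a, tags, precision), 2), a["SystemAlertId"],
                     a["AlertDisplayName"], a["ResourceId"].rsplit("/", 1)[-1]))
    return sorted(rows, key=lambda r: r[0], reverse=True)


def rules_to_tune(dispositions, min_precision=0.2, min_samples=10):
    """Alert types with enough history and precision below the bar: candidates
    for tuning the analytic or adding a suppression rule."""
    precision = rule_precision(dispositions)
    return sorted(name for name, d in dispositions.items()
                  if sum(d.values()) >= min_samples and precision[name] < min_precision)


if __name__ == "__main__":
    for row in build_queue(ALERTS, RESOURCE_TAGS, DISPOSITIONS):
        print(row)
    print("tune:", rules_to_tune(DISPOSITIONS))
```

With the constructed data, the high-severity alert on the Restricted database host goes to the top, the medium alert on the same host outranks the medium brute-force alert on the Internal web host because that rule's history is 90% false positives, and the brute-force rule is the one reported for tuning. The minimum-sample guard keeps a rule with only five dispositions from being discounted on thin evidence.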

Responsibility: Customer

IR-6: Containment, eradication and recovery – automate the incident handling

Azure ID: IR-6
CIS Controls v7.1 ID(s): 19
NIST SP 800-53 r4 ID(s): IR-4, IR-5, IR-6

Automate repetitive manual tasks to speed up response and reduce the burden on analysts. Manual tasks take longer to execute, which slows each incident and reduces how many incidents an analyst can handle. They also increase analyst fatigue, which raises the risk of human error, causes delays, and degrades analysts' ability to focus on complex work.

Use the workflow automation features in Azure Security Center and Azure Sentinel to trigger actions automatically or run a playbook in response to incoming security alerts. A playbook can, for example, send notifications, disable accounts, or isolate affected networks.

Responsibility: Customer
