Project Sentinel
ICT & Cyber Security
Client company: Curaeos
Samuli Kari
Tymek Angela
Project description
Establish SIEM reporting capabilities in Microsoft Azure to enable IT management to gain more visibility into their current security situation.
Context
The client was a multinational dental care platform company that had most of their existing infrastructure in Microsoft Azure, but identified a lack of reporting on the current situation of IT. The IT management was keen to build this capability to have a better understanding of any weak points in their security and to have a clearer view on the overall security situation. They were aware that Microsoft Sentinel could be set up to handle this type of reporting to provide them with insight, but it had not been utilized previously.
Results
The main results at the end were:
- Threat detection implementations in the client’s environment for four types of threats, for example detecting logins from unusual countries or attempts to bypass script execution policies on devices
- Email reporting capabilities in both scheduled and trigger-based format, along with the related Kusto Query Language queries, alert rules and Azure Logic Apps
- Knowledge transfer document with detailed steps on all main components for the client to replicate what was done and to continue adding more types of threats as needed
- Clinic security assessment report based on a field trip to a physical location
- Dashboard with demonstration visuals and correlation between anomalies
- Multiple presentations with demonstrations
- Recommendations on future expansion and how to continue raising awareness in the organization
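As an added illustration of the first kind of detection listed above (a sign-in from an unusual country), here is a Kusto query written for this page; it is not the project's own query and is not taken from the knowledge transfer document. It assumes the Microsoft Entra ID SigninLogs table is connected to the Sentinel workspace and uses that table's standard columns; the 14-day baseline and the one-hour detection window are assumed tuning values.

```kusto
// Added example, not the project's own query.
// Flags successful sign-ins from a country the same user has not signed in
// from during a 14-day baseline. Assumes the SigninLogs table is connected.
let baseline = 14d;   // assumed baseline; 14 days is the most a scheduled rule can look back
let window   = 1h;    // assumed detection window, matching an hourly rule schedule
// Baseline: the set of countries each user signed in from before the current window.
let knownCountries =
    SigninLogs
    | where TimeGenerated between (ago(baseline) .. ago(window))
    | where tostring(ResultType) == "0"                    // successful sign-ins only
    | extend Country = tostring(LocationDetails.countryOrRegion)
    | where isnotempty(Country)
    | summarize KnownCountries = make_set(Country) by UserPrincipalName;
// Current window: successful sign-ins whose country is absent from the baseline.
SigninLogs
| where TimeGenerated > ago(window)
| where tostring(ResultType) == "0"
| extend Country = tostring(LocationDetails.countryOrRegion)
| where isnotempty(Country)
| join kind=leftouter knownCountries on UserPrincipalName
| where isnull(KnownCountries)                             // no baseline at all for this user
     or not(set_has_element(KnownCountries, Country))      // country not in the baseline set
| summarize
    FirstSeen    = min(TimeGenerated),
    LastSeen     = max(TimeGenerated),
    SignInCount  = count(),
    IPAddresses  = make_set(IPAddress, 10),
    Apps         = make_set(AppDisplayName, 10),
    BaselineCountries = take_any(KnownCountries)
  by UserPrincipalName, Country
| order by FirstSeen asc
```

Run as a scheduled analytics rule, the query would execute once an hour over the last hour of data, and the resulting incident (or a Logic App triggered by it) carries the user, the new country, the source IPs and the countries seen in the baseline, which is what an analyst needs to decide quickly whether this is travel or a compromised account. Expect benign hits from corporate VPN egress points and legitimate travel; those are best handled by an explicit allowlist of countries or IP ranges rather than by widening the window.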
These assets were validated from multiple perspectives throughout: personal research was complemented with experimentation, seeking advice from subject matter experts and validating the results with the client to ensure quality.
The added value for the client places the result at around levels 5-7 on the Technology Readiness Level (TRL) scale, as our implementation included fully functioning examples of threat detection and reporting in the operational environment, ready for the client to expand on.
Methodology
Our project was divided into three sprints with the following themes: sprint 1 was about setting up a foundation, researching various areas necessary and producing research documentation. Sprint 2 was the beginning of the technical part, where the first proof of concept was created and later implemented in the client’s system. Sprint 3 was about re-iterating the process and implementing another PoC, demonstrating results, showing detection findings, and handing over the project.
DOT framework research pattern examples can be found below:
- Concept triangle: in sprint 1, researching the relevant threat landscape, identifying more threats on a field trip and compiling findings in a research document
- Crossover pattern: in sprint 2, researching how to detect firewall-related threats in Sentinel and reporting them, then creating a proof of concept in a test environment and finally implementing it in the live environment
- Validation triangle: at the end of sprint 2, demonstrating the implementation setup, threat detection and reporting to the client to collect feedback and validate the products
About the project group
The project group consisted of two students with a Business background, one from the English stream and one from the Dutch stream. The project was conducted over a period of 4.5 months, divided into 3 sprints, with the products developed in an Agile manner.