Security Q&A: A (Very Slight) Upside to Solorigate and Top Blue Team Attack Tools
Security expert Sergey Chubarov on the current security landscape and how the SolarWinds attack can change cybersecurity for the better.
- By Scott Bekker
Due to widespread deployment, Microsoft 365 is fast becoming one of the most critical attack surfaces, if not the most critical attack surface, in all of IT. That's why Redmond's conference arm, TechMentor, will be holding a two-day hands-on virtual training seminar Feb. 11-12 on "Offensive and Defensive Security of Microsoft 365."
We caught up recently with our expert presenter, Sergey Chubarov, for an e-mail Q&A about the current security landscape.
Redmond: Have the recent SolarWinds/Solorigate attack discoveries changed your attitude about anything related to security, and specifically to Microsoft 365 security?
Chubarov: As a security expert, it is difficult for me to define my attitude to this event. On the one hand, companies suffer financial and reputational losses as a result of a cyberattack, and this is not good. On the other hand, the IT and cybersecurity industry can benefit from this.
In many companies, cybersecurity is reactive. Companies implement security services after some significant events, such as hacking of their infrastructure or massive breaches. I hope now more companies are thinking about using cloud infrastructure and security services.
What are your favorite tools for blue team attacks on Microsoft 365/Office 365/Azure/Azure AD and why?
The blue team's main tool is SIEM [security information and event management]. If you want to cover all of the listed data sources, then this is Azure Sentinel. However, the effectiveness of SIEM depends on the quantity and quality of connected sources.
My favorite source is Microsoft Defender for Endpoints. According to my research, it has the highest detection and integration with Windows clients/servers.
Do you find the Kali for Windows application a useful pentesting tool, and if so, how do you recommend using it versus a native Kali Linux box or other pentesting platform?
I tried Kali for Windows once in 2018. Microsoft Defender AV killed this application right after I launched it. I prefer native Kali Linux. However, since the target of penetration testing is Windows, Kali is not enough. I am also using Commando VM from FireEye along with MS Visual Studio.
What's the most important theme that you hope attendees of your upcoming security seminar understand about Microsoft 365 security?
When I see "eye-opener" in feedback, I think I have achieved my goal. By using an offensive approach and showing how traditional security tools can be bypassed, I demonstrate the possible flaws in common cybersecurity configuration. The ideal result is change in the attendees' perceptions about the dangers of different security configurations and information on how to fix them.
Scott Bekker is editor in chief of Redmond Channel Partner magazine.