What’s New: Azure Sentinel: Zero Trust (TIC3.0) Workbook

Posted by

Mapping technology to Zero Trust frameworks is a challenge in many industries. We need to change our thinking in security assessment as the cloud evolves at the speed of innovation and growth, which often challenges our security requirements. We need a method to map Zero Trust approaches to technology while measuring change over time like a muscle.


 


Azure Sentinel: Zero Trust (TIC 3.0) WorkbookAzure Sentinel: Zero Trust (TIC 3.0) Workbook


The Azure Sentinel: Zero Trust (TIC3.0) Workbook provides an automated visualization of Zero Trust principles cross walked to the Trusted Internet Connections framework. This workbook leverages the full breadth of Microsoft security offerings across Azure, Office 365, Teams, Intune, Windows Virtual Desktop, and many more. This workbook enables Implementers, SecOps Analysts, Assessors, Security & Compliance Decision Makers, and MSSPs to gain situational awareness for cloud workloads’ security posture. The workbook features 76+ control cards aligned to the TIC 3.0 security capabilities with selectable GUI buttons for navigation. This workbook is designed to augment staffing through automation, artificial intelligence, machine learning, query/alerting generation, visualizations, tailored recommendations, and respective documentation references.


 


Use Cases


There are several use cases for the Azure Sentinel Zero Trust (TIC 3.0) Workbook depending on user roles and requirements. The graphic below shows how a Security Engineer can leverage the workbook to review controls, evaluate tool efficiency, explore events, and investigate configurations. There are also several additional use cases where this workbook will be helpful:


Roles



  • Implementers: Build/Design

  • SecOps: Alert/Automation Building

  • Assessors: Audit, Compliance, Assessment

  • Security & Compliance Decision Makers: Situational Awareness

  • MSSP: Consultants, Managed Service


Mappings



  • Framework to Requirement to Microsoft Technology


Visualization



  • Hundreds of Visualizations, Recommendations, Queries


Time-Bound



  • Measure Posture Over Time for Maturity


Time-Saving



  • Aggregation & Analysis

  • Capabilities Assessment

  • Navigation

  • Documentation

  • Compliance Mapping

  • Query/Alert Generation


 


Security Engineer Use CaseSecurity Engineer Use Case


Is Zero Trust Equivalent to TIC 3.0?


No, Zero Trust is a best practice model and TIC 3.0 is a security initiative. Zero Trust is widely defined around core principles whereas TIC 3.0 has specific capabilities and requirements. This workbook demonstrates the overlap of Zero Trust Principles with TIC 3.0 Capabilities. The Azure Sentinel Zero Trust (TIC 3.0) Workbook demonstrates best practice guidance, but Microsoft does not guarantee nor imply compliance. All TIC requirements, validations, and controls are governed by the Cybersecurity & Infrastructure Security Agency. This workbook provides visibility and situational awareness for security capabilities delivered with Microsoft technologies in predominantly cloud-based environments. Customer experience will vary by user and some panels may require additional configurations for operation. Recommendations do not imply coverage of respective controls as they are often one of several courses of action for approaching requirements which is unique to each customer. Recommendations should be considered a starting point for planning full or partial coverage of respective requirements.


 



 


Deploying the Workbook


It is recommended that you have the log sources listed above to get the full benefit of the Zero Trust (TIC3.0) Workbook, but the workbook will deploy regardless of your available log sources. Follow the steps below to enable the workbook:


Requirements: Azure Sentinel Workspace and Security Reader rights.


1) From the Azure portal, navigate to Azure Sentinel


2) Select Workbooks > Templates


3) Search Zero Trust and select Save to add to My Workbooks


 


Microsoft Offerings Overlay to TIC CapabilitiesMicrosoft Offerings Overlay to TIC Capabilities


Navigating the Workbook


The Legend Panel provides a helpful reference for navigating the workbook with respective colors, features, and reference indicators.


 


Navigating The WorkbookNavigating The Workbook


The Guide Toggle is available in the top left of the workbook. This toggle allows you to view panels such as recommendations and guides, which will help you first access the workbook but can be hidden once you’ve grasped respective concepts.


 


Guide ToggleGuide Toggle


The Resource Parameter Options provide configuration options to sort control cards by Subscription, Workspace, and Time Range. The Parameter Options are beneficial for Managed Security Service Providers (MSSP) or large enterprises that leverage Azure Lighthouse for visibility into multiple workspaces. It facilitates assessment from both the aggregate and individual workspace perspectives. Time range selectors allow options for daily, monthly, quarterly, and even custom time range visibility.


 


Resource Parameter OptionsResource Parameter Options


The Azure Sentinel Zero Trust (TIC3.0) Workbook displays each control in a Capability Card. The Capability Card provides respective control details to understand requirements, view your data, adjust SIEM queries, export artifacts, onboard Microsoft controls, navigate configuration blades, access reference materials, and view correlated compliance frameworks.


 


Capability CardCapability Card


While using Microsoft offerings for the Zero Trust (TIC3.0) Workbook is recommended, it’s not a set requirement as customers often rely on many security providers and solutions. Below is a use-case example for adjusting a Control Card to include third-party tooling. The default KQL query provides a framework for target data, and it is readily adjusted with the desired customer controls/solutions.


 


3rd Party Tool Use Case3rd Party Tool Use Case


Get Started with Azure Sentinel and Learn More About Zero Trust with Microsoft


Below are additional resources for learning more about Zero Trust (TIC3.0) with Microsoft. Bookmark the Security blog to keep up with our expert coverage on security matters and follow us at @MSFTSecurity or visit our website for the latest news and cybersecurity updates.



Disclaimer


The Azure Sentinel Zero Trust (TIC 3.0) Workbook demonstrates best practice guidance, but Microsoft does not guarantee nor imply compliance. All TIC requirements, validations, and controls are governed by the  Cybersecurity & Infrastructure Security Agency. This workbook provides visibility and situational awareness for control requirements delivered with Microsoft technologies in predominantly cloud-based environments. Customer experience will vary by user, and some panels may require additional configurations and query modification for operation. Recommendations do not imply coverage of respective controls as they are often one of several courses of action for approaching requirements which is unique to each customer. Recommendations should be considered a starting point for planning full or partial coverage of respective control requirements.


 


 


 

This articles are republished, there may be more discussion at the original link. But if you found this helpful, you're more than welcome to let us know!

This site uses Akismet to reduce spam. Learn how your comment data is processed.