Security Change Monitor

This toolset is part of our overall Tribe Security Intelligence Service.

Overview

The Security Change Monitor is a security system deployed by Tribe and powered by our TechOps Team.

The Tribe Technical Delivery team will deploy collectors to site(s) and connect to the various cloud services described to gather and monitor data.

On an ongoing basis, Tribe will capture and respond to alerts created by the Security Change Monitor. Each alert passes through the Tribe security response process and is actioned by the Tribe Security Team.

The following are the key aspects of what is implemented as part of the Security Change Monitor, and the settings required for Tribe to gather security and documentation information in a customer environment.

Deployed Intelligence Collection and Actions

Microsoft Office 365 – Cloud Collector

Pull data on licencing, users, groups, mail routing, and actionable summary information like security policies and used licence counts.

Implementation:

  • Create a New App Registration within Office 365
  • Generate a Key for Security Change Monitor
  • For security purposes, the key generated will NOT be documented
  • Configure Read Only API permissions for the following:
    • Access Review
    • Audit Log
    • Contacts
    • Directory
    • Administration
    • Group
    • Identity Risk Event
    • Identity Risk User
    • Mailbox Settings
    • Member
    • Program Control
    • Reports
    • Security Events
    • Sites
    • Users
  • Grant API permissions for all users
  • Add Application ID / Directory ID / Key into Security Change Monitor


Post Implementation:

  • Data will be pulled daily into Security Change Monitor via the Cloud Agent
  • Security Change Monitor syncs with ITGlue and ITGlue entries will be updated


Internet Domains – Cloud Collector

Track expirations, changes, and renewals with deep and detailed web domain information: DNS records (A, CNAME, MX), SSL assessments, and more.

Implementation:

  • Each domain will be added to Security Change Monitor


Post Implementation:

  • Daily DNS lookups will be performed on the domain by the Cloud Agent
  • Data will be pulled daily into Security Change Monitor via the Cloud Agent
  • ASI syncs with ITGlue and ITGlue entries will be updated


TLS / SSL – Cloud Collector

Perform a deep inspection of the TLS/SSL certificate, with details on protocols, vulnerabilities, expiration data, and more.

Implementation:

  • Each certificate will be added to Security Change Monitor


Post Implementation:

  • Daily Certificate lookups will be performed on the domain by the Cloud Agent
  • Data will be pulled daily into Security Change Monitor via the Cloud Agent
  • Security Change Monitor syncs with ITGlue and ITGlue entries will be updated
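The Internet Domains and TLS/SSL collectors above both describe a daily lookup that produces an alert when something changes or approaches expiry. The following is an added example of what such a daily certificate check can look like; it is not Tribe's code and it does not reproduce the Cloud Agent. It uses only the Python standard library: `fetch_certificate` performs the live lookup, and the remaining functions evaluate the result (days until expiry, a legacy protocol version, and whether the host name is covered by the certificate's SANs) so they can be exercised against a constructed certificate without a network. The 30-day warning window, the `example.test` host names and the sample certificate are assumptions made for the example.

```python
import socket
import ssl
from datetime import datetime, timezone

WARN_DAYS = 30                                     # assumption: alert inside this window
LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}   # negotiated versions worth an alert


def fetch_certificate(host, port=443, timeout=5.0):
    """Live lookup: verify the chain against the system trust store and return
    (peer certificate as the dict ssl.getpeercert() builds, negotiated protocol name)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(), tls.version()


def days_remaining(cert, now=None):
    """Whole days until notAfter; negative once the certificate has expired."""
    now = now or datetime.now(timezone.utc)
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    return (expires - now).days


def _name_matches(host, pattern):
    """Exact match, or a single-label wildcard such as '*.example.test'."""
    host, pattern = host.lower(), pattern.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return host == pattern


def assess(host, cert, protocol, now=None, warn_days=WARN_DAYS):
    """Findings for one host; an empty list means there is nothing to alert on."""
    findings = []
    days = days_remaining(cert, now)
    if days < 0:
        findings.append(f"{host}: certificate expired {-days} days ago")
    elif days <= warn_days:
        findings.append(f"{host}: certificate expires in {days} days")
    if protocol in LEGACY_PROTOCOLS:
        findings.append(f"{host}: negotiated legacy protocol {protocol}")
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans and not any(_name_matches(host, s) for s in sans):
        findings.append(f"{host}: not covered by certificate SANs {sans}")
    return findings


def check_hosts(hosts, now=None, fetch=fetch_certificate, warn_days=WARN_DAYS):
    """Daily run over a host list; a failed handshake is itself a finding."""
    report = {}
    for host in hosts:
        try:
            cert, protocol = fetch(host)
        except OSError as exc:          # ssl.SSLError is an OSError subclass
            report[host] = [f"{host}: TLS connection failed: {exc}"]
            continue
        report[host] = assess(host, cert, protocol, now, warn_days)
    return report


# Constructed sample certificate in the shape ssl.getpeercert() returns (not a real cert).
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.test"),),),
    "notBefore": "Mar  1 00:00:00 2030 GMT",
    "notAfter": "Jun  1 12:00:00 2030 GMT",
    "subjectAltName": (("DNS", "www.example.test"), ("DNS", "*.example.test")),
}

if __name__ == "__main__":
    fixed_now = datetime(2030, 5, 1, tzinfo=timezone.utc)
    for line in assess("api.example.test", SAMPLE_CERT, "TLSv1", fixed_now, warn_days=45):
        print(line)
```

For a real run, call `check_hosts(["www.example.test"])` with the default `fetch`; handshake or verification failures (an expired chain, a name mismatch) surface as findings rather than exceptions, which is what a daily scheduled job needs.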


Active Directory – AD based Collector

Discover and document users, groups, roles, devices, security policies, and more.

Implementation:

  • A Domain Administrator account will be created and used as a service account for the Agent
  • For security purposes, the credentials for this account will NOT be documented
  • An Agent will be installed on Domain Controller
  • The Agent will be linked to Security Change Monitor using APIs


Post Implementation:

  • Daily Active Directory scans will be run by the Agent on Domain Controller
  • Data will be sent to Security Change Monitor by the Agent
  • Security Change Monitor syncs with ITGlue and ITGlue entries will be updated


SQL Server – SQL Collector

Capture details on SQL databases, users, roles, groups, jobs, maintenance plans, backups, and more.

Implementation:

  • A SQL Login account will be created on each SQL Server
  • The SQL Account will be named RoarAgentSQL and it will be a sysadmin
  • The Account will be listed as a db_owner on each database on the server
  • For security purposes, the account credentials will NOT be documented
  • Monitoring will be done by the Agent on Domain Controller


Post Implementation:

  • The SQL Server will be polled daily at 05:00
  • Data will be sent to SIS by the Agent on Domain Controller
  • ASI syncs with ITGlue and ITGlue entries will be updated


Azure – Cloud Collector (Only applies if customer has any active subscriptions within Azure)

Document virtual machines, Azure AD users and groups, network, security groups, and more.

Implementation:

  • For security purposes, a separate App Registration will be created for the Azure Monitoring rather than utilizing the Office 365 Application
  • Create a New App Registration within Office 365
  • Generate a Key for Security Change Monitor
  • Read Only API permissions will be set up for the following:
    • Group
    • User
  • IAM Permissions will be granted to the Application for each Azure Subscription
  • Azure Inspector will be added to Security Change Monitor


Post Implementation:

  • Data will be pulled daily into Security Change Monitor via the Cloud Agent
  • Security Change Monitor syncs with ITGlue and ITGlue entries will be updated


Identity Monitoring – AD based Collector

Identify and monitor accounts that have been reported in known data breaches.

Implementation:

  • An account list will be exported from Office 365 and imported via CSV into Security Change Monitor


Post Implementation:

  • Weekly Lookups will be performed via API to see if any email addresses are listed in known breaches on https://haveibeenpwned.com
  • Security Change Monitor syncs with ITGlue and ITGlue entries will be updated
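The weekly lookup described above is a straightforward API job, but two details decide whether it is useful in practice: HIBP answers HTTP 404 for an account with no known breach and HTTP 429 with a `retry-after` header when the caller is going too fast, and an account that was already reported last week should not raise the same alert again. The following added example (not Tribe's code) shows both. `hibp_request` calls the real HIBP v3 `breachedaccount` endpoint and needs an HIBP API key; the rest of the code takes the request function as a parameter so it can run offline against a constructed response table. The `UserPrincipalName` column name of the Office 365 export, the `example.test` accounts and the breach names are assumptions made for the example.

```python
import csv
import io
import json
import time
import urllib.error
import urllib.parse
import urllib.request

HIBP_ENDPOINT = "https://haveibeenpwned.com/api/v3/breachedaccount/"
USER_AGENT = "SecurityChangeMonitor-example"   # HIBP rejects requests without a user agent


def hibp_request(account, api_key, user_agent=USER_AGENT):
    """One real HIBP v3 call. Returns (status, body_text, lower-cased headers) so the
    caller can treat 404 (no breach) and 429 (rate limited) as normal outcomes."""
    url = HIBP_ENDPOINT + urllib.parse.quote(account) + "?truncateResponse=false"
    req = urllib.request.Request(url, headers={"hibp-api-key": api_key, "user-agent": user_agent})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8"), {k.lower(): v for k, v in resp.headers.items()}
    except urllib.error.HTTPError as err:
        return err.code, "", {k.lower(): v for k, v in err.headers.items()}


def lookup_breaches(account, request, max_attempts=3):
    """Sorted breach names for one account ([] when HIBP has none), honouring retry-after on 429."""
    for _ in range(max_attempts):
        status, body, headers = request(account)
        if status == 200:
            return sorted(breach["Name"] for breach in json.loads(body))
        if status == 404:
            return []
        if status == 429:
            time.sleep(float(headers.get("retry-after", "2")))
            continue
        raise RuntimeError(f"HIBP returned HTTP {status} for {account}")
    raise RuntimeError(f"still rate limited after {max_attempts} attempts for {account}")


def accounts_from_csv(text, column="UserPrincipalName"):
    """Addresses from the exported account list; the column name is an assumption."""
    rows = csv.DictReader(io.StringIO(text))
    return [row[column].strip().lower() for row in rows if row.get(column)]


def weekly_run(accounts, request, previous=None):
    """Return (results for this run, alerts). An alert is raised only for a breach
    that was not present in the previous run, so a known hit is not re-reported weekly."""
    previous = previous or {}
    results, alerts = {}, []
    for account in accounts:
        results[account] = lookup_breaches(account, request)
        new = sorted(set(results[account]) - set(previous.get(account, [])))
        if new:
            alerts.append(f"{account}: newly listed in {', '.join(new)}")
    return results, alerts


# Constructed sample export and a constructed stand-in for HIBP so the example runs offline.
SAMPLE_EXPORT = """DisplayName,UserPrincipalName
Alice Example,alice@example.test
Bob Example,bob@example.test
Carol Example,carol@example.test
"""


def make_fake_hibp():
    """alice is in two breaches, bob in none, carol's first call is rate limited."""
    calls = {"carol@example.test": 0}

    def fake(account):
        if account == "alice@example.test":
            return 200, json.dumps([{"Name": "ExampleBreachB"}, {"Name": "ExampleBreachA"}]), {}
        if account == "carol@example.test":
            calls[account] += 1
            if calls[account] == 1:
                return 429, "", {"retry-after": "0"}
            return 200, json.dumps([{"Name": "ExampleBreachA"}]), {}
        return 404, "", {}

    return fake


if __name__ == "__main__":
    accounts = accounts_from_csv(SAMPLE_EXPORT)
    results, alerts = weekly_run(accounts, make_fake_hibp())
    for line in alerts:
        print(line)
    _, repeat = weekly_run(accounts, make_fake_hibp(), previous=results)
    print("second week, nothing new:", repeat)
```

Against the live service, build the request function with `functools.partial(hibp_request, api_key=...)` and persist `results` between runs so the next week's `previous` argument is the last week's output; the key itself belongs in a secret store, in keeping with the page's rule that credentials are not documented.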


FortiGate – AD based Collector

Inspect FortiGate devices to document interfaces, firewall and NAT rules, and more.

Implementation:

  • Create a profile on each firewall which allows Read Only access
  • Create an API Account on each firewall being monitored and provide it with the Read Only profile
  • Logons will be limited to Domain Controller


Post Implementation:

  • Firewalls will be polled daily at 05:00 by the Agent on Domain Controller
  • Data will be pushed to Security Change Monitor
  • Security Change Monitor syncs with ITGlue and ITGlue entries will be updated


Windows – Server based Collector

Inspect a Windows Server to view disk information, file shares, installed software and services, patch levels, and more.

Implementation:

  • Enable-PSRemoting will be run on servers to allow remote commands


Post Implementation:

  • Monitoring will be done by the Agent and account on Domain Controller
  • Data will be pushed to Security Change Monitor
  • Security Change Monitor syncs with ITGlue and ITGlue entries will be updated


UniFi – AD based Collector

Inspect a single or multi-tenant UniFi controller, to document details like attached devices, network details including DHCP scopes, and more.

Implementation:

  • Create a Read Only account on the Controller
  • For security purposes, credentials will NOT be documented
  • Inspector will be configured in Security Change Monitor


Post Implementation:

  • Controller will be polled daily by the Agent on Domain Controller
  • Data will be pushed to Security Change Monitor
  • Security Change Monitor syncs with ITGlue and ITGlue entries will be updated


StorageCraft SPX – AD based Collector

Capture data on backup jobs, image chains, volumes protected, and more.

Implementation:

  • Remote Access will be enabled within ShadowProtect on each server
  • Remote Access will be configured on TCP 55815
  • Inspectors in Security Change Monitor will be configured for each server being monitored


Post Implementation:

  • ShadowProtect will be polled daily at 06:00 by the Agent on Domain Controller
  • Data will be pushed to Security Change Monitor
  • ASI syncs with ITGlue and ITGlue entries will be updated


Network Discovery – AD based Collector

Scan your network to identify network IPs and hosts.

Implementation:

  • The Server Subnet will be added to Security Change Monitor
  • Common ports will be checked on all detected hosts, including:
    • 21
    • 22
    • 80
    • 443
  • Reverse DNS Lookups will be enabled
  • SNMP Checks will also be performed on all detected hosts


Post Implementation:

  • The Network Discovery task will run daily from Domain Controller
  • Data will be pushed to Security Change Monitor
  • Security Change Monitor syncs with ITGlue and ITGlue entries will be updated
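A daily discovery run is only worth an alert when it differs from the previous one: a host that was not there yesterday, a host that stopped answering, or a new port on a known server. The following added example (not Tribe's code, and not the Agent) shows the shape of such a run with the Python standard library: a TCP connect check on the four ports the page lists plus a reverse DNS lookup, and a diff of two daily inventories. The SNMP checks the page mentions are left out because they need a library outside the standard library. The probe and resolver are parameters, so the example runs here against constructed tables for the TEST-NET range `192.0.2.0/29`; host names under `example.test` are assumptions.

```python
import ipaddress
import socket

COMMON_PORTS = (21, 22, 80, 443)   # the ports listed on the page


def probe_host(ip, ports=COMMON_PORTS, timeout=0.5):
    """TCP connect check against one address; returns the set of ports that answered."""
    answered = set()
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
            sock.settimeout(timeout)
            if sock.connect_ex((ip, port)) == 0:
                answered.add(port)
    return answered


def reverse_dns(ip):
    """PTR lookup; empty string when there is no record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:        # socket.herror / socket.gaierror are OSError subclasses
        return ""


def discover(subnet, probe=probe_host, resolve=reverse_dns):
    """One discovery run: {ip: {"name": ptr, "ports": [...]}} for every host that
    answered on at least one port. Sequential on purpose; it is a daily job."""
    inventory = {}
    for addr in ipaddress.ip_network(subnet, strict=False).hosts():
        ip = str(addr)
        ports = probe(ip)
        if ports:
            inventory[ip] = {"name": resolve(ip), "ports": sorted(ports)}
    return inventory


def diff_inventory(previous, current):
    """Compare two daily runs; each returned string is one change worth alerting on."""
    changes = []
    for ip in sorted(set(previous) | set(current), key=ipaddress.ip_address):
        if ip not in previous:
            name = current[ip]["name"] or "no PTR"
            changes.append(f"new host {ip} ({name}) answering on {current[ip]['ports']}")
        elif ip not in current:
            name = previous[ip]["name"] or "no PTR"
            changes.append(f"host {ip} ({name}) no longer answering")
        else:
            opened = sorted(set(current[ip]["ports"]) - set(previous[ip]["ports"]))
            closed = sorted(set(previous[ip]["ports"]) - set(current[ip]["ports"]))
            if opened:
                changes.append(f"{ip}: newly open ports {opened}")
            if closed:
                changes.append(f"{ip}: ports no longer open {closed}")
            if current[ip]["name"] != previous[ip]["name"]:
                changes.append(f"{ip}: PTR changed {previous[ip]['name']!r} -> {current[ip]['name']!r}")
    return changes


# Constructed stand-ins so the example runs without touching a network.
FAKE_YESTERDAY = {"192.0.2.1": {22, 443}, "192.0.2.3": {80}}
FAKE_TODAY = {"192.0.2.1": {22, 443}, "192.0.2.3": {80, 22}, "192.0.2.5": {443}}
FAKE_PTR = {"192.0.2.1": "dc01.example.test", "192.0.2.3": "web01.example.test"}


def fake_probe(table):
    """Build a probe function that answers from a constructed {ip: ports} table."""
    return lambda ip: set(table.get(ip, ()))


def fake_resolve(ip):
    return FAKE_PTR.get(ip, "")


if __name__ == "__main__":
    before = discover("192.0.2.0/29", probe=fake_probe(FAKE_YESTERDAY), resolve=fake_resolve)
    after = discover("192.0.2.0/29", probe=fake_probe(FAKE_TODAY), resolve=fake_resolve)
    for change in diff_inventory(before, after):
        print(change)
```

In a scheduled job, `discover("10.0.0.0/24")` with the default probe and resolver produces today's inventory, the previous day's is loaded from wherever it was stored, and only the output of `diff_inventory` is forwarded as alerts; a full inventory every day is noise, a diff is a change record.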


ESXi – AD based Collector

Pull back information about VMs, hosts, datastores, and more.

Implementation:

  • SSH will be enabled on each host if it is not already enabled
  • An Administrative account will be created on each host
  • For security purposes, the credentials for these accounts will NOT be documented


Post Implementation:

  • Servers will be polled daily by Domain Controller
  • Data will be pushed to Security Change Monitor
  • Security Change Monitor syncs with ITGlue and ITGlue entries will be updated