Document Location: http://aka.ms/Office365SIM P a g e | 2
Document Feedback: cxprad@microsoft.com
Response Management Process
The Office 365 Security team and the service teams work together on and take the same approach to security
incidents, which is based on the NIST 800-61 response management phases:
Figure 1 - NIST 800-61 Response Management Phases
Preparation Refers to the organizational preparation that is needed to be able to respond, including
tools, processes, competencies, and readiness.
Detection & Analysis Refers to the activity to detect a security incident in a production environment
and to analyze all events to confirm the authenticity of the security incident.
Containment, Eradication, Remediation Refers to the required and appropriate actions taken to
contain the security incident based on the analysis done in the previous phase. Additional analysis may
also be necessary in this phase to fully remediate the security incident.
Post-Incident Activity Refers to the post-mortem analysis performed after the remediation of a
security incident. The operational actions performed during the process are reviewed to determine if
any changes need to be made in the Preparation or Detection & Analysis phases.
Federated Security Response Model
Office 365 services include core Microsoft Online Services (Exchange Online, SharePoint Online and Skype for
Business, etc.) as well as other Microsoft cloud services, such as Azure Active Directory, the Microsoft Commerce
Platform, and the MSTIC. These services are operated by separate teams with their own security operational
processes. Other Microsoft teams are also engaged in various security aspects of Office 365. Because of the
multitude of teams working on security operations management for Office 365, Microsoft has implemented a
federated security response model.
Table 3 presents the operational boundaries between the various Office 365 security operations teams and the
Office 365 service teams:
Activity
Office 365 Security Team Operations
Office 365 Service Team Operations
Detection & Analysis
Detection requirements
Security monitoring and analysis
Indicators of compromise (IOC) sweeps
Breach hunt
24x7 security on-call/Incident Response lead
Detection requirements
Monitoring infrastructure deployment
Service analysis and insight
Event and alert triage
24x7 service engineering on-call
Containment
Eradication
Remediation
Incident response lead
Forensics investigation
Security expertise and consult
Remediation guidance
Security incident owner
Service insight and expertise
Execute containment, eradication,
remediation
Post-Incident Activity
Post-Incident analysis lead
Data collection and archival
Lessons learned and bug requests
Incident reporting
Service-side incident analysis
Prioritize follow-up activities
Implement security investments
Service security readiness
Table 3 - Operational boundaries between Office 365 security teams and service teams
剩余11页未读,继续阅读
todd_yx
- 粉丝: 0
- 资源: 3
我的内容管理
展开
最新资源
- 深入理解23种设计模式
- 制作与调试:声控开关电路详解
- 腾讯2008年软件开发笔试题解析
- WebService开发指南:从入门到精通
- 栈数据结构实现的密码设置算法
- 提升逻辑与英语能力:揭秘IBM笔试核心词汇及题型
- SOPC技术探索:理论与实践
- 计算图中节点介数中心性的函数
- 电子元器件详解:电阻、电容、电感与传感器
- MIT经典:统计自然语言处理基础
- CMD命令大全详解与实用指南
- 数据结构复习重点:逻辑结构与存储结构
- ACM算法必读书籍推荐:权威指南与实战解析
- Ubuntu命令行与终端:从Shell到rxvt-unicode
- 深入理解VC_MFC编程:窗口、类、消息处理与绘图
- AT89S52单片机实现的温湿度智能检测与控制系统
资源上传下载、课程学习等过程中有任何疑问或建议,欢迎提出宝贵意见哦~我们会及时处理!
点击此处反馈
