mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-05 15:29:01 +03:00
Initial commit - 611 cybersecurity skills across all subdomains
This commit is contained in:
@@ -0,0 +1,179 @@
|
||||
# Microsegmentation Implementation Workflows
|
||||
|
||||
## Workflow 1: Microsegmentation Deployment Lifecycle
|
||||
|
||||
```
|
||||
┌──────────────────────┐
|
||||
│ 1. Discovery │
|
||||
│ - Deploy agents │
|
||||
│ - Collect traffic │
|
||||
│ telemetry (2-4 wks)│
|
||||
│ - Build flow map │
|
||||
└──────────┬───────────┘
|
||||
v
|
||||
┌──────────────────────┐
|
||||
│ 2. Classification │
|
||||
│ - Assign workload │
|
||||
│ labels (role, app, │
|
||||
│ env, location) │
|
||||
│ - Validate with CMDB │
|
||||
│ - Group by app tier │
|
||||
└──────────┬───────────┘
|
||||
v
|
||||
┌──────────────────────┐
|
||||
│ 3. Policy Design │
|
||||
│ - Define zones │
|
||||
│ - Create allow-list │
|
||||
│ rules per app │
|
||||
│ - Set default-deny │
|
||||
│ - Document exceptions │
|
||||
└──────────┬───────────┘
|
||||
v
|
||||
┌──────────────────────┐
|
||||
│ 4. Test Mode │
|
||||
│ - Enable policies in │
|
||||
│ visibility mode │
|
||||
│ - Monitor would-block │
|
||||
│ events (1-2 weeks) │
|
||||
│ - Refine rules │
|
||||
└──────────┬───────────┘
|
||||
v
|
||||
┌──────────────────────┐
|
||||
│ 5. Enforcement │
|
||||
│ - Enforce per-app, │
|
||||
│ starting low-risk │
|
||||
│ - Monitor 24-48 hrs │
|
||||
│ - Proceed to next app │
|
||||
└──────────┬───────────┘
|
||||
v
|
||||
┌──────────────────────┐
|
||||
│ 6. Continuous Ops │
|
||||
│ - Weekly violation │
|
||||
│ review │
|
||||
│ - Quarterly audits │
|
||||
│ - CI/CD integration │
|
||||
│ - Incident response │
|
||||
└──────────────────────┘
|
||||
```
|
||||
|
||||
## Workflow 2: Policy Creation Flow
|
||||
|
||||
```
|
||||
Identify Application
|
||||
│
|
||||
v
|
||||
┌─────────────────────┐
|
||||
│ Map Dependencies │
|
||||
│ - Inbound sources │
|
||||
│ - Outbound targets │
|
||||
│ - Ports/protocols │
|
||||
│ - Process names │
|
||||
└──────────┬──────────┘
|
||||
v
|
||||
┌─────────────────────┐
|
||||
│ Define Labels │
|
||||
│ Role: web/app/db │
|
||||
│ App: erp/crm/hr │
|
||||
│ Env: prod/dev/stg │
|
||||
│ Loc: dc1/aws/azure │
|
||||
└──────────┬──────────┘
|
||||
v
|
||||
┌─────────────────────┐
|
||||
│ Create Rules │
|
||||
│ Allow: web→app:8080 │
|
||||
│ Allow: app→db:3306 │
|
||||
│ Allow: mon→all:9090 │
|
||||
│ Deny: all other │
|
||||
└──────────┬──────────┘
|
||||
v
|
||||
┌─────────────────────┐
|
||||
│ Test and Validate │
|
||||
│ - Simulate in test │
|
||||
│ - Check flow map │
|
||||
│ - App owner sign-off │
|
||||
└──────────┬──────────┘
|
||||
v
|
||||
┌─────────────────────┐
|
||||
│ Enforce and Monitor │
|
||||
│ - Switch to enforce │
|
||||
│ - Alert on violations│
|
||||
│ - Log to SIEM │
|
||||
└─────────────────────┘
|
||||
```
|
||||
|
||||
## Workflow 3: Ring-Fencing Critical Assets
|
||||
|
||||
```
|
||||
Identify Critical Asset (e.g., PCI CDE Database)
|
||||
│
|
||||
v
|
||||
┌──────────────────────────────────────┐
|
||||
│ 1. Baseline Traffic │
|
||||
│ - Observe all inbound/outbound flows │
|
||||
│ - Document legitimate connections │
|
||||
│ - Identify unnecessary connections │
|
||||
└──────────────┬───────────────────────┘
|
||||
v
|
||||
┌──────────────────────────────────────┐
|
||||
│ 2. Define Ring-Fence Rules │
|
||||
│ - Allow: app-server → db:5432 │
|
||||
│ - Allow: backup-agent → db:5432 │
|
||||
│ - Allow: monitoring → db:9100 │
|
||||
│ - Deny: ALL other inbound │
|
||||
│ - Deny: ALL outbound (except DNS,NTP)│
|
||||
└──────────────┬───────────────────────┘
|
||||
v
|
||||
┌──────────────────────────────────────┐
|
||||
│ 3. Test with Production Traffic │
|
||||
│ - Enable in test mode │
|
||||
│ - Verify zero false positives │
|
||||
│ - Validate backup and monitoring work │
|
||||
└──────────────┬───────────────────────┘
|
||||
v
|
||||
┌──────────────────────────────────────┐
|
||||
│ 4. Enforce and Lock Down │
|
||||
│ - Switch to enforcement │
|
||||
│ - Enable alerting on any violation │
|
||||
│ - Review violations daily │
|
||||
│ - QSA validation for PCI scope │
|
||||
└──────────────────────────────────────┘
|
||||
```
|
||||
|
||||
## Workflow 4: Incident Response with Microsegmentation
|
||||
|
||||
```
|
||||
Alert: Unusual East-West Traffic Detected
|
||||
│
|
||||
v
|
||||
┌─────────────────────────┐
|
||||
│ 1. Investigate │
|
||||
│ - Review flow in console │
|
||||
│ - Check source workload │
|
||||
│ - Identify destination │
|
||||
│ - Cross-ref with SIEM │
|
||||
└──────────┬──────────────┘
|
||||
v
|
||||
┌──────────────────────────────┐
|
||||
│ 2. Contain │
|
||||
│ - Apply quarantine policy │
|
||||
│ (deny all except forensic) │
|
||||
│ - Isolate compromised │
|
||||
│ workload instantly │
|
||||
└──────────┬───────────────────┘
|
||||
v
|
||||
┌─────────────────────────┐
|
||||
│ 3. Assess Impact │
|
||||
│ - Check if lateral move │
|
||||
│ was blocked by policy │
|
||||
│ - Review adjacent zones │
|
||||
│ - Determine blast radius │
|
||||
└──────────┬──────────────┘
|
||||
v
|
||||
┌─────────────────────────┐
|
||||
│ 4. Remediate │
|
||||
│ - Patch/reimagevworkload │
|
||||
│ - Strengthen policies │
|
||||
│ - Remove quarantine │
|
||||
│ - Post-incident review │
|
||||
└─────────────────────────┘
|
||||
```
|
||||
Reference in New Issue
Block a user