Kategoriak: All - security - education - management - insights

arabera Kit Ainscough 1 year ago

99

MS.365

The offering encompasses a comprehensive suite of security and management tools designed for enterprise environments. It includes advanced threat analytics, multifactor authentication, and detailed auditing capabilities.

MS.365

Security

Threat Protection Detect-Respond-Recover

Recommended Approach

Deep Dives

MRCA

SIEM Integration

SIEM

Integrated Toolset

Dark Markets

Pragmatic intel investment

Machine Learning

Behaviour Analysis

Operations

Integrated Automation

Community Effect

Intelligence Integration + Automation

Common Attack Steps

Attack Steps Detail

Typical Kill Chain

Intelligence

Inside

SIEM integration

SOC integration

A Sentinel

Toolset

Trends
Threat evolution acceleration

Corporate SOC

Corporate SOC Evolved

Corporate SOC Upgraded

MS Corporate SOC

SOC Reference Ops Model

SOC Evolution

Data Gravity

SOC Signal Rationalisation

Graph Security

Evolution

Observations

Threat Protection Identify-Protect

Security Recommendations
Windows 10
Progress
Critical Hygiene

Key Recommendations

Securing Priviledged Access

Secure AAD

5 enable end user self service

Implement Azure AD access reviews

Implement self-service group and application access

Implement self-service password reset

4 Utilize cloud intelligence

Audit apps and consented permissions

monitor

AAD Identity Protection events

AAD Connect Health in hybrid environments

3 Automate Response

Implement sign-in risk policy using Azure AD Identity Protection

Implement user risk security policy using Azure AD Identity Protection

2 Reduce attack surface

Implement AAD Privileged Identity Management

Restrict user consent operations

Block invalid authentication entry points

Block legacy authentication

Use Conditional Access

1 Strengthen creds

Implement AD FS extranet smart lockout

Ban

commonly attacked passwords

expiry

password complexity

Implement MFA

Protect against leaked creds

Replace passwords

Windows Hello

0 Implement SSO

Steps

Beyond

Key Protections

Quick Wins

Protect

Privileged Lifecycle

Infrastructure Security (IaaS)

Beyond Quick Wins

First 30 days 4-6

First 30 days 1-3

AHN Approach

Using AHN

Isolate Network

Host Hardening

Isolate Admin interfaces

App/Dev Security (PaaS)

DevSec/PaaS Security

Roadmap

Evolution and Changes
Recommendations

Resources

Roadmap Methodology

Security Hygiene
Compliance Evolution

Cloud

Security Evolution

Cybersecurity Program

Infra Threats

Reference Enterprise Design

O365 Threats

Key Change

Learnings

Integrate AI and ML

Adopt containment strategies

Enable hardware-based assurance

Invest in preventative controls for each attach phase

Identity & Access (ZT User Access)

3rd Party Risk
ZT Architecture
ZT Model

ZT AD conditional access

ZT User Access

Build ID Perimeters

Modernisation

Visibility & Control

Accounts
Eliminate Passwords
Increase attack cost

Biometrics

Hardware Assurances

Virtualisation Based Security (VBS)

Identity Systems
Azure Active Directory (AAD)
Active Directory (AD)
Context
Strategy

Integration

ZT Priorities

Definition & Models

ZT Principles

ZT Access Control Strategy

ZT Access Control Paradigm

History

Suite

Enterprise Mobility Security (EMS)
Azure RMS
Threat Analytics
Azure AD Premium 2

policy driven management

End User self service

Azure IP
Identity Manager
Intune
Windows 10 Enterprise
O365
EOP
Versions

Education

Office365 for Education

Intune for Education

same functionality as Enterprise

Enterprise

E5

myAnalytics

PowerBI

E3

AAD P2

Business

business centre

Connections

online presence

Invoicing

Listings

email marketing

Bookings

automated win10 installation

flow

powerapps

staffhub

<300 users

ASM

Insight into cloud apps

feature subset of MS Cloud App Security

App discovery

Identify Shadow IT

Threat Detection

Anomoly detection policies

identify high risk/abnormal usage

Auditing

Insights

Insight Types

Widgets

Pivoted Insights

Alert Policies

Alert Types

Intel

First Party

Basic

Management Activity API

Policies & Alerts

templates

Anomoly detection

Activity

Threat Intelligence

Threat Dashboard

ATP
M365 admin centre

Admin Centers

Security&Compliance

Service assurance

Advanced eDiscovery

Search

Productivity app discovery

O365 Cloud App Security

Audit log search

Data privacy

GDPR dashboard

Discover

ATP Safe Attachments

ATP Safe Links

ATP Anti-phishing

Anti-malware

Supervision

Data governance

Retention

Archive

Import

Label activity explorer

Dashboard

Toolbox

Records Management

File Plan

App permissions

Sensitivity labels

Retention labels

Exchange

Mail flow

Rules

Create a new rule

Protect against ransomware

Stop auto-forwarding

Users

Active Users

...

Settings

Services & Addins

Microsoft Azure Information Protection

Uses Rights Management

Cloud based office productivity suite

Microsoft Threat Protection (MTP)

Useful
takes automatic action to prevent or stop the attack and self-heal affected mailboxes, endpoints, and user identities
requires E5 licencing
unified pre and post breach enterprise defense suite
Windows Defender ATP
protects Infrastructure

Windows server

protects Endpoints

Windows10

Smartscreen & App reputation

BitLocker device encryption

SecureBoot

Windows Defender Exploit Guard

Windows Defender Application Controls

MS Defender ATP

Automated Investigations & Remediations

EDR

Next-Gen Protection

Threat & Vulnerability Management

Attack Surface Reduction

Windows Defender Application Guard (WDAC)

Hardware based security

Data Execution Prevention (DEP)

Address Space Layout Randomization (ASLR)

Early Launch Anti Malware (ELAM)

Trusted Boot

Trusted Platform Module (TPM)

root chain of trust for creds and keys

Windows 10 automatic TPM initialization

Generate, store, and limit the use of cryptographic keys

has a unique RSA key burned into it

platform device authentication

a secure crypto-processor

UEFI Secure Boot

helps to protect the startup process and firmware against tampering

UEFI Secure Boot is a security standard for firmware built in to PCs

Azure ATP
protects Identities

Azure AD

https://docs.microsoft.com/en-au/azure/active-directory/

Domain Services

https://docs.microsoft.com/en-au/azure/active-directory-domain-services/overview

Device mangement

https://docs.microsoft.com/en-au/azure/active-directory/devices/overview

Conditional access

https://docs.microsoft.com/en-au/azure/active-directory/conditional-access/overview

B2C

https://docs.microsoft.com/en-au/azure/active-directory-b2c/active-directory-b2c-overview

Customers use social/enterprise/loca accnts to access API/Apps

B2B

https://docs.microsoft.com/en-au/azure/active-directory/b2b/what-is-b2b

Guest user access

Application management

https://docs.microsoft.com/en-au/azure/active-directory/manage-apps/what-is-single-sign-on

SSO

Authentication

https://docs.microsoft.com/en-au/azure/active-directory/authentication/concept-mfa-howitworks

MFA

Hybrid Identity

https://docs.microsoft.com/en-au/azure/active-directory/hybrid/whatis-hybrid-identity

Identity Governance

https://docs.microsoft.com/en-au/azure/active-directory/governance/create-access-review

Identity Protection

https://docs.microsoft.com/en-au/azure/active-directory/identity-protection/overview

Azure Sentinel

https://docs.microsoft.com/en-us/azure/sentinel/overview

MITRE

SIEM + SOAR

Architecture

Azure ATP Cloud service

Azure ATP Portal

Azure ATP sensor

monitors DC resources

monitors DC traffic

domain synchroniser

receives RADIUS traffic

resolves users, groups, computers

inspects Domain Controller traffic

Investigate Alerts and User Activities

Identify Suspicious Activities & Advanced Attacks across Cyber-Attack Kill-Chain

Domain dominance

Lateral movement

Compromised Creds

Reconnaissance

Protect User Identities & Reduce Attack Surface

Monitor and profile User Behaviour

protects cloud apps

MS Cloud App Security

Conduct forensic investigations

Detect Cloud threats, compromised creds, malicious insiders, ransomware

Secure Collaboration with external users

Protect / Block downloads of protected data to risky devices

Enforce DLP & Compliance

Discover, Label, Classify, Protect data

Discover and Assess Cloud Apps

Conditional Access App Control

App Risk Score

O365 ATP
O365 ATP P2

malicious URLs and files in Office docs

Attack Simulator

Automated Investigation & Response

Threat Investigation & Response

Threat Explorer

Threat trackers

O365 ATP P1 + the following

O365 ATP P1

Threat Protection Policies

ATP Anti-Phishing

ATP for SharePoint, OneDrive, Teams

ATP Safe-Links

ATP Safe-Attachments

O365 EOP

use S/MIME

requires

setup Outlook to EAS endpoint to use S/MIME

setup virtual certificate collection

synchronise user certificates from AD DS to AAD (DirSync)

publish user certificate in on-prem AD DS account

AD Certificate Services

digitally sign emails

encrypt emails

cloud-based email filtering service

use directory based Edge Blocking

rejects email sent to invalid recipients

mail flow intelligence

mail sent via connectors

non-delivery report (NDR)

notifications

queueing errors

mail flow rules

properties

priority

test rule

enforce rule

time period

actions

block

insert

add subject prefix

add recipients

redirect

delete

reject

exceptions

conditions

and

or

mail flow thru EOP DC

5 delivery

4 content filtering

3 policy filtering

DLP checks

custom mail flow rules

2 malware filtering

1 checks email sender's reputation

can protect

hybrid deployment

as a part of Exchange Online

stand-alone scenario

Audit logging

Zero-hour auto purge (ZAP)

Anti-Phishing protection

Anti-Malware protection

Anti-Spam protection

protects data

Information Protection

CASB
Monitoring
Discovery
Data
in Use

data kept within a Trusted Execution Environment (TEE)

in Motion

TLS encrypted

at Rest

encrypted

Policy
SCCM
InTune

Security Management

Microsoft security centre
Policies
Classification

labelling

Advanced Hunting

measure of orgs security posture

Action centre

Automated Investigation & Response (AIR)

requires O365 ATP P2

repeat

determines additional investigations need

performs remediation

determines need for action

available to both E3 + E5

Incidents
Home
Governance & Compliance
General Data Protection Regulation (GDPR)

Protection

Sharing

copy & saveas

screenshots

cut & paste

USB ports/drives

Leak

monitor & audit access to data

restrict device sharing

separation

control apps access corp data

remote wipe

corp data encrypted & separated by certificates

personal data untouched

device

protection

application restrictions

encrypted data transfers

employees, devices are mobile

Storage

Auditing to prove compliance

Need to track data breaches & report on them

System for monitoring, managing, reporting

Who will have access

Who is responsible for protection?

Is the data protected?

How and where is data stored?

Data Use

obtained correct consent

archived data methodology

can you respond to requests

update customer data collection media

new data policies, processes, staff training

identify and classify data as personal

applies to old and new data

99 Articles

Increased duty for data protection

International transfer (art 44)

Data Protection impact assessments (art 35)

Data Protection officers (art 37,38,39)

Security (art 32)

Personal data breaches (art 33)

Data protection by design & default (art 25)

Transparent data policies

Code of conduct (art 40,42)

Documentation (art 30)

contracts (art 6)

Accountability & governance (art 34)

Enhanced rights for personal privacy

Lawful basis for processing data (article 6)

Special category data

Criminal offense data

legitimate interests

public task

vital interests

legal obligation

contract

consent

Individual rights (article 12)

children (art 8)

rights related to automated decision making (profiling) (art 22)

right to object (art 21)

right to data portability (art 20)

right to restrict processing (art 18)

right to erasure (art 17)

right of rectification (art 16)

right of access (art 15)

right to be informed (art 13)

Security Transformation
Vulnerability Management

Visibilty & Measurement of Risk

Hybrid Cloud

3rd Party SaaS Risk

Discovery & Risk Assessment

Platform Investments

Software Vulnerabilities

Visibility, Control & Guidance

Imperatives

Guidance

automated remediation (playbooks)

vulnerabilities with Azure resources

security baselines (>180+)

Security & Compliance Centre

Secure Score

Windows Security Analytics

Azure AD Identity Protection Security reports

risk based policies

Remediation recommendations

Controls

deploy partner solutions

Prevention

Applications

Storage & Data

Networking

Compute

General

Security Policy

control security of resources cloud and on-premises

Threat Management

Data Loss Prevention

Permissions

Azure> Device profiles

define Conditional Access

Visibility

Infrastructure

Azure Security Centre

Detection

Security Alerts

monitor security of resources cloud and on-premises

Apps & Data

Cloud App Security

O365 Security & Compliance

Reports

Search & Investigate

Content search

eDiscovery

search Audit logs

Alerts

Devices

Windows Defender Security Centre

Identity

Azure

AD

PIM

Reporting

Usage

Access

Visibility, Control & Recommendations

Success Criteria
Key Principles
Cloud more Secure
Shared Responsibility
Assume Compromise
Productivity & Security
Ruin Attacker ROI

Change Economics