arabera Kit Ainscough 1 year ago
99
Honelako gehiago
Deep Dives
MRCA
SIEM Integration
SIEM
Integrated Toolset
Dark Markets
Pragmatic intel investment
Machine Learning
Behaviour Analysis
Operations
Integrated Automation
Community Effect
Intelligence Integration + Automation
Common Attack Steps
Attack Steps Detail
Typical Kill Chain
Inside
SIEM integration
SOC integration
A Sentinel
Toolset
Corporate SOC
Corporate SOC Evolved
Corporate SOC Upgraded
MS Corporate SOC
SOC Reference Ops Model
Data Gravity
SOC Signal Rationalisation
Graph Security
Observations
Key Recommendations
Secure AAD
5 enable end user self service
Implement Azure AD access reviews
Implement self-service group and application access
Implement self-service password reset
4 Utilize cloud intelligence
Audit apps and consented permissions
monitor
AAD Identity Protection events
AAD Connect Health in hybrid environments
3 Automate Response
Implement sign-in risk policy using Azure AD Identity Protection
Implement user risk security policy using Azure AD Identity Protection
2 Reduce attack surface
Implement AAD Privileged Identity Management
Restrict user consent operations
Block invalid authentication entry points
Block legacy authentication
Use Conditional Access
1 Strengthen creds
Implement AD FS extranet smart lockout
Ban
commonly attacked passwords
expiry
password complexity
Implement MFA
Protect against leaked creds
Replace passwords
Windows Hello
0 Implement SSO
Steps
Beyond
Key Protections
Quick Wins
Protect
Privileged Lifecycle
Beyond Quick Wins
First 30 days 4-6
First 30 days 1-3
AHN Approach
Using AHN
Isolate Network
Host Hardening
Isolate Admin interfaces
DevSec/PaaS Security
Roadmap
Resources
Roadmap Methodology
Cloud
Cybersecurity Program
Infra Threats
Reference Enterprise Design
O365 Threats
Key Change
Integrate AI and ML
Adopt containment strategies
Enable hardware-based assurance
Invest in preventative controls for each attach phase
ZT AD conditional access
ZT User Access
Modernisation
Visibility & Control
Biometrics
Hardware Assurances
Virtualisation Based Security (VBS)
Integration
ZT Priorities
ZT Principles
ZT Access Control Strategy
ZT Access Control Paradigm
policy driven management
End User self service
Education
Office365 for Education
Intune for Education
same functionality as Enterprise
Enterprise
E5
myAnalytics
PowerBI
E3
AAD P2
Business
business centre
Connections
online presence
Invoicing
Listings
email marketing
Bookings
automated win10 installation
flow
powerapps
staffhub
<300 users
Insight into cloud apps
feature subset of MS Cloud App Security
App discovery
Identify Shadow IT
Threat Detection
Anomoly detection policies
identify high risk/abnormal usage
Insights
Insight Types
Widgets
Pivoted Insights
Alert Policies
Alert Types
Intel
First Party
Basic
Management Activity API
Policies & Alerts
templates
Anomoly detection
Activity
Threat Dashboard
Admin Centers
Security&Compliance
Service assurance
Advanced eDiscovery
Search
Productivity app discovery
O365 Cloud App Security
Audit log search
Data privacy
GDPR dashboard
Discover
ATP Safe Attachments
ATP Safe Links
ATP Anti-phishing
Anti-malware
Supervision
Data governance
Retention
Archive
Import
Label activity explorer
Dashboard
Toolbox
Records Management
File Plan
App permissions
Sensitivity labels
Retention labels
Exchange
Mail flow
Rules
Create a new rule
Protect against ransomware
Stop auto-forwarding
Users
Active Users
...
Settings
Services & Addins
Microsoft Azure Information Protection
Uses Rights Management
Windows server
Windows10
Smartscreen & App reputation
BitLocker device encryption
SecureBoot
Windows Defender Exploit Guard
Windows Defender Application Controls
MS Defender ATP
Automated Investigations & Remediations
EDR
Next-Gen Protection
Threat & Vulnerability Management
Attack Surface Reduction
Windows Defender Application Guard (WDAC)
Hardware based security
Data Execution Prevention (DEP)
Address Space Layout Randomization (ASLR)
Early Launch Anti Malware (ELAM)
Trusted Boot
Trusted Platform Module (TPM)
root chain of trust for creds and keys
Windows 10 automatic TPM initialization
Generate, store, and limit the use of cryptographic keys
has a unique RSA key burned into it
platform device authentication
a secure crypto-processor
UEFI Secure Boot
helps to protect the startup process and firmware against tampering
UEFI Secure Boot is a security standard for firmware built in to PCs
Azure AD
https://docs.microsoft.com/en-au/azure/active-directory/
Domain Services
https://docs.microsoft.com/en-au/azure/active-directory-domain-services/overview
Device mangement
https://docs.microsoft.com/en-au/azure/active-directory/devices/overview
Conditional access
https://docs.microsoft.com/en-au/azure/active-directory/conditional-access/overview
B2C
https://docs.microsoft.com/en-au/azure/active-directory-b2c/active-directory-b2c-overview
Customers use social/enterprise/loca accnts to access API/Apps
B2B
https://docs.microsoft.com/en-au/azure/active-directory/b2b/what-is-b2b
Guest user access
Application management
https://docs.microsoft.com/en-au/azure/active-directory/manage-apps/what-is-single-sign-on
SSO
Authentication
https://docs.microsoft.com/en-au/azure/active-directory/authentication/concept-mfa-howitworks
MFA
Hybrid Identity
https://docs.microsoft.com/en-au/azure/active-directory/hybrid/whatis-hybrid-identity
Identity Governance
https://docs.microsoft.com/en-au/azure/active-directory/governance/create-access-review
Identity Protection
https://docs.microsoft.com/en-au/azure/active-directory/identity-protection/overview
Azure Sentinel
https://docs.microsoft.com/en-us/azure/sentinel/overview
MITRE
SIEM + SOAR
Architecture
Azure ATP Cloud service
Azure ATP Portal
Azure ATP sensor
monitors DC resources
monitors DC traffic
domain synchroniser
receives RADIUS traffic
resolves users, groups, computers
inspects Domain Controller traffic
Investigate Alerts and User Activities
Identify Suspicious Activities & Advanced Attacks across Cyber-Attack Kill-Chain
Domain dominance
Lateral movement
Compromised Creds
Reconnaissance
Protect User Identities & Reduce Attack Surface
Monitor and profile User Behaviour
MS Cloud App Security
Conduct forensic investigations
Detect Cloud threats, compromised creds, malicious insiders, ransomware
Secure Collaboration with external users
Protect / Block downloads of protected data to risky devices
Enforce DLP & Compliance
Discover, Label, Classify, Protect data
Discover and Assess Cloud Apps
Conditional Access App Control
App Risk Score
malicious URLs and files in Office docs
Attack Simulator
Automated Investigation & Response
Threat Investigation & Response
Threat Explorer
Threat trackers
O365 ATP P1 + the following
Threat Protection Policies
ATP Anti-Phishing
ATP for SharePoint, OneDrive, Teams
ATP Safe-Links
ATP Safe-Attachments
use S/MIME
requires
setup Outlook to EAS endpoint to use S/MIME
setup virtual certificate collection
synchronise user certificates from AD DS to AAD (DirSync)
publish user certificate in on-prem AD DS account
AD Certificate Services
digitally sign emails
encrypt emails
cloud-based email filtering service
use directory based Edge Blocking
rejects email sent to invalid recipients
mail flow intelligence
mail sent via connectors
non-delivery report (NDR)
notifications
queueing errors
mail flow rules
properties
priority
test rule
enforce rule
time period
actions
block
insert
add subject prefix
add recipients
redirect
delete
reject
exceptions
conditions
and
or
mail flow thru EOP DC
5 delivery
4 content filtering
3 policy filtering
DLP checks
custom mail flow rules
2 malware filtering
1 checks email sender's reputation
can protect
hybrid deployment
as a part of Exchange Online
stand-alone scenario
Audit logging
Zero-hour auto purge (ZAP)
Anti-Phishing protection
Anti-Malware protection
Anti-Spam protection
data kept within a Trusted Execution Environment (TEE)
TLS encrypted
encrypted
labelling
measure of orgs security posture
Automated Investigation & Response (AIR)
requires O365 ATP P2
repeat
determines additional investigations need
performs remediation
determines need for action
available to both E3 + E5
Protection
Sharing
copy & saveas
screenshots
cut & paste
USB ports/drives
Leak
monitor & audit access to data
restrict device sharing
separation
control apps access corp data
remote wipe
corp data encrypted & separated by certificates
personal data untouched
device
protection
application restrictions
encrypted data transfers
employees, devices are mobile
Storage
Auditing to prove compliance
Need to track data breaches & report on them
System for monitoring, managing, reporting
Who will have access
Who is responsible for protection?
Is the data protected?
How and where is data stored?
Data Use
obtained correct consent
archived data methodology
can you respond to requests
update customer data collection media
new data policies, processes, staff training
identify and classify data as personal
applies to old and new data
99 Articles
Increased duty for data protection
International transfer (art 44)
Data Protection impact assessments (art 35)
Data Protection officers (art 37,38,39)
Security (art 32)
Personal data breaches (art 33)
Data protection by design & default (art 25)
Transparent data policies
Code of conduct (art 40,42)
Documentation (art 30)
contracts (art 6)
Accountability & governance (art 34)
Enhanced rights for personal privacy
Lawful basis for processing data (article 6)
Special category data
Criminal offense data
legitimate interests
public task
vital interests
legal obligation
contract
consent
Individual rights (article 12)
children (art 8)
rights related to automated decision making (profiling) (art 22)
right to object (art 21)
right to data portability (art 20)
right to restrict processing (art 18)
right to erasure (art 17)
right of rectification (art 16)
right of access (art 15)
right to be informed (art 13)
Visibilty & Measurement of Risk
Hybrid Cloud
3rd Party SaaS Risk
Discovery & Risk Assessment
Platform Investments
Software Vulnerabilities
Imperatives
Guidance
automated remediation (playbooks)
vulnerabilities with Azure resources
security baselines (>180+)
Security & Compliance Centre
Secure Score
Windows Security Analytics
Azure AD Identity Protection Security reports
risk based policies
Remediation recommendations
Controls
deploy partner solutions
Prevention
Applications
Storage & Data
Networking
Compute
General
Security Policy
control security of resources cloud and on-premises
Threat Management
Data Loss Prevention
Permissions
Azure> Device profiles
define Conditional Access
Visibility
Infrastructure
Azure Security Centre
Detection
Security Alerts
monitor security of resources cloud and on-premises
Apps & Data
Cloud App Security
O365 Security & Compliance
Reports
Search & Investigate
Content search
eDiscovery
search Audit logs
Alerts
Devices
Windows Defender Security Centre
Identity
Azure
AD
PIM
Reporting
Usage
Access
Visibility, Control & Recommendations
Change Economics