Identity Driven Security
Daniel Dickinson, EMEA Identity and Advanced Security Architecture GBB, Cybersecurity Solutions Group, Microsoft
ATTACKERS USING IDENTITY TACTICS
MODERN PERIMETER (Identity Controls) / CLASSIC PERIMETER (Network Controls)
Network → Zero Trust Access Control
Conditional Access App Control / Traditional Approach
In the context of today, who are ‘we’?
Microsoft does more than sell software.
We also are:
• a leading provider of cloud platforms.
• an operator of many large SaaS applications.
• a large org, with a complex IT footprint of our own.
We, like you, are deeply responsible for the security of our offerings… We’re doing this for a living too!
YOU (WE) HAVE A PROBLEM: DROWNING IN DATA
INTELLIGENCE: TI is acquired from providers, web searches, news feeds, peers, suppliers, etc. Ingestion is difficult, untimely and ad-hoc: purchased TI is a ‘lookup resource’.
DETECTION: Insights come from logs, support calls, core services, humans, ‘scanners’, etc.
SIEMS: Signals growing far faster than staffing; new sources welcomed with a
WHERE WE NEED TO BE
DETECTION: Detectors should be automated, correlated and interlinked in their findings.
SIEMS: Must reduce busy work of incident roll-up, response, and management.
WHAT IT MEANS FOR YOU
THE END STATE: Unauthorized data access, System updates, Multi-factor authentication, Spam, Device log-ins, Data encryption, User accounts, Enterprise security, Phishing, Denial of service, Attacks, User log-ins, Malware
THE LANDSCAPE WE ARE ASKED TO PROTECT (YOU ARE HERE)
Several SaaS apps
Lot of servers/VMs Some partners we collaborate with
Many repositories of sensitive data (HR, Legal, R&D, M&A, Finance)
Lot of users with PCs and devices
Managed network gear
Several ‘vendors’ working from outside the trust perimeter, with their unmanaged PCs and devices
THE SENSORS FABRIC WE DEPLOY
CENTRALIZED INTELLIGENCE (Cloud): Threat Intelligence (TIaaS); Data Loss Prevention (Office IP/DLP); Directory Services (AAD); Malware Detection (Office ATP/Sonar); Cloud DC Management (ASC); User/Entity Behavior Analytics (AADIP); Classification and Information Protection (AIP); Federation Services (ADFS); Cloud Application Security Broker (MCAS)
LOCALIZED INTELLIGENCE (On Premises): User/Entity Behavior Analytics (ATA); Directory Services (AD); Mobile Device Management (Intune); DC Management (OMS); Endpoint Protection (Defender)
DISTRIBUTING INTELLIGENCE VIA THE GRAPH: Rich interconnection; Contextual Deductions; Near real time interactions; Improved ability to auto-remediate; Programmatic Access; Security Consoles; Advanced Visualizations; Email / Team Security Bots
SPECIALISTS PREFER SPECIAL TOOLING
Report period: last 30 days
[Azure Information Protection analytics dashboard: Active users 98,201; Labeled items 8.42M files, 14.2M mail items; Protected items 869.2k files, 2.14M mail items. Period selector: Last day / Last 7 days / Last 30 days / All period.]
[Policy enforcement point clients (client, enforced on, labeled items): Microsoft Office Clients, 98,201 endpoints, 17,200,931; SharePoint Online, all sites, 5,092,019; Microsoft Exchange Online, all mailboxes, 2,019,557; Adobe PDF publisher, 6,901 endpoints, 128,134; Microsoft Cloud App Security, 3 sanctioned apps, 21,013; Azure SQL, 4 tables (/databases?), 48,013; Windows devices, 149,293 endpoints, 32,010; Azure Information Protection Scanner, 2 scanners, 8,320,108.]
[Charts: items labeled by label name (Non business, Public, General, Confidential, Highly Confidential) and by method (Default label, Automatic, Manual - set by user, Recommended - set by user).]
[Data Discovery and Risk, showing information for Confidential \ XBOX: 498,709 items discovered, 53,644 items at risk; data locations: Endpoints, On-prem Repositories, SharePoint Online, Exchange, SaaS, SQL, shared externally (per-location counts not recoverable from the extraction).]
SECOPS IS A SPECIALIST TOO
A console
• anchored in incident management
• to navigate ‘fused’ incidents in micrograph form
• tuned to facilitate common tasks via actions/runbooks
• enables the analyst to provide feedback to the graph (FN/FP)
Introducing Azure Sentinel
Security Bot | Microsoft Teams: Security-focused ChatBot
• In-situ assistance for tedious tasks.
• CC a Security bot on an email to get an IP address lookup.
• Be invited to a chat session to have a richer interaction.
• The tedious tasks are greatly streamlined, leaving SecOps to work on the hard stuff.
Automating Security Workflows
Centralized alert automation and orchestration with custom workflows and processes across apps, endpoints, identity and more
Conditional actions based on alert details
Automate the triage and investigation of alerts by triggering playbook from any alert
Enables integration with ecosystem of connectors in Microsoft Flow incl. >100 3rd party connectors such as ServiceNow, Jira and DocuSign
100% Fidelity Programmatic Access
• Extends Microsoft Graph
• Contributors to the graph (Detectors) create securityDetection nodes
• Aggregated detections create and/or extend securityIncident nodes
• Storage for each node is the responsibility of the node provider – the graph is NOT a central store of all data; it’s the discovery mechanism and shared lingua franca across all providers.
• Enriched nodes only appear if their associated ‘product’ was purchased.
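To make the detection/incident node pattern above and the conditional playbooks from the Automating Security Workflows slide concrete, here is an added Python illustration. It is not Microsoft Graph, Azure Sentinel or Microsoft Flow code: the node fields, the provider names (identity, endpoint, cloudapp), the action names and the sample detections are all constructed assumptions for the example. It fuses detections that share an entity within a time window into incidents, runs conditional actions keyed on the fused incident's details, and returns analyst FN/FP feedback to every provider that contributed a node.

```python
"""Toy model of securityDetection-style nodes fused into securityIncident-style
nodes, with a conditional playbook run over the result. Added example: not
Microsoft Graph, Azure Sentinel or Microsoft Flow code. Node fields, provider
names, action names and the sample detections are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Set


@dataclass
class Detection:
    """A detection node. The provider that raised it keeps the underlying
    evidence; the node carries only what links it to other nodes."""
    id: str
    provider: str           # constructed provider names: identity, endpoint, cloudapp
    category: str
    severity: int           # 1 = low, 2 = medium, 3 = high
    observed_at: datetime
    entities: Set[str]      # shared keys such as "user:alice" or "host:pc-17"


@dataclass
class Incident:
    """An incident node aggregated from linked detections."""
    id: str
    detections: List[Detection] = field(default_factory=list)
    status: str = "open"

    @property
    def severity(self) -> int:
        return max(d.severity for d in self.detections)

    @property
    def entities(self) -> Set[str]:
        return set().union(*(d.entities for d in self.detections))

    @property
    def providers(self) -> Set[str]:
        return {d.provider for d in self.detections}


def fuse(detections: List[Detection], window: timedelta) -> List[Incident]:
    """Link detections that share an entity and were observed within `window`
    of a detection already in an incident. A detection that touches several
    incidents merges them, so each connected group ends up as one incident."""
    incidents: List[Incident] = []
    for det in sorted(detections, key=lambda d: d.observed_at):
        matches = [
            inc for inc in incidents
            if inc.entities & det.entities
            and any(abs(det.observed_at - d.observed_at) <= window for d in inc.detections)
        ]
        if not matches:
            matches = [Incident(id=f"inc-{len(incidents) + 1}")]
            incidents.append(matches[0])
        head, *rest = matches
        for other in rest:                      # merge bridged incidents into the first
            head.detections.extend(other.detections)
            incidents.remove(other)
        head.detections.append(det)
    return incidents


def playbook(inc: Incident) -> List[str]:
    """Conditional actions keyed on incident details. The action names stand in
    for steps an orchestration tool would run (ticketing, session revocation)."""
    actions = ["open_ticket"]
    if inc.severity >= 3 and "identity" in inc.providers:
        actions.append("revoke_sessions")       # identity signal at high severity
    if len(inc.providers) > 1:
        actions.append("assign_tier2")          # cross-product incident needs a human
    return actions


def mark_false_positive(inc: Incident, feedback: Dict[str, List[str]]) -> None:
    """Analyst feedback flows back to every provider that contributed a node."""
    inc.status = "closed_false_positive"
    for d in inc.detections:
        feedback.setdefault(d.provider, []).append(d.id)


def build_sample_incidents() -> List[Incident]:
    """Constructed sample detections: three linked by user:alice within an
    hour, and one unrelated endpoint detection six hours later."""
    t0 = datetime(2019, 6, 1, 9, 0)
    sample = [
        Detection("d1", "identity", "impossible_travel", 2, t0, {"user:alice"}),
        Detection("d2", "endpoint", "suspicious_process", 3, t0 + timedelta(minutes=10),
                  {"host:pc-17", "user:alice"}),
        Detection("d3", "cloudapp", "mass_download", 2, t0 + timedelta(minutes=25),
                  {"user:alice"}),
        Detection("d4", "endpoint", "malware_quarantined", 1, t0 + timedelta(hours=6),
                  {"host:pc-42"}),
    ]
    return fuse(sample, window=timedelta(hours=1))


if __name__ == "__main__":
    feedback: Dict[str, List[str]] = {}
    incidents = build_sample_incidents()
    for inc in incidents:
        print(inc.id, inc.severity, sorted(inc.providers), playbook(inc))
    mark_false_positive(incidents[1], feedback)  # analyst closes the lone quarantine
    print(feedback)
```

The fusion step is deliberately keyed on shared entities rather than on provider-specific alert ids, which is what lets a detection from an identity product and one from an endpoint product land in the same incident; the playbook then branches on properties of the fused incident (max severity, which providers contributed) rather than on any single alert.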
Zero Trust Access Control
Conditional Access App Control
Security Operations Center: Provide actionable security alerts, raw logs, or both
Microsoft Cybersecurity Reference Architecture: https://aka.ms/MCRA (Video Recording; Strategies: Securing Privileged Access, Office 365 Security, Rapid Cyberattacks (Wannacrypt/Petya))
Office 365 / Dynamics 365: Data Loss Protection, Data Governance, eDiscovery; SQL Encryption & Data Masking; +Monitor; Integrated Protection, Detection
Azure AD Identity Protection: Identity protection and conditional access
Cloud App Security (portal.cloudappsecurity.com): Extends protection & conditional access to other cloud apps
Office ATP (protection.office.com)
Microsoft Defender ATP (securitycenter.windows.com): Pre and post-breach protection/detection
Azure ATP (portal.atp.azure.com): Identity protection
Azure Sentinel (portal.azure.com): Security Information & Event Management (SIEM), Security Orchestration, Automation & Response (SOAR), Hunting
Attack chain as drawn: Brute force account or use stolen account credentials / Phishing mail → Opens attachment / Clicks on a URL / User browses to a website → Exploitation & Installation → Command & Control → User account is compromised → Attacker attempts lateral movement → Privileged account compromised → Domain compromised → Attacker accesses sensitive data → Exfiltrate data
Attack Timeline Framework – Capability Mapping
Phases: Enter, Establish, Expand, Endgame
Key: Microsoft 365 E3; Security E5; Compliance E5; Azure (per GB billing)
Attack techniques shown: Phishing Attacks, Document Macros, Malicious Software, Browser Exploits, Mass storage Devices, Privilege Escalation, Lateral Movement, Intellectual Property Theft, Identity Theft, Damage And Disruption
Capabilities shown (phase placement not recoverable from the extraction): Exchange Online Protection, Microsoft Defender Advanced Threat Protection, Azure Advanced Threat Protection, Advanced e-discovery, Office 365 Advanced Threat Protection, Azure Active Directory Identity Protection, Microsoft Defender Threat Experts, Azure Privileged Identity Management, Azure Information Protection, Azure Active Directory Conditional Access, Microsoft Defender Threat and Vulnerability Management, Microsoft Cloud App Security, Azure Active Directory Rights Management Service, Azure Active Directory Multi-Factor Authentication, Office 365 Data Loss Prevention, OneDrive for Business File Restore, Windows Defender Antivirus, Windows Defender Credential Guard, Windows Defender Application Guard, Windows Information Protection, Windows Defender Exploit Guard, Windows Defender Network Protection, Windows Defender Attack Surface Reduction, Windows Defender Controlled Folder Access, Windows Defender System Guard, Windows Hello For Business, Windows Defender Application Control
Microsoft Azure Sentinel: Modernize your security operations with Azure Sentinel
Microsoft Azure Sentinel: Our next generation SIEM
Event orchestration
Data sources: Cloud & Hybrid Infrastructure; Azure Security Center; 3rd party data sources; Microsoft 365 Security Center
Microsoft Threat Protection automation
Identities: Azure Active Directory, Azure ATP
Endpoints: Windows Defender ATP
Data & Email: Office 365 ATP
Cloud Apps: Microsoft Cloud App Security