Identity Driven Security

Daniel Dickinson EMEA Identity and Advanced Security Architecture GBB Cybersecurity Solutions Group

ATTACKERS USING IDENTITY TACTICS

MODERN PERIMETER (Identity Controls) vs. CLASSIC PERIMETER (Network Controls)

Network → Zero Trust Access Control

Conditional Access / App Control / Traditional Approach

In the context of today, who are ‘we’?

Microsoft does more than sell software.

We also are:
• a leading provider of cloud platforms
• an operator of many large SaaS applications
• a large org, with a complex IT footprint of our own

We, like you, are deeply responsible for the security of our offerings… We’re doing this for a living too!

YOU (WE) HAVE A PROBLEM: DROWNING IN DATA
• INTELLIGENCE: TI is acquired from providers, web searches, news feeds, peers, suppliers, etc. Ingestion is difficult, untimely and ad-hoc; purchased TI is a ‘lookup resource’.
• DETECTION: Insights come from logs, support calls, core services, humans, ‘scanners’, etc.
• SIEMS: Signals growing far faster than staffing; new sources welcomed with a

WHERE WE NEED TO BE
• INTELLIGENCE should be part of the security framework, not just a referenced artefact
• DETECTION: Detectors should be automated, correlated and interlinked in their findings
• SIEMS: Must reduce the busy work of incident roll-up, response, and management

WHAT IT MEANS FOR YOU

Unauthorized data access

THE END STATE (word cloud): System updates, Multi-factor authentication, Spam, Device log-ins, Data encryption, User accounts, Enterprise security, Phishing, Denial of service, Attacks, User log-ins, Malware

THE LANDSCAPE WE ARE ASKED TO PROTECT (YOU ARE HERE)

• Several SaaS apps
• Lots of servers/VMs
• Some partners we collaborate with
• Many repositories of sensitive data (HR, Legal, R&D, M&A, Finance)
• Lots of users with PCs and devices
• Managed network gear
• Several ‘vendors’ working from outside the trust perimeter, with their unmanaged PCs and devices

THE SENSORS FABRIC WE DEPLOY
Cloud (CENTRALIZED INTELLIGENCE):
• Threat Intelligence (TIaaS)
• Data Loss Prevention (Office IP/DLP)
• Directory Services (AAD)
• Malware Detection (Office ATP/Sonar)
• Cloud DC Management (ASC)
• User/Entity Behavior Analytics (AADIP)
• Classification and Information Protection (AIP)
• Cloud Application Security Broker (MCAS)
• Federation Services (ADFS)
On Premises (LOCALIZED INTELLIGENCE):
• User/Entity Behavior Analytics (ATA)
• Directory Services (AD)
• Mobile Device Management (Intune)
• DC Management (OMS)
• Endpoint Protection (Defender)

DISTRIBUTING INTELLIGENCE VIA THE GRAPH
• Rich interconnection
• Contextual deductions
• Near real time interactions
• Improved ability to auto-remediate
Graph consumers: Programmatic Access, Security Consoles

Graph consumers: Advanced Visualizations, Email / Team Security Bots

SPECIALISTS PREFER SPECIAL TOOLING
[Screenshot: Azure Information Protection analytics dashboard, report period last 30 days. Panels: Active users; Labeled items (files, mail items); Protected items; Policy enforcement point clients (endpoints, SharePoint Online, Exchange Online, Adobe PDF publisher, Microsoft Cloud App Security, Azure SQL, Windows devices, Azure Information Protection Scanner); Items labeled by label name (Non business, Public, General, Confidential, Highly Confidential) and by method (Default label, Automatic, Manual - set by user, Recommended - set by user); Data Discovery and Risk (items discovered and items at risk across Endpoints, On-prem repositories, SharePoint Online, Exchange, SaaS, SQL, shared externally).]

SECOPS IS A SPECIALIST TOO

Introducing Azure Sentinel: a console
• anchored in incident management
• to navigate ‘fused’ incidents in micrograph form
• tuned to facilitate common tasks via actions/runbooks
• enables the analyst to provide feedback to the graph (FN/FP)

Security Bot | Microsoft Teams: a security-focused ChatBot
• In-situ assistance for tedious tasks.
• CC a Security bot on an email to get an IP address lookup.
• Be invited to a chat session to have a richer interaction.
• The tedious tasks are greatly streamlined, leaving SecOps to work on the hard stuff.

Automating Security Workflows

Centralized alert automation and orchestration with custom workflows and processes across apps, endpoints, identity and more

Conditional actions based on alert details

Automate the triage and investigation of alerts by triggering a playbook from any alert

Enables integration with ecosystem of connectors in Microsoft Flow incl. >100 3rd party connectors such as ServiceNow, Jira and DocuSign

100% Fidelity Programmatic Access

• Extends Microsoft Graph
• Contributors to the graph (Detectors) create securityDetection nodes
• Aggregated detections create and/or extend securityIncident nodes
• Storage for each node is the responsibility of the node provider: the graph is NOT a central store of all data; it’s the discovery mechanism and shared lingua franca across all providers.
• Enriched nodes only appear if their associated ‘product’ was purchased.
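To make the three architectural points above concrete (providers own storage, detections aggregate into incidents, enriched nodes are gated by product entitlement), here is an added toy model written for this page. It is not Microsoft's code and not the Microsoft Graph Security API; the class names, the tenant "contoso", the product labels and the sample detections are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass(frozen=True)
class DetectionRef:
    """Lightweight node the graph stores: an id plus routing info, no payload."""
    node_id: str
    provider: str   # name of the contributing detector
    product: str    # product a tenant must own for the node to be visible
    entity: str     # user or host the detection concerns
    severity: int   # 1 = low .. 3 = high


@dataclass
class Incident:
    """Aggregate node created or extended as detections about an entity arrive."""
    incident_id: str
    entity: str
    detection_ids: List[str] = field(default_factory=list)
    providers: Set[str] = field(default_factory=set)
    max_severity: int = 0


class Provider:
    """A detector that keeps its own payloads; the graph only receives references."""

    def __init__(self, name: str, product: str) -> None:
        self.name = name
        self.product = product
        self._store: Dict[str, dict] = {}   # full detection records live here
        self._seq = 0

    def emit(self, entity: str, severity: int, detail: str) -> DetectionRef:
        self._seq += 1
        node_id = f"{self.name}-{self._seq}"
        self._store[node_id] = {"entity": entity, "severity": severity, "detail": detail}
        return DetectionRef(node_id, self.name, self.product, entity, severity)

    def fetch(self, node_id: str) -> dict:
        return self._store[node_id]


class DiscoveryGraph:
    """Shared index across providers: discovery and correlation, not storage."""

    def __init__(self) -> None:
        self._providers: Dict[str, Provider] = {}
        self._detections: Dict[str, DetectionRef] = {}
        self._incidents: Dict[str, Incident] = {}      # keyed by entity
        self._entitlements: Dict[str, Set[str]] = {}   # tenant -> owned products

    def register_provider(self, provider: Provider) -> None:
        self._providers[provider.name] = provider

    def grant(self, tenant: str, product: str) -> None:
        self._entitlements.setdefault(tenant, set()).add(product)

    def contribute(self, ref: DetectionRef) -> Incident:
        """Store the reference and create or extend the incident for its entity."""
        if ref.provider not in self._providers:
            raise ValueError(f"unregistered provider {ref.provider}")
        self._detections[ref.node_id] = ref
        inc = self._incidents.get(ref.entity)
        if inc is None:
            inc = Incident(f"inc-{len(self._incidents) + 1}", ref.entity)
            self._incidents[ref.entity] = inc
        inc.detection_ids.append(ref.node_id)
        inc.providers.add(ref.provider)
        inc.max_severity = max(inc.max_severity, ref.severity)
        return inc

    def incident_for(self, entity: str) -> Incident:
        return self._incidents[entity]

    def visible_detections(self, tenant: str, entity: str) -> List[DetectionRef]:
        """Enriched nodes appear only if the tenant owns the providing product."""
        owned = self._entitlements.get(tenant, set())
        return [self._detections[i] for i in self.incident_for(entity).detection_ids
                if self._detections[i].product in owned]

    def resolve(self, node_id: str) -> dict:
        """Follow the reference back to its provider; the graph holds no payload."""
        ref = self._detections[node_id]
        return self._providers[ref.provider].fetch(node_id)


def demo() -> dict:
    graph = DiscoveryGraph()
    uba = Provider("identity-uba", "AADIP")       # constructed provider names
    mail = Provider("mail-filter", "Office ATP")
    graph.register_provider(uba)
    graph.register_provider(mail)
    graph.grant("contoso", "AADIP")   # constructed tenant owning one product only
    # Constructed detections about the same user from two independent providers.
    graph.contribute(mail.emit("alice@example.test", 2, "phishing attachment opened"))
    inc = graph.contribute(uba.emit("alice@example.test", 3, "impossible-travel sign-in"))
    visible = graph.visible_detections("contoso", "alice@example.test")
    return {
        "incident_id": inc.incident_id,
        "detections": len(inc.detection_ids),
        "providers": sorted(inc.providers),
        "max_severity": inc.max_severity,
        "visible_to_contoso": [v.node_id for v in visible],
        "resolved_detail": graph.resolve(visible[0].node_id)["detail"],
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows both detections fused into a single incident with the higher severity, while the tenant that only owns AADIP sees just the identity provider's node; resolving that node fetches the full record from the provider rather than from the graph.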

Zero Trust Access Control: Conditional Access / App Control

Microsoft Cybersecurity Reference Architecture (https://aka.ms/MCRA, video recording available). Labels visible on the slide:
• Security Operations Center: provide actionable security alerts, raw logs, or both
• Strategies: Securing Privileged Access; Office 365 Security; Rapid Cyberattacks (Wannacrypt/Petya)
• Office 365, Dynamics 365
• Data Loss Protection, Data Governance, eDiscovery
• SQL Encryption & Data Masking
• +Monitor: Integrated Protection / Detection
• Azure AD Identity Protection: identity protection and conditional access
• Cloud App Security (portal.cloudappsecurity.com): extends protection & conditional access to other cloud apps

ATTACK TIMELINE (slide diagram)
Entry: brute force an account or use stolen account credentials; phishing (user opens a mail attachment, clicks on a URL, or browses to a website) → Exploitation & Installation → Command & Control → User account compromised → Attacker attempts lateral movement → Privileged account compromised → Domain compromised → Attacker accesses & exfiltrates sensitive data
Capability overlay:
• Office ATP (protection.office.com)
• Microsoft Defender ATP (securitycenter.windows.com): pre and post-breach protection/detection
• Azure ATP (portal.atp.azure.com): identity protection
• Azure Sentinel (portal.azure.com): Security Information & Event Management (SIEM), Security Orchestration, Automation & Response (SOAR), Hunting

Microsoft Internal Confidential: Do Not Share Externally

Attack Timeline Framework – Capability Mapping
Key: E3; Security E5; Compliance E5
Phases: Enter → Establish → Expand → Endgame
Threat rows: Phishing Attacks; Document Malicious Macros; Malicious Software; Browser Exploits; Mass storage Devices; Privilege Escalation; Lateral Movement; Identity Theft; Intellectual Property Theft; Damage And Disruption
Capabilities on the grid (cell-to-phase placement is not recoverable from the text): Exchange Online Protection; Office 365 Advanced Threat Protection; Microsoft Defender Advanced Threat Protection; Azure Advanced Threat Protection; Advanced e-discovery; Azure Active Directory Identity Protection; Microsoft Defender Threat Experts; Azure Privileged Identity Management; Azure Information Protection; Azure Active Directory Conditional Access; Microsoft Defender Threat & Vulnerability Management; Microsoft Cloud App Security; Azure Active Directory Rights Management Service; Azure Active Directory Multi-Factor Authentication; Office 365 Data Loss Prevention; OneDrive for Business File Restore; Windows Defender Antivirus; Windows Defender Credential Guard; Windows Defender Application Guard; Windows Defender Exploit Guard; Windows Defender Network Protection; Windows Defender Attack Surface Reduction; Windows Defender Controlled Folder Access; Windows Defender System Guard; Windows Defender Application Control; Windows Information Protection; Windows Hello for Business; Azure Sentinel (Azure, per GB billing)

MICROSOFT AZURE SENTINEL: Modernize your security operations with Azure Sentinel, our next generation SIEM
Event orchestration across:
• Cloud & Hybrid Infrastructure
• Azure Security Center
• 3rd party data sources
• Microsoft 365 Security Center
Microsoft Threat Protection automation:
• Identities: Azure Active Directory, Azure ATP
• Endpoints: Windows Defender ATP
• Data & Email: Office 365 ATP
• Cloud Apps: Microsoft Cloud App Security