White Paper - Defending Infrastructure

This document provides best practices for infrastructure security, including: 1) Guidance for preparing to respond to cybersecurity incidents by identifying high-value assets, validating software deployment and backup capabilities, and preparing investigation and recovery procedures. 2) Recommendations for mitigating risks from ransomware and destructive attacks through access control, backup strategies, and isolating compromised systems. 3) Suggestions for securing privileged accounts by following the Securing Privileged Access roadmap and tracking costs of security incidents for risk management. 4) Advice for modernizing Security Operations Centers with advanced threat detection, investigation tools, and analyst skills.

Defending Infrastructure – Cybersecurity Threats and Best Practices

Contents

Introduction 3
Best Practices On Infrastructure Security 4
Guidance on responding to an incident (IR Guidance) 5
Guidance on mitigating the risk of rapid cyberattacks (ransomware/destructive attacks) 10
Guidance on securing privileged accounts 12
Modernizing Security Operations Centers (SOCs) 18

2 Defending Infrastructure – Cybersecurity Threats and Best Practices


Introduction

Microsoft understands that cybersecurity is complicated. Microsoft security experts have prepared this document to provide guidance on best practices for infrastructure security and to help organizations better understand potential threats to their infrastructure.

This document includes guidance to help a variety of organizations proactively address cybersecurity protections and secure systems commonly targeted by malicious actors. It also illustrates some of the greatest infrastructure security challenges and provides guidance on how to plan for effective protections.

It is also essential to know that Microsoft can assist with other security needs beyond the scope of this document. For example, this document covers modernizing security operations centers (SOCs), another relevant conversation on advanced security. We are standing by and prepared to support a business relationship with your organization.

Best Practices On Infrastructure Security


Guidance on responding to an incident (IR Guidance)

KEY TAKEAWAYS

• Preparation pays off – Preparing for a major incident can reduce damage to the organization, as well as reduce incident cost and management difficulty.
• Operationalize incident management processes – Managing major cybersecurity incidents must be part of standard business risk management processes.
• Coordination is critical – Effective cybersecurity incident management requires collaboration and coordination of technical, operations, communications, legal, and governance functions.
• Stay calm and do no harm in an incident – Overreacting can be as damaging as underreacting.

PREPARATION

This section will help organizations plan key aspects of building or updating their enterprise breach response plan across these key functions:

• Technology
• Operations
• Legal
• Communication

Good preparation for responding to a cybersecurity attack can significantly reduce the business risk of an attack and the difficulty of managing the response and recovery.

This section describes which preparation actions have the greatest impact on responding to a cybersecurity attack.

Technology

The preparation for response to and recovery from a major cybersecurity incident should include proactive steps to defend against, detect, and respond to such an incident.

Microsoft recommends following the Securing Privileged Access (SPA) guidance as a critical first step to establishing security assurances for business assets in a modern organization. http://aka.ms/sparoadmap

To prepare to respond, Microsoft recommends the following:

GENERAL PREPARATIONS

Identify High-Value Assets (HVAs) – Organizations need to identify the critically important business assets and their technical composition (servers, applications, data files, etc.). This inventory of HVA components is critical for recovery plans to rapidly assess, contain/isolate, and recover these critical assets during an incident that spreads through the production environment. This identification will also be useful for prioritizing protective and detective controls for these assets and identifying threats to them.

Confirm Reliable Software Deployment – Validate that operations can rapidly execute scripts/installers on all endpoints. In Microsoft’s experience, incomplete or unreliable software deployment systems can significantly hamper recovery efforts.

INVESTIGATION PREPARATIONS

Threat detection and monitoring capabilities – Ensure access to tools and skills that allow detection of advanced attackers in an organization’s environment. These capabilities are constantly evolving, but an advanced program currently would include:

• Event correlation and analysis
• Integrated threat intelligence
• User and Entity Behavioral Analytics
• Ability to detect with both Indicators of Compromise (IOCs) for historical patterns and Indicators of Attack for evolving techniques
• Machine learning analytics

The most critical basic detection capabilities are called out specifically in the SPA roadmap (above).

Investigation and Forensic capabilities – Confirm access to advanced tools and skills to investigate targeted attacks, including malware analysis and attack activity analysis that can produce a comprehensive attack timeline. Organizations can get access to these capabilities by purchasing tools and hiring analysts, or retain access via external entities or professional services.


Track and analyze response costs – To enable better risk management, keep a record of the costs involved in responding to the incident. This should include both direct costs (external services, credit reporting for customers, etc.) and the internal cost of the time spent on investigation and recovery, as well as the negative impact on the organization’s business and mission.

RECOVERY PREPARATIONS

Validated backup and recovery capability for critical data – For example, preparing for a destructive attack that deletes or encrypts data (such as ransomware) requires a validated ability to recover critical data using an offline and/or ransomware-resistant backup capability (such as Microsoft Azure Backup).

Create technical documentation/automation – Write and validate technical documentation (and/or automation) for procedures that are frequently required during a security incident, including:

Compromised account recovery procedures that include consideration of:

• Levels of confidence on account compromise (active attacker use, account credentials exposed on a known compromised host, suspicious account behavior, etc.)
• How to validate whether accounts were tampered with using offline backups, change logs, or other systems of record
• Whether to reset the password or rapidly recreate the account
• How to handle potential conflicts/integration with the Identity Management system during any account recreation

Compromised host recovery procedures for both workstations and servers. This should include:

• Host OS (and Application) rebuild procedures
• Cleaning procedures and criteria for when to clean vs. rebuild (if “cleaning” a host is deemed acceptable at your organization)

Network segregation and isolation procedures including the ability to:

• Search and monitor internet egress point logs for attacker Command and Control (C2) channels
• Block attacker C2 channels at internet egress points
• Isolate HVAs from other endpoints in the production environment (such as compromised workstations and servers), if feasible.

Performing password resets and C2 channel blocking alone is ineffective without also detecting and removing attacker malware from hosts.

Operations

Managing a cybersecurity incident is full of technical complexities, unknown variables, and elevated emotions. Because of the potentially severe impact on business operations, a clear business case can be made to divert efforts, resources, and time to conducting the planning and preparation necessary during a cyber incident.

In the recent EY GISS survey, 57% of organizations rated business continuity management (BCM) as their joint top priority, alongside data leakage/data loss prevention.

US NIST has published a useful document with many important considerations that highlights the need for preparation: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf

This section is designed to help reduce organizational risk by sharing learnings and recommended practices for operations.

CRITICAL PREPARATIONS

Adopt Incident Command System (ICS) for Crisis Management – Major incidents represent an organizational crisis and require a temporary command structure to manage them (if one doesn’t already have a permanent function for this). ICS is used extensively in natural disasters and has proven itself extremely valuable in multiple cybersecurity incidents.


Establish a Framework – Confirm the existence of a framework that defines the incident response program.

Exercise Your Crisis Process – Establish a recurring schedule for exercising crisis teams and processes on relevant scenarios across all responsibility levels. This schedule should include exercises of individual components as well as tabletop exercises that include all stakeholders (including legal, communications, and organizational leadership). Organizations should also validate non-intrusive technical procedures, including backup recovery and threat detection tools, during these exercises.

Emergency Approval Process – Confirm the existence of a streamlined emergency approval process for handling rapid changes during an emergency/incident (e.g., authority to judge/approve rapid change proposals and provisions to capture changes and feedback through process afterward).

Establish Clear Guidelines for Escalation – Document thresholds for when internal investigations should escalate to specialists and external investigation teams. These can be based on time spent, complexity, unknown malware, specific adversary, etc.

HALLMARKS OF A STRONG RESPONSE PROGRAM

Because of the complexity of modern organizations, the ideal response program will vary from industry to industry and organization to organization. The general attributes of a strong incident response and recovery program are:

Strongly integrated with:
• Business priorities and leadership
• IT Operations
• Business Continuity Management and Disaster Recovery
• Context from internal and external sources

Continuous learning culture and processes:
• Postmortems performed and lessons learned integrated
• Regular exercises and red team validation

Documentation:
• High level of familiarity with the response framework by all stakeholders
• Detailed technical recovery instructions (or automation) for IT and Security Professionals

Technical Readiness for major incidents:
• Access to technical proficiency with security systems and business critical systems
• Access to experience on operational, communications, and legal aspects of security incidents (via internal teams and/or partnerships/retainers with external organizations)

KEY LESSONS LEARNED

More mature programs have taken into account these key lessons:

• Just buying more tools does not equal better security.
• Buying tools without having the time and skills to use them is a waste and a distraction.
• Enabling every log source will only drown organizations in data, increasing the size of the haystack instead of finding more needles.
• Placing security staff in a dual role with IT operations diminishes their effectiveness.
• Organizations can reduce the cost of an incident by preparing staff and scheduling availability of required resources.
• Capturing lessons learned is critical to success, as the same attackers and techniques can be observed over and over again.

ORGANIZATIONAL PREPAREDNESS SELF-ASSESSMENT

These questions will help identify how ready the organization is for managing a major incident.

CORE STRATEGY AND ALIGNMENT

• Does the organization have a good understanding of its HVAs (processes, data, hardware, identities)?
• Does the organization currently have enhanced controls in place for its HVAs and most likely avenues of attack?
• What are the high-probability attack vectors? What attacker techniques are most likely to be used by aggressors to gain initial access and then begin to attempt secondary levels of attack to gain persistence or elevated levels of access?
• Can the organization measure the impact to business resources and reputation if it does not invest in preparation?


SECURITY OPERATIONS

• Does the organization have a security operations center focused on detecting and responding to cyber threats?
• Does the organization have a designated security team and response workflows for handling known threats?
• Does the organization have a documented, socialized and exercised process in place for incident response?
• Are staff given the proper training and time to investigate cyber threats?
• How effective are the organization’s tools at detecting cyber threats?

64% do not have, or only have an informal, threat intelligence program. 73% are concerned about poor user awareness and behavior around mobile devices.

Communications

Of all the major costs and risks associated with managing a security incident, the potential hit to brand and reputation and loss of customer trust could be the most damaging. According to Edelman’s security study, 71% of global consumers said they would switch providers after a company they rarely used suffered a data breach. Beyond reputational impact, poorly managed and communicated security incidents can affect employee morale, as well as lead to regulatory pressure and litigation.

Expectations are changing as cyber-attacks increase. Organizations are not necessarily expected to prevent security incidents (though this depends on the nature of the risk), but they are expected to effectively manage the impact of a cyber-attack. There is a growing consensus that even organizations with highly sophisticated cyber defense systems can be victims of an attack.

Effectively communicating during security incidents requires careful planning, as well as an understanding of the unique dynamics inherent in cybersecurity issues that make them different from other types of crises. Unlike traditional crisis issues where transparency and speed are often the right course of action, there is great risk in communicating initial findings and details around a cybersecurity incident. Disclosing investigative information early in the response process may result in that information being incorrect later. This could lead to a loss of credibility, additional news cycles, and increased negative coverage.

Below are several proactive steps organizations should consider taking to be prepared to handle communications related to a cybersecurity incident.

PRIOR TO AN INCIDENT

• Appoint a communications lead to be part of the core incident response team and confirm their understanding of the response process and cybersecurity. In the moment of a crisis, precious time and energy is spent identifying who is leading on communications and who will speak on behalf of an organization. There are unique nuances with communicating cybersecurity incidents and investigations that a strong communications lead must understand to be effective. By having the communications lead as part of the core team, communications and reputation management is more likely to be properly represented during the decision-making process.
• Develop a communications portion of existing incident response plans, including clear ownership and approval processes. Many companies have technical incident response plans that outline how to investigate and remediate an issue. What’s often missing is a communications-centric portion to manage the complex calculus of deciding what to disclose to whom and when.
• Map the stakeholders that may need to receive communications regarding an incident, including customers, media, partners, regulators, employees and vendors. This includes confirming the organization understands its contractual obligations to inform certain partners or customers. Often incidents may not require disclosure to regulators or consumers, but they still need to be shared with enterprise customers in a timely manner. Understanding these obligations ahead of an incident can save valuable time during a live incident.
• Develop draft media holding statements and other materials for the major types of incidents that are of most concern to the organization. These statements are intended to be used with the press during the early stages of an investigation when many of the details of the issue are still unknown. It’s also important to develop key communications considerations for each of the incidents, which can help guide decision-making when an incident occurs. For example, if and under what circumstances the organization would pay to remove ransomware and how it would position this decision to key stakeholders.
• Host a tabletop exercise with members from the entire incident response team to test how they would react to the media, customer, and regulator attention due to an incident. These tabletops are best done in conjunction with outside legal counsel (in order to protect the content under attorney client privilege) and are intended to focus on more than the non-technical aspects of incident response.

Legal

Legal counsel increasingly plays a critical role in proactive cybersecurity program development, deployment, and execution. Cybersecurity lawyers provide legal advice regarding statutory, contractual, and regulatory duties, as well as recommendations on managing and mitigating legal risk that may result from audits, investigations, or litigation. Experienced regulators now expect that organizations will prepare for an incident and will evaluate their regulatory enforcement decisions through that lens. Customers have an expectation that contractual commitments will be honored during an incident, and liability risks are important to keep front of mind.

The following are some of the key aspects of proactive legal workflows in cybersecurity:

• Have an experienced cybersecurity lawyer. Much of cybersecurity incident response preparation involves evaluating and managing legal risk. Cybersecurity legal obligations arise out of a myriad of obligations, including contractual, statutory, and regulatory sources. In many instances, the legal obligations are global, requiring knowledge of multiple jurisdictions and cascading consequences. Internal counsel must be sufficiently comfortable with technical issues in order to participate competently in the response cadence. In some instances, domain expertise must include privacy legal knowledge in the event a data breach is involved.
• Manage the retention of outside experts. An experienced cybersecurity lawyer should be well-versed in issue spotting and have the ability to pull in experts from different domains, either internal or external, as issues arise. Legal counsel (internal and/or external) should also be positioned to “direct” certain incident response preparation activities and to retain outside legal, forensic, and communications experts to maximize the likelihood that their proactive and reactive work is covered by the attorney client privilege.
• Review Policies and Public Statements. This applies not only to public representations (e.g., privacy statements, service representations), but also to internal security communications and policies. These policies and disclosures should be regularly reviewed to represent the current state and avoid unnecessarily grand or definitive statements about an organization’s cybersecurity program (e.g., “we have bank level security” or “we have state-of-the-art cybersecurity”).
• Integrate into the Incident Response Plan. Each company needs an incident response plan. The Incident Response Plan is the key operational document that pulls together different aspects of an organization’s response to a security compromise or data breach. Regulators and plaintiffs focus on not only the technical security measures in place, but also the speed, efficiency, and effectiveness of the organization’s response when facing a cyberattack. Any legally specific needs should be incorporated into the corporate incident response plan and applied to each and every incident.


Guidance on mitigating the risk of rapid cyberattacks (ransomware/destructive attacks)

Because of how critical security hygiene issues have become and how challenging it is for organizations to follow the guidance and the multiple recommended practices, Microsoft is taking a fresh approach to solving them. Microsoft is working actively with NIST, the Center for Internet Security (CIS), the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) (formerly US-CERT), industry partners, and the cybersecurity community to jointly develop and publish practical guides on critical hygiene and to implement reference solutions, starting with these recommendations on rapid cyberattacks as related to patch management.

Recommended Mitigations (based on the effect they have on mitigating risk):

1. Exploit Mitigation – Mitigate software vulnerabilities that allow worms and attackers to enter and/or traverse an environment.
2. Business Continuity / Disaster Recovery (BC/DR) – Rapidly resume business operations after a destructive attack.
3. Lateral Traversal / Securing Privileged Access – Mitigate the ability to traverse (spread) using impersonation and credential theft attacks.
4. Attack Surface Reduction – Reduce critical risk factors across all attack stages (prepare, enter, traverse, execute).

We recognize every organization has unique challenges and investments in cybersecurity (people and technology) and cannot possibly make every single recommendation a top or immediate priority. Accordingly, we have broken down the primary (default) recommendations for mitigating rapid cyberattacks into three buckets:

1. Quick wins: what Microsoft recommends organizations accomplish in the first 30 days
2. Less than 90 days: what Microsoft recommends organizations accomplish in the medium term
3. Next quarter and beyond: what Microsoft recommends organizations accomplish in the longer term.

Primary recommendations on how to mitigate attacks:


This list has been carefully prioritized based on Microsoft’s direct experience investigating (and helping organizations recover from) these attacks as well as collaboration with numerous industry experts. This is a default set of recommendations and should be tailored to each enterprise based on defenses already in place.

In prioritizing the quick wins for the first 30 days, the primary considerations Microsoft uses are:

1. Whether the measure directly mitigates a key attack component.
2. Whether most enterprises could rapidly implement the mitigation (configure, enable, deploy) without significant impact on existing user experiences and business processes.

In addition to the primary recommendations, Microsoft has an additional set of recommendations that could provide significant benefits depending on circumstances of the organization:

• Ensure outsourcing contracts and SLAs are compatible with rapid security response
• Move critical workloads to SaaS and PaaS as you are able
• Validate existing network controls (internet ingress, internal Lab/ICS/SCADA isolation)
• Enable UEFI Secure Boot
• Complete SPA roadmap Phase 2 (see Guidance on securing privileged accounts for more information)
• Protect backup and deployment systems from rapid destruction
• Restrict inbound peer traffic on all workstations
• Use application whitelisting
• Remove local administrator privileges from end-users
• Implement modern threat detection and automated response solutions
• Disable unneeded protocols
• Replace insecure protocols with secure equivalents (Telnet > SSH, HTTP > HTTPS, etc.)

To help organizations overcome challenges with implementing these recommendations, Microsoft can be engaged to:

• Assist with implementing the mitigations described in the SPA Roadmap and Rapid Cyberattack Guidance.
• Investigate an active incident with enterprise-wide malware hunting, analysis, and reverse engineering techniques. This includes providing tailored cyberthreat intelligence and strategic guidance to harden the environment against advanced and persistent attacks. Microsoft can provide onsite teams and remote support to help organizations investigate suspicious events, detect malicious attacks, and respond to security breaches.
• Proactively hunt for persistent adversaries in the organization’s environment using similar methods as an active incident response (above).


Guidance on securing privileged accounts

Securing privileged access is a critical first step to establishing security assurances for business assets in a modern organization. The security of most or all business assets in an IT organization depends on the integrity of the privileged accounts used to administer, manage, and develop these assets. Cyber-attackers often target these accounts and other elements of privileged access to gain access to data and systems using credential theft attacks like Pass-the-Hash and Pass-the-Ticket.

Protecting privileged access against determined adversaries requires you to take a complete and thoughtful approach to isolate these systems from risks.

What are privileged accounts?

Privileged Accounts, like administrators of Active Directory Domain Services, have direct or indirect access to most or all assets in an IT organization. Consequently, a compromise of these accounts would pose a significant business risk.

Why is securing privileged access important?

Cyber-attackers focus on privileged access to systems like Active Directory (AD) to rapidly gain access to all of an organization’s targeted data. Traditional security approaches have focused on the network and firewalls as the primary security perimeter, but the following two trends have significantly diminished the effectiveness of traditional approaches:

• Organizations are hosting data and resources outside the traditional network boundary on mobile enterprise PCs, devices like mobile phones and tablets, cloud services, and bring your own devices (BYOD)
• Adversaries have demonstrated a consistent and ongoing ability to obtain access on workstations inside the network boundary through phishing and other web and email attacks.

These factors necessitate building a modern security perimeter out of authentication and authorization identity controls in addition to the traditional network perimeter strategy. A security perimeter here is defined as a consistent set of controls between assets and the threats to them. Privileged accounts are effectively in control of this new security perimeter, so it’s critical to protect privileged access.


An attacker that gains control of an administrative account can use those privileges to increase their impact in the target organization as depicted below:

The illustration below depicts two paths:

A “blue” path where a standard user account is used for non-privileged access to resources like email and web browsing, and where day to day work is completed.
Note: Blue path items described later indicate broad environmental protections that extend beyond the administrative accounts.

A “red” path where privileged access occurs on a hardened device to reduce the risk of phishing and other web and email attacks.

Securing privileged access roadmap

The roadmap is designed to maximize the use of Microsoft technologies that you already have deployed, take advantage of cloud technologies to enhance security, and integrate any 3rd party security tools you may already have deployed.

The roadmap of Microsoft recommendations is broken into 3 phases:

• Phase 1: First 30 days
  • Quick wins with meaningful positive impact.
• Phase 2: 90 days
  • Significant incremental improvements.
• Phase 3: Ongoing
  • Security improvement and sustainment.


The roadmap is prioritized to schedule the most The timelines for the roadmap are approximate and
effective and the quickest implementations first are based on Microsoft’s experience with customer
based on our experiences with these attacks and implementations. The duration will vary in some
solution implementation. organizations depending on the complexity of
the environment and the change management
Microsoft recommends following this roadmap processes.
to secure privileged access against determined
adversaries. Organizations may adjust this roadmap Phase 1: Quick wins with minimal operational
to accommodate existing capabilities and specific complexity
requirements within the organization.
Phase 1 of the roadmap is focused on quickly
Note: Securing privileged access requires a broad mitigating the most frequently used attack
range of elements including technical components techniques of credential theft and abuse. Phase 1 is
(host defenses, account protections, identity designed to be implemented in approximately 30
management, etc.) as well as changes to process, days and is depicted in this diagram:
and administrative practices and knowledge.

1. Separate accounts

To help separate internet risks (phishing attacks, web browsing) from privileged access accounts, create a dedicated account for all personnel with privileged access. Administrators should not be browsing the web, checking their email, and doing day to day productivity tasks with highly privileged accounts. More information on this can be found in the section Separate administrative accounts of the reference document.

Follow the guidance in the article Manage emergency access accounts in Azure AD to create at least two emergency access accounts, with permanently assigned administrator rights, in both the on-premises AD and Azure AD environments. These accounts are only for use when traditional administrator accounts are unable to perform a required task, such as in the case of a disaster.

2. Just in time local admin passwords

To mitigate the risk of an adversary stealing a local administrator account password hash from the local SAM database and abusing it to attack other computers, organizations should ensure every machine has a unique local administrator password. The Local Administrator Password Solution (LAPS) tool can configure unique random passwords on each workstation and server and store them in Active Directory (AD) protected by an ACL. Only eligible authorized users can read or request the reset of these local administrator account passwords. You can obtain LAPS for use on workstations and servers from the Microsoft Download Center.

Additional guidance for operating an environment with LAPS and PAWs can be found in the section Operational standards based on clean source principle.
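Because LAPS writes the password expiry into Active Directory, coverage of the control described above can be audited from AD itself. The following PowerShell is an added example for this page, not code from the white paper or from the LAPS tool; it assumes the Download Center (legacy) LAPS the text refers to, which records the expiry in the ms-Mcs-AdmPwdExpirationTime attribute as a 64-bit FILETIME, and the function name, computer names and dates below are constructed for illustration.

```powershell
# Added example: report LAPS coverage for domain-joined computers.
# A computer whose ms-Mcs-AdmPwdExpirationTime is empty has never been
# managed by LAPS; one whose expiry is in the past has stopped rotating.
# (The password attribute ms-Mcs-AdmPwd is confidential and is deliberately
# never read here; the expiry attribute is enough to judge coverage.)

function Get-LapsCoverageReport {
    param(
        # Objects with a Name and an ms-Mcs-AdmPwdExpirationTime property,
        # normally the output of Get-ADComputer (see the live usage below).
        [Parameter(Mandatory, ValueFromPipeline)] $Computer,
        # Injectable clock so the report is reproducible in tests.
        [datetime] $Now = (Get-Date).ToUniversalTime()
    )
    process {
        $raw = $Computer.'ms-Mcs-AdmPwdExpirationTime'
        if ($null -eq $raw -or [int64]$raw -eq 0) {
            $state   = 'NotManaged'
            $expires = $null
        } else {
            $expires = [datetime]::FromFileTimeUtc([int64]$raw)
            $state   = if ($expires -lt $Now) { 'Expired' } else { 'Healthy' }
        }
        [pscustomobject]@{
            Name    = $Computer.Name
            State   = $state
            Expires = $expires
        }
    }
}

# Constructed sample objects standing in for Get-ADComputer output (hypothetical names).
$now = [datetime]::new(2020, 6, 1, 0, 0, 0, [System.DateTimeKind]::Utc)
$sample = @(
    [pscustomobject]@{ Name = 'WS-01';  'ms-Mcs-AdmPwdExpirationTime' = $now.AddDays(20).ToFileTimeUtc() }   # rotating normally
    [pscustomobject]@{ Name = 'WS-02';  'ms-Mcs-AdmPwdExpirationTime' = $now.AddDays(-45).ToFileTimeUtc() }  # rotation stopped
    [pscustomobject]@{ Name = 'SRV-01'; 'ms-Mcs-AdmPwdExpirationTime' = $null }                             # LAPS never ran
)
$sample | Get-LapsCoverageReport -Now $now | Format-Table -AutoSize

# Live run against the domain (needs the ActiveDirectory module and read
# access to the expiry attribute); list everything that is not healthy:
#   Get-ADComputer -Filter * -Properties 'ms-Mcs-AdmPwdExpirationTime' |
#       Get-LapsCoverageReport | Where-Object State -ne 'Healthy'
```

With the sample data the report classifies WS-01 as Healthy, WS-02 as Expired and SRV-01 as NotManaged. A machine in the Expired state is usually one where the LAPS client-side extension is not installed or the Group Policy is not applied, and it is exactly the machine whose local administrator hash would still be reusable elsewhere. Windows LAPS, built into Windows since 2023, uses msLAPS-* attributes instead, so the attribute name is the one thing to change for newer deployments.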



3. Administrative workstations

As an initial security measure for those users with Azure Active Directory and traditional on-premises Active Directory administrative privileges, ensure they are using Windows 10 devices configured with the Standards for a highly secure Windows 10 device. Privileged administrator accounts should not be members of the local administrator group of the administrative workstations. Privilege elevation via User Account Control (UAC) can be utilized when configuration changes to the workstations are required. Additionally, the Windows 10 Security Baseline should be applied to the workstations to further harden the device.

4. Identity attack detection

Azure Advanced Threat Protection (ATP) is a cloud-based security solution that identifies, detects, and helps you investigate advanced threats, compromised identities, and malicious insider actions directed at the organization’s on-premises Active Directory environment.

Phase 2: Significant incremental improvements

Phase 2 builds on the work done in phase 1 and is designed to be completed in approximately 90 days. The steps of this stage are summarized below.

1. Require Windows Hello for Business and MFA

Administrators can benefit from the ease of use associated with Windows Hello for Business. Admins can replace their complex passwords with strong two-factor authentication on their PCs. An attacker must have both the device and the biometric info or PIN, so it is much more difficult to gain access without the employee’s knowledge. More details about Windows Hello for Business and the path to roll out can be found in the article Windows Hello for Business Overview.

Enable multi-factor authentication (MFA) for the organization’s administrator accounts in Azure AD using Azure MFA. At minimum, enable the baseline protection conditional access policy. More information about Azure Multi-Factor Authentication can be found in the article Deploy cloud-based Azure Multi-Factor Authentication.

2. Deploy PAW to all privileged identity access account holders

Continuing the process of separating privileged accounts from threats found in email, web browsing, and other non-administrative tasks, organizations should implement dedicated Privileged Access Workstations (PAW) for all personnel with privileged access to the organization’s information systems. Additional guidance for PAW deployment can be found in the article Privileged Access Workstations.

3. Just in time privileges

To lower the exposure time of privileges and increase visibility into their use, provide privileges just in time (JIT) using an appropriate solution such as the ones below or other third-party solutions:



For Active Directory Domain Services (AD DS), use the Microsoft Identity Manager (MIM) Privileged Access Manager (PAM) capability.

For Azure Active Directory, use the Azure AD Privileged Identity Management (PIM) capability.

4. Enable Windows Defender Credential Guard

Enabling Credential Guard helps to protect NTLM password hashes, Kerberos Ticket Granting Tickets, and credentials stored by applications as domain credentials. This capability helps to prevent credential theft attacks, such as Pass-the-Hash or Pass-the-Ticket, by increasing the difficulty of pivoting in the environment using stolen credentials. Information on how Credential Guard works and how to deploy it can be found in the article Protect derived domain credentials with Windows Defender Credential Guard.

5. Leaked credentials reporting

“Every day, Microsoft analyzes over 6.5 trillion signals in order to identify emerging threats and protect customers” - Microsoft By the Numbers

Enable Microsoft Azure AD Identity Protection to report on users with leaked credentials so that one can remediate them. Azure AD Identity Protection can be leveraged to help organizations protect cloud and hybrid environments from threats.

6. Azure ATP Lateral Movement Paths

Ensure privileged access account holders are using their PAW for administration only, so that a compromised non-privileged account cannot gain access to a privileged account via credential theft attacks such as Pass-the-Hash or Pass-the-Ticket. Azure ATP Lateral Movement Paths (LMPs) provide easy to understand reporting to identify where privileged accounts may be open to compromise.

Phase 3: Security improvement and sustainment

Phase 3 of the roadmap builds on the steps taken in Phases 1 and 2 to strengthen the organization’s security posture. Its steps are summarized below.



These capabilities will build on the steps from previous phases and move an organization’s defenses into a more proactive posture. This phase has no specific timeline and may take longer to implement based on each individual organization.

1. Review role-based access control

Using the three-tiered model outlined in the article Active Directory administrative tier model, review and ensure lower tier administrators do not have administrative access to higher tier resources (group memberships, ACLs on user accounts, etc.).

2. Reduce attack surfaces

Harden the organization’s identity workloads including Domains, Domain Controllers, ADFS, and Azure AD Connect, as compromising one of these systems could result in compromise of other systems in the organization. The articles Reducing the Active Directory Attack Surface and Five steps to securing your identity infrastructure provide guidance for securing the organization’s on-premises and hybrid identity environments.

3. Integrate logs with SIEM

Integrating logging into a centralized SIEM tool can help the organization to analyze, detect, and respond to security events. The articles Monitoring Active Directory for Signs of Compromise and Appendix L: Events to Monitor provide guidance on events that should be monitored in the organization’s environment.

This is part of the ongoing Phase 3 plan because aggregating, creating, and tuning alerts in a security information and event management (SIEM) system requires skilled analysts (unlike Azure ATP in the 30-day plan, which includes out-of-the-box alerting).

4. Leaked credentials - Force password reset

Continue to enhance the organization’s security posture by enabling Azure AD Identity Protection to automatically force password resets when passwords are suspected of compromise. The guidance found in the article Use risk events to trigger Multi-Factor Authentication and password changes explains how to enable this using a conditional access policy.
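Items 1 and 3 above meet in practice: the events Appendix L asks you to forward to the SIEM include the group-membership changes that tell you whether the tier model is being respected. The PowerShell below is an added example written for this page, not code from the white paper or from the referenced articles. The event IDs are Windows Security auditing IDs covered by Appendix L; the Tier 0 group list, the function names, and the sample 4728 event (domain corp.example, hypothetical account names) are constructed so the block runs without a domain.

```powershell
# Added example: flatten Windows Security events into SIEM-ready records and
# flag membership changes to Tier 0 groups.

$WatchedEvents = @{
    1102 = 'Audit log cleared'
    4719 = 'System audit policy changed'
    4720 = 'User account created'
    4672 = 'Special privileges assigned to new logon'
    4728 = 'Member added to security-enabled global group'
    4732 = 'Member added to security-enabled local group'
    4756 = 'Member added to security-enabled universal group'
}
# Assumed Tier 0 set for illustration; adjust to the organization's tier model.
$Tier0Groups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')

function ConvertFrom-SecurityEventXml {
    # Flattens the <System> header and every <EventData><Data Name=...> field
    # of one event into a single object (one JSON line each when piped to
    # ConvertTo-Json -Compress).
    param([Parameter(Mandatory, ValueFromPipeline)] [string] $Xml)
    process {
        $doc = [xml]$Xml
        $ns  = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
        $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')
        $rec = [ordered]@{
            EventId     = [int]$doc.SelectSingleNode('/e:Event/e:System/e:EventID', $ns).InnerText
            TimeCreated = $doc.SelectSingleNode('/e:Event/e:System/e:TimeCreated', $ns).GetAttribute('SystemTime')
            Computer    = $doc.SelectSingleNode('/e:Event/e:System/e:Computer', $ns).InnerText
        }
        $rec.Description = $WatchedEvents[$rec.EventId]
        foreach ($d in $doc.SelectNodes('/e:Event/e:EventData/e:Data', $ns)) {
            $rec[$d.GetAttribute('Name')] = $d.InnerText
        }
        [pscustomobject]$rec
    }
}

function Test-Tier0GroupChange {
    # True when a group-membership event targets one of the Tier 0 groups.
    param([Parameter(Mandatory)] $Record)
    ($Record.EventId -in 4728, 4732, 4756) -and ($Record.TargetUserName -in $Tier0Groups)
}

# Constructed sample event: a helpdesk account adds a service account to Domain Admins.
$SampleEvents = @(@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4728</EventID>
    <TimeCreated SystemTime="2020-06-01T10:15:22.123456700Z"/>
    <Computer>DC01.corp.example</Computer>
  </System>
  <EventData>
    <Data Name="MemberName">CN=svc-backup,OU=Service Accounts,DC=corp,DC=example</Data>
    <Data Name="MemberSid">S-1-5-21-1111111111-2222222222-3333333333-1108</Data>
    <Data Name="TargetUserName">Domain Admins</Data>
    <Data Name="TargetDomainName">CORP</Data>
    <Data Name="TargetSid">S-1-5-21-1111111111-2222222222-3333333333-512</Data>
    <Data Name="SubjectUserName">helpdesk1</Data>
    <Data Name="SubjectDomainName">CORP</Data>
  </EventData>
</Event>
'@)

$records = $SampleEvents | ConvertFrom-SecurityEventXml
$records | ForEach-Object { $_ | ConvertTo-Json -Compress }          # what the SIEM ingests
$records | Where-Object { Test-Tier0GroupChange $_ } | ForEach-Object {
    "ALERT: $($_.SubjectDomainName)\$($_.SubjectUserName) added $($_.MemberName) to $($_.TargetUserName) on $($_.Computer)"
}

# Live collection from a domain controller (elevated session), last 24 hours:
#   Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = [int[]]$WatchedEvents.Keys;
#                                    StartTime = (Get-Date).AddHours(-24) } |
#       ForEach-Object { $_.ToXml() } | ConvertFrom-SecurityEventXml
```

The sample produces one alert, because a non-Tier 0 actor (helpdesk1) changed a Tier 0 group. The same record flow, without the watchlist, is the raw feed for item 3: forwarding it to the SIEM keeps the complete audit trail even if 1102 later shows the local log being cleared.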

In conclusion

The bad guys never stop, so neither can organizations. This roadmap can help organizations protect against
currently known threats, but attackers will constantly evolve and shift. Microsoft recommends organizations
view security as an ongoing process focused on raising the cost and reducing the success rate of adversaries
targeting the environment.

While it is not the only part of the organization’s security program, securing privileged access is a critical
component of the organization’s overall security strategy.



Modernizing Security Operations Centers (SOCs)

There is a lot of pressure put on the security operations center. Many organizations rely on the SOC to defend against all types of threats. In our experience working with other organizations and their security operations teams, as well as managing cybersecurity within Microsoft, we have observed several key challenges for today’s SOC.

#1 – Lack of organizational support. SOCs do not operate in a vacuum. They must interact with every part of the organization which they are protecting and all the employees in those parts of the business. Without an executive sponsor and support of the SOC’s mission from the entire organization, a SOC will be ineffective at protecting the business.

#2 – Over-reliance on technology. Organizations often spend most of their security budget on technology, resulting in improperly staffed/skilled operations teams. Staffing the proper skills is required to achieve the goals of the organization. Human analytical capability is required to detect and respond to modern threats.

#3 – Tool overload. Organizations are overwhelmed with an influx of tools, data, devices, user IDs, endpoints, etc.

#4 – Attackers never sleep. Outside the walls of these organizations are further challenges in attackers and how they operate. Attackers’ interests don’t align with our goals as a security operations center. They are using an array of existing tools, and when those are no longer useful, they’re willing to invest in new tools. Essentially, as organizational environments become more complex, everything has become easier for attackers. Trying to keep up with attackers based upon today’s approach isn’t going to work.

Microsoft Approach to Security Operations

As one would expect, Microsoft has a substantial security operations footprint. Over the years, as we have evolved into a cloud provider, our cybersecurity requirements have dramatically changed. We often get asked by customers to share our experiences modernizing our SOC. We thought it would be helpful to focus on those learnings and how to apply them in your organization.

Our approach boils down to three things:

Tooling: With the overabundance of security solutions in the market, Microsoft realized that we need to focus on selecting the right tools for the right job - tools that enable automation of everything.

Culture: There is not enough credence put into the importance of working to create a strong culture in the security operations team. As many if not most organizations are understaffed and overwhelmed, getting clear on what the organization stands for, how it supports the organization’s strategies, and how people on the team are supposed to contribute is critical. This will reduce toil and let people focus on the most important things.

Metrics: A famous business thinker (Peter Drucker) once said, “If you can’t measure it, you can’t improve it.” There is a wealth of metrics to choose from; however, pick the right ones for your organization, not all of them.

Tooling started with SIEM model

Microsoft used to operate a SIEM centric model similar to most organizations and faced a natural set of challenges with that model. The SOC referenced here is the Microsoft IT operations SOC, which is most comparable to SOCs in most organizations. At Microsoft, multiple teams work shoulder to shoulder in our CDOC facility to enable collaboration and rapid intelligence sharing between teams protecting our other environments such as Azure and Office 365.

This SOC is cross platform and covers a significant population of Linux, Mac, and non-Microsoft software (from both acquisitions and organic use of these technologies).

The challenges we experienced with this model are similar to those reported by our customers running in this SIEM centric model:

• Event Volume - High volume and growth (on the scale of 20 billion events a day currently) exceeded the capacity of the SIEM to handle it.
• Alert Overload – The static rulesets generated excessive false positives that led to alert fatigue.
• Poor Investigation workflow – Investigation of events using the SIEM was clunky and required manual queries and manual switching to different tools.



Modern SOC Model

Today, Microsoft is focusing our tool architecture to optimize operations with both breadth (unified view) and
depth (specialized tooling) capabilities. Now that the Microsoft cloud native SIEM is available, we are operating
this technology in production as a pilot to accelerate transition to this technology. This is a bit simpler for us
as most of the SOC’s log analytics are already using the Azure Monitor technology that powers Azure Sentinel
(technology which was formerly known as Azure Log Analytics and Operations Management Suite (OMS)).

Our SOC analysts have also been contributing heavily to the Azure Sentinel community (queries, dashboards,
etc.) to share knowledge with our customers.



© 2020 Microsoft Corporation. All rights reserved. This document is provided “as-is.” Information and views expressed in this document,
including URL and other Internet Web site references, may change without notice. You bear the risk of using it.

Some examples are for illustration only and are fictitious. No real association is intended or inferred.

This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this
document for your internal, reference purposes.
