ECS19 - Nicki Borell - Microsoft Cybersecurity Reference Architecture
Download as PPTX, PDF5 likes1,252 views
The document discusses Microsoft's cybersecurity reference architecture and how it can help protect organizations by protecting access at the front door, detecting and remediating attacks, and protecting data anywhere through solutions like identity management, threat protection, information protection, and advanced security monitoring. It provides examples of how conditional access policies and user risk assessments can help secure access to applications and detects anomalies and threats across on-premises, cloud, and mobile environments. The reference architecture leverages solutions from Enterprise Mobility and Security to classify and label sensitive data and monitor for policy violations to help organizations discover, protect, and govern their most important information throughout its lifecycle.
ECS19 - Nicki Borell - Microsoft Cybersecurity Reference Architecture
- 1. MICROSOFT CYBERSECURITY REFERENCE ARCHITECTURE Nicki Borell Regional Director, MVP O365 Apps & Services Consultant www.nickiborell.com
- 2. ♡ DIAMOND AND PLATINUM SPONSORS ♡
- 3.
- 6. Chapter 1: General Provisions Chapter 2: Principles Chapter 3: Rights of the Data Subject Chapter 4: Controller and Processor Chapter 5: Transfer of personal data to third countries of international organizations Chapter 6: Independent Supervisory Authorities Chapter 7: Co- operation and Consistency Chapter 8: Remedies, Liability, and Sanctions Chapter 9: Provisions relating to specific data processing situations Chapter 10: Delegated Acts and Implementing Acts Chapter 11: Final provisions https://www.eugdpr.org/article-summaries.html
- 7. Chapter 1: General Provisions Chapter 2: Principles Chapter 3: Rights of the Data Subject Chapter 4: Controller and Processor Chapter 5: Transfer of personal data to third countries of international organizations Chapter 6: Independent Supervisory Authorities Chapter 7: Co- operation and Consistency Chapter 8: Remedies, Liability, and Sanctions Chapter 9: Provisions relating to specific data processing situations Chapter 10: Delegated Acts and Implementing Acts Chapter 11: Final provisions https://www.eugdpr.org/article-summaries.html
- 8. Chapter 1: General Provisions Chapter 2: Principles Chapter 3: Rights of the Data Subject Chapter 4: Controller and Processor Chapter 5: Transfer of personal data to third countries of international organizations Chapter 6: Independent Supervisory Authorities Chapter 7: Co- operation and Consistency Chapter 8: Remedies, Liability, and Sanctions Chapter 9: Provisions relating to specific data processing situations Chapter 10: Delegated Acts and Implementing Acts Chapter 11: Final provisions Download the Whitepaper and further information: http://www.sharepointtalk.net/search/label/GDPR
- 11. On-premises
- 12. Identity & Access Management Mobile Device & Application Management Data Loss Prevention User & Entity Behavioral Analytics Cloud Access Security Broker Information Rights Management Protect at the front door Detect & remediate attacks Protect your data anywhere Cloud Access Security Broker Mobile Device & App Management Identity & Access Management User & Entity Behavioral Analytics Data Loss Prevention Cloud Access Security Broker
- 13. Mobile device & app management Information protection Identity and access management Threat protection Protect at the front door Detect & remediate attacks Protect your data anywhere
- 14. Protect at the front door Detect & remediate attacks Protect your data anywhere
- 15. Protect at the front door Detect & remediate attacks Protect your data anywhere
- 17. On-premises / Private cloud devices datausers apps
- 20. On-premises / Private cloud ORGANIZATION & SOCIAL IDENTITIES
- 23. IF Privileged user? Credentials found in public? Accessing sensitive app? Unmanaged device? Malware detected? IP detected in Botnet? Impossible travel? Anonymous client? High Medium Low User risk THEN Require MFA Allow access Deny access Force password reset****** Limit access High Medium Low Session risk
- 24. USER Role: Sales Account Rep Group: London Users Client: Mobile Config: Corp Proxy Location: London, UK Last Sign-in: 5 hrs ago CONDITIONAL ACCESS RISK Health:Fully patched Config:Managed Last seen: London, UK High Medium Low Allow access TRAVEL EXPENSE APP
- 25. USER Role: VP Marketing Group: Executive Users Client: Mobile Config: Corp Proxy Location: London, UK Last Sign-in: 5 hrs ago CONDITIONAL ACCESS RISK Health:Fully patched Config:Managed Last seen: London, UK High Medium Low Require MFA CONFIDENTIAL SALES APP CONDITIONAL ACCESS POLICY User is a member of a sensitive group. Application is classified High Business Impact.
- 26. USER Role: Sales Account Representative Group: London Users Client: Mobile Config: Corp Proxy Location: London, UK Last Sign-in: 5 hrs ago SALES APP CONDITIONAL ACCESS RISK Health: Unknown Client: Browser Config: Anonymous Last seen: Asia High Medium Low Anonymous IP Unfamiliar sign-in location for this user Block access Force password reset
- 27. Enforce on-demand,just-in-time administrative access when needed Use Alert, Audit Reports and Access Review Domain User Global Administrator Discover, restrict, and monitor privileged identities Domain User Administrator privileges expire after a specified interval
- 31. Enterprise Mobility + Security Protect at the front door Demo
- 32. Recommendation Finde a pain point Find a quick win
- 33. Protect at the front door Detect & remediate attacks Protect your data anywhere
- 35. SECRET CONFIDENTIAL INTERNAL NOT RESTRICTED IT admin can set policies, templates, and rules. Classifications, labels and encryption can be applied automatically based on file source, context, and content EMS extends Office 365 manual protection of files with automatic protection to ensure policy compliance Encryption stays with the file wherever it goes, internally and externally Files can be tracked by sender and access revoked if needed Classification and labeling Classify data based on sensitivity and add labels—manually or automatically Protection Encrypt sensitive data & define usage rights, add visual markings when needed Monitoring Detailed tracking and reporting to maintain control over shared data
- 36. LabelDiscover Classify Sensitivity Retention Data growing at exponential rate Encryption Restrict Access Watermark Header/Footer Retention Deletion Records Management Archiving Sensitive data discovery Data at risk Policy violations Policy recommendations Proactive alerts Comprehensive policies to protect and govern your most important data – throughout its lifecycle Unified approach to discover, classify & label Automatically apply policy-based actions Proactive monitoring to identify risks Broad coverage across locations Apply label Unified approach Monitor
- 37. CONFIDENTIAL What is a sensitivity label? Tag that is customizable, in cleartext, and persistent. It becomes the basis for applying and enforcing data protection policies. In files and emails, the label is persisted as document metadata In SharePoint Online, the label is persisted as container metadata
- 41. Azure Information Protection vs. OME More Details: http://www.sharepointtalk.net/2018/11/office-365-message- encryption-ome-vs.html
- 42. https://docs.microsoft.com/en-us/azure/information-protection/faqs-rms
- 44. Enterprise Mobility + Security Protect your data anywhere Demo
- 46. Advanced device management Enforce device encryption, password/PIN requirements, jailbreak/root detection, etc. Device security configuration Restrict access to specific applications or URL addresses on mobile devices and PCs. Restrict apps and URLs Managed apps Personal appsPersonal apps MDM (3rd party or Intune) optional Managed apps Corporate data Personal data Multi-identity policy Control company data after it has been accessed, and separate it from personal data. Data control / separation
- 47. Managed apps Personal appsPersonal apps Managed apps ITUser Company Data Private Data Multi-Identity Policy
- 52. USER User is prompted to create a PIN User edits document stored in OneDrive for Business User saves document to… User adds business account to OneDrive app Intune configures app protection policy OneDrive for Business Allow access • Copy/Paste/SaveAs controls • PIN required • Encrypt storage
- 53. User is prompted to enroll device Device checked for compliance Business email account is added User adds business account to email app Intune enrolls device and applies policies CORPORATE EMAIL Allow access • PIN required • Encrypt storage • Image is not jailbroken USER
- 54. Enterprise Mobility + Security Protect your data anywhere Demo
- 55. Recommendation Finde a pain point Find a quick win
- 56. Protect at the front door Detect & remediate attacks Protect your data anywhere
- 57. On-premises abnormal behavior and advanced threat detection Identity-based attack and threat detection Anomaly detection for cloud apps ! ! !
- 58. Time-of-click protection against malicious URLs URL reputation checks along with detonation of attachments at destination URLs. Zero-day protection against malicious attachments Attachments with unknown virus signatures are assessed using behavioral analysis. Critical insights into external threats Rich reporting and tracking features provide critical insights into the targets and categories of attacks. Integrated across apps & services Protection across Exchange Online, SharePoint Online, OneDrive for Business, and Office apps. Intelligence sharing with devices Integration with Windows Advanced Threat Protection to correlate data across users and devices.
- 59. Gain useful insights from user, file, activity, and location logs. Advanced investigation Assess risk in each transaction and identify anomalies in your cloud environment that may indicate a breach. Behavioral analytics Enhance behavioral analytics with insights from the Microsoft Intelligent Security Graph to identify anomalies and attacks. Threat intelligence
- 61. Role: Finance Group: Contoso Finance Office: London, UK INTERNAL Azure information protection Identifies document tagged INTERNAL being shared publicly Move to quarantine Restricted to owner USER Uploaded to public share Admin notified about problem. CLOUD APP SECURITY PORTAL
- 62. Enterprise Mobility + Security Detect & remediate attacks Demo
- 63. Recommendation Finde a pain point Find a quick win
- 65. VISIBILITY CONTROL GUIDANCE Understand the security state and risks across resources Define consistent security policies and enable controls Elevate security through built-in intelligence and recommendations APPS / DATADEVICES Powered by the Intelligent Security Graph IDENTITY INFRASTRUCTURE Enhanced security through simplified and intelligent security management with Microsoft Azure Active Directory Windows Defender Security Center - Office 365 Security & Compliance Center - Microsoft Cloud Application Security Azure Security Center
- 70. Mobile device & app management Information protection Holistic and innovative solutions for protection across users, devices, apps and data Azure Active Directory Premium Microsoft Intune Azure Information Protection Microsoft Cloud App Security Microsoft Advanced Threat Analytics Identity and access management Threat protection
- 71. Technology Benefit E3 E5 Azure Active Directory Premium P1 Secure single sign-on to cloud and on-premises app MFA, conditional access, and advanced security reporting ● ● Azure Active Directory Premium P2 Identity and access management with advanced protection for users and privileged identities ● Microsoft Intune Mobile device and app management to protect corporate apps and data on any device ● ● Azure Information Protection P1 Encryption for all files and storage locations Cloud-based file tracking ● ● Azure Information Protection P2 Intelligent classification and encryption for files shared inside and outside your organization ● Microsoft Cloud App Security Enterprise-grade visibility, control, and protection for your cloud applications ● Microsoft Advanced Threat Analytics Protection from advanced targeted attacks leveraging user and entity behavioral analytics ● ● Identity and access management Managed mobile productivity Information protection Threat protection
- 72. Internet of Things Unmanaged & Mobile Clients Sensitive Workloads Overall Cybersecurity Reference Architecture Extranet Azure Key Vault Microsoft Azure On Premises Datacenter(s) NGFW Nearly all customer breaches that Microsoft’s Incident Response team investigates involve credential theft 63% of confirmed data breaches involve weak, default, or stolen passwords (Verizon 2016 DBR) Colocation $ Mac OS Multi-Factor Authentication MIM PAM Network Security Groups Azure AD PIM Windows Info Protection Enterprise Servers VPN VPN VMs VMs Certification Authority (PKI) Security Operations Center (SOC) WEF SIEM Integration IoT Identity & Access Windows 10Managed Clients Software as a Service ATA Azure Information Protection (AIP) • Classify • Label • Protect • Report Endpoint DLP ClassificationLabels Office 365 Information Protection Legacy Windows Hold Your Own Key (HYOK) 80% + of employees admit using non-approved SaaS apps for work (Stratecast, December 2013) IPS Edge DLP SSL Proxy Azure AD Identity Protection Security Appliances Last updated July 2017 – latest at http://aka.ms/MCRA EPP - Windows Defender AV EDR - Windows ATP Azure SQL Threat Detection Windows Server 2016 Security Shielded VMs, Device Guard, Credential Guard, Just Enough Admin, Hyper-V Containers, Nano server, Defender AV, Defender ATP (Roadmap), and more… Azure App Gateway Azure Antimalware SQL Encryption & Data Masking SQL Firewall Disk & Storage Encryption Conditional Access Office 365 ATP • Email Gateway • Anti-malware • Threat Protection • Threat Detection Azure Security Center (ASC) Analytics / UEBA MSSP Windows Security Center Azure Security Center Vulnerability Management SIEM Office 365 • Security & Compliance • Threat Intelligence Hello for Business Windows 10 Security • Secure Boot • Device Guard • Exploit Guard • Application Guard • Credential Guard • Windows Hello • Remote Credential Guard • Device Health Attestation Security Development Lifecycle (SDL) Cybersecurity Operations Service (COS) Incident Response and Recovery Services Office 365 DLP Cloud App Security Lockbox ASM Intune MDM/MAM DDoS attack mitigation Backup & Site RecoverySystem Center Configuration Manager + Intune Privileged Access Workstations (PAWs) Shielded VMs ESAE Admin Forest Domain Controllers
- 73. 2. Setup your solution for some testuser 2. Testing 3. Evaluate | v2 of your solution 4. Rollout https://www.xpertsatwork.com/workshops