Proactive Intelligent Security with Microsoft Enterprise Mobility + Security
Bruce Gagliolo Jr, Senior Architect, Modern Workplace Leader
Covenant Technology Partners, LLC
We help technology leaders successfully implement business solutions
that achieve significant and sustainable results.
Every project matters…
Our Vision & Mission
Technology is fast reshaping our world and has the potential to change everything – people, businesses, communities and nations (BT CIO Report)
People working remotely has increased 4x
90% of the world’s data was generated over the last 2 years
Add insufficient staff expertise and increased compliance obligations through regulations like the General Data Protection Regulation (GDPR)… Who will fill the gap?
4.2 billion customer records compromised¹
99 days from breach to detection²
$17 million average cost of a security breach³
¹ Source: https://pages.riskbasedsecurity.com/hubfs/Reports/2016%20Year%20End%20Data%20Breach%20QuickView%20Report.pdf (Date: 2017)
² Source: https://www.fireeye.com/blog/threat-research/2017/03/m-trends-2017.html (Date: March 2017)
³ Source: Cyber crime – a risk you can manage: Information management and governance to protect business innovation (business white paper, November 2016); Microsoft document: Office 365 Security and Compliance Infographic, CDOC EBC Presentation
The current reality…
Traditionally, detecting and responding to cyber threats has relied on understanding precedent, matching patterns, writing definitions, and configuring rule-based actions for mitigation.
Given the sophistication, polymorphism, and accelerating rate of change in today’s threat landscape, traditional methods that require a human touch at each and every point are proving inadequate and inefficient.
How can we do better?
Threat Detection and Protection
What is Identity-Driven Security?
In the modern world of cloud and devices, there are few things that we can control to keep the bad guys out. We can no longer rely on a physical perimeter, but we can put controls around identity information. That’s why identity-driven security is so vital. Identity should be at the heart of safeguarding users, devices, apps and data.
Any organization adopting an identity-driven approach to its security must ask:
• Users – Who is the user? What access should they have?
• Devices – Personal or corporate? Location? Device type?
• Apps – Who should have access? What should they have access to?
• Data – What kind of data? Who should have access?
What is Identity-Driven Security?
Organizations have many different scenarios to manage, all of which have their own unique security risks, for example:
• Users consuming corporate data on personal devices
• Individual users or whole departments consuming cloud services that are not under the control of an organization’s IT department (“Shadow IT”)
• Organizations adopting multiple cloud services
• Users and organizations sharing data with customers and other business partners
Corporate applications and data now live both “inside” and “outside” the organization – so the traditional security approach of “perimeter thinking” is not adequate.
Enterprise-level Identity Protection
Protection at the front door
In more than 63 percent of data breaches, attackers gain corporate network access through weak, default, or stolen user credentials. Microsoft Identity-Driven Security focuses on user credentials, protecting your organization at the front door by managing and protecting your identities—including your privileged and non-privileged identities.
Conditions: user, user group, location (IP range), device state, MFA, risk (low, medium, high)
Actions: allow, enforce MFA, remediate, block access, wipe device
Applies to on-premises applications and Microsoft Azure
You can equip your organization to better manage identity and access controls, and stop
breaches before they escalate in severity.
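The condition-to-action model described above, as an added example that is not part of the original deck or of any Microsoft product: a small policy evaluator in which the trusted IP range, group names, risk levels and the policy order are all assumptions made for illustration.

```python
# Added example (not from the deck or from Microsoft): a toy evaluator for the
# conditional-access model above. Each policy pairs a condition over the sign-in
# (user group, location IP range, device state, MFA, risk) with an action
# (allow, enforce MFA, remediate, block access, wipe device). First match wins.
# All names, ranges and thresholds are constructed for illustration.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed "corporate" location: TEST-NET-3, never routed on the internet.
TRUSTED_RANGES = [ip_network("203.0.113.0/24")]


@dataclass
class SignIn:
    user: str
    groups: set = field(default_factory=set)
    ip: str = "0.0.0.0"
    device_compliant: bool = True    # device state as reported by MDM
    device_reported_lost: bool = False
    mfa_done: bool = False           # has this session already passed MFA?
    risk: str = "low"                # low / medium / high, as on the slide


def from_trusted_location(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in TRUSTED_RANGES)


# Ordered policies: (name, condition, action). The most severe outcomes come
# first so a high-risk sign-in is blocked even if later policies would allow it.
POLICIES = [
    ("lost-device", lambda s: s.device_reported_lost, "wipe_device"),
    ("block-high-risk", lambda s: s.risk == "high", "block"),
    ("admins-always-mfa", lambda s: "admins" in s.groups and not s.mfa_done, "enforce_mfa"),
    ("medium-risk-mfa", lambda s: s.risk == "medium" and not s.mfa_done, "enforce_mfa"),
    ("noncompliant-device", lambda s: not s.device_compliant, "remediate"),
    ("offsite-needs-mfa", lambda s: not from_trusted_location(s.ip) and not s.mfa_done, "enforce_mfa"),
]


def evaluate(signin: SignIn) -> tuple:
    """Return (action, policy_name) for a sign-in; 'allow' when no policy matches."""
    for name, condition, action in POLICIES:
        if condition(signin):
            return action, name
    return "allow", "default-allow"


if __name__ == "__main__":
    onsite = SignIn("alice", {"finance"}, ip="203.0.113.10")
    print(evaluate(onsite))                                        # ('allow', 'default-allow')
    print(evaluate(SignIn("bob", {"admins"}, ip="203.0.113.11")))  # ('enforce_mfa', 'admins-always-mfa')
```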
Do you need help securing the front door?
• Do you know who is accessing your data?
• Can you grant access based on risk in real time?
• Can you quickly identify and react to a breach?
• Are users empowered to work securely anywhere at any time?
81% of all hacking-related breaches use compromised credentials¹
15% of phishing attack victims fall victim a second time¹
95% of phishing attacks that led to a breach were followed by some form of software installation¹
75% of individuals use only 3 or 4 passwords across all of their accounts²
Enterprise-level identity protection
Identity, security, and productivity all at once
Azure Active Directory (Azure AD) helps you manage user identities and create intelligence-driven access policies to secure your resources. As an integral component of Office 365, Azure and Enterprise Mobility + Security, Azure AD centralizes identity and access management to enable deep security, productivity, and management across devices, data, apps, and infrastructure. Azure AD is built to work for apps in the cloud, on mobile, or on-premises, and you can layer security features such as conditional access to help protect users and your business.
Azure Active Directory (AD) Premium (IDaaS)
• Secure single sign-on and self-service identity management capabilities for thousands of cloud and on-premises apps, with a single identity managed and protected
• Multi-Factor Authentication (MFA) for user sign-ins and transactions to add an additional security layer
• Secure remote access for on-premises apps without using a virtual private network (VPN)
• Identity protection with machine learning-based threat detection and calculations of risk severity for every user and sign-in attempt
• Risk-based conditional access through an intelligent assessment of granting or blocking access and automatic protection from future threats
• Discovery and restriction of privileged identities and their access to resources (e.g. time-limited “Just in Time” admin access) with Privileged Identity Management
Azure Active Directory — Manage and control access to corporate resources
In a mobile-first, cloud-first world, IT professionals need to protect corporate assets while empowering user productivity
at any location at any time.
Windows Hello — Authenticate identities without passwords
Password authentication is not sufficient to keep users safe. Users reuse and forget passwords. Passwords are vulnerable
and difficult for users to employ.
Credential Guard — Protect derived domain credentials
Systems are vulnerable to “pass the hash” attacks that exploit user credentials after users have logged in.
Conditional Access — Control access to apps based on specific conditions
Enterprises need control to allow the right people to access resources under certain conditions while blocking access
under other circumstances.
Cloud App Security — Enterprise-grade security for your cloud apps
Bring security capabilities to SaaS cloud applications to gain better visibility and enhanced protection against cloud
security issues.
Microsoft 365 products, services, and Covenant Technology Partners can help you develop solutions focused on
enterprise-level identity protection.
Enterprise-level identity protection
Questions to answer
• Shadow IT – How do I know what apps are used in my environment?
• Access control – How do I ensure appropriate access to my cloud apps?
• Visibility/reporting – How do I gain visibility into cloud apps and usage?
• Data protection – How do I prevent data leakage?
• Threat prevention – How do I know if my users have been breached?
• Compliance – How do I address regulatory mandates?
Protect your data against user mistakes
The more visibility and control you have into your environment, the more you can keep it safely secured. Microsoft Identity-Driven Security offers deep visibility and strong data controls for the cloud apps your employees use, giving you complete context and granular-level policies. You gain the ability to classify and label files at creation, track their usage, and change permissions when necessary. And they help you prevent data loss on iOS and Android devices with an unparalleled ability to manage Office mobile apps.
Protect your data against user mistakes
How do I gain visibility and control of my cloud apps?
Cloud App Security
• Complete visibility into employee cloud app usage and Shadow IT
• Ongoing risk detection, powerful reporting, and analytics on users, upload/download traffic, usage patterns, and transactions for discovered apps
• Granular-level control and data policies for on-going data protection in cloud apps
What does Cloud App Security provide?
• Discovery – Gain complete visibility and context for cloud usage and shadow IT—no agents required
• Data control – Shape your cloud environment with granular controls and policy settings for access, data sharing, and DLP
• Threat protection – Identify high-risk usage and security incidents, detect abnormal user behavior, and prevent threats
• Integrate with existing security, mobility, and encryption solutions
Discovery
Shadow IT discovery
• Discover 13,000+ cloud apps in use—no agents required
• Identify all users, IP addresses, top apps, top users
Risk scoring
• Get an automated risk score driven by 60+ parameters
• See each app’s risk assessment based on its security mechanisms and compliance regulations
Ongoing analytics
• Ongoing risk detection, powerful reporting, and analytics on users, usage patterns, upload/download traffic, and transactions
• Ongoing anomaly detection for discovered apps
Data control
Policy definition
• Set granular-control security policies for your approved apps
• Use out-of-the-box policies or customize your own
DLP and data sharing
• Prevent data loss both inline and at rest
• Govern data in the cloud, such as files stored in cloud drives, attachments, or within cloud apps
• Use pre-defined templates or extend existing DLP policies
Policy enforcement
• Identify policy violations; investigate at the user, file, or activity level
• Enforce actions such as quarantine and permissions removal
• Block sensitive transactions, limit sessions for unmanaged devices
Threat prevention
Behavioral analytics
• Identify anomalies in your cloud environment which may be indicative of a breach
• Leverage behavioral analytics (each user’s interaction with SaaS apps) to assess risk in each transaction
Attack detection
• Identify and stop known attack pattern activities originating from risky sources, with threat prevention enhanced by vast Microsoft threat intelligence
• Coming soon: send any file through real-time behavioral malware analysis
Cloud app security challenge
• Shadow IT and sanctioned app security
• Visibility and control
• Compliance and regulations
• Integration with existing systems and workflows
• Cloud security expertise
• Cloud Discovery
Cloud App Security Console
Discover
Investigate
Alerts
Control
Architecture and how it works
Discovery
• Use traffic logs to discover and analyze which cloud apps are in use
• Manually or automatically upload log files for analysis from your firewalls and proxies
Sanctioning and un-sanctioning
• Sanction or block apps in your organization using the cloud app catalog
App connectors
• Leverage APIs provided by various cloud app providers
• Connect an app and extend protection by authorizing access to the app. Cloud App Security queries the app for activity logs and scans data, accounts, and cloud content
Diagram: cloud traffic logs from your organization’s firewalls and proxies, from any location, feed Cloud Discovery; API app connectors give Cloud App Security access to protected cloud apps.
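The log-based discovery flow above, worked as an added example (not code from the deck or from Cloud App Security): it parses constructed proxy log lines, attributes them to apps through an assumed mini catalog, scores each app from a handful of assumed parameters, and produces the review list of unsanctioned apps.

```python
# Added example (not from the deck or from Microsoft): a miniature Cloud Discovery
# pass over firewall/proxy traffic logs. Traffic is attributed to apps via a small
# constructed catalog, each app is scored from its security and compliance
# parameters, and unsanctioned apps that deserve review are listed.
# All hosts, users, scores and thresholds are constructed for illustration.
from collections import defaultdict

# Constructed proxy log lines: "<time> <user> <src_ip> <host> <bytes_up> <bytes_down>"
PROXY_LOG = """\
2017-05-01T09:02:11 alice 10.1.2.3 sharepoint.example-tenant.com 1200 540000
2017-05-01T09:05:40 bob 10.1.2.9 files.dropboxlike.example 8200000 1200
2017-05-01T09:07:02 carol 10.1.2.12 files.dropboxlike.example 5100000 900
2017-05-01T09:11:15 alice 10.1.2.3 paste.quickshare.example 300000 0
2017-05-01T10:30:00 bob 10.1.2.9 sharepoint.example-tenant.com 2000 90000
2017-05-01T10:31:07 bob 10.1.2.9 unknown-host.example 500 500
"""

# Constructed app catalog: host -> app name plus four stand-ins for the "60+ parameters"
CATALOG = {
    "sharepoint.example-tenant.com": {"app": "SharePoint Online", "mfa": True,
                                      "encryption_at_rest": True, "soc2": True, "gdpr": True},
    "files.dropboxlike.example": {"app": "DropboxLike", "mfa": True,
                                  "encryption_at_rest": True, "soc2": True, "gdpr": False},
    "paste.quickshare.example": {"app": "QuickShare Paste", "mfa": False,
                                 "encryption_at_rest": False, "soc2": False, "gdpr": False},
}
SANCTIONED = {"SharePoint Online"}   # apps the organization has approved
WEIGHTS = {"mfa": 3, "encryption_at_rest": 3, "soc2": 2, "gdpr": 2}


def risk_score(params: dict) -> int:
    """0..10, higher is safer, in the spirit of the console's per-app risk score."""
    return sum(w for key, w in WEIGHTS.items() if params.get(key))


def discover(log_text: str) -> tuple:
    """Aggregate users, source IPs and upload/download bytes per discovered app."""
    apps = defaultdict(lambda: {"users": set(), "ips": set(), "up": 0, "down": 0, "score": 0})
    uncategorized = 0
    for line in log_text.splitlines():
        _, user, ip, host, up, down = line.split()
        entry = CATALOG.get(host)
        if entry is None:            # not in the catalog: counted, not attributed
            uncategorized += 1
            continue
        app = apps[entry["app"]]
        app["users"].add(user)
        app["ips"].add(ip)
        app["up"] += int(up)
        app["down"] += int(down)
        app["score"] = risk_score(entry)
    return dict(apps), uncategorized


def review_list(apps: dict, min_score: int = 7, upload_bytes: int = 1_000_000) -> list:
    """Unsanctioned apps that score poorly or receive heavy uploads: the Shadow IT review list."""
    return sorted(name for name, a in apps.items()
                  if name not in SANCTIONED and (a["score"] < min_score or a["up"] > upload_bytes))


if __name__ == "__main__":
    apps, unknown = discover(PROXY_LOG)
    for name in review_list(apps):
        a = apps[name]
        print(f"{name}: score {a['score']}/10, {len(a['users'])} users, {a['up']} bytes uploaded")
    print(f"{unknown} log line(s) did not match the catalog")
```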
How do I prevent data leakage from my mobile apps?
Microsoft Intune
Unparalleled management of Office mobile apps with or without device enrollment into MDM
Selective wipe of corporate data (apps, email, data, management policies, and networking profiles) from user devices while leaving personal data intact
Security policy enforcement for mobile devices, apps, and PCs
Mobile application management / Mobile device management / PC management
Strategically direct the flow of your mobile ecosystem, giving your end users the experience they expect while ensuring your corporate data is protected
at every turn.
Enterprise mobility management with Intune
• Enable your users
• Protect your data
Delivering on a unified Microsoft vision
Built with EMS, Office and Windows, Intune delivers on a unified Microsoft vision to transform the way enterprise secures mobile productivity.
This combined effort enables awesome end-to-end scenarios:
• Control access to your data
• Control what happens to your data after it’s been accessed
• Modern PC management
Control access to data based on real-time context
Conditional access allows you to define policies that provide contextual controls at the user, location, device, and app levels. As conditions change, natural user prompts ensure that only the right users on compliant devices can access sensitive data.
Control what happens after the data is accessed
Our app protection policies allow you to control what happens to docs and data after they’ve been accessed.
• App encryption at rest
• App access control – PIN or credentials
• Save as/copy/paste restrictions
• App-level selective wipe
• Managed web browsing
• Secure viewing of PDFs, images, videos
Diagram: managed apps and personal apps on the same device, corporate data and personal data, multi-identity policy; MDM is optional (Intune or 3rd-party).
Everything you need for modern PC management
With the different options in Windows 10, plus Configuration Manager and Intune, you have the flexibility to stage implementation of modern management scenarios while targeting different devices the way that best suits your business needs.
How do I control data on-premises and in the cloud?
Azure Information Protection
Persistent data classification and protection that ensures data is protected at all times—regardless of where it’s stored or with whom it’s shared
Safe sharing with people inside and outside of your organization
Simple, intuitive controls for data classification and protection
Deep visibility and control of shared data for users and IT
AIP: Data-Centric Lifecycle Protection
• At data creation
• Manual and automatic – as much as possible
• Persistent labels
• Industry standard that enables a wide ecosystem
• User awareness through visual labels
• Data Loss Prevention
• Encryption with RMS
• Control over data
• Policy + Enforcement + Automation
Azure Information Protection
AIP SDKs on popular mobile platforms including Windows, iOS, Android, Windows Phone and Mac OS
Connect to on-premises Exchange and SharePoint for the simplest way to get Rights Management running in your organization
AIP provides the Rights Management capabilities for Office 365, providing easy enablement and enforcement of information protection policies
Connect to Windows Server File Services for FCI and DAC integration
Leverage a common identity across Active Directory and Azure Active Directory
Protect your data throughout its lifecycle
Diagram: Identify, Classify & Tag → Share & Protect → Usage Tracking → Revoke Access, along a DLP path and an Encryption / RMS path. Elements shown: enhance on-prem DLP; EXO DLP (in motion); Cloud DLP (at rest); encryption, access control, permissions; global access tracking (who / where / when, grant / denied); file access tracking (who / where / when); identify, classify, tag; revoke document; make private; quarantine.
Detect attacks before they cause damage
Microsoft’s comprehensive threat intelligence uses cutting-edge behavioral analytics and anomaly detection technologies to uncover suspicious activity and pinpoint threats—on-premises and in the cloud. That includes known malicious attacks (e.g. Pass-the-Hash, Pass-the-Ticket) and security vulnerabilities in your system.
On-premises detection
Microsoft Advanced Threat Analytics (ATA)
• Identification of advanced persistent threats (APTs) on-premises by detecting suspicious user and entity behavior using machine learning and event logs
• Detection of known malicious attacks almost as instantly as they occur
• A simple attack timeline with clear and relevant attack information so you can quickly focus on what is important
Microsoft Advanced Threat Analytics brings the behavioral analytics concept to IT and the organization’s users.
Microsoft Advanced Threat Analytics: behavioral analytics for the detection of advanced attacks and security risks; an on-premises platform to identify advanced security attacks and insider threats before they cause damage.
Advanced Threat Analytics benefits
• Detect threats fast with behavioral analytics
• Adapt as fast as your enemies
• Focus on what is important fast using the simple attack timeline
• Reduce the fatigue of false positives
• Prioritize and plan for next steps
How Microsoft Advanced Threat Analytics works
1. Analyze
After installation:
• Simple non-intrusive port mirroring, or deployed directly onto domain controllers
• Remains invisible to the attackers
• Analyzes all Active Directory network traffic
• Collects relevant events from SIEM and information from Active Directory (titles, group memberships, and more)
2. Learn
ATA:
• Automatically starts learning and profiling entity behavior
• Identifies normal behavior for entities
• Learns continuously to update the activities of the users, devices, and resources
What is an entity? An entity represents a user, device, or resource.
3. Detect
Microsoft Advanced Threat Analytics:
• Looks for abnormal behavior and identifies suspicious activities
• Only raises red flags if abnormal activities are contextually aggregated
• Leverages world-class security research to detect security risks and attacks in near real-time based on attackers’ Tactics, Techniques, and Procedures (TTPs)
ATA not only compares the entity’s behavior to its own, but also to the behavior of entities in its interaction path.
4. Alert
ATA reports all suspicious activities on a simple, functional, actionable attack timeline.
ATA identifies who, what, when, and how.
For each suspicious activity, ATA provides recommendations for the investigation and remediation.
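The Learn / Detect / Alert steps above, worked as an added example that is not ATA’s code: it builds per-entity baselines from constructed Active Directory access events, flags off-hours and unfamiliar resource access (checking group peers as an assumed stand-in for the interaction path), and alerts only when distinct anomaly kinds aggregate for one entity.

```python
# Added example (not from the deck or from Microsoft): a toy version of the
# Learn / Detect / Alert steps. It profiles each entity's normal resources and
# working hours from a learning window, compares new activity with the entity's
# own baseline and with its group peers (stand-in for the "interaction path"),
# and only raises an alert when different anomaly kinds aggregate.
# All users, hosts and events are constructed for illustration.
from collections import defaultdict
from datetime import datetime

# Constructed learning-phase events: (user, group, resource, ISO timestamp)
LEARNING = [
    ("alice", "finance", "fs-finance", "2017-05-01T09:10:00"),
    ("alice", "finance", "hr-portal", "2017-05-01T10:05:00"),
    ("alice", "finance", "fs-finance", "2017-05-02T16:40:00"),
    ("bob", "finance", "fs-finance", "2017-05-01T08:30:00"),
    ("bob", "finance", "fs-finance", "2017-05-02T17:15:00"),
    ("carol", "it", "dc01-admin", "2017-05-01T09:00:00"),
    ("carol", "it", "dc01-admin", "2017-05-02T15:30:00"),
]

# Constructed detection-phase events in the same shape
NEW_ACTIVITY = [
    ("alice", "finance", "fs-finance", "2017-05-03T10:20:00"),  # routine
    ("bob", "finance", "hr-portal", "2017-05-03T09:15:00"),     # new to bob, known to peers
    ("alice", "finance", "dc01-admin", "2017-05-04T03:12:00"),  # new resource, off hours
    ("carol", "it", "dc01-admin", "2017-05-03T22:45:00"),       # off hours only
]


def learn(events):
    """Baseline per entity (resources, hour range) and per group (resources any peer used)."""
    profiles = defaultdict(lambda: {"resources": set(), "hours": [23, 0]})
    peers = defaultdict(set)
    for user, group, resource, ts in events:
        hour = datetime.fromisoformat(ts).hour
        prof = profiles[user]
        prof["resources"].add(resource)
        prof["hours"] = [min(prof["hours"][0], hour), max(prof["hours"][1], hour)]
        peers[group].add(resource)
    return profiles, peers


def detect(events, profiles, peers):
    """Flag per-entity anomalies: resource unknown to the entity and its peers, or off-hours."""
    flags = defaultdict(list)
    for user, group, resource, ts in events:
        hour = datetime.fromisoformat(ts).hour
        prof = profiles[user]
        if resource not in prof["resources"] and resource not in peers[group]:
            flags[user].append(("abnormal resource access", resource, ts))
        if not prof["hours"][0] <= hour <= prof["hours"][1]:
            flags[user].append(("abnormal working hours", resource, ts))
    return flags


def alert(flags, min_kinds=2):
    """Attack-timeline entries only where distinct anomaly kinds aggregate for one entity."""
    timeline = []
    for user, items in flags.items():
        kinds = sorted({kind for kind, _, _ in items})
        if len(kinds) >= min_kinds:
            timeline.append({"who": user, "what": kinds,
                             "when": min(ts for _, _, ts in items),
                             "how": [f"{kind} on {res} at {ts}" for kind, res, ts in items]})
    return timeline


if __name__ == "__main__":
    profiles, peers = learn(LEARNING)
    for entry in alert(detect(NEW_ACTIVITY, profiles, peers)):
        print(entry["who"], entry["what"], entry["when"])
```

Carol's single off-hours access is flagged but not alerted, which is the false-positive fatigue point from the benefits slide; a real deployment would tune the learning window and aggregation rule rather than use these constructed values.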
ATA detects a wide range of suspicious activities
Across the attack phases Reconnaissance, Compromised Credential, Lateral Movement, Privilege Escalation and Domain Dominance, ATA detects:
• Abnormal resource access
• Account enumeration
• Net Session enumeration
• DNS enumeration
• SAM-R enumeration
• Abnormal working hours
• Brute force using NTLM, Kerberos, or LDAP
• Sensitive accounts exposed in plain text authentication
• Service accounts exposed in plain text authentication
• Honey Token account suspicious activities
• Unusual protocol implementation
• Malicious Data Protection Private Information (DPAPI) request
• Abnormal authentication requests
• Pass-the-Ticket
• Pass-the-Hash
• Overpass-the-Hash
• MS14-068 exploit (Forged PAC)
• MS11-013 exploit (Silver PAC)
• Skeleton key malware
• Golden ticket
• Remote execution
• Malicious replication requests
Key features
Auto updates
• Updates and upgrades automatically with the latest and greatest attack and anomaly detection capabilities that our research team adds
Integration to SIEM
• Analyzes events from SIEM to enrich the attack timeline
• Works seamlessly with SIEM
• Provides options to forward security alerts to your SIEM or to send emails to specific people
Seamless deployment
• Software offering that runs on physical hardware or virtual machines
• Utilizes port mirroring to allow seamless deployment alongside AD, or installed directly on domain controllers
• Does not affect existing topology
Detection in the cloud
Cloud App Security
• Behavioral analytics that assess risk and identify attackers targeting your cloud apps
• Identification of anomalies and policy violations that may be indicative of a security breach
Security reporting and monitoring
Azure Active Directory Premium
• Identity protection that provides a consolidated view of all the risky events and possible configuration vulnerabilities with notifications, analysis, and recommended remediation based on 10 TB of cloud data processed daily
• Advanced security reporting to protect against suspicious behaviors and advanced attacks
• Access and usage reports that give visibility into the integrity and security of your organization’s directory
Machine learning for building Threat Intelligence
Microsoft continues to evolve security intelligence with real-time insights and predictive intelligence—across its network—that help you stay a step ahead of threats. With Microsoft’s Intelligent Security Graph, formed by trillions of signals from billions of sources, you can better detect attacks, accelerate responses, and prevent modern-day threats. The graph uses input Microsoft receives across its endpoints, consumer services, commercial services, and on-premises technologies. These and other enhancements help your IT staff enable rapid innovation while protecting corporate data and assets.
Enhanced with the Microsoft Intelligent Security Graph
Microsoft Enterprise Mobility + Security
• Azure Active Directory Identity Protection – Manage identity with hybrid integration to protect application access from identity attacks
• Intune – Protect your users, devices, and apps
• Azure Rights Management and Secure Islands – Protect your data, everywhere
• Advanced Threat Analytics – Detect problems early with visibility and threat analytics
• Microsoft Cloud App Security – Extend enterprise-grade security to your cloud and SaaS apps
Ever wonder how secure your Office 365 organization really is?
Time to stop wondering - the Office 365 Secure Score is here to help. Secure Score analyzes your Office 365 organization’s security based on your regular activities and security settings and assigns a score. Think of it as a credit score for security.
Secure Score figures out what Office 365 services you’re using (like OneDrive, SharePoint, and Exchange), then looks at your settings and activities and compares them to a baseline established by Microsoft. You’ll get a score based on how aligned you are with best security practices.
How will it help me?
Using Secure Score helps increase your organization’s security by encouraging you to use the built-in security features in Office 365 (many of which you already purchased but might not be aware of). Learning more about these features as you use the tool will help give you peace of mind that you’re taking the right steps to protect your organization from threats.
Note: The Secure Score does not express an absolute measure of how likely you are to get breached. It expresses the extent to which you have adopted controls which can offset the risk of being breached. No service can guarantee that you will not be breached, and the Secure Score should not be interpreted as a guarantee in any way.
Ask your client manager about a cloud deployment assessment, including user adoption reports and how to review your Secure Score.
Your organizational security matters…
Call to Action…
Bruce Gagliolo Jr, Senior Architect, Modern Workplace Leader
Business Intelligence
SQL Server
Azure Services
Microsoft/Office 365
.NET Apps
Project Management
Forms & Workflow
Intranets
Extranets
Websites
SharePoint
Sitecore
HTML5/CSS3
Microsoft Dynamics CRM
Active Directory IDaaS
Enterprise Mobility + Security
System Center & Intune
Single Sign-On (ADFS)
Exchange
Skype for Business
OneDrive for Business
So many products and tools, what are they and what do they do for your business?
Appendix
Office 365 E3