Proactive Intelligent Security with Microsoft Enterprise Mobility + Security Bruce Gagliolo Jr Senior Architect, Modern Workplace Leader Covenant Technology Partners, LLC

Proactive Intelligent Security - Covenant Technology Partners · Security and Compliance Infographic, CDOC EBC Presentation 4.2 billion Customer records compromised1 99 days ... In

We help technology leaders successfully implement business solutions that achieve significant and sustainable results.

Every project matters…

Our Vision & Mission

Technology is fast reshaping our world and has the potential to change everything – people, businesses, communities and nations

BT CIO REPORT

PEOPLE WORKING REMOTELY has increased 4x

90% of the world’s data was generated over the last 2 years

Add insufficient staff expertise and increased compliance obligations through regulations like General Data Protection Regulation (GDPR)…

Who will fill the gap?

• 4.2 billion customer records compromised¹

• 99 days from breach to detection²

• $17 million average cost of a security breach³

¹ Source: https://pages.riskbasedsecurity.com/hubfs/Reports/2016%20Year%20End%20Data%20Breach%20QuickView%20Report.pdf (Date: 2017)

² Source: https://www.fireeye.com/blog/threat-research/2017/03/m-trends-2017.html (Date: March 2017)

³ Source: Cyber crime--a risk you can manage: Information management and governance to protect business innovation, business white paper (Date: November 2016). Microsoft Document: Office 365 Security and Compliance Infographic, CDOC EBC Presentation

The current reality…

Traditionally, detecting and responding to cyber threats has relied on understanding precedent, matching patterns, writing definitions, and configuring rule-based actions for mitigation.

Given the sophistication, polymorphism, and rapid rate of change seen in today's threat landscape, traditional methods that involve a human touch at each and every point are proving inadequate and inefficient.

How can we do better?

Threat Detection and Protection

What is Identity-Driven Security?

In the modern world of cloud and devices, there are few things that we can control to keep the bad guys out. We can no longer rely on a physical perimeter, but we can put controls around identity information. That’s why identity-driven security is so vital. Identity should be at the heart of safeguarding users, devices, apps and data.

Any organization adopting an identity-driven approach to its security must ask:

• Users – Who is the user? What access should they have?

• Devices – Personal or Corporate? Location? Device Type?

• Apps – Who should have access? What should they have access to?

• Data – What kind of data? Who should have access?

What is Identity-Driven Security?

Organizations have many different scenarios to manage, each with its own security risks, for example:

• Users consuming corporate data on personal devices

• Individual users or whole departments consuming cloud services that are not under the control of an organization's IT department (“Shadow IT”)

• Organizations adopting multiple cloud services

• Users and organizations sharing data with customers and other business partners

Corporate applications and data now live both “inside” and “outside” the organization, so the traditional security approach of “perimeter thinking” is not adequate.

Enterprise-level Identity Protection

Protection at the front door

In more than 63 percent of data breaches, attackers gain corporate network access through weak, default, or stolen user credentials. Microsoft Identity-Driven Security focuses on user credentials, protecting your organization at the front door by managing and protecting your identities—including your privileged and non-privileged identities.

[Diagram: conditional access. Labels: Conditions; Actions; User; User group; Location (IP range); Device state; MFA; Risk (Low, Medium, High); Allow; Enforce MFA; Remediate; Block access; Wipe device; On-premises applications; Microsoft Azure]

You can equip your organization to better manage identity and access controls, and stop breaches before they escalate in severity.

Do you need help securing the front door:

• Do you know who is accessing their data?

• Can you grant access based on risk in real time?

• Can you quickly identify and react to a breach?

• Are users empowered to work securely anywhere at any time?

• 81% of all hacking-related breaches use compromised credentials¹

• 15% of phishing attack victims fall victim a second time¹

• 95% of phishing attacks that led to a breach were followed by some form of software installation¹

• 75% of individuals use only 3 or 4 passwords across all of their accounts²

Enterprise-level identity protection

Identity, security, and productivity all at once

Azure Active Directory (Azure AD) helps you manage user identities and create intelligence-driven access policies to secure your resources. As an integral component of Office 365, Azure and Enterprise Mobility + Security, Azure AD centralizes identity and access management to enable deep security, productivity, and management across devices, data, apps, and infrastructure. Azure AD is built to work for apps in the cloud, on mobile, or on-premises, and you can layer security features such as conditional access to help protect users and your business.

Azure Active Directory (AD) Premium (IDaaS)

• Secure single sign-on and self-service identity management capabilities for 1000s of cloud and on-premises apps with a single identity managed and protected

• Multi-Factor Authentication (MFA) for user sign-ins and transactions to add an additional security layer

• Secure remote access for on-premises apps without using a virtual private network (VPN)

• Identity protection with machine learning-based threat detection and calculations of risk severity for every user and sign-in attempt

• Risk-based conditional access through an intelligent assessment of granting or blocking access and automatic protection from future threats

• Discovery and restriction of privileged identities and their access to resources (i.e. time limited “Just in Time” admin access) with Privileged Identity Management

Azure Active Directory — Manage and control access to corporate resources

In a mobile-first, cloud-first world, IT professionals need to protect corporate assets while empowering user productivity at any location at any time.

Windows Hello — Authenticate identities without passwords

Password authentication is not sufficient to keep users safe. Users reuse and forget passwords. Passwords are vulnerable and difficult for users to employ.

Credential Guard — Protect derived domain credentials

Systems are vulnerable to “pass the hash” attacks that exploit user credentials after users have logged in.

Conditional Access — Control access to apps based on specific conditions

Enterprises need control to allow the right people to access resources under certain conditions while blocking access under other circumstances.

Cloud App Security — Enterprise-grade security for your cloud apps

Bring security capabilities to SaaS cloud applications to gain better visibility and enhanced protection against cloud security issues.

Microsoft 365 products, services, and Covenant Technology Partners can help you develop solutions focused on enterprise-level identity protection.

Enterprise-level identity protection

Questions to answer

• Shadow IT: How do I know what apps are used in my environment?

• Access control: How do I ensure appropriate access to my cloud apps?

• Visibility/reporting: How do I gain visibility into cloud apps and usage?

• Data protection: How do I prevent data leakage?

• Threat prevention: How do I know if my users have been breached?

• Compliance: How do I address regulatory mandates?

Protect your data against user mistake

The more visibility and control you have into your environment, the more you can keep it safely secured. Microsoft Identity-Driven Security offers deep visibility and strong data controls for the cloud apps your employees use, giving you complete context and granular-level policies. You gain the ability to classify and label files at creation, track their usage, and change permissions when necessary. And they help you prevent data loss on iOS and Android devices with an unparalleled ability to manage Office mobile apps.

How do I gain visibility and control of my cloud apps?

Cloud App Security

• Complete visibility into employee cloud app usage and Shadow IT

• Ongoing risk detection, powerful reporting, and analytics on users, upload/download traffic, usage patterns, and transactions for discovered apps

• Granular-level control and data policies for on-going data protection in cloud apps

What does Cloud App Security provide?

• Discovery: Gain complete visibility and context for cloud usage and shadow IT—no agents required

• Data control: Shape your cloud environment with granular controls and policy setting for access, data sharing, and DLP

• Threat protection: Identify high-risk usage and security incidents, detect abnormal user behavior, and prevent threats

Integrate with existing security, mobility, and encryption solutions

Discovery

Shadow IT discovery

• Discover 13,000+ cloud apps in use—no agents required

• Identify all users, IP addresses, top apps, top users

Risk scoring

• Get an automated risk score driven by 60+ parameters

• See each app’s risk assessment based on its security mechanisms and compliance regulations

Ongoing analytics

• Ongoing risk detection, powerful reporting, and analytics on users, usage patterns, upload/download traffic, and transactions

• Ongoing anomaly detection for discovered apps

Data control

Policy definition

• Set granular-control security policies for your approved apps

• Use out-of-the-box policies or customize your own

DLP and data sharing

• Prevent data loss both inline and at rest

• Govern data in the cloud, such as files stored in cloud drives, attachments, or within cloud apps

• Use pre-defined templates or extend existing DLP policies

Policy enforcement

• Identify policy violations, investigate on a user, file, activity level

• Enforce actions such as quarantine and permissions removal

• Block sensitive transactions, limit sessions for unmanaged devices

Threat prevention

Behavioral analytics

• Identify anomalies in your cloud environment which may be indicative of a breach

• Leverage behavioral analytics (each user’s interaction with SaaS apps) to assess risk in each transaction

Attack detection

• Identify and stop known attack pattern activities originating from risky sources with threat prevention enhanced with vast Microsoft threat intelligence

• Coming soon: send any file through real-time behavioral malware analysis

Cloud app security challenge

[Diagram labels: Shadow IT; Sanctioned; App Security; Visibility and control; Compliance and regulations; Integration with existing systems and workflows; Cloud security expertise; Cloud Discovery]

Cloud App Security Console

Discover

Investigate

Alerts

Control

Architecture and how it works

Discovery

• Use traffic logs to discover and analyze which cloud apps are in use

• Manually or automatically upload log files for analysis from your firewalls and proxies

Sanctioning and un-sanctioning

• Sanction or block apps in your organization using the cloud app catalog

App connectors

• Leverage APIs provided by various cloud app providers

• Connect an app and extend protection by authorizing access to the app. Cloud App Security queries the app for activity logs and scans data, accounts, and cloud content

[Diagram labels: Your organization from any location; Cloud traffic; Cloud traffic logs; Firewalls; Proxies; Cloud discovery; App connectors; API; Protected; Cloud apps; Cloud App Security]

How do I prevent data leakage from my mobile apps?

Microsoft Intune

Unparalleled management of Office mobile apps with or without device enrollment into MDM

Selective wipe of corporate data (apps, email, data, management policies, and networking profiles) from user devices while leaving personal data intact

Security policy enforcement for mobile devices, apps, and PCs

Enterprise mobility management with Intune

• Mobile device management

• Mobile application management

• PC management

Strategically direct the flow of your mobile ecosystem, giving your end users the experience they expect while ensuring your corporate data is protected at every turn.

[Diagram labels: Enable your users; Protect your data; Microsoft Intune; User; IT]

Delivering on a unified Microsoft vision

Built with EMS, Office and Windows, Intune delivers on a unified Microsoft vision to transform the way enterprise secures mobile productivity.

This combined effort enables awesome end-to-end scenarios.

Control access to your data

Control what happens to your data after it’s been accessed

Modern PC management

Control access to data based on real-time context

Conditional access allows you to define policies that provide contextual controls at the user, location, device, and app levels. As conditions change, natural user prompts ensure that only the right users on compliant devices can access sensitive data.

Control what happens after the data is accessed

Our app protection policies allow you to control what happens to docs and data after they’ve been accessed.

• App encryption at rest

• App access control – PIN or credentials

• Save as/copy/paste restrictions

• App-level selective wipe

• Managed web browsing

• Secure viewing of PDFs, images, videos

MDM – optional (Intune or 3rd-party)

[Diagram labels: Managed apps; Personal apps; Corporate data; Personal data; Multi-identity policy]

With the different options in Windows 10, plus Configuration Manager and Intune, you have the flexibility to stage implementation of modern management scenarios while targeting different devices the way that best suits your business needs.

Everything you need for modern PC management

How do I control data on-premises and in the cloud?

Azure Information Protection

Persistent data classification and protection that ensures data is protected at all times—regardless of where it's stored or with whom it's shared

Safe sharing with people inside and outside of your organization

Simple, intuitive controls for data classification and protection

Deep visibility and control of shared data for users and IT

AIP: Data Centric Lifecycle Protection

At data creation

Manual and automatic - as much as possible

Persistent labels

Industry standard that enables a wide ecosystem

User awareness through visual labels

Data Loss Prevention

Encryption with RMS

Control over data

Policy + Enforcement + Automation

Azure Information Protection

AIP SDKs on popular mobile platforms including Windows, iOS, Android, Windows Phone and Mac OS

Connect to on-premises Exchange and SharePoint for the simplest way to get Rights Management running in your organization

AIP provides the Rights Management capabilities for Office 365, providing easy enablement and enforcement of information protection policies

Connect to Windows Server File Services for FCI and DAC integration

Leverage a common identity across Active Directory and Azure Active Directory

Protect your data throughout its lifecycle

[Diagram: four lifecycle stages (Identify, Classify & Tag; Share & Protect; Usage Tracking; Revoke Access) shown along two paths, the Encryption / RMS Path and the DLP Path. Labels: Identify; Classify; Tag; Enhance on-prem DLP; EXO DLP (in motion); Cloud DLP (at rest); Encryption; Access Control; Permissions; Global access tracking (Who / Where / When, Grant / Denied); File access tracking (Who / Where / When); Revoke Document; Make private; Quarantine]

Detect attacks before they cause damage

Microsoft’s comprehensive threat intelligence uses cutting-edge behavioral analytics and anomaly detection technologies to uncover suspicious activity and pinpoint threats—on-premises and in the cloud. That includes known malicious attacks (i.e. Pass the Hash, Pass the Ticket) and security vulnerabilities in your system.

On-premises detection

Microsoft Advanced Threat Analytics (ATA)

• Identification of advanced persistent threats (APTs) on-premises by detecting suspicious user and entity behavior using machine learning and event logs

• Detection of known malicious attacks almost as soon as they occur

• A simple attack timeline with clear and relevant attack information so you can quickly focus on what is important

Microsoft Advanced Threat Analytics

Microsoft Advanced Threat Analytics brings the behavioral analytics concept to IT and the organization’s users.

• Behavioral Analytics

• Detection of advanced attacks and security risks

• Advanced Threat Detection

An on-premises platform to identify advanced security attacks and insider threats before they cause damage

Advanced Threat Analytics benefits

• Detect threats fast with Behavioral Analytics

• Adapt as fast as your enemies

• Focus on what is important fast using the simple attack timeline

• Reduce the fatigue of false positives

• Prioritize and plan for next steps

How Microsoft Advanced Threat Analytics works

Step 1: Analyze

After installation:

• Simple non-intrusive port mirroring, or deployed directly onto domain controllers

• Remains invisible to the attackers

• Analyzes all Active Directory network traffic

• Collects relevant events from SIEM and information from Active Directory (titles, group membership, and more)

How Microsoft Advanced Threat Analytics works

Step 2: Learn

ATA:

• Automatically starts learning and profiling entity behavior

• Identifies normal behavior for entities

• Learns continuously to update the activities of the users, devices, and resources

What is an entity? An entity represents users, devices, or resources.

How Microsoft Advanced Threat Analytics works

Step 3: Detect

Microsoft Advanced Threat Analytics:

• Looks for abnormal behavior and identifies suspicious activities

• Only raises red flags if abnormal activities are contextually aggregated

• Leverages world-class security research to detect security risks and attacks in near real-time based on attackers' Tactics, Techniques, and Procedures (TTPs)

ATA not only compares the entity’s behavior to its own, but also to the behavior of entities in its interaction path.

How Microsoft Advanced Threat Analytics works

Step 4: Alert

ATA reports all suspicious activities on a simple, functional, actionable attack timeline

ATA identifies Who? What? When? How?

For each suspicious activity, ATA provides recommendations for the investigation and remediation

Abnormal resource access

Account enumeration

Net Session enumeration

DNS enumeration

SAM-R Enumeration

Abnormal working hours

Brute force using NTLM, Kerberos, or LDAP

Sensitive accounts exposed in plain text authentication

Service accounts exposed in plain text authentication

Honey Token account suspicious activities

Unusual protocol implementation

Malicious Data Protection Private Information (DPAPI) Request

Abnormal authentication requests

Abnormal resource access

Pass-the-Ticket

Pass-the-Hash

Overpass-the-Hash

MS14-068 exploit (Forged PAC)

MS11-013 exploit (Silver PAC)

Skeleton key malware

Golden ticket

Remote execution

Malicious replication requests

ATA detects a wide range of suspicious activities

Reconnaissance

Compromised Credential

Lateral Movement

Privilege Escalation

Domain Dominance

Key features

Auto updates

▪ Updates and upgrades automatically with the latest and greatest attack and anomaly detection capabilities that our research team adds

Integration to SIEM

▪ Analyzes events from SIEM to enrich the attack timeline

▪ Works seamlessly with SIEM

▪ Provides options to forward security alerts to your SIEM or to send emails to specific people

Seamless deployment

▪ Software offering that runs on hardware or virtual

▪ Utilizes port mirroring to allow seamless deployment alongside AD, or installed directly on domain controllers

▪ Does not affect existing topology

Detection in the cloud

Cloud App Security

• Behavioral analytics that assess risk and identify attackers targeting your cloud apps

• Identification of anomalies and policy violations that may be indicative of a security breach

Security reporting and monitoring

Azure Active Directory Premium

• Identity protection that provides a consolidated view of all the risky events and possible configuration vulnerabilities with notifications, analysis, and recommended remediation based on 10 TB of cloud data processed daily

• Advanced security reporting to protect against suspicious behaviors and advanced attacks

• Access and usage reports that give visibility into the integrity and security of your organization’s directory

Machine learning for building Threat Intelligence

Microsoft continues to evolve security intelligence with real-time insights and predictive intelligence across its network that help you stay a step ahead of threats. With Microsoft’s Intelligent Security Graph, formed by trillions of signals from billions of sources, you can better detect attacks, accelerate responses, and prevent modern-day threats. The graph uses input Microsoft receives across its endpoints, consumer services, commercial services, and on-premises technologies. These and other enhancements help your IT staff enable rapid innovations while protecting corporate data and assets.


Enhanced with the Microsoft Intelligent Security Graph


Microsoft Enterprise Mobility + Security

Intune

Azure Rights Management and Secure Islands

Protect your users, devices, and apps

Detect problems early with visibility and threat analytics

Protect your data, everywhere

Extend enterprise-grade security to your cloud and SaaS apps

Manage identity with hybrid integration to protect application access from identity attacks

Advanced Threat Analytics

Microsoft Cloud App Security

Azure Active Directory Identity Protection


Office 365 Secure Score

Ever wonder how secure your Office 365 organization really is?

Time to stop wondering - the Office 365 Secure Score is here to help. Secure Score analyzes your Office 365 organization’s security based on your regular activities and security settings and assigns a score. Think of it as a credit score for security.

Secure Score figures out what Office 365 services you’re using (like OneDrive, SharePoint, and Exchange) then looks at your settings and activities and compares them to a baseline established by Microsoft. You’ll get a score based on how aligned you are with best security practices.


How will it help me?

Using Secure Score helps increase your organization’s security by encouraging you to use the built-in security features in Office 365 (many of which you already purchased but might not be aware of). Learning more about these features as you use the tool will help give you peace of mind that you’re taking the right steps to protect your organization from threats.

Note: The Secure Score does not express an absolute measure of how likely you are to get breached. It expresses the extent to which you have adopted controls which can offset the risk of being breached. No service can guarantee that you will not be breached, and the Secure Score should not be interpreted as a guarantee in any way.


Ask your client manager about a cloud deployment assessment including user adoption reports and how to review your secure score.

Your organizational security matters…

Call to Action…


Bruce Gagliolo Jr
Senior Architect, Modern Workplace Leader


Business Intelligence

SQL Server

Azure Services

Microsoft/Office 365

.NET Apps

Project Management

Forms & Workflow

Intranets

Extranets

Websites

SharePoint

Sitecore

HTML5/CSS3

Microsoft Dynamics CRM

Active Directory IDaaS

Enterprise Mobility + Security

System Center & Intune

Single Sign-On (ADFS)

Exchange

Skype for Business

OneDrive for Business


So many products and tools, what are they and what do they do for your business?


Appendix


Office 365 E3
