Zero Trust Security: Getting the Most out of Microsoft 365
Two truths for all businesses
There is at least one employee in every organization who will click on anything.
Employees are busy — getting their jobs done is top-of-mind, and inefficient processes frustrate them.
“Legacy, perimeter-centric models of information security are of no use in today’s digital businesses.”
Forrester Research, 2017
Legacy Perimeter Model Assumptions
Diagram zones: Outside (Untrusted/Less Trusted) | Inside (Trusted)
• Company Servers
• DMZ & Semi-Secure Network
• Remote Users, Partners & Mobile
• Low Privileged User Devices
• Admin Devices
Fatal Assumptions
• All risks are external
• Users & devices are not transient
• Internal systems are never compromised
• Assumes no malicious users
• Assumes no malware or phishing
The Kill Chain
Lateral Movement, Exploitation and Exfiltration
Real World Incidents – Phishing Attack Disables Organization
New School Cloud-Based Attack Swipes Payroll
Social Engineering
Attacker calls pretending to be Microsoft Support to prep the target for a “critical” email, then sends the phishing email.
OAuth Trust
User is prompted to trust a “Microsoft Support” app request. It establishes Web API access to the user’s account.
Trusted User Phishing
Attacker sends email from the breached user to HR claiming problems opening a paystub. The PDF contains a malicious payload.
HR User Breached
Live-off-the-land attack launched via JavaScript embedded in the PDF. PowerShell is executed behind the scenes to launch the next phase.
Payroll Attack
Using the HR employee’s SSO access to the HR app, direct deposit information is changed.
Why a new approach?
Compromised identity is the root of most breaches
Low-privileged accounts are exploited to move laterally from device to device, then escalate to high privileges to accomplish the mission
Most organizations address north/south (perimeter) threats, but not east/west (lateral) threats
Cloud apps, mobile users, laptops, work from home, B2C, and B2B all go beyond the firewall, which leads to blind spots and shadow IT
Five Tenets of Zero Trust
1. Access must be earned by all devices every time
2. Ensure all data and resources are accessed securely
3. User and device location should not decrease security
4. Least-privileged access and strictly enforced access controls
5. Log everything to an immutable destination
Advantages of Zero Trust
• Makes lateral breach movement harder
• Users get a unified experience
• Adds consistent security controls for all endpoints
• Removes complexity of solving for both on-prem and external access
• Security is persistent, even if data is shared externally
• Removes need for certain complexities such as DMZ and VPN in many scenarios
• Enables Digital Transformation by removing security barriers
• Say “Yes” more
Zero Trust Myths & Misconceptions
1. You need Zero Trust-specific products
2. You need entirely new skillsets
3. You must allow BYOD
Modern Pyramid of Zero Trust Management
Layers: Data, Application, Device, Network, Identity
Prioritize & solve upwards
Control Framework Example
Control Framework
• Information Protection
• Activity Monitoring
• Firewall
• Systems Management
• Intrusion Detection
• Access Control
• Content Filtering
Applied Zero Trust
Example - Access an HR File on SharePoint On-Prem with an iPad
Enroll iPad with Intune
• Containers
• Managed Browser
• SSO
• Security Policies
• Lookout Security
Azure App Proxy
• Ad Hoc SSL Tunneling
• Conditional Access
Risk-Based Authentication
• Authentication risk policy
• Multi-Factor Auth
• Compromised Account Detection
Advanced Threat Analytics
• User and Device Behavior Analytics
• Intrusion Detection
Azure Information Protection
• Data Protection
• Access Audit Log
• Travel-anywhere access controls
• Revocation
Azure AD Security Logging
• Provides complete event correlation and immutable logs
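The five tenets and the iPad-to-SharePoint walk-through both reduce to one decision per request, with the outcome written somewhere it cannot be quietly edited. The following Python example is added here as an illustration and is not code from the presentation or from any Microsoft product: it evaluates constructed signals named after the slide's components (Intune enrollment and compliance, Identity Protection-style sign-in risk, MFA, an AIP-style label), ignores network location when granting trust, and keeps a hash-chained audit log; all field and function names are assumptions.

```python
import hashlib
import json
from dataclasses import dataclass

@dataclass
class AccessRequest:
    """Constructed signals; field names are assumptions for this example."""
    user: str
    device_enrolled: bool   # enrolled in Intune
    device_compliant: bool  # passes the Intune compliance policy
    mfa_satisfied: bool
    sign_in_risk: str       # "none", "low", "medium" or "high" (Identity Protection style)
    on_corp_network: bool   # recorded for audit only; never lowers the bar (tenet 3)
    resource_label: str     # "Regulated", "Sensitive" or "Non-Sensitive"

def decide(req: AccessRequest) -> str:
    """Return 'allow', 'mfa_required' or 'deny' for one request, evaluated every time."""
    if req.sign_in_risk == "high":
        return "deny"
    if not (req.device_enrolled and req.device_compliant):
        return "deny"  # access is earned by the device on every request (tenet 1)
    needs_mfa = req.resource_label in ("Regulated", "Sensitive") or req.sign_in_risk == "medium"
    if needs_mfa and not req.mfa_satisfied:
        return "mfa_required"  # step up before sensitive data is reached (tenet 4)
    return "allow"

class AuditLog:
    """Append-only log where each entry commits to the previous entry's hash (tenet 5)."""
    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(body: dict) -> str:
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, req: AccessRequest, decision: str) -> None:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {"user": req.user, "decision": decision, "risk": req.sign_in_risk,
                "on_corp_network": req.on_corp_network, "prev": prev}
        self.entries.append({**body, "hash": self._digest(body)})

    def verify(self) -> bool:
        """True only if no entry was altered, reordered or removed from inside the chain."""
        prev = "0" * 64
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev or self._digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True
```

A real deployment would ship the log to a write-once destination; the chain only lets a reader prove an existing entry was changed, it does not stop truncation of the tail.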
The Zero Trust Implementation Process
1. Identify and Classify Data
2. Map Sensitive Data Flow
3. Define Control Framework
4. Enforce Access Control
5. Continuously Monitor
Relevant Tools for Zero Trust Methodology
3-Class Classification Rule: Try to Keep It Simple
Example of a network scanner to identify content locations
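Step 1 of the process (identify and classify data), the three-class rule and the scanner slide meet in one small rule set. The Python example below is added here as an illustration and is not a tool from the presentation: it applies a three-class rule using the classes the deck names under its Secure Score goals (Regulated, Sensitive, Non-Sensitive) to constructed sample files standing in for scanned content locations; the indicator patterns, paths and file contents are assumptions.

```python
import re

CLASS_RANK = {"Non-Sensitive": 0, "Sensitive": 1, "Regulated": 2}  # highest class found wins

def luhn_ok(digits: str) -> bool:
    """Luhn check so that arbitrary 16-digit strings are not flagged as card numbers."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def has_card_number(text: str) -> bool:
    for m in re.findall(r"\b(?:\d[ -]?){13,16}\b", text):
        if luhn_ok(re.sub(r"[ -]", "", m)):
            return True
    return False

# Constructed indicator rules (name, class, predicate): Regulated covers regimes the
# deck lists such as PCI and HIPAA; Sensitive covers PII, bank and tax information.
RULES = [
    ("PCI", "Regulated", has_card_number),
    ("HIPAA", "Regulated", lambda t: re.search(r"\b(?:diagnosis|patient id|mrn)\b", t, re.I) is not None),
    ("PII (SSN)", "Sensitive", lambda t: re.search(r"\b\d{3}-\d{2}-\d{4}\b", t) is not None),
    ("Bank account", "Sensitive", lambda t: re.search(r"\b(?:routing number|account number|iban)\b", t, re.I) is not None),
    ("Tax", "Sensitive", lambda t: re.search(r"\b(?:W-2|1099|tax return)\b", t, re.I) is not None),
]

def classify(text: str):
    """Return (class, [matched indicators]) for one document."""
    best, hits = "Non-Sensitive", []
    for name, cls, pred in RULES:
        if pred(text):
            hits.append(name)
            if CLASS_RANK[cls] > CLASS_RANK[best]:
                best = cls
    return best, hits

def scan(files: dict) -> dict:
    """Map each content location to its class, as input for the sensitive-data-flow map."""
    return {path: classify(text) for path, text in files.items()}

SAMPLE_FILES = {  # constructed sample content standing in for files found by a network scan
    "//fs01/hr/payroll.csv": "employee,routing number 021000021,acct 123456789",
    "//fs01/hr/w2_2019.txt": "Form W-2 wage statement, SSN 123-45-6789",
    "//fs01/finance/cards.txt": "card 4111 1111 1111 1111 exp 12/24",
    "//fs01/public/lunch_menu.txt": "Tuesday: tacos",
}
```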
Typical Zero Trust Feature Spread
Identity & Access Management
• Multi-factor authentication
• Single sign-on
• Risk-based access controls
• Privileged account escalation processes
• Conditional Access to cloud and on-premises applications
Systems Management
• Mobile device management
• Systems management
• Update deployment
• Endpoint protection
• Unapproved device controls
• Disk encryption
Information Protection
• Automatic file classification and encryption
• Secure external data sharing
• Encrypted email
• Cloud-based data loss prevention
• Application & data containerization
Monitoring and Alerting
• Intrusion and threat detection
• Compromised account detection
• Compliance and policy-driven alerts
• Shadow IT detection
• Next-gen firewall
Microsoft 365
Aligned Layers of Protection
Identity
• Multi-Factor Auth, Azure Identity Protection, Azure Privileged Identity Management, MIM
Network
• Advanced Threat Analytics
• Azure App Proxy
Device
• Intune Device Management, Intune MAM, AppLocker, Cloud App Security
Application
• Cloud App Security
Data
• Azure Information Protection, Azure Rights Management, Data Loss Prevention
Office 365 Hardening & Secure Score
• Baseline — discover your starting point: where you are today.
• See where you should be — target objectives are based on industry best practices.
• Visualize gaps — see the actions that will improve posture.
• Execute the actions list — implement the action items (like a punch list).
• See the improved score — your score increases to reflect your progress.
An effective way to communicate security state to your business stakeholders!
March 23, 2020
Improvement Actions
• View settings — shows you what/who’s impacted, and advice for user impact.
• Resolved through 3rd party — helpful if you use RSA for MFA.
• Ignore — your business makes the decision that the improvement action item is not suitable for your environment.
Setting Your Goal — Catapult’s Recommended Best Practice
• Regulated Records = 600+ (FERPA, CUI, CJIS, HIPAA, PCI)
• Sensitive Records = 500+ (PII, Bank Accounts, Tax Information)
• Non-Sensitive Records = 350+ (Non-sensitive information, Internal-Only)
Practical Best Practice
Summarizing Zero Trust
Summary and Zero Trust Take-Aways
1. Zero Trust is a journey, not a destination
2. It’s not about what tools you buy, but how you use them
3. It’s about moving away from white lists
4. Geographic location or IP address should never lower your security requirements
5. Zero Trust can improve user experience
6. Zero Trust enables you to say yes more
Q & A
Ed Higgins, CISSP, CISM, CGEIT, Security and Compliance Solutions, Catapult Systems, [email protected]