Zero Trust Security: Getting the most out of Microsoft 365

Source: pages.catapultsystems.com/rs/998-YNO-494/images/Zero... (2020-04-28)


Page 1

Zero Trust Security: Getting the most out of Microsoft 365

Page 2

Two truths for all businesses

There is at least one employee in every organization who will click on anything.

Employees are busy: getting their jobs done is top-of-mind, and inefficient processes frustrate them.

Page 3

Legacy, perimeter-centric models of information security are of no use in today’s digital businesses

Forrester Research 2017

Page 4

Legacy Perimeter Model Assumptions

Diagram: Outside (Untrusted/Less Trusted) vs. Inside (Trusted). Labels: Company Servers; DMZ & Semi-Secure Network; Remote Users, Partners & Mobile; Low Privileged User Devices; Admin Devices.

Fatal Assumptions
• All risks are external
• Users & devices are not transient
• Internal systems are never compromised
• Assumes no malicious users
• Assumes no malware or phishing

Page 5

The Kill Chain

Page 6

Lateral Movement, Exploitation and Exfiltration

Page 7

Real World Incidents: Phishing Attack Disables Organization

Page 8

New School Cloud-Based Attack Swipes Payroll

Social Engineering: Attacker calls pretending to be Microsoft Support to prepare the target for a "critical" email, then sends the phishing email.

OAuth Trust: User is prompted to trust a "Microsoft Support" app request. Consenting grants the app Web API access to the user's account. No password is stolen and the attacker never faces an MFA prompt; the consent grant persists until it is revoked.

Trusted User Phishing: Attacker sends email from the breached user to HR claiming problems opening a paystub. The attached PDF contains a malicious payload.

HR User Breached: Living-off-the-land attack launched via JavaScript embedded in the PDF; PowerShell is executed behind the scenes to launch the next phase.

Payroll Attack: Using the HR employee's SSO access to the HR app, direct deposit information is changed.
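The consent step in this chain is the one most tenants never audit. The PowerShell below is an added example, not part of the Catapult deck: it triages delegated OAuth permission grants for the pattern just described (an app from an unverified publisher, carrying Microsoft or support branding, holding mail or file scopes through a single user's consent). The triage function runs offline on constructed sample records with made-up IDs and app names; `Get-LiveConsentGrant` shows how to collect the same records from a real tenant with the Microsoft Graph PowerShell SDK, and the revocation and tenant-wide consent-restriction cmdlets appear in comments for use after review.

```powershell
# Added example (not from the Catapult deck): triage delegated OAuth consent grants for
# the "Microsoft Support" consent-phishing pattern. Sample data below is constructed.

# Delegated scopes that let a third-party app read/send mail or touch files as the user.
$HighRiskScopes = @('Mail.Read', 'Mail.ReadWrite', 'Mail.Send', 'MailboxSettings.ReadWrite',
                    'Files.ReadWrite.All', 'Contacts.Read', 'offline_access')

function Find-RiskyConsentGrant {
    <# Input objects need: GrantId, AppDisplayName, PublisherVerified (bool),
       ConsentType ('Principal' = one user consented, 'AllPrincipals' = admin consent),
       PrincipalId, Scope (space-separated delegated permissions). #>
    param([Parameter(Mandatory)] [object[]] $Grants)

    foreach ($g in $Grants) {
        $scopes  = $g.Scope -split ' ' | Where-Object { $_ }
        $hits    = @($scopes | Where-Object { $HighRiskScopes -contains $_ })
        $reasons = @()
        if (-not $g.PublisherVerified)      { $reasons += 'unverified publisher' }
        if ($g.ConsentType -eq 'Principal') { $reasons += 'single-user consent (no admin review)' }
        if ($hits.Count -gt 0)              { $reasons += "high-risk scopes: $($hits -join ', ')" }
        # -match is case-insensitive in PowerShell, so 'Microsoft Support' and 'helpdesk' both hit.
        $brandAbuse = (-not $g.PublisherVerified) -and ($g.AppDisplayName -match 'microsoft|support|helpdesk')
        if ($brandAbuse) { $reasons += 'unverified app using Microsoft/support branding' }

        # Flag: unverified app holding a risky scope, or unverified app impersonating support.
        if (($hits.Count -gt 0 -and -not $g.PublisherVerified) -or $brandAbuse) {
            [pscustomobject]@{
                GrantId     = $g.GrantId
                App         = $g.AppDisplayName
                PrincipalId = $g.PrincipalId
                Reasons     = $reasons -join '; '
            }
        }
    }
}

function Get-LiveConsentGrant {
    # Live collection. Requires the Microsoft.Graph module and
    #   Connect-MgGraph -Scopes 'Application.Read.All','DelegatedPermissionGrant.Read.All'
    $spCache = @{}
    foreach ($grant in Get-MgOauth2PermissionGrant -All) {
        if (-not $spCache.ContainsKey($grant.ClientId)) {
            $spCache[$grant.ClientId] = Get-MgServicePrincipal -ServicePrincipalId $grant.ClientId
        }
        $sp = $spCache[$grant.ClientId]
        [pscustomobject]@{
            GrantId           = $grant.Id
            AppDisplayName    = $sp.DisplayName
            PublisherVerified = [bool]$sp.VerifiedPublisher.VerifiedPublisherId
            ConsentType       = $grant.ConsentType
            PrincipalId       = $grant.PrincipalId
            Scope             = $grant.Scope
        }
    }
}

# Constructed sample grants (fake IDs) mirroring the attack: one brand-abusing app with mail
# scopes, one admin-consented verified app, one unverified "helpdesk" app with benign scopes.
$sample = @(
    [pscustomobject]@{ GrantId='g-0001'; AppDisplayName='Microsoft Support';  PublisherVerified=$false
                       ConsentType='Principal';     PrincipalId='user-finance-01'
                       Scope='User.Read Mail.ReadWrite Mail.Send offline_access' }
    [pscustomobject]@{ GrantId='g-0002'; AppDisplayName='Contoso Expenses';   PublisherVerified=$true
                       ConsentType='AllPrincipals'; PrincipalId=$null
                       Scope='User.Read Files.ReadWrite.All' }
    [pscustomobject]@{ GrantId='g-0003'; AppDisplayName='Helpdesk Assistant'; PublisherVerified=$false
                       ConsentType='Principal';     PrincipalId='user-hr-07'
                       Scope='openid profile User.Read' }
)

Find-RiskyConsentGrant -Grants $sample | Format-Table -AutoSize

# Response for a confirmed malicious grant (live tenant, DelegatedPermissionGrant.ReadWrite.All):
#   Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId 'g-0001'
# Prevention: restrict user consent to verified publishers and low-impact permissions
# using the built-in consent policy:
#   Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
#       PermissionGrantPoliciesAssigned = @('ManagePermissionGrantsForSelf.microsoft-user-default-low') }
```

On the constructed sample the first grant (mail scopes plus branding) and the third (branding only) are reported; the verified, admin-consented expense app is not, even though it holds a file scope, because an admin has already reviewed it. Revoking the grant does not invalidate tokens the app already holds, so pair revocation with a sign-in session revocation for the affected user.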

Page 9

Why a new approach?

Compromised identity is the root of most breaches

Low-privileged accounts are exploited to move laterally from device to device, then escalated to high privileges to accomplish the mission

Most organizations address North / South threats, but not East / West

Cloud apps, mobile users, laptops, work from home, B2C, and B2B all go beyond the firewall which leads to blind spots and shadow IT

Page 10

Five Tenets of Zero Trust

1. Access must be earned by all devices every time
2. Ensure all data and resources are accessed securely
3. User and device location should not decrease security
4. Least-privileged access and strictly enforced access controls
5. Log everything to an immutable destination
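The first three tenets map directly onto a Conditional Access policy. The script below is an added example, not from the deck: it builds such a policy in the shape the Microsoft Graph API expects, checks locally that the object actually honours the tenets (all users, all apps, all client types; MFA AND a compliant device; no trusted-location carve-out; a break-glass exclusion so admins cannot be locked out), and contrasts it with a perimeter-style policy that only asks for MFA from outside the office. The group ID is a placeholder for your emergency-access group; the `New-MgIdentityConditionalAccessPolicy` call at the end is commented so nothing is pushed to a tenant without review.

```powershell
# Added example (not from the Catapult deck): a Conditional Access policy body in the shape
# the Microsoft Graph API expects, plus a local check that it honours the tenets above.
# $BreakGlassGroupId is a placeholder for your emergency-access group's object ID.
$BreakGlassGroupId = '00000000-0000-0000-0000-000000000001'

# Zero Trust policy: every user, every cloud app, every client type; MFA AND a compliant
# (Intune-managed, policy-passing) device; deliberately no 'locations' block.
$ztPolicy = @{
    displayName   = 'ZT-01 Require MFA and compliant device for all cloud apps'
    state         = 'enabledForReportingButNotEnforced'   # report-only first, then 'enabled'
    conditions    = @{
        clientAppTypes = @('all')
        users          = @{ includeUsers = @('All'); excludeGroups = @($BreakGlassGroupId) }
        applications   = @{ includeApplications = @('All') }
    }
    grantControls = @{ operator = 'AND'; builtInControls = @('mfa', 'compliantDevice') }
}

# Perimeter-style policy for contrast: MFA only when off the corporate network, any device.
$legacyPolicy = @{
    displayName   = 'Legacy: MFA when outside the office'
    state         = 'enabled'
    conditions    = @{
        clientAppTypes = @('browser', 'mobileAppsAndDesktopClients')
        users          = @{ includeUsers = @('All') }
        applications   = @{ includeApplications = @('All') }
        locations      = @{ includeLocations = @('All'); excludeLocations = @('AllTrusted') }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

function Test-ZeroTrustPolicy {
    # Returns a list of findings; no output means the policy satisfies the tenets.
    param([Parameter(Mandatory)] [hashtable] $Policy)
    $findings = @()
    $c  = $Policy.conditions
    $gc = $Policy.grantControls

    if ($c.users.includeUsers -notcontains 'All') {
        $findings += 'every device, every time: not all users are in scope' }
    if ($c.applications.includeApplications -notcontains 'All') {
        $findings += 'all resources accessed securely: not all cloud apps are in scope' }
    if ($c.clientAppTypes -notcontains 'all') {
        $findings += 'every device, every time: some client app types escape the policy' }
    if ($c.ContainsKey('locations') -and $c.locations.excludeLocations) {
        $findings += "location must not lower security: excludes '$($c.locations.excludeLocations -join ',')'" }
    if ($gc.operator -ne 'AND') {
        $findings += "grant operator '$($gc.operator)' lets a single control satisfy access" }
    foreach ($req in @('mfa', 'compliantDevice')) {
        if ($gc.builtInControls -notcontains $req) { $findings += "missing grant control '$req'" }
    }
    if (-not $c.users.excludeGroups) {
        $findings += 'operational: no break-glass group exclusion (lockout risk)' }
    return $findings
}

foreach ($p in @($ztPolicy, $legacyPolicy)) {
    $issues = Test-ZeroTrustPolicy -Policy $p
    "`n$($p.displayName): " + $(if ($issues) { "$($issues.Count) finding(s)" } else { 'OK' })
    $issues | ForEach-Object { "  - $_" }
}

# Push only the clean policy, and only after reviewing report-only sign-in results. Requires:
#   Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess'
#   New-MgIdentityConditionalAccessPolicy -BodyParameter $ztPolicy
```

The check is intentionally structural: it reads the policy object rather than the tenant, so it can run in a pipeline before anything is deployed. Starting in report-only state is what lets you see, in the sign-in logs, which users and devices would have been blocked before enforcement.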

Page 11

Advantages of Zero Trust

• Makes lateral breach movement harder
• Users get a unified experience
• Adds consistent security controls for all endpoints
• Removes complexity of solving for both on-prem and external access
• Security is persistent, even if data is shared externally
• Removes need for certain complexities such as DMZ and VPN in many scenarios
• Enables Digital Transformation by removing security barriers
• Say "Yes" more

Page 12

Zero Trust Myths & Misconceptions

1. You need Zero Trust-specific products
2. You need entirely new skillsets
3. You must allow BYOD

Page 13

Modern Pyramid of Zero Trust Management

Layers, top to bottom: Data, Application, Device, Network, Identity

Prioritize & solve upwards (start at the base, Identity)

Page 14

Control Framework Example

Control Framework: Information Protection; Activity Monitoring; Firewall; Systems Management; Intrusion Detection; Access Control; Content Filtering

Page 15

Applied Zero Trust

Page 16

Example: Access an HR File on SharePoint On-Prem with an iPad

• Enroll iPad with Intune: Containers; Managed Browser; SSO; Security Policies; Lookout Security
• Azure App Proxy: Ad hoc SSL tunneling; Conditional Access
• Risk Based Authentication: Authentication risk policy; Multi-Factor Auth; Compromised Account Detection
• Advanced Threat Analytics: User and Device Behavior Analytics; Intrusion Detection
• Azure Information Protection: Data Protection; Access Audit Log; Travel-anywhere access controls; Revocation
• Azure AD Security Logging: Provides complete event correlation and immutable logs

Page 17

The Zero Trust Implementation Process

1. Identify and Classify Data
2. Map Sensitive Data Flow
3. Define Control Framework
4. Enforce Access Control
5. Continuously Monitor

Page 18

Relevant Tools for Zero Trust Methodology

Page 19

3-Class Classification Rule: Try To Keep It Simple

Page 20

Example of a network scanner to identify content locations

Page 21

Typical Zero Trust Feature Spread

Identity & Access Management: Multi-factor authentication; Single sign on; Risk-based access controls; Privileged Account Escalation Processes; Conditional Access to Cloud and On-Premises Applications

Systems Management: Mobile device management; Systems management; Update deployment; Endpoint protection; Unapproved device controls; Disk encryption

Information Protection: Automatic file classification and encryption; Secure external data sharing; Encrypted email; Cloud-based data loss prevention; Application & data containerization

Monitoring and Alerting: Intrusion and threat detection; Compromised account detection; Compliance and policy driven alerts; Shadow IT detection; Next-gen Firewall

Page 22

Microsoft 365

Page 23

Aligned Layers of Protection

Layers: Identity, Network, Device, Application, Data. Controls, in layer order:

• Multi-Factor Auth, Azure Identity Protection, Azure Privileged Identity Management, MIM

• Advanced Threat Analytics

• Azure App Proxy

• Intune Device Management, Intune MAM, AppLocker, Cloud App Security

• Cloud App Security

• Azure Information Protection, Azure Rights Management, Data Loss Prevention

Page 24

Office 365 Hardening & Secure Score

• Baseline — discover your starting point: where you are today.

• See where you should be — target objectives are based on industry best-practices.

• Visualize gaps — see the actions that will improve posture.

• Execute the actions list — implement the action items (like a punch list).

• See the improved score — your score increases to reflect your progress.

An effective way to communicate security state to your business stakeholders!

March 23, 2020

Page 25

Improvement Actions

• View settings — shows you what/who’s impacted, and advice for user impact.

• Resolved through 3rd party: helpful if you use RSA for MFA.

• Ignore — your business makes the decision that the improvement action item is not suitable for your environment.

Page 26

Setting Your Goal: Catapult's Recommended Best-Practice

• Regulated Records = 600+ (FERPA, CUI, CJIS, HIPAA, PCI)

• Sensitive Records = 500+ (PII, bank accounts, tax information)

• Non-Sensitive Records = 350+ (non-sensitive information, internal-only)

Practical Best-Practice

Page 27

Summarizing Zero Trust

Page 28

Summary and Zero Trust Take-Aways

1. Zero Trust is a journey, not a destination
2. It's not about what tools you buy, but how you use them
3. It's about moving away from whitelists
4. Geographic location or IP address should never lower your security requirements
5. Zero Trust can improve user experience
6. Zero Trust enables you to say yes more

Page 29

Q & A

Ed Higgins, CISSP, CISM, CGEIT; Security and Compliance Solutions, Catapult Systems; [email protected]