Cybersecurity Reference Architecture (full architecture diagram; component labels grouped by the diagram's zones)

Security Operations Center (SOC): Vulnerability Management • Incident Response • Logs & Analytics • Managed Security Provider • UEBA • Analytics • SIEM • SIEM Integration • Investigation and Recovery • Active Threat Detection • Hunting Teams • Enterprise Threat Detection • ATA • OMS • PADS
Security Development Lifecycle (SDL)
Internet of Things
Software as a Service / Office 365: Office 365 ATP (Email Gateway, Anti-malware) • Cloud App Security • Office 365 DLP • Lockbox • ASM • Conditional Access
  80%+ of employees admit using non-approved SaaS apps for work (Stratecast, December 2013)
Unmanaged & Mobile Clients: Intune MDM/MAM • Conditional Access
Managed Clients (Windows 10, Legacy Windows, Mac OS): EDR - Windows Defender ATP • EPP - Windows Defender • System Center Configuration Manager + Intune • Endpoint DLP • Windows Info Protection
  Windows 10 Security: Device Health Attestation • Secure Boot • Device Guard • Application Guard • Remote Credential Guard • Windows Hello
On Premises Datacenter(s): NGFW • Edge DLP • SSL Proxy • IPS • Extranet • VPN • Colocation • Security Appliances • Enterprise Servers • VMs • Shielded VMs • Domain Controllers • Active Directory • ESAE Admin Forest • Privileged Access Workstations (PAWs) • $ Sensitive Workloads • WEF • Certification Authority (PKI) • Structured Data & 3rd party Apps • SQL Encryption & Firewall • Disk & Storage Encryption
  Windows Server 2016 Security: Shielded VMs, Device Guard, Credential Guard, Just Enough Admin, Hyper-V Containers, Nano Server, …
Microsoft Azure: Azure Security Center (Threat Protection, Threat Detection) • Azure Key Vault • Azure App Gateway • Azure Antimalware • Network Security Groups • VPN • DDoS attack mitigation • Backup and Site Recovery
Identity & Access: Azure Active Directory • Azure AD Identity Protection • Azure AD PIM • Multi-Factor Authentication • Hello for Business • MIM PAM • ATA • Conditional Access
Information Protection: Azure Information Protection (AIP) – Classify • Label • Protect • Report; Hold Your Own Key (HYOK) • Classification Labels • Edge DLP • Endpoint DLP • Office 365 DLP

Nearly all customer breaches that Microsoft's Incident Response team investigates involve credential theft. 63% of confirmed data breaches involve weak, default, or stolen passwords (Verizon 2016 DBR).
Last updated March 2017 – latest at http://aka.ms/MCRA
Cybersecurity Reference Architecture
Mark Simos, Sachin Gupta
Enterprise Cybersecurity Group
Cybersecurity Reference Architecture (simplified overview diagram)

Zones shown: Security Operations Center (SOC) • Vulnerability Management • Identity & Access • Information Protection Components • On Premises Datacenter(s) • Office 365 • Software as a Service • Managed Clients (Windows 10, Legacy Windows, Mac OS) • Unmanaged & Mobile Clients • Intranet • Extranet • Internet of Things (IoT)
Components shown: Incident Response • Logs & Analytics • Managed Security Provider • Hunting Teams • Analytics • UEBA • SIEM • Active Threat Detection • NGFW • SSL Proxy • IPS • Enterprise Servers • VMs • Domain Controllers • Active Directory • Azure Active Directory • Certification Authority (PKI) • $ Sensitive Workloads • DLP • Endpoint DLP

Scope:
• Network Edge Defenses
• Operations, Identity, & Info Protection Functions
• Enterprise Servers & VMs
• SaaS adoption (sanctioned or Shadow IT)
• Identity Systems including Active Directory
• Mix of managed & unmanaged devices
• Endpoint and Edge DLP
• Highly Sensitive Assets
• SIEM & Analytics
• Advanced Detection & Response
Secure Modern Enterprise

• Identity – Embraces identity as primary security perimeter and protects identity systems, admins, and credentials as top priorities
• Apps and Data – Aligns security investments with business priorities including identifying and securing communications, data, and applications
• Infrastructure – Operates on modern platform and uses cloud intelligence to detect and remediate both vulnerabilities and attacks
• Devices – Accesses assets from trusted devices with hardware security assurances, great user experience, and advanced threat detection
• Secure Platform (secure by design)
Secure Modern Enterprise – Roadmap (http://aka.ms/SPARoadmap)

Build the Security Foundation – Critical Attack Defenses. Start the journey by getting in front of current attacks:
• Critical Mitigations – Critical attack protections
• Attack Detection – Hunt for hidden persistent adversaries and implement critical attack detection
• Roadmap and planning – Share Microsoft insight on current attacks and strategies, build a tailored roadmap to defend your organization's business value and mission

Secure the Pillars (Identity, Apps and Data, Infrastructure, Devices, Secure Platform). Continue building a secure modern enterprise by adopting leading edge technology and approaches:
• Threat Detection – Integrate leading edge intelligence and Managed detection and response (MDR) capabilities
• Identity and Access Management – Continue reducing risk to business critical identities and assets
• Information Protection – Discover, protect, and monitor your critical data
• Cloud Adoption – Chart a secure path into a cloud-enabled enterprise
• Device & Datacenter Security – Hardware protections for Devices, Credentials, Servers, and Applications
• App/Dev Security – Secure your development practices and digital transformation components
Cybersecurity Reference Architecture – Credential Theft Mitigations (overlay on the architecture diagram)

Prevention:
• Privileged Access Workstations
• Administrative Forest (ESAE)
• Privileged Access Management (MIM PAM)
Detection:
• Advanced Threat Analytics (ATA)
• Enterprise Threat Detection (ETD) – Managed Detection and Response (MDR)
Response:
• Incident Response – Major Incident, Investigation and Recovery
Identity Perimeter

Network Perimeter – repels and detects classic attacks …but is reliably defeated by:
• Phishing
• Credential theft
• Data has moved out of the network and its protections (Shadow IT, Approved Cloud Services, Office 365, Resources, Unmanaged Devices, Persistent Threats)

You must establish an Identity security perimeter:
• Strong Authentication
• Monitoring and enforcement of access policies
• Threat monitoring using telemetry & intelligence
Threats across the pillars (Identity, Data, Apps, Infrastructure, Devices): Shadow IT SaaS Applications • Risky Use of Approved SaaS Apps • Unprotected Sensitive Data • Phishing • Credential Theft & Abuse • Unmanaged Devices
Identity – Phishing, Credential Theft & Abuse

Challenges
• Phishing reliably gains foothold in environment
• Credential Theft allows traversal within environment

Microsoft Approach
• Office 365 ATP (Email Gateway, Anti-malware) – Time of click (vs. time of send) protection and attachment detonation
• Azure AD Identity Protection – Integrated Intelligence, Reporting, Policy enforcement
• Securing Privileged Access (SPA) roadmap to protect Active Directory and existing infrastructure – MIM PAM, Advanced Threat Analytics (ATA), Enterprise Threat Detection, Investigation and Recovery, Privileged Access Workstations, Admin Forest, Conditional Access
Cybersecurity Reference Architecture (full architecture diagram repeated as a transition slide; same component labels as the first diagram)
Apps – Shadow IT SaaS Applications, Risky Use of Approved SaaS Apps

Challenges
• Shadow IT – Unsanctioned cloud services storing and processing your sensitive data
• SaaS Management – Challenging to consistently manage many Software as a Service (SaaS)

Microsoft Approach
• Cloud App Security – Enable Full Security Lifecycle:
  1. Discover SaaS Usage
  2. Investigate current risk posture
  3. Take Control to enforce policy on SaaS tenants and data
  4. Alert and take automatic action on policy violations (e.g. remove public access to sensitive document)
Cybersecurity Reference Architecture (full architecture diagram repeated as a transition slide; same component labels as the first diagram)
Data – Unprotected Sensitive Data

Challenges
• Limited visibility and control of sensitive data
• Data classification is a large and challenging project

Microsoft Approach
• Protect data anywhere it goes
• Bring or Hold your own Key
• Support most popular formats
• Integration with Existing DLP
Components: Azure Information Protection (AIP) – Classify • Label • Protect • Report; Hold Your Own Key (HYOK); Classification Labels; Edge DLP; Endpoint DLP
Cybersecurity Reference Architecture (full architecture diagram repeated as a transition slide; same component labels as the first diagram)
Devices – Unmanaged Devices

Challenges
• Provide secure PCs and devices for sensitive data
• Manage & protect data on non-corporate devices

Microsoft Approach
• Windows 10 – Provide a great user experience, strong hardware-based security, and advanced detection + response capabilities
• Mobile Device Management and Mobile App Management of popular devices via Intune (Intune MDM/MAM)
• Policy enforcement via Conditional Access
Cybersecurity Reference Architecture (full architecture diagram repeated as a transition slide; same component labels as the first diagram)
Microsoft Threat Detection – Deep insight across your environment, powered by the Intelligent Security Graph

Cloud Infrastructure: Azure Security Center (Threat Protection, Threat Detection) • Cloud App Security
Identity: Azure AD Identity Protection • Advanced Threat Analytics (ATA)
Information: Office 365 ATP (Email Gateway, Anti-malware)
Private Cloud & On-Premises Infrastructure: Windows Defender ATP (EDR) • Security Appliances • Operations Management Suite (OMS) • SIEM

Professional Services
• Enterprise Threat Detection – Detect Threats with managed detection and response (MDR) service
• PADS – Hunt for threats and persistent adversaries in your environment
• Investigation and Recovery – Respond to Threats with seasoned professionals and deep expertise
Cybersecurity Reference Architecture (full architecture diagram repeated; same component labels as the first diagram)
• Hover each item in presentation mode to see its description
• Click to go to a webpage
Cybersecurity Reference Architecture (summary diagram)

Security Operations Center (SOC) – Threat Protection and Monitoring:
• Incident Response and Recovery Services
• Visibility across your enterprise assets
• Integration with your existing SIEM
• Analytics & Reporting
Identity & Access: Azure Active Directory • Multi-factor Authentication • Privileged Access Management • Conditional Access • …and more
Office 365: Advanced Email Protection • Discover & Secure SaaS usage • Data Protection
On Premises Datacenter(s): Security Appliances – Partnerships (Firewall, Proxy, Data Loss Prevention (DLP), Intrusion Prevention (IPS)) • Colocation • Internet Facing Workloads (Extranet) • Enterprise Servers • Business Critical Workloads • Datacenter and Virtualization Security – Critical Protections for Privileged Identities | Private Cloud Fabric | Workloads • Active Directory • Privileged Access Workstations (PAWs) • $ • Internet of Things
Microsoft Azure: Built-in Security • Advanced Threat Protection and Detection • Protection from DDoS, Disasters, & Ransomware • Compliance
Information Protection: Full Lifecycle Protections (Classify, Protect, Report, Revoke) • Critical Formats • DLP integration
Devices: Mobile Device & App Management (MDM/MAM) for Unmanaged & Mobile Clients • Managed Clients (Windows 10, Legacy Windows, Mac OS) • Windows 10 Security – Hardware based protections; Powerful detection and investigation capabilities

Nearly all customer breaches involve credential theft (Microsoft Incident Response team)