Microsoft Cybersecurity Solutions Group
1 – Cybersecurity Briefing
Expectations for today
Name | Role
“Security is our top priority and we are committed to working with others across the industry to protect our customers.”
Satya Nadella, Chief Executive Officer, Microsoft Corporation
CISO Workshop (overview diagram; labels recovered from the slide)
Key Strategies
• Threat protection: (A) Identify-Protect, (B) Detect-Respond-Recover
• Information protection
• Joint planning
• Platform
Accelerating Threats | Cybersecurity Resilience | Intelligence | Security Hygiene
Technical capabilities (Reference Architecture)
• PC & Mobile Devices
• Software As A Service (SaaS)
• Information Protection
• Identity & Access
• Critical Hygiene
• Cloud Platform
• IoT And Operational Technology
• Security Operations Center (SOC)
• Hybrid Cloud Infrastructure
• Security & Trust
Threat evolution is accelerating
• Malware-Less Attacks
• ‘File-less’ Malware
• Tailored/Targeted Malware
THREAT AGES: Malware and Infrastructure → Identity and Apps
Your enterprise in transformation
Requires a modern identity and access security perimeter
Cloud Technology | SaaS adoption
Shared responsibility (diagram; columns: SaaS, PaaS, IaaS, On-prem; rows: Applications, Network Controls, Operating system, Physical hosts, Physical network, Physical datacenter; legend: Microsoft / Customer)
MODERNIZE INFRASTRUCTURE SECURITY
“TRUST BUT VERIFY” EACH CLOUD PROVIDER
Running Dual Perimeters
ATTACKERS USING IDENTITY TACTICS
SECURING MODERN SCENARIOS (CLOUD, MOBILE, IOT)
MODERN PERIMETER (Identity Controls)
CLASSIC PERIMETER (Network Controls)
FULLY ZERO TRUST
Evolution of Roles and Responsibilities
• MODERN PERIMETER – Modern Architectures (Identity Controls)
• CLASSIC PERIMETER – Legacy Architectures (Network Controls)
Built-in security platform
• Information protection
• Threat protection
• Security management
Microsoft Intelligent Security Graph
Unique insights, informed by trillions of signals from partners, researchers, and law enforcement; shared threat data across OneDrive, Outlook, Windows, Azure and Microsoft accounts.
• 5B worldwide threats detected on devices every month
• 470B emails analyzed
• 6.5T threat signals analyzed daily
• 200+ global cloud consumer and commercial services
• Botnet data from Microsoft Digital Crimes Unit
Board Membership
Key Challenges and Strategic Opportunities
Challenge | Strategic opportunity
Identity-based attacks are up 300% this year | Adopt identity-based protection
Information is your most attractive target | Protect information wherever it goes
Attackers constantly evolving techniques | Detect attacks faster and automate response
Reference Architecture (diagram; product names recovered from the slide and grouped by the workshop's capability areas)
Roadmaps and Guidance
• Identity & Access: Azure Active Directory, Azure AD PIM, Multi-Factor Authentication, Hello for Business, Azure AD B2B, Azure AD B2C, MIM PAM, Azure ATP, Privileged Access Workstations (PAWs), ESAE Admin Forest
• Information Protection: Classification Labels (Discover, Classify, Protect, Monitor), Hold Your Own Key (HYOK), AIP Scanner, Azure Key Vault, Azure SQL Threat Detection, SQL Encryption & Data Masking, Azure SQL Info Protection, Office 365 Data Loss Protection, Data Governance, eDiscovery, Customer Lockbox
• Security Operations Center (SOC): Microsoft Defender ATP, Azure ATP, Azure Security Center, Secure Score, Threat Analytics
• Software As A Service: Office 365, Cloud App Security
• PC & Mobile Devices: Windows 10 Enterprise Security (Network protection, App control, Credential protection, Exploit protection, Reputation analysis, Behavior monitoring, Isolation, Antivirus, Full Disk Encryption, Attack surface reduction, S Mode), Intune MDM/MAM, Managed Clients, System Center Configuration Manager
• Hybrid Cloud Infrastructure: Vuln Mgmt, Just in Time VM Access, Adaptive App Control, Azure Policy, NGFW Firewall Appliances, Extranet, Edge DLP, SSL Proxy, IPS/IDS, Express Route, Azure WAF, Windows Server 2019 Security, Azure Antimalware, Intranet Servers, Windows 10 + Just Enough Admin, Hyper-V Containers, Nano server, and more…, Application & Network Security Groups, Shielded VMs, VMs, Backup & Site Recovery, Azure Stack, Active Directory, Disk & Storage Encryption, Confidential Computing, DDoS attack Mitigation+Monitor
• IoT and Operational Technology: Windows 10 IoT, IoT Security Maturity Model, Azure IoT Security, Azure Sphere, IoT Security Architecture
• Security & Trust: Security Development Lifecycle (SDL), Compliance Manager, Trust Center, Intelligent Security Graph
Legend: Included with Azure | Premium Security Feature
Identity and Access Management
CHALLENGES
• LATERAL TRAVERSAL ATTACKS using Credential Theft
• 3RD PARTY ACCOUNT RISK
MICROSOFT’S APPROACH
• Guidance and Technology for Securing Privileged Access (SPA)
• Advanced credential theft attack detection with Azure ATP
• Move 3rd party accounts to Azure AD B2B/B2C solutions to lower risk and increase productivity
Products: Azure Active Directory, Azure AD PIM, Privileged Access Workstations (PAWs), MIM PAM, Azure ATP, Azure AD B2B, Azure AD B2C
Roadmaps and Guidance
1. Securing Privileged Access
2. Office 365 Security
3. Rapid Cyberattacks (Wannacrypt/Petya)
Security Operations Center (SOC)
CHALLENGES
• Legacy model results in wasted security expertise
• Analyst Overload - too many false positives
• Poor Investigation Workflow
MICROSOFT’S APPROACH
• Assist with Incident Response and Recovery as well as proactively hunting for adversaries
• Cloud-native SIEM+SOAR for simplifying advanced detection, investigation, and remediation
• Microsoft Threat Experts
• Incident Response, Recovery, and Hunting Services
• Graph Security API – 3rd Party Integration
• Alert & Log Integration
365, Active Directory, and Azure Tenants.
Hybrid Cloud Infrastructure
CHALLENGES
• Manage risk, health, and compliance
• Critical Risks - Privilege management and security hygiene critical to enable visibility and control for cloud workloads
MICROSOFT’S APPROACH
• Cross-Platform and Cross-Cloud – security management and IPS capabilities
• Deep Azure Defenses – Integrated with platform to secure Azure workloads, assess compliance
• On Premises security investments to modernize security and leverage cloud learnings + technology
• Marketplace – Integrate existing capabilities and skills
• Privilege Management – Protect against high
Products shown: Clients, Extranet (Edge DLP, SSL Proxy, IPS, Express Route, Azure WAF), Azure Policy, Azure Key Vault, Windows Server 2016 Security, Azure Antimalware, Intranet Servers, Windows 10 + Just Enough Admin, Hyper-V Containers, Nano server, and more…, Application & Network Security Groups, Shielded VMs, VMs, Azure Stack, Backup & Site Recovery, Disk & Storage Encryption, Privileged Access Workstations (PAWs), Confidential Computing, DDoS attack Mitigation+Monitor, Security Development Lifecycle (SDL), Compliance Manager (legend: Included with Azure | Premium Security Feature)
Software as a Service (SaaS)
CHALLENGES
• Governance, Risk, and Compliance challenges of sprawling SaaS estate and unsanctioned shadow IT
• Security Operations Center (SOC) requires visibility into SaaS activities and threats
MICROSOFT’S APPROACH
• Platform Security – Deep investments in physical security, Red/Blue Teams, encryption, privileged access, & more
• Manage Shadow IT Risk – CAS enables you to discover, assess, approve, and manage SaaS (via API + Proxy)
• SOC Enablement – Microsoft Cloud App Security (CAS) provides anomaly detection, alerting, and SIEM integration
• Office 365 ATP provides advanced security (sandbox detonation, etc.) for email, SharePoint, Teams, and more
• Threat Intelligence provides analytics on attack trends for your tenant and your industry
• Compliance – GDPR and NIST compliance visibility on Office 365 and Dynamics 365 with Compliance Manager
Products: Office 365, Dynamics 365, Cloud App Security, Office 365 Advanced Threat Protection (ATP), Office 365 Security & Compliance, Compliance Manager
IoT and Operational Technology
• End to end approach required for effective IoT security
• Large brownfield of existing devices
Products: Windows 10 IoT, IoT Security Maturity Model, IoT Security Solutions, Azure Sphere, IoT Security Architecture
Information Protection
CHALLENGES
• Protecting sensitive information
• Challenging to discover and classify data across mobile devices, SaaS, cloud infrastructure, and on-premises
• Need full lifecycle data protection for identified data
MICROSOFT’S APPROACH
• Classification Labels protect different levels of sensitive data
• DISCOVER existing and newly created sensitive data
• CLASSIFY automatically + user control (based on policy), integration with DLP
• PROTECT the data itself, not just storage or network locations
• MONITOR and revocation capabilities for security and compliance
Products: Classification Labels (Discover, Classify, Protect, Monitor), Hold Your Own Key (HYOK), AIP Scanner, Azure SQL Threat Detection, SQL Encryption & Data Masking, Azure SQL Info Protection, Endpoint DLP
Next steps
CISO WORKSHOP NEXT STEPS
• Your strategy and priorities
• Recommended strategies and capabilities
• Build plan to work together
• Identify participants
Suggested Stakeholders / Attendees
ALL SESSIONS
• CISO (at least intro/closing)
• Security Architect(s)
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation.
INCREASED RISK FROM NEW THREATS (SaaS adoption)
Ruin Their ROI
Changing the economics of cybersecurity
• ATTACKERS: MAXIMIZE RETURN ON INVESTMENT (ROI) (return may be monetary/political/etc.)
• DEFENDERS: RUIN ATTACKER ROI by raising attack cost with protection + rapid response/recovery
• MICROSOFT: SIMPLIFY ADVANCED CAPABILITIES across platforms, clouds, and IoT
Chart: COST OF ATTACK vs. DEFENDER BUDGET; ATTACKER RESOURCE LEVELS VARY (AMATEUR, ORGANIZED CRIME, NATION STATE); levers: SIMPLIFICATION, INTEGRATION, INTELLIGENCE
NOTE: Cost of attack is continuously changing with technical advancement + business model evolution
MINDSET | CLOUD | HYGIENE
Security Advantages of Cloud Era
TRADITIONAL APPROACH: Security is a challenging and under-resourced function
(Legend: Satisfied responsibility, Partially met responsibility, Unmet responsibility, Cloud Provider responsibility)
CLOUD-ENABLED SECURITY: Cloud technology enables security to:
• Shift commodity responsibilities to provider and re-allocate your resources
• Leverage cloud-based security capabilities for more effectiveness (trust but verify)
• Use cloud intelligence to improve detection/response time
Real world example – Dofoil / Smoke Loader
Client: local ML models, behavior-based detection algorithms, generics, heuristics (protection in milliseconds)
Cloud: metadata-based ML models (protection in milliseconds); sample analysis-based ML models (protection in seconds); detonation-based ML models; big data analytics
• Just before noon, behavior-based algorithms detected a massive campaign
• Most components of the attack were blocked at first sight by metadata-based ML models
• Additional protection was provided by sample analysis-based ML models for some components
• On March 6, Windows Defender Antivirus blocked more than 400,000 instances of several sophisticated trojans
http://aka.ms/dofoil
Other recent cases: Emotet | Bad Rabbit
MINDSET | CLOUD | HYGIENE
Hygiene
Security ROI and Cost of Attack
Measure Security Success better
https://youtu.be/maQh35MdFKY
• Cost of attack
• Mean time to remediation
References
Additional Resources
• Microsoft Security Blog – https://www.microsoft.com/security/blog
• Compliance Manager – https://aka.ms/ComplianceManager
Revenue Reporting
• https://www.microsoft.com/itshowcase/Article/Content/895/Redesigning-our-revenue-reporting-system-for-cloud-architecture
• https://www.microsoft.com/itshowcase/Article/Content/933/Microsoft-reinvents-sales-processing-and-financial-reporting-with-Azure
Tax
• https://www.microsoft.com/itshowcase/Article/Content/759/Microsoft-IT-builds-a-big-data-tax-solution-for-Finance-with-Azure
Forecast
• https://www.microsoft.com/itshowcase/Article/Content/771/Using-predictive-analytics-to-improve-financial-forecasting
• https://www.microsoft.com/itshowcase/Article/Content/770/Predictive-analytics-improves-the-accuracy-of-forecasted-sales-revenue
TRUST BUT VERIFY
Carefully select & monitor cloud providers
Ensure cloud providers (large or small) provide assurances you need
New monetization models just reshuffle priorities of same old hygiene debt
Microsoft Investments into Critical Hygiene
Security Must Meet Dual Challenges
• Innovation: Adapt to new threats and cybersecurity capabilities
• Hygiene: Prioritize, Implement, and Sustain well-established best practices
cyberhygiene@nist.gov
Purpose: Increase cybersecurity ecosystem resiliency by engaging in activities that help organizations rapidly and effectively improve security hygiene.
Workgroup Progress To Date (May 2018)
Summary of Key Recommendations
Measures that directly impact the known attack playbook (https://aka.ms/rapidattack)
Quick wins: 0-30 Days (DIRECT ATTACK MITIGATION / RAPID ENABLEMENT)
1. Create destruction-resistant backups of your critical systems and data
2. Immediately deploy critical security updates for OS, browser, & email
3. Isolate (or retire) computers that cannot be updated and patched
4. Implement advanced e-mail and browser protections
5. Enable host anti-malware and network defenses to get near-real-time blocking responses from the cloud (if available in your solution)
6. Implement unique local administrator passwords on all systems
7. Separate and protect privileged accounts
Less than 90 Days (DIRECT ATTACK MITIGATION / LONGER ENABLEMENT)
1. Validate your backups using standard restore procedures and tools
2. Discover and reduce broad permissions on file repositories
3. Rapidly deploy all critical security updates
4. Disable unneeded legacy protocols
Next Quarter + Beyond
5. Stay current – Run only current versions of operating systems and apps
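An added example, not code from the Microsoft deck: a PowerShell audit of a single Windows host against three of the recommendations above (quick win 5, quick win 6 and the under-90-days item 4, taking SMBv1 as the legacy protocol). It assumes Windows 10 or Windows Server 2016 or later with Microsoft Defender Antivirus and legacy LAPS; the LAPS registry key and DLL path are assumptions to adjust for your deployment.

```powershell
# Added example, not part of the Microsoft deck: audit one Windows host against
# quick win 5 (host anti-malware with near-real-time cloud blocking), quick win 6
# (unique local administrator passwords) and the <90-day item 4 (legacy protocol
# SMBv1 disabled). Assumptions: Windows 10 / Server 2016+, Microsoft Defender
# Antivirus, legacy LAPS (AdmPwd client-side extension). Run from an elevated prompt.

function Test-CloudDeliveredProtection {
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus
    # MAPSReporting: 0 = off, 1 = basic, 2 = advanced. Cloud verdicts need MAPS on,
    # real-time protection on and Block at First Seen not disabled.
    $pass = ($pref.MAPSReporting -ge 1) -and $status.RealTimeProtectionEnabled -and
            (-not $pref.DisableBlockAtFirstSeen)
    [pscustomobject]@{ Check = 'Cloud-delivered anti-malware (quick win 5)'; Pass = [bool]$pass
                       Evidence = "MAPS=$($pref.MAPSReporting) RTP=$($status.RealTimeProtectionEnabled) BAFS=$(-not $pref.DisableBlockAtFirstSeen)" }
}

function Test-LapsEnabled {
    # Policy key and CSE path used by legacy LAPS (assumed; adjust for Windows LAPS).
    $key     = 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd'
    $enabled = (Get-ItemProperty -Path $key -Name AdmPwdEnabled -ErrorAction SilentlyContinue).AdmPwdEnabled
    $cse     = Test-Path "$env:ProgramFiles\LAPS\CSE\AdmPwd.dll"
    $pass    = ($enabled -eq 1) -and $cse
    [pscustomobject]@{ Check = 'Unique local admin passwords via LAPS (quick win 6)'; Pass = [bool]$pass
                       Evidence = "AdmPwdEnabled=$enabled CSEInstalled=$cse" }
}

function Test-Smb1Disabled {
    # SMBv1 is the legacy protocol abused by the Wannacrypt/Petya-style attacks the
    # deck cites; check both the SMB server setting and the optional feature.
    $srv    = Get-SmbServerConfiguration
    $feat   = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $featOn = ($null -ne $feat) -and ($feat.State -eq 'Enabled')
    $pass   = (-not $srv.EnableSMB1Protocol) -and (-not $featOn)
    [pscustomobject]@{ Check = 'Legacy protocol SMBv1 disabled (<90 days item 4)'; Pass = [bool]$pass
                       Evidence = "ServerEnableSMB1=$($srv.EnableSMB1Protocol) FeatureEnabled=$featOn" }
}

# Run all checks, list failures first so the remediation backlog is obvious, and
# return a non-zero exit code so the script can drive a fleet-wide hygiene report.
$results = @(Test-CloudDeliveredProtection; Test-LapsEnabled; Test-Smb1Disabled)
$results | Sort-Object Pass | Format-Table Check, Pass, Evidence -AutoSize
if ($results.Pass -contains $false) { exit 1 }
```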
NIST National Cybersecurity Center of Excellence (NCCoE)
• Share your thoughts and feedback
  – Organization - How your patch mitigation program works
    • Acquisition requirements for vendors
    • Patch Deployment processes (stages, speed, criteria)
    • Isolation strategies (for unpatchable assets like aging OT/ICS/SCADA/etc.)
    • Other insights
  – Security Vendor
    • Interested in participation in NCCoE lab testing