Joe Stocker, CISSP, MCITP, VTSP
Patriot Consulting
Principal Systems Architect with 17 Years of experience
Technical certifications: MCSE, MCITP Office 365, CISSP
B.S. Biola University.
Microsoft “Virtual Technology Sales Professional” [email protected]
Twitter: @ITGuySoCal
Blog: www.TheCloudTechnologist.com
LinkedIn: https://www.linkedin.com/in/jstocker101
My Company: www.PatriotConsultingTech.com
Microsoft Cloud Evangelist at Patriot Consulting
Top 10 Security Threats and how Azure Security Solutions can help.
Live demonstration of the newest Microsoft Security technologies:
- Azure AD Identity Protection
- Azure AD Privileged Identity Management
- Azure Information Protection
- Cloud App Discovery
- Azure Security Center
- Advanced Security Management
- Advanced Threat Protection
- OMS Security Suite
[Chart: attack sophistication and targeting increasing over time; periods shown: 2003–2004, 2005–present, 2012–beyond]
- Shadow IT: How do I know what apps are used in my environment?
- Access control: How do I ensure appropriate access to my cloud apps?
- Visibility/reporting: How do I gain visibility into cloud apps and usage?
- Data protection: How do I prevent data leakage?
- Threat prevention: How do I know if my users have been breached?
- Compliance: How do I address regulatory mandates?
Security Issue #1
63% of data breaches involve weak, default, or stolen passwords.
CLOUD-POWERED PROTECTION
Azure AD Identity Protection:
- Risk severity calculation
- Remediation recommendations
- Risk-based conditional access automatically protects against suspicious logins and compromised credentials
- Gain insights from a consolidated view of machine learning based threat detection
Signals fed to the machine-learning engine: leaked credentials, infected devices, configuration vulnerabilities, brute force attacks, suspicious sign-in activities
Risk-based policies: MFA challenge for risky logins, block attacks, change bad credentials
Security Issue #2
Privileged Accounts
Attackers target global admins
Discover, restrict, and monitor privileged identities
Enforce on-demand, just-in-time administrative access when needed
Provides more visibility through alerts, audit reports and access reviews
Global Administrator
Billing Administrator
Exchange Administrator
User Administrator
Password Administrator
Security Issue #3
Sensitive files being leaked
Azure Information Protection: full data lifecycle
- Classification & labeling: labeling, classification
- Protect: encryption, access control, policy enforcement
- Monitor & respond: document tracking, document revocation
Security Issue #4
Shadow IT
Microsoft Azure Active Directory Cloud app discovery
Source: Help Net Security 2014
as many Cloud apps are in use than IT estimates
• SaaS app category
• Number of users
• Utilization volume
Comprehensive reporting
Discover all SaaS apps in use within your organization
Security Issue #5
Spear Phishing
91% of successful data breaches started with a spear-phishing attack [Source: Trend Micro]
From: Real CEO’s Full Name [mailto:[email protected]]
Sent: Monday, March 21, 2016 9:53 AM
To: (Unsuspecting End-User – Probably in Accounting Department) <[email protected]>
Subject: RE: Invoice Payment
Jane,
I need you to process an urgent payment, which needs to go out
today as a same value day payment. Let me know when you are
set to proceed, so i can have the account information forwarded to
you once received.
Awaiting your response.
Regards
Thanks.
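The fraud pattern in the e-mail above (a real executive's display name on an external mailbox, a "RE:" subject with no reply chain, urgent payment wording) can be screened mechanically at the mail gateway. This is an added example, not from the deck or from Microsoft; the corporate domain, executive directory and sample message are constructed assumptions.

```python
# Added example: indicators of CEO-fraud / display-name impersonation.
# INTERNAL_DOMAIN and EXECUTIVES are assumed directory data; SAMPLE is a
# constructed message modelled on the slide's e-mail.
import email
from email import policy
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"                  # assumed corporate domain
EXECUTIVES = {"real ceo": "ceo@example.com"}     # assumed directory entries
URGENCY = ("urgent", "today", "same value day", "wire", "payment")

SAMPLE = """\
From: Real CEO <real.ceo@free-mail.example>
To: Jane <jane@example.com>
Subject: RE: Invoice Payment

I need you to process an urgent payment, which needs to go out today
as a same value day payment. Let me know when you are set to proceed.
"""

def bec_indicators(raw):
    """Return a list of human-readable findings for one RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg["From"])
    domain = addr.rsplit("@", 1)[-1].lower()
    findings = []
    # Display name belongs to a known executive but the mailbox does not match.
    known = EXECUTIVES.get(name.lower())
    if known and addr.lower() != known:
        findings.append(f"display name '{name}' matches an executive but address is {addr}")
    # Executive-style request arriving from outside the organisation.
    if domain != INTERNAL_DOMAIN:
        findings.append(f"sender domain {domain} is external")
    # Pressure language typical of payment fraud.
    body = msg.get_body(preferencelist=("plain",)).get_content().lower()
    hits = [w for w in URGENCY if w in body]
    if hits:
        findings.append("urgency/payment language: " + ", ".join(hits))
    # "RE:" implies a prior thread, but no threading header is present.
    if msg["Subject"].upper().startswith("RE:") and "In-Reply-To" not in msg:
        findings.append("claims to be a reply but has no In-Reply-To header")
    return findings
```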
Security Issue #6
Detecting Intrusions
200 days. That’s the average time an attacker goes undetected.
Advanced Security Management for Office 365:
- Gain enhanced visibility and context into your Office 365 usage and shadow IT – no agents required.
- Identify high-risk and abnormal usage, security incidents, and threats
- Shape your Office 365 environment with granular security controls and policies
Security Issue #7
Employee Exits
How do I wipe business data from a personally owned mobile phone or tablet?
- Maximize mobile productivity and protect corporate resources with Office mobile apps – including multi-identity support
- Extend these capabilities to your existing line-of-business apps using the Intune App Wrapping Tool
- Enable secure viewing of content using the Managed Browser, PDF Viewer, AV Player, and Image Viewer apps
[Diagram: multi-identity policy separating managed apps and corporate data (IT) from personal apps and personal data (user)]
Security Issue #8
Conventional Antivirus is insufficient
10% of viruses get by antivirus “blacklists”
Windows Defender ATP
Security Issue #9
Assume Breach
There are companies who have been hacked
And companies who don’t know they have been hacked
Advanced Threat Analytics
Microsoft Advanced Threat Analytics brings the behavioral analytics concept to IT and the organization’s users.
An on-premises platform to identify advanced security attacks and insider threats before they cause damage
DETECT ATTACKS BEFORE THEY CAUSE DAMAGE
Behavioral Analytics: detection of advanced attacks and security risks (Advanced Threat Detection)
1. Analyze: ATA analyzes all Active Directory-related traffic and collects relevant events from SIEM
2. Learn: ATA automatically learns all entities’ behaviors
3. Detect: ATA builds the organizational security graph, detects abnormal behavior, protocol attacks and weaknesses, and constructs an attack timeline
Abnormal resource access
Account enumeration
Net Session enumeration
DNS enumeration
SAM-R Enumeration
Abnormal working hours
Brute force using NTLM, Kerberos, or LDAP
Sensitive accounts exposed in plain text authentication
Service accounts exposed in plain text authentication
Honey Token account suspicious activities
Unusual protocol implementation
Malicious Data Protection Private Information (DPAPI) Request
Abnormal authentication requests
Abnormal resource access
Pass-the-Ticket
Pass-the-Hash
Overpass-the-Hash
MS14-068 exploit (Forged PAC)
MS11-013 exploit (Silver PAC)
Skeleton key malware
Golden ticket
Remote execution
Malicious replication requests
Attack phases covered: Reconnaissance, Compromised Credential, Lateral Movement, Privilege Escalation, Domain Dominance
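An added illustration of the learn-then-detect model described above, not ATA's own code: a per-user baseline is built from a training window of constructed Active Directory sign-in events, then live events are checked for three of the detections in the list (abnormal working hours, abnormal resource access, brute force using NTLM). The event fields, thresholds and account names are assumptions.

```python
# Added example of the "learn, then detect" approach the slide describes.
# Events are constructed tuples: (user, hour_of_day, host, protocol, success).
from collections import defaultdict, Counter

TRAINING = ([("alice", h, "FS01", "Kerberos", True) for h in (8, 9, 10, 14, 16)]
            + [("bob", h, "HR01", "Kerberos", True) for h in (9, 11, 13, 17)])

LIVE = [
    ("alice", 3, "FS01", "Kerberos", True),    # 03:00 sign-in: abnormal working hours
    ("alice", 10, "DC01", "Kerberos", True),   # never-seen host: abnormal resource access
    ("bob", 10, "HR01", "Kerberos", True),     # within baseline: no alert
] + [("svc-backup", 10, "DC01", "NTLM", False)] * 25   # 25 NTLM failures: brute force

def learn(events):
    """Baseline per user from successful events: hours seen and hosts accessed."""
    hours, hosts = defaultdict(set), defaultdict(set)
    for user, hour, host, _proto, ok in events:
        if ok:
            hours[user].add(hour)
            hosts[user].add(host)
    return hours, hosts

def detect(events, baseline, fail_threshold=20, hour_slack=2):
    """Flag deviations from the baseline plus repeated failures per protocol.

    hour_slack treats an hour within +/-2 of any baseline hour as normal;
    wrap-around at midnight is deliberately not handled in this toy version."""
    hours, hosts = baseline
    alerts, failures = [], Counter()
    for user, hour, host, proto, ok in events:
        if not ok:
            failures[(user, proto)] += 1
            continue
        if user in hours and all(abs(hour - h) > hour_slack for h in hours[user]):
            alerts.append(("abnormal working hours", user, f"{hour:02d}:00"))
        if user in hosts and host not in hosts[user]:
            alerts.append(("abnormal resource access", user, host))
    for (user, proto), n in failures.items():
        if n >= fail_threshold:
            alerts.append((f"brute force using {proto}", user, str(n)))
    return alerts
```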
Security Issue #10
Privilege Escalation
Mimikatz… nuff said.
http://www.winbeta.org/news/us-department-defense-move-windows-10-february-2017-upgrading-4-million-seats
Azure Security Center vs OMS
So what’s the difference?
Azure Security Center: checks whether VMs are patched, running antivirus and using Network Security Groups, and flags any endpoints without access control lists.
OMS Security is a cloud-based service that enables customers to quickly and easily assess the security posture and detect security threats across hybrid cloud environments
Summary
Security Solution Overview: Secure the Enterprise
Users:
- Intune: Protect your users, devices, and apps
- Advanced Threat Analytics (ATA): Detect problems early with visibility and threat analytics
- Azure Information Protection: Protect your data, everywhere
- Azure Active Directory Identity Protection: Protect application access from identity attacks
- Microsoft Cloud App Security: Extend enterprise-grade security to your cloud and SaaS apps
Administrators:
- Privileged Identity and Access Management: Time limited access and just-in-time activation