Microsoft provides robust cloud-based tools to help protect our data and services in Office 365 from attackers and data breaches. These tools include capabilities for auditing, monitoring, enforcing policies and protecting critical enterprise data. However, Office 365 is not immune to attack. In this session you’ll learn common patterns used by attackers to compromise Office 365 tenants in the real world, how to make use of Microsoft cloud-based tools to protect your Office 365 tenant, and how to investigate and recover from an attack so that you can help prevent it from happening again. Microsoft Premier Field Engineer Theresa Eller and six-time Microsoft MVP Antonio Maio share their experiences investigating data breaches, recovering from them and helping Office 365 customers protect against future data breaches.
Learn how to protect against and recover from data breaches in Office 365
1. Learn How to Protect Against and Recover from Data Breaches in Office 365
Theresa Eller, Microsoft Premier Field Engineer
sharepointmadam@anythingbutcode.onmicrosoft.com
Antonio Maio, Protiviti Senior Enterprise Architect & Microsoft MVP
Antonio.Maio@Protiviti.com
4. AGENDA
01 Common Attack Patterns
02 Types of Security Breaches
03 What Does a Security Breach Look Like
04 How to Investigate & Recover from an Attack
05 Protect from Future Attacks
7. PHISHING & SPEAR PHISHING
• One of the Most Common Attack Vectors
• Targeted Attacks – They are formatted for you!
• Attackers do their research
• OSINT (open source intelligence)
8. PHISHING & SPEAR PHISHING
• Lots of examples…
▪ Someone has accessed your account
▪ Verify your account
▪ Renew your subscription
▪ iTunes Receipt
▪ Replies (subject starting with Re:) when you never received the original
▪ Review your PayPal account
▪ Review this invoice
▪ Urgent action required…
9. CREDENTIAL STUFFING
• So Many Passwords!
• So many it’s difficult for us to remember them all!
• Attackers will rely on human nature!
CREDENTIAL STUFFING: Re-using the same passwords across multiple systems
10. ACCESSING CREDENTIALS & SAVING ON HOME PC
• Exposes Credentials to Home Users
• Exposes Credentials to Software that Home Users Download … like malware!
15. WHAT DOES A SECURITY BREACH LOOK LIKE?
• Email anomalies
• Emails from people/groups you don’t normally communicate with
• Notifications from banks and online services you don’t normally interact with
• Typos
• Urgent call to action
• Old contact information (old titles)
• Slow computer/Slow web access
37. Security features must be enabled to protect you
• >99% of common user compromises are preventable
• Most customers enable features after they’re compromised
• Average account secure score today is 14.65/180
Baseline Protection: a simple one-click experience enables our recommended security configuration and features
Baseline configuration:
• For admins: MFA enabled for Azure AD privileged roles
• For all users: MFA enabled
• Enrolled in the Microsoft Authenticator app for MFA
• Require MFA when sign-in risk is detected
• Block legacy authentication protocols
• Block logins from compromised users
39. Microsoft Secure Score
Visibility into your Microsoft security position and how to improve it
• Insights into your security position
• Guidance to increase your security level
41. Identity Secure Score
Check out your Identity Secure Score now at aka.ms/MyIdentitySecureScore
• Insights into your security posture
• Guidance to help you secure your organization
42. CONDITIONAL ACCESS APP CONTROL
Microsoft Azure Active Directory:
• Analyze session risk
• Check device compliance with Intune
• Check location
• Check user behavior
• Check user organization
Enforce relevant policies with Conditional Access App Control:
• Protect downloads from unmanaged devices with AIP
• Monitor and alert on actions when user activity is suspicious
• Enforce read-only mode in applications for partner (B2B) users
• Require MFA and define session timeouts for unfamiliar locations
(Diagram label: BOX.US.CAS.MS)
Cloud App Security integrates with:
• Azure Active Directory
• Azure Information Protection
• Microsoft Intune
to protect any app in your organization.
43. (Diagram of Cloud App Security alert categories)
Indicators of a compromised session:
• Activity from suspicious IP addresses
• Activity from anonymous IP addresses
• Activity from an infrequent country
• Impossible travel between sessions
• Logon attempt from a suspicious user agent
Malicious use of an end-user account:
• Unusual file share activity
• Unusual file download
• Unusual file deletion activity
• Ransomware activity
• Data exfiltration to unsanctioned apps
• Activity by a terminated employee
Threat delivery and persistence:
• Malware implanted in cloud apps
• Malicious OAuth application
• Multiple failed login attempts to app
• Suspicious inbox rules (delete, forward)
Malicious use of a privileged user:
• Unusual impersonated activity
• Unusual administrative activity
• Unusual multiple delete VM activity
44. (Diagram of identity threat alert categories by share of alert volume)
Reconnaissance (65% of alert volume):
• Directory services
• DNS
• Account enumeration
• SMB session enumeration
Impacted organizations, recon attacks: directory services 86%, DNS 38%, account enumeration 10%, SMB session enumeration 12%
Compromised credentials (16% of alert volume):
• Brute force attempts
• Suspicious group membership modifications
• Honey Token account suspicious activities
• Suspicious VPN connection
• Abnormal access to AIP protected data
Lateral movement (11% of alert volume):
• Pass-the-Ticket
• Pass-the-Hash
• Overpass-the-Hash
Domain dominance (8% of alert volume):
• Golden ticket attack
• Skeleton Key
• Remote code execution on DC
• Service creation on DC
• DCShadow
46. MFA reduces the risk of an attack by 99.9%
Have you turned on MFA?
47. (Conditional Access diagram)
Conditions:
• Employee & Partner Users and Roles (Azure AD, ADFS, MSA, Google ID)
• Trusted & Compliant Devices (Windows, MacOS, Android, iOS, Windows Defender ATP)
• Location (Corporate Network, Geo-location)
• Client apps & Auth Method (Client apps, Browser apps)
Real time Evaluation Engine: Machine learning, Policies, Session Risk, Effective policy; Microsoft Cloud App Security
Controls:
• Allow/block access
• Require MFA
• Force password reset
• Limited access
• Terms of Use
49. Enable MFA for your Admin Accounts or, even better, use PIM
• 1.7% admins protected by MFA
• Monitor your Risk Reports
• Use Identity Secure Score
• Test passwordless sign-in with Microsoft Authenticator
• Turn on Password Hash Sync
• Pull Azure AD Logs into your SIEM systems
• Block Legacy Auth
• Modernize your password policy
• Block Suspicious IPs
• Enable user risk policy
• Enable sign-in risk policy
• Review app permissions & use MCAS
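Added example, not from the deck: once Azure AD sign-in logs are pulled into a SIEM (slide 49), two of the signals the slides name can be checked directly, legacy authentication protocols that bypass MFA (slides 37 and 49) and impossible travel between sessions (slide 43). The record shape follows the Microsoft Graph signIn schema as an assumption; users, coordinates and timestamps are invented.

```python
import json, math
from collections import defaultdict
from datetime import datetime
# Constructed sample records in the shape of Azure AD sign-in logs (simplified Microsoft Graph signIn schema); values invented.
SAMPLE_SIGNINS = json.loads("""[
 {"userPrincipalName": "alice@contoso.example", "clientAppUsed": "Browser", "createdDateTime": "2019-05-01T08:00:00Z",
  "location": {"countryOrRegion": "CA", "geoCoordinates": {"latitude": 43.65, "longitude": -79.38}}},
 {"userPrincipalName": "alice@contoso.example", "clientAppUsed": "Browser", "createdDateTime": "2019-05-01T09:30:00Z",
  "location": {"countryOrRegion": "RU", "geoCoordinates": {"latitude": 55.75, "longitude": 37.62}}},
 {"userPrincipalName": "bob@contoso.example", "clientAppUsed": "IMAP4", "createdDateTime": "2019-05-01T08:10:00Z",
  "location": {"countryOrRegion": "CA", "geoCoordinates": {"latitude": 43.65, "longitude": -79.38}}},
 {"userPrincipalName": "carol@contoso.example", "clientAppUsed": "Browser", "createdDateTime": "2019-05-01T08:00:00Z",
  "location": {"countryOrRegion": "CA", "geoCoordinates": {"latitude": 43.65, "longitude": -79.38}}},
 {"userPrincipalName": "carol@contoso.example", "clientAppUsed": "Browser", "createdDateTime": "2019-05-01T12:00:00Z",
  "location": {"countryOrRegion": "US", "geoCoordinates": {"latitude": 40.71, "longitude": -74.01}}}
]""")
# clientAppUsed values that mean a legacy (basic auth) protocol, which cannot enforce MFA.
LEGACY_CLIENT_APPS = {"Exchange ActiveSync", "IMAP4", "POP3", "Authenticated SMTP", "Other clients"}
MAX_PLAUSIBLE_KMH = 900.0  # about airliner speed; anything faster between two sign-ins is implausible
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

def haversine_km(lat1, lon1, lat2, lon2):
    # Great-circle distance in kilometres (Earth radius 6371 km).
    dphi, dlmb = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(math.radians(lat1)) * math.cos(math.radians(lat2)) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def find_legacy_auth(signins):
    # Sign-ins over protocols the baseline configuration says to block outright.
    return [(s["userPrincipalName"], s["clientAppUsed"]) for s in signins if s["clientAppUsed"] in LEGACY_CLIENT_APPS]

def find_impossible_travel(signins):
    # Consecutive sign-ins by the same user whose implied speed cannot be real travel.
    by_user = defaultdict(list)
    for s in signins:
        by_user[s["userPrincipalName"]].append(s)
    alerts = []
    for upn, events in by_user.items():
        events.sort(key=lambda e: e["createdDateTime"])
        for prev, cur in zip(events, events[1:]):
            g1, g2 = prev["location"]["geoCoordinates"], cur["location"]["geoCoordinates"]
            dist = haversine_km(g1["latitude"], g1["longitude"], g2["latitude"], g2["longitude"])
            hours = (datetime.strptime(cur["createdDateTime"], TIME_FMT)
                     - datetime.strptime(prev["createdDateTime"], TIME_FMT)).total_seconds() / 3600
            # Zero elapsed time with a non-zero distance is the extreme case: treat as infinite speed.
            speed = 0.0 if dist == 0 else (dist / hours if hours > 0 else math.inf)
            if speed > MAX_PLAUSIBLE_KMH:
                alerts.append((upn, prev["location"]["countryOrRegion"], cur["location"]["countryOrRegion"], round(speed)))
    return alerts
```

Carol's Toronto-to-New-York pair is the negative case: about 550 km in four hours stays under the threshold, so only Alice's Toronto-to-Moscow pair and Bob's IMAP4 sign-in are reported.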
50. Thank you!
Theresa Eller, Microsoft Premier Field Engineer
sharepointmadam@anythingbutcode.onmicrosoft.com
Antonio Maio, Protiviti Senior Enterprise Architect & Microsoft MVP
Antonio.Maio@Protiviti.com