
Security and Compliance with SharePoint and Office 365

Whether you’re new to security and compliance in Office 365 or a seasoned veteran, we’ll have something for you in this session. Hear about Microsoft’s overall security story from Microsoft MVP Richard Harbridge, and better understand how it relates to SharePoint services, catch up on new developments over the past year, and learn about the new capabilities Microsoft provides. From advanced security management and threat intelligence to sensitive content encryption, governance and sharing there is plenty to discuss.



  1. Security and Compliance: A Whole New World with SharePoint and Office 365. Presented by Richard Harbridge (@RHarbridge). #ILTASPS
  2. RICHARD HARBRIDGE. My Twitter handle is @RHarbridge, my blog is at http://2toLead.com, and I work at… CTO & MVP | SPEAKER & AUTHOR | SUPER FRIENDLY
  3. Great, we know who you are, but what do you do on a daily basis? MAXIMIZE SECURITY INVESTMENTS… Typically the work centers around…
  4. RICHARD HARBRIDGE. My Twitter handle is @RHarbridge, my blog is at http://2toLead.com, and I work at… CTO & MVP | SPEAKER & AUTHOR | SUPER FRIENDLY
  5. TOP THREE CLOUD CONCERNS… What are the big trends in security, compliance and transparency? Security: 73% of orgs indicated security as a top challenge holding back SaaS adoption. Compliance: 89% of orgs are required to govern content for compliance or business continuity purposes. Transparency: 63% of orgs state transparency challenges restrict them from growing their cloud usage.
  6. WHAT WE WILL TALK ABOUT TODAY… Let’s talk about user control… Let’s talk about security services… Let’s talk about compliance services…
  7. MANAGING ACCESS & CONTROL… While core documents are managed and controlled, many other places, such as team or departmental collaboration, suffer from permission challenges.
  8. MANAGING ACCESS & CONTROL… Throughout the Office 365 experience for SharePoint or OneDrive content, access control is readily available and easy for an end user to understand.
  9. MANAGING ACCESS & CONTROL… We use dynamic groups, with membership defined as a rule rather than as a static list of members. We expire groups if their need is not attested. Expiring groups: admins set a duration after creation by which group owners must attest the continuing need for their group; otherwise it is deleted. One identity: Azure Active Directory (AAD) is the master for group identity and membership across Office 365 (Exchange, SharePoint, Yammer, Teams, Planner, Power BI, etc.).
  10. MANAGING ACCESS & CONTROL… Make it easy to manage access and ensure the wrong kind of sharing doesn’t take place, whether internal or external.
  11. MANAGING ACCESS & CONTROL… Better site management at the service level makes it easier to target and notify owners based on site activity, classifications, sharing status and more.
  12. WHAT WE WILL TALK ABOUT TODAY… Let’s talk about user control… Let’s talk about security services… Let’s talk about compliance services…
  13. WHAT WE WILL TALK ABOUT TODAY… Let’s talk about user control… Let’s talk about security services… Let’s talk about compliance services…
  14. BEST WAY TO PROTECT YOUR DATA? You need both defense in breadth and defense in depth to mitigate product vulnerabilities; user education mitigates human vulnerabilities; and continuous monitoring shortens attack times (because at some point, you will be attacked). Breadth, depth, user education, systematic security.
  15. THE BIGGER PICTURE… Microsoft’s security platform is quite a bit more than just Office 365, and the modern security platform has considerably more capability today.
  16. SECURE SCORE… One place to understand your security position and what features you have enabled, with targeted guidance to increase your security level.
  17. THREAT INTELLIGENCE… Broad visibility into attack trends: billions of data points from Office, Windows and Azure; integrated data from external cyber threat hunters; proactive security policy management; intuitive dashboards with drill-down capabilities. Microsoft Advanced Threat Analytics brings the behavioral analytics concept to IT and the organization’s users.
  18. THREAT INTELLIGENCE… Advanced Threat Analytics detections span reconnaissance, compromised credentials, lateral movement, privilege escalation and domain dominance: abnormal resource access; account enumeration; Net Session enumeration; DNS enumeration; Directory Services enumeration (ATA 1.7); abnormal working hours; brute force using NTLM, Kerberos or LDAP; sensitive accounts exposed in plain-text authentication; service accounts exposed in plain-text authentication; honey token account suspicious activities; unusual protocol implementation; malicious Data Protection Private Information (DPAPI) request; abnormal authentication; Pass-the-Ticket; Pass-the-Hash; Overpass-the-Hash; MS14-068 exploit (forged PAC); MS11-013 exploit (silver PAC); skeleton key malware; golden ticket; remote execution; malicious replication requests.
  19. ADVANCED THREAT PROTECTION… This is integrated across apps and services (Exchange Online, SharePoint Online, OneDrive for Business, Office apps, etc.). Time-of-click protection against malicious URLs: URL reputation checks along with detonation of attachments at destination URLs. Zero-day protection against malicious attachments: attachments with unknown virus signatures are assessed using behavioral analysis. Critical insights into external threats: rich reporting and tracking features provide critical insights into the targets and categories of attacks. Intelligence sharing with devices: integration with Windows Advanced Threat Protection to correlate data across users and devices.
  20. ADVANCED THREAT PROTECTION… Dynamic delivery for Safe Attachments, and URL detonation (not just links, but even files that contain links). This is integrated across apps and services (Exchange Online, SharePoint Online, OneDrive for Business, Office apps, etc.).
  21. SENSITIVE CONTENT ENCRYPTION… Office 365, rather than RMS, lets us secure and transfer content while putting responsibility on the receiving party to view and reply via a secure portal. Secure email that works across organizations and with anyone you wish to reach; removes the complexity of getting started; simplifies manual or automatic protection; ensures that all recipients can read and respond.
  22. ENHANCED SHARING CONTROLS… Control levels at the tenant, site collection, group and more. Continuing to improve in terms of capabilities, controls and experiences.
  23. WHAT CAN I DO IN THE ADMIN? Multi-geo support, where you can control data residency (store content in that geo) and control settings (distinct settings on sharing, etc.).
  24. ADVANCED SECURITY MANAGEMENT… Advanced Security Management is a great way to be more proactive with policy enforcement and risk evaluation. Threat detection: identify high-risk and abnormal usage, security incidents and threats. Enhanced control: shape your Office 365 environment with granular security controls and policies. Discovery and insights: gain enhanced visibility and context into your Office 365 usage and shadow IT.
  25. ADVANCED SECURITY MANAGEMENT… Alerts can be extremely powerful in detecting certain patterns, accelerating a proactive and improved security posture.
  26. PRODUCTIVITY APP DISCOVERY… Analyze which cloud apps are being used in your organization by importing your traffic logs from firewalls and proxies.
  27. CONDITIONAL ACCESS… Device access is conditional access (by IP, by managed or unmanaged device): block, allow read-only capabilities, or even apply specific time-out settings.
  28. POWER BI… It’s not just about enabling the sharing of reports and dashboards. Policy controls (I want to… / I should use…): control who uses Power BI / Office 365 portal to assign licenses; prevent access off the corporate network / AAD Conditional Access; view and control usage of Power BI features / Power BI Admin Portal; control usage of mobile features / Intune MAM; audit Power BI activity / Power BI auditing in the Office 365 portal.
  29. WHAT WE WILL TALK ABOUT TODAY… Let’s talk about user control… Let’s talk about security services… Let’s talk about compliance services…
  30. WHAT WE WILL TALK ABOUT TODAY… Let’s talk about user control… Let’s talk about security services… Let’s talk about compliance services…
  31. DATA IS GROWING… 50% year-over-year growth rate in electronic data; 45% of orgs state lack of governance opens them to security and compliance risks; 41% of orgs state enforcing a governance policy is their biggest issue. Achieving organizational compliance is challenging.
  32. IN-PLACE COMPLIANCE… Microsoft is evolving beyond core preservation and monitoring. Organization needs: preserve vital data, find relevant data, monitor activity. Data governance: import, store, preserve and expire data. eDiscovery: quickly identify the most relevant data. Auditing: monitor and investigate actions taken on data. Security & Compliance Center: manage compliance for all your data across Office 365.
  33. IN-PLACE DATA LIFE-CYCLE… Microsoft is prioritizing in-place models and offers many capabilities that fit this model, going beyond legal hold into preservation policy, etc. Benefits of in-place Office 365 data governance over journaling: Location, query or policy based: apply preservation to a mailbox or SharePoint site, apply a query to hold less content, or use preservation policies. Higher fidelity and lower costs: content stays in Exchange and SharePoint, which results in lower storage costs and higher-fidelity data. No impact to users: seamlessly create, edit and delete without knowing data is being preserved. Reduce risk: data is not duplicated to another provider or compliance boundary, and all actions taken on the data are recorded. Insights: insights to enable you to keep what’s important, delete what’s not, and share according to policy.
  34. COMPLIANCE LIFE-CYCLE… You can bring data into Office 365 today for preservation and to apply compliance. Once it’s in, all the in-place capabilities apply.
  35. DATA LOSS PREVENTION… Protect sensitive information taking into account content, users and the dynamic operating environment. Sophisticated, built-in content protection across Office 365; insights and automatic safeguards; end-user empowerment to maintain productivity and enforcement. There is a detailed story for how this can be used.
  36. DATA LOSS PREVENTION… Unified policy definition and unified reporting. DLP can be applied to more targeted and a wider variety of sources, and the reporting is also improved and unified.
  37. ADVANCED DATA GOVERNANCE… Helping customers understand how to improve their data governance and giving them the tools to do it: leverage intelligence to automate data retention; classify data based on age, type, user or sensitivity; policy recommendations based on machine learning; apply actions to preserve high-value data; purge redundant, obsolete and trivial data.
  38. ADVANCED DATA GOVERNANCE… Quickly get insights into your data on the dashboard.
  39. ADVANCED DATA GOVERNANCE… When importing, get intelligence that helps you improve your data governance.
  40. ADVANCED DATA GOVERNANCE… When importing, get intelligence that helps you improve your data governance. Filter, and see the impact of your filtering.
  41. ADVANCED DATA GOVERNANCE… When importing, get intelligence that helps you improve your data governance. Filter, and see the impact of your filtering.
  42. ADVANCED DATA GOVERNANCE… Preserving and retaining content can be user driven, match a query, or be based on advanced rules.
  43. AUDIT LOG… It’s not just that everything is audited. It’s that we can have alerts, that we can extend this with the API, and that this can be helpful.
  44. AUDIT LOG… Be sure to use the API to store this data if you want to use it at a later time. What is audited: Exchange Online: admin activity, end-user (mailbox) activity. Security and Compliance Center: admin activity. Azure Active Directory: Office 365 logins, directory activity. Power BI: admin activity. SharePoint Online and OneDrive for Business: file activity, sharing activity.
  45. EDISCOVERY… Enabling in-place, intelligent eDiscovery to quickly identify relevant data while decreasing cost and risk. You can use it to find sensitive data too!
  46. EDISCOVERY… Still an area that is continuing to improve. Identify relevant documents: predictive coding enables you to train the system to automatically distinguish between likely relevant and non-relevant documents. Identify data relationships: use clustering technology to look at documents in context and identify relationships between them. Organize and reduce the data prior to review: use near-duplicate detection to organize the data and reconstruct email threads from unstructured data to reduce what’s sent to review.
  47. WHAT ABOUT SHAREPOINT 2016? Last year Feature Pack 1 was released. It improved experiences and hybrid capabilities, and it also includes a hybrid auditing capability that is unified with Office 365. Feature Pack 2, coming later this fall, is all about a better development pattern across on-premises and Office 365.
  48. CUSTOMER LOCKBOX… Can help customers meet compliance obligations by demonstrating that they have procedures in place for explicit data access authorization. Extended access control: use Customer Lockbox to control access to customer content for service operations. Visibility into actions: actions taken by Microsoft engineers in response to Customer Lockbox requests are logged and accessible via the Management Activity API and the Security and Compliance Center. (Diagram: a Microsoft engineer submits a request; a Microsoft manager approves it; the customer approves it; only then does the Lockbox system grant access.) “The only time we touch data is when you call with a support incident. Not something everyone needs. For example, in a recent month there were ~9 requests (5 were MSFT IT, 4 were customers, out of millions and millions of customers).”
  49. ENCRYPTION KEYS… BYOK is for service exit! Remember: contractual terms have clear obligations, with fraud, negligence and breach-of-contract liabilities.
  50. ENCRYPTION KEYS… BYOK is for service exit! Remember: contractual terms have clear obligations, with fraud, negligence and breach-of-contract liabilities.
  51. SERVICE TRUST & TRUST CENTER… The Trust Center is still a great resource, but now in your Security and Compliance Center you have all the reports, trust documents, controls and more available for inspection (you can even share access). Rich information on how Microsoft implements security, privacy and compliance controls, including details of testing by independent third-party auditors; third-party audit reports including SOC 1 / SSAE 16, SOC 2 / AT 101, ISO 27001, ISO 27018 and many more; deep insights into how Microsoft implements encryption, incident management, tenant isolation and data resiliency; information on how you can leverage Microsoft cloud security controls and configurations to protect your data.
  52. WHAT WE WILL TALK ABOUT TODAY… Let’s talk about user control… Let’s talk about security services… Let’s talk about compliance services…
  53. DEFAULT CONFIGURATION IS NOT ENOUGH… There are a few high-level recommendations that I wanted to leave you with.
      • Configure Secure Score:
        • Weekly performance of activities to increase Secure Score is highly recommended.
        • Multi-factor authentication for global and non-global admins is a must!
        • The recommended weekly report checks are also a must.
        • Increase the target score slider to include a few more defense-in-breadth activities.
      • DKIM/DMARC/SPF:
        • Ensure that all three are enabled for the default domain, not the onMicrosoft.com domain.
        • Also check the spoof mail report weekly (requires E5 or the Advanced Threat Protection SKU).
      • Exchange Online:
        • Weekly checks on all mailboxes with last login date (PowerShell script).
        • Enable the common attachment types filter and notifications under Protection > Malware.
        • Verify the list of allowed/blocked IPs under Protection > Connection filter.
        • Verify the block/allow list in the spam filter policy.
      • Threat Management (requires E5):
        • Check the dashboard and individual reports weekly.
      • Data Loss Prevention:
        • At minimum, set up a DLP policy for mitigating access to documents that contain Personally Identifiable Information (PII).
      • SharePoint Online:
        • Always use groups and, where possible, use dynamic memberships!
        • If on-premises, consider SharePointURLBrute or SharePoint UserDispEnum.
  54. UNLOCK MORE CAPABILITIES… Understand your current investments and what you already own today! Identity and access management: Azure Active Directory Premium P1 (secure single sign-on to cloud and on-premises apps; MFA, conditional access and advanced security reporting) and Azure Active Directory Premium P2 (identity and access management with advanced protection for users and privileged identities; includes all capabilities in P1). Managed mobile productivity: Microsoft Intune (mobile device and app management to protect corporate apps and data on any device). Identity-driven security: Microsoft Advanced Threat Analytics (protection from advanced targeted attacks leveraging user and entity behavioral analytics) and Microsoft Cloud App Security (enterprise-grade visibility, control and protection for your cloud applications). Information protection: Azure Information Protection Premium P1 (manual classification and protection for files and emails shared inside and outside your organization; cloud-based file tracking) and Azure Information Protection Premium P2 (intelligent classification and protection for files and emails shared inside and outside your organization; includes all capabilities in P1). EMS E3 covers the P1 tiers, Intune and Advanced Threat Analytics; EMS E5 adds the P2 tiers and Cloud App Security.
  55. Thank You! Thanks to BMO’s amazing team for making this possible. 100+ awesome presentations at Slideshare.net/RHarbridge; 300+ pages of whitepapers at 2toLead.com/Whitepapers; WhenToUseWhat.com, Office365Intranets.com, Office365Metrics.com, Office365Campaigns.com, Office365Extranets.com, Office365Resources.com. Message me on LinkedIn or email Richard@2toLead.com. CTO & MVP | SPEAKER & AUTHOR | SUPER FRIENDLY. Twitter: @RHarbridge. More to come on our blog at http://2toLead.com.
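The weekly checks from the "default configuration is not enough" slide (mailboxes by last login, SPF/DKIM/DMARC on the default domain) and the audit-log slide's advice to store audit data outside the service, as one added PowerShell example. This script is not from the deck or from Microsoft; it assumes an Exchange Online PowerShell session is already connected (Connect-ExchangeOnline) and that Resolve-DnsName from the Windows DnsClient module is available. The domain name, stale-days threshold and output path are placeholder parameters, and the export uses the Search-UnifiedAuditLog cmdlet rather than the Management Activity API the slide refers to.

```powershell
# Added example: weekly Office 365 hygiene checks (slide 53) plus a unified audit log
# export (slide 44). Assumes an open Exchange Online session and Resolve-DnsName.
param(
    [string]$Domain          = "contoso.example",        # placeholder: your default (non-onMicrosoft.com) domain
    [int]   $StaleDays       = 90,                       # placeholder threshold for "nobody has signed in"
    [string]$AuditExportPath = ".\audit-last-7-days.csv" # placeholder output path
)

# 1. Mailboxes by last logon. LastLogonTime can be bumped by service processes, so a recent
#    value only means "possibly active"; a stale or empty value is worth reviewing.
function Get-StaleMailboxes {
    param([int]$Days)
    $cutoff = (Get-Date).AddDays(-$Days)
    Get-Mailbox -ResultSize Unlimited | ForEach-Object {
        $stats = Get-MailboxStatistics -Identity $_.Identity
        [pscustomobject]@{
            UserPrincipalName = $_.UserPrincipalName
            LastLogonTime     = $stats.LastLogonTime
            Stale             = (-not $stats.LastLogonTime) -or ($stats.LastLogonTime -lt $cutoff)
        }
    } | Where-Object Stale
}

# 2. SPF and DMARC are public DNS TXT records, so a lookup shows whether they are published
#    for the default domain; DKIM signing state is read from the Exchange Online session.
function Test-EmailAuthRecords {
    param([string]$Domain)
    $spf   = Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue |
             Where-Object { $_.Strings -match '^v=spf1' }
    $dmarc = Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue |
             Where-Object { $_.Strings -match '^v=DMARC1' }
    $policy = $null
    if ($dmarc) {
        # Match only the top-level p= tag, not sp= or adkim=.
        $m = [regex]::Match(($dmarc.Strings -join ''), '(?:^|;)\s*p=([a-z]+)')
        if ($m.Success) { $policy = $m.Groups[1].Value }
    }
    $dkim = Get-DkimSigningConfig -Identity $Domain -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Domain       = $Domain
        SpfPublished = [bool]$spf
        DmarcPolicy  = $policy          # expect "quarantine" or "reject"; $null means no DMARC record
        DkimEnabled  = [bool]($dkim -and $dkim.Enabled)
    }
}

# 3. Pull the last 7 days of the unified audit log into a CSV so the records outlive the
#    service's own retention window. ReturnLargeSet pages through results per SessionId.
function Export-WeeklyAuditLog {
    param([string]$Path)
    $end       = Get-Date
    $start     = $end.AddDays(-7)
    $sessionId = "weekly-export-" + $end.ToString("yyyyMMddHHmm")
    $all       = @()
    do {
        $page = @(Search-UnifiedAuditLog -StartDate $start -EndDate $end `
                    -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000)
        $all += $page
    } while ($page.Count -eq 5000)   # a short page means the session is exhausted
    $all | Select-Object CreationDate, UserIds, Operations, RecordType, AuditData |
        Export-Csv -Path $Path -NoTypeInformation
    return $all.Count
}

Get-StaleMailboxes -Days $StaleDays | Format-Table -AutoSize
Test-EmailAuthRecords -Domain $Domain | Format-List
$exported = Export-WeeklyAuditLog -Path $AuditExportPath
"Exported $exported audit records to $AuditExportPath"
```

Run it from a session where Connect-ExchangeOnline has already succeeded, on the default domain rather than the onMicrosoft.com one, since that is where the slide says the SPF/DKIM/DMARC records must live. A DMARC record whose policy comes back as "none" is published but not enforcing, so the DmarcPolicy field is the one to watch week over week; the exported CSV is what lets you investigate an account later, once the service's own audit retention has rolled over.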
