Need to Know Microsoft 365
Webinar
December 2019
@directorcia
http://about.me/ciaops
Web cast has started
Web cast is being recorded
If you can’t hear anything check
your speaker settings
For questions after the event:
Email : director@ciaops.com
Twitter : @directorcia
Webinar recordings at:
www.ciaopsacademy.com
Free access for CIAOPS patrons
Please:
- Turn off your mobile
- Turn off your email
- Have somewhere to take notes
http://www.ciaopslearn.com
Agenda
- Microsoft 365 Update
- Securing Microsoft 365
- Q & A
News
• Microsoft Video migration timeline
  https://techcommunity.microsoft.com/t5/Microsoft-Stream-Blog/Office-365-Video-Retirement-amp-Migration-Timelines/ba-p/1072819
• New Australian compliance options in Microsoft 365
  https://news.microsoft.com/en-au/features/compliance-score-streamlines-security-management-for-australian-enterprises/
• Securing all your cloud apps
  https://techcommunity.microsoft.com/t5/Security-Privacy-and-Compliance/Securing-ALL-your-cloud-apps-with-Microsoft/ba-p/1072310
• The quiet evolution of phishing
  https://www.microsoft.com/security/blog/2019/12/11/the-quiet-evolution-of-phishing/
• Teams now available on Linux
  https://techcommunity.microsoft.com/t5/Microsoft-Teams-Blog/Microsoft-Teams-is-now-available-on-Linux/ba-p/1056267
Securing Microsoft 365
The Security Dilemma
Defence in Depth
300% increase in identity attacks over the past year.
• Phishing: 23M high risk enterprise sign-in attempts detected in March 2018
• Password Spray: 350K compromised accounts detected in April 2018
• Breach Replay: 4.6B attacker-driven sign-ins detected in May 2018
The challenge of securing your environment
• The digital estate offers a very broad surface area that is difficult to secure
• Bad actors are using increasingly creative and sophisticated attacks
• Intelligent correlation and action on signals is difficult, time-consuming, and expensive
MICROSOFT’S INFORMATION PROTECTION SOLUTIONS (DETECT, PROTECT, CLASSIFY, MONITOR)
• WINDOWS INFORMATION PROTECTION: Separate personal vs. work data on Windows 10 devices and prevent work data from traveling to non-work locations
• OFFICE 365 ADVANCED SECURITY MANAGEMENT: Visibility into Office 365 app usage and potential data abuse
• MICROSOFT CLOUD APP SECURITY: Visibility into 15k+ cloud apps, data access & usage, potential abuse
• MESSAGE ENCRYPTION: Send encrypted emails in Office 365 to anyone, inside or outside of the company
• CONDITIONAL ACCESS: Control access to files based on policy, such as identity, machine configuration, geo location
• OFFICE APPS: Protect sensitive information while working in Excel, Word, PowerPoint, Outlook
• AZURE INFORMATION PROTECTION: Classify, label & protect files beyond Office 365, including on-prem & hybrid
• OFFICE 365 DLP: Prevent data loss across Exchange Online, SharePoint Online, OneDrive for Business
• ISV APPLICATIONS: Enable ISV partners to consume labels, apply protection
• OFFICE 365 ADVANCED DATA GOVERNANCE: Apply retention and deletion policies to sensitive and important data in Office 365
• SHAREPOINT & GROUPS: Protect files in libraries and lists
Unique insights, informed by trillions of signals
Where should you start?
Where will your adversary start?
What Is The Issue?
• SPF: v=spf1 ip4:1.2.5.5 ip4:8.2.7.4 ip4:7.3.2.2 ip4:5.5.1.8 include:_spf.salesforce.com include:spf.protection.outlook.com -all
• DKIM: "v=DKIM1; p=MIGfMA0GDQEBgQCrZ6z … 6UvqP3QIDAQAB"
• DMARC: v=DMARC1; p=reject; rua=mailto:dmarc@dmarc-aggregator.com; ruf=mailto:dmarc-ruf@dmarc-aggregator.com
Chart: DMARC policy published by domains (values in the order shown on the slide): Reject 6%, Quarantine 3%, None (take no action on a spoofed message) 31%, No record published 60%
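The three records above only help if they are actually strict: an SPF record ending in `~all` or `+all`, or a DMARC record with `p=none`, is the "no action on a spoofed message" case the chart is counting. The following is an added example (not code from the CIAOPS deck or from Microsoft) that parses SPF and DMARC TXT records and sorts them into the chart's four buckets, flagging the soft settings a spoofer relies on. The sample records are constructed to match the slide's examples; the IP addresses, domains and report mailboxes are placeholders, and no DNS is queried, so nested `include:` records are not expanded.

```python
"""Grade SPF and DMARC TXT records for a sending domain.

Added example, not code from the CIAOPS deck or from Microsoft. The sample
records are constructed to match the shape of the slide's examples; the IP
addresses, domains and report mailboxes are placeholders. No DNS queries are
made, so nested include: records are not expanded.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample records (placeholders, not real senders).
SPF_SAMPLE = ("v=spf1 ip4:1.2.5.5 ip4:8.2.7.4 ip4:7.3.2.2 ip4:5.5.1.8 "
              "include:_spf.salesforce.com include:spf.protection.outlook.com -all")
DMARC_SAMPLE = ("v=DMARC1; p=reject; rua=mailto:dmarc@dmarc-aggregator.com; "
                "ruf=mailto:dmarc-ruf@dmarc-aggregator.com")

# Terms that cost a DNS query; RFC 7208 s.4.6.4 allows at most 10 per evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}
NONE_BUCKET = "None (take no action on a spoofed message)"


@dataclass
class SpfReport:
    valid: bool
    all_qualifier: Optional[str]     # "-", "~", "?" or "+"; None if no "all" term
    lookups: int                     # top-level lookup terms only (no recursion)
    findings: List[str] = field(default_factory=list)


def check_spf(record: str) -> SpfReport:
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return SpfReport(False, None, 0, ["missing v=spf1 version tag"])
    lookups, all_q, findings = 0, None, []
    for pos, term in enumerate(terms[1:], start=1):
        qualifier = "+"                      # default qualifier is Pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name = re.split(r"[:/=]", term, maxsplit=1)[0].lower()
        if name == "all":
            all_q = qualifier
            if pos != len(terms) - 1:
                findings.append("terms after 'all' are never evaluated")
        elif name in LOOKUP_TERMS:
            lookups += 1
            if name == "ptr":
                findings.append("'ptr' is deprecated and slow; use ip4/ip6 instead")
    if all_q is None:
        findings.append("no 'all' term: unlisted senders get Neutral instead of Fail")
    elif all_q in "+?":
        findings.append(f"'{all_q}all' lets any sender pass SPF")
    elif all_q == "~":
        findings.append("'~all' is SoftFail; most receivers only mark, not reject")
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceed the limit of 10 (PermError)")
    return SpfReport(True, all_q, lookups, findings)


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict keyed by lower-case tag."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_bucket(record: Optional[str]) -> str:
    """Map a domain's DMARC record to the four buckets of the slide's chart."""
    if not record:
        return "No record published"
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return "No record published"         # receivers ignore a malformed record
    policy = tags.get("p", "").lower()
    if policy not in POLICY_RANK:
        # RFC 7489 s.6.6.3: no valid p but a usable rua -> act as p=none;
        # otherwise the receiver applies no DMARC processing at all.
        return NONE_BUCKET if tags.get("rua", "").startswith("mailto:") else "No record published"
    return {"reject": "Reject", "quarantine": "Quarantine", "none": NONE_BUCKET}[policy]


def dmarc_findings(record: str) -> List[str]:
    """Settings that keep a record in the 'Reject' bucket but blunt its effect."""
    tags, findings = parse_dmarc(record), []
    policy = tags.get("p", "none").lower()
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    sub = tags.get("sp", policy).lower()     # sp defaults to p
    if POLICY_RANK.get(sub, 0) < POLICY_RANK.get(policy, 0):
        findings.append(f"subdomain policy sp={sub} is weaker than p={policy}")
    if "rua" not in tags:
        findings.append("no rua address: you will never see who is spoofing you")
    return findings


if __name__ == "__main__":
    spf = check_spf(SPF_SAMPLE)
    print(f"SPF: all={spf.all_qualifier} lookups={spf.lookups} findings={spf.findings}")
    print("DMARC:", dmarc_bucket(DMARC_SAMPLE), dmarc_findings(DMARC_SAMPLE))
```

Run it against your own domain's TXT records (fetched with `Resolve-DnsName -Type TXT` or `dig txt`) before flipping `p=none` to `p=reject`; the `pct` and `sp` checks matter because a reject policy that only covers half the mail, or that leaves subdomains at `none`, still lets a spoofed `hr.contoso.com` through.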
Perimeter Protection (inbound)
Email is routed to an EOP data centre based on MX record resolution (Contoso-com.mail.protection.outlook.com)
• Edge: IP-based edge blocks, envelope blocks, directory based edge blocks
• Virus Scanning: AV Engine 1, AV Engine 2, AV Engine 3
• Policy Enforcement: custom transport rules
• Spam Protection: safe sender/recipient, content scanning and heuristics, bulk mail filtering, SPF & Sender ID filter, quarantine, international spam, advanced spam management
• Advanced Threat Protection (ATP): safe attachments policy, safe links policy
• Customer feedback (false +ve / -ve) and spam analysts tune the filters
• Delivery to the corporate network or Exchange Online
Outbound
• Mail from the corporate network or Exchange Online passes policy enforcement (custom transport rules), virus scanning (AV Engine 1, 2, 3) and spam protection (content scanning and heuristics, advanced spam management, spam analysts, Outlook safe sender)
• Outbound pool selection by spam score: low score goes out through the customer delivery pool, high score through the higher risk delivery pool; connector-based delivery is handled separately
https://aka.ms/PasswordSprayBestPractices
✓ Enable Multi-factor authentication for Office 365 users
✓ Secure your Office 365 environments from leaked credentials
MFA and Password-less
✓ DLP policies: protection from information leakage
Attack chain
1. Phishing mail: user opens an attachment or clicks on a URL, or the user browses to a website
2. Exploitation & Installation, then Command & Control
3. Brute force account or use stolen account credentials: user account is compromised
4. Attacker collects recon and config data, then attempts lateral movement
5. Privileged account compromised, then domain compromised
6. Attacker accesses sensitive data and exfiltrates it
Protection across the chain
• Office 365 ATP: malware detection, safe links, safe attachments
• Windows Defender ATP: endpoint protection
• Azure AD Identity Protection: identity protection & conditional access
• Azure ATP: identity protection (on-premises Active Directory)
• Cloud App Security: extends protection & conditional access to other cloud apps
Office 365 - Cloud App Security (CAS)
✓ Suspicious user activity
✓ New OAuth applications
✓ Addition of mail forwarding rules
Cloud App Security detections by category
• Threat delivery and persistence: malware implanted in cloud apps; malicious OAuth application; multiple failed login attempts to app
• Indicators of a compromised session: activity from suspicious IP addresses; activity from anonymous IP addresses; activity from an infrequent country; impossible travel between sessions; logon attempt from a suspicious user agent
• Malicious use of an end-user account: unusual file share activity; unusual file download; unusual file deletion activity; ransomware activity; data exfiltration to unsanctioned apps; activity by a terminated employee; suspicious inbox rules (delete, forward)
• Malicious use of a privileged user: unusual impersonated activity; unusual administrative activity; unusual multiple delete VM activity
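Two of the detections above are cheap to reproduce yourself from the audit trail, and doing so shows what the product is actually looking at: a forwarding or delete inbox rule is a tenant-wide persistence signal, and "impossible travel" is just distance over time between consecutive sign-ins. The following is an added example (not code from the CIAOPS deck or from Microsoft Cloud App Security). The Exchange events are constructed but copy the field names of Office 365 Unified Audit Log records (`Operation`, `UserId`, `ClientIP`, `Parameters`); the sign-in events use a simplified shape with coordinates already resolved. The tenant domain, users, mailboxes and IPs are placeholders.

```python
"""Two Cloud App Security style detections over constructed audit data.

Added example, not code from the CIAOPS deck or from Microsoft Cloud App
Security. The Exchange records are constructed but use the field names of
Office 365 Unified Audit Log entries (Operation, UserId, ClientIP, Parameters);
the sign-in records are a simplified shape with coordinates already resolved.
Names, addresses, IPs and the tenant domain are placeholders.
"""
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

TENANT_DOMAINS = {"contoso.com"}          # assumption: the tenant's accepted domains
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress"}

EXCHANGE_EVENTS = [  # constructed
    {"CreationTime": "2019-12-10T02:14:33", "Operation": "New-InboxRule",
     "UserId": "alice@contoso.com", "ClientIP": "198.51.100.23",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "archive@mail-example.net"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2019-12-10T09:01:10", "Operation": "New-InboxRule",
     "UserId": "bob@contoso.com", "ClientIP": "203.0.113.8",
     "Parameters": [{"Name": "Name", "Value": "Move newsletters"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"CreationTime": "2019-12-10T11:40:02", "Operation": "Set-Mailbox",
     "UserId": "admin@contoso.com", "ClientIP": "203.0.113.8",
     "Parameters": [{"Name": "Identity", "Value": "carol"},
                    {"Name": "ForwardingSmtpAddress", "Value": "smtp:carol@contoso.com"}]},
]

SIGNINS = [  # constructed; lat/lon stand in for the sign-in log's location block
    {"user": "alice@contoso.com", "time": "2019-12-10T01:55:00", "ip": "203.0.113.8",
     "lat": -33.87, "lon": 151.21},        # Sydney
    {"user": "alice@contoso.com", "time": "2019-12-10T02:10:00", "ip": "198.51.100.23",
     "lat": 52.52, "lon": 13.40},          # Berlin, 15 minutes later
    {"user": "bob@contoso.com", "time": "2019-12-10T08:00:00", "ip": "203.0.113.8",
     "lat": -33.87, "lon": 151.21},
    {"user": "bob@contoso.com", "time": "2019-12-10T20:00:00", "ip": "192.0.2.44",
     "lat": -37.81, "lon": 144.96},        # Melbourne, 12 hours later
]


def _params(event):
    """Flatten the audit record's Name/Value parameter list into a dict."""
    return {p["Name"]: p["Value"] for p in event.get("Parameters", [])}


def _is_external(address):
    addr = address.lower()
    if addr.startswith("smtp:"):
        addr = addr[5:]
    return addr.rsplit("@", 1)[-1] not in TENANT_DOMAINS


def suspicious_inbox_rules(events):
    """Flag rules or mailbox settings that forward outside the tenant or silently delete."""
    alerts = []
    for ev in events:
        if ev["Operation"] not in ("New-InboxRule", "Set-InboxRule", "Set-Mailbox"):
            continue
        p = _params(ev)
        reasons = [f"{name} -> {p[name]}" for name in sorted(p.keys() & FORWARD_PARAMS)
                   if _is_external(p[name])]
        if p.get("DeleteMessage", "").lower() == "true":
            reasons.append("DeleteMessage")
        if reasons:
            alerts.append((ev["UserId"], ev["Operation"], ev["ClientIP"], reasons))
    return alerts


def _km(lat1, lon1, lat2, lon2):
    """Great-circle distance (haversine), Earth radius 6371 km."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))


def impossible_travel(signins, max_kmh=900.0):
    """Consecutive sign-ins per user that imply faster travel than an airliner."""
    by_user = defaultdict(list)
    for s in signins:
        by_user[s["user"]].append(s)
    alerts = []
    for user, rows in by_user.items():
        rows.sort(key=lambda s: s["time"])          # ISO timestamps sort lexically
        for prev, cur in zip(rows, rows[1:]):
            hours = (datetime.fromisoformat(cur["time"])
                     - datetime.fromisoformat(prev["time"])).total_seconds() / 3600
            dist = _km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if hours > 0 and dist / hours > max_kmh:
                alerts.append((user, prev["ip"], cur["ip"], round(dist), round(hours, 2)))
    return alerts


if __name__ == "__main__":
    for alert in suspicious_inbox_rules(EXCHANGE_EVENTS):
        print("inbox rule:", alert)
    for alert in impossible_travel(SIGNINS):
        print("impossible travel:", alert)
```

Note the rule named "." in the first event: attackers routinely give persistence rules a one-character name so they sit unnoticed at the top of the list, which is why the detection keys on the forwarding and delete parameters rather than the rule name. Feed it real data with `Search-UnifiedAuditLog -Operations New-InboxRule,Set-InboxRule,Set-Mailbox` and the corresponding sign-in export.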
Azure ATP
Alert categories by share of alert volume: Reconnaissance (65%), Compromised credentials (16%), Lateral movement (11%), Domain dominance (8%)
• Reconnaissance: directory services, DNS, account enumeration, SMB session enumeration. Impacted organizations, recon attacks (values in the order shown on the slide): 86%, 38%, 10%, 12%
• Compromised credentials: brute force attempts, suspicious groups membership modifications, Honey Token account suspicious activities, suspicious VPN connection, abnormal access to AIP protected data
• Lateral movement: Pass-the-Ticket, Pass-the-Hash, Overpass-the-Hash
• Domain dominance: Golden ticket attack, Skeleton Key, remote code execution on DC, service creation on DC, DCShadow
Azure AD Identity Protection + Azure AD conditional access
Maximize Security. Maximize Productivity.
• Conditions: users, devices, location, apps, session risk (cloud-powered protection, machine learning)
• Policies feed a real time evaluation engine that produces the effective policy
• Controls: allow access, require MFA, limit access, force password reset, deny access
• Applies to on-premises apps and web apps
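What "effective policy" means in practice is that every policy whose conditions match a sign-in is applied at once, a block beats any grant, and the grant controls of the rest are combined. The following is an added example (not Azure AD's evaluation engine or its API) that models that flow with a handful of constructed policies of the kind a baseline tenant carries. The policy names, users, apps, named locations, risk levels and the precedence rules coded here are assumptions for the example; the break-glass account shows why an exclusion has to be placed on every policy, not just the MFA one.

```python
"""A toy conditional access evaluator: sign-in conditions in, effective controls out.

Added example; this is not Azure AD's evaluation engine or its API. It models
the flow on the slide (conditions, policies, real-time evaluation, effective
policy, controls). Policy names, users, apps, named locations and the
precedence rules used here (block wins; grant controls from all matching
policies are combined) are constructed for the example.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

RISK_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class SignIn:
    user: str
    app: str
    location: str               # named location resolved from the client IP
    device_compliant: bool
    sign_in_risk: str = "none"  # Identity Protection real-time sign-in risk
    user_risk: str = "none"     # Identity Protection offline user risk


@dataclass(frozen=True)
class Policy:
    name: str
    grant: str                                   # block | mfa | compliant_device | password_change | allow
    users: FrozenSet[str] = frozenset()          # empty = all users
    exclude_users: FrozenSet[str] = frozenset()  # e.g. break-glass accounts
    apps: FrozenSet[str] = frozenset()           # empty = all cloud apps
    locations: FrozenSet[str] = frozenset()      # empty = any location
    device_compliant: Optional[bool] = None      # None = condition not configured
    min_sign_in_risk: str = "none"
    min_user_risk: str = "none"
    session: FrozenSet[str] = frozenset()        # session controls, e.g. app enforced restrictions

    def matches(self, s: SignIn) -> bool:
        if s.user in self.exclude_users:
            return False
        if self.users and s.user not in self.users:
            return False
        if self.apps and s.app not in self.apps:
            return False
        if self.locations and s.location not in self.locations:
            return False
        if self.device_compliant is not None and s.device_compliant != self.device_compliant:
            return False
        if RISK_RANK[s.sign_in_risk] < RISK_RANK[self.min_sign_in_risk]:
            return False
        return RISK_RANK[s.user_risk] >= RISK_RANK[self.min_user_risk]


POLICIES: List[Policy] = [  # constructed baseline for the example
    Policy("Block sign-ins from untrusted countries", "block",
           locations=frozenset({"Untrusted country"})),
    Policy("Require MFA for all users", "mfa",
           exclude_users=frozenset({"breakglass@contoso.com"})),
    Policy("Require compliant device for Exchange Online", "compliant_device",
           apps=frozenset({"Exchange Online"})),
    Policy("Medium or high sign-in risk requires MFA", "mfa", min_sign_in_risk="medium"),
    Policy("High user risk forces a password change", "password_change", min_user_risk="high"),
    Policy("Limit browser access on unmanaged devices", "allow", device_compliant=False,
           session=frozenset({"app_enforced_restrictions"})),
]


def evaluate(policies: List[Policy], s: SignIn) -> dict:
    """Return the effective decision for one sign-in across all matching policies."""
    applied = [p for p in policies if p.matches(s)]
    names = [p.name for p in applied]
    session = sorted(set().union(*(p.session for p in applied)))
    if any(p.grant == "block" for p in applied):
        return {"decision": "deny", "reason": "blocked by policy", "controls": [],
                "session": [], "policies": names}
    if any(p.grant == "compliant_device" for p in applied) and not s.device_compliant:
        # A device-state grant cannot be satisfied interactively: deny now; the
        # user has to enrol or remediate the device and sign in again.
        return {"decision": "deny", "reason": "device not compliant", "controls": [],
                "session": [], "policies": names}
    controls = sorted({p.grant for p in applied if p.grant in ("mfa", "password_change")})
    if "password_change" in controls and "mfa" not in controls:
        controls.insert(0, "mfa")   # assumption: a secure password change is MFA-gated
    decision = "challenge" if controls else "allow"
    return {"decision": decision, "reason": "", "controls": controls,
            "session": session, "policies": names}


if __name__ == "__main__":
    for s in (
        SignIn("alice@contoso.com", "Exchange Online", "Trusted HQ", True),
        SignIn("alice@contoso.com", "Exchange Online", "Trusted HQ", False),
        SignIn("carol@contoso.com", "SharePoint Online", "Home", False, "high", "high"),
        SignIn("breakglass@contoso.com", "Azure portal", "Trusted HQ", True),
    ):
        print(s.user, s.app, "->", evaluate(POLICIES, s))
```

The second sign-in is the case to watch when rolling out device-based policies: the user passes MFA but is still denied, because a compliant-device grant cannot be satisfied during the sign-in. Stage such policies in report-only mode and read the sign-in log's policy evaluation details before enforcing.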
PRIVILEGED IDENTITY MANAGEMENT (cloud-powered protection)
How time-limited activation of privileged roles works
• The security admin configures Privileged Identity Management: which admin profiles (Billing Admin, Global Admin, Service Admin) are eligible; users are read only until they activate
• Users need to activate their privileges to perform a task; identity verification (MFA) is enforced during the activation process
• Users will retain their privileges for a pre-configured amount of time
• Alerts inform administrators about out-of-band changes
• Security admins can discover all privileged identities, monitor and view audit reports and access reports, and review everyone who is eligible to activate via access reviews
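The point of PIM is that membership of Global Admin is a time-boxed event with an MFA gate and an audit record, not a standing state. The following is an added example (not PIM's implementation or its Graph API) that models the slide's flow end to end: an eligible assignment, an activation that is refused without MFA or a justification, a window clamped to the role's maximum, expiry without any deactivation step, and the check a security admin runs to find members who hold the role outside PIM, which is what the "out-of-band changes" alert is about. Users, roles, the four-hour maximum and the audit tuple format are constructed.

```python
"""Time-limited activation of a privileged role, in the style of Azure AD PIM.

Added example; this is not PIM's implementation or its Graph API. It models the
flow on the slide: eligible users activate a role with MFA for a fixed window,
each activation is audited, and a security admin can spot members who hold the
role outside PIM. Users, roles, durations and the audit format are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Activation:
    user: str
    role: str
    start: datetime
    end: datetime
    justification: str


class Pim:
    def __init__(self, max_hours: float = 4.0):
        self.max_duration = timedelta(hours=max_hours)   # assumed role setting
        self.eligible: Dict[str, Set[str]] = {}          # role -> eligible users
        self.activations: List[Activation] = []
        self.audit: List[Tuple[datetime, str, str, str]] = []   # (when, event, user, detail)

    def _log(self, when: datetime, event: str, user: str, detail: str) -> None:
        self.audit.append((when, event, user, detail))

    def make_eligible(self, role: str, user: str) -> None:
        """Eligible assignment: the user holds nothing until they activate."""
        self.eligible.setdefault(role, set()).add(user)

    def activate(self, role: str, user: str, now: datetime, mfa_verified: bool,
                 justification: str, hours: Optional[float] = None) -> Optional[Activation]:
        """Grant the role for a bounded window; every refusal is audited too."""
        if user not in self.eligible.get(role, set()):
            self._log(now, "DENY", user, f"{role}: not eligible")
            return None
        if not mfa_verified:
            self._log(now, "DENY", user, f"{role}: MFA required to activate")
            return None
        if not justification.strip():
            self._log(now, "DENY", user, f"{role}: justification required")
            return None
        wanted = self.max_duration if hours is None else timedelta(hours=hours)
        window = min(wanted, self.max_duration)          # clamp to the role's maximum
        act = Activation(user, role, now, now + window, justification)
        self.activations.append(act)
        self._log(now, "ACTIVATE", user, f"{role} until {act.end.isoformat()}")
        return act

    def is_active(self, role: str, user: str, now: datetime) -> bool:
        """True only inside an activation window; expiry needs no deactivation step."""
        return any(a.user == user and a.role == role and a.start <= now < a.end
                   for a in self.activations)

    def out_of_band_members(self, role: str, directory_members: Set[str],
                            now: datetime) -> List[str]:
        """Members the directory reports for the role who do not hold it via PIM.

        Such permanent assignments bypass MFA-on-activation and the time limit;
        this is the check behind the slide's alerts on out-of-band changes.
        """
        return sorted(m for m in directory_members if not self.is_active(role, m, now))


if __name__ == "__main__":
    pim = Pim(max_hours=4)
    pim.make_eligible("Global Administrator", "alice@contoso.com")
    t0 = datetime(2019, 12, 12, 9, 0)
    act = pim.activate("Global Administrator", "alice@contoso.com", t0, True,
                       "Ticket 4711: DKIM rollout", hours=8)   # asks for 8h, gets 4h
    print("active until", act.end)
    print("out of band:", pim.out_of_band_members(
        "Global Administrator", {"alice@contoso.com", "mallory@contoso.com"},
        t0 + timedelta(hours=1)))
```

The `out_of_band_members` comparison is the one worth automating against the real directory: a member that the role report lists but no current activation explains is either a forgotten permanent assignment or an attacker's persistence, and both should page someone.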
CLOUD-POWERED PROTECTION: Identity Protection at its best
• Risk severity calculation and remediation recommendations
• Risk-based conditional access automatically protects against suspicious logins and compromised credentials
• Gain insights from a consolidated view of machine learning based threat detection
Signals into the machine-learning engine: leaked credentials, infected devices, configuration vulnerabilities, brute force attacks, suspicious sign-in activities
Risk-based policies: MFA challenge on risky logins, block attacks, change bad credentials
Resources
• Cyber Security: The Small Business Best Practice Guide - https://www.asbfeo.gov.au/sites/default/files/documents/ASBFEO-cyber-security-research-report.pdf
• Australian Cyber Security Centre - https://www.cyber.gov.au/
• Office 365 Security and Compliance - https://docs.microsoft.com/en-us/office365/securitycompliance/
• Microsoft Trust Center - https://www.microsoft.com/en-us/trustcenter/security/office365-security
• Microsoft Secure Score - https://docs.microsoft.com/en-us/office365/securitycompliance/microsoft-secure-score
• Microsoft 365 for Partners Security - https://www.microsoft.com/microsoft-365/partners/security
• Partner Business Opportunity for Microsoft 365 Security and Compliance Solutions - https://o365pp.blob.core.windows.net/media/Resources/Partner%20TEI/Forrester%20TEI%20Partner%20Opportunity%20Study_Microsoft%20365%20SECURITY%20%2B%20COMPLIANCE.pdf
CIAOPS Resources
• Blog – http://blog.ciaops.com
• Free SharePoint Training via email – http://bit.ly/cia-gs-spo
• Free Office 365, Azure Administration newsletter – http://bit.ly/cia-o365-tech
• Free Office 365, Azure video tutorials – http://www.youtube.com/directorciaops
• Free documents, presentations, eBooks – http://slideshare.net/directorcia
• Office 365, Azure, Cloud podcast – http://ciaops.podbean.com
• Office 365, Azure online training courses – http://www.ciaopsacademy.com
• Office 365 and Azure community – http://www.ciaopspatron.com
Twitter
@directorcia
Facebook
https://www.facebook.com/ciaops
Email
director@ciaops.com
Skype for Business
admin@ciaops365.com
Get access to the latest information by becoming a Patron
http://www.ciaopspatron.com
That’s all folks!
Thanks for attending
