Defenders of the Galaxy - Protecting the (Cloud) galaxy from threats.
In today's cybersecurity galaxy, cybercriminal activity has become increasingly sophisticated. We need to work together in new ways to protect the cybersecurity of the planet.
In this session Matthew will discuss
• The threats we need to defend against
• The things in our galaxy that need protecting
• The Defender suite from Microsoft
• The Zero Trust architecture
You will learn 5 basic things you should be doing to protect yourself, and that you are not alone in this galaxy because you can leverage the Defender products from Microsoft to defend your world.
1. Matthew Levy (@skrods, Mattchatt.co.za)
Principal Architect at NBConsult, www.nbconsult.co
Enterprise Mobility MVP
Identity and Access (IAM) SME
M365 and Azure Security associate
Organizer – https://www.meetup.com/Cloud-Fridays/
3. What to expect
• The threats we need to defend against
• The things in our galaxy that need protecting
• The Defender suite from Microsoft
• The Zero Trust architecture
• 5 basic things you should be doing to protect your infrastructure
4. To protect the future we must understand the threats of the present.
Today's cybersecurity threats
6. Ransomware and extortion
• Ransomware and extortion is a high-profit, low-cost business which has a debilitating impact on targeted organizations, national security, economic security, and public health and safety.
• Ransomware attacks have evolved into human-operated ransomware, also known as “big game ransomware.”
7. Phishing and other malicious email
• Credentials belonging to unsuspecting victims could be obtained from phishing websites, from automatically scraping and parsing logs belonging to infected devices that record the keys typed on keyboards, or by guessing where credentials from one breached online service were reused on another
• Malware through password-protected archive files (zip etc.)
• BEC has proven to be the most financially impactful type of cybercrime
10. Malware
• Individualized malware techniques and actions.
• Fileless malware and evasive behaviour
• Now most malware families could potentially be classified as having botnet components or behaviors.
• Web shells remain popular with advanced persistent threat (APT) actors of all types, including NOBELIUM and HAFNIUM nation state activity groups.
11. “Forever” (blockchain) domains
• Some of the bigger threat actors on the internet have started utilizing blockchain domains as part of their infrastructure.
15. Azure Active Directory
• Endpoint & Server/VM
• Office 365 Email and Apps
• Cloud: Azure, AWS, GCP, On Premises & other 3rd party clouds
• Identity: Cloud & On-Premises
• SaaS: Cloud Apps
• Other Tools, Logs, & Data Sources
• + More: OT, IoT, SQL, and more
16. https://aka.ms/MCRA
Microsoft Cybersecurity Reference Architecture diagram (labels recovered from the slide): Azure Active Directory (B2B, B2C, Azure AD App Proxy, Beyond User VPN); Azure Key Vault; Azure Backup; GitHub Advanced Security – Secure development and software supply chain; Defender for Cloud – Cross-Platform Cloud Security Posture Management (CSPM); Microsoft Sentinel – Cloud Native SIEM, SOAR, and UEBA for IT, OT, and IoT; Security Documentation, Microsoft Best Practices, Top 10, Benchmarks, CAF, WAF; Security & Other Services (Discover, Protect, Classify, Monitor); protected estate: Endpoint & Server/VM, Office 365 Email and Apps, Cloud (Azure, AWS, GCP, On Premises & other 3rd party clouds), Identity (Cloud & On-Premises), SaaS Cloud Apps, Other Tools, Logs, & Data Sources, and more (OT, IoT, SQL).
20. Microsoft Zero Trust Principles
Verify explicitly: Always validate all available data points including
• User identity and location
• Device health
• Service or workload context
• Data classification
• Anomalies
Use least privilege access: To help secure both data and productivity, limit user access using
• Just-in-time (JIT)
• Just-enough-access (JEA)
• Risk-based adaptive policies
• Data protection against out of band vectors
Assume breach: Minimize blast radius for breaches and prevent lateral movement by
• Segmenting access by network, user, devices, and app awareness.
• Encrypting all sessions end to end.
• Using analytics for threat detection, posture visibility and improving defenses
21. Microsoft Zero Trust Capabilities
Pillars: Endpoints, Identities, Network, Applications, Infrastructure, Data
Capabilities: Microsoft Azure AD; Microsoft Defender for Identity; Microsoft Information Protection; Microsoft Defender for Cloud Apps; Microsoft Sentinel; Microsoft Defender; Microsoft Endpoint Manager; Posture Management: Microsoft Defender for Cloud
24. Closing
• The threats we need to defend against
• The things in our galaxy that need protecting
• The Defender suite from Microsoft
• M365 Defender Demo
• The Zero Trust principles
• 5 basic things you should be doing to protect your infrastructure
Principal Architect at NBConsult, www.nbconsult.co. Enterprise Mobility MVP. Identity and Access (IAM) SME. M365 and Azure Security associate.
I’ve been in the IT industry for 20+ years. Let’s just leave it at that, shall we?
Organizer – South African Azure UG, Cloud Fridays UG
Average prices of cybercrime services for sale. Attackers for hire start at $250 USD per job. Ransomware kits are $66 USD or 30% of the profit. Compromised devices start at 13 cents per PC and 82 cents per mobile device. Spear phishing for hire ranges from $100 to $1,000 USD. Stolen username and password pairs begin at 97 cents per 1000 on average.
Organizations now face an industrialized attacker economy with skill specialization and trading of illicit commodities. As seen in this snapshot of average prices, many commodities that can be purchased in the dark markets are very inexpensive, making attacks cheaper and easier to conduct (which also drives up attack volume).
These charts show the overall increase in ransomware encounters, with a notable surge in consumer and commercial encounters in late 2019, when RaaS started to grow, and in early 2020 at the onset of the COVID-19 pandemic.
Whether their goal is to phish credentials, redirect a wire transfer to their own bank account, or download malware onto a machine, attackers are most likely to utilize email as their initial entry vector for a campaign.
Attackers also use consent phishing to send users links that, if clicked, will grant the attacker access and permissions to applications, such as via the OAuth 2.0 authorization protocol.
BEC occurs when an attacker pretends to be a legitimate business account—utilizing either a compromised email address, a lookalike domain they have registered, or a free email service such as Hotmail or Gmail—and sends emails designed to trick recipients into taking some financial action.
sophisticated kits in which not only are victim credentials sent to the phishers running a phishing campaign, but they are also likely going back to the kit’s originating author or a sophisticated intermediary who has modified the kit with a hidden collection account before redistributing the kit.
While phishing has grown, malware and the cybercrime infrastructure that supports attacks has also continued to evolve.
Individualized malware - specific reconnaissance commands, processes being added to startup folders, scheduled task or registry alterations, and malicious process execution.
“Fileless” malware is malware that derives most of its components from system processes or legitimate tools already on a device, like Cobalt Strike utilizing process injection and in-memory execution.
The adaptation of blockchain technology has skyrocketed across many business verticals. In recent years, we have observed blockchain domains integrated into cybercriminal infrastructure and operations.
Unlike traditional domains that are purchased through internet registrars operating through the ICANN-regulated DNS system, blockchain domains are not governed by any centralized body, limiting the opportunity for abuse reporting and enforcement disruptions.
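Because blockchain names resolve outside the ICANN DNS, the one trace a defender usually still has is the resolver log: endpoints asking for names under decentralised top-level labels, or reaching those names through public ENS web gateways. The detection below is an added example, not material from the deck; the BIND-style log lines are constructed, and the TLD and gateway lists are assumptions to be tuned to your own environment and threat intel.

```python
"""Flag DNS lookups for blockchain-namespace domains in resolver query logs."""
import re
from collections import Counter

# Top-level labels of decentralised naming systems (ENS, Unstoppable Domains,
# Namecoin). Assumed set; the deck does not enumerate them.
BLOCKCHAIN_TLDS = {"eth", "crypto", "bit", "zil"}

# Public web gateways that proxy ENS names over ordinary DNS/HTTPS. Assumed
# list; a hit here is weaker evidence than a bare blockchain TLD.
ENS_GATEWAY_SUFFIXES = ("eth.link", "eth.limo")

# Matches the client/query portion of a BIND-style query-log record.
QUERY_RE = re.compile(
    r"client (?P<client>\d{1,3}(?:\.\d{1,3}){3})#\d+: "
    r"query: (?P<name>\S+) IN (?P<qtype>[A-Z]+)"
)


def classify(name: str):
    """Return a reason string if `name` points into a blockchain namespace."""
    fqdn = name.lower().rstrip(".")          # normalise case and trailing dot
    labels = fqdn.split(".")
    if len(labels) < 2:
        return None                          # single label: not a domain hit
    if labels[-1] in BLOCKCHAIN_TLDS:
        return "blockchain-tld"
    if any(fqdn.endswith("." + s) for s in ENS_GATEWAY_SUFFIXES):
        return "ens-gateway"
    return None


def scan(lines):
    """Parse query-log lines; return (list of hits, Counter of hits per client)."""
    hits, per_client = [], Counter()
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue                         # not a query record; skip quietly
        reason = classify(m["name"])
        if reason:
            hits.append({"client": m["client"], "name": m["name"],
                         "qtype": m["qtype"], "reason": reason})
            per_client[m["client"]] += 1
    return hits, per_client


# Constructed sample records (not real traffic); names are invented.
SAMPLE_LOG = [
    "03-Mar-2023 10:15:02.101 client 10.0.0.5#51234: query: mail.example.com IN A + (10.0.0.2)",
    "03-Mar-2023 10:15:03.407 client 10.0.0.7#40001: query: update-svc.eth IN A + (10.0.0.2)",
    "03-Mar-2023 10:15:03.912 client 10.0.0.7#40002: query: cfg.update-svc.crypto IN TXT + (10.0.0.2)",
    "03-Mar-2023 10:15:05.220 client 10.0.0.9#53311: query: docs.eth.limo. IN A + (10.0.0.2)",
    "03-Mar-2023 10:15:06.003 client 10.0.0.5#51235: query: www.microsoft.com IN A + (10.0.0.2)",
    "03-Mar-2023 10:15:06.500 client 10.0.0.5#51236: query: eth IN A + (10.0.0.2)",
]

if __name__ == "__main__":
    found, counts = scan(SAMPLE_LOG)
    for h in found:
        print(f"{h['client']:<10} {h['reason']:<15} {h['name']} ({h['qtype']})")
    print("hits per client:", dict(counts))
```

A client with repeated bare-TLD hits is worth triaging with the endpoint telemetry from the process that issued the query.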
Machine learning (ML) is an artificial intelligence (AI) technique that can be used in numerous applications, including cybersecurity. In responsible ML innovation, data scientists and developers build, train, and deploy ML models to understand, protect, and control data and processes to build trusted solutions. However, adversaries can attack these ML-driven systems. The methods underpinning the production ML systems are systematically vulnerable to a new class of vulnerabilities across the ML supply chain collectively known as “adversarial ML.”
Microsoft Sentinel is a cloud-native SIEM tool; Microsoft 365 Defender provides XDR capabilities for end-user environments (email, documents, identity, apps, and endpoint); and Microsoft Defender for Cloud provides XDR capabilities for infrastructure and multi-cloud platforms including virtual machines, databases, containers, and IoT.
Licensing requirements
Any of these licenses gives you access to Microsoft 365 Defender features via the Microsoft 365 Defender portal without additional cost:
Microsoft 365 E5 or A5
Microsoft 365 E3 with the Microsoft 365 E5 Security add-on
Microsoft 365 E3 with the Enterprise Mobility + Security E5 add-on
Microsoft 365 A3 with the Microsoft 365 A5 Security add-on
Windows 10 Enterprise E5 or A5
Windows 11 Enterprise E5 or A5
Enterprise Mobility + Security (EMS) E5 or A5
Office 365 E5 or A5
Microsoft Defender for Endpoint
Microsoft Defender for Identity
Microsoft Defender for Cloud Apps
Defender for Office 365 (Plan 2)
These are Microsoft’s Zero Trust Principles
Key Takeaway: Use these resources to learn more about Zero Trust and how Microsoft capabilities can enable it (often using technology that’s already deployed)
Protect against 98% of attacks by utilizing antimalware, applying least privilege access, enabling multifactor authentication, keeping versions up to date, and protecting data. The remaining 2% of the bell curve includes outlier attacks.
How does Ransomware work:
First, cybercriminals will gain access to the victim’s network through phishing, a stolen password, or through an unpatched software vulnerability. Then, the cybercriminals will seek to move laterally within the network to obtain higher level privileges, such as those held by the victim’s IT Administrator, to access the entire network. Cybercriminals will then conduct reconnaissance within the victim’s network, looking for critical systems and sensitive data, in some cases stealing this data, to facilitate an effective ransom demand. Finally, the cybercriminals will leverage this information to install the ransomware on the network that will lock the victim’s files until the ransom is paid.
Once the criminal actor installs the ransomware and uses it to lock the victim’s system, the victim will have access only to a ransom note. The ransom note provides instructions to the victim on how to communicate with the criminal actor.
The example here depicts a negotiation chat with a public school district in which the criminals attempt to extort cash in exchange for a key to unlock the ransomware deployed on its network. The interaction demonstrates the research performed by the criminal in advance of the negotiation, as the criminal actor explained that they had
“examined all financial documents, bank statements for the last year, insurance. And came to the conclusion that you are exaggerating about poor financial condition. We also calculated your possible losses from lawsuits from both your staff and your students for the leakage of their personal data. These fines will exceed $30 million. We are not talking about the loss of reputation, which in our opinion costs more.”
Key Takeaway: These are the organizational functions required to manage information security risk and some insights on how it is changing
Security Leadership includes guiding the organizational culture as well as the authoring or approving of policy and standards. This should be aligned to the mission and risk appetite of the organization, focus on both enabling productivity and securing assets (carefully balancing those when required), and staying agile to meet the continuously evolving environment.
Note: Security Leadership is often supported by a program management office to drive large/complex programs and measure success (sometimes within the security organization, sometimes provided by another internal group).
Organizational policy and standards should inform and be informed by both security architecture and compliance requirements. The policy should be designed to meet the organization’s risk appetite and incorporate
Regulatory compliance requirements and current compliance status (requirements met, risks accepted, etc.)
Architectural assessment of current state and what is technically possible to design, implement, and enforce
The Security Architecture and Compliance requirements are then designed and implemented in the production environment by specialized security skillsets for each area, including people, applications and data, infrastructure and endpoint, Identity & Keys, and Operational Technology (who also provide feedback to improve them). The technical implementation in these environments is often performed by the IT and OT teams (or application/identity teams) that are responsible for all other aspects of their operation. The People security functions often work through teams like Human Resources and User Education/Training to integrate with their processes.
The Security Operations functions (sometimes called a security operations center (SOC)) are responsible for responding to and managing incidents detected through both reactive means and proactive threat hunting. Organizations should also have an incident preparation capability to conduct practice exercises that build organizational muscle memory for major incidents and incorporate real world risk scenarios.
Threat Intelligence acts as a kind of nervous system for the organization, gleaning learnings from previous incidents in the organization and from others in the community and informing the various stakeholders within security. This is analogous to the problem management discipline in ITIL that ensures active learning is applied through a feedback process. While this function often starts with tactical level technical insights, it should grow and mature to provide strategic insights for security leadership and business leadership over time.
This function is particularly important in cybersecurity because of the speed at which attackers change tactics and the need to provide insights to different levels of the organization in order to effectively manage cybersecurity risk.
Posture Management is an emerging discipline that has long been envisioned as “continuous monitoring” but has only recently become practical as cloud-based security technology has matured. This includes several components that enable organizations to rapidly discover and mitigate risk in a complex environment that is constantly changing.
Zero Trust Policy Enforcement – via Azure AD conditional access (or 3rd party capabilities)
Real Time Risk Discovery and Scoring – via Secure Score, compliance score, Defender for Cloud Apps sharing risks, and similar
Real time context enrichment – via threat and vulnerability management integration with incident investigations in M365 defender
While this builds on existing disciplines like vulnerability management, assigning this function challenges norms for the organization because
It crosses technology boundaries (often managed by separate teams)
It connects traditionally separate functions together in real time (e.g. security operations, compliance, and architecture/engineering) that often have limited interactions
It instantly surfaces configuration issues that were previously only found during audits, penetration tests, and special assessments
While the long-term placement of this function isn’t yet clear, we are seeing an early trend emerge where this function is hosted in the program management office (PMO) because of these factors.
As the mechanisms to manage compliance with external and internal requirements will use the same or similar cloud-based tooling over time, we expect this discipline to become closer to (and potentially merge with) compliance monitoring and reporting functions.
Key Takeaway: This shows how security roles map to business outcome enablement
Business and technology outcomes are traditionally driven using a plan/build/run framework (which is becoming increasingly agile for digital transformation with rapid iteration through all stages)
Security Outcomes are driven through a similar framework of governance, prevention and response that maps to that framework. This also maps to the NIST Cybersecurity framework of identify, protect, detect, respond, and recover functions.
Leadership
Security Leadership Roles and Security Architect Roles provide vision, guidance, and coordination across the organization and technical estate
Governance
Security Posture and Compliance Roles focus on identifying security risks across the enterprise and work with subject matter experts to ensure the top risks are mitigated. The responsibility of these roles typically includes Security Compliance Management, Policy and Standards, and Posture management
Prevention
Platform Security Engineers are security subject matter experts (SMEs) that focus on enterprise-wide systems like identity and key management, and various infrastructure and endpoint disciplines like Network security, Server/VM security, and Client endpoints/devices.
App Security Engineers are security SMEs that focus on securing individual workloads and applications, often as they are developed. These responsibilities include per-workload application of infrastructure and endpoint skills as well as application security & DevSecOps and Data security. We expect that demand will continue to increase for these skillsets as digital transformation increases adoption of Cloud technology, DevOps/DevSecOps models, and Infrastructure as Code approaches.
People Security is an emerging discipline that focuses on educating people, protecting them, and protecting the organization against insider risks.
Response
The operational phase is executed by a combination of operations teams who are responsible for the production environments (IT & OT Operations, DevOps) + Security Operations teams.
Security Operations typically focuses on reactive Incident monitoring & response and proactive Threat Hunting for adversaries that slipped past detections. Threat Intelligence and Incident preparation functions are often incubated in security operations, but then shift to a broader scope as they mature and become integrated into technology and organizational processes.
Creating a healthy Feedback loop is critical to effectiveness in all parts of security (and in maturing security processes).
We expect the relationship between prevention and response to continue to get closer as teams increasingly automate technical processes and adopt DevOps style processes focused on rapid agile iteration.
Additional Information
NIST Cybersecurity Framework - https://www.nist.gov/cyberframework
Key Takeaway – This is a summary of Microsoft’s current multi-cloud and cross-platform capabilities
Endpoint and Cloud Management
Microsoft’s cross-platform/cloud security starts with endpoints and cloud visibility and control:
Endpoint management across Mac, Android, iOS, and Windows operating systems
Cloud Security Posture Management (CSPM) that provides insight across your multi-cloud and on-premises datacenter estate as well as Cloud Workload Protection capabilities (aka CWPP)
SIEM and XDR Strategy
Microsoft provides integrated capabilities for the Security Operations / SOC to get the broad and deep visibility needed to rapidly detect, hunt for, respond to, and recover from threats across clouds and platforms:
Broad – Security Information and Event Management (SIEM) – Microsoft Sentinel ingests any logs from any source, correlates them, and reasons over them with machine learning (ML) and user and entity behavioral analytics (UEBA), and automates response with Security Orchestration, Automation and Response (SOAR)
Deep - Extended Detection and Response (XDR) – capabilities provide detection and response capabilities tailored to the specific assets to provide high quality alerts (low false positive rate) to reduce the burden on SOC analysts to write alert queries and handle false positives for endpoint, cloud and on-premises identity, email, Office 365, Azure services, and more.
Infrastructure XDR
Microsoft Defender for Cloud is the XDR for Azure services including servers/VMs, App Services, Storage, SQL, Kubernetes, container registries, DNS, and more.
Azure Arc extends Microsoft Defender for Cloud to AWS, GCP, and on-premises resources by projecting those resources into Azure objects, enabling management and security of those resources
Microsoft Defender for IoT (and OT) provides threat detection and response capabilities for Operational Technology (OT) devices like SCADA, ICS, and industrial IoT (IIoT)
This can be run in offline mode for security isolation or in online mode where it integrates natively with playbooks and more in Microsoft Sentinel.
Productivity and Identity XDR
Microsoft 365 Defender provides an extensive library of pre-built investigation and response automation (SOAR) capabilities, Data Loss Protection (DLP) capabilities, Web Content Filtering, integrated Threat and Vulnerability Management, and more.
Identity Enablement and Security
Azure Active Directory provides comprehensive solutions for
Identity Enablement – for employees, partners (B2B), and customers/clients/citizens (B2C) across any platform or cloud
Identity Security – for those scenarios with Zero Trust access control that explicitly verifies trustworthiness of devices (via XDR) and users via native UEBA, Threat Intelligence, and analytics.
Information Protection
Microsoft Information Protection and Azure Purview provide a full lifecycle approach to discovering, classifying, protecting, and monitoring structured and unstructured data as your organization generates and leverages more data and insights to drive mission completion and competitive advantage.