MS. Cybersecurity Reference Architecture

Microsoft Cybersecurity
Reference Architectures
(MCRA)
End to End Security Architecture
following Zero Trust principles
N
Adoption Framework

You are here
Adoption Framework

• Overview of Security Adoption Framework and
End to End Cybersecurity Architecture
• End to End Security: Consider the whole problem
• Ruthlessly Prioritize: Identify top gaps + quick wins
• Get started: Start somewhere & continuously improve
• Antipatterns and best practices
• Guiding Rules and Laws for security
• Diagrams and references
Applying Zero Trust principles
Top End to End Security Challenges
• Incomplete or network-centric architectures
aren’t agile & can’t keep up with continuous
change (security threats, technology platform,
and business requirements)
• Challenges with
• Creating integrated end to end architecture
• Integrating security technologies
• Planning and prioritizing security
modernization initiatives
MCRA is a subset of the full Security
Architecture Design Session (ADS)
module 1 workshop:
Adoption Framework

Whiteboard – Current Security Architecture
What types of attacks and
adversaries are top of mind?

CISO Workshop
Security Program and Strategy
End-to-end Security Program Guidance + Integration with Digital & Cloud Transformation Teams
Module 2 – Secure Identities and Access
Module 3 – Modern Security Operations (SecOps/SOC)
Module 4 – Infrastructure & Development Security
Module 5 – Data Security & Governance, Risk, Compliance (GRC)
Module 6 – IoT and OT Security
Security Architecture Design Session
Module 1 – Zero Trust Architecture and
Ransomware
Strategic Framework
Infrastructure and Development
Data Security & Governance, Risk, Compliance (GRC)
OT and IoT Security
Security Adoption Framework
Align security to business scenarios using initiatives that progressively get closer to full ‘Zero Trust’
Secure Identities and Access
1. Strategic Framework
End to End Strategy, Architecture,
and Operating Model
1 - I want people to do their job
securely from anywhere
2 - I want to minimize business
damage from security incidents
3 - I want to identify and protect
critical business assets
4 - I want to proactively meet
regulatory requirements
5 - I want to have confidence in my
security posture and programs
Business Scenarios
Guiding North Star
Modern Security Operations
2. Strategic initiatives
Clearly defined architecture and
implementation plans
Security Hygiene: Backup and Patching

Implementation
Architects & Technical Managers
CIO
Technical Leadership
CISO
Business Leadership
CEO
Security Strategy and Program
Zero Trust Architecture
Reduce risk by rapidly modernizing security capabilities and practices
Business and
Security
Integration
Implementation
and Operation
Technical Planning
Architecture and
Policy
Security Strategy,
Programs, and
Epics
Securing Digital
Transformation
Secure
Identities and
Access
Modern
Security
Operations
(SecOps/SOC)
Infrastructure &
Development
Security
Data Security
& Governance
IoT and OT
Security
Microsoft Cybersecurity Reference Architectures (MCRA)
Assess current plans, configurations, and operations for Microsoft security capabilities
> > > > > > > > > > > > > >
Engaging Business
Leaders on Security
Includes
Reference Plans

Common Security Antipatterns - Technical Architecture
Common mistakes that impede security effectiveness and increase organizational risk
Securing cloud like on premises
Attempting to force on-prem controls and
practices directly onto cloud resources
Lack of commitment to lifecycle
Treating security controls and processes as
points in time instead of an ongoing lifecycle
Wasting resources on legacy
Legacy system maintenance and costs draining
ability to effectively secure business assets
Disconnected security approach
Independent security teams, strategies, tech,
and processes for network, identity, devices, etc.
Skipping basic maintenance
Skipping backups, disaster recovery exercises,
and software updates/patching on assets
Artisan Security
Focused on custom manual solutions instead of
automation and off the shelf tooling
Best Practices
Develop and implement an end to end technical security
strategy focused on durable capabilities and Zero Trust
Principles
This workshop helps you define and rapidly improve on best
practices across security including:
• Asset-centric security aligned to business priorities &
technical estate (beyond network perimeter)
• Consistent principle-driven approach throughout security
lifecycle
• Pragmatic prioritization based on attacker motivations,
behavior, and return on investment
• Balance investments between innovation and rigorous
application of security maintenance/hygiene
• ‘Configure before customize’ approach that embraces
automation, innovation, and continuous improvement
• Security is a team sport across security, technology, and
business teams

Improving Resiliency
Enable business mission while continuously increasing security assurances
IDENTIFY PROTECT DETECT RESPOND RECOVER
GOVERN
‘Left of Bang’
Prevent or lessen impact of attacks
‘Right of Bang’
Rapidly and effectively manage attacks
NIST Cybersecurity Framework v2
The job will never be ‘done’ or ‘perfect’, but it’s
important to keep doing (like cleaning a house)

Security Posture Management
End to End Security
Enable business mission and increasing security assurances with intentional approach
IDENTIFY PROTECT DETECT RESPOND RECOVER
GOVERN
‘Left of Bang’
Prevent or lessen impact of attacks
‘Right of Bang’
Rapidly and effectively manage attacks
Infrastructure & Development Security
IoT and OT Security
Modern Security Operations (SecOps/SOC)
Data Security & Governance

Defenders must focus on
A. Strong security controls + effective placement
B. Rapid response to attacks
C. Continuously testing & monitoring controls

Phishing email to admin
Looks like they have
NGFW, IDS/IPS, and DLP
I bet their admins
1. Check email from
admin workstations
2. Click on links for
higher paying jobs
Low
Found passwords.xls
Now, let’s see if admins save
service account passwords
in a spreadsheet…
High

Replace password.xls ‘process’ with
• PIM/PAM
• Workload identities
Sensitive Data Protection & Monitoring
• Discover business critical assets with business, technology, and
security teams
• Increase security protections and monitoring processes
• Encrypt data with Azure Information Protection
Modernize Security Operations
• Add XDR for identity, endpoint (EDR),
cloud apps, and other paths
• Train SecOps analysts on endpoints and
identity authentication flows
Protect Privileged Accounts
Require separate accounts for Admins
and enforce MFA/passwordless
Privileged Access Workstations (PAWs)
+ enforce with Conditional Access
Rigorous Security Hygiene
• Rapid Patching
• Secure Configuration
• Secure Operational Practices

Security is complex and challenging
Infrastructure
Application
Data
People
Attackers have a lot of options
 Forcing security into a holistic
complex approach
 Regulatory Sprawl - 200+ daily updates from 750 regulatory bodies
 Threats – Continuously changing threat landscape
 Security Tools – dozens or hundreds of tools at customers
Must secure across everything
 Brand New - IoT, DevOps, and Cloud services, devices and products
 Current/Aging - 5-25 year old enterprise IT servers, products, etc.
 Legacy/Ancient - 30+ year old Operational Technology (OT) systems
Nothing gets retired!
Usually for fear of breaking
something (& getting blamed)
Hybrid of Everything, Everywhere, All at Once
‘Data swamp’ accumulates
managed data + unmanaged ‘dark’ data

Security is the opposite of productivity Business Enablement
Align security to the organization’s mission, priorities, risks, and processes
Assume Compromise
Continuously reduce blast radius and attack surface through prevention and detection/response/recovery
All attacks can be prevented
Shift to Asset-Centric Security Strategy
Revisit how to do access control, security operations, infrastructure and development security, and more
Explicitly Validate Account Security
Require MFA and analyze all user sessions with behavior analytics, threat intelligence, and more
Network security perimeter will keep attackers out
Passwords are strong enough
IT Admins are safe
IT Infrastructure is safe
Goal: Zero Assumed Trust
Reduce risk by finding and removing implicit assumptions of trust
Developers always write secure code
The software and components we use are secure
Plan and Execute Privileged Access Strategy
Establish security of accounts, workstations, and other privileged entities (aka.ms/spa)
Validate Infrastructure Integrity
Explicitly validate trust of operating systems, applications, services accounts, and more
Integrate security into development process
Security education, issue detection and mitigation, response, and more
Supply chain security
Validate the integrity of software and hardware components from open source. vendors, and others
False Assumptions
of implicit or explicit trust
Zero Trust Mitigation
Systematically Build & Measure Trust
With 30+ years of backlog at most organizations, it will
take a while to burn down the backlog of assumed trust

Zero Trust Security Architecture
End to End Prioritized Execution + Continuous Improvement
OBSERVE, ORIENT
DECIDE
ACT
Disrupt attacker return
on investment (ROI)
Leverage reference plans
and architectures
Security is complex
and challenging
Resilience required
across the lifecycle
Prioritize backlog of
trust assumptions
Microsoft Security
Adoption Framework

Zero Trust Commandments
Requirements that represent best practices for a Zero Trust Architecture
(ZTA) and transformation. (The Open Group Standard)
Usage: General planning + Testing whether something is ‘Zero Trust’ or
not
10 Laws of Cybersecurity Risk
Key truths about managing security risk that bust common myths.
Usage: Ensuring security strategy, controls, and risk are managed with
realistic understanding of how attacks, humans, and technology work
Immutable Laws of Security
Key truths about security claims and controls that bust common myths.
Usage: Validating design of security controls, systems, and processes to
ensure they are technically sound

End to End Security Architecture
Diagrams & References
Microsoft Security Capabilities
Zero Trust Adaptive Access
Build Slide
People
Infrastructure
Security Operations
Operational Technology (OT)
Threat Environment
Attack Chain
Coverage
aka.ms/MCRA | aka.ms/MCRA-videos | December 2023
Multi-Cloud &
Cross-Platform
Microsoft 365 E5
Journey
Role Mapping
Zero Trust
Development / DevSecOps
Cybersecurity Reference Architectures
Patch
Modernization
Privileged Access
Device Types
Artificial Intelligence
(AI) and Security

Secure Identities and Access Modern Security Operations
(SecOps/SOC)
Infrastructure & Development
Security
Reduce risk by rapidly modernizing security capabilities and practices
Business and
Security
Integration
Implementation
and Operation
Technical Planning
Architecture and
Policy
Security Strategy,
Programs, and
Epics
Securing Digital
Transformation
Microsoft Cybersecurity Reference Architectures (MCRA)
Engaging Business
Leaders on Security
Includes
Reference Plans

End to End Strategy
and Planning
Product Adoption
2-3 days
Where do you want to Start?
There’s no wrong place to start 
Plan and Execute
Initiatives
Modern Security Operations (SecOps/SOC)
Infrastructure & Development Security
Topic
Summary
Full
workshop
4 hours
MCRA
CISO Workshop
2-3 days
2-3 days
4 hours
4 hours
4 hours

Let’s get next steps locked in
Capture actions and who follows up on them
# Next Step Point of Contact
1
2
3
4
5

aka.ms/saf
Security Resources
Security Documentation
aka.ms/SecurityDocs
• CISO Workshop – aka.ms/CISOworkshop | -videos
• Cloud Adoption Framework (CAF) – aka.ms/cafsecure
• Driving Business Outcomes Using Zero Trust
▪ Rapidly modernize your security posture for Zero Trust
▪ Secure remote and hybrid work with Zero Trust
▪ Identify and protect sensitive business data with Zero Trust
▪ Meet regulatory and compliance requirements with Zero Trust
Zero Trust
Architecture
• Microsoft Cybersecurity Reference Architectures (MCRA) - aka.ms/MCRA | -videos
• Zero Trust Deployment Guidance - aka.ms/ztguide | aka.ms/ztramp
• Ransomware and Extortion Mitigation - aka.ms/humanoperated
• Backup and restore plan to protect against ransomware - aka.ms/backup
Secure Identities and
Access
Modern Security
Operations (SecOps/SOC)
Infrastructure &
Development Security
Data Security &
Governance
IoT and OT Security
Product Capabilities
www.microsoft.com/security/business
• Security Product Documentation
Azure | Microsoft 365
Microsoft Security Response Center (MSRC)
www.microsoft.com/en-us/msrc
• Microsoft Cloud Security
Benchmark (MCSB)
aka.ms/benchmarkdocs
• Well Architected Framework (WAF)
aka.ms/wafsecure
• Azure Security Top 10
aka.ms/azuresecuritytop10
• Ninja Training
• Defender for Cloud
• MCRA Video
• Infrastructure Security
• Defender for Cloud Documentation
• Securing Privileged Access (SPA)
Guidance
aka.ms/SPA
• Access Control Discipline
• Ninja Training
• Microsoft Defender for Identity
aka.ms/mdininja
• MCRA Video
• Zero Trust User Access
• Microsoft Entra Documentation
aka.ms/entradocs
• Incident Response - aka.ms/IR
• CDOC Case Study - aka.ms/ITSOC
• Ninja Training
• Microsoft 365 Defender
aka.ms/m365dninja
• Microsoft Defender for Office 365
aka.ms/mdoninja
• Microsoft Defender for Endpoint
aka.ms/mdeninja
• Microsoft Cloud App Security
aka.ms/mcasninja
• Microsoft Sentinel
• MCRA Videos
• Security Operations
• SecOps Integration
• Secure data with Zero Trust
• Ninja Training
• Microsoft Purview Information Protection
aka.ms/MIPNinja
• Microsoft Purview Data Loss Prevention
aka.ms/DLPNinja
• Insider Risk Management
• Microsoft Purview Documentation
aka.ms/purviewdocs
• Ninja Training
• Defender for IoT Training
• MCRA Videos
• MCRA Video OT & IIoT Security
• Defender for IoT Documentation
aka.ms/D4IoTDocs

Key Industry References and Resources
Zero Trust Commandments - https://pubs.opengroup.org/security/zero-trust-commandments/
Zero Trust Reference Model - https://publications.opengroup.org/security-library
Security Principles for Architecture - https://publications.opengroup.org/security-library
Cybersecurity Framework - https://www.nist.gov/cyberframework
Zero Trust Architecture - https://www.nist.gov/publications/zero-trust-architecture
NCCoE Zero Trust Project - https://www.nccoe.nist.gov/projects/implementing-zero-trust-architecture
Secure Software Development Framework (SSDF) - https://csrc.nist.gov/pubs/sp/800/218/final
Zero Trust Maturity Model - https://www.cisa.gov/zero-trust-maturity-model
CIS Benchmarks – https://www.cisecurity.org/cis-benchmarks/

Infrastructure &
IoT and OT
Security
Modern Security
Data Security &
Governance
Security Modernization with Zero Trust Principles
Secure Identities
and Access
Business Enablement
Align security to the organization’s
mission, priorities, risks, and processes
Assume Breach (Assume Compromise)
Assume attackers can and will successfully attack anything (identity, network, device,
app, infrastructure, etc.) and plan accordingly
Verify Explicitly
Protect assets against attacker control by explicitly validating that all trust and security
decisions use all relevant available information and telemetry.
Use least-privilege access
Limit access of a potentially compromised asset, typically with just-in-time and just-
enough-access (JIT/JEA) and risk-based polices like adaptive access control.

Zero Trust Principles
Use least privilege access
Limit access of a potentially compromised
asset, typically with just-in-time and just-
enough-access (JIT/JEA) and risk-based polices
like adaptive access control.
 Reduce “blast radius“ of compromises
 Reduces “attack surface” of each asset
 Transforms from “defend the network” to “enable secure productivity on any network”
Asset/Node = account, app, device,
VM, container, data, API, etc.
Verify explicitly
Protect assets against attacker control by
explicitly validating that all trust and security
decisions use all relevant available information
and telemetry.
Business Enablement
Align security to the organization’s mission, priorities, risks, and processes
Assume Breach (Assume Compromise)
Assume attackers can and will successfully attack anything (identity, network, device, app, infrastructure, etc.) and plan accordingly

Assume breach | Explicitly Verify | Least privileged
Access Control
Security Operations
Asset Protection
Innovation Security
Security Governance
Dependency/impact analysis
backups, service accounts and privileges that
control other systems/services, etc.
Apply Zero Trust principles
Key changes across security disciplines
Asset-centric protections
Automated threat response
Asset–centric detection and
response (XDR)
End to end visibility (SIEM)
Threat modelling
All elements informed by threat and business intelligence,
assisted by security engineering/automation
Posture Management
Continuous improvement of security posture and
standards/policies
Classify assets and apply controls per asset
type and classification (CA policies, encryption,
monitoring, detection, response etc.)
Hygiene Remediation
Patching, configuration, process updates, etc.
Enablement
Continuous Monitoring
of security posture
Adaptive Access
Risk-based polices Always make security decisions using all available data points, including
identity, location, device health, resource, data classification, and anomalies.
Just-in-time & Just-enough-access (JIT/JEA)
Cloud Infrastructure Entitlement
Management (CIEM)
Micro-segmentation
Least Privileged
Reduce blast radius both
proactive and reactively
Verify Explicitly
Reduce attack surface
and exposure to risk
Assume Compromise
General strategy shift from
‘assume safe network’
Security Disciplines
Privileged Access
Workstations (PAWs)
For SOC Analysts, IT Admins,
and business critical assets
Secure Access
Service Edge (SASE)
DevSecOps and CI/CD process integration
of best practices (Static and dynamic analysis, etc.)
Business Enablement

Key Industry Collaborations
The Open Group
Focused on integration
with business and
IT/Enterprise/Security
architecture
US National Institute of
Standards and
Technology (NIST)
Focused on architecture
and implementation with
available technology
Many organizations are contributing valuable perspectives and guidance like the Cybersecurity and
Infrastructure Security Agency (CISA), Cloud Security Alliance (CSA), and some technology vendors

Key Zero Trust Models and Architectures
Focused on integration with business
and IT/Enterprise/Security architecture Focused on architecture and
implementation with available technology

Key Zero Trust Capabilities
Increase security and flexibility for continuously changing business, technology, threats, and regulations
Posture Management – continuous improvement of attack prevention measures
Asset-Centric Protection
(Data-Centric & System-Centric)
Risk Controls - establish overall security framework based on organizational risk
Asset-Centric Security Operations – rapid and complete detection, response, and recovery from attacks
Digital Ecosystems
Data/Information
Apps & Systems
Security Zones
Adaptive
Access Control
• Centralized policy control
• Distributed enforcement
Digital Identity
Decentralized portable identities
Zero Trust Governance – continuous monitoring and audit on demand to meet risk and compliance
Security
Zones
Asset Centricity - foundational capability to identify, classify, and maintain the asset

Digital Ecosystems
Zero Trust Components
Data/Information
Apps & Systems
Security Zones
Distributed Policy
Enforcement Points (PEPs)

Asset Protection
Classification, Protection, Tokenization
Digital Ecosystems
Microsoft Security Capability Mapping
The Open Group Zero Trust Components
Rapid Threat Detection, Response, and Recovery
Asset-Centric
Security Operations
Governance
Visibility and Policy
Data/Information
Apps & Systems
Security Zones
Access Control
Identity and Network - Multi-factor Authentication
Innovation
Security
Microsoft Entra
Conditional Access
Defender for Endpoint
Endpoint Detection and
Response (EDR)
Intune
Device Management
Microsoft Sentinel
• Security Information and Event
Management (SIEM)
• Security Orchestration, Automation, and
Response (SOAR)
Microsoft Defender
Defender for Identity Defender for Cloud
Defender for Cloud Apps
Defender for Endpoint Defender for Office 365
Security telemetry from across the environment
Microsoft
Purview
65+ Trillion signals per
day of security context
Microsoft Entra
Conditional Access
Azure Firewall (Illumio partnership)
Defender for
APIs (preview)
GitHub Advanced Security
& Azure DevOps Security
Secure development and
software supply chain
Entra Internet Access
Entra Private Access
Defender for Cloud
Azure Arc
Microsoft Purview
Microsoft Priva
Distributed Policy
Enforcement Points (PEPs)
Microsoft Entra ID
Entra ID Governance
ID Protection
Workload ID
Defender for Identity

Zero Trust Architecture (ZTA)
Security Analytics
Data Security
Endpoint
Security
User
Device
Mobile
Device
Device
(with SDP Client)
ICAM
IDENTITY
• User
• Device
ACCESS & CREDENTIALS
• Management
• Authentication
(SSO/MFA)
• Authorization
FEDERATION GOVERNANCE
PE/PA
POLICY
Evaluate Access
PEP
GRANT ACCESS
(Micro-
segmentation)
GRANT ACCESS
(SDP)
Protected Resources
CLOUD
APPS & WORKLOADS
ON-PREM
APPS & WORKLOADS
(File Share, Database, Storage, Apps)
SDP (example: TLS Tunnel)

Protected Resources
Data
Security
Security Analytics
Identity
• User
• Device
Access &
Credential Mgmt.
• Authentication
• Authorization
Identity, Credentials, and Access
Management (ICAM)
Federation Governance
Secure Admin
Workstations
Virtual Desktops
Policy Enforcement / Admin (PE/PA)
Data Loss
Prevention
(DLP)
Document
Protection
Office
365
Cloud Infra
SQL DB/Files
Policy
Determine Access
Endpoint Security
Devices
Devices w/
SDP
User
Mobile
Device
Grant Access
Intune
Entra Azure Virtual
Desktop
Windows 365
Cloud Apps
Workloads
Purview
DLP
Purview
Information
Protection
Purview
Mobile App
Mgmt
Defender for
Cloud Apps Information
Protection
Intune Defender
for Cloud
Microsoft Zero Trust Capability Mapping
Key
NIST Sub-Area
• Sub-Area
NIST Area
Microsoft 365
Defender for
Cloud Apps
Entra Permissions
Management
Defender for Cloud
Microsoft Cloud
Security Benchmark
Defender for Office
365
3P SaaS
Azure IaaS
Azure Arc
Defender
for Identity
Intune
VPN Backend Connector
Azure
Automanage
Connector
Microsoft Entra
Conditional Access
Global Secure
Access client
Intune
Device Management
Microsoft Service
Response (EDR)
Microsoft Sentinel
Management (SIEM)
• Security Orchestration, Automation, and
Response (SOAR)
Microsoft Defender XDR
Purview Azure Arc
Apps
Information
Protection Scanner
Defender Application Guard
Infrastructure & Access
ON-PREM APPS & WORKLOADS
Data
Database Storage
File share
CLOUD APPS & WORKLOADS
Implemented in NCCoE lab
(Summer 2023)
Security telemetry from across the environment
Entra ID
Entra ID Governance
Grant Access
Software Defined Perimeter(SDP)
Policy Enforcement Point (PEP)
Entra ID
Conditional
Access
Feedback mechanisms enable
continuous improvement

Zero Trust Policies
Evaluation
Enforcement
Threat Protection
Continuous Assessment
Threat Intelligence
Forensics
Response Automation
Identities
Human
Non-human
Endpoints
Corporate
Personal
Public
Private
Network
Apps
SaaS
On-premises
Data
Emails & documents
Structured data
Strong
authentication
Device
compliance
Risk
assessment
Traffic filtering
& segmentation
(as available)
Request
enhancement
Telemetry/analytics/assessment
JIT & Version Control
Runtime
control
Adaptive
Access
Classify,
label,
encrypt
Policy Optimization
Governance
Compliance
Security Posture Assessment
Productivity Optimization
Infrastructure
Serverless
Containers
IaaS
Paas
Internal Sites
Zero Trust
architecture

Zero Trust Policies
Evaluation
Enforcement
Threat Protection
Continuous Assessment
Threat Intelligence
Forensics
Response Automation
Identities
Human
Non-human
Endpoints
Corporate
Personal
Public
Private
Network
Apps
SaaS
On-premises
Data
Emails & documents
Structured data
Strong
authentication
Device
compliance
Risk
assessment
Traffic filtering
& segmentation
(as available)
Request
enhancement
Telemetry/analytics/assessment
JIT & Version Control
Runtime
control
Adaptive
Access
Classify,
label,
encrypt
Policy Optimization
Governance
Compliance
Security Posture Assessment
Productivity Optimization
Infrastructure
Serverless
Containers
IaaS
Paas
Internal Sites
Zero Trust
architecture
Microsoft Entra
Conditional Access
Response (EDR)
Intune
Device Management
Microsoft Sentinel
Management (SIEM)
• Security Orchestration, Automation,
and Response (SOAR)
Microsoft Defender
Azure Networking
Microsoft Purview
Microsoft Priva
Defender for Office 365
Microsoft Defender for Cloud
Secure Score
Compliance Manager
GitHub Advanced Security
Defender for
APIs (preview)
Defender for Cloud
Azure Arc
Microsoft Entra ID
Entra ID Governance
ID Protection
Workload ID
Defender for Identity
Microsoft Entra
Permissions Management

Information Risk Management
Supply Chain Risk (People, Process, Technology)
Program Management Office (PMO)
Managing Information/Cyber Risk
Security responsibilities or “jobs to be done”
February 2023 -
https://aka.ms/SecurityRoles
Posture Management
Incident
Management
Incident
Response
Threat
Hunting
Incident
Preparation

Microsoft security capability mapping
Which roles typically use which capabilities
Access Control Asset Protection
Security Governance
Security Operations
Establish Zero Trust access model to modern and
legacy assets using identity & network controls
Detect, Respond, and Recover from attacks; Hunt
for hidden threats; share threat intelligence broadly
Protect sensitive data and systems. Continuously
discover, classify & secure assets
Continuously Identify, measure, and manage security
posture to reduce risk & maintain compliance
Identity Admin, Identity Architect,
Identity Security
• Entra ID (Formerly Azure AD)
• Multifactor Authentication
• Conditional Access
• Application Proxy
• External Identities / B2B & B2C
• Security Service Edge (SSE)
• and more..
• Entra Permission Management
• Windows Hello for Business
• Microsoft Defender for Cloud Apps
• Azure Bastion
• Azure Administrative Model
• Portal, Management Groups, Subscriptions
• Azure RBAC & ABAC
Network Security
• Azure Firewall
• Azure Firewall Manager
• Azure DDoS
• Azure Web Application Firewall
• Azure Networking Design
• Virtual Network, NSG, ASG, VPN, etc.
• PrivateLink / Private EndPoint
Endpoint / Device Admin
• Microsoft Intune
• Configuration Management
Data security
• Microsoft Purview
• Information Protection
• Data Loss Prevention
People security
• Attack Simulator
Security architecture
• Microsoft Cybersecurity Reference Architecture
https://aka.ms/MCRA
Microsoft
Entra
• Microsoft 365 Lighthouse
• Azure Lighthouse
[multi-tenant]
Security Operations Analyst
• Microsoft Defender for Office 365
• Microsoft Entra Identity Protection
• Microsoft Defender for Cloud
• Microsoft Defender for DevOps
• Microsoft Defender for Servers
• Microsoft Defender for Storage
• Microsoft Defender for SQL
• Microsoft Defender for Containers
• Microsoft Defender for App Service
• Microsoft Defender for APIs (preview)
• Microsoft Defender for Key Vault
• Microsoft Defender for DNS
• Microsoft Defender for open-source
relational databases
• Microsoft Defender for Azure
Cosmos DB
• Microsoft Security Copilot (preview)
• Microsoft Security Experts
• Microsoft Incident Response
Detection and Response Team (DART)
Posture management, Policy and
standards, Compliance management
• Secure Score
• Compliance Dashboard
• Azure Security Benchmark
• Azure Blueprints
• Azure Policy
• Microsoft Defender External Attack
Surface Management (MD-EASM)
• Azure Administrative Model
• Portal, Management Groups, Subscriptions
• Azure RBAC & ABAC
• Microsoft Purview
• Compliance manager
Microsoft
Purview
Microsoft
Defender
Innovation Security
Integrate Security into DevSecOps
processes. Align security, development,
and operations practices.
Application security and DevSecOps
• (Same as Infrastructure Roles)
• GitHub Advanced Security
• Azure DevOps Security
Infrastructure and endpoint security,
IT Ops, DevOps
(including Azure Arc)
• Entra Permission Management
• Azure Blueprints
• Azure Policy
• Azure Firewall
• Azure Monitor
• Azure Web Application Firewall
• Azure DDoS
• Azure Backup and Site Recovery
• Azure Networking Design
• Virtual Network, NSG, ASG, VPN, etc.
• PrivateLink / Private EndPoint
• Azure Resource Locks
Incident preparation
Threat intelligence Analyst
• Microsoft Defender Threat
Intelligence (Defender TI)
OT and IoT Security
• Microsoft Defender for IoT (& OT)
• Azure Sphere
Privacy Manager
• Microsoft Priva
https://aka.ms/MCRA

aka.ms/MCRA
S3
Microsoft Entra
Azure Key Vault
Azure Backup
GitHub Advanced Security & Azure DevOps Security
Secure development and software supply chain
Defender for Cloud – Cross-Platform Cloud Security Posture Management (CSPM)
Microsoft Entra Private
Access & App Proxy
Beyond User VPN
Security Documentation
Benchmarks
Security & Other Services
Discover
Protect
Classify
Monitor
Secure Score Compliance Score CSPM: Defender for Cloud Microsoft Defender External Attack Surface Management (EASM) Vulnerability Management
aka.ms/SPA
Endpoint
Workstations,
Server/VM,
Containers, etc.
Office 365
Email, Teams,
and more
Cloud
Azure, AWS,
GCP, On Prem
& more
Identity
Cloud &
On-Premises
SaaS
Cloud Apps
Other
Tools, Logs,
& Data
OT/IoT
devices
Microsoft Entra Internet Access
Data
SQL, DLP,
& more
Unified Threat Detection and Response across IT, OT, and IoT Assets
Incident Response | Automation | Threat Hunting | Threat Intelligence
Microsoft
Sentinel
Cloud Native
SIEM, SOAR,
and UEBA
Microsoft Security Copilot (Preview)
Microsoft Security Experts

PaaS
On-Premises IaaS
S3
https://aka.ms/MCRA

Key cross-platform and multi-cloud guidance
Microsoft Defender for Cloud multicloud solution
Microsoft Defender for Endpoint – Linux Support
Azure security solutions for AWS
Entra ID identity and access
management for AWS

Multi-cloud & hybrid protection in Microsoft Defender for Cloud
Azure Arc

Access Management Capabilities
Security Policy
Engine
Partner
Employee
Customer
Virtual Private Network (VPN)
Legacy technology being retired
Direct Application Access
Core adaptive access policy
Workload
Can be implemented today using Microsoft and partner capabilities
Macro- and Micro-segmentation
Workload isolation using identity,
network, app, and other controls
Security Service Edge (SSE)
Additional policy control & monitoring
with Zero Trust Network Access (ZTNA), secure web
gateway (SWG), Cloud Access Security Broker
(CASB), and Firewall-as-a-Service (FWaaS)

Access Management Capabilities
Security Policy
Engine
Partner
Employee
Customer
Virtual Private Network (VPN)
Legacy technology being retired
Direct Application Access
Core adaptive access policy
Workload
Can be implemented today using Microsoft and partner capabilities
Macro- and Micro-segmentation
Workload isolation using identity,
network, app, and other controls
Microsoft Entra ID
(formerly Azure AD)
Microsoft Defender + Intune
Entra ID Self Service
Password Reset (SSPR)
Microsoft Entra
Conditional Access
Using Microsoft Technology
Illumio partnership, LAPS
Security Service Edge (SSE)
Additional policy control & monitoring
with Zero Trust Network Access (ZTNA), secure web
gateway (SWG), Cloud Access Security Broker
(CASB), and Firewall-as-a-Service (FWaaS)
Entra Internet Access (preview),
Entra Private Access (preview),
and Partners
Microsoft Threat Intelligence
65+ Trillion signals per day of
security context & Human Expertise
https://aka.ms/MCRA

Account
Devices/Workstations
Intermediaries
Interface
Business Critical Assets
Account
Intermediaries
Interface
Potential Attack Surface

Account
Intermediaries
Interface
Business Critical Assets
Account
Intermediaries
Interface
Asset Protection also required
Security updates, DevSecOps,
data at rest / in transit, etc.

Enterprise Assets – Multiple generations of technology spanning clouds, Devices, Operating Systems, Applications, Data Formats, and more
Case Management
Threat Intelligence (TI)
Automation (SOAR)
Incident Response/Recovery Assistance
Managed Detection and Response
Security Information and Event Management (SIEM)
Extended Detection and Response (XDR)
Generative AI
Simplifies tasks and performs
advanced tasks through chat interface
Analysts
and Hunters
Align to Mission + Continuously Improve
Measure and reduce attacker dwell time
(attacker access to business assets) via
Mean Time to Remediate (MTTR)
https://aka.ms/MCRA

Provide actionable security
detections, raw logs, or both
https://aka.ms/MCRA
Simplifies experience for complex tasks/skills
Align to Mission + Continuously Improve
Measure and reduce attacker dwell time
(attacker access to business assets) via
Mean Time to Remediate (MTTR)
Analysts
and Hunters

©Microsoft Corporation
Azure
Operational Technology (OT) Security Reference Architecture
Apply zero trust principles to securing OT and industrial IoT environments
S A F E T Y S Y S T E M S
Purdue Model
Level 1 – Basic Control
Electronics controlling or monitoring
physical systems
Level 0 – Process
Physical machinery
Level 2 – Supervisory Control
Monitoring & Control for discrete
business functions (e.g. production line)
Level 3 – Site Operations
Control & monitoring for physical site
with multiple functions (e.g. plant)
Security Analytics
Transform with Zero Trust Principles
Purdue model assumed static site/enterprise model
• Datacenter Segments – Align network/identity/other
controls to business workloads and business risk
• End user access - Dynamically grant access based on explicit
validation of current user and device risk level
Business Analytics
Confidentiality/Integrity/Availability
• Hardware Age: 5-10 years
• Warranty length 3-5 years
• Protocols: Native IP, HTTP(S), Others
• Security Hygiene: Multi-factor authentication (MFA), patching, threat monitoring, antimalware
Safety/Integrity/Availability
• Hardware Age: 50-100 years (mechanical + electronic overlay)
• Warranty length: up to 30-50 years
• Protocols: Industry Specific (often bridged to IP networks)
• Security Hygiene: Isolation, threat monitoring, managing vendor
access risk, (patching rarely)
Operational Technology
(OT) Environments
Information Technology
(IT) Environments
IIoT / OT Digital Transformation drivers
• Business Efficiency - Data to enable business agility
• Governance & Regulatory Compliance with safety and other
standards
• Emerging Security Standards like CMMC
Azure Analytics
IoT Hub, PowerBI, Azure Edge,
Digital Twins, and more
Blended cybersecurity attacks are
driving convergence of IT, OT, and IoT
security architectures and capabilities
Plant security console
(optional)
Sensor(s) + Analytics
TLS with mutual
authentication
N E T W O R K
T A P / S P A N
https://aka.ms/MCRA
Microsoft Defender for IoT (and OT)
 Manager
 Security Console
3rd party
Analytics
Cloud
Environments
Business Analytics
Business Analytic Sensor(s)
Cloud Connection (OPTIONAL)
• Native plug-in for Microsoft Defender for IoT
• Native OT investigation & remediation playbooks
• Correlation with other data sources and
Strategic Threat intelligence (attack groups & context)
Zero Trust Principles - Assume breach, verify explicitly, Use least privilege access (identity and network)
Hard Boundary
Physically disconnect
from IT network(s)
Soft(ware) Boundary
People, Process, and Tech (network
+ identity access control, boundary
patching and security hygiene)
Internal
segmentation
As business
processes allow
Isolation and Segmentation
3rd party
Analytics Microsoft Sentinel
3rd party SIEM

Unified Threat Detection and Response across IT, OT, and IoT Assets
Incident Response | Automation | Threat Hunting | Threat Intelligence
Microsoft
Sentinel
Cloud Native
SIEM, SOAR,
and UEBA
https://aka.ms/CAF
• Automated User Provisioning
• Entitlement Management
• Access Reviews
• Privileged Identity Management (PIM)
• Terms of Use
https://aka.ms/MCRA
Microsoft Defender for Cloud - Detections across assets and tenants
Microsoft Defender for Identity
Microsoft Defender for
Endpoint Entra ID Protection
On-Premises & Other
Cloud Resources/Data
Azure Resources/Data

Architecture & Governance
Security, Compliance, Identity, & Other Standards
Idea Incubation Production DevSecOps
First Production Release
Continuous Improvement of DevSecOps Lifecycle
1. MVP definitions – Update minimum requirements for Dev, Sec, and Ops (agility, stability, security, identity standards, and more)
2. Continuously improve process, program, education, tooling, etc. to improve developer productivity, efficiency, security, identity, and more)

It’s bad out there!
For sale in “bad neighborhoods” on the internet
Attacker for hire (per job)
$250 per job (and up)
Ransomware Kits
$66 upfront
(or 30% of the profit / affiliate model)
Compromised PCs / Devices
PC: $0.13 to $0.89
Mobile: $0.82 to $2.78
Spearphishing for hire
$100 to $1,000
(per successful account takeover)
Stolen Passwords
$0.97 per 1,000 (average)
(Bulk: $150 for 400M)
Denial of Service
$766.67 per month
Attackers
Other Services
Continuous attack
supply chain innovation
Attacker techniques,
business models, and
skills/technology, are
continuously evolving
Many attack tools and
tutorials/videos available
for free on internet

Attack Chain Models
Describe stages of an attack
Reconnaissance
Resource
Development
Initial Access
Persistence
Privilege Escalation
Defense Evasion
Credential Access
Discovery
Lateral
Movement
Command and Control
Exfiltration
Impact
Delivery Exploitation Installation Command and Control
Reconnaissance Weaponization
Actions on the
Objective
Simple model for business leaders and other non-technical stakeholders
Detailed model for technical detection coverage assessments and planning
MITRE ATT&CK Framework
Legacy Reference Model (missing lateral traversal)
Lockheed Martin Kill Chain

Product Name
Previous Product Names
Product Category(ies) Security Modernization Initiative(s)
Microsoft Defender for Endpoint (MDE)
Formerly Microsoft Defender ATP, Windows Defender ATP,
Windows Defender Antivirus
Endpoint Detection and Response (EDR)
Threat and Vulnerability Management (TVM)
Endpoint Protection Platforms (EPP)
• Modern Security Operations
• Infrastructure and Development
• Security Hygiene: Backup and Patching
Microsoft Defender for Identity (MDI)
Formerly Azure ATP
Microsoft Defender for Office (MDO)
Formerly Office 365 ATP
Extended Detection and Response (XDR) • Modern Security Operations
Microsoft Defender for Cloud Apps (MDCA)
Formerly Microsoft Cloud App Security
Cloud App Security Broker (CASB)
• Secure Identities and Access
• Data Security & Governance
Entra ID (Formerly Azure AD)
• Multifactor Authentication
• Microsoft Entra Conditional Access
• Self-service password management
• Identity Governance
• Privileged Identity Management (PIM)
Access Management
Microsoft Purview
• Compliance Management
• Data Lifecycle Management
• eDiscovery and auditing
• Data Security & Governance
Windows 10 & Windows 11
• Windows Hello for Business
• Windows AutoPilot
• Advanced Windows Security
Microsoft Intune Unified Endpoint Management (UEM) • Secure Identities and Access
What’s in Microsoft 365 E5
Product
Licensing
Details https://aka.ms/MCRA

Infrastructure &
IoT and OT
Security
Modern Security
Data Security &
Governance
Product Families Enable Modernization Initiatives
Secure Identities
and Access
Sentinel
Entra
Intune Priva
Defender Purview
Azure
Security Copilot (Preview)

Spans on-premises &
multi-cloud environments
Provided by someone else

Spans on-premises & multi-cloud environments
Managed Internet
Monitored network for validated devices to communicate
peer to peer (patching, collaboration, etc.)
Unmanaged Internet
Basic network monitoring for guests,
partners, new/unmanaged devices

Managed Internet
Unmanaged Internet
Microsoft Entra
application proxy

Managed Internet
Unmanaged Internet
Microsoft Entra
application proxy
Low Impact IoT/OT
Printers, VoIP phones, etc.
High Impact IoT/OT
IoT/OT With Life/Safety Impact

Enterprise Accounts
Privileged Accounts
Specialized Accounts
Anonymous and Consumer
identities
Sanctioned and
Managed Services
Internet and
Unsanctioned/Unmanaged Apps
Private and Managed in
the cloud or on-premises
Sensitive System users,
developers, & admins
Business critical system
users, developers, admins
Partner
Employee
Adaptive
Access Control
B
u
s
i
n
e
s
s
C
r
i
t
i
c
a
l
S
e
g
m
e
n
t
(
s
)
S
e
n
s
i
t
i
v
e
B
u
s
i
n
e
s
s
U
n
i
t
s
/
A
p
p
s
L
o
w
I
m
p
a
c
t
I
o
T
/
O
T
P
r
i
n
t
e
r
s
,
V
o
I
P
p
h
o
n
e
s
,
e
t
c
.
H
i
g
h
I
m
p
a
c
t
I
o
T
/
O
T
I
o
T
/
O
T
W
i
t
h
L
i
f
e
/
S
a
f
e
t
y
I
m
p
a
c
t
Privileged Devices
Specialized Devices
Unmanaged devices
BYOD, partners, etc.
Enterprise Devices
Managed
Devices

Direct
programming
Command
Prompt
Graphical User
Interface (GUI)
Chat/Conversation
using generative AI
Skills and learning required
to become productive
Ability (and speed) to
accomplish advanced tasks
Native
Computer
Native
Human

Protect AI Applications & Data
Integrate security from design to production
Systems
Protect custom
models from
attacks
Education
& Policy
Use of External AI
Mitigate Attacker AI
Continuously learn about
Attacker AI to protect against it
and educate stakeholders
Adopt AI Security Capabilities
Adopt generative AI capabilities to
enhance cyber defenses and human
skills (e.g. Security Copilot)
Machine Learning (ML) already processes security data
Integrated into XDR, SIEM, posture management, and other tools
Data
Human generated data
is high value asset for
training AI models AI App Design & Usage

AI Shared Responsibility Model
Illustrates which responsibilities are typically performed by an organization
and which are performed by their AI provider (such as Microsoft)
AI Platform
AI Usage
AI Application
Model
Dependent

Prioritize greatest needs and
opportunities for security
Establish clarity:
Your data is your data
Implement responsible
AI principles

Review – Artificial Intelligence (AI)
• Dynamic conversational chat is a new interface
• Makes technology easier to use and learn
• Enables people to do more advanced tasks
• Critical to adapt quickly to this technology
• Educate on and mitigate attacker use of AI
• Embrace security use of AI
• Protect business use of AI
• Securing AI is a shared responsibility
• Microsoft Approach to AI
• Establish clarity: your data is your data
• Implement responsible AI principles
• Focus initial security priorities on greatest needs
Comparing AI
Generations
Resources and
References

MS. Cybersecurity Reference Architecture

Recommended

Recommended

More Related Content

Similar to MS. Cybersecurity Reference Architecture

Similar to MS. Cybersecurity Reference Architecture (20)

Recently uploaded

Recently uploaded (20)

MS. Cybersecurity Reference Architecture