4. We have some amazing things to give away today!
Want to tweet about the day? Use either #O365Sat17 or #O365SatSyd17.
Leave us feedback: not only because it makes our events better, but you win amazing prizes!
https://tinyurl.com/O365SatSyd17
5. 1:00-2:00
Room 1: MS Graph Building Data and Intelligent Apps (Ashish Trivedi)
Room 2: Extranet for partner Collaboration (Alpesh Nakar)
Room 3: Team Sites | Teams | Groups | Yammer – Untangling the Collaboration Web (Russ Norton)
2:05-3:05
Room 1: SharePoint Framework – Build integrated user experiences (Anupam Ranku)
Room 2: 9 Months of Fun with SharePoint in Azure and Office365 (Colin Philips)
Room 3: Top 10 Adoption Tips (Kirsty McGrath)
3:10-4:10
Room 1: What the heck is GraphAPI and why should I care? (Steven Hosking)
Room 2: Automate Office 365 (Robert Crane)
Room 3: TBA (Adam Cogan)
9:00-10:00
Room 1: Introduction to SharePoint Framework (SPFx) (Sezai Komur)
Room 2: From Cloud Productivity to Enterprise Business App (Igor Jericevich)
Room 3: SharePoint Branding for Non-Branders (Colin Gardner)
10:05-11:05
Room 1: Mayhem and Mischief with the Outlook and Microsoft Graph APIs (Simon Waight)
Room 2: Mind blown: the Dynamite Dynamics 365 Experience (Roger Carran)
Room 3: Who said you have to be a Power-User to create Dynamic Forms? (Ishai Sagi)
11:10-12:10
Room 1: Event Driven Development in Office 365 (Amr Found)
Room 2: Office 365 Security Best Practices (Benoit Hamet)
Room 3: Making your first app with Power Apps (Haylee Fox)
9. When moving to cloud services, security is a major concern.
On Office 365, security is implemented in two dimensions:
▶ The first dimension is the Microsoft-managed service level, including operational procedures and default policies
▶ The second dimension is the customer-managed control level
Security and compliance is an ongoing process, not a steady state. It is constantly maintained, enhanced, and verified by highly skilled, experienced and trained personnel.
The objective of this session is to give you some key practices/implementations to help you stay secure on Office 365.
11. Financial services (47%): Financial services firms worry about customer fraud and advanced attacks.
Business services (11%): Business services pros want to use managed security services.
Nonprofit / government (9%): The nonprofit/government sector prioritizes authentication concerns.
Healthcare (8%): Healthcare firms focus on patient data protection.
Source: Forrester’s Inquiry Spotlight: Security And Risk, Q3 2015 To Q3 2016, Stephanie Balaouras, Claire O'Malley with Laura Koetzle, Trevor Lyness, Peggy Dostie, December 27, 2016
Based on 1,731 inquiries from Q3 2015 to Q3 2016
12. $4 M - IDC Ponemon Institute, Cost of a Data Breach Report (2016)
63% - Verizon 2016 Data Breach Report
80% - Stratecast, December 2016
33% - VansonBourne, February 2014
13. Technical Objectives
• Get in reliably
• Obtain data I am assigned or can sell
• Avoid detection
Specialization
• Exploiting Stolen Data
• Selling Stolen Data
• Selling Attack Tools
• Sell Access to environments
Motivations
• Money / Profit
• Message / Activism
• Mission / Nation State
Daily Considerations
• Build or buy my tools?
• What is the target worth?
• Try the easy things first
Stats:
• 82% of successful cyberattacks are from cybercriminals via:
  • Phishing
  • Network scans
  • Strategic web site compromise
• 11% are from insiders
• 7% are nation states
SecureWorks 2016 via eWeek
Good to know:
• Attacks aren’t random
• Likely has attacked before
• Very expensive to react to – preventative much better than reactive
17. ▶ Know your risks
▶ Know your users’ behaviour
▶ Know your environment
▶ Know your data
▶ Know your legal/financial requirements
  ▶ Confidentiality
  ▶ Privacy
  ▶ Regulatory
▶ Review / Audit
▶ Never ending story
19. [Diagram: Intelligent Security Graph. Labels: Apps and Data (SaaS, PaaS, IaaS); Device; Infrastructure; Identity; Malware Protection Center; Cyber Hunting Teams; Security Response Center; CERTs; Cyber Defense Operations Center; Digital Crimes Unit; Antivirus; Network; Industry Partners]
21. Office 365 includes tools to discover your environment
▶ Office 365 Secure Score
  ▶ Helps to assess your security configuration
  ▶ Provides actions/recommendations
  ▶ Proactive vs reactive
▶ Compliance Center
  ▶ Provides regulatory documentation
  ▶ Security and regulation standards implemented
▶ Cloud App Security (EMS E5) / Advanced Security Management (E5)
  ▶ Discovers applications used by users
24. ▶ Cloud identity management is similar to On Premises identity management
  ▶ Provisioning / Management / Termination
▶ Integrates with your On Premises directory
  ▶ Use the latest version of Azure AD Connect
  ▶ Authenticate with your On Premises credentials (ADFS / Password sync / Pass Through)
▶ Grant permissions to groups, not to individuals
▶ Enable self-service (password reset)
▶ Identify sensitive users / roles
  ▶ Enable MFA
  ▶ Automate Office 365 role assignment / approval workflow
  ▶ Separate “day to day” and admin accounts
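One way to check an account inventory against the identity checklist above, as an added example that is not from the original slides. The record layout, field names and sample accounts are constructed for illustration, and treating a mailbox on an admin account as a sign of day-to-day use is an assumption.

```python
# Added example: audit an exported account inventory against the identity checklist.
# The record layout and every sample account are constructed, not an Office 365 schema.
SAMPLE_ACCOUNTS = [
    {"upn": "alice@contoso.example", "admin_roles": ["Global Administrator"],
     "mfa_enabled": False, "has_mailbox": True, "direct_grants": [],
     "enabled_on_prem": True, "cloud_sign_in_allowed": True},
    {"upn": "adm-bob@contoso.example", "admin_roles": ["Exchange Administrator"],
     "mfa_enabled": True, "has_mailbox": False, "direct_grants": [],
     "enabled_on_prem": True, "cloud_sign_in_allowed": True},
    {"upn": "carol@contoso.example", "admin_roles": [],
     "mfa_enabled": False, "has_mailbox": True,
     "direct_grants": ["Finance site: Full Control"],
     "enabled_on_prem": True, "cloud_sign_in_allowed": True},
    {"upn": "dave@contoso.example", "admin_roles": [],
     "mfa_enabled": False, "has_mailbox": True, "direct_grants": [],
     "enabled_on_prem": False, "cloud_sign_in_allowed": True},
]


def audit(accounts):
    """Return (upn, finding) tuples for every checklist item an account violates."""
    findings = []
    for acct in accounts:
        upn = acct["upn"]
        is_admin = bool(acct["admin_roles"])
        # Sensitive roles must have MFA enabled.
        if is_admin and not acct["mfa_enabled"]:
            findings.append((upn, "admin role without MFA"))
        # Assumption: an admin account with a mailbox is also the day-to-day account.
        if is_admin and acct["has_mailbox"]:
            findings.append((upn, "admin account not separated from day-to-day use"))
        # Permissions should be granted to groups, not to individuals.
        if acct["direct_grants"]:
            findings.append((upn, "permissions granted directly to the user"))
        # Termination: disabled on premises but still able to sign in to the cloud.
        if not acct["enabled_on_prem"] and acct["cloud_sign_in_allowed"]:
            findings.append((upn, "disabled on premises but cloud sign-in allowed"))
    return findings


if __name__ == "__main__":
    for upn, finding in audit(SAMPLE_ACCOUNTS):
        print(f"{upn}: {finding}")
```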
25. One small mistake can lead to attacker control
Attackers can:
• Steal any data
• Modify documents
• Impersonate users
• Disrupt business operations
Active Directory and Administrators control all the assets
30. Your users’ productivity and security are more challenged than ever by different types of attacks.
• 80 billion inbound messages to Office 365 in 1 month – only 31% core business mails
• 55 billion spam and bulk mails that could have crowded users’ mailboxes
• Malware: the volume of malware targeting O365 has increased 600% in the past year
32. ▶ Free for individuals (recipient only)
▶ Azure Rights Management Services (RMS) included with Office 365 E plans
  ▶ Can be automatically applied to SharePoint libraries and Exchange mails
▶ Azure Information Protection included with Azure Premium / EMS
  ▶ Allows tagging
▶ Both can protect data by embedding authorization
39. Netskope Cloud Report, Summer 2015
  ▶ 17.9% of files violate DLP Policy
  ▶ 22.2% are shared publicly
▶ Almost all data leakage occurs inadvertently
▶ Define labels
▶ Create DLP rules
  ▶ Built in
  ▶ Custom
40. ▶ Retention ensures conservation of data
▶ Applies to Exchange and SharePoint (including Office 365 groups)
▶ Not only used for compliance but can be used for recovery
42. ▶ 2 options
  ▶ Access Control Policy (ADFS)
  ▶ Conditional Access (Azure AD Premium)
▶ Access Control Policy
  ▶ On Premises configuration
  ▶ Built in and custom conditions
  ▶ Not only applies to Office 365
▶ Conditional Access
  ▶ Azure AD configuration / Intune
  ▶ Can work in conjunction with Azure AD Identity Protection (Azure Premium P2)
  ▶ Conditions: group membership, location, device platform and state
46. ▶ First to discover
▶ Identify existing usage/gaps
▶ Continuous activities review
▶ Identify potential malicious activities
▶ Validate/Review configuration (DLP)
▶ All activities are audited
49. ▶ Security is specific to you
▶ Common patterns to everybody
▶ Meet your specific needs
▶ Manage your identity
▶ Be as ‘end-user’ friendly as possible
▶ Automation
▶ Self service
▶ Communicate / Instruct
▶ No exceptions
▶ There are always exceptions, but the fewer the better
50. ▶ Restrict privileges
▶ Permissions as low as possible
▶ Elevate security requirements for sensitive roles (MFA)
▶ Conditional access
▶ Monitor
▶ Be proactive
▶ Review activities
▶ Identify your data
54. ▶ Office 365 Microsoft Trust Center
https://www.microsoft.com/en-us/trustcenter/cloudservices/office365
▶ Secure Score
https://securescore.office.com
▶ Security and Compliance Portal
https://protection.office.com
▶ Cloud App Security
https://portal.cloudappsecurity.com
▶ Azure Self Service Portal
https://account.activedirectory.windowsazure.com
Cloud App Security discovers all applications, including third party.
Advanced Security Management discovers only Office 365 application usage/activities.