4. 03.04.2020
12.09.2020
#
Michael Noel
@MichaelTNoel
• Authored/Co-authored 20 books including the best-selling SharePoint, Exchange, and Windows Unleashed series
• Presented at over 230 events in over 85 unique countries around the world
• Partner at Convergent Computing in the San Francisco Bay Area (cco.com)
IT Security: A Vastly Changed Landscape
• Targeted Attacks
  • Spear Phishing (Exec/Finance targeting)
  • State-sponsored Attacks (Sony hack, Sea Turtle, etc.)
  • IP Theft/Loss (Mass downloads, disgruntled offboards, ‘oversharing’)
• Data Integrity Challenges
  • Ransomware/Cryptojacking
  • “Permanent” deletion of cloud data
• Device Security
  • Theft/Compromise
  • Malware/Keyboard Loggers/Rootkits
• Information Overload
  • Firewall/Syslog log overload
  • Audit log overload
  • Noise vs signal ratio in IT
  • Trying to stay one step ahead of attackers
Passwords are Not as Secure as You Think
• The key to password security is not necessarily length, complexity, or even age, but global uniqueness
• Hackers have access to databases of ‘pwned’ passwords and can run password hashes against these databases in a matter of milliseconds
• ‘Passphrases’ that consist of unique seed words are far more complex and much harder to crack (e.g. “Yellow birdseed hat pumpkin”)
• Test your password at https://haveibeenpwned.com
Lateral Attacks are Common and Easy to Exploit
• Exploiting cached credentials on workstations is a common attack vector
• Any user with local admin rights to a workstation (obtained legitimately or via phishing) can access the cached credentials of any other user who logged in at some point. If the passwords are not sufficiently complex or match any darknet database entries, they are EASILY cracked.
• “Golden Ticket” attacks using hacking tools such as Mimikatz can then leverage elevated domain rights (i.e. Domain Admin) to compromise the krbtgt account and create non-expiring ‘Golden Tickets’ that give unfettered rights to all domain resources
Advanced Threat Analytics (ATA) & Azure Advanced Threat Protection (ATP)
• ATA is an on-prem version of Azure ATP
• ATA/Azure ATP deploys sensors to domain controllers to look for behaviors associated with compromised internal systems
• ATA/ATP sensors perform their calculations locally and then forward their alerts to the cloud
• Microsoft Advanced Threat Protection (ATP) is a cloud-based version of ATA that extends the capabilities of ATA to include the following:
  • Azure Advanced Threat Protection (Azure ATP)
  • Microsoft Defender Advanced Threat Protection (ATP)
  • Office 365 Advanced Threat Protection (Office 365 ATP)
Azure Sentinel
Azure Sentinel builds on the proven Azure Monitor log monitoring platform.
Azure Sentinel provides centralized SIEM capabilities for logs, alerting and reporting on trends.
Firewall, switch, Windows, and Linux logs can all be forwarded to Sentinel to allow for retroactive forensics or real-time alerts.
Azure AD Password Protection
Azure AD Password Protection runs as agents on all internal domain controllers that restrict how a password is constructed.
Azure AD Password Protection allows for complexity beyond the default options in an AD environment, disallowing passwords that are known to be compromised and/or include keywords.
Azure Multi-Factor Authentication
Azure Multi-Factor Authentication (MFA) integrates with MFA apps (Google Authenticator, Microsoft Authenticator) and SMS-based MFA to provide an additional layer of authentication required for traffic.
Deployment of MFA alone can reduce your exposure to modern threats by an exponential amount.
Runs on a dedicated server or the Azure AD Connect server.
Azure AD Privileged Identity Management (PIM)
Azure AD Privileged Identity Management (PIM) allows accounts to be ‘privileged by request’ and not by default.
Users can initiate requests to raise their privileged roles, and these requests can be moderated by admins and/or monitored.
In the event of a compromise, admin users will have no special rights until they have been elevated, which greatly reduces exposure.
Microsoft Identity Manager / PAM
The on-prem version of PIM is integrated into the Microsoft Identity Manager (MIM) suite in the form of Privileged Access Management (PAM).
PAM works similarly to PIM, with the exception that a bastion forest is used for accounts with elevated privileges.
A bastion forest exists across a one-way trust, and accounts are only elevated as needed. This leaves membership in privileged groups such as ‘Domain Admins’ to very few active accounts.
Azure Information Protection
• Azure Information Protection provides the ability to control what happens to data AFTER it has been accessed.
• Azure IP assigns Information Protection tags to content either manually or via automatic processes.
• The existing Azure Rights Management Services (Azure RMS) service is now integrated into Azure Information Protection.
• Hold Your Own Key (HYOK) allows organizations to secure and encrypt content using their own private key, removing Microsoft from data custody.
Azure Security Center
The Azure Security Center monitors and alerts against hybrid security scenarios.
Alerts are generated from virtual machines both in the Azure cloud and in supported on-prem workloads.
Microsoft prices based on a ‘Free’ tier and a ‘Standard’ tier that includes advanced automation. Pricing is determined by the number and complexity of systems managed by the platform.
Licensing SKU | USD / user / month | BasicApps | EntApps | RMS | FCI | HYOK/AutoClass | AADC | MFA | Password Protection | ATA | ATP | MCAS | PIM/MIM/PAM | Security Center | Sentinel
Azure AD – Free Free X
Azure AD – Office 365 Apps *O365 X X
Azure AD Premium P1 $6.00 X X X X
Azure AD Premium P2 $9.00 X X X X X X X
Azure Information Protection - Free Free X
Azure Information Protection – Office 365 Apps *O365 X X
Azure Information Protection Premium P1 $2.00 X X X X
Azure Information Protection Premium P2 $5.00 X X X X X
Enterprise Mobility + Security E3 $8.74 X X X X X X X X
Enterprise Mobility + Security E5 $14.80 X X X X X X X X X X X X
Microsoft 365 E3 $35.00 X X X X X X X X
Microsoft 365 E5 $63.00 X X X X X X X X X X X X
Pay as You Go (Storage and/or Usage) Varies X* X*
Thank you! Questions?
Don’t forget to meet us in-person on September 12th at Microsoft Poland’s Office!
Michael Noel
CCO.com
@MichaelTNoel
Facebook.com/MichaelNoel
Linkedin.com/in/MichaelTNoel
SharingTheGlobe.com
Slideshare.net/MichaelTNoel