Mark Simos
Chef’s tour of the
Security Adoption Framework
(SAF)
About the Chef
Author, Zero Trust Playbook
ZeroTrustPlaybook.com
aka.ms/MarksList
Zero Trust Architecture Co-Chair
The Open Group
Lead Cybersecurity Architect
Microsoft
Mark Simos
Chef's Tour of SAF
A tour of end-to-end security that provides key
references and samples across many areas of security.
This training will use the Microsoft Security Adoption
Framework (SAF) to guide you through security across a
'hybrid of everything' technical estate.
• SAF delivered through Microsoft Unified
• Extensive free resources available online at https://aka.ms/SAF
including MCRA and CISO workshop
Learning
objectives
By the end of this session you will:
• Better Understand the importance of an end to end security approach
• Better Understand how the Security Adoption Framework (SAF) guides you through strategy, planning, and adoption of modern security approaches
• Deep Appreciation for Security Complexity
• Learn a lot from this session
• Understand how much more there is to learn and do
Whiteboard – Current Security Architecture
Geography and Cloud Usage
Where does your organization operate?
Which workloads are in the cloud? Which
major cloud providers? (SaaS, PaaS, IaaS)
Business and Technical Drivers
What is top of mind for business stakeholders?
What risks are important to the business?
Business/technology initiatives driving change?
What metrics are important to your program?
Threats
What types of attacks and
adversaries are top of mind?
Compliance
Large & notable
regulatory
requirements
Architecture, Policy, and Collaboration
Describe how teams work together on end to end security + guiding documents/artifacts
Enterprise-wide security architecture approach and documentation
Policy update, monitoring, and related governance processes
Posture and vulnerability management processes
Technical collaboration processes (e.g. sharing learnings, joint technical planning, etc.
with security operations, architects, engineers, posture management, governance, others)
Differences between on premises vs. cloud processes
Security Challenges are significant and continuously evolving
Microsoft investments to help security teams
End to end security capabilities
Guidance and workshops
Illustrative Examples of Security Adoption Framework (SAF) Workshop Content
Getting Started and Next Steps
Overview and Scoping
Adoption Framework
SAF guides your end to end security modernization journey using Zero Trust principles
Attacker Failure + Increased Attacker Cost/Friction
Security Success
Invest intentionally into providing these durable outcomes
Find and kick them out fast
Reduce dwell time (mean time to remediate)
with rapid detection and remediation
Block Cheap and Easy Attacks
Increase cost and friction for well known &
proven attack methods (or easy to block options)
‘Left of Bang’
Prevent as many attacks as possible
‘Right of Bang’
Rapidly and effectively manage attacks
Requires end to end collaboration
It’s bad out there!
For sale in “bad neighborhoods” on the internet
Attacker for hire (per job)
$250 per job (and up)
Ransomware Kits
$66 upfront
(or 30% of the profit / affiliate model)
Compromised PCs / Devices
PC: $0.13 to $0.89
Mobile: $0.82 to $2.78
Spearphishing for hire
$100 to $1,000
(per successful account takeover)
Stolen Passwords
$0.97 per 1,000 (average)
(Bulk: $150 for 400M)
Denial of Service
$766.67 per month
Attackers
Other Services
Continuous attack
supply chain innovation
Attacker techniques,
business models, and
skills/technology, are
continuously evolving
Many attack tools and
tutorials/videos available
for free on internet
Threat environment is continually evolving
Attackers must change to overcome defenses (in big or small ways)
Leading Edge - pushed forward by sophisticated groups & researchers
• Adoption & exploitation of Artificial Intelligence (AI)
• Supply chain techniques
• OT and IoT threats
• Insider risk
• Stealth - Evading indicators of compromise (IOCs) and other detections
• Improve existing techniques – Identity/MFA evolution, zero day vulnerabilities,
exploit line of business (LOB) apps, etc.
Note: Sophisticated attackers sometimes
use commodity toolkits to hide their origin
Commoditization – increases scale and impact of attacks
• Criminal gangs copy or purchase advanced techniques, integrate into toolkits
• Also evolve financial and social aspects of extortion/ransomware models
Agile Security is required to keep up with continuous changes
Security is complex and challenging
Infrastructure
Application
Data
People
Attackers have a lot of options
➢ Forcing security into a holistic
complex approach
➢ Regulatory Sprawl - 200+ daily updates from 750 regulatory bodies
➢ Threats – Continuously changing threat landscape
➢ Security Tools – dozens or hundreds of tools at customers
Must secure across everything
➢ Brand New - IoT, DevOps, and Cloud services, devices and products
➢ Current/Aging - 5-25 year old enterprise IT servers, products, etc.
➢ Legacy/Ancient - 30+ year old Operational Technology (OT) systems
Nothing gets retired!
Usually for fear of breaking
something (& getting blamed)
Hybrid of Everything, Everywhere, All at Once
Attacks can shut all business operations down, creating board level risk
‘Data swamp’ accumulates
managed data + unmanaged ‘dark’ data
False Assumptions of implicit or explicit trust → Zero Trust Mitigation: Systematically Build & Measure Trust
Goal: Zero Assumed Trust – Reduce risk by finding and removing implicit assumptions of trust
Security is the opposite of productivity → Business Enablement: Align security to the organization’s mission, priorities, risks, and processes
All attacks can be prevented → Assume Compromise: Continuously reduce blast radius and attack surface through prevention and detection/response/recovery
Network security perimeter will keep attackers out → Shift to Asset-Centric Security Strategy: Revisit how to do access control, security operations, infrastructure and development security, and more
Passwords are strong enough → Explicitly Validate Account Security: Require MFA and analyze all user sessions with behavior analytics, threat intelligence, and more
IT Admins are safe → Plan and Execute Privileged Access Strategy: Establish security of accounts, workstations, and other privileged entities (aka.ms/spa)
IT Infrastructure is safe → Validate Infrastructure Integrity: Explicitly validate trust of operating systems, applications, service accounts, and more
Developers always write secure code → Integrate security into development process: Security education, issue detection and mitigation, response, and more
The software and components we use are secure → Supply chain security: Validate the integrity of software and hardware components from open source, vendors, and others
With 30+ years of backlog at most organizations, it will take a while to burn down the backlog of assumed trust
Microsoft is investing in security for our customers
There are no easy answers, but we are investing to make it easier
Security Technology
Automate and improve security processes
by simplifying and automating security for
the ‘hybrid of everything’ technical estate
Expert Engagements
Help you assess, plan, implement, and
optimize security programs and technology
based on best practices and lessons learned
Continuous improvement
Microsoft invests $1b+ per year into
security research & development
8500+ security professionals on
staff across 77 countries
Accelerate Modernization
Help integrate security successfully
into IT and business processes to
reduce risk and minimize friction
End to end security for ‘hybrid of everything’ technical estate
Secure Identities and Access
Modern Security Operations (SecOps/SOC)
Infrastructure & Development Security
Data Security & Governance
IoT and OT Security
Microsoft security portfolio
Effective security requires people & process changes
Security Strategy and Program – Align to business priorities, business risks, and industry best practices
Zero Trust Architecture – End to End Security approach based on Zero Trust Principles and industry best practices
Software as a Service (SaaS)
Cybersecurity Reference Architecture
Security modernization with Zero Trust Principles
December 2023 – aka.ms/MCRA
Microsoft Purview – Information protection and governance across data lifecycle
File Scanner (on-premises and cloud)
S3
Identity & Access
Microsoft Entra
IoT and Operational Technology (OT)
People Security
3rd party IaaS & PaaS
Azure Arc
Intranet
Extranet
Endpoints & Devices
Hybrid Infrastructure – IaaS, PaaS, On-Premises
Azure Key Vault
Azure WAF
DDoS Protection
Azure Backup
On Premises Datacenter(s)
Azure Firewall & Firewall Manager
Attack Simulator
Insider Risk Management
Azure Sphere
Compliance Manager
Private Link
Conditional Access – Zero Trust Access Control decisions based on explicit validation of user trust and endpoint integrity
GitHub Advanced Security & Azure DevOps Security – Secure development and software supply chain
Windows 11 & 10 Security
Network protection
Credential protection
Full Disk Encryption
Attack surface reduction
App control
Exploit protection
Behavior monitoring
Next-generation protection
Security Operations / SOC
Microsoft Defender for Endpoint – Unified Endpoint Security
Endpoint Data Loss Protection (DLP)
Web Content Filtering
Endpoint Detection & Response (EDR)
Threat & Vuln Management
Defender for Cloud – Cross-Platform, Multi-Cloud XDR
Detection and response capabilities for infrastructure and development across IaaS, PaaS, and on-premises
Communication Compliance
Azure Lighthouse
Defender for Cloud – Cross-Platform Cloud Security Posture Management (CSPM)
Compliance Dashboard
Secure Score
Azure Bastion
Classification
Labels
Information Protection
Advanced eDiscovery
Data Governance
Azure Defender for IoT provides agentless security for unmanaged IoT/OT devices (via integration of CyberX technology) plus security for greenfield devices managed via Azure IoT Hub. It is deployed either as a cloud-connected or fully on-premises solution.
Microsoft Defender for IoT (and OT)
Asset & Vulnerability management
Threat Detection & Response
ICS, SCADA, OT
Internet of Things (IoT)
Industrial IoT (IIoT)
Security Development Lifecycle (SDL)
Service Trust Portal – How Microsoft secures cloud services
Threat Intelligence – 65+ Trillion signals per day of security context
Defender for Identity
Microsoft Entra PIM
External Identities
Entra ID Protection
Leaked cred protection
Behavioral Analytics
Passwordless & MFA
Authenticator App
Hello for Business
ID Governance
FIDO2 Keys
NGFW
Express Route
Microsoft Azure
Azure Marketplace
VPN & Proxy
Edge DLP
IPS/IDS/NDR
Azure Stack
Microsoft Entra Private Access & App Proxy
Beyond User VPN
Security Guidance
Security Adoption Framework
Security Documentation
Cloud Security Benchmarks
Security & Other Services
Discover
Protect
Classify
Monitor
Security Posture Management – Monitor and mitigate technical security risks using Secure Score, Compliance Score, CSPM: Defender for Cloud, Microsoft Defender External Attack Surface Management (EASM) and Vulnerability Management
Unified Endpoint Management (UEM)
Intune
Configuration Manager
Securing Privileged Access – aka.ms/SPA
Microsoft Defender for Cloud Apps
App Discovery & Risk Scoring (Shadow IT)
Threat Detection & Response
Policy Audit & Enforcement
Session monitoring & control
Information Protection & Data Loss Prevention (DLP)
Active Directory
Endpoint – Workstations, Server/VM, Containers, etc.
Office 365 – Email, Teams, and more
Cloud – Azure, AWS, GCP, On Prem & more
Identity – Cloud & On-Premises
SaaS – Cloud Apps
Other – Tools, Logs, & Data
OT/IoT devices
Entra Permission Management – Discover and Mitigate Cloud Infrastructure Permission Creep
Privileged Access Workstations (PAWs) - Secure workstations for administrators, developers, and other sensitive users
Microsoft Entra Internet Access
Defender for APIs (preview)
Data – SQL, DLP, & more
Microsoft Defender XDR
Unified Threat Detection and Response across IT, OT, and IoT Assets
Incident Response | Automation | Threat Hunting | Threat Intelligence
Microsoft Sentinel – Cloud Native SIEM, SOAR, and UEBA
Microsoft Security Copilot (Preview)
Managed Security Operations Using Microsoft Security
Microsoft Security Experts
Defender Experts | Detection and Response Team (DART)
CISO Workshop
Security Program and Strategy
End-to-end Security Program Guidance + Integration with Digital & Cloud Transformation Teams
Module 2 – Secure Identities and Access
Module 3 – Modern Security Operations (SecOps/SOC)
Module 4 – Infrastructure & Development Security
Module 5 – Data Security & Governance, Risk, Compliance (GRC)
Module 6 – IoT and OT Security
Security Architecture Design Session
Module 1 – Zero Trust Architecture and
Ransomware
Strategic Framework
Infrastructure and Development
Data Security & Governance, Risk, Compliance (GRC)
OT and IoT Security
Security Adoption Framework
Delivers Zero Trust security modernization + business alignment using recommended initiatives
Secure Identities and Access
1. Strategic Framework
End to End Strategy, Architecture,
and Operating Model
1 - I want people to do their job
securely from anywhere
2 - I want to minimize business
damage from security incidents
3 - I want to identify and protect
critical business assets
4 - I want to proactively meet
regulatory requirements
5 - I want to have confidence in my
security posture and programs
Business Scenarios
Guiding North Star
Modern Security Operations
2. Strategic initiatives
Clearly defined architecture and
implementation plans
Security Hygiene: Backup and Patching
Implementation
Architects & Technical Managers
CIO
Technical Leadership
CISO
Business Leadership
CEO
Security Strategy and Program
End to End Zero Trust Architecture
Security Adoption Framework
Zero Trust security modernization rapidly reduces organizational risk
Business and Security Integration
Implementation and Operation
Technical Planning
Architecture and Policy
Security Strategy, Programs, and Epics
Securing Digital Transformation
Secure Identities and Access
Modern Security Operations (SecOps/SOC)
Infrastructure & Development Security
Data Security & Governance
IoT and OT Security
Microsoft Cybersecurity Reference Architectures (MCRA)
Technical Capabilities Implementation
Engaging Business
Leaders on Security
Workshops available in Microsoft Unified
Coordinated & integrated end-to-end security across the ‘hybrid of everything’ (on-prem, multi-cloud, IoT, OT, etc.)
Includes
Reference Plans
CISO Workshop
Security Capability Adoption Planning (SCAP)
Technology Implementation & Optimization
Secure Identities
and Access
Modern Security
Operations (SecOps/SOC)
Infrastructure &
Development Security
Zero Trust Architecture
Security Strategy and Program
Security Adoption Framework Workshops
Illustrative Examples of Guidance
All workshops are holistic for the ‘hybrid of everything’ technical estate (on-premises, multi-cloud, IoT, OT, etc.)
Adoption Framework
Product
Adoption
CISO Workshop
Security Program and Strategy
Adoption Framework
App & Data Teams
App Security
Dev Education & Awareness
Apps, Data, and IoT
Data Security
People Teams
Identity Teams
IT Operations
Insider Risk
User Education & Awareness
People
Identity & Keys
Administrator Security
Identity System Security
Key Management
Endpoint Security
Mitigate Vulnerabilities
Infrastructure & Endpoint
Infrastructure & Network Security
Deploy Tools
OT Operations
Operational Technology (OT) Security
Security Strategy & Culture
Risk Management
Policy & Standards
Security Leadership
Information Risk Management
Supply Chain Risk (People, Process, Technology)
Enable Productivity and Security
Stay Agile - Adapt to changes to threat environment,
technology, regulations, business model, and more
Program Management Office (PMO)
Plan (Governance) Run (Operations)
Build
Managing Information/Cyber Risk
Security responsibilities or “jobs to be done”
Organizational Leadership
Organizational & Risk Oversight
Board Management
Organizational Risk Appetite
Business Model and Vision
External Intelligence Sources
December 2021 - https://aka.ms/SecurityRoles
Threat Intelligence
Strategic Threat Insight/Trends
Tactical Threat Insight/Trends
Posture Management
Monitor & Remediate Risk
On-Demand Audit, Threat and Vulnerability Management (TVM), Risk and Security Scoring, Posture Enforcement
Incident Management (IT, IoT, OT)
Incident Response
Threat Hunting
Security Operations [Center] (SOC)
Practice Exercises
Risk Scenarios
Incident Preparation
Technical Policy Authoring
Compliance Reporting
Architecture & Risk Assessments
Technical Policy Monitoring
Privacy & Compliance Requirements
Compliance Management
Requirements Translation
Technical Risk Management
Security Architecture
End to End Zero Trust Architecture
Architecture Design Session Module 1
Adoption Framework
Shorter version (3-4 hours vs. ~2 days)
Microsoft Cybersecurity Reference
Architectures (MCRA)
Verify Explicitly
Reduce attack surface
and exposure to risk
Assume Compromise
General strategy shift from ‘assume safe network’
Least Privileged
Reduce blast radius both
proactively and reactively
Zero Trust Principles
Use least privilege access
Limit access of a potentially compromised
asset, typically with just-in-time and just-
enough-access (JIT/JEA) and risk-based policies
like adaptive access control.
→ Reduce “blast radius“ of compromises
→ Reduces “attack surface” of each asset
→ Transforms from “defend the network” to “enable security productivity on any network”
Asset/Node = account, app, device,
VM, container, data, API, etc.
Verify explicitly
Protect assets against attacker control by
explicitly validating that all trust and security
decisions use all relevant available information
and telemetry.
Business Enablement
Assume Compromise
Business Enablement
Align security priorities to the organization’s mission, priorities, risks, and processes
Assume Breach (Assume Compromise)
Assume attackers can and will successfully attack anything (identity, network, device, app, infrastructure, etc.) and plan accordingly
Defender for Office 365
Defender for Endpoint
Defender for Identity
Phishing
mail
Open
attachment
Click a URL
Browse
a website
Exploitation
and Installation
Command
and Control
Microsoft Entra ID Protection
Brute force account
or use stolen account
credentials
User account is
compromised
Attacker collects
reconnaissance &
configuration data
Attacker attempts
lateral movement
Privileged account
compromised
Domain
compromised
Defender for Cloud Apps
Attacker
accesses
sensitive data
Exfiltration
of data
Leading
indicators
History of violations
Distracted and careless
Disgruntled or disenchanted
Subject to stressors
Insider has access
to sensitive data
Anomalous
activity detected
Data
leakage
Potential
sabotage
Microsoft Defender for Cloud
Defend across attack chains
Insider and external threats December 2023 – https://aka.ms/MCRA
Insider risk management
Defender for IoT (& OT)
Disrupt OT
Environment
IoT Device
Exploitation
EXTERNAL THREATS
INSIDER RISKS
Microsoft Defender XDR + Microsoft Sentinel
Security Copilot (Preview)
OBJECTIVES & KEY RESULTS (OKRs)
Summary of Outcomes
OBJECTIVE
Reduce organizational risk
caused by neglect of basic
security maintenance.
WHY
Extortion/ransomware attacks
and theft of IP are often caused
by organizations skipping well
known security best practices
(unpatched vulnerabilities,
configuration weaknesses, and
insecure operational practices)
Proper system maintenance and
hygiene also unblocks business
agility and stability from system
performance and capabilities.
KEY
RESULTS
Critical Patch Speed and
Completion
Mean Time to deploy to 90% and
100% of assets
Technical Plan · Modernize Patch Management
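The key results on this slide (mean time to deploy to 90% and 100% of assets) can be computed from per-asset patch confirmation times. The following is an added example, not part of the original deck or of any Microsoft tooling; the patch IDs, server names, install times and the 24-hour critical-patch SLA are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class PatchRollout:
    """One security update and when each in-scope asset confirmed installing it."""
    patch_id: str
    released: datetime
    # asset name -> confirmed install time; None means the asset is still unpatched
    installs: dict[str, Optional[datetime]]


def time_to_coverage(rollout: PatchRollout, percent: int) -> Optional[float]:
    """Hours from release until `percent` of in-scope assets were patched.

    Returns None when the rollout never reached that coverage level, which is
    itself a finding: the remaining assets need an owner or a documented exception.
    """
    total = len(rollout.installs)
    needed = (percent * total + 99) // 100          # integer ceiling, no float drift
    done = sorted(t for t in rollout.installs.values() if t is not None)
    if needed == 0 or len(done) < needed:
        return None
    return (done[needed - 1] - rollout.released) / timedelta(hours=1)


def mean_time_to_coverage(rollouts: list[PatchRollout], percent: int) -> Optional[float]:
    """Mean hours across the rollouts that reached `percent` coverage (None if none did)."""
    reached = [h for h in (time_to_coverage(r, percent) for r in rollouts) if h is not None]
    return sum(reached) / len(reached) if reached else None


def unpatched_assets(rollout: PatchRollout) -> list[str]:
    """Assets with no confirmed install: the backlog that blocks the 100% key result."""
    return sorted(name for name, t in rollout.installs.items() if t is None)


def assets_over_sla(rollout: PatchRollout, sla_hours: float) -> list[str]:
    """Assets that took longer than the critical-patch SLA, or never installed at all."""
    late = []
    for name, t in rollout.installs.items():
        if t is None or (t - rollout.released) / timedelta(hours=1) > sla_hours:
            late.append(name)
    return sorted(late)


def sample_rollouts() -> list[PatchRollout]:
    """Constructed sample data (not real telemetry): two patches across ten servers."""
    released = datetime(2024, 1, 1, 0, 0)

    def rollout(patch_id: str, hours: list[Optional[int]]) -> PatchRollout:
        installs = {
            f"srv-{i + 1:02d}": (released + timedelta(hours=h) if h is not None else None)
            for i, h in enumerate(hours)
        }
        return PatchRollout(patch_id, released, installs)

    return [
        rollout("KB-EXAMPLE-A", [2, 3, 4, 5, 6, 8, 10, 12, 30, 48]),
        rollout("KB-EXAMPLE-B", [1, 1, 2, 2, 3, 3, 4, 20, 40, None]),
    ]


if __name__ == "__main__":
    rollouts = sample_rollouts()
    for pct in (90, 100):
        print(f"mean time to {pct}% coverage: {mean_time_to_coverage(rollouts, pct)} h")
    for r in rollouts:
        print(r.patch_id, "unpatched:", unpatched_assets(r),
              "over 24h SLA:", assets_over_sla(r, 24))
```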
WHAT
Implementation Workstreams and Leads
❑ Update Organizational Accountability
to reflect organizational nature of risk
<add name(s)>
designated by
CEO/CFO
❑ Update Budget and Acquisition policy
for accountability and technology lifetime
<add name(s)>
Designated by CFO
❑ Update Security Patching/Maintenance Policy
to reflect accountability model
<add name(s)>
CISO/CIO and
governance team
❑ User Device Patching
to apply updated organizational policy
<add name(s)>
IT Productivity / End
User Team(s)
❑ Domain Controllers and DNS Patching
to apply updated organizational policy
<add name(s)>
Identity/Networking/
Server Infra Teams
❑ Server Infrastructure Patching
to apply updated organizational policy
<add name(s)>
Server Infra Teams
❑ Container Patching
to apply updated organizational policy
<add name(s)>
Server Infra Teams
❑ Application Patching
to apply updated organizational policy
<add name(s)>
Multiple Teams
❑ Firmware and Device Patching
to apply updated organizational policy
<add name(s)>
Multiple Teams
Normalize rigorous security maintenance for software
WHO
Directly Responsible Individuals (DRIs)
EXECUTIVE
SPONSOR
CEO or Delegate
(frequently CFO)
PROJECT
LEADERSHIP
CIO or delegate
PROJECT TEAM(S)
Business / Application / Cloud Teams
• <add name(s)>
IT/OT/IoT Asset Management
• <add name(s)>
Purchasing/Vendor Management
• <add name(s)>
Central and Business Unit IT Infrastructure
• <add name(s)>
Productivity / End User Team(s)
(Technical and Communications Teams)
• <add name(s)>
Security Policy and Standards
• <add name(s)>
Security Compliance Management
• <add name(s)>
Security & IT/Enterprise Architecture
• <add name(s)>
TIMELINES / DEADLINES
Within 30 Days
Focus immediately on accountability
changes and getting critical patches
deployed within hours or days, then
continuous improvement on all asset types
WORKSTREAM DETAILS
Technical Plan Workstreams · Modernize Patch Management
WHAT - Implementation Workstreams and Leads
HOW – Key directional guidance
❑ Update Organizational Accountability
to reflect organizational nature of risk
<add name(s)>
designated by
CEO/CFO
• Define accountability and shared responsibility model to reflect the organization-wide nature of cybersecurity risk and
distributed responsibility of mitigation via applying patches.
• Set up a team model where system owners are accountable, system managers are responsible for patching assets, and
security is responsible for advising and assisting
• Update incentive structures and measurements include scorecards, and objectives and key results (OKRs), etc.
❑ Update Budget and Acquisition policy
for accountability and technology lifetime
<add name(s)>
Designated by CFO
• Allocate budget to support performing required security maintenance and application sustainment
• Update revenue projections based on any required changes to schedule and uptime
• Update acquisition policy to require vendor support is available for expected lifetime of the technology
❑ Update Security Patching/Maintenance Policy
to reflect accountability model
<add name(s)>
CISO/CIO and
governance team
Define and approve organizational policy and standards
that reflects updated accountability model and acquisition policy
❑ User Device Patching
to apply updated organizational policy
<add name(s)>
Productivity / End
User Team(s)
Update processes, tooling, and
skills for all components including
supply chain:
• Change – adopt a ‘patch by
default’ approach to rapidly
update assets while enabling
asset owners limited control of
timing for testing and reboots
• Build – Automate deployment
(CI/CD, IaC, etc.) and include
security updates and
configuration
• Restore – Build and test ability
to rapidly recover systems after
an attack
• Retire – Ensure all asset types
support exception process and
replace/isolate un-securable
assets
Continuously improve until
reaching ideal state
Scope: Update all user devices (corporate issued, BYOD, mobile, PC, Mac, etc.) while
giving users limited control over reboot scheduling.
Key Tooling: Intune, SCCM (Dynamic Updates | WaaS), WSUS, 3rd party tools
❑ Domain Controllers and DNS Patching
to apply updated organizational policy
<add name(s)>
Identity/Networking/
Server Infra Teams
Scope: Active Directory Domain Controllers, Exchange Servers, and DNS Servers
(high network exposure, high impact, and high resiliency/redundancy built in)
Key Tooling: WSUS / SCCM, Azure VM Patching, 3rd party tools
❑ Server Infrastructure Patching
to apply updated organizational policy
<add name(s)>
Server Infra Teams
Scope: All server operating systems instances (VMs, physical servers, hypervisors, etc.)
Key Tooling: Azure VM Patching, Azure Update Management Center (Preview), RPM, APT-GET, Chef,
Ansible, Puppet, Windows Update, WSUS, SCCM, 3rd party tools
❑ Container Patching
to apply updated organizational policy
<add name(s)>
Server Infra Teams
Scope: Container orchestration, images, and image repositories
Key Tooling: Standard server patching for orchestration/infrastructure, container creation
and repository management tools for containers, Defender for Containers
❑ Application Patching
to apply updated organizational policy
<add name(s)>
Multiple Teams
Scope: All apps, middleware, and supply chain components for all formats and platforms
Key Tooling: Standard user device and server tooling, additional 3rd party tooling
❑ Firmware and Device Patching
to apply updated organizational policy
<add name(s)>
Multiple Teams
Scope: Firmware & embedded OS/applications for user devices, servers, printers,
routers/Switches, IoT devices, OT Devices, others with work data / network connectivity
Key Tooling: WSUS (Surface devices and other OEMs), 3rd party tools
Reference Policy
and Standards
Secure Identities
and Access
Adoption Framework
Evolution of Authentication and Authorization
KNOWN – Authenticated claim/assertion of individual identity
ALLOWED – “Coarse authorization” during authentication process that enforces common trust attributes
TRUSTED – Granular authorization of individual attributes and entitlements
AUTHENTICATED → AUTHORIZED
Two-Part Access Management Strategy
High Volume of accounts
1. High Scale: Secure the Whole Attack Surface
Establish and improve security across all accounts and all access paths
Highly
Privileged
Accounts
2. High Impact: Privileged Access
Increase security for each privileged
account with high business impact
Top Concern: Privileged Access
Attackers with Admin Accounts can access many/all resources
…creating a ‘cone of pain’
Cloud Admins
On Premises
Admins
3rd Party
Cloud SaaS apps
Microsoft Cloud
On-prem & Legacy apps
Privileged Admin Account(s)
(Identity Admins, IT Admins,
Security Admins, etc.)
Two Secure Approaches for PAWs
Strong hardware foundation for Operating System
Separate Dedicated Hardware – Full Physical Separation
Typical Scenarios
• High Security - complete isolation is required
• Single focus/function – only works with one sensitive or business critical system
Single Hardware – Virtualized User (+Admin) Desktop on PAW
Typical Scenarios
• Privileged user is mobile or has limited desk space
• Administration of multiple systems (cloud and on-premises, management and control plane, etc.)
• Where hardware cost is a consideration
Cloud management
and security
Device Risk
Managed?
Compliant?
Infected with Malware?
…and more
User/Identity Risk
Multi-factor Authentication?
Impossible Travel?
Unusual Locations?
Password Leaked?
…and more
Any apps
and resources
Microsoft 365 apps
and resources
Internet and
SaaS apps
All private apps
Private web apps
Access Management Capabilities
Adaptive Access applying Zero Trust Principles
Legend
Trust Signal Adaptive Access Policy
Threat Intelligence Additional Policy & Monitoring
Decision
based on organizational policy
Signal
to make an informed decision
Enablement and Enforcement
of policy across resources
Integrated Threat Intelligence Security Policy
Engine
Organization Policy
Continuous Risk
Evaluation
Partner
Employee
Customer
Virtual Private Network (VPN)
Legacy technology being retired
Direct Application Access
Core adaptive access policy
Workload
Can be implemented today using Microsoft and partner capabilities
Macro- and Micro-segmentation
Workload isolation using identity,
network, app, and other controls
Remediate
User and
Device Risk
Security Service Edge (SSE)
Additional policy control & monitoring
with Zero Trust Network Access (ZTNA), secure web
gateway (SWG), Cloud Access Security Broker
(CASB), and Firewall-as-a-Service (FWaaS)
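The adaptive access flow on this slide (device and user risk signals feeding a policy engine that decides, enforces, and sends the user or device to remediation) can be illustrated with a small rule-ordered evaluator. This is an added example, not the original deck's content and not the behaviour of Microsoft Entra Conditional Access; the rule set, resource classes and sample requests are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    ALLOW_LIMITED = "allow with limited session (browser only, no download)"
    REQUIRE_MFA = "require multi-factor authentication before access"
    REQUIRE_PASSWORD_RESET = "block until password reset and MFA"
    BLOCK = "block"


@dataclass
class DeviceSignals:
    """Device-risk signals from the slide: Managed? Compliant? Infected with malware?"""
    managed: bool
    compliant: bool
    malware_detected: bool


@dataclass
class UserSignals:
    """User/identity-risk signals: MFA? Impossible travel? Unusual location? Password leaked?"""
    mfa_satisfied: bool          # MFA completed for this sign-in
    impossible_travel: bool
    unusual_location: bool
    password_leaked: bool


@dataclass
class AccessRequest:
    user: str
    resource_class: str          # assumed classes: "m365", "saas", "private-app"
    device: DeviceSignals
    identity: UserSignals


@dataclass
class Outcome:
    decision: Decision
    reasons: list[str] = field(default_factory=list)
    remediation: list[str] = field(default_factory=list)


def evaluate(req: AccessRequest) -> Outcome:
    """Apply an assumed organizational policy, most severe rule first; the first match wins."""
    d, u = req.device, req.identity
    # 1. A device known to be infected is not trusted for any resource
    if d.malware_detected:
        return Outcome(Decision.BLOCK, ["device infected with malware"],
                       ["isolate device", "remediate and re-check compliance"])
    # 2. A leaked password means the credential itself is compromised; MFA alone is not enough
    if u.password_leaked:
        return Outcome(Decision.REQUIRE_PASSWORD_RESET, ["password found in leaked-credential data"],
                       ["force password reset", "revoke existing sessions and refresh tokens"])
    device_trusted = d.managed and d.compliant
    # 3. Private apps are only reachable from a managed, compliant device
    if req.resource_class == "private-app" and not device_trusted:
        return Outcome(Decision.BLOCK, ["private app requested from untrusted device"],
                       ["enroll device in management", "resolve compliance findings"])
    # 4. Elevated sign-in risk, or the baseline policy, requires MFA for this sign-in
    risk = [r for flag, r in ((u.impossible_travel, "impossible travel"),
                              (u.unusual_location, "sign-in from unusual location")) if flag]
    if not u.mfa_satisfied:
        return Outcome(Decision.REQUIRE_MFA, risk or ["organizational baseline: MFA for every sign-in"],
                       ["complete MFA challenge"])
    # 5. MFA done but device untrusted: grant access with a restricted session
    if not device_trusted:
        return Outcome(Decision.ALLOW_LIMITED, ["unmanaged or non-compliant device"],
                       ["enroll device to obtain a full session"])
    # 6. Full access; flagged risk that MFA cleared is still worth an analyst's review
    return Outcome(Decision.ALLOW, ["MFA satisfied on a managed, compliant device"],
                   ["review flagged sign-in risk: " + ", ".join(risk)] if risk else [])


def sample_requests() -> list[AccessRequest]:
    """Constructed scenarios (not real sign-in data) that exercise each rule."""
    trusted = DeviceSignals(managed=True, compliant=True, malware_detected=False)
    byod = DeviceSignals(managed=False, compliant=False, malware_detected=False)
    infected = DeviceSignals(managed=True, compliant=True, malware_detected=True)
    clean = UserSignals(mfa_satisfied=True, impossible_travel=False,
                        unusual_location=False, password_leaked=False)
    return [
        AccessRequest("employee", "m365", trusted, clean),
        AccessRequest("contractor", "saas", byod, clean),
        AccessRequest("admin", "private-app", trusted, UserSignals(True, False, False, True)),
        AccessRequest("employee", "m365", infected, clean),
        AccessRequest("employee", "saas", trusted, UserSignals(False, True, False, False)),
        AccessRequest("partner", "private-app", byod, clean),
    ]


if __name__ == "__main__":
    for req in sample_requests():
        out = evaluate(req)
        print(f"{req.user:10} {req.resource_class:12} -> {out.decision.value}; "
              f"reasons={out.reasons}; remediation={out.remediation}")
```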
Modern Security
Operations
Adoption Framework
Broad Enterprise View
Correlated/Unified
Incident View
Microsoft Reference Architecture
Expert Assistance
Enabling analysts with scarce skills
Deep Insights
Actionable detections
from an XDR tool with
deep knowledge of
assets, AI/ML, UEBA,
and SOAR
Raw Data: Security & Activity Logs (Classic SIEM), Case Management
Microsoft Threat Intelligence – 65+ Trillion signals per day of security context & Human Expertise
API integration
Legend: Consulting and Escalation | Outsourcing | Native Resource Monitoring | Event Log Based Monitoring | Investigation & Proactive Hunting
Security Operations – SOAR reduces analyst effort/time per incident, increasing SecOps capacity
Security & Network – Provide actionable security detections, raw logs, or both
Microsoft Sentinel: Machine Learning (ML) & AI; Behavioral Analytics (UEBA); Security Data Lake; Security Incident & Event Management (SIEM); Security Orchestration, Automation, and Remediation (SOAR)
Infrastructure & Apps | PaaS | OT & IoT | Identity & Access Management {LDAP} | Endpoint & Mobile | Information
SOAR – Automated investigation and response (AutoIR)
Microsoft Defender XDR – Extended Detection and Response (XDR)
Defender for Cloud: Containers; Servers & VMs; SQL; Azure app services; Network traffic
Defender for Endpoint
Defender for Cloud Apps
Defender for Office 365
Defender for Identity
Entra ID Protection
December 2023 – https://aka.ms/MCRA
Managed Security Operations
Microsoft Security Experts: Managed XDR; Managed threat hunting; Incident response (formerly Detection & response team (DART))
Security Operations Modernization
Microsoft Security Copilot (Preview) – Simplifies experience for complex tasks/skills
Align to Mission + Continuously Improve – Measure and reduce attacker dwell time (attacker access to business assets) via Mean Time to Remediate (MTTR)
Analysts and Hunters
Defender for IoT & OT
Applications (SaaS, AI, legacy, DevOps, and other)
Incident Response | Security Operations (Triage, Investigation, sometimes Hunt)
Security Operations is a Team Sport
Main functions and how they work together
Threat Intelligence – Engaged with analysts and other roles to support investigations, hunting, and detection with research, data, analysis, control prioritization and more
Incident Management – Coordinate with other teams (including organizational leadership) on major incidents and coordinate practice exercises
Architects and Engineers – Collaborate on root cause analysis to ensure the same attacks won’t work again, automate response steps, etc.
Security Analysts – Investigate and remediate attacks with tooling and knowledge
• Triage – Respond to detections (high volume) to find attacks
• Investigation team – Investigate and remediate confirmed incidents
• Hunt – Hunt for attacks that evaded detection, tune detections, assist with incidents
Organizational Leadership | Legal | Communications
Identity | Email & Collab | Infrastructure | Endpoint Detection & Response | Others (Alerts & Logs from Firewall, WAF, IDS, Apps, etc.) | Cloud Apps
Attackers traverse rapidly across the enterprise
Silos are the Bane of Security Operations
Integrating Silos is Challenging
MAPPING CHALLENGES – Tools Pivot on Different Attributes: Network IP address, Computer Name, Documents, Device ID, Email, Etc.
STRONG BIASES/TENDENCIES
Identity – Reports only high-quality alerts because analysts have alert fatigue and resist new tools; analysts with network background don’t understand value and meaning of detections
Endpoint – Verbose alert reporting; AV testing focuses on “not missing” malware; reporting more improves showing in AV Testing reports
…
Defenders struggle to chase them across silos
Antivirus | Threat Intelligence | IoT and OT/ICS
Integrating Silos is Challenging
Requires significant work to integrate disparate products
Harmonize analyst experience – Across portals and interfaces
Write/Update Automation – Orchestrate common tasks across systems
Harmonize entity definitions – Consistency across users, devices, email, IPs, etc.
Harmonize semantics & meaning – Correlation, prioritization, orchestration, etc.
Ensure tools provide APIs
Select & Implement Tools
Others (Alerts & Logs from Firewall, WAF, IDS, Apps, etc.) | Cloud Apps
Protect | Investigate | Remediate
Event | Alert | Incident | Mappings
#.#.#.#
Analyst Workflow/Portal Experience
Infrastructure | Email & Collab | Antivirus | Endpoint Detection & Response | Identity | IoT and OT/ICS | Threat Intelligence
…and each new/changed product must be integrated
Integrate Threat Intelligence – To enrich all the different elements
Create/Maintain Detections – Add new detections and tune existing ones
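The entity-harmonization work described on the last two slides (tools that pivot on IP address, computer name, device ID or email, which the SOC must map onto consistent user and device definitions before alerts can be correlated), as an added example that is not from the slide deck: a Python snippet that resolves alerts from three constructed tools onto a common entity set via a constructed asset inventory and groups them into incidents. The inventory, alert shapes, hostnames, addresses and the two-hour window are all constructed for this example.

```python
"""Entity harmonization and cross-silo alert correlation (added example, not
from the slide deck). Each constructed tool pivots on a different attribute,
as the slide describes (identity: UPN, endpoint: device ID, network: IP). A
constructed asset inventory maps them onto one common {user, device_id, ip}
entity set so alerts about the same user/device fall into one incident."""
from datetime import datetime, timedelta

# Constructed asset inventory: the shared entity definitions across tools.
DEVICES = [
    {"device_id": "dev-001", "hostname": "WS-FIN-07", "ip": "10.1.4.23",
     "primary_user": "alice@contoso.example"},
    {"device_id": "dev-002", "hostname": "WS-HR-12", "ip": "10.1.9.8",
     "primary_user": "bob@contoso.example"},
]

# Constructed raw alerts, each in its tool's native shape.
RAW_ALERTS = [
    {"source": "identity", "ts": "2024-03-01T09:00:00",
     "title": "Impossible travel sign-in", "upn": "alice@contoso.example"},
    {"source": "endpoint", "ts": "2024-03-01T09:05:00",
     "title": "Suspicious PowerShell execution", "device_id": "dev-001"},
    {"source": "network", "ts": "2024-03-01T09:07:00",
     "title": "Outbound connection to rare domain", "src_ip": "10.1.4.23"},
    {"source": "endpoint", "ts": "2024-03-01T14:00:00",
     "title": "Malware quarantined", "device_id": "dev-002"},
]


def _lookup(field, value):
    """Find the inventory record whose `field` equals `value`, or None."""
    return next((d for d in DEVICES if d[field] == value), None)


def resolve_entities(alert):
    """Map a tool-specific pivot attribute onto the common entity set.

    Returns only the keys that could be resolved; an alert whose pivot value
    is unknown to the inventory yields an empty dict.
    """
    entity = {}
    if alert["source"] == "identity":
        entity["user"] = alert["upn"]
        device = _lookup("primary_user", alert["upn"])
    elif alert["source"] == "endpoint":
        device = _lookup("device_id", alert["device_id"])
    elif alert["source"] == "network":
        device = _lookup("ip", alert["src_ip"])
    else:
        device = None
    if device:
        entity["device_id"] = device["device_id"]
        entity["ip"] = device["ip"]
        entity.setdefault("user", device["primary_user"])
    return entity


def correlate(alerts, window=timedelta(hours=2)):
    """Group alerts sharing any harmonized entity within `window` into incidents."""
    incidents = []
    for raw in sorted(alerts, key=lambda a: a["ts"]):
        ts = datetime.fromisoformat(raw["ts"])
        entities = resolve_entities(raw)
        match = None
        for inc in incidents:
            shares_entity = any(inc["entities"].get(k) == v for k, v in entities.items())
            if shares_entity and ts - inc["last_seen"] <= window:
                match = inc
                break
        if match is None:
            # Unresolvable alerts (empty entity set) always open a new incident.
            match = {"id": f"INC-{len(incidents) + 1:03d}", "entities": {},
                     "alerts": [], "last_seen": ts}
            incidents.append(match)
        match["entities"].update(entities)
        match["alerts"].append(f'{raw["source"]}: {raw["title"]}')
        match["last_seen"] = ts
    return incidents


if __name__ == "__main__":
    for inc in correlate(RAW_ALERTS):
        print(inc["id"], inc["entities"], inc["alerts"])
```

The three alice/dev-001 alerts land in one incident even though no two of them share a raw attribute; the dev-002 alert stays separate.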
Microsoft Integrated XDR+SIEM
More SecOps visibility with less integration burden
Limited XDR (EDR only or EDR+) | Classic SIEM Model (AV, network, other data) | Integrated XDR+SIEM
• Investigate, Remediate, and Hunt
• Write/Update Automation (SOAR)
• Create/Maintain Email Detections
• Create/Maintain Cloud App Detections
• Create/Maintain Cloud Identity Detections
• Create/Maintain On-Prem Identity Detections
• Create/Maintain Endpoint Detections
• Create/Maintain DevOps Detections
• Create/Maintain Database Detections
• Create/Maintain Storage Detections
• Create/Maintain Container Detections
• Create/Maintain Cloud Infra Detections
• Create/Maintain IoT & OT/ICS Detections
• SIEM – Integrate Threat Intelligence (If SIEM Present)
• SIEM – Integrate UEBA and ML (If SIEM Present)
• SIEM – Harmonize Definitions & Semantics (If SIEM Present)
• Ensure tools provide APIs
• Select & Implement Tools
Integrated XDR+SIEM simplifies SecOps and reduces wasted time by providing and maintaining:
• Asset-specific detections
• Tooling integration
• Threat Intelligence integration
• MITRE ATT&CK coverage
• Additional detailed data for investigation and advanced hunting
This allows analysts to focus on responding to incidents & reducing organizational risk
Microsoft Defender XDR
Direct Risk Reduction | Your Maintenance Burden | Vendor Maintenance Burden
Primary Focus: Reduce Risk by removing attacker access to resources. All other activities support this and should not distract from it.
Defender for Cloud
Microsoft Sentinel
Infrastructure and Development Security
Adoption Framework
What you want for a train ride is what you want for workloads:
Functional – Does what it promises
Secure – Resilient to attacks
Reliable – Performs well and stays available
DevSecOps – Agile security for workloads
Architecture & Governance – Security, Compliance, Identity, & Other Standards
Idea Incubation → New Product or Service → Production DevSecOps → Continuous improvement
Developer
DESIGN/CODE → BUILD → DEPLOY → RUN
Minimum viable product (MVP) for:
Dev – Business / Technical Requirements
Sec – Compliance / Security / Safety
Ops – Quality / Performance / Support
Governance – Continuous Improvement
Secure Design | Secure Code | Secure the Operations | Secure CI/CD Pipeline
First Production Release
Continuous Improvement of DevSecOps Lifecycle
1. MVP definitions – Update minimum requirements for Dev, Sec, and Ops (agility, stability, security, identity standards, and more)
2. Continuously improve process, program, education, tooling, etc. to improve developer productivity, efficiency, security, identity, and more
Protecting assets requires partnership and expertise across teams
Architecture and Engineering
• Rules/Guidelines/Standards across workloads and common organization-wide infrastructure
• Templates/automation for all workloads
Security Operations (SecOps/SOC)
• Incident Response – Rapid remediation of attacks
• Incident Management – Technical & business coordination
• Advanced Functions – Threat hunting, detection engineering, & more
Workload Team
• Business Owner – Workload goals, risks, data, requirements
• Application Architect – Application design
• Developer – Application build/implementation
Operations Team(s) (Infrastructure/DevOps)
• Workload – Build/configure/change/rebuild/recover OS, containers, network, identity, and more for workloads
• Infrastructure Operations – (same for common infrastructure)
Posture Management
• Monitoring – Monitor and report on security posture
• Enablement – Identify and clear security blockers
Infrastructure Development Security is a Team Sport
Shared responsibility model enables effective security
Common Infrastructure + per-workload infrastructure
Responsibility | Workload Team | Operations Team(s) | Architecture & Engineering | Security Operations
Application – Preventive Control Design & Implementation Co-Lead Co-Lead
Application – Detection Design, Implementation, & Monitoring Co-Lead Co-Lead
Application - Remediation & Recovery Co-Lead Co-Lead
OS/Container – Preventive Control Design & Implementation Lead
OS/Container – Detection Design, Implementation, & Monitoring Co-Lead Co-Lead
OS/Container – Remediation & Recovery Lead
Security Incident Management Lead
Security Incident Response May Lead May Lead May Lead
High impact on business/safety
Temporary exception for rapid prototyping low-risk workloads
Balanced approach for most workloads most of the time
Comparing DevSecOps Security Levels
Rapid prototyping of low business impact workload
Temporary Minimum | Standard | High Security
Impact: Life/Safety or business critical assets
Key Antipattern: Bizarro Risk Exceptions – Organizational risk is amplified when granting permanent security exceptions for business-critical workloads (often for political reasons)
DevSecOps Security Profiles – Control Comparison

Lifecycle Stage | Control | Temporary Minimum | Standard | High Security
Secure Design | Threat Model (Security Design Review) | Optional | Recommended | Required
Secure Code | Code Analysis (static/CodeQL or dynamic) | Minimum Scan | Full Scan & Fix | Scan & Enforce
Secure Code | Supply Chain / Dependency management | Inventory | Analysis & Fix | Block all insecure
Secure Code | Security Code Review | Recommended | Recommended | Required
Secure Code | Credential and Secret Scanning | Required | Required | Required
Secure CI/CD Pipeline | Reinforce/Check ‘Secure the Code’ Controls | Required | Required | Required
Secure CI/CD Pipeline | Secure Pipeline (Access/Infrastructure/Apps) | Required | Required | Required
Secure the Operations | Live Site Penetration Testing | Recommended | Recommended! | Required
Secure the Operations | Identity/App Access Controls | Minimum | Standard | High Security
Secure the Operations | Host/Container Controls | Minimum | Standard | High Security
Secure the Operations | Network Access Controls | Minimum | Standard | High Security
Secure the Operations | Monitoring, Response, and Recovery | Basic XDR | + Custom (Environment) | + Custom (Workload)

Critical Foundations – For all developers & all projects: Security in Blameless Postmortems + Security Coding Standards + Security Tools and Training + Tool Chain Security
Shift left… but double-check! Find + fix issues during development and reinforce controls in CI/CD pipeline
Artificial Intelligence (AI) Implications
• Secure all code – Whether written by human or generative AI
• Use both for security – Apply classic and AI controls as available
Microsoft Secure Score
Microsoft Defender XDR – Unified Threat Detection and Response across IT, OT, and IoT Assets (Incident Response | Automation | Threat Hunting | Threat Intelligence)
Microsoft Sentinel – Cloud Native SIEM, SOAR, and UEBA
Microsoft Security Copilot (Preview)
Azure Cloud Adoption Framework (CAF) – Guidance on security strategy, planning, roles and responsibilities https://aka.ms/CAF
Zero Trust Access Control – Explicit trust validation for users and devices before allowing access
Infrastructure Security Capabilities – Apply Zero Trust principles across multi-cloud cross-platform environments
Infrastructure & Platform as a Service (IaaS & PaaS)
Full Time Employees, Partners, and/or outsourced providers
Microsoft Entra ID Governance: Automated User Provisioning; Entitlement Management; Access Reviews; Privileged Identity Management (PIM); Terms of Use
Entra Privileged Identity Management (PIM)
Entra ID Protection
MFA and Passwordless: Entra MFA; Windows Hello; Existing MFA
Management Plane Security – Platform provided security guardrails, governance, policy, and more
Endpoint logs | PIM Logs | Entra ID logs, access logs, alerts, risk scoring
Privileged Access Workstation (PAW)
Control – Governance & Policy Enforcement | Preventive Controls
Security Posture Visibility
Threat Detection & Response
Raw Logs and Signal for Investigation & Hunting
Microsoft Defender for Cloud
Azure Policy
Role Based Access Control (RBAC)
Azure Blueprints
Management Groups
Azure Lighthouse
Azure Backup & Site Recovery
Resource Locks
Data Plane Security – Per-Application/Workload Controls
Microsoft Defender for Cloud Apps
Azure Well Architected Framework (WAF)
Microsoft Cloud Security Benchmark (MCSB) – Prescriptive Best Practices and Controls
Internal Communications (East/West) | External Communications (North/South)
Network/App Security Groups
API Management Gateway
Azure DDoS and Web Application Firewall (WAF)
PrivateLink & Service Endpoints
Encryption & Azure Key Vault, Application RBAC Model
Azure Firewall and Firewall Management
Azure DevOps Security
GitHub Advanced Security
Unified Endpoint Management: Intune; Configuration Manager
Azure Bastion
Microsoft 365 Defender
Customers (and ‘External’ Partners) | Business Users | Developers | App/Service and Automation | Administrators
API | Application | Workstations
‘Internal’ Access | Accounts | Access and Privileges | Interfaces
Identity | Infrastructure | Network & ‘External’ Access
Resources
Top 10 Azure Security Best Practices
Entra App Proxy
Defender for DevOps
Conditional Access
Entra Private Access (preview)
Entra Permissions Management
Microsoft Defender for Cloud – Risk & Regulatory Compliance Reporting
Azure Policy (audit) & Azure resource graph API
Microsoft Defender for Cloud – Detections across assets and tenants
Application Logs | Azure WAF Alerts | Azure Firewall Alerts | Azure DDOS Alerts
Network Watcher – IP Flow logs, Packet Capture, Virtual TAP
Azure activity log | Azure Service Diagnostic Logs & Metrics
Microsoft Defender for Cloud Apps – MDCA Alerts, MDCA Logs
VMs & Tenants (Azure, On-prem, 3rd party clouds); Containers and Kubernetes; IoT and Legacy OT Devices (SCADA, ICS, etc.); Application Programming Interfaces (APIs); CI/CD Pipelines; Azure SQL & Cosmos DB; Azure Storage Accounts; And More…
Microsoft Defender External Attack Surface Management (EASM)
Microsoft Defender for Identity
Microsoft Defender for Endpoint
Entra ID Protection
CI/CD Pipeline
Azure Resource Management (ARM)
Access Applications
Azure Portal | Command Line Interface (CLI) | Automation/API
Microsoft Entra ID & External Identities – Formerly Azure AD
Active Directory
Azure Sphere
Existing/Other Internet of Things (IoT) Devices
Azure IoT Hub
External Identities
On-Premises & Other Cloud Resources/Data
Azure Resources/Data
Defender for APIs (preview)
Security Capability Adoption Planning (SCAP)
Adoption Framework
Security Capability Adoption Planning – Maximize value from current security product licenses and entitlements with education + prioritization / planning exercise
End to End Strategy and Planning
Zero Trust Architecture – Security ADS Module 1 – Zero Trust Architecture
Product Adoption – Security Capability Adoption Planning (2-3 days)
Where do you want to Start? There’s no wrong place to start ☺
Security Strategy and Program – Plan and Execute Initiatives
Secure Identities and Access – Module 2 – Secure Identities and Access
Modern Security Operations (SecOps/SOC) – Module 3 – Modern Security Operations (SecOps/SOC)
Infrastructure & Development Security – Module 4 – Infrastructure & Development Security
Topic Summary | Full workshop
4 hours | MCRA | CISO Workshop | 2-3 days | 2-3 days | 4 hours | 4 hours | 4 hours
Key Resources
Zero Trust Playbook – ZeroTrustPlaybook.com | aka.ms/MarksList
The Open Group – Zero Trust Commandments aka.ms/ZTCommandments | Zero Trust Reference Model aka.ms/ZTRefModel
Microsoft – Learn more about Microsoft Security
• Security Adoption Framework (SAF) – aka.ms/SAF
• Security Documentation – aka.ms/SecurityDocs
• Product Capabilities – www.microsoft.com/security/business
• Reference Architectures – aka.ms/MCRA | aka.ms/MCRA-videos
• CISO workshop – aka.ms/CISOworkshop | aka.ms/CISOworkshop-videos
Additional References
Security Adoption Framework – aka.ms/saf
Security Resources – Security Documentation aka.ms/SecurityDocs
Security Strategy and Program
• CISO Workshop – aka.ms/CISOworkshop | -videos
• Cloud Adoption Framework (CAF) – aka.ms/cafsecure
• Driving Business Outcomes Using Zero Trust
▪ Rapidly modernize your security posture for Zero Trust
▪ Secure remote and hybrid work with Zero Trust
▪ Identify and protect sensitive business data with Zero Trust
▪ Meet regulatory and compliance requirements with Zero Trust
Zero Trust Architecture
• Microsoft Cybersecurity Reference Architectures (MCRA) – aka.ms/MCRA | -videos
• Zero Trust Deployment Guidance – aka.ms/ztguide | aka.ms/ztramp
• Ransomware and Extortion Mitigation – aka.ms/humanoperated
• Backup and restore plan to protect against ransomware – aka.ms/backup
Secure Identities and Access
• Securing Privileged Access (SPA) Guidance – aka.ms/SPA
• Access Control Discipline
• Ninja Training – Microsoft Defender for Identity http://aka.ms/mdininja
• MCRA Video – Zero Trust User Access
• Microsoft Entra Documentation – aka.ms/entradocs
Modern Security Operations (SecOps/SOC)
• Incident Response – aka.ms/IR
• CDOC Case Study – aka.ms/ITSOC
• Ninja Training – Microsoft 365 Defender http://aka.ms/m365dninja | Microsoft Defender for Office 365 https://aka.ms/mdoninja | Microsoft Defender for Endpoint http://aka.ms/mdeninja | Microsoft Cloud App Security http://aka.ms/mcasninja | Microsoft Sentinel
• MCRA Videos – Security Operations | SecOps Integration
Infrastructure & Development Security
• Microsoft Cloud Security Benchmark (MCSB) – aka.ms/benchmarkdocs
• Well Architected Framework (WAF) – aka.ms/wafsecure
• Azure Security Top 10 – aka.ms/azuresecuritytop10
• Ninja Training – Defender for Cloud
• MCRA Video – Infrastructure Security
• Defender for Cloud Documentation
Data Security & Governance
• Secure data with Zero Trust
• Ninja Training – Microsoft Purview Information Protection https://aka.ms/MIPNinja | Microsoft Purview Data Loss Prevention https://aka.ms/DLPNinja | Insider Risk Management
• Microsoft Purview Documentation – aka.ms/purviewdocs
IoT and OT Security
• Ninja Training – Defender for IoT Training
• MCRA Videos – MCRA Video OT & IIoT Security
• Defender for IoT Documentation – aka.ms/D4IoTDocs
• Product Capabilities – www.microsoft.com/security/business
• Security Product Documentation – Azure | Microsoft 365
• Microsoft Security Response Center (MSRC) – www.microsoft.com/en-us/msrc
More Related Content

What's hot

Proactive Threat Hunting: Game-Changing Endpoint Protection Beyond Alerting
Proactive Threat Hunting: Game-Changing Endpoint Protection Beyond AlertingProactive Threat Hunting: Game-Changing Endpoint Protection Beyond Alerting
Proactive Threat Hunting: Game-Changing Endpoint Protection Beyond Alerting
CrowdStrike
 
kill-chain-presentation-v3
kill-chain-presentation-v3kill-chain-presentation-v3
kill-chain-presentation-v3
Shawn Croswell
 
6 Steps for Operationalizing Threat Intelligence
6 Steps for Operationalizing Threat Intelligence6 Steps for Operationalizing Threat Intelligence
6 Steps for Operationalizing Threat Intelligence
Sirius
 

What's hot (20)

Threat modelling(system + enterprise)
Threat modelling(system + enterprise)Threat modelling(system + enterprise)
Threat modelling(system + enterprise)
 
SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1
 
Proactive Threat Hunting: Game-Changing Endpoint Protection Beyond Alerting
Proactive Threat Hunting: Game-Changing Endpoint Protection Beyond AlertingProactive Threat Hunting: Game-Changing Endpoint Protection Beyond Alerting
Proactive Threat Hunting: Game-Changing Endpoint Protection Beyond Alerting
 
SOAR and SIEM.pptx
SOAR and SIEM.pptxSOAR and SIEM.pptx
SOAR and SIEM.pptx
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat Intelligence
 
Cyber threat intelligence ppt
Cyber threat intelligence pptCyber threat intelligence ppt
Cyber threat intelligence ppt
 
kill-chain-presentation-v3
kill-chain-presentation-v3kill-chain-presentation-v3
kill-chain-presentation-v3
 
Soc analyst course content
Soc analyst course contentSoc analyst course content
Soc analyst course content
 
SOC: Use cases and are we asking the right questions?
SOC: Use cases and are we asking the right questions?SOC: Use cases and are we asking the right questions?
SOC: Use cases and are we asking the right questions?
 
Siem ppt
Siem pptSiem ppt
Siem ppt
 
Threat Hunting - Moving from the ad hoc to the formal
Threat Hunting - Moving from the ad hoc to the formalThreat Hunting - Moving from the ad hoc to the formal
Threat Hunting - Moving from the ad hoc to the formal
 
Dragos S4x20: How to Build an OT Security Operations Center
Dragos S4x20: How to Build an OT Security Operations CenterDragos S4x20: How to Build an OT Security Operations Center
Dragos S4x20: How to Build an OT Security Operations Center
 
Introducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows tool
Introducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows toolIntroducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows tool
Introducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows tool
 
Next-Gen security operation center
Next-Gen security operation centerNext-Gen security operation center
Next-Gen security operation center
 
How MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsHow MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operations
 
6 Steps for Operationalizing Threat Intelligence
6 Steps for Operationalizing Threat Intelligence6 Steps for Operationalizing Threat Intelligence
6 Steps for Operationalizing Threat Intelligence
 
Building Security Operation Center
Building Security Operation CenterBuilding Security Operation Center
Building Security Operation Center
 
Netpluz Managed SOC - MSS Service
Netpluz Managed SOC - MSS Service Netpluz Managed SOC - MSS Service
Netpluz Managed SOC - MSS Service
 
Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]
 
Optimizing Security Operations: 5 Keys to Success
Optimizing Security Operations: 5 Keys to SuccessOptimizing Security Operations: 5 Keys to Success
Optimizing Security Operations: 5 Keys to Success
 

Similar to Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)

Fortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptxFortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptx
VictoriaChavesta
 
Software Security Testing
Software Security TestingSoftware Security Testing
Software Security Testing
ankitmehta21
 
The Open Group - ZT Commandments and Reference Model.pptx
The Open Group - ZT Commandments and Reference Model.pptxThe Open Group - ZT Commandments and Reference Model.pptx
The Open Group - ZT Commandments and Reference Model.pptx
Mark Simos
 

Similar to Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF) (20)

MS. Cybersecurity Reference Architecture
MS. Cybersecurity Reference ArchitectureMS. Cybersecurity Reference Architecture
MS. Cybersecurity Reference Architecture
 
Microsoft-CISO-Workshop-Security-Strategy-and-Program (1).pdf
Microsoft-CISO-Workshop-Security-Strategy-and-Program (1).pdfMicrosoft-CISO-Workshop-Security-Strategy-and-Program (1).pdf
Microsoft-CISO-Workshop-Security-Strategy-and-Program (1).pdf
 
microsoft-cybersecurity-reference-architectures (1).pptx
microsoft-cybersecurity-reference-architectures (1).pptxmicrosoft-cybersecurity-reference-architectures (1).pptx
microsoft-cybersecurity-reference-architectures (1).pptx
 
Microsoft Security adoptionguide for the enterprise
Microsoft Security adoptionguide for the enterpriseMicrosoft Security adoptionguide for the enterprise
Microsoft Security adoptionguide for the enterprise
 
Does Anyone Remember Enterprise Security Architecture?
Does Anyone Remember Enterprise Security Architecture?Does Anyone Remember Enterprise Security Architecture?
Does Anyone Remember Enterprise Security Architecture?
 
Fortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptxFortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptx
 
Fortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptxFortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptx
 
Daniel Grabski | Microsofts cybersecurity story
Daniel Grabski | Microsofts cybersecurity storyDaniel Grabski | Microsofts cybersecurity story
Daniel Grabski | Microsofts cybersecurity story
 
Security-by-Design in Enterprise Architecture
Security-by-Design in Enterprise ArchitectureSecurity-by-Design in Enterprise Architecture
Security-by-Design in Enterprise Architecture
 
Top reasons why Endpoint Security should move to Cloud | Sysfore
Top reasons why Endpoint Security should move to Cloud | SysforeTop reasons why Endpoint Security should move to Cloud | Sysfore
Top reasons why Endpoint Security should move to Cloud | Sysfore
 
Cost of Attack
Cost of AttackCost of Attack
Cost of Attack
 
Software Security Testing
Software Security TestingSoftware Security Testing
Software Security Testing
 
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
 
Securely Harden Microsoft 365 with Secure Score
Securely Harden Microsoft 365 with Secure ScoreSecurely Harden Microsoft 365 with Secure Score
Securely Harden Microsoft 365 with Secure Score
 
CompTIA CySA+ Domain 2 Software and Systems Security.pptx
CompTIA CySA+ Domain 2 Software and Systems Security.pptxCompTIA CySA+ Domain 2 Software and Systems Security.pptx
CompTIA CySA+ Domain 2 Software and Systems Security.pptx
 
The Open Group - ZT Commandments and Reference Model.pptx
The Open Group - ZT Commandments and Reference Model.pptxThe Open Group - ZT Commandments and Reference Model.pptx
The Open Group - ZT Commandments and Reference Model.pptx
 
Webinar: Microsoft 365 - Your Gateway to Data Loss Prevention
Webinar: Microsoft 365 - Your Gateway to Data Loss PreventionWebinar: Microsoft 365 - Your Gateway to Data Loss Prevention
Webinar: Microsoft 365 - Your Gateway to Data Loss Prevention
 
Cloud Adoption Framework Secure Overview
Cloud Adoption Framework Secure OverviewCloud Adoption Framework Secure Overview
Cloud Adoption Framework Secure Overview
 
Cyber Security for Non-Technical Executives (SC GMIS) Columbia, SC
Cyber Security for Non-Technical Executives (SC GMIS) Columbia, SCCyber Security for Non-Technical Executives (SC GMIS) Columbia, SC
Cyber Security for Non-Technical Executives (SC GMIS) Columbia, SC
 
DevSecOps – The Importance of DevOps Security in 2023.docx
DevSecOps – The Importance of DevOps Security in 2023.docxDevSecOps – The Importance of DevOps Security in 2023.docx
DevSecOps – The Importance of DevOps Security in 2023.docx
 

Recently uploaded

Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider  Progress from Awareness to Implementation.pptxTales from a Passkey Provider  Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
FIDO Alliance
 


Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)

  • 1. Mark Simos: Chef’s tour of the Security Adoption Framework (SAF)
  • 2. About the Chef: Mark Simos. Author, Zero Trust Playbook (ZeroTrustPlaybook.com, aka.ms/MarksList); Zero Trust Architecture Co-Chair, The Open Group; Lead Cybersecurity Architect, Microsoft
  • 3. Chef's Tour of SAF: A tour of end-to-end security that provides key references and samples across many areas of security. This training will use the Microsoft Security Adoption Framework (SAF) to guide you through security across a 'hybrid of everything' technical estate.
    • SAF delivered through Microsoft Unified
    • Extensive free resources available online at https://aka.ms/SAF including MCRA and CISO workshop
  • 4. Learning objectives. By the end of this session you will:
     Better understand the importance of an end-to-end security approach
     Better understand how the Security Adoption Framework (SAF) guides you through strategy, planning, and adoption of modern security approaches
     Have a deep appreciation for security complexity: learn a lot from this session, and understand how much more there is to learn and do
  • 5. Whiteboard: Current Security Architecture
    • Geography and Cloud Usage: Where does your organization operate? Which workloads are in the cloud? Which major cloud providers? (SaaS, PaaS, IaaS)
    • Business and Technical Drivers: What is top of mind for business stakeholders? What risks are important to the business? Business/technology initiatives driving change? What metrics are important to your program?
    • Threats: What types of attacks and adversaries are top of mind?
    • Compliance: Large & notable regulatory requirements
    • Architecture, Policy, and Collaboration: Describe how teams work together on end-to-end security + guiding documents/artifacts. Enterprise-wide security architecture approach and documentation; policy update, monitoring, and related governance processes; posture and vulnerability management processes; technical collaboration processes (e.g. sharing learnings, joint technical planning, etc. with security operations, architects, engineers, posture management, governance, others); differences between on-premises vs. cloud processes
  • 6. Security challenges are significant and continuously evolving
    • Microsoft investments to help security teams: end-to-end security capabilities; guidance and workshops
    • Illustrative examples of Security Adoption Framework (SAF) workshop content
    • Getting started and next steps
    • Overview and scoping
    • Adoption Framework: SAF guides your end-to-end security modernization journey using Zero Trust principles
  • 7. Security Success: attacker failure + increased attacker cost/friction. Invest intentionally into providing these durable outcomes (requires end-to-end collaboration):
    • ‘Left of Bang’: prevent as many attacks as possible. Block cheap and easy attacks: increase cost and friction for well known & proven attack methods (or easy-to-block options)
    • ‘Right of Bang’: rapidly and effectively manage attacks. Find and kick them out fast: reduce dwell time (mean time to remediate) with rapid detection and remediation
  • 8. It’s bad out there! For sale in “bad neighborhoods” on the internet:
    • Attacker for hire (per job): $250 per job (and up)
    • Ransomware Kits: $66 upfront (or 30% of the profit / affiliate model)
    • Compromised PCs / Devices: PC $0.13 to $0.89; Mobile $0.82 to $2.78
    • Spearphishing for hire: $100 to $1,000 (per successful account takeover)
    • Stolen Passwords: $0.97 per 1,000 (average) (Bulk: $150 for 400M)
    • Denial of Service: $766.67 per month
    • Other attacker services
    Continuous attack supply chain innovation: attacker techniques, business models, and skills/technology are continuously evolving. Many attack tools and tutorials/videos are available for free on the internet.
  • 9. Threat environment is continually evolving: attackers must change to overcome defenses (in big or small ways). Agile security is required to keep up with continuous changes.
    Leading edge (pushed forward by sophisticated groups & researchers):
    • Adoption & exploitation of Artificial Intelligence (AI)
    • Supply chain techniques
    • OT and IoT threats
    • Insider risk
    • Stealth: evading indicators of compromise (IOCs) and other detections
    • Improve existing techniques: identity/MFA evolution, zero day vulnerabilities, exploit line of business (LOB) apps, etc.
    Note: Sophisticated attackers sometimes use commodity toolkits to hide their origin.
    Commoditization (increases scale and impact of attacks):
    • Criminal gangs copy or purchase advanced techniques, integrate into toolkits
    • Also evolve financial and social aspects of extortion/ransomware models
  • 10. Security is complex and challenging: ‘Hybrid of Everything, Everywhere, All at Once’. Attackers have a lot of options across infrastructure, application, data, and people.
    ➢ Forcing security into a holistic complex approach
    ➢ Regulatory Sprawl: 200+ daily updates from 750 regulatory bodies
    ➢ Threats: continuously changing threat landscape
    ➢ Security Tools: dozens or hundreds of tools at customers
    Must secure across everything:
    ➢ Brand New: IoT, DevOps, and Cloud services, devices and products
    ➢ Current/Aging: 5-25 year old enterprise IT servers, products, etc.
    ➢ Legacy/Ancient: 30+ year old Operational Technology (OT) systems
    Nothing gets retired! Usually for fear of breaking something (& getting blamed). Attacks can shut all business operations down, creating board level risk. The ‘data swamp’ accumulates managed data + unmanaged ‘dark’ data.
  • 11. False assumptions of implicit or explicit trust, and the Zero Trust mitigation for each. Goal: Zero Assumed Trust, reduce risk by finding and removing implicit assumptions of trust. Systematically build & measure trust: with 30+ years of backlog at most organizations, it will take a while to burn down the backlog of assumed trust.
    • “Security is the opposite of productivity” → Business Enablement: align security to the organization’s mission, priorities, risks, and processes
    • “All attacks can be prevented” → Assume Compromise: continuously reduce blast radius and attack surface through prevention and detection/response/recovery
    • “Network security perimeter will keep attackers out” → Shift to Asset-Centric Security Strategy: revisit how to do access control, security operations, infrastructure and development security, and more
    • “Passwords are strong enough” → Explicitly Validate Account Security: require MFA and analyze all user sessions with behavior analytics, threat intelligence, and more
    • “IT Admins are safe” → Plan and Execute Privileged Access Strategy: establish security of accounts, workstations, and other privileged entities (aka.ms/spa)
    • “IT Infrastructure is safe” → Validate Infrastructure Integrity: explicitly validate trust of operating systems, applications, service accounts, and more
    • “Developers always write secure code” → Integrate security into development process: security education, issue detection and mitigation, response, and more
    • “The software and components we use are secure” → Supply chain security: validate the integrity of software and hardware components from open source, vendors, and others
  • 12. Microsoft is investing in security for our customers. There are no easy answers, but we are investing to make it easier.
    • Security Technology: automate and improve security processes by simplifying and automating security for the ‘hybrid of everything’ technical estate
    • Expert Engagements: help you assess, plan, implement, and optimize security programs and technology based on best practices and lessons learned
    • Accelerate Modernization: help integrate security successfully into IT and business processes to reduce risk and minimize friction
    • Continuous improvement: Microsoft invests $1b+ per year into security research & development; 8500+ security professionals on staff across 77 countries
  • 13. End-to-end security for the ‘hybrid of everything’ technical estate: an end-to-end security approach based on Zero Trust principles and industry best practices. Effective security requires people & process changes.
    • Security Strategy and Program: align to business priorities, business risks, and industry best practices
    • Zero Trust Architecture
    • Microsoft security portfolio: Secure Identities and Access; Modern Security Operations (SecOps/SOC); Infrastructure & Development Security; Data Security & Governance; IoT and OT Security
  • 14. Microsoft Cybersecurity Reference Architecture: security modernization with Zero Trust principles (December 2023 – aka.ms/MCRA). The slide is an interactive diagram; its components by area:
    • Security Guidance: Security Adoption Framework; Security Documentation; Cloud Security Benchmarks; Securing Privileged Access (aka.ms/SPA); Security Development Lifecycle (SDL); Service Trust Portal (how Microsoft secures cloud services); Threat Intelligence (65+ trillion signals per day of security context)
    • Security Operations / SOC: Microsoft Defender XDR, unified threat detection and response across IT, OT, and IoT assets (Incident Response | Automation | Threat Hunting | Threat Intelligence); Microsoft Sentinel, cloud native SIEM, SOAR, and UEBA; Microsoft Security Copilot (Preview); Managed Security Operations using Microsoft Security; Microsoft Security Experts (Defender Experts | Detection and Response Team (DART)). Signal sources: Endpoint (workstations, server/VM, containers, etc.); Office 365 (email, Teams, and more); Cloud (Azure, AWS, GCP, on-prem & more); Identity (cloud & on-premises); SaaS cloud apps; Data (SQL, DLP, & more); OT/IoT devices; other tools, logs, & data
    • Identity & Access (Microsoft Entra): Conditional Access, Zero Trust access control decisions based on explicit validation of user trust and endpoint integrity; Entra ID Protection (leaked credential protection, behavioral analytics); Passwordless & MFA (Authenticator App, Hello for Business, FIDO2 keys); Microsoft Entra PIM; ID Governance; External Identities; Defender for Identity; Active Directory; Entra Permission Management, discover and mitigate cloud infrastructure permission creep; Microsoft Entra Private Access & App Proxy (beyond user VPN); Microsoft Entra Internet Access; Privileged Access Workstations (PAWs), secure workstations for administrators, developers, and other sensitive users
    • Endpoints & Devices: Windows 11 & 10 Security (network protection, credential protection, full disk encryption, attack surface reduction, app control, exploit protection, behavior monitoring, next-generation protection); Microsoft Defender for Endpoint, unified endpoint security (Endpoint Data Loss Protection (DLP), Web Content Filtering, Endpoint Detection & Response (EDR), Threat & Vulnerability Management); Unified Endpoint Management (UEM): Intune, Configuration Manager
    • Hybrid Infrastructure (IaaS, PaaS, on-premises: Microsoft Azure, Azure Marketplace, Azure Stack, on-premises datacenter(s), 3rd party IaaS & PaaS (S3) via Azure Arc; intranet/extranet edge with NGFW, VPN & proxy, Edge DLP, IPS/IDS/NDR, Express Route; security & other services): Azure Key Vault; Azure WAF; DDoS Protection; Azure Backup; Azure Firewall & Firewall Manager; Private Link; Azure Bastion; Azure Lighthouse; Defender for Cloud, cross-platform, multi-cloud XDR with detection and response capabilities for infrastructure and development across IaaS, PaaS, and on-premises; Defender for Cloud, cross-platform Cloud Security Posture Management (CSPM); Defender for APIs (preview); GitHub Advanced Security & Azure DevOps Security, secure development and software supply chain
    • Security Posture Management: monitor and mitigate technical security risks using Secure Score, Compliance Score, CSPM (Defender for Cloud), Microsoft Defender External Attack Surface Management (EASM) and Vulnerability Management
    • Software as a Service (SaaS), Microsoft Defender for Cloud Apps: app discovery & risk scoring (Shadow IT); threat detection & response; policy audit & enforcement; session monitoring & control; information protection & Data Loss Prevention (DLP)
    • Data, Microsoft Purview: information protection and governance across the data lifecycle (discover, protect, classify, monitor); File Scanner (on-premises and cloud); Classification Labels; Information Protection; Advanced eDiscovery; Data Governance; Compliance Manager; Compliance Dashboard
    • People Security: Attack Simulator; Insider Risk Management; Communication Compliance
    • IoT and Operational Technology (OT): Microsoft Defender for IoT (and OT), asset & vulnerability management and threat detection & response for ICS, SCADA, OT, Internet of Things (IoT) and Industrial IoT (IIoT); Azure Sphere. Azure Defender for IoT provides agentless security for unmanaged IoT/OT devices (via integration of CyberX technology) plus security for greenfield devices managed via Azure IoT Hub. It is deployed either as a cloud-connected or fully on-premises solution.
  • 15. Security Adoption Framework delivers Zero Trust security modernization + business alignment using recommended initiatives
    • CISO Workshop, Security Program and Strategy: end-to-end security program guidance + integration with digital & cloud transformation teams
    • Security Architecture Design Session: Module 1 – Zero Trust Architecture and Ransomware; Module 2 – Secure Identities and Access; Module 3 – Modern Security Operations (SecOps/SOC); Module 4 – Infrastructure & Development Security; Module 5 – Data Security & Governance, Risk, Compliance (GRC); Module 6 – IoT and OT Security
    • 1. Strategic Framework: end-to-end strategy, architecture, and operating model
    • 2. Strategic initiatives, clearly defined architecture and implementation plans: Secure Identities and Access; Modern Security Operations; Infrastructure and Development; Data Security & Governance, Risk, Compliance (GRC); OT and IoT Security; Security Hygiene: Backup and Patching
    • Business Scenarios (guiding North Star): 1 - I want people to do their job securely from anywhere; 2 - I want to minimize business damage from security incidents; 3 - I want to identify and protect critical business assets; 4 - I want to proactively meet regulatory requirements; 5 - I want to have confidence in my security posture and programs
  • 16. Security Adoption Framework: Zero Trust security modernization rapidly reduces organizational risk
    • Audiences: Business Leadership (CEO); Technical Leadership (CISO, CIO); Implementation (Architects & Technical Managers)
    • Layers: Security Strategy and Program (Business and Security Integration; Security Strategy, Programs, and Epics; Securing Digital Transformation; Engaging Business Leaders on Security); End to End Zero Trust Architecture (Architecture and Policy; Technical Planning); Implementation and Operation (Technical Capabilities Implementation)
    • Domains: Secure Identities and Access; Modern Security Operations (SecOps/SOC); Infrastructure & Development Security; Data Security & Governance; IoT and OT Security
    • Workshops available in Microsoft Unified: CISO Workshop; Microsoft Cybersecurity Reference Architectures (MCRA); Security Capability Adoption Planning (SCAP); Technology Implementation & Optimization
    • Coordinated & integrated end-to-end security across the ‘hybrid of everything’ (on-prem, multi-cloud, IoT, OT, etc.). Includes reference plans.
  • 17. Security Adoption Framework Workshops: Security Strategy and Program; Zero Trust Architecture; Secure Identities and Access; Modern Security Operations (SecOps/SOC); Infrastructure & Development Security. Illustrative examples of guidance follow (Adoption Framework and Product Adoption). All workshops are holistic for the ‘hybrid of everything’ technical estate (on-premises, multi-cloud, IoT, OT, etc.).
  • 18. CISO Workshop Security Program and Strategy Adoption Framework
  • 19.
  • 20. Security responsibilities or “jobs to be done” (December 2021 - https://aka.ms/SecurityRoles). Managing information/cyber risk: enable productivity and security; stay agile (adapt to changes to threat environment, technology, regulations, business model, and more).
    • Organizational Leadership (organizational & risk oversight): Board; Management; Organizational Risk Appetite; Business Model and Vision; External Intelligence Sources
    • Security Leadership: Security Strategy & Culture; Risk Management; Policy & Standards; Information Risk Management; Supply Chain Risk (People, Process, Technology); Program Management Office (PMO)
    • Plan (Governance): Security Architecture (Architecture & Risk Assessments; Requirements Translation; Technical Risk Management); Technical Policy Authoring; Technical Policy Monitoring; Compliance Management (Privacy & Compliance Requirements; Compliance Reporting); Posture Management (Monitor & Remediate Risk; On-Demand Audit, Threat and Vulnerability Management (TVM), Risk and Security Scoring, Posture Enforcement); Threat Intelligence (Strategic Threat Insight/Trends; Tactical Threat Insight/Trends)
    • Run (Operations): Security Operations [Center] (SOC): Incident Management (IT, IoT, OT); Incident Response; Threat Hunting; Incident Preparation (Practice Exercises; Risk Scenarios)
    • Build: Apps, Data, and IoT, App & Data Teams (App Security; Dev Education & Awareness; Data Security); People, People Teams / Identity Teams / IT Operations (Insider Risk; User Education & Awareness); Identity & Keys (Administrator Security; Identity System Security; Key Management); Infrastructure & Endpoint (Endpoint Security; Mitigate Vulnerabilities; Infrastructure & Network Security; Deploy Tools); OT Operations (Operational Technology (OT) Security)
  • 21. End to End Zero Trust Architecture: Architecture Design Session Module 1 (Adoption Framework). Shorter version (3-4 hours vs. ~2 days). Microsoft Cybersecurity Reference Architectures (MCRA)
  • 22. Zero Trust Principles (Asset/Node = account, app, device, VM, container, data, API, etc.)
    • Verify explicitly: protect assets against attacker control by explicitly validating that all trust and security decisions use all relevant available information and telemetry. Reduce attack surface and exposure to risk. → Reduces the “attack surface” of each asset
    • Use least privilege access: limit access of a potentially compromised asset, typically with just-in-time and just-enough-access (JIT/JEA) and risk-based policies like adaptive access control. Reduce blast radius both proactively and reactively. → Reduces the “blast radius” of compromises
    • Assume breach (assume compromise): assume attackers can and will successfully attack anything (identity, network, device, app, infrastructure, etc.) and plan accordingly. General strategy shift from ‘assume safe network’. → Transforms from “defend the network” to “enable secure productivity on any network”
    • Business enablement: align security priorities to the organization’s mission, priorities, risks, and processes
  • 23. Defend across attack chains: insider and external threats (December 2023 – https://aka.ms/MCRA)
    • EXTERNAL THREATS: Phishing mail → Open attachment / Click a URL / Browse a website → Exploitation and Installation → Command and Control; Brute force account or use stolen account credentials → User account is compromised → Attacker collects reconnaissance & configuration data → Attacker attempts lateral movement → Privileged account compromised → Domain compromised → Attacker accesses sensitive data → Exfiltration of data; IoT Device Exploitation → Disrupt OT Environment
    • INSIDER RISKS: Leading indicators (History of violations; Distracted and careless; Disgruntled or disenchanted; Subject to stressors) → Insider has access to sensitive data → Anomalous activity detected → Data leakage / Potential sabotage
    • Detection and response coverage shown on the slide: Defender for Office 365; Defender for Endpoint; Defender for Identity; Microsoft Entra ID Protection; Defender for Cloud Apps; Microsoft Defender for Cloud; Defender for IoT (& OT); Insider risk management; Microsoft Defender XDR + Microsoft Sentinel; Security Copilot (Preview)
  • 24.
  • 25. Technical Plan · Modernize Patch Management: Objectives & Key Results (OKRs), summary of outcomes
    OBJECTIVE: Reduce organizational risk caused by neglect of basic security maintenance. Normalize rigorous security maintenance for software.
    WHY: Extortion/ransomware attacks and theft of IP are often caused by organizations skipping well known security best practices (unpatched vulnerabilities, configuration weaknesses, and insecure operational practices). Proper system maintenance and hygiene also unblocks business agility and stability from system performance and capabilities.
    KEY RESULTS: Critical Patch Speed and Completion: mean time to deploy to 90% and 100% of assets
    WHAT (Implementation Workstreams and Leads):
     Update Organizational Accountability to reflect organizational nature of risk (lead: <add name(s)>, designated by CEO/CFO)
     Update Budget and Acquisition policy for accountability and technology lifetime (lead: <add name(s)>, designated by CFO)
     Update Security Patching/Maintenance Policy to reflect accountability model (lead: <add name(s)>, CISO/CIO and governance team)
    ❑ User Device Patching to apply updated organizational policy (lead: <add name(s)>, IT Productivity / End User Team(s))
    ❑ Domain Controllers and DNS Patching to apply updated organizational policy (lead: <add name(s)>, Identity/Networking/Server Infra Teams)
    ❑ Server Infrastructure Patching to apply updated organizational policy (lead: <add name(s)>, Server Infra Teams)
    ❑ Container Patching to apply updated organizational policy (lead: <add name(s)>, Server Infra Teams)
    ❑ Application Patching to apply updated organizational policy (lead: <add name(s)>, Multiple Teams)
    ❑ Firmware and Device Patching to apply updated organizational policy (lead: <add name(s)>, Multiple Teams)
    WHO (Directly Responsible Individuals, DRIs): EXECUTIVE SPONSOR: CEO or delegate (frequently CFO). PROJECT LEADERSHIP: CIO or delegate. PROJECT TEAM(S): Business / Application / Cloud Teams • <add name(s)>; IT/OT/IoT Asset Management • <add name(s)>; Purchasing/Vendor Management • <add name(s)>; Central and Business Unit IT Infrastructure • <add name(s)>; Productivity / End User Team(s) (Technical and Communications Teams) • <add name(s)>; Security Policy and Standards • <add name(s)>; Security Compliance Management • <add name(s)>; Security & IT/Enterprise Architecture • <add name(s)>
    TIMELINES / DEADLINES: Within 30 Days. Focus immediately on accountability changes and getting critical patches deployed within hours or days, then continuous improvement on all asset types.
    WORKSTREAM DETAILS: see the next slide.
  • 26. Technical Plan Workstreams · Modernize Patch Management. WHAT: implementation workstreams and leads. HOW: key directional guidance.
     Update Organizational Accountability to reflect organizational nature of risk (lead: <add name(s)>, designated by CEO/CFO)
      • Define accountability and shared responsibility model to reflect the organization-wide nature of cybersecurity risk and distributed responsibility of mitigation via applying patches.
      • Set up a team model where system owners are accountable, system managers are responsible for patching assets, and security is responsible for advising and assisting.
      • Update incentive structures and measurements, including scorecards, objectives and key results (OKRs), etc.
     Update Budget and Acquisition policy for accountability and technology lifetime (lead: <add name(s)>, designated by CFO)
      • Allocate budget to support performing required security maintenance and application sustainment.
      • Update revenue projections based on any required changes to schedule and uptime.
      • Update acquisition policy to require that vendor support is available for the expected lifetime of the technology.
     Update Security Patching/Maintenance Policy to reflect accountability model (lead: <add name(s)>, CISO/CIO and governance team): define and approve organizational policy and standards that reflect the updated accountability model and acquisition policy.
    ❑ User Device Patching to apply updated organizational policy (lead: <add name(s)>, Productivity / End User Team(s)). Update processes, tooling, and skills for all components including supply chain, and continuously improve until reaching the ideal state:
      • Change: adopt a ‘patch by default’ approach to rapidly update assets while enabling asset owners limited control of timing for testing and reboots
      • Build: automate deployment (CI/CD, IaC, etc.) and include security updates and configuration
      • Restore: build and test the ability to rapidly recover systems after an attack
      • Retire: ensure all asset types support an exception process, and replace/isolate un-securable assets
      Scope: update all user devices (corporate issued, BYOD, mobile, PC, Mac, etc.) while giving users limited control over reboot scheduling. Key Tooling: Intune, SCCM (Dynamic Updates | WaaS), WSUS, 3rd party tools
    ❑ Domain Controllers and DNS Patching to apply updated organizational policy (lead: <add name(s)>, Identity/Networking/Server Infra Teams). Scope: Active Directory Domain Controllers, Exchange Servers, and DNS Servers (high network exposure, high impact, and high resiliency/redundancy built in). Key Tooling: WSUS / SCCM, Azure VM Patching, 3rd party tools
    ❑ Server Infrastructure Patching to apply updated organizational policy (lead: <add name(s)>, Server Infra Teams). Scope: all server operating system instances (VMs, physical servers, hypervisors, etc.). Key Tooling: Azure VM Patching, Azure Update Management Center (Preview), RPM, APT-GET, Chef, Ansible, Puppet, Windows Update, WSUS, SCCM, 3rd party tools
    ❑ Container Patching to apply updated organizational policy (lead: <add name(s)>, Server Infra Teams). Scope: container orchestration, images, and image repositories. Key Tooling: standard server patching for orchestration/infrastructure, container creation and repository management tools for containers, Defender for Containers
    ❑ Application Patching to apply updated organizational policy (lead: <add name(s)>, Multiple Teams). Scope: all apps, middleware, and supply chain components for all formats and platforms. Key Tooling: standard user device and server tooling, additional 3rd party tooling
    ❑ Firmware and Device Patching to apply updated organizational policy (lead: <add name(s)>, Multiple Teams). Scope: firmware & embedded OS/applications for user devices, servers, printers, routers/switches, IoT devices, OT devices, and others with work data / network connectivity. Key Tooling: WSUS (Surface devices and other OEMs), 3rd party tools
    Reference Policy and Standards
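The key result on slide 25 is "mean time to deploy to 90% and 100% of assets", and the workstreams on slide 26 split that target by asset type. The following is an added example, not part of the deck and not Microsoft tooling, of how a team could compute that key result from per-asset install timestamps exported from whatever patch system is in use. All asset names, classes and timestamps are constructed sample data, and the 48-hour target used at the end is an assumption for illustration.

```python
"""Added example: computing the 'Critical Patch Speed and Completion' key result.

From per-asset install timestamps it computes how many hours after release a patch
reached 90% and 100% of assets, per asset class and overall, and lists the assets
still unpatched. All asset names and timestamps are constructed sample data.
"""
import math
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class PatchRecord:
    asset: str
    asset_class: str                  # e.g. "user_device", "domain_controller", "server"
    installed_at: Optional[datetime]  # None = patch not yet installed


# Constructed sample data (hypothetical assets and times, not from the deck).
RELEASED_AT = datetime(2024, 1, 9, 18, 0)   # when the critical patch was published


def _h(hours: float) -> datetime:
    return RELEASED_AT + timedelta(hours=hours)


RECORDS = [
    PatchRecord("ud-01", "user_device", _h(6)),
    PatchRecord("ud-02", "user_device", _h(12)),
    PatchRecord("ud-03", "user_device", _h(30)),
    PatchRecord("ud-04", "user_device", _h(50)),
    PatchRecord("ud-05", "user_device", None),       # laptop that never checked in
    PatchRecord("dc-01", "domain_controller", _h(4)),
    PatchRecord("dc-02", "domain_controller", _h(8)),
    PatchRecord("srv-01", "server", _h(20)),
    PatchRecord("srv-02", "server", _h(48)),
    PatchRecord("srv-03", "server", _h(72)),
]


def hours_to_coverage(records, released_at, fraction):
    """Hours from release until `fraction` of the assets were patched; None if not reached."""
    if not records:
        return None
    needed = math.ceil(len(records) * fraction - 1e-9)   # tolerate float noise in n * 0.9
    times = sorted(r.installed_at for r in records if r.installed_at is not None)
    if len(times) < needed:
        return None
    return (times[needed - 1] - released_at).total_seconds() / 3600


def coverage_report(records, released_at):
    """Per-class and overall key results: time to 90% / 100% plus the unpatched backlog."""
    groups = {"all": list(records)}
    for r in records:
        groups.setdefault(r.asset_class, []).append(r)
    report = {}
    for name, recs in groups.items():
        report[name] = {
            "assets": len(recs),
            "patched": sum(1 for r in recs if r.installed_at is not None),
            "hours_to_90": hours_to_coverage(recs, released_at, 0.9),
            "hours_to_100": hours_to_coverage(recs, released_at, 1.0),
            "unpatched": sorted(r.asset for r in recs if r.installed_at is None),
        }
    return report


def sla_breaches(report, target_hours, key="hours_to_90"):
    """Asset classes that have not reached the coverage milestone within `target_hours`."""
    return sorted(name for name, kr in report.items()
                  if kr[key] is None or kr[key] > target_hours)


if __name__ == "__main__":
    rep = coverage_report(RECORDS, RELEASED_AT)
    for name, kr in rep.items():
        print(f"{name:18} {kr['patched']}/{kr['assets']} patched  "
              f"t90={kr['hours_to_90']}h  t100={kr['hours_to_100']}h  unpatched={kr['unpatched']}")
    print("classes missing a 48h target for 90% coverage:", sla_breaches(rep, 48))
```

Reporting the milestone time as `None` rather than a number is deliberate: an asset class that never reaches 90% (here `user_device`, because one laptop never checked in) must show up as a breach, not as a missing data point, which is exactly the backlog the Retire/exception workstream on slide 26 is meant to surface.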
  • 27.
  • 29. KNOWN ALLOWED TRUSTED Evolution of Authentication and Authorization “Coarse authorization” during authentication process that enforces common trust attributes Granular authorization of individual attributes and entitlements Authenticated claim/assertion of individual identity AUTHENTICATED AUTHORIZED
• 30. Two-Part Access Management Strategy
  1. High Scale: Secure the Whole Attack Surface (high volume of accounts) – establish and improve security across all accounts and all access paths
  2. High Impact: Privileged Access (highly privileged accounts) – increase security for each privileged account with high business impact
• 31. Top Concern: Privileged Access
  Attackers with admin accounts can access many/all resources, creating a 'cone of pain' that spans cloud admins and on-premises admins: 3rd party cloud and SaaS apps, the Microsoft cloud, and on-prem & legacy apps.
  Privileged admin account(s): Identity Admins, IT Admins, Security Admins, etc.
• 32. Two Secure Approaches for PAWs (both built on a strong hardware foundation for the operating system)
  • Separate dedicated hardware – full physical separation. Typical scenarios: high security where complete isolation is required; single focus/function, where the PAW only works with one sensitive or business critical system
  • Single hardware – virtualized user (+admin) desktop on the PAW. Typical scenarios: the privileged user is mobile or has limited desk space; administration of multiple systems (cloud and on-premises, management and control plane, etc.); where hardware cost is a consideration
  (Figure label: Cloud management and security)
• 33. Access Management Capabilities: Adaptive Access applying Zero Trust Principles
  • Trust signals feed the security policy engine: user/identity risk (multi-factor authentication? impossible travel? unusual locations? password leaked? …and more), device risk (managed? compliant? infected with malware? …and more), and integrated threat intelligence
  • Decision: the security policy engine applies organization policy with continuous risk evaluation; the core adaptive access policy can be implemented today using Microsoft and partner capabilities
  • Identities covered: employee, partner, customer, and workload
  • Enablement and enforcement of policy across resources: Microsoft 365 apps and resources, internet and SaaS apps, all private apps (private web apps via direct application access), and any apps and resources
  • Remediate user and device risk as part of the access decision
  • Security Service Edge (SSE) – additional policy control & monitoring with Zero Trust Network Access (ZTNA), secure web gateway (SWG), Cloud Access Security Broker (CASB), and Firewall-as-a-Service (FWaaS)
  • Macro- and micro-segmentation – workload isolation using identity, network, app, and other controls
  • Virtual Private Network (VPN) – legacy technology being retired
  Legend: Trust Signal (signal to make an informed decision) | Adaptive Access Policy (decision based on organizational policy) | Threat Intelligence | Additional Policy & Monitoring (enablement and enforcement of policy across resources)
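The two-stage model on slide 29 (coarse authorization during authentication, then granular authorization) and the adaptive-access flow on slide 33 (trust signals → policy engine → allow, remediate, or block) can be shown in one small policy engine. The code below is an added example written for this page, not Microsoft's Conditional Access implementation; every signal name, threshold, identity type and sample sign-in in it is an assumption made for the illustration.

```python
"""Minimal adaptive access policy engine (added example, not Microsoft code).

Flow: trust signals (user risk, device risk, threat intel) -> policy engine
evaluates organizational policy -> allow, require remediation, or block.
All signal names, thresholds and the sample requests are assumptions.
"""
from dataclasses import dataclass
from enum import Enum


class Decision(str, Enum):
    ALLOW = "allow"
    REQUIRE_MFA = "require_mfa"                            # remediate user risk
    REQUIRE_COMPLIANT_DEVICE = "require_compliant_device"  # remediate device risk
    BLOCK = "block"


@dataclass(frozen=True)
class AccessRequest:
    """One access attempt plus the trust signals the policy engine sees.

    Field names and defaults are assumptions for this example; a real engine
    reads them from the identity provider, MDM/EDR and threat-intel feeds.
    """
    user: str
    identity_type: str            # "employee" | "partner" | "customer"
    resource_sensitivity: str     # "low" | "medium" | "high"
    mfa_done: bool = False
    device_managed: bool = True
    device_compliant: bool = True
    device_infected: bool = False
    password_leaked: bool = False
    impossible_travel: bool = False
    unusual_location: bool = False
    source_ip: str = "198.51.100.10"   # TEST-NET-2 address, constructed


# Constructed threat-intelligence feed (TEST-NET-3 address), not real data.
THREAT_INTEL_BAD_IPS = frozenset({"203.0.113.7"})


def user_risk(req: AccessRequest) -> str:
    """Continuous evaluation of identity risk: 'low' | 'medium' | 'high'."""
    if req.password_leaked or req.impossible_travel:
        return "high"
    if req.unusual_location:
        return "medium"
    return "low"


def device_risk(req: AccessRequest) -> str:
    """Device posture: malware is 'high'; unmanaged or non-compliant is 'medium'."""
    if req.device_infected:
        return "high"
    if not (req.device_managed and req.device_compliant):
        return "medium"
    return "low"


def evaluate(req: AccessRequest, bad_ips=THREAT_INTEL_BAD_IPS) -> Decision:
    """Apply the organizational policy (every threshold below is an assumption)."""
    # 1. Threat intelligence: a known-bad source is blocked whoever the user is.
    if req.source_ip in bad_ips:
        return Decision.BLOCK
    u_risk, d_risk = user_risk(req), device_risk(req)
    # 2. A device with malware is never remediated inline; block the session.
    if d_risk == "high":
        return Decision.BLOCK
    # 3. Leaked password / impossible travel: block high-value resources,
    #    otherwise force MFA as the remediation step.
    if u_risk == "high":
        return Decision.BLOCK if req.resource_sensitivity == "high" else Decision.REQUIRE_MFA
    # 4. Coarse authorization: the common trust attribute (MFA) must hold before
    #    any entitlement check for non-employees, risky sign-ins and anything
    #    above low sensitivity.
    needs_mfa = (u_risk == "medium"
                 or req.resource_sensitivity != "low"
                 or req.identity_type != "employee")
    if needs_mfa and not req.mfa_done:
        return Decision.REQUIRE_MFA
    # 5. High-sensitivity resources additionally require a managed, compliant device.
    if d_risk == "medium" and req.resource_sensitivity == "high":
        return Decision.REQUIRE_COMPLIANT_DEVICE
    return Decision.ALLOW


# Constructed sample sign-ins covering each branch of the policy.
SAMPLE_REQUESTS = {
    "employee_mfa_compliant": AccessRequest("alice", "employee", "medium", mfa_done=True),
    "employee_low_no_mfa": AccessRequest("alice", "employee", "low"),
    "employee_unusual_location": AccessRequest("alice", "employee", "low", unusual_location=True),
    "partner_no_mfa": AccessRequest("bob", "partner", "low", device_managed=False),
    "leaked_password_high": AccessRequest("carol", "employee", "high", mfa_done=True, password_leaked=True),
    "leaked_password_medium": AccessRequest("carol", "employee", "medium", password_leaked=True),
    "byod_high_sensitivity": AccessRequest("dave", "employee", "high", mfa_done=True, device_managed=False),
    "infected_device": AccessRequest("erin", "employee", "low", device_infected=True),
    "known_bad_ip": AccessRequest("frank", "employee", "low", mfa_done=True, source_ip="203.0.113.7"),
}


def evaluate_all(requests=SAMPLE_REQUESTS) -> dict:
    """Return {sample name: decision value} for every sample request."""
    return {name: evaluate(req).value for name, req in requests.items()}


if __name__ == "__main__":
    for name, decision in evaluate_all().items():
        print(f"{name:28s} -> {decision}")
```

The order of the checks is the point: threat intelligence and device compromise are evaluated before any identity attribute, the coarse MFA check runs before the granular device-posture entitlement, and remediation (REQUIRE_MFA, REQUIRE_COMPLIANT_DEVICE) is a distinct outcome from a hard block so that the user can clear the risk and retry.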
• 35. Security Operations Modernization (Microsoft Reference Architecture, December 2023 – https://aka.ms/MCRA)
  Align to mission + continuously improve: measure and reduce attacker dwell time (attacker access to business assets) via Mean Time to Remediate (MTTR)
  • Raw data – security & activity logs from infrastructure & apps, PaaS, OT & IoT, identity & access management (LDAP), endpoint & mobile, and information; security & network tools provide actionable security detections, raw logs, or both (event log based monitoring)
  • Deep insights – actionable detections from an XDR tool with deep knowledge of assets, AI/ML, UEBA, and SOAR (native resource monitoring): Microsoft Defender XDR (Extended Detection and Response) with SOAR automated investigation and response (AutoIR), covering Defender for Endpoint, Defender for Cloud Apps, Defender for Office 365, Defender for Identity, Entra ID Protection, Defender for IoT & OT, Defender for Cloud (containers, servers & VMs, SQL, Azure app services, network traffic), and applications (SaaS, AI, legacy, DevOps, and other)
  • Broad enterprise view / correlated, unified incident view – Microsoft Sentinel as Security Incident & Event Management (SIEM), Security Orchestration, Automation, and Remediation (SOAR), security data lake, machine learning (ML) & AI, behavioral analytics (UEBA), and case management; a classic SIEM connects via API integration. SOAR reduces analyst effort/time per incident, increasing SecOps capacity
  • Microsoft Threat Intelligence – 65+ trillion signals per day of security context & human expertise
  • Expert assistance, enabling analysts with scarce skills (consulting and escalation, outsourcing) – Managed Security Operations / Microsoft Security Experts (managed XDR, managed threat hunting); Incident Response (formerly the Detection & Response Team, DART); Microsoft Security Copilot (Preview) simplifies the experience for complex tasks/skills
  • Analysts and hunters – investigation & proactive hunting
  Legend: Consulting and Escalation | Outsourcing | Native Resource Monitoring | Event Log Based Monitoring | Investigation & Proactive Hunting
• 36. Security Operations is a Team Sport: main functions and how they work together
  • Security Analysts (Security Operations / Incident Response: triage, investigation, sometimes hunt) – investigate and remediate attacks with tooling and knowledge
    • Triage – Respond to detections (high volume) to find attacks
    • Investigation team – Investigate and remediate confirmed incidents
    • Hunt – Hunt for attacks that evaded detection, tune detections, assist with incidents
  • Threat Intelligence – engaged with analysts and other roles to support investigations, hunting, and detection with research, data, analysis, control prioritization and more
  • Incident Management – coordinate with other teams (including organizational leadership, legal, and communications) on major incidents and coordinate practice exercises
  • Architects and Engineers – collaborate on root cause analysis to ensure the same attacks won't work again, automate response steps, etc.
• 38. Silos are the Bane of Security Operations
  • Attackers traverse rapidly across the enterprise: identity, email & collab, cloud apps, infrastructure, endpoint detection & response, antivirus, IoT and OT/ICS, threat intelligence, and others (alerts & logs from firewall, WAF, IDS, apps, etc.) …and defenders struggle to chase them across silos
  • Integrating silos is challenging
    • Mapping challenges – tools pivot on different attributes: network IP address, computer name, documents, device ID, email, etc.
    • Strong biases/tendencies – identity tools report only high-quality alerts because analysts have alert fatigue and resist new tools, and analysts with a network background don't understand the value and meaning of the detections; endpoint tools report verbosely because AV testing focuses on "not missing" malware, so reporting more improves showing in AV testing reports
• 39. Integrating Silos is Challenging: integrating disparate products requires significant work, and each new or changed product must be integrated
  • Select & implement tools; ensure tools provide APIs
  • Harmonize entity definitions – consistency across users, devices, email, IPs (#.#.#.#), etc., via mappings
  • Harmonize semantics & meaning – correlation, prioritization, orchestration, etc. (event → alert → incident)
  • Harmonize the analyst experience – across portals and interfaces (analyst workflow/portal experience for protect, investigate, remediate)
  • Write/update automation – orchestrate common tasks across systems
  • Create/maintain detections – add new detections and tune existing ones
  • Integrate threat intelligence – to enrich all the different elements
  Sources to integrate: identity, email & collab, cloud apps, infrastructure, antivirus, endpoint detection & response, IoT and OT/ICS, threat intelligence, and others (alerts & logs from firewall, WAF, IDS, apps, etc.)
• 40. Microsoft Integrated XDR+SIEM: more SecOps visibility with less integration burden
  Primary focus: reduce risk by removing attacker access to resources. All other activities support this and should not distract from it.
  The slide compares your maintenance burden versus the vendor's across three models: Limited XDR (EDR only or EDR+), the classic SIEM model (AV, network, other data), and Integrated XDR+SIEM.
  • Direct risk reduction – investigate, remediate, and hunt
  • Your maintenance burden in the classic model – write/update automation (SOAR); create/maintain detections for email, cloud apps, cloud identity, on-prem identity, endpoint, DevOps, database, storage, container, cloud infrastructure, and IoT & OT/ICS; SIEM integration of threat intelligence, UEBA and ML, and harmonized definitions & semantics (if a SIEM is present); ensure tools provide APIs; select & implement tools
  • Integrated XDR+SIEM (Microsoft Defender XDR, Defender for Cloud, Microsoft Sentinel) simplifies SecOps and reduces wasted time by providing and maintaining:
    • Asset-specific detections
    • Tooling integration
    • Threat intelligence integration
    • MITRE ATT&CK coverage
    • Additional detailed data for investigation and advanced hunting
  This allows analysts to focus on responding to incidents & reducing organizational risk
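Slides 38 and 39 describe the core of the silo problem: each tool pivots on its own attribute (device ID, hostname, UPN, IP address), so alerts about one attack path land in separate queues unless something harmonizes the entities and correlates across them. The added example below is illustration code written for this page, not Microsoft Sentinel, Defender XDR or any vendor's correlation engine; the inventory tables, alert schemas, sample alerts and the four-hour window are all constructed assumptions.

```python
"""Entity harmonization and alert correlation across SecOps silos.

Added example, not Microsoft Sentinel or Defender code. Each tool pivots on
its own attribute (device ID, hostname, UPN, IP address); the code maps every
raw alert onto canonical entities using constructed inventory tables, then
joins alerts that share an entity within a time window into incidents.
Field names, tables, alerts and the window are assumptions for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed inventory/directory data that a SIEM would normally hold.
DEVICE_BY_HOSTNAME = {"WS-ALICE-01": "dev-42", "SRV-FILE-03": "dev-77"}
DHCP_LEASES = {"10.1.20.15": "WS-ALICE-01", "10.1.30.8": "SRV-FILE-03"}
USER_BY_UPN = {"alice@contoso.example": "alice", "bob@contoso.example": "bob"}

# Constructed raw alerts, each in its producing tool's native schema.
RAW_ALERTS = [
    {"id": "mail-1", "source": "email", "time": "2024-03-01T09:00:00",
     "recipient": "alice@contoso.example", "verdict": "phish link clicked"},
    {"id": "idp-1", "source": "identity", "time": "2024-03-01T09:05:00",
     "upn": "alice@contoso.example", "client_ip": "10.1.20.15", "risk": "unfamiliar sign-in"},
    {"id": "edr-1", "source": "endpoint", "time": "2024-03-01T09:07:00",
     "device_id": "dev-42", "account": "CONTOSO\\alice", "alert": "suspicious PowerShell"},
    {"id": "fw-1", "source": "firewall", "time": "2024-03-01T09:09:00",
     "src_ip": "10.1.20.15", "dst_ip": "203.0.113.7", "alert": "beacon to known C2"},
    {"id": "edr-2", "source": "endpoint", "time": "2024-03-01T09:12:00",
     "device_id": "dev-77", "account": "CONTOSO\\alice", "alert": "lateral movement over SMB"},
    {"id": "idp-2", "source": "identity", "time": "2024-03-02T14:00:00",
     "upn": "bob@contoso.example", "client_ip": "10.1.30.8", "risk": "MFA fatigue"},
]


def ip_entities(ip: str) -> set:
    """An IP is an entity itself; an internal DHCP lease also resolves to a device."""
    ents = {"ip:" + ip}
    host = DHCP_LEASES.get(ip)
    if host in DEVICE_BY_HOSTNAME:
        ents.add("device:" + DEVICE_BY_HOSTNAME[host])
    return ents


def entities(alert: dict) -> set:
    """Harmonize one raw alert onto canonical user:/device:/ip: entity keys."""
    src = alert["source"]
    if src == "email":
        return {"user:" + USER_BY_UPN.get(alert["recipient"], alert["recipient"])}
    if src == "identity":
        return {"user:" + USER_BY_UPN.get(alert["upn"], alert["upn"])} | ip_entities(alert["client_ip"])
    if src == "endpoint":   # DOMAIN\user -> user
        return {"device:" + alert["device_id"], "user:" + alert["account"].split("\\")[-1].lower()}
    if src == "firewall":
        return ip_entities(alert["src_ip"]) | {"ip:" + alert["dst_ip"]}
    return set()


def correlate(alerts=RAW_ALERTS, window_hours: float = 4.0) -> list:
    """Union-find: alerts sharing an entity within the window form one incident."""
    alerts = sorted(alerts, key=lambda a: a["time"])
    ents = [entities(a) for a in alerts]
    parent = list(range(len(alerts)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]   # path halving
            i = parent[i]
        return i

    window = timedelta(hours=window_hours)
    last_seen = {}   # entity key -> index of the latest alert that carried it
    for i, alert in enumerate(alerts):
        t = datetime.fromisoformat(alert["time"])
        for e in ents[i]:
            j = last_seen.get(e)
            if j is not None and t - datetime.fromisoformat(alerts[j]["time"]) <= window:
                parent[find(i)] = find(j)
            last_seen[e] = i
    groups = defaultdict(list)
    for i in range(len(alerts)):
        groups[find(i)].append(i)
    incidents = [{
        "first_seen": alerts[idxs[0]]["time"],
        "alerts": [alerts[i]["id"] for i in idxs],
        "sources": sorted({alerts[i]["source"] for i in idxs}),
        "entities": sorted(set().union(*(ents[i] for i in idxs))),
    } for idxs in groups.values()]
    return sorted(incidents, key=lambda inc: inc["first_seen"])


if __name__ == "__main__":
    for inc in correlate():
        print(inc["first_seen"], inc["alerts"], inc["sources"])
```

With the sample data the phish click, the risky sign-in, the endpoint alert, the firewall beacon and the lateral-movement alert on a second host collapse into one incident spanning four silos, while the next day's MFA-fatigue alert stays separate because the shared device falls outside the window. One caveat the example makes visible: resolving an IP to a device through a lease table is only safe when the lease is valid at the alert's timestamp, since internal addresses are reused; a production pipeline joins on lease start and end times rather than a static map.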
• 42. What you want for a train ride is what you want for workloads: Functional (does what it promises), Secure (resilient to attacks), Reliable (performs well and stays available)
• 43. DevSecOps – Agile security for workloads
  • Lifecycle: Idea → Incubation → New Product or Service → Production, under Architecture & Governance (security, compliance, identity, & other standards) with continuous improvement
  • Developer loop: Design/Code → Build → Deploy → Run, repeated continuously, with Secure Design, Secure Code, Secure CI/CD Pipeline, and Secure the Operations
  • Minimum viable product (MVP) for the first production release: Dev – business / technical requirements; Sec – compliance / security / safety; Ops – quality / performance / support
  • Governance – continuous improvement of the DevSecOps lifecycle:
    1. MVP definitions – Update minimum requirements for Dev, Sec, and Ops (agility, stability, security, identity standards, and more)
    2. Continuously improve process, program, education, tooling, etc. to improve developer productivity, efficiency, security, identity, and more
• 44. Security is a Team Sport: protecting assets requires partnership and expertise across teams; a shared responsibility model enables effective security (common infrastructure + per-workload infrastructure)
  • Architecture and Engineering – rules/guidelines/standards across workloads and common organization-wide infrastructure; templates/automation for all workloads
  • Security Operations (SecOps/SOC) – Incident Response (rapid remediation of attacks); Incident Management (technical & business coordination); advanced functions (threat hunting, detection engineering, & more)
  • Workload Team – Business Owner (workload goals, risks, data, requirements); Application Architect (application design); Developer (application build/implementation)
  • Operations Team(s) (Infrastructure/DevOps) – Workload: build/configure/change/rebuild/recover OS, containers, network, identity, and more for workloads; Infrastructure Operations: the same for common infrastructure
  • Posture Management – Monitoring (monitor and report on security posture); Enablement (identify and clear security blockers)
  Responsibility matrix (columns: Workload Team | Operations Team(s) | Architecture & Engineering | Security Operations; cell values as given on the slide):
  • Application – Preventive Control Design & Implementation: Co-Lead, Co-Lead
  • Application – Detection Design, Implementation, & Monitoring: Co-Lead, Co-Lead
  • Application – Remediation & Recovery: Co-Lead, Co-Lead
  • OS/Container – Preventive Control Design & Implementation: Lead
  • OS/Container – Detection Design, Implementation, & Monitoring: Co-Lead, Co-Lead
  • OS/Container – Remediation & Recovery: Lead
  • Security Incident Management: Lead
  • Security Incident Response: May Lead, May Lead, May Lead
• 45. Comparing DevSecOps Security Levels
  • Temporary Minimum – temporary exception for rapid prototyping of low-risk, low business impact workloads
  • Standard – balanced approach for most workloads most of the time
  • High Security – high impact on business/safety: life/safety or business critical assets
  Key antipattern: Bizarro risk exceptions. Organizational risk is amplified when granting permanent security exceptions for business-critical workloads (often for political reasons)
• 46. DevSecOps Security Profiles: Control Comparison
  Lifecycle Stage | Control | Temporary Minimum | Standard | High Security
  Secure Design | Threat Model (Security Design Review) | Optional | Recommended | Required
  Secure Code | Code Analysis (static/CodeQL or dynamic) | Minimum Scan | Full Scan & Fix | Scan & Enforce
  Secure Code | Supply Chain / Dependency management | Inventory | Analysis & Fix | Block all insecure
  Secure Code | Security Code Review | Recommended | Recommended | Required
  Secure Code | Credential and Secret Scanning | Required | Required | Required
  Secure CI/CD Pipeline | Reinforce/Check 'Secure the Code' Controls | Required | Required | Required
  Secure CI/CD Pipeline | Secure Pipeline (Access/Infrastructure/Apps) | Required | Required | Required
  Secure the Operations | Live Site Penetration Testing | Recommended | Recommended! | Required
  Secure the Operations | Identity/App Access Controls | Minimum | Standard | High Security
  Secure the Operations | Host/Container Controls | Minimum | Standard | High Security
  Secure the Operations | Network Access Controls | Minimum | Standard | High Security
  Secure the Operations | Monitoring, Response, and Recovery | Basic XDR | + Custom (Environment) | + Custom (Workload)
  Critical Foundations for all developers & all projects: security in blameless postmortems + security coding standards + security tools and training + tool chain security
  Shift left… but double-check! Find and fix issues during development and reinforce the controls in the CI/CD pipeline
  Artificial Intelligence (AI) implications:
  • Secure all code – whether written by a human or by generative AI
  • Use both for security – apply classic and AI controls as available
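Credential and secret scanning is the one control marked Required at every profile in the table above, and "shift left, but double-check" means the same check runs on the developer's machine and again as a gate in the CI/CD pipeline. The added example below shows what such a scanner does and why it needs more than one rule; it is illustration code written for this page, not GitHub Advanced Security, Defender for DevOps or any product's engine. The AWS access key ID and GitHub token formats come from those vendors' public documentation; the entropy threshold, the placeholder allowlist and the sample repository contents are assumptions constructed for the example.

```python
"""Credential and secret scanning for the 'shift left, but double-check' gate.

Added example, not GitHub Advanced Security or Defender for DevOps code.
Three rule families: fixed patterns for well-known credential formats, a
generic 'password = "..."' assignment rule with a placeholder allowlist, and
a Shannon-entropy rule for unlabelled high-entropy literals. Key formats are
from public vendor docs; thresholds, hints and sample files are assumptions.
"""
import math
import re
from collections import Counter

PATTERN_RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github-pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("private-key-block", re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")),
]
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)(?:password|passwd|pwd|secret|api[_-]?key|token)\w*\s*[=:]\s*['\"]([^'\"]{8,})['\"]")
PLACEHOLDER_HINTS = ("changeme", "example", "xxxx", "<", "${", "todo", "dummy")
QUOTED_TOKEN = re.compile(r"['\"]([A-Za-z0-9+/=_\-]{20,})['\"]")
ENTROPY_THRESHOLD = 3.5   # bits per character; an assumption tuned for this example


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character (0.0 for an empty string)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def mask(secret: str) -> str:
    """Keep a 4-character prefix so a finding is recognisable without leaking the value."""
    return secret[:4] + "*" * (len(secret) - 4)


def scan_line(line: str):
    """Return (rule, secret) for the first rule that fires on a line, else None."""
    for rule, rx in PATTERN_RULES:                    # 1. known credential formats
        m = rx.search(line)
        if m:
            return rule, m.group(0)
    m = GENERIC_ASSIGNMENT.search(line)               # 2. labelled assignments
    if m and not any(h in m.group(1).lower() for h in PLACEHOLDER_HINTS):
        return "generic-credential-assignment", m.group(1)
    for m in QUOTED_TOKEN.finditer(line):             # 3. unlabelled high-entropy literals
        if shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
            return "high-entropy-string", m.group(1)
    return None


# Constructed sample repository content. The AWS id is AWS's published
# documentation example, included to show that pattern rules fire regardless.
SAMPLE_FILES = {
    "app/config.py": (
        'import os\n'
        'DB_PASSWORD = os.environ["DB_PASSWORD"]      # read from environment: fine\n'
        'password = "changeme-please"                  # placeholder: allowlisted\n'
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"    # documentation sample id\n'
        'smtp_password = "Wint3r-Sunsh1ne!"            # hard-coded credential\n'
    ),
    "scripts/deploy.sh": (
        'GITHUB_TOKEN="ghp_0123456789abcdef0123456789abcdef0123"\n'
        'WEBHOOK_ID="q8Xv2LmZ7pR4tB9sK1yW3nJ6"\n'
        "cat > id_rsa <<'EOF'\n"
        '-----BEGIN RSA PRIVATE KEY-----\n'
        'EOF\n'
    ),
}


def scan_files(files=SAMPLE_FILES) -> list:
    """Scan {path: text} and return findings with masked evidence."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            hit = scan_line(line)
            if hit:
                rule, secret = hit
                findings.append({"path": path, "line": lineno, "rule": rule,
                                 "evidence": mask(secret)})
    return findings


def ci_gate(files=SAMPLE_FILES) -> bool:
    """Secret scanning is Required at every profile: any finding fails the build."""
    return not scan_files(files)


if __name__ == "__main__":
    for f in scan_files():
        print(f"{f['path']}:{f['line']}: {f['rule']} ({f['evidence']})")
    print("gate:", "PASS" if ci_gate() else "FAIL")
```

Two design points worth noting. The rules are ordered from most to least specific so a line is reported once under its most informative rule, and findings carry masked evidence rather than the secret itself, because the scan report is often the next place a credential leaks. The entropy rule is what catches the unlabelled webhook ID that no keyword rule would see; its threshold is the knob that trades missed secrets against noise, and a real deployment tunes it per language and file type.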
• 47. Infrastructure Security Capabilities (Microsoft Cybersecurity Reference Architectures, December 2023 – https://aka.ms/MCRA): apply Zero Trust principles to Infrastructure & Platform as a Service (IaaS & PaaS) across multi-cloud, cross-platform environments
  Control categories (legend): Governance & Policy Enforcement | Preventive Controls | Security Posture Visibility | Threat Detection & Response | Raw Logs and Signal for Investigation & Hunting
  • Guidance – Azure Cloud Adoption Framework (CAF): security strategy, planning, roles and responsibilities (https://aka.ms/CAF); Azure Well Architected Framework (WAF); Microsoft Cloud Security Benchmark (MCSB): prescriptive best practices and controls; Top 10 Azure Security Best Practices
  • Accounts, access, and privileges (full time employees, partners, and/or outsourced providers; business users, developers, app/service and automation administrators; customers and 'external' partners) – Microsoft Entra ID & External Identities (formerly Azure AD), Active Directory; Zero Trust access control with explicit trust validation for users and devices before allowing access: Conditional Access, Entra ID Protection, MFA and passwordless (Entra MFA, Windows Hello, existing MFA); Microsoft Entra ID Governance (automated user provisioning, entitlement management, access reviews, Privileged Identity Management (PIM), terms of use); Entra Privileged Identity Management (PIM); Entra Permissions Management; Privileged Access Workstation (PAW); Unified Endpoint Management (Intune, Configuration Manager)
  • Interfaces – Azure Resource Management (ARM) via the Azure Portal, Command Line Interface (CLI), and automation/API; applications and APIs; CI/CD pipelines (Azure DevOps Security, GitHub Advanced Security, Defender for DevOps); Entra App Proxy; Entra Private Access (preview); Azure Bastion
  • Management plane security (platform provided security guardrails, governance, policy, and more) – Azure Policy, Role Based Access Control (RBAC), Azure Blueprints, Management Groups, Azure Lighthouse, Azure Backup & Site Recovery, Resource Locks
  • Data plane security (per-application/workload controls) – encryption & Azure Key Vault, application RBAC model; Network/App Security Groups for internal communications (east/west); API Management Gateway, Azure DDoS and Web Application Firewall (WAF), PrivateLink & Service Endpoints, Azure Firewall and Firewall Management for external communications (north/south); Microsoft Defender for Cloud Apps
  • Security posture visibility – Microsoft Secure Score; Microsoft Defender for Cloud risk & regulatory compliance reporting; Azure Policy (audit) & Azure Resource Graph API; Microsoft Defender External Attack Surface Management (EASM)
  • Threat detection & response – Microsoft Defender XDR: unified threat detection and response across IT, OT, and IoT assets (incident response | automation | threat hunting | threat intelligence), including Microsoft 365 Defender, Microsoft Defender for Identity, Microsoft Defender for Endpoint, and Entra ID Protection; Microsoft Defender for Cloud: detections across assets and tenants (VMs & tenants in Azure, on-prem, and 3rd party clouds; containers and Kubernetes; IoT and legacy OT devices (SCADA, ICS, etc.); Application Programming Interfaces (APIs) via Defender for APIs (preview); CI/CD pipelines; Azure SQL & Cosmos DB; Azure Storage Accounts; and more); Microsoft Sentinel: cloud native SIEM, SOAR, and UEBA; Microsoft Security Copilot (Preview)
  • Raw logs and signal for investigation & hunting – application logs, Azure WAF alerts, Azure Firewall alerts, Azure DDoS alerts, Network Watcher (IP flow logs, packet capture, virtual TAP), Azure activity log, Azure service diagnostic logs & metrics, Microsoft Defender for Cloud Apps (MDCA) alerts and logs, endpoint logs, PIM logs, Entra ID logs (access logs, alerts, risk scoring)
  • IoT – Azure Sphere, Azure IoT Hub, existing/other Internet of Things (IoT) devices
  • Resources – Azure resources/data; on-premises & other cloud resources/data
• 48. Security Capability Adoption Planning (SCAP) – Security Adoption Framework
• 50. Security Capability Adoption Planning: maximize value from current security product licenses and entitlements through education plus a prioritization / planning exercise
• 51. Where do you want to start? There's no wrong place to start ☺ Each area is offered as a topic summary (4 hours) or a full workshop (2-3 days)
  End to end strategy and planning:
  • Security Strategy and Program – CISO Workshop
  • Zero Trust Architecture – MCRA / Security ADS Module 1 – Zero Trust Architecture
  Plan and execute initiatives:
  • Secure Identities and Access – Module 2 – Secure Identities and Access
  • Modern Security Operations (SecOps/SOC) – Module 3 – Modern Security Operations (SecOps/SOC)
  • Infrastructure & Development Security – Module 4 – Infrastructure & Development Security
  Product adoption:
  • Security Capability Adoption Planning – 2-3 days
• 52. Key Resources
  • Zero Trust Playbook – ZeroTrustPlaybook.com | aka.ms/MarksList
  • The Open Group – Zero Trust Commandments aka.ms/ZTCommandments; Zero Trust Reference Model aka.ms/ZTRefModel
  • Microsoft – see the following slides
• 53. Learn more about Microsoft Security
  • Security Adoption Framework (SAF) – aka.ms/SAF
  • Security Documentation – aka.ms/SecurityDocs
  • Product Capabilities – www.microsoft.com/security/business
  • Reference Architectures – aka.ms/MCRA | aka.ms/MCRA-videos
  • CISO workshop – aka.ms/CISOworkshop | aka.ms/CISOworkshop-videos
  Additional References
• 54. Security Resources – Security Adoption Framework aka.ms/saf | Security Documentation aka.ms/SecurityDocs
  Security Strategy and Program
  • CISO Workshop – aka.ms/CISOworkshop | -videos
  • Cloud Adoption Framework (CAF) – aka.ms/cafsecure
  • Driving Business Outcomes Using Zero Trust
    ▪ Rapidly modernize your security posture for Zero Trust
    ▪ Secure remote and hybrid work with Zero Trust
    ▪ Identify and protect sensitive business data with Zero Trust
    ▪ Meet regulatory and compliance requirements with Zero Trust
  Zero Trust Architecture
  • Microsoft Cybersecurity Reference Architectures (MCRA) – aka.ms/MCRA | -videos
  • Zero Trust Deployment Guidance – aka.ms/ztguide | aka.ms/ztramp
  • Ransomware and Extortion Mitigation – aka.ms/humanoperated
  • Backup and restore plan to protect against ransomware – aka.ms/backup
  Secure Identities and Access
  • Securing Privileged Access (SPA) Guidance – aka.ms/SPA
  • MCRA Videos – Access Control Discipline; Zero Trust User Access
  • Ninja Training – Microsoft Defender for Identity http://aka.ms/mdininja
  • Microsoft Entra Documentation – aka.ms/entradocs
  Modern Security Operations (SecOps/SOC)
  • Incident Response – aka.ms/IR
  • CDOC Case Study – aka.ms/ITSOC
  • Ninja Training – Microsoft 365 Defender http://aka.ms/m365dninja; Microsoft Defender for Office 365 https://aka.ms/mdoninja; Microsoft Defender for Endpoint http://aka.ms/mdeninja; Microsoft Cloud App Security http://aka.ms/mcasninja; Microsoft Sentinel
  • MCRA Videos – Security Operations; SecOps Integration
  Infrastructure & Development Security
  • Microsoft Cloud Security Benchmark (MCSB) – aka.ms/benchmarkdocs
  • Well Architected Framework (WAF) – aka.ms/wafsecure
  • Azure Security Top 10 – aka.ms/azuresecuritytop10
  • Ninja Training – Defender for Cloud
  • MCRA Video – Infrastructure Security
  • Defender for Cloud Documentation
  Data Security & Governance
  • Secure data with Zero Trust
  • Ninja Training – Microsoft Purview Information Protection https://aka.ms/MIPNinja; Microsoft Purview Data Loss Prevention https://aka.ms/DLPNinja; Insider Risk Management
  • Microsoft Purview Documentation – aka.ms/purviewdocs
  IoT and OT Security
  • Ninja Training – Defender for IoT Training
  • MCRA Video – OT & IIoT Security
  • Defender for IoT Documentation – aka.ms/D4IoTDocs
  General
  • Product Capabilities – www.microsoft.com/security/business
  • Security Product Documentation – Azure | Microsoft 365
  • Microsoft Security Response Center (MSRC) – www.microsoft.com/en-us/msrc