Microsoft 365 Security und Azure Security, Einhaltung von Compliance-Anforderungen unter Berücksichtigung des neuen Schweizer Datenschutzgesetze, Best Practices bei der Einführung und dem Betrieb von Sicherheitslösungen

1. Microsoft Security
- so schützen Sie Ihr
Unternehmen
16. August 2023

3. Heutiges ICT-Umfeld…

4. Themen
• Heutiges Bedrohungs-Umfeld
• Microsoft 365 Security
sowie Azure Security
(Compliance / Datenschutzgesetz)
• Best Practices bei der Einführung und
dem Betrieb von Sicherheitslösungen
• Fragen (im Chat) & Antworten

5. Durch das Webinar führen…
Martin Janisch
Partner Technology Strategist
Sven Heeb
Consulting, Projektleitung
Othmar Frey
Sales Director

6. Classified as Microsoft Confidential
Security Webinar
Martin Janisch
Partner Technology Strategist
16.08.2023

7. Classified as Microsoft Confidential
Attack surface is expanding due
to hybrid work
Rapid acceleration and increasing
sophistication of cybercrime
Rising cost of cybersecurity
risk mitigation and remediation
The increasingly
complex state
of cybersecurity

8. Relevance
Ransomware:
https://aka.ms/CISOWorkshop
Zero-days:
Breaching services on
a per job basis:
Exploit kits:
Loads (compromised device):
Spearphishing services:
Compromised accounts:
Denial of Service:
Highest average price
Most Common Passwords 2023 - Is Yours on the List? | CyberNews, based on
15.212 B from publicly leaked data breaches; last accessed on May 11th, 2023

9. Are SMB customers
subject to attacks?
“No one is interested
in my data anyhow.”
• Over 620 million ransomware attacks happened in 2021 globally. 1
• Of all ransomware attacks on enterprises in 2020, 55 percent hit
businesses with fewer than 100 employees, while an entire 75 percent
of attacks were on companies making less than $50 million in revenue. 2
• In fact, on average, victims of ransomware only recover around 65
percent of stolen data. 3
• “However, it’s safe to say that any business that uses a computer system
is at risk.” 4
• Average cost of a SMB data breach in 120K$ in 2018 5
Fact check
• Ransomware hackers might not be not interested in SMB customer data
– but the SMB customers are. If their data is encrypted/lost, they will
incur damage and cost immediately.
• Hackers are interested in money – and Ransomware-as-a-Service kits
allow for highly automized attacks of 10.000s of victims simultaneously
and easily.
• For public sector/sensitive data, data is often no longer encrypted
anymore – but rather used to threat making data public.
• Access to SMB customers cloud service accounts may allow hackers to
spin up crypto mining VMs – causing $100.000s of damage in days
Explaining the risk for SMB customers

10. The phishing threat landscape
The State of Cybercrime
710 million
phishing emails blocked
per week.
531,000
Unique phishing URLs hosted outside of
Microsoft taken down at the direction of our
Digital Crimes Unit.
1hr 12m
The median time it takes for an
attacker to access your private data if
you fall victim to a phishing email.
1hr 42m
The median time for an attacker to begin
moving laterally within your corporate
network once a device is compromised.
Phishing
emails with
Ethereum
wallet
addresses
Business email compromise themes
(January-June 2022)
Phishing page impersonating a
Microsoft login with dynamic content

11. Classified as Microsoft Confidential
Relevance
‘Time between Black Friday and Christmas favourable for Threat Actors
Threat Actors are Already Building Phishing Pages to Target Holiday Shoppers (cybersixgill.com)
‘Tis the Season for Online Shopping and Phishing Scams | Trustwave’
Evidence: >15 cases in Switzerland within the last 12 months; e.g.
2 Cryptojacking (28k in half a day, 464k in a few days in ACR)
1 Tenant Lockout
Local data shows that still, ~35 % (latest data even 47%!) of Azure Subscriptions
do not have MFA turned on for Owner / Administrator roles in Switzerland
Threat actor groups like ‘Conti’ have
company-like character
MFA activation
65%
35%
Yes
No
Avg. Secure Score
Conti ransomware leak shows group operates like a normal tech company (cnbc.com)

12. Classified as Microsoft Confidential
‘staggering 85% of 6,700 global security
practitioners say their companies do not
have a cybersecurity posture robust enough
to defend against risks relating to hybrid
work.’

13. 25.6billion
attempts to hijack enterprise
customer accounts detected
and blocked by Microsoft
from Jan – Dec 2021.
Identity & Access Management
Trends & Challenges
Identity is the New Battleground, Cyber Signals, February 2022
80% of attacks involve
identity-based techniques

14. Zero Trust
Attend a 2-day event for Partners: Security Through the Lens of Zero Trust here. The
training is also available On-demand.
Zero Trust Guidance Center | Microsoft Learn
Verify explicitly Use least privilege access Assume breach
Always authenticate
and authorize based
on all available data
points.
Limit user access with
Just-In-Time and Just-
Enough-Access (JIT/JEA),
risk-based adaptive
policies, and data
protection.
Minimize blast radius
and segment access.
Verify end-to-end
encryption and use
analytics to get
visibility, drive threat
detection, and
improve defenses.

15. Classified as Microsoft Confidential
Visibility across your entire organization
Secure your end users Secure your infrastructure

16. Classified as Microsoft Confidential
Microsoft 365 Defender Microsoft Defender for Cloud
Visibility Automation AI
Data
connectors
Security
analytics
Threat
intelligence
Modernize your SOC
with Microsoft Sentinel
Optimize security operations with cloud-native
SIEM powered by AI and automation

17. Classified as Microsoft Confidential
Microsoft Sentinel
Microsoft 365 Defender Microsoft Defender for Cloud
Endpoints Identities Cloud apps
Email Docs IoT
Protect end-user
environments with XDR
Stop attacks and coordinate
response across digital assets

18. Classified as Microsoft Confidential
Microsoft Sentinel
Microsoft 365 Defender Microsoft Defender for Cloud
SQL/Storage Server VMs Containers
Network Industrial
IoT
Azure App
Services
Secure multi-cloud
environments with XDR
Use industry-leading threat intelligence
and XDR capabilities to stop threats

19. Classified as Microsoft Confidential
8
3
18 21
7
Why is defense so difficult?
SecOps professionals must protect…

20. Classified as Microsoft Confidential
End Point
Attacks are crossing modalities
Typical human-operated ransomware campaign
Cloud apps

21. Classified as Microsoft Confidential
Protection across the entire kill chain
With Microsoft SIEM and XDR
Services stopped
and backups deleted
Files encrypted on
additional hosts
Browse to
a website
Phishing
mail
Open
attachment
Click a URL
Command
and Control
User account
is compromised
Brute force account or use
stolen account credentials
Attacker compromises
a privileged account
Domain is
compromised
Attacker exfiltrates
sensitive data
Attacker collects
reconnaissance and
configuration data
Email Endpoints Identities Workloads
Exploitation
and installation
Cloud apps

22. Classified as Microsoft Confidential
End Point
Protection across the entire kill chain
With Microsoft SIEM and XDR
Email Endpoints Identities
Cloud apps
Workloads
Malware detection
Safe links
Safe attachments
Endpoint Protection
Platform (EPP)
Endpoint Detection
and Response (EDR)
Verified ID
Permissions management
Privileged Access Management
Identity threat detection and response
Identity Protection
Workload threat protection
File share encryption
Control access
Protect data

23. Classified as Microsoft Confidential
November

24. Classified as Microsoft Confidential

25. Risk assurance by phases
Allows you to understand how
Microsoft security controls are
designed and operated by using
online resources such as:
• Service Trust Portal
• Compliance Manager
• Compliance Score, and
• Secure Score
All Microsoft controls have been
certified by independent third-parties
such following standards such as ISO
27001:2013, SOC 2, and FedRAMP
(NIST SP800-53).
By mapping your internal
requirements against these
frameworks, you will obtain 3rd Party
Certification over the design and
operation also of your controls.
Further confidence over the
operation of our controls may be
obtained by engaging a fully
independent third-party funded by
you as a customer.
For instance TruSight was founded
by a consortium of leading financial
service companies specifically for
this purpose.
Direct review of control evidences
is only possible through direct
audit engagements such as 1:1
and possibly group audits.
Currently, audits through the
Compliance Program are only
available to Financial Services
companies and organizations
performing privacy (GDPR)
assessments.
3rd Party
Certification
2
Service Review &
Education
1
External
Attestation
3
Direct Audit
Engagement
4
How Microsoft supports you in assessing & auditing our services
Compliance Program
Self-service Audit External

26. Microsoft Purview
Comprehensive solutions to help govern, protect and manage your data estate
Understand & govern data
Manage visibility and governance of
data assets across your environment
Safeguard data, wherever it lives
Protect sensitive data across clouds,
apps, and devices
Improve risk & compliance posture
Identify data risks and manage regulatory
compliance requirements
Microsoft ecosystem
Support for multi-cloud, hybrid, SaaS data | Third-party/partner ecosystem

29. Microsoft
Defender
Microsoft
Sentinel
Microsoft
Purview
Microsoft
Entra
Cloud
platforms
Device
OSs
Microsoft
Priva
Microsoft Security Experts
Microsoft
Intune
Microsoft
Security
Copilot

30. The odds are
today’s 4,000
72 mins
3.5M

31. Operated with simple natural language queries

32. Classified as Microsoft Confidential
140+3
Threat groups
65T4
Analyzing
Threat signals daily
50% increase
37B4
Blocking
email threats annually
Serving billions of global customers,
learning and predicting what’s next
Monitoring
40+1
Nation state-groups
Investing to improve and share
knowledge, gain insights, and
combat cybercrime
$20B1
in the next 5 years
60%
Up to savings, on
average, over
multi-vendor
security solutions
Keeping you
secure, while
saving you time
and resources
Trusted globally, protecting organizations’
multi-Cloud and multi-platform infrastructures
customers have chosen
Microsoft Security to
protect their
organizations
partners in security
ecosystem
860K4
15K1
Industry-leading security from Microsoft
1. Earnings Press Release, FY22 Q4. July 26, 2022, Microsoft Investor Relations
2. “Microsoft Digital Defense Report”. October 2021, Microsoft Security
3. Earnings Press Release, FY22 Q2. December 16, 2021, Microsoft Investor Relations
4. “Microsoft Security reaches another milestone—Comprehensive, customer-centric solutions drive results” blog – Microsoft Security

33. Classified as Microsoft Confidential
Best practices
Sven Heeb

34. Best practices
• Secure Score / Messbarkeit im Unternehmen
• Vorstellung Produkte
• Defender for Servers
• Defender for Endpoint
• Defender for Office365
• Defender for Endpoint Vulnerability Management
• Beispiel Secure Score for Device / Exposure Score
• Azure Sentinel (Monitoring)

35. Secure Score Allgemein
Was ist Secure Score? (verschiedene Scores)
Microsoft Secure Score ist ein Tool, das die Sicherheit der Einrichtung und Konfiguration Ihres
Microsoft Tenant in einer einfachen Zahl ausdrückt.
• Empfehlung Microsoft 65% und höher
• Firmenziel Baggenstos 75 % bei Managed Service
Wie erreichen wir bzw. was ist unser Ziel?
• Secure Score Punkte: Absoluter Wert Abhängig von der eingesetzten Lizenzierung
• M365 Business Premium, M365 E3/E5 oder weitere Lizenzen
• Allgemeines Ziel: Technologische Weiterentwicklung fördern für Microsoft Produkte welche in der
Baggenstos Produktematrix sind.
• Doing: Wöchentlicher Abgleich (Endpoint, Messaging, Security usw.) innerhalb Core Team
Baggenstos bestehend aus Fachspezialisten (Consultants, Engineers)
• Managed Service Ziel: Technologische Weiterentwicklung der eingesetzten Produkte im Managed
Service
• Resultat: Massnahmenpakete erstellen via Ticketingsystem
• Umsetzung: Iterative Implementierung Managed Service Kunden

36. Defender
for Servers

37. Worum geht es …
• Microsoft Defender for Servers erweitert den Schutz auf Ihre Windows- und Linux-Computer,
die in Azure, und lokal ausgeführt werden. Defender for Servers bietet weitere Features zum
Schutz vor Bedrohungen.
• Ist bereits auf jedem Server ab W2016 aktiv (Microsoft Defender Antivirus) aber aktiviert mit
maximaler Komptabilität
• Mit Defender for Server und entsprechender Konfiguration ist das Ziel maximale Security
• Sie unterscheidet sich von den typischen signaturbasierten Anti-Malware-Lösungen, die es
gibt, da sie Sensoren enthalten, um Verhaltenssignale von Betriebssystemen zu sammeln und
zu verarbeiten, und maschinelles Lernen (KI) verwendet, um verdächtiges Verhalten zu
erkennen.
• Microsoft Defender Servers ist im gleichen Zug eine zentrale Sicherheitsplattform (Portal) für
Endgeräte, die Unternehmen bei der Prävention, Erkennung, Untersuchung und Reaktion auf
fortschrittliche Bedrohungen unterstützt.

38. Defender for Servers
• Sie erhalten die Basiskonfiguration nach Baggenstos Baseline (Standard)
• Integration Azure Arc für Onboarding Onpremis Server
• Installation & Konfiguration Monitoring Agent
• Bereitstellen & Konfiguration der GPO’s für Defender Capabilities in Windows
• Onboarding (on-prem) Server in Defender for Cloud
• Exclusions für Business Applikationen setzen (bei Bedarf)
• Schulung Defender for Cloud
• Mailnotification oder Anbindung Ticketingsystem für Alerting (Azure Sentinel)
• Technische Features
• Next-generation protection (Maschine Learning / Künstliche Intelligenz)
• Attack surface reduction (Verringern der Angriffsfläche durch Regeln)
• Implementation Microsoft Defender Best Practises
• Centralized management (Security Portal)
• Security reports
• Lizenzvoraussetzungen:
• Microsoft Defender for Servers (CHF 5.– pro Monat pro Server)

39. Defender for
Endpoint

40. Worum geht es …
• Analog Server, es handelt sich grundsätzlich um das gleiche Produkt. (Microsoft Defender
Antivirus)
• Unterscheidung im Onboarding der Clients
• Einfaches Onboarding via Intune Konfigurationsrichtlinen oder AD Gruppenrichtlinen
• Intuitives Security Portal für eine Übersicht aller Clients analog Server
• Alerting über Mail oder Ticketingsystem Anbindung (Azure Sentinel)

41. Defender for Endpoint
• Sie erhalten die Basiskonfiguration nach Baggenstos Baseline (Standard)
• Konfiguration & bereitstellen Intune Konfigurationsrichtlinien für Defender for Endpoint
• Onboarding mit Microsoft Endpoint Manager (Intune)
• Onboarding Clients
• Monitoring & Anpassung an ihre Systeme & Business Applikationen
• Mailnotification oder Anbindung Ticketinsystem für Alerting (Sentinel)
• Technische Features
• Er ist in Windows 10/11 eingebettet (kein zusätzlicher Agent muss bereitgestellt werden)
• Unterstützung für Windows 7/8 und Nicht-Windows-Betriebssysteme wie Linux, macOS, Android
und iOS
• Anti-Manipulation
• Endpunkt-Erkennung und -Reaktion (EDR)
• Attack Surface reduction
• Integration mit Microsoft Endpoint Manager
• Schwachstellenanalyse
• Suite-übergreifende Integrationen
• Integrierte Datentrennung und RBAC
• Tiefe Datensammlung (bis zu 6 Monate Datenspeicherung)
• Native Integration mit Azure AD Conditional Access
• Lizenzvoraussetzungen:
• Microsoft Defender for Endpoint Plan 1 oder 2, Microsoft365 Business Premium (Defender for Business)

42. Defender Endpoint
Vulnerability
Management

43. Worum geht es …
Was ist Vulnerability Management? (Schwachstellenmanagement)
Das Vulnerability Management hat die Aufgaben die Verwundbarkeit in der IT-
Infrastruktur eines Unternehmens zu identifizieren und zu beheben. Das Ziel ist
die Reduzierung der Risiken für die IT-Systeme sowie die nachhaltige
Verbesserung der gesamten Sicherheitsniveaus.
Durch die Nutzung des Produktes priorisiert Defender Vulnerability Management
schnell und kontinuierlich die größten Sicherheitsrisiken für Ihre kritischsten
Ressourcen und bietet Sicherheitsempfehlungen zur Risikominderung.
• Software (Aktualität sowie Bugfixing)
• Browser Extensions
• Zertifikate
Fokus liegt auf Software Vulnerabilities sowie deren Bekämpfung.

44. Secure Score for Device / Exposure Score
Der Secure Score for Devices bzw. deren Empfehlungen kommen hauptsächlich
vom Defender for Endpoint.
Weitere Empfehlungen betreffen:
• OS, Netzwerk, Accounts, Applikationen
Secure Score for Devices Exposure Score
(Defender for Endpoint) (Vulnerability Management)
Empfohlener Wert
Microsoft 65% und
höher
Ziele Baggenstos
Microsoft 75% und
höher
Ziele Baggenstos
Microsoft 20 % und
tiefer
Empfohlener Wert
Microsoft 30 % und
tiefer

45. Defender for
Office365

46. Worum geht es …
Microsoft Defender für Office 365 ist ein Sicherheitsdienst, der speziell für Office 365 entwickelt
wurde und Schutz vor komplexen Bedrohungen wie Phishing, Schadsoftware, Spam und
betrügerischen Business-E-Mails bietet.
• Drei Produkte
• Exchange Online Protection (Default Exchange Online)
• Microsoft Defender for Office365 P1
• Microsoft Defender for Office365 P2
Office365

47. Was bringen die einzelnen Services?
Exchange Online Protection
Defender for Office365 Plan 1 + 2
Lizenzvoraussetzungen: Microsoft Defender Office365 Plan 1 + 2, Microsoft365 Business Premium

48. Microsoft Sentinel
Sie erhalten die Basiskonfiguration für Ihr erfolgreiches Alert
Handling im Baggenstos Ticketsystem via Microsoft Sentinel
• Integrierte Defender Produkte (Baggenstos Standard)
• Microsoft Defender for Servers
• Microsoft Defender Antivirus
• Microsoft Defender Endpoint
• Microsoft Defender for Office365

49. Zusammenfassung – das Wichtigste!
Nutzen und konfigurieren Sie beim Einsatz von Microsoft
Cloud Services die lizenzierten Security Komponenten.
Überwachen und aktualisieren Sie stets die von Microsoft
erweiterten Security Funktionen.
Sensibilisieren Sie die Mitarbeitenden auf die möglichen
Bedrohungen und Schulen Sie das Verhalten bei
Unsicherheit.

50. Gefallen am Webinar?
Jetzt Newsletter abonnieren
und aktuell bleiben!