GM
Uploaded byGuido Marchetti
PPTX, PDF972 views

Zero trust deck 2020

The document outlines a strategy for implementing a modern zero-trust security framework over 30 days, emphasizing the need for a security perimeter that adapts to evolving threats. Key principles include always verifying user identity and device health, minimizing access based on necessity, and utilizing adaptive policies for risk management. It highlights the increasing risks from identity attacks and recommends integrating strong authentication measures and robust identity and access management solutions.

Embed presentation

Downloaded 81 times
Modern Zero-Trust Security in 30 Days 2020
Context of Zero trust, Why you need it?
Your enterprise in transformation Requires a modern identity and access security perimeter
Threat evolution is accelerating Identity and Apps THREAT AGES Malware and Infrastructure
Trust, but verify
Running Dual Perimeters ATTACKERS USING IDENTITY TACTICS MODERN PERIMETER (Identity Controls) FULLY ZERO TRUST
Integrate where possible
Zero Trust Technical Explanation
Why are we having a Zero Trust conversation? 1. IT Security is Complex • Many Devices, Users, & Connections 2. “Trusted network” security strategy • Initial attacks were network based • Seemingly simple and economical • Accepted lower security within network 3. Assets increasingly leave network • BYOD, WFH, Mobile, and SaaS 4. Attackers shift to identity attacks • Phishing and credential theft • Security teams often overwhelmed Access Control: Keep away from
Network Perimeter Office 365 Modernizing the security perimeter Resources Identity Perimeter
Zero Trust Principles Always authenticate and authorize based on all available data points, including user identity, location, device health, data classification, and anomalies. Verify Explicitly Minimize user access with Just-In-Time and Just-Enough Access (JIT/JEA), risk-based adaptive polices, and data protection which protects data and productivity. Least Privilege Minimize scope of breach damage and prevent lateral movement by segmenting access via network, user, devices and application awareness. Verify all sessions are encrypted end to end. Use analytics to get visibility and drive threat detection Assume Breach
Zero Trust Access Control Strategy Never Trust. Always verify. Allow full access Block access Allow limited Access Signal to make an informed decision Device Risk • Device Management • Threat Detection • and more… User Risk • Multi-factor Authentication • Behavior Analytics • and more… based on organization’s policy Apply to inbound requests Re-evaluate during session Decision of policy across resources Modern Applications SaaS Applications Legacy Applications And more… Enforcement Remediate Risk Increase Assurance
Zero Trust Model Modern Approach to Access Integrated Threat Intelligence Organization Policy
Corporate Network Geo-location Cloud SaaS apps On-premises & web apps Microsoft Cloud App SecurityMacOS Android iOS Windows Windows Defender ATP Client apps Browser apps Google ID MSA Azure AD ADFS Require MFA Allow/block access Block legacy authentication Force password reset****** Limited access ControlsConditions Machine learning Policies Real time Evaluation Engine Session Risk 3 40TB Effective policy Microsoft Cloud Azure AD conditional access (Zero Trust) Employee & Partner Users and Roles Trusted & Compliant Devices Physical & Virtual Location Client apps & Auth Method Conditions
Visibility and Control at the Perimeter User Role Group Device Config Location Last Sign-in Conditional access risk Health/Integrity Client Config Last seen High Medium Low Firewall Intrusion Detection/Prevention Forward/Reverse Proxy Source: IP Address/Port Destination: IP Address/Port Signatures Analytics Allow List Authentication Intranet Resources Actions: • Allow • Allow Restricted • Require MFA • Block • Force Remediation Actions: • Allow • Block Device
Conditional Access Example User Role: Sales Account Representative Group: London Users Device: Windows Config: Corp Proxy Location: London, UK Last Sign-in: 5 hrs ago Office resource Conditional access risk Health: Device compromised Client: Browser Config: Anonymous Last seen: Asia High Medium Low Anonymous IP Unfamiliar sign-in location for this user Malicious activity detected on device Device Sensitivity: Medium Block access Force threat remediation Your Pa$$word doesn't matter
SharePoint Online & Office 365 apps Identity and Access Management Use Cases Assign B2B users access to any app or service your organization owns Add B2B users with accounts in other Azure AD organizations 3 I need my customers and partners to access the apps they need from everywhere and collaborate seamlessly Other organizations Add B2B users with MSA, Google, or other Identity Provider accounts Other Identity Providers* Google ID* Microsoft Account On- premises
Why you Should Do this. Reduce your Risk and take control.
Increasing attack cost User credential theft Increasing attack cost User credential theft Link Link Link Link Link Link Link
Increasing attack cost Abuse credentials to access cloud assets Link Link Link Link Link Link
Increasing attack cost Abuse credentials to access on-premises assets Link Link Link
 Impossible to forget  Ease of use  Fingerprint and facial recognition  Hardware assurances (VBS) BIOMETRICS = SECURITY AND PRODUCTIVITY
• Segregated approach • Insufficient War Chest • No Stakeholder backing to drive change • Not utilising what you already have Common Pitfalls
Journey to Zero-trust – First 30 days.
Deploy Configure an industry standard Identity & access management solution Protect Data throughout it’s full lifecycle with Information protection Use Security & Compliance intelligence to learn about YOUR environment and allow informed security decisions Enable Threat protection capabilities and monitoring solution Ensure device level Zero trust with industry standard configured Unified Endpoint Management First steps to Zero trust Model
Azure AD Identity & Access Management Secure Admin privileged identity  Configure recommended Industry practice for global admin strategy  Enable PIM & enable specific admin roles to IT user accounts  Configure Privileged Role Administrator  Enable and configure Azure Identity Protection  Configure Alerts on admin account resets Additional security features  Configure Company branding  Configure Dynamic Group Membership & automated licence provisioning  Configure Self-service user groups with naming standard and expiration Secure User identity  Restrict 3rd party app registration capabilities  Enable & harden Self-service password reset (SSPR)  Expand authentication methods  Configure Single sign-on to cloud applications
Device Management W10/macOS  Automatic Enrolment on new W10 devices  Automated BitLocker Encryption on new W10 devices  W10 Device Configuration / Application Deployment based on identity  NCSC Device Configuration policies (User / System hardening and Endpoint Protection)  Automated W10 Device refresh / Fresh Start  MacOS Compliance and Configuration policies iOS/Android  Apple Business Manager / Managed Google Play portals integration with Intune  Apple Business Manager / DEP enrolment integration with Intune / Device Supplier  Apple VPP / Managed Google Play application management, approval and deployment  Android Enterprise Work Profile and Corporate Owned Fully Managed enrolments  Locked enrolment / Factory Reset Prevention Platform  Define and configure enrolment process for all Operating Systems for both new and "in use" devices  Application Management and Deployment  Device Compliance policies per OS  Device Configuration policies per OS  Application Protection  Lost / Stolen device Data Loss Protection  Conditional Access
Data & Threat Protection Securing Exchange Online ü Validate SPF Sender Policy Framework, which enables the receiving mail server to verify the Mail From address of the email is genuine. ü Enable DomainKeys Identified Mail (DKIM) to prevent spoofers from sending messages that look like they are coming from your domain. ü Configure Domain-based Message Authentication (DMARC) to tell other mail servers what to do with messages which fail SPF and DKIM checks. ü Increased Encryption keys from 1024 to 2048 length for additional security Configure data loss and advanced threat protection polices​  Apply ATP policy configurations as per recommended security settings  Configure DLP, Retention and sensitivity labels  ​Workshops to determine information protection and compliance strategies External Sharing capability enablement  Enable external sharing to allow internal users securely share content with people outside the organization  Controlled via "allowed external domains”, user groups, , limitations on guest permissions & secure specific invite links
Enterprise Mobility + Security Azure Information Protection Protect your data, everywhere Microsoft Cloud App Security Azure Active Directory Detect threats early with visibility and threat analytics Advanced Threat Analytics Extend enterprise-grade security to your cloud and SaaS apps Intune Protect your users, devices, and apps Manage identity with hybrid integration to protect application access from identity attacks Privileged Identity Management Identity Protection ENFORCE MFA ALLOW BLOCK Conditional Access Windows 10 Azure AD Join, Health Attestation, Windows Hello, BitLocker
Key Challenges and Strategic Opportunities Identity-based attacks are up 300% this year Information is your most attractive target Attackers constantly evolving techniques Most enterprises report using more than 60 security solutions
Zero Trust Top Tips
Identity is the best starting point for Zero Trust. • 1. Realign around identity • Identity is the best starting point for Zero Trust. • Users can have multiple devices and access enterprise resources from a variety of networks and app 1. Realign around identity
2. Device level Zero trust -Implement conditional access controls • Hackers routinely compromise identity credentials and use them to access systems and move laterally in the network. • Trust cannot, therefore, be inferred solely from whether a particular user or their device is inside or outside the corporate network.
3. Strengthen your credentials • Making multi-factor authentication a part of conditional access restrictions can help enable better user verification and limit the ability of hackers to misuse stolen credentials.
4. Plan for a dual-perimeter strategy • Maintain existing network-based protections while adding new identity-based controls to your environment.
5. Integrate intelligence and behavior analytics • Your ability to make good access control decisions depends on the quality, quantity and diversity of signals you integrate into those decisions
6. Reduce your attack surface • Implementing privileged identity management will minimise the likelihood of a compromised account being used in an administrator or other privileged role. • It’s also a good idea to block apps using legacy authentication protocol
7. Increase security awareness • Use a Security Information and Event Management (SIEM) system to aggregate and correlate the data to better detect suspicious activities and patterns that indicate potential network intrusions and events, such as leaked credentials, bad IP addresses and access from infected devices.
8. Enable end-user self-help • Empower users to carry out certain security tasks, such as self-service password resets & implementing self-service group management allows owners to create and manage groups without needing an administrator to do the job.
• Achieving Zero trust is takes time. It requires • support from key stakeholders with clear communication throughout the organization, throughout the project life cycle. 9. Don’t overpromise
10. Show value along the way • One of the most effective ways to build long- term support for a Zero Trust initiative is to demonstrate incremental value with each investment.
What we Do
Identity & Access Management Threat Protection Data & Information Protection Security & Management Azure Active Directory Multi-Factor Authentication Role Based Access Control (PIM) Microsoft Defender Advanced Threat Protection Office 365 Advanced Threat Protection Azure Information Protection Intune Microsoft Security and Compliance Center + CWSI Solutions Self Service Password Reset Credential Guard/Windows Hello Azure Advanced Threat Protection Microsoft Cloud App Security Office 365 Data Loss Prevention Microsoft Information Protection BitLocker/File Vault Microsoft Cloud App Security Mobile Threat Defense Secure Score Device Management Windows 10 Autopilot BitLocker/File Vault Compliance Score Managed Service Consulting Zero Trust Solutions
Contact: Gmarchetti@cwsi.ie

More Related Content

PPTX
What is Zero Trust
byOkta-Inc
 
PPTX
ZERO TRUST ARCHITECTURE - DIGITAL TRUST FRAMEWORK
byMaganathin Veeraragaloo
 
PDF
Zero trust in a hybrid architecture
byHybrid IT Europe
 
PPTX
The Zero Trust Model of Information Security
byTripwire
 
PDF
NIST Zero Trust Explained
byrtp2009
 
PDF
Micro segmentation and zero trust for security and compliance - Guardicore an...
byYouAttestSlideshare
 
PPTX
Zero Trust Network Access
byEr. Ajay Sirsat
 
PPTX
Understanding Zero Trust Security for IBM i
byPrecisely
 
What is Zero Trust
byOkta-Inc
 
ZERO TRUST ARCHITECTURE - DIGITAL TRUST FRAMEWORK
byMaganathin Veeraragaloo
 
Zero trust in a hybrid architecture
byHybrid IT Europe
 
The Zero Trust Model of Information Security
byTripwire
 
NIST Zero Trust Explained
byrtp2009
 
Micro segmentation and zero trust for security and compliance - Guardicore an...
byYouAttestSlideshare
 
Zero Trust Network Access
byEr. Ajay Sirsat
 
Understanding Zero Trust Security for IBM i
byPrecisely
 

What's hot

PDF
Microsoft Zero Trust
byDavid J Rosenthal
 
PPTX
Microsoft Defender for Endpoint
byCheah Eng Soon
 
PDF
Cloud App Security Customer Presentation.pdf
byErikHof4
 
PDF
Zero Trust Model Presentation
byGowdhaman Jothilingam
 
PPTX
Zero trust Architecture
byAddWeb Solution Pvt. Ltd.
 
PDF
Azure Security Overview
byDavid J Rosenthal
 
PPTX
Zero Trust Model
byYash
 
PPTX
Adopting A Zero-Trust Model. Google Did It, Can You?
byZscaler
 
PPTX
Cloud Security
byAWS User Group Bengaluru
 
PPTX
Identity and Access Management Introduction
byAidy Tificate
 
PPTX
What is zero trust model (ztm)
byAhmed Banafa
 
PPTX
cyber-security-reference-architecture
byBirendra Negi ☁️
 
PPTX
Zero Trust
byBoaz Shunami
 
PPTX
What is a secure enterprise architecture roadmap?
byUlf Mattsson
 
PPTX
Zero Trust Framework for Network Security​
byAlgoSec
 
PPTX
Data Loss Prevention
byReza Kopaee
 
PDF
introduction to Azure Sentinel
byRobert Crane
 
PDF
IBM InfoSphere Guardium overview
bynazeer325
 
PDF
PaloAlto Enterprise Security Solution
byPrime Infoserv
 
PPTX
Azure sentinel
byMarius Sandbu
 
Microsoft Zero Trust
byDavid J Rosenthal
 
Microsoft Defender for Endpoint
byCheah Eng Soon
 
Cloud App Security Customer Presentation.pdf
byErikHof4
 
Zero Trust Model Presentation
byGowdhaman Jothilingam
 
Zero trust Architecture
byAddWeb Solution Pvt. Ltd.
 
Azure Security Overview
byDavid J Rosenthal
 
Zero Trust Model
byYash
 
Adopting A Zero-Trust Model. Google Did It, Can You?
byZscaler
 
Cloud Security
byAWS User Group Bengaluru
 
Identity and Access Management Introduction
byAidy Tificate
 
What is zero trust model (ztm)
byAhmed Banafa
 
cyber-security-reference-architecture
byBirendra Negi ☁️
 
Zero Trust
byBoaz Shunami
 
What is a secure enterprise architecture roadmap?
byUlf Mattsson
 
Zero Trust Framework for Network Security​
byAlgoSec
 
Data Loss Prevention
byReza Kopaee
 
introduction to Azure Sentinel
byRobert Crane
 
IBM InfoSphere Guardium overview
bynazeer325
 
PaloAlto Enterprise Security Solution
byPrime Infoserv
 
Azure sentinel
byMarius Sandbu
 

Similar to Zero trust deck 2020

PPTX
Azure security and Compliance
byKarina Matos
 
PPTX
Azure Fundamentals Part 3
byCCG
 
PPTX
microsoft-cybersecurity-reference-architectures (1).pptx
byGenericName6
 
PPTX
3 Modern Security - Secure identities to reach zero trust with AAD
byAndrew Bettany
 
PPTX
MS. Cybersecurity Reference Architecture
byangelohammond
 
PPTX
Zero Trust 20211105
byThomas Treml
 
PDF
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
byMark Simos
 
PPTX
ciso-workshop-3-identity-protection.pptx
byelyas44
 
PDF
ASMC 2017 - Martin Vliem - Security < productivity < security: syntax ...
byPlatformSecurityManagement
 
PPTX
ciso-workshop-1-cybersecurity-briefing.pptx
bypravinsp141
 
PPTX
Securing Teams with Microsoft 365 Security for Remote Work
byPerficient, Inc.
 
PPTX
5 steps to securing your identity infrastructure.pptx
byMCont1
 
PPTX
Microsoft Security Advice ISSA Slides.pptx
byMike Brannon
 
PDF
O365Con18 - A Lap Around Monitoring, Auditing and Securing Microsoft Azure - ...
byNCCOMMS
 
PDF
Identity and Data protection with Enterprise Mobility Security in ottica GDPR
byJürgen Ambrosi
 
PPTX
In t trustm365ems_v3
byInTTrust S.A.
 
PPTX
SharePoint Conference 2018 - Securing Office 365 and SharePoint Online with A...
byScott Hoag
 
PDF
Security as a Service with Microsoft Presented by Razor Technology
byDavid J Rosenthal
 
PDF
Daniel Grabski | Microsofts cybersecurity story
byMicrosoft Österreich
 
PPTX
Utilizing Microsoft 365 Security for Remote Work
byPerficient, Inc.
 
Azure security and Compliance
byKarina Matos
 
Azure Fundamentals Part 3
byCCG
 
microsoft-cybersecurity-reference-architectures (1).pptx
byGenericName6
 
3 Modern Security - Secure identities to reach zero trust with AAD
byAndrew Bettany
 
MS. Cybersecurity Reference Architecture
byangelohammond
 
Zero Trust 20211105
byThomas Treml
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
byMark Simos
 
ciso-workshop-3-identity-protection.pptx
byelyas44
 
ASMC 2017 - Martin Vliem - Security < productivity < security: syntax ...
byPlatformSecurityManagement
 
ciso-workshop-1-cybersecurity-briefing.pptx
bypravinsp141
 
Securing Teams with Microsoft 365 Security for Remote Work
byPerficient, Inc.
 
5 steps to securing your identity infrastructure.pptx
byMCont1
 
Microsoft Security Advice ISSA Slides.pptx
byMike Brannon
 
O365Con18 - A Lap Around Monitoring, Auditing and Securing Microsoft Azure - ...
byNCCOMMS
 
Identity and Data protection with Enterprise Mobility Security in ottica GDPR
byJürgen Ambrosi
 
In t trustm365ems_v3
byInTTrust S.A.
 
SharePoint Conference 2018 - Securing Office 365 and SharePoint Online with A...
byScott Hoag
 
Security as a Service with Microsoft Presented by Razor Technology
byDavid J Rosenthal
 
Daniel Grabski | Microsofts cybersecurity story
byMicrosoft Österreich
 
Utilizing Microsoft 365 Security for Remote Work
byPerficient, Inc.
 

Recently uploaded

PDF
Strengthening cybern resilience for a leading indian Financial Services group
bypandeydevika621
 
PDF
Achieving Interoperability in Healthcare IT: A Strategic Guide
byHart, Inc.
 
PPTX
Corporate AI Training to AI Enable a Company Workforce
byStélio Inácio
 
PDF
MAD (1).pdf Mobile application develipment
byprathiT1
 
PDF
Artificial Intelligence(AI) full Book.pdf
bydeyanimesh299
 
PDF
Unit 1.2 Components of a Computer System.pdf
bySanieBautista
 
PDF
Ai In Courts Ai in courts AI in court AI in court
byZainKarim7
 
PPTX
Pizza Chain Market Data Scraping for Better Insights Report.pptx
byWeb Data Crawler
 
PDF
Digital Marketing Trends in 2026: AI, Data, Content & Future Growth
byConacent Consulting
 
PPTX
Why 2026 Could Be a Turning Point for Decentralized Exchanges.pptx
bycalliemorgan193
 
PDF
IAC 500 Sensor - Humidity Measurement Device
byCS Instruments
 
PDF
Benefits of Using the IAC 500 Sensor for Ambient Conditions
byCS Instruments
 
PPTX
Search Engine Responses to Conspiratorial Search Practices AANZCA 2025 Presen...
bykkasianenko
 
PDF
250 Prompts - ChatGPT acting as your Assistant
byMihir Nagarkar
 
PPTX
Large Language Model. LLM Audit Artificial Intelligence
byMANASCHOUDHARY22
 
DOCX
Top Websites To ⭐Buy ⭐Old ⭐Gmail ⭐Accounts (PVA & Bulk) (5).docx
byBuy Old Gmail Accounts
 
PDF
A Brief Introduction About Christopher Elwell Woburn
byChristopher Elwell Woburn
 
PPTX
Spacecraft Guidance Quick Research Guide by Arthur Morgan
byArthur Morgan
 
PDF
Artificial Intelligence and Barbarism - Conceptual Map
byalfadix
 
PDF
“Lessons from Yesterday's Tomorrowland” by Scott M. Graffius
byScott M. Graffius
 
Strengthening cybern resilience for a leading indian Financial Services group
bypandeydevika621
 
Achieving Interoperability in Healthcare IT: A Strategic Guide
byHart, Inc.
 
Corporate AI Training to AI Enable a Company Workforce
byStélio Inácio
 
MAD (1).pdf Mobile application develipment
byprathiT1
 
Artificial Intelligence(AI) full Book.pdf
bydeyanimesh299
 
Unit 1.2 Components of a Computer System.pdf
bySanieBautista
 
Ai In Courts Ai in courts AI in court AI in court
byZainKarim7
 
Pizza Chain Market Data Scraping for Better Insights Report.pptx
byWeb Data Crawler
 
Digital Marketing Trends in 2026: AI, Data, Content & Future Growth
byConacent Consulting
 
Why 2026 Could Be a Turning Point for Decentralized Exchanges.pptx
bycalliemorgan193
 
IAC 500 Sensor - Humidity Measurement Device
byCS Instruments
 
Benefits of Using the IAC 500 Sensor for Ambient Conditions
byCS Instruments
 
Search Engine Responses to Conspiratorial Search Practices AANZCA 2025 Presen...
bykkasianenko
 
250 Prompts - ChatGPT acting as your Assistant
byMihir Nagarkar
 
Large Language Model. LLM Audit Artificial Intelligence
byMANASCHOUDHARY22
 
Top Websites To ⭐Buy ⭐Old ⭐Gmail ⭐Accounts (PVA & Bulk) (5).docx
byBuy Old Gmail Accounts
 
A Brief Introduction About Christopher Elwell Woburn
byChristopher Elwell Woburn
 
Spacecraft Guidance Quick Research Guide by Arthur Morgan
byArthur Morgan
 
Artificial Intelligence and Barbarism - Conceptual Map
byalfadix
 
“Lessons from Yesterday's Tomorrowland” by Scott M. Graffius
byScott M. Graffius
 

Zero trust deck 2020

  • 1.
  • 2.
    Context of Zerotrust, Why you need it?
  • 3.
    Your enterprise intransformation Requires a modern identity and access security perimeter
  • 4.
    Threat evolution isaccelerating Identity and Apps THREAT AGES Malware and Infrastructure
  • 5.
  • 6.
    Running Dual Perimeters ATTACKERSUSING IDENTITY TACTICS MODERN PERIMETER (Identity Controls) FULLY ZERO TRUST
  • 7.
  • 8.
  • 9.
    Why are wehaving a Zero Trust conversation? 1. IT Security is Complex • Many Devices, Users, & Connections 2. “Trusted network” security strategy • Initial attacks were network based • Seemingly simple and economical • Accepted lower security within network 3. Assets increasingly leave network • BYOD, WFH, Mobile, and SaaS 4. Attackers shift to identity attacks • Phishing and credential theft • Security teams often overwhelmed Access Control: Keep away from
  • 10.
    Network Perimeter Office 365 Modernizingthe security perimeter Resources Identity Perimeter
  • 11.
    Zero Trust Principles Alwaysauthenticate and authorize based on all available data points, including user identity, location, device health, data classification, and anomalies. Verify Explicitly Minimize user access with Just-In-Time and Just-Enough Access (JIT/JEA), risk-based adaptive polices, and data protection which protects data and productivity. Least Privilege Minimize scope of breach damage and prevent lateral movement by segmenting access via network, user, devices and application awareness. Verify all sessions are encrypted end to end. Use analytics to get visibility and drive threat detection Assume Breach
  • 12.
    Zero Trust AccessControl Strategy Never Trust. Always verify. Allow full access Block access Allow limited Access Signal to make an informed decision Device Risk • Device Management • Threat Detection • and more… User Risk • Multi-factor Authentication • Behavior Analytics • and more… based on organization’s policy Apply to inbound requests Re-evaluate during session Decision of policy across resources Modern Applications SaaS Applications Legacy Applications And more… Enforcement Remediate Risk Increase Assurance
  • 13.
    Zero Trust Model ModernApproach to Access Integrated Threat Intelligence Organization Policy
  • 14.
    Corporate Network Geo-location Cloud SaaS apps On-premises & webapps Microsoft Cloud App SecurityMacOS Android iOS Windows Windows Defender ATP Client apps Browser apps Google ID MSA Azure AD ADFS Require MFA Allow/block access Block legacy authentication Force password reset****** Limited access ControlsConditions Machine learning Policies Real time Evaluation Engine Session Risk 3 40TB Effective policy Microsoft Cloud Azure AD conditional access (Zero Trust) Employee & Partner Users and Roles Trusted & Compliant Devices Physical & Virtual Location Client apps & Auth Method Conditions
  • 15.
    Visibility and Controlat the Perimeter User Role Group Device Config Location Last Sign-in Conditional access risk Health/Integrity Client Config Last seen High Medium Low Firewall Intrusion Detection/Prevention Forward/Reverse Proxy Source: IP Address/Port Destination: IP Address/Port Signatures Analytics Allow List Authentication Intranet Resources Actions: • Allow • Allow Restricted • Require MFA • Block • Force Remediation Actions: • Allow • Block Device
  • 16.
    Conditional Access Example User Role:Sales Account Representative Group: London Users Device: Windows Config: Corp Proxy Location: London, UK Last Sign-in: 5 hrs ago Office resource Conditional access risk Health: Device compromised Client: Browser Config: Anonymous Last seen: Asia High Medium Low Anonymous IP Unfamiliar sign-in location for this user Malicious activity detected on device Device Sensitivity: Medium Block access Force threat remediation Your Pa$$word doesn't matter
  • 17.
    SharePoint Online & Office365 apps Identity and Access Management Use Cases Assign B2B users access to any app or service your organization owns Add B2B users with accounts in other Azure AD organizations 3 I need my customers and partners to access the apps they need from everywhere and collaborate seamlessly Other organizations Add B2B users with MSA, Google, or other Identity Provider accounts Other Identity Providers* Google ID* Microsoft Account On- premises
  • 18.
    Why you ShouldDo this. Reduce your Risk and take control.
  • 19.
    Increasing attack cost Usercredential theft Increasing attack cost User credential theft Link Link Link Link Link Link Link
  • 20.
    Increasing attack cost Abusecredentials to access cloud assets Link Link Link Link Link Link
  • 21.
    Increasing attack cost Abusecredentials to access on-premises assets Link Link Link
  • 22.
     Impossible toforget  Ease of use  Fingerprint and facial recognition  Hardware assurances (VBS) BIOMETRICS = SECURITY AND PRODUCTIVITY
  • 23.
    • Segregated approach •Insufficient War Chest • No Stakeholder backing to drive change • Not utilising what you already have Common Pitfalls
  • 24.
    Journey to Zero-trust– First 30 days.
  • 25.
    Deploy Configure an industrystandard Identity & access management solution Protect Data throughout it’s full lifecycle with Information protection Use Security & Compliance intelligence to learn about YOUR environment and allow informed security decisions Enable Threat protection capabilities and monitoring solution Ensure device level Zero trust with industry standard configured Unified Endpoint Management First steps to Zero trust Model
  • 26.
    Azure AD Identity& Access Management Secure Admin privileged identity  Configure recommended Industry practice for global admin strategy  Enable PIM & enable specific admin roles to IT user accounts  Configure Privileged Role Administrator  Enable and configure Azure Identity Protection  Configure Alerts on admin account resets Additional security features  Configure Company branding  Configure Dynamic Group Membership & automated licence provisioning  Configure Self-service user groups with naming standard and expiration Secure User identity  Restrict 3rd party app registration capabilities  Enable & harden Self-service password reset (SSPR)  Expand authentication methods  Configure Single sign-on to cloud applications
  • 27.
    Device Management W10/macOS  AutomaticEnrolment on new W10 devices  Automated BitLocker Encryption on new W10 devices  W10 Device Configuration / Application Deployment based on identity  NCSC Device Configuration policies (User / System hardening and Endpoint Protection)  Automated W10 Device refresh / Fresh Start  MacOS Compliance and Configuration policies iOS/Android  Apple Business Manager / Managed Google Play portals integration with Intune  Apple Business Manager / DEP enrolment integration with Intune / Device Supplier  Apple VPP / Managed Google Play application management, approval and deployment  Android Enterprise Work Profile and Corporate Owned Fully Managed enrolments  Locked enrolment / Factory Reset Prevention Platform  Define and configure enrolment process for all Operating Systems for both new and "in use" devices  Application Management and Deployment  Device Compliance policies per OS  Device Configuration policies per OS  Application Protection  Lost / Stolen device Data Loss Protection  Conditional Access
  • 28.
    Data & ThreatProtection Securing Exchange Online ü Validate SPF Sender Policy Framework, which enables the receiving mail server to verify the Mail From address of the email is genuine. ü Enable DomainKeys Identified Mail (DKIM) to prevent spoofers from sending messages that look like they are coming from your domain. ü Configure Domain-based Message Authentication (DMARC) to tell other mail servers what to do with messages which fail SPF and DKIM checks. ü Increased Encryption keys from 1024 to 2048 length for additional security Configure data loss and advanced threat protection polices​  Apply ATP policy configurations as per recommended security settings  Configure DLP, Retention and sensitivity labels  ​Workshops to determine information protection and compliance strategies External Sharing capability enablement  Enable external sharing to allow internal users securely share content with people outside the organization  Controlled via "allowed external domains”, user groups, , limitations on guest permissions & secure specific invite links
  • 29.
    Enterprise Mobility +Security Azure Information Protection Protect your data, everywhere Microsoft Cloud App Security Azure Active Directory Detect threats early with visibility and threat analytics Advanced Threat Analytics Extend enterprise-grade security to your cloud and SaaS apps Intune Protect your users, devices, and apps Manage identity with hybrid integration to protect application access from identity attacks Privileged Identity Management Identity Protection ENFORCE MFA ALLOW BLOCK Conditional Access Windows 10 Azure AD Join, Health Attestation, Windows Hello, BitLocker
  • 30.
    Key Challenges andStrategic Opportunities Identity-based attacks are up 300% this year Information is your most attractive target Attackers constantly evolving techniques Most enterprises report using more than 60 security solutions
  • 31.
  • 32.
    Identity is thebest starting point for Zero Trust. • 1. Realign around identity • Identity is the best starting point for Zero Trust. • Users can have multiple devices and access enterprise resources from a variety of networks and app 1. Realign around identity
  • 33.
    2. Device levelZero trust -Implement conditional access controls • Hackers routinely compromise identity credentials and use them to access systems and move laterally in the network. • Trust cannot, therefore, be inferred solely from whether a particular user or their device is inside or outside the corporate network.
  • 34.
    3. Strengthen yourcredentials • Making multi-factor authentication a part of conditional access restrictions can help enable better user verification and limit the ability of hackers to misuse stolen credentials.
  • 35.
    4. Plan fora dual-perimeter strategy • Maintain existing network-based protections while adding new identity-based controls to your environment.
  • 36.
    5. Integrate intelligenceand behavior analytics • Your ability to make good access control decisions depends on the quality, quantity and diversity of signals you integrate into those decisions
  • 37.
    6. Reduce yourattack surface • Implementing privileged identity management will minimise the likelihood of a compromised account being used in an administrator or other privileged role. • It’s also a good idea to block apps using legacy authentication protocol
  • 38.
    7. Increase securityawareness • Use a Security Information and Event Management (SIEM) system to aggregate and correlate the data to better detect suspicious activities and patterns that indicate potential network intrusions and events, such as leaked credentials, bad IP addresses and access from infected devices.
  • 39.
    8. Enable end-userself-help • Empower users to carry out certain security tasks, such as self-service password resets & implementing self-service group management allows owners to create and manage groups without needing an administrator to do the job.
  • 40.
    • Achieving Zerotrust is takes time. It requires • support from key stakeholders with clear communication throughout the organization, throughout the project life cycle. 9. Don’t overpromise
  • 41.
    10. Show valuealong the way • One of the most effective ways to build long- term support for a Zero Trust initiative is to demonstrate incremental value with each investment.
  • 42.
  • 43.
    Identity & Access Management Threat Protection Data& Information Protection Security & Management Azure Active Directory Multi-Factor Authentication Role Based Access Control (PIM) Microsoft Defender Advanced Threat Protection Office 365 Advanced Threat Protection Azure Information Protection Intune Microsoft Security and Compliance Center + CWSI Solutions Self Service Password Reset Credential Guard/Windows Hello Azure Advanced Threat Protection Microsoft Cloud App Security Office 365 Data Loss Prevention Microsoft Information Protection BitLocker/File Vault Microsoft Cloud App Security Mobile Threat Defense Secure Score Device Management Windows 10 Autopilot BitLocker/File Vault Compliance Score Managed Service Consulting Zero Trust Solutions
  • 44.

Editor's Notes

  • #4 Key Takeaway: Many businesses are transforming rapidly to compete with digital native startups, this change is driving the need for security transformation. These are the IT transformation components to support the business’s digital transformation that will provide both challenges and opportunities for information security. While the challenges are significant, there is also a massive opportunity to solve longstanding security problems with this next generation of computing. This represents a classic enterprise security strategy with a network perimeter and a mobile device management component bolted on. CLICK 1 To be competitive in the marketplace, businesses are seeking to transform using new powerful technologies. The availability of cloud, mobile, and Internet of Things (IoT) technologies is fueling major disruptions in once-settled markets as Digital native startups leverage this new technology to disrupt longstanding business models Existing organizations are driving digital transformation to adopt the way they engage customers, empower employees, optimize operations, and offer products to customers CLICK 2 This instantiates in a couple of different ways that each provide unique challenges for security Software as a Service (SaaS) adoption to increase collaboration and agility – SaaS provides rapid value without many of the challenges of traditional software deployment and maintenance. While security doesn’t have to update this software, they do need to be aware of their use, assess their trustworthiness, and manage the available security controls CLICK 3 Demand for a 1st class mobile experience – Business users increasingly have a choice of what devices and apps they can use to get their job done, requiring security to better meet their demands for a great user experience on a secure mobile devices. Business users need full functionality applications for creating value on corporate data beyond the limited functionality email/productivity applications that come with most Mobile Device Management (MDM) providers. CLICK 4 Internet of things (IoT) is proliferating, and the manageability and visibility of these devices vary greatly from PC and mobile devices such as Higher volume and limited functionality Limited resources to run traditional agents Frequently collect new forms of telemetry with new privacy and security implications Cloud required to support analytics and IoT management – Even if IT isn’t adopting cloud platforms and infrastructure for its own value propositions, many of the new IoT architectures require cloud services to collect and report on IoT scenarios, requiring Information Security to evaluate the trust and integrate the controls for these platforms.  CLICK 5 This leads to a modern enterprise whose resources and risk are no longer defined by IP subnet addresses. These changes bring new security challenges, but they also bring new opportunities for security to leverage the same massive storage and computing analytics capabilities to solve these new challenges as well as longstanding classic security challenges. Note: We have chosen to represent this as a “new perimeter” rather than “perimeter-less” because the core concepts of a security perimeter still apply well to identity control (separation of threats from resources using a consistent set of controls) We will talk in more depth about how we see this identity-based security perimeter later in the identity and access management module. Additional Commentary Security organizations will need to manage different aspects of this shift including the people (culture) and processes (Training) and technology to be successful Manufacturers of IoT devices will also face new challenges like ensuring and proving the security and safety assurances of their products
  • #5 Key Takeaway: Attacker techniques have been evolving rapidly recently We have also noted an increased maturity in attacker business models where new criminal entrants are able quickly become effective using attack kits and affiliate models (where the new criminals pay the kit authors a percentage of the profits rather than buying it outright) Mass Distribution Malware - Mass distribution malware has been with us for several decades Tailored/Targeted Malware - This evolved into malware targeted at individual organization, which has matured into a mainstream attack method ‘File-Less’ Malware - The past few years saw increased investment into evasion of file-based detection using PowerShell to load attack code directly into memory and other similar methods Malware-Less Attacks - Recently, we have seen the rise of attack campaigns that involve no malware. These frequently target online software as a service (such as Office 365) and involve methods like social engineering, credential theft, and native platform capabilities like document download, forged emails, delegation/forwarding rules, and PowerShell scripts.
  • #7 Key Takeaway: We are in a transition period where we will be managing two styles of security perimeters to protect both legacy workloads and modern scenarios The forces that are driving the adoption of the identity perimeter are The prevalence of attackers using identity tactics (which bypass classic network perimeters) The need to protect assets where network controls are not available such as cloud services/applications, mobile devices, and Internet of Things (IoT) devices CLICK 1 An organization will reach a full “zero trust” state once they have migrated all legacy workloads to modern platforms where authorization decisions are based on integrated signals from identity (authentication), devices (configuration, integrity, etc.), the application (data/system sensitivity, and others. This will take some time to achieve for most enterprises.
  • #8 Key Takeaway: Integrate for one identity. SSO.
  • #10 Key Takeaway – Zero trust represents a generational shift in security strategy that reflects major changes in assets being protected and evolution of attack techniques. See video at this site for more information/context - https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/ciso-workshop-module-3#part-1-identity-and-zero-trust-history-933
  • #11 Key Takeaway: Defender need to transition to using an identity security perimeter as our primary defense strategy CLICK 1 The first thing to note is that the network security perimeters we built still work against the attacks they were designed to repel. This is quickly confirmed by anyone exposes an unpatched operating system or application to the direct internet without a firewall. CLICK 2 Unfortunately attackers have also developed a new generation of techniques that include phishing and credential theft. These techniques allow attackers to reliably penetrate the network security perimeter and navigate around behind it. CLICK 3 Additionally, newer technologies to increase productivity are causing data to move outside the corporate network onto managed and unmanaged devices, cloud services (both sanctioned/managed and unauthorized/Shadow IT applications). The trustworthiness of these devices and services are not defined by which IP subnet they are hosted on, so we need to manage the identities of these users, devices, services, and data. CLICK 4 Both of these trends diminish the effectiveness of the network as the sole security perimeter. We now need to establish an identity based perimeter so we can draw a line (of consistent security controls) between our assets and the threats to them.
  • #12 Key Takeaway – These are the principles for zero trust See video at this site for more information/context - https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/ciso-workshop-module-3#part-2-zero-trust-definition-and-models-1537
  • #13 Key Takeaway – These are the key basic components of a Zero Trust Strategy See video at this site for more information/context - https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/ciso-workshop-module-3#part-2-zero-trust-definition-and-models-1537
  • #14 Key Takeaway – This is an overview of the Zero Trust model See video at this site for more information/context – https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/ciso-workshop-module-3#part-5-zero-trust-user-access-reference-architecture-842
  • #15 Expanded view of all the conditions that are taken into account for access and the controls that you have based on the risk. Our 40 TB of data from all the conditions, integrated EMS/M365 apps, and our security intelligence network are analyzed in real-time to determine the right policy. Example: If an ADFS user signs in on a Windows machine with Windows Defender ATP we can take into account the health of the account and the device, as well as their location and if they are on the corporate network and what type of app they are trying to access. If they are on the corporate network in their normal office then the data produces a low risk score. The effective policy is to all access to the app. If, however, the person was logging in from a location across the world (in a short amount of time – impossible travel) and/or the Windows Defender ATP finds that the machine has been infected, the access can be blocked. If the user login and device are healthy, but it was a location they haven’t signed in from before (on a trip or other computer) then the user could be prompted with MFA or have limited access to certain applications.
  • #16 Key Takeaway: This is a comparison of the visibility and control you get with classic network perimeters vs a modern identity perimeter (based on Azure Active Directory Conditional Access) A network perimeter is composed of several functions (often combined into the same appliance) that uses data available from the network traffic to make a decision on whether to allow or block a connection. While this provides security visibility and control against some attacks, it has several significant limitations including: Scope is limited to resources hosted on a controlled network such as an intranet/extranet Visibility is limited to what is available on the network, which is often encrypted and frequently lacks important context on application function, user identity, data sensitivity, and other factors. Control is limited to allow and block, which doesn’t allow for managing the user experience and providing self service corrections, exception management, etc. CLICK 1 In contrast, an identity perimeter is aware of the user, device, and a number of attributes about each of them including the user's role, whether they logged on with MFA, when and where the device was last seen, the security health of the device, and more. The conditional access engine uses this information to calculate the relative risk of the operation as high, medium or low. The actions available include allow and block as well as Allow Restricted – Users may be allowed to authenticate, but only granted limited access (e.g. a user would be granted only online access to document in SharePoint online vs. being allowed to download) Require MFA - For authentication attempts with a medium risk (such as authentications from an unexpected time/geography), conditional access can require additional proof of identity before granting access (where this wouldn’t happen within their normal time/geography) Force Remediation – For high risk scenarios such as a known compromised password or computer, conditional access can force the issue to be remediated (e.g. force the user to change a password that has been leaked, requiring defender to remediate the device Network based perimeters provided needed controls for legacy workloads and PaaS components where the workload is under the control of the IT department (e.g. web applications), but protecting data and protecting newer asset types like Software as a Service (SaaS) requires and identity perimeter to provide the needed visibility and control.
  • #17 Key Takeaway: This is an example of conditional access enforcing policy on an authentication attempt In this example, a user is logging in with a device and attempting to access an internal file in Office 365 with a medium sensitivity CLICK 1 The user provides valid credentials and the user/device information checks out (so far), so the conditional risk level would be low. CLICK 2 As other factors are considered in the authentication decision, conditional access finds risk factors that would set risk to Medium An anonymous IP as the connection is coming in over the Tor network The device was last seen in an unfamiliar sign in location High Defender ATP has indicated that this device has been compromised Because of this, the conditional access engine blocks the authentication attempt and forces threat remediation (through Defender ATP) Reference https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Your-Pa-word-doesn-t-matter/ba-p/731984
  • #18 Key Takeaway: An organization can reduce their risk by adopting technology like Azure B2B By moving partner accounts from enterprise directories to a B2B solution, you are effectively lowering their access to your environment to the least privilege required.
  • #20 Key Takeaway: Microsoft has invested into raising cost of attacks for attackers attempting to steal your credentials Zero Touch - The cheapest and easiest way for an attacker to get your users’ credentials it to download stolen credentials from a public password compromise, frequently called a “breach replay” attack CLICK 1 BLUE/DEFENSE Microsoft monitors sites where attackers post these credentials and reports on these leaked credentials in Azure Active Directory so you can have these users reset the password they shared between sites. (Note that the password hashes have to be synched to Azure AD for this feature to work) RED/ATTACK Low Touch - This drives attackers into more expensive attacksl the next cheapest is a low touch attack using a phishing email that either a. Directs the user to enter their credentials into a fake logon website b. Uses a script or malware to steal credentials from the local machine (non-persistent) CLICK 2 BLUE/DEFENSE a. Office 365 ATP protects against malicious links in phishing email and Windows Defender Smartscreen is integrated into Microsoft browsers to protect against malicious websites b. Windows 10 includes TPM hardware protections to prevent theft of both legacy enterprise credentials (Kerberos and NTLM protected by Credential Guard) as well as modern biometric credentials (Windows Hello) RED/ATTACK High Touch - This drives attackers to a high touch operation that requires them to compromise a trusted device in order to steal your credentials. Attackers can either Research and target the right person with spearphishing to install malware on their computer Enter the environment through phishing any user and then perform lateral traversal to install malware on the targeted user’s computer and steal the credential CLICK 3 BLUE/DEFENSE By using advanced host mitigation and detections built into Windows 10 that, you increase the chances the attack will fail or be detected/cleaned, forcing the attacker to start the operation over again, all of which further adds to the attacker cost.
  • #21 Key Takeaway: Microsoft has invested into raising cost of attacks for attackers attempting to abuse stolen credentials to access your cloud assets This sequence assumes the adversary already has possession of a a valid credential in your Azure Active Directory The cheapest and easiest way to use it to access cloud assets is to simply log on with the credential CLICK 1 BLUE/DEFENSE Microsoft (and several partners) offer multi-factor authentication that sends single use codes to a mobile phone to validate possession of the phone RED/ATTACK Low Touch - This drives attackers into more expensive attacks that requires them to compromise the user’s mobile device or set up a fake website for the user (note that this will not work for a user that is running a trusted application for the MFA authentication such as the Azure MFA application) CLICK 2 BLUE/DEFENSE Azure AD Identity protections includes the ability to detect risky sign ins that reflect many risk factors. (Note that on-premises AD accounts need to have passwords synchronized to Azure AD in order to take advantage of this capability) Azure AD Conditional access allows you to set policy based on the authentication risk level and the security health of the device being used for authentication, raising the amount of work (and cost) to mimic the valid user behavior so they can evade these defenses. RED/ATTACK High Touch - This drives attackers to a high touch operation that requires them to compromise a trusted device in order to steal your credentials. The attacker would need to either Research and target the right person with spearphishing to install malware on their computer Enter the environment through phishing any user and then perform lateral traversal to install malware on the targeted user’s computer and steal the credential CLICK 3 BLUE/DEFENSE By using advanced host mitigation and detections built into Windows 10 that, you increase the chances the attack will fail or be detected/cleaned, forcing the attacker to start the operation over again, all of which further adds to the attacker cost. Additionally, if the account being used for lateral traversal is an on-premises Active Directory account, this can be detected using Azure Advanced Threat Protection (or Advanced Threat Analytics capability that builds a profile for each user’s normal behavior and reports anomalies.
  • #22 Key Takeaway: Microsoft has invested into raising cost of attacks for attackers attempting to steal credentials to access your on-premises assets Assuming the adversary has stolen a valid Active Directory user credential, the cheapest and easiest way to use it to access on premises assets is to simply log on with the credential directly to a published application (Outlook Web App (OWA)or other corporate application in the extranet) or use it to VPN into your corporate network. CLICK 1 BLUE/DEFENSE Several Microsoft partners offer solutions to require multi-factor authentication for VPNs and published websites RED/ATTACK High Touch - This drives attackers to a high touch operation that requires them to compromise a trusted device in order to steal your credentials. Attacker would need to either Research and target the right person with spearphishing to install malware on their computer Enter the environment through phishing any user and then perform lateral traversal to install malware on the targeted user’s computer and steal the credential CLICK 2 BLUE/DEFENSE You can further increase the attacker’s cost by using advanced host detections built into Windows 10 that increase the chances the attacker will be detected and have to start the operation over before achieving their objective. Additionally, the attack can be detected using Azure Advanced Threat Protection (or Advanced Threat Analytics) capability that builds a profile for each user’s normal behavior and reports anomalies. CLICK 3 Additionally, we see attackers use 3rd party suppliers and partners to get access to these on premises resources. They compromise the 3rd party and take advantage of the access path that the organization has opened for these suppliers to do business with the target organization. Additional Information Note that accessing an asset shared via Azure Application Proxy or similar capability that leverages Azure AD authentication would be categorized as a cloud scenario
  • #23 5/19/2020
  • #25 Common
  • #26 Key Takeaway: The first 30 days should include focused effort on identifying and classifying the assets in your infrastructure
  • #30 29
  • #32 Key Takeaway: Microsoft is focused on building solutions for 4 key solution areas: Identity and Access Management, Information protection, Threat Protection, and Security Management
  • #46 Presenter notes:  It’s evolution, not revolution.  Carefully thought through, carefully executed.  And that’s where we help.