Organizations today are facing unprecedented and sophisticated attacks to their internal Information Technology infrastructure. These evolving attacks include cryptojacking, spear phishing, credential hijacking, and more and can result in significant data loss and/or theft of confidential and valuable intellectual property. In response to these threats, Microsoft has released an array of tools such as Azure Sentinel, Cloud App Security, Azure Advanced Threat Protection, and more which can help to secure and protect against these threats. These tools work with both On-Premises and cloud-based infrastructure to provide for comprehensive protection of hybrid environments. This session breaks down each of these Microsoft tools and provides for an understanding of their value for specific security scenarios. A simple, no-marketing approach is taken to evaluating each individual tool, and a simple breakdown of what is provided with each Microsoft licensing model is outlined. Attendees will gain a better appreciation to which tools to utilize and how to better protect their Information Technology investments from the type of career-ending attacks which are unfortunately common today. • Understand how modern threats such as cryptojacking, spear phishing, credential hijacking, and more are commonly faced in today’s IT environments and what tools and techniques can be used to mitigate the risk faced by these modern threats • Examine Microsoft security tools such as Azure Sentinel, Azure Advanced Threat Protection, Azure Security Center, Cloud App Security, Azure AD Privileged Identity Management, Azure AD Identity Protection, Azure Information Protection, and more. • Understand which tools are available for each licensing model in the Microsoft world and when it may make sense to ‘upgrade’ existing licenses to support specific toolsets as opposed to investment in third-party tools

1. MICROSOFT 365
Virtual MARATHON
May 27 & 28, 2020
36 hours / 2 days
MICROSOFT 365 VIRTUAL MARATHON
Securing IT Against Modern Threats with Microsoft 365 Security Tools
Michael Noel
Partner, CCO
@MichaelTNoel
Broughtto youby:
TheGlobalMicrosoft Community&
M365Conf.com | #M365CONF
#M365VM
M365VirtualMarathon.com

2. MICROSOFT 365
Virtual MARATHON
May 27 & 28, 2020
36 hours / 2 days
Mark Your Calendars:
March 23-25, 2021, MGM Grand Resort
Las Vegas, Nevada, USA
M365Conf.com
#M365CONF
TheSharePoint Conferenceis nowTheMicrosoft 365 CollaborationConference
#M365VM
M365VirtualMarathon.com
Broughtto youby:
TheGlobalMicrosoft Community&
M365Conf.com | #M365CONF

3. THANK YOU TO ALL OUR GENEROUS SPONSORS

4. Michael Noel
@MichaelTNoel
• Authored/Co-authored 20 books including the best-selling
SharePoint, Exchange, and Windows Unleashed series
• Presented at over 230 events in over 85 unique countries
around the world
• Partner at Convergent Computing in the San Francisco Bay
Area (cco.com)

5.  Visit the Vendors Booth, Sessions and Watch the Videos
 Submit Your Answers to Pair up Items to Sponsor Enter the Raffle
 You need at least 5 correct answers then submit for a chance to win!
(One in each Americas, APAC, EMEA)
ARE YOU READY FOR A RAFFLE?
WE ARE GIVING AWAY 3 OCULUS QUEST ALL IN ONE!
https://bit.ly/m365raffle

6. CONSIDER DONATING TO THE FOLLOWING CHARITY RELIEF FUNDS:
UNITED WAY: https://give.uwkc.org/m365vm
INTERNATIONAL MEDICAL CORPS: https://bit.ly/MedicalCorpsFund
10% OF FUNDS FROMSPONSORS GOTO SUPPORT COMMUNITY RELIEF.
FOR MORE INFORMATION WRITE TO: info@m365virtualmarathon.com

7. May 27 & 28, 2020
Michael Noel | EN
#M365VM
 Targeted Attacks
 Spear Phishing (Exec/Finance targeting)
 State-sponsored Attacks (Sony hack, Sea Turtle, etc.)
 IP Theft/Loss (Mass downloads, disgruntled offboards, ‘oversharing.’)
 Data IntegrityChallenges
 Ransomware/Cryptojacking
 “Permanent” deletion of cloud data
 Device Security
 Theft/Compromise
 Malware/Keyboard Loggers/Rootkits
 Information Overload
 Firewall/Syslog log overload
 Audit log overload
 Noise vs signal ratio in IT
 Trying to stay one step ahead of attackers
IT Security: A Vastly Changed Landscape

8. May 27 & 28, 2020
Michael Noel | EN
#M365VM
 Key to password security is not necessarily length, complexity, or
even age; but global uniqueness
 Hackers have access to databases of ‘pwned’ passwords and can
run password hashes against these databases in a matter of
milliseconds
 ‘Passphrases’ that consist of unique seed words are infinitely more
complex and much harder to crack (i.e. “Yellow birdseed hat
pumpkin”)
 Test your password at https://haveibeenpwned.com
Passwords are Not as Secure as You Think

9. May 27 & 28, 2020
Michael Noel | EN
#M365VM
 Exploiting Cached credentials on workstations are a common attack vector
 Any user with local admin rights to a workstation (obtained legitimately or via phishing) can
access the cached credentials of any other user who logged in at some point. If the
passwords are not sufficiently complex or match any darknet database entries, they are
EASILY cracked.
 “Golden Ticket” attacks using hacking tools such as Mimikatz can then leverage elevated
domain rights (i.e. Domain Admin) to hack the krbst account and create non-expiring ‘Golden
Tickets’ that give unfettered rights to all domain resources
Lateral Attacks are Common and Easy to Exploit

10.  Examining Microsoft Security Tools
What’s the Solution?

11. May 27 & 28, 2020
Michael Noel | EN
#M365VM
Microsoft Security in Relation to the NIST Cyber Security
Framework
Identify
• Azure
Active
Directory
• Microsoft
Intune
• SCCM
• Windows
Defender
ATP
Protect
• Azure MFA
• Azure AD
Privileged Identity
Management
• Microsoft Identity
Manager /
Privileged Access
Management
• Azure Information
Protection
• Azure AD
Password
Protection
Detect
• Azure Sentinel
• Microsoft Cloud
App Security
• Azure Advanced
Threat Protection
• Windows
Defender ATP
• Azure Security
Center
• Azure AD
Identity
Protection
Respond
• Azure
Sentinel
• Azure ATP
Recover
• Azure
Security
Center
• Azure Backup

12. May 27 & 28, 2020
Michael Noel | EN
#M365VM
Microsoft Cloud App Security

13. May 27 & 28, 2020
Michael Noel | EN
#M365VM
 ATA is an on-prem version of Azure ATP
 ATA/Azure ATP deploys sensors to domain controllers to look for
behaviors associated with compromised internal systems
 ATA/ATP Sensors perform their calculations locally and then forward their
alerts to the cloud
 Microsoft Advanced Threat Protection (ATP) is a cloud-based version of
ATA that extends the capabilities of ATA to include the following:
 Azure Advanced Threat Protection (Azure ATP)
 Microsoft Defender Advanced Threat Protection (ATP)
 Office 365 Advanced Threat Protection (Office 365 ATP)
Advanced Threat Analytics (ATA) &
Azure Advanced Threat Protection (ATP)

14. May 27 & 28, 2020
Michael Noel | EN
#M365VM
Azure Sentinel
Azure Sentinel builds on the
proven Azure Monitor log
monitoring platform
Azure Sentinel provides for
centralized SIEM capabilities
for logs, alerting and
providing for reporting
trends
Firewall, switch, Windows,
and Linux logs can all be
forwarded to Sentinel to
allow for retroactive
forensics or real-time alerts

15. May 27 & 28, 2020
Michael Noel | EN
#M365VM
Azure AD Password Protection
Azure AD Password Protection runs
as agents on all internal domain
controllers that restrict how a
password is constructed.
Azure AD Password Protection
allows for complexity beyond the
default options in an AD
environment, disallowing passwords
that are known to be compromised
and/or include key words

16. May 27 & 28, 2020
Michael Noel | EN
#M365VM
Azure Multi-Factor Authentication
Azure Multi-factor Authentication
(MFA) integrates with MFA apps
(Google Authenticator, Microsoft
Authentication) and SMS based MFA
to provide for an additional layer of
auth required for traffic.
Deployment of MFA alone can
reduce your exposure to modern
threats by an exponential amount
Runs on a dedicated server or the
Azure AD Connect server

17. May 27 & 28, 2020
Michael Noel | EN
#M365VM
Azure AD Privileged Identity Management (PIM)
Azure AD Privileged Identity
Management (PIM) allows accounts
to be ‘privileged by request’ and not
by default.
Users can initiate requests to raise
their privileged roles, and these
requests can be moderated by
admins and/or monitored.
In the event of a compromise, admin
users will have no special rights until
they have been elevated, which
greatly reduces exposure.

18. May 27 & 28, 2020
Michael Noel | EN
#M365VM
Microsoft Identity Manager / PAM
The On-Prem version of PIM is
integrated into the Microsoft
Identity Manager (MIM) suite in
the form of Privileged Access
Management (PAM.)
PAM works similarly to PIM, with
the exception being that a
Bastion forest is used for
accounts with elevated
privileges.
A Bastion forest exists across a
one-way trust and accounts are
only elevated as needed. This
leaves membership in privileged
groups such as ‘Domain Admins’
to very few active accounts.

19. May 27 & 28, 2020
Michael Noel | EN
#M365VM
 Azure Information Protection provides for the ability to control what
happens to data AFTER it has been accessed.
 Azure IP assigns Information Protection tags to content either manually
or via automatic processes.
 The existing Azure Rights Management Services (Azure RMS) service is
now integrated into Azure RMS.
 Hold Your Own Key (HYOK) allows organizations to secure and encrypt
content using their own private key, removing Microsoft from data
custody.
Azure Information Protection

20. May 27 & 28, 2020
Michael Noel | EN
#M365VM
Azure Security Center
The Azure Security Center
monitors and alerts against hybrid
security scenarios
Alerts are generated from virtual
machines both in the Azure cloud
an in supported on-prem
workloads.
Microsoft prices based on a ‘Free’
tier and a ‘Standard’ tier that
includes advanced automation.
Pricing is determined by the
number and complexity of systems
managed by the platform

21. Licensing SKU
USD /
user /
month
BasicApps
EntApps
RMS
FCI
HYOK/Auto
Class
AADC
MFA
Password
Protection
ATA
ATP
MCAS
PIM/MIM/
PAM
Security
Center
Sentinel
Azure AD – Free Free X
Azure AD – Office 365 Apps *O365 X X
Azure AD Premium P1 $6.00 X X X X
Azure AD Premium P2 $9.00 X X X X X X X
Azure Information Protection - Free Free X
Azure Information Protection – Office 365 Apps *O365 X X
Azure Information Protection Premium P1 $2.00 X X X X
Azure Information Protection Premium P2 $5.00 X X X X X
Enterprise Mobility + Security E3 $8.74 X X X X X X X X
Enterprise Mobility + Security E5 $14.80 X X X X X X X X X X X X
Microsoft 365 E3 $35.00 X X X X X X X X
Microsoft 365 E5 $63.00 X X X X X X X X X X X X
Pay as You Go (Storage and/or Usage) Varies X* X*

22. Michael Noel
CCO.com
@MichaelTNoel
Facebook.com/michaelnoel
Linkedin.com/in/michaeltnoel
SharingTheGlobe.com
Slideshare.net/michaeltnoel
Thank you!
Questions? Speaker feedback
https://bit.ly/M365VMSpeakerFeedback
Event feedback
https://bit.ly/M365VMFeedback