As presented at SPS Lisbon 2019
Organizations today are facing unprecedented and sophisticated attacks on their internal Information Technology infrastructure. These evolving attacks include cryptojacking, spear phishing, credential hijacking, and more, and can result in significant data loss and/or theft of confidential and valuable intellectual property. In response to these threats, Microsoft has released an array of tools such as Azure Sentinel, Cloud App Security, Azure Advanced Threat Protection, and more which can help to secure and protect against these threats. These tools work with both On-Premises and cloud-based infrastructure to provide for comprehensive protection of hybrid environments.
This session breaks down each of these Microsoft tools and provides for an understanding of their value for specific security scenarios. A simple, no-marketing approach is taken to evaluating each individual tool, and a simple breakdown of what is provided with each Microsoft licensing model is outlined. Attendees will gain a better appreciation of which tools to utilize and how to better protect their Information Technology investments from the type of career-ending attacks which are unfortunately common today.
• Understand how modern threats such as cryptojacking, spear phishing, credential hijacking, and more are commonly faced in today’s IT environments and what tools and techniques can be used to mitigate the risk faced by these modern threats
• Examine Microsoft security tools such as Azure Sentinel, Azure Advanced Threat Protection, Azure Security Center, Cloud App Security, Azure AD Privileged Identity Management, Azure AD Identity Protection, Azure Information Protection, and more.
• Understand which tools are available for each licensing model in the Microsoft world and when it may make sense to ‘upgrade’ existing licenses to support specific toolsets as opposed to investment in third-party tools
SPS Lisbon 2019 - Securing IT with MS Cloud Solutions - Michael Noel
1. Securing IT Against Modern Threats with Microsoft 365 Security Tools
MICHAEL NOEL, CCO
3. Michael Noel @MichaelTNoel
Authored/Co-authored 20 books including the best-selling SharePoint, Exchange, and Windows Unleashed series
Presented at over 230 events in over 85 unique countries around the world
Partner at Convergent Computing in the San Francisco Bay Area (cco.com)
4. IT Security: A Vastly Changed Landscape
Targeted Attacks
◦ Spear Phishing (Exec/Finance targeting)
◦ State-sponsored Attacks (Sony hack, Sea Turtle, etc.)
◦ IP Theft/Loss (Mass downloads, disgruntled offboards, ‘oversharing.’)
Data Integrity Challenges
◦ Ransomware/Cryptojacking
◦ “Permanent” deletion of cloud data
Device Security
◦ Theft/Compromise
◦ Malware/Keyboard Loggers/Rootkits
Information Overload
◦ Firewall/Syslog log overload
◦ Audit log overload
◦ Noise vs signal ratio in IT
◦ Trying to stay one step ahead of attackers
5. Passwords are Not as Secure as You Think
The key to password security is not necessarily length, complexity, or even age, but global uniqueness.
Hackers have access to databases of ‘pwned’ passwords and can run password hashes against these databases in a matter of milliseconds.
‘Passphrases’ that consist of unique seed words are infinitely more complex and much harder to crack (e.g. “Yellow birdseed hat pumpkin”).
Test your password at https://haveibeenpwned.com
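As an added illustration of the "global uniqueness" point (example code written for this page, not from the presentation and not the Have I Been Pwned client), the following shows how the Pwned Passwords range API is meant to be used: only the first five hex characters of the password's SHA-1 hash are sent, the service answers with every hash suffix it knows under that prefix, and the comparison happens locally, so the password never leaves the machine. `PWNED_RANGE_URL` is the real endpoint; the breach corpus, its counts and the `constructed_range_response` function are constructed stand-ins for the HTTP call so that the example runs offline.

```python
"""Check a candidate password against a Pwned Passwords style range response.

Added example, not code from the presentation.  The constructed breach
corpus and the offline fetch function stand in for the real HTTP call.
"""
import hashlib
from typing import Callable, Dict, Tuple

# Real endpoint of the Pwned Passwords range API; only a 5-character prefix is sent.
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed sample of breached passwords with made-up prevalence counts.
CONSTRUCTED_BREACHED = {
    "password": 3861493,
    "P@ssw0rd": 58231,
    "Summer2019!": 1204,
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the UTF-8 password, the form the API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_prefix(password: str) -> Tuple[str, str]:
    """k-anonymity split: (5-char prefix sent to the service, 35-char suffix kept local)."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def constructed_range_response(prefix: str) -> str:
    """Offline stand-in for `GET PWNED_RANGE_URL + prefix`.

    Mirrors the real response shape: one "SUFFIX:COUNT" line per breached hash
    that shares the requested prefix (the real service returns hundreds per prefix).
    """
    lines = []
    for pw, count in CONSTRUCTED_BREACHED.items():
        p, suffix = split_prefix(pw)
        if p == prefix:
            lines.append(f"{suffix}:{count}")
    return "\r\n".join(lines)


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse "SUFFIX:COUNT" lines into a lookup table."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str,
                 fetch: Callable[[str], str] = constructed_range_response) -> int:
    """How many times the password appears in the corpus (0 = not seen).

    `fetch` receives only the hash prefix; the suffix comparison stays local.
    A production caller would pass a function that performs the HTTPS GET.
    """
    prefix, suffix = split_prefix(password)
    return parse_range_response(fetch(prefix)).get(suffix, 0)


def is_globally_unique(password: str,
                       fetch: Callable[[str], str] = constructed_range_response) -> bool:
    return breach_count(password, fetch) == 0


if __name__ == "__main__":
    for candidate in ("password", "P@ssw0rd", "Yellow birdseed hat pumpkin"):
        n = breach_count(candidate)
        print(f"{candidate!r}: {'seen %d times' % n if n else 'not in breach corpus'}")
```

The `fetch` parameter is the only place a network call belongs; keeping it injectable means the prefix-only contract can be asserted in a test, which is the property that makes this check safe to run against a third-party service.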
6. Lateral Attacks are Common and Easy to Exploit
Exploiting cached credentials on workstations is a common attack vector.
Any user with local admin rights to a workstation (obtained legitimately or via phishing) can access the cached credentials of any other user who logged in at some point. If the passwords are not sufficiently complex or match any darknet database entries, they are EASILY cracked.
“Golden Ticket” attacks using hacking tools such as Mimikatz can then leverage elevated domain rights (i.e. Domain Admin) to compromise the krbtgt account and create non-expiring ‘Golden Tickets’ that give unfettered rights to all domain resources.
10. Advanced Threat Analytics (ATA) & Azure Advanced Threat Protection (ATP)
ATA is an on-prem version of Azure ATP.
ATA/Azure ATP deploys sensors to domain controllers to look for behaviours associated with compromised internal systems.
ATA/ATP sensors perform their calculations locally and then forward their alerts to the cloud.
Microsoft Advanced Threat Protection (ATP) is a cloud-based version of ATA that extends the capabilities of ATA to include the following:
◦ Azure Advanced Threat Protection (Azure ATP)
◦ Windows Defender Advanced Threat Protection (Windows Defender ATP)
◦ Office 365 Advanced Threat Protection (Office 365 ATP)
11. Azure Sentinel
Azure Sentinel builds on the proven Azure Monitor log monitoring platform.
Azure Sentinel provides for centralised SIEM capabilities for logs, alerting and providing for reporting trends.
Firewall, switch, Windows, and Linux logs can all be forwarded to Sentinel to allow for retroactive forensics or real-time alerts.
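The Golden Ticket scenario from the lateral-attack slide and the real-time alerting described here meet in the kind of correlation a SIEM or a domain-controller sensor performs. The block below is an added example written for this page (not code from the presentation, from ATA or from Sentinel) that runs two simplified heuristics over a constructed stream of Windows Security events: a forged TGT is never issued by a domain controller, so service-ticket requests (event 4769) for an account with no TGT request (event 4768) inside the assumed ticket lifetime are suspicious, and service tickets negotiated with RC4 (0x17) in a domain that otherwise uses AES (0x12) point to an encryption downgrade. Field names are modelled on the 4768/4769 event schemas, the 10-hour lookback is the default domain TGT lifetime taken as an assumption, and a production version would need events from every domain controller plus TGT renewals (event 4770) to avoid false positives.

```python
"""Correlate Kerberos events to surface service-ticket use without a matching TGT.

Added example, not code from the presentation or from Microsoft.  Events are
constructed; field names are modelled on Windows Security events 4768 (TGT
requested) and 4769 (service ticket requested).
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Constructed sample events (one merged stream from all domain controllers).
SAMPLE_EVENTS: List[dict] = [
    {"time": "2019-11-16T08:01:10", "id": 4768, "user": "alice", "ip": "10.1.5.21", "enc": "0x12"},
    {"time": "2019-11-16T08:01:12", "id": 4769, "user": "alice", "ip": "10.1.5.21", "service": "cifs/fs01", "enc": "0x12"},
    {"time": "2019-11-16T09:15:00", "id": 4768, "user": "bob", "ip": "10.1.5.44", "enc": "0x12"},
    {"time": "2019-11-16T09:15:03", "id": 4769, "user": "bob", "ip": "10.1.5.44", "service": "ldap/dc01", "enc": "0x12"},
    # svc-backup obtains service tickets although no DC issued it a TGT, and with RC4.
    {"time": "2019-11-16T11:40:00", "id": 4769, "user": "svc-backup", "ip": "10.1.9.200", "service": "cifs/fs01", "enc": "0x17"},
    {"time": "2019-11-16T11:40:05", "id": 4769, "user": "svc-backup", "ip": "10.1.9.200", "service": "ldap/dc01", "enc": "0x17"},
]

# Assumed maximum TGT lifetime; the default domain policy is 10 hours.
TGT_LOOKBACK = timedelta(hours=10)
EXPECTED_ENC = "0x12"   # AES256-CTS-HMAC-SHA1-96


def _t(e: dict) -> datetime:
    return datetime.fromisoformat(e["time"])


def tgs_without_tgt(events: List[dict], lookback: timedelta = TGT_LOOKBACK) -> List[dict]:
    """4769 events whose account has no 4768 in the preceding lookback window."""
    tgt_times: Dict[str, List[datetime]] = defaultdict(list)
    for e in events:
        if e["id"] == 4768:
            tgt_times[e["user"]].append(_t(e))
    alerts = []
    for e in events:
        if e["id"] != 4769:
            continue
        t = _t(e)
        if not any(t - lookback <= issued <= t for issued in tgt_times[e["user"]]):
            alerts.append(e)
    return alerts


def encryption_downgrade(events: List[dict], expected: str = EXPECTED_ENC) -> List[dict]:
    """4769 events negotiated with a weaker encryption type than the domain expects."""
    return [e for e in events if e["id"] == 4769 and e.get("enc") != expected]


def summarize(alerts: List[dict]) -> Dict[str, Set[str]]:
    """Group alerting events by account, listing the services each one reached."""
    by_user: Dict[str, Set[str]] = defaultdict(set)
    for e in alerts:
        by_user[e["user"]].add(e["service"])
    return dict(by_user)


if __name__ == "__main__":
    for name, hits in (("TGS without TGT", tgs_without_tgt(SAMPLE_EVENTS)),
                       ("encryption downgrade", encryption_downgrade(SAMPLE_EVENTS))):
        print(f"{name}: {summarize(hits)}")
```

Both heuristics are deliberately coarse: the first one is only meaningful over a complete, time-synchronised feed from every domain controller, and the second one needs the domain's actual supported encryption types as its baseline rather than a constant.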
12. Azure AD Password Protection
Azure AD Password Protection runs as agents on all internal domain controllers that restrict how a password is constructed.
Azure AD Password Protection allows for complexity beyond the default options in an AD environment, disallowing passwords that are known to be compromised and/or include banned key words.
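To make the "beyond the default options" claim concrete, here is an added example (written for this page, not Microsoft's code) that models the banned-password evaluation Azure AD Password Protection documents: the candidate is normalised (lower-cased, with the substitutions 0→o, 1→l, $→s and @→a), banned words are located with fuzzy matching at edit distance one, and the password scores one point per banned word found plus one point per remaining character, needing five points to pass. The banned list is a small constructed one, and restricting fuzzy windows to keep the banned word's first and last character is an assumption made here so that an innocent neighbouring character is not absorbed into a match.

```python
"""Model of the banned-password evaluation that Azure AD Password Protection documents.

Added example, not Microsoft's code: it follows the documented steps
(normalisation, fuzzy match at edit distance one, scoring with a five-point
minimum) on a small constructed banned list.
"""
from typing import List, Tuple

# Documented normalisation: lower-case, then common character substitutions.
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "$": "s", "@": "a"})

# Constructed banned list (the real global list is maintained by Microsoft).
BANNED = ["password", "contoso", "welcome", "summer", "blank"]
MINIMUM_POINTS = 5


def normalize(password: str) -> str:
    return password.lower().translate(SUBSTITUTIONS)


def within_one_edit(a: str, b: str) -> bool:
    """True if a and b differ by at most one insertion, deletion or substitution."""
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a                       # ensure a is the shorter string
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i, j = i + 1, j + 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) == len(b):
            i, j = i + 1, j + 1           # substitution
        else:
            j += 1                        # extra character in the longer string
    edits += (len(b) - j) + (len(a) - i)  # unmatched tail
    return edits <= 1


def find_banned(normalized: str, banned: List[str]) -> List[Tuple[int, int, str]]:
    """Non-overlapping spans of banned words: longest words first, exact match before fuzzy."""
    consumed = [False] * len(normalized)
    spans = []
    for word in sorted(banned, key=len, reverse=True):
        for length in (len(word), len(word) - 1, len(word) + 1):
            if length < 1:
                continue
            for start in range(0, len(normalized) - length + 1):
                end = start + length
                window = normalized[start:end]
                if any(consumed[start:end]):
                    continue
                # Assumption: fuzzy windows must keep the word's first and last characters.
                if length != len(word) and (window[0] != word[0] or window[-1] != word[-1]):
                    continue
                if within_one_edit(window, word):
                    spans.append((start, end, word))
                    for k in range(start, end):
                        consumed[k] = True
    return sorted(spans)


def score(password: str, banned: List[str] = BANNED) -> Tuple[int, List[str]]:
    """Documented scoring: each banned word = 1 point, each other character = 1 point."""
    normalized = normalize(password)
    spans = find_banned(normalized, banned)
    consumed_chars = sum(end - start for start, end, _ in spans)
    points = len(spans) + (len(normalized) - consumed_chars)
    return points, [w for _, _, w in spans]


def is_acceptable(password: str, banned: List[str] = BANNED) -> bool:
    return score(password, banned)[0] >= MINIMUM_POINTS


if __name__ == "__main__":
    for pw in ("P@$$w0rd", "C0ntos0Blank12", "ContoS0Bl@nkf9!"):
        pts, words = score(pw)
        print(f"{pw!r}: {pts} points, banned words {words}, "
              f"{'accepted' if is_acceptable(pw) else 'rejected'}")
```

The scoring explains why leetspeak variants of a banned word fail on their own: "P@$$w0rd" normalises to "password" and is worth a single point, so no amount of substitution rescues it, whereas appended characters that are not themselves banned words each add a point.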
13. Azure Multi-Factor Authentication
Azure Multi-Factor Authentication (MFA) integrates with MFA apps (Google Authenticator, Microsoft Authenticator) and SMS-based MFA to provide for an additional layer of authentication required for sign-in traffic.
Deployment of MFA alone can reduce your exposure to modern threats by an exponential amount.
Runs on a dedicated server or the Azure AD Connect server.
14. Azure AD Privileged Identity Management (PIM)
Azure AD Privileged Identity Management (PIM) allows accounts to be ‘privileged by request’ and not by default.
Users can initiate requests to raise their privileged roles, and these requests can be moderated by admins and/or monitored.
In the event of a compromise, admin users will have no special rights until they have been elevated, which greatly reduces exposure.
15. Microsoft Identity Manager / PAM
The On-Prem version of PIM is integrated into the Microsoft Identity Manager (MIM) suite in the form of Privileged Access Management (PAM).
PAM works similarly to PIM, with the exception being that a Bastion forest is used for accounts with elevated privileges.
A Bastion forest exists across a one-way trust and accounts are only elevated as needed. This leaves membership in privileged groups such as ‘Domain Admins’ to very few active accounts.
16. Azure Information Protection
Azure Information Protection provides for the ability to control what happens to data AFTER it has been accessed.
Azure IP assigns Information Protection tags to content either manually or via automatic processes.
The existing Azure Rights Management Services (Azure RMS) service is now integrated into Azure Information Protection.
Hold Your Own Key (HYOK) allows organisations to secure and encrypt content using their own private key, removing Microsoft from data custody.
17. Azure Security Center
The Azure Security Center monitors and alerts against hybrid security scenarios.
Alerts are generated from virtual machines both in the Azure cloud and in supported on-prem workloads.
Microsoft prices based on a ‘Free’ tier and a ‘Standard’ tier that includes advanced automation. Pricing is determined by the number and complexity of systems managed by the platform.
18. Licensing SKU | EUR / user / month | BasicApps | EntApps | RMS | FCI | HYOK/AutoClass | AADC | MFA | Password Protection | ATA | ATP | MCAS | PIM/MIM/PAM | Security Center | Sentinel
Azure AD – Free Free X
Azure AD – Office 365 Apps *O365 X X
Azure AD Premium P1 5.06 € X X X X
Azure AD Premium P2 7.59 € X X X X X X X
Azure Information Protection - Free Free X
Azure Information Protection – Office 365 Apps *O365 X X
Azure Information Protection Premium P1 1.69 € X X X X
Azure Information Protection Premium P2 4.22 € X X X X X
Enterprise Mobility + Security E3 7.40 € X X X X X X X X
Enterprise Mobility + Security E5 12.50 € X X X X X X X X X X X X
Microsoft 365 E3* 55.00 € X X X X X X X X
Microsoft 365 E5* 85.00 € X X X X X X X X X X X X
Pay as You Go (Storage/Retention) + Sentinel Varies X* X*