Joe Stocker, CISSP, MCITP, VTSP, Patriot Consulting. Source: files.meetup.com/18259330/azure user group...

Posted on 03-Feb-2020


TRANSCRIPT

Joe Stocker, CISSP, MCITP, VTSP

Patriot Consulting


Principal Systems Architect with 17 Years of experience

Technical certifications: MCSE, MCITP Office 365, CISSP

B.S. Biola University.

Microsoft “Virtual Technology Sales Professional” b-joes@Microsoft.com

Twitter: @ITGuySoCal

Blog: www.TheCloudTechnologist.com

LinkedIn: https://www.linkedin.com/in/jstocker101

My Company: www.PatriotConsultingTech.com

Microsoft Cloud Evangelist at Patriot Consulting

Top 10 Security Threats and how Azure Security Solutions can help.

Live demonstration of the newest Microsoft Security technologies:

- Azure AD Identity Protection

- Azure AD Privileged Identity Management

- Azure Information Protection

- Cloud App Discovery

- Azure Security Center

- Advanced Security Management

- Advanced Threat Protection

- OMS Security Suite

[Chart: attacker targeting and sophistication rising over time, across 2003–2004, 2005–present, and 2012–beyond]

Questions organizations ask about cloud apps, and the capability that answers each:

- Shadow IT: How do I know what apps are used in my environment?
- Access control: How do I ensure appropriate access to my cloud apps?
- Visibility/reporting: How do I gain visibility into cloud apps and usage?
- Data protection: How do I prevent data leakage?
- Threat prevention: How do I know if my users have been breached?
- Compliance: How do I address regulatory mandates?

Security Issue #1: Weak, Default, or Stolen Passwords

63% of data breaches involve weak, default, or stolen passwords (Verizon 2016 Data Breach Investigations Report).

CLOUD-POWERED PROTECTION: Azure AD Identity Protection

- A machine-learning engine detects leaked credentials, infected devices, configuration vulnerabilities, brute force attacks, and suspicious sign-in activities
- Gain insights from a consolidated view of machine learning based threat detection, with risk severity calculation and remediation recommendations
- Risk-based policies: risk-based conditional access automatically protects against suspicious logins and compromised credentials by issuing an MFA challenge for risky logins, blocking attacks, and forcing a change of bad credentials
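The two policies the slide describes (MFA on a risky sign-in, password change on a risky user), as an added example written for this page with the Microsoft Graph PowerShell SDK; it is not code from the deck or from Microsoft. The break-glass object id, the policy names and the seven-day window are assumptions, and the final query is the check a practitioner wants afterwards: risky sign-ins that no policy touched.

```powershell
# Added example, not from the deck: the two risk-based Conditional Access policies
# Identity Protection drives, created with the Microsoft Graph PowerShell SDK.
# Modules: Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Reports.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'AuditLog.Read.All', 'Directory.Read.All'

# Assumed object id of an emergency-access (break-glass) account. Never leave
# this out: one false-positive risk detection can otherwise lock every admin out.
$breakGlass = '00000000-0000-0000-0000-000000000000'

# Policy 1: sign-in risk medium or high -> require MFA for that sign-in.
$signInRiskPolicy = @{
    displayName   = 'CA-SignInRisk-RequireMFA'
    # Report-only first; read the sign-in log for a week, then set 'enabled'.
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        signInRiskLevels = @('high', 'medium')
        clientAppTypes   = @('all')
        applications     = @{ includeApplications = @('All') }
        users            = @{ includeUsers = @('All'); excludeUsers = @($breakGlass) }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $signInRiskPolicy

# Policy 2: user risk high (e.g. leaked credentials) -> MFA AND password change,
# which is what "change bad credentials" on the slide means in practice.
$userRiskPolicy = @{
    displayName   = 'CA-UserRisk-ForcePasswordChange'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        userRiskLevels = @('high')
        clientAppTypes = @('all')
        applications   = @{ includeApplications = @('All') }
        users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlass) }
    }
    grantControls = @{ operator = 'AND'; builtInControls = @('mfa', 'passwordChange') }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $userRiskPolicy

# Check: high-risk sign-ins in the last 7 days that no Conditional Access policy
# applied to. Anything listed here is a gap in policy scope, not just a risky user.
$since = (Get-Date).ToUniversalTime().AddDays(-7).ToString('yyyy-MM-ddTHH:mm:ssZ')
Get-MgAuditLogSignIn -All -Filter "riskLevelDuringSignIn eq 'high' and createdDateTime ge $since" |
    Where-Object { $_.ConditionalAccessStatus -eq 'notApplied' } |
    Select-Object CreatedDateTime, UserPrincipalName, IPAddress, RiskState, ConditionalAccessStatus
```

Both policies start in report-only mode on purpose: the sign-in log then shows what each policy would have done, and the account exclusion keeps a detection error from becoming an outage.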

Security Issue #2: Attackers Target Global Admins (Privileged Accounts)

CLOUD-POWERED PROTECTION: Azure AD Privileged Identity Management

- Discover, restrict, and monitor privileged identities
- Enforce on-demand, just-in-time administrative access when needed
- Provides more visibility through alerts, audit reports and access reviews

Privileged roles covered include Global Administrator, Billing Administrator, Exchange Administrator, User Administrator, and Password Administrator.
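The discover / restrict / just-in-time / monitor loop above, as an added example written for this page against the Microsoft Graph PowerShell SDK (not code from the deck or from Microsoft). The Global Administrator template id is the well-known one that is the same in every tenant; the ticket number, ticket system and one-hour duration are assumptions.

```powershell
# Added example, not from the deck: discover permanent Global Administrators,
# list what the signed-in user is eligible for, activate just-in-time through
# PIM, then review activations. Module: Microsoft.Graph.Identity.Governance.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'RoleAssignmentSchedule.ReadWrite.Directory',
                        'RoleEligibilitySchedule.Read.Directory', 'AuditLog.Read.All', 'User.Read'

# Well-known template id of the Global Administrator role (identical in every tenant).
$globalAdminRoleId = '62e90394-69f5-4237-9190-012177145e10'

# 1. Discover: permanent (active, non-PIM) Global Admin assignments. With PIM in
#    place this list should contain only the break-glass accounts.
Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$globalAdminRoleId'" -All |
    ForEach-Object {
        $p = Get-MgDirectoryObject -DirectoryObjectId $_.PrincipalId
        [pscustomobject]@{
            PrincipalId = $_.PrincipalId
            Type        = $p.AdditionalProperties['@odata.type']
            DisplayName = $p.AdditionalProperties['displayName']
            Scope       = $_.DirectoryScopeId
        }
    }

# 2. Restrict: the signed-in user holds nothing permanently; what is eligible?
$me = (Get-MgUser -UserId (Get-MgContext).Account).Id
Get-MgRoleManagementDirectoryRoleEligibilitySchedule -Filter "principalId eq '$me'" -ExpandProperty RoleDefinition |
    Select-Object @{ n = 'Role'; e = { $_.RoleDefinition.DisplayName } }, DirectoryScopeId, Status

# 3. Just-in-time: activate Global Admin for one hour with a justification and
#    ticket reference (ticket values are assumptions for the example).
$request = @{
    action           = 'selfActivate'
    principalId      = $me
    roleDefinitionId = $globalAdminRoleId
    directoryScopeId = '/'
    justification    = 'INC-0001: reset password on compromised account'
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime()
        expiration    = @{ type = 'afterDuration'; duration = 'PT1H' }
    }
    ticketInfo       = @{ ticketNumber = 'INC-0001'; ticketSystem = 'ServiceNow' }
}
New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $request

# 4. Monitor: every activation lands in the directory audit log under the PIM service.
Get-MgAuditLogDirectoryAudit -Top 20 `
    -Filter "loggedByService eq 'PIM' and activityDisplayName eq 'Add member to role completed (PIM activation)'" |
    Select-Object ActivityDateTime, @{ n = 'Actor'; e = { $_.InitiatedBy.User.UserPrincipalName } }, Result
```

Step 1 is the one to run first: the point of PIM is that step 3 becomes the only way to hold the role, so any principal still returned by step 1 other than the emergency accounts is a finding.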

Security Issue #3: Sensitive Files Being Leaked

Azure Information Protection covers the full data lifecycle:

- Classification & labeling: classification, labeling
- Protect: encryption, access control, policy enforcement
- Monitor & respond: document tracking, document revocation

Security Issue #4: Shadow IT

Microsoft Azure Active Directory Cloud App Discovery

Many more cloud apps are in use than IT estimates (Source: Help Net Security 2014).

CLOUD-POWERED PROTECTION: discover all SaaS apps in use within your organization, with comprehensive reporting on:

• SaaS app category
• Number of users
• Utilization volume

Security Issue #5: Spear Phishing

91% of successful data breaches started with a spear-phishing attack [Source: Trend Micro].

Example of a business e-mail compromise message:

From: Real CEO’s Full Name [mailto:RealCEO@contoso.com]
Sent: Monday, March 21, 2016 9:53 AM
To: (Unsuspecting End-User, probably in the Accounting Department) <AccountingClerk@contoso.com>
Subject: RE: Invoice Payment

Jane,

I need you to process an urgent payment, which needs to go out today as a same value day payment. Let me know when you are set to proceed, so i can have the account information forwarded to you once received.

Awaiting your response.

Regards

Thanks.
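A triage check for the pattern in the message above, as an added example written for this page (not from the deck). The executive list, the organization domain and all three sample messages, including their Authentication-Results headers, are constructed; the first sample reproduces the slide's message with the headers a spoofed copy of it would carry.

```powershell
# Added example, not from the deck: flag display-name, look-alike-domain and
# Reply-To tricks used in CEO-fraud mail. All inputs below are constructed.
$OrgDomain  = 'contoso.com'
$Executives = @("Real CEO's Full Name", 'Jane CFO')   # display names worth impersonating

function Get-MailAddress {
    # Splits "Name <addr>", "Name [mailto:addr]" or a bare address into parts.
    param([string]$Header)
    $name = ''; $addr = $Header.Trim()
    if ($Header -match '^\s*"?(?<name>[^"<\[]*?)"?\s*[<\[](?:mailto:)?(?<addr>[^>\]]+)[>\]]') {
        $name = $Matches['name'].Trim(); $addr = $Matches['addr'].Trim()
    }
    return @{ Name = $name; Address = $addr.ToLowerInvariant(); Domain = ($addr -split '@')[-1].ToLowerInvariant() }
}

function Get-EditDistance {
    # Levenshtein distance, used to spot contos0.com / c0ntoso.com style look-alikes.
    param([string]$a, [string]$b)
    $d = New-Object 'int[,]' ($a.Length + 1), ($b.Length + 1)
    for ($i = 0; $i -le $a.Length; $i++) { $d[$i, 0] = $i }
    for ($j = 0; $j -le $b.Length; $j++) { $d[0, $j] = $j }
    for ($i = 1; $i -le $a.Length; $i++) {
        for ($j = 1; $j -le $b.Length; $j++) {
            $cost = if ($a[$i - 1] -eq $b[$j - 1]) { 0 } else { 1 }
            $d[$i, $j] = [Math]::Min([Math]::Min($d[$i - 1, $j] + 1, $d[$i, $j - 1] + 1), $d[$i - 1, $j - 1] + $cost)
        }
    }
    return $d[$a.Length, $b.Length]
}

function Test-BecIndicators {
    param([hashtable]$Msg)   # keys: From, ReplyTo, AuthResults, Subject, Body
    $findings = @()
    $from = Get-MailAddress $Msg.From

    # 1. An executive's display name on an address outside the organization.
    if ($Executives -contains $from.Name -and $from.Domain -ne $OrgDomain) {
        $findings += "executive display name '$($from.Name)' on external address $($from.Address)"
    }
    # 2. Sender domain one or two edits away from ours (typosquat).
    if ($from.Domain -ne $OrgDomain) {
        $dist = Get-EditDistance $from.Domain $OrgDomain
        if ($dist -le 2) { $findings += "look-alike sender domain $($from.Domain) (edit distance $dist)" }
    }
    # 3. Reply-To pointing somewhere other than the visible sender.
    if ($Msg.ReplyTo) {
        $reply = Get-MailAddress $Msg.ReplyTo
        if ($reply.Domain -ne $from.Domain) { $findings += "Reply-To domain $($reply.Domain) differs from From domain" }
    }
    # 4. Our own domain in From: but SPF/DKIM/DMARC failed: the header is forged.
    if ($Msg.AuthResults -match 'spf=(fail|softfail)|dkim=fail|dmarc=fail') {
        $findings += 'SPF/DKIM/DMARC failure on the From domain'
    }
    # 5. Payment-urgency wording; weak alone, strong together with any of the above.
    $text = "$($Msg.Subject) $($Msg.Body)"
    $hits = @('urgent', 'same value day', 'wire', 'payment', 'today', 'confidential') | Where-Object { $text -match [regex]::Escape($_) }
    if (@($hits).Count -ge 2) { $findings += "urgency/payment language: $($hits -join ', ')" }

    return [pscustomobject]@{ Subject = $Msg.Subject; From = $from.Address; Score = $findings.Count; Findings = $findings }
}

# Constructed sample messages.
$messages = @(
    @{  # the slide's message: our own domain in From, but authentication failed and Reply-To is elsewhere
        From = "Real CEO's Full Name [mailto:RealCEO@contoso.com]"; ReplyTo = 'ceo.office@mail-contoso-secure.com'
        AuthResults = 'spf=fail smtp.mailfrom=contoso.com; dkim=none; dmarc=fail action=none header.from=contoso.com'
        Subject = 'RE: Invoice Payment'
        Body = 'I need you to process an urgent payment, which needs to go out today as a same value day payment.'
    },
    @{  # look-alike domain registered by the attacker, so SPF and DMARC pass
        From = "`"Real CEO's Full Name`" <RealCEO@contos0.com>"; ReplyTo = $null
        AuthResults = 'spf=pass smtp.mailfrom=contos0.com; dmarc=pass header.from=contos0.com'
        Subject = 'Wire transfer'; Body = 'Please handle this wire today, I am in a meeting.'
    },
    @{  # ordinary internal mail
        From = 'Accounts Payable <ap@contoso.com>'; ReplyTo = $null
        AuthResults = 'spf=pass smtp.mailfrom=contoso.com; dmarc=pass header.from=contoso.com'
        Subject = 'March expense reports'; Body = 'Reminder that expense reports are due on the 31st.'
    }
)
$messages | ForEach-Object { Test-BecIndicators $_ } | Format-List
```

The first two samples each score 3 and the third scores 0. The second sample is the one signature checks miss: the attacker owns contos0.com, so SPF and DMARC both pass, and only the display-name and edit-distance checks catch it.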

Security Issue #6: Detecting Intrusions

200 days. That’s the average time an attacker goes undetected.

Office 365 Advanced Security Management:

- Gain enhanced visibility and context into your Office 365 usage and shadow IT, with no agents required
- Identify high-risk and abnormal usage, security incidents, and threats
- Shape your Office 365 environment with granular security controls and policies

Security Issue #7: Employee Exits

How do I wipe business data from a personally owned mobile phone or tablet?

Intune mobile application management:

- Maximize mobile productivity and protect corporate resources with Office mobile apps, including multi-identity support
- Extend these capabilities to your existing line-of-business apps using the Intune App Wrapping Tool
- Enable secure viewing of content using the Managed Browser, PDF Viewer, AV Player, and Image Viewer apps

[Diagram: multi-identity policy. Corporate data lives in managed apps controlled by IT; personal data lives in personal apps controlled by the user. That separation is what lets business data be wiped from a personal device without touching personal data.]

Security Issue #8: Conventional Antivirus is Insufficient

10% of viruses get by antivirus “blacklists”.

Windows Defender ATP: post-breach detection and response on the endpoint, rather than reliance on signature blacklists.

Security Issue #9: Assume Breach

There are companies who have been hacked, and companies who don’t know they have been hacked.

Microsoft Advanced Threat Analytics (ATA)

Microsoft Advanced Threat Analytics brings the behavioral analytics concept to IT and the organization’s users: an on-premises platform to identify advanced security attacks and insider threats before they cause damage.

DETECT ATTACKS BEFORE THEY CAUSE DAMAGE. ATA works in three stages:

1. Analyze: ATA analyzes all Active Directory-related traffic and collects relevant events from the SIEM.
2. Learn: ATA automatically learns all entities’ behaviors.
3. Detect: ATA builds the organizational security graph, detects abnormal behavior, protocol attacks and weaknesses, and constructs an attack timeline.

Detections, grouped by attack phase:

Reconnaissance
- Abnormal resource access
- Account enumeration
- Net Session enumeration
- DNS enumeration
- SAM-R enumeration

Compromised credential
- Abnormal working hours
- Brute force using NTLM, Kerberos, or LDAP
- Sensitive accounts exposed in plain text authentication
- Service accounts exposed in plain text authentication
- Honey Token account suspicious activities
- Unusual protocol implementation
- Malicious Data Protection Private Information (DPAPI) request

Lateral movement
- Abnormal authentication requests
- Abnormal resource access
- Pass-the-Ticket
- Pass-the-Hash
- Overpass-the-Hash

Privilege escalation
- MS14-068 exploit (Forged PAC)
- MS11-013 exploit (Silver PAC)
- Skeleton key malware
- Golden ticket

Domain dominance
- Remote execution
- Malicious replication requests
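Three of the detections in the list above (honey token activity, account enumeration, brute force using Kerberos), written as an added example for this page over constructed domain-controller Security log events. This is not ATA's code: ATA works from the network traffic to the DC, while this check uses the equivalent event IDs (4768 and 4771 with their Kerberos failure codes, 4769). The thresholds, the decoy account name and every event are assumptions.

```powershell
# Added example, not ATA's own logic: honeytoken, enumeration and brute-force
# detections as a check over constructed Security log events.
$HoneyTokens    = @('svc-honey')              # decoy accounts nobody should ever use
$BruteThreshold = 10                          # pre-auth failures from one source...
$BruteWindow    = [TimeSpan]::FromMinutes(5)  # ...within this window
$EnumThreshold  = 5                           # distinct unknown principals from one source

function Find-SuspiciousAuth {
    param([object[]]$Events)   # objects with Id, Time, Account, Source, Status
    $alerts = @()

    # Honey token: any activity at all for a decoy account is an alert.
    foreach ($e in ($Events | Where-Object { $HoneyTokens -contains $_.Account })) {
        $alerts += [pscustomobject]@{
            Severity = 'High'; Detection = 'Honey token account activity'
            Source   = $e.Source; Detail = "Event $($e.Id) for $($e.Account) at $($e.Time.ToString('HH:mm:ss'))"
        }
    }

    # Account enumeration: 4768 with failure code 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN)
    # for many different names from one source is someone guessing usernames.
    $unknown = $Events | Where-Object { $_.Id -eq 4768 -and $_.Status -eq '0x6' }
    foreach ($g in ($unknown | Group-Object Source)) {
        $names = @($g.Group.Account | Sort-Object -Unique)
        if ($names.Count -ge $EnumThreshold) {
            $alerts += [pscustomobject]@{
                Severity = 'Medium'; Detection = 'Account enumeration (Kerberos)'
                Source   = $g.Name; Detail = "$($names.Count) unknown principals: $($names -join ', ')"
            }
        }
    }

    # Brute force: 4771 with failure code 0x18 (bad password) from one source,
    # $BruteThreshold times inside $BruteWindow. Many accounts = password spray.
    $failures = $Events | Where-Object { $_.Id -eq 4771 -and $_.Status -eq '0x18' }
    foreach ($g in ($failures | Group-Object Source)) {
        $sorted = @($g.Group | Sort-Object Time)
        for ($i = 0; ($i + $BruteThreshold - 1) -lt $sorted.Count; $i++) {
            $j = $i + $BruteThreshold - 1
            $span = $sorted[$j].Time - $sorted[$i].Time
            if ($span -le $BruteWindow) {
                $accounts = @($sorted[$i..$j].Account | Sort-Object -Unique)
                $kind = if ($accounts.Count -gt 1) { 'password spray' } else { 'single account' }
                $alerts += [pscustomobject]@{
                    Severity = 'High'; Detection = "Brute force using Kerberos ($kind)"
                    Source   = $g.Name; Detail = "$($j - $i + 1) failures in $($span.TotalSeconds)s against $($accounts -join ', ')"
                }
                break
            }
        }
    }
    return $alerts
}

# Constructed sample events (not real log data).
$t0 = Get-Date '2016-03-21 09:00:00'
function New-Event { param($Id, $Sec, $Account, $Source, $Status)
    [pscustomobject]@{ Id = $Id; Time = $t0.AddSeconds($Sec); Account = $Account; Source = $Source; Status = $Status } }
$events = @(
    (New-Event 4768 0  'jdoe' '10.0.0.10' '0x0')     # normal TGT request
    (New-Event 4769 5  'jdoe' '10.0.0.10' '0x0')     # normal service ticket
    (New-Event 4771 40 'mlee' '10.0.0.12' '0x18')    # one typo, not an attack
)
foreach ($n in 0..11) { $events += New-Event 4771 (60 + 5 * $n) 'jsmith' '10.0.0.99' '0x18' }   # 12 failures in 55 s
foreach ($name in 'admin', 'administrator', 'backup', 'sqladmin', 'helpdesk', 'root') {
    $events += New-Event 4768 (200 + $events.Count) $name '10.0.0.77' '0x6'                        # username guessing
}
$events += New-Event 4769 400 'svc-honey' '10.0.0.55' '0x0'                                        # decoy account touched

Find-SuspiciousAuth $events | Format-Table Severity, Detection, Source, Detail -AutoSize
```

The sample produces three alerts: the honey token hit from 10.0.0.55, six unknown principals from 10.0.0.77, and ten failures in 45 seconds against jsmith from 10.0.0.99. The single failure from 10.0.0.12 stays below threshold, which is the behaviour you want from the learning stage the slide describes.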

Security Issue #10: Privilege Escalation

Mimikatz… nuff said.

http://www.winbeta.org/news/us-department-defense-move-windows-10-february-2017-upgrading-4-million-seats (the US Department of Defense moving 4 million seats to Windows 10 by February 2017)

Azure Security Center vs OMS: so what’s the difference?

Azure Security Center assesses the security state of Azure resources: whether VMs are patched and running antivirus, whether Network Security Groups are in use, and whether any endpoints are exposed without access control lists.

OMS Security is a cloud-based service that enables customers to quickly and easily assess the security posture and detect security threats across hybrid cloud environments.
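The checklist in the Security Center description, run by hand with Az PowerShell, as an added example written for this page (not the deck's code and not how Security Center itself evaluates resources). The port list, the wildcard source prefixes and the assumption that a Windows VM should carry the IaaSAntimalware extension are the author's; Linux VMs will show up under the antimalware finding and need a different check.

```powershell
# Added example, not from the deck: NSG rules open to the world, NICs with no
# NSG anywhere, and VMs without the antimalware extension. Needs Az.Accounts,
# Az.Network, Az.Compute and a prior Connect-AzAccount.
function Test-PermissiveInboundRule {
    param($Rule)   # a PSSecurityRule from an NSG
    $anySource = @($Rule.SourceAddressPrefix | Where-Object { $_ -in @('*', 'Internet', '0.0.0.0/0', 'Any') })
    $adminPort = @($Rule.DestinationPortRange | Where-Object { $_ -in @('*', '22', '3389', '5985', '5986', '1433', '3306') })
    return ($Rule.Direction -eq 'Inbound' -and $Rule.Access -eq 'Allow' -and
            $anySource.Count -gt 0 -and $adminPort.Count -gt 0)
}

function Get-AzExposureFindings {
    $findings = @()

    # 1. NSG rules that allow admin or database ports from any source.
    foreach ($nsg in Get-AzNetworkSecurityGroup) {
        foreach ($rule in $nsg.SecurityRules) {
            if (Test-PermissiveInboundRule $rule) {
                $findings += [pscustomobject]@{
                    Finding  = 'Permissive inbound rule'
                    Resource = "$($nsg.ResourceGroupName)/$($nsg.Name)"
                    Detail   = "$($rule.Name) (priority $($rule.Priority)): $($rule.SourceAddressPrefix -join ',') -> $($rule.DestinationPortRange -join ',')/$($rule.Protocol)"
                }
            }
        }
    }

    # 2. "Endpoints without access control lists": a NIC with no NSG on the NIC
    #    and none on its subnet has no filtering at all.
    $subnetHasNsg = @{}
    foreach ($vnet in Get-AzVirtualNetwork) {
        foreach ($subnet in $vnet.Subnets) { $subnetHasNsg[$subnet.Id] = [bool]$subnet.NetworkSecurityGroup }
    }
    foreach ($nic in Get-AzNetworkInterface) {
        $subnetId = $nic.IpConfigurations[0].Subnet.Id
        if (-not $nic.NetworkSecurityGroup -and -not $subnetHasNsg[$subnetId]) {
            $findings += [pscustomobject]@{
                Finding  = 'NIC without NSG'
                Resource = "$($nic.ResourceGroupName)/$($nic.Name)"
                Detail   = "subnet $subnetId has no NSG either"
            }
        }
    }

    # 3. VMs without the Microsoft Antimalware extension (Windows VMs; assumption).
    foreach ($vm in Get-AzVM) {
        $ext = Get-AzVMExtension -ResourceGroupName $vm.ResourceGroupName -VMName $vm.Name -ErrorAction SilentlyContinue
        if (-not ($ext | Where-Object { $_.ExtensionType -eq 'IaaSAntimalware' })) {
            $findings += [pscustomobject]@{
                Finding  = 'No antimalware extension'
                Resource = "$($vm.ResourceGroupName)/$($vm.Name)"
                Detail   = 'IaaSAntimalware extension not installed'
            }
        }
    }
    return $findings
}

Get-AzExposureFindings | Format-Table -AutoSize
```

Security Center reports the same three conditions as recommendations; the value of a script like this is that it runs in a subscription before Security Center is turned on, and that the port list and source prefixes can be tightened to your own standard.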

Summary: Security Solution Overview

Secure the Enterprise

- Azure Active Directory Identity Protection: protect application access from identity attacks
- Privileged Identity and Access Management (administrators): time-limited access and just-in-time activation
- Microsoft Cloud App Security: extend enterprise-grade security to your cloud and SaaS apps
- Azure Information Protection: protect your data, everywhere
- Advanced Threat Analytics (ATA): detect problems early with visibility and threat analytics
- Intune (users): protect your users, devices, and apps
