O slideshow foi denunciado.
Utilizamos seu perfil e dados de atividades no LinkedIn para personalizar e exibir anúncios mais relevantes. Altere suas preferências de anúncios quando desejar.

Learn how to protect against and recover from data breaches in Office 365

130 visualizações

Publicada em

Microsoft provides robust Cloud based tools to help protect our data and services in Office 365 from attackers and data breaches. These tools include capabilities for auditing, monitoring, enforcing policies and protecting critical enterprise data. However, Office 365 is not immune to attack. In this session you’ll learn common patterns used by attackers to compromise Office 365 tenants in the real world, how to make use of Microsoft Cloud based tools to protect your Office 365 tenant, and how to investigate and recover from an attack so that you can help prevent it from happening again. Microsoft Premier Field Engineer Theresa Eller and six time Microsoft MVP Antonio Maio share their experiences investigating data breaches, recovering from them and helping Office 365 customers from future data breaches.

Publicada em: Software
  • Seja o primeiro a comentar

  • Seja a primeira pessoa a gostar disto

Learn how to protect against and recover from data breaches in Office 365

  1. 1. Learn How to Protect Against and Recover from Data Breaches in Office 365 Theresa Eller, Microsoft Premiere Field Engineer sharepointmadam@anythingbutcode.onmicrosoft.com Antonio Maio, Protiviti Senior Enterprise Architect & Microsoft MVP Antonio.Maio@Protiviti.com
  2. 2. Platinum Gold Silver Prize(s)
  3. 3. AGENDA 01 Common Attack Patterns 02 Types of Security Breaches 03 What Does a Security Breach Look Like 04 How to Investigate & Recover from an Attack 05 Protect from Future Attacks
  4. 4. COMMON ATTACK PATTERNS
  5. 5. lllllllll lllllllll Phishing Password Spray Breach Replay 200K password spray attacks blocked in August 2018 23M high risk enterprise sign-in attempts detected in March 2018 4.6B attacker-driven sign-ins detected in May 2018 John Doe lllllll
  6. 6. PHISHING & SPEAR PHISHING • One of the Most Common Attack Vectors • Targeted Attacks – They are formatted for you! • Attackers do their research • OS-INT (open source intelligence)
  7. 7. PHISHING & SPEAR PHISHING • Lots of examples… ▪ Someone has accessed your account ▪ Verify your account ▪ Renew your subscription ▪ iTunes Receipt ▪ Replies (subject starting with Re:) when you never received original ▪ Review your PayPay account ▪ Review this invoice ▪ Urgent action required…
  8. 8. CREDENTIAL STUFFING • So Many Passwords! • So many its Difficult for us to remember them all! • Attackers will rely on human nature! CREDENTIAL STUFFING: Re-using the Same Passwords Across Multiple Systems
  9. 9. ACCESSING CREDENTIALS & SAVING ON HOME PC • Exposes Credentials to Home Users • Exposes Credentials to Software that Home Users Download … like malware!
  10. 10. Types of Security Breaches
  11. 11. Inadvertent or Accidental Data Leak Insider Threat External Threat
  12. 12. • • • • • • • • • • • • • Insider Threat External Threat Inadvertent or Accidental Data Leak
  13. 13. What Does a Security Breach Look Like
  14. 14. WHAT DOES A SECURITY BREACH LOOK LIKE? • Email anomalies • Emails from people/groups you don’t normally communicate with • Notifications from banks and online services you don’t normally interact with • Typos • Urgent call to action • Old contact information (old titles) • Slow computer/Slow web access
  15. 15. • • • External Threat
  16. 16. • • • External Threat Phishing Research/OS-Int Only send to smaller partners (those less likely to have good security practices)
  17. 17. • • • External Threat Phishing Only send to smaller partners (those less likely to have good security practices) • • • • partner4@trustedcompany.com •
  18. 18. • • • External Threat Phishing Target specific executives within the organization that are likely to have access to financial information • • • • •
  19. 19. • • • • Insider Threat
  20. 20. • • • • Insider Threat The Industrious The Partisan The Spy
  21. 21. • • • • • • Inadvertent or Accidental Data Leak The Careless The Inexperienced The Lazy The Home Worker The Newcomer The Stressed The Disorganized
  22. 22. How to Investigate & Recover from an Attack
  23. 23. https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-reporting-api
  24. 24. • Soon to be on by default on all new mailboxes
  25. 25. Protect from Future Attacks
  26. 26. Security features must be enabled to protect you >99% of common user compromises are preventable Most customers enable features after they’re compromised Average account secure score today is 14.65/180 Baseline Protection Simple one-click experience enables our recommended security configuration and features Baseline configuration For admins MFA enabled for Azure AD privileged roles For all users MFA enabled Enrolled in the Microsoft authenticator app for MFA Require MFA when sign-in risk is detected Block legacy authentication protocols Block logins from compromised users
  27. 27. threats
  28. 28. Microsoft Secure Score Visibility into your Microsoftsecurity position and how to improve it Insights into your security position Guidance to increase your security level
  29. 29. Identity Secure Score Checkout your Identity Secure Score now at aka.ms/MyIdentitySecureScore Insights into your security posture Guidance to help you secure your organization
  30. 30. CONDITIONAL ACCESS APP CONTROL Microsoft Azure Active Directory Analyze Session RiskCheck device compliance with Intune Check location Check user behavior Check user organization Enforce Relevant Policies with Conditional Access App Control Protect downloads from unmanaged devices with AIP Monitor and alert on actions when user activity is suspicious Enforce read-only mode in applications for partner (B2B) users Require MFA and define session timeouts for unfamiliar locations BOX.US.CAS.MS Cloud App Security integrates with: • Azure Active Directory • Azure Information Protection • Microsoft Intune to protect any app in your organization.
  31. 31. Unusual file share activity Unusual file download Unusual file deletion activity Ransomware activity Data exfiltration to unsanctioned apps Activity by a terminated employee Indicators of a compromisedsession Malicious useof an end-useraccount Malware implanted in cloud apps Malicious OAuth application Multiple failed login attempts to app Suspicious inbox rules (delete, forward) Threat delivery and persistence ! ! ! Unusual impersonated activity Unusual administrative activity Unusual multiple delete VM activity Malicious useof a privilegeduser Activity fromsuspicious IP addresses Activity fromanonymous IP addresses Activity froman infrequent country Impossibletravel between sessions Logon attempt from a suspicious user agent
  32. 32. Brute force attempts Suspicious groups membership modifications Honey Token account suspicious activities Suspicious VPN connection Abnormal access to AIP protected data Reconnaissance (65% of alert volume) ! ! ! Compromised credentials (16% of alert volume) Lateral movement (11% of alert volume) Domain dominance (8% of alert volume) Golden ticket attack Skeleton Key Remote code execution on DC Service creation on DC DCShadow 86% 38% 10% 12% Directoryservices DNS Account enumeration SMB sessionenumeration Impacted organizations: recon attacks Pass-the-Ticket Pass-the-Hash Overpass-the-Hash
  33. 33. MFA reduces the risk of an attack by 99.9% Have you turned on MFA?
  34. 34. Corporate Network Geo-location MacOS Android iOS Windows Windows Defender ATP Client apps Browser apps Google ID MSA Azure AD ADFS Employee & Partner Users and Roles Trusted & Compliant Devices Location Client apps & Auth Method Conditions Microsoft Cloud App Security Force password reset Require MFA Allow/block access Terms of Use ****** Limited access Controls Machine learning Policies Real time Evaluation Engine Session Risk 3 40TB Effective policy
  35. 35. https://docs.microsoft.com/en-us/office365/securitycompliance/attack-simulator
  36. 36.  Enable MFA for your Admin Accounts or, even better, use PIM 1.7% admins protected by MFA  Monitor your Risk Reports  Use Identity Secure Score  Test passwordless sign-in with Microsoft Authenticator  Turn on Password Hash Sync  Pull Azure AD Logs into your SIEM systems  Block Legacy Auth  Modernize your password policy  Block Suspicious IPs  Enable user risk policy  Enable sign-in risk policy  Review app permissions & use MCAS 52
  37. 37. Thank you! Theresa Eller, Microsoft Premiere Field Engineer sharepointmadam@anythingbutcode.onmicrosoft.com Antonio Maio, Protiviti Senior Enterprise Architect & Microsoft MVP Antonio.Maio@Protiviti.com

×