SECURING THE MODERN WORKPLACE WITH MICROSOFT 365 THREAT PROTECTION
Ammar Hasayen | @AmmarHasayen | blog.ahasayen.com
Digital Transformation | Cloud Architect | Cybersecurity | Microsoft MVP | Speaker | Author
Outline
Advanced Threat Protection
- Office 365 ATP
- Windows ATP
- Azure ATP
New Defense in Depth
- Identity driven security
- Zero Trust Networks
Microsoft 365: the Complete Solution
Microsoft 365 bundles Windows 10, Enterprise Mobility and Security (EMS) and Office 365.

Complete Protection Solution (E3 vs E5)
Office 365
- E3: Collaboration Tools
- E5: E-discovery, advanced security [Office 365 ATP]
Enterprise Mobility and Security
- E3: Identity Sync, Mobile Management, From RMS to AIP, ATA
- E5: PIM, Identity Protection, CAS, Azure ATP
Windows 10
- E3: BitLocker, Windows Firewall, Windows Defender, VBS
- E5: Windows Defender Advanced Threat Protection
Threat Protection: an Integrated Experience
- Devices: Windows ATP
- Identity: Azure ATP
- Email & SharePoint: Office 365 ATP
Multi-Tier Threat Protection
- Office 365 ATP
- Windows ATP
- Azure ATP

Office 365 ATP
Office 365 ATP
- Safe Attachments
- Safe Links (also applied when a link points to an attachment; works with SPO and ODFB)
- Spoof Intelligence
- Anti-phishing
Windows Defender ATP: Endpoint Protection, Detection and Remediation
Windows Defender SmartScreen
- Block malicious websites
- Block low-reputation web downloads
Windows Defender Endpoint Protection
- Monitors behaviors and terminates bad processes
- Blocks malicious programs and content
Windows Defender Endpoint Detection and Response
- After execution: Windows Defender ATP monitors for post-breach signals
- After execution: Windows Defender Hexadite can reverse damage
Machine Learning for Endpoint Protection: Advanced Real-Time Defense
1. Client holds the file and uploads a sample
2. Sample is processed and checked against machine-learning classifiers in the cloud
3. Cloud generates a signature and sends it to the client
4. Client blocks the file and reports back, protecting all customers
Next Generation Protection for Endpoint
Client
- Local ML models, behavior-based detection algorithms, generics and heuristics (milliseconds)
Cloud
- Metadata-based ML models (milliseconds)
- Sample analysis-based ML models (seconds)
- Detonation-based ML models (minutes)
- Big data analysis (hours)
Azure ATP

Advanced Persistent Attacks
- 356 days: APT maintained access to victim networks
- 60%: attackers are able to compromise an organization within minutes

Anatomy of an attack
1. Zero-day / brute force attack
2. User account is compromised
3. Attacker attempts lateral movement
4. Privileged account compromised
5. Attacker accesses sensitive data
6. Attacker steals sensitive data

What Azure ATP detects along that chain
- Anomalous user behavior
- Unfamiliar sign-in locations
- Lateral movement attacks
- Escalation of privileges
- Account impersonation
How Would Things Work? Azure ATP as a New Security Expert
Discovery: who works here?
- Users
- Groups [Nested]
- Computers
Identify Sensitive Accounts: who is sensitive?
- Automatic Identification
- Manual Identification
Study The Environment: Behavioral Analytics
- Working hours
- Who the user works with
- The user's laptop
Then flag deviations from that baseline:
- Many failed logon attempts
- Logon at unfamiliar times
- Access to unfamiliar resources
- Logon from an unfamiliar machine
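The behavioral baseline described on this slide, as an added example that is not the deck's or Azure ATP's code: a toy profiler that learns a user's normal hours, machines and resources from constructed logon events, then flags the four deviations listed above, rating alerts higher for accounts marked sensitive. All sample data, thresholds and function names are assumptions for this illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample data (not from the deck). Each event is
# (user, ISO-8601 timestamp, source host, target resource, logon succeeded).
def _baseline_events():
    """Ten working days of 'alice' logging on from her laptop during office hours."""
    events = []
    for day in range(1, 11):
        for hour in range(8, 18):
            resource = "FS01" if hour % 2 == 0 else "MAIL"
            events.append(("alice", f"2018-09-{day:02d}T{hour:02d}:15:00",
                           "LT-ALICE", resource, True))
    return events

BASELINE_EVENTS = _baseline_events()

NEW_EVENTS = [
    ("alice", "2018-09-12T09:05:00", "LT-ALICE", "MAIL", True),      # normal
    ("alice", "2018-09-12T03:12:00", "SRV-DB07", "FS01", True),      # 3 am, from a server
    ("alice", "2018-09-12T09:20:00", "LT-ALICE", "HR-SHARE", True),  # never-seen resource
] + [
    # five failed logons inside one minute: the brute-force pattern
    ("alice", f"2018-09-12T11:00:{sec:02d}", "LT-ALICE", "DC01", False)
    for sec in range(0, 50, 10)
]

def build_profile(events):
    """Learn per user which hours, machines and resources appear in successful logons.
    A real product learns distributions over weeks; this toy keeps plain sets."""
    profile = defaultdict(lambda: {"hours": set(), "hosts": set(), "resources": set()})
    for user, ts, host, resource, ok in events:
        if not ok:
            continue
        p = profile[user]
        p["hours"].add(datetime.fromisoformat(ts).hour)
        p["hosts"].add(host)
        p["resources"].add(resource)
    return profile

def detect(profile, events, sensitive=frozenset(),
           fail_threshold=5, window=timedelta(minutes=5)):
    """Return (user, alert, detail, severity) tuples for deviations from the profile."""
    alerts = []
    failures = defaultdict(deque)  # user -> timestamps of recent failed logons

    def raise_alert(user, kind, detail):
        severity = "high" if user in sensitive else "medium"
        alerts.append((user, kind, detail, severity))

    for user, ts, host, resource, ok in sorted(events, key=lambda e: e[1]):
        when = datetime.fromisoformat(ts)
        p = profile.get(user)  # .get does not create a default entry
        if p is None:
            raise_alert(user, "unknown_user", ts)
            continue
        if when.hour not in p["hours"]:
            raise_alert(user, "unfamiliar_time", ts)
        if host not in p["hosts"]:
            raise_alert(user, "unfamiliar_machine", host)
        if ok and resource not in p["resources"]:
            raise_alert(user, "unfamiliar_resource", resource)
        if not ok:
            recent = failures[user]
            recent.append(when)
            while recent and when - recent[0] > window:
                recent.popleft()
            if len(recent) >= fail_threshold:
                raise_alert(user, "failed_logon_burst",
                            f"{len(recent)} failures within {window}")
                recent.clear()  # one alert per burst
    return alerts

if __name__ == "__main__":
    for alert in detect(build_profile(BASELINE_EVENTS), NEW_EVENTS, sensitive={"alice"}):
        print(alert)
```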
Azure ATP: cloud evolution of Microsoft ATA
Collect
- DC logs, SIEM, Windows events
- L7 deep packet inspection
Analyze & Learn
- Self-learning and profiling technology, patented IP resolution, unlimited scale by Azure
Detect
- Abnormal behavior and suspicious activities
Alert & Investigate
- Intuitive attack timeline
- Lateral movement graphs
- Alerts via email and scheduled reports
Integrate
- Integrated with Windows Defender ATP to dig deeper into device health
New Defense In Depth
Traditional security perimeters are no longer effective alone: users work from the corporate network, from mobile devices, from anywhere, and over the public internet.
Defense in depth layers: Identity, Devices, Applications, Data
Download the poster here: https://bit.ly/2MrPraa
Identity layer
Threats: compromised identity, stolen credentials
• Azure ATP
• Azure Identity Protection
• Azure MFA
Devices layer
Threat: lost device
• Configuration Manager
• Intune MDM, MAM
• Hybrid Management
• Azure AD Domain Join
• Windows Hello for Business
• Windows Defender ATP
Azure AD Conditional Access: the New Identity Firewall
Signals evaluated at sign-in:
- WHO? [Users]
- WHERE? [Application]
- Device? [Compliance]
- Network? [Inside or outside corp]
- Risk? [Identity Protection]
Decisions:
- Allow Access
- Require MFA
- Password Reset
- Limit Access
- Deny Access
Read more here: https://bit.ly/2LglLYd
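The identity-firewall decision the slide describes, as an added example rather than Microsoft's implementation: a small model in which each policy states its conditions (who, which app, device compliance, network, risk) and one grant control, and a sign-in is evaluated with the Conditional Access combination rule that every applicable policy's control must be satisfied and a block always wins. The field names, policy names and the five sample policies are constructed for this illustration, not the Azure AD API schema.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed policy model for this example; field names are this script's own.
@dataclass(frozen=True)
class Policy:
    name: str
    users: frozenset = frozenset({"*"})          # group names; "*" matches everyone
    apps: frozenset = frozenset({"*"})           # application names; "*" matches all
    device_compliant: Optional[bool] = None      # None = any device state
    location: Optional[str] = None               # "corp", "outside" or None = anywhere
    sign_in_risk: frozenset = frozenset()        # empty = any sign-in risk level
    user_risk: frozenset = frozenset()           # empty = any user risk level
    control: str = "allow"                       # allow | mfa | password_change | limited | block

@dataclass(frozen=True)
class SignIn:
    """The WHO / WHERE / device / network / risk signals of one sign-in attempt."""
    user_groups: frozenset
    app: str
    device_compliant: bool
    location: str
    sign_in_risk: str = "none"
    user_risk: str = "none"

def applies(p: Policy, s: SignIn) -> bool:
    """A policy applies only when every condition it states matches the sign-in."""
    if "*" not in p.users and not (p.users & s.user_groups):
        return False
    if "*" not in p.apps and s.app not in p.apps:
        return False
    if p.device_compliant is not None and p.device_compliant != s.device_compliant:
        return False
    if p.location is not None and p.location != s.location:
        return False
    if p.sign_in_risk and s.sign_in_risk not in p.sign_in_risk:
        return False
    if p.user_risk and s.user_risk not in p.user_risk:
        return False
    return True

def evaluate(policies, s: SignIn):
    """Combine applicable policies the way Conditional Access does: every granted
    control must be satisfied, and a block control overrides all the others.
    Returns ("deny", ()) or ("grant", tuple_of_required_controls)."""
    controls = {p.control for p in policies if applies(p, s)}
    if "block" in controls:
        return ("deny", ())
    return ("grant", tuple(sorted(c for c in controls if c != "allow")))

# Constructed policy set covering the five decisions on the slide.
POLICIES = [
    Policy("Admins always MFA", users=frozenset({"admins"}), control="mfa"),
    Policy("Risky sign-in requires MFA", sign_in_risk=frozenset({"medium", "high"}),
           control="mfa"),
    Policy("Compromised user must change password", user_risk=frozenset({"high"}),
           control="password_change"),
    Policy("Block high-risk sign-ins from non-compliant devices",
           sign_in_risk=frozenset({"high"}), device_compliant=False, control="block"),
    Policy("SharePoint from unmanaged devices off-network is limited",
           apps=frozenset({"SharePoint"}), device_compliant=False, location="outside",
           control="limited"),
]

if __name__ == "__main__":
    s = SignIn(frozenset({"staff"}), "SharePoint", False, "outside", user_risk="high")
    print(evaluate(POLICIES, s))  # ('grant', ('limited', 'password_change'))
```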
Azure AD Management Layer
- SSO with SaaS Applications
- Self-Service Password Reset
- Azure AD Domain Join
- MFA Registration
- Group Management
Cloud App Security (Shadow IT)
- Shadow IT Discovery
- Risk Scoring
- Policies for Data Control
- Collaboration Behavior and Anomaly Detection
Read more here: https://bit.ly/2LdXamL
Data Layer
Threat: data leak
- DLP for Office 365
- Mobile App Policies
- AIP Labeling and Classification
- AIP Protection & Reporting
Office 365 Security
- Office 365 Secure Score
- Office 365 Threat Explorer
- Office 365 ATP
- Exchange Online Protection
Resources
• Azure ATP [ https://blog.ahasayen.com/tag/azure-atp/ ]
• Cloud App Security [ https://blog.ahasayen.com/microsoft-cloud-app-security-casb/ ]
• Defense in Depth Diagram [ https://blog.ahasayen.com/microsoft-cloud-security-approach/ ]
• Azure AD Conditional Access [ https://blog.ahasayen.com/azure-active-directory-conditional-access/ ]
• Exchange Online Protection Architecture [ https://blog.ahasayen.com/eop-exchange-online-protection-architecture/ ]
• Zero Trust Network with M365 [ https://bit.ly/2MGRweJ ]
THANK YOU!
Ammar Hasayen

SIP trunking in Janus @ Kamailio World 2024
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 

Secure Modern Workplace With Microsoft 365 Threat Protection

  • 1. SECURING THE MODERN WORKPLACE WITH MICROSOFT 365 THREAT PROTECTION @AmmarHasayen blog.ahasayen.com Digital Transformation | Cloud Architect | Cybersecurity | Microsoft MVP | Speaker | Author Ammar Hasayen
  • 2. Advanced Threat Protection - Office 365 ATP - Windows ATP - Azure ATP New Defense in Depth - Identity driven security - Zero Trust Networks Outline
  • 3. Microsoft 365 = Windows 10 + Enterprise Mobility and Security + Office 365. E3: Office 365 collaboration tools; EMS identity sync, mobile management, from RMS to AIP, ATA; Windows 10 BitLocker, Windows Firewall, Windows Defender, VBS. E5 adds: Office 365 e-discovery and advanced security [Office 365 ATP]; EMS PIM, Identity Protection, CAS, Azure ATP; Windows Defender Advanced Threat Protection. Together: the complete solution.
  • 4. Complete Protection Solution: threat protection for devices (Windows ATP), identity (Azure ATP), and email & SharePoint (Office 365 ATP).
  • 6. Multi-Tier Threat Protection: (1) Office 365 ATP, (2) Windows ATP, (3) Azure ATP.
  • 9. Office 365 ATP: Safe Attachments; Safe Links (also when a link points to an attachment); works with SPO and ODFB; Spoof Intelligence; Anti-phishing.
  • 11. Windows Defender ATP: endpoint protection, detection and remediation. Windows Defender SmartScreen: blocks malicious websites and low-reputation web downloads. Windows Defender Endpoint Protection: blocks malicious programs and content; monitors behaviors and terminates bad processes. Windows Defender Endpoint Detection and Response: after execution, Windows Defender ATP monitors for post-breach signals, and Windows Defender Hexadite can reverse damage.
  • 12. Advanced Real-Time Defense: (1) client holds the file and uploads a sample; (2) sample is processed and checked against machine learning classifiers; (3) cloud generates a signature and sends it to the client; (4) client blocks the file and reports back, protecting all customers.
  • 13. Machine Learning for Endpoint Protection. Client: local ML models, behavior-based detection algorithms, generics and heuristics (milliseconds). Cloud: metadata-based ML models (milliseconds); sample analysis-based ML models (seconds); detonation-based ML models (minutes); big data analysis (hours).
  • 14. Next Generation Protection for Endpoint https://pbs.twimg.com/media/Dk98_fgW0AAYnQU.jpg:large
  • 16. Advanced Persistent Attacks: 356 days that APTs maintained access to victim networks; 60% of attackers are able to compromise an organization within minutes.
  • 17. Anatomy of an attack: zero-day / brute force attack → user account is compromised → attacker attempts lateral movement → privileged account compromised → attacker accesses sensitive data → attacker steals sensitive data.
  • 18. Anatomy of an attack: anomalous user behavior, unfamiliar sign-in locations, lateral movement attacks, escalation of privilege, account impersonation.
  • 19. How would things work? A new security expert.
  • 21. Identify sensitive accounts. Who is sensitive? Automatic identification; manual identification.
  • 23. Behavioral Analytics. Baseline: working hours, who he works with, his laptop. Signals: many failed logon attempts, logon at unfamiliar times, access to unfamiliar resources, logon from an unfamiliar machine.
  • 24. Azure ATP, the cloud evolution of Microsoft ATA: (1) Collect: DC logs, SIEM, Windows events; L7 deep packet inspection. (2) Analyze & Learn: self-learning and profiling technology, patented IP resolution, unlimited scale with Azure. (3) Detect: abnormal behavior and suspicious activities. (4) Alert & Investigate: intuitive attack timeline, lateral movement graphs, alerts via email and scheduled reports. (5) Integrate: integrated with Windows Defender ATP to dig deeper into device health.
  • 25. New Defense In Depth
  • 27. Defense In Depth: Identity, Devices, Applications, Data. Download the poster here https://bit.ly/2MrPraa
  • 28. Identity (risks: compromised identity, stolen credentials): Azure ATP, Azure Identity Protection, Azure MFA. Devices (risk: lost device): Configuration Manager, Intune MDM and MAM, hybrid management, Azure AD domain join, Windows Hello for Business, Windows Defender ATP.
  • 29. Azure AD Conditional Access, the new identity firewall. Conditions: WHO? [users]; WHERE? [application]; device? [compliance]; network? [in or out of corp]; risk? [Identity Protection]. Outcomes: allow access, require MFA, password reset, limit access, deny access. Read more here https://bit.ly/2LglLYd
  • 30. Azure AD management layer: SSO with SaaS applications, self-service password reset, Azure AD domain join, MFA registration, group management. Cloud App Security: shadow IT discovery, risk scoring, policies for data control, collaboration, behavior and anomaly detection. Read more here https://bit.ly/2LdXamL
  • 31. Data layer (risk: data leak): DLP for Office 365, mobile app policies, AIP labeling and classification, AIP protection and reporting. Office 365 security: Office 365 Secure Score, Office 365 Threat Explorer, Office 365 ATP, Exchange Online Protection.
  • 32. Resources • Azure ATP [ https://blog.ahasayen.com/tag/azure-atp/ ] • Cloud App Security [ https://blog.ahasayen.com/microsoft-cloud-app-security-casb/ ] • Defense in Depth Diagram [ https://blog.ahasayen.com/microsoft-cloud-security-approach/ ] • Azure AD Conditional Access [ https://blog.ahasayen.com/azure-active-directory-conditional-access/ ] • Exchange Online Protection Architecture [ https://blog.ahasayen.com/eop-exchange-online-protection-architecture/ ] • Zero Trust Network with M365 [ https://bit.ly/2MGRweJ ]
  • 33. SECURING THE MODERN WORKPLACE WITH MICROSOFT 365 THREAT PROTECTION @AmmarHasayen blog.ahasayen.com THANK YOU ! Ammar Hasayen

Speaker notes

  1. Hi, my name is Ammar Hasayen, a Microsoft MVP with over 15 years of experience working with SharePoint, Exchange, Skype for Business, identity solutions and security. I speak at international conferences like Ignite and SharePoint Saturday, and I do courses for Pluralsight from time to time. I am currently focused on Microsoft 365 and cybersecurity, and today I am going to talk about how to secure your modern workplace with Microsoft 365 threat protection. You can find many supporting articles about this topic on my blog, and here is my Twitter handle if you want to connect.
  2. I am going to talk about advanced threat protection, specifically Office 365 ATP, Windows ATP and Azure ATP (ATP stands for Advanced Threat Protection). Then I am going to show you how to re-imagine the defense in depth concept we all learned about previously, and how identity becomes the new control plane. And finally, if we have time, I am going to talk about the concept of zero trust networks. Sounds interesting? Let's get started.
  3. When you start thinking about the modern workplace, you naturally start thinking about Office 365 and all the collaboration tools available, like SharePoint Online and Microsoft Teams. Then you quickly realize that Azure Active Directory is the identity and access management entity for Office 365, and you may need to sync your users to Azure AD. The next thing you find is that people start downloading all the new Office 365 mobile apps like Planner, Teams and OneDrive, and you want a way to protect corporate data on mobile devices, which is what Intune mobile management helps with. This is where EMS, Enterprise Mobility and Security from Microsoft, comes in: it helps you manage and protect your existing Office 365 investments. And finally, Windows 10 is your operating system of choice, as it provides many security features like BitLocker, Windows Defender and VBS, which stands for Virtualization Based Security, for example Credential Guard. Together, Office 365, EMS and Windows 10 are offered as Microsoft 365, but the story does not end here. If you are worried about security and your business cannot afford being hacked in a security incident, then Microsoft 365 offers a lot of additional services. Office 365 can be extended with the Office 365 ATP service to handle zero-day attacks. EMS can be extended with services like PIM, Privileged Identity Management, a highly recommended product that provides just-in-time access for admins; Identity Protection, which evaluates user and sign-in risk levels; Cloud App Security; and Azure ATP. On the Windows 10 side, you can use Windows Defender Advanced Threat Protection, which operates as an endpoint detection and response solution. All these advanced security features are offered under the E5 licenses of Microsoft 365.
  4. Now let us focus on the threat protection solutions in Microsoft 365. It is a complete solution that covers devices, email and SharePoint, and corporate identities. Windows ATP is the threat protection service for Windows devices, Office 365 ATP is the threat protection service for Office 365, and Azure ATP is the threat protection service for on-premises identities.
  5. The three threat protection services provide an integrated experience.
  6. I like to think of Office 365 ATP as the first line of defense, as most attacks come in the form of a phishing email or an infected email attachment. If an attack bypasses Office 365 ATP, or did not come through email at all, then Windows ATP is the next level of protection. If an attack bypasses both protection services, or never passed through them, then Azure ATP can help detect it by spotting unusual behaviors and privilege escalation.
  7. What is unique about Microsoft's threat protection offering is the level of integration between these products. If an attack in the form of a malicious attachment was not detected by Office 365 ATP, Windows ATP can detect that the attachment is in fact malicious code trying to do bad things on the Windows device. Not only can Windows ATP detect and stop the attack on that machine, it also sends the attachment's file information to Office 365 ATP, asking it to block the file in the future, find out who else in the enterprise received the same attachment, and delete the attachment from those recipients' mailboxes.
  8. Let us start by talking about Office 365 ATP
  9. Office 365 ATP helps protect your organization from malicious attacks by scanning email attachments with the ATP Safe Attachments feature, and by scanning web addresses (URLs) in email messages and Office documents with the ATP Safe Links feature. Even if the URL inside an email message points to a document in order to evade detection, Office 365 ATP will take that document and send it to ATP Safe Attachments if you configure the service to do so. Office 365 ATP works with email messages and with SharePoint Online and OneDrive for Business, so files you upload there will be inspected by Safe Attachments. Office 365 ATP can also check email messages for unauthorized spoofing with the spoof intelligence feature, and can detect when someone attempts to impersonate your users with the ATP anti-phishing capabilities in Office 365. Office 365 ATP is a must-have feature for any enterprise or business that is using Office 365; it is part of the Office 365 E5 licenses or it can be purchased on its own. You do not even need to do complex configuration to make all this happen: it is simple to configure, and the business benefits are definitely high.
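The delivery-time link handling described above (block a link to a known-bad host, hand a link that really points to a document over to detonation, and rewrite everything else so it is checked again when the user clicks), as an added example that is not Office 365 ATP's own code. The rewrite endpoint `https://safelinks.example`, the list of document extensions, the reputation blocklist and the sandbox verdicts are constructed assumptions for the demo:

```python
"""A Safe Links / Safe Attachments style link policy, as an added example of the
behaviour described on slide 9; this is not Office 365 ATP's code. The rewrite
endpoint, the 'attachment' extensions, the reputation blocklist and the sandbox
verdicts are constructed assumptions for the demo."""
import re
from typing import Dict, Tuple
from urllib.parse import quote, unquote, urlparse

PROTECT_BASE = "https://safelinks.example/?url="   # assumed rewrite endpoint (not a real Microsoft URL)
DOC_EXTENSIONS = (".docx", ".xlsx", ".pptx", ".pdf", ".zip")   # assumption: links to these count as attachments
BLOCKLIST = {"evil.example"}                        # constructed URL-reputation data
SANDBOX_VERDICTS = {                                # constructed detonation results, keyed by URL
    "https://files.example/invoice.docx": "malicious",
    "https://files.example/agenda.pdf": "clean",
}
URL_RE = re.compile(r"https?://[^\s<>\"']+")
TRAILING_PUNCTUATION = ".,;:!?)"


def classify(url: str) -> str:
    """Delivery-time decision for one URL: block, detonate (it is really a download) or rewrite."""
    parts = urlparse(url)
    if (parts.hostname or "").lower() in BLOCKLIST:
        return "block"
    if parts.path.lower().endswith(DOC_EXTENSIONS):
        return "detonate"    # a link that points to a document goes to Safe Attachments
    return "rewrite"


def protect(url: str) -> str:
    """Wrap the original URL so that every click passes through the checking endpoint first."""
    return PROTECT_BASE + quote(url, safe="")


def scan_message(body: str) -> Tuple[str, Dict[str, str]]:
    """Rewrite the body and report the per-URL decision."""
    decisions: Dict[str, str] = {}

    def replace(match) -> str:
        url, trail = match.group(0), ""
        while url and url[-1] in TRAILING_PUNCTUATION:   # keep sentence punctuation out of the URL
            trail, url = url[-1] + trail, url[:-1]
        action = classify(url)
        if action == "block":
            decisions[url] = "blocked"
            return "[link removed]" + trail
        if action == "detonate":
            verdict = SANDBOX_VERDICTS.get(url, "unknown")
            decisions[url] = f"detonated:{verdict}"
            if verdict == "malicious":
                return "[malicious file link removed]" + trail
        else:
            decisions[url] = "rewritten"
        return protect(url) + trail   # clean and unknown links are still checked again at click time

    return URL_RE.sub(replace, body), decisions


def resolve_click(protected_url: str) -> Tuple[str, str]:
    """Time-of-click check: reputation is consulted when the user clicks, not only at delivery."""
    original = unquote(protected_url[len(PROTECT_BASE):])
    host = (urlparse(original).hostname or "").lower()
    return ("block" if host in BLOCKLIST else "allow"), original


if __name__ == "__main__":
    sample = ("Please review https://files.example/invoice.docx, then https://files.example/agenda.pdf "
              "and log in at https://evil.example/login or https://intranet.example/news.")
    new_body, decisions = scan_message(sample)
    print(new_body)
    for url, decision in decisions.items():
        print(f"{decision:20} {url}")
    link = protect("https://intranet.example/news")
    print(resolve_click(link))
    BLOCKLIST.add("intranet.example")            # reputation changes after delivery
    print(resolve_click(link))
```

The last lines of the demo are the point of the rewrite: a link that was clean when the mail was delivered is still blocked at click time once its host lands on the blocklist, which a scan-once-at-delivery design cannot do.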
  10. Let me now talk about Windows Defender ATP
  11. Windows Defender and Windows Defender ATP provide a complete solution to protect your Windows endpoints. We have Windows Defender SmartScreen, Windows Defender endpoint protection, and Windows Defender endpoint detection and response. With SmartScreen, you can block low-reputation web downloads and malicious websites, so if a user accidentally or intentionally browses to a malicious website, you can block that website to protect your users. The same applies to web downloads. Windows Defender endpoint protection, on the other hand, helps protect your Windows box from malicious programs and quickly terminates bad processes. The extra step I want to focus on in this session is Windows Defender endpoint detection and response, which helps you with detection and remediation. It is a post-execution solution that monitors post-breach signals, and then takes whatever actions are needed to remediate and reverse the damage. It is as if someone is watching for unusual behavior on the machine that might be related to a breach, and then taking action to stop and block that attack before further damage happens.
  12. The new way of defending against attacks is by utilizing the power of the cloud and the Microsoft Intelligent Security Graph. The Intelligent Security Graph provides rich signals from vast security intelligence, machine learning and behavioral analytics that Microsoft lets you consume and use to improve your protection and detection speed. So when Windows Defender encounters a new file and does not know whether it is good or bad, it sends a file query to the cloud. If the cloud already knows about this file, it returns a verdict to the endpoint; otherwise it asks for a sample. The client holds the file and uploads a sample to the cloud. The cloud services process the sample and check it against machine learning classifiers to determine whether the file is good or bad, and if the file turns out to contain malicious code, the cloud generates a new signature for that file and sends it back to the client, along with all other clients, so that when they encounter this file they already know to block it.
  13. You might be asking: does this mean the client needs to consult the cloud and wait for an answer, and what if there is no internet connection at that time? Here is how things are designed. Each Windows Defender client has local machine learning models and behavior-based detection algorithms, so it can use all that logic offline without consulting the cloud. This operation takes only milliseconds. The client can consult the cloud services by sending only metadata, so that the cloud can use metadata-based machine learning models to determine whether the file is malicious. This also takes only milliseconds. If the cloud requests a sample, then sample-analysis-based machine learning models are used in the cloud, which might take seconds. In certain scenarios, detonation-based machine learning models are invoked, which might take minutes, and big data analysis can take up to hours. What this means is that the client will not wait for minutes or hours. If the file is malicious and the cloud could not determine that within seconds, the client will allow the file to run. In the background, the cloud keeps working and analyzing, and might run detonation-based ML models and big data analysis to get the truth about that file, so that other clients can be notified and updated, although we lose patient zero in the process.
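The client/cloud exchange from slides 12 and 13, including the patient-zero case, as an added example that is not Microsoft's code. The tier latencies, the "classifier" tables, the on-box signature set and the 10-second client hold are assumptions chosen to mirror the tiers on the slide (client and metadata tiers in milliseconds, sample analysis in seconds, detonation in minutes, big data analysis in hours):

```python
"""Model of the client/cloud exchange on slides 12 and 13. This is an added example,
not Microsoft's code: the tier latencies, the 'classifier' tables, the on-box
signature set and the 10-second client hold are assumptions chosen to mirror the
slide (client and metadata tiers in milliseconds, sample analysis in seconds,
detonation in minutes, big data analysis in hours)."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Assumed latency per cloud tier, in seconds.
TIER_LATENCY = {"metadata": 0.05, "sample": 3.0, "detonation": 120.0, "bigdata": 3600.0}


@dataclass
class Verdict:
    malicious: bool
    tier: str        # tier that produced the verdict
    latency: float   # modelled seconds until the verdict existed


class Cloud:
    """Cloud side: a signature cache plus metadata, sample and detonation classifiers."""

    def __init__(self) -> None:
        self.signatures: Dict[str, bool] = {}   # sha256 -> malicious?
        # Constructed classifier knowledge: the first tier able to convict each sample.
        self.convicted_by: Dict[str, Set[str]] = {
            "metadata": {"packed-with-upx-and-high-entropy"},
            "sample": {"drops-and-runs-powershell-b64"},
            "detonation": {"sleeps-then-injects-into-lsass"},
        }

    def lookup(self, sha256: str) -> Optional[bool]:
        """File query by hash: a cached verdict, or None meaning 'send me a sample'."""
        return self.signatures.get(sha256)

    def analyze(self, sha256: str, content: str) -> Verdict:
        """Run the tiers in order; the first conviction becomes a signature for every client."""
        elapsed = 0.0
        for tier in ("metadata", "sample", "detonation"):
            elapsed += TIER_LATENCY[tier]
            if content in self.convicted_by[tier]:
                self.signatures[sha256] = True
                return Verdict(True, tier, elapsed)
        elapsed += TIER_LATENCY["bigdata"]
        self.signatures[sha256] = False             # eventually classified benign
        return Verdict(False, "bigdata", elapsed)


class Client:
    """One endpoint. max_wait models how long it holds an unknown file before letting it run."""

    def __init__(self, cloud: Cloud, max_wait: float = 10.0) -> None:
        self.cloud = cloud
        self.max_wait = max_wait
        self.local_signatures: Set[str] = {"known-eicar-pattern"}   # constructed on-box knowledge

    def scan(self, content: str) -> Tuple[str, str]:
        """Return (action, source): action is 'block' or 'allow', source is the tier that decided."""
        if content in self.local_signatures:
            return "block", "local"                  # decided offline, in milliseconds
        sha256 = hashlib.sha256(content.encode()).hexdigest()
        cached = self.cloud.lookup(sha256)
        if cached is not None:
            return ("block" if cached else "allow"), "signature"
        verdict = self.cloud.analyze(sha256, content)   # sample uploaded; cloud keeps working
        if verdict.latency <= self.max_wait:
            return ("block" if verdict.malicious else "allow"), verdict.tier
        return "allow", "timeout"   # patient zero: the file runs before the cloud has an answer


def demo() -> List[Tuple[str, str, str]]:
    """Two clients meet the same unknown files; the second benefits from the first's sample."""
    cloud = Cloud()
    first, second = Client(cloud), Client(cloud)
    out = []
    for sample in ("drops-and-runs-powershell-b64", "sleeps-then-injects-into-lsass"):
        out.append(("first", *first.scan(sample)))
        out.append(("second", *second.scan(sample)))
    return out


if __name__ == "__main__":
    for who, action, source in demo():
        print(f"{who:6} {action:5} via {source}")
```

The second sample is the patient-zero case from the notes: the first client times out and lets the file run, but by the time the second client sees the same file the detonation verdict has become a signature. On a real Windows Defender client the corresponding knobs are `Set-MpPreference -CloudExtendedTimeout` (extra seconds, up to 50, beyond the default 10-second hold), `-CloudBlockLevel` and `-SubmitSamplesConsent`.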
  14. Here is a nice poster for Windows Defender ATP showing all the features it provides, along with a link to download the poster. Windows Defender ATP can detect zero-day attacks and the most complex malware, including polymorphic and metamorphic threats.
  15. Finally, there is Azure ATP.
  16. It is scary that Advanced Persistent Threats, or APTs, usually maintain access to victim networks for almost a year; that is, it takes the company a year to detect that it is being hacked. In 60% of cases, attackers are able to compromise an organization within minutes. Can you imagine that? This means there is a clear problem in detecting attacks happening in organizations.
  17. So if we know how attacks happen and the techniques attackers use to carry them out, then we can learn the signals to look for when detecting attacks. Makes sense? It all starts with a zero-day or brute force attack on a machine inside your network, and the user account on that machine is compromised. The attacker will then try to learn about the resources in the network and move laterally using techniques like pass-the-hash or pass-the-ticket, until the attacker compromises a privileged account, which he uses to access and steal sensitive data, or even bring the whole network down.
  18. Now that we know how attacks work, we can clearly see the anatomy of such an attack. It includes anomalous user behavior and unfamiliar sign-in locations as the attacker moves from machine to machine performing lateral movement. At some point, the attacker will escalate his privileges and impersonate accounts.
  19. So let us hire Michael, a new security expert who will help us detect attacks inside our network.
  20. The first thing Michael will do is learn who is working in this building or network: who are the users, groups and computers that are connected to the network.
  21. After that, Michael will try to identify the sensitive accounts that attackers are going after. He can quickly classify the Schema Admins, Domain Admins and Backup Operators as sensitive accounts, but he will also ask his manager to manually identify what he considers a sensitive account. This might be the CEO's account, for example, as it can access sensitive information that attackers are going after.
  22. Next, Michael will study the environment by creating a file for each user, computer and group in the company. Take Alice, for example: Michael will create a file for her with all her information, like when her account was created, who her manager is and who reports to her, her authentication activity log (when she logged on to the network and from where), and whether she is considered a sensitive account or not. Michael will create such a file for each user, group and device in the network.
  23. Now that Michael has a file for everyone in the network, he will start studying everyone's behavior. For example, Michael knows Kit, the HR manager in the company: he knows his working hours, who he works with, and what devices he uses. If Michael notices unusual behavior from Kit's account, he can assume there is an attack happening using that account. Such unusual behavior signals might be many failed logon attempts, logon at unfamiliar times, accessing unfamiliar resources (for example Kit's account trying to authenticate to the finance file share, which is unusual activity for the HR manager), or his account logging on from unfamiliar machines. All those signals might mean one thing: his account is compromised and there is an attack happening, using pass-the-hash or pass-the-ticket techniques for example.
  24. That sounds like a lot of work for Michael to do by himself. Azure ATP is a way to automate all of it. You deploy an agent on your on-premises domain controllers, or on a gateway that is configured with port mirroring, and the logs and Windows events are sent to the Azure ATP cloud service. Azure ATP agents perform Layer 7 deep packet inspection: not only do they see a Kerberos authentication message, they can inspect the packet to identify which SPNs are used, which user is requesting a ticket and which encryption types are used. The next phase is to analyze and learn the environment, and then detect abnormal behaviors and suspicious activities. An alert and email notification are triggered when Azure ATP detects an attack, and the Azure ATP portal shows an intuitive attack timeline that gives you all the information you need to investigate what is happening. If the attack involves one or more machines with Windows ATP installed on them, you can see insights from Windows ATP right from within the Azure ATP portal, thanks to the integration between Azure ATP and Windows ATP.
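What Michael does by hand in slides 21 to 24 (tag sensitive accounts, build a profile per account from its history, then score a window of activity for the four signals: failed-logon bursts, unfamiliar times, unfamiliar machines, unfamiliar resources), as an added example that is not Azure ATP's code. The group memberships, the "sensitive" lists, the five-failure threshold and every logon event are constructed for the demo; the events are shaped like what a domain controller sees (source host, requested resource, success or failure):

```python
"""Profiling and anomaly checks from slides 21 to 24, as an added example that is not
Azure ATP's code. The group memberships, the 'sensitive' lists, the thresholds and
every logon event below are constructed for the demo."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Set


@dataclass(frozen=True)
class LogonEvent:
    ts: datetime
    user: str
    source_host: str   # machine the logon request came from
    resource: str      # service the account asked for, as a Kerberos TGS request would reveal
    success: bool


# Slide 21: sensitive accounts, found automatically from privileged groups or tagged by hand.
PRIVILEGED_GROUPS = {"Domain Admins", "Schema Admins", "Enterprise Admins", "Backup Operators"}
MANUAL_SENSITIVE = {"ceo"}
GROUPS: Dict[str, Set[str]] = {"kit": {"HR Staff"}, "bkadmin": {"Backup Operators"}, "ceo": {"Executives"}}


def is_sensitive(user: str) -> bool:
    return user in MANUAL_SENSITIVE or bool(GROUPS.get(user, set()) & PRIVILEGED_GROUPS)


# Slide 22: one profile per account, learned from its successful activity.
def build_profiles(history: List[LogonEvent]) -> Dict[str, Dict[str, Set]]:
    profiles: Dict[str, Dict[str, Set]] = defaultdict(
        lambda: {"hours": set(), "hosts": set(), "resources": set()})
    for e in history:
        if e.success:
            profiles[e.user]["hours"].add(e.ts.hour)
            profiles[e.user]["hosts"].add(e.source_host)
            profiles[e.user]["resources"].add(e.resource)
    return dict(profiles)


# Slide 23: the signals. Severity is raised when the account is sensitive.
def detect(profiles: Dict[str, Dict[str, Set]], window: List[LogonEvent],
           fail_threshold: int = 5) -> List[dict]:
    alerts: List[dict] = []

    def alert(user: str, kind: str, detail: str) -> None:
        alerts.append({"user": user, "kind": kind, "detail": detail,
                       "severity": "high" if is_sensitive(user) else "medium"})

    failures = Counter((e.user, e.source_host) for e in window if not e.success)
    for (user, host), n in failures.items():
        if n >= fail_threshold:
            alert(user, "failed_logon_burst", f"{n} failures from {host}")
    for e in window:
        if not e.success:
            continue
        p = profiles.get(e.user)
        if p is None:
            alert(e.user, "unknown_account", f"no profile, first seen from {e.source_host}")
            continue
        if e.ts.hour not in p["hours"]:
            alert(e.user, "unfamiliar_time", f"logon at {e.ts:%H:%M}")
        if e.source_host not in p["hosts"]:
            alert(e.user, "unfamiliar_machine", f"logon from {e.source_host}")
        if e.resource not in p["resources"]:
            alert(e.user, "unfamiliar_resource", f"access to {e.resource}")
    return alerts


def _ev(day: int, hour: int, minute: int, user: str, host: str, resource: str,
        ok: bool = True) -> LogonEvent:
    return LogonEvent(datetime(2018, 9, day, hour, minute), user, host, resource, ok)


# A working week of normal activity: Kit (HR manager) on his laptop during office hours,
# the backup admin on the backup server every night.
HISTORY = [_ev(d, h, 0, "kit", "KIT-LAPTOP", r)
           for d in range(3, 8) for h, r in ((8, "MAIL"), (9, "HR-FS"), (14, "HR-FS"), (17, "MAIL"))]
HISTORY += [_ev(d, 22, 0, "bkadmin", "BACKUP01", "DC01") for d in range(3, 8)]

# The window under investigation: failed logons against Kit at 02:00 from an unusual workstation,
# then a success and a jump to the finance share, then the backup admin's account from the same box.
WINDOW = [_ev(10, 2, m, "kit", "WS-042", "DC01", ok=False) for m in range(10, 15)]
WINDOW += [_ev(10, 2, 16, "kit", "WS-042", "FIN-FS"),
           _ev(10, 9, 5, "kit", "KIT-LAPTOP", "HR-FS"),   # normal activity, must not alert
           _ev(10, 2, 30, "bkadmin", "WS-042", "DC01")]


if __name__ == "__main__":
    for a in detect(build_profiles(HISTORY), WINDOW):
        print(f"[{a['severity']:6}] {a['user']:8} {a['kind']:20} {a['detail']}")
```

The constructed window reproduces the chain from slide 17 in miniature: a burst of failures against Kit, a success from a machine he never uses, a first touch of the finance share, and then a privileged account (a Backup Operators member, so automatically sensitive) appearing on the same workstation, which is what raises the last alerts to high severity. A real sensor also reads the ticket requests themselves; the profile-versus-window comparison is the part this example shows.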
  25. Now let us switch gears.
  26. Do you remember when you had all your important assets protected by state-of-the-art firewalls, IDS/IPS devices and even VPN access controls? You simply had full control over the network and the switches, and over what users could access, because you controlled their devices. But now companies are gradually moving to the cloud, whether it is Office 365, Azure services or any other SaaS application, and they access it over the public internet, which you do not control. Since these services are available from the internet, users can reach them from anywhere and from any device. That means it is time to think of new defense in depth techniques, as traditional security perimeters are no longer effective on their own.
  27. I like to think of defense in depth from the perspective of four entities. You have a user (or identity) who is using a device to access an application and read or consume data. Any defense in depth technique in the cloud-first, mobile-first world we live in should provide identity and access controls for all four of those entities.
  28. It starts with an identity or user. The risks we are trying to mitigate here are compromised identities and stolen credentials. Our defense techniques at the identity level can be implementing Azure ATP to detect unusual identity behavior, Azure AD Identity Protection to assign a risk level to users and sign-ins, and Azure MFA to provide stronger authentication. Next we have the device the user is using. Here we have many management and security solutions, like Configuration Manager, Intune MDM and MAM policies, and even a hybrid management model where a Windows device is managed by both SCCM and Intune. Windows 10 devices can now be joined to Azure AD and managed by Intune, which is a new security and management offering from Microsoft, along with Windows Hello for Business for stronger authentication. And finally, Windows Defender ATP can be used to protect the endpoint, as explained earlier.
  29. Now that we have a user who is using a device to access your applications: if these applications use Azure AD for single sign-on, then you can use Azure AD Conditional Access as your first identity-based cloud firewall. Here you specify conditions like: which users are trying to connect, and which applications they want to access; what the compliance state of the devices they are connecting from is; whether they are connecting from inside your corporate network; and what the risk score for that user is. All those conditions help you decide whether to allow access, deny access, require the user to perform MFA, or even limit access to the application, for example by preventing users from downloading documents from SharePoint Online when they connect from a non-domain-joined device.
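The identity-firewall decision from slide 29 as a small policy engine, added here as an example and not Azure AD's code. The policy set, the groups and the sign-in contexts are constructed; the one rule taken from how Azure AD combines several policies is that a block is final, every matching policy's grant control must be satisfied, and session controls accumulate:

```python
"""Model of the Conditional Access decision on slide 29, as an added example that is
not Azure AD's code. The policy set, the groups and the sign-in contexts are
constructed for the demo. The combination rule (a block is final; otherwise the
grant controls of every matching policy must all be satisfied and session
controls accumulate) follows how Azure AD applies several policies to one sign-in."""
from dataclasses import dataclass, field
from typing import Callable, List, Set


@dataclass(frozen=True)
class SignIn:
    user: str
    groups: frozenset        # WHO: the user's group memberships
    app: str                 # WHERE: the cloud app being accessed
    device_compliant: bool   # device: Intune compliance state
    device_joined: bool      # device: Azure AD or hybrid joined
    trusted_network: bool    # network: coming from a named corporate location
    signin_risk: str         # risk: Identity Protection sign-in risk ("none", "low", "medium", "high")
    user_risk: str           # risk: Identity Protection user risk


@dataclass
class Policy:
    name: str
    grant: str                                  # "block", "allow", "mfa", "password_change", "compliant_device"
    applies: Callable[[SignIn], bool]           # the policy's conditions
    session: Set[str] = field(default_factory=set)   # session controls, e.g. {"block_download"}


@dataclass
class Decision:
    action: str          # "allow" or "deny"
    required: Set[str]   # controls the user must satisfy before access is granted
    session: Set[str]    # restrictions applied to the session
    matched: List[str]   # names of the policies that applied


def evaluate(policies: List[Policy], s: SignIn) -> Decision:
    required: Set[str] = set()
    session: Set[str] = set()
    matched: List[str] = []
    for p in policies:
        if not p.applies(s):
            continue
        matched.append(p.name)
        if p.grant == "block":
            return Decision("deny", set(), set(), matched)   # block wins over everything else
        if p.grant == "compliant_device" and not s.device_compliant:
            return Decision("deny", set(), set(), matched)   # a grant the device cannot meet is a denial
        if p.grant not in ("allow", "compliant_device"):
            required.add(p.grant)
        session |= p.session
    return Decision("allow", required, session, matched)


# Constructed policy set following the slide's WHO / WHERE / device / network / risk conditions.
POLICIES = [
    Policy("Block high sign-in risk", "block", lambda s: s.signin_risk == "high"),
    Policy("Password change on high user risk", "password_change", lambda s: s.user_risk == "high"),
    Policy("MFA outside the corporate network", "mfa", lambda s: not s.trusted_network),
    Policy("MFA on medium sign-in risk", "mfa", lambda s: s.signin_risk == "medium"),
    Policy("Admins always MFA", "mfa", lambda s: "Global Admins" in s.groups),
    Policy("Compliant device for Exchange", "compliant_device", lambda s: s.app == "Exchange Online"),
    Policy("Limited SharePoint access on unmanaged devices", "allow",
           lambda s: s.app == "SharePoint Online" and not s.device_joined, session={"block_download"}),
]


def kit_signin(**overrides) -> SignIn:
    """Kit, the HR manager, on a managed device inside the office; override fields to vary the context."""
    base = dict(user="kit", groups=frozenset({"HR Staff"}), app="SharePoint Online",
                device_compliant=True, device_joined=True, trusted_network=True,
                signin_risk="none", user_risk="none")
    base.update(overrides)
    return SignIn(**base)


if __name__ == "__main__":
    contexts = (("office, managed device", kit_signin()),
                ("home, personal device", kit_signin(device_compliant=False, device_joined=False,
                                                     trusted_network=False)),
                ("high sign-in risk", kit_signin(signin_risk="high")))
    for label, ctx in contexts:
        d = evaluate(POLICIES, ctx)
        print(f"{label:24} -> {d.action:5} require={sorted(d.required)} session={sorted(d.session)}")
```

The "home, personal device" context is the slide's limited-access outcome: Kit gets in after MFA, but the SharePoint session carries a block-download restriction because the device is not joined. Note that "require compliant device" is modelled as a denial when the device is not compliant, which is the effect the user sees in practice.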
  30. Azure AD can do more here: it helps you do SSO with many SaaS applications, it lets you deploy an effective self-service password reset feature so that users can reset their own passwords, and it provides group management and MFA registration. Another layer of security here is Microsoft Cloud App Security, or CAS, which helps you discover shadow IT inside your organization and apply data control policies when accessing SaaS applications. Microsoft CAS is your application layer security, and there is a lot to say about CAS that I urge you to consider when planning your security.
  31. At the data layer, we have DLP for Office 365, mobile app policies with Intune, and Azure Information Protection for labeling, classifying and protecting documents and files, so that even if a document leaks, it is already protected and encrypted with Azure Information Protection. I also urge you to look at Office 365 Secure Score, which helps you tune the configuration of your Office 365 deployment to improve your security score. Office 365 Threat Explorer is also worth looking at, as it clusters attacks into campaigns and gives security administrators the ability to take action right from within the Threat Explorer console.
  32. Here are some good resources I put together for you. I highly recommend you look at them so that you get the whole picture of how Microsoft 365 security can help you protect against, detect and respond to advanced persistent attacks.
  33. Remember this: Microsoft 365 provides advanced security services to help you protect your Office 365, Microsoft online services and access to many SaaS applications. Not only do you get a comprehensive set of security features, but the integration and data exchange between these services puts Microsoft 365 security solutions in a unique position against other, non-Microsoft security solutions. I want to thank you for watching my session; please connect on Twitter and feel free to ask me anything.