Join me as I walk you through all that Microsoft 365 has to offer to protect your business and organization. I am going to cover every security feature and how it fits into the big picture. Whether you are an on-premises organization or migrating to the cloud, there is something here for you to look at.
Follow me on Twitter @ammarhasayen and connect on LinkedIn https://www.linkedin.com/in/ammarhasayen
Here is the full blog post: https://blog.ahasayen.com/secure-modern-workplace-with-microsoft-365-advanced-threat-protection/
Secure Modern Workplace With Microsoft 365 Threat Protection
1. SECURING THE MODERN
WORKPLACE WITH
MICROSOFT 365 THREAT
PROTECTION
@AmmarHasayen blog.ahasayen.com
Digital Transformation | Cloud Architect
| Cybersecurity | Microsoft MVP |
Speaker | Author
Ammar Hasayen
2. Advanced Threat Protection
- Office 365 ATP
- Windows ATP
- Azure ATP
New Defense in Depth
- Identity driven security
- Zero Trust Networks
Outline
3. Windows 10
Enterprise Mobility and
Security
Office 365
Microsoft 365
E-discovery, advanced
security [Office 365 ATP]
Collaboration Tools
PIM, Identity Protection, CAS,
Azure ATP
Identity Sync, Mobile
Management, From RMS to
AIP, ATA
Windows Defender Advanced
Threat Protection
BitLocker, Windows Firewall,
Windows Defender, VBS
Complete Solution
E3
E5
11. Windows Defender
Endpoint Detection and
Response
Windows Defender
Endpoint Protection
Windows Defender
Smart Screen
Windows Defender ATP
Block malicious websites
Block low reputation web
downloads
Monitors behaviors and
terminates bad processes
Block malicious programs and
content
After execution – Windows
Defender Hexadite can
reverse damage
After execution – Windows
Defender ATP monitors for
post-breach signals
Endpoint Protection Detection and Remediation
12. Advanced Real-Time Defense
Client holds file and uploads sample
Sample is processed & checked against machine learning classifiers
Cloud generates signature and sends to client
Client blocks file and reports back, protecting all customers
13. Machine Learning for Endpoint Protection
Local ML models, behavior-based detection algorithms, generics and heuristics
Metadata-based ML models
Sample Analysis-based ML
models
Detonation-based ML
Models
Big Data
Analysis
Client
Cloud
Milliseconds
Milliseconds
Seconds
Minutes
Hours
16. Advanced Persistence Attacks
356 days
60%
APT maintained access to victim networks
Attackers are able to compromise an
organizations within minutes
17. User account
is compromised
Attacker attempts
lateral movement
Privileged account
compromised
Attacker accesses
sensitive data
Attacker steals
sensitive data
Zero-day/
brute force attack
Anatomy of an attack
18. Anatomy of an
attack
Anomalous user behavior
Unfamiliar sign-in locations
Lateral movement attacks
Escalation of privileges
Account impersonation
23. Behavioral Analytics
Working hours
Works with
His laptop
Many failed logon attempts
Logon at unfamiliar times
Access unfamiliar resources
Logon from unfamiliar
machine
24. Azure ATP
Cloud evolution for
Microsoft ATA
Collect
DC Logs, SIEM,
Windows Events.
L7 Deep Packet Inspection
Analyze & Learn
Self-learning and profiling
technology, patented IP
resolution, unlimited scale
by Azure
Alert & Investigate
Intuitive attack timeline.
Lateral movement graphs.
Alert via email & scheduled reports.
Detect
Abnormal behavior &
Suspicious activities
Integrate
Integrated with Windows
Defender ATP
to further dig deep into the
device health.
Azure ATP
28. Identity
MFA
• Compromised
Identity
• Stolen Credentials
• Azure ATP
• Azure Identity Protection
• Azure MFA
Devices
Lost Device
• Configuration Manager
• Intune MDM, MAM
• Hybrid Management
• Azure AD Domain Join
• Windows Hello for Business
• Windows Defender ATP
29. WHO? [Users]
Azure AD Conditional Access
WHERE? [Application]
Device? [Compliance]
Network? [IN-OUT Corp]
Risk? [Identity Protection]
Allow Access
Require MFA
Password Reset
Deny Access
Limit Access
New Identity Firewall
Read more here
https://bit.ly/2LglLYd
30. SSO with SaaS Applications
Azure AD Management Layer
Self-Service Password Reset
Azure AD Domain Join
MFA Registration
Group Management
Shadow IT Discovery
Cloud App Security
Risk Scoring
Policies for Data Control
Collaboration Behavior and
Anomaly Detection
Shadow IT
Read more here
https://bit.ly/2LdXamL
31. DLP for Office 365
Data Layer
Mobile App Policies
AIP Labeling and Classification
AIP Protection & Reporting
Office 365 Secure Score
Office 365 Security
Office 365 Threat Explorer
Office 365 ATP
Data Leak
Exchange Online Protection
32. Resources
• Azure ATP [ https://blog.ahasayen.com/tag/azure-atp/ ]
• Cloud App Security [ https://blog.ahasayen.com/microsoft-cloud-app-security-casb/ ]
• Defense in Depth Diagram [ https://blog.ahasayen.com/microsoft-cloud-security-approach/ ]
• Azure AD Conditional Access [ https://blog.ahasayen.com/azure-active-directory-conditional-access/ ]
• Exchange Online Protection Architecture [ https://blog.ahasayen.com/eop-exchange-online-protection-architecture/ ]
• Zero Trust Network with M365 [ https://bit.ly/2MGRweJ ]
33. SECURING THE MODERN
WORKPLACE WITH
MICROSOFT 365 THREAT
PROTECTION
@AmmarHasayen blog.ahasayen.com
THANK YOU !
Ammar Hasayen
Editor's Notes
Hi, my name is Ammar Hasayen, a Microsoft MVP with over 15 years of experience working with SharePoint, Exchange, Skype for Business, identity solutions and security.
I speak at international conferences like Ignite and SharePoint Saturday, and I do courses for Pluralsight from time to time.
I am currently focused on Microsoft 365 and cybersecurity, and today I am going to talk about how to secure your modern workplace with Microsoft 365 threat protection.
You can find many supporting articles about this topic on my blog here, and here is my Twitter handle if you want to connect.
I am going to talk about advanced threat protection, and specifically Office 365 ATP, Windows ATP and Azure ATP (by the way, ATP stands for Advanced Threat Protection).
Then I am going to show you how to re-imagine the defense in depth concept we all used to learn about, and how identity becomes the new control plane. And finally, if we have time, I am going to talk about the concept of zero trust networks. Sounds interesting? Let's get started.
When you start thinking about the modern workplace, you naturally start thinking about Office 365 and all the collaboration tools available, like SharePoint Online and Microsoft Teams. Then you quickly realize that Azure Active Directory is the identity and access management entity for Office 365, and you might need to sync your users to Azure AD. The next thing you find is that people have started to download all these new Office 365 mobile apps like Planner, Teams and OneDrive, and you want a way to protect corporate data on mobile devices, which is what Intune mobile management can help you with. This is where EMS, Enterprise Mobility and Security, from Microsoft comes in: it helps you manage and protect your existing Office 365 investments. And finally, Windows 10 is your operating system of choice, as it provides many security features like BitLocker, Windows Defender and VBS, which stands for Virtualization Based Security, such as Credential Guard.
So together, Office 365, EMS and Windows 10 are offered as Microsoft 365, but the story does not end here. If you are worried about security and your business cannot afford to be hacked in a security incident, then Microsoft 365 offers a lot of services for you. Office 365 can be extended to include the Office 365 ATP service to handle zero-day attacks. EMS can be extended with services like PIM, or Privileged Identity Management, a highly recommended product that provides just-in-time access for admins; there is also an Identity Protection service to evaluate the user and session risk levels, the Cloud App Security service, and also Azure ATP.
From the Windows 10 side, you can use Windows Defender Advanced Threat Protection, which operates as an endpoint detection and response solution.
Now, all these advanced security features are offered under the E5 licenses of Microsoft 365.
Now, let us focus on the threat protection solutions in Microsoft 365. It is a complete solution that covers devices, email and SharePoint, and corporate identities. Windows ATP is a threat protection service for Windows devices, Office 365 ATP is a threat protection service for Office 365, and Azure ATP is a threat protection service for on-premises identities.
The three threat protection services provide an integrated experience.
I like to think of Office 365 ATP as the first line of defense, as most attacks come in the form of a phishing email or an infected email attachment.
If the attack bypasses Office 365 ATP, or the attack did not come through email, then Windows ATP is the next level of protection.
If the attack bypasses both protection services, or it did not pass through them at all, then Azure ATP can help detect the attack by spotting unusual behaviors and privilege escalations.
What is unique about the Microsoft threat protection offering is the level of integration between these products. If an attack in the form of a malicious attachment was not detected by Office 365 ATP, then Windows ATP can detect that this attachment is in fact malicious code trying to do bad things on the Windows device. Not only can Windows ATP detect and stop the attack on that machine, it will also send the attachment's file information to Office 365 ATP, asking it to block this file in the future, to find out who else in the enterprise received the same attachment, and to delete the attachment from those recipients' mailboxes.
Let us start by talking about Office 365 ATP.
Office 365 ATP helps protect your organization from malicious attacks by:
Scanning email attachments with the ATP Safe Attachments feature.
And scanning web addresses, or URLs, in email messages and Office documents with the ATP Safe Links feature.
Even if the URL inside an email message points to a document in order to evade detection, Office 365 ATP will take that document and send it to ATP Safe Attachments, if you configure the service to do so.
Office 365 ATP works with email messages and with SharePoint Online and OneDrive for Business, so files you upload there will be inspected by Safe Attachments.
Office 365 ATP can also check email messages for unauthorized spoofing with the spoof intelligence feature, and can detect when someone attempts to impersonate your users with the ATP anti-phishing capabilities in Office 365.
Office 365 ATP is a must-have feature for any enterprise or business that is using Office 365, and it is part of the Office 365 E5 licenses or it can be purchased alone. You do not even need to do complex configuration to make all this magic happen; it is so simple to configure, and the business benefits are definitely high.
Let me now talk about Windows Defender ATP.
Windows Defender and Windows Defender ATP provide a complete solution to protect your Windows endpoints. We have Windows Defender SmartScreen, Windows Defender endpoint protection, and Windows Defender endpoint detection and response.
With Windows Defender SmartScreen, you can block low-reputation web downloads and malicious websites, so if a user accidentally or intentionally browses to a malicious website, you can block that website to protect your users. The same applies to web downloads.
Windows Defender endpoint protection, on the other hand, will help protect your Windows box from malicious programs and quickly terminate bad processes.
The extra step that I want to focus on in this session is Windows Defender endpoint detection and response, which will help you with detection and remediation. It is an after-execution solution that monitors post-breach signals and then takes whatever actions are needed to remediate and reverse the damage. It is as if there is someone watching for unusual behaviors happening on the machine that might be related to a breach, and then taking action to stop and block that attack before further damage happens.
And the new way of defending against attacks is by utilizing the power of the cloud and the Microsoft Intelligent Security Graph. The Microsoft Intelligent Security Graph provides rich signals from vast security intelligence, machine learning and behavioral analytics that Microsoft allows you to consume and use to improve your protection and detection speed.
So when Windows Defender encounters a new file and does not know whether it is good or bad, it sends a file query to the cloud. If the cloud knows about this file, it will give feedback to the endpoint; otherwise it will ask for a sample.
The client will hold the file and upload a sample to the cloud. The cloud services will process the sample and check it against machine learning classifiers, trying to find out whether the file is good or not, and if the file turns out to contain malicious code, it will generate a new signature for that file and send it back to the client, along with all other clients, so that when they encounter this file they already know to block it.
And you might be asking: does this mean the client needs to consult the cloud and wait for an answer, and what if there is no internet connection at that time?
Well, here is how things are designed. Each Windows Defender client has local machine learning models and behavior-based detection algorithms, so it can use all that logic offline without consulting the cloud. This operation takes only milliseconds.
The client can consult the cloud services by sending only metadata, so that the cloud can use metadata-based machine learning models to determine whether the file is malicious. This also takes only milliseconds.
If the cloud requests a sample, then sample analysis-based machine learning models are used in the cloud, which might take seconds.
In certain scenarios, detonation-based machine learning models can be invoked, which might take minutes, and big data analysis can take up to hours.
What this means is that the client will not wait for minutes or hours. If the file is infected and the cloud could not determine that it is a bad file within seconds, the client will allow that file to run. In the background, the cloud will continue working and analyzing, and might run detonation-based ML models and big data analysis to get the truth about that file, so that other clients can be notified and updated, although we lose patient zero in the process.
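To make the timing design above concrete, here is an added example (my own illustration, not Microsoft's code or anything from the talk) that models the tiered verdict flow in Python. The tier names, the latency of each tier, the five-second client wait budget and the three constructed file hashes are all assumptions chosen for illustration. The point it shows is the trade-off the talk describes: the client stops waiting as soon as the next tier would exceed its budget and lets the file run, but a later malicious verdict from the slow tiers still produces a signature that every other client blocks on immediately, while the first client is recorded as patient zero.

```python
"""Model of the client/cloud tiered verdict flow described in the talk.
Added example, not Microsoft code. Tier latencies, the client wait budget
and the file-hash tables are constructed assumptions for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional

MALICIOUS, CLEAN = "malicious", "clean"  # a tier returning None means "unknown, escalate"

# Constructed hash tables standing in for what each tier "knows".
KNOWN_GOOD = {"h-good"}              # local model recognises it immediately
METADATA_BAD = {"h-meta-bad"}        # cloud metadata model recognises it
DETONATION_BAD = {"h-detonate-bad"}  # only a sandbox detonation reveals it


@dataclass
class Tier:
    name: str
    latency: float  # constructed typical cost in seconds
    classify: Callable[[str], Optional[str]]


@dataclass
class Pipeline:
    tiers: list
    client_wait_budget: float = 5.0  # assumption: the client blocks execution for a few seconds at most
    signatures: set = field(default_factory=set)      # cloud-issued blocks shared with every client
    patient_zero: dict = field(default_factory=dict)  # file hash -> first client that ran it

    def scan(self, client: str, file_hash: str) -> dict:
        """Return the client's decision and the tier that produced it."""
        if file_hash in self.signatures:
            return {"decision": "block", "tier": "signature"}
        elapsed = 0.0
        for i, tier in enumerate(self.tiers):
            if elapsed + tier.latency > self.client_wait_budget:
                # Client stops waiting: the file runs while the cloud keeps analysing.
                verdict = self._background(file_hash, self.tiers[i:])
                if verdict == MALICIOUS:
                    self.patient_zero.setdefault(file_hash, client)
                return {"decision": "allow", "tier": "timeout", "background": verdict}
            elapsed += tier.latency
            verdict = tier.classify(file_hash)
            if verdict == MALICIOUS:
                self.signatures.add(file_hash)  # every other client now blocks it instantly
                return {"decision": "block", "tier": tier.name}
            if verdict == CLEAN:
                return {"decision": "allow", "tier": tier.name}
        return {"decision": "allow", "tier": "unknown"}

    def _background(self, file_hash: str, remaining: list) -> Optional[str]:
        """Slow tiers run after the client has already moved on."""
        for tier in remaining:
            verdict = tier.classify(file_hash)
            if verdict is not None:
                if verdict == MALICIOUS:
                    self.signatures.add(file_hash)
                return verdict
        return None


def build_pipeline() -> Pipeline:
    """Tiers and latencies follow the talk's ordering: ms, ms, seconds, minutes, hours."""
    return Pipeline([
        Tier("local_ml", 0.001, lambda h: CLEAN if h in KNOWN_GOOD else None),
        Tier("metadata_ml", 0.05, lambda h: MALICIOUS if h in METADATA_BAD else None),
        Tier("sample_ml", 2.0, lambda h: None),  # constructed: inconclusive for every sample here
        Tier("detonation", 120.0, lambda h: MALICIOUS if h in DETONATION_BAD else None),
        Tier("big_data", 3600.0, lambda h: CLEAN),  # constructed: whatever is left is judged clean
    ])


if __name__ == "__main__":
    p = build_pipeline()
    for client, h in [("pc-1", "h-good"), ("pc-1", "h-meta-bad"),
                      ("pc-1", "h-detonate-bad"), ("pc-2", "h-detonate-bad")]:
        print(client, h, p.scan(client, h))
    print("patient zero:", p.patient_zero)
```

Running it shows "h-detonate-bad" being allowed on pc-1 (the timeout path) and then blocked by signature on pc-2, which is exactly the patient-zero cost the talk accepts in exchange for not stalling the endpoint for minutes.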
Here is a nice poster for Windows Defender ATP showing all the features it provides, along with a link to download that poster. Windows Defender ATP can detect zero-day attacks and the most complex malware, including polymorphic and metamorphic malware threats.
Finally, there is Azure ATP.
It is scary that Advanced Persistent Threats, or APTs, usually maintain access to victim networks for almost a year; that is, it takes the company a year to detect that it is being hacked.
60% of attackers are able to compromise organizations within minutes. Can you imagine that? This means there is a clear problem in detecting attacks happening in organizations.
So if we know how attacks happen and the techniques attackers use to carry out their attacks, then we might learn the signals to look for when detecting attacks. Makes sense?
It all starts with a zero-day or brute force attack on a machine inside your network, and the user account for that machine is compromised. The attacker will then try to learn about the resources in the network and do lateral movement using different techniques like pass the hash or pass the ticket, until the attacker compromises a privileged account, which he uses to access and steal sensitive data, or even bring the whole network down.
Now that we know how attacks work, we can clearly see the anatomy of such an attack. It includes anomalous user behavior and unfamiliar sign-in locations as the attacker moves from machine to machine and performs lateral movement. At some point, the attacker will escalate his privileges and impersonate accounts.
So let us hire Michael, a new security expert who will help us detect attacks inside our network.
The first thing Michael will try to do is learn who is working in this building or network: who are the users, groups and computers that are connected to the network.
After that, Michael will try to identify the sensitive accounts that attackers are going after. He can quickly classify the schema admins, the domain admins and the backup operators as sensitive accounts, but he will also ask his manager to manually identify what he considers a sensitive account. This might be the CEO account, for example, as the CEO can access sensitive information that attackers are going after.
Next, Michael will study the environment by creating a file for each user, computer and group in the company. Let us take Alice, for example: Michael will create a file for her with all her information, like when her account was created, who her manager is and who reports to her, her authentication activity log, like when she logged on to the network and from where, and whether she is considered a sensitive account or not.
Michael will create a file for each user, group and device in the network.
Now that Michael has a file for everyone in the network, he will start studying everyone's behavior. For example, Michael knows Kit, the HR manager in the company; he knows his working hours, who he works with, and what devices he uses. If Michael finds unusual behavior when it comes to Kit's account, then Michael can assume there is an attack happening using his account.
Such unusual behavior signals might be many failed logon attempts, logons at unfamiliar times, accessing unfamiliar resources (for example, if Kit's account is trying to authenticate to the financial file share, which is unusual activity for Kit the HR manager), or his account logging on from unfamiliar machines. All those signals might mean one thing: his account is compromised and there is an attack happening using pass the hash or pass the ticket techniques, for example.
Sounds like a lot of work for Michael to do by himself. Well, Azure ATP is a way to automate all that. You deploy an agent on your on-premises domain controllers, or on a gateway that is configured with port mirroring, and then these logs and Windows events are sent to the Azure ATP cloud service. Azure ATP agents perform Layer 7 deep packet inspection: not only do they see a Kerberos authentication message, they can inspect that packet to identify what SPNs are used, what user is requesting a ticket and what encryption keys are used.
The next phase is to analyze and learn about the environment, and then detect abnormal behaviors and suspicious activities. An alert and email notifications are triggered when Azure ATP detects an attack, and the Azure ATP portal shows an intuitive attack timeline to give you all the information you need to investigate what is happening. If the attack involves one or more machines with Windows ATP installed on them, then you can see insights from Windows ATP right from within the Azure ATP portal, thanks to the integration between Azure ATP and Windows ATP.
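The "file per user" that Michael builds and the four signals he looks for (failed-logon bursts, unfamiliar times, unfamiliar machines, unfamiliar resources) map directly onto a small baseline-and-score routine. The Python below is an added example written for this page, not Azure ATP's detection logic: the two CSV logon logs, the host and share names, Kit's schedule and the five-failures-in-ten-minutes threshold are all constructed for illustration. It learns a profile from successful logons in a training window and then scores a later window, producing one alert per signal.

```python
"""Per-user behavioral baseline and anomaly scoring over constructed logon events.
Added example, not Azure ATP code: the CSV log lines, the alert names and the
failed-logon threshold are assumptions chosen for illustration.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed training window: Kit's normal pattern (office hours, his own laptop, HR resources).
BASELINE_LOG = """\
timestamp,user,host,resource,result
2018-09-03T08:55:00,kit,HR-LAPTOP-01,hr-share,success
2018-09-03T09:30:00,kit,HR-LAPTOP-01,mail,success
2018-09-04T13:05:00,kit,HR-LAPTOP-01,hr-share,success
2018-09-05T17:20:00,kit,HR-LAPTOP-01,mail,success
2018-09-06T09:02:00,kit,HR-LAPTOP-01,hr-share,success
"""

# Constructed detection window: one normal logon, then a burst of failures and a
# night-time logon from an engineering workstation to the finance share.
NEW_LOG = """\
timestamp,user,host,resource,result
2018-09-10T09:10:00,kit,HR-LAPTOP-01,hr-share,success
2018-09-10T23:00:00,kit,WS-ENG-07,finance-share,failure
2018-09-10T23:01:00,kit,WS-ENG-07,finance-share,failure
2018-09-10T23:02:00,kit,WS-ENG-07,finance-share,failure
2018-09-10T23:03:00,kit,WS-ENG-07,finance-share,failure
2018-09-10T23:04:00,kit,WS-ENG-07,finance-share,failure
2018-09-10T23:05:00,kit,WS-ENG-07,finance-share,success
"""


def parse_events(text: str) -> list:
    """Parse CSV log text into dicts with a datetime under 'ts', oldest first."""
    events = list(csv.DictReader(io.StringIO(text)))
    for e in events:
        e["ts"] = datetime.fromisoformat(e["timestamp"])
    return sorted(events, key=lambda e: e["ts"])


def build_profiles(events: list) -> dict:
    """Michael's 'file per user': hours, hosts and resources seen in successful logons."""
    profiles = defaultdict(lambda: {"hours": set(), "hosts": set(), "resources": set()})
    for e in events:
        if e["result"] != "success":
            continue
        p = profiles[e["user"]]
        p["hours"].add(e["ts"].hour)
        p["hosts"].add(e["host"])
        p["resources"].add(e["resource"])
    return dict(profiles)


def score_events(events: list, profiles: dict, fail_threshold: int = 5, fail_window_min: int = 10) -> list:
    """Emit one alert per signal the talk lists: failed-logon burst, unfamiliar time, machine, resource."""
    alerts = []
    recent_failures = defaultdict(list)  # user -> failure timestamps inside the sliding window
    for e in events:
        user, ts = e["user"], e["ts"]
        if e["result"] == "failure":
            window = [t for t in recent_failures[user] if (ts - t).total_seconds() <= fail_window_min * 60]
            window.append(ts)
            recent_failures[user] = window
            if len(window) == fail_threshold:  # alert once, when the burst crosses the threshold
                alerts.append({"user": user, "kind": "many_failed_logons", "ts": ts, "host": e["host"]})
            continue
        profile = profiles.get(user)
        if profile is None:
            alerts.append({"user": user, "kind": "no_baseline", "ts": ts, "host": e["host"]})
            continue
        if ts.hour not in profile["hours"]:
            alerts.append({"user": user, "kind": "unfamiliar_time", "ts": ts, "host": e["host"]})
        if e["host"] not in profile["hosts"]:
            alerts.append({"user": user, "kind": "unfamiliar_machine", "ts": ts, "host": e["host"]})
        if e["resource"] not in profile["resources"]:
            alerts.append({"user": user, "kind": "unfamiliar_resource", "ts": ts, "host": e["host"]})
    return alerts


def run() -> list:
    """Learn from the baseline window, then score the new window."""
    profiles = build_profiles(parse_events(BASELINE_LOG))
    return score_events(parse_events(NEW_LOG), profiles)


if __name__ == "__main__":
    for a in run():
        print(a["ts"].isoformat(), a["user"], a["kind"], a["host"])
```

The 09:10 logon from Kit's own laptop produces nothing, the fifth failure at 23:04 raises the burst alert, and the 23:05 success raises the three "unfamiliar" alerts at once, which is the combination the talk says should make you suspect pass-the-hash or pass-the-ticket activity on that account. A real profile would use a longer window and a tolerance around the observed hours rather than an exact hour set.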
Now let us switch gears.
Do you remember back when you had all your important assets protected by state-of-the-art firewalls, IDS/IPS devices and even VPN access controls in place? You simply had full control over the network, the switches, and what users could access, as you controlled their devices.
But now companies are moving gradually to the cloud, whether it is Office 365, Azure services or any other SaaS application. And they are doing that from the public internet, which you do not control, and since these services are available from the internet, users can access them from anywhere and using any device. That means it is time to think of new defense in depth techniques, as traditional security perimeters are no longer effective alone.
I like to think of defense in depth from the perspective of four entities. You have a user (or identity) who is using a device to access an application and read or consume data.
Any defense in depth technique in this cloud-first, mobile-first world we are living in should provide identity and access controls for all four of those entities.
It starts with an identity or user. The risks we are trying to mitigate here are compromised identities or stolen credentials. Our defense techniques at the identity level can be implementing Azure ATP to detect unusual identity behaviors, Azure Identity Protection to assign a risk level to users and sessions, and Azure MFA to provide stronger authentication.
Next we have the device the user is using. Here we have many management and security solutions like Configuration Manager, Intune MDM and MAM policies, and even a hybrid management model where a Windows device can be managed using both SCCM and Intune. Windows 10 devices can now be joined to Azure AD and managed by Intune, which provides a new security and management offering from Microsoft, along with Windows Hello for Business for stronger authentication. And finally, Windows Defender ATP can be used to protect the endpoint, as explained earlier.
Now we have a user who is using a device to access your applications. If these applications use Azure AD for single sign-on, then you can use Azure AD Conditional Access as your first identity-based cloud firewall. Here you can specify conditions like: who are the users trying to connect, and what applications do they want to access? What is the compliance state of the devices they are connecting from? Are they connecting from inside your corporate network? And what is the risk score for that user? All those conditions can help you decide whether you want to allow access, deny access, require the user to do MFA, or even limit access to the application, like preventing users from downloading documents from SharePoint Online if they are connecting from a non-domain-joined device.
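To show how the conditions on the "New Identity Firewall" slide (who, which application, device compliance, network, risk) combine into the decisions on the right (allow, require MFA, password reset, deny, limit access), here is an added toy evaluator in Python. It is my own illustration, not Azure AD's engine or its API: the six policies, the group and application names and the four risk levels are constructed assumptions. It follows the combining rule a practitioner needs to keep in mind: every matching policy applies, a block from any of them wins, and otherwise the required controls are the union of what all matching policies demand.

```python
"""Toy evaluator for the Conditional Access decision described above.
Added example, not Azure AD code: the policy set, group names, application
names and risk levels are constructed assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Optional, Tuple, Union

RISK_ORDER = {"none": 0, "low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class SignIn:
    """The WHO / WHERE / device / network / risk inputs the slide lists."""
    user: str
    groups: frozenset
    app: str
    device_compliant: bool
    device_domain_joined: bool
    from_corp_network: bool
    user_risk: str  # "none" | "low" | "medium" | "high"


@dataclass(frozen=True)
class Policy:
    name: str
    condition: Callable[[SignIn], bool]
    grant: Union[str, Tuple[str, ...]]  # "block" or a tuple of required controls
    apps: Optional[frozenset] = None    # None means "all cloud apps"
    groups: Optional[frozenset] = None  # None means "all users"

    def matches(self, s: SignIn) -> bool:
        if self.apps is not None and s.app not in self.apps:
            return False
        if self.groups is not None and not (s.groups & self.groups):
            return False
        return self.condition(s)


SPO = frozenset({"SharePoint Online"})

# Constructed policy set modelled on the slide's outcomes: deny, require MFA,
# password reset, limit access; anything that matches nothing is plain allow.
POLICIES = [
    Policy("block-high-risk", lambda s: RISK_ORDER[s.user_risk] >= 3, "block"),
    Policy("medium-risk-reset", lambda s: RISK_ORDER[s.user_risk] == 2, ("mfa", "password_reset")),
    Policy("mfa-off-network", lambda s: not s.from_corp_network, ("mfa",)),
    Policy("mfa-noncompliant-device", lambda s: not s.device_compliant, ("mfa",)),
    Policy("admins-always-mfa", lambda s: True, ("mfa",), groups=frozenset({"global-admins"})),
    # The talk's example: unjoined device on SharePoint Online gets browser-only, no-download access.
    Policy("spo-unjoined-limited", lambda s: not s.device_domain_joined, ("limited_access",), apps=SPO),
]


def evaluate(signin: SignIn, policies=POLICIES) -> dict:
    """Apply every matching policy: any block wins, otherwise union the required controls."""
    controls, matched = set(), []
    for p in policies:
        if not p.matches(signin):
            continue
        matched.append(p.name)
        if p.grant == "block":
            return {"decision": "block", "controls": [], "matched": matched}
        controls.update(p.grant)
    return {"decision": "allow", "controls": sorted(controls), "matched": matched}


if __name__ == "__main__":
    office = SignIn("alice", frozenset({"employees"}), "SharePoint Online", True, True, True, "none")
    home_byod = SignIn("bob", frozenset({"employees"}), "SharePoint Online", False, False, False, "none")
    admin = SignIn("carol", frozenset({"employees", "global-admins"}), "Exchange Online", True, True, True, "medium")
    risky = SignIn("dave", frozenset({"employees"}), "Exchange Online", True, True, True, "high")
    for s in (office, home_byod, admin, risky):
        print(s.user, evaluate(s))
```

Keeping the matched policy names in the result is deliberate: when a user is unexpectedly blocked or prompted for MFA, the first question is which policy fired, so the evaluator should say so rather than return a bare decision.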
Azure AD can do more here, as it can help you do SSO with many SaaS applications, and it helps you deploy effective self-service password reset to your users, so that they can reset their own passwords, do group management and register for MFA.
Another layer of security here is Microsoft Cloud App Security, or CAS, which helps you detect shadow IT happening inside your organization and apply policies for data control when accessing SaaS applications. Microsoft CAS is your application layer security, and there is a lot to say about CAS that I urge you to consider when planning your security.
At the data layer, we have DLP for Office 365, mobile app policies with Intune, and Azure Information Protection for labeling, classifying and protecting documents and files, so that even if a document gets leaked, it is already protected and encrypted with Azure Information Protection.
I also urge you to look at Office 365 Secure Score, which will help you tune the configuration of your Office 365 deployment to improve your security score. Office 365 Threat Explorer is also something worth looking at, as it clusters attacks into campaigns and gives security administrators the ability to take actions right from within the Threat Explorer console.
Here are some good resources I put together for you. I highly recommend you look at them so that you can get the whole picture of how Microsoft 365 security can help you protect against, detect and respond to advanced persistent attacks.
Remember this: Microsoft 365 provides advanced security services to help you protect your Office 365, Microsoft online services and access to many SaaS applications.
Not only will you get a comprehensive set of security features, the integration and data exchange between these services put Microsoft 365 security solutions in a unique position against other non-Microsoft security solutions.
I want to thank you for watching my session; please connect on Twitter and feel free to ask me anything.