SlideShare uma empresa Scribd logo

Microsoft - Human-Operated Ransomware Mitigation Project Plan #nice #template.pptx

Transferir como PPTX, PDF
P
powerofgametest

Security Awareness

Internet
1 de 26
 Enable AMSI for Office VBA to detect Office macro attacks with endpoint tools like Defender for Endpoint  Implement Advanced Email security using Defender for Office 365 or a similar solution  Enable attack surface reduction (ASR) rules to block common attack techniques including o Endpoint Abuse - Credential theft, ransomware activity, and suspicious use of PsExec and WMI o Weaponized Office document activity including advanced macro activity, executable content, process creation, and process injection initiated by Office applications. Note: Deploy these rules in audit mode first, then assess any negative impact, and then deploy them in block mode.  Audit and Monitor – to find and fix deviations from baseline and potential attacks (see Detection and Response Plan) Sponsorship – CISO or CIO Project Leadership – Security Architecture IT Architecture – Prioritize components +integrate into architectures Cloud Productivity / End User Team – Enable Defender for Office 365, ASR, AMSI Security Architecture / Infrastructure + Endpoint – Configuration assistance User Education Team – update any guidance on workflow changes Security Policy and Standards Security Compliance Management – Monitor to ensure compliance
Apply these best practices to all Windows, Linux, MacOS, Android, iOS, and other endpoints (as available):  Block known threats – with Attack surface reduction rules, tamper protection, and block at first site  Apply Security Baselines - to harden internet-facing Windows Servers, Windows Clients, and Office Applications  Maintain Software – to avoid missing/neglecting manufacturer protections  Updated - Rapidly deploy critical security updates for OS, browser, & email  Supported – Update operating systems and software to currently support versions Isolate, disable, or retire insecure systems and protocols – including unsupported operating systems and legacy protocols  Block unexpected traffic – using host-based firewall and network defenses  Audit and Monitor – to find and fix deviations from baseline and potential attacks (see Detection and Response Plan) Executive Sponsor (Maintenance) - Business Leadership accountable for business impact of both downtime and attack damage Executive Sponsor (Others) - Central IT Operations or CIO Project Leadership - Central IT Infrastructure Team IT + Security Architecture – Prioritize components +integrate into architecture Central IT Operations – Implement changes to environment Cloud Productivity / End User Team – Enable attack surface reduction Workload/App Owners – Identify maintenance windows for changes Security Policy and Standards Security Compliance Management – Monitor to ensure compliance
 Maintain Software/Appliance – to avoid missing/neglecting manufacturer protections (security updates, supported status)  Configure Azure AD – for existing remote access, including enforcing zero trust user + device validation with Conditional Access (so that infected remote machines and compromised user accounts cannot communicate with the corporate network)  Existing 3rd party VPN – 3rd party VPNs (Cisco AnyConnect, Palo Alto Networks GlobalProtect & Captive Portal, Fortinet FortiGate SSL VPN, Citrix NetScaler, Zscaler Private Access (ZPA), and more)  Azure VPN gateway  Publish Remote Desktop with Azure Active Directory Application Proxy  Move Beyond VPN by publishing apps with Azure AD Application Proxy  Secure Access to Azure resources - using Azure Bastion  Audit and Monitor – to find and fix deviations from baseline and potential attacks (see Detection and Response Plan) Executive Sponsor – CIO or CISO Project Leadership - Central IT Infrastructure/Network Team IT + Security Architecture – Prioritize components +integrate into architectures Central IT Identity Team – Configure Azure AD and conditional access policies Central IT Operations – Implement changes to environment Workload Owners – Assist with RBAC permissions for app publishing Security Policy and Standards Security Compliance Management – Monitor to ensure compliance User Education Team – update any guidance on workflow changes
 Enforce Strong MFA or Passwordless logon – for all users starting with administrators using one or more of: Windows Hello Authenticator App Azure Multi-Factor Authentication (MFA)  Increase password security  Azure AD Accounts – Use Azure AD Identity Protection to prevent and detect attacks and extend blocking of known weak passwords to on-premises Active Directory.  On-Premises AD - Extend Azure AD Password Protection to on-premises active directory  Audit and Monitor – to find and fix deviations from baseline and potential attacks (see Detection and Response Plan) Identity and Key Management Security Architecture • IT and Security Architects – Prioritize components integrate into architectures Identity and Key Management Central IT Operations • User Education Team – update any password guidance Security Policy and Standards • Security Compliance Management – Monitor
Call SMS Push TOTP OATH Token Authenticator app Windows Hello FIDO2 Key Dependencies Risks Wi-fi Phone Carrier Mobile OS notifications Channel Jacking Real-time phishing Only susceptible to hardware attacks Hardware support required Worst Password- Only * * * * * * *
https://aka.ms/SPA Azure AD Conditional Access Security Architect(s) • IT and Security Architects – Prioritize components integrate into architectures Identity and Key Management • Central IT Productivity / End User Team – Implement changes to Devices and Office 365 tenant Policy and standards team • User Education Team – update any password guidance Security Policy and Standards • Security Compliance Management – Monitor
 Migrate to cloud - move user data to cloud solutions like OneDrive/SharePoint to take advantage of versioning and recycle bin capabilities. Educate users on how to recover their files by themselves to reduce delays and cost of recovery.  Designate Protected Folders – to make it more difficult for unauthorized applications to modify the data in these folders.  Review Permissions – to r  Discover broad write/delete permissions on fileshares, SharePoint, and other solutions Broad is defined as many users having write/delete to business-critical data  Reduce broad permissions while meeting business collaboration requirements  Audit and monitor to ensure broad permissions don’t reappear Sponsorship - Central IT Operations or CIO Project Leadership - Data Security Team Central IT Productivity / End User Team – Implement changes to Microsoft 365 tenant for OneDrive / Protected Folders Business / Application Teams - Identify business critical assets Security Policy and Standards Security Compliance Management – Monitor User Education Team – Ensure guidance for users reflects policy updates Security Architecture – Review security configuration for cloud migration
Azure Backup Azure Blob info Sponsorship - Central IT Operations CIO Project Leadership - Central IT Infrastructure Team Business / Application Teams - Identify Business Critical Assets Central IT Infrastructure/Backup Team– Enable Infrastructure backup Central IT Productivity / End User Team – Enable OneDrive Backup Security Policy and Standards Security Compliance Management – Monitor Security Architecture – Advise on configuration and standards
 Prioritize Common Entry Points – Ransomware (and other) operators favor Endpoint/Email/Identity + RDP  Integrated XDR - Use integrated Extended Detection and Response (XDR) tools like Microsoft 365 Defender to provide high quality alerts and minimize friction and manual steps during response  Brute Force - Monitor for brute-force attempts like password spray  Monitor for Adversary Disabling Security – as this is often part of HumOR attack chain  Event Logs Clearing – especially the Security Event log and PowerShell Operational logs  Disabling of security tools/controls (associated with some groups)  Don’t Ignore Commodity Malware - Ransomware attackers regularly purchase access to target organizations from dark markets  Integrate outside experts – into processes to supplement expertise, such as Microsoft Detection and Response Team (DART)  Rapidly isolate compromised computers using Defender for Endpoint Sponsorship – CISO Project Leadership - Security Operations Central IT Infrastructure Team – Implement client and server agents/features Security Operations – integrate any new tools into security operations processes Central IT Productivity / End User Team – Enable features for Defender for Endpoints, Defender for O365, Defender for Identity, and Cloud App Security Central IT Identity Team – Implement Azure AD security + Defender for Identity Security Policy and Standards Security Compliance Management – Monitor Security Architecture – Advise on configuration, standards, and tooling
Sustaining and improving your security requires you to  Assign Responsibilities – to ensure clear accountability for monitoring risk and remediating it by asset owners (see Microsoft recommendations on accountabilities)  Assess and Measure security posture using Microsoft Secure Score  Apply recommended improvement actions, guidance, and control  Audit and Monitor resources for compliance using  Azure Security Center (ASC) Secure score and regulatory compliance dashboard  Microsoft Secure Score  Compliance manager Sponsorship – CISO Project Leadership - Posture Management IT + Security Architects – Prioritize components + integrate into architectures IT or DevOps Resource Owners – Remediate security risks in their resources Cloud Team / Central IT Infrastructure Team – grant permissions to security team. Configure/Deploy Azure Arc for on-prem, AWS, GCP, other clouds Security Policy and Standards identify which elements to audit and enforce Security Compliance Management – Monitor
(if applicable) – to ensure that service level agreements (SLAs) support rapid response actions for security incidents, including  Time to isolate individual workstations  Time to remediate accounts (disable accounts, reset credentials, expire authentication tokens, and related)  Time to remove malicious message from all mailboxes and block/register malicious senders  Time to fully remediate workstations (IT provided elements of removing malware and/or rebuild/reinstall)  Time to block malicious sites  Time to remove malware from cloud services, servers, fileshares, and sharepoint Sponsorship (Incident Preparation) – Business or Risk Leadership Project Leadership – CISO Legal, Security, Communications – Participate in building and validating process Security Operations and Architects- Advise on scenarios and plans Sponsorship (Outsourcing Contract) – Chief Financial Officer (CFO) Project Leadership – Procurement leads and executes on changes CISO and CIO Provide requirements, consulting, and advisory
Attacker’s cost Defender’s cost
Account Devices/Workstations Intermediaries Interface Business Critical Assets Account Devices/Workstations Intermediaries Interface Potential Attack Surface
Account Devices/Workstations Intermediaries Interface Business Critical Assets Account Devices/Workstations Intermediaries Interface Asset Protection also required Security updates, DevSecOps, data at rest / in transit, etc.
Account Devices/Workstations Intermediaries Interface Business Critical Assets Account Devices/Workstations Intermediaries Interface
Conditional Access App Control Zero Trust User Access 8 Trillion Signals/Day https://aka.ms/MCRA
Use attack surface reduction rules to prevent malware infection

Recomendados

MS. Cybersecurity Reference Architecture
MS. Cybersecurity Reference ArchitectureMS. Cybersecurity Reference Architecture
MS. Cybersecurity Reference Architectureangelohammond
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
ICAB - ITA Chapter 5 class 9-10 - Controls and Standards
ICAB - ITA Chapter 5 class 9-10 - Controls and StandardsICAB - ITA Chapter 5 class 9-10 - Controls and Standards
ICAB - ITA Chapter 5 class 9-10 - Controls and StandardsMohammad Abdul Matin Emon
 
Microsoft-CISO-Workshop-Security-Strategy-and-Program (1).pdf
Microsoft-CISO-Workshop-Security-Strategy-and-Program (1).pdfMicrosoft-CISO-Workshop-Security-Strategy-and-Program (1).pdf
Microsoft-CISO-Workshop-Security-Strategy-and-Program (1).pdfParishSummer
 
Power of the Cloud - Introduction to Microsoft Azure Security
Power of the Cloud - Introduction to Microsoft Azure SecurityPower of the Cloud - Introduction to Microsoft Azure Security
Power of the Cloud - Introduction to Microsoft Azure SecurityAdin Ermie
 
CIA-Triad-Presentation.pdf
CIA-Triad-Presentation.pdfCIA-Triad-Presentation.pdf
CIA-Triad-Presentation.pdfBabyBoy55
 
December 2019 Microsoft 365 Need to Know Webinar
December 2019 Microsoft 365 Need to Know WebinarDecember 2019 Microsoft 365 Need to Know Webinar
December 2019 Microsoft 365 Need to Know WebinarRobert Crane
 
iDEAFest Enteprise InfoSec Program Lessons Learned
iDEAFest Enteprise InfoSec Program Lessons LearnediDEAFest Enteprise InfoSec Program Lessons Learned
iDEAFest Enteprise InfoSec Program Lessons LearnedMichael King
 

Recomendados

MS. Cybersecurity Reference Architecture
MS. Cybersecurity Reference ArchitectureMS. Cybersecurity Reference Architecture
MS. Cybersecurity Reference Architectureangelohammond
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
ICAB - ITA Chapter 5 class 9-10 - Controls and Standards
ICAB - ITA Chapter 5 class 9-10 - Controls and StandardsICAB - ITA Chapter 5 class 9-10 - Controls and Standards
ICAB - ITA Chapter 5 class 9-10 - Controls and StandardsMohammad Abdul Matin Emon
 
Microsoft-CISO-Workshop-Security-Strategy-and-Program (1).pdf
Microsoft-CISO-Workshop-Security-Strategy-and-Program (1).pdfMicrosoft-CISO-Workshop-Security-Strategy-and-Program (1).pdf
Microsoft-CISO-Workshop-Security-Strategy-and-Program (1).pdfParishSummer
 
Power of the Cloud - Introduction to Microsoft Azure Security
Power of the Cloud - Introduction to Microsoft Azure SecurityPower of the Cloud - Introduction to Microsoft Azure Security
Power of the Cloud - Introduction to Microsoft Azure SecurityAdin Ermie
 
CIA-Triad-Presentation.pdf
CIA-Triad-Presentation.pdfCIA-Triad-Presentation.pdf
CIA-Triad-Presentation.pdfBabyBoy55
 
December 2019 Microsoft 365 Need to Know Webinar
December 2019 Microsoft 365 Need to Know WebinarDecember 2019 Microsoft 365 Need to Know Webinar
December 2019 Microsoft 365 Need to Know WebinarRobert Crane
 
iDEAFest Enteprise InfoSec Program Lessons Learned
iDEAFest Enteprise InfoSec Program Lessons LearnediDEAFest Enteprise InfoSec Program Lessons Learned
iDEAFest Enteprise InfoSec Program Lessons LearnedMichael King
 
Securing control systems v0.4
Securing control systems v0.4Securing control systems v0.4
Securing control systems v0.4CrispnCrunch
 
Microsoft Security Advice ISSA Slides.pptx
Microsoft Security Advice ISSA Slides.pptxMicrosoft Security Advice ISSA Slides.pptx
Microsoft Security Advice ISSA Slides.pptxMike Brannon
 
Security Checkpoints in Agile SDLC
Security Checkpoints in Agile SDLCSecurity Checkpoints in Agile SDLC
Security Checkpoints in Agile SDLCRahul Raghavan
 
Security & DevOps - What We Have Here Is a Failure to Communicate!
Security & DevOps - What We Have Here Is a Failure to Communicate!Security & DevOps - What We Have Here Is a Failure to Communicate!
Security & DevOps - What We Have Here Is a Failure to Communicate!DevOps.com
 
Cloud monitoring - An essential Platform Service
Cloud monitoring - An essential Platform ServiceCloud monitoring - An essential Platform Service
Cloud monitoring - An essential Platform ServiceSoumitra Bhattacharyya
 
Data Privacy By Design with AWS
Data Privacy By Design with AWSData Privacy By Design with AWS
Data Privacy By Design with AWSKrzysztof Kąkol
 
Designing for Privacy in AWS cloud
Designing for Privacy in AWS cloudDesigning for Privacy in AWS cloud
Designing for Privacy in AWS cloudKrzysztof Kąkol
 
Get Ahead of Cyber Attacks with Microsoft Enterprise Mobility + Security
Get Ahead of Cyber Attacks with Microsoft Enterprise Mobility + SecurityGet Ahead of Cyber Attacks with Microsoft Enterprise Mobility + Security
Get Ahead of Cyber Attacks with Microsoft Enterprise Mobility + SecurityDavid J Rosenthal
 
Securely Harden Microsoft 365 with Secure Score
Securely Harden Microsoft 365 with Secure ScoreSecurely Harden Microsoft 365 with Secure Score
Securely Harden Microsoft 365 with Secure ScoreJoel Oleson
 
I1 - Securing Office 365 and Microsoft Azure like a rockstar (or like a group...
I1 - Securing Office 365 and Microsoft Azure like a rockstar (or like a group...I1 - Securing Office 365 and Microsoft Azure like a rockstar (or like a group...
I1 - Securing Office 365 and Microsoft Azure like a rockstar (or like a group...SPS Paris
 
SAD REPORTING GROUP 2BCFGGGGHHHJJJJ.pptx
SAD REPORTING GROUP 2BCFGGGGHHHJJJJ.pptxSAD REPORTING GROUP 2BCFGGGGHHHJJJJ.pptx
SAD REPORTING GROUP 2BCFGGGGHHHJJJJ.pptxJakeariesMacarayo
 
Protect your data in / with the Cloud
Protect your data in / with the CloudProtect your data in / with the Cloud
Protect your data in / with the CloudGWAVA
 
Carl Binder Resume Myrtle Beach address 1-24-17
Carl Binder Resume Myrtle Beach address 1-24-17Carl Binder Resume Myrtle Beach address 1-24-17
Carl Binder Resume Myrtle Beach address 1-24-17Carl Binder
 
Mitigating Rapid Cyberattacks
Mitigating Rapid CyberattacksMitigating Rapid Cyberattacks
Mitigating Rapid CyberattacksErdem Erdogan
 
Security-by-Design in Enterprise Architecture
Security-by-Design in Enterprise ArchitectureSecurity-by-Design in Enterprise Architecture
Security-by-Design in Enterprise ArchitectureThe Open Group SA
 
Cost of Attack
Cost of AttackCost of Attack
Cost of AttackMark Simos
 
Cloud Security_ Unit 4
Cloud Security_ Unit 4Cloud Security_ Unit 4
Cloud Security_ Unit 4Integral university, India
 
Cs Comply And Audit V1.6
Cs Comply And Audit V1.6Cs Comply And Audit V1.6
Cs Comply And Audit V1.6Slavik Gimelbrand
 
InsiderAttack_p3.ppt
InsiderAttack_p3.pptInsiderAttack_p3.ppt
InsiderAttack_p3.pptVaishnavGhadge1
 
CSE_Instructor_Materials_Chapter7.pptx
CSE_Instructor_Materials_Chapter7.pptxCSE_Instructor_Materials_Chapter7.pptx
CSE_Instructor_Materials_Chapter7.pptxMohammad512578
 
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样ayvbos
 
Power point inglese - educazione civica di Nuria Iuzzolino
Power point inglese - educazione civica di Nuria IuzzolinoPower point inglese - educazione civica di Nuria Iuzzolino
Power point inglese - educazione civica di Nuria Iuzzolinonuriaiuzzolino1
 

Mais conteúdo relacionado

Semelhante a Microsoft - Human-Operated Ransomware Mitigation Project Plan #nice #template.pptx

Securing control systems v0.4
Securing control systems v0.4Securing control systems v0.4
Securing control systems v0.4CrispnCrunch
 
Microsoft Security Advice ISSA Slides.pptx
Microsoft Security Advice ISSA Slides.pptxMicrosoft Security Advice ISSA Slides.pptx
Microsoft Security Advice ISSA Slides.pptxMike Brannon
 
Security Checkpoints in Agile SDLC
Security Checkpoints in Agile SDLCSecurity Checkpoints in Agile SDLC
Security Checkpoints in Agile SDLCRahul Raghavan
 
Security & DevOps - What We Have Here Is a Failure to Communicate!
Security & DevOps - What We Have Here Is a Failure to Communicate!Security & DevOps - What We Have Here Is a Failure to Communicate!
Security & DevOps - What We Have Here Is a Failure to Communicate!DevOps.com
 
Cloud monitoring - An essential Platform Service
Cloud monitoring - An essential Platform ServiceCloud monitoring - An essential Platform Service
Cloud monitoring - An essential Platform ServiceSoumitra Bhattacharyya
 
Data Privacy By Design with AWS
Data Privacy By Design with AWSData Privacy By Design with AWS
Data Privacy By Design with AWSKrzysztof Kąkol
 
Designing for Privacy in AWS cloud
Designing for Privacy in AWS cloudDesigning for Privacy in AWS cloud
Designing for Privacy in AWS cloudKrzysztof Kąkol
 
Get Ahead of Cyber Attacks with Microsoft Enterprise Mobility + Security
Get Ahead of Cyber Attacks with Microsoft Enterprise Mobility + SecurityGet Ahead of Cyber Attacks with Microsoft Enterprise Mobility + Security
Get Ahead of Cyber Attacks with Microsoft Enterprise Mobility + SecurityDavid J Rosenthal
 
Securely Harden Microsoft 365 with Secure Score
Securely Harden Microsoft 365 with Secure ScoreSecurely Harden Microsoft 365 with Secure Score
Securely Harden Microsoft 365 with Secure ScoreJoel Oleson
 
I1 - Securing Office 365 and Microsoft Azure like a rockstar (or like a group...
I1 - Securing Office 365 and Microsoft Azure like a rockstar (or like a group...I1 - Securing Office 365 and Microsoft Azure like a rockstar (or like a group...
I1 - Securing Office 365 and Microsoft Azure like a rockstar (or like a group...SPS Paris
 
SAD REPORTING GROUP 2BCFGGGGHHHJJJJ.pptx
SAD REPORTING GROUP 2BCFGGGGHHHJJJJ.pptxSAD REPORTING GROUP 2BCFGGGGHHHJJJJ.pptx
SAD REPORTING GROUP 2BCFGGGGHHHJJJJ.pptxJakeariesMacarayo
 
Protect your data in / with the Cloud
Protect your data in / with the CloudProtect your data in / with the Cloud
Protect your data in / with the CloudGWAVA
 
Carl Binder Resume Myrtle Beach address 1-24-17
Carl Binder Resume Myrtle Beach address 1-24-17Carl Binder Resume Myrtle Beach address 1-24-17
Carl Binder Resume Myrtle Beach address 1-24-17Carl Binder
 
Mitigating Rapid Cyberattacks
Mitigating Rapid CyberattacksMitigating Rapid Cyberattacks
Mitigating Rapid CyberattacksErdem Erdogan
 
Security-by-Design in Enterprise Architecture
Security-by-Design in Enterprise ArchitectureSecurity-by-Design in Enterprise Architecture
Security-by-Design in Enterprise ArchitectureThe Open Group SA
 
Cost of Attack
Cost of AttackCost of Attack
Cost of AttackMark Simos
 
CSE_Instructor_Materials_Chapter7.pptx
CSE_Instructor_Materials_Chapter7.pptxCSE_Instructor_Materials_Chapter7.pptx
CSE_Instructor_Materials_Chapter7.pptxMohammad512578
 

Semelhante a Microsoft - Human-Operated Ransomware Mitigation Project Plan #nice #template.pptx (20)

Securing control systems v0.4
Securing control systems v0.4Securing control systems v0.4
Securing control systems v0.4
 
Microsoft Security Advice ISSA Slides.pptx
Microsoft Security Advice ISSA Slides.pptxMicrosoft Security Advice ISSA Slides.pptx
Microsoft Security Advice ISSA Slides.pptx
 
Security Checkpoints in Agile SDLC
Security Checkpoints in Agile SDLCSecurity Checkpoints in Agile SDLC
Security Checkpoints in Agile SDLC
 
Security & DevOps - What We Have Here Is a Failure to Communicate!
Security & DevOps - What We Have Here Is a Failure to Communicate!Security & DevOps - What We Have Here Is a Failure to Communicate!
Security & DevOps - What We Have Here Is a Failure to Communicate!
 
Cloud monitoring - An essential Platform Service
Cloud monitoring - An essential Platform ServiceCloud monitoring - An essential Platform Service
Cloud monitoring - An essential Platform Service
 
Data Privacy By Design with AWS
Data Privacy By Design with AWSData Privacy By Design with AWS
Data Privacy By Design with AWS
 
Designing for Privacy in AWS cloud
Designing for Privacy in AWS cloudDesigning for Privacy in AWS cloud
Designing for Privacy in AWS cloud
 
Get Ahead of Cyber Attacks with Microsoft Enterprise Mobility + Security
Get Ahead of Cyber Attacks with Microsoft Enterprise Mobility + SecurityGet Ahead of Cyber Attacks with Microsoft Enterprise Mobility + Security
Get Ahead of Cyber Attacks with Microsoft Enterprise Mobility + Security
 
Securely Harden Microsoft 365 with Secure Score
Securely Harden Microsoft 365 with Secure ScoreSecurely Harden Microsoft 365 with Secure Score
Securely Harden Microsoft 365 with Secure Score
 
I1 - Securing Office 365 and Microsoft Azure like a rockstar (or like a group...
I1 - Securing Office 365 and Microsoft Azure like a rockstar (or like a group...I1 - Securing Office 365 and Microsoft Azure like a rockstar (or like a group...
I1 - Securing Office 365 and Microsoft Azure like a rockstar (or like a group...
 
SAD REPORTING GROUP 2BCFGGGGHHHJJJJ.pptx
SAD REPORTING GROUP 2BCFGGGGHHHJJJJ.pptxSAD REPORTING GROUP 2BCFGGGGHHHJJJJ.pptx
SAD REPORTING GROUP 2BCFGGGGHHHJJJJ.pptx
 
Protect your data in / with the Cloud
Protect your data in / with the CloudProtect your data in / with the Cloud
Protect your data in / with the Cloud
 
Carl Binder Resume Myrtle Beach address 1-24-17
Carl Binder Resume Myrtle Beach address 1-24-17Carl Binder Resume Myrtle Beach address 1-24-17
Carl Binder Resume Myrtle Beach address 1-24-17
 
Mitigating Rapid Cyberattacks
Mitigating Rapid CyberattacksMitigating Rapid Cyberattacks
Mitigating Rapid Cyberattacks
 
Security-by-Design in Enterprise Architecture
Security-by-Design in Enterprise ArchitectureSecurity-by-Design in Enterprise Architecture
Security-by-Design in Enterprise Architecture
 
Cost of Attack
Cost of AttackCost of Attack
Cost of Attack
 
Cloud Security_ Unit 4
Cloud Security_ Unit 4Cloud Security_ Unit 4
Cloud Security_ Unit 4
 
Cs Comply And Audit V1.6
Cs Comply And Audit V1.6Cs Comply And Audit V1.6
Cs Comply And Audit V1.6
 
InsiderAttack_p3.ppt
InsiderAttack_p3.pptInsiderAttack_p3.ppt
InsiderAttack_p3.ppt
 
CSE_Instructor_Materials_Chapter7.pptx
CSE_Instructor_Materials_Chapter7.pptxCSE_Instructor_Materials_Chapter7.pptx
CSE_Instructor_Materials_Chapter7.pptx
 

Último

一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样ayvbos
 
Power point inglese - educazione civica di Nuria Iuzzolino
Power point inglese - educazione civica di Nuria IuzzolinoPower point inglese - educazione civica di Nuria Iuzzolino
Power point inglese - educazione civica di Nuria Iuzzolinonuriaiuzzolino1
 
Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi EscortsRussian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi EscortsMonica Sydney
 
75539-Cyber Security Challenges PPT.pptx
75539-Cyber Security Challenges PPT.pptx75539-Cyber Security Challenges PPT.pptx
75539-Cyber Security Challenges PPT.pptxAsmae Rabhi
 
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrStory Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrHenryBriggs2
 
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查ydyuyu
 
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC
 
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsIndian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsMonica Sydney
 
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样ayvbos
 
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查ydyuyu
 
20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdfMatthew Sinclair
 
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdfMatthew Sinclair
 
Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.krishnachandrapal52
 
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdfpdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdfJOHNBEBONYAP1
 
Real Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtReal Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtrahman018755
 
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC
 
Best SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency DallasBest SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency DallasDigicorns Technologies
 
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime NagercoilNagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoilmeghakumariji156
 
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...gajnagarg
 
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdfMatthew Sinclair
 

Último (20)

一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
 
Power point inglese - educazione civica di Nuria Iuzzolino
Power point inglese - educazione civica di Nuria IuzzolinoPower point inglese - educazione civica di Nuria Iuzzolino
Power point inglese - educazione civica di Nuria Iuzzolino
 
Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi EscortsRussian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
 
75539-Cyber Security Challenges PPT.pptx
75539-Cyber Security Challenges PPT.pptx75539-Cyber Security Challenges PPT.pptx
75539-Cyber Security Challenges PPT.pptx
 
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrStory Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
 
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
 
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53
 
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsIndian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
 
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
 
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
 
20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf
 
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
 
Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.
 
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdfpdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
 
Real Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtReal Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirt
 
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
 
Best SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency DallasBest SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency Dallas
 
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime NagercoilNagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
 
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
 
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
 

Microsoft - Human-Operated Ransomware Mitigation Project Plan #nice #template.pptx

  • 1.
  • 2.
  • 3.
  • 4.
  • 5.
  • 6.
  • 7.
  • 8.  Enable AMSI for Office VBA to detect Office macro attacks with endpoint tools like Defender for Endpoint  Implement Advanced Email security using Defender for Office 365 or a similar solution  Enable attack surface reduction (ASR) rules to block common attack techniques including o Endpoint Abuse - Credential theft, ransomware activity, and suspicious use of PsExec and WMI o Weaponized Office document activity including advanced macro activity, executable content, process creation, and process injection initiated by Office applications. Note: Deploy these rules in audit mode first, then assess any negative impact, and then deploy them in block mode.  Audit and Monitor – to find and fix deviations from baseline and potential attacks (see Detection and Response Plan) Sponsorship – CISO or CIO Project Leadership – Security Architecture IT Architecture – Prioritize components +integrate into architectures Cloud Productivity / End User Team – Enable Defender for Office 365, ASR, AMSI Security Architecture / Infrastructure + Endpoint – Configuration assistance User Education Team – update any guidance on workflow changes Security Policy and Standards Security Compliance Management – Monitor to ensure compliance
  • 9. Apply these best practices to all Windows, Linux, MacOS, Android, iOS, and other endpoints (as available):  Block known threats – with Attack surface reduction rules, tamper protection, and block at first site  Apply Security Baselines - to harden internet-facing Windows Servers, Windows Clients, and Office Applications  Maintain Software – to avoid missing/neglecting manufacturer protections  Updated - Rapidly deploy critical security updates for OS, browser, & email  Supported – Update operating systems and software to currently support versions Isolate, disable, or retire insecure systems and protocols – including unsupported operating systems and legacy protocols  Block unexpected traffic – using host-based firewall and network defenses  Audit and Monitor – to find and fix deviations from baseline and potential attacks (see Detection and Response Plan) Executive Sponsor (Maintenance) - Business Leadership accountable for business impact of both downtime and attack damage Executive Sponsor (Others) - Central IT Operations or CIO Project Leadership - Central IT Infrastructure Team IT + Security Architecture – Prioritize components +integrate into architecture Central IT Operations – Implement changes to environment Cloud Productivity / End User Team – Enable attack surface reduction Workload/App Owners – Identify maintenance windows for changes Security Policy and Standards Security Compliance Management – Monitor to ensure compliance
  • 10.  Maintain Software/Appliance – to avoid missing/neglecting manufacturer protections (security updates, supported status)  Configure Azure AD – for existing remote access, including enforcing zero trust user + device validation with Conditional Access (so that infected remote machines and compromised user accounts cannot communicate with the corporate network)  Existing 3rd party VPN – 3rd party VPNs (Cisco AnyConnect, Palo Alto Networks GlobalProtect & Captive Portal, Fortinet FortiGate SSL VPN, Citrix NetScaler, Zscaler Private Access (ZPA), and more)  Azure VPN gateway  Publish Remote Desktop with Azure Active Directory Application Proxy  Move Beyond VPN by publishing apps with Azure AD Application Proxy  Secure Access to Azure resources - using Azure Bastion  Audit and Monitor – to find and fix deviations from baseline and potential attacks (see Detection and Response Plan) Executive Sponsor – CIO or CISO Project Leadership - Central IT Infrastructure/Network Team IT + Security Architecture – Prioritize components +integrate into architectures Central IT Identity Team – Configure Azure AD and conditional access policies Central IT Operations – Implement changes to environment Workload Owners – Assist with RBAC permissions for app publishing Security Policy and Standards Security Compliance Management – Monitor to ensure compliance User Education Team – update any guidance on workflow changes
  • 11.  Enforce Strong MFA or Passwordless logon – for all users starting with administrators using one or more of: Windows Hello Authenticator App Azure Multi-Factor Authentication (MFA)  Increase password security  Azure AD Accounts – Use Azure AD Identity Protection to prevent and detect attacks and extend blocking of known weak passwords to on-premises Active Directory.  On-Premises AD - Extend Azure AD Password Protection to on-premises active directory  Audit and Monitor – to find and fix deviations from baseline and potential attacks (see Detection and Response Plan) Identity and Key Management Security Architecture • IT and Security Architects – Prioritize components integrate into architectures Identity and Key Management Central IT Operations • User Education Team – update any password guidance Security Policy and Standards • Security Compliance Management – Monitor
  • 12. Call SMS Push TOTP OATH Token Authenticator app Windows Hello FIDO2 Key Dependencies Risks Wi-fi Phone Carrier Mobile OS notifications Channel Jacking Real-time phishing Only susceptible to hardware attacks Hardware support required Worst Password- Only * * * * * * *
  • 13. https://aka.ms/SPA Azure AD Conditional Access Security Architect(s) • IT and Security Architects – Prioritize components integrate into architectures Identity and Key Management • Central IT Productivity / End User Team – Implement changes to Devices and Office 365 tenant Policy and standards team • User Education Team – update any password guidance Security Policy and Standards • Security Compliance Management – Monitor
  • 14.  Migrate to cloud - move user data to cloud solutions like OneDrive/SharePoint to take advantage of versioning and recycle bin capabilities. Educate users on how to recover their files by themselves to reduce delays and cost of recovery.  Designate Protected Folders – to make it more difficult for unauthorized applications to modify the data in these folders.  Review Permissions – to r  Discover broad write/delete permissions on fileshares, SharePoint, and other solutions Broad is defined as many users having write/delete to business-critical data  Reduce broad permissions while meeting business collaboration requirements  Audit and monitor to ensure broad permissions don’t reappear Sponsorship - Central IT Operations or CIO Project Leadership - Data Security Team Central IT Productivity / End User Team – Implement changes to Microsoft 365 tenant for OneDrive / Protected Folders Business / Application Teams - Identify business critical assets Security Policy and Standards Security Compliance Management – Monitor User Education Team – Ensure guidance for users reflects policy updates Security Architecture – Review security configuration for cloud migration
  • 15. Azure Backup Azure Blob info Sponsorship - Central IT Operations CIO Project Leadership - Central IT Infrastructure Team Business / Application Teams - Identify Business Critical Assets Central IT Infrastructure/Backup Team– Enable Infrastructure backup Central IT Productivity / End User Team – Enable OneDrive Backup Security Policy and Standards Security Compliance Management – Monitor Security Architecture – Advise on configuration and standards
  • 16.  Prioritize Common Entry Points – Ransomware (and other) operators favor Endpoint/Email/Identity + RDP  Integrated XDR - Use integrated Extended Detection and Response (XDR) tools like Microsoft 365 Defender to provide high quality alerts and minimize friction and manual steps during response  Brute Force - Monitor for brute-force attempts like password spray  Monitor for Adversary Disabling Security – as this is often part of HumOR attack chain  Event Logs Clearing – especially the Security Event log and PowerShell Operational logs  Disabling of security tools/controls (associated with some groups)  Don’t Ignore Commodity Malware - Ransomware attackers regularly purchase access to target organizations from dark markets  Integrate outside experts – into processes to supplement expertise, such as Microsoft Detection and Response Team (DART)  Rapidly isolate compromised computers using Defender for Endpoint Sponsorship – CISO Project Leadership - Security Operations Central IT Infrastructure Team – Implement client and server agents/features Security Operations – integrate any new tools into security operations processes Central IT Productivity / End User Team – Enable features for Defender for Endpoints, Defender for O365, Defender for Identity, and Cloud App Security Central IT Identity Team – Implement Azure AD security + Defender for Identity Security Policy and Standards Security Compliance Management – Monitor Security Architecture – Advise on configuration, standards, and tooling
  • 17. Sustaining and improving your security requires you to  Assign Responsibilities – to ensure clear accountability for monitoring risk and remediating it by asset owners (see Microsoft recommendations on accountabilities)  Assess and Measure security posture using Microsoft Secure Score  Apply recommended improvement actions, guidance, and control  Audit and Monitor resources for compliance using  Azure Security Center (ASC) Secure score and regulatory compliance dashboard  Microsoft Secure Score  Compliance manager Sponsorship – CISO Project Leadership - Posture Management IT + Security Architects – Prioritize components + integrate into architectures IT or DevOps Resource Owners – Remediate security risks in their resources Cloud Team / Central IT Infrastructure Team – grant permissions to security team. Configure/Deploy Azure Arc for on-prem, AWS, GCP, other clouds Security Policy and Standards identify which elements to audit and enforce Security Compliance Management – Monitor
  • 18. (if applicable) – to ensure that service level agreements (SLAs) support rapid response actions for security incidents, including  Time to isolate individual workstations  Time to remediate accounts (disable accounts, reset credentials, expire authentication tokens, and related)  Time to remove malicious message from all mailboxes and block/register malicious senders  Time to fully remediate workstations (IT provided elements of removing malware and/or rebuild/reinstall)  Time to block malicious sites  Time to remove malware from cloud services, servers, fileshares, and sharepoint Sponsorship (Incident Preparation) – Business or Risk Leadership Project Leadership – CISO Legal, Security, Communications – Participate in building and validating process Security Operations and Architects- Advise on scenarios and plans Sponsorship (Outsourcing Contract) – Chief Financial Officer (CFO) Project Leadership – Procurement leads and executes on changes CISO and CIO Provide requirements, consulting, and advisory
  • 19.
  • 24. Conditional Access App Control Zero Trust User Access 8 Trillion Signals/Day https://aka.ms/MCRA
  • 25.
  • 26. Use attack surface reduction rules to prevent malware infection