Microsoft Cybersecurity Reference Architectures (MCRA)
End to End Security Architecture following Zero Trust principles
Security Adoption Framework

Top End to End Security Challenges
• Incomplete or network-centric architectures aren’t agile and can’t keep up with continuous change (security threats, technology platforms, and business requirements)
• Challenges with:
  ▪ Creating an integrated end to end architecture
  ▪ Integrating security technologies
  ▪ Planning and prioritizing security modernization initiatives

Overview of Security Adoption Framework and End to End Cybersecurity Architecture
• End to End Security: Consider the whole problem
• Ruthlessly Prioritize: Identify top gaps + quick wins
• Get started: Start somewhere and continuously improve
• Antipatterns and best practices
• Guiding Rules and Laws for security
• Diagrams and references
• Applying Zero Trust principles
MCRA is a subset of the full Security Architecture Design Session (ADS) module 1 workshop.

Whiteboard – Current Security Architecture
What types of attacks and adversaries are top of mind?

Security Adoption Framework
Align security to business scenarios using initiatives that progressively get closer to full ‘Zero Trust’.

1. Strategic Framework – End to End Strategy, Architecture, and Operating Model
   Guiding North Star: CISO Workshop – Security Program and Strategy
   Business Scenarios:
   1 - I want people to do their job securely from anywhere
   2 - I want to minimize business damage from security incidents
   3 - I want to identify and protect critical business assets
   4 - I want to proactively meet regulatory requirements
   5 - I want to have confidence in my security posture and programs
2. Strategic initiatives – Clearly defined architecture and implementation plans
   • Security Hygiene: Backup and Patching
   • End-to-end Security Program Guidance + Integration with Digital & Cloud Transformation Teams
   Security Architecture Design Session modules:
   • Module 1 – Zero Trust Architecture and Ransomware
   • Module 2 – Secure Identities and Access
   • Module 3 – Modern Security Operations (SecOps/SOC)
   • Module 4 – Infrastructure & Development Security
   • Module 5 – Data Security & Governance, Risk, Compliance (GRC)
   • Module 6 – IoT and OT Security

Security Adoption Framework – Reduce risk by rapidly modernizing security capabilities and practices
Layers of the framework (audiences from business leadership through architects and technical managers to implementation teams; CEO, CIO, CISO, technical leadership):
• Securing Digital Transformation – Business and Security Integration: Engaging Business Leaders on Security
• Security Strategy and Program – Security Strategy, Programs, and Epics
• Architecture and Policy – Zero Trust Architecture: Microsoft Cybersecurity Reference Architectures (MCRA)
• Technical Planning, Implementation and Operation (includes reference plans): Secure Identities and Access; Modern Security Operations (SecOps/SOC); Infrastructure & Development Security; Data Security & Governance; IoT and OT Security
Assess current plans, configurations, and operations for Microsoft security capabilities.

Common Security Antipatterns - Technical Architecture
Common mistakes that impede security effectiveness and increase organizational risk
• Skipping basic maintenance: Skipping backups, disaster recovery exercises, and software updates/patching on assets
• Securing cloud like on premises: Attempting to force on-prem controls and practices directly onto cloud resources
• Wasting resources on legacy: Legacy system maintenance and costs draining ability to effectively secure business assets
• Artisan Security: Focused on custom manual solutions instead of automation and off the shelf tooling
• Disconnected security approach: Independent security teams, strategies, tech, and processes for network, identity, devices, etc.
• Lack of commitment to lifecycle: Treating security controls and processes as points in time instead of an ongoing lifecycle

Best Practices
Develop and implement an end to end technical security strategy focused on durable capabilities and Zero Trust Principles. This workshop helps you define and rapidly improve on best practices across security including:
• Asset-centric security aligned to business priorities & technical estate (beyond network perimeter)
• Consistent principle-driven approach throughout security lifecycle
• Pragmatic prioritization based on attacker motivations, behavior, and return on investment
• Balance investments between innovation and rigorous application of security maintenance/hygiene
• ‘Configure before customize’ approach that embraces automation, innovation, and continuous improvement
• Security is a team sport across security, technology, and business teams

Improving Resiliency
Enable business mission while continuously increasing security assurances
• ‘Left of Bang’ – Prevent or lessen impact of attacks: IDENTIFY, GOVERN, PROTECT
• ‘Right of Bang’ – Rapidly and effectively manage attacks: DETECT, RESPOND, RECOVER
(Functions from the NIST Cybersecurity Framework v2)
The job will never be ‘done’ or ‘perfect’, but it’s important to keep doing (like cleaning a house).

End to End Security
Enable business mission and increase security assurances with an intentional approach
Disciplines: Security Strategy and Program; Zero Trust Architecture; Security Posture Management; Modern Security Operations (SecOps/SOC); Secure Identities and Access; Infrastructure & Development Security; IoT and OT Security; Data Security & Governance
• ‘Left of Bang’ – Prevent or lessen impact of attacks: IDENTIFY, GOVERN, PROTECT
• ‘Right of Bang’ – Rapidly and effectively manage attacks: DETECT, RESPOND, RECOVER
Defenders must focus on:
A. Strong security controls + effective placement
B. Rapid response to attacks
C. Continuously testing & monitoring controls

Attacker’s view of a typical environment (illustrative slide)
High: “Looks like they have NGFW, IDS/IPS, and DLP”
Low: “I bet their admins 1. Check email from admin workstations 2. Click on links for higher paying jobs”
Phishing email to admin. Found passwords.xls. “Now, let’s see if admins save service account passwords in a spreadsheet…”

Mitigations shown on the slide:
Sensitive Data Protection & Monitoring
• Discover business critical assets with business, technology, and security teams
• Increase security protections and monitoring processes
• Encrypt data with Azure Information Protection
Replace the password.xls ‘process’ with
• PIM/PAM
• Workload identities
Modernize Security Operations
• Add XDR for identity, endpoint (EDR), cloud apps, and other paths
• Train SecOps analysts on endpoints and identity authentication flows
Rigorous Security Hygiene
• Rapid Patching
• Secure Configuration
• Secure Operational Practices
Protect Privileged Accounts
• Require separate accounts for Admins and enforce MFA/passwordless
• Privileged Access Workstations (PAWs) + enforce with Conditional Access

Security is complex and challenging
Hybrid of Everything, Everywhere, All at Once – must secure across everything:
• Brand New - IoT, DevOps, and Cloud services, devices and products
• Current/Aging - 5-25 year old enterprise IT servers, products, etc.
• Legacy/Ancient - 30+ year old Operational Technology (OT) systems
Nothing gets retired!
• ‘Data swamp’ accumulates managed data + unmanaged ‘dark’ data
• Usually for fear of breaking something (& getting blamed)
Attackers have a lot of options across Data, People, Application, and Infrastructure, forcing security into a holistic, complex approach:
• Regulatory Sprawl - 200+ daily updates from 750 regulatory bodies
• Threats – Continuously changing threat landscape
• Security Tools – dozens or hundreds of tools at customers

Goal: Zero Assumed Trust
With 30+ years of backlog at most organizations, it will take a while to burn down the backlog of assumed trust. Reduce risk by finding and removing implicit assumptions of trust.
False Assumptions, the Zero Trust mitigation of that implicit or explicit trust, and how trust is then systematically built and measured:
• Security is the opposite of productivity. Mitigation – Business Enablement: Align security to the organization’s mission, priorities, risks, and processes
• All attacks can be prevented. Mitigation – Assume Compromise: Continuously reduce blast radius and attack surface through prevention and detection/response/recovery
• Network security perimeter will keep attackers out. Mitigation – Shift to Asset-Centric Security Strategy: Revisit how to do access control, security operations, infrastructure and development security, and more
• Passwords are strong enough. Mitigation – Explicitly Validate Account Security: Require MFA and analyze all user sessions with behavior analytics, threat intelligence, and more
• IT Admins are safe. Mitigation – Plan and Execute Privileged Access Strategy: Establish security of accounts, workstations, and other privileged entities (aka.ms/spa)
• IT Infrastructure is safe. Mitigation – Validate Infrastructure Integrity: Explicitly validate trust of operating systems, applications, service accounts, and more
• Developers always write secure code. Mitigation – Integrate security into development process: Security education, issue detection and mitigation, response, and more
• The software and components we use are secure. Mitigation – Supply chain security: Validate the integrity of software and hardware components from open source, vendors, and others

Zero Trust Security Architecture – End to End Prioritized Execution + Continuous Improvement
• OBSERVE, ORIENT: Security is complex and challenging; resilience is required across the lifecycle
• DECIDE: Prioritize the backlog of trust assumptions; disrupt attacker return on investment (ROI)
• ACT: Microsoft Security Adoption Framework – leverage reference plans and architectures

Guiding Rules and Laws
• Zero Trust Commandments – Requirements that represent best practices for a Zero Trust Architecture (ZTA) and transformation (The Open Group Standard). Usage: General planning + testing whether something is ‘Zero Trust’ or not
• 10 Laws of Cybersecurity Risk – Key truths about managing security risk that bust common myths. Usage: Ensuring security strategy, controls, and risk are managed with a realistic understanding of how attacks, humans, and technology work
• Immutable Laws of Security – Key truths about security claims and controls that bust common myths. Usage: Validating design of security controls, systems, and processes to ensure they are technically sound

End to End Security Architecture Diagrams & References
aka.ms/MCRA | aka.ms/MCRA-videos | December 2023
• People
• Cybersecurity Reference Architectures
• Zero Trust Adaptive Access
• Threat Environment
• Artificial Intelligence (AI) and Security Journey
• Zero Trust Attack Chain Coverage
• Privileged Access
• Security Operations
• Development / DevSecOps
• Microsoft Security Capabilities
• Operational Technology (OT)
• Infrastructure
• Patch Modernization
• Multi-Cloud & Cross-Platform
• Build Slide
• Microsoft 365 E5 Role Mapping
• Device Types

Security Adoption Framework – Reduce risk by rapidly modernizing security capabilities and practices
(Framework diagram repeated: Securing Digital Transformation / Engaging Business Leaders on Security; Security Strategy and Program / Security Strategy, Programs, and Epics; Architecture and Policy / Zero Trust Architecture (MCRA); Technical Planning, Implementation and Operation with reference plans for Secure Identities and Access, Modern Security Operations (SecOps/SOC), and Infrastructure & Development Security)

Where do you want to Start? There’s no wrong place to start.
Topic | Summary | Full workshop
End to End Strategy and Planning – Zero Trust Architecture (MCRA) | 4 hours | 2-3 days
End to End Strategy and Planning – Security Strategy and Program (CISO Workshop) | 4 hours | 2-3 days
Plan and Execute Initiatives (Product Adoption) – Secure Identities and Access | 4 hours | 2-3 days
Plan and Execute Initiatives (Product Adoption) – Modern Security Operations (SecOps/SOC) | 4 hours | 2-3 days
Plan and Execute Initiatives (Product Adoption) – Infrastructure & Development Security | 4 hours | 2-3 days

Let’s get next steps locked in – Capture actions and who follows up on them
# | Next Step | Point of Contact
1 | |
2 | |
3 | |
4 | |
5 | |

Security Resources
Security Adoption Framework – aka.ms/saf | Security Documentation – aka.ms/SecurityDocs
Security Strategy and Program / Zero Trust Architecture:
• CISO Workshop – aka.ms/CISOworkshop | -videos
• Cloud Adoption Framework (CAF) – aka.ms/cafsecure
• Microsoft Cybersecurity Reference Architectures (MCRA) - aka.ms/MCRA | -videos
• Ransomware and Extortion Mitigation - aka.ms/humanoperated
• Backup and restore plan to protect against ransomware - aka.ms/backup
• Driving Business Outcomes Using Zero Trust
  ▪ Rapidly modernize your security posture for Zero Trust
  ▪ Secure remote and hybrid work with Zero Trust
  ▪ Identify and protect sensitive business data with Zero Trust
  ▪ Meet regulatory and compliance requirements with Zero Trust
• Zero Trust Deployment Guidance - aka.ms/ztguide | aka.ms/ztramp
Secure Identities and Access:
• Securing Privileged Access (SPA) Guidance aka.ms/SPA
• Access Control Discipline
• Ninja Training
• MCRA Video – Zero Trust User Access
• Microsoft Entra Documentation aka.ms/entradocs
Modern Security Operations (SecOps/SOC):
• Incident Response - aka.ms/IR
• CDOC Case Study - aka.ms/ITSOC
• Ninja Training: Microsoft 365 Defender aka.ms/m365dninja; Microsoft Defender for Office 365 aka.ms/mdoninja; Microsoft Defender for Endpoint aka.ms/mdeninja; Microsoft Cloud App Security aka.ms/mcasninja; Microsoft Sentinel; Microsoft Defender for Identity aka.ms/mdininja
• MCRA Videos – Security Operations; SecOps Integration
Infrastructure & Development Security:
• Microsoft Cloud Security Benchmark (MCSB) aka.ms/benchmarkdocs
• Well Architected Framework (WAF) aka.ms/wafsecure
• Azure Security Top 10 aka.ms/azuresecuritytop10
• Ninja Training: Defender for Cloud
• MCRA Video – Infrastructure Security
• Defender for Cloud Documentation
Data Security & Governance:
• Secure data with Zero Trust
• Ninja Training: Microsoft Purview Information Protection aka.ms/MIPNinja; Microsoft Purview Data Loss Prevention aka.ms/DLPNinja; Insider Risk Management
• MCRA Videos
• Microsoft Purview Documentation aka.ms/purviewdocs
IoT and OT Security:
• Defender for IoT Training
• MCRA Video – OT & IIoT Security
• Defender for IoT Documentation aka.ms/D4IoTDocs
Product Capabilities www.microsoft.com/security/business | Security Product Documentation Azure | Microsoft 365 | Microsoft Security Response Center (MSRC) www.microsoft.com/en-us/msrc

Key Industry References and Resources
• Zero Trust Commandments - https://pubs.opengroup.org/security/zero-trust-commandments/
• Zero Trust Reference Model - https://publications.opengroup.org/security-library
• Security Principles for Architecture - https://publications.opengroup.org/security-library
• Cybersecurity Framework - https://www.nist.gov/cyberframework
• Zero Trust Architecture - https://www.nist.gov/publications/zero-trust-architecture
• NCCoE Zero Trust Project - https://www.nccoe.nist.gov/projects/implementing-zero-trust-architecture
• Secure Software Development Framework (SSDF) - https://csrc.nist.gov/pubs/sp/800/218/final
• Zero Trust Maturity Model - https://www.cisa.gov/zero-trust-maturity-model
• CIS Benchmarks – https://www.cisecurity.org/cis-benchmarks/

Security Modernization with Zero Trust Principles
• Business Enablement (Security Strategy and Program): Align security to the organization’s mission, priorities, risks, and processes
• Assume Breach (Assume Compromise)
Assume attackers can and will successfully attack anything (identity, network, device, app, infrastructure, etc.) and plan accordingly. This transforms security from “defend the network” to “enable secure productivity on any network”. Asset/Node = account, app, device, VM, container, data, API, etc.
• Verify Explicitly: Protect assets against attacker control by explicitly validating that all trust and security decisions use all relevant available information and telemetry. Reduces the “attack surface” of each asset.
• Use least-privilege access: Limit access of a potentially compromised asset, typically with just-in-time and just-enough-access (JIT/JEA) and risk-based policies like adaptive access control. Reduces the “blast radius” of compromises.
These principles apply across every discipline: Zero Trust Architecture; Secure Identities and Access; Infrastructure & Development Security; IoT and OT Security; Modern Security Operations (SecOps/SOC); Data Security & Governance.

Apply Zero Trust principles – Key changes across security disciplines
All elements are informed by threat and business intelligence, assisted by security engineering/automation. The general strategy shifts away from ‘assume safe network’:
• Assume Compromise – reduce exposure to risk, both proactively and reactively
• Verify Explicitly – reduce attack surface
• Least Privilege – reduce blast radius
Security Disciplines and the corresponding changes:
• Access Control: Just-in-time & Just-enough-access (JIT/JEA); Adaptive Access with risk-based policies – always make security decisions using all available data points, including identity, location, device health, resource, data classification, and anomalies; Secure Access Service Edge (SASE); Cloud Infrastructure Entitlement Management (CIEM); Micro-segmentation
• Security Operations: Automated threat response; End to end visibility (SIEM); Asset-centric detection and response (XDR)
• Asset Protection: Asset-centric protections – classify assets and apply controls per asset type and classification (CA policies, encryption, monitoring, detection, response etc.); Privileged Access Workstations (PAWs) for SOC Analysts, IT Admins, and business critical assets; Dependency/impact analysis – backups, service accounts and privileges that control other systems/services, etc.
• Innovation Security: Threat modelling; DevSecOps and CI/CD process integration of best practices (static and dynamic analysis, etc.)
• Security Governance: Posture Management – continuous improvement of security posture and standards/policies; continuous monitoring of security posture; Enablement; Hygiene remediation – patching, configuration, process updates, etc.
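The adaptive access decision the three principles describe, as an added example that is not part of the MCRA deck or of any Microsoft product: a small Python policy engine that verifies explicitly (every decision folds in identity, location, device health, resource classification and anomaly signals), assumes breach (a missing or stale device signal counts as risk rather than being ignored), and applies least privilege (a resource- and role-scoped, time-boxed grant whose window shrinks as risk rises, and privileged scopes that require a compliant device, echoing the PAW guidance). The signal names, weights, thresholds and sample requests are constructed assumptions for illustration, not Conditional Access semantics.

```python
"""Adaptive access decision engine (constructed example, not MCRA or product code)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple


@dataclass
class AccessRequest:
    """Signals a policy engine sees for one request. Field names are assumptions."""
    user: str
    resource: str
    classification: str                     # "public" | "internal" | "confidential"
    mfa_satisfied: bool
    device_compliant: Optional[bool]        # None = no device health signal at all
    device_signal_age: Optional[timedelta]  # age of the last compliance report
    location_known: bool                    # named / corporate location
    impossible_travel: bool                 # anomaly from behavior analytics
    privileged_role: bool                   # admin or privileged scope requested


@dataclass
class Decision:
    effect: str                             # "grant" | "step_up_mfa" | "deny"
    risk_score: int
    reasons: List[str] = field(default_factory=list)
    scope: Optional[str] = None             # what the grant is good for (least privilege)
    expires_at: Optional[datetime] = None   # JIT: every grant expires


# Constructed weights and thresholds; a real deployment tunes these to its risk appetite.
CLASSIFICATION_RISK = {"public": 0, "internal": 10, "confidential": 30}
MAX_SIGNAL_AGE = timedelta(hours=24)
DENY_THRESHOLD = 80
ELEVATED_THRESHOLD = 40


def score_request(req: AccessRequest) -> Tuple[int, List[str]]:
    """Verify explicitly: fold every available signal into one score.
    Assume breach: a missing or stale signal adds risk instead of being ignored."""
    reasons: List[str] = []
    # An unknown classification is treated as the most sensitive class, not the least.
    score = CLASSIFICATION_RISK.get(req.classification, CLASSIFICATION_RISK["confidential"])
    if req.device_compliant is None:
        score += 40
        reasons.append("no device health signal")
    elif not req.device_compliant:
        score += 50
        reasons.append("device reported non-compliant")
    elif req.device_signal_age is None or req.device_signal_age > MAX_SIGNAL_AGE:
        score += 25
        reasons.append("device health signal is stale")
    if not req.location_known:
        score += 15
        reasons.append("sign-in from an unfamiliar location")
    if req.impossible_travel:
        score += 60
        reasons.append("impossible-travel anomaly")
    if req.privileged_role:
        score += 20
        reasons.append("privileged scope requested")
    return score, reasons


def evaluate(req: AccessRequest, now: Optional[datetime] = None) -> Decision:
    """Turn the score into grant / step-up / deny with a scoped, time-boxed grant."""
    now = now or datetime.now(timezone.utc)
    score, reasons = score_request(req)
    # Hard stops: a clear anomaly or an over-threshold score, and privileged access
    # from anything that is not a verified-compliant device (the PAW rule).
    if req.impossible_travel or score >= DENY_THRESHOLD:
        return Decision("deny", score, reasons)
    if req.privileged_role and req.device_compliant is not True:
        return Decision("deny", score, reasons + ["privileged access requires a compliant device"])
    # MFA is always required; an unsatisfied MFA claim means step up, never a silent grant.
    if not req.mfa_satisfied:
        return Decision("step_up_mfa", score, reasons + ["MFA not yet satisfied"])
    # Least privilege: scope the grant to this resource and role, and make it expire.
    # Higher residual risk shortens the window rather than widening access.
    ttl = timedelta(hours=1) if req.privileged_role else timedelta(hours=8)
    if score >= ELEVATED_THRESHOLD:
        ttl = timedelta(minutes=15)
        reasons.append("elevated risk: short-lived grant")
    scope = f"{req.resource}:{'admin' if req.privileged_role else 'user'}"
    return Decision("grant", score, reasons, scope=scope, expires_at=now + ttl)


# Constructed sample requests that exercise each branch of the policy.
NOW = datetime(2023, 12, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE_REQUESTS = [
    AccessRequest("alice", "hr-portal", "internal", True, True, timedelta(hours=1), True, False, False),
    AccessRequest("bob", "hr-portal", "internal", False, True, timedelta(hours=1), True, False, False),
    AccessRequest("carol", "finance-db", "confidential", True, None, None, False, False, False),
    AccessRequest("dave", "tenant-admin", "confidential", True, True, timedelta(hours=1), True, False, True),
    AccessRequest("erin", "tenant-admin", "internal", True, None, None, True, False, True),
]


def run_samples(now: datetime = NOW) -> dict:
    """Evaluate every sample request; returns {user: effect}."""
    results = {}
    for req in SAMPLE_REQUESTS:
        d = evaluate(req, now)
        results[req.user] = d.effect
        print(f"{req.user:6} -> {d.effect:12} risk={d.risk_score:3} scope={d.scope} "
              f"expires={d.expires_at} reasons={d.reasons}")
    return results


if __name__ == "__main__":
    run_samples()
```

The design choice worth noting is that every "don't know" branch (no device signal, stale signal, unknown classification) moves the score toward deny; the policy never defaults to trust because a signal is absent, which is what separates assume-breach from a perimeter model that treats the inside as safe.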
Key Industry Collaborations
• The Open Group – Focused on integration with business and IT/Enterprise/Security architecture
• US National Institute of Standards and Technology (NIST) – Focused on architecture and implementation with available technology
• Many organizations are contributing valuable perspectives and guidance, like the Cybersecurity and Infrastructure Security Agency (CISA), Cloud Security Alliance (CSA), and some technology vendors

Key Zero Trust Models and Architectures
• The Open Group model – Focused on integration with business and IT/Enterprise/Security architecture
• NIST Zero Trust Architecture – Focused on architecture and implementation with available technology

Key Zero Trust Capabilities (The Open Group)
Increase security and flexibility for continuously changing business, technology, threats, and regulations
• Risk Controls - establish overall security framework based on organizational risk
• Asset Centricity - foundational capability to identify, classify, and maintain the asset
• Asset-Centric Protection (Data-Centric & System-Centric) across Digital Ecosystems, Data/Information, Apps & Systems, and Security Zones
• Adaptive Access Control - centralized policy control, distributed enforcement
• Digital Identity - decentralized portable identities
• Asset-Centric Security Operations – rapid and complete detection, response, and recovery from attacks
• Posture Management – continuous improvement of attack prevention measures
• Zero Trust Governance – continuous monitoring and audit on demand to meet risk and compliance
Zero Trust Components: Digital Ecosystems; Data/Information; Distributed Policy Enforcement Points (PEPs); Apps & Systems; Security Zones

Microsoft Security Capability Mapping to The Open Group Zero Trust Components (diagram; capabilities as labelled)
• Digital Identity / Access Control: Microsoft Entra ID (ID Protection, Workload ID, Governance); Entra ID Governance; Defender for Identity; Identity and Network - Multi-factor Authentication
• Visibility and Policy: Microsoft Entra Conditional Access; Entra Internet Access; Entra Private Access
• Asset Protection (Data/Information): Microsoft Purview – Classification, Protection, Tokenization; Microsoft Priva
• Distributed Policy Enforcement Points (PEPs) / Apps & Systems: Defender for Cloud; Defender for APIs (preview); Intune Device Management; Endpoint Detection and Response (EDR) – Defender for Endpoint; Azure Arc
• Innovation Security: GitHub Advanced Security & Azure DevOps Security – secure development and software supply chain
• Security Zones: Azure Firewall (Illumio partnership); Conditional Access
• Asset-Centric Security Operations – Rapid Threat Detection, Response, and Recovery: Microsoft Sentinel (Security Information and Event Management (SIEM); Security Orchestration, Automation, and Response (SOAR)); Microsoft Defender (Defender for Endpoint, Defender for Identity, Defender for Cloud Apps, Defender for Cloud, Defender for Office 365); security telemetry from across the environment; 65+ trillion signals per day of security context

NIST Zero Trust Architecture (ZTA) diagram (implemented in the NCCoE lab, Summer 2023; labels as extracted)
Classified as Microsoft Confidential
• Identity, Credentials, and Access Management (ICAM): Identity (User, Device); Access & Credentials (Management, Authentication (SSO/MFA), Authorization); Federation; Governance
• Policy Enforcement / Policy Administration (PE/PA): Policy – Evaluate Access
• Policy Enforcement Point (PEP): Grant Access (Microsegmentation) to cloud apps & workloads; Grant Access (SDP) to on-prem apps & workloads; Device (with SDP Client); SDP (example: TLS Tunnel)
• Endpoint Security: User, Device, Mobile Device
• Protected Resources: Cloud apps & workloads; On-prem apps & workloads; Data Security (File Share, Database, Storage, Apps)
• Security Analytics

Microsoft Zero Trust Capability Mapping to NIST (Key: NIST Area / NIST Sub-Area / Microsoft Service; labels as extracted, grouped by NIST area)
• Security Analytics: Microsoft Sentinel (SIEM, SOAR); Microsoft Defender XDR (Defender for Endpoint, Defender for Office 365, Defender for Identity, Defender for Cloud Apps, Defender for Cloud); security telemetry from across the environment
• Identity, Credentials, and Access Management (ICAM): Microsoft Entra (Entra ID, Conditional Access, Entra ID Governance, Entra Permissions Management); Identity – User, Device; User Access & Credential Mgmt.; Federation; Governance
• Endpoint Security: Devices – Intune (Device Management, Mobile App Mgmt), Defender for Endpoint (Endpoint Detection and Response (EDR)), Defender Application Guard, Secure Admin Workstations, Global Secure Access client, Devices w/ SDP, Mobile Device; Virtual Desktops – Azure Virtual Desktop, Windows 365; Microsoft Cloud Security Benchmark
• Policy Enforcement Point (PEP): Conditional Access – Grant Access; Entra Private Access Connector; Entra Internet Access; Defender for Cloud Apps; VPN / Backend Connector; Software Defined Perimeter (SDP)
• Policy Enforcement / Admin (PE/PA): Entra ID – Policy, Determine Access, Authentication, Authorization
• Protected Resources: Cloud apps & workloads – Microsoft 365, Office 365 apps, 3P SaaS workloads, Azure IaaS; On-prem apps & workloads – Database, File share, Storage, Apps; Infrastructure & Access – Azure Arc, Azure Automanage, Defender for Cloud (Cloud Infra, SQL DB/Files); Data – Purview Information Protection, Purview DLP, Information Protection Scanner, Document Protection; Defender for Identity
• Feedback mechanisms enable continuous improvement

Zero Trust architecture (Microsoft model; diagram labels)
• Policy Optimization: Governance – Security Posture Assessment; Compliance; Productivity Optimization
• Identities: Human, Non-human – Strong authentication; Request enhancement; Risk assessment
• Endpoints: Corporate, Personal – Device compliance; Telemetry/analytics/assessment
• Zero Trust Policies: Evaluation; Enforcement; Adaptive Access
• Network: Public, Private, Internal Sites – Traffic filtering & segmentation (as available)
• Apps: SaaS, On-premises – Continuous Assessment
• Infrastructure: Serverless, Containers, IaaS, PaaS – Runtime control; JIT & Version Control
• Data: Emails & documents, Structured data – Classify, label, encrypt
• Threat Protection: Threat Intelligence; Forensics; Response Automation
Product mapping onto the same diagram:
• Policy Optimization: Microsoft Defender for Cloud; Defender for Office 365; Secure Score; Microsoft Purview Compliance Manager; Microsoft Priva
• Identities: Microsoft Entra ID (ID Protection, Workload ID); Entra ID Governance; Defender for Identity
• Zero Trust Policies (Evaluation / Enforcement): Microsoft Entra Conditional Access
• Endpoints: Intune Device Management; Endpoint Detection and Response (EDR) – Defender for Endpoint
• Network: Azure Networking; Entra Internet Access; Entra Private Access
• Apps: GitHub Advanced Security; Defender for Cloud Apps; Defender for APIs (preview)
• Infrastructure: Defender for Cloud; Permissions Management; Azure Arc; Microsoft Entra
• Threat Protection: Microsoft Sentinel; Microsoft Defender (Defender for Endpoint, Defender for Office 365, Defender for Identity, Defender for Cloud Apps, Defender for Cloud; Security Information and Event Management (SIEM); Security Orchestration, Automation, and Response (SOAR))

Managing Information/Cyber Risk – February 2023 – https://aka.ms/SecurityRoles
Security responsibilities or “jobs to be done”: Information Risk Management; Program Management Office (PMO); Supply Chain Risk (People, Process, Technology); Posture Management; Incident Preparation; Incident Response; Incident Management; Threat Hunting

Microsoft security capability mapping – which roles typically use which capabilities
• Access Control (Identity Admin, Identity Architect, Identity Security – Microsoft Entra): Establish a Zero Trust access model to modern and legacy assets using identity & network controls. Entra ID (formerly Azure AD): Multifactor Authentication, Conditional Access, Application Proxy, External Identities / B2B & B2C, Security Service Edge (SSE) and more; Entra Permission Management; Windows Hello for Business; Microsoft 365 Defender; Microsoft Defender for Identity; Microsoft Defender for Cloud Apps; Microsoft 365 Lighthouse [multi-tenant]; Azure Lighthouse; Azure Bastion; Azure Administrative Model (Portal, Management Groups, Subscriptions; Azure RBAC & ABAC)
• Network Security: Azure Firewall; Azure Firewall Manager; Azure DDoS; Azure Web Application Firewall; Azure Networking Design (Virtual Network, NSG, ASG, VPN, etc.); PrivateLink / Private EndPoint
• Endpoint / Device Admin: Microsoft Intune; Configuration Management; Microsoft Defender for Endpoint
• Security architecture / Incident preparation: Microsoft Cybersecurity Reference Architecture https://aka.ms/MCRA
• Security Operations (Security Operations Analyst – Microsoft Defender): Detect, respond, and recover from attacks; hunt for hidden threats; share threat intelligence broadly. Microsoft Defender XDR (Microsoft Defender for Endpoint; Microsoft Defender for Office 365; Microsoft Defender for Identity; Microsoft Defender for Cloud Apps; Microsoft Entra Identity Protection; Microsoft Defender for Cloud); Microsoft Security Copilot (preview); Microsoft Sentinel; Microsoft Security Experts; Microsoft Incident Response Detection and Response Team (DART). Threat intelligence Analyst: Microsoft Defender Threat Intelligence (Defender TI); Microsoft Sentinel
• Security Governance (Posture management, Policy and standards, Compliance management – Microsoft Purview): Continuously identify, measure, and manage security posture to reduce risk & maintain compliance. Secure Score; Compliance Dashboard; Azure Security Benchmark; Microsoft Defender for Cloud; Azure Blueprints; Azure Policy; Microsoft Defender External Attack Surface Management (MD-EASM); Azure Administrative Model (Portal, Management Groups, Subscriptions; Azure RBAC & ABAC); Microsoft Purview; Compliance manager
• Asset Protection: Protect sensitive data and systems; continuously discover, classify & secure assets.
  ▪ Infrastructure and endpoint security, IT Ops, DevOps: Microsoft Defender for Cloud (including Azure Arc) – Microsoft Defender for DevOps, Servers, Storage, SQL, Containers, App Service, APIs (preview), Key Vault, DNS, open-source relational databases, Azure Cosmos DB; Entra Permission Management; Azure Blueprints; Azure Policy; Azure Firewall; Azure Monitor; Azure Web Application Firewall; Azure DDoS; Azure Backup and Site Recovery; Azure Networking Design (Virtual Network, NSG, ASG, VPN, etc.); PrivateLink / Private EndPoint; Azure Resource Locks
  ▪ OT and IoT Security: Microsoft Defender for IoT (& OT); Azure Sphere
  ▪ Data security (Microsoft Purview): Information Protection; Data Loss Prevention; Microsoft 365 Defender; Microsoft Defender for Cloud Apps
  ▪ People security: Attack Simulator; Insider Risk Management
  ▪ Privacy Manager: Microsoft Priva
• Innovation Security: Integrate security into DevSecOps processes. Align security, development, and operations practices.
  ▪ Application security and DevSecOps (same as Infrastructure roles): GitHub Advanced Security; Azure DevOps Security; Microsoft Security Experts

Microsoft Security Capabilities (aka.ms/MCRA)
• Microsoft Defender XDR – Unified Threat Detection and Response across IT, OT, and IoT Assets
• Microsoft Sentinel – Cloud Native SIEM, SOAR, and UEBA: Incident Response | Automation | Threat Hunting | Threat Intelligence
• Microsoft Security Copilot (Preview)
• Microsoft Entra Internet Access
• Coverage: Cloud (Azure, AWS, GCP, On Prem & more); Endpoint (Workstations, Server/VM, Containers, etc.); Office 365 (Email, Teams, and more); Identity (Cloud & On-Premises); SaaS (Cloud Apps); Data (SQL, DLP, & more); OT/IoT (Other devices); Tools, Logs, & Data
• Security Adoption Framework | Security Documentation | Benchmarks
• Microsoft Entra; Microsoft Entra Private Access & App Proxy – Beyond User VPN
• Defender for Cloud – Cross-Platform Cloud Security Posture Management (CSPM): Discover, Monitor, Classify, Protect
• Azure Key Vault; Azure Backup; S3; Security & Other Services
• Privileged access – aka.ms/SPA
• Secure Score; Compliance Score
• CSPM: Defender for Cloud; Microsoft Defender External Attack Surface Management (EASM); Vulnerability Management
• GitHub Advanced Security & Azure DevOps Security – Secure development and software supply chain
https://aka.ms/MCRA

Key cross-platform and multi-cloud guidance (On-Premises, IaaS, PaaS; S3)
• Microsoft Defender for Cloud multicloud solution
• Microsoft Defender for Endpoint – Linux Support
• Azure security solutions for AWS
• Entra ID identity and access management for AWS
• Multi-cloud & hybrid protection in Microsoft Defender for Cloud
• Azure Arc

Access Management Capabilities – Can be implemented today using Microsoft and partner capabilities
Users and workloads: Employee; Partner; Customer; Workload (Direct Application Access)
• Core adaptive access policy – Security Policy Engine: Microsoft Entra ID (formerly Azure AD); Microsoft Entra Conditional Access; informed by Microsoft Threat Intelligence (65+ trillion signals per day of security context & human expertise)
• Security Service Edge (SSE) – Additional policy control & monitoring with Zero Trust Network Access (ZTNA), secure web gateway (SWG), Cloud Access Security Broker (CASB), and Firewall-as-a-Service (FWaaS): Entra Internet Access (preview), Entra Private Access (preview), and Partners
• Virtual Private Network (VPN) – Legacy technology being retired
• Macro- and Micro-segmentation – Workload isolation using identity, network, app, and other controls: Illumio partnership
• Other labelled capabilities: LAPS; Microsoft Defender + Intune; Entra ID Self Service Password Reset (SSPR)
https://aka.ms/MCRA

Privileged Access (https://aka.ms/MCRA)
Diagram: Business Critical Assets reached through Intermediaries, which are reached through Accounts, Interfaces, and Devices/Workstations; each of these is Potential Attack Surface. Asset Protection is also required: security updates, DevSecOps, data at rest / in transit, etc.

Security Operations (https://aka.ms/MCRA)
Align to Mission + Continuously Improve: Measure and reduce attacker dwell time (attacker access to business assets) via Mean Time to Remediate (MTTR)
• Analysts and Hunters
• Case Management
• Security Information and Event Management (SIEM)
• Extended Detection and Response (XDR)
• Threat Intelligence (TI)
• Automation (SOAR)
• Managed Detection and Response; Incident Response/Recovery Assistance
• Generative AI – Simplifies tasks and performs advanced tasks through a chat interface; Microsoft Security Copilot (Preview) – Simplifies the experience for complex tasks/skills
• Enterprise Assets – Multiple generations of technology spanning clouds, Devices, Operating Systems, Applications, Data Formats, and more; provide actionable security detections, raw logs, or both

Operational Technology (OT) Security Reference Architecture (https://aka.ms/MCRA)
Apply zero
trust principles to securing OT and industrial IoT environments Business Analytics Blended cybersecurity attacks are driving convergence of IT, OT, and IoT security architectures and capabilities Azure Analytics 3rd party Analytics IIoT / OT Digital Transformation drivers • Business Efficiency - Data to enable business agility • Governance & Regulatory Compliance with safety and other standards • Emerging Security Standards like CMMC Purdue Model Level 3 – Site Operations Control & monitoring for physical site with multiple functions (e.g. plant) Level 2 – Supervisory Control IoT Hub, PowerBI, Azure Edge, Digital Twins, and more Safety/Integrity/Availability Confidentiality/Integrity/Availability • • • • • • • • Hardware Age: 50-100 years (mechanical + electronic overlay) Warranty length: up to 30-50 years Protocols: Industry Specific (often bridged to IP networks) Security Hygiene: Isolation, threat monitoring, managing vendor access risk, (patching rarely) Hardware Age: 5-10 years Warranty length 3-5 years Protocols: Native IP, HTTP(S), Others Security Hygiene: Multi-factor authentication (MFA), patching, threat monitoring, antimalware Business Analytics NETWORK TAP/SPAN Sensor(s) + Analytics Plant security console Electronics controlling or monitoring physical systems ©Microsoft Corporation Azure TLS with mutual authentication Business Analytic Sensor(s) Level 1 – Basic Control S A F E T Y Microsoft Sentinel • Native plug-in for Microsoft Defender for IoT • Native OT investigation & remediation playbooks • Correlation with other data sources and Strategic Threat intelligence (attack groups & context) Information Technology (IT) Environments (optional) Physical machinery 3rd party Analytics Operational Technology (OT) Environments Monitoring & Control for discrete business functions (e.g. 
production line) Level 0 – Process Security Analytics Cloud Environments Isolation and Segmentation Internal segmentation As business processes allow Hard Boundary Soft(ware) Boundary Physically disconnect from IT network(s) People, Process, and Tech (network + identity access control, boundary patching and security hygiene) Cloud Connection (OPTIONAL) Microsoft Defender for IoT (and OT) Manager Security Console Transform with Zero Trust Principles 3rd party SIEM Purdue model assumed static site/enterprise model • Datacenter Segments – Align network/identity/other controls to business workloads and business risk • End user access - Dynamically grant access based on explicit validation of current user and device risk level S Y S T E M S Zero Trust Principles - Assume breach, verify explicitly, Use least privilege access (identity and network) https://aka.ms/MCRA https://aka.ms/CAF • • • Automated User Provisioning Entitlement Management Access Reviews • • Privileged Identity Management (PIM) Terms of Use On-Premises & Other Cloud Resources/Data Azure Resources/Data Microsoft Defender XDR Unified Threat Detection and Response across IT, OT, and IoT Assets Incident Response | Automation | Threat Hunting | Threat Intelligence Microsoft Security Copilot (Preview) Microsoft Defender for Endpoint Entra ID Protection Microsoft Defender for Identity Microsoft Sentinel Cloud Native SIEM, SOAR, and UEBA Microsoft Defender for Cloud - Detections across assets and tenants Idea Incubation First Production Release Production DevSecOps Architecture & Governance Security, Compliance, Identity, & Other Standards Continuous Improvement of DevSecOps Lifecycle 1. MVP definitions – Update minimum requirements for Dev, Sec, and Ops (agility, stability, security, identity standards, and more) 2. Continuously improve process, program, education, tooling, etc. to improve developer productivity, efficiency, security, identity, and more) It’s bad out there! 
Attacker techniques, business models, and skills/technology, are continuously evolving For sale in “bad neighborhoods” on the internet Attacker for hire (per job) Other Services $250 per job (and up) Continuous attack supply chain innovation Ransomware Kits $66 upfront (or 30% of the profit / affiliate model) Compromised PCs / Devices PC: $0.13 to $0.89 Mobile: $0.82 to $2.78 Spearphishing for hire $100 to $1,000 (per successful account takeover) Attackers Stolen Passwords $0.97 per 1,000 (average) (Bulk: $150 for 400M) Denial of Service $766.67 per month Many attack tools and tutorials/videos available for free on internet https://aka.ms/humanoperated Attack Chain Models Describe stages of an attack Simple model for business leaders and other non-technical stakeholders MITRE ATT&CK Framework Lockheed Martin Kill Chain Reconnaissance Weaponization Delivery Detailed model for technical detection coverage assessments and planning Legacy Reference Model (missing lateral traversal) Exploitation Reconnaissance Resource Development Installation Persistence Initial Access Actions on the Objective Command and Control Command and Control Defense Evasion Privilege Escalation Discovery Credential Access Lateral Movement Exfiltration Impact aka.ms/HumanOperated What’s in Microsoft 365 E5 Product Licensing Details https://aka.ms/MCRA Product Name Product Category(ies) Security Modernization Initiative(s) Microsoft Defender for Endpoint (MDE) Extended Detection and Response (XDR) Endpoint Detection and Response (EDR) Threat and Vulnerability Management (TVM) Endpoint Protection Platforms (EPP) • Modern Security Operations • Infrastructure and Development • Security Hygiene: Backup and Patching Previous Product Names Formerly Microsoft Defender ATP, Windows Defender ATP, Windows Defender Antivirus Microsoft Defender for Identity (MDI) Extended Detection and Response (XDR) Formerly Azure ATP Microsoft Defender for Office (MDO) Formerly Office 365 ATP Microsoft Defender for Cloud 
Apps (MDCA) Formerly Microsoft Cloud App Security • Modern Security Operations Extended Detection and Response (XDR) • Modern Security Operations Cloud App Security Broker (CASB) Extended Detection and Response (XDR) • Secure Identities and Access • Modern Security Operations • Data Security & Governance Access Management • Secure Identities and Access • Modern Security Operations Entra ID (Formerly Azure AD) • • • • • Multifactor Authentication Microsoft Entra Conditional Access Self-service password management Identity Governance Privileged Identity Management (PIM) Microsoft Purview • • • • Compliance Management Data Lifecycle Management eDiscovery and auditing Insider Risk Management • Data Security & Governance Windows 10 & Windows 11 • Windows Hello for Business • Windows AutoPilot • Advanced Windows Security Microsoft Intune • Secure Identities and Access Unified Endpoint Management (UEM) • Secure Identities and Access Product Families Enable Modernization Initiatives Security Strategy and Program Zero Trust Architecture Secure Identities and Access IoT and OT Security Infrastructure & Development Security Entra Modern Security Operations (SecOps/SOC) Data Security & Governance Defender Purview Sentinel Priva Security Copilot (Preview) Intune Azure Provided by someone else Spans on-premises & multi-cloud environments Provided by someone else Unmanaged Internet Basic network monitoring for guests, partners, new/unmanaged devices Managed Internet Monitored network for validated devices to communicate peer to peer (patching, collaboration, etc.) Spans on-premises & multi-cloud environments Provided by someone else Unmanaged Internet Basic network monitoring for guests, partners, new/unmanaged devices Managed Internet Monitored network for validated devices to communicate peer to peer (patching, collaboration, etc.) 
Microsoft Entra application proxy Spans on-premises & multi-cloud environments Provided by someone else High Impact IoT/OT IoT/OT With Life/Safety Impact Unmanaged Internet Low Impact IoT/OT Basic network monitoring for guests, partners, new/unmanaged devices Managed Internet Monitored network for validated devices to communicate peer to peer (patching, collaboration, etc.) Printers, VoIP phones, etc. Microsoft Entra application proxy Spans on-premises & multi-cloud environments Sanctioned and Managed Services Internet and Unsanctioned/Unmanaged Apps Private and Managed in the cloud or on-premises Privileged Devices Privileged Accounts Business critical system users, developers, admins Sensitive System users, developers, & admins Enterprise Accounts Enterprise Devices Partner Unmanaged devices L o w I m p a c t I o T / O T Anonymous and Consumer identities P H r i i g n h t I e m r p s a , c V t o I I o P T p / h O o T n B eu s I,i en o te T /cs .s O C T r W i tt i h Lc ia fl eS /e Sg m a fe en tt y( Is ) m p a c tS e n s i t i v e B u s i n e s s U n i t s / A p p s Employee Adaptive Access Control BYOD, partners, etc. Managed Devices Specialized Devices Specialized Accounts Ability (and speed) to accomplish advanced tasks Native Computer Native Human Skills and learning required to become productive Direct programming Command Prompt Graphical User Interface (GUI) Chat/Conversation using generative AI Machine Learning (ML) already processes security data Integrated into XDR, SIEM, posture management, and other tools Adopt AI Security Capabilities Mitigate Attacker AI Adopt generative AI capabilities to enhance cyber defenses and human skills (e.g. 
Security Copilot) Continuously learn about Attacker AI to protect against it and educate stakeholders Protect AI Applications & Data Integrate security from design to production Data Systems Human generated data is high value asset for training AI models Protect custom models from attacks Education & Policy AI App Design & Usage Use of External AI AI Shared Responsibility Model Illustrates which responsibilities are typically performed by an organization and which are performed by their AI provider (such as Microsoft) AI Usage AI Application AI Platform Model Dependent Establish clarity: Your data is your data Implement responsible AI principles Prioritize greatest needs and opportunities for security Review – Artificial Intelligence (AI) • Dynamic conversational chat is a new interface • • Makes technology easier to use and learn Enables people to do more advanced tasks Comparing AI Generations • Critical to adapt quickly to this technology • • • Educate on and mitigate attacker use of AI Embrace security use of AI Protect business use of AI • Securing AI is a shared responsibility • Microsoft Approach to AI • • • Establish clarity: your data is your data Implement responsible AI principles Focus initial security priorities on greatest needs Resources and References