Cybersecurity Reference Architecture

[Architecture diagram (July 2017 version). Software as a Service: Office 365 (Security & Compliance, Threat Intelligence), Office 365 ATP, Office 365 DLP, Cloud App Security, Conditional Access, Intune MDM/MAM, Azure AD Identity Protection, Azure AD PIM, Multi-Factor Authentication, Hello for Business, ASM, Lockbox, Internet of Things. Security Operations Center (SOC): Security Development Lifecycle (SDL), Cybersecurity Operations Service (COS), Vulnerability Management, Incident Response and Recovery Services, MSSP, Analytics / UEBA, SIEM, Windows Security Center, Azure Security Center (ASC) (Threat Protection, Threat Detection). Identity & Access; Unmanaged & Mobile Clients. Information Protection: Azure Information Protection (AIP) with Classification Labels (Classify, Label, Protect, Report), Hold Your Own Key (HYOK), Edge DLP, Endpoint DLP, Windows Info Protection. On Premises Datacenter(s): Edge (NGFW, SSL Proxy, IPS, Email Gateway, Anti-malware, VPN, Extranet, DLP, Colocation), Enterprise Servers with Windows Server 2016 Security (Shielded VMs, Device Guard, Credential Guard, Just Enough Admin, Hyper-V Containers, Nano server, Defender AV, Defender ATP (Roadmap), and more…), VMs, Domain Controllers, ESAE Admin Forest, Privileged Access Workstations (PAWs), MIM PAM, ATA, Certification Authority (PKI), Sensitive Workloads, Managed Clients (Windows 10, Legacy Windows, Mac, IoT OS) with Windows 10 Security (Secure Boot, Device Guard, Exploit Guard, Application Guard, Credential Guard, Remote Credential Guard, Windows Hello, Device Health Attestation), EDR - Windows ATP, EPP - Windows Defender AV, WEF, System Center Configuration Manager + Intune. Microsoft Azure: Azure Security Center, Azure Key Vault, Azure App Gateway, Azure Antimalware, Azure SQL, Network Security Groups, SQL Encryption & Data Masking, SQL Firewall, Threat Detection, Disk & Storage Encryption, DDoS attack mitigation, Backup & Site Recovery, SIEM Integration.]

80%+ of employees admit using non-approved SaaS apps for work (Stratecast, December 2013)
Nearly all customer breaches that Microsoft’s Incident Response team investigates involve credential theft
63% of confirmed data breaches involve weak, default, or stolen passwords (Verizon 2016 DBR)

Last updated July 2017 – latest at http://aka.ms/MCRA
Cybersecurity Reference Architecture

Mark Simos, Sachin Gupta
Enterprise Cybersecurity Group
Cybersecurity Reference Architecture

[Architecture diagram with the major areas labelled: Software as a Service (Office 365); Security Operations Center (SOC) with Vulnerability Management, Incident Response, Logs & Analytics, Active Threat Detection, UEBA, Hunting Teams, Managed Security Provider, Security Analytics, SIEM; Identity & Access; Information Protection; Unmanaged & Mobile Clients; On Premises Datacenter(s) with DLP, NGFW, SSL Proxy, IPS, Extranet, Enterprise Servers, VMs, Domain Controllers, Endpoint DLP, Certification Authority (PKI), Managed Clients (Windows 10, Legacy Windows, Mac, IoT OS), Sensitive Workloads, Intranet.]

Components
• Network Edge Defenses
• Operations, Identity, & Info Protection Functions
• Enterprise Servers & VMs
• SaaS adoption (sanctioned or Shadow IT)
• Identity Systems including Active Directory
• Mix of managed & unmanaged devices
• Endpoint and Edge DLP
• Highly Sensitive Assets
• SIEM & Analytics
• Advanced Detection & Response
SECURE MODERN ENTERPRISE

[Diagram: four pillars (Identity, Apps and Data, Infrastructure, Devices) resting on a Secure Platform (secure by design), with two layers of work: Build Security Foundation – Critical Attack Defenses, and Secure the Pillars. Roadmap: http://aka.ms/SPARoadmap]

Identity: Embraces identity as primary security perimeter and protects identity systems, admins, and credentials as top priorities
Apps and Data: Aligns security investments with business priorities including identifying and securing communications, data, and applications
Infrastructure: Operates on modern platform and uses cloud intelligence to detect and remediate both vulnerabilities and attacks
Devices: Accesses assets from trusted devices with hardware security assurances, great user experience, and advanced threat detection

Build the Security Foundation
Start the journey by getting in front of current attacks
• Critical Mitigations – Critical attack protections
• Attack Detection – Hunt for hidden persistent adversaries and implement critical attack detection
• Roadmap and planning – Share Microsoft insight on current attacks and strategies, build a tailored roadmap to defend your organization’s business value and mission

Secure the Pillars
Continue building a secure modern enterprise by adopting leading edge technology and approaches:
• Threat Detection – Integrate leading edge intelligence and Managed detection and response (MDR) capabilities
• Identity and Access Management – continue reducing risk to business critical identities and assets
• Information Protection – Discover, protect, and monitor your critical data
• Cloud Adoption – Chart a secure path into a cloud-enabled enterprise
• Device & Datacenter Security – Hardware protections for Devices, Credentials, Servers, and Applications
• App/Dev Security – Secure your development practices and digital transformation components
Cybersecurity Reference Architecture

[Architecture diagram with the credential theft mitigation components highlighted: SOC with Investigation and Recovery, ATA and Enterprise Threat Detection; MIM PAM; ESAE Admin Forest; Domain Controllers; Privileged Access Workstations; Major Incident response.]

Credential Theft Mitigations
Prevention
• Privileged Access Workstations
• Administrative Forest (ESAE)
• Privileged Access Management
Detection
• Advanced Threat Analytics
• ETD Managed Detection and Response (MDR)
Response
• Incident Response
[Diagram: a Network Perimeter around Resources and an Identity Perimeter spanning Approved Cloud Services, Office 365, Unmanaged Devices and Shadow IT, with the threats Persistent Threats, Shadow IT SaaS Applications, Risky Use of Approved SaaS Apps, Unprotected Sensitive Data, Phishing, Credential Theft & Abuse, and Unmanaged Devices mapped onto the pillars Identity, Data, Apps, Infrastructure and Devices.]

• Network perimeter repels and detects classic attacks …but is reliably defeated by
  • Phishing
  • Credential theft
• Data has moved out of the network and its protections
• You must establish an Identity security perimeter
  • Strong Authentication
  • Monitoring and enforcement of access policies
  • Threat monitoring using telemetry & intelligence

Identity
Challenges
• Phishing reliably gains foothold in environment
• Credential Theft allows traversal within environment

Microsoft Approach
Phishing
• Time of click (vs. time of send) protection and attachment detonation
Credential Theft & Abuse
• Integrated Intelligence, Reporting, Policy enforcement
• Securing Privileged Access (SPA) roadmap to protect Active Directory and existing infrastructure
Products shown: Office 365 ATP (Email Gateway, Anti-malware), Azure AD Identity Protection, Conditional Access, Advanced Threat Analytics (ATA), MIM PAM, Enterprise Threat Detection, Investigation and Recovery, Admin Forest, Privileged Access Workstations
Cybersecurity Reference Architecture

[Architecture diagram repeated, with the SOC additionally showing Hunting Teams, OMS and PADS, and the SaaS-related components highlighted.]

Challenges
• Shadow IT - Unsanctioned cloud services storing and processing your sensitive data
• SaaS Management – Challenging to consistently manage many Software as a Service (SaaS) Apps

Microsoft Approach: Cloud App Security
Enable Full Security Lifecycle
1. Discover SaaS Usage
2. Investigate current risk posture
3. Take Control to enforce policy on SaaS tenants and data
4. Alert and take automatic action on policy violations (e.g. remove public access to sensitive document)
Cybersecurity Reference Architecture

[Architecture diagram repeated, with the information protection components highlighted.]

Challenges
• Limited visibility and control of sensitive data
• Data classification is large and challenging project

Microsoft Approach: Azure Information Protection (AIP)
• Protect data anywhere it goes
• Classification Labels: Classify, Label, Protect, Report
• Bring or Hold your own Key (HYOK)
• Support most popular formats
• Integration with Existing DLP (Edge DLP, Endpoint DLP)
Cybersecurity Reference Architecture

[Architecture diagram repeated, with Structured Data & 3rd party Apps added under AIP and the device components highlighted.]

Challenges
• Provide secure PCs and devices for sensitive data
• Manage & protect data on non-corporate devices

Microsoft Approach: Devices
• Provide a great user experience, strong Hardware-based security, and advanced detection + response capabilities (Windows 10)
• Mobile Device Management and Mobile App Management of popular devices via Intune (Intune MDM/MAM)
• Policy enforcement via Conditional Access
Microsoft Threat Detection
Deep insight across your environment
Powered by the Intelligent Security Graph

[Diagram of detection sources: Cloud Infrastructure (Azure Security Center with Threat Protection and Threat Detection, Cloud App Security, Security Appliances); Identity (Azure AD Identity Protection); Information; Operations Management (OMS, SIEM); Office 365 ATP (Email Gateway, Anti-malware); Windows (EDR - Windows Defender ATP); Private Cloud & On-Premises Infrastructure (Advanced Threat Analytics); Enterprise Threat Detection; PADS; Investigation and Recovery.]

Professional Services
• Enterprise Threat Detection: Detect Threats with managed detection and response (MDR) service
• PADS: Hunt for threats and persistent adversaries in your environment
• Investigation and Recovery: Respond to Threats with seasoned professionals and deep expertise
Cybersecurity Reference Architecture

[Summary diagram (March 2017 version). Office 365: Advanced Email Protection, Advanced Threat Protection and Detection, Discover & Secure SaaS usage, Data Protection (Full Lifecycle Protections: Classify, Protect, Report, Revoke; Critical Formats; DLP integration). Security Operations Center (SOC): Threat Protection and Monitoring, Analytics & Reporting, Partnerships, Microsoft Security. Identity & Access: Azure Conditional Access, Multi-factor Authentication, Privileged Access Management, Privileged Access Workstations (PAWs), Critical Protections for Privileged Identities. On Premises Datacenter(s): Firewall, Proxy Appliances, Colocation, Data Loss Prevention (DLP), Intrusion Prevention (IPS), Extranet, Internet Facing Workloads, Enterprise Servers, Datacenter and Virtualization Security (Private Cloud Fabric, Workloads, Built-in Security Management …and more), Business Critical Workloads. Managed Clients: Windows 10 Security (Hardware based protections, Powerful detection and investigation capabilities), Legacy Windows, Mac; Internet of Things OS. Unmanaged & Mobile Clients: Mobile Device & App Management (MDM/MAM). Protection from DDoS, Disasters, & Ransomware. Compliance.]

Security Operations Center (SOC)
• Incident Response and Recovery Services
• Visibility across your enterprise assets
• Integration with your existing SIEM

Nearly all customer breaches involve credential theft (Microsoft Incident Response team)

Last updated March 2017 – latest at http://aka.ms/MCRA