Microsoft Cybersecurity Reference Architectures (MCRA) : Capabilities Zero Trust User Access People


Microsoft Cybersecurity Reference Architectures (MCRA)

• Capabilities - What cybersecurity capabilities does Microsoft have?
• People - How are roles & responsibilities evolving with cloud and zero trust?
• Zero Trust User Access - How to validate trust of user/devices for all resources?
• Azure Native Controls - What native security is available?
• Security Operations - How to enable rapid incident response?
• Multi-Cloud & Cross-Platform - What clouds and platforms does Microsoft protect?
• Attack Chain Coverage - How does this map to insider and external attacks?
• Operational Technology - How to enable Zero Trust Security for OT?

aka.ms/MCRA | May 2021 |


Zero Trust and Related Topics
aka.ms/MCRA | May 2021 |

• Zero Trust Overview - What is Zero Trust and why is it needed?
• Zero Trust Rapid Modernization Plan - What to do first for Zero Trust?
• The Open Group Perspective - How has The Jericho Forum™ evolved?

Security Operations
• Threat Intelligence - How is this integrated into Microsoft's capabilities?
• Capability Integration - How does Microsoft invest into integrating Security Operations tools?
• End-to-end integration - How does integrating access control & Security Operations reduce risk?

Key Initiatives
• Securing Privileged Access - How to mitigate common and high-impact attack techniques?
• Human Operated Ransomware - How to mitigate business-impacting extortion attacks?
• Beyond VPN for User Access - How to rapidly improve security and user experience for remote access?
Security Guidance May 2021 - https://aka.ms/MCRA

Business Leadership (CEO, CIO, CISO) - Securing Digital Transformation; Business and Security Integration; Cloud Adoption Framework (CAF)
Technical Leadership - Security Strategy, Programs, and Epics
Architecture and Policy - Microsoft Cybersecurity Reference Architectures (MCRA)
Initiative Planning/Execution (Architects & Technical Managers) - Azure Security Benchmark; Zero Trust; Privileged Access; Ransomware; Azure Top 10
Technical Planning - Microsoft Security Documentation
Implementation - Product Docs (Azure | Microsoft 365); Well Architected Framework (For Azure Workload Owners)

Feedback and additional resources: https://aka.ms/markslist @MarkSimos


Key Industry References and Resources
• The Open Group Security Forum - https://www.opengroup.org/forum/security
• Zero Trust Core Principles - https://publications.opengroup.org/security-library/w210
• NIST Cybersecurity Framework - https://www.nist.gov/cyberframework
• Zero Trust Architecture - https://www.nist.gov/publications/zero-trust-architecture
• Center for Internet Security (CIS) Benchmarks - https://www.cisecurity.org/cis-benchmarks/


Managing Information\Cyber Risk May 2021 - https://aka.ms/SecurityRoles
Security responsibilities or "jobs to be done"
(Columns on the slide: Plan (Governance) | Build | Run (Operations))

Organizational Leadership (Board, Management)
• Organizational & Risk Oversight
• Business Model and Vision
• Organizational Risk Appetite

External Threat Intelligence Sources
• Strategic Threat Insight/Trends
• Risk Scenarios

Information Risk Management / Security Leadership
• Program Management Office (PMO)
• Security Operations [Center] (SOC)
• Supply Chain Risk (People, Process, Technology)
• Leadership and Culture
• Risk Management
• Posture Management
• Incident Preparation
• Enable Productivity and Security
• Stay Agile - Adapt to changes to threat environment, technology, regulations, business model, and more
• Policy & Standards
• Monitor & Remediate Risk (Conditional Access, Secure Score, Sharing Risks, Threat and Vulnerability Management (TVM) User & Asset Scores, etc.)
• Practice Exercises

Technical Risk Management
• People - User Education & Awareness; Insider Risk; Tactical Threat Insight/Trends; People teams
• Privacy Requirements; Compliance Requirements
• Apps & Data - App Dev Education & Awareness; App Security Programs; App teams
• Requirements Translation
• Infrastructure & Endpoint - Infrastructure & Endpoint Security; Network Security; Deploy Security Tools; Mitigate Vulnerabilities; IT Operations; Incident Response
• Compliance Reporting; Architecture & Risk Assessments
• Technical Policy Monitoring; Technical Policy Authoring
• Identity & Keys - Key Management; Administrator Security; Identity Security; Identity System Security; Identity teams
• Compliance Management; Security Architecture; Threat Hunting
• Operational Technology (OT) Security; OT Operations


Mapping these roles/responsibilities to initiatives

Security organizational functions - https://aka.ms/SecurityRoles

Guidance that maps to these functions:
• Azure Security Top 10 - https://aka.ms/azuresecuritytop10
• Azure Security Benchmark - https://aka.ms/benchmarkdocs
• Securing Privileged Access – Rapid Modernization Plan (RaMP) - https://aka.ms/sparoadmap
Cybersecurity Reference Architecture
Security modernization with Zero Trust Principles
May 2021 – https://aka.ms/MCRA

Security Operations / SOC
• Azure Sentinel – Cloud Native SIEM, SOAR, and UEBA for IT, OT, and IoT
• Threat Experts | Detection and Response Team (DART) | MSSP/MDR
• Data sources: Azure & 3rd party clouds; Endpoint & Server/VM; Office 365 Email and Apps; Identity; SaaS & Microsoft Cloud App Security; Other Tools, Logs, and On-Premises Data
• Extended Detection and Response (XDR): Azure Defender | Microsoft 365 Defender
  Advanced Detection & Remediation | Automated Investigation & Remediation | Advanced Threat Hunting
  Threat & Vulnerability Management; Integrated data classification; Threat analytics on top attacks

Security Guidance
1. Security Documentation
2. Microsoft Best Practices
3. Azure Security Top 10 | Benchmarks | CAF | WAF

Software as a Service (SaaS) – Microsoft Cloud App Security
• App Discovery & Risk Scoring (Shadow IT)
• Threat Detection & Response
• Policy Audit & Enforcement
• Session monitoring & control
• Information Protection & Data Loss Prevention (DLP)

Identity & Access – Azure Active Directory
• Conditional Access – Zero Trust Access Control decisions based on explicit validation of user trust and endpoint integrity
• Passwordless & MFA: Hello for Business, Authenticator App, FIDO2 Keys
• Identity Protection: Leaked cred protection, Behavioral Analytics
• Azure AD App Proxy, Azure AD PIM, Identity Governance, Azure AD B2B & B2C
• Defender for Identity, Active Directory

Endpoints & Devices
• Microsoft Endpoint Manager – Unified Endpoint Management (UEM): Intune, Configuration Manager
• Microsoft Defender for Endpoint – Unified Endpoint Security: Endpoint Detection & Response (EDR), Web Content Filtering, Threat & Vuln Management, Endpoint Data Loss Protection (DLP)

Hybrid Infrastructure – IaaS, PaaS, On-Premises
• Azure Security Center – Cross-Platform Cloud Security Posture Management (CSPM), Secure Score
• On Premises Datacenter(s) | 3rd party IaaS & PaaS | Microsoft Azure | Azure Marketplace
• Extranet / Edge: Azure Firewall & Firewall Manager, NGFW, Azure WAF, IPS/IDS, DDoS Protection, Azure AD App Proxy, Beyond User VPN, Express Route, Private Link, Azure Bastion
• Intranet: Azure Key Vault, Azure Arc, Azure Lighthouse, Azure Stack, Azure Backup, Security & Other Services
• Securing Privileged Access – Secure Accounts, Devices, Intermediaries, and interfaces to enable and protect privileged users
• Privileged Access Workstations (PAWs) - Secure workstations for administrators, developers, and other sensitive users
• Azure Defender – Cross-Platform, Cross-Cloud XDR: Multi-asset detection and response for infrastructure and platform as a service (IaaS & PaaS), Proactive Threat defenses

Information Protection
• Azure Purview; Microsoft Information Protection (MIP): Discover, Classify, Protect, Monitor; Classification Labels; DLP; File Scanner (on-premises and cloud)
• Compliance Dashboard, Data Governance, Advanced eDiscovery, Compliance Manager
• Microsoft Compliance Score – Prioritize, measure, and plan improvement actions against controls
• Microsoft Secure Score – Measure your security posture, and plan/prioritize rapid improvement with included guidance

Windows 10 Security
• Network protection, App control, Credential protection, Exploit protection, Full Disk Encryption, Behavior monitoring, Attack surface reduction, Next-generation protection

IoT and Operational Technology (OT)
• Azure Defender for IoT: ICS, SCADA, OT; Internet of Things (IoT); Industrial IoT (IIoT); Asset & Vulnerability management; Threat Detection & Response
• Azure Sphere

People Security
• Attack Simulator, Insider Risk Management, Communication Compliance

GitHub Advanced Security – Secure development and software supply chain

Threat Intelligence – 8+ Trillion signals per day of security context
Service Trust Portal – How Microsoft secures cloud services
Security Development Lifecycle (SDL)
Cross-cloud and cross-platform
Comprehensive Security, Compliance and Identity capabilities that integrate with your existing solutions May 2021 – https://aka.ms/MCRA

Industry Partnerships
NIST / CIS / The Open Group / Others | Microsoft Intelligent Security Association | Solution Integration and MDR/MSSP Partners | CERTs / ISACs / Others | Law Enforcement

Microsoft Security, Compliance, and Identity Capabilities

Threat Intelligence – 8+ Trillion signals per day of security context

• Access Control – Identity and Network
• Modern Security Operations – Rapid Resolution with XDR, SIEM, SOAR, UEBA and more
• Asset Protection – Information Protection and App Security / DevSecOps
• Technical Governance – Risk Visibility, Scoring, and Policy Enforcement

People Security – User Education/Empowerment and Insider Threats

Endpoints & Devices | Software as a Service (SaaS) | Hybrid Infrastructure – IaaS, PaaS, On-Premises | IoT Devices | Operational Technology (OT)

Security Operations [Center] (SOC) – Reduce attacker time/opportunity to impact business

Multi-Cloud and Cross-Platform Technology
Secure the enterprise you have May 2021 – https://aka.ms/MCRA

Microsoft Information Protection and Azure Purview
Discover, Classify, Protect, and Monitor unstructured data (documents, spreadsheets, files, etc.), structured data (SQL, Databases, etc.) and identify critical risks (Open S3 buckets, SaaS Sharing Risks, etc.)

Identity & Access – Azure Active Directory
• Identity Enablement – Access cloud and legacy applications for Enterprise users, Partners (B2B), and Customers/Citizens (B2C)
• Identity Security – Zero Trust Access Control using Behavioral Analytics, Threat Intelligence, and integration of device and app trust signals

GitHub Advanced Security – Secure development capabilities securing components common to most enterprise software supply chains

Endpoints & Devices – Microsoft Endpoint Manager, Unified Endpoint Management (UEM)
Hybrid Infrastructure – IaaS, PaaS, On-Premises: Continuous Cross-Platform Cloud Security Posture Management (CSPM) and Cloud Workload Protection (CWPP); Azure Arc
Software as a Service (SaaS) | IoT Devices | Operational Technology (OT)

Security Operations [Center] (SOC)
Azure Sentinel – Cloud Native SIEM, SOAR, and UEBA for IT, OT, and IoT
Threat Intelligence – 8+ Trillion signals per day of security context

Extended Detection and Response (XDR) – Threat visibility and capabilities tailored to resources
• Microsoft 365 Defender: Threat & Vulnerability Management; Integrated data classification; Threat analytics on top attacks; Advanced Detection & Remediation; Automated Investigation & Remediation; Advanced Threat Hunting
• Microsoft Defender for Endpoint – Unified Endpoint Security: Endpoint Detection & Response (EDR); Threat Detection & Response; Data Loss Protection (DLP); Web Content Filtering; Threat & Vuln Management
• Microsoft Cloud App Security: App Discovery & Risk Scoring (Shadow IT); Threat Detection & Response; Policy Audit & Enforcement; Session monitoring & control; Info Protection & Data Loss Prevention (DLP)
• Azure Defender – XDR for IaaS, PaaS, and On-Premises: VMs, Servers, App Environments; Storage and Databases; Containers and Orchestration; and more
• Azure Defender for IoT: ICS, SCADA, OT; Internet of Things (IoT); Industrial IoT (IIoT); Asset & Vulnerability management; Threat Detection & Response
Key cross-platform and multi-cloud guidance
• Microsoft Defender for Endpoint for Linux
• Azure security solutions for AWS
• Azure AD identity and access management for AWS
• Multi-cloud & hybrid protection in Azure Security Center

Google Cloud | Amazon Web Services | On-prem | Microsoft Azure (New! New! New!)

Azure Arc
• Security posture & compliance: Secure score, Asset management, Policy
• Server protection (Azure Defender for VMs): Threat detection, VA (powered by Qualys), Application control
• Automation & management at scale: Automation, SIEM integration, Export
Defend across attack chains
Insider and external threats May 2021 – https://aka.ms/MCRA

Capabilities across the chain: Defender for Office 365 | Defender for Endpoint | Azure AD Identity Protection | Microsoft Cloud App Security | Defender for Identity | Azure Defender

External attack chain:
• Entry: Phishing mail attachment; Browse a website; Brute force account or use stolen account credentials
• Click a URL → Exploitation and Installation → Command and Control
• User account is compromised → Attacker collects reconnaissance & configuration data → Attacker attempts lateral movement
• Privileged account compromised → Domain compromised → Attacker accesses sensitive data → Exfiltration of data

Insider threats – Insider risk management:
• Leading indicators: History of violations; Distracted and careless; Disgruntled or disenchanted; Subject to stressors
• Insider has access to sensitive data → Anomalous activity detected → Data leakage / Potential sabotage
Operational Technology (OT) Security Reference Architecture May 2021 – https://aka.ms/MCRA

Apply zero trust principles to securing OT and industrial IoT environments

Blended cybersecurity attacks are driving convergence of IT, OT, and IoT security architectures and capabilities

Business Analytics: Azure Analytics (IoT Hub, PowerBI, Azure Edge, Digital Twins, and more) | 3rd party Analytics
Security Analytics: Azure Sentinel
• Native plug-in for Azure Defender for IoT
• Native OT investigation & remediation playbooks
• Correlation with other data sources and threat intelligence (attack groups & context)
Threat Intelligence – 8+ Trillion signals per day of security context
Cloud connection: TLS with mutual authentication

IIoT/OT Digital Transformation drivers
• Business Efficiency - Data to enable business agility
• Governance & Regulatory Compliance with safety and other standards
• Emerging Security Standards like CMMC

Operational Technology (OT) Environments – Safety/Integrity/Availability
• Hardware Age: 50-100 years (mechanical + electronic overlay)
• Warranty length: up to 30-50 years
• Protocols: Industry Specific (often bridged to IP networks)
• Security Hygiene: Isolation, threat monitoring, managing vendor access risk, (patching rarely)

Information Technology (IT) Environments – Confidentiality/Integrity/Availability
• Hardware Age: 5-10 years
• Warranty length 3-5 years
• Protocols: Native IP, HTTP(S), Others
• Security Hygiene: Multi-factor authentication (MFA), patching, threat monitoring, antimalware

Purdue Model
• Purdue Levels 4 + 5 and Zero Trust – Business Analytics; Cloud Connection (OPTIONAL)
• Level 3 – Site Operations: Control & monitoring for physical site with multiple functions (e.g. plant) – Business Analytic Sensor(s)
• Level 2 – Supervisory Control: Monitoring & Control for discrete business functions (e.g. production line) – NETWORK TAP/SPAN Sensor(s) + Analytics; Plant security console (optional); Azure Defender for IoT Manager; 3rd party SIEM / Security Console
• Level 1 – Basic Control: Electronics controlling or monitoring physical systems
• Level 0 – Process: Physical machinery
• SAFETY SYSTEMS

Isolation and Segmentation
• Internal Hard Boundary – Physically disconnect from IT network(s) as business processes allow
• Soft(ware) Boundary – People, Process, and Tech (network + identity access control, boundary patching and security hygiene)

Transform with Zero Trust Principles
Purdue model assumed static site/enterprise model
• Datacenter Segments – Align network/identity/other segmentation controls to business workloads and business risk
• End user access - Dynamically grant access based on explicit validation of current user and device risk level


Zero Trust Principles - Assume breach, verify explicitly, Use least privilege access (identity and network)
Why are we having a Zero Trust conversation?
Keep Assets away from Attackers

1. IT Security is Complex
• Many Devices, Users, & Connections

2. "Trusted network" security strategy
• Initial attacks were network based
• Seemingly simple and economical
• Accepted lower security within the network

3. Assets increasingly leave the network
• BYOD, WFH, Mobile, and SaaS

4. Attackers shift to identity attacks
• Phishing and credential theft
• Security teams often overwhelmed

Zero Trust
Strategy to increase security assurances
• for business assets data and applications
• everywhere including public & untrusted networks

Leads to (Architecture Environment)

User Access – Policy Driven Access for Productivity
1. Explicitly validate trust of access requests
2. Dynamically address insufficient trust

Modern SecOps – Pervasive detection and response
1. Deep asset visibility inside & outside the firewall
2. Rapid remediation with automation and integrated workflows

OT and Datacenter – Monitor and segment assets by business risk
• Workload, App, API, and Device Security
• Operational Technology (OT) + Industrial Internet of Things (IIoT)

Increases security
Increases productivity
Microsoft Zero Trust Principles
Guidance for technical architecture

Verify explicitly – Always validate all available data points including
• User identity and location
• Device health
• Service or workload context
• Data classification
• Anomalies

Use least privilege access – To help secure both data and productivity, limit user access using
• Just-in-time (JIT)
• Just-enough-access (JEA)
• Risk-based adaptive policies
• Data protection against out of band vectors

Assume breach – Minimize blast radius for breaches and prevent lateral movement by
• Segmenting access by network, user, devices, and app awareness.
• Encrypting all sessions end to end.
• Use analytics for threat detection, posture visibility and improving defenses
Blend network and identity access controls
Choose the right tool for the job

Basic Hygiene – Set once and rarely modify
Primary Control – Granular controls and focused refinement/detection

User Access and Productivity – Network | Identity
Operational Technology (OT) and Industrial IoT – Network | Identity
Datacenter Security – Network | Identity

Note: Security Operations (SecOps) monitors all assets and environments


Zero Trust Rapid Modernization Plan (RaMP)
Prioritize rapid progress on highest positive impact

Roll out to IT Admins first
• Targeted by Attackers
• High potential impact
• Provide technical feedback

Top Priorities – critical security modernization steps

User Access and Productivity
1. Explicitly validate trust for all access requests (via Azure AD Conditional Access)
   a. User Accounts - Require Passwordless or MFA for all users + measure risk with threat intelligence & behavior analytics
   b. Devices - Require device integrity for access (configuration compliance first, then XDR signals)
2. Increase security for accessing key resources
   a. Apps – Enable Azure AD for all SaaS, for VPN authentication, and publish legacy on-premises/IaaS via App Proxy
   b. Data - Discover and protect sensitive data (via Cloud App Security, CA App Control, Microsoft Info Protection)
3. Governance to continuously monitor security posture and reduce risk (via Secure Score)

Modernize Security Operations
4. Streamline response to common attacks with XDR for Endpoint/Email/Identity + Cloud (via M365 & Azure Defender)
5. Unify Visibility with modern Security Information and Event Management (SIEM via Azure Sentinel)
6. Reduce manual effort - using automated investigation/remediation, enforcing alert quality, & proactive threat hunting

As Needed – typically driven by cloud adoption or OT/IoT usage

Operational Technology (OT) and Industrial IoT
• Discover – Find & classify assets with business critical, life safety, and operational/physical impact (via Azure Defender for IoT)
• Protect – isolate assets from unneeded internet/production access with static and dynamic controls
• Monitor – unify threat detection and response processes for OT, IT, and IoT assets (via Azure Defender for IoT)

Datacenter & DevOps Security (ZT builds on classic security; align to cloud migration schedule)
• Security Hygiene – Rigorously monitor + remediate security configurations, security updates, MFA, and more
• Reduce Legacy Risk – Retire or isolate legacy technology (Unsupported OS/Applications, legacy protocols)
• DevOps Integration – Integrate infrastructure + development security practices into DevOps with minimal friction
• Microsegmentation – Additional identity and network restrictions (dynamic trust-based and/or static rules)
Protect assets anywhere with Zero Trust
Verify explicitly | Use least-privileged access | Assume breach

User – Groups/Role; Location; Privileges; Session risk; User Risk
Device – Managed or BYOD; Health & compliance; Device risk; Type and OS version; Encryption status

Policy Engine – Microsoft Azure AD; Microsoft 365 Defender; Microsoft Information Protection; Microsoft Security & Compliance; Microsoft Defender for Endpoint; Microsoft Endpoint Manager; Microsoft Cloud App Security; Azure Sentinel

Resources – Microsoft Cloud; SaaS & apps; On-premises & web apps

Zero Trust User Access – Full access | Limited access
Legend: Risk Mitigation | Remediation Path
aka.ms/zerotrust
May 2021 – https://aka.ms/MCRA

Conditional Access to Resources

Policy is evaluated when: Initial Access + Token Refresh | Change in security posture

Signal (to make an informed decision)
• User Threat/Risk Signals – Azure AD Identity Protection: Leaked cred protection, Behavioral Analytics; Microsoft Defender for Identity; User risk
• Organization Policy
• User/Session Risk – Microsoft Cloud App Security
• Multi-Factor Authentication – Hello for Business; Azure MFA
• Microsoft Threat Intelligence – 8+ Trillion signals per day of security context & Human Expertise
• Azure AD B2B & B2C
• Device Threat/Risk Signals – Microsoft Defender for Endpoint; Partner MDM; Microsoft Intune; Device risk; IsCompliant; IsManaged; Approved Apps
• Active Directory; Azure AD Self Service Password Reset (SSPR); 3rd party VPN and Remote Access Devices

Decision (based on organizational policy) – Azure Active Directory (Azure AD) Conditional Access Policy Engine, Security & Compliance
• Increase Trust by requesting MFA
• Remediate Leaked Credential (Requires MFA)
• Monitor & Restrict Access
• Lower Access / Restricted session – Microsoft Cloud App Security Conditional Access App Control

Enforcement (of policy across resources)
• Microsoft Applications – Office 365; Dynamics 365; Azure Resource Manager (ARM); Azure Portal; Linux Login
• Modern Applications; SaaS Applications
• Legacy Apps (Secure VPN Replacement) – Azure AD App Proxy {LDAP}
• Documents – Microsoft Information Protection (MIP)
• Mobile Apps – Microsoft Intune (MAM functionality)
Key Zero Trust Resources
to help you on your Zero Trust journey

• Zero Trust Resources - aka.ms/zerotrust
• Maturity Model - aka.ms/zerotrust
• Business Plan - aka.ms/ZTbizplan
• Deployment Guidance - aka.ms/ztguide

• Zero Trust: Security Through a Clearer Lens session (Recording | Slides)
• CISO Workshop Slides/Videos
• Microsoft's IT Learnings from (ongoing) Zero Trust journey
Beyond VPN
Modernize VPN Access and move applications to full modern access

1. VPN typically allows access to all ports on the entire network
   Provides full network access (sometimes segmented)
1. Configure Azure AD for VPN authentication
   Explicit User and Device Trust Validation

2. Publish Apps with Azure AD App Proxy (Application behind Azure AD App Proxy)
   Explicit User and Device Trust Validation
   Provides access to only a single app (with seamless user experience)

(Chart axes: SESSION SECURITY vs. APP COVERAGE)
Secure assets where they are with Zero Trust
Simplify security and make it more effective

Classic Approach – Restrict everything to a 'secure' network
Zero Trust – Protect assets anywhere with central policy

The digitized world is interconnected and dynamic
Participants: Customer; Vendor/Supplier; Unverified Trading Partner; Contracted/Temporary employee; Influencer; Full Time Staff; Trusted & Verified Trading Partner; IT/Business Outsourcer; APIs; Applications

Modern Work Use Cases
• Normalization of remote work
• Rapidly evolving partnerships and competitors
• Rapidly changing communication patterns
• Evolving national interests and regulations

Security Modernization Imperatives
• Automated Policy Enforcement - to address changing processes and models in an agile manner at minimum cost
• Adaptive identity management - to respond to rapidly changing roles, responsibilities and relationships
• Data-centric and asset-centric approaches – to
  o Better focus security resources by limiting the scope of what to protect (via trusted zones, tokenization, or similar approaches)
  o Better monitor assets and respond to threats regardless of network location.
Zero Trust Components
Enable flexible business workflows for the digitized world

Clarity, Automation, and Metrics-Driven Approach

• Governance – Visibility and Policy
• Access Control – Identity and Network - Multi-factor Authentication
• Asset Protection – Classification, Protection, Tokenization
• Security Policy Enforcement
• Digital Ecosystems – Data/Information; APIs; Apps & Systems; Secured Zones
• Threat Intelligence
• Modern Security Operations – Rapid Threat Detection, Response, and Recovery


Zero Trust Core Principles
Business Strategy and Organizational Culture – Shapes Zero Trust Strategy and Priorities

Organizational Value and Risk
1. Modern work enablement
2. Goal alignment
3. Risk alignment

Guardrails and Governance
4. People Guidance and Inspiration
5. Risk & Complexity Reduction
6. Alignment & Automation
7. Security for the Full Lifecycle

Technology and Security Controls
8. Asset-centric security
9. Least privilege
10. Simple and Pervasive
11. Explicit trust validation

ORGANIZATIONAL VALUE AND RISK
1. Modern Work Enablement – Users in organizational ecosystems must be able to work on any network in any location with the same security assurances.
2. Goal Alignment – Security must align with and enable organization goals within the risk tolerance and threshold.
3. Risk Alignment – Security risk must be managed and measured using a consistent risk framework and considering organizational risk tolerance and thresholds.

GOVERNANCE
4. People Guidance and Inspiration – Organizational governance frameworks must guide people, process, and technology decisions with clear ownership of decisions, policy and aspirational visions.
5. Risk and Complexity Reduction – Governance must reduce both complexity and threat surface area.
6. Alignment and Automation – Policies and security success metrics must map directly to organizational mission and risk requirements and should favor automated execution and reporting.
7. Security for the Full Lifecycle – Risk analysis and confidentiality, integrity, and availability assurances must be sustained for the lifetime of the data, transaction, or relationship.

TECHNOLOGY AND SECURITY CONTROLS
8. Asset-Centric Security – Security must be as close to the assets as possible (i.e., data-centric and application-centric approaches instead of network-centric strategies) to provide a tailored approach that minimizes productivity disruption.
9. Least Privilege – Access to systems and data must be granted only as required and removed when no longer required.
10. Simple and Pervasive Security – Security mechanisms must be simple, scalable, and easy to implement and manage throughout the organizational ecosystem (whether internal or external).
11. Explicit Trust Validation – Assumptions of integrity and trust level must be explicitly validated against organization risk threshold and tolerance.

Second column of the slide (the Jericho Forum Commandments):
1. The scope and level of protection should be specific and appropriate to the asset at risk.
2. Security mechanisms must be pervasive, simple, scalable, and easy to manage.
3. Assume context at your peril.
4. Devices and applications must communicate using open, secure protocols.
5. All devices must be capable of maintaining their security policy on an un-trusted network.
6. All people, processes, and technology must have declared & transparent levels of trust for any transaction to take place.
7. Mutual trust assurance levels must be determinable.
8. Authentication, authorization, and accountability must interoperate/exchange outside of your locus/area of control.
9. Access to data should be controlled by security attributes of the data itself.
10. Data privacy (and security of any asset of sufficiently high value) requires a segregation of duties/privileges.
11. By default, data must be appropriately secured when stored, in transit, and in use.
Compromised endpoint
Risk: Devices can be infected by personal email, USB, and other vectors
Mitigation: Rapidly detect and clean all managed devices, email, and other resources across environment and customers

Flow shown in the diagram:
1. A user opens an attachment from personal email or inserts a USB device; Microsoft Defender for Endpoint detects the malicious payload.
2. Defender for Endpoint shares intelligence with Microsoft Threat Intelligence; telemetry is shared back across products and infected endpoints are remediated.
3. User access from the device is disabled while it is infected.
4. Microsoft Defender for Office 365 searches companywide email, removes the attachment from affected mailboxes, and blocks the attachment from future attacks.
Suspend access during compromise
Risk: Malware on endpoint enables adversary to steal/damage files and systems
Mitigation: Temporarily suspend user access until endpoint is cleaned

Flow shown in the diagram:
1. Microsoft Defender for Endpoint detects a threat on the user's computer.
2. Intune and Azure AD (AAD) temporarily suspend the user's access to apps from this computer: access to SaaS apps, Office 365, and on-premises apps is restricted.
3. The computer and emails are cleaned.
4. Once the computer is remediated, access is restored.
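The suspend/restore chain above is implemented in practice as a Defender for Endpoint risk signal, an Intune compliance policy that turns that risk into a non-compliant device, and a Conditional Access policy that only grants protected apps to compliant devices. The following is an added example, not code from the MCRA deck or from Microsoft: the two payload builders follow the documented Microsoft Graph schemas (windows10CompliancePolicy and conditionalAccessPolicy), while evaluate_access() and is_compliant() are a local simulation of how those policies combine, written for this example and not a Microsoft API.

```python
from __future__ import annotations
from dataclasses import dataclass

# Defender for Endpoint machine risk, lowest to highest, using the value names that
# Intune's deviceThreatProtectionRequiredSecurityLevel accepts (notSet/unavailable omitted).
RISK_ORDER = ["secured", "low", "medium", "high"]


def intune_compliance_policy(max_allowed_risk: str = "medium") -> dict:
    """Windows 10 compliance policy body (Microsoft Graph windows10CompliancePolicy schema):
    the device is non-compliant when Defender for Endpoint reports risk above max_allowed_risk."""
    if max_allowed_risk not in RISK_ORDER:
        raise ValueError(f"unknown risk level {max_allowed_risk!r}")
    return {
        "@odata.type": "#microsoft.graph.windows10CompliancePolicy",
        "displayName": f"Require MDE machine risk at or below {max_allowed_risk}",
        "deviceThreatProtectionEnabled": True,
        "deviceThreatProtectionRequiredSecurityLevel": max_allowed_risk,
        # Graph requires a scheduled action when the policy is created; 'block' with no
        # grace period marks the device non-compliant immediately so Conditional Access can act.
        "scheduledActionsForRule": [{
            "ruleName": "PasswordRequired",
            "scheduledActionConfigurations": [{"actionType": "block", "gracePeriodHours": 0}],
        }],
    }


def conditional_access_policy(app_ids: list[str]) -> dict:
    """Conditional Access policy body (Microsoft Graph conditionalAccessPolicy schema):
    grant the listed apps only to devices Intune marks compliant."""
    return {
        "displayName": "Require compliant device for protected apps",
        "state": "enabled",
        "conditions": {
            # Keep emergency-access (break-glass) accounts in excludeUsers in a real tenant.
            "users": {"includeUsers": ["All"], "excludeUsers": []},
            "applications": {"includeApplications": app_ids},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]},
    }


@dataclass
class DeviceState:
    mde_risk: str          # current Defender for Endpoint machine risk level
    intune_managed: bool   # unmanaged devices never report compliance


def is_compliant(device: DeviceState, compliance_policy: dict) -> bool:
    """Local simulation of Intune's compliance decision for the threat-level rule."""
    if not device.intune_managed:
        return False
    allowed = compliance_policy["deviceThreatProtectionRequiredSecurityLevel"]
    return RISK_ORDER.index(device.mde_risk) <= RISK_ORDER.index(allowed)


def evaluate_access(device: DeviceState, app_id: str,
                    compliance_policy: dict, ca_policy: dict) -> str:
    """Local simulation of the Conditional Access grant: 'granted' or 'blocked'."""
    if ca_policy["state"] != "enabled":
        return "granted"
    in_scope = ca_policy["conditions"]["applications"]["includeApplications"]
    if app_id not in in_scope and "All" not in in_scope:
        return "granted"                      # policy does not apply to this app
    controls = ca_policy["grantControls"]["builtInControls"]
    if "compliantDevice" in controls and not is_compliant(device, compliance_policy):
        return "blocked"
    return "granted"


def walk_through() -> list[str]:
    """Replays the deck's sequence: threat detected -> access restricted -> remediated -> restored."""
    compliance = intune_compliance_policy("medium")
    ca = conditional_access_policy(["Office365"])   # 'Office365' is Graph's well-known app id
    device = DeviceState(mde_risk="secured", intune_managed=True)
    timeline = [evaluate_access(device, "Office365", compliance, ca)]
    device.mde_risk = "high"     # Defender for Endpoint raises machine risk
    timeline.append(evaluate_access(device, "Office365", compliance, ca))
    device.mde_risk = "secured"  # computer cleaned; risk drops after remediation
    timeline.append(evaluate_access(device, "Office365", compliance, ca))
    return timeline


if __name__ == "__main__":
    print(walk_through())
```

The check a practitioner wants before enabling such a policy is the unmanaged-device case: a device that never enrolled in Intune is simply non-compliant, so the policy blocks it regardless of Defender risk, which is why the user exclusions must cover break-glass accounts before the state is set to enabled.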
Security Operations
Microsoft Reference Architecture

Legend: Event Log Based Monitoring; Native Resource Monitoring; Investigation & Proactive Hunting; Outsourcing; Consulting and Escalation

Align to Mission + Continuously Improve
• Responsiveness – Mean Time to Acknowledge (MTTA)
• Effectiveness – Mean Time to Remediate (MTTR)

Broad Enterprise View – Azure Sentinel
• Correlated/Unified Incident View
• Security Incident & Event Management (SIEM), with classic SIEM API integration
• Security Orchestration, Automation, and Remediation (SOAR), including case management
• Machine Learning (ML) & AI; Behavioral Analytics (UEBA)
• Security Data Lake
• SOAR reduces analyst effort/time per incident, increasing overall SOC capacity

Deep Insights – Extended Detection and Response (XDR)
• Actionable alerts from an XDR tool with deep knowledge of assets and ML/UEBA
• Automated investigation and response (AutoIR)
• Azure Defender (Infrastructure & Apps, PaaS, OT & IoT): Servers & VMs, Azure app services, Network traffic, IoT & OT, Containers, SQL
• Microsoft 365 Defender (Identity & Access Management, Endpoint & Mobile, Modern & SaaS Applications, Information): Azure AD Identity Protection, Defender for Identity, Defender for Endpoint, Defender for Office 365, Microsoft Cloud App Security
• Security & Network SOAR
• Raw Data: Office 365 Security & Activity Logs, {LDAP}, and other sources that provide actionable security alerts, raw logs, or both

Expert Assistance – Enabling analysts with scarce skills
• Microsoft Threat Experts (Analysts and Hunters)
• Incident Response & Recovery
• Managed Detection and Response Using Microsoft Security

Microsoft Threat Intelligence – 8+ Trillion signals per day of security context & Human Expertise
Security Operations Model – Functions and Tools

Threat Intelligence: Strategic and Business Threat Insights/Trends; External Intelligence Sources; Tactical Threat Trends and Indicators of Compromise (IOCs)
Partner Teams: IT Operations, DevOps, Insider Threat, and more

Hunt (Tier 3) – Proactive Hunting, Advanced Forensics, and Detection Tuning
  Tools: Any/All tools, data, intelligence sources

Incident Management – Business Coordination; for Major Incidents: Assess Impact & Manage Stakeholders

Investigation (Tier 2) – Advanced Analysis and Remediation
  Primary Tools: XDR (Microsoft 365 Defender & Azure Defender)
  High Complexity Incidents:
  • Escalations & multi-stage incidents
  • Alerts on business-critical assets
  • Monitoring known campaigns

Triage (Tier 1) – Rapid Remediation or Escalation
  Primary Tools: XDR (Microsoft 365 Defender & Azure Defender)
  High Volume Incidents:
  • High true positive rate
  • Consistent/predictable
  CDOC Example Alert Ratio:
  • XDR Alerts (~65%)
  • User Reporting (~10%)
  • Log/Event/Other (~25%)

Automation – Automated Investigation & Remediation
  Well known attacks: XDR (Microsoft 365 Defender and Azure Defender) Alerts

Silos are the Bane of Security Operations
Attackers traverse rapidly across the enterprise (identity, endpoint, email & collaboration, applications, others); defender silos make chasing them difficult.

Integrating Silos is Challenging

MAPPING CHALLENGES – Tools pivot on different attributes
• Network IP address
• Computer Name
• Documents
• Device ID
• Email
• Etc.

STRONG BIASES/TENDENCIES
Identity – Reports only high-quality alerts because
• Analysts have alert fatigue, resist new tools
• Analysts have network background and value of Identity isn't self evident
Endpoint – Verbose alert reporting
• AV testing focuses on "not missing" malware
• Reporting more improves showing in AV Testing reports

Converging Tools & Data
Engineering a single seamless system with automation

Microsoft 365 Defender – Single Portal Experience: Incidents, investigations, threat hunting, threat analytics; portal integration with Azure Sentinel
Playbook Automation – Ensure automation runs across all systems: Protect, Investigate, Remediate
Event / Alert / Incident Mappings – Semantics and Meaning: correlation, prioritization, orchestration, etc.
Unified entity definitions – Reputation for users, machines, email, IPs, etc.
Signal sharing across Identity, Endpoint, Email & Collab, Applications, Others
Intelligent Capabilities – High Quality Detection and Data
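The two slides above (tools pivoting on different attributes, and unified entity definitions as the fix) describe one mechanism: normalize every tool's pivot field into a shared entity key, then join alerts that touch the same entity into one incident. The following is an added example of that correlation step, not code from the MCRA deck or any Microsoft product. The alerts, the NetBIOS-to-UPN domain map and the assumption that a mailbox address equals the user's UPN are all constructed for this example.

```python
from __future__ import annotations
from collections import defaultdict

DOMAIN_MAP = {"CONTOSO": "contoso.com"}  # constructed: NetBIOS domain -> UPN suffix
MAILBOX_IS_UPN = True                     # assumption: a mailbox address is also the user's UPN

# Each tool pivots on its own attribute; this maps the raw field names to one entity type.
FIELD_MAP = {
    "user": ["userPrincipalName", "accountName"],
    "mailbox": ["recipientEmailAddress"],
    "host": ["computerName", "hostName"],
    "ip": ["ipAddress", "sourceIp", "senderIp"],
    "file": ["sha256", "fileSha256"],
}

SAMPLE_ALERTS = [  # constructed sample alerts, one per silo
    {"id": "A1", "source": "identity", "title": "Atypical travel sign-in",
     "userPrincipalName": "Alice@Contoso.com", "ipAddress": "203.0.113.7"},
    {"id": "A2", "source": "email", "title": "Malicious attachment delivered",
     "recipientEmailAddress": "alice@contoso.com", "senderIp": "198.51.100.9",
     "sha256": "ab" * 32},
    {"id": "A3", "source": "endpoint", "title": "Suspicious child process of Outlook",
     "computerName": "WKS-0451.corp.contoso.com", "accountName": "CONTOSO\\alice",
     "fileSha256": "AB" * 32},
    {"id": "A4", "source": "network", "title": "Beaconing to rare external host",
     "hostName": "wks-0451", "sourceIp": "10.1.2.3"},
    {"id": "A5", "source": "endpoint", "title": "Potentially unwanted application",
     "computerName": "LAB-07", "accountName": "CONTOSO\\bob"},
]


def normalize_user(raw: str) -> str:
    """DOMAIN\\user and UPN forms become the same lower-cased UPN key."""
    if "\\" in raw:
        dom, acct = raw.split("\\", 1)
        return f"{acct}@{DOMAIN_MAP.get(dom.upper(), dom.lower())}".lower()
    return raw.lower()


def entity_keys(alert: dict) -> set[str]:
    """Canonical 'type:value' keys for every entity the alert mentions."""
    keys = set()
    for etype, fields in FIELD_MAP.items():
        for field in fields:
            if field not in alert:
                continue
            value = alert[field]
            if etype == "user":
                value = normalize_user(value)
            elif etype == "host":
                value = value.split(".")[0].lower()   # FQDN and short name collapse
            else:
                value = value.lower()
            keys.add(f"{etype}:{value}")
            if etype == "mailbox" and MAILBOX_IS_UPN:
                keys.add(f"user:{value}")             # lets email alerts meet identity alerts
    return keys


def correlate(alerts: list[dict]) -> list[dict]:
    """Union-find over alerts: any two alerts sharing an entity key join one incident."""
    parent = {a["id"]: a["id"] for a in alerts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    first_seen = {}
    for alert in alerts:
        for key in entity_keys(alert):
            if key in first_seen:
                parent[find(alert["id"])] = find(first_seen[key])
            else:
                first_seen[key] = alert["id"]

    members = defaultdict(list)
    for alert in alerts:
        members[find(alert["id"])].append(alert)

    incidents = []
    for group in members.values():
        incidents.append({
            "alerts": sorted(a["id"] for a in group),
            "sources": sorted({a["source"] for a in group}),
            "entities": sorted(set().union(*(entity_keys(a) for a in group))),
        })
    # Cross-silo breadth first: an incident seen by more tools is likelier to be an intrusion.
    incidents.sort(key=lambda i: (-len(i["sources"]), i["alerts"]))
    return incidents


if __name__ == "__main__":
    for inc in correlate(SAMPLE_ALERTS):
        print(inc["alerts"], inc["sources"])
```

The normalization is where the bias described on the slide bites: if the endpoint tool reports DOMAIN\user and the identity tool reports a UPN, the four alerts above never meet without normalize_user(), and the analyst sees four unrelated tickets instead of one intrusion spanning email, endpoint, identity and network.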
May 2021 – https://aka.ms/MCRA


How do signals and AI help protect you?

In the rural Midwest of the U.S., a high school geography teacher received a brand-new variant of the Emotet banking trojan—the first person ever. But he had no idea. Signals and AI fully protected him.

1. The user clicks on an email attachment he receives, sent to his Gmail account, using the built-in Windows Mail app.
2. Before the attachment can open, the Mail app queries the attachment meta-data against 80-plus cloud-based machine learning models.
3. In parallel, the file is 'detonated' in the cloud and an AI system 'watches' to see what happens when he opens the attachment.
4. Utilizing signals and outcomes from trillions of historical email transactions, both services determine the file is malicious.
5. Mail deletes the attachment from the PC, flags the file for review by (human) analysts, and the AI systems automatically update.
6. Impact: this all occurred in fewer than 400 milliseconds—the blink of an eye.
To protect customers and make the internet safer, our global security teams use machine learning to process:
• Trillions of raw security signals, which generates
• Billions of complex predictions and
• Millions of automated actions

Microsoft Threat Intelligence – Built on diverse signal sources and AI
Signal sources feeding the Microsoft Cloud (machine learning and AI systems):
• 18M+ URLs scanned
• 4.1B+ meeting minutes delivered
• 1.8PBs of other clouds and network logs
• 1.2B+ PCs, servers, and IoT
• 470B+ emails analyzed
• 630B+ identities authenticated
• 1B+ apps and service users (iOS, macOS, Android, Linux, and IoT devices)
• 600B+ documents scanned
• 5B+ threats blocked
Trillions of signals → Billions of predictions → Millions of actions
Inside View of Microsoft Threat Intelligence

Trillions of signals – PRODUCT AND SERVICE TELEMETRY: sample zoos, dark markets, threat feeds, sinkholes and honeypots, detonation and sandboxes, services, IR intelligence. Products are instrumented to strict privacy/compliance standards (see Microsoft Trust Center).

[ Privacy/Compliance boundary ]

DATA COLLECTION AND ANALYSIS – Billions of predictions
• Products make data available
• Collection and Normalization
• Analytics (Machine Learning, detonation, behavior) help fuel new discoveries
• Results are published to Internal APIs; products use Interflow APIs to access results
• Products generate data which feeds back into the system

Millions of actions – consuming products: Azure Sentinel, Azure Defender, Azure AD Identity Protection (& Microsoft Accounts), Microsoft Defender for Identity, Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Cloud Application Security (MCAS), and more.
Humans (Threat Hunters, Security Engineers, Data Scientists, and more) identify attacks, improve analytics, and feed back into databases and product design.

Native Security for Azure

Guidance
• Azure Cloud Adoption Framework (CAF) – Guidance on security strategy, planning, roles and responsibilities: https://aka.ms/CAF
• Top 10 Azure Security Best Practices
• Azure Well Architected Framework (WAF)
• Azure Security Benchmarks (ASB) – Prescriptive Best Practices and Controls
• Privileged Access Workstation (PAW)

End-to-End capabilities that apply Zero Trust principles to Infrastructure & Platform as a Service (IaaS & PaaS)

Management Plane Security – Platform provided security guardrails, governance, policy, and more
• Azure Blueprints, Azure Policy, Management Groups, Role Based Access Control (RBAC)
• Azure Security Center, Azure Lighthouse, Resource Locks, Azure Backup & Site Recovery

Governance & Policy Enforcement – Azure AD Identity Governance
• Automated User Provisioning
• Entitlement Management
• Access Reviews
• Privileged Identity Management (PIM)
• Terms of Use

Preventive Controls

Zero Trust Access Control – Explicit trust validation for users and devices before allowing access
• Azure AD Conditional Access
• MFA and Passwordless: Azure AD MFA, Windows Hello, Existing MFA
• Azure AD Privileged Identity Management (PIM)
• Azure AD Identity Protection
• Microsoft Endpoint Manager: Intune, Configuration Manager
• Microsoft 365 Defender
• Microsoft Cloud App Security

Data Plane Security – Per-Application/Workload Controls; Enable Zero Trust Networking & Secure Access Service Edge (SASE)
• Internal Communications (East/West): Network/App Security Groups, PrivateLink & Service Endpoints, Azure Bastion, Azure Firewall and Firewall Management
• External Communications (North/South): API Management Gateway, Azure DDoS and Web Application Firewall (WAF), Azure AD App Proxy
• Encryption & Azure Key Vault, Application RBAC Model
• Azure DevOps Security, GitHub Advanced Security

Access model (‘Internal’ Access → Workstations → Accounts → Identity → Access and Privileges → Interface → Infrastructure → Resource → Network & ‘External’ Access)
• Business Users (Full Time Employees, Partners, and/or outsourced providers) – access applications
• Developers – CI/CD Pipeline
• Administrators – Azure Resource Management (ARM) API via Azure Portal, Command Line Interface (CLI), and automation
• App/Service and Automation/API
• Customers (and ‘External’ Partners) – Azure AD B2C and B2B
• Internet of Things (IoT) Devices – Azure IoT Hub, Azure Sphere
• Identity: Azure Active Directory, Active Directory (AD), Existing/Other
• Resources: On-Premises & Other Cloud Resources/Data

Risk Factors & Governance
• Microsoft Secure Score
• Azure Security Center (ASC) – Risk & Regulatory Compliance Reporting
• Azure Policy (audit) & Azure Resource Graph API

Threat Detection
• Microsoft 365 Defender: Microsoft Defender for Endpoint, Azure AD Identity Protection, Microsoft Defender for Identity, Microsoft Cloud App Security (MCAS)
• Azure Defender – Detections across assets and tenants: VMs & Tenants (Azure, On-prem, 3rd party clouds), Containers and Kubernetes, IoT and Legacy OT Devices (SCADA, ICS, etc.), Azure SQL & Cosmos DB, Azure Storage Accounts, and more
• Azure Sentinel – Threat detection, investigation, remediation, and hunting: Security Incident & Event Management (SIEM), Security Orchestration, Automation, and Remediation (SOAR), Unified Entity Behavioral Analytics (UEBA), Machine Learning (ML) & Artificial Intelligence (AI), Security Data Lake

Visibility – Raw Logs and Signal for Investigation & Hunting
• Azure WAF Alerts, Azure Firewall Alerts, MCAS Alerts and Logs, Azure DDOS Alerts, Application Logs
• Network Watcher – IP Flow logs, Packet Capture, Virtual TAP
• Endpoint logs; Azure AD logs, access logs, alerts, risk scoring; PIM Logs
• Azure activity log; Azure Service Diagnostic Logs & Metrics
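Azure Policy, listed above under Management Plane Security, is the guardrail that turns a configuration standard into a deny or audit decision at deployment time. The following is an added example, not code from the MCRA deck or from Azure: a small offline evaluator for policy definitions written in the Azure Policy rule language (the field / equals / notEquals / exists / in / allOf / anyOf / not subset used here, with deny and audit effects). Alias handling is a simplification made for this example: the last segment of a '<resourceType>/<property>' alias is read from the resource's properties bag. The two policies and four resources are constructed sample data.

```python
from __future__ import annotations

# Constructed sample guardrail: deny storage accounts that accept plaintext HTTP
# or allow anonymous public blob access.
DENY_INSECURE_STORAGE = {
    "displayName": "Storage accounts must use HTTPS only and block public blob access",
    "mode": "All",
    "policyRule": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
            {"anyOf": [
                {"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
                 "notEquals": True},
                {"field": "Microsoft.Storage/storageAccounts/allowBlobPublicAccess",
                 "equals": True},
            ]},
        ]},
        "then": {"effect": "deny"},
    },
}

# Constructed sample: audit (do not block) any resource that lacks an 'owner' tag.
AUDIT_MISSING_OWNER_TAG = {
    "displayName": "Resources should carry an owner tag",
    "mode": "Indexed",
    "policyRule": {
        "if": {"field": "tags['owner']", "exists": "false"},
        "then": {"effect": "audit"},
    },
}

SAMPLE_RESOURCES = [  # constructed ARM-style resource documents
    {"name": "stgprodlogs", "type": "Microsoft.Storage/storageAccounts", "location": "eastus",
     "tags": {"owner": "platform-team"},
     "properties": {"supportsHttpsTrafficOnly": True, "allowBlobPublicAccess": False}},
    {"name": "stglegacy", "type": "Microsoft.Storage/storageAccounts", "location": "westus",
     "properties": {"supportsHttpsTrafficOnly": False, "allowBlobPublicAccess": False}},
    {"name": "stgpublicweb", "type": "Microsoft.Storage/storageAccounts", "location": "eastus",
     "tags": {"owner": "web-team"},
     "properties": {"supportsHttpsTrafficOnly": True, "allowBlobPublicAccess": True}},
    {"name": "vm01", "type": "Microsoft.Compute/virtualMachines", "location": "eastus",
     "properties": {}},
]


def resolve_field(resource: dict, field: str):
    """Reads a policy 'field' from a resource. Top-level fields and tags['x'] follow the
    real syntax; alias handling is the simplification described in the lead-in."""
    if field in ("type", "name", "location", "id", "kind"):
        return resource.get(field)
    if field.startswith("tags[") and field.endswith("]"):
        return resource.get("tags", {}).get(field[5:-1].strip("'\""))
    return resource.get("properties", {}).get(field.rsplit("/", 1)[-1])


def _truthy(value) -> bool:
    return str(value).lower() == "true"     # Azure Policy accepts "false"/false for exists


def matches(resource: dict, cond: dict) -> bool:
    """Recursive evaluation of one condition node of a policyRule 'if' block."""
    if "allOf" in cond:
        return all(matches(resource, c) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(resource, c) for c in cond["anyOf"])
    if "not" in cond:
        return not matches(resource, cond["not"])
    value = resolve_field(resource, cond["field"])
    if "equals" in cond:
        return value == cond["equals"]
    if "notEquals" in cond:
        return value != cond["notEquals"]   # a missing field counts as 'not equal', as in Azure
    if "in" in cond:
        return value in cond["in"]
    if "exists" in cond:
        return (value is not None) == _truthy(cond["exists"])
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(resource: dict, policy: dict):
    """Effect the policy would apply to this resource, or None when it is compliant/out of scope."""
    rule = policy["policyRule"]
    return rule["then"]["effect"] if matches(resource, rule["if"]) else None


def compliance_report(resources: list[dict], policies: list[dict]) -> dict:
    """name -> list of effects triggered; an empty list means compliant with every policy."""
    return {r["name"]: [e for e in (evaluate(r, p) for p in policies) if e]
            for r in resources}


if __name__ == "__main__":
    for name, effects in compliance_report(
            SAMPLE_RESOURCES, [DENY_INSECURE_STORAGE, AUDIT_MISSING_OWNER_TAG]).items():
        print(f"{name}: {effects or 'compliant'}")
```

Note the notEquals branch: a storage account whose supportsHttpsTrafficOnly property is absent is still denied, which is the behaviour to want from a guardrail (fail closed on an unknown setting) and the reason the real built-in policies are written with notEquals rather than equals false.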
Attackers have options to compromise privileged access

[Diagram – Potential Attack Surface] Business Critical Assets (across on-premises, cloud, OT, & IoT) are reached through the privileged access path (Devices/Workstations → Account → Intermediaries → Interface → Identity Systems / Cloud Service Admin) and, via authorized elevation paths, from ordinary user access (Devices/Workstations → Account → Intermediaries → Interface → Business Critical Systems). Every one of these elements is a place an attacker can take over the path.

Limit and protect pathways to privileged access
Prevention and rapid response. Asset Protection also required: security updates, DevSecOps, data at rest / in transit, etc.

[Diagram – same privileged access and user access paths as above, now showing the elements to protect]

Complete End-to-end approach – Required for meaningful security
End-to-end approach to security: increase the attacker's cost to gain access and reach business critical assets.

Attacker's cost vs. levels of security:
• $ – Enterprise Security: typical path of user access (Devices/Workstations → Account → Intermediaries → Interface → Business Critical Systems)
• $$ – Specialized Security
• $$$ – Privileged Access (Identity Systems, Cloud Service Admin)

Increase attacker cost with stronger security defenses on high business impact assets.

See https://aka.ms/deploySPA for implementation guidance
Security level drill down – End-to-end Protection for Privileged Sessions
A session is the combination of the device initiating it, the account, the intermediary, and the interface controlling resource access; each is hardened to the same level.

Enterprise Security – Baseline security for assets + starting point for higher security
  Role Recommendation: Standard users
  Device (physical device initiating session): Enterprise Device
  Account (with access to resources): Enterprise Account
  Intermediary (Remote Access / Admin Broker): Enterprise Intermediary
  Interface (controlling resource access): Enterprise Interface

Specialized Security – Enhanced security profile for higher value assets
  Role Recommendation: High impact users / developers
  Device: Specialized Device
  Account: Specialized Account
  Intermediary: Specialized Intermediary
  Interface: Specialized Interface

Privileged Security – Strongest security for highest impact assets and accounts
  Role Recommendation: For privileged access roles; IT Operations
  Device: Privileged Access Workstation (PAW)
  Account: Privileged Account
  Intermediary: Privileged Intermediary
  Interface: Privileged Interface

Cloud Considerations
• Protect cloud (and other) resources - Guidelines apply to Microsoft clouds, 3rd party clouds, and on-premises
• Cloud is the security provider - Cloud management and security services are used for all (when technically feasible)
Enterprise Access Model – Secure and productive access to your resources

Privileged Access – Enables IT administrators and other high impact roles to access sensitive systems and data. Stronger security for higher impact accounts.
• IT Admins and High Impact Roles: Privileged Accounts (and PIM/PAM Systems), Privileged Devices & Workstations, Intermediary(ies) (Admin Remote Access, Jumpservers, Session Management, Proxies, etc.)

Control Plane – Access Control for Assets (zero trust policy enforcement)
• Secure - Explicit validation of users and devices during access
• Consistent – Single strategy and fewest possible policy engines
• Comprehensive – Enforcement with identity, network, apps, data, etc.
• Identity Centric – Prefer identity controls when available because of rich context into access requests and granular coverage across scenarios

Management Plane – Asset Management, monitoring and Security
Control and Management Planes provide unified access and management for workloads and assets (and provide attackers a shortcut for illicit objectives).

Data/Workload Plane – Data/Workloads: Machine Learning (ML), Applications, API, Data & Websites
Create and store business value in:
• Business processes (in apps/workloads)
• Intellectual property (in data and apps)

User and App Access – How employees, partners, and customers access these resources
• User Access: Employee and Partner/Outsourcer User Accounts, User Devices & Workstations, Intermediary(ies) (Remote Access, Proxies, Virtual Desktop, etc.)
• App Access (Internal)
• App Access (External): Customer and Partner
• Public Access (unauthenticated)
Evolution of ransomware models

Opportunistic Ransomware - Single Device: Cryptolocker, Wannacrypt, (Not)Petya
Human Operated Ransomware - Enterprise Organization
Timeline: 2013, 2016, 2017, 2020

2013 - New Business Model: Monetizes by extorting need to access data (single device)
2019 - Vastly Expands Extortion Scope: to enterprise scale attacks (all data & systems), monetizing major business disruption and/or disclosure of confidential data

Human Operated Ransomware - high impact & growing
Not another background security risk

What's different?
• High Business impact – Extortion must disrupt business operations to motivate payment (stop business operations)
• Profitable for Attackers – Economic incentive to continue growing
• Room to Grow – Attackers can monetize security maintenance gaps at most enterprises:
  • Apply security updates consistently to all computers
  • Securely configure all resources using manufacturer best practices
  • Mitigate credential theft attacks for privileged users

[Chart] Impact (limited → immediate) against scope (per computer → enterprise wide): Commodity Ransomware sits at limited impact, per computer; Targeted Data Theft and Human Operated Ransomware sit at immediate impact, enterprise wide.
Pattern – Human Operated Ransomware

ENTER ENVIRONMENT – Attacker gains access to organization
• Client Attacks: Email, Credential, Browser, etc.
• Datacenter Attacks: RDP, SSH, Server, App, etc.
• Ransomware actors sometimes buy access to target organizations from other attackers in dark markets

TRAVERSE & SPREAD – Attacker gains administrative access to organization
• Credential Theft
• Logon with legit creds
• Malware Installation
  • Sabotage Backup/Recovery
  • Establish persistence

EXECUTE OBJECTIVES
• Encryption – Lock up Data
• Exfiltration – Steal Data
• Extortion – Demand Money

Human Attack Operator(s), assisted by scripts and malware
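The pattern above is detectable because the traverse-and-spread stage leaves hands-on-keyboard traces (credential theft, backup/recovery sabotage, persistence) on hosts before encryption starts. The following is an added example of detection logic over process-creation events, not code from the MCRA deck or from any Microsoft product. The indicator command lines are an assumption made for this example (they are common, documented backup-sabotage, LSASS-access and persistence commands, not an exhaustive rule set), and the seven events are constructed sample data.

```python
from __future__ import annotations
import re
from collections import defaultdict

# Detection content: stage -> (rule name, regex over the lower-cased command line).
# Assumption for this example: these indicators were chosen as illustrative, not exhaustive.
RULES = {
    "backup_sabotage": [
        ("shadow copies deleted", r"vssadmin(\.exe)?\s+delete\s+shadows"),
        ("shadow copies deleted via wmic", r"wmic(\.exe)?\s+shadowcopy\s+delete"),
        ("backup catalog deleted", r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)"),
        ("boot recovery disabled",
         r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)"),
    ],
    "credential_theft": [
        ("lsass memory dump", r"procdump(64)?(\.exe)?\s.*\blsass"),
        ("mimikatz usage", r"mimikatz|sekurlsa::"),
        ("ntds.dit export", r"ntdsutil(\.exe)?\s.*\bifm\b"),
    ],
    "persistence": [
        ("scheduled task created", r"schtasks(\.exe)?\s+/create"),
        ("run key added", r"reg(\.exe)?\s+add\s+.*\\currentversion\\run"),
    ],
}

SAMPLE_EVENTS = [  # constructed process-creation events (timestamp, host, user, command line)
    {"ts": "2021-05-03T01:12:04Z", "host": "WKS-0451", "user": "CONTOSO\\alice",
     "cmd": "cmd.exe /c whoami /all"},
    {"ts": "2021-05-03T01:15:30Z", "host": "WKS-0451", "user": "CONTOSO\\alice",
     "cmd": "procdump64.exe -accepteula -ma lsass.exe C:\\Users\\Public\\l.dmp"},
    {"ts": "2021-05-03T01:40:11Z", "host": "FS-01", "user": "CONTOSO\\svc_backup",
     "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2021-05-03T01:40:12Z", "host": "FS-01", "user": "CONTOSO\\svc_backup",
     "cmd": "bcdedit.exe /set {default} recoveryenabled No"},
    {"ts": "2021-05-03T01:41:00Z", "host": "FS-01", "user": "CONTOSO\\svc_backup",
     "cmd": "wbadmin delete catalog -quiet"},
    {"ts": "2021-05-03T01:45:00Z", "host": "FS-01", "user": "CONTOSO\\svc_backup",
     "cmd": "schtasks /create /sc onstart /tn Updater /tr C:\\ProgramData\\u.exe /ru SYSTEM"},
    {"ts": "2021-05-03T09:00:00Z", "host": "WKS-0090", "user": "CONTOSO\\bob",
     "cmd": "vssadmin.exe list shadows"},   # benign: listing, not deleting
]

COMPILED = {stage: [(name, re.compile(rx)) for name, rx in rules]
            for stage, rules in RULES.items()}


def match_event(event: dict) -> list[tuple[str, str]]:
    """(stage, rule name) pairs that the event's command line triggers."""
    cmd = event["cmd"].lower()
    return [(stage, name) for stage, rules in COMPILED.items()
            for name, rx in rules if rx.search(cmd)]


def severity(stages: set[str]):
    """Recovery denial alone is high; combined with another stage on the same host it is
    the execute-objectives phase of the pattern and should page someone now."""
    if "backup_sabotage" in stages and len(stages) > 1:
        return "critical"
    if "backup_sabotage" in stages:
        return "high"
    if stages:
        return "medium"
    return None


def analyze(events: list[dict]) -> dict:
    """host -> severity, stages seen and the individual hits, for hosts with any hit."""
    per_host = defaultdict(lambda: {"hits": [], "stages": set()})
    for ev in events:
        for stage, name in match_event(ev):
            per_host[ev["host"]]["hits"].append((ev["ts"], ev["user"], name))
            per_host[ev["host"]]["stages"].add(stage)
    return {host: {"severity": severity(d["stages"]),
                   "stages": sorted(d["stages"]),
                   "hits": d["hits"]}
            for host, d in per_host.items()}


if __name__ == "__main__":
    for host, finding in analyze(SAMPLE_EVENTS).items():
        print(host, finding["severity"], finding["stages"])
```

The scoring reflects the deck's point that efficient extortion depends on denying recovery: a lone LSASS dump on a workstation is a medium finding worth an investigation ticket, but shadow-copy deletion on a file server followed by a new scheduled task is the moment backups are being sabotaged and is rated critical.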
Key Takeaways

Stakes have changed with evolved threat – New attacker business model changes the impact and likelihood of attacks

No end in sight – potential explosive growth trajectory from
 • Attacker Profitability to fund and incent future attacks
 • Lack of resistance to growth from legal or technical obstacles

Attacks have weaknesses – efficient extortion relies on
 • Getting asset access – rapidly via admin privileges
 • Denying recovery – via backups and recovery processes

Urgently Follow Mitigation Plan – for critical defenses (aka.ms/humanoperated)
1. Rapidly and securely restore critical business operations
2. Protect Admins to strengthen privileged access security
3. Clean up common/cheap entry points to continually increase attacker cost and friction
