Microsoft Threat Protection + WDATP + AATP overview
2. The challenge of securing your environment
• The digital estate offers a very broad surface area that is difficult to secure.
• Bad actors are using increasingly creative and sophisticated attacks.
• Integrated, intelligent correlation and action on signals is difficult, time-consuming, and expensive.
3. Attack chain: user browses to a website / phishing mail / opens attachment / clicks on a URL → Exploitation & Installation → Command & Control → brute force account or use stolen account credentials → user account is compromised → attacker attempts lateral movement → privileged account compromised → domain compromised → attacker accesses sensitive data → exfiltrate data
Maximize Detection:
• Azure AD Identity Protection: identity protection & conditional access
• Cloud App Security: extends protection & conditional access to other cloud apps
• Azure ATP: identity protection
• Microsoft Defender ATP: endpoint detection, protection and response
• Office ATP: safeguards against malicious threats posed by email messages, links (URLs) and collaboration tools
4. Each physical datacenter protected with world-class, multi-layered protection
Secured with cutting-edge operational security:
• Restricted access
• 24x7 monitoring
• Global security experts
Global cloud infrastructure with custom hardware and network protection; over 100 datacenters across the planet.
5. Microsoft Security Advantage
• $1B annual investment in cybersecurity
• 3500+ global security experts
• Trillions of diverse signals for unparalleled intelligence
7. Optimal security, minimal complexity
Today’s security is multiple, disjointed, complex products: Mail Protection, Single Sign On, DLP & GDPR, Identity Security, Apps Security, Incident Response, Mail Encryption, Device Management, Endpoint Security.
Microsoft Threat Protection covers Identities, Endpoints, User Data, Cloud Apps and Infrastructure.
8. Microsoft Threat Protection components: Microsoft Intune, Office 365 Threat Intelligence/ATP P2, Microsoft Defender Advanced Threat Protection, Azure Active Directory, Office 365 Advanced Threat Protection P1, Microsoft Cloud App Security, Azure Security Center, Azure Advanced Threat Protection, Windows 10, Exchange Online Protection, SQL Server, Windows Server, Linux.
The five protected domains:
1. Identities: validating, verifying and protecting both user and admin accounts
2. User Data: evaluating email messages and documents for malicious content
3. Endpoints: protecting user devices and signals from sensors
4. Infrastructure: protecting servers, virtual machines, databases and networks across cloud and on-premises locations
5. Cloud Apps: protecting SaaS applications and their associated data stores
14. The five domains and what they cover:
• Identities: users and admins
• Endpoints: devices and sensors
• User Data: email messages and documents
• Cloud Apps: SaaS applications and data stores
• Infrastructure: servers, virtual machines, databases, networks
Intelligent Security Graph: 6.5 TRILLION signals per day
18. Protect sensitive data on-premises and in the cloud (Microsoft Information Protection)
• Classification and labeling: classify data based on sensitivity and add labels, manually or automatically.
• Protection: encrypt your sensitive data and define usage rights or add visual markings when needed.
• Monitoring: use detailed tracking and reporting to see what’s happening with your shared data and maintain control over it.
19. Microsoft Threat Protection
A comprehensive, seamlessly integrated solution providing end-to-end security for your organization.
Microsoft 365 Security Center draws on: Azure Security Center, 3rd party data sources, Azure Active Directory, Microsoft Defender ATP, Office 365 ATP, Microsoft Cloud App Security, Azure ATP.
Microsoft Threat Protection automation; Microsoft Azure Sentinel (our next generation SIEM): event orchestration.
Coverage: Cloud & Hybrid Infrastructure, Endpoints, Identities, Data & Email, Cloud Apps.
21. Built-in. Cloud-powered.
⁞ Embedded into Windows 10
⁞ World class anti-tampering
⁞ Deep data collection & 6m storage
⁞ Best of breed EPP, EDR
⁞ Support for W7/8, non-Windows
⁞ Integrated config mgmt.
⁞ Vulnerability analysis
⁞ Secure score & CA
⁞ Automation
⁞ Cross suite integrations
⁞ Data separation, RBAC
⁞ Cloud expertise
26. Vulnerability Management Isn’t Just Scanners Anymore
• Discover (Continuous Discovery): find vulnerable applications and configuration via continuous endpoint monitoring to gain immediate situational awareness.
• Prioritize (Context-Aware Prioritization): prioritize findings by enriching them with threat intelligence sources, business context and crowd wisdom to build an accurate risk report.
• Mitigate (Surgical Mitigation & Automated Fix): mitigate threats by tailoring a surgical mitigation/fix plan based on organizational risk using Microsoft’s security stack, 1st party and 3rd party partners.
39. Fileless (living-off-the-land) threats
Highly sophisticated, human-operated ransomware
Legitimate business software used as a weapon
Each platform has a unique threat landscape
Hardware/firmware attacks are a growing risk
Targeted attacks leading to data breaches continue to grow
42. Next-generation protection engines (ML + Cloud powered!)
• Behavior Monitoring: file system, boot/volume, registry, process/DLLs, network, code injection, …
• Memory Scanning: quick scan, on system events, ad-hoc requests by Behavior Monitoring; defeats polymorphism
• Command Line Detection: especially effective against LOLBIN, LOLBAS, obfuscation
• AMSI: instrumentation of JavaScript, VBScript, Macro, PowerShell, WMI, .NET
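The "Command Line Detection" and AMSI bullets above describe telemetry that a defender can reason over. The following is an added example, not code from the deck or from any Microsoft product: a small scanner over constructed process-creation records that flags script hosts launched from Office applications and decodes PowerShell encoded command lines so the analyst sees what actually ran. The parent/image/command-line field names and the process lists are assumptions for the illustration.

```python
import base64
import re

# Constructed process-creation records (not real telemetry); field names are an assumption
SAMPLE_PROCESS_EVENTS = [
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmd": "powershell.exe -File C:\\scripts\\backup.ps1"},
    {"parent": "winword.exe", "image": "powershell.exe",
     "cmd": "powershell.exe -w hidden -enc "
            + base64.b64encode("Write-Host test".encode("utf-16-le")).decode()},
    {"parent": "excel.exe", "image": "wscript.exe",
     "cmd": "wscript.exe //B C:\\Users\\Public\\inv.vbs"},
    {"parent": "services.exe", "image": "svchost.exe", "cmd": "svchost.exe -k netsvcs"},
]

# Office applications rarely need to spawn script interpreters; these sets are illustrative
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# PowerShell accepts -e, -ec, -enc and -encodedcommand followed by base64 of UTF-16LE text
ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+(\S+)", re.IGNORECASE)


def decode_encoded_command(cmd):
    """Return the decoded script text if `cmd` carries an encoded block, else None."""
    m = ENCODED_ARG.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed payload: treat as not decodable rather than crashing the scan


def scan(events):
    """Return one alert per event that matches at least one rule, with the reasons listed."""
    alerts = []
    for ev in events:
        reasons = []
        if ev["parent"].lower() in OFFICE_PARENTS and ev["image"].lower() in SCRIPT_HOSTS:
            reasons.append("script host spawned by Office application")
        decoded = decode_encoded_command(ev["cmd"])
        if decoded is not None:
            reasons.append("encoded PowerShell command line")
        if reasons:
            alerts.append({"image": ev["image"], "parent": ev["parent"],
                           "reasons": reasons, "decoded": decoded})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_PROCESS_EVENTS):
        print(alert)
```

The decoded text is what AMSI-style instrumentation would hand to the engine at execution time; the parent/child rule is the cheaper, pre-execution signal. Both are heuristics, so in production they would be tuned against the organisation's own baseline of legitimate script use.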
55. A uniquely integrated endpoint protection platform
Orchestrated protection and remediation across: Microsoft Defender ATP, Microsoft Intune, Azure Information Protection, Microsoft Secure Score, Azure Security Center, Azure AD & Conditional Access, Microsoft Cloud App Security, Microsoft Office 365.
57. The anatomy of an attack
User: anomalous user behavior, unfamiliar sign-in location.
Attacker: zero-day / brute-force attack → user account is compromised → attacker attempts lateral movement (lateral movement attacks, escalation of privileges, account impersonation) → privileged account compromised → attacker accesses sensitive data → attacker steals sensitive data.
58. Azure ATP: detect and investigate advanced attacks involving identities across on-premises, cloud and hybrid environments.
60. Azure ATP
• Monitor your on-premises Active Directory with a convenient cloud service
• Reduce strain and cost in your on-premises environment with analytics done in the cloud
• Scale your anomalous behavior detections with the power of the cloud
• Pivot to and remediate a malicious attack in Windows Defender ATP
• Deploy with ease into your existing infrastructure
• Benefit from the scale of the cloud
61. Azure ATP timeline
• Get a clear, efficient, and convenient feed that surfaces the right things on a timeline
• Enjoy the power of perspective on the “who-what-when-and-how” of your enterprise
• Benefit from detailed information for next steps
• Focus on what is important using the simple attack timeline
63. Azure Advanced Threat Protection detections
Attack phases covered: Reconnaissance, Compromised Credential, Lateral Movement, Privilege Escalation, Domain Dominance.
• Abnormal resource access
• Account enumeration
• Net Session enumeration
• DNS enumeration
• SAM-R enumeration
• Abnormal working hours
• Brute force using NTLM, Kerberos, or LDAP
• Sensitive accounts exposed in plain text authentication
• Service accounts exposed in plain text authentication
• Honey Token account suspicious activities
• Unusual protocol implementation
• Malicious Data Protection Private Information (DPAPI) request
• Abnormal VPN
• Abnormal authentication requests
• Abnormal resource access
• Pass-the-Ticket
• Pass-the-Hash
• Overpass-the-Hash
• Malicious service creation
• MS14-068 exploit (Forged PAC)
• MS11-013 exploit (Silver PAC)
• Skeleton key malware
• Golden ticket
• Remote execution
• Malicious replication requests
• Abnormal modification of sensitive groups
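Three of the detections listed above (brute force over NTLM/Kerberos/LDAP, honey token account activity, abnormal working hours) are simple enough to show as detection logic over authentication events. The block below is an added example, not Azure ATP's implementation or any code from the deck: it parses a constructed log format (the line layout, the decoy account name, the 08:00 to 19:00 business-hours window and the five-failures-in-ten-minutes threshold are all assumptions) and returns one alert list per rule.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log (not from any product); one event per line:
# <ISO time> <protocol> <OK|FAIL> src=<host> user=<account>
SAMPLE_LOG = """\
2019-05-02T09:05:00 KERBEROS OK src=WS01 user=alice
2019-05-02T09:06:10 NTLM FAIL src=WS07 user=bob
2019-05-02T09:06:12 NTLM FAIL src=WS07 user=bob
2019-05-02T09:06:15 NTLM FAIL src=WS07 user=bob
2019-05-02T09:06:19 NTLM FAIL src=WS07 user=bob
2019-05-02T09:06:25 NTLM FAIL src=WS07 user=bob
2019-05-02T09:06:31 NTLM OK src=WS07 user=bob
2019-05-02T10:15:00 LDAP OK src=WS03 user=svc-decoy
2019-05-03T02:40:00 KERBEROS OK src=WS01 user=alice
2019-05-03T09:00:00 KERBEROS OK src=WS01 user=alice
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (OK|FAIL) src=(\S+) user=(\S+)$")

# Hypothetical decoy account: it exists only to be noticed, so any use of it is suspicious
HONEY_TOKENS = {"svc-decoy"}


def parse(log_text):
    """Turn the log text into event dicts, skipping lines that do not match the format."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, proto, result, src, user = m.groups()
        events.append({"time": datetime.fromisoformat(ts), "proto": proto,
                       "ok": result == "OK", "src": src, "user": user})
    return events


def detect_brute_force(events, threshold=5, window=timedelta(minutes=10)):
    """Flag (source, account) pairs with `threshold` failures inside `window`.

    A success arriving while the failure burst is still inside the window is
    recorded as `successful`, which is the case an analyst must look at first.
    """
    alerts = {}
    fails = defaultdict(deque)  # sliding window of failure timestamps per (src, user)
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["src"], ev["user"])
        q = fails[key]
        while q and ev["time"] - q[0] > window:
            q.popleft()
        if not ev["ok"]:
            q.append(ev["time"])
            if len(q) >= threshold and key not in alerts:
                alerts[key] = {"type": "brute_force", "src": ev["src"], "user": ev["user"],
                               "proto": ev["proto"], "successful": False}
        elif key in alerts and q:
            alerts[key]["successful"] = True
    return list(alerts.values())


def detect_honey_token(events, decoys=HONEY_TOKENS):
    """Any authentication attempt, successful or not, against a decoy account is an alert."""
    return [{"type": "honey_token", "src": ev["src"], "user": ev["user"],
             "time": ev["time"].isoformat()} for ev in events if ev["user"] in decoys]


def detect_abnormal_hours(events, start_hour=8, end_hour=19):
    """Successful logons outside the assumed business-hours window."""
    return [{"type": "abnormal_hours", "src": ev["src"], "user": ev["user"],
             "time": ev["time"].isoformat()}
            for ev in events if ev["ok"] and not (start_hour <= ev["time"].hour < end_hour)]


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for alert in detect_brute_force(evs) + detect_honey_token(evs) + detect_abnormal_hours(evs):
        print(alert)
```

The working-hours rule uses a fixed window here; a product-grade version learns a per-account baseline, which is what makes the Azure ATP detection "abnormal" rather than simply "after hours".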
64. ATP Architecture (diagram; recoverable labels)
• Domain Controller with the Azure ATP Sensor installed: parsed network traffic from the DCs and events are sent to Azure ATP.
• Domain Controller with port mirroring to an Azure ATP Standalone Sensor; events delivered via Windows Event Forwarding.
• Azure ATP cloud service: access to console (workspace management, workspace portal), alert notifications, alert notifications to SIEM, integration with Windows Defender ATP.
• SIEM: receives alert notifications.
65. Using intelligence for a unified identity investigation across on-premises and cloud activities: Azure ATP, Microsoft Cloud App Security, Azure AD Identity Protection.
66. Attack timeline
1. Day 1 – 11: Attacker compromises privileged user’s non MFA-enabled account. (COMPROMISED CREDENTIAL)
2. Day 16 – 218: Attackers perform mailbox searches across Office 365.
3. Day 137 – 143: Attackers create rules on Contoso’s SharePoint and email to automate data exfiltration to a cloud storage solution. (EXFILTRATE DATA)
4. Day 16 – 163: Attacker uses stolen credentials to VPN into corporate network. (CONNECTION TO ON-PREM)
5. Day 163 – 243: Attacker moves laterally throughout organization’s network, compromising privileged credentials. (MOVE LATERALLY)