Slides from training session "Chef's tour of the Security Adoption Framework" by Mark Simos at Tampa BSides training day on 5 April 2024
This session provides a view of end to end security following Zero Trust principles (and how Microsoft guides customers through this modernization journey)
2. About the Chef
Mark Simos
Lead Cybersecurity Architect, Microsoft
Zero Trust Architecture Co-Chair, The Open Group
Author, Zero Trust Playbook (ZeroTrustPlaybook.com)
aka.ms/MarksList
3. Chef's Tour of SAF
A tour of end-to-end security that provides key references and samples across many areas of security.
This training will use the Microsoft Security Adoption Framework (SAF) to guide you through security across a 'hybrid of everything' technical estate.
• SAF delivered through Microsoft Unified
• Extensive free resources available online at https://aka.ms/SAF, including MCRA and the CISO workshop
4. Learning objectives
By the end of this session you will:
• Better understand the importance of an end to end security approach
• Better understand how the Security Adoption Framework (SAF) guides you through strategy, planning, and adoption of modern security approaches
• Have a deep appreciation for security complexity
  • Learn a lot from this session
  • Understand how much more there is to learn and do
5. Whiteboard – Current Security Architecture
Geography and Cloud Usage
• Where does your organization operate?
• Which workloads are in the cloud? Which major cloud providers? (SaaS, PaaS, IaaS)
Business and Technical Drivers
• What is top of mind for business stakeholders?
• What risks are important to the business?
• Which business/technology initiatives are driving change?
• What metrics are important to your program?
Threats
• What types of attacks and adversaries are top of mind?
Compliance
• Large & notable regulatory requirements
Architecture, Policy, and Collaboration
Describe how teams work together on end to end security + guiding documents/artifacts:
• Enterprise-wide security architecture approach and documentation
• Policy update, monitoring, and related governance processes
• Posture and vulnerability management processes
• Technical collaboration processes (e.g. sharing learnings, joint technical planning, etc. with security operations, architects, engineers, posture management, governance, others)
• Differences between on premises vs. cloud processes
6. Security challenges are significant and continuously evolving
Microsoft investments to help security teams:
• End to end security capabilities
• Guidance and workshops
Illustrative examples of Security Adoption Framework (SAF) workshop content: Getting Started and Next Steps, Overview and Scoping, Adoption Framework
SAF guides your end to end security modernization journey using Zero Trust principles
7. Security Success = Attacker Failure + Increased Attacker Cost/Friction
Invest intentionally into providing these durable outcomes:
• Find and kick them out fast: reduce dwell time (mean time to remediate) with rapid detection and remediation
• Block cheap and easy attacks: increase cost and friction for well known & proven attack methods (or easy to block options)
‘Left of Bang’: prevent as many attacks as possible
‘Right of Bang’: rapidly and effectively manage attacks
Requires end to end collaboration
8. It’s bad out there!
For sale in “bad neighborhoods” on the internet:
• Attacker for hire: $250 per job (and up)
• Ransomware kits: $66 upfront (or 30% of the profit / affiliate model)
• Compromised PCs / devices: PC $0.13 to $0.89; mobile $0.82 to $2.78
• Spearphishing for hire: $100 to $1,000 (per successful account takeover)
• Stolen passwords: $0.97 per 1,000 (average); bulk $150 for 400M
• Denial of service: $766.67 per month
• Attackers and other services
Continuous attack supply chain innovation: attacker techniques, business models, and skills/technology are continuously evolving. Many attack tools and tutorials/videos are available for free on the internet.
9. Threat environment is continually evolving
Attackers must change to overcome defenses (in big or small ways)
Leading Edge - pushed forward by sophisticated groups & researchers
• Adoption & exploitation of Artificial Intelligence (AI)
• Supply chain techniques
• OT and IoT threats
• Insider risk
• Stealth - Evading indicators of compromise (IOCs) and other detections
• Improve existing techniques – Identity/MFA evolution, zero day vulnerabilities, exploit line of business (LOB) apps, etc.
Note: Sophisticated attackers sometimes use commodity toolkits to hide their origin
Commoditization – increases scale and impact of attacks
• Criminal gangs copy or purchase advanced techniques, integrate into toolkits
• Also evolve financial and social aspects of extortion/ransomware models
Agile Security is required to keep up with continuous changes
10. Security is complex and challenging
Attackers have a lot of options (infrastructure, application, data, people), forcing security into a holistic, complex approach
➢ Regulatory Sprawl - 200+ daily updates from 750 regulatory bodies
➢ Threats – Continuously changing threat landscape
➢ Security Tools – dozens or hundreds of tools at customers
Must secure across everything: Hybrid of Everything, Everywhere, All at Once
➢ Brand New - IoT, DevOps, and Cloud services, devices and products
➢ Current/Aging - 5-25 year old enterprise IT servers, products, etc.
➢ Legacy/Ancient - 30+ year old Operational Technology (OT) systems
Nothing gets retired! Usually for fear of breaking something (& getting blamed)
Attacks can shut all business operations down, creating board level risk
‘Data swamp’ accumulates: managed data + unmanaged ‘dark’ data
11. False Assumptions of implicit or explicit trust → Zero Trust Mitigation
Goal: Zero Assumed Trust. Reduce risk by finding and removing implicit assumptions of trust; systematically build & measure trust.
• False assumption: Security is the opposite of productivity → Business Enablement: align security to the organization’s mission, priorities, risks, and processes
• False assumption: All attacks can be prevented → Assume Compromise: continuously reduce blast radius and attack surface through prevention and detection/response/recovery
• False assumption: Network security perimeter will keep attackers out → Shift to Asset-Centric Security Strategy: revisit how to do access control, security operations, infrastructure and development security, and more
• False assumption: Passwords are strong enough → Explicitly Validate Account Security: require MFA and analyze all user sessions with behavior analytics, threat intelligence, and more
• False assumption: IT Admins are safe → Plan and Execute Privileged Access Strategy: establish security of accounts, workstations, and other privileged entities (aka.ms/spa)
• False assumption: IT Infrastructure is safe → Validate Infrastructure Integrity: explicitly validate trust of operating systems, applications, service accounts, and more
• False assumption: Developers always write secure code → Integrate security into development process: security education, issue detection and mitigation, response, and more
• False assumption: The software and components we use are secure → Supply chain security: validate the integrity of software and hardware components from open source, vendors, and others
With 30+ years of backlog at most organizations, it will take a while to burn down the backlog of assumed trust
12. Microsoft is investing in security for our customers
There are no easy answers, but we are investing to make it easier
• Security Technology: automate and improve security processes by simplifying and automating security for the ‘hybrid of everything’ technical estate
• Expert Engagements: help you assess, plan, implement, and optimize security programs and technology based on best practices and lessons learned
• Continuous improvement: Microsoft invests $1b+ per year into security research & development; 8500+ security professionals on staff across 77 countries
• Accelerate Modernization: help integrate security successfully into IT and business processes to reduce risk and minimize friction
13. End to end security for ‘hybrid of everything’ technical estate
Microsoft security portfolio:
• Secure Identities and Access
• Modern Security Operations (SecOps/SOC)
• Infrastructure & Development Security
• Data Security & Governance
• IoT and OT Security
Effective security requires people & process changes:
• Security Strategy and Program: align to business priorities, business risks, and industry best practices
• Zero Trust Architecture: end to end security approach based on Zero Trust principles and industry best practices
14. Cybersecurity Reference Architecture
Security modernization with Zero Trust Principles. December 2023 – aka.ms/MCRA
Security Guidance: Security Adoption Framework; Security Documentation; Cloud Security Benchmarks; Securing Privileged Access (aka.ms/SPA); Security Development Lifecycle (SDL); Service Trust Portal (how Microsoft secures cloud services)
Threat Intelligence: 65+ trillion signals per day of security context
Security Posture Management: monitor and mitigate technical security risks using Secure Score, Compliance Score, CSPM (Defender for Cloud), Microsoft Defender External Attack Surface Management (EASM) and Vulnerability Management
Security Operations / SOC
• Microsoft Defender XDR: unified threat detection and response across IT, OT, and IoT assets (Incident Response | Automation | Threat Hunting | Threat Intelligence)
• Microsoft Sentinel: cloud native SIEM, SOAR, and UEBA
• Microsoft Security Copilot (Preview)
• Managed Security Operations using Microsoft Security; Microsoft Security Experts: Defender Experts | Detection and Response Team (DART)
• Coverage: Endpoint (workstations, server/VM, containers, etc.); Office 365 (email, Teams, and more); Cloud (Azure, AWS, GCP, on prem & more); Identity (cloud & on-premises); SaaS (cloud apps); Data (SQL, DLP, & more); OT/IoT devices; Other (tools, logs, & data)
Identity & Access
• Microsoft Entra; Active Directory
• Conditional Access: Zero Trust access control decisions based on explicit validation of user trust and endpoint integrity
• Entra ID Protection: leaked credential protection, behavioral analytics
• Passwordless & MFA: Authenticator App, Hello for Business, FIDO2 Keys
• Defender for Identity; Microsoft Entra PIM; External Identities; ID Governance
• Entra Permission Management: discover and mitigate cloud infrastructure permission creep
• Microsoft Entra Private Access & App Proxy (beyond user VPN); Microsoft Entra Internet Access
• Privileged Access Workstations (PAWs): secure workstations for administrators, developers, and other sensitive users
Endpoints & Devices
• Microsoft Defender for Endpoint (unified endpoint security): Endpoint Detection & Response (EDR), Threat & Vulnerability Management, Endpoint Data Loss Protection (DLP), Web Content Filtering
• Windows 11 & 10 Security: network protection, credential protection, full disk encryption, attack surface reduction, app control, exploit protection, behavior monitoring, next-generation protection
• Unified Endpoint Management (UEM): Intune, Configuration Manager
Hybrid Infrastructure – IaaS, PaaS, On-Premises (Microsoft Azure, Azure Stack, Azure Marketplace, 3rd party IaaS & PaaS, on premises datacenter(s), intranet/extranet, security & other services)
• Defender for Cloud – cross-platform, multi-cloud XDR: detection and response capabilities for infrastructure and development across IaaS, PaaS, and on-premises
• Defender for Cloud – cross-platform Cloud Security Posture Management (CSPM): Compliance Dashboard, Secure Score
• Defender for APIs (preview)
• Azure Arc; Azure Lighthouse; Azure Bastion; Private Link; Express Route
• Azure Key Vault; Azure WAF; DDoS Protection; Azure Backup; Azure Firewall & Firewall Manager
• Network: NGFW, VPN & Proxy, Edge DLP, IPS/IDS/NDR
• GitHub Advanced Security & Azure DevOps Security: secure development and software supply chain
SaaS / Cloud Apps
• Microsoft Defender for Cloud Apps: App Discovery & Risk Scoring (Shadow IT), Threat Detection & Response, Policy Audit & Enforcement, Session monitoring & control, Information Protection & Data Loss Prevention (DLP)
Data Security
• Microsoft Purview: information protection and governance across the data lifecycle (Discover, Classify, Protect, Monitor)
• Classification, Labels, Information Protection, Advanced eDiscovery, Data Governance, Compliance Manager
• File Scanner (on-premises and cloud); S3
People Security
• Attack Simulator; Insider Risk Management; Communication Compliance
IoT and Operational Technology (OT)
• Microsoft Defender for IoT (and OT): asset & vulnerability management, threat detection & response for ICS, SCADA, OT; Internet of Things (IoT); Industrial IoT (IIoT)
• Azure Defender for IoT provides agentless security for unmanaged IoT/OT devices (via integration of CyberX technology) plus security for greenfield devices managed via Azure IoT Hub. It is deployed either as a cloud-connected or fully on-premises solution.
• Azure Sphere
15. Security Adoption Framework
Delivers Zero Trust security modernization + business alignment using recommended initiatives
CISO Workshop (Security Program and Strategy): end-to-end security program guidance + integration with digital & cloud transformation teams
Security Architecture Design Session:
• Module 1 – Zero Trust Architecture and Ransomware
• Module 2 – Secure Identities and Access
• Module 3 – Modern Security Operations (SecOps/SOC)
• Module 4 – Infrastructure & Development Security
• Module 5 – Data Security & Governance, Risk, Compliance (GRC)
• Module 6 – IoT and OT Security
1. Strategic Framework: end to end strategy, architecture, and operating model
Business Scenarios (guiding north star):
1 - I want people to do their job securely from anywhere
2 - I want to minimize business damage from security incidents
3 - I want to identify and protect critical business assets
4 - I want to proactively meet regulatory requirements
5 - I want to have confidence in my security posture and programs
2. Strategic initiatives: clearly defined architecture and implementation plans
• Secure Identities and Access
• Modern Security Operations
• Infrastructure and Development
• Data Security & Governance, Risk, Compliance (GRC)
• OT and IoT Security
• Security Hygiene: Backup and Patching
16. Security Adoption Framework – Implementation
Zero Trust security modernization rapidly reduces organizational risk
Audiences: Business Leadership (CEO); Technical Leadership (CISO, CIO); Architects & Technical Managers
• Business and Security Integration: Security Strategy, Programs, and Epics; Securing Digital Transformation (engaging business leaders on security)
• Architecture and Policy: End to End Zero Trust Architecture; Microsoft Cybersecurity Reference Architectures (MCRA)
• Technical Planning: Security Capability Adoption Planning (SCAP) for Secure Identities and Access; Modern Security Operations (SecOps/SOC); Infrastructure & Development Security; Data Security & Governance; IoT and OT Security
• Implementation and Operation: Technical Capabilities Implementation; Technology Implementation & Optimization
Workshops available in Microsoft Unified (includes reference plans and the CISO Workshop)
Coordinated & integrated end-to-end security across the ‘hybrid of everything’ (on-prem, multi-cloud, IoT, OT, etc.)
17. Security Adoption Framework Workshops – Illustrative Examples of Guidance
All workshops are holistic for the ‘hybrid of everything’ technical estate (on-premises, multi-cloud, IoT, OT, etc.)
• Security Strategy and Program
• Zero Trust Architecture
• Secure Identities and Access
• Modern Security Operations (SecOps/SOC)
• Infrastructure & Development Security
Adoption Framework → Product Adoption
20. Security responsibilities or “jobs to be done”
December 2021 - https://aka.ms/SecurityRoles
• Organizational Leadership (Organizational & Risk Oversight): Board Management; Organizational Risk Appetite; Business Model and Vision
• Security Leadership (Managing Information/Cyber Risk): Security Strategy & Culture; Risk Management; Policy & Standards; Information Risk Management; Supply Chain Risk (People, Process, Technology); Enable Productivity and Security; Stay Agile - adapt to changes to threat environment, technology, regulations, business model, and more
• Program Management Office (PMO): Plan (Governance), Build, Run (Operations)
• External Intelligence Sources / Threat Intelligence: Strategic Threat Insight/Trends; Tactical Threat Insight/Trends
• Posture Management (Monitor & Remediate Risk): On-Demand Audit, Threat and Vulnerability Management (TVM), Risk and Security Scoring, Posture Enforcement
• Security Operations [Center] (SOC): Incident Management (IT, IoT, OT); Incident Response; Threat Hunting; Incident Preparation; Practice Exercises; Risk Scenarios
• Technical Risk Management / Security Architecture: Technical Policy Authoring; Technical Policy Monitoring; Architecture & Risk Assessments; Compliance Reporting; Compliance Management; Privacy & Compliance Requirements; Requirements Translation
• Apps, Data, and IoT (App & Data Teams): App Security; Dev Education & Awareness; Data Security
• People (People Teams): Insider Risk; User Education & Awareness
• Identity & Keys (Identity Teams): Administrator Security; Identity System Security; Key Management
• Infrastructure & Endpoint (IT Operations): Endpoint Security; Mitigate Vulnerabilities; Infrastructure & Network Security; Deploy Tools
• Operational Technology (OT) Security (OT Operations)
21. End to End Zero Trust Architecture
Architecture Design Session Module 1
Adoption Framework: shorter version (3-4 hours vs. ~2 days)
Microsoft Cybersecurity Reference Architectures (MCRA)
22. Zero Trust Principles
Asset/Node = account, app, device, VM, container, data, API, etc.
Verify explicitly: Protect assets against attacker control by explicitly validating that all trust and security decisions use all relevant available information and telemetry. Reduce attack surface and exposure to risk.
Use least privilege access: Limit access of a potentially compromised asset, typically with just-in-time and just-enough-access (JIT/JEA) and risk-based policies like adaptive access control. Reduce blast radius both proactively and reactively.
Assume Breach (Assume Compromise): Assume attackers can and will successfully attack anything (identity, network, device, app, infrastructure, etc.) and plan accordingly. General strategy shift from ‘assume safe network’.
Business Enablement: Align security priorities to the organization’s mission, priorities, risks, and processes.
→ Reduces “blast radius” of compromises
→ Reduces “attack surface” of each asset
→ Transforms from “defend the network” to “enable security productivity on any network”
23. Defend across attack chains – Insider and external threats
December 2023 – https://aka.ms/MCRA
EXTERNAL THREATS
Phishing mail → Open attachment / Click a URL / Browse a website → Exploitation and Installation → Command and Control → Brute force account or use stolen account credentials → User account is compromised → Attacker collects reconnaissance & configuration data → Attacker attempts lateral movement → Privileged account compromised → Domain compromised → Attacker accesses sensitive data → Exfiltration of data
IoT Device Exploitation → Disrupt OT Environment
Detection along the chain: Defender for Office 365; Defender for Endpoint; Microsoft Entra ID Protection; Defender for Identity; Defender for Cloud Apps; Microsoft Defender for Cloud; Defender for IoT (& OT)
INSIDER RISKS
Leading indicators (history of violations; distracted and careless; disgruntled or disenchanted; subject to stressors) → Insider has access to sensitive data → Anomalous activity detected → Data leakage / Potential sabotage
Detection: Insider risk management
Correlated across the chains: Microsoft Defender XDR + Microsoft Sentinel; Security Copilot (Preview)
25. Technical Plan · Modernize Patch Management
OBJECTIVES & KEY RESULTS (OKRs) – Summary of Outcomes
OBJECTIVE: Reduce organizational risk caused by neglect of basic security maintenance. Normalize rigorous security maintenance for software.
WHY: Extortion/ransomware attacks and theft of IP are often caused by organizations skipping well known security best practices (unpatched vulnerabilities, configuration weaknesses, and insecure operational practices). Proper system maintenance and hygiene also unblocks business agility and stability from system performance and capabilities.
KEY RESULTS: Critical patch speed and completion: mean time to deploy to 90% and 100% of assets
WHAT – Implementation Workstreams and Leads
• Update Organizational Accountability to reflect organizational nature of risk: <add name(s)> designated by CEO/CFO
• Update Budget and Acquisition policy for accountability and technology lifetime: <add name(s)> designated by CFO
• Update Security Patching/Maintenance Policy to reflect accountability model: <add name(s)> CISO/CIO and governance team
❑ User Device Patching to apply updated organizational policy: <add name(s)> IT Productivity / End User Team(s)
❑ Domain Controllers and DNS Patching to apply updated organizational policy: <add name(s)> Identity/Networking/Server Infra Teams
❑ Server Infrastructure Patching to apply updated organizational policy: <add name(s)> Server Infra Teams
❑ Container Patching to apply updated organizational policy: <add name(s)> Server Infra Teams
❑ Application Patching to apply updated organizational policy: <add name(s)> Multiple Teams
❑ Firmware and Device Patching to apply updated organizational policy: <add name(s)> Multiple Teams
WHO – Directly Responsible Individuals (DRIs)
EXECUTIVE SPONSOR: CEO or Delegate (frequently CFO)
PROJECT LEADERSHIP: CIO or delegate
PROJECT TEAM(S):
• Business / Application / Cloud Teams: <add name(s)>
• IT/OT/IoT Asset Management: <add name(s)>
• Purchasing/Vendor Management: <add name(s)>
• Central and Business Unit IT Infrastructure: <add name(s)>
• Productivity / End User Team(s) (Technical and Communications Teams): <add name(s)>
• Security Policy and Standards: <add name(s)>
• Security Compliance Management: <add name(s)>
• Security & IT/Enterprise Architecture: <add name(s)>
TIMELINES / DEADLINES: Within 30 days. Focus immediately on accountability changes and getting critical patches deployed within hours or days, then continuous improvement on all asset types.
WORKSTREAM DETAILS
26. Technical Plan Workstreams · Modernize Patch Management
WHAT – Implementation Workstreams and Leads | HOW – Key directional guidance
Update Organizational Accountability to reflect organizational nature of risk (<add name(s)> designated by CEO/CFO)
• Define accountability and shared responsibility model to reflect the organization-wide nature of cybersecurity risk and distributed responsibility of mitigation via applying patches.
• Set up a team model where system owners are accountable, system managers are responsible for patching assets, and security is responsible for advising and assisting
• Update incentive structures and measurements to include scorecards, objectives and key results (OKRs), etc.
Update Budget and Acquisition policy for accountability and technology lifetime (<add name(s)> designated by CFO)
• Allocate budget to support performing required security maintenance and application sustainment
• Update revenue projections based on any required changes to schedule and uptime
• Update acquisition policy to require that vendor support is available for the expected lifetime of the technology
Update Security Patching/Maintenance Policy to reflect accountability model (<add name(s)> CISO/CIO and governance team)
• Define and approve organizational policy and standards that reflect the updated accountability model and acquisition policy (Reference Policy and Standards)
For every asset-type workstream below, update processes, tooling, and skills for all components including supply chain, and continuously improve until reaching the ideal state:
• Change – adopt a ‘patch by default’ approach to rapidly update assets while enabling asset owners limited control of timing for testing and reboots
• Build – Automate deployment (CI/CD, IaC, etc.) and include security updates and configuration
• Restore – Build and test ability to rapidly recover systems after an attack
• Retire – Ensure all asset types support exception process and replace/isolate un-securable assets
❑ User Device Patching to apply updated organizational policy (<add name(s)> Productivity / End User Team(s))
Scope: Update all user devices (corporate issued, BYOD, mobile, PC, Mac, etc.) while giving users limited control over reboot scheduling.
Key Tooling: Intune, SCCM (Dynamic Updates | WaaS), WSUS, 3rd party tools
❑ Domain Controllers and DNS Patching to apply updated organizational policy (<add name(s)> Identity/Networking/Server Infra Teams)
Scope: Active Directory Domain Controllers, Exchange Servers, and DNS Servers (high network exposure, high impact, and high resiliency/redundancy built in)
Key Tooling: WSUS / SCCM, Azure VM Patching, 3rd party tools
❑ Server Infrastructure Patching to apply updated organizational policy (<add name(s)> Server Infra Teams)
Scope: All server operating system instances (VMs, physical servers, hypervisors, etc.)
Key Tooling: Azure VM Patching, Azure Update Management Center (Preview), RPM, APT-GET, Chef, Ansible, Puppet, Windows Update, WSUS, SCCM, 3rd party tools
❑ Container Patching to apply updated organizational policy (<add name(s)> Server Infra Teams)
Scope: Container orchestration, images, and image repositories
Key Tooling: Standard server patching for orchestration/infrastructure, container creation and repository management tools for containers, Defender for Containers
❑ Application Patching to apply updated organizational policy (<add name(s)> Multiple Teams)
Scope: All apps, middleware, and supply chain components for all formats and platforms
Key Tooling: Standard user device and server tooling, additional 3rd party tooling
❑ Firmware and Device Patching to apply updated organizational policy (<add name(s)> Multiple Teams)
Scope: Firmware & embedded OS/applications for user devices, servers, printers, routers/switches, IoT devices, OT devices, others with work data / network connectivity
Key Tooling: WSUS (Surface devices and other OEMs), 3rd party tools
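The key result on the previous slide ("mean time to deploy to 90% and 100% of assets") is only useful if it is actually measured per patch and per workstream. The following is an added example written for this page, not code from the deck or from Microsoft: it computes that key result from a constructed inventory of per-asset deployment records and reports which assets (and so which workstream on the slide) are still holding a patch back. Asset names, the PATCH-A / PATCH-B identifiers and all timestamps are constructed sample data.

```python
"""Key-result measurement for the "Modernize Patch Management" plan.

Added example (not from the slide deck or from Microsoft). Computes the
key result "mean time to deploy to 90% and 100% of assets" from a
constructed inventory of per-asset patch deployment records, and lists
which assets are still unpatched, grouped by workstream (asset type).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class PatchRecord:
    asset: str
    asset_type: str                # maps to a workstream on the slide
    patch_id: str                  # placeholder identifier, not a real advisory
    released: datetime             # when the critical patch became available
    deployed: Optional[datetime]   # None = still unpatched


def hours_to_coverage(records, patch_id, percent):
    """Hours from release until `percent` of in-scope assets had the patch.

    Returns None while coverage has not been reached; that is itself the
    signal that the key result is currently missed for this patch.
    """
    scoped = [r for r in records if r.patch_id == patch_id]
    if not scoped:
        raise ValueError(f"no records for patch {patch_id}")
    # integer ceiling: 90% of 10 assets means 9 assets, never 8
    needed = (percent * len(scoped) + 99) // 100
    done = sorted(r.deployed for r in scoped if r.deployed is not None)
    if len(done) < needed:
        return None
    return (done[needed - 1] - scoped[0].released).total_seconds() / 3600


def unpatched_assets(records, patch_id):
    """Assets still missing the patch, grouped by workstream (asset type)."""
    out = {}
    for r in records:
        if r.patch_id == patch_id and r.deployed is None:
            out.setdefault(r.asset_type, []).append(r.asset)
    return out


def key_results(records):
    """Mean hours to 90% / 100% coverage over patches that reached it, plus
    how many patches are still below 100%."""
    patch_ids = sorted({r.patch_id for r in records})
    t90 = [h for p in patch_ids if (h := hours_to_coverage(records, p, 90)) is not None]
    t100 = [h for p in patch_ids if (h := hours_to_coverage(records, p, 100)) is not None]
    return {
        "mean_hours_to_90pct": sum(t90) / len(t90) if t90 else None,
        "mean_hours_to_100pct": sum(t100) / len(t100) if t100 else None,
        "patches_below_100pct": len(patch_ids) - len(t100),
    }


# --- constructed sample inventory (not real data) ------------------------
_T0 = datetime(2024, 4, 1, 0, 0)  # constructed release time for both patches


def _rec(asset, asset_type, patch_id, hours_after_release):
    deployed = None if hours_after_release is None else _T0 + timedelta(hours=hours_after_release)
    return PatchRecord(asset, asset_type, patch_id, _T0, deployed)


RECORDS = [
    # PATCH-A: ten assets across workstreams; one OT device never patched
    _rec("ws-01", "user device", "PATCH-A", 2),
    _rec("ws-02", "user device", "PATCH-A", 4),
    _rec("ws-03", "user device", "PATCH-A", 6),
    _rec("ws-04", "user device", "PATCH-A", 8),
    _rec("ws-05", "user device", "PATCH-A", 10),
    _rec("srv-01", "server", "PATCH-A", 12),
    _rec("srv-02", "server", "PATCH-A", 24),
    _rec("dc-01", "domain controller", "PATCH-A", 36),
    _rec("dc-02", "domain controller", "PATCH-A", 48),
    _rec("ot-01", "OT device", "PATCH-A", None),
    # PATCH-B: four assets, all patched within a day
    _rec("ws-01", "user device", "PATCH-B", 1),
    _rec("ws-02", "user device", "PATCH-B", 3),
    _rec("srv-01", "server", "PATCH-B", 5),
    _rec("srv-02", "server", "PATCH-B", 7),
]

if __name__ == "__main__":
    print(key_results(RECORDS))
    print("still unpatched for PATCH-A:", unpatched_assets(RECORDS, "PATCH-A"))
```

On the sample data the 90% mark for PATCH-A is reached only when the last domain controller is patched at 48 hours, and 100% is never reached because of the OT device, which is exactly the "replace/isolate un-securable assets" exception case the Retire step covers. Feeding real inventory into `RECORDS` (one row per asset and patch) gives the scorecard numbers the accountability model asks for.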
29. Evolution of Authentication and Authorization
KNOWN / ALLOWED / TRUSTED
AUTHENTICATED / AUTHORIZED
• Authenticated claim/assertion of individual identity
• “Coarse authorization” during the authentication process that enforces common trust attributes
• Granular authorization of individual attributes and entitlements
30. Two-Part Access Management Strategy
1. High Scale: Secure the Whole Attack Surface (high volume of accounts). Establish and improve security across all accounts and all access paths.
2. High Impact: Privileged Access (highly privileged accounts). Increase security for each privileged account with high business impact.
31. Top Concern: Privileged Access
Attackers with admin accounts can access many/all resources …creating a ‘cone of pain’
Privileged Admin Account(s) (Identity Admins, IT Admins, Security Admins, etc.): Cloud Admins, On Premises Admins
Reach: 3rd party cloud SaaS apps, Microsoft Cloud, on-prem & legacy apps
32. Two Secure Approaches for PAWs
Both rely on a strong hardware foundation for the operating system.
Separate Dedicated Hardware (full physical separation). Typical scenarios:
• High Security - complete isolation is required
• Single focus/function – only works with one sensitive or business critical system
Single Hardware (virtualized user (+admin) desktop on PAW). Typical scenarios:
• Privileged user is mobile or has limited desk space
• Administration of multiple systems (cloud and on-premises, management and control plane, etc.)
• Where hardware cost is a consideration
Cloud management and security
33. Access Management Capabilities – Adaptive Access applying Zero Trust Principles
Legend: Trust Signal | Adaptive Access Policy | Threat Intelligence | Additional Policy & Monitoring
Signal (to make an informed decision) → Decision (based on organizational policy) → Enablement and Enforcement (of policy across resources)
Users: Partner, Employee, Customer
User/Identity Risk signals: Multi-factor authentication? Impossible travel? Unusual locations? Password leaked? …and more
Device Risk signals: Managed? Compliant? Infected with malware? …and more
Security Policy Engine: integrated threat intelligence, organization policy, continuous risk evaluation; remediate user and device risk
Resources: any apps and resources; Microsoft 365 apps and resources; Internet and SaaS apps; all private apps; private web apps; workload
Core adaptive access policy: Direct Application Access (can be implemented today using Microsoft and partner capabilities)
Macro- and micro-segmentation: workload isolation using identity, network, app, and other controls
Security Service Edge (SSE): additional policy control & monitoring with Zero Trust Network Access (ZTNA), secure web gateway (SWG), Cloud Access Security Broker (CASB), and Firewall-as-a-Service (FWaaS)
Virtual Private Network (VPN): legacy technology being retired
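To make the Signal → Decision → Enforcement loop on this slide concrete, here is an added example written for this page; it is not Microsoft Entra Conditional Access or any product's policy engine, and the rule order, the `sensitivity` labels and the user/device field names are assumptions for illustration. It turns the slide's user and device risk signals into allow / step-up MFA / block with a remediation, and re-evaluates the session whenever a signal changes (the slide's continuous risk evaluation).

```python
"""Adaptive access policy decision, as an added example.

Illustrative code for this page only (not Microsoft Entra Conditional
Access). User and device risk signals go in, an organization policy
returns allow / require MFA / block plus a remediation, and the session
is re-evaluated on every signal change. Names and rules are assumptions.
"""
from dataclasses import dataclass, replace
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    REQUIRE_MFA = "require_mfa"   # step-up: verify explicitly before granting access
    BLOCK = "block"


@dataclass(frozen=True)
class DeviceSignals:
    managed: bool
    compliant: bool
    malware_detected: bool


@dataclass(frozen=True)
class UserSignals:
    mfa_satisfied: bool
    impossible_travel: bool
    unusual_location: bool
    password_leaked: bool


@dataclass(frozen=True)
class AccessRequest:
    user: str
    user_type: str          # "employee" | "partner" | "customer"  (assumed labels)
    resource: str
    sensitivity: str        # "standard" | "sensitive"             (assumed labels)
    device: DeviceSignals
    user_signals: UserSignals


@dataclass(frozen=True)
class Verdict:
    decision: Decision
    reasons: tuple
    remediation: tuple


def evaluate(req: AccessRequest) -> Verdict:
    """Organization policy as ordered rules, most severe first."""
    u, d = req.user_signals, req.device
    # 1. Known-compromised signals: block and remediate (assume breach). A leaked
    #    password is not fixed by stepping up MFA; the credential must be reset.
    reasons, fixes = [], []
    if u.password_leaked:
        reasons.append("leaked credential"); fixes.append("force password reset")
    if d.malware_detected:
        reasons.append("device infected"); fixes.append("isolate and remediate device")
    if reasons:
        return Verdict(Decision.BLOCK, tuple(reasons), tuple(fixes))
    # 2. Verify explicitly: sensitive resources need a managed, compliant endpoint.
    if req.sensitivity == "sensitive" and not (d.managed and d.compliant):
        return Verdict(Decision.BLOCK,
                       ("sensitive resource requires a managed, compliant device",),
                       ("enroll device in management and bring it to compliance",))
    # 3. Risky sign-in behaviour, non-employees and sensitive data need strong auth.
    risky = u.impossible_travel or u.unusual_location
    needs_mfa = risky or req.sensitivity == "sensitive" or req.user_type != "employee"
    if needs_mfa and not u.mfa_satisfied:
        why = "risky sign-in" if risky else "policy requires MFA for this user/resource"
        return Verdict(Decision.REQUIRE_MFA, (why,), ())
    return Verdict(Decision.ALLOW, ("policy satisfied",), ())


def continuous_evaluation(req, signal_updates):
    """Re-run the policy each time a signal changes during the session.

    `signal_updates` is a list of dicts whose keys are DeviceSignals or
    UserSignals fields. Returns the decision after each update; the last
    element is the session's current state."""
    decisions = [evaluate(req).decision]
    for update in signal_updates:
        dev = {k: v for k, v in update.items() if k in DeviceSignals.__dataclass_fields__}
        usr = {k: v for k, v in update.items() if k in UserSignals.__dataclass_fields__}
        req = replace(req, device=replace(req.device, **dev),
                      user_signals=replace(req.user_signals, **usr))
        decisions.append(evaluate(req).decision)
    return decisions


# --- constructed sample requests (not real users or telemetry) ---------------
HEALTHY = DeviceSignals(managed=True, compliant=True, malware_detected=False)
QUIET = UserSignals(mfa_satisfied=True, impossible_travel=False,
                    unusual_location=False, password_leaked=False)
EMPLOYEE_OK = AccessRequest("alice", "employee", "teams", "standard", HEALTHY, QUIET)
PARTNER_NO_MFA = AccessRequest("bob@partner", "partner", "sharepoint", "standard",
                               HEALTHY, replace(QUIET, mfa_satisfied=False))
LEAKED = AccessRequest("carol", "employee", "payroll", "sensitive", HEALTHY,
                       replace(QUIET, password_leaked=True))
BYOD_SENSITIVE = AccessRequest("dave", "employee", "payroll", "sensitive",
                               replace(HEALTHY, managed=False), QUIET)

if __name__ == "__main__":
    for r in (EMPLOYEE_OK, PARTNER_NO_MFA, LEAKED, BYOD_SENSITIVE):
        print(r.user, r.resource, evaluate(r))
    print(continuous_evaluation(PARTNER_NO_MFA,
                                [{"mfa_satisfied": True}, {"malware_detected": True}]))
```

The ordering of the rules is the design point: a compromise signal (leaked password, infected device) ends in a block with a remediation rather than an MFA prompt, because stepping up authentication does nothing about the underlying compromise; only once those are clear does the policy fall through to device posture and then to step-up. The partner session in the usage call starts as a step-up, becomes an allow once MFA is satisfied, and is revoked mid-session when the endpoint reports malware, which is what "continuous risk evaluation" on the slide means in practice.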
35. Broad Enterprise View
Correlated/Unified Incident View
Microsoft Reference Architecture
Expert Assistance – Enabling analysts with scarce skills
Deep Insights – Actionable detections from an XDR tool with deep knowledge of assets, AI/ML, UEBA, and SOAR
Raw Data – Security & Activity Logs (Classic SIEM / Case Management)
Microsoft Threat Intelligence – 65+ Trillion signals per day of security context & Human Expertise
API integration
Legend: Consulting and Escalation | Outsourcing | Native Resource Monitoring | Event Log Based Monitoring | Investigation & Proactive Hunting
Security Operations – SOAR reduces analyst effort/time per incident, increasing SecOps capacity
Security & Network – Provide actionable security detections, raw logs, or both
Microsoft Sentinel
Machine Learning (ML) & AI
Behavioral Analytics (UEBA)
Security Data Lake
Security Incident & Event Management (SIEM)
Security Orchestration, Automation, and Remediation (SOAR)
Infrastructure & Apps | PaaS | OT & IoT | Identity & Access Management {LDAP} | Endpoint & Mobile | Information
SOAR - Automated investigation and response (AutoIR)
Microsoft Defender XDR – Extended Detection and Response (XDR)
Defender for Cloud – Containers, Servers & VMs, SQL, Azure app services, Network traffic
Defender for Endpoint
Defender for Cloud Apps
Defender for Office 365
Defender for Identity
Entra ID Protection
December 2023 – https://aka.ms/MCRA
Managed Security Operations – Microsoft Security Experts: Managed XDR, Managed threat hunting, Incident response (Formerly Detection & response team (DART))
Security Operations Modernization
Microsoft Security Copilot (Preview) – Simplifies experience for complex tasks/skills
Align to Mission + Continuously Improve – Measure and reduce attacker dwell time (attacker access to business assets) via Mean Time to Remediate (MTTR)
Analysts and Hunters
Defender for IoT & OT
Applications (SaaS, AI, legacy, DevOps, and other)
36. Incident Response Security Operations (Triage, Investigation, sometimes Hunt)
Security Operations is a Team Sport
Main functions and how they work together
Threat Intelligence – Engaged with analysts and other roles to support investigations, hunting, and detection with research, data, analysis, control prioritization and more
Incident Management – Coordinate with other teams (including organizational leadership) on major incidents and coordinate practice exercises
Architects and Engineers – Collaborate on root cause analysis to ensure the same attacks won’t work again, automate response steps, etc.
Security Analysts – Investigate and remediate attacks with tooling and knowledge
• Triage – Respond to detections (high volume) to find attacks
• Investigation team – Investigate and remediate confirmed incidents
• Hunt – Hunt for attacks that evaded detection, tune detections, assist with incidents
Organizational Leadership | Legal | Communications
38. Silos are the Bane of Security Operations
Identity | Email & Collab | Infrastructure | Endpoint Detection & Response | Cloud Apps | Antivirus | Threat Intelligence | IoT and OT/ICS | Others (Alerts & Logs from Firewall, WAF, IDS, Apps, etc.)
Attackers traverse rapidly across the enterprise
Defenders struggle to chase them across silos
Integrating Silos is Challenging
MAPPING CHALLENGES
Tools Pivot on Different Attributes: Network IP address, Computer Name, Documents, Device ID, Email, Etc.
STRONG BIASES/TENDENCIES
Identity – Reports only high-quality alerts because:
• Analysts have alert fatigue, resist new tools
• Analysts with network background don’t understand value and meaning of detections
Endpoint – Verbose alert reporting:
• AV testing focuses on “not missing” malware
• Reporting more improves showing in AV Testing reports
…
39. Integrating Silos is Challenging
Requires significant work to integrate disparate products
Harmonize analyst experience – Across portals and interfaces
Write/Update Automation – Orchestrate common tasks across systems
Harmonize entity definitions – consistency across users, devices, email, IPs, etc.
Harmonize semantics & meaning – Correlation, prioritization, orchestration, etc.
Ensure tools provide APIs
Select & Implement Tools
Others – Alerts & Logs from Firewall, WAF, IDS, Apps, etc.
Cloud Apps
Protect | Investigate | Remediate
Event | Alert | Incident | Mappings
#.#.#.#
Analyst Workflow/Portal Experience
Infrastructure
…and each new/changed product must be integrated
Email & Collab
Antivirus
Endpoint Detection & Response
Identity
Integrate Threat Intelligence – to enrich all the different elements
Create/Maintain Detections – add new detections and tune existing ones
IoT and OT/ICS
Threat Intelligence
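Slides 35, 38 and 39 describe one problem from two sides: a correlated, unified incident view depends on harmonized entity definitions, because endpoint, identity and network tools pivot on different attributes (Device ID, Computer Name, Email, Network IP address). The added example below, written for this page and not taken from any product, shows the minimum machinery: an asset inventory that ties those attributes to one canonical device, a normalizer per tool, a time-windowed correlation of alerts into incidents, and the dwell-time / MTTR measurement from slide 35. The inventory, alert records and remediation timestamps are constructed sample data; treating a device's registered owner as the affected user, which is what lets device-centric and identity-centric alerts meet, is an assumption.

```python
"""Cross-silo alert correlation and dwell-time measurement.

Added example for this page (not product code). Inventory, alerts and
remediation times below are constructed sample data.
"""
from datetime import datetime, timedelta

# Constructed asset inventory: one canonical record per device, carrying every
# attribute a tool might pivot on (the "harmonized entity definition").
INVENTORY = [
    {"device_id": "dev-001", "hostname": "FIN-LAPTOP-07", "ip": "10.1.4.23", "owner": "alice@example.com"},
    {"device_id": "dev-002", "hostname": "HR-DESK-02", "ip": "10.1.4.88", "owner": "bob@example.com"},
]

# Constructed alerts, each in the shape its own tool emits.
RAW_ALERTS = [
    {"source": "identity", "time": "2024-04-05T09:00:00", "user": "Alice@Example.com", "title": "Impossible travel sign-in"},
    {"source": "endpoint", "time": "2024-04-05T09:12:00", "device_id": "dev-001", "hostname": "FIN-LAPTOP-07", "title": "Suspicious script execution"},
    {"source": "network", "time": "2024-04-05T09:20:00", "src_ip": "10.1.4.23", "title": "Outbound connection to blocklisted address"},
    {"source": "endpoint", "time": "2024-04-05T11:00:00", "device_id": "dev-002", "hostname": "HR-DESK-02", "title": "Potentially unwanted application"},
]

# Alert field used by each tool -> inventory attribute it matches.
PIVOT_FIELDS = {"device_id": "device_id", "hostname": "hostname", "src_ip": "ip"}


def build_index(inventory):
    """Map (attribute, value) -> inventory record so any pivot resolves to one device."""
    return {(attr, rec[attr].lower()): rec for rec in inventory for attr in ("device_id", "hostname", "ip")}


def normalize(alert, index):
    """Translate a tool-specific alert into canonical (type, value) entities."""
    entities = set()
    for field, attr in PIVOT_FIELDS.items():
        rec = index.get((attr, alert[field].lower())) if field in alert else None
        if rec:
            entities.add(("device", rec["device_id"]))
            # Assumption: the registered owner is the affected user.
            entities.add(("user", rec["owner"].lower()))
    if "user" in alert:
        entities.add(("user", alert["user"].lower()))
    return {"time": datetime.fromisoformat(alert["time"]), "source": alert["source"],
            "title": alert["title"], "entities": entities}


def correlate(alerts, index, window=timedelta(hours=24)):
    """Group alerts that share an entity within `window` into incidents (oldest first)."""
    incidents = []   # {"alerts": [...], "entities": set(), "last": datetime}; None once merged away
    by_entity = {}   # entity -> index into incidents
    for a in sorted((normalize(x, index) for x in alerts), key=lambda n: n["time"]):
        hits = sorted({by_entity[e] for e in a["entities"]
                       if e in by_entity and a["time"] - incidents[by_entity[e]]["last"] <= window})
        if not hits:
            incidents.append({"alerts": [], "entities": set(), "last": a["time"]})
            target = len(incidents) - 1
        else:
            target = hits[0]
            for other in hits[1:]:  # this alert bridges several incidents: merge them
                incidents[target]["alerts"] += incidents[other]["alerts"]
                incidents[target]["entities"] |= incidents[other]["entities"]
                incidents[other] = None
        inc = incidents[target]
        inc["alerts"].append(a)
        inc["entities"] |= a["entities"]
        inc["last"] = a["time"]
        for e in inc["entities"]:   # repoint every entity, including merged ones
            by_entity[e] = target
    return [i for i in incidents if i is not None]


def dwell_times(incidents, remediated_at):
    """Minutes from first evidence of each incident to its remediation timestamp."""
    return [(done - min(x["time"] for x in inc["alerts"])).total_seconds() / 60
            for inc, done in zip(incidents, remediated_at)]


def mean_time_to_remediate(incidents, remediated_at):
    """MTTR as the slide uses it: mean dwell time across incidents, in minutes."""
    d = dwell_times(incidents, remediated_at)
    return sum(d) / len(d)


def demo():
    """Run the sample end to end; returns (incidents, dwell minutes, MTTR minutes)."""
    incidents = correlate(RAW_ALERTS, build_index(INVENTORY))
    # Constructed remediation times, one per incident in the order returned.
    remediated = [datetime.fromisoformat("2024-04-05T12:00:00"),
                  datetime.fromisoformat("2024-04-05T11:30:00")]
    return incidents, dwell_times(incidents, remediated), mean_time_to_remediate(incidents, remediated)


if __name__ == "__main__":
    incs, dwell, mttr = demo()
    for n, inc in enumerate(incs, 1):
        print(f"Incident {n}: {len(inc['alerts'])} alerts from "
              f"{sorted({a['source'] for a in inc['alerts']})}, entities={sorted(inc['entities'])}")
    print(f"dwell minutes per incident: {dwell}; MTTR: {mttr:.1f} minutes")
```

Run as-is, the identity, endpoint and network alerts on the finance laptop collapse into one incident while the unrelated endpoint alert stays separate; without the inventory, the three would remain three unrelated rows in three consoles, which is the silo problem slide 38 describes.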
40. Microsoft Integrated XDR+SIEM
More SecOps visibility with less integration burden
Limited XDR (EDR only or EDR+) | Classic SIEM Model (AV, network, other data) | Integrated XDR+SIEM
Investigate, Remediate, and Hunt
Write/Update Automation (SOAR)
Create/Maintain Email Detections
Create/Maintain Cloud App Detections
Create/Maintain Cloud Identity Detections
Create/Maintain On-Prem Identity Detections
Create/Maintain Endpoint Detections
Create/Maintain DevOps Detections
Create/Maintain Database Detections
Create/Maintain Storage Detections
Create/Maintain Container Detections
Create/Maintain Cloud Infra Detections
Create/Maintain IoT & OT/ICS Detections
SIEM - Integrate Threat Intelligence (If SIEM Present)
SIEM - Integrate UEBA and ML (If SIEM Present)
SIEM - Harmonize Definitions & Semantics (If SIEM Present)
Ensure tools provide APIs
Select & Implement Tools
Integrated XDR+SIEM simplifies SecOps and reduces wasted time by providing and maintaining:
• Asset-specific detections
• Tooling integration
• Threat Intelligence integration
• MITRE ATT&CK coverage
• Additional detailed data for investigation and advanced hunting
This allows analysts to focus on responding to incidents & reducing organizational risk
Microsoft Defender XDR
Direct Risk Reduction | Your Maintenance Burden | Vendor Maintenance Burden
Primary Focus: Reduce Risk by removing attacker access to resources. All other activities support this and should not distract from it.
Defender for Cloud
Microsoft Sentinel
42. What you want for a train ride
Functional – Does what it promises
Secure – Resilient to attacks
Reliable – Performs well and stays available
is what you want for workloads
43. DevSecOps – Agile security for workloads
Architecture & Governance – Security, Compliance, Identity, & Other Standards
Idea Incubation – New Product or Service
Production DevSecOps – Continuous improvement
Developer
DESIGN/CODE → BUILD → DEPLOY → RUN
Minimum viable product (MVP) for:
Dev - Business / Technical Requirements
Sec - Compliance / Security / Safety
Ops - Quality / Performance / Support
Governance – Continuous Improvement
Secure Design | Secure Code | Secure CI/CD Pipeline | Secure the Operations
First Production Release
Continuous Improvement of DevSecOps Lifecycle
1. MVP definitions – Update minimum requirements for Dev, Sec, and Ops (agility, stability, security, identity standards, and more)
2. Continuously improve process, program, education, tooling, etc. to improve developer productivity, efficiency, security, identity, and more
44. Protecting assets requires partnership and expertise across teams
Architecture and Engineering
• Rules/Guidelines/Standards across workloads and common organization-wide infrastructure
• Templates/automation for all workloads
Security Operations (SecOps/SOC)
• Incident Response – Rapid remediation of attacks
• Incident Management – technical & business coordination
• Advanced Functions - Threat hunting, detection engineering, & more
Workload Team
• Business Owner – Workload goals, risks, data, requirements
• Application Architect – Application design
• Developer – Application build/implementation
Operations Team(s) (Infrastructure/DevOps)
• Workload – Build/configure/change/rebuild/recover OS, containers, network, identity, and more for workloads
• Infrastructure Operations – (same for common infrastructure)
Posture Management
• Monitoring – Monitor and report on security posture
• Enablement – Identify and clear security blockers
Infrastructure Development Security is a Team Sport
Shared responsibility model enables effective security
Common Infrastructure + per-workload infrastructure
Responsibility | Workload Team | Operations Team(s) | Architecture & Engineering | Security Operations
Application – Preventive Control Design & Implementation Co-Lead Co-Lead
Application – Detection Design, Implementation, & Monitoring Co-Lead Co-Lead
Application - Remediation & Recovery Co-Lead Co-Lead
OS/Container – Preventive Control Design & Implementation Lead
OS/Container – Detection Design, Implementation, & Monitoring Co-Lead Co-Lead
OS/Container – Remediation & Recovery Lead
Security Incident Management Lead
Security Incident Response May Lead May Lead May Lead
45. Comparing DevSecOps Security Levels
Temporary | Minimum Standard | High Security
Temporary – Temporary exception for rapid prototyping low-risk workloads; rapid prototyping of low business impact workload
Minimum Standard – Balanced approach for most workloads most of the time
High Security – High impact on business/safety; Impact: Life/Safety or business critical assets
Key Antipattern: Bizarro Risk Exceptions
Organizational risk is amplified when granting permanent security exceptions for business-critical workloads (often for political reasons)
46. DevSecOps Security Profiles – Control Comparison
Lifecycle Stage / Control | Temporary | Minimum Standard | High Security
Threat Model (Security Design Review) | Optional | Recommended | Required
Code Analysis (static/CodeQL or dynamic) | Minimum Scan | Full Scan & Fix | Scan & Enforce
Supply Chain / Dependency management | Inventory | Analysis & Fix | Block all insecure
Security Code Review | Recommended | Recommended | Required
Credential and Secret Scanning | Required | Required | Required
Reinforce/Check ‘Secure the Code’ Controls | Required | Required | Required
Secure Pipeline (Access/Infrastructure/Apps) | Required | Required | Required
Live Site Penetration Testing | Recommended | Recommended! | Required
Identity/App Access Controls | Minimum | Standard | High Security
Host/Container Controls | Minimum | Standard | High Security
Network Access Controls | Minimum | Standard | High Security
Monitoring, Response, and Recovery | Basic XDR | + Custom (Environment) | + Custom (Workload)
Lifecycle stages: Secure Design | Secure Code | Secure CI/CD Pipeline | Secure the Operations
Critical Foundations – For all developers & all projects: Security in Blameless Postmortems + Security Coding Standards + Security Tools and Training + Tool Chain Security
Shift left… but double-check! Find + fix issues during development and reinforce controls in CI/CD pipeline
Artificial Intelligence (AI) Implications
• Secure all code - Whether written by human or generative AI
• Use both for security - Apply classic and AI controls as available
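Slides 45 and 46 give three security profiles and, per control, what each profile demands, and warn against permanent exceptions for business-critical workloads. The added example below (written for this page; not a Microsoft, Azure DevOps or GitHub tool) encodes the slide's table as data so a pipeline can compute its gate decision from the workload's profile, and adds the check the anti-pattern slide calls for: a Temporary profile is only valid for low business impact workloads and must expire. The mapping of each table cell to a gate behaviour (skip / warn / run / enforce) is my interpretation, and the evidence format is constructed.

```python
"""Pipeline gate driven by the DevSecOps profile table.

Added example for this page, not a Microsoft or GitHub tool. The control table
is transcribed from the slide; the cell-to-behaviour mapping, the evidence
format and the sample evidence are assumptions.
"""
from datetime import date

PROFILES = ("Temporary", "Minimum Standard", "High Security")

# Per-control requirement for each profile, in PROFILES order (from the slide).
CONTROL_TABLE = {
    "Threat Model (Security Design Review)":        ("Optional", "Recommended", "Required"),
    "Code Analysis (static/CodeQL or dynamic)":     ("Minimum Scan", "Full Scan & Fix", "Scan & Enforce"),
    "Supply Chain / Dependency management":         ("Inventory", "Analysis & Fix", "Block all insecure"),
    "Security Code Review":                         ("Recommended", "Recommended", "Required"),
    "Credential and Secret Scanning":               ("Required", "Required", "Required"),
    "Reinforce/Check 'Secure the Code' Controls":   ("Required", "Required", "Required"),
    "Secure Pipeline (Access/Infrastructure/Apps)": ("Required", "Required", "Required"),
    "Live Site Penetration Testing":                ("Recommended", "Recommended", "Required"),
}

# Assumed interpretation of each table cell as gate behaviour:
#   skip    - not checked at this profile
#   warn    - report if the control was not performed, do not block
#   run     - the control must have run; its findings are reported, not blocking
#   enforce - the control must have run and have no open findings
CELL_BEHAVIOUR = {
    "Optional": "skip", "Recommended": "warn", "Required": "enforce",
    "Minimum Scan": "run", "Inventory": "run",
    "Full Scan & Fix": "enforce", "Analysis & Fix": "enforce",
    "Scan & Enforce": "enforce", "Block all insecure": "enforce",
}


def gate(profile, evidence):
    """Return (verdict, blockers, warnings) for pipeline evidence under a profile.

    evidence: {control name: {"ran": bool, "open_findings": int}} (constructed format).
    """
    col = PROFILES.index(profile)
    blockers, warnings = [], []
    for control, cells in CONTROL_TABLE.items():
        behaviour = CELL_BEHAVIOUR[cells[col]]
        ev = evidence.get(control, {"ran": False, "open_findings": 0})
        if behaviour == "skip":
            continue
        if behaviour == "warn":
            if not ev["ran"]:
                warnings.append(f"{control}: recommended but not performed")
        elif not ev["ran"]:
            blockers.append(f"{control}: required but not performed")
        elif behaviour == "enforce" and ev["open_findings"]:
            blockers.append(f"{control}: {ev['open_findings']} open finding(s) must be fixed")
        elif ev["open_findings"]:
            warnings.append(f"{control}: {ev['open_findings']} finding(s) reported, not blocking at this profile")
    return ("pass" if not blockers else "fail"), blockers, warnings


def validate_profile(profile, business_impact, exception_expires=None, today=None):
    """Checks against the 'Bizarro Risk Exceptions' anti-pattern.

    business_impact: "low" | "medium" | "high"; dates are ISO strings.
    Temporary is only for low-impact workloads and must carry an expiry;
    high-impact workloads must use High Security.
    """
    today = date.fromisoformat(today) if today else date.today()
    errors = []
    if business_impact == "high" and profile != "High Security":
        errors.append("high business/safety impact requires the High Security profile")
    if profile == "Temporary":
        if business_impact != "low":
            errors.append("Temporary profile is only for low business impact workloads")
        if exception_expires is None:
            errors.append("Temporary profile needs an expiry date: no permanent exceptions")
        elif date.fromisoformat(exception_expires) < today:
            errors.append(f"Temporary exception expired on {exception_expires}")
    return errors


def sample_evidence(code_findings=0, secret_scan_ran=True, pentest_ran=False):
    """Constructed pipeline evidence for the demo: everything ran cleanly except as overridden."""
    ev = {c: {"ran": True, "open_findings": 0} for c in CONTROL_TABLE}
    ev["Code Analysis (static/CodeQL or dynamic)"]["open_findings"] = code_findings
    ev["Credential and Secret Scanning"]["ran"] = secret_scan_ran
    ev["Live Site Penetration Testing"]["ran"] = pentest_ran
    return ev


if __name__ == "__main__":
    for profile in PROFILES:
        verdict, blockers, warnings = gate(profile, sample_evidence(code_findings=2))
        print(f"{profile}: {verdict}; blockers={blockers}; warnings={warnings}")
    print(validate_profile("Temporary", "high", today="2024-04-05"))
```

The same two open code-analysis findings pass the Temporary gate with a warning, fail Minimum Standard (Full Scan & Fix) and fail High Security (Scan & Enforce), which is the table read as policy; the profile check is what stops a high-impact workload from being parked on Temporary indefinitely.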
47. Microsoft Secure Score
Microsoft Defender XDR – Unified Threat Detection and Response across IT, OT, and IoT Assets
Incident Response | Automation | Threat Hunting | Threat Intelligence
Microsoft Sentinel – Cloud Native SIEM, SOAR, and UEBA
Microsoft Security Copilot (Preview)
Azure Cloud Adoption Framework (CAF) – Guidance on security strategy, planning, roles and responsibilities https://aka.ms/CAF
Zero Trust Access Control – Explicit trust validation for users and devices before allowing access
Infrastructure Security Capabilities – Apply Zero Trust principles across multi-cloud cross-platform environments
Infrastructure & Platform as a Service (IaaS & PaaS)
Full Time Employees, Partners, and/or outsourced providers
Microsoft Entra ID Governance
• Automated User Provisioning
• Entitlement Management
• Access Reviews
• Privileged Identity Management (PIM)
• Terms of Use
Entra Privileged Identity Management (PIM)
Entra ID Protection
MFA and Passwordless: Entra MFA | Windows Hello | Existing MFA
Management Plane Security – Platform provided security guardrails, governance, policy, and more
Endpoint logs | PIM Logs
Entra ID logs, access logs, alerts, risk scoring
Privileged Access Workstation (PAW)
Control: Governance & Policy Enforcement | Preventive Controls | Security Posture Visibility | Threat Detection & Response | Raw Logs and Signal for Investigation & Hunting
Microsoft Defender for Cloud
Azure Policy
Role Based Access Control (RBAC)
Azure Blueprints
Management Groups
Azure Lighthouse
Azure Backup & Site Recovery
Resource Locks
Data Plane Security – Per-Application/Workload Controls
Microsoft Defender for Cloud Apps
Azure Well Architected Framework (WAF)
Microsoft Cloud Security Benchmark (MCSB) – Prescriptive Best Practices and Controls
Internal Communications (East/West) | External Communications (North/South)
Network/App Security Groups
API Management Gateway
Azure DDoS and Web Application Firewall (WAF)
PrivateLink & Service Endpoints
Encryption & Azure Key Vault, Application RBAC Model
Azure Firewall and Firewall Management
Azure DevOps Security
GitHub Advanced Security
Unified Endpoint Management: Intune | Configuration Manager
Azure Bastion
Microsoft 365 Defender
Customers (and ‘External’ Partners) | Business Users | Developers | App/Service and Automation | Administrators
API | Application | Workstations
‘Internal’ Access | Accounts | Access and Privileges | Interfaces | Identity | Infrastructure | Network & ‘External’ Access | Resources
December 2023 – https://aka.ms/MCRA
Top 10 Azure Security Best Practices
Entra App Proxy
Defender for DevOps
Conditional Access
Entra Private Access (preview)
Entra Permissions Management
Microsoft Defender for Cloud - Risk & Regulatory Compliance Reporting
Azure Policy (audit) & Azure resource graph API
Microsoft Defender for Cloud - Detections across assets and tenants
Application Logs | Azure WAF Alerts | Azure Firewall Alerts | Azure DDOS Alerts
Network Watcher – IP Flow logs, Packet Capture, Virtual TAP
Azure activity log | Azure Service Diagnostic Logs & Metrics
Microsoft Defender for Cloud Apps – MDCA Alerts, MDCA Logs
Resources: VMs & Tenants (Azure, On-prem, 3rd party clouds) | Containers and Kubernetes | IoT and Legacy OT Devices (SCADA, ICS, etc.) | Application Programming Interfaces (APIs) | CI/CD Pipelines | Azure SQL & Cosmos DB | Azure Storage Accounts | And More…
Microsoft Defender External Attack Surface Management (EASM)
Microsoft Defender for Identity
Microsoft Defender for Endpoint
Entra ID Protection
CI/CD Pipeline
Azure Resource Management (ARM)
Access Applications
Azure Portal | Command Line Interface (CLI) | Automation/API
Microsoft Entra ID & External Identities (Formerly Azure AD)
Active Directory
Azure Sphere
Existing/Other Internet of Things (IoT) Devices
Azure IoT Hub
External Identities
On-Premises & Other Cloud Resources/Data
Azure Resources/Data
Defender for APIs (preview)
50. Security Capability Adoption Planning
Maximize value from current security product licenses and entitlements with education + prioritization / planning exercise
51. End to End Strategy and Planning
Zero Trust Architecture
Security ADS Module 1 – Zero Trust Architecture
Product Adoption
Security Capability Adoption Planning
2-3 days
Where do you want to Start?
There’s no wrong place to start ☺
Security Strategy and Program
Plan and Execute Initiatives
Secure Identities and Access
Module 2 – Secure Identities and Access
Modern Security Operations (SecOps/SOC)
Infrastructure & Development Security
Module 3 – Modern Security Operations (SecOps/SOC)
Module 4 – Infrastructure & Development Security
Topic Summary | Full workshop
4 hours
MCRA
CISO Workshop
2-3 days
2-3 days
4 hours
4 hours
4 hours
53. Learn more about Microsoft Security
Security Adoption Framework (SAF) – aka.ms/SAF
Security Documentation – aka.ms/SecurityDocs
Product Capabilities – www.microsoft.com/security/business
Reference Architectures – aka.ms/MCRA | aka.ms/MCRA-videos
CISO workshop – aka.ms/CISOworkshop | aka.ms/CISOworkshop-videos
Additional References
54. Security Adoption Framework
aka.ms/saf
Security Resources
Security Documentation
aka.ms/SecurityDocs
Security Strategy and Program
• CISO Workshop – aka.ms/CISOworkshop | -videos
• Cloud Adoption Framework (CAF) – aka.ms/cafsecure
• Driving Business Outcomes Using Zero Trust
▪ Rapidly modernize your security posture for Zero Trust
▪ Secure remote and hybrid work with Zero Trust
▪ Identify and protect sensitive business data with Zero Trust
▪ Meet regulatory and compliance requirements with Zero Trust
Zero Trust Architecture
• Microsoft Cybersecurity Reference Architectures (MCRA) - aka.ms/MCRA | -videos
• Zero Trust Deployment Guidance - aka.ms/ztguide | aka.ms/ztramp
• Ransomware and Extortion Mitigation - aka.ms/humanoperated
• Backup and restore plan to protect against ransomware - aka.ms/backup
Secure Identities and Access | Modern Security Operations (SecOps/SOC) | Infrastructure & Development Security | Data Security & Governance | IoT and OT Security
• Product Capabilities
• www.microsoft.com/security/business
• Security Product Documentation
Azure | Microsoft 365
Microsoft Security Response Center (MSRC)
www.microsoft.com/en-us/msrc
• Microsoft Cloud Security Benchmark (MCSB)
aka.ms/benchmarkdocs
• Well Architected Framework (WAF)
aka.ms/wafsecure
• Azure Security Top 10
aka.ms/azuresecuritytop10
• Ninja Training
• Defender for Cloud
• MCRA Video
• Infrastructure Security
• Defender for Cloud Documentation
• Securing Privileged Access (SPA) Guidance
aka.ms/SPA
• Access Control Discipline
• Ninja Training
• Microsoft Defender for Identity
http://aka.ms/mdininja
• MCRA Video
• Zero Trust User Access
• Microsoft Entra Documentation
aka.ms/entradocs
• Incident Response - aka.ms/IR
• CDOC Case Study - aka.ms/ITSOC
• Ninja Training
• Microsoft 365 Defender
http://aka.ms/m365dninja
• Microsoft Defender for Office 365
https://aka.ms/mdoninja
• Microsoft Defender for Endpoint
http://aka.ms/mdeninja
• Microsoft Cloud App Security
http://aka.ms/mcasninja
• Microsoft Sentinel
• MCRA Videos
• Security Operations
• SecOps Integration
• Secure data with Zero Trust
• Ninja Training
• Microsoft Purview Information Protection
https://aka.ms/MIPNinja
• Microsoft Purview Data Loss Prevention
https://aka.ms/DLPNinja
• Insider Risk Management
• Microsoft Purview Documentation
aka.ms/purviewdocs
• Ninja Training
• Defender for IoT Training
• MCRA Videos
• MCRA Video OT & IIoT Security
• Defender for IoT Documentation
aka.ms/D4IoTDocs