Not sure how strong your security practice is? Contact us today for a Security Assessment to identify potential vulnerabilities in your environment!
Cloud & Datacenter
As organizations continue to increase consumption of cloud services, Microsoft understands the need to have a wholistic approach for organizations to secure their hybrid environment. As such, Microsoft has built out the Operations Management Suite (OMS) and Azure Security Center to address these needs. For anyone who hasn’t heard of or looked at OMS, it’s a remarkably powerful toolset that has not garnered the level of attention it deserves. For organizations that are moving quickly to Azure’s Infrastructure as a Service capabilities, this solution provides incredible capabilities around monitoring, compliance, automation, insight, and data protection/recovery. This blog would go on forever if I dive into all facets of OMS, so I’ll give a brief overview for each component and dive a little deeper into the security side.
Operations Management Suite
Operations Management Suite is made up of four primary components:
- Insight & Analytics: Gain Visibility across workloads with access to all the information needed on what’s happening in the environment
- Automation & Control: Enable consistent control and compliance through configuration, update management, and advanced change tracking
- Protection & Recovery: Ensure the availability of important applications and data, and keep critical data protected with integrated cloud backup and site recovery
- Security & Compliance: Drive security across the environment, with sophisticated threat intelligence capabilities, malware detection, and indicators of compromise
For organizations that enable and configure OMS Security, leadership will have a holistic view of their security state—from on-premises to cloud and across Windows and Linux systems. By helping ensure your environments are configured and operating securely, OMS Security will empower organizations to more effectively defend against cyber threats. In addition, by using advanced security analytics and threat intelligence, the solution can detect attacks earlier. Once deployed, the management team can quickly search large volumes of security data and use built-in threat intelligence to enable smarter investigations.
By configuring OMS Security and Compliance, organizations will meet the following objectives:
- View the security posture of the organization’s entire environment and quickly identify issues such as missing security updates, outdated antimalware, vulnerable OS configurations, and unusual access or network activity
- Leverage advanced security analytics and Microsoft threat intelligence to detect attacks in near real-time
- Reduce investigation time with built-in threat intelligence and rapid search of the organization’s security data
- Use security data and insights to demonstrate compliance and easily generate evidence for auditors
Azure Security Center
Unified security management and advanced threat protection across hybrid cloud workloads. By working in unison with OMS Security & Compliance, customers can start using Security Center to unify security management and threat protection across Azure, on-premises, and other clouds.
Azure Security Center now includes the same security management capabilities currently available in the OMS Security & Compliance solution, including:
- Secure data collection, search, and analysis
- Notable events driven by predefined and custom queries
- Security assessment dashboards, including system update status, antimalware protection state, OS baseline configurations, and identity and access
- Inventory of connected computers
- Advanced threat detection
- Interactive threat intelligence map
In addition, Security Center offers:
- Security policies to ensure compliance with company and regulatory security standards
- Actionable security recommendations to help mitigate security vulnerabilities
- Automatic discovery and monitoring of new Azure resources
- Additional security assessments for Azure services, including monitoring of VM, network, storage, and SQL configurations
- Adaptive application and just-in-time access controls for Azure virtual machines
- Security incidents and streamlined investigation for rapid threat response
As with all things Microsoft, there are a couple different ways to license OMS and Azure Security, and PEI is more than happy to assist with building the best route for your organization.
Cloud & Datacenter Security Resources:
|What is OMS?||Azure Security Center Documentation|
|OMS Overview||Azure Security Center for Hybrid Workloads|
|Azure Security Center Overview||Azure Security Center Data Security|
|Endpoint Protection with Azure Security Center|
With all of Microsoft’s Software as a Service offerings and knowing that virtually every client will have other 3rd party SaaS solutions, Microsoft built out tools to monitor and secure both their own applications as well as others.
Cloud App Security
Cloud App Security is a comprehensive solution that can help organizations keep their administrators in control as they move to take full advantage of the promise of cloud applications through improved visibility into activity. It also helps increase the protection of critical data across cloud applications. The framework centers around three components:
- Cloud Discovery: Discover all cloud use in your organization, including Shadow IT reporting and control and risk assessment.
- Data Protection: Monitor and control your data in the cloud by gaining visibility, enforcing DLP policies, alerting, and investigation.
- Threat Protection: Detect anomalous use and security incidents. Use behavioral analytics and advanced investigation tools to mitigate risk and set policies and alerts to achieve maximum control over network cloud traffic.
From an architecture standpoint, Cloud App Security integrates visibility with an organization’s cloud by
- using Cloud Discovery to map and identify your cloud environment and the cloud apps your organization is using.
- sanctioning and un-sanctioning apps in your cloud.
- using easy-to-deploy app connectors that take advantage of provider APIs for visibility and governance of apps that you connect to.
- using proxy protection to get real-time visibility and control over access and activities performed within your cloud apps.
- giving you have continuous control by setting and continually fine-tuning policies.
Office 365 Cloud App Security
There is also the Office 365 Cloud App Security, which is a subset of Cloud App Security, and more specifically, empowers management to have enhanced visibility and control for Office 365. Office 365 Cloud App Security is available within the Office 365 E5 bundle or can be purchased as an Add-on. We would be happy to walk through the options and features with you, so don’t hesitate to reach out.
Advanced Threat Protection (Office 365 & Azure)
All organizations that leverage Exchange Online are entitled to use Exchange Online Protection (EOP) as their cloud-based spam filtering service. Many organizations are used to more robust security solutions added onto Exchange, so if implementing an additional layer of protection is desired, Office 365 Advanced Threat Protection is right up their alley. When paired with EOP, ATP provides a number of protective measures for email, with the key components outlined below.
Office 365 Advanced Threat Protection
- Safe Links: The ATP Safe Links feature proactively protects your users from malicious hyperlinks in a message. The protection remains every time they click the link, as malicious links are dynamically blocked while good links can be accessed.
- Safe Attachments: Safe Attachments protects against unknown malware and viruses and provides zero-day protection to safeguard your messaging system. All messages and attachments that don’t have a known virus/malware signature are routed to a special environment where ATP uses a variety of machine learning and analysis techniques to detect malicious intent. If no suspicious activity is detected, the message is released for delivery to the mailbox.
- Spoof Intelligence: Spoof intelligence detects when a sender appears to be sending mail on behalf of one or more user accounts within one of your organization’s domains. It enables you to review all senders who are spoofing your domain, and then choose to allow the sender to continue or block the sender. Spoof intelligence is available in the Security & Compliance Center on the Anti-spam settings page.
- Quarantine: Messages identified by the Office 365 service as spam, bulk mail, phishing mail, containing malware, or because they matched a mail flow rule can be sent to quarantine. By default, Office 365 sends phishing messages and messages containing malware directly to quarantine. Authorized users can review, delete, or manage email messages sent to quarantine.
- Advanced anti-phishing capabilities: This feature uses machine learning models to detect phishing messages.
For licensing, there are two Office 365 ATP Plans that can be purchased as standalone offerings or can be added to any Office 365 plan. Office 365 ATP Plan 2 is included in the Office 365 E5 subscription.
Azure Advanced Threat Protection
For security operators, analysts, and professionals that are struggling to detect advanced attacks in a hybrid environment, Azure ATP is a threat protection solution that helps
- detect and identify suspicious user and device activity with learning-based analytics
- leverage threat intelligence across the cloud and on-premises environments
- protect user identities and credentials stored in Active Directory
- provide clear attack information on a simple timeline for fast triaging
- monitor multiple entry points through integration with Windows Defender Advanced Threat Protection
There’s a great deal of additional detail which can be found in the links at the bottom. For licensing, Azure ATP is included within the Enterprise Mobility + Security E5 Suite, as well as the Microsoft 365 E5 plan.
Applications Security Resources:
|Microsoft Cloud App Security||Office 365 ATP Description|
|Enterprise Mobility + Security Cloud App Security||Azure ATP Introduction|
|Connect Office 365 to Microsoft Cloud App Security||Azure ATP Features|
|Office 365 Cloud App Security Documentation|
Organizations today are embracing the mobile workforce, and as such, need to plan create a comprehensive security plan centered around securing endpoints. Both BYOD and organization-owned devices are on the move, so ensuring data and systems are secure is essential to business success. Microsoft has a number of solutions that address each security need for endpoints, which I’ll outline below.
Device Guard is a group of key features, designed to harden a computer system against malware. Its focus is preventing malicious code from running by ensuring only known good code can run. With thousands of new malicious files created every day, using traditional methods like antivirus solutions—signature-based detection to fight against malware—provides an inadequate defense against new attacks.
Windows Defender Device Guard describes a locked-down device configuration state that uses multiple enterprise-related hardware and software security features that run on Windows 10 Enterprise edition and Windows Server. When these features are configured together, Windows Defender Device Guard changes from a mode where apps are trusted unless blocked by an antivirus or other security solution, to a mode where the operating system trusts only apps authorized by your enterprise. If the app isn’t trusted, it can’t run, period.
Credential Guard is a distinct feature, not part of Device Guard, that aims to isolate and harden key system and user secrets against compromise, helping to minimize the impact and breadth of a Pass-the- Hash-style attack in the event that malicious code is already running via a local or network-based vector. By enabling Windows Defender Credential Guard, the following features and solutions are provided:
- Hardware security: NTLM, Kerberos, and Credential Manager take advantage of platform security features, including Secure Boot and virtualization, to protect credentials.
- Virtualization-based security: Windows NTLM and Kerberos derived credentials and other secrets run in a protected environment that is isolated from the running operating system.
- Better protection against advanced persistent threats: When Credential Manager domain credentials, NTLM, and Kerberos derived credentials are protected using virtualization-based security, the credential theft attack techniques and tools used in many targeted attacks are blocked. Malware running in the operating system with administrative privileges cannot extract secrets that are protected by virtualization-based security. While Windows Defender Credential Guard is a powerful mitigation, persistent threat attacks will likely shift to new attack techniques and you should also incorporate Windows Defender Device Guard and other security strategies and architectures.
Intune addresses the huge challenge organizations face with mobile device management.
With Intune, you can
- manage the mobile devices your workforce uses to access company data.
- manage the mobile apps your workforce uses.
- protect your company information by helping to control the way your workforce accesses and shares it.
- ensure devices and apps are compliant with company security requirements.
Mobile Device Management
Microsoft also has a tailored down MDM solution available with Office 365, but it does have some feature limitation compared to Intune. I have provided a link at the bottom that goes through the feature comparison. In addition, for organizations that leverage System Center Configuration Manager, Intune can be configured with SCCM to have a full solution stack for managing both company owned devices as well as mobile.
Windows Hello is a solution that allows sign-in with facial recognition or fingerprint scanner. Knowing end users despise changing their password every 45 days with a million unique characters, Microsoft has built a solution to make it easy and fast for end users to sign into a device, while providing the organization with the security assurance they need. You can always keep your PIN as a backup too, for the users that hate cameras and fingerprint identification.
Windows Defender Advanced Threat Protection
Windows Defender Advanced Threat Protection (Windows Defender ATP) is a security service that enables enterprise customers to detect, investigate, and respond to advanced threats on their networks. Windows Defender ATP uses the following combination of technology built into Windows 10 and Microsoft’s robust cloud service.
- Endpoint behavioral sensors: Embedded in Windows 10, these sensors collect and process behavioral signals from the operating system (for example, process, registry, file, and network communications) and sends this sensor data to your private, isolated, cloud instance of Windows Defender ATP.
- Cloud security analytics: Leveraging big-data, machine-learning, and unique Microsoft optics across the Windows ecosystem (such as the Microsoft Malicious Software Removal Tool), enterprise cloud products (such as Office 365), and online assets (such as Bing and SmartScreen URL reputation), behavioral signals are translated into insights, detections, and recommended responses to advanced threats.
- Threat intelligence: Generated by Microsoft hunters and security teams and augmented by threat intelligence provided by partners, threat intelligence enables Windows Defender ATP to identify attacker tools, techniques, and procedures, and generate alerts when these are observed in collected sensor data.
For licensing, Windows Defender ATP is included within the Windows 10 Enterprise E5 Plan, as well as the Microsoft 365 E5 Plan.
Endpoint Security Resources:
Last but not least, providing identity security solutions is essential to providing a comprehensive security solution to organizations. There are a couple solutions that fall into the identity security realm for Microsoft, which I’ll highlight.
Azure Active Directory Identity Protection
Azure Active Directory Identity Protection is a feature of the Azure AD Premium P2 edition that enables you to
- detect potential vulnerabilities affecting your organization’s identities
- configure automated responses to detected suspicious actions that are related to your organization’s identities
- Investigate suspicious incidents
The vast majority of security breaches take place when attackers gain access to an environment by stealing a user’s identity. Over the years, attackers have become increasingly effective in leveraging third-party breaches and using sophisticated phishing attacks. As soon as an attacker gains access to even low-privileged user accounts, it is relatively easy for them to gain access to important company resources through lateral movement.
As a consequence of this, you need to
- Protect all identities regardless of their privilege level
- Proactively prevent compromised identities from being abused
- Take appropriate action to resolve these incidents
Azure Active Directory Identity Protection is more than a monitoring and reporting tool. To protect your organization’s identities, you can configure risk-based policies that automatically respond to detected issues when a specified risk level has been reached. These policies, in addition to other conditional access controls provided by Azure Active Directory and EMS, can either automatically block or initiate adaptive remediation actions including password resets and multi-factor authentication enforcement.
Identity Protection capabilities
Detecting vulnerabilities and risky accounts:
- Providing custom recommendations to improve overall security posture by highlighting vulnerabilities
- Calculating sign-in risk levels
- Calculating user risk levels
Investigating risk events:
- Sending notifications for risk events
- Investigating risk events using relevant and contextual information
- Providing basic workflows to track investigations
- Providing easy access to remediation actions such as password reset
Risk-based conditional access policies:
- Policy to mitigate risky sign-ins by blocking sign-ins or requiring multi-factor authentication challenges
- Policy to block or secure risky user accounts
- Policy to require users to register for multi-factor authentication
Licensing wise, Azure AD Identity Protection is a part of Azure AD Premium P2, which can be purchased as a standalone, included within EM+S E5, as well as Microsoft 365 E5.
Advanced Threat Analytics
Advanced Threat Analytics is an on-premises platform that helps protect your enterprise from multiple types of advanced, targeted cyber-attacks and insider threats.
ATA leverages a proprietary network parsing engine to capture and parse the network traffic of multiple protocols (such as Kerberos, DNS, RPC, NTLM, and others) for authentication, authorization, and information gathering. This information is collected by ATA via either
- Port mirroring from Domain Controllers and DNS servers to the ATA Gateway and/or
- Deploying an ATA Lightweight Gateway (LGW) directly on Domain Controllers
ATA takes information from multiple data-sources—such as logs and events in your network—to learn the behavior of users and other entities in the organization and build a behavioral profile about them. ATA can receive events and logs from
- SIEM Integration
- Windows Event Forwarding (WEF)
- Directly from the Windows Event Collector (for the Lightweight Gateway)
ATA technology detects multiple suspicious activities, focusing on several phases of the cyber-attack kill chain including
- Reconnaissance: during which attackers gather information on how the environment is built, what the different assets are, and which entities exist. They generally building their plan for the next phases of the attack.
- Lateral movement cycle: during which an attacker invests time and effort in spreading their attack surface inside your network.
- Domain dominance (persistence): during which an attacker captures the information allowing them to resume their campaign using various sets of entry points, credentials, and techniques.
These phases of a cyber-attack are similar and predictable, no matter what type of company is under attack or what type of information is being targeted. ATA searches for three main types of attacks: Malicious attacks, abnormal behavior, and security issues and risks. These types of attacks and how ATA addresses them can be explored in depth within the links at the bottom.
Licensing ATA is a bit tricky, as it falls into multiple categories. It can be licensed per user through Enterprise Client Access License Suite, EM+S suite, Enterprise Cloud Suite, as a standalone license through Open Business, and per device through Enterprise Client Access License Suite.
Identity Security Resources:
|Azure Active Directory Identity Protection||Advanced Threat Analytics Documentation|
|Enterprise Mobility + Security Pricing||How to Purchase ATA|
|What is Advanced Threat Analytics|
This is a lot of information to digest and coming up with the right plan for deploying the best security components can be challenging. My team and I can make this simpler for your organization by providing many valuable services to help drive your organization forward.
- Provide complementary security demonstrations for the various solutions
- Provide overall assessment of your organization’s current security state
- Build out a roadmap for implementing the security solutions
- Provide licensing analysis and options for how best to utilize the services available
- Design and implementation of the security solutions of interest
- In depth training on how to manage and administer the security solutions
- Total Cost of Ownership analysis on licensing options to determine how best to consolidate licensing and leverage bundled subscriptions for maximum return on investment
Let PEI help improve your organization’s security and share our knowledge! Give us a call at (303) 974-6881 or shoot us an email at firstname.lastname@example.org and start taking advantage of all these solutions!
Martin Feehan, Director of Client Relations