Who am I? Identity Product Group, CXP Team. Premier Field Engineer. SANS STI Student GWAPT, GCIA, GCIH, GCWN, GMOB

Similar documents
Who am I? Identity Product Group, CXP Team. Premier Field Engineer. SANS STI Student GWAPT, GCIA, GCIH, GCWN, GMOB

[ Sean TrimarcSecurity.com ]

Hybrid Identity de paraplu in de cloud

Identity as the core of enterprise mobility

News and Updates June 1, 2017

GLBA Compliance. with O365 Manager Plus.

HIPAA Compliance. with O365 Manager Plus.

Crash course in Azure Active Directory

FISMA Compliance. with O365 Manager Plus.

Partner Center: Secure application model

Integrate Microsoft Office 365. EventTracker v8.x and above

Exchange Control Panel EMC. Remote PowerShell

Securing Office 365 with Okta

Single Sign-On Showdown

Why Choose MS Azure?

EXPERTS LIVE SUMMER NIGHT. Close your datacenter and give your users-wings

DATACENTER MANAGEMENT Goodbye ADFS, Hello Modern Authentication! Osman Akagunduz

Managing Microsoft 365 Identity and Access

PCI Compliance. with O365 Manager Plus.

Office 365 and Azure Active Directory Identities In-depth

A tale of Modern Management Part 1

Microsoft Graph API Deep Dive

Identity & Access Management

SAP Security in a Hybrid World. Kiran Kola

Office 365: Modern Workplace

Jay Ferron. CEHi, CISSP, CHFIi, C)PTEi, CISM, CRISC, CVEi, MCITP, MCSE, MCT, MVP, NSA-IAM blog.mir.

Joe Stocker, CISSP, MCITP, VTSP Patriot Consulting

Discover threats quickly, remediate immediately, and mitigate the impact of malware and breaches

Course AZ-100T01-A: Manage Subscriptions and Resources

Centrify Identity Services for AWS

IT Security Training MS-500: Microsoft 365 Security Administration. Upcoming Dates. Course Description. Course Outline $2,

Developing Microsoft Azure Solutions (70-532) Syllabus

Google Identity Services for work

Microsoft SharePoint Server 2013 Plan, Configure & Manage

Tracking changes in Hybrid Identity environments with both Active Directory and Azure Active Directory

One Identity Active Roles 7.2. Azure AD and Office 365 Management Administrator Guide

Use EMS to protect your mobile data and mobile app

Deploying VMware Workspace ONE Intelligent Hub. October 2018 VMware Workspace ONE

Session: CEO206. Mike Crowley Planet Technologies

OFFICE 365 GOVERNANCE: Top FAQ s & Best Practices. Internal Audit, Risk, Business & Technology Consulting

Azure Active Directory from Zero to Hero

Use Microsoft EMS. to Protect your Mobile Data and Mobile Apps. Chris Nackers Nackers Consulting

Today s workforce is Mobile. Cloud and SaaSbased. are being deployed and used faster than ever. Most applications are Web-based apps

CHARLES DARWIN, CYBERSECURITY VISIONARY

Integrating On-Premises Identity Infrastructure with Microsoft Azure

Service Description VMware Workspace ONE

Operation Management Suite OMS, for short. Kenneth Teo Premier Field Engineer Microsoft

MD-101: Modern Desktop Administrator Part 2

WORKPLACE Data Leak Prevention: Keeping your sensitive out of the public domain. Frans Oudendorp Ronny de Jong

Developing Microsoft Azure Solutions (70-532) Syllabus

Developing Microsoft Azure Solutions (70-532) Syllabus

Avanan for G Suite. Technical Overview. Copyright 2017 Avanan. All rights reserved.

Managing the Risk of Privileged Accounts and Passwords

SailPoint IdentityIQ Integration with the BeyondInsight Platform. Providing Complete Visibility and Auditing of Identities

The Common Access Card The problems it solves (and the ones it doesn t) Quest Software/One Identity Dan Conrad Federal CTO

Exam : Implementing Microsoft Azure Infrastructure Solutions

Techno Expert Solutions

Microsoft Architecting Microsoft Azure Solutions.

Yubico with Centrify for Mac - Deployment Guide

Cloud Security, Mobility and Current Threats. Tristan Watkins, Head of Research and Innovation

Conditional Access Policies

WELCOME! Using Microsoft Office 365 for a Robust Mail and Conferencing System

What is Azure Active Directory (and Why Should I care)?

AvePoint Online Services 2

INSENTRA ENHANCED SUPPORT OFFICE 365 USER AUDIT REPORT. For CUSTOMER ABC. 10/02/2017 v1.0

Privilege Security & Next-Generation Technology. Morey J. Haber Chief Technology Officer

Speaker Introduction Who Mate Barany, VMware Manuel Mazzolin, VMware Peter Schmitt, Deutsche Bahn Systel Why VMworld 2017 Understanding the modern sec

SharePoint Server 2016 Feature Comparison* Accessibility Standards Support Yes Yes. Asset Library Enhancements/Video Support Yes Yes.

Guide to Deploying VMware Workspace ONE. VMware Identity Manager VMware AirWatch 9.1

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme

PLANNING AZURE INFRASTRUCTURE SECURITY - AZURE ADMIN ACCOUNTS PROTECTION & AZURE NETWORK SECURITY

VMware Identity Manager Integration with Office 365

4 Ways Your Organization Can Be Hacked

Office 365 External Sharing Webinar November 7, 2017

Minfy-Magnaquest Migration Use Case

VMware Identity Manager Integration with Office 365

VMware Identity Manager Administration

Guide to Deploying VMware Workspace ONE with VMware Identity Manager. SEP 2018 VMware Workspace ONE

Are You Avoiding These Top 10 File Transfer Risks?

Secure access to your enterprise. Enforce risk-based conditional access in real time

20532D: Developing Microsoft Azure Solutions

ShareFile Technical Presentation

Planning and Administering SharePoint 2016

Exam Code: Exam Code: Exam Name:Managing Office 365 Identities and Requirements.

Monitoring Active Directory: Both Azure AD and On-Premise AD and How Synchronization and Federation Play In

Expertise that goes beyond experience.

Microsoft Exam

VMware Identity Manager Administration. MAY 2018 VMware Identity Manager 3.2

Guide to Deploying VMware Workspace ONE. DEC 2017 VMware AirWatch 9.2 VMware Identity Manager 3.1

Related Labs: Introduction to Universal Access and F5 SAML IDP (Self-paced)

CONDITIONAL ACCESS FROM A TO Z

AKAMAI WHITE PAPER. Enterprise Application Access Architecture Overview

Liferay Security Features Overview. How Liferay Approaches Security

6 Key Use Cases for Securing Your Organization s Cloud Workloads. 6 Key Use Cases for Securing Your Organization s Cloud Workloads

Course 10993A: Integrating On-Premises Identity Infrastructure with Microsoft Azure

Configuration Guide. Requires Vorex version 3.9 or later and VSA version or later. English

Securing Your Identities with Azure AD

Microsoft Security Management

RAP as a Service for Exchange Server: Prerequisites

TS: Forefront Identity Manager 2010, Configuring

Transcription:

@markmorow

Who am I? Identity Product Group, CXP Team Premier Field Engineer SANS STI Student GWAPT, GCIA, GCIH, GCWN, GMOB

Active Directory Domain Services On-premises App Server Validate credentials against AD Active Directory Azure AD Connect Health Agent Password Protection DC Agent Password Filter DLL Hybrid Joined Device Validate credentials against AD PTA Agent Federation AD FS/WAP Azure AD Connect Health agent Azure AD Connect Azure AD Connect Health Agent Sync Engine Updates passwords on-premises Password writeback agent Updates passwords Password policy on-premises Protection Proxy Agent Processes requests to published endpoints AppProxy Connector On-premises Inbound sync agent provisioning to AD Mobile Device Receives credentials for validations Federation flow to validate credentials Uploads health data Sync objects Device registration Azure AD joined device External Networks Health Service Azure AD Connect Backend ****** MyApps portal Self-service Password reset service Device Services Self-Service Group Management AppProxy Cloud Service Privileged Identity Management Access Reviews Provides telemetry data Azure Monitor Diagnostics Azure Active Directory Authentication Services Azure MFA Core Store Role Based Access Control Azure Resource Manager Issues Tokens Conditional Access Engine Activity Logs Managed Service Domain Services Azure Identity Backend Resource Manager Role Services Provides service principals Role based authorization Dynamic Groups Azure IaaS Update Device State Identity Protection Group-based licensing First Party Provisioning Service Graph API Provisioning Service Provisions managed infrastructure for legacy protocols Microsoft Azure Microsoft Intune Receives security telemetry data Sync objects Microsoft Cloud Services Interact with the directory Inbound provisioning Outbound provisioning Windows Defender ATP Telemetry Provisioning Office 365 Other Microsoft Services Other Cloud Services Authentication flows Authorization flows Device Management On-prem object Sync Line of Business Cloud Apps Cloud HR Password management Intelligent Security Graph 3 rd Party Cloud Apps Access Management Services On-prem application access Governance Services Microsoft Cloud App Security Key

Azure AD Logs Sign-in logs Interactive logins Audit logs Everything else

Azure AD Sign-in Logs Application sign-in Success/Failure User display name and UPN Session conditions: location, IP, Date/Time MFA info: Required, Method, Result Client conditions: Device ID, browser, OS Conditional Access: Policy, Controls, Result Correlation ID! Latency is 5 to 10 mins

Azure AD Sign-in Logs Key Things To Know Refresh Token Sign-ins: Only initial authentication is in the reports today Only successful federated logins are displayed Failure events are on the federated IDP

Azure AD Audit Logs Actions performed that change the state of a resource, e.g. Password Reset Privileged Identity Management (PIM) Elevations Terms of Use Acceptance B2B Redemptions SaaS App Configuration/Provisioning Latency is 10 to 15 mins

Azure AD Security Logs Users flagged for risk High, Medium, Low Risk events/risky sign-ins leaked credentials, anonymous IPs, impossible travel, unfamiliar locations Vulnerabilities Users without MFA, Unused Admin Privileges

Who can access logs in Azure AD Global Administrator Security Administrator Security Reader Reports Reader No difference in data scope between roles Users can access their own sign-in logs

Back in the day Sept 2018 and earlier The only way to programmatically access Azure AD Logs was using GraphAPI calls Problems include but not limited to.. Multiple end points to enumerate for different log types Determining last synced event, de-duplicating events Using a service principal to auth with a secret stored in the script

Azure Monitor Full observability for your Azure AD Infrastructure Audit Logs Sign-in Logs Common Store Unified Monitoring Analyze Workflow Integrations A common platform for all Azure AD logs Rich Insights, advanced analytics and smart machine learning powered by Log Analytics Rich ecosystem of popular issue management, SIEM, and ITSM tools

Getting Started with SIEM Integration First click on Export Settings, new Diagnostic Setting Give it a name, click Stream to an Event Hub Optionally select storage account or Log Analytics Select the Logs

SIEMs With Azure Monitor Integration Many SIEMs have pre-built integration into Azure Monitor Splunk (docs) Sumo Logic (docs) IBM Qradar 7.3.0 (Coming Soon) Arcsight (Coming Soon) Don t see your SIEM? Tell them you want this!

What About Security Events? These come from the Intelligent Security Graph and lots of other security alerts http://aka.ms/graphsecuritysiem Setup Azure Monitor to send alerts to the same Event Hub

Quick Win Azure AD Power BI Content Pack Download

Log Analytics Central Analytics Platform Can utilize ML algorithms for clustering and anomaly detection Run your own queries natively in Azure Portal Setup custom alerts and actions

Legacy Authentication, Why You Should Care 200k accounts compromised in Aug 2018 due to password spray Nearly 100% of password spray attacks we see are from legacy authentication Blocking legacy auth reduces compromise rate by 66% https://aka.ms/passwordspraybestpractices

Legacy Authentication, Examples Clients that use legacy authentication Office 2010 and older Office 2013 by default (can use modern auth with reg key) Clients using older mail protocols (POP, IMAP, SMTP, etc) Older PowerShell Modules

Finding Legacy Authentication In Your Environment Sign In Logs to examine usage POP, IMAP, MAPI, SMTP and ActiveSync go to EXO Other Clients shows SharePoint and EWS

Key Security Events To Take Action On Any High Risk Event Leaked Credentials Users at High Risk Medium Risk Events Tor Browser Logins Unfamiliar locations Suspicious IP

Key Audit Events To Investigate Promotion of accounts to Admin Accounts Creation of accounts that look like service accounts/high-value employees Updates to ServicePrincipals Consent grants made by admins! Removal of MFA requirements Disablement or change of Audit configuration

Key O365 Events To Investigate Creation of mail forwarding rules in a mailbox or transport rule to an external domain. Addition of mail forward permissions or mailbox delegates Changes to external sharing policies More O365 events here

@markmorow Markmoro@Microsoft.com Mark Morowczynski Principal Program Manager

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback