Who am I? Identity Product Group, CXP Team. Premier Field Engineer. SANS STI Student GWAPT, GCIA, GCIH, GCWN, GMOB

Similar documents
Who am I? Identity Product Group, CXP Team. Premier Field Engineer. SANS STI Student GWAPT, GCIA, GCIH, GCWN, GMOB

[ Sean TrimarcSecurity.com ]

Identity as the core of enterprise mobility

Hybrid Identity de paraplu in de cloud

Crash course in Azure Active Directory

Partner Center: Secure application model

Securing Office 365 with Okta

News and Updates June 1, 2017

GLBA Compliance. with O365 Manager Plus.

HIPAA Compliance. with O365 Manager Plus.

FISMA Compliance. with O365 Manager Plus.

Office 365 and Azure Active Directory Identities In-depth

Integrate Microsoft Office 365. EventTracker v8.x and above

SAP Security in a Hybrid World. Kiran Kola

Single Sign-On Showdown

Microsoft SharePoint Server 2013 Plan, Configure & Manage

PCI Compliance. with O365 Manager Plus.

Deploying VMware Workspace ONE Intelligent Hub. October 2018 VMware Workspace ONE

Operation Management Suite OMS, for short. Kenneth Teo Premier Field Engineer Microsoft

Google Identity Services for work

EXPERTS LIVE SUMMER NIGHT. Close your datacenter and give your users-wings

Microsoft Graph API Deep Dive

Identity & Access Management

Office 365: Modern Workplace

One Identity Active Roles 7.2. Azure AD and Office 365 Management Administrator Guide

SailPoint IdentityIQ Integration with the BeyondInsight Platform. Providing Complete Visibility and Auditing of Identities

Joe Stocker, CISSP, MCITP, VTSP Patriot Consulting

Exchange Control Panel EMC. Remote PowerShell

Centrify Identity Services for AWS

Developing Microsoft Azure Solutions (70-532) Syllabus

Discover threats quickly, remediate immediately, and mitigate the impact of malware and breaches

Session: CEO206. Mike Crowley Planet Technologies

Tracking changes in Hybrid Identity environments with both Active Directory and Azure Active Directory

DATACENTER MANAGEMENT Goodbye ADFS, Hello Modern Authentication! Osman Akagunduz

Microsoft Exam

SharePoint Server 2016 Feature Comparison* Accessibility Standards Support Yes Yes. Asset Library Enhancements/Video Support Yes Yes.

VMware Identity Manager Integration with Office 365

Managing Microsoft 365 Identity and Access

Microsoft Architecting Microsoft Azure Solutions.

Office 365 External Sharing Webinar November 7, 2017

VMware Identity Manager Integration with Office 365

Managing the Risk of Privileged Accounts and Passwords

Related Labs: Introduction to Universal Access and F5 SAML IDP (Self-paced)

Developing Microsoft Azure Solutions (70-532) Syllabus

Developing Microsoft Azure Solutions (70-532) Syllabus

Five critical features

Service Description VMware Workspace ONE

Yubico with Centrify for Mac - Deployment Guide

Exam : Implementing Microsoft Azure Infrastructure Solutions

Using Splunk and LOGbinder to Monitor SQL Server, SharePoint and Exchange Audit Events

Jay Ferron. CEHi, CISSP, CHFIi, C)PTEi, CISM, CRISC, CVEi, MCITP, MCSE, MCT, MVP, NSA-IAM blog.mir.

Integrating On-Premises Identity Infrastructure with Microsoft Azure

SIEM Integration with SharePoint: Monitoring Access to the Sensitive Unstructured Data in SharePoint

Privilege Security & Next-Generation Technology. Morey J. Haber Chief Technology Officer

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme

6 Key Use Cases for Securing Your Organization s Cloud Workloads. 6 Key Use Cases for Securing Your Organization s Cloud Workloads

A tale of Modern Management Part 1

Securing the New Perimeter:

Mission Guide: Google Apps

Course AZ-100T01-A: Manage Subscriptions and Resources

The Common Access Card The problems it solves (and the ones it doesn t) Quest Software/One Identity Dan Conrad Federal CTO

Speaker Introduction Who Mate Barany, VMware Manuel Mazzolin, VMware Peter Schmitt, Deutsche Bahn Systel Why VMworld 2017 Understanding the modern sec

Planning and Administering SharePoint 2016

Minfy-Magnaquest Migration Use Case

VMware Identity Manager Administration

MCSE Productivity. A Success Guide to Prepare- Core Solutions of Microsoft SharePoint Server edusum.com

Modern SharePoint and Office 365 Development

Exchange Pro 4.4. User Guide. March 2017

Configuration Guide. Requires Vorex version 3.9 or later and VSA version or later. English

WELCOME! Using Microsoft Office 365 for a Robust Mail and Conferencing System

CHARLES DARWIN, CYBERSECURITY VISIONARY

Guide to Deploying VMware Workspace ONE. VMware Identity Manager VMware AirWatch 9.1

Cloud Security, Mobility and Current Threats. Tristan Watkins, Head of Research and Innovation

MEETING ISO STANDARDS

IT Security Training MS-500: Microsoft 365 Security Administration. Upcoming Dates. Course Description. Course Outline $2,

AvePoint Online Services 2

VMware Identity Manager Administration. MAY 2018 VMware Identity Manager 3.2

Who s Attacking Your Database? Monitoring Authentication and Logon Failures in SQL Server

Define Your Office 365 External Sharing Strategy

PLANNING AZURE INFRASTRUCTURE SECURITY - AZURE ADMIN ACCOUNTS PROTECTION & AZURE NETWORK SECURITY

Guide to Deploying VMware Workspace ONE with VMware Identity Manager. SEP 2018 VMware Workspace ONE

Securing Your Identities with Azure AD

Today s workforce is Mobile. Cloud and SaaSbased. are being deployed and used faster than ever. Most applications are Web-based apps

CLOUD WORKLOAD SECURITY

GSX 365 Usage Reports & Security Audit

Planning and Administering SharePoint 2016

Chime for Lync High Availability Setup

MB Microsoft Dynamics CRM 2016 Online Deployment.

Introduction... 5 Configuring Single Sign-On... 7 Prerequisites for Configuring Single Sign-On... 7 Installing Oracle HTTP Server...

SOFTWARE DEMONSTRATION

4 Ways Your Organization Can Be Hacked

Playing Outside Your Sandbox INTERACTING WITH OTHER SYSTEMS USING SHAREPOINT BCS

The Modern Web Access Management Platform from on-premises to the Cloud

Use EMS to protect your mobile data and mobile app

2016 Braindump2go Valid Microsoft Exam Preparation Materials:

Avanan for G Suite. Technical Overview. Copyright 2017 Avanan. All rights reserved.

Guide to Deploying VMware Workspace ONE. DEC 2017 VMware AirWatch 9.2 VMware Identity Manager 3.1

Use Microsoft EMS. to Protect your Mobile Data and Mobile Apps. Chris Nackers Nackers Consulting

OFFICE 365 GOVERNANCE: Top FAQ s & Best Practices. Internal Audit, Risk, Business & Technology Consulting

Why Choose MS Azure?

Transcription:

@markmorow

Who am I? Identity Product Group, CXP Team Premier Field Engineer SANS STI Student GWAPT, GCIA, GCIH, GCWN, GMOB

Under the hood: Multiple backend services and hybrid components Hybrid Components Cloud Services AD FS/WAP Azure AD Connect Health agent AppProxy PTA Agent Cloud Service Azure AD Connect Backend Health Service Authentication Services Azure MFA Dynamic Groups Conditional Access Engine Identity Protection Group-based licensing Azure AD Connect Health Agent Sync Engine First Party Provisioning Service Password Protection DC Agent Password Filter DLL Password writeback agent Core Store Graph API Provisioning Service Password Protection Proxy Agent Role Based Access Control Domain Services AppProxy Connector On-premises sync agent Self-Service Group Management Self-service user portal Device Services ****** Self-service Password reset service Activity Logs Access Reviews Privileged Identity Management Managed Identity Backend Azure Resource Manager Role Services

Azure AD Logs Sign-in logs Interactive logins Audit logs Everything else

Azure AD Sign-in Logs Application sign-in Success/Failure User display name and UPN Session conditions: location, IP, Date/Time MFA info: Required, Method, Result Client conditions: Device ID, browser, OS Conditional Access: Policy, Controls, Result Correlation ID! Latency is 5 to 10 mins

Azure AD Sign-in Logs Key Things To Know Refresh Token Sign-ins: Only initial authentication is in the reports today Only successful federated logins are displayed Failure events are on the federated IDP

Azure AD Audit Logs Actions performed that change the state of a resource, e.g. Password Reset Privileged Identity Management (PIM) Elevations Terms of Use Acceptance B2B Redemptions SaaS App Configuration/Provisioning Latency is 10 to 15 mins

Azure AD Security Logs Users flagged for risk High, Medium, Low Risk events/risky sign-ins leaked credentials, anonymous IPs, impossible travel, unfamiliar locations Vulnerabilities Users without MFA, Unused Admin Privileges

Who can access logs in Azure AD Global Administrator Security Administrator Security Reader Reports Reader No difference in data scope between roles Users can access their own sign-in logs

Back in the day Sept 2018 and earlier The only way to programmatically access Azure AD Logs was using GraphAPI calls Problems include but not limited to.. Multiple end points to enumerate for different log types Determining last synced event, de-duplicating events Using a service principal to auth with a secret stored in the script

Azure Monitor Full observability for your Azure AD Infrastructure Audit Logs Sign-in Logs Common Store Unified Monitoring Analyze Workflow Integrations A common platform for all Azure AD logs Rich Insights, advanced analytics and smart machine learning powered by Log Analytics Rich ecosystem of popular issue management, SIEM, and ITSM tools

Getting Started with SIEM Integration First click on Export Settings, new Diagnostic Setting Give it a name, click Stream to an Event Hub Optionally select storage account or Log Analytics Select the Logs

SIEMs With Azure Monitor Integration Many SIEMs have pre-built integration into Azure Monitor Splunk (docs) Sumo Logic (docs) IBM Qradar 7.3.0 (Coming Soon) Arcsight (Coming Soon) Don t see your SIEM? Tell them you want this!

What About Security Events? These come from the Intelligent Security Graph and lots of other security alerts http://aka.ms/graphsecuritysiem Setup Azure Monitor to send alerts to the same Event Hub

Quick Win Azure AD Power BI Content Pack Download

Log Analytics Central Analytics Platform Can utilize ML algorithms for clustering and anomaly detection Run your own queries natively in Azure Portal Setup custom alerts and actions

Legacy Authentication, Why You Should Care 200k accounts compromised in Aug 2018 due to password spray Nearly 100% of password spray attacks we see are from legacy authentication Blocking legacy auth reduces compromise rate by 66% https://aka.ms/passwordspraybestpractices

Legacy Authentication, Examples Clients that use legacy authentication Office 2010 and older Office 2013 by default (can use modern auth with reg key) Clients using older mail protocols (POP, IMAP, SMTP, etc) Older PowerShell Modules

Finding Legacy Authentication In Your Environment Sign In Logs to examine usage POP, IMAP, MAPI, SMTP and ActiveSync go to EXO Other Clients shows SharePoint and EWS

Key Security Events To Take Action On Any High Risk Event Leaked Credentials Users at High Risk Medium Risk Events Tor Browser Logins Unfamiliar locations Suspicious IP

Key Audit Events To Investigate Promotion of accounts to Admin Accounts Creation of accounts that look like service accounts/high-value employees Updates to ServicePrincipals Consent grants made by admins! Removal of MFA requirements Disablement or change of Audit configuration

Key O365 Events To Investigate Creation of mail forwarding rules in a mailbox or transport rule to an external domain. Addition of mail forward permissions or mailbox delegates Changes to external sharing policies More O365 events here

@markmorow Markmoro@Microsoft.com Mark Morowczynski Principal Program Manager

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback