Azure Security Compass
1 – September 2019
General
SECURE
LEVEL OF
ACCEPTABLE RISK
COMPLIANT
NETWORK
Ransomware:
$66 upfront
Or
30% of the profit (affiliate model)
Denial of Service (DOS) average prices
day: $102.05
week: $327.00
month: $766.67
Compromised accounts
As low as $150 for 400M.
Averages $0.97 per 1k.
Proxy services to evade IP
geolocation prices vary
As low as $100 per week
for 100,000 proxies.
Evolving architecture, tools, skills, & practices
ATTACKERS USING IDENTITY TACTICS
MODERN PERIMETER
(Identity Controls)
CLASSIC PERIMETER
(Network Controls)
Network →
Azure Marketplace fits PaaS or IaaS model
SLA
EXPLOIT/ENTER: SOCIAL ENGINEERING; RDP/SSH; PASSWORD SPRAY & BRUTE FORCE
TRAVERSAL: CREDENTIAL THEFT & ABUSE (HASHES, SSH…)
MONETIZATION: RANSOMWARE
Extensive machine learning to:
• Reduce manual effort
• Reduce wasted effort on false positives
• Speed up detection
Microsoft Trust Center
https://docs.microsoft.com/en-us/azure/security/azure-security-infrastructure
https://servicetrust.microsoft.com/
https://www.microsoft.com/en-us/trustcenter/compliance/csa-self-assessment
https://azure.microsoft.com/en-us/resources/cis-microsoft-azure-foundations-security-benchmark/
https://docs.microsoft.com/en-us/azure/architecture/aws-professional
Azure compliance coverage extends across most industries and geographies
Global: CSA STAR Attestation, CSA STAR Certification, CSA STAR Self-Assessment, ISO 22301, ISO 27001, ISO 27017, ISO 27018, SOC 1 Type 2, SOC 2 Type 2
+Monitor
Mitigating some risks requires action across multiple disciplines
Azure Tenant
(Enrollment)
Intune
Other Built-in Roles
https://aka.ms/MyASIS
Architecture guidance on this topic can be found at
https://docs.microsoft.com/en-us/azure/architecture/security/governance
https://docs.microsoft.com/en-us/azure/governance/
http://aka.ms/magicbutton
MG documentation
https://docs.microsoft.com/en-us/azure/security-center/security-center-apply-system-updates
Azure Security Center
Just in Time access
Azure Update Management
REGULARLY REVIEW CRITICAL ACCESS
https://docs.microsoft.com/en-us/azure/active-directory/governance/create-access-review
https://docs.microsoft.com/en-us/azure/security-center/security-center-recommendations
https://docs.microsoft.com/en-us/azure/security-center/security-center-secure-score
remediate recommendations
BEST PRACTICE
Insecure Protocol
Dashboard
https://docs.microsoft.com/en-us/azure/security-center/security-center-compliance-dashboard
GUIDANCE
https://www.cisecurity.org/benchmark/azure/
https://docs.microsoft.com/en-us/azure/security-center/security-center-compliance-dashboard
https://docs.microsoft.com/en-us/azure/governance/policy/tutorials/create-and-manage
https://docs.microsoft.com/en-us/azure/security/fundamentals/customer-lockbox-overview
https://docs.microsoft.com/en-us/azure/dedicated-hsm/
https://azure.microsoft.com/en-us/blog/azure-confidential-computing/
https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-risk-events
https://technet.microsoft.com/en-us/mt784683
Architecture guidance on this topic can be found at
https://docs.microsoft.com/en-us/azure/architecture/security/security-operations
Detect Respond
Log Flow
Generate Alerts
Alert List
MITRE report
https://docs.microsoft.com/en-us/azure/security-center/security-center-get-started
GENERAL GUIDANCE
https://docs.microsoft.com/en-us/azure/security-center/security-center-export-data-to-siem
Azure Monitor
https://docs.microsoft.com/en-us/azure/security/azure-log-audit
CRITICAL CHOICE
https://docs.microsoft.com/en-us/azure/architecture/security/identity
Partners
Customers
Commercial
IdPs
Azure
Consumer Active Directory
IdPs
[Managed Service Identity diagram: Azure Active Directory (1); MSI VM Extension (2) holding credentials that Azure injects and rolls; your code (3) obtains a token from http://localhost/oauth2/token and calls the Azure service (e.g. ARM, Azure Storage).]
https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview
CRITICAL BEST PRACTICES
Azure AD
https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect
Azure AD B2B
Azure AD B2C
CRITICAL BEST PRACTICES
https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Azure-AD-Conditional-Access-support-for-blocking-legacy-auth-is/ba-p/245417
https://www.youtube.com/watch?v=wGk0J4z90GI
– Synchronize
https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnectsync-implement-password-hash-synchronization
CRITICAL BEST PRACTICES
https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview
https://www.microsoft.com/en-us/research/publication/password-guidance/
https://pages.nist.gov/800-63-3/sp800-63b.html
Passwordless
• Azure AD reporting - Risk events are part of Azure AD's security reports. For more information, see the users at risk security report and the risky sign-ins security report.
• Azure AD Identity Protection - Risk events are also part of the reporting capabilities of Azure Active Directory Identity Protection.
• Use the Identity Protection risk events API to gain programmatic access to security detections using Microsoft Graph.
https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-password-ban-bad-on-premises
Architecture guidance on this topic can be found at
https://docs.microsoft.com/en-us/azure/architecture/security/critical-impact-accounts
AAD B2B Collaboration
remove license
where normal administrative accounts can’t be used (federation unavailable, etc.)
Managing emergency access administrative accounts in Azure AD
https://channel9.msdn.com/events/Ignite/Microsoft-Ignite-Orlando-2017/BRK3016
http://aka.ms/HelloForBusiness
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-phone-sign-in
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates
CRITICAL BEST PRACTICES
SECURITY
CONTROLS
http://aka.ms/SWoverview
http://aka.ms/secureworkstation
Conditional Access policy for
Azure management
Custom roles
https://docs.microsoft.com/en-us/office365/securitycompliance/attack-simulator
Architecture guidance on this topic can be found at
https://docs.microsoft.com/en-us/azure/architecture/security/network-security-containment
[Network diagram: NSGs, public IPs, on-premises network(s)]
Physical vs. Software Defined Networking
Web App Firewalls
Distributed Denial of Service (DDoS) protection
Connecting to On Premises Resources
https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/shared-services
CRITICAL BEST PRACTICES
More Info: using Azure Security Center
Azure AD PIM
Local Admin Password Solution (LAPS)
CRITICAL BEST PRACTICES
EXPRESSROUTE TERMINATION
https://docs.microsoft.com/en-us/azure/expressroute/expressroute-introduction
CRITICAL CHOICES
ASGs
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-auditing-powershell
DDOS MITIGATIONS
virtual TAP
Architecture guidance on this topic can be found at
https://docs.microsoft.com/en-us/azure/architecture/security/storage-data-encryption
Storage System Design and Architecture:
Azure Storage
Managed Disks
https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security
https://docs.microsoft.com/en-us/azure/storage/common/storage-advanced-threat-protection
Layers (and why each is important)
• Mitigate against attacks on cloud provider/infrastructure
• On by default and unable to disable
Encryption Technologies
• Azure Storage Service Encryption (server side encryption) <AES-256, Block, Append, and page Blobs>
https://docs.microsoft.com/en-us/azure/storage/common/storage-auth-aad
https://docs.microsoft.com/en-us/azure/security/azure-security-disk-encryption-overview
https://docs.microsoft.com/en-us/azure/security/azure-security-encryption-atrest
https://azure.microsoft.com/en-us/resources/cis-microsoft-azure-foundations-security-benchmark/