Microsoft Security Reference Architectures 1624813823

This document provides a reference architecture for using Azure and Microsoft 365 security tools. It discusses how to implement a security operations center (SOC) using Azure Sentinel for log collection, analytics, and incident management. It also shows how to separate SOC identities from customer identities for privacy and compliance. Global SOCs, regional SOCs, and managed security service providers' SOCs are all addressed with examples of how alerts, logs, and other data can be integrated and shared across subscriptions, tenants, and clouds.

Uploaded by Vikas Shah

Azure and Microsoft 365 Security

Reference Architecture for production deployments


Contents
This is a living document that is constantly updated
Please provide your feedback to [email protected]

Microsoft Internal Use and Microsoft Partners Only


Provide actionable security alerts, raw logs, or both
Mapping to Industry Trends & Terminology

Azure Network Security: protection services enabling zero trust
[Diagram: services shown are DDoS protection, Web Application Firewall, Azure Firewall, Network Security Groups and VNET integration, grouped under application protection and segmentation.]



Questions you can ask any customer…
• Does your customer have a mature SOC already?
• frameworks are followed to validate threat detection capabilities and raise SOC awareness (e.g. MITRE ATT&CK)



SOC Architecture Overview
Modern approach to SOC implementations



Separating SOC Identity & Security Boundaries
Reference Architecture
[Diagram: Global SOC production environments. SOC Collaboration (M365 Subscription): Teams for secure collaboration and communication, Workbooks, Windows 10 SAW, CASB + MIP, PIM & Conditional Access. GSOC Operations (Azure Subscription 1): CI/CD Pipeline, Logic Apps, Azure Sentinel, Log Analytics, Windows Virtual Desktop, GitHub Enterprise, Jupyter Notebooks. Production environments Geo 1, Geo 2 and Geo 3 (Azure Subscription 2): IaaS, PaaS and SaaS integrations. SOC Identity lives in Azure AD Tenant 2; Corporate Identity lives in Azure AD Tenant 1.]
Azure Sentinel for Global SOC
Reference Architecture
[Diagram: GSOC on the left, Individual Business Units/Regions on the right. Global SOC Operations (Azure Subscription 1): CI/CD Pipeline, Logic Apps, Workbooks, Azure Sentinel with Cross-Workspace Incident View, Log Analytics. SOC Collaboration (M365 Subscription): Teams for secure collaboration and communication. SOC Identity: Azure AD Tenant 2, with PIM. Region 1 (Azure Subscription 2): Azure Lighthouse and the Azure Sentinel API connect the GSOC to the regional Azure Sentinel and Log Analytics workspace, with optional Logic Apps; Customer Identity: Azure AD Tenant 3, accessed via B2B and Conditional Access (CA). Region 2 and Region 3 repeat the Region 1 pattern.]


Azure Sentinel for Global SOC
Reference Architecture
[Diagram: customer data sources feeding the Global SOC workspace: Syslog from on-premises, Azure Subscriptions, Office 365 / AAD, and other cloud services.]


Azure Sentinel for MSSP
Reference Architecture
[Diagram: Partner on the left, Customer on the right. MSSP Operations (Azure Subscription 1): Partner Admin Center with PAL Registration, CI/CD Pipeline, Logic Apps, Workbooks, Azure Sentinel with Cross-Workspace Incident View, Log Analytics, Protected IP. SOC Collaboration (M365 Subscription): Teams for secure collaboration and communication. MSSP Identity: Azure AD Tenant 2, with PIM. Customer 1 (Azure Subscription 2): Azure Lighthouse and the Azure Sentinel API connect the MSSP to the customer's Azure Sentinel and Log Analytics workspace, with optional Logic Apps; Customer Identity: Azure AD Tenant 3, accessed via B2B and Conditional Access (CA). Customers 2, 3 and 4 repeat the Customer 1 pattern.]


Azure Sentinel for MSSP
Reference Architecture
[Diagram: Partner on the left, Customer on the right. Customer data sources feeding the workspace: Syslog from on-premises, Azure Subscriptions, Office 365, and other cloud services.]


NEW SLIDE

MSSP Profitability
Azure Reference Architecture

Partner Profit
The partner profitability is based on the services provided: skills, expertise, 24*7 operations, consulting hours, and intellectual property provided/developed. There are several ways to scope the value of the partner services:
• Reducing their staffing requirement: how much work is the partner doing on behalf of the customer
• Rapid enablement: the partner may deploy new capabilities faster than the customer team may do on their own
• Ongoing improvements: the partner can add value by continuously improving the security readiness of the customer

Microsoft Credits:
Microsoft security solutions are deployed within the Customer tenant; there are two options from a billing perspective:
• EA: customer transacts with Microsoft (LSP) and pays the partner only for their managed security services. Partner may be qualified to be paid by Microsoft based on monthly Azure consumed revenue for all applicable workloads within the subscription: PAL
• CSP: Billing for the tenant is provided via the partner. Microsoft pays the partner credit and rebate based on monthly Azure consumed revenue for all applicable workloads within the subscription: CSP

We recommend a new Azure subscription is created for each security deployment, instead of using customers' existing production workload subscription(s).

[Diagram: Partner on the left, Customer on the right. MSSP Operations (Azure Subscription 0), annotated "EA: Partner Admin Center" and "CSP: ..?". Customer 1 (Azure Subscription 1), Customer 2 (Azure Subscription 2) and Customer 3 (Azure Subscription 3), each annotated "PAL / CSP Registration in this subscription" and "Microsoft pays the partner based on % of total spend".]


Azure Sentinel for Cross-Cloud Deployment
Separating your sensitive security data
[Diagram: Global SOC Operations (Azure Subscription 1) with SOC Identity in Azure AD Tenant 2. GCC-High: Regulated Data (Azure Subscription 2) with Logic Apps, Azure Sentinel, Log Analytics and Conditional Access (CA); Customer Identity in Azure AD Tenant 3 via B2B; regulated data sources are Syslog from on-premises, Azure Subscriptions, Office 365 and other cloud services. Commercial Cloud: Customer Data (Azure Subscription 3) with Logic Apps, Azure Sentinel, Log Analytics and CA; Customer Identity in Azure AD Tenant 4 via B2B; customer data sources are Syslog from on-premises, Azure Subscriptions, Office 365 and other cloud services.]
MDATP for MSSP
Reference Architecture
[Diagram: Partner on the left, Customer on the right. MSSP Operations (Azure Subscription and M365 Subscription): Partner Admin Center with PAL Registration, SOC Collaboration with Teams for secure collaboration and communication, Azure Sentinel with Cross-Workspace Incident View. MSSP Identity: Azure AD Tenant 2, with PIM. Customer 1 (Azure Subscription): Azure Lighthouse and the Azure Sentinel API. Customer 1 (M365 Subscription): Microsoft Defender, with Delegated Access through B2B Groups, EM and Conditional Access (CA); Customer Identity: Azure AD Tenant 3. Customers 2, 3 and 4 repeat the pattern.]
Azure FW for MSSP
Reference Architecture
[Diagram: Partner on the left, Customer on the right. MSSP Operations (Azure Subscription): Partner Admin Center with PAL Registration, SOC Collaboration (M365 Subscription) with Teams for secure collaboration and communication; open question noted as "Multi Tenant Support ?". MSSP Identity: Azure AD Tenant 2, with PIM. Customer 1: Azure FW Manager in Azure Subscription 1, with Azure FW instances in Subscription 2 and Subscription 3; Customer Identity: Azure AD Tenant 3 via B2B and Conditional Access (CA). Customers 2, 3 and 4 repeat the pattern.]
Azure Roles & Permissions Overview
Reference Architecture
[Diagram: Partner on the left, Customer on the right. MSSP Operations (Azure Subscription 1): Partner Admin Center with PAL Registration (gain partner earned credit for services); CSP License Model with CSP Admin; Azure Lighthouse; Azure Sentinel with Cross-Workspace Incident View; Log Analytics. MSSP Identity: Azure AD Tenant 2, with PIM. Customer 1 (Azure Subscription 2), annotated: for CSP subscription enrollment only, CSP automatically provides roles for administration; for non-CSP subscriptions, the customer can designate partner administration roles (Contributor or Read Only access); Azure permissions to the Log Analytics Workspace; Azure AD Groups, Azure AD Roles and M365 Roles. Customer Identity: Azure AD Tenant 3, accessed via B2B + CA and PIM + EM. Customers 2, 3 and 4 repeat the pattern.]
Global SOC View
[Diagram: Individual Instances on the left, each in its own subscription (Subscription 1 through Subscription n+1) with Logic Apps, Azure Sentinel and Log Analytics. Global SOC Operations in the centre: Central Management, Dashboards, Ticketing. Data sources on the right: Azure AD Logs, Cloud Apps, IaaS / PaaS, App Logs, Splunk Console, Splunk, on-premises logs.]
Which Console Do I Use ?
Portal Navigation

Three columns:
• Security Operations & MSSP Tools: high level view across all IT, OT, Security, and Compliance. Custom TDR Platform, Central Management, Dashboards, Ticketing, Reporting, CI/CD Pipeline, AI / ML.
• Initial Monitoring Tools for Breadth Investigation: Security Operations central console for proactive and reactive threat response. Azure Sentinel Portal, Cross-workspace Incident View, Azure Lighthouse, Workbooks.
• Investigation and Response for Depth Investigation: expert solutions for deep analysis and configuration. Microsoft 365 Defender, MCAS, MIP, MEM, Azure Defender, Azure AD, OT / IoT, Azure Firewall Manager, PowerBI, Networking, Containers, CI / CD Pipeline, Azure Data Explorer.

Annotations on the connections between the columns read "Full Control" (twice) and "Restricted View/Actions".
Azure Defender for IoT
(AKA: CyberX)

New Training Slides: Azure Defender for IoT - Deployment Guide.pptx



https://aka.ms/PartnerSOCArchitecture

Operational Technology (OT) Deployment Options

Apply zero trust principles to securing OT and industrial IoT environments

Blended cybersecurity attacks are driving convergence of IT, OT, and IoT environments, security architectures and capabilities.

[Diagram: Purdue Model on the left (Operational Technology environments), Information Technology environments on the right, business analytics and security analytics in the Azure cloud at the top.

Purdue Model levels:
• Level 3 – Site Operations: control & monitoring for a physical site with multiple functions (e.g. plant); plant security and operator consoles; local SIEM (optional)
• Level 2 – Supervisory Control: monitoring & control for discrete business functions (e.g. production line)
• Level 1 – Basic Control: electronics controlling or monitoring physical systems
• Level 0 – Process: physical machinery
• Safety Systems: physically disconnected from IT network(s) as business processes allow; data diode (1-way)

Isolation and segmentation: the OT side sits behind an internal hard boundary; the IT side uses a soft(ware) boundary (people, process, and tech: network + identity access control, boundary patching and security hygiene), with an NGFW between them and Microsoft Defender for Endpoint on the IT side.

Deployment stages:
• Stage 1 – Deploy to local site only: read-only D4IoT (Defender for IoT) sensors attached via NIC to a network TAP/SPAN, PCAP (manual), and the D4IoT Manager providing a central console and configuration backups (MONITOR / MANAGE).
• Stage 2 – Connect to Cloud: sensor data flows to Azure Sentinel and Azure Defender (security analytics), and to business analytics in Azure (IoT Hub, PowerBI, Azure Edge, Digital Twins, and more) or 3rd-party analytics.
• Stage 3 – Response Actions: management via SOAR.]

©Microsoft Corporation
Zero Trust Principles - Assume breach, verify explicitly, use least privilege access (identity and network)
