Compliance, Data and

Identity Protection
Nonis Pistol, 20.05.2021, Mirabaud Asset Management
 Overview
The goal of this presentation is to describe a new modern IT
environment for Mirabaud Asset Management and the transition
path from the existing environment in terms of Compliance,
Nonis Pistol, 20.05.2021, MAM

Data and Identity Protection

2
 Microsoft 365 – Shared responsibility model

Responsibility On-Prem SaaS

Protect Manage

Information & Data Least privilege access Delegate administrations

Document classification Endpoint Analytics
Enhanced e-discovery MDM & MAM
Client & endpoints Security Policies Audit, monitoring and
Automated workflows reporting
Account, identity
& access mgmt

Identity & directory

infrastructure
Nonis Pistol, 20.05.2021, MAM

Applications

Network
controls

Operating Systems

Physical Host, Network

Physical Datacenter
4
Nonis Pistol, 20.05.2021, MAM
Security Layout
 Security Management 

• Risk Model is different

• Threat landscape has evolved
• Zero Trust Security Model
• Lifecycle (including financing) of
projects and software is more fluid
Nonis Pistol, 20.05.2021, MAM
6
 Protection across the attack kill chain Microsoft Cloud App Security
Extends protection & conditional
access to other cloud apps

Windows Defender for Office

Azure AD Identity Protection
Malware detection, safe links,
and safe attachments Identity protection & conditional access Exfiltrate data

Brute force account or use Attacker accesses

Attacker collects
Phishing Open stolen account credentials sensitive data
reconnaissance &
mail attachment configuration data

Click a URL
Exploitation Command
& Installation & Control

Browse to
a website User account Attacker attempts Privileged account Domain
is compromised lateral movement compromised compromised

Windows Defender for Endpoint Windows defender for Identity

Endpoint Detection and Response Identity protection
(EDR) & End-point Protection (EPP)
 Identity In Azure/Microsoft 365

SaaS
Azure PaaS Azure IaaS
Introduction to identity with Microsoft Cloud Software as a Service

Integrating your identities with the Microsoft cloud Microsoft Intune Your LOB application Your LOB application on
provides access to a broad range of services and Virtual machines
applications. Dynamics 365 Your mobile app LOB app
Office 365
Azure Active Directory (Azure AD) integration provides:
• Identity management for applications across all
categories of Microsoft s cloud (SaaS, PaaS, IaaS).
• Consolidated identity management for third-party cloud
applications in your portfolio. Extend your on-
Azure AD integration Domain premises directory
• Collaboration with partners. Services services to your
• Management of customer identities.
azure virtual
• Integration with web-based applications located on-
Nonis Pistol, 20.05.2021, MAM

machines
premises.
For line of business (LOB) applications hosted on virtual
machines in Azure IaaS, you can use Domain Services in
Your on-premises datacenter
Azure AD. Or you can extend your on-premises Windows
Server Active Directory (AD) environment.

8
 Identity Management
• Azure AD Connect will be used to sync identities from local
Active Directory to Azure/Microsoft 365.
• PTA is recommended can be used as well as authentication
method for users using the following services: Exchange
Online, Sharepoint, OneDrive
Nonis Pistol, 20.05.2021, MAM

• ADFS will be deployed for the Exchange Hybrid migration

from MCC to Exchange Online.

9
Azure AD Connect

Sync Seamless
engine authentication

Single
sign-on MFA
Self
Azure AD Service
Windows Server Connect
Active Directory

Microsoft Azure
Active Directory
On-premises
/ Private cloud
Password Hash Sync (PHS)
Great user experience
Same passwords for cloud-based
and on-premises apps
Disaster recovery option incase
other auth methods are unavailable
ON PREMISES
Azure AD
Azure AD Connect
Active
Directory
Secure and compliant Easy to deploy & administer
Only non-reversible hashes are No on-premises agent needed
stored in the cloud
Leaked credential report available
Small on-premises footprint 
Integrated with Smart Lockout,
Identity Protection and Conditional
Access
Pass through Authentication (PTA)

ON PREMISES

Azure AD
AuthN Agent

Active
AuthN agent Directory

Great user experience Secure and compliant Easy to deploy & administer

Same passwords for cloud-based Passwords remain on-premises Agent-based deployment

and on-premises apps
Integrated with Self-Service
Password Reset
No DMZ and no inbound firewall
requirements
Integrated with Smart Lockout,
Identity Protection and Conditional
Access
High availability out-of-the-box
No complex on-premises
deployments or network config
Zero management overhead
Seamless Single Sign On (SSO)

ON PREMISES

Azure AD

Active
Directory

Easy to integrate Easy to administer Great user experience

Works with Password Hash Sync No additional on-premise SSO experience from domain-
and Pass-through Authentication infrastructure joined devices within your corpnet

Supports Alternate Login ID Register non-Windows 10 devices

without AD FS
 PHS vs PTA – Limitations & recommendations

PTA remarks
• No Detection of users with leaked credentials.
• If used: Azure AD Domain Services needs Password Hash Synchronization to be enabled.
• Pass-through Authentication is not integrated with Azure AD Connect Health.

PHS remarks
• On-premises password expirations not synced/enforced in the cloud and are not enabled by default
• Temporary password with change at first logon is supported but not enabled by default

For both approach, Password Self Service Reset portal with password write back is strongly
recommended with strong protection mechanisms (MFA, personal questions, etc)
 authfs.mirabaud-am.com. DNS Request

authfsmam.trafficmanager.net User

ADFS Farm in Azure Traffic

Manager
Effective connection

authfs-we.mirabaud-am.com authfs-ne.mirabaud-am.com

• ADFS infrastructure will

be installed in high
availability across Azure Application Application

regions. Gateway Gateway

Nonis Pistol, 27.04.2021, MAM

WAP WAP

ADFS ADFS

15 West Europe Azure North Europe Azure

 Understanding Azure Roles and RBAC (Identity Protection)

Azure Active Directory Tenant

Active Directory
Global Administrator (Use sparingly)
Azure
AzureADADisis
typically
typicallysynched
synched
with
withon
onprem
premADAD Enterprise Groups and Users
(though
(thoughAdmin
Admin
accounts
accountsshould
should
be
beseparate)
separate) Built-in
roles
Intune Office 365 Azure Tenant
Privileged Role (Enrollment)
Administrator Exchange Admin Root management group

App admin Message Center

Reader
Billing admin
… Management group
Password Admin
…
Azure RBAC roles
Owner
Contributor Account admin
Other Apps Intune Office 365 Reader
Subscriptions
Other Built-in Roles
…
Resource group

Service admin
Notes
Notes Resource

•• Azure
Azure AD
AD resides
resides in
in an
an Azure
Azure Subscription
Subscription
•• Global
Global Admin
Admin cancan self-assign
self-assign permission
permission to
to manage
manage Azure
Azure
•• Service
Service &
& Account
Account Admins
Admins are
are assigned
assigned on
on each
each subscription
subscription
 Privileged Access Management
Controlling privileged access by Microsoft service
engineers and by your administrators

The principle of zero standing access

Just in time and just enough access

Privileged workflow

Logging and auditing

Building the Microsoft Threat Protection suite
Microsoft 365 Security Center
Builds on best of breed
security workloads Incidents, investigations, threat hunting, threat analytics

Introduces new layers of Automated protection and remediation playbooks

cross product knowledge Upstream and downstream orchestrated semantics

and capabilities
Unified entity reputation (Users, machines, email, files, IP, URLs)
Provides coordinated
protection to stop attacks Signal sharing

and automated remediation

Identity Endpoint Email & Collab Applications
to self heal affected assets
Azure Active Microsoft Microsoft Defender for Microsoft Cloud
Enables security teams to Directory Defender for Endpoint Office App Security
investigate, hunt or Microsoft Defender for
remediate attacks through Identity

a single suite portal Microsoft Cloud

App Security
 Azure AD Identity Protection
RISK DETECTION AND REMEDIATION
Risk detection type
User Risk
Leaked Credentials
Azure AD threat intelligence
Sign-in Risk
Anonymous IP address
Atypical travel
Malware linked IP address
Unfamiliar sign-in properties
Password spray
Azure AD threat intelligence
New country
Activity from anonymous IP address
Suspicious inbox forwarding
Description
Indicates that the user's valid credentials have been
leaked.
Microsoft's internal and external threat intelligence
sources have identified a known attack pattern.
Sign in from an anonymous IP address (for
example: Tor browser, anonymizer VPNs).
Sign in from an atypical location based on the user's
recent sign-ins.
Sign in from a malware linked IP address.
Sign in with properties we've not seen recently for
the given user.
Indicates that multiple usernames are being
attacked using common passwords in a unified,
brute-force manner.
Microsoft's internal and external threat intelligence
sources have identified a known attack pattern.
This detection is discovered by 
Microsoft Cloud App Security (MCAS).
This detection is discovered by 
Microsoft Cloud App Security (MCAS).
This detection is discovered by 
Microsoft Cloud App Security (MCAS).
 Azure AD Conditional Access

Conditional access rules govern the access of devices to the

available services.

Conditional Access recommended rules include the following:

Nonis Pistol, 27.04.2021, MAM

 Corporate intune registered devices only may connect

 Multifactor authentication is required when connecting
outside the corporate network zones
 Multifactor authentication is required for administrative
access at all times.
20
 Azure AD Conditional Access
Azure AD
ADFS
Conditions Controls
MSA 40TB
Google ID Employee & Partner
Users and Roles Allow/block Microsoft Cloud
Session access
Android Risk
Machine
iOS Trusted & learning 3 Microsoft
Limited
Compliant Devices Cloud App Security
access
MacOS
Windows
Windows Require
Defender ATP Real time MFA
Evaluation
Engine Cloud SaaS apps
Force
Geo-location Physical & password
Virtual Location reset
******
Corporate
Network Policies Effective
policy Block legacy
Client apps & authentication
Auth Method
Browser apps

Client apps On-premises & web apps

 Protecting Devices – Use Case sample
Protection Device type Azure AD conditional access policies Azure AD Identity Protection Intune device compliance Intune app protection
user risk policy policy policies
level

Baseline Require multi-factor Block clients that don·t Require compliant PCs High risk users must Define compliance policies
authentication (MFA) when support modern change password
(One policy for each
sign-in risk is medium or authentication
platform)
high (Forces users to change
(Clients that do not use their password when
modern authentication can signing in if high risk
Require approved apps bypass conditional access activity is detected for their Define app protection
rules, so it·s important to account) policies
(Enforces mobile app
protection for phones and block these) (One policy per platform —
tablets) iOS, Android)

Require MFA when sign-in Require compliant PCs and

Sensitive risk is low, medium, or high mobile devices

(Enforces Intune
management for PCs and
phone/tablets)

Highly Always require MFA

regulated

Product key All Office 365 Enterprise plans

Microsoft 365 E3,
Enterprise Mobility + Security (EMS) E3,
22 Azure AD P1
Microsoft 365 E5, EMS E5, Azure AD P2
 Azure Key Vault

• Azure Key Vault can be used to Securely store and tightly

control access to tokens, passwords, certificates, API keys,
and other secrets
• This protects the customer encryption keys used in both the
customer key service as well as database encryption key.
• Azure key vault should be deployed in two separate locations
Nonis Pistol, 27.04.2021, MAM

for redundancy.
• Monitoring will be sent to the Azure Monitor logs.

23
 Azure Key Vault roles (use cases)

Role Problem statement Solved by Azure Key Vault

Developer for an Azure
application
"I want to write an application for Azure that uses keys for signing and √ Keys are stored in a vault and invoked by URI when needed.
encryption. But I want these keys to be external from my application so that
the solution is suitable for an application that's geographically distributed. √ Keys are safeguarded by Azure, using industry-standard algorithms,
key lengths, and hardware security modules.
I want these keys and secrets to be protected, without having to write the
code myself. I also want these keys and secrets to be easy for me to use from √ Keys are processed in HSMs that reside in the same Azure datacenters
my applications, with optimal performance." as the applications. This method provides better reliability and reduced
latency than keys that reside in a separate location, such as on-premises.

Developer for software as a
service (SaaS)
Ersteller, Datum, Dokumentenname, C2 Internal
"I don't want the responsibility or potential liability for my customers' tenant √ Customers can import their own keys into Azure and manage them.
keys and secrets. When a SaaS application needs to perform cryptographic operations by
using customers' keys, Key Vault does these operations on behalf of the
I want customers to own and manage their keys so that I can concentrate on application. The application does not see the customers' keys.

doing what I do best, which is providing the core software features."

Chief security officer (CSO) "I want to know that our applications comply with FIPS 140-2 Level 2 or √ Choose vaults for FIPS 140-2 Level 2 validated HSMs.
FIPS 140-2 Level 3 HSMs for secure key management. √ Choose managed HSM pools for FIPS 140-2 Level 3 validated HSMs.

I want to make sure that my organization is in control of the key lifecycle
and can monitor key usage.
And although we use multiple Azure services and resources, I want to
manage the keys from a single location in Azure."
√ Key Vault is designed so that Microsoft does not see or extract your
keys.
√ Key usage is logged in near real time.
√ The vault provides a single interface, regardless of how many vaults
you have in Azure, which regions they support, and which applications
use them.

24
 Azure Security Center

• Helps protect your cloud environment. By performing

continuous security assessments of your connected resources,
it's able to provide detailed security recommendations for the
discovered vulnerabilities.
Nonis Pistol, 27.04.2021, MAM

• Azure Security Center with Standard pricing tier should be

enabled to help operation to control security enhancement,
monitoring, and reporting for IaaS and PaaS services in Azure.

25
Azure Security Center

• Because Security Center is natively part of Azure, PaaS services in Azure - including Service Fabric, SQL
Database, SQL Managed Instance, and storage accounts - are monitored and protected by Security Center
without necessitating any deployment.
• In addition, Security Center protects non-Azure servers and virtual machines in the cloud or on premises, for
both Windows and Linux servers, by installing the Log Analytics agent on them. Azure virtual machines are
auto-provisioned in Security Center.

Security Center provides you with the tools to:

• Strengthen security posture: Security Center assesses your environment and enables you to understand the
status of your resources, and whether they are secure.
• Protect against threats: Security Center assesses your workloads and raises threat prevention
recommendations and security alerts.
• Get secure faster: In Security Center, everything is done in cloud speed. Because it is natively integrated,
deployment of Security Center is easy, providing you with auto-provisioning and protection with Azure
services.
 1. Tenant encryption
2. Retention Policies
Microsoft 365 data
3. DLP
protection
Nonis Pistol, 27.04.2021, MAM

4. EOP
5. Advanced Threat
Protection
27
 Microsoft 365 Data repository

SharePoint OneDrive
Content and knowledge management Individual file storage

Teams Exchange Online

Team workspace hub Email attachments

• OneDrive used for user’s personal data

SharePoint Online
• Company wide collaboration & data sharing
• “Cold” data for less access
Microsoft Teams
• Targeted collaboration (project & small entity)
• “Hot” data, like ongoing project
28
 Tenant – Data Encryption

Data Encryption

Customer data within Microsoft's enterprise cloud services is protected by a variety of

technologies and processes, including various forms of encryption. For O365 following
types of encryption are applied
Data at rest 
 Disk encryption: protect against device theft or tampering
 Service encryption: protect customer data in Office 365 from hackers and
malicious insiders, comply with data protection laws  Customer key
2
Data in transit 
Nonis Pistol, 27.04.2021, MAM

 Transport Layer encryption: for data pipes, strong SSL / TLS

Customer Key: the customer manages and holds its cloud keys, and it explicitly authorizes
M365 services to use their encryption keys to provide value added cloud services, such as
anti-malware, anti-spam, search indexing, etc.

29
 Customer key in Microsoft 365

Helps meet compliance obligations that

require you to provide and manage your
own keys used to encrypt M365 data at-
rest    
Customer in control over service’s
ability to reason over your data when
key is revoked-initiating path towards
data deletion
Built into the service for seamless
integration with no disruption to end
user and added protections against
unintended key loss
Auditable and verified actions are
auditable and controls will be verified
in an SOC audit
• Can be enabled to encrypt files on
Sharepoint, Onedrive for business,
Teams
• Exchange online – encrypts mailbox
content
 Tenant – Access Restrictions

Data Access

1 2 3 4

Just Enough Just in Time Privileged Admin Audit-ready

Access Access Workflow

1 By default, Microsoft engineers have zero standing administrative privileges and zero standing access to customer
content in Office 365.
2 A Microsoft engineer can have limited, audited, and secured access to a customer's content for a limited amount of time.
3 Access is only when necessary, for service operations and only when approved by a member of Microsoft senior
management and by the customer itself (i.e. Customer Lockbox feature)
4 Access control requests, approvals, and administrative operations logs are captured for analysis of security and malicious
events.
 Customer lockbox in M365 or MS Azure

Meet compliance needs

Demonstrate there are
procedures in place for explicit data
access authorization
Extended access control
Control access to customer content
for service operations
Auditable and verified
Actions taken by Microsoft engineers
in response to Customer Lockbox
requests
are logged, Customer
Lockbox controls are verified
in independent SOC audits
 Information security, compliance & governance
Implement Microsoft Compliance Manager to manage organizational and IT risk and compliance
Define Data Classification & Labeling
− Define label for documents. End-user manual labeling to encourage security responsibility
− Use automatic location/rule-based labeling to ensure consistency
− Define label for containers (Teams / SPO sites)
− Consider implement DKE (Double Key Encryption) for high-sensitive data (be aware of limitations)
Implement Microsoft DLP for cloud content and data classification behavior
Implement retention labels for legal / regulation requirement
Define legal case rules and delegation with eDiscovery
Use policies (Conditional Access, CAS policy) to constrain activities into monitored paths.

33
 Microsoft 365 compliance center

Microsoft Compliance Score

Simplify compliance and reduce risk
Continuous assessments
Detect and monitor control effectiveness
automatically with a risk-based score

Recommended actions
Reduce compliance risks
with actionable guidance

Built-in control mapping

Scale your compliance efforts with built-in mapping
across regulations and standards

Compliance Score is a dashboard that provides your Compliance Score and a

summary of your data protection and compliance posture. It also includes
recommendations to improve data protection and compliance. This is a
recommendation; it is up to you to evaluate and validate the effectiveness of
customer controls as per your regulatory environment. Recommendations from
Compliance Manager and Compliance Score should not be interpreted as a
guarantee of compliance.

Accessed via https://compliance.microsoft.com

 Microsoft 365 compliance center
Data classification
Use to access Sensitive Information type definitions,
content and activity explorer
Data connectors
Use to configure connectors to import and archive
data in the M365 subscription
Alerts
Use to view and resolve alerts
Reports
Use to view data about DLP policies, shared files,
label usage and retention
Policies
Use to set up policies to govern data, manage
devices, access DLP and retention policies
Permissions
Use to manage who in the organization has access to
the M365 compliance center
Audit
Use to investigate common support and compliance
issues
Content search
Use to find emails, documents and IM conversations
in EXO, SPO, OneDrive or Teams
Communication compliance
Use to automatically capture inappropriate messages,
investigate policy violations and take steps to
remediate them
Data loss prevention
Use to detect sensitive content as it's used in the
cloud and on devices and helps prevent accidental
data loss
eDiscovery
Use to preserve, collect, review, analyze and retrieve
user data held for legal purposes
Information governance
Use to manage content lifecycle so that you can keep
data that you need and delete what you don’t.
Information protection
Use to discover, classify and protect sensitive content
across the organization.
 Data growing at exponential rate

KNOW
88
Unified approach
%
YOUR DATA

Information Discover Classify

Protection & 88
PROTECT
%
YOUR DATA Apply Policy
Governance •
•
Prevent data loss
Encryption
• Archiving
• Retention & deletion
• Restrict access • Records management
PREVENT
Protect and
• Watermark • Disposition reviews
DATA LOSS
govern data – Monitor
wherever it lives • Sensitive info discovery
• Audit trial
GOVERN • Content explorer
YOUR DATA • Activity explorer • Proof of disposals

Devices Apps Cloud Services On-premises

 Data labelling – Overview
Microsoft Information Protection (MIP), formerly AIP, is a cloud-based solution that allows administrators to
discover, classify and protect documents and emails by applying labels to documents. MIP extends tagging and
classification capabilities to all services provided by Microsoft 365 (EXO, SPO, OneDrive, Teams)

2 types of content classification are available in MIP:

• Classification based on document’s sensitivity (Sensitive Labels): This

document classification types are defined by administrators and are made
available to company employees to allow them to manually classify their
own documents. The labels are stored persistently in the document
properties wherever the document is stored.

• Classification on keywords / predefined structures (Sensitive Info

Type): These types of document classifications are provided by Microsoft
and are based on predefined structures, such as credit card numbers, Swiss
AHV numbers. This classification can be automatic.

37
 Sensitive Label – Sample

Very sensitive information for which document encryption is mandatory. Access

IT admin sets policies,
templates, and rules
SECRET restrictions are to be defined manually when applying the sensitivity. External sharing
with partners or customers is allowed but limited to the access restrictions.

SECRET
Sensitive information that must remain within the company, such as the budget,
CONFIDENTIAL
CONFIDENTIAL minutes, AHV number etc. Any external sharing of this data is prohibited and can
GENERAL
PUBLIC seriously damage the company's reputation.

Non-sensitive information. These documents contain business information that can be

GENERAL shared internally or externally in a targeted manner. By default, all information is de
facto considered general.

Public company information. This data can be distributed to any internal or external
PUBLIC
person without prejudice to the company.
38
 Containers labelling (SPO / Teams)

Using sensitivity labels to classify and protect documents and emails, it is also possible to use these privacy
labels to protect content in the following containers: Microsoft Teams sites, Microsoft 365 Groups and
SharePoint sites. 

This feature will allow to classify and protect directly at the container level, not only on the documents. The
following parameters can be used:

• Confidentiality of Teams sites and M365 groups: This option allows you to define whether an M365
group (the basis of a Teams site) is public within the company or by invitation only.

• External user access: This option allows the addition of external people (Guest) to the company
within the Teams site.

• External sharing from SharePoint sites: This option defines whether documents can be shared
individually with people outside the company.

• Access from registered devices: This option allows you to define whether employees can log into this
Teams site with a non-company-managed workstation.
39
 Data Loss Prevention

To comply with corporate standards and regulations, it is necessary to protect sensitive information and prevent accidental
disclosure. The data loss protection (DLP) policies available in Microsoft 365 allow you to automatically identify, monitor,
and protect sensitive information.

DLP rules are based on the following criteria:

Criteria for identifying content, sensitive

information, a specific classification or
external sharing.

Apply an action, such as restricting external

sharing, blocking the sending of mail, etc.

User Notification

Allow end user to overrides the limitations

Automatically create an incident based on the

criteria
40
 Data Loss Prevention
Protective actions of DLP policies
•show a pop-up policy tip to the user that warns them that they may be trying to share a sensitive item inappropriately
•block the sharing and, via a policy tip, allow the user to override the block and capture the users' justification
•block the sharing without the override option
•for data at rest, sensitive items can be locked and moved to a secure quarantine location
•for Teams chat, the sensitive information will not be displayed

DLP policy configuration overview

1.Choose what you want to monitor - Microsoft 365 comes with many predefined policy templates to help you get started or you can create a custom policy.
•A predefined policy template: Financial data, Medical and health data, Privacy data all for various countries and regions.
•A custom policy that uses the available sensitive information types, retention labels, and sensitivity labels.
2.Choose where you want to monitor - You pick one or more locations that you want DLP to monitor for sensitive information.
You can monitor: Exchange emails, SPO sites, OneDrive accounts, Teams chat, Windows 10 devices, Microsoft Cloud App security, on-premises repository.
3.Choose the conditions that must be matched for a policy to be applied to an item - you can accept pre-configured conditions or define custom conditions:
•item contains a specified kind of sensitive information that is being used in a certain context. For example, 95 social security numbers being emailed to recipient outside
your org.
•item has a specified sensitivity label
•item with sensitive information is shared either internally or externally
4.Choose the action to take when the policy conditions are met - The actions depend on the location where the activity is happening. Some examples are:
•SharePoint/Exchange/OneDrive: Block people who are outside your organization form accessing the content.
•Show the user a tip and send them an email notification that they are taking an action that is prohibited by the DLP policy.
•Teams Chat and Channel: Block sensitive information from being shared in the chat or channel
•Windows 10 Devices: Audit or restrict copying a sensitive item to a removeable USB device
•Office Apps: Show a popup notifying the user that they are engaging in a risky behavior and block or block but allow override.
•On-premises file shares: move the file from where it is stored to a quarantine folder
 Office 365 - How do we retain our data?

Retention policies:
• Retaining content for specific period of time
• Retaining content that contains sensitive information
• Choose locations
• Know the principles
Building the Microsoft Threat Protection suite
Microsoft 365 Security Center
Builds on best of breed
security workloads Incidents, investigations, threat hunting, threat analytics

Introduces new layers of Automated protection and remediation playbooks

cross product knowledge Upstream and downstream orchestrated semantics

and capabilities
Unified entity reputation (Users, machines, email, files, IP, URLs)
Provides coordinated
protection to stop attacks Signal sharing

and automated remediation

Identity Endpoint Email & Collab Applications
to self heal affected assets
Azure Active Microsoft Microsoft Defender for Microsoft Cloud
Enables security teams to Directory Defender for Endpoint Office App Security
investigate, hunt or Microsoft Defender for
remediate attacks through Identity

a single suite portal Microsoft Cloud

App Security
 Exchange Online Protection(EOP)
• EOP is included in all Microsoft 365 organizations with
Exchange Online mailboxes
• It's the cloud-based filtering service that helps protect your
organization against spam and malware.
• All the TLS connections setup on MCC will be recreated in
Exchange online to ensure the same level of security.
Nonis Pistol, 27.04.2021, MAM

• During the project, Swisscom will review the specific

configuration from the the MCC tenant and migrate it to the
new solution.

44
 Ersteller, Datum, Dokumentenname, C2 Internal

45
EOP – how it works
Microsoft Defender for Office 365
 EOP vs MS Defender for O365

Exchange Online Protection

Microsoft Defender for O365 plans P1+ P2
Prevent/Detect Investigate Respond
Prevent/Detect Investigate Respond
Technologies • Audit log search • Zero-hour Auto-
include: • Message Trace Purge (ZAP) Technologies include • SIEM integration API • Automated Investigation and
• spam • Refinement and everything in EOP plus: for detections Response (P2)
• phish testing of Allow • Safe attachments • Real-time detections • AIR from Threat Explorer (P2)
• malware and Block lists • Safe links tools • AIR for compromised users (P2)
• bulk mail • Microsoft Defender for • URL trace • SIEM Integration API for
• spoof intelligence Office 365 protection for • Threat Explorer (P2) Automated Investigations (P2)
• impersonation workloads (ex. • Threat Trackers (P2)
detection SharePoint Online, • Campaign views (P2)
• Admin Quarantine Teams, OneDrive for
• Admin and user Business)
submissions of • Time-of-click protection
False Positives in email, Office clients,
and False and Teams
Negatives • anti-phishing in Defender
• Allow/Block for for Office 365
URLs and Files • User and domain
• Reports impersonation protection
• Alerts and SIEM
integration API for alerts

47
 Nonis Pistol, 27.04.2021, MAM

48
Q&A