Security Compass Presentation
WORKSHOP OBJECTIVE:
Learn how to securely operate your workloads on Azure
Make the right security decisions with best practices, choices and context/recommendations
Increase familiarity with Azure Platform Security and Azure Security Center
Tips
• Mix of old & new - Bring your experience and knowledge, but expect changes
• You can’t learn everything - Cloud capabilities evolve too fast to master them all, prioritization is critical
Guidance Structure
Actionable and Prioritized

Section                          | CRITICAL | GENERAL
Governance, Risk, and Compliance | 16       | 10
Administration                   | 12       | 2
Information Protection & Storage | 3        | 0
Security Operations              | 4        | 4
Total                            | 42       | 26
COMPLIANT ≠ SECURE
COMPLIANT = Meets a specific standard at point in time (e.g. not negligent)
SECURE = Lowers business risk to acceptable level by disrupting attacker return on investment (ROI)
[Diagram: Secure vs. Compliant plotted against the level of acceptable risk]
Whiteboard – Your Journey and Goals
[Whiteboard topics: Azure Components & Models; Security Center (ASC); Transforming Tools, Skills, & Practices; Strategies & Threats Evolve; Governance, Risk, & Compliance; Security Operations; Identity; Azure Regions & Services; Administration; Network Containment; Info Protection & Storage; Microsoft Security Practices]
Attack services are inexpensive
[Slide groups: Attacks against the PC; Attacks against the employees and customers; Services aiding the “cash out”; Attacker infrastructure; Collective knowledge]
• Ransomware: $66 upfront, or 30% of the profit (affiliate model)
• 0-day price range varies from $5,000 to $350,000
• Loads (compromised device) average price: PC - $0.13 to $0.89; Mobile - from $0.82 to $2.78
• Spearphishing services range from $100 to $1,000 per successful account take over
• Denial of Service (DOS) average prices: day: $102.05; week: $327.00; month: $766.67
• Compromised accounts: as low as $150 for 400M. Averages $0.97 per 1k.
• Proxy services to evade IP geolocation, prices vary: as low as $100 per week for 100,000 proxies.
Modern Enterprise Perimeter
SaaS adoption, Infrastructure as a Service, Platform as a Service
MODERN PERIMETER (Identity Controls) vs. CLASSIC PERIMETER (Network Controls)

Evolution of Roles and Responsibilities
Legacy Architectures & Operating Models (Classic Perimeter - Network Controls) vs. Modern Architectures & Operating Models (Modern Perimeter - Identity Controls)
“STOP THE PRESSES!” vs. CONTINUOUS VALIDATION
“TRUST BUT VERIFY” EACH CLOUD PROVIDER
Shared responsibility (Microsoft vs. Customer) by model - SaaS, PaaS, IaaS, On-prem:
• Operating system
• Physical hosts
• Physical network
• Physical datacenter
IaaS and PaaS Application Models
Standalone Applications or Components of Larger Solutions
Other Components – Services/databases on-premises or on a 3rd party cloud, IoT devices, etc.
Layers (Microsoft vs. Customer responsibility): Network controls; Operating system; Physical hosts; Physical network; Physical datacenter
Transferred for IaaS and PaaS:
• Racking/Stacking Servers, Delays in Adding Capacity
• Fabric/Virtualization Patching, Maintenance & Troubleshooting
• Fabric Availability / Uptime SLA from Microsoft
Attacks on:
• Denial of Service*
• Physical Attacks
• Virtualization Fabric
• Hardware/Firmware
• Network Infrastructure
EXISTING TECHNIQUES (AT COMPARABLE LEVELS) – PaaS and IaaS
EXPLOIT/ENTER: Social engineering; Phishing; Geo-filtering evasion with proxy
TRAVERSAL: Credential theft & abuse (hashes, SSH…); Scan & exploit
MONETIZATION: Ransomware; Targeted data theft; Commodity botnet/DDoS/etc
Azure global infrastructure: 54 Azure regions; 100K+ miles of fiber & subsea cable; 150+ edge sites; 200+ ExpressRoute partners
Microsoft protecting Microsoft
• Hardening (Physical, OS, App/Data, etc.)
• Whitelisting
• Auto-Patching
• and more…
• Continual Scanning
• Penetration Testing
• Red Team Ops
• Bug Bounties
• One Hunt
• Rigorous Security For Privileged Access
The Microsoft Intelligent Security Graph
Extensive machine learning to:
• Reduce manual effort
• Reduce wasted effort on false positives
• Speed up detection
Scale of signal:
• +1B Windows devices updated & scanned
• 450B monthly authentications
• 18+ billion web pages scanned
• 400B e-mails analyzed
• 930M threats detected on devices every month
PRODUCT AND SERVICE TELEMETRY (Office 365, Windows, Microsoft Azure, Bing, Defender AV, Malicious Software Removal Tool) - Products instrumented to strict privacy/compliance standards
[Privacy/Compliance boundary - See Microsoft Trust Center]
Other sources: Sample zoos; Dark markets; Threat feeds; Sinkholes and honeypots; Detonation services and sandboxes; IR intelligence
Products generate data which feeds back into the graph: Azure Security Center (ASC), Azure Active Directory Identity Protection, Windows Defender Advanced Threat Protection (ATP), Azure Advanced Threat Protection (ATP), Microsoft Cloud Application Security (MCAS), Operations Management Suite (OMS), Microsoft Accounts, Exchange Online Protection (EOP) Anti-malware
Hunters identify attacks, improve analytics, feed back into product design
Technical Details on Azure internal architecture
Most current information in documentation: https://docs.microsoft.com/en-us/azure/security/azure-security-infrastructure
3rd party validated information in Service Trust Portal (STP) - https://servicetrust.microsoft.com/ - Requires NDA
Azure Security Center – Cross Platform Visibility, Protection, and Threat Detection
• Configuration Hygiene
• Just in Time VM Access
• Azure AD PIM
• Discover, Classify, Classification Labels
• Leaked credentials
• Behavioral Analytics
• Security operations
• Application Code (Security Development Lifecycle)
Covers Azure workloads (Infrastructure as a Service (IaaS) Virtual Machines, App Service / Web Apps, SQL, Logic Apps, Event Hubs, IoT services, Machine Learning, Containers) and on prem & other cloud workloads
Administration
Day to day use of privileged access accounts
Security Operations
Monitor for anomalies to “normal” admin operations
Management Groups: Root Management Group (Group of Subscriptions) – Enterprise-wide Policies, Permissions, & Tags
Segmentation Strategy:
• Core Services Segment – Shared Services (& Edge Security)
• Additional Segment(s) – Multi-App Segment(s), Single App Segment(s), Development Stage Segments
[Diagram: Core Services plus Segments 1-5]
Resource Groups & Resources:
• Virtual Networks (Intranet, Extranet)
• Primary Application(s) – Dev, Test, Prod
• PaaS Apps – Dev, Test, Prod
• Development stage segments – Dev, Test, Prod (or DevTest, Prod)
Understanding Azure Roles and RBAC
Azure Active Directory Tenant
• Global Administrator (Use sparingly)
• Enterprise Groups and Users – Azure AD is typically synched with on prem Active Directory (though Admin accounts should be separate)
• Azure AD built-in roles: Privileged Role Administrator, Exchange Admin, App admin, Message Center Reader, Billing admin, Password Admin, …
• Other Apps, Intune, Office 365 (Intune / Office 365 admin)
Azure Tenant (Enrollment) → Root management group → Management group → Subscriptions → Resource group → Resource
• Account admin, Service admin
• Azure RBAC roles: Owner, Contributor, Reader, Other Built-in Roles, …
Notes
Azure Security Documentation Site has extensive information on security topics
https://docs.microsoft.com/en-us/azure/architecture/security/governance
Governance, Risk, and Compliance (GRC)
• What – Designate the parties responsible for specific functions (e.g. Network Management: typically existing network operations team; enterprise-wide virtual network and subnet allocation)
CRITICAL CHOICE – SEGMENTATION STRATEGY

USE OF ROOT MANAGEMENT GROUP (MG)
• What – Carefully select what items to apply to the entire enterprise with the root management group.
• How – Ensure root MG elements have a clear requirement to be applied across every resource and/or low impact. Good candidates include:
  • Regulatory requirements with clear business risk/impact (e.g. restrictions related to data sovereignty)
  • Near-zero potential negative impact on operations such as policy with audit effect, Tag assignment, RBAC permissions assignments that have been carefully reviewed.

PLAN & TEST ROOT MG CHANGES
• What – Carefully plan and test all enterprise-wide changes on the root management group before applying
• How – Test all changes to Root MG in a:
  • Test Lab - Representative lab tenant or lab segment in production tenant
  • Production Pilot - Segment MG or Designated subset in subscription(s) / MG
  Testing should include manual changes, scripted changes, and implementation of Azure Blueprints
• Why – Changes in the root management group can affect every resource on Azure. While this is a powerful way to ensure consistency across the enterprise, errors or incorrect usage can negatively impact production operations.
GRC – Top Risk
BEST PRACTICE CHOICE / CRITICAL GUIDANCE
INCIDENT NOTIFICATION
Why – Rapidly identifying and remediating common security hygiene risks can significantly reduce overall risk
Governance – Access for Security Personnel
CRITICAL BEST PRACTICES

BEST PRACTICE
• What – Use Azure Security Center to report on compliance with regulatory standards
• How – https://docs.microsoft.com/en-us/azure/security-center/security-center-compliance-dashboard

BEST PRACTICE
• What – Use Azure Blueprints to rapidly and consistently deploy compliant workloads
• How – Azure Blueprint Service automates deployment of environments including RBAC roles, policies, resources (VM/Net/Storage/etc.), and more. Several Security and Compliance Blueprints templates are available

Why – These capabilities help you stay compliant with regulatory standards
GRC – Benchmarks
GUIDANCE
CIS Benchmark - https://www.cisecurity.org/benchmark/azure/

GENERAL GUIDANCE
Confidential Computing
Identify whether you need to utilize Confidential Computing to meet regulatory or security requirements
https://azure.microsoft.com/en-us/blog/azure-confidential-computing/

GRC BEST PRACTICE CHOICE
GENERAL GUIDANCE
Penetration Testing
Use Penetration Testing or Red Team activities to validate security defenses
https://technet.microsoft.com/en-us/mt784683
Security Operations
https://docs.microsoft.com/en-us/azure/architecture/security/security-operations
Microsoft’s approach (from our SOC)
The First Big Challenge of every SOC: Overwhelming Signal & Limited Human Capacity (Billions of events per month)
• CONCERN 1 – Miss real detections while chasing false positives
• CONCERN 2 – Attackers operate freely until remediated
Enforce Quality + Apply Technology (Detect, Respond):
• Enforce 90% true positive on alert feeds
• Machine Learning (Artificial Intelligence)
• Hundreds of investigations
SIEM Integration
Existing SIEM – Microsoft provides APIs and connectors (CEF/Syslog/API) for Log & Alert Integration: Azure, Office 365, Azure Advanced Threat Protection (ATP), Microsoft Defender ATP, Microsoft Cloud App Security, Microsoft Security Tools
AZURE SENTINEL – Built-in 1st & 3rd party connectors; Integrated toolset for rapid threat remediation

SOC Reference Architecture
Breadth – Microsoft Threat Protection: Unified Alert Queue; Customized Alerts
Depth – High quality alerts; End to end investigation and remediation
Centralized Visibility – Azure Security Center, Azure Sentinel
IDENTIFY | PROTECT | DETECT | RESPOND | RECOVER
[Diagram: log flow and alert generation across the tools above]
CRITICAL GUIDANCE
GENERAL GUIDANCE
https://docs.microsoft.com/en-us/azure/architecture/security/identity
Identity as the Control Plane
Single Sign-On and Zero Trust Access Control Across Your Enterprise
[Diagram: Azure Active Directory at the centre, connecting Partners, Customers, Commercial IdPs, Consumer IdPs, BYOD, On-premises, and Cloud]
Managed identities for Azure resources
Simplifies authentication/security for developers (vs. service principals)
[Diagram: Your code running on an Azure VM authenticating to an Azure Service (e.g. ARM, Azure Storage) with a managed identity]
Password Spray
200,000 accounts compromised in Aug 2018 (Primarily via legacy AuthN protocols)
Phishing
5B emails blocked in 2018
44M risk events in Aug 2018
Breach Replay
650,000 accounts with leaked credentials in 2018

Password Spray – Typical Attack
1. Attempt a common password used against many, many accounts (stay below account lockout threshold).
2. After successful login, dump the GAL.
3. Start pivoting in environment.
[Diagram: the same password, Password123, tried against a long list of different user accounts]
Identity – Consistency
CRITICAL BEST PRACTICES

• What – Block legacy authentication protocols for Azure AD
• Why – Weaknesses in older protocols are actively exploited by attackers daily, particularly for bypassing MFA and for password spray attacks (majority use legacy auth)
• How – Configure Conditional Access to block legacy protocols
https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Azure-AD-Conditional-Access-support-for-blocking-legacy-auth-is/ba-p/245417
For more information: https://www.youtube.com/watch?v=wGk0J4z90GI

• What – Don’t synchronize accounts to Azure AD that have high privileges in your existing Active Directory
• Why – This mitigates the risk of adversaries pivoting from cloud to on premises assets (creating a potential major incident).
• How – This is blocked by default. Do not change the default Azure AD Connect configuration that filters out these accounts
See also the converse guidance in Administration section:
• Critical Impact Admin - Account
• Critical Impact Admin - Workstation
Identity – Password Synchronization
CRITICAL BEST PRACTICE

AZURE AD PASSWORD PROTECTION
• What – Choose the level of password protection in Azure Active Directory
• Why – Static on-premises defense capabilities can no longer protect password-based accounts.
  • Microsoft - https://www.microsoft.com/en-us/research/publication/password-guidance/
  • NIST - https://pages.nist.gov/800-63-3/sp800-63b.html
1. Report & Remediate – View reports and manually remediate accounts
  • Azure AD reporting - Risk events are part of Azure AD's security reports. For more information, see the users at risk security report and the risky sign-ins security report.
  • Azure AD Identity Protection - Risk events are also part of the reporting capabilities of Azure Active Directory Identity Protection.
  • Use the Identity Protection risk events API to gain programmatic access to security detections using Microsoft Graph.
2. Automatic Enforcement – Automatically remediate high risk passwords with Conditional Access (leveraging Azure AD Identity Protection risk assessments)
  https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview
GENERAL GUIDANCE

Administration
https://docs.microsoft.com/en-us/azure/architecture/security/critical-impact-accounts
Highest Protection for Highest Privileges
1. Global Azure AD Admins + Azure Tenant Admins*
2. Data Access
• Groups & Accounts with read/write/delete access to business-critical data
3. Operational Access
• Groups & Accounts with control of business-critical systems
*Owners & Admins of Management Groups (MGs)/Subscriptions containing:
• Shared Services
• Business Critical Apps
You should consider applying similar procedures to other admins as well
Admin – Quantity
BEST PRACTICE CHOICE

• What – Ensure all critical impact admins are managed Azure AD accounts
• Why – This provides enterprise visibility into whether the policies of the organization and any regulatory requirements are followed.
• How – Ensure all critical impact admins are in your enterprise Azure AD. Remove any consumer accounts from these roles (e.g. Microsoft accounts like @Hotmail.com, @live.com, @outlook.com, etc.)

• What – Ensure all critical impact admins have a separate account for administrative tasks
• Why – Adversaries regularly use phishing and web browser attacks to compromise administrative accounts.
• How – Create a separate administrative account for critical privileges. For these accounts, block productivity tools like Office 365 email (remove license) and arbitrary web browsing (with proxy and/or application controls if available)
Admin – Emergency Access
CRITICAL BEST PRACTICE

DEFAULT RECOMMENDATION – Native Cloud Management & Protection
• Native Azure AD Accounts – Create Native Azure AD Accounts that are not synchronized with on-premises Active Directory
• Join to Azure AD & Manage/Patch with Intune/other
• Protect and Monitor with Windows Defender ATP/other
• 3rd Party MFA Solution
Note: Text Message based MFA is now relatively inexpensive for attackers to bypass, so focus on passwordless & stronger MFA
Admin – Workstation Security
CRITICAL BEST PRACTICES
IT OPERATIONS / ADMINS
• What – For critical impact admins, choose what admin workstation security level to start with (and when you will
Workstation PROFILES:
• Low Security Workstation – Productivity Apps
• Enhanced Security Workstation – Low Security Plus…
• High Security Workstation – Enhanced Security Plus…
• Specialized Workstation – High Security Plus…
• Secured Workstation (aka PAW) – High Security Plus…
• What – Use built-in roles for assigning permissions
• Why – Customization leads to complexity that inhibits human understanding, security, automation, and governance.
• How – Evaluate the use of built-in roles designed to cover most common scenarios.

• What – Avoid permissions specifically referencing resources or users
• Why – Specific permissions create unneeded complexity and confusion, accumulating into a “legacy” configuration that is difficult to fix (without fear of “breaking something”)
• How – Avoid Resource specific permissions – Instead, you should use:
  • Management Groups for enterprise wide permissions
  • Resource groups for permissions within subscriptions
Automatic deprovisioning
Ensure you have a process for disabling or deleting administrative accounts when admin personnel leave the organization (or leave administrative positions)
See also “Regularly Review Critical Access” in Governance, Risk, and Compliance section

Attack Simulation
Regularly test administrative users using current attack techniques to educate and empower them. You can use Office 365 Attack Simulation capabilities or a 3rd party offering
https://docs.microsoft.com/en-us/office365/securitycompliance/attack-simulator
Network Security & Containment
https://docs.microsoft.com/en-us/azure/architecture/security/network-security-containment
Azure Networking Services
• CDN
• Network Watcher
• Front Door
• ExpressRoute Monitor
• Traffic Manager
• Azure Monitor
• Application Gateway
• Virtual Network TAP
• Load Balancer
Network protection services
[Diagram: Internet-facing virtual network with an NSG on each subnet]
Physical vs. Software Defined Networking
Intercept points vs. controls on groups of assets
[Diagram: Internet → Public IP → Azure Firewall → Virtual Network with subnets, each protected by an NSG]

Web App Firewalls
[Diagram: as above, plus a Public IP fronting a Web Application Firewall]

Distributed Denial of Service (DDoS) protection
Basic Protection Built in + Available Advanced Protection
[Diagram: as above, plus DDoS Protection on the virtual network]

Connecting to On Premises Resources
ExpressRoute or VPN provides connectivity
[Diagram: as above, plus a Gateway Subnet with an ExpressRoute Gateway connecting to On Premises Network(s)]

Reference Configuration with Native Controls
Azure Firewall + Application Gateway with Web App Firewall (WAF)
[Diagram: Core Services virtual network combining Azure Firewall, Web Application Firewall, DDoS Protection, NSGs, and ExpressRoute Gateway]
Reference Configuration with Virtual Appliance(s)
Next Generation Firewall with Integrated WAF/Proxy
Popular Next Generation Firewalls available in Azure Marketplace
[Diagram: Internet → Public IP → DDoS Protection → Load balancer → NVA(s) in an availability set, each with an outside NIC and an inside NIC, between an outside DMZ subnet and an inside DMZ subnet; Network Security Group (NSG) on each subnet; Core Services virtual network subnets behind]
More Information online: https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/shared-services
Reference Enterprise Design - Azure Network Security
Hybrid Cloud Infrastructure – Network Architecture
[Diagram: Microsoft Azure tenant with a Core Services Segment (Edge Segment: Public IP, DDoS Mitigation, Load Balancer (Optional), Firewall, NSGs, ExpressRoute Gateway and gateway subnet; Management & Security; Domain Controllers), Shared Services Segment(s), Additional Segment(s) (Extranet Applications, Intranet Applications, Others as needed) and Development Stage Segments (Dev, Test, Prod), joined by VNET PEERING; On Premises Datacenter(s) and 3rd party IaaS connected via ExpressRoute; Native PaaS Apps (App Service Web App, API, etc.) and Azure Services (Storage Account, Event Hub, Database, etc.) on the Azure Network (uses public IP address space); IaaS App VMs; Security Organization]
Legend: Subscription; Enterprise Applications; Virtual Network; Subnet; Network Security Group (NSG); Application; On-premises App or Component
Networks & Containment – Enterprise Consistency
CRITICAL BEST PRACTICES
EXPRESSROUTE TERMINATION
DDOS MITIGATIONS

GENERAL GUIDANCE
Network Logs
As required, integrate network logs into SIEM / analytics platform using Azure Monitor
• NSG Logs
• WAF Logs
• Azure Firewall Logs
Virtual TAP
If required, integrate virtual TAP into existing network monitoring program/analytics capability
Information Protection & Storage
https://docs.microsoft.com/en-us/azure/architecture/security/storage-data-encryption
Azure Storage
[Diagram: access over REST and SMB 3.1; Storage Firewall and Virtual Network / Subnet restrictions (Storage Access Control); Diagnostic Log; Advanced Threat Protection]
Authentication is still required to access storage (Azure AD, SAS)
Advanced Threat Protection: https://docs.microsoft.com/en-us/azure/storage/common/storage-advanced-threat-protection
(1) Turn on Advanced Threat Protection
(3) Real-time actionable alerts
Encryption
Azure Data Encryption is not a panacea
CRITICAL GUIDANCE
What are CIS Benchmarks?
Goal – Simplify and drive consistency in our customers’ efforts to securely deploy workloads to Azure
Benefits – CIS brings independence and consensus driven approach; Benchmarks informed by Microsoft’s experience & best practices
How to fix…
Summary of CIS Controls v1.0

Section                 | Recommendations                                | Control Count
Identity & Access Mgmt. | Setting the appropriate IAM policies           | 23
Azure Security Center   | Configuration and use of Azure Security Center | 19
Total Recommendations   |                                                | 92