BRK3263 Secure Exchange on-premises as well as Microsoft secures Exchange Online (7/17/2018 9:54 PM)
Speakers: Andrew Higginbotham, Microsoft MVP; Raji Dani, Group Program Manager, Office 365 Security

1 BRK3263 Secure Exchange on-premises as well as Microsoft secures Exchange Online
Andrew Higginbotham, Microsoft MVP
Raji Dani, Group Program Manager, Office 365 Security
© Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

2 Agenda (Microsoft Ignite 2016)
Discuss Exchange security concerns: operational, infrastructure, feature-based
Detail how they can be mitigated on-premises
Detail how Microsoft handles those challenges in Office 365
Secure Score & Threat Finder demo
Mail Sniper/Ruler Attack demo

3 Office 365 momentum
100+ million monthly active commercial users
43% Office 365 commercial revenue growth
$19B+ annual commercial cloud revenue run rate
89% of the Fortune 500 have at least three of our cloud offerings
80% of the Fortune 1000 have Office 365
89% of the Global 1000 have Office 365

4 Prevention begins with visibility into the threat landscape
The Microsoft intelligent security graph:
1 billion Windows devices updated
18+ billion Bing web pages scanned
450 billion Microsoft Azure user authentications
200+ global cloud consumer and commercial services
400 billion Office emails analyzed

5 Securing infrastructure in an Exchange environment

6 BitLocker on Exchange Servers
Aligns with the Preferred Architecture: encrypt the OS and database volumes
Use TPM 2.0 for FIPS compliance
You cannot rely upon a TPM when virtualizing; you must rely upon a password or USB key if encrypting the OS volume
Plan for the time and performance impact of the encryption process (a 3 TB disk takes about 8 hours to encrypt entirely, at roughly 90% CPU utilization)
Understand the prerequisites (AD, Group Policy, etc.)
Understand the operational challenges
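The slide asks you to understand the operational side of BitLocker on Exchange servers. The script below is an added example (not from the session or from Microsoft) that reports, for each mailbox database on the local server, whether the volume holding its EDB file and its log folder is encrypted and protected, and whether a TPM is usable. It assumes the Exchange Management Shell together with the BitLocker and TrustedPlatformModule PowerShell modules (Windows Server 2012 R2 or later); the mount-point matching logic and output columns are the example's own.

```powershell
# Added example, not from the session: BitLocker status for the volumes behind this server's
# Exchange databases. Assumes Exchange Management Shell plus the BitLocker and
# TrustedPlatformModule modules; run elevated on the Exchange server.

function Get-ExchangeVolumeEncryptionReport {
    param([string]$Server = $env:COMPUTERNAME)

    # Longest mount point first, so C:\ExchangeVolumes\Volume1 wins over C:\ when matching a path
    $volumes = Get-BitLockerVolume | Sort-Object { $_.MountPoint.Length } -Descending
    # On a virtual machine TpmPresent is usually $false: the slide's "cannot rely upon TPM" case
    $tpm = Get-Tpm

    $paths = foreach ($db in Get-MailboxDatabase -Server $Server) {
        [pscustomobject]@{ Database = $db.Name; Kind = 'EDB'; Path = $db.EdbFilePath.PathName }
        [pscustomobject]@{ Database = $db.Name; Kind = 'Log'; Path = $db.LogFolderPath.PathName }
    }
    # The OS volume is in scope too (Preferred Architecture encrypts OS and database volumes)
    $paths += [pscustomobject]@{ Database = '(OS)'; Kind = 'OS'; Path = $env:SystemRoot }

    foreach ($p in $paths) {
        $candidate = $p.Path.TrimEnd('\') + '\'
        $vol = $volumes |
            Where-Object { $candidate -like ($_.MountPoint.TrimEnd('\') + '\*') } |
            Select-Object -First 1
        [pscustomobject]@{
            Database          = $p.Database
            Kind              = $p.Kind
            Path              = $p.Path
            MountPoint        = $vol.MountPoint
            VolumeStatus      = $vol.VolumeStatus        # FullyEncrypted, EncryptionInProgress, FullyDecrypted ...
            ProtectionStatus  = $vol.ProtectionStatus    # On, or Off (a suspended volume also reports Off)
            EncryptionPercent = $vol.EncryptionPercentage
            KeyProtectors     = ($vol.KeyProtector.KeyProtectorType -join ',')  # Tpm, RecoveryPassword, ExternalKey ...
            TpmPresent        = $tpm.TpmPresent
            TpmReady          = $tpm.TpmReady
        }
    }
}

Get-ExchangeVolumeEncryptionReport | Format-Table -AutoSize
```

Anything that shows ProtectionStatus Off, an empty MountPoint (a path on a volume BitLocker does not know about), or a volume still in EncryptionInProgress is worth a ticket before the server joins a DAG, because the encryption pass competes with the database for the CPU and disk the slide warns about.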

7 TLS & SSL best practices
An operational challenge with no singular solution: disable SSL 3.0 on browsers, clients and servers; prioritize TLS 1.2 ciphers; etc.
Whether TLS 1.0 can be disabled depends upon multiple factors: Exchange Server version support, server OS support, client OS support
June TLS 1.0 deadline for PCI compliance
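The protocol settings the slide refers to live in the Schannel registry keys on each Windows server. The following script is an added example, not code from the session or from Microsoft; it reads the current state of every SSL/TLS version for both the client and server side, disables SSL 3.0, explicitly enables TLS 1.2, and sets the .NET Framework to follow the system TLS defaults (Exchange runs on .NET, which otherwise chooses its own TLS version). It assumes the standard Schannel and .NET v4 registry layout on Windows Server; the function names are the example's own. TLS 1.0 and 1.1 are deliberately left as found, because, as the slide says, whether they can go depends on the Exchange version, server OS and client OS.

```powershell
# Added example, not from the session: audit and harden Schannel protocol settings on an
# Exchange server. Assumes the standard Windows Schannel registry layout; run elevated and
# reboot afterwards for the change to take effect.

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelProtocolState {
    foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($side in 'Client', 'Server') {
            $key = Join-Path $schannel "$proto\$side"
            $enabled = $null; $disabledByDefault = $null
            if (Test-Path $key) {
                $props = Get-ItemProperty -Path $key
                $enabled = $props.Enabled
                $disabledByDefault = $props.DisabledByDefault
            }
            # A missing value means "OS default", which is not the same as disabled
            [pscustomobject]@{ Protocol = $proto; Side = $side; Enabled = $enabled; DisabledByDefault = $disabledByDefault }
        }
    }
}

function Set-SchannelProtocol {
    param([Parameter(Mandatory)][string]$Protocol, [Parameter(Mandatory)][bool]$Enable)
    foreach ($side in 'Client', 'Server') {
        $key = Join-Path $schannel "$Protocol\$side"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name Enabled -PropertyType DWord -Value ([int]$Enable) -Force | Out-Null
        New-ItemProperty -Path $key -Name DisabledByDefault -PropertyType DWord -Value ([int](-not $Enable)) -Force | Out-Null
    }
}

# SSL 3.0 off on both sides; TLS 1.2 explicitly on so nothing depends on the OS default.
Set-SchannelProtocol -Protocol 'SSL 3.0' -Enable $false
Set-SchannelProtocol -Protocol 'TLS 1.2' -Enable $true

# .NET Framework: use strong crypto and follow the system (Schannel) TLS defaults, in both the
# 64-bit and the 32-bit (Wow6432Node) hives.
foreach ($net in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319') {
    if (-not (Test-Path $net)) { New-Item -Path $net -Force | Out-Null }
    New-ItemProperty -Path $net -Name SystemDefaultTlsVersions -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $net -Name SchUseStrongCrypto -PropertyType DWord -Value 1 -Force | Out-Null
}

Get-SchannelProtocolState | Format-Table -AutoSize
```

Run `Get-SchannelProtocolState` on every Exchange server and on the load balancer's backend checks before and after the change; a client-side value matters as much as the server side, because Exchange servers are TLS clients of each other, of domain controllers and of smart hosts.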

8 Data Protection in Office 365
Built into the service; helps meet compliance needs
Service capabilities and customer-managed controls for content in transit, at rest, and on the device

9 Data secured by default in Office 365
In transit, TLS encryption protects client-to-server, server-to-server, and datacenter-to-datacenter communications.
At rest, BitLocker protects against theft or inappropriate handling of a disk or server; service encryption provides separation of duty between the OS admin and the data, and gives customers the option to control and manage their encryption keys.
(Diagram: customer Windows PC to Office 365 server, TLS protected; Office 365 server to server, TLS protected; data disks holding files and mailboxes.)

10 New! Customer Key
Manage and control your encryption keys for Office 365 data at rest
Added compliance and control; built into the service; auditable and verified

11 Anti-virus best practices
Always follow the recommended folder/process/file exclusions
Understand what changes occur and how often they do. “But nothing has changed!” Definition and engine updates are changes.
It is very common for Support to request that anti-virus be disabled during troubleshooting; have an operational plan in place for this.

12 Run State: PAVC
700k machines scanned every 24 hours for vulnerabilities
Unauthenticated network scans
Authenticated scans of the patch state in each host
Automatic patching with Repair box when vulnerabilities are found

13 Intrusion Detection/Prevention
Sometimes the best defense is a good offense
Block ports & restrict access, but who’s manning the guard tower? Deploy intelligent standalone or monitored solutions; proper monitoring and alerting is critical for a timely response
Many attacks occur from internal IP ranges
No need to “Swiss cheese” internal routers/firewalls: you should not be blocking ports between internal Exchange servers (for example, servers within a DAG still use RPC for communications)

14 Where SHOULD your firewall be?
(Diagram. Components: Outlook user, telephony infrastructure, Edge Transport, load balancer, Exchange 2013 CAS, Exchange 2013 Mailbox Server. Protocols shown: SMTP via Edge Transport, HTTPS, SIP, and SIP+RTP to the telephony infrastructure.)

15 Security strategy beyond defense
Red team: our own Office 365 pen testers test our services
Simulate outsider and insider attack scenarios
Strict rules of engagement (“do no harm”)
Practice incident response

16 AttackBot: Automated Pen Testing
Simulates diverse attacker behaviors against the service
Used to validate security detections: how well are we catching the attacks?
Runs once per hour automatically, with randomized attack scenario and target selection

17 Collecting and processing security data
(Pipeline diagram.) Inputs from the O365 Substrate Infrastructure, O(M) events/sec: HostIDS data; Windows OS events (security, disk, etc.); context data (inventory, deployment, users); application data (Torus usage, cmdlets, etc.); other on-box components (malware, WPS scanner).
Vanquish cluster (Spark/Cassandra): O(100K) machines scored every 15 minutes; near-real-time processing with intelligent logic for combining signals (triangulation); built on the O365 Customer Fabric platform.
Outputs: analyst tools and dashboards, O(100) results/day; alerting and automation, O(1) paging alerts/day.

18 Detection data: a closer look
Raw events (4M/sec) become signals of interest (10K/hour), which are processed automatically (Vanquish) into detections (100s/day) that are triaged by analysts.

19 Detection example heatmap: visualizing malicious activity
Shading indicates the presence of security signals on the machine. Red cells indicate multiple signals present at the same time (triangulation).
More signals means higher fidelity; it is less likely that they all occur at once due to system noise.
In this example, the red cells are AttackBot adding a new user to admin. This generates 3 distinct attack signals (C2, encoded cmdlet, local user added to group).
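Slides 17 to 19 describe triangulation: per-machine signals are combined over a time window, and a cell turns red only when several distinct signal types coincide. The script below is an added example (not Microsoft's Vanquish logic and not from the session) of that scoring rule in miniature: it buckets constructed host events into 15-minute windows per machine, counts distinct signal types per bucket, and shades the bucket accordingly. Event records, machine names and signal names are constructed for the example.

```powershell
# Added example, not from the session: the triangulation rule behind the heatmap, applied to
# constructed host-based signals. The same signal repeated does not raise fidelity; a different
# signal in the same window does.

$events = @(
    [pscustomobject]@{ Machine = 'EX-MBX-01'; Time = [datetime]'2016-09-26T10:01:00'; Signal = 'C2' }
    [pscustomobject]@{ Machine = 'EX-MBX-01'; Time = [datetime]'2016-09-26T10:04:00'; Signal = 'EncodedCmdlet' }
    [pscustomobject]@{ Machine = 'EX-MBX-01'; Time = [datetime]'2016-09-26T10:09:00'; Signal = 'LocalUserAddedToGroup' }
    [pscustomobject]@{ Machine = 'EX-MBX-02'; Time = [datetime]'2016-09-26T10:03:00'; Signal = 'EncodedCmdlet' }
    [pscustomobject]@{ Machine = 'EX-MBX-02'; Time = [datetime]'2016-09-26T10:03:30'; Signal = 'EncodedCmdlet' }  # same type twice
    [pscustomobject]@{ Machine = 'EX-MBX-03'; Time = [datetime]'2016-09-26T10:20:00'; Signal = 'C2' }
    [pscustomobject]@{ Machine = 'EX-MBX-03'; Time = [datetime]'2016-09-26T10:31:00'; Signal = 'EncodedCmdlet' }  # next window
)

function Get-TriangulationCells {
    param([object[]]$Events, [int]$WindowMinutes = 15)
    $windowTicks = [timespan]::FromMinutes($WindowMinutes).Ticks

    $Events |
        # Align each event to the start of its window (floor of time / window size)
        Select-Object *, @{ Name = 'Window'; Expression = {
            [datetime]::new([long][math]::Floor($_.Time.Ticks / $windowTicks) * $windowTicks) } } |
        Group-Object Machine, Window |
        ForEach-Object {
            $distinct = @($_.Group.Signal | Sort-Object -Unique)
            # Shade grows with the number of distinct signal types, never with repeats of one type
            $shade = switch ($distinct.Count) { 1 { 'light' } 2 { 'medium' } default { 'red' } }
            [pscustomobject]@{
                Machine = $_.Group[0].Machine
                Window  = $_.Group[0].Window
                Signals = ($distinct -join ',')
                Count   = $distinct.Count
                Shade   = $shade
            }
        } | Sort-Object Machine, Window
}

Get-TriangulationCells -Events $events | Format-Table -AutoSize
```

With the constructed input, EX-MBX-01 gets one red cell (three distinct signals in the 10:00 window), EX-MBX-02 stays light despite two events (both are the same signal type), and EX-MBX-03 never turns red because its two signals fall in different windows. Tuning the window width is the trade-off the slide alludes to: a wider window catches slower attackers but lets unrelated noise coincide more often.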

20 Security response model
(Flow diagram.) Stages: event start, or a bug bounty report; event detected; incident assessment; security event confirmed; DevOps engaged; security team engaged; customer process: determine affected customers, determine customer impact, customer notification.

21 Publishing Exchange externally
Load balancers provide good reverse proxy solutions
The death of TMG was met with much panic
Windows Application Proxy is also a viable option for some environments
Do you actually need pre-authentication? Hint: Exchange Online doesn’t do it

22 Change Management

23 How we ship secure code
It all starts from the developers, the people who write the code.
Training: Standards of Business Conduct/Ethics; Security & Privacy Training; Application Security Fundamentals; internal phishing campaigns

24 Every feature begins with GRC review
The Governance, Risk and Compliance (GRC) team reviews: data flow diagrams; data classification; threat models; compliance requirements; privacy requirements; legal requirements

25 Can’t check in anything without a code review

26 Engineering Score credits developers
Engineers earn credit for completing best practices before they commit code to a master branch.

27 Build signing
Product code that runs in the datacenter must be digitally signed
Secure build pipeline with a build manifest signing mechanism
Detections and paging alerts against unsigned binaries
(Diagram. Signing: original code goes through a hash function; the hash is encrypted using the private key, producing the signature (encrypted hash & time stamp), which together with the code signing certificate yields the signed code. Verification: the signed code is hashed again; the signature is decrypted using the public key; the two hashes are compared to verify authenticity.)
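The diagram on this slide is the standard hash-sign-verify flow, and the bullet about build manifest signing is the same flow applied to a list of file hashes. The script below is an added example, not the Office 365 build pipeline and not from the session: it builds a deterministic manifest of SHA-256 hashes for a folder, signs the manifest with an RSA private key, verifies it with the public half, re-checks every file against the manifest, and lists any binary that carries no valid Authenticode signature (the "unsigned binaries" the slide pages on). The RSA key pair is an ephemeral, constructed one created with the .NET `RSA` class; a real pipeline keeps the private key in an HSM or a code-signing certificate. The temp folder, file names and function names are the example's own.

```powershell
# Added example, not from the session: build-manifest signing and verification with .NET RSA,
# plus a scan for unsigned binaries. Assumes Windows PowerShell 5.1 or PowerShell 7 on Windows.

$hashAlg = [System.Security.Cryptography.HashAlgorithmName]::SHA256
$padding = [System.Security.Cryptography.RSASignaturePadding]::Pkcs1

function New-BuildManifest {
    # One "<sha256> <relative path>" line per file, sorted, so the manifest is deterministic
    param([string]$Root)
    $base = (Resolve-Path $Root).Path.TrimEnd('\')
    $lines = Get-ChildItem -Path $base -Recurse -File | Sort-Object FullName | ForEach-Object {
        '{0} {1}' -f (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash, $_.FullName.Substring($base.Length + 1)
    }
    return ($lines -join "`n")
}

function New-ManifestSignature {
    # Left half of the diagram: hash the manifest, encrypt the hash with the private key
    param([string]$Manifest, [System.Security.Cryptography.RSA]$PrivateKey)
    $bytes = [Text.Encoding]::UTF8.GetBytes($Manifest)
    return [Convert]::ToBase64String($PrivateKey.SignData($bytes, $hashAlg, $padding))
}

function Test-SignedBuild {
    # Right half of the diagram: verify the signature with the public key, then re-hash every
    # file on disk and compare with what the signed manifest says
    param([string]$Root, [string]$Manifest, [string]$Signature, [System.Security.Cryptography.RSA]$PublicKey)
    $bytes = [Text.Encoding]::UTF8.GetBytes($Manifest)
    if (-not $PublicKey.VerifyData($bytes, [Convert]::FromBase64String($Signature), $hashAlg, $padding)) {
        Write-Warning 'Manifest signature does not verify'
        return $false
    }
    return (New-BuildManifest -Root $Root) -eq $Manifest
}

function Find-UnsignedBinaries {
    # The detection the slide pages on: binaries with no valid Authenticode signature
    param([string]$Root)
    Get-ChildItem -Path $Root -Recurse -Include *.exe, *.dll -File |
        Get-AuthenticodeSignature |
        Where-Object Status -ne 'Valid' |
        Select-Object Path, Status
}

# Demo on a constructed build folder
$build = Join-Path ([IO.Path]::GetTempPath()) ('build-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path (Join-Path $build 'bin') -Force | Out-Null
Set-Content -Path (Join-Path $build 'bin\Service.dll') -Value 'release binary v1'   # constructed content
Set-Content -Path (Join-Path $build 'config.xml') -Value '<settings/>'

$signer   = [System.Security.Cryptography.RSA]::Create()        # ephemeral key pair (constructed)
$verifier = [System.Security.Cryptography.RSA]::Create()
$verifier.ImportParameters($signer.ExportParameters($false))    # public half only

$manifest  = New-BuildManifest -Root $build
$signature = New-ManifestSignature -Manifest $manifest -PrivateKey $signer
"Clean build verifies: $(Test-SignedBuild -Root $build -Manifest $manifest -Signature $signature -PublicKey $verifier)"

Add-Content -Path (Join-Path $build 'bin\Service.dll') -Value 'tampered'
"Tampered build verifies: $(Test-SignedBuild -Root $build -Manifest $manifest -Signature $signature -PublicKey $verifier)"

Find-UnsignedBinaries -Root $build | Format-Table -AutoSize   # the constructed Service.dll reports NotSigned
Remove-Item -Path $build -Recurse -Force
```

The first check prints True and the second False, because the modified DLL no longer matches its manifest entry even though the manifest signature itself is still valid. That split is the point of manifest signing: the signature proves who produced the list, and the per-file hashes prove nothing changed after they did.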

28 Staged deployment
Ring 0: feature teams
Ring 1: Office 365 team
Ring 2: Microsoft
Ring 3: First Release
Ring 4: worldwide
Separate environments: Office 365 US Government, Office 365 Germany, Office 365 operated by 21Vianet

29 Exchange security features

30 Modern Authentication
Based on the Active Directory Authentication Library (ADAL) and OAuth 2.0
Enabled at the Exchange organization level
Outlook client dependencies (2013/2016 with the proper update)
General availability in spring 2016 for O365
But what about on-premises? See Modern authentication for Exchange Server on-premises - BRK3249

31 Multi-Factor Authentication
Modern Authentication is the key to an all-Microsoft multi-factor authentication solution
See the recording of Greg’s session for more information
Third-party solutions have led the charge in years past
Know the difference between two-factor and the same factor twice

32 If you do nothing else… MFA
Mobile apps: push notification; one-time passcode (OTP) token
Phone calls: out-of-band* call
Text messages: one-time passcode (OTP) by text
*Out of band refers to being able to use a second factor with no modification to the existing app UX.

33 Safe Links via ATP
Web servers perform the latest URL reputation check; protect against sites with malicious content and phishing sites; provide admins visibility into compromised users
Rewriting the URLs proxies them through another server; a user clicking the URL is taken to EOP web servers for the latest check at the “time of click”
(Diagram. EOP user without ATP: IP + envelope filter, signature-based AV, blocking known exploits, antispam filter. EOP user with ATP: the same, plus rewriting URLs to redirect to a web server.)

34 Data Loss Prevention
Helps to identify, monitor, and protect sensitive data through deep content analysis
End-user education

35 Protecting against Rogue Administrators
Separate infrastructure admins from Exchange admins where possible; a benefit of the Preferred Architecture is that fewer teams are required (SAN team vs network team vs platform team vs Exchange team)
Tips and techniques:
Limit Enterprise Admins/Domain Admins
RBAC only covers the Exchange toolset (ADSIEDIT can still be used)
Implement mailbox and admin audit logging
Limit usable applications via AppLocker
Remove access to destructive cmdlets via RBAC
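Three of the tips on this slide map directly onto Exchange Management Shell commands: admin and mailbox audit logging, a custom RBAC role with the destructive cmdlets stripped out, and an audit-log search that tells you who ran them anyway. The script below is an added example, not from the session or from Microsoft; the role name, role group name and member group are constructed placeholders, and it assumes an on-premises Exchange 2013/2016 organization where you hold the Organization Management role. As the slide notes, RBAC only constrains the Exchange tools: ADSIEDIT and Domain Admin rights bypass it, which is why the Enterprise/Domain Admins tip stands on its own.

```powershell
# Added example, not from the session: audit logging, a restricted RBAC role, and a destructive
# cmdlet search in the Exchange Management Shell. Names marked "constructed" are placeholders.

# 1. Admin audit logging: record every cmdlet and every parameter for a year
Set-AdminAuditLogConfig -AdminAuditLogEnabled $true -AdminAuditLogCmdlets * -AdminAuditLogParameters * `
    -AdminAuditLogAgeLimit 365.00:00:00

# Mailbox audit logging for admin and delegate access on every existing mailbox
# (new mailboxes need the same treatment in your provisioning process)
Get-Mailbox -ResultSize Unlimited | Set-Mailbox -AuditEnabled $true `
    -AuditAdmin Update, Move, MoveToDeletedItems, SoftDelete, HardDelete, FolderBind, SendAs, SendOnBehalf, MessageBind `
    -AuditDelegate Update, Move, MoveToDeletedItems, SoftDelete, HardDelete, FolderBind, SendAs, SendOnBehalf `
    -AuditLogAgeLimit 180.00:00:00

# 2. A custom role derived from the built-in "Mail Recipients" role, minus Remove-* and Disable-*
$roleName = 'Mail Recipients - Helpdesk (No Delete)'   # constructed name
if (-not (Get-ManagementRole -Identity $roleName -ErrorAction SilentlyContinue)) {
    New-ManagementRole -Name $roleName -Parent 'Mail Recipients' | Out-Null
}
Get-ManagementRoleEntry "$roleName\*" |
    Where-Object { $_.Name -like 'Remove-*' -or $_.Name -like 'Disable-*' } |
    Remove-ManagementRoleEntry -Confirm:$false

# Grant the restricted role through a role group rather than handing out the built-in role
New-RoleGroup -Name 'Tier 1 Helpdesk' -Roles $roleName -Members 'HelpdeskStaff' | Out-Null   # constructed names

# 3. Detection: who ran destructive or export-capable cmdlets in the last 7 days?
Search-AdminAuditLog -Cmdlets Remove-Mailbox, Disable-Mailbox, Remove-MailboxDatabase, New-MailboxExportRequest `
    -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) |
    Select-Object RunDate, Caller, CmdletName, ObjectModified, Succeeded |
    Sort-Object RunDate -Descending
```

Review the output of `Get-ManagementRoleEntry "$roleName\*"` after the removal to confirm the remaining entries are what the helpdesk actually needs, and schedule the audit-log search as a recurring job whose results land somewhere the Exchange admins themselves cannot edit.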

36 State-of-the-art access control
Three pillars: service excellence, OCE excellence, technology excellence
Customer content isolated from service operations
Task-based execution model with least-privilege access
Minimal human touch
Background check and clearances
Multi-factor authentication
Multiple levels of approvals
Zero standing admin rights
Just-in-time access; just-enough access; time bound
Logging and auditing

37 Lockbox: access control management system
(Flow: a Microsoft engineer submits a request to the Lockbox system; a Microsoft approver grants Microsoft approval; the engineer then receives access.)
Scoped, least-privileged access
Just-in-time access for a limited duration
Access only after approval from approvers
Audit logs for all access available

38 Office 365 management activity API
Comprehensive: complete, rich instrumentation with 150+ events and 80+ fields
Exchange extended properties: Operation Result, Logon Type, Internal Logon Type, Mailbox Guid, Mailbox Owner UPN, Mailbox Owner SID, Mailbox Owner Master Account Sid, Logon User Sid, Logon User Display Name, Exchange Folder ID, Exchange Folder Path Name, Exchange Item ID, Exchange Item Subject, Exchange Item Parent Folder, Folder, Cross Mailbox Operation, Dest Mailbox Guid, Dest Mailbox Owner UPN, Dest Mailbox Owner Sid, Dest Mailbox Owner Master AccountSid, Dest Folder, Folders, Source Items, Modified Object Resolved Name, Succeeded, Error, Parameters, Modified Properties
SharePoint/OneDrive extended properties: Site, Item Type, Event Source, Source Name, User Agent, Custom Event, Event Data, Modified Properties, Machine Domain Info, Machine ID, Site URL, Source Relative URL, Source File Name, Source File Extension, Destination Relative URL, Destination File Name, Destination File Extension, User Shared With, Sharing Type
Azure AD extended properties: Inter Systems ID, Intra Systems ID, Result, Support Ticket ID, Target, Credential Type, Login Type, Client Login Time, Client Mode, Credential Flag, Device ID, Login Status, Mobile Keep Signed In, Mobile Login Time, Mobile Market, Mobile User Agent String, Purpose, Sender PUID, Service End Point, STS Login Option
Consistent base audit schema: ID, Record ID, Client IP, Audit Log Record Type, Workload, Object ID, Audit Log Record Name, Workload Name, Geography, CreationTime, Event Time, IP of Client, Operation, Action Taken, Entity ID, Organization ID, Tenant ID, Geo of IP, User Type, User Role, User Key, User ID from AAD

39 Customer lockbox
Now we want to extend Lockbox approval to you for Microsoft human access to customer content.
(Flow: a Microsoft engineer submits a request to the Lockbox system; a Microsoft approver approves; the customer then approves; only then is access granted.)
The customer controls authorization of Office 365 personnel access.

40 Attend this week or watch online
Taming the Beast - How We Secure the World's Largest Enterprise Cloud Service - BRK2141
Implementing Exchange Online Protection for on-premises Exchange - BRK3262
Anatomy of an Attack: Defending Yourself in the Office 365 Cloud - BRK2150
Modern authentication for Exchange Server on-premises - BRK3249

41 Secure Score / Threat Finder demo

42 Q & A

43 Mail Sniper/Ruler Attack demo

44 Please evaluate this session
PC or tablet: visit MyIgnite
Phone: download and use the Microsoft Ignite mobile app
Your input is important!
