Microsoft security concepts
This post contains content from 2020. It has since been updated in my new post: Microsoft Security concepts.
Security is a term that gets used a lot these days. Microsoft invests 1 billion US dollars annually and works with over 3500 security experts. The threat landscape has become more sophisticated and more malicious. Endpoints are mobile, may connect to the company network or have access to company resources, and identities have become the most important thing to protect. As you can see, we have a lot of challenges to handle.
This image shows Microsoft's enterprise-class security technology concept.
- Identity & access management - IAM is about your identities (user principals as well as service principals)
- Threat protection - active activities against threats or attacks
- Information protection - in the end it's all about protecting your data. This means having full authority over all organizational information.
- Security management - covers the general administration and governance of security.
SIEM and SOAR
- SIEM - security information and event management, covers managing security events based on the information collected across the security landscape.
- SOAR - security orchestration, automation and response, is kind of an evolved version of SIEM that focuses on automating security tasks.
Defense in depth
One security measure is no longer enough these days. Attacks have become more sophisticated and targeted, and security policies can often be circumvented with insider knowledge or vulnerabilities. Thus, a single perimeter can no longer be relied upon and multiple measures must be taken. This is defense in depth.
Verify explicitly: every authentication and authorization process must be checked against all available information at all times.
Least privileged access: user access should only be granted according to the concepts of just-in-time (only for a defined period of time for the corresponding actions) and just-enough access (dedicated authorizations for the respective action), JIT/JEA for short.
Assume breach: all operations should always be treated as if they were part of a compromise attempt or attack.
There are some free security features to secure your environment, but the most useful ones are in standard licenses such as Enterprise Mobility + Security (EMS) E3, which has a good amount of the most important IAM features, Office 365 E3 with the corresponding Office security tools (for example information protection), and Windows 10 E3 with OS security features. E5 has some more advanced features, as I would call it, for cloud-native environments or security geeks ;) Products like Defender for Endpoints (originally MDATP) and the complete Cloud app security are E5 license only.
Read more about license compliance.
Product & features
- Secure authentication (MFA) and conditional access should lead towards a zero trust model.
- Identity protection provides detection methods for risky or compromised user identities.
- Privileged access management (PIM) for just-in-time and just-enough admin access.
- Self-service products like self-service password reset (SSPR) or group management give the user more responsibility but also more possibilities.
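The "verify explicitly" principle and the identity products above only help if you can see where they were not applied. The following KQL query is an added example (not part of the original post) that I would run in Azure Sentinel against the SigninLogs table, assuming Azure AD sign-in logs are forwarded into the workspace via diagnostic settings; the 7-day window and the risk levels are my own choices. It lists users who signed in successfully while Identity Protection rated the sign-in as medium or high risk, no Conditional Access policy applied, and only a single factor was used.

```kql
// Added example, not from the original post. Assumes Azure AD sign-in logs are
// forwarded into the Azure Sentinel workspace (SigninLogs table).
// Goal: surface successful sign-ins where "verify explicitly" did not hold:
// the sign-in carried Identity Protection risk, no Conditional Access policy
// was enforced, and the user satisfied only a single authentication factor.
let lookback = 7d;                               // assumed review window
SigninLogs
| where TimeGenerated > ago(lookback)
| where ResultType == "0"                        // "0" = successful sign-in
| where RiskLevelDuringSignIn in ("medium", "high")
| where ConditionalAccessStatus != "success"     // no policy enforced the sign-in
| where AuthenticationRequirement != "multiFactorAuthentication"
| summarize
    SignIns   = count(),
    Apps      = make_set(AppDisplayName, 10),
    SourceIPs = make_set(IPAddress, 10),
    Countries = make_set(tostring(LocationDetails.countryOrRegion), 5),
    FirstSeen = min(TimeGenerated),
    LastSeen  = max(TimeGenerated)
    by UserPrincipalName, RiskLevelDuringSignIn
| order by RiskLevelDuringSignIn desc, SignIns desc
```

Each row is a candidate for a Conditional Access gap (an app or user group the policies do not cover) rather than necessarily a compromised account; the Apps and Countries columns make it quick to tell a missing policy scope from a genuinely suspicious location.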
Recently many threat protection products have been renamed. Read more. So strictly speaking this image is outdated, although you will still hear the old names often:
- Microsoft Defender for Endpoint (previously Microsoft Defender Advanced Threat Protection) delivers expanded features for Microsoft Defender with full automation capabilities.
- Microsoft Defender for Office 365 (previously Office 365 Advanced Threat Protection) makes your Office tools even more secure with the cloud, because this is still the greatest vulnerability in most organizations.
- Microsoft Defender for Identity (previously Azure Advanced Threat Protection) requires an on-prem sensor on the domain controller that helps to detect threats in the domain.
Control your data wherever it is located - this is what the Microsoft information protection products are made for. They let you define policies and actions based on conditions on documents.
Microsoft 365 Defender is a unified security center with current alerts, reports, hunting, classification and policies, which lets you keep an eye on all security controls.
And Azure Sentinel, as cloud-native SIEM + SOAR, is the central repository for all security events and intelligence.
What can you connect with Intune?
Defender for Endpoints
Install the sensor with a device configuration profile in Intune and it will deliver all data collected on Windows 10 to the cloud portal. Set full remediation for threats on your machines and it will handle nearly everything for you, while you can still see the history of the device. You can also track the applications installed on the endpoint together with a vulnerability score and further information on the addressed CVEs (common vulnerabilities and exposures). And if you want to go into even more detail, you can hunt with manual queries.
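As an added example of the manual hunting and CVE tracking mentioned above (this is my own query, not code from the post or from Microsoft), here is a KQL query for the Advanced Hunting schema that the Defender for Endpoint sensor feeds. It assumes the threat and vulnerability management tables DeviceTvmSoftwareVulnerabilities and DeviceTvmSoftwareVulnerabilitiesKB are populated for your onboarded devices; the severity filter and the row limit are my own choices. It ranks devices by the installed software whose CVEs already have a public exploit, using the CVSS score as the vulnerability score.

```kql
// Added example, not from the original post. Runs in Defender Advanced Hunting.
// Goal: per device, list installed software carrying High/Critical CVEs that
// already have a public exploit, with the highest CVSS score involved, so that
// remediation is prioritised by real exposure rather than by raw CVE count.
DeviceTvmSoftwareVulnerabilities
| where VulnerabilitySeverityLevel in ("High", "Critical")   // assumed threshold
| join kind=inner (
    DeviceTvmSoftwareVulnerabilitiesKB
    | where IsExploitAvailable == true                        // exploit is public
    | project CveId, CvssScore, PublishedDate
  ) on CveId
| summarize
    ExploitableCves  = dcount(CveId),
    MaxCvss          = max(CvssScore),
    OldestPublished  = min(PublishedDate),
    AffectedSoftware = make_set(strcat(SoftwareVendor, " ", SoftwareName, " ", SoftwareVersion), 20),
    SampleCves       = make_set(CveId, 10)
    by DeviceId, DeviceName, OSPlatform
| order by MaxCvss desc, ExploitableCves desc
| take 50                                                     // assumed page size
```

The same columns can be fed straight into a custom detection rule or a Sentinel workbook, so the list of devices with exploitable, unpatched software becomes a standing report instead of a one-off hunt.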
Cloud app security
As a CASB (cloud access security broker), Microsoft Cloud app security gives you full control over which SaaS cloud apps your users are working with. Today's shadow IT has grown rapidly, so managing this problem is critical. The endpoint information comes directly from the Defender for Endpoint sensor, and all policies are enforced directly on the device without a firewall. That is stunning in my opinion!