
Helping you grow your business with

scalable IT services & solutions for today’s challenges & tomorrow’s vision.

© 2019 Peters & Associates, Inc. All rights reserved.

Enterprise Mobility + Security (EMS)

Apply EM+S to the Real World

January 24th, 2019

Bruce Ward, VP of Business Strategy

Adam Gassensmith, Manager of Client Engagement


Peters & Associates Security Wheel

DATA: Controls surround Data

EMS licensing matrix (the EMS E3 components, with the additions that come with EMS E5):

Identity and access management
  EMS E3: Azure Active Directory P1 - Single sign-on (SSO) for all apps; Conditional MFA, Password Self Service, Dynamic Groups
  +EMS E5: Azure Active Directory P2 - Risk based conditional access; Identity Protection Portal

Identity-driven security
  EMS E3: Advanced Threat Analytics - Identify advanced threats in on-premises identities
  +EMS E5: Cloud App Security - ALL - Visibility and control for all cloud apps

Information protection
  EMS E3: Azure Information Protection Plan 1 - Tracking and notifications for shared documents
  +EMS E5: Azure Information Protection Plan 2 - Automated intelligent classification and labeling of data + AIP Scanner

Managed mobile productivity
  EMS E3: Intune - App management (MAM); Device management (MDM); PC management

Licensing Overview


Identity and Access Management


Peters & Associates Security Wheel

DATA: Identity


Identity Perimeter

(diagram labels: Network Perimeter; Office 365; Approved Cloud Services; Unmanaged Devices; Shadow IT; Threats; Persistent; Resources)

Network perimeter works… except for threats such as:
• Phishing
• Credential theft

+ External Data and Devices

= Identity security perimeter:
▪ Multi-factor Authentication
▪ Conditional Access
▪ Login Risk intelligence

Whiteboard

EMS connects your workforce to 1000s of cloud and on-premises applications using one unified identity.

Single sign-on to Office 365 and all other applications

SINGLE SIGN-ON TO ALL APPS (diagram: User signs in to Microsoft Azure AD, which fronts on-premises applications via Azure Active Directory Application Proxy, cloud HR, web apps, integrated custom apps, SaaS apps, and HR and other directories)

• 2500+ popular SaaS apps
• Connect and sync on-premises directories with Azure
• Easily publish on-premises web apps via Application Proxy
• Custom apps through a rich standards-based platform

Self-service capabilities in EMS (Microsoft Azure AD) include:
• Account, apps and group management
• Self-service password reset
• Application access requests
• Integrated Office 365 app launching

Conditional Access Controls

Conditions: User/Application; Location; Device state; MFA; Risk; User

Actions: Allow access, or Block access; Enforce MFA per user/per app

IDENTITY-DRIVEN SECURITY: three conditional access scenarios

Scenario 1: TRAVEL EXPENSE APP
  User: Role: Sales Account Rep; Group: London Users; Client: Mobile; Config: Corp Proxy; Location: London, UK; Last Sign-in: 5 hrs ago
  Device: Health: Fully patched; Config: Managed; Last seen: London, UK
  Conditional access risk (High / Medium / Low): Low
  Decision: Allow access

Scenario 2: CONFIDENTIAL SALES APP
  User: Role: VP Marketing; Group: Executive Users; Client: Mobile; Config: Corp Proxy; Location: London, UK; Last Sign-in: 5 hrs ago
  Device: Health: Fully patched; Config: Managed; Last seen: London, UK
  Conditional access risk (High / Medium / Low): Low
  Conditional access policy: User is a member of a sensitive group. Application is classified High Business Impact.
  Decision: Require MFA

Scenario 3: SALES APP
  User: Role: Sales Account Representative; Group: London Users; Client: Mobile; Config: Corp Proxy; Location: London, UK; Last Sign-in: 5 hrs ago
  Current session: Health: Unknown; Client: Browser; Config: Anonymous; Last seen: Asia
  Conditional access risk (High / Medium / Low) indicators: Anonymous IP; Unfamiliar sign-in location for this user
  Decision: Block access; Force password reset

Risk based Conditional Access

Threat signals: Infected devices; Suspicious sign-in activities; Brute force attacks; Leaked credentials; Configuration vulnerabilities

Responses: Block attacks; Change bad credentials; MFA challenge risky logins

• Automatically protects against suspicious logins and compromised credentials
• Detect and remediate configuration vulnerabilities to improve your security posture
• Gain insights from a consolidated view of machine learning based threat detection
• Risk-based policies
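To make the three scenarios concrete, here is an added example (not code from the presentation, and not Azure AD's own policy engine): a small Python evaluator that reproduces the slide's decisions. The sign-in fields, the account names, the risk scoring (two or more indicators = High, one = Medium, none = Low) and the ordering of the rules are all assumptions made for the illustration; Azure AD computes sign-in risk with its own signals.

```python
"""Toy conditional-access evaluator (added example, not Microsoft's engine).
Every field name, threshold and account below is a constructed assumption."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Set, Tuple


class Action(Enum):
    ALLOW = "Allow access"
    REQUIRE_MFA = "Require MFA"
    BLOCK = "Block access"


@dataclass(frozen=True)
class SignIn:
    """One sign-in attempt as the policy engine sees it (constructed schema)."""
    user: str
    groups: frozenset
    app: str
    client: str           # "Mobile" or "Browser"
    device_health: str    # "Fully patched" or "Unknown"
    device_managed: bool  # the slide's "Config: Managed" vs "Config: Anonymous"
    location: str         # where this sign-in comes from
    anonymous_ip: bool    # sign-in arrives through an anonymizing proxy (assumed flag)


@dataclass(frozen=True)
class Policy:
    sensitive_groups: frozenset
    hbi_apps: frozenset                      # apps classified High Business Impact
    familiar_locations: Dict[str, Set[str]]  # learned per-user sign-in locations


def risk_level(s: SignIn, p: Policy) -> Tuple[str, List[str]]:
    """Assumed scoring: each matched indicator raises the sign-in risk;
    two or more = High, one = Medium, none = Low."""
    reasons: List[str] = []
    if s.anonymous_ip:
        reasons.append("Anonymous IP")
    if s.location not in p.familiar_locations.get(s.user, set()):
        reasons.append("Unfamiliar sign-in location for this user")
    if not s.device_managed or s.device_health == "Unknown":
        reasons.append("Unmanaged device or unknown device health")
    level = "High" if len(reasons) >= 2 else ("Medium" if reasons else "Low")
    return level, reasons


def evaluate(s: SignIn, p: Policy) -> dict:
    """Risk first (block or step-up), then the static sensitive-group plus
    High-Business-Impact-app rule, otherwise allow."""
    level, reasons = risk_level(s, p)
    if level == "High":
        return {"risk": level, "action": Action.BLOCK,
                "remediation": ["Force password reset"], "reasons": reasons}
    if level == "Medium":
        return {"risk": level, "action": Action.REQUIRE_MFA,
                "remediation": [], "reasons": reasons}
    if (s.groups & p.sensitive_groups) and s.app in p.hbi_apps:
        return {"risk": level, "action": Action.REQUIRE_MFA, "remediation": [],
                "reasons": ["User is a member of a sensitive group",
                            "Application is classified High Business Impact"]}
    return {"risk": level, "action": Action.ALLOW, "remediation": [], "reasons": []}


# Constructed policy and the three sign-ins from the slide.
POLICY = Policy(
    sensitive_groups=frozenset({"Executive Users"}),
    hbi_apps=frozenset({"Confidential Sales App"}),
    familiar_locations={"sales.rep": {"London, UK"}, "vp.marketing": {"London, UK"}},
)

SCENARIOS = {
    "Travel Expense App": SignIn("sales.rep", frozenset({"London Users"}),
                                 "Travel Expense App", "Mobile", "Fully patched",
                                 True, "London, UK", False),
    "Confidential Sales App": SignIn("vp.marketing", frozenset({"Executive Users"}),
                                     "Confidential Sales App", "Mobile", "Fully patched",
                                     True, "London, UK", False),
    "Sales App": SignIn("sales.rep", frozenset({"London Users"}), "Sales App",
                        "Browser", "Unknown", False, "Asia", True),
}


def run_scenarios(policy: Policy = POLICY) -> Dict[str, dict]:
    return {name: evaluate(s, policy) for name, s in SCENARIOS.items()}


if __name__ == "__main__":
    for name, d in run_scenarios().items():
        print(f"{name}: risk={d['risk']} -> {d['action'].value}",
              d["remediation"], d["reasons"])
```

Running it prints Allow access for the travel-expense sign-in, Require MFA for the executive opening the High Business Impact app, and Block access with a forced password reset for the anonymous browser session from an unfamiliar region. The point worth keeping from the design is the order of evaluation: risk signals are checked before the static group/app rule, so a compromised credential is blocked even for an account whose normal policy would only step up to MFA.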


Implementation Overview

Who Needs to be Involved?
• Department Leaders
• Company Leaders
• Representative User Group
• Technology Team

What Decisions Need to be Made?
• What login scenarios do we want to account for?
• What conditions should be met?
• Application Selection

Challenges and Considerations
• Impact on User Experience
• Plan, Test, Adjust, Plan
• Early involvement of non-IT parties

OFFER: MFA POC

(MFA POC components: Technology; User Experience; Conditions; Expertise; Results-driven)

Identity Driven Security


Unique insights, informed by trillions of signals:
• On-premises abnormal behavior and advanced threat detection
• Identity-based attack and threat detection
• Anomaly detection for cloud apps

O365 Activity

AAD Activity

AD Activity

1. Analyze. After installation, ATA:
• Uses simple non-intrusive port mirroring, or is deployed directly onto domain controllers
• Remains invisible to the attackers
• Analyzes all Active Directory network traffic
• Collects relevant events from SIEM and information from Active Directory (titles, group memberships, and more)

2. Learn. ATA:
• Automatically starts learning and profiling entity behavior
• Identifies normal behavior for entities
• Learns continuously to update the activities of the users, devices, and resources

What is an entity? An entity represents users, devices, or resources.

3. Detect. Microsoft Advanced Threat Analytics:
• Looks for abnormal behavior and identifies suspicious activities
• Only raises red flags if abnormal activities are contextually aggregated
• Leverages world-class security research to detect security risks and attacks in near real-time based on attackers’ Tactics, Techniques, and Procedures (TTPs)

ATA not only compares the entity’s behavior to its own, but also to the behavior of entities in its interaction path.

Suspicious activities ATA detects, across the attack kill chain (Reconnaissance, Compromised Credential, Lateral Movement, Privilege Escalation, Domain Dominance):
• Abnormal resource access
• Account enumeration
• Net Session enumeration
• DNS enumeration
• Abnormal working hours
• Brute force using NTLM, Kerberos or LDAP
• Sensitive accounts exposed in plain text authentication
• Service accounts exposed in plain text authentication
• Honey Token account suspicious activities
• Unusual protocol implementation
• Malicious Data Protection Private Information (DPAPI) Request
• Abnormal authentication requests
• Abnormal resource access
• Pass-the-Ticket
• Pass-the-Hash
• Overpass-the-Hash
• MS14-068 exploit (Forged PAC)
• MS11-013 exploit (Silver PAC)
• Skeleton key malware
• Golden ticket
• Remote execution
• Malicious replication requests
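The learn-then-detect flow described above, as an added example (not ATA's own logic and not code from the presentation): a miniature Python pass that learns each user's normal logon hours from a baseline window of authentication events, then flags three of the behaviours in the list, brute force, abnormal working hours and honey-token account activity, over a second batch of events. The log line format, the account and host names, the decoy account name and the brute-force threshold and window are constructed assumptions; real ATA consumes mirrored domain-controller traffic and SIEM events rather than text lines.

```python
"""Toy ATA-style learn/detect over constructed authentication events.
Added example: format, names and thresholds are assumptions, not ATA's."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

HONEY_TOKEN_ACCOUNTS = {"svc-backup-old"}   # assumed decoy account, never used legitimately
BRUTE_FORCE_THRESHOLD = 5                   # failures from one source within the window (assumed)
BRUTE_FORCE_WINDOW = timedelta(minutes=2)

# Constructed events, one per line: "<ISO time> <protocol> <user> <source host> <result>"
BASELINE_LOG = [
    "2019-01-21T09:02:11 KERBEROS alice ws-01 SUCCESS",
    "2019-01-21T14:30:00 KERBEROS alice ws-01 SUCCESS",
    "2019-01-21T08:15:20 KERBEROS bob ws-02 SUCCESS",
    "2019-01-21T16:45:02 LDAP bob ws-02 SUCCESS",
    "2019-01-22T09:10:33 KERBEROS alice ws-01 SUCCESS",
    "2019-01-22T08:05:41 KERBEROS bob ws-02 SUCCESS",
    "2019-01-22T12:20:00 NTLM bob ws-02 SUCCESS",
    "2019-01-23T10:00:00 KERBEROS alice ws-01 SUCCESS",
]
LIVE_LOG = [
    "2019-01-24T09:05:41 KERBEROS alice ws-01 SUCCESS",
    "2019-01-24T03:12:09 KERBEROS bob ws-02 SUCCESS",      # outside bob's learned hours
    "2019-01-24T11:00:01 NTLM alice ws-99 FAILURE",        # one host trying many accounts
    "2019-01-24T11:00:03 NTLM bob ws-99 FAILURE",
    "2019-01-24T11:00:05 NTLM carol ws-99 FAILURE",
    "2019-01-24T11:00:07 NTLM dave ws-99 FAILURE",
    "2019-01-24T11:00:09 NTLM erin ws-99 FAILURE",
    "2019-01-24T11:00:11 NTLM svc-backup-old ws-99 FAILURE",  # touches the decoy account
    "2019-01-24T11:00:13 NTLM frank ws-99 FAILURE",
]


def parse(lines: List[str]) -> List[dict]:
    """Parse the constructed log format into time-ordered event dicts."""
    events = []
    for line in lines:
        ts, proto, user, src, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "proto": proto,
                       "user": user, "src": src, "result": result})
    return sorted(events, key=lambda e: e["ts"])


def learn_hours(events: List[dict]) -> Dict[str, Set[int]]:
    """Learn phase: the hours of day in which each user normally authenticates."""
    hours: Dict[str, Set[int]] = defaultdict(set)
    for e in events:
        if e["result"] == "SUCCESS":
            hours[e["user"]].add(e["ts"].hour)
    return dict(hours)


def detect(events: List[dict], baseline_hours: Dict[str, Set[int]]) -> List[Tuple[str, str]]:
    """Detect phase: return (alert type, detail) pairs in event order."""
    alerts: List[Tuple[str, str]] = []
    failures: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    already_flagged: Set[Tuple[str, str]] = set()
    for e in events:
        # Honey token: any activity on the decoy account is suspicious by definition.
        if e["user"] in HONEY_TOKEN_ACCOUNTS:
            alerts.append(("Honey Token account suspicious activities",
                           f"{e['user']} via {e['proto']} from {e['src']}"))
        if e["result"] == "FAILURE":
            # Brute force: many failures from one source/protocol in a sliding window,
            # whichever accounts they target; alert once per source.
            key = (e["src"], e["proto"])
            recent = [t for t in failures[key] if e["ts"] - t <= BRUTE_FORCE_WINDOW]
            recent.append(e["ts"])
            failures[key] = recent
            if len(recent) >= BRUTE_FORCE_THRESHOLD and key not in already_flagged:
                already_flagged.add(key)
                alerts.append(("Brute force", f"{e['proto']} from {e['src']}"))
        elif e["result"] == "SUCCESS":
            # Abnormal working hours: a successful logon outside the learned baseline.
            known = baseline_hours.get(e["user"])
            if known and e["ts"].hour not in known:
                alerts.append(("Abnormal working hours",
                               f"{e['user']} at {e['ts'].isoformat()}"))
    return alerts


def run_example() -> List[Tuple[str, str]]:
    baseline = learn_hours(parse(BASELINE_LOG))
    return detect(parse(LIVE_LOG), baseline)


if __name__ == "__main__":
    for kind, detail in run_example():
        print(f"{kind}: {detail}")
```

Two design points carry over to real deployments: the working-hours detection only fires for users that have a learned baseline (an account never seen in the learning window produces no alert, which is why ATA's learning period matters), and the brute-force counter keys on the source rather than the target account, so a password spray across many users from one host still trips it.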

O365 Activity

(Discover; Investigate; Alerts; Control)

OFFER: ALARM TRIAL


Implementation Overview

Who Needs to be Involved?
• Department Leaders
• Company Leaders
• Compliance or Governance Team
• Technology Team

What Decisions Need to be Made?
• What activity are we concerned about?
• Who should be alerted and what action should be taken?

Challenges and Considerations
• Data and alert overload
• Understanding alert thresholds
• Total App Coverage


Managed Mobile Productivity

Peters & Associates Security Wheel

DATA: Apps and Devices


Microsoft Intune (IT and user): mobile application management (MAM); mobile device management (MDM); manage PC / Mac (Intune or SCCM)

Mobile App Management (MAM): protecting apps and data on unmanaged devices (personal apps alongside managed apps)

Device lifecycle (user and IT):

Enroll
• Provide a self-service Company Portal for users to enroll devices
• Deliver custom terms and conditions at enrollment
• Bulk enroll devices using Apple Configurator or service account
• Restrict access to Exchange email if a device is not enrolled

Provision
• Deploy certificates, email, VPN, and WiFi profiles
• Deploy security policy
• Install mandatory apps
• Deploy app restriction policies
• Deploy data protection policies

Manage and Protect
• Restrict access to corporate resources if policies are violated (e.g., jailbroken device)
• Protect corporate data by restricting actions such as copy/cut/paste/save outside of the managed app ecosystem
• Report on device and app compliance

Retire
• Revoke access to corporate resources
• Perform selective wipe
• Audit lost and stolen devices

Intune standalone (cloud only):
• Lightweight, agentless OR agent-based management
• PC protection from malware
• PC software update management
• Software distribution
• Proactive monitoring and alerts
• Hardware and software inventory
• Policies for Windows Firewall management

Intune + SCCM (everything above, plus):
• Lightweight, agentless OR comprehensive agent-based management
• Operating system deployment
• PC, mobile device, Windows Server, Linux/Unix, Mac, and virtual desktop management
• Power management
• Custom reporting

Intune Differentiators

OFFER: EMS Proof of Concept

https://www.peters.com/solutions-services/cloud-architecture/ems-fasttrack/


Implementation Overview

Who Needs to be Involved?
• Company Leaders
• Compliance or Governance Team
• Technology Team

What Decisions Need to be Made?
• What level of control do we need?
• Legal or compliance requirements?
• Device mix
• Applications

Challenges and Considerations
• Handling device mix
• Organization Security vs User privacy
• Determining which applications hold data


Data

Peters & Associates Security Wheel

DATA: Data = crown jewels


Enterprise Mobility + Security: Protect your data anywhere

58% of workers have accidentally shared sensitive data to the wrong person (Stroz Friedberg)

Azure Information Protection (AIP)

Information can be protected with RMS at rest or in motion (diagram labels: Data protection at rest; Data protection in motion)

[Sample document shown on the slide: a Contoso due-diligence documentation checklist (business plan, corporate structure and financing; shareholders; lenders; recent corporate transactions; regulations; marketing, products, sales and service), with a CONFIDENTIAL page header applied as an AIP label example.]


Implementation Overview

Who Needs to be Involved?
• Department Leaders
• Company Leaders
• Compliance or Governance Team
• Technology Team

What Decisions Need to be Made?
• What document types do we have?
• Who should have access to what?
• Can automatic tagging be used?

Challenges and Considerations
• Data classification efforts
• User Experience
• Monitoring automatic classification efforts

GDPR Technical Risk Areas

1. Data Subject Requests (DSR, DSAR)
• Obligation to find, produce, and delete/change PII
– Extremely difficult (data all over the place: O365, file shares, etc.)
– Need to comb through a lot of data in a short period of time (30 days)
– Need full audit trail/technology enablement
– Need a repeatable and defensible process

2. Breach prevention/notification
– Protect data at perimeter, source, and in-transit
– Detect and notify of breaches

Recap

OFFERS:

"It was an eye-opening exercise to put our security goals / use-cases to paper - then map out the process and Microsoft technology required. In the end, Microsoft Conditional Access allowed us to balance our need for stringent security with a solid user experience.“

- Director of Information Systems, International Manufacturer in Chicagoland


To ask questions, either:

1) Take phone off mute, ask.

2) Type question in IM Window

1801 S. Meyers Road, Suite 120, Oakbrook Terrace, IL 60181

(630) 832-0075

Thank you!


Bruce Ward

[email protected]