Adoption Framework

Microsoft Cybersecurity
Reference Architectures
(MCRA)

End to End Security Architecture

following Zero Trust principles
 Adoption Framework

You are here

Top End to End Security Challenges
Adoption Framework
• Incomplete or network-centric architectures
aren’t agile & can’t keep up with continuous
change (security threats, technology platform,
and business requirements)
• Challenges with
• Creating integrated end to end architecture
• Integrating security technologies
• Overview of Security Adoption Framework and
• Planning and prioritizing security End to End Cybersecurity Architecture
modernization initiatives • End to End Security: Consider the whole problem
• Ruthlessly Prioritize: Identify top gaps + quick wins
MCRA is a subset of the full Security • Get started: Start somewhere & continuously improve
Architecture Design Session (ADS)
module 1 workshop: • Antipatterns and best practices
• Guiding Rules and Laws for security
• Diagrams and references
Applying Zero Trust principles
Whiteboard – Current Security Architecture

What types of attacks and

adversaries are top of mind?
 Security Adoption Framework
Align security to business scenarios using initiatives that progressively get closer to full ‘Zero Trust’

1. Strategic
Strategic Framework
Framework 2. Strategic initiatives
End to End Strategy, Architecture, Clearly defined architecture and
Business Scenarios and Operating Model implementation plans
Guiding North Star
CISO Workshop
Security Program and Strategy Security Hygiene: Backup and Patching
1 - I want people to do their job
End-to-end Security Program Guidance + Integration with Digital & Cloud Transformation Teams

securely from anywhere

2 - I want to minimize business

Secure Identities and Access
Module 2 – Secure Identities and Access

damage from security incidents

3 - I want to identify and protect Modern

Module Security
3 – Modern Operations
Security Operations (SecOps/SOC)
critical business assets

4 - Security
I want to proactively meetDesign Session Infrastructure and Development
Module 4 – Infrastructure & Development Security
Architecture
regulatory requirements
Module 1 – Zero Trust Architecture and
Module 5 – Data Security & Governance, Risk, Compliance (GRC)
Ransomware
5 - I want to have confidence in my
Data Security & Governance, Risk, Compliance (GRC)
security posture and programs

OT and
Module IoT
6 – IoT andSecurity
OT Security
Security Adoption Framework
Reduce risk by rapidly modernizing security capabilities and practices

CEO

Securing Digital
Transformation Engaging Business
Business Leadership Leaders on Security
Business and
Security
Integration Security Strategy and Program
CIO CISO

Technical Leadership Security Strategy,

Programs, and
Epics Zero Trust Architecture

Microsoft Cybersecurity Reference Architectures (MCRA)

Architecture and
Policy Secure Modern Infrastructure & Data Security IoT and OT
Architects & Technical Managers Identities and Security Development & Governance Security
Technical Planning Access Operations Security
(SecOps/SOC)
Implementation
> > > > > > > > > > > > > >
and Operation
Assess current plans, configurations, and operations for Microsoft security capabilities
Implementation

Includes
Reference Plans
Security Adoption Framework
Reference Plans

CEO
Securing Digital
Transformation

Business Leadership Business and Enables a Zero Trust transformation

Security
Integration
CIO CISO
Security Strategy,
Technical Leadership Program, and
Epics / Initiatives

Architecture and
Policy
Architects & Technical Managers
Technical Planning

Implementation
Implementation and Operation

Documentation
Step by Step Instructions on
Microsoft Docs site
Common Security Antipatterns - Technical Architecture
Common mistakes that impede security effectiveness and increase organizational risk

Skipping basic maintenance Best Practices

Skipping backups, disaster recovery exercises,
and software updates/patching on assets Develop and implement an end to end technical security
strategy focused on durable capabilities and Zero Trust
Securing cloud like on premises Principles
Attempting to force on-prem controls and This workshop helps you define and rapidly improve on best
practices directly onto cloud resources
practices across security including:
Wasting resources on legacy • Asset-centric security aligned to business priorities &
Legacy system maintenance and costs draining technical estate (beyond network perimeter)
ability to effectively secure business assets
• Consistent principle-driven approach throughout security
Artisan Security lifecycle
Focused on custom manual solutions instead of • Pragmatic prioritization based on attacker motivations,
automation and off the shelf tooling behavior, and return on investment
Disconnected security approach • Balance investments between innovation and rigorous
Independent security teams, strategies, tech, application of security maintenance/hygiene
and processes for network, identity, devices, etc. • ‘Configure before customize’ approach that embraces
automation, innovation, and continuous improvement
Lack of commitment to lifecycle
Treating security controls and processes as • Security is a team sport across security, technology, and
points in time instead of an ongoing lifecycle business teams
Improving Resiliency
Enable business mission while continuously increasing security assurances

‘Left of Bang’ ‘Right of Bang’

Prevent or lessen impact of attacks Rapidly and effectively manage attacks

IDENTIFY PROTECT DETECT RESPOND RECOVER

GOVERN
NIST Cybersecurity Framework v2
The job will never be ‘done’ or ‘perfect’, but it’s
important to keep doing (like cleaning a house)
End to End Security
Enable business mission and increasing security assurances with intentional approach
Security Strategy and Program
Zero Trust Architecture

Security Posture Management Modern Security Operations (SecOps/SOC)

Secure Identities and Access

Infrastructure & Development Security

IoT and OT Security

Data Security & Governance

‘Left of Bang’ ‘Right of Bang’

Prevent or lessen impact of attacks Rapidly and effectively manage attacks

IDENTIFY PROTECT DETECT RESPOND RECOVER

GOVERN
Defenders must focus on
A. Strong security controls + effective placement
B. Rapid response to attacks
C. Continuously testing & monitoring controls
 High
Looks like they have
NGFW, IDS/IPS, and DLP

Low

I bet their admins

1. Check email from Found passwords.xls
admin workstations
2. Click on links for
higher paying jobs
Phishing email to admin
Now, let’s see if admins save
service account passwords
in a spreadsheet…
 Sensitive Data Protection & Monitoring
• Discover business critical assets with business, technology, and
security teams
• Increase security protections and monitoring processes
• Encrypt data with Azure Information Protection

Replace password.xls ‘process’ with

• PIM/PAM
• Workload identities

Modernize Security Operations Protect Privileged Accounts

Rigorous Security Hygiene
• Add XDR for identity, endpoint (EDR), Require separate accounts for Admins
• Rapid Patching
cloud apps, and other paths and enforce MFA/passwordless
• Secure Configuration
• Train SecOps analysts on endpoints and Privileged Access Workstations (PAWs)
• Secure Operational Practices
identity authentication flows + enforce with Conditional Access
Security is complex and challenging

Hybrid of Everything, Everywhere, All at Once

Must secure across everything Nothing gets retired! ‘Data swamp’ accumulates
 Brand New - IoT, DevOps, and Cloud services, devices and products Usually for fear of breaking managed data + unmanaged ‘dark’ data
 Current/Aging - 5-25 year old enterprise IT servers, products, etc. something (& getting blamed)
 Legacy/Ancient - 30+ year old Operational Technology (OT) systems

Data
Attackers have a lot of options
People Application
 Forcing security into a holistic
complex approach Infrastructure

 Regulatory Sprawl - 200+ daily updates from 750 regulatory bodies

 Threats – Continuously changing threat landscape
 Security Tools – dozens or hundreds of tools at customers
Goal: Zero Assumed Trust
With 30+ years of backlog at most organizations, it will
take a while to burn down the backlog of assumed trust

Reduce risk by finding and removing implicit assumptions of trust

False Assumptions Zero Trust Mitigation

of implicit or explicit trust Systematically Build & Measure Trust

Security is the opposite of productivity Business Enablement

Align security to the organization’s mission, priorities, risks, and processes

All attacks can be prevented

Assume Compromise
Continuously reduce blast radius and attack surface through prevention and detection/response/recovery

Network security perimeter will keep attackers out

Shift to Asset-Centric Security Strategy
Revisit how to do access control, security operations, infrastructure and development security, and more

Passwords are strong enough Explicitly Validate Account Security

Require MFA and analyze all user sessions with behavior analytics, threat intelligence, and more

Plan and Execute Privileged Access Strategy

IT Admins are safe
Establish security of accounts, workstations, and other privileged entities (aka.ms/spa)

Validate Infrastructure Integrity

IT Infrastructure is safe
Explicitly validate trust of operating systems, applications, services accounts, and more

Integrate security into development process

Developers always write secure code
Security education, issue detection and mitigation, response, and more

Supply chain security

The software and components we use are secure
Validate the integrity of software and hardware components from open source. vendors, and others
Zero Trust Security Architecture
End to End Prioritized Execution + Continuous Improvement
OBSERVE, ORIENT

Security is complex Resilience required

and challenging across the lifecycle

DECIDE

Prioritize backlog of Disrupt attacker return

trust assumptions on investment (ROI)

ACT

Microsoft Security Leverage reference plans

Adoption Framework and architectures
Zero Trust Commandments
5HTXLUHP HQWVWKDWUHSUHVHQWEHVWSUDFWLFHVIRUD=HUR7UXVW$UFKLWHFWXUH
=7$ DQGWUDQVIRUP DWLRQ7KH2 SHQ* URXS6WDQGDUG
Usage: * HQHUDOSODQQLQJ 7HVWLQJZ KHWKHUVRP HWKLQJLV¶=HUR7UXVW·RUQRW

10 Laws of Cybersecurity Risk

.H\WUXWKVDERXWP DQDJLQJVHFXULW\ULVNWKDWEXVWFRP P RQP \WKV
Usage: (QVXULQJVHFXULW\VWUDWHJ\FRQWUROVDQGULVNDUHP DQDJHGZ LWK
UHDOLVWLFXQGHUVWDQGLQJRIKRZ DWWDFNVKXP DQVDQGWHFKQRORJ\Z RUN

Immutable Laws of Security

.H\WUXWKVDERXWVHFXULW\FODLP VDQGFRQWUROVWKDWEXVWFRP P RQP \WKV
Usage: 9DOLGDWLQJGHVLJQRIVHFXULW\FRQWUROVV\VWHP VDQGSURFHVVHVWR
HQVXUHWKH\DUHWHFKQLFDOO\VRXQG
Zero Trust Commandments Assume Assume
Success Failure
Standardized Rules for Zero Trust security

Practice Deliberate Security Support Business Objectives

Establishes pragmatic view of ‘trust’ in today’s world of Aligns security explicitly to business priorities and assets (vs.
continuous threats + how to prioritize applying that in a networks) and considers long term implications
world of complex and continuously changing requirements
• Enable the Organization’s Mission
• Secure Assets by Organizational Risk
• Implement Asset-Centric Controls
• Validate Trust Explicitly • Enable Sustainable Security

Develop a Security-Centric Culture Deploy Agile and Adaptive Security

Guides the application of security across all teams Ensures security can keep up with continuous change
• Practice Accountability • Make Informed Decisions
• Enable Pervasive Security • Improve and Evolve Security Controls
• Utilize Least Privilege • Utilize Defense in Depth
• Deploy Simple (User-Friendly) Security • Enable Resiliency
From pubs.opengroup.org/security/zero-trust-commandments
 aka.ms/SecurityLaws
10 Laws of Cybersecurity Risk

1 Security success is ruining the 6 Cybersecurity is a team sport

attacker ROI (return on investment)

2 Not keeping up is falling 7 Your network isn’t as

behind trustworthy as you think it is

3 Productivity always wins 8 Isolated networks aren’t

automatically secure

4 Attackers don't care 9 Encryption alone isn’t a data

protection solution

5 Ruthless Prioritization is a 10 Technology doesn't solve

survival skill people & process problems
 aka.ms/SecurityLaws
Immutable Laws of Security
If a bad actor can persuade you to run
A computer is only as secure as the
1 their program on your computer, it's not 6 administrator is trustworthy.
solely your computer anymore.

If a bad actor can alter the operating

Encrypted data is only as secure as its
2 system on your computer, it's not your 7 decryption key.
computer anymore.

If a bad actor has unrestricted physical An out-of-date antimalware scanner is

3 access to your computer, it's not your 8 only marginally better than no scanner
computer anymore. at all.

If you allow a bad actor to run active

Absolute anonymity isn't practically
4 content in your website, it's not your 9 achievable, online or offline.
website anymore.

5 Weak passwords trump strong security. 10 Technology isn't a panacea.

End to End Security Architecture People Cybersecurity Reference Architectures

Diagrams & References

Zero Trust Adaptive Access
Threat Environment Artificial Intelligence
(AI) and Security

Journey

Attack Chain Zero Trust

Coverage
Privileged Access

Security Operations
Development / DevSecOps

Microsoft Security Capabilities

Infrastructure Operational Technology (OT)

Multi-Cloud & Build Slide
Cross-Platform

Device Types
Patch Microsoft 365 E5 Role Mapping
Modernization

aka.ms/MCRA | aka.ms/MCRA-videos | December 2023

Security Adoption Framework
Reduce risk by rapidly modernizing security capabilities and practices

Securing Digital
Transformation Engaging Business
Leaders on Security
Business and
Security
Integration Security Strategy and Program

Security Strategy,
Programs, and
Epics Zero Trust Architecture

Microsoft Cybersecurity Reference Architectures (MCRA)

Architecture and
Policy Secure Identities and Access Modern Security Operations Infrastructure & Development
(SecOps/SOC) Security
Technical Planning

Implementation
and Operation

Includes
Reference Plans
Where do you want to Start?
There’s no wrong place to start 
Topic Full
Summary workshop
Zero Trust Architecture 4 hours
End to End Strategy 2-3 days
MCRA
and Planning
Product Adoption
2-3 days

Security Strategy and Program CISO Workshop

Secure Identities and Access

4 hours
Plan and Execute
Initiatives
Modern Security Operations (SecOps/SOC)
4 hours 2-3 days

Infrastructure & Development Security

4 hours
Let’s get next steps locked in
Capture actions and who follows up on them

# Next Step Point of Contact

1

5
End to End Strategy and Planning
Use Case Title and Description Topic Full
Summary Workshop

Getting Overview and Scoping (Start here if you don't know where to start) 4 hours ‐
Started This short conversation is like a 'trail head’ to help you pick the best path to get started (from the below)
with security modernization planning based on your current needs and priorities.

Product The Security Capability Adoption Planning helps you maximize value from your current product licenses ‐ 2 days
Adoption and entitlements by providing an overview of these Microsoft product capabilities. This includes a
prioritization and planning exercise to rapidly get the most security benefit out of the capabilities you have
access to (often including Microsoft 365 E5 and Microsoft Unified)

End to End Microsoft Cybersecurity Reference Architectures provide guidance on end to end technical architectures 4 hours 2 Days
Technical including a summary of Microsoft security capabilities, integration, and more. Based on aka.ms/MCRA. (MCRA) (Security
Architecture The Security Architecture Design Session (ADS) Module 1 guides you through additional architectural ADS 1)
context including guiding principles, a 'Rosetta Stone' of security models, cross‐discipline integrated
scenarios, shared responsibility models, technical plans, and more.

Strategy and The CISO workshop enables senior security and technology leaders (CISOs, CIOs, directors, and others) to 4 hours Custom
Program accelerate security strategy and program modernization with best practices and lessons learned. The scope
workshop covers all aspects of a comprehensive security program including recommended strategic
initiatives, roles and responsibilities guidance, reference success metrics, maturity models, Zero Trust
principles, and more. Based on aka.ms/CISOWorkshop
Plan and Execute Initiatives
Use Case Title and Description Topic Full
Summary Workshop
Access Security ADS Module 2 ‐ Secure Identities and Access provides guidance for planning and architecting access 4 hours TBD when
Control control to secure access to a 'hybrid of everything' modern enterprise, mitigate attacks on privileged available
(Identity, accounts, and integrate identity and network access strategies together.
The full workshop (currently in development) provides additional detail on a policy‐driven adaptive access
Network, and control (integrating identity, network, and other access controls) including includes maturity models, success
more) criteria, recommended technical architectures, a Microsoft case study, and a planning exercise to map out
your journey by tailoring reference plans to your unique needs.
Security Security ADS Module 3 ‐ Modern Security Operations (SecOps/SOC) provides guidance for modernizing 4 hours 2‐3 days
Operations SecOps strategy, processes, architecture, and technology to address the simultaneous challenges of rapidly
(SecOps/SOC) evolving threat actors, covering a 'hybrid of everything' technical estate, aligning SecOps to business goals,
mitigating analyst fatigue/burnout, and more.
The full workshop provides additional detail on attacks and incident response, recommended processes and
metrics, putting an XDR + SIEM + Security Data Lake Strategy into action, Microsoft case study, advanced
functions (threat hunting, detection engineering, incident management, threat intelligence), outsourcing
considerations, and a planning exercise to map out your journey.
Infrastructure Security ADS Module 4 ‐ Infrastructure & Development Security provides guidance for planning and 4 hours TBD when
& architecting infrastructure and development security for multi cloud environments, including how to address available
Development the simultaneous challenges of rapidly evolving infrastructure, securing workloads and applications as you
develop them, and building a teamwork‐oriented DevSecOps approach for keeping up with rapidly evolving
/ DevSecOps threats, technology, and business requirements.
Security The full workshop (currently in development) provides additional detail on models, methodologies, and
technologies to modernize infrastructure & development security.
Security Resources
Security Adoption Framework Security Documentation
aka.ms/saf aka.ms/SecurityDocs

• CISO Workshop – aka.ms/CISOworkshop | -videos • Driving Business Outcomes Using Zero Trust
Security Strategy and Program • Cloud Adoption Framework (CAF) – aka.ms/cafsecure ▪ Rapidly modernize your security posture for Zero Trust
▪ Secure remote and hybrid work with Zero Trust
▪ Identify and protect sensitive business data with Zero Trust
• Microsoft Cybersecurity Reference Architectures (MCRA) - aka.ms/MCRA | -videos ▪ Meet regulatory and compliance requirements with Zero Trust
Zero Trust • Ransomware and Extortion Mitigation - aka.ms/humanoperated
Architecture • Backup and restore plan to protect against ransomware - aka.ms/backup • Zero Trust Deployment Guidance - aka.ms/ztguide | aka.ms/ztramp

Secure Identities and Modern Security Infrastructure & Data Security & IoT and OT Security
Access Operations (SecOps/SOC) Development Security Governance
• Securing Privileged Access (SPA) • Incident Response - aka.ms/IR • Microsoft Cloud Security • Secure data with Zero Trust • Ninja Training
Guidance • CDOC Case Study - aka.ms/ITSOC Benchmark (MCSB) • Ninja Training • Defender for IoT Training
aka.ms/SPA • Ninja Training aka.ms/benchmarkdocs • Microsoft Purview Information Protection • MCRA Videos
aka.ms/MIPNinja • MCRA Video OT & IIoT Security
• Access Control Discipline • Microsoft 365 Defender • Well Architected Framework (WAF)
aka.ms/m365dninja aka.ms/wafsecure
• Microsoft Purview Data Loss Prevention • Defender for IoT Documentation
• Ninja Training aka.ms/DLPNinja
• Microsoft Defender for Office 365 aka.ms/D4IoTDocs
• Microsoft Defender for Identity • Azure Security Top 10 • Insider Risk Management
aka.ms/mdoninja
aka.ms/mdininja aka.ms/azuresecuritytop10 • Microsoft Purview Documentation
• Microsoft Defender for Endpoint
• MCRA Video aka.ms/mdeninja • Ninja Training aka.ms/purviewdocs
• Zero Trust User Access • Microsoft Cloud App Security • Defender for Cloud
• Microsoft Entra Documentation aka.ms/mcasninja
• Microsoft Sentinel • MCRA Video
aka.ms/entradocs
• Infrastructure Security
• MCRA Videos
• Security Operations • Defender for Cloud Documentation
• SecOps Integration

Product Capabilities • Security Product Documentation Microsoft Security Response Center (MSRC)
www.microsoft.com/security/business Azure | Microsoft 365 www.microsoft.com/en-us/msrc
Key Industry References and Resources

Zero Trust Commandments - https://pubs.opengroup.org/security/zero-trust-commandments/

Zero Trust Reference Model - https://publications.opengroup.org/security-library
Security Principles for Architecture - https://publications.opengroup.org/security-library

Cybersecurity Framework - https://www.nist.gov/cyberframework

Zero Trust Architecture - https://www.nist.gov/publications/zero-trust-architecture
NCCoE Zero Trust Project - https://www.nccoe.nist.gov/projects/implementing-zero-trust-architecture

Secure Software Development Framework (SSDF) - https://csrc.nist.gov/pubs/sp/800/218/final

Zero Trust Maturity Model - https://www.cisa.gov/zero-trust-maturity-model

CIS Benchmarks – https://www.cisecurity.org/cis-benchmarks/

Why are we having a Zero Trust conversation?

3. Assets increasingly leave the network

• BYOD, WFH, Mobile, and SaaS

4. Attackers shift to identity attacks

• Phishing and credential theft
• Security teams often overwhelmed
Security Modernization with Zero Trust Principles
Business Enablement Security Strategy and Program
Align security to the organization’s
mission, priorities, risks, and processes

Assume Breach (Assume Compromise)

Assume attackers can and will successfully attack anything (identity, network, device,
app, infrastructure, etc.) and plan accordingly

Verify Explicitly
Protect assets against attacker control by explicitly validating that all trust and security
decisions use all relevant available information and telemetry.

Use least-privilege access

Limit access of a potentially compromised asset, typically with just-in-time and just-
enough-access (JIT/JEA) and risk-based polices like adaptive access control.

Zero Trust Architecture

Secure Identities Infrastructure & IoT and OT Modern Security Data Security &
and Access Development Security Security Operations (SecOps/SOC) Governance
 Zero Trust Principles
Business Enablement
Align security to the organization’s mission, priorities, risks, and processes
Assume Breach (Assume Compromise)
Assume attackers can and will successfully attack anything (identity, network, device, app, infrastructure, etc.) and plan accordingly

 Transforms from “defend the network” to “enable secure productivity on any network”

Asset/Node = account, app, device,

VM, container, data, API, etc.

Verify explicitly Use least privilege access

Protect assets against attacker control by Limit access of a potentially compromised
explicitly validating that all trust and security asset, typically with just-in-time and just-
decisions use all relevant available information enough-access (JIT/JEA) and risk-based polices
and telemetry. like adaptive access control.

 Reduces “attack surface” of each asset  Reduce “blast radius“ of compromises

Apply Zero Trust principles All elements informed by threat and business intelligence,
assisted by security engineering/automation
Key changes across security disciplines
Business Enablement

Assume
Assume breach
Compromise
General strategy shift from
| Explicitly Verify
Verify Explicitly
Reduce attack surface
| Least privileged
Least Privileged
Reduce blast radius both
Security Disciplines ‘assume safe network’ and exposure to risk proactive and reactively
Just-in-time & Just-enough-access (JIT/JEA)
Access Control Adaptive Access
Risk-based polices Always make security decisions using all available data points, including Secure Access Cloud Infrastructure Entitlement
identity, location, device health, resource, data classification, and anomalies. Service Edge (SASE) Management (CIEM)
Micro-segmentation

Automated threat response

Security Operations Asset–centric detection and
Privileged Access
Workstations (PAWs)
response (XDR) For SOC Analysts, IT Admins,
End to end visibility (SIEM) and business critical assets

Classify assets and apply controls per asset

type and classification (CA policies, encryption, Dependency/impact analysis
Asset Protection Asset-centric protections monitoring, detection, response etc.) backups, service accounts and privileges that
control other systems/services, etc.

Threat modelling
Innovation Security DevSecOps and CI/CD process integration
of best practices (Static and dynamic analysis, etc.)

Continuous Monitoring Enablement Hygiene Remediation

Security Governance Posture Management
Continuous improvement of security posture and of security posture Patching, configuration, process updates, etc.
standards/policies
Key Industry Collaborations

US National Institute of
Standards and
The Open Group Technology (NIST)
Focused on integration Focused on architecture
with business and and implementation with
IT/Enterprise/Security available technology
architecture

Many organizations are contributing valuable perspectives and guidance like the Cybersecurity and
Infrastructure Security Agency (CISA), Cloud Security Alliance (CSA), and some technology vendors
Key Zero Trust Models and Architectures

Focused on integration with business

and IT/Enterprise/Security architecture Focused on architecture and
implementation with available technology
Key Zero Trust Capabilities
Increase security and flexibility for continuously changing business, technology, threats, and regulations

Risk Controls - establish overall security framework based on organizational risk

Asset Centricity - foundational capability to identify, classify, and maintain the asset

Asset-Centric Protection
(Data-Centric & System-Centric)

Digital Ecosystems
Data/Information
Adaptive
Access Control
• Centralized policy control Apps & Systems
• Distributed enforcement

Digital Identity
Decentralized portable identities Security Security Zones

Zones

Asset-Centric Security Operations – rapid and complete detection, response, and recovery from attacks
Posture Management – continuous improvement of attack prevention measures
Zero Trust Governance – continuous monitoring and audit on demand to meet risk and compliance
Zero Trust Components

Digital Ecosystems

Data/Information

Distributed Policy
Enforcement Points (PEPs) Apps & Systems

Security Zones
Microsoft Security Capability Mapping
The Open Group Zero Trust Components
Microsoft Entra ID
ID Protection
Workload ID Governance Microsoft
Visibility and Policy Purview
Entra ID Governance
Access Control Asset Protection
Defender for Identity
Classification, Protection, Tokenization
Identity and Network - Multi-factor Authentication
Digital Ecosystems
Data/Information
Microsoft Entra
Conditional Access Microsoft Purview
Microsoft Priva
Entra Internet Access
Entra Private Access

Distributed Policy
Apps & Systems Innovation
Enforcement Points (PEPs)
Defender for Cloud
Security
Defender for
Azure Arc
APIs (preview)
Intune
Device Management 65+ Trillion signals per GitHub Advanced Security
day of security context & Azure DevOps Security
Security Zones
Defender for Endpoint Secure development and
software supply chain
Endpoint Detection and Microsoft Entra
Response (EDR) Conditional Access
Asset-Centric Azure Firewall (Illumio partnership)

Security Operations
Security telemetry from across the environment

Microsoft Sentinel
Microsoft Defender • Security Information and Event
Management (SIEM)

Defender for Endpoint Rapid Threat

Defender for Office 365 Detection,
Defender for Identity Response, and
Defender for Cloud Apps Recovery
Defender for Cloud
• Security Orchestration, Automation, and
Response (SOAR)
 Zero Trust Architecture (ZTA)
Security Analytics

Endpoint ICAM PE/PA Protected Resources

Security POLICY
IDENTITY ACCESS & CREDENTIALS
Evaluate Access
• User • Management
User • Device • Authentication CLOUD
(SSO/MFA) APPS & WORKLOADS
• Authorization PEP
Device
GRANT ACCESS
FEDERATION GOVERNANCE (Micro‐
segmentation)
Mobile
Device ON‐PREM
APPS & WORKLOADS

GRANT ACCESS (File Share, Database, Storage, Apps)

(SDP)
Device SDP (example: TLS Tunnel)
(with SDP Client)

Data Security

Classified as Microsoft Confidential

 Implemented in NCCoE lab
Microsoft Zero Trust Capability Mapping (Summer 2023)
Key

NIST Area
Security Analytics
NIST Sub-Area Microsoft Sentinel
• Sub-Area
Microsoft Defender XDR • Security Information and Event
Management (SIEM)
Security Orchestration, Automation, and
Microsoft Service
•
Defender for Endpoint Defender for Office 365 Defender for Identity Defender for Cloud Apps Defender for Cloud Response (SOAR)

Security telemetry from across the environment

Endpoint Security Policy Enforcement / Admin (PE/PA) Protected Resources

Identity, Credentials, and Access
Microsoft Entra Management (ICAM) CLOUD APPS & WORKLOADS
Policy
Conditional Access Determine Access Defender for
Global Secure Identity Access & Cloud Apps 3P SaaS
• User Credential Mgmt. Defender forCloud
Office
Access client User Device Apps
• Authentication Entra ID
Workloads Microsoft 365
• 365
• Authorization
Conditional
Access Entra Permissions
Entra ID Grant Access
Management
Devices Defender for Cloud
Intune Entra ID Governance Entra Internet Access Microsoft Cloud
Azure IaaS
Security Benchmark
Device Management Grant Access
Software Defined Perimeter(SDP)
Federation Governance ON-PREM APPS & WORKLOADS
Policy Enforcement Point (PEP) Database File share Storage
Mobile Data Purview Azure Arc
Information
Protection Scanner
Defender for Endpoint Device
Feedback mechanisms enable
Endpoint Detection and Secure Admin continuous improvement Apps Defender Application Guard
Virtual Desktops
Response (EDR) Workstations
Entra Private Access Infrastructure & Access
Entra Azure Virtual Connector
Azure Arc
Devices w/ Desktop Defender
Intune for Identity Azure
SDP Intune Windows 365 Automanage
VPN Backend Connector

Data Data Loss

Prevention
Purview
Document
Purview
Office Intune Defender for Purview Cloud Infra Defender
DLP Information Mobile App Cloud Apps Information
Security (DLP)
Protection Protection
365 Mgmt Protection
SQL DB/Files for Cloud
Zero Trust
architecture Policy Optimization
Governance
Compliance
Data
Classify,
Security Posture Assessment Emails & documents
label,
Productivity Optimization encrypt Structured data

Identities
Strong
Human authentication

Non-human

Apps
Zero Trust Policies Network
Request Adaptive SaaS
enhancement Public Access
Evaluation
On-premises
Traffic filtering Private
Enforcement
& segmentation
(as available)

Endpoints Infrastructure
Device Risk
compliance assessment Serverless
Corporate
Runtime Containers
Personal
control
IaaS
Threat Protection Paas

Continuous Assessment Internal Sites

Threat Intelligence
Forensics
Response Automation
Telemetry/analytics/assessment

JIT & Version Control

Zero Trust Policy Optimization

architecture
Governance
Compliance
Data
Classify,
Security Posture Assessment Emails & documents
label,
Productivity Optimization encrypt Structured data

Microsoft Defender for Cloud Defender for Office 365

Identities Secure Score Microsoft Purview
Strong
Human authentication Compliance Manager Microsoft Priva
Non-human

Microsoft Entra ID Apps

Zero Trust Policies Network
ID Protection
Request Adaptive SaaS
Workload ID enhancement Evaluation
Public Access
Microsoft Entra On-premises
Entra ID Governance Conditional Access Traffic filtering Private
Enforcement
& segmentation GitHub Advanced Security
(as available)
Defender for Identity Azure Networking
Defender for Cloud Apps
Entra Internet Access
Entra Private Access
Defender for
Endpoints APIs (preview) Infrastructure
Device Risk
compliance assessment Serverless
Corporate
Runtime Containers
Personal
control
IaaS

Intune Threat Protection Microsoft Entra Paas

Device Management Continuous Assessment
Permissions Management Internal Sites

Threat Intelligence
Defender for Endpoint Defender for Cloud
Endpoint Detection and Forensics Azure Arc

Response (EDR) Response Automation

Microsoft Sentinel
Telemetry/analytics/assessment
Microsoft Defender • Security Information and Event
Management (SIEM)
JIT & Version Control • Security Orchestration, Automation,
Defender for Endpoint Defender for Office 365 Defender for Identity Defender for Cloud Apps Defender for Cloud and Response (SOAR)
Managing Information/Cyber Risk February 2023 -
Security responsibilities or “jobs to be done” https://aka.ms/SecurityRoles

Information Risk Management Program Management Office (PMO)

Supply Chain Risk (People, Process, Technology)
Incident
Posture Management Preparation

Incident
Response
Incident
Management

Threat
Hunting
Microsoft security capability mapping
Which roles typically use which capabilities
https://aka.ms/MCRA

Access Control Security Operations Security Governance Asset Protection

Establish Zero Trust access model to modern and Detect, Respond, and Recover from attacks; Hunt Protect sensitive data and systems. Continuously Continuously Identify, measure, and manage security
legacy assets using identity & network controls for hidden threats; share threat intelligence broadly discover, classify & secure assets posture to reduce risk & maintain compliance

Identity Admin, Identity Architect, Incident preparation Security architecture Infrastructure and endpoint security,
Microsoft Entra

Identity Security • Microsoft Cybersecurity Reference Architecture IT Ops, DevOps

https://aka.ms/MCRA
• Entra ID (Formerly Azure AD) Security Operations Analyst • Microsoft Defender for Cloud
• Multifactor Authentication Posture management, Policy and (including Azure Arc)
Microsoft Defender XDR
• Conditional Access • Entra Permission Management
• Application Proxy • Microsoft Defender for Endpoint standards, Compliance management • Azure Blueprints
• External Identities / B2B & B2C • Microsoft Defender for Office 365
• Microsoft Defender for Identity • Microsoft Defender for Cloud • Azure Policy
Security Service Edge (SSE)
Microsoft Defender

• • Secure Score • Azure Firewall

• and more.. • Microsoft Defender for Cloud Apps
• Compliance Dashboard
• Microsoft Entra Identity Protection • Azure Monitor
• Entra Permission Management • Azure Security Benchmark
• Microsoft Defender for Cloud • Azure Blueprints • Azure Web Application Firewall
• Windows Hello for Business Microsoft Defender for DevOps
•
• Azure Policy • Azure DDoS
• Microsoft 365 Defender Microsoft Defender for Servers
• Microsoft Defender for Identity
•
• Microsoft Defender External Attack • Azure Backup and Site Recovery
• Microsoft Defender for Storage • Azure Networking Design
• Microsoft Defender for Cloud Apps • Microsoft Defender for SQL Surface Management (MD-EASM) • Virtual Network, NSG, ASG, VPN, etc.
• Microsoft 365 Lighthouse • Microsoft Defender for Containers • Azure Administrative Model • PrivateLink / Private EndPoint
[multi-tenant]
• Azure Lighthouse • Microsoft Defender for App Service • Portal, Management Groups, Subscriptions
• Azure Resource Locks
• Azure Bastion • Microsoft Defender for APIs (preview) • Azure RBAC & ABAC
• Azure Administrative Model • Microsoft Defender for Key Vault • Microsoft Purview
• Compliance manager OT and IoT Security
• Portal, Management Groups, Subscriptions • Microsoft Defender for DNS
• Azure RBAC & ABAC • Microsoft Defender for open-source • Microsoft Defender for IoT (& OT)

Microsoft Purview
Network Security relational databases Data security • Azure Sphere
• Microsoft Defender for Azure
• Azure Firewall Cosmos DB • Microsoft Purview
• Azure Firewall Manager • Microsoft Security Copilot (preview) • Information Protection
•
•
Azure DDoS
Azure Web Application Firewall
• Microsoft Sentinel • Data Loss Prevention
• Microsoft 365 Defender
Innovation Security
• Microsoft Security Experts
• Azure Networking Design • Microsoft Incident Response • Microsoft Defender for Cloud Apps Integrate Security into DevSecOps
• Virtual Network, NSG, ASG, VPN, etc. Detection and Response Team (DART) processes. Align security, development,
• PrivateLink / Private EndPoint People security and operations practices.
• Attack Simulator
Endpoint / Device Admin • Insider Risk Management Application security and DevSecOps
Threat intelligence Analyst
• Microsoft Intune • (Same as Infrastructure Roles)
• Configuration Management • Microsoft Defender Threat Privacy Manager • GitHub Advanced Security
• Microsoft Defender for Endpoint Intelligence (Defender TI) • Microsoft Priva • Azure DevOps Security
• Microsoft Sentinel
 Microsoft Security Experts

Microsoft Defender XDR

aka.ms/MCRA
Unified Threat Detection and Response across IT, OT, and IoT Assets Microsoft
Sentinel
Incident Response | Automation | Threat Hunting | Threat Intelligence Microsoft Entra Internet Access
Cloud Native
SIEM, SOAR,
Microsoft Security Copilot (Preview) and UEBA

Security Adoption Framework

&ORXG (QGSRLQW 2 IILFH ,GHQWLW\ 6DD6 ' DWD 2 7,R7 2 WKHU
$]XUH$: 6 : RUNVWDWLRQV (P DLO7HDP V &ORXG  &ORXG$SSV 64 /' /3  GHYLFHV 7RROV/RJV
Security Documentation
Benchmarks
*&32 Q3UHP  6HUYHU90  DQGP RUH 2 Q3UHP LVHV P RUH ' DWD
P RUH &RQWDLQHUVHWF

Microsoft Entra

Defender for Cloud – Cross-Platform Cloud Security Posture Management (CSPM)

Discover
Monitor Classify
Protect

Microsoft Entra Private

Access & App Proxy Azure Key Vault 6
Beyond User VPN

Azure Backup
Security & Other Services

aka.ms/SPA

Secure Score Compliance Score CSPM: Defender for Cloud Microsoft Defender External Attack Surface Management (EASM) Vulnerability Management

GitHub Advanced Security & Azure DevOps Security

Secure development and software supply chain
 Microsoft Security Experts

Microsoft Defender XDR

aka.ms/MCRA
Unified Threat Detection and Response across IT, OT, and IoT Assets Microsoft
Sentinel
Incident Response | Automation | Threat Hunting | Threat Intelligence Microsoft Entra Internet Access
Cloud Native

Changes
SIEM, SOAR,
Microsoft Security Copilot (Preview) and UEBA

Security Adoption Framework

&ORXG (QGSRLQW 2 IILFH ,GHQWLW\ 6DD6 ' DWD 2 7,R7 2 WKHU
$]XUH$: 6 : RUNVWDWLRQV (P DLO7HDP V &ORXG  &ORXG$SSV 64 /' /3  GHYLFHV 7RROV/RJV
Security Documentation
Benchmarks
*&32 Q3UHP  6HUYHU90  DQGP RUH 2 Q3UHP LVHV P RUH ' DWD
P RUH &RQWDLQHUVHWF

Microsoft Entra

Defender for Cloud – Cross-Platform Cloud Security Posture Management (CSPM)

Discover
Monitor Classify
Protect

Microsoft Entra Private

Access & App Proxy Azure Key Vault 6
Beyond User VPN

Azure Backup
Security & Other Services

aka.ms/SPA

Secure Score Compliance Score CSPM: Defender for Cloud Microsoft Defender External Attack Surface Management (EASM) Vulnerability Management

GitHub Advanced Security & Azure DevOps Security

Secure development and software supply chain
 Microsoft Security Experts

Microsoft Defender XDR

aka.ms/MCRA
Unified Threat Detection and Response across IT, OT, and IoT Assets Microsoft
Sentinel
Incident Response | Automation | Threat Hunting | Threat Intelligence Microsoft Entra Internet Access
Cloud Native
SIEM, SOAR,
Microsoft Security Copilot (Preview) and UEBA

Security Adoption Framework

&ORXG (QGSRLQW 2 IILFH ,GHQWLW\ 6DD6 ' DWD 2 7,R7 2 WKHU
$]XUH$: 6 : RUNVWDWLRQV (P DLO7HDP V &ORXG  &ORXG$SSV 64 /' /3  GHYLFHV 7RROV/RJV
Security Documentation
Benchmarks
*&32 Q3UHP  6HUYHU90  DQGP RUH 2 Q3UHP LVHV P RUH ' DWD
P RUH &RQWDLQHUVHWF

Microsoft Entra

Defender for Cloud – Cross-Platform Cloud Security Posture Management (CSPM)

Discover
Monitor Classify
Protect

Microsoft Entra Private

Access & App Proxy Azure Key Vault 6
Beyond User VPN

Azure Backup
Security & Other Services

aka.ms/SPA

Secure Score Compliance Score CSPM: Defender for Cloud Microsoft Defender External Attack Surface Management (EASM) Vulnerability Management

GitHub Advanced Security & Azure DevOps Security

Secure development and software supply chain
 https://aka.ms/MCRA

6
 https://aka.ms/MCRA

6

On-Premises IaaS PaaS

Key cross-platform and multi-cloud guidance
Microsoft Defender for Cloud multicloud solution
Multi-cloud & hybrid protection in Microsoft Defender for Cloud

Azure Arc
 Organizational policy

Conditional
Access

Security context
Behavior analytics Threat intelligence User and session risk Device risk

Centralized control Consistent enforcement

Unified Zero Trust architecture and policy engine simplifies Centralized policy is consistently applied across all resources where the
management of access controls and technologies (Directory, SSO, action happens (identity, data, network + infra and apps across cloud,
Federation, RBAC, proxy, and more) on-premises, IoT, OT, and more)
Access Management Capabilities
Can be implemented today using Microsoft and partner capabilities

Employee

Partner

Customer Direct Application Access

Core adaptive access policy
Workload

Security Service Edge (SSE)

Security Policy Additional policy control & monitoring
with Zero Trust Network Access (ZTNA), secure web
Engine gateway (SWG), Cloud Access Security Broker
(CASB), and Firewall-as-a-Service (FWaaS)

Virtual Private Network (VPN)

Legacy technology being retired

Macro- and Micro-segmentation

Workload isolation using identity,
network, app, and other controls
Access Management Capabilities
Using Microsoft Technology
Can be implemented today using Microsoft and partner capabilities
Microsoft Entra ID
(formerly Azure AD)
Entra Internet Access (preview),
Entra Private Access (preview),
Employee
Microsoft Entra and Partners
Conditional Access
Partner

Customer Direct Application Access

Core adaptive access policy
Workload

Security Service Edge (SSE)

Security Policy Additional policy control & monitoring
with Zero Trust Network Access (ZTNA), secure web
Microsoft Threat Intelligence
Engine gateway (SWG), Cloud Access Security Broker
(CASB), and Firewall-as-a-Service (FWaaS)
65+ Trillion signals per day of
security context & Human Expertise

Virtual Private Network (VPN)

Legacy technology being retired

Illumio partnership, LAPS

Entra ID Self Service Macro- and Micro-segmentation

Microsoft Defender + Intune Password Reset (SSPR) Workload isolation using identity,
network, app, and other controls

https://aka.ms/MCRA
 Business Critical Assets

Devices/Workstations Account Interface

Intermediaries

Intermediaries

Devices/Workstations Account Interface

Potential Attack Surface

 Asset Protection also required
Security updates, DevSecOps,
data at rest / in transit, etc.

Business Critical Assets

Devices/Workstations Account Interface

Intermediaries

Intermediaries

Devices/Workstations Account Interface

 Align to Mission + Continuously Improve
Measure and reduce attacker dwell time
(attacker access to business assets) via
Mean Time to Remediate (MTTR)
Case Management
Analysts
and Hunters
Incident Response/Recovery Assistance
Security Information and Event Management (SIEM)

Managed Detection and Response

Threat Intelligence (TI)

Automation (SOAR) Generative AI
Simplifies tasks and performs
advanced tasks through chat interface

Extended Detection and Response (XDR)

Enterprise Assets – Multiple generations of technology spanning clouds, Devices, Operating Systems, Applications, Data Formats, and more

https://aka.ms/MCRA
 https://aka.ms/MCRA

Align to Mission + Continuously Improve

Measure and reduce attacker dwell time
(attacker access to business assets) via
Mean Time to Remediate (MTTR)

Analysts
and Hunters

Microsoft Security Copilot (Preview)

Simplifies experience for complex tasks/skills

Provide actionable security

detections, raw logs, or both
Operational Technology (OT) Security Reference Architecture https://aka.ms/MCRA

Apply zero trust principles to securing OT and industrial IoT environments

Business Analytics Security Analytics

Azure Analytics
Cloud • Native plug-in for Microsoft Defender for IoT
Blended cybersecurity attacks are 3rd party 3rd party
driving convergence of IT, OT, and IoT Analytics IoT Hub, PowerBI, Azure Edge,
Digital Twins, and more
Environments Analytics Microsoft Sentinel
• Native OT investigation & remediation playbooks
• Correlation with other data sources and
Strategic Threat intelligence (attack groups & context)
security architectures and capabilities

IIoT / OT Digital Transformation drivers Operational Technology Information Technology

• Business Efficiency - Data to enable business agility
• Governance & Regulatory Compliance with safety and other (OT) Environments (IT) Environments
TLS with mutual
standards Safety/Integrity/Availability Confidentiality/Integrity/Availability authentication
• Emerging Security Standards like CMMC • Hardware Age: 50-100 years (mechanical + electronic overlay) • Hardware Age: 5-10 years
• Warranty length: up to 30-50 years • Warranty length 3-5 years
• Protocols: Industry Specific (often bridged to IP networks) • Protocols: Native IP, HTTP(S), Others
• Security Hygiene: Isolation, threat monitoring, managing vendor • Security Hygiene: Multi-factor authentication (MFA), patching, threat monitoring, antimalware
Purdue Model access risk, (patching rarely)

Level 3 – Site Operations Business Analytic Sensor(s)

Control & monitoring for physical site
with multiple functions (e.g. plant)
Business Analytics
NETWORK
Level 2 – Supervisory Control TAP/SPAN Sensor(s) + Analytics Cloud Connection (OPTIONAL)
Monitoring & Control for discrete
business functions (e.g. production line)
Plant security console Microsoft Defender for IoT (and OT)
(optional)  Manager 3rd party SIEM
 Security Console
Level 1 – Basic Control
Electronics controlling or monitoring
physical systems Isolation and Segmentation Transform with Zero Trust Principles
Purdue model assumed static site/enterprise model
Internal Hard Boundary Soft(ware) Boundary • Datacenter Segments – Align network/identity/other
Level 0 – Process segmentation
Physical machinery Physically disconnect People, Process, and Tech (network controls to business workloads and business risk
As business from IT network(s) + identity access control, boundary • End user access - Dynamically grant access based on explicit
processes allow patching and security hygiene) validation of current user and device risk level
S A F E T Y S Y S T E M S

©Microsoft Corporation
Azure
Zero Trust Principles - Assume breach, verify explicitly, Use least privilege access (identity and network)
End to End IT, OT, and IoT Device Security
Most Industries
Physical Industries

Monitor and Control Physical Process Enable Human Process Consumer IoT

OT/ICS Industrial IoT General-purpose IoT Network Devices Business IoT IT Endpoints
Industrial automation, Sensors, meters Cameras, VoIP phones, badge Routers, switches, ATMs, Point of Servers, laptops,
PLCs, Building detectors, and readers, printers, smart TVs, access points Sale, voting, tablets, mobile
Management Systems purpose-built smart appliances, smart meters,
(HVAC, smoke alarms, medical, kiosks,
elevators, etc.) connected cars

Micro Agent
(for greenfield)

Microsoft Defender for IoT & OT Defender for

OT Network Sensor IT/IoT Network Sensor & EDR Agent Sensor Endpoints
ReFirm

Start with Life/Safety Impact first

 https://aka.ms/MCRA

• Automated User Provisioning • Privileged Identity Management (PIM)

• Entitlement Management • Terms of Use
• Access Reviews

On-Premises & Other

Cloud Resources/Data

Azure Resources/Data

Microsoft Defender XDR

Unified Threat Detection and Response across IT, OT, and IoT Assets
Microsoft Microsoft Defender for Cloud - Detections across assets and tenants
Incident Response | Automation | Threat Hunting | Threat Intelligence Sentinel
Cloud Native
Microsoft Security Copilot (Preview) SIEM, SOAR,
and UEBA

Microsoft Defender for

Entra ID Protection Microsoft Defender for Identity
Endpoint
 ·
Normalize rigorous security maintenance for software
OBJECTIVES & KEY RESULTS (OKRs) WHO WHAT
Summary of Outcomes Directly Responsible Individuals (DRIs) Implementation Workstreams and Leads
Reduce organizational risk EXECUTIVE CEO or Delegate <add name(s)>
OBJECTIVE caused by neglect of basic  Update Organizational Accountability
SPONSOR (frequently CFO) designated by
security maintenance. to reflect organizational nature of risk
CEO/CFO
PROJECT
CIO or delegate
LEADERSHIP  Update Budget and Acquisition policy <add name(s)>
for accountability and technology lifetime Designated by CFO
PROJECT TEAM(S)
<add name(s)>
Business / Application / Cloud Teams  Update Security Patching/Maintenance Policy
CISO/CIO and
to reflect accountability model
• <add name(s)> governance team
WHY
IT/OT/IoT Asset Management
<add name(s)>
• <add name(s)>  User Device Patching
IT Productivity / End
to apply updated organizational policy
Purchasing/Vendor Management User Team(s)
• <add name(s)>
<add name(s)>
Central and Business Unit IT Infrastructure  Domain Controllers and DNS Patching
Identity/Networking/
to apply updated organizational policy
• <add name(s)> Server Infra Teams
KEY Productivity / End User Team(s)
RESULTS (Technical and Communications Teams)  Server Infrastructure Patching <add name(s)>
to apply updated organizational policy Server Infra Teams
• <add name(s)>
Security Policy and Standards  Container Patching <add name(s)>
TIMELINES / DEADLINES • <add name(s)> to apply updated organizational policy Server Infra Teams
Security Compliance Management  Application Patching <add name(s)>
• <add name(s)> to apply updated organizational policy Multiple Teams
Security & IT/Enterprise Architecture <add name(s)>
 Firmware and Device Patching
• <add name(s)> to apply updated organizational policy Multiple Teams
 ·
WHAT - Implementation Workstreams and Leads HOW – Key directional guidance
• Define accountability and shared responsibility model to reflect the organization-wide nature of cybersecurity risk and
<add name(s)> distributed responsibility of mitigation via applying patches.
 Update Organizational Accountability
designated by • Set up a team model where system owners are accountable, system managers are responsible for patching assets, and
to reflect organizational nature of risk security is responsible for advising and assisting
CEO/CFO
• Update incentive structures and measurements include scorecards, and objectives and key results (OKRs), etc.
• Allocate budget to support performing required security maintenance and application sustainment
 Update Budget and Acquisition policy <add name(s)>
• Update revenue projections based on any required changes to schedule and uptime
for accountability and technology lifetime Designated by CFO • Update acquisition policy to require vendor support is available for expected lifetime of the technology

 Update Security Patching/Maintenance <add name(s)> Reference Policy

Define and approve organizational policy and standards
Policy CISO/CIO and and Standards
that reflects updated accountability model and acquisition policy
to reflect accountability model governance team

<add name(s)> Update processes, tooling, and Scope: Update all user devices (corporate issued, BYOD, mobile, PC, Mac, etc.) while
 User Device Patching skills for all components including giving users limited control over reboot scheduling.
Productivity / End
to apply updated organizational policy supply chain:
User Team(s) Key Tooling: Intune, SCCM (Dynamic Updates | WaaS) , WSUS, 3rd party tools
• Change – adopt to a ‘patch by
<add name(s)> default’ approach to rapidly Scope: Active Directory Domain Controllers, Exchange Servers, and DNS Servers
 Domain Controllers and DNS Patching
Identity/Networking/ update assets while enabling (high network exposure, high impact, and high resiliency/redundancy built in)
to apply updated organizational policy asset owners limited control of Key Tooling: WSUS / SCCM, Azure VM Patching, 3rd party tools
Server Infra Teams
timing for testing and reboots
• Build – Automate deployment Scope: All server operating systems instances (VMs, physical servers, hypervisors, etc.)
 Server Infrastructure Patching <add name(s)>
(CI/CD, IaC, etc.) and include Key Tooling: Azure VM Patching, Azure Update Management Center (Preview)
to apply updated organizational policy Server Infra Teams
security updates and RPM, APT-GET, Chef, Ansible, Puppet, Windows Update, WSUS, SCCM, 3rd party tools)
configuration
• Restore – Build and test ability Scope: Container orchestration, images, and image repositories
 Container Patching <add name(s)>
to rapidly recover systems after Key Tooling: Standard server patching for orchestration/infrastructure, container creation
to apply updated organizational policy Server Infra Teams and repository management tools for containers, Defender for Containers
an attack
• Retire – Ensure all asset types
 Application Patching <add name(s)> Scope: All apps, middleware, and supply chain components for all formats and platforms
support exception process and
to apply updated organizational policy Multiple Teams replace/isolate un-securable
Key Tooling: Standard user device and server tooling, additional 3rd party tooling
assets Scope: Firmware & embedded OS/applications for user devices, servers, printers,
 Firmware and Device Patching <add name(s)>
Continuously improve until routers/Switches, IoT devices, OT Devices, others with work data / network connectivity
to apply updated organizational policy Multiple Teams reaching ideal state Key Tooling: WSUS (Surface devices and other OEMs), 3rd party tools
Idea Incubation First Production Release Production DevSecOps

Architecture & Governance

Security, Compliance, Identity, & Other Standards

Continuous Improvement of DevSecOps Lifecycle

1. MVP definitions – Update minimum requirements for Dev, Sec, and Ops (agility, stability, security, identity standards, and more)
2. Continuously improve process, program, education, tooling, etc. to improve developer productivity, efficiency, security, identity, and more)
 Defend across attack chains
https://aka.ms/MCRA

Defender for Defender for IoT (& OT) Microsoft Entra Defender for
Office 365 ID Protection Cloud Apps
IoT Device Disrupt OT
Phishing Open Exploitation Environment Exfiltration
Brute force account Attacker
mail attachment accesses of data
or use stolen account
credentials sensitive data
Defender for Endpoint
Attacker collects Domain
Click a URL
Exploitation Command Defender for reconnaissance & compromised
and Installation and Control User account is
Identity compromised configuration data

Browse
a website Microsoft Defender Attacker attempts
for Cloud lateral movement
Privileged account
compromised

Leading Insider risk

indicators
History of violations management
Data
Distracted and careless leakage

Disgruntled or disenchanted
Potential
Insider has access Anomalous
sabotage
Subject to stressors to sensitive data activity detected
 Static
Defend across attack chains Slide

https://aka.ms/MCRA

Defender for Defender for IoT (& OT) Microsoft Entra Defender for
Office 365 ID Protection Cloud Apps
IoT Device Disrupt OT
Phishing Open Exploitation Environment Exfiltration
Brute force account Attacker
mail attachment accesses of data
or use stolen account
credentials sensitive data
Defender for Endpoint
Attacker collects Domain
Click a URL
Exploitation Command Defender for reconnaissance & compromised
and Installation and Control User account is
Identity compromised configuration data

Browse
a website Microsoft Defender Attacker attempts
for Cloud lateral movement
Privileged account
compromised

Leading Insider risk

indicators
History of violations management
Data
Distracted and careless leakage

Disgruntled or disenchanted
Potential
Insider has access Anomalous
sabotage
Subject to stressors to sensitive data activity detected
It’s bad out there! Attacker techniques,
business models, and
For sale in “bad neighborhoods” on the internet skills/technology, are
continuously evolving

Attacker for hire (per job)

$250 per job (and up)
Other Services Ransomware Kits
Continuous attack $66 upfront
supply chain innovation (or 30% of the profit / affiliate model)

Compromised PCs / Devices

PC: $0.13 to $0.89
Mobile: $0.82 to $2.78

Spearphishing for hire

$100 to $1,000
(per successful account takeover)

Attackers Stolen Passwords

$0.97 per 1,000 (average)
(Bulk: $150 for 400M)

Denial of Service Many attack tools and

$766.67 per month tutorials/videos available
for free on internet
Threat environment is continually evolving
Attackers must change to overcome defenses (in big or small ways)

Leading Edge - pushed forward by sophisticated groups & researchers

• Adoption & exploitation of Artificial Intelligence (AI)
• Supply chain techniques
Note: Sophisticated attackers sometimes
• OT and IoT threats use commodity toolkits to hide their origin
• Insider risk
• Stealth - Evading indicators of compromise (IOCs) and other detections
• Improve existing techniques – Identity/MFA evolution, zero day vulnerabilities,
exploit line of business (LOB) apps, etc.

Commoditization – increases scale and impact of attacks

• Criminal gangs copy or purchase advanced techniques, integrate into toolkits
• Also evolve financial and social aspects of extortion/ransomware models

Agile Security is required to keep up with continuous changes

https://aka.ms/humanoperated
Attack Chain Models
Describe stages of an attack
Simple model for business leaders and other non-technical stakeholders

MITRE ATT&CK Framework Detailed model for technical detection coverage assessments and planning

Lockheed Martin Kill Chain Legacy Reference Model (missing lateral traversal)

Actions on the
Reconnaissance Weaponization Delivery Exploitation Installation Command and Control
Objective

Reconnaissance Persistence Lateral Exfiltration

Movement
Resource Initial Access Command and Control Impact
Development
Defense Evasion
Privilege Escalation
Discovery
Credential Access
aka.ms/HumanOperated
 What’s in Microsoft 365 E5
Product
Licensing
Details https://aka.ms/MCRA

Product Name Product Category(ies) Security Modernization Initiative(s)

Previous Product Names
Extended Detection and Response (XDR) • Modern Security Operations
Microsoft Defender for Endpoint (MDE) Endpoint Detection and Response (EDR)
Formerly Microsoft Defender ATP, Windows Defender ATP, Threat and Vulnerability Management (TVM)
• Infrastructure and Development
Windows Defender Antivirus Endpoint Protection Platforms (EPP) • Security Hygiene: Backup and Patching
Microsoft Defender for Identity (MDI) Extended Detection and Response (XDR)
• Modern Security Operations
Formerly Azure ATP
Microsoft Defender for Office (MDO) Extended Detection and Response (XDR) • Modern Security Operations
Formerly Office 365 ATP
• Secure Identities and Access
Microsoft Defender for Cloud Apps (MDCA) Cloud App Security Broker (CASB)
• Modern Security Operations
Formerly Microsoft Cloud App Security Extended Detection and Response (XDR)
• Data Security & Governance
Entra ID (Formerly Azure AD)
• Multifactor Authentication
• Microsoft Entra Conditional Access • Secure Identities and Access
Access Management
• Self-service password management • Modern Security Operations
• Identity Governance
• Privileged Identity Management (PIM)
Microsoft Purview
• Compliance Management
• Data Lifecycle Management • Data Security & Governance
• eDiscovery and auditing
• Insider Risk Management
Windows 10 & Windows 11
• Windows Hello for Business • Secure Identities and Access
• Windows AutoPilot
• Advanced Windows Security
Microsoft Intune Unified Endpoint Management (UEM) • Secure Identities and Access
Reference Mapping of Security Product Details https://aka.ms/MCRA

Simple Name Product Capability Name Simple Name Product Capability Name
Microsoft Entra ID P2
Microsoft Defender for Endpoint Plan 1
Microsoft Defender for Endpoint (formerly Azure Active Directory Premium Plan 2)
Microsoft Defender for Endpoint Plan 2 User Provisioning
Entra ID (formerly Azure AD)
Microsoft Defender for Identity Advanced Security Reports
Microsoft Defender for Identity
Microsoft Advanced Threat Analytics • Multifactor Authentication Multifactor Authentication
• Microsoft Entra Conditional Access Conditional Access
Microsoft Defender for Office 365 Plan 2
• Microsoft Entra ID Protection Risk Based Conditional Access / Identity Protection
Microsoft Defender for Office Application Guard for Office 365 Self-service password change
• Self-service password management
Safe Documents Self-service password unlock/reset
Microsoft Defender for Cloud Apps Microsoft Defender for Cloud Apps Access Reviews
• Identity Governance
Entitlement Management
Microsoft Defender Antimalware Microsoft Defender Antimalware
• Privileged Identity Management Privileged Identity Management
Microsoft Defender Firewall Windows Hello for Business Windows Hello for Business
Microsoft Defender Exploit Guard Microsoft Defender for Identity
Microsoft Defender for Identity
Advanced Windows Security Microsoft Defender Credential Guard Microsoft Advanced Threat Analytics

BitLocker and BitLocker To Go Simple Name Product Capability Name

Compliance Management Compliance Management
Windows Information Protection
Manual retention labels
Data Lifecycle Management
Basic org-wide or location-wide retention policies
Simple Name Product Capability Name
eDiscovery and auditing eDiscovery and auditing
Microsoft Intune Insider Risk Management
Microsoft Intune Mobile Device Management Communication Compliance
Insider Risk Management Information Barriers
Mobile application management
Customer Lockbox
Windows AutoPilot Windows AutoPilot Privileged Access Management

Details at https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans
Product Families Enable Modernization Initiatives

Security Strategy and Program

Zero Trust Architecture

Secure Identities Infrastructure & IoT and OT Modern Security Data Security &
and Access Development Security Security Operations (SecOps/SOC) Governance

Entra Defender Purview

Security Copilot (Preview)

Intune Azure Sentinel Priva

Provided by someone else

Spans on-premises &

multi-cloud environments
 Provided by someone else

Unmanaged Internet
Basic network monitoring for guests,
partners, new/unmanaged devices

Managed Internet
Monitored network for validated devices to communicate
peer to peer (patching, collaboration, etc.)

Spans on-premises & multi-cloud environments

 Provided by someone else

Unmanaged Internet
Basic network monitoring for guests,
partners, new/unmanaged devices

Managed Internet
Microsoft Entra
Monitored network for validated devices to communicate application proxy
peer to peer (patching, collaboration, etc.)

Spans on-premises & multi-cloud environments

 Provided by someone else

High Impact IoT/OT

IoT/OT With Life/Safety Impact

Unmanaged Internet
Basic network monitoring for guests,
Low Impact IoT/OT
partners, new/unmanaged devices Printers, VoIP phones, etc.
Managed Internet
Microsoft Entra
Monitored network for validated devices to communicate application proxy
peer to peer (patching, collaboration, etc.)

Spans on-premises & multi-cloud environments

 Sanctioned and Internet and Private and Managed in
Managed Services Unsanctioned/Unmanaged Apps the cloud or on-premises

Privileged Accounts Privileged Devices

Business critical system
users, developers, admins

Managed Devices
Specialized Accounts Specialized Devices
Sensitive System users,
developers, & admins Adaptive
Enterprise Accounts Access Control Enterprise Devices

Employee Partner

Anonymous and Consumer Unmanaged devices

identities s
p
p
A
/
s
t
i
BYOD, partners, etc.
n
U
s
s
e
n
i
s
u
B
e
v
i
t
i
s
n
e
tS
c
a
p
m
)
Is
y(
tt
en
fe
a
m
Sg
/e
eS
fl
ia
Lc
h
i
t
ii
W
r
T
C
O
.s
/cs
T
te
o
en
I,i
s
eu
B
n
T
o
O
h
/
p
T
P
o
II
o
t
V
c
,
a
s
p
r
m
e
I
t
h
n
g
ii
r
H
P

T
O
/
T
o
I
t
c
a
p
m
I
w
o
L
Effective implementation requires completeness and consistency.
Align business processes, people readiness, and all technical controls
(network, identity, application, management tools, etc.)
 Ability (and speed) to
accomplish advanced tasks
Native
Native Human
Computer Skills and learning required
to become productive

Direct Command Graphical User Chat/Conversation

programming Prompt Interface (GUI) using generative AI
Machine Learning (ML) already processes security data
Integrated into XDR, SIEM, posture management, and other tools

Adopt AI Security Capabilities Mitigate Attacker AI

Adopt generative AI capabilities to Continuously learn about
enhance cyber defenses and human Attacker AI to protect against it
skills (e.g. Security Copilot) and educate stakeholders

Protect AI Applications & Data

Integrate security from design to production
Education
Data Systems
Human generated data Protect custom
& Policy
is high value asset for models from
training AI models attacks AI App Design & Usage Use of External AI
AI Shared Responsibility Model
Illustrates which responsibilities are typically performed by an organization
and which are performed by their AI provider (such as Microsoft)

AI Usage

AI Application

Model
AI Platform Dependent
Establish clarity: Implement responsible Prioritize greatest needs and
Your data is your data AI principles opportunities for security
 Your data is your data

Built with security, Your data is not used to train the foundation
AI models
privacy, and
compliance
Your data is protected by the most
comprehensive enterprise compliance and
security controls
Grounded in responsible AI principles

Building blocks to enact principles

Privacy and security

Tools and processes

Reliability and safety Inclusiveness

Microsoft’s Training and practices

responsible AI
principles
Fairness Accountability Rules

Transparency Governance
Security Copilot Incident Surface an ongoing incident, assess its scale, and
get instructions to begin remediation based on
Priority Scenarios response proven tactics from real-world security incidents.

Summarize any event, incident, or threat in

Security seconds and prepare the information in a
reporting ready-to-share, customizable report for your
desired audience.

Security Discover whether your organization is susceptible

to known vulnerabilities and exploits. Prioritize
posture
risks and address vulnerabilities with guided
management recommendations.
Review – Artificial Intelligence (AI)

• Dynamic conversational chat is a new interface

• Makes technology easier to use and learn Comparing AI
Generations
• Enables people to do more advanced tasks

• Critical to adapt quickly to this technology

• Educate on and mitigate attacker use of AI
• Embrace security use of AI
• Protect business use of AI Resources and
References
• Securing AI is a shared responsibility
• Microsoft Approach to AI
• Establish clarity: your data is your data
• Implement responsible AI principles
• Focus initial security priorities on greatest needs
AI Security Resources and References
Microsoft
• Best practices for AI security risk management
www.microsoft.com/security/blog/2021/12/09/best-practices-for-ai-security-risk-management/

• Threat Modeling AI/ML Systems and Dependencies

learn.microsoft.com/security/engineering/threat-modeling-aiml

NIST: AI Risk Management Framework

www.nist.gov/itl/ai-risk-management-framework

MITRE | ATLAS - Adversarial Threat Landscape for AI Systems

https://atlas.mitre.org/
 Two ‘Generations’ of AI
Classic/Traditional AI Traditional AI

Is AI that detects and classifies, can work on vast amounts of data, for
use in real-time applications and automation of capabilities.
• Traditional AI is good at: Looking at a large field of data and
finding patterns or continuations (like making recommendations).
• Traditional AI is bad at: Understanding highly complex smaller
things like language.

Generative AI (GAI)
Is AI that understands and creates content, such as GPT. It works on relatively
small chunks of data – text, images, sounds, videos – and has a “linguistic” Generative AI
understanding. Large language models (LLMs) are a kind of GAI and the term is
often used as a synonym, but LLMs are ones that work on text.
• GAI is good at: Understanding language, summarizing, translating concepts
(e.g. from language to code or vice-versa); roleplaying as characters
• GAI is bad at: Processing large amounts of data.
[Note: All AI’s are trained on large amounts of data; this is about what they
can do after they’re trained]

Generative AI Terminology.docx