Turning the tables talk delivered at CCISDA conference
19 Sep 2018 • 0 likes • 112 views
Slides from my presentation at the CCISDA (California Counties) information technology conference this week. NOTE: hacking video I narrated has been removed for file size considerations.
1. TURNING THE TABLES: Evolving cybersecurity strategies
Dean Iacovelli
Director, Secure Enterprise
Microsoft State and Local Government
deaniac@microsoft.com
2. A LITTLE ABOUT ME – DEAN IACOVELLI
13 years working with Microsoft State and Local customers
Roles
▪ First Chief Security Advisor for Microsoft State and Local
▪ First Cloud Services Director, incubated team of specialists on what would become Office 365
▪ Currently Director of Secure Enterprise, managing a team of cybersecurity specialists focused on security for Office 365, Identity, Threat Protection, and Windows security
3. ANATOMY OF A BREACH…OR SEVERAL
ENTRY
• Phishing: spear, whaling, trusted user
• Password: brute force, spray
• Known vulnerabilities: OS, database, apps
RECON
• Target recon, network traversal, mailbox persistence, device persistence
ESCALATION
• Pass the hash, pass the ticket
IMPACT
• Own domain, delete backups, exfiltrate data, redirect funds, ransom, botnet
4. “THE STATE OF THE STATE” IN CYBERSECURITY
ASYMMETRICAL threat creates resource drain
• Profit-motivated, well-resourced HUMAN adversary with attacks getting cheaper
• PERFECT STORM #1: They use your transparency against you
• Attacks are becoming AUTOMATED, responses are not
• PERFECT STORM #2: Second lowest security rating, second highest rate of attack (NPR)
• Global shortage of cybersecurity talent
• The cost can be enormous and it’s ASYMMETRICAL to org size – see OPM
• Outcome? Only 5% of security alerts get investigated (Forbes)
CONCLUSION: Trying to solve the security problem at an individual org level with current approaches isn’t sufficient and may bankrupt your organization.
So what can we do differently? Two arguments/ideas for your consideration.
5. 1. BEGIN MOVING TO BEST OF BREED SECURITY PLATFORM
• Complexity is the enemy of security – too many disparate “best of breed” solutions, too much data and little integration/coordination
• If you choose to integrate these: significant cost and complexity
• If not, humans become the integration and limit response time and decision quality – i.e. attacks at Internet speed, response at human speed
• Need to begin moving to a security platform that is pre-integrated, identity-driven, policy-based
“Simplify the scope of EPP by using OS-embedded security features, such as disk encryption and USB device control, especially when migrating to Windows 10”
– Gartner “Redefining Endpoint Protection” report, Sep 2017
6. FOUNDATIONS OF A MODERN SECURITY PLATFORM
• AUTOMATION of insights and response
• INTEGRATION of all components for coordinated response
• MACHINE LEARNING and AI to separate signal and noise
• CLOUD SCALE real-time threat intel
7. ELEMENTS OF A MODERN SECURITY PLATFORM
Columns: Identity | Devices | Apps and Data | Security Operations
Components: Azure Active Directory, Advanced Threat Analytics, O365 Advanced Threat Protection, O365 Threat Intelligence, Win 10 Identity Protection, Intune, Win 10 Threat Resistance, Win 10 Post Breach Analysis, Win 10 Info Protection, Azure Info Protection, Data Loss Prevention, Cloud App Security, Cyber Defense Operations Center, Digital Crimes Unit (DCU), Secure Score
Foundation: INTELLIGENT SECURITY GRAPH
8. CYBERSECURITY REFERENCE ARCHITECTURE
[Architecture diagram; only the labels and callouts recoverable from the slide are listed below]
Zones: Internet of Things, Unmanaged & Mobile Clients, Sensitive Workloads, Extranet, Microsoft Azure, On Premises Datacenter(s), Colocation, Software as a Service, Managed Clients, Enterprise Servers, Domain Controllers, Legacy Windows, Structured Data & 3rd party Apps, Security Operations Center (SOC)
Callouts:
• Nearly all customer breaches that Microsoft’s Incident Response team investigates involve credential theft
• 63% of confirmed data breaches involve weak, default, or stolen passwords (Verizon 2016 DBR)
• 80%+ of employees admit using non-approved SaaS apps for work (Stratecast, December 2013)
Components: Azure Key Vault; Azure Security Center (Threat Protection, Threat Detection); System Center Configuration Manager + Intune; NGFW; EPP - Windows Defender; EDR - Windows Defender ATP; Mac OS; Multi-Factor Authentication; MIM PAM; Azure App Gateway; Network Security Groups; Azure AD PIM; Azure Antimalware; Disk & Storage Encryption; SQL Encryption & Firewall; Hello for Business; Windows Info Protection; VPN; VMs; Certification Authority (PKI); Incident Response; Vulnerability Management; Enterprise Threat Detection; Analytics; Managed Security Provider; OMS; ATA; SIEM; Logs & Analytics; Active Threat Detection; Hunting Teams; Investigation and Recovery; WEF; SIEM Integration; IoT; Identity & Access; UEBA; Windows 10 Security (Secure Boot, Device Guard, Application Guard, Credential Guard, Windows Hello); Windows Server 2016 Security (Shielded VMs, Device Guard, Credential Guard, Just Enough Admin, Hyper-V Containers, Nano server, …); Privileged Access Workstations (PAWs) (Device Health Attestation, Remote Credential Guard); Intune MDM/MAM; Conditional Access; Cloud App Security; Azure Information Protection (AIP) (Classify, Label, Protect, Report); Office 365 DLP; Endpoint DLP; DDoS attack mitigation; Classification Labels; ASM; Lockbox; Office 365 Information Protection; Backup and Site Recovery; Shielded VMs; Office 365 ATP (Email Gateway, Anti-malware); Hold Your Own Key (HYOK); ESAE Admin Forest; PADS; IPS; Edge DLP; SSL Proxy; Security Development Lifecycle (SDL); Azure AD Identity Protection; Security Appliances
9. 2. MOVE TO CLOUD FIRST OR EVEN CLOUD ONLY POLICY
• 1B annual spend on cyber security – TRANSFORMATIONAL economics of cloud let you pool risk and resources
• Stay continuously patched and compliant
• “Built in, not bolt on”
• Intelligent Security Graph is a game changer
• Certs AND a track record
“Gartner predicts that by 2018, increased security will displace cost savings and agility as the primary driver for government agencies to move to public cloud within their jurisdictions.”
– Gartner 2016 prediction
11. FINALLY, PLEASE REMEMBER…
BRAKES ARE WHAT ALLOW THE CAR TO GO FASTER.
15. ADVANCED THREAT ANALYTICS
Identify advanced on-premises security attacks before they cause damage
Behavioral analytics
Machine learning baselines your environment, then scans for anomalies.
Detection for known threats
Forensic tools to search for known security attacks such as “pass the hash”
Focus on what’s important
Clear, efficient, and convenient timeline feed that surfaces the right things along with recommendations for investigation and remediation
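As an added illustration of the “brute force, spray” entry vector on the breach-anatomy slide and of the baseline-then-flag-anomalies idea on this slide, the detector below classifies each source of failed sign-ins as a spray (many accounts, few attempts each), a brute force (one account, many attempts) or benign. This is example code written for this page, not Microsoft’s or ATA’s logic; the event format, thresholds and IP addresses are constructed assumptions.

```python
"""Toy detector separating password-spray from brute-force patterns in failed sign-in records."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of failed sign-in events as (timestamp, source_ip, account). Not real data.
SAMPLE_EVENTS = (
    # one source, six different accounts in 12 seconds: spray (stays under per-account lockout)
    [(f"2018-09-18T08:00:{2 * i:02d}", "203.0.113.7", a)
     for i, a in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])]
    # one source hammering a single account: brute force
    + [(f"2018-09-18T08:10:{i:02d}", "198.51.100.9", "alice") for i in range(6)]
    # a single typo from a user's own address: benign
    + [("2018-09-18T09:30:00", "192.0.2.44", "grace")]
)


def classify_sources(events, window=timedelta(minutes=15), spray_accounts=5, brute_attempts=6):
    """Return {source_ip: verdict}, verdict being 'spray', 'brute_force' or 'benign'.

    Spray: a source fails against >= spray_accounts distinct accounts inside one window.
    Brute force: a source fails >= brute_attempts times against one account inside one window.
    Thresholds are assumptions; tune them to the environment's lockout policy and baseline.
    """
    per_source = defaultdict(list)
    for ts, src, acct in events:
        per_source[src].append((datetime.fromisoformat(ts), acct))

    verdicts = {}
    for src, items in per_source.items():
        items.sort()  # chronological order so the sliding window below is valid
        verdict = "benign"
        start = 0
        for end in range(len(items)):
            # shrink the window from the left until it spans at most `window`
            while items[end][0] - items[start][0] > window:
                start += 1
            per_account = defaultdict(int)
            for _, acct in items[start:end + 1]:
                per_account[acct] += 1
            if len(per_account) >= spray_accounts:
                verdict = "spray"
                break
            if max(per_account.values()) >= brute_attempts:
                verdict = "brute_force"
                break
        verdicts[src] = verdict
    return verdicts


if __name__ == "__main__":
    for src, verdict in classify_sources(SAMPLE_EVENTS).items():
        print(f"{src:>14}  {verdict}")
```

The same failure count that looks harmless per account becomes obvious once grouped by source, which is why spray detection has to pivot on the source rather than on the account lockout counter.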
16. OFFICE 365 ADVANCED THREAT PROTECTION
Reduce the threat of malicious content
Move beyond signature-based defense to heuristic analysis and cloud-based pre-detonation of attack content.
Increase understanding of threats
Global visibility to real-time threat trends allows dynamic policy adjustment.
Simplify management
Single console for both cloud-side and client-side threat analysis.
17. OFFICE 365 THREAT INTELLIGENCE
Broad visibility into attack trends
Billions of data points from Office, Windows, and Azure
Integrated data from external cyber threat hunters
Intuitive dashboards with drill-down capabilities
18. WINDOWS 10 IDENTITY PROTECTION
Protecting user identities from theft and misuse
Windows Hello
• Enterprise grade alternative to passwords
• Natural (biometrics) or familiar (PIN) as a means to validate a user’s identity
• Security benefits of smartcards without the complexity
Credential Guard
• Prevents theft of user credentials via common attacks like Pass-the-Hash (PtH)
• Credentials are secured by placing them within a hardware isolated container, safe even if OS is compromised
19. INTUNE
Manage and secure mobile productivity
Access management
• Conditional access
• Compliance enforcement
• Multi-identity support
Mobile device and app management
• Manage iOS, Android, and Windows devices
• Protect data in corporate apps with or without a device enrollment
20. WINDOWS 10 THREAT RESISTANCE: PRE-BREACH
Protect devices and networks with a comprehensive set of pre-breach defenses
Trusted boot
• Tamper free boot via modern hardware (TPM/UEFI)
• Automatically remediate and self-heal from any tampering
Device Guard
• System hardening offers zero day protection for the system core
• Next-gen app control ensures only trusted apps can run on the device
Windows Defender AV
• Integrated enterprise grade protection against viruses, malware, spyware, and other threats
Source: AV-comparatives.org
21. WINDOWS 10 THREAT RESISTANCE: POST-BREACH
Windows Defender Advanced Threat Protection helps detect, investigate, and respond to advanced attacks
Built into Windows, cloud-powered
• No additional deployment and infrastructure
• Continuously up-to-date, lower costs
Behavior-based, post-breach detection
• Actionable, correlated alerts for known and unknown adversaries
• Real-time and historical data
Unique threat intelligence knowledge base
• Unparalleled threat optics provide detailed actor profiles
• First and third-party threat intelligence data
22. WINDOWS 10 INFORMATION PROTECTION
Protect business data when devices are lost or stolen and from accidental data leaks
BitLocker
• Highly customizable full-volume encryption
• Single sign-on experience on modern devices
• Easily manageable with advanced provisioning, reporting, and self-service recovery options for users
Enterprise data protection
• Business data containment for sensitive information
• Block docs from managed apps from being transferred to consumer apps
• Remotely wipe business data from a device while leaving personal data untouched
23. AZURE INFORMATION PROTECTION
Better secure your sensitive information - anytime, anywhere
Persistent classification and protection
• Policy driven classification and protection
• Data security regardless of where data is stored or shared
Visibility and control
• Data use/abuse tracking for IT and users
• Document revocation in case of unexpected distribution
Simple, intuitive for users
• Intuitive interface for users
• Integrated into common apps and services
• In-product notifications help users make right decisions
24. DATA LOSS PREVENTION IN OFFICE 365
Detect, protect, and monitor your sensitive information
Detect
• Scan for sensitive information in Exchange, SharePoint, and OneDrive for Business
• Find over 80 sensitive content types (PII, credit card, HIPAA)
Protect
• Auto-encrypt docs, tie to forced authentication
• Block egress of sensitive data
Monitor
• Track policy violations through inbox reports
25. CLOUD APP SECURITY
Enterprise-grade security for your cloud apps
Discover
• Gain complete visibility and context for cloud usage and shadow IT—no agents required
Control
• Shape your cloud environment with granular controls and policy setting for access, data sharing, and DLP
Investigate
• Identify high-risk usage and security incidents, detect abnormal user behavior, and prevent threats
27. THE MICROSOFT DIGITAL CRIMES UNIT (DCU)
Combining creative legal strategies, cutting edge data analytics and public/private partnerships to fight cybercrime
Combat Internet Fraud
• Partner with law enforcement globally to detect and prosecute Internet scammers
Botnet Takedown
• Collect 250M records of sensor data per day to detect and locate global botnets
• Use variety of legal and technical approaches to have them shut down or neutralized
28. “SECURE SCORE” CLOUD BEST PRACTICE ANALYZER
Security analytics based on proven cloud security best practices
Baseline on what you own in Office 365
• Up to 60 different controls/practices are assessed
Reports deliver a plan for score improvement
• See your score improve over time. Export data to Excel for use in project management, task assignment, etc.
Global context
• Compare your score against other Office 365 organizations worldwide.
29. INTELLIGENT SECURITY GRAPH
Our most unique global asset in the fight, informed by trillions of feeds. Machine learning helps sort the signal from the noise. This signal is leveraged across all of Microsoft’s security services.
• 450B monthly authentications
• 18+B Bing web pages scanned
• 750M+ Azure user accounts
• Enterprise security for 90% of Fortune 500
• 1.2B devices scanned each month
• 400B emails analyzed
• 200+ global cloud consumer and commercial services
• Malware data from Windows Defender
• Shared threat data from partners, researchers and law enforcement worldwide
• Botnet data from Microsoft Digital Crimes Unit