You’ve entrusted all of your company’s data to Microsoft’s cloud…what could go wrong? In 2018 you’ve either moved your data to Office 365, you’re thinking about it, or you’ve locked your entire business into Lotus Notes. As cloud providers eat away at traditional infrastructure, IT and Security teams must either adapt to this brave new world or be left behind. In this talk we will provide real-world examples and show how to apply both traditional and new security controls/tools to secure Office 365 & Azure. We will give specific, actionable recommendations you can make to your Microsoft Office 365 and Azure tenants: how to prevent external threats like account takeovers and internal threats like shadow cloud apps, effective monitoring, and processes to follow to minimize the likelihood that your company becomes the Next Big Breach. The new perimeter is identities in the cloud, so learn to protect them with Azure Active Directory.
Office 365 Security - It’s 2am, do you know who’s in your Office 365?
1. It’s 2am…Do you know who’s in your Office (365)?
By Jack Nichelson and Jason Middaugh
October 25, 2018
Technical Advisor: Kevin Merolla
2. Jack Nichelson
Chief Information Security Officer
MRK Technologies
I defend my company’s competitive advantage by helping
solve business problems through technology to work faster
and safer.
Executive MBA from Baldwin-Wallace University
Recognized as one of the “People Who Made a Difference
in Security” by the SANS Institute and Received the CSO50
award for connecting security initiatives to business value.
Adviser for Baldwin Wallace’s state-winning Collegiate
Cyber Defense Competition (CCDC) team.
3. Jason Middaugh
Manager of Infrastructure & Security Services
Cleveland-Cliffs Inc.
Jason holds a bachelor’s degree in information
systems/operations management from the University of
Toledo and an executive master’s degree in business
administration from The Ohio State University.
Holds several IT-based certifications (CISSP, MCSE, VCP,
CCNA, CCDA).
He is currently a member of the North East Ohio Cyber
Consortium and InfraGard.
He is also a graduate of the FBI Citizens Academy and a
skiing enthusiast.
4. In the past, Microsoft only licensed software by device for individual
products. Now it offers licensing by user and as a bundle of products
to better meet the needs of a modern mobile workforce.
Microsoft has introduced a new software-as-a-service subscription plan
called Office 365 that provides Email and Office and another plan called
Microsoft 365 that includes Office 365, Windows 10, Mobility and Security.
• Office Applications – The regular Office applications (Word, Excel,
PowerPoint, etc.) you know and love, updated to take advantage of the
collaboration and cloud file syncing features.
• Office Mobile – Native mobile apps available for Windows Phone,
iPhone, iPad, and various Android devices.
• Office Web Apps – Online versions of Word, Excel, PowerPoint, and
OneNote, available on any computer with a web browser.
To put it simply, Office 365 brings the Microsoft Office
suite of applications into the 21st century.
Office 365 Overview
5. Office 365 Licensing
• Security-related O365 Services & Licenses
• As with every cloud service you are building on the
foundation of your contract and licenses. Get this wrong
and your hands will be tied before you start.
6. Enterprise Mobility + Security Licensing
Don’t go to Office 365 without EMS
8. Azure Security Overview
[Diagram; panel titles: Infrastructure, Securing assets]
• Network Security Groups (NSG)
• Site-to-Site VPN
• Point-to-Site VPN
• ExpressRoute
• Network Security Appliances
• Host-based firewalls
• Security Center
• Role-Based Access Control
• Key Vault
• Microsoft anti-malware
• Rights Management/Information Protection
• Cloud App Discovery
• Connect Health
• Identity Protection
• Privileged Identity Management
• OMS Security & Audit
• Multi-Factor Authentication
• Azure Active Directory
9. Office 365 Security Architecture
63% of Office 365 data breaches involve weak, default, or stolen passwords.
10. Azure Active Directory (Azure AD) is Microsoft’s multi-tenant,
cloud-based directory, and identity management service.
Azure AD combines core directory services, application
access management, and identity protection in a single
solution.
The heart of security in Office 365 & Azure is Identity and
Access Management controls in Azure AD.
Identities, Management and Security
• The core of each Azure subscription is Azure AD
• You can have multiple AAD tenants within the same
Azure subscription
• Users, groups, licenses, permissions, apps, app proxies,
domains… All controlled in Azure AD
• It’s important to understand the difference between AAD,
AD and AAD Connect (and AAD DS)
Heart of Security: Azure Active Directory
The new perimeter is identities in the cloud
11. My Journey to Office 365
When did the Journey Begin? – We started looking at Office 365 back in 2014
Why? – Main drivers were to move to Exchange Online and Skype for Business
Current State – We are now fully in the cloud for email and instant messaging/collaboration (no on-premises)
Licensing – Cliffs is an Enterprise Cloud Suite / E3 / M365-E3 (not E5)
12. Pilot, pilot, pilot!
We spent close to 12 months piloting O365 and worked out all the kinks before mass migrations.
For example: conference rooms and voicemail while in hybrid configuration.
Taking this approach made conversions much easier, except for those 25-50 GB mailboxes! (You currently get a 100 GB mailbox with O365.)
13. Story On Why You Need MFA in Front of O365
01 Started Elsewhere – The account was compromised; the password was being reused between different sites/accounts
02 Covert and Waited – Waited to launch the attack until the user was on a plane; figured that out via email and calendar
03 Payload – Attacker attempted to get a fake invoice paid and wired immediately
04 Extent of Compromise – They were in the user’s voicemail and faked approvals from Senior Executives
05 Near-miss – Internal processes stopped this large transaction from happening
06 Prevention – If MFA had been in place, this attack would never have got off the ground
14. Multi-factor is a must in the cloud
User name and password are not enough
Threat Vector – The second you move to O365 you become a bigger target and susceptible to the “O365 logon page” phishing scam used to harvest credentials
Requirement – Multi-Factor Authentication is not a question; it is a must have!
Simplicity – We were able to eliminate ADFS
Consistency – We implement the same IDP for on-premises and the cloud to have a consistent end-user experience
Ease of Use – In my opinion, Microsoft MFA was clunky and complex for an end user to understand
15. Software Lifecycle Management Acceleration
Mainstream Support – Whether you know it or not, when you commit to O365 you are committing to keeping your version of Office under Mainstream Support
Rate of Change – You can no longer kick the can on Office upgrades until the product gets close to the Extended Support date
Future – You won’t get them to say this, but Microsoft is slowly pushing everyone to “Click to Run” / Office Pro Plus. Watch out for Office plug-ins!
16. Microsoft Support Dates You Need to Know
• Office 2010 – Mainstream support ends: no longer supported; Extended support ends: Oct. 13, 2020
• Office 2013 – Mainstream support ends: no longer supported; Extended support ends: April 11, 2023
• Office 2016 – Mainstream support ends: Oct. 13, 2020; Office 365 System Requirements support: October 2023; Extended support ends: Oct. 14, 2025
• Windows 7 – Mainstream support ends: no longer supported; Extended support ends: Jan. 14, 2020
• Windows 10 – Mainstream support ends: Oct. 13, 2020; Extended support ends: Oct. 14, 2025
17. Email Security Gateway Product
P.S.A. – Freebie – Executive Protection (please thank Phillip Samson for this!)
Security First – The #1 vector for security breaches is email/phishing attacks; this is not the area to skimp on in the budget
Invest in Best of Breed – Microsoft’s product is improving but not as good as dedicated products
Features – Last time I checked, things like end-user digests and automated integration with on-premises firewall block lists are not available with Exchange Online Protection
18. Understanding Office 365 Account Management
Backups? – You need to really know this, because there are no backups in O365
Restores? – You cannot call up Microsoft and ask them for a restore
Policies – You might have to re-write or adjust IT policies
Settings – Settings can be adjusted on a per-product level (Exchange, Skype, SharePoint …)
Example – Walk-through of how we keep mailboxes for 90 days post termination
19. Office 365, People will start using everything!
My Advice – Get in and work with the early adopters of these new Microsoft products and try to identify potential issues before they become problems
Rapid Change – Skype is becoming Teams. We’ve had some Skype issues and continue to work on them, but Skype isn’t the greatest collaboration tool. But it was A LOT cheaper than WebEx and maybe they’ll fix it with Teams
Bad News – Bad because it can have undesired consequences
• Teams example
Good News – Great because Microsoft is giving you access to new tools as soon as they become available
Before you know it, someone will find they have access to Teams and Planner and Yammer and …. before you have even had time to look at the products
20. Secure Office 365 with Secure Score
So, how secure is your Office 365?
Office 365 Secure Score analyzes your Office 365 security settings, assigns a score, and makes recommendations to improve that score.
• Secure Score is a proactive security management service for Office 365 to help you find & fix risks. https://securescore.office.com
• Secure Score provides a list of actions to fix in order to improve your security posture and baseline score. The baseline score comprises seven groups of different sizes for you to compare against, based on your company size
• You get 100 points just by enabling MFA for global admins
21. CIS Microsoft 365 Foundations Benchmark
The CIS Microsoft 365 Foundations Benchmark is designed to assist organizations in
establishing the foundation level of security for anyone adopting Microsoft 365. The
benchmark should not be considered as an exhaustive list of all possible security
configurations and architecture but as a starting point. Each organization must still
evaluate their specific situation, workloads, and compliance requirements and tailor
their environment accordingly.
The CIS benchmark contains two levels, each with slightly different technical
specifications:
• Level 1—Recommended minimum security settings that should be configured on
any system and should cause little or no interruption of service or reduced
functionality.
• Level 2—Recommended security settings for highly secure environments and could
result in some reduced functionality.
• https://www.microsoft.com/security/blog/2019/01/10/best-practices-for-securely-using-microsoft-365-the-cis-microsoft-365-foundations-benchmark-now-available/
22. Azure Security Center
So, how secure are your Azure Servers?
Security Center is the dashboard for Azure security
Azure Security Center provides unified security management and
advanced threat protection across your cloud workloads.
Security Center can apply security policies, limit your exposure to
threats, and detect and respond to attacks.
• A simple way to view what’s secured and what’s not in Azure
• Includes behavioral analytics and incident reporting
• Standard license gives advanced threat detection & intelligence
• Centralized policy management
• Continuous security assessment
• Actionable recommendations
• Prioritized alerts and incidents
23. Securing Azure AD Connect
Azure AD Connect is a tool for connecting on-premises AD identity infrastructure to Microsoft Azure AD. It includes a number of technologies:
• AAD Connect Sync
• AAD Connect Health
• ADFS (Active Directory Federation Services)
• The PHS/PTA/SSSO Provisioning Connector
Securing and monitoring Azure AD Connect, ADFS and on-premises AD configuration with Azure AD Connect Health:
• Monitors your AD FS, AD FS Proxy, AAD Domain Services and AAD Connect status
• Can alert you when things break down – useful for many directory-related services, and especially for Azure AD Connect issues
• Deploying is easy: install agents on the AD FS, AAD Connect and AD DS servers, then verify the configuration on the AAD Connect Health blade in the Azure Portal
• This feature requires AAD Premium licenses
24. Modern Authentication
What you need to know before you turn it on:
• Turned on at the tenant level
• You need to be running Office 2016 before you go to Modern Auth
• By default, Exchange and Skype for Business Online tenants are not enabled for Modern Authentication
• Closes the loophole in Outlook clients where you can access a mailbox with only a user name & password
• You must manually enable it via PowerShell
Why? Because no one wants to enter their password every time they open Outlook (every user is going to cache their credentials)
Modern Auth enables MFA, SAML-based third-party Identity Providers with Office clients, smart card and certificate-based authentication, and removes the need for Outlook to use the basic authentication protocol.
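The tenant-level switches described above, as an added example that is not from the slides: it assumes the ExchangeOnlineManagement module (Connect-ExchangeOnline, newer than the remote-session method in use in 2018) and the SkypeOnlineConnector module are installed and that the account holds the Exchange and Skype admin roles.

```powershell
# Added example, not code from the presentation. Assumes the
# ExchangeOnlineManagement and SkypeOnlineConnector modules are installed.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline   # interactive sign-in; works with MFA-protected admin accounts

# 1. Exchange Online: OAuth2ClientProfileEnabled is the tenant-wide Modern
#    Authentication switch and is off by default in older tenants.
$before = Get-OrganizationConfig | Select-Object Name, OAuth2ClientProfileEnabled
$before | Format-List

# 2. Enable it. Outlook 2016+ clients then obtain OAuth tokens from Azure AD, so
#    MFA and a federated IdP apply to Outlook instead of a cached username/password.
if (-not $before.OAuth2ClientProfileEnabled) {
    Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
}

# 3. Verify the change took (can take a few minutes to propagate).
(Get-OrganizationConfig).OAuth2ClientProfileEnabled   # expected: True

# 4. Skype for Business Online has its own switch; "Allowed" turns Modern Auth on
#    for its clients as well.
Import-Module SkypeOnlineConnector
$sfbSession = New-CsOnlineSession
Import-PSSession $sfbSession
Get-CsOAuthConfiguration | Select-Object ClientAdalAuthOverride   # before
Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed
Get-CsOAuthConfiguration | Select-Object ClientAdalAuthOverride   # expected: Allowed
```

Enabling the switch does not by itself stop legacy clients from using basic authentication; that is handled separately by disabling the legacy protocols on the mailboxes.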
25. Azure AD Identity Protection
The vast majority of security breaches take place when attackers gain access to an environment by stealing a user’s identity.
Safeguard against users who log in from unexpected countries with Azure AD Identity Protection by monitoring for risk events, vulnerabilities and policy changes:
• Automatically flags suspicious events, such as sign-ins that would require impossible travel times
• Detects potential vulnerabilities affecting your organization’s identities
• Configure automated responses to detected suspicious actions that are related to your organization’s identities
• Investigate suspicious incidents and take appropriate action to resolve them
• Reports such as Users flagged for risk, Risk events and Vulnerabilities
• Provides custom recommendations to improve overall security posture by highlighting vulnerabilities, and calculates sign-in & user risk levels
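The “impossible travel” rule mentioned above, reproduced as an added example (not from the slides and not Microsoft’s implementation) over a constructed sign-in export so the logic behind the flag is concrete; the column names and the 900 km/h threshold are assumptions.

```powershell
# Added example. The sign-in rows below are constructed, not real tenant data.
$signIns = @'
user,time,city,lat,lon,result
alice@example.com,2018-10-25T08:02:00Z,Cleveland,41.50,-81.69,Success
alice@example.com,2018-10-25T08:41:00Z,Lagos,6.52,3.38,Success
bob@example.com,2018-10-25T09:10:00Z,Cleveland,41.50,-81.69,Success
bob@example.com,2018-10-25T15:30:00Z,Chicago,41.88,-87.63,Success
'@ | ConvertFrom-Csv

function Get-DistanceKm {
    param([double]$Lat1, [double]$Lon1, [double]$Lat2, [double]$Lon2)
    # Haversine great-circle distance on a 6371 km sphere
    $toRad = [Math]::PI / 180
    $dLat = ($Lat2 - $Lat1) * $toRad
    $dLon = ($Lon2 - $Lon1) * $toRad
    $a = [Math]::Pow([Math]::Sin($dLat / 2), 2) +
         [Math]::Cos($Lat1 * $toRad) * [Math]::Cos($Lat2 * $toRad) *
         [Math]::Pow([Math]::Sin($dLon / 2), 2)
    return 6371 * 2 * [Math]::Asin([Math]::Sqrt($a))
}

function Find-ImpossibleTravel {
    # Flags consecutive sign-ins by the same user whose implied ground speed
    # exceeds $MaxKmh (roughly airliner speed; threshold is an assumption).
    param($Events, [double]$MaxKmh = 900)
    $flags = @()
    foreach ($group in $Events | Group-Object user) {
        $ordered = $group.Group | Sort-Object { [datetime]$_.time }
        for ($i = 1; $i -lt $ordered.Count; $i++) {
            $prev = $ordered[$i - 1]; $cur = $ordered[$i]
            $km    = Get-DistanceKm $prev.lat $prev.lon $cur.lat $cur.lon
            $hours = ([datetime]$cur.time - [datetime]$prev.time).TotalHours
            if ($hours -le 0) { $hours = 1 / 60 }   # same-minute sign-ins: assume one minute
            $kmh = $km / $hours
            if ($kmh -gt $MaxKmh) {
                $flags += [pscustomobject]@{
                    User = $group.Name; From = $prev.city; To = $cur.city
                    Km = [int]$km; Minutes = [int]($hours * 60); Kmh = [int]$kmh
                }
            }
        }
    }
    return $flags
}

# alice: Cleveland -> Lagos (~9,100 km) in 39 minutes is flagged;
# bob: Cleveland -> Chicago (~500 km) in six hours is not.
Find-ImpossibleTravel -Events $signIns | Format-Table -AutoSize
```

Real exports carry the IP-derived location rather than coordinates, so in practice the same loop is run over the geolocated Azure AD sign-in log and the flagged rows are what the daily risky-login review should start with.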
26. Cloud App Security is a great component of the Microsoft
Cloud Security stack
• Cloud Discovery: Discover all cloud use in your organization, including
Shadow IT reporting and control and risk assessment.
• Data Protection: Monitor and control your data in the cloud by gaining
visibility, enforcing DLP policies, alerting and investigation.
• Threat Protection: Detect anomalous use and security incidents by
recording all activities of users, including external users
Finding Shadow IT within the organization with Cloud App
Discovery
• Discover unmanaged (and managed) cloud apps in use
• Works by dropping an agent on workstations
• Discover apps, amount of data transferred and who uses what
Microsoft Cloud App Security
27. Look to invest in Non-traditional IT monitoring tools
Where is the True Issue? – This was much easier when everything was in your Data Center
• The path was from the office, across the WAN, to the Data Center and back
• What if the problem is on the Internet? And not your connection, but several hops down the path?
• Users are complaining they cannot get their mail
• Network Engineers say everything is “Good/Green”
New World – So now you have moved to the cloud, how do you troubleshoot the path your users take to get to these services? And monitor and alert on consistent/inconsistent end-user experiences?
Application Selection – We selected a tool that constantly monitors, from all of our internet break-outs, the path to many of our Cloud Applications, the path they take to get there, and the speed/latency it normally takes. It then alerts us when anything changes, goes offline, or when the latency greatly increases
Knowledge is Power – While this does not “solve or fix” the issues when they happen, it does let us know immediately so we can communicate, and we also do not have to waste a ton of time looking at our equipment to see if the problem is on our end
28. Microsoft Office 365 Security – Conclusions
The new perimeter is identities in the cloud
Shut down Legacy Protocols – Disable POP3, IMAP and ActiveSync
Multi-factor Authentication – Don’t go to Office 365 without MFA enabled for everyone
Modern Authentication – Enable modern authentication for all users
Secure Score – Review Secure Score monthly and implement the recommended changes
Cloud App Security – Review Cloud App Security to watch for suspicious activities in Office 365
Identity Protection – Review the logs daily to check for risky logins
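The “shut down legacy protocols” recommendation above, as an added example that is not from the slides: audit which mailboxes still accept POP3, IMAP or ActiveSync, turn the protocols off, and fix the default for future mailboxes. It assumes the ExchangeOnlineManagement module, an Exchange admin role, and that the exception address is a placeholder.

```powershell
# Added example, not code from the presentation. Assumes Connect-ExchangeOnline
# (ExchangeOnlineManagement module) has already been run by an Exchange admin.

# 1. Audit: mailboxes that can still be reached with only a username/password
#    over a legacy protocol, i.e. where MFA and Modern Auth do not apply.
$exposed = Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.PopEnabled -or $_.ImapEnabled -or $_.ActiveSyncEnabled } |
    Select-Object DisplayName, PrimarySmtpAddress, PopEnabled, ImapEnabled, ActiveSyncEnabled
$exposed | Export-Csv .\legacy-protocols-before.csv -NoTypeInformation
"$(@($exposed).Count) mailboxes still have a legacy protocol enabled"

# 2. Disable on existing mailboxes. Keep -WhatIf for the dry run and remove it
#    once the list has been reviewed. Approved exceptions (a scanner that can
#    only speak IMAP, for instance) are skipped; the address here is constructed.
$exceptions = @('scan-to-mail@example.com')
$exposed |
    Where-Object { $exceptions -notcontains $_.PrimarySmtpAddress } |
    ForEach-Object {
        Set-CASMailbox -Identity $_.PrimarySmtpAddress `
            -PopEnabled $false -ImapEnabled $false -ActiveSyncEnabled $false -WhatIf
    }

# 3. Make the setting stick for mailboxes created later: every CAS mailbox plan
#    in the tenant gets POP and IMAP off so new users do not reopen the hole.
Get-CASMailboxPlan | ForEach-Object {
    Set-CASMailboxPlan -Identity $_.Identity -PopEnabled $false -ImapEnabled $false
}

# 4. Verify: after the real run this should list only the exceptions.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.PopEnabled -or $_.ImapEnabled -or $_.ActiveSyncEnabled } |
    Select-Object PrimarySmtpAddress, PopEnabled, ImapEnabled, ActiveSyncEnabled
```

Re-run step 1 on a schedule and diff the CSV against the previous one; a mailbox reappearing in the list is a configuration drift worth a ticket.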
29. Information Security Summit
THANK YOU
Jason.Middaugh@ClevelandCliffs.com Jack@Nichelson.net
Jack D. Nichelson
Chief Information Security Officer
MRK Technologies
Jason Middaugh
Manager of Infrastructure & Security
Cleveland-Cliffs Inc.
They love to change / rename the same products
So how many people are O365 customers today?
How many people are looking at O365?
Who says there is no way I am ever moving my email off-premise?
I think that this presentation has a little something no matter where they are in their journey, well maybe not that last group
Since we have put MFA in place, we have eliminated this attack vector
Version of Office – need to be under Mainstream Support or Microsoft can cut you off!
Office 2019 will only be available with an .exe, will not auto-update
We strongly recommend using a third-party gateway
(Thousandeyes)
So don’t try and fight the cloud, embrace it, and hopefully my journey has taught you a few things to consider in your journey
Title:
Its 2am…Do you know who’s in your Office (365)?
Talk Outline:
The Big Picture - Office 365 review of its most common parts and different security controls.
Office 365 Licensing – As with every cloud service you are building on the foundation of your contract and licenses. Get this wrong and your hands will be tied before you start.
Overview of Azure Active Directory – The heart of security in Office 365 & Azure is Identity and Access Management. The new perimeter is identities in the cloud, so learn to protect them with Azure Active Directory.
Preventing External Threats – Recommendations like: Securing Authentication, Azure AD ID Protection, Privileged ID Management, Baseline with SecureScore.office.com, Azure Security Center, Operations Management Suite, Azure AD Application Proxy.
Preventing Internal Threats – How to discover Shadow IT like unmanaged cloud apps, Cloud App Security, Advanced Threat Analytics, Compliance Manager, Azure Key Vault.
Monitoring & Auditing – Azure Monitoring throughout tenants and resource groups, Azure AD Connect, Common Risk Events, Vulnerabilities, and Policy changes.
Q&A