Cybersecurity Reference Architectures 2023

Security Adoption Framework
Microsoft Cybersecurity Reference Architectures (MCRA)
End to End Security Architecture following Zero Trust principles
Microsoft Cybersecurity Reference Architectures (MCRA) – Security Adoption Framework
What: Guide organizations through an end-to-end security modernization from strategy and program level through architecture and technical planning using Zero Trust principles.
Why: Rapidly increase security posture & align security to business priorities
How: Provide best practices, references, and other guidance based on real world lessons learned for
• Strategy and Program (CISO Workshop)
• Architectures and Technical Plans (You are here)
• Security Capability Adoption Planning
Tips
• Set a North Star and Keep Going – A journey of incremental progress towards a clear vision
• Mix of old & new – Bring your experience and knowledge, but expect changes
Top End to End Security Challenges
• Incomplete or network-centric architectures aren’t agile & can’t keep up with continuous change (security threats, technology platform, and business requirements)
• Challenges with
  • Creating integrated end to end architecture
  • Integrating security technologies
  • Planning and prioritizing security modernization initiatives
MCRA is a subset of the full Security Architecture Design Session (ADS) module 1 workshop.
MCRA Agenda
• Overview of Security Adoption Framework and End to End Cybersecurity Architecture
  • End to End Security: Consider the whole problem
  • Ruthlessly Prioritize: Identify top gaps + quick wins
  • Get started: Start somewhere & continuously improve
• Antipatterns and best practices
• Guiding Rules and Laws for security
• Diagrams and references
• Applying Zero Trust principles
Whiteboard – Current Security Architecture
Architecture, Policy, and Collaboration
• Describe how teams work together on end to end security + guiding documents/artifacts
• Enterprise-wide security architecture approach and documentation
• Policy update, monitoring, and related governance processes
• Posture and vulnerability management processes
• Technical collaboration processes (e.g. sharing learnings, joint technical planning, etc. with security operations, architects, engineers, posture management, governance, others)
• Differences between on premises vs. cloud processes
Business and Technical Drivers
• What is top of mind for business stakeholders?
• What risks are important to the business?
• Business/technology initiatives driving change?
• What metrics are important to your program?
Geography and Cloud Usage
• Where does your organization operate?
• Which workloads are in the cloud? Which major cloud providers? (SaaS, PaaS, IaaS)
Compliance
• Large & notable regulatory requirements
Threats
• What types of attacks and adversaries are top of mind?
Security Adoption Framework
Align security to business scenarios using initiatives that progressively get closer to full ‘Zero Trust’
1. Strategic Framework – End to End Strategy, Architecture, Business Scenarios and Operating Model (Guiding North Star)
  • CISO Workshop – Security Program and Strategy: End-to-end Security Program Guidance + Integration with Digital & Cloud Transformation Teams
  • Security Architecture Design Session Module 1 – Zero Trust Architecture and Ransomware
2. Strategic initiatives – Clearly defined architecture and implementation plans
  • Security Hygiene: Backup and Patching
  • Module 2 – Secure Identities and Access
  • Module 3 – Modern Security Operations (SecOps/SOC)
  • Module 4 – Infrastructure & Development Security
  • Module 5 – Data Security & Governance, Risk, Compliance (GRC)
  • Module 6 – IoT and OT Security
Business scenarios
1 - I want people to do their job securely from anywhere
2 - I want to minimize business damage from security incidents
3 - I want to identify and protect critical business assets
4 - I want to proactively meet regulatory requirements
5 - I want to have confidence in my security posture and programs
Security Adoption Framework
Reduce risk by rapidly modernizing security capabilities and practices
• Business Leadership (CEO) – Business and Security Integration: Securing Digital Transformation, Engaging Business Leaders on Security
• Technical Leadership (CIO, CISO) – Security Strategy and Program: CISO Workshop (Security Strategy, Programs, and Epics)
• Architects & Technical Managers – Architecture and Policy: Zero Trust Architecture, Microsoft Cybersecurity Reference Architectures (MCRA); Technical Planning: Secure Identities and Access | Modern Security Operations (SecOps/SOC) | Infrastructure & Development Security | Data Security & Governance | IoT and OT Security
• Implementation and Operation – Assess current plans, configurations, and operations for Microsoft security capabilities
Includes Workshops available in the Microsoft Unified catalog
Reference Plans: All are holistic for the ‘hybrid of everything’ technical estate (on-premises, multi-cloud, IoT, OT, etc.)
Common Security Antipatterns – Technical Architecture
Common mistakes that impede security effectiveness and increase organizational risk
• Skipping basic maintenance – Skipping backups, disaster recovery exercises, and software updates/patching on assets
• Securing cloud like on premises – Attempting to force on-prem controls and practices directly onto cloud resources
• Wasting resources on legacy – Legacy system maintenance and costs draining ability to effectively secure business assets
• Artisan Security – Focused on custom manual solutions instead of automation and off the shelf tooling
• Disconnected security approach – Independent security teams, strategies, tech, and processes for network, identity, devices, etc.
• Lack of commitment to lifecycle – Treating security controls and processes as points in time instead of an ongoing lifecycle
Best Practices
Develop and implement an end to end technical security strategy focused on durable capabilities and Zero Trust Principles. This workshop helps you define and rapidly improve on best practices across security including:
• Asset-centric security aligned to business priorities & technical estate (beyond network perimeter)
• Consistent principle-driven approach throughout security lifecycle
• Pragmatic prioritization based on attacker motivations, behavior, and return on investment
• Balance investments between innovation and rigorous application of security maintenance/hygiene
• ‘Configure before customize’ approach that embraces automation, innovation, and continuous improvement
• Security is a team sport across security, technology, and business teams
Improving Resiliency
Enable business mission while continuously increasing security assurances
‘Left of Bang’ – Prevent or lessen impact of attacks: IDENTIFY, PROTECT
‘Right of Bang’ – Rapidly and effectively manage attacks: DETECT, RESPOND, RECOVER
GOVERN spans both sides (NIST Cybersecurity Framework v2)
The job will never be ‘done’ or ‘perfect’, but it’s important to keep doing (like cleaning a house)
End to End Security
Enable business mission and increasing security assurances with intentional approach
Security Strategy and Program
Zero Trust Architecture
• Security Posture Management
• Modern Security Operations (SecOps/SOC)
• Secure Identities and Access
• Infrastructure & Development Security
• IoT and OT Security
• Data Security & Governance
‘Left of Bang’ – Prevent or lessen impact of attacks: IDENTIFY, PROTECT
‘Right of Bang’ – Rapidly and effectively manage attacks: DETECT, RESPOND, RECOVER
GOVERN spans both sides
Attackers choose the path of least cost/resistance
Antipattern: Believing attackers will follow the planned path
Defenders must focus on
A. Strong security controls + effective placement
B. Rapid response to attacks
C. Continuously testing & monitoring controls
Attacker Perspective: shaped by experience & ‘fog of war’
Attackers use what they see, know, and can guess
• High perceived cost: “Looks like they have NGFW, IDS/IPS, and DLP”
• Low perceived cost: “I bet their admins 1. Check email from admin workstations 2. Click on links for higher paying jobs”
→ Phishing email to admin → “Now, let’s see if admins save service account passwords in a spreadsheet…” → Found passwords.xls
Strategically position security investments
Raise cost and friction on attacker’s easiest and highest impact paths
Sensitive Data Protection & Monitoring
• Discover business critical assets with business, technology, and security teams
• Increase security protections and monitoring processes
• Encrypt data with Azure Information Protection
Protect Privileged Accounts
• Replace password.xls ‘process’ with PIM/PAM and workload identities
• Require separate accounts for Admins and enforce MFA/passwordless
• Privileged Access Workstations (PAWs) + enforce with Conditional Access
Modernize Security Operations
• Add XDR for identity, endpoint (EDR), cloud apps, and other paths
• Train SecOps analysts on endpoints and identity authentication flows
Rigorous Security Hygiene
• Rapid Patching
• Secure Configuration
• Secure Operational Practices
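The privileged-account controls above (MFA/passwordless for admins, a managed Privileged Access Workstation, enforced through Conditional Access) can be expressed as a single Conditional Access policy. The script below is an added example, not part of the MCRA deck or any Microsoft sample: it uses the Microsoft Graph PowerShell SDK (Microsoft.Graph module, Policy.ReadWrite.ConditionalAccess permission) to create a policy that requires phishing-resistant MFA and a compliant (Intune-managed) device for members of high-privilege directory roles. The role template IDs and the built-in authentication-strength ID are the documented Entra values but should be confirmed in your tenant; the break-glass account object IDs are placeholders.

```powershell
# Added example: Conditional Access policy for privileged role members.
# Assumes: Microsoft.Graph PowerShell SDK installed; caller granted
# Policy.ReadWrite.ConditionalAccess. Not from the MCRA deck.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

# Built-in directory role template IDs (documented Entra values; verify in your tenant).
$privilegedRoles = @(
    '62e90394-69f5-4237-9190-012177145e10'  # Global Administrator
    '194ae4cb-b126-40b2-bd5b-6091b380977d'  # Security Administrator
    '9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3'  # Application Administrator
    'e8611ab8-c189-46e8-94e1-60213ab1f814'  # Privileged Role Administrator
)

# Emergency-access ("break glass") accounts must be excluded so a misconfigured
# policy cannot lock every administrator out. Placeholder object IDs.
$breakGlassAccounts = @('00000000-0000-0000-0000-00000000b0a1')

$policy = @{
    displayName = 'Admins: require phishing-resistant MFA and compliant device'
    # Start in report-only mode; review sign-in logs before switching to 'enabled'.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeRoles = $privilegedRoles
            excludeUsers = $breakGlassAccounts
        }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'AND'
        builtInControls = @('compliantDevice')          # device must be Intune-compliant
        # Built-in "Phishing-resistant MFA" authentication strength (FIDO2, Windows Hello
        # for Business, certificate-based auth). Password + SMS/voice will not satisfy it.
        authenticationStrength = @{ id = '00000000-0000-0000-0000-000000000004' }
    }
    sessionControls = @{
        # Force re-authentication of admin sessions every 4 hours.
        signInFrequency = @{ value = 4; type = 'hours'; isEnabled = $true }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"
```

Leave the policy in report-only mode until the sign-in log shows every expected admin satisfying both controls; enabling immediately, or omitting the break-glass exclusion, is how organizations lock themselves out of their own tenant. The compliant-device control only approximates the PAW requirement (any Intune-compliant device passes); to restrict admins to dedicated PAWs, add a device filter on a PAW-specific device attribute or group.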
Security is complex and challenging
Attacks can shut all business operations down, creating board level risk
Hybrid of Everything, Everywhere, All at Once
Must secure across everything (People, Application, Infrastructure, Data):
➢ Brand New – IoT, DevOps, and Cloud services, devices and products
➢ Current/Aging – 5-25 year old enterprise IT servers, products, etc.
➢ Legacy/Ancient – 30+ year old Operational Technology (OT) systems
Nothing gets retired! Usually for fear of breaking something (& getting blamed)
‘Data swamp’ accumulates – managed data + unmanaged ‘dark’ data
Attackers have a lot of options
➢ Forcing security into a holistic complex approach
➢ Regulatory Sprawl – 200+ daily updates from 750 regulatory bodies
➢ Threats – Continuously changing threat landscape
➢ Security Tools – dozens or hundreds of tools at customers
Goal: Zero Assumed Trust
With 30+ years of backlog at most organizations, it will take a while to burn down the backlog of assumed trust
Reduce risk by finding and removing implicit assumptions of trust
False Assumptions of implicit or explicit trust → Zero Trust Mitigation: Systematically Build & Measure Trust
• “Security is the opposite of productivity” → Business Enablement: Align security to the organization’s mission, priorities, risks, and processes
• “All attacks can be prevented” → Assume Compromise: Continuously reduce blast radius and attack surface through prevention and detection/response/recovery
• “Network security perimeter will keep attackers out” → Shift to Asset-Centric Security Strategy: Revisit how to do access control, security operations, infrastructure and development security, and more
• “Passwords are strong enough” → Explicitly Validate Account Security: Require MFA and analyze all user sessions with behavior analytics, threat intelligence, and more
• “IT Admins are safe” → Plan and Execute Privileged Access Strategy: Establish security of accounts, workstations, and other privileged entities (aka.ms/spa)
• “IT Infrastructure is safe” → Validate Infrastructure Integrity: Explicitly validate trust of operating systems, applications, service accounts, and more
• “Developers always write secure code” → Integrate security into development process: Security education, issue detection and mitigation, response, and more
• “The software and components we use are secure” → Supply chain security: Validate the integrity of software and hardware components from open source, vendors, and others
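The last row above asks teams to validate the integrity of the software they consume rather than assume it. As an added example that is not part of the MCRA deck, the PowerShell function below gates a downloaded vendor package on two independent checks before it is allowed into the estate: the SHA-256 hash against the value the vendor publishes through a separate channel (release notes or a signed manifest, not the same download page), and the Authenticode signature including the identity of the signer. Get-AuthenticodeSignature is Windows-only; the file path, expected hash and signer subject in the usage line are placeholders.

```powershell
# Added example: verify a vendor package before deployment. Not from the MCRA deck.
# Assumes Windows PowerShell or PowerShell 7 on Windows (Get-AuthenticodeSignature).
function Test-VendorPackage {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Hash obtained out-of-band from the vendor, not scraped from the download page.
        [Parameter(Mandatory)] [string] $ExpectedSha256,
        # Certificate subjects we accept as signers; empty list accepts any valid signer.
        [string[]] $TrustedSignerSubjects = @()
    )

    $result = [ordered]@{
        Path = $Path; HashOk = $false; SignatureOk = $false
        SignatureStatus = $null; Signer = $null; Verdict = 'REJECT'
    }

    if (-not (Test-Path -LiteralPath $Path)) {
        $result.Verdict = 'MISSING'
        return [pscustomobject]$result
    }

    # Check 1: content integrity. Hex hashes compare case-insensitively.
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $result.HashOk = ($actual -ieq $ExpectedSha256)

    # Check 2: authenticity. Status must be Valid (chain trusted, not tampered) AND the
    # signer must be one we expect; a valid signature from an unexpected publisher is
    # still a rejection (repackaged installers are routinely re-signed with another cert).
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    $result.SignatureStatus = $sig.Status
    $result.Signer = $sig.SignerCertificate.Subject   # $null when the file is unsigned
    $signerTrusted = ($TrustedSignerSubjects.Count -eq 0) -or
                     ($TrustedSignerSubjects -contains $result.Signer)
    $result.SignatureOk = ($sig.Status -eq 'Valid') -and $signerTrusted

    if ($result.HashOk -and $result.SignatureOk) { $result.Verdict = 'ACCEPT' }
    [pscustomobject]$result
}

# Usage (placeholder path, hash and signer subject).
Test-VendorPackage -Path 'C:\Downloads\agent-setup.msi' `
    -ExpectedSha256 'E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855' `
    -TrustedSignerSubjects @('CN=Contoso Ltd, O=Contoso Ltd, L=Redmond, S=Washington, C=US')
```

The verdict is ACCEPT only when both checks pass. Keeping the checks independent matters: a hash match alone cannot distinguish a legitimate build from a vendor-side compromise that published a matching hash, and a signature alone cannot tell you the package is the one you reviewed. Record the returned object with the deployment ticket so the decision is auditable later.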
Zero Trust Security Architecture
End to End Prioritized Execution + Continuous Improvement
1. Look End to End: Consider the whole security problem (OBSERVE, ORIENT) – Security is complex and challenging; resilience is required across the lifecycle
2. Ruthlessly Prioritize: Identify top gaps + quick wins (DECIDE) – Prioritize backlog of trust assumptions (1, 2, 3, ...); disrupt attacker return on investment (ROI)
3. Get started: Start somewhere and continuously improve (ACT) – Leverage Microsoft Security Adoption Framework reference plans and architectures
Guiding Rulesets for End to End Architecture
• Zero Trust Commandments – Requirements that represent best practices for a Zero Trust Architecture (ZTA) and transformation. (The Open Group Standard) Usage: General planning + Testing whether something is ‘Zero Trust’ or not
• 10 Laws of Cybersecurity Risk – Key truths about managing security risk that bust common myths. Usage: Ensuring security strategy, controls, and risk are managed with realistic understanding of how attacks, humans, and technology work
• Immutable Laws of Security – Key truths about security claims and controls that bust common myths. Usage: Validating design of security controls, systems, and processes to ensure they are technically sound
Cybersecurity Reference Architectures – Diagrams & References
• End to End Security Architecture
• People – Roles and Risk Management
• Zero Trust Adaptive Access
• Threat Environment – Ransomware/Extortion, Data Theft, and more
• Artificial Intelligence (AI) and Security
• Security Service Edge (SSE)
• Zero Trust Journey
• Attack Chain Coverage
• Privileged Access
• Development / DevSecOps
• Security Operations (SecOps/SOC)
• Enabling Security & Business Goals
• Microsoft Security Capabilities
• Infrastructure – Multi-cloud, cross-platform, native controls
• Operational Technology (OT) & Industrial Control Systems
• Multi-Cloud & Cross-Platform
• Device Types
• Patch Modernization
• Microsoft 365 E5 Role Mapping
• Build Slide
aka.ms/MCRA | aka.ms/MCRA-videos | December 2023 – Slide notes have speaker notes & change history
Security Adoption Framework
Reduce risk by rapidly modernizing security capabilities and practices
• Business and Security Integration – Securing Digital Transformation: Engaging Business Leaders on Security
• Security Strategy and Program – CISO Workshop: Security Strategy, Programs, and Epics
• Zero Trust Architecture – Microsoft Cybersecurity Reference Architectures (MCRA): Architecture and Policy
• Technical Planning – Secure Identities and Access | Modern Security Operations (SecOps/SOC) | Infrastructure & Development Security
• Implementation and Operation
Includes Workshops available in the Microsoft Unified catalog
Reference Plans: All are holistic for the ‘hybrid of everything’ technical estate (on-premises, multi-cloud, IoT, OT, etc.)
Where do you want to Start?
There’s no wrong place to start ☺
Topic | Summary | Full workshop
Zero Trust Architecture and Planning | MCRA (4 hours) | Security ADS Module 1 – Zero Trust Architecture (2-3 days)
End to End Strategy | Security Strategy and Program | CISO Workshop
Product Adoption | | Security Capability Adoption Planning (2-3 days)
Plan and Execute Initiatives | Secure Identities and Access (4 hours) | Module 2 – Secure Identities and Access
Plan and Execute Initiatives | Modern Security Operations (SecOps/SOC) (4 hours) | Module 3 – Modern Security Operations (SecOps/SOC) (2-3 days)
Plan and Execute Initiatives | Infrastructure & Development Security (4 hours) | Module 4 – Infrastructure & Development Security
Let’s get next steps locked in
Capture actions and who follows up on them
# | Next Step | Point of Contact
1 | |
… | |
5 | |
Security Resources
Security Adoption Framework – aka.ms/saf
Security Documentation – aka.ms/SecurityDocs
Security Strategy and Program
• CISO Workshop – aka.ms/CISOworkshop | -videos
• Cloud Adoption Framework (CAF) – aka.ms/cafsecure
Zero Trust Architecture
• Microsoft Cybersecurity Reference Architectures (MCRA) – aka.ms/MCRA | -videos
• Ransomware and Extortion Mitigation – aka.ms/humanoperated
• Backup and restore plan to protect against ransomware – aka.ms/backup
• Zero Trust Deployment Guidance – aka.ms/ztguide | aka.ms/ztramp
• Driving Business Outcomes Using Zero Trust
  ▪ Rapidly modernize your security posture for Zero Trust
  ▪ Secure remote and hybrid work with Zero Trust
  ▪ Identify and protect sensitive business data with Zero Trust
  ▪ Meet regulatory and compliance requirements with Zero Trust
Secure Identities and Access
• Securing Privileged Access (SPA) Guidance – aka.ms/SPA
• Access Control Discipline
• Ninja Training: Microsoft Defender for Identity – aka.ms/mdininja
• MCRA Video: Zero Trust User Access
• Microsoft Entra Documentation – aka.ms/entradocs
Modern Security Operations (SecOps/SOC)
• Incident Response – aka.ms/IR
• CDOC Case Study – aka.ms/ITSOC
• Ninja Training: Microsoft 365 Defender – aka.ms/m365dninja; Microsoft Defender for Office 365 – aka.ms/mdoninja; Microsoft Defender for Endpoint – aka.ms/mdeninja; Microsoft Cloud App Security – aka.ms/mcasninja; Microsoft Sentinel
• MCRA Videos: Security Operations; SecOps Integration
Infrastructure & Development Security
• Microsoft Cloud Security Benchmark (MCSB) – aka.ms/benchmarkdocs
• Well Architected Framework (WAF) – aka.ms/wafsecure
• Azure Security Top 10 – aka.ms/azuresecuritytop10
• Ninja Training: Defender for Cloud
• MCRA Video: Infrastructure Security
• Defender for Cloud Documentation
Data Security & Governance
• Secure data with Zero Trust
• Ninja Training: Microsoft Purview Information Protection – aka.ms/MIPNinja; Microsoft Purview Data Loss Prevention – aka.ms/DLPNinja; Insider Risk Management
• Microsoft Purview Documentation – aka.ms/purviewdocs
IoT and OT Security
• Ninja Training: Defender for IoT Training
• MCRA Videos: OT & IIoT Security
• Defender for IoT Documentation – aka.ms/D4IoTDocs
Product Capabilities – www.microsoft.com/security/business
Security Product Documentation – Azure | Microsoft 365
Microsoft Security Response Center (MSRC) – www.microsoft.com/en-us/msrc
Key Industry References and Resources
The Open Group
• Zero Trust Commandments – https://pubs.opengroup.org/security/zero-trust-commandments/
• Zero Trust Reference Model – https://publications.opengroup.org/security-library
• Security Principles for Architecture – https://publications.opengroup.org/security-library
US National Institute of Standards and Technology (NIST)
• Cybersecurity Framework – https://www.nist.gov/cyberframework
• Zero Trust Architecture – https://www.nist.gov/publications/zero-trust-architecture
• NCCoE Zero Trust Project – https://www.nccoe.nist.gov/projects/implementing-zero-trust-architecture
• Secure Software Development Framework (SSDF) – https://csrc.nist.gov/pubs/sp/800/218/final
Cybersecurity and Infrastructure Security Agency (CISA)
• Zero Trust Maturity Model – https://www.cisa.gov/zero-trust-maturity-model
Center for Internet Security (CIS)
• CIS Benchmarks – https://www.cisecurity.org/cis-benchmarks/
Security Modernization with Zero Trust Principles
Security Strategy and Program
• Business Enablement – Align security to the organization’s mission, priorities, risks, and processes
• Assume Breach (Assume Compromise) – Assume attackers can and will successfully attack anything (identity, network, device, app, infrastructure, etc.) and plan accordingly
• Verify Explicitly – Protect assets against attacker control by explicitly validating that all trust and security decisions use all relevant available information and telemetry.
• Use least-privilege access – Limit access of a potentially compromised asset, typically with just-in-time and just-enough-access (JIT/JEA) and risk-based policies like adaptive access control.
Zero Trust Architecture: Secure Identities and Access | Infrastructure & Development Security | IoT and OT Security | Modern Security Operations (SecOps/SOC) | Data Security & Governance
Zero Trust Principles
Business Enablement – Align security to the organization’s mission, priorities, risks, and processes
Assume Breach (Assume Compromise) – Assume attackers can and will successfully attack anything (identity, network, device, app, infrastructure, etc.) and plan accordingly
→ Transforms from “defend the network” to “enable secure productivity on any network”
Asset/Node = account, app, device, VM, container, data, API, etc.
Verify explicitly – Protect assets against attacker control by explicitly validating that all trust and security decisions use all relevant available information and telemetry.
→ Reduces “attack surface” of each asset
Use least privilege access – Limit access of a potentially compromised asset, typically with just-in-time and just-enough-access (JIT/JEA) and risk-based policies like adaptive access control.
→ Reduces “blast radius” of compromises
Apply Zero Trust principles: All elements informed by threat and business intelligence, assisted by security engineering/automation
Key changes across security disciplines
Business Enablement | Assume Compromise (Assume breach) | Verify Explicitly | Least Privileged
General strategy shift: from ‘assume safe network’ → reduce attack surface and exposure to risk → reduce blast radius, both proactively and reactively
• Access Control – Adaptive Access with risk-based policies: always make security decisions using all available data points, including identity, location, device health, resource, data classification, and anomalies; Secure Access Service Edge (SASE); Micro-segmentation; Just-in-time & Just-enough-access (JIT/JEA); Cloud Infrastructure Entitlement Management (CIEM)
• Security Operations – Asset-centric detection and response (XDR); End to end visibility (SIEM); Automated threat response; Privileged Access Workstations (PAWs) for SOC Analysts, IT Admins, and business critical assets
• Asset Protection – Asset-centric protections: classify assets and apply controls per asset type and classification (CA policies, encryption, monitoring, detection, response etc.); Dependency/impact analysis: backups, service accounts and privileges that control other systems/services, etc.
• Innovation Security – Threat modelling; DevSecOps and CI/CD process integration of best practices (Static and dynamic analysis, etc.)
• Security Governance – Continuous Monitoring of security posture; Enablement: continuous improvement of security posture and standards/policies; Hygiene Remediation: patching, configuration, process updates, etc.; Posture Management
Key Industry Collaborations – Key Zero Trust Models and Architectures
• The Open Group – Focused on integration with business and IT/Enterprise/Security architecture
• US National Institute of Standards and Technology (NIST) – Focused on architecture and implementation with available technology
Many organizations are contributing valuable perspectives and guidance like the Cybersecurity and Infrastructure Security Agency (CISA), Cloud Security Alliance (CSA), and some technology vendors
Key Zero Trust Capabilities
Increase security and flexibility for continuously changing business, technology, threats, and regulations
• Risk Controls – establish overall security framework based on organizational risk
• Asset Centricity – foundational capability to identify, classify, and maintain the asset
• Asset-Centric Protection (Data-Centric & System-Centric) across digital ecosystems: Data/Information, Apps & Systems, APIs, Security Zones
• Adaptive Access Control – Centralized policy control; Distributed enforcement
• Digital Identity – Decentralized portable identities
• Asset-Centric Security Operations – rapid and complete detection, response, and recovery from attacks
• Posture Management – continuous improvement of attack prevention measures
• Zero Trust Governance – continuous monitoring and audit on demand to meet risk and compliance
Zero Trust Components (The Open Group)
• Governance – Clarity, Automation, and Metrics-Driven Approach; Visibility and Policy
• Access Control – Identity and Network; Multi-factor Authentication; Centralized Security Policy Decisions; Distributed Policy Enforcement Points (PEPs)
• Asset Protection – Classification, Protection, Tokenization across digital ecosystems: Data/Information, Apps & Systems, APIs, Security Zones
• Innovation Security – Securing new asset development
• Threat Intelligence
• Asset-Centric Security Operations – Rapid Threat Detection, Response, and Recovery
Microsoft Security Capability Mapping – The Open Group Zero Trust Components
• Governance (Clarity, Automation, and Metrics-Driven Approach; Visibility and Policy): Entra ID Governance; Microsoft Purview
• Access Control (Identity and Network; Multi-factor Authentication): Microsoft Entra ID; ID Protection; Workload ID; Defender for Identity
  • Centralized Security Policy Decisions: Microsoft Entra Conditional Access
  • Distributed Policy Enforcement Points (PEPs): Entra Internet Access; Entra Private Access; Intune Device Management; Defender for Endpoint (Endpoint Detection and Response, EDR); Microsoft Entra Conditional Access; Azure Firewall (Illumio partnership)
• Asset Protection (Classification, Protection, Tokenization): Microsoft Purview; Microsoft Priva; Apps & Systems – Defender for Cloud, Azure Arc; APIs – Defender for APIs (preview); Security Zones
• Innovation Security (Secure development and software supply chain): GitHub Advanced Security; Azure DevOps Security
• Threat Intelligence: 65+ Trillion signals per day of security context
• Asset-Centric Security Operations (Rapid Threat Detection, Response, and Recovery): Microsoft Sentinel – Security Information and Event Management (SIEM), Security Orchestration, Automation, and Response (SOAR); Microsoft Defender – Defender for Endpoint, Defender for Office 365, Defender for Identity, Defender for Cloud Apps, Defender for Cloud; security telemetry from across the environment
Zero Trust Architecture (ZTA) – NIST model, implemented in NCCoE lab
Security Analytics feed the Policy Engine / Policy Administrator (PE/PA).
• Endpoint – User, Device, Mobile Device, Device (with SDP Client)
• ICAM (Identity, Credentials, and Access Management) – Identity Management; Access & Credentials; Authentication (SSO/MFA); Authorization; Federation; Governance
• PE/PA – Security Policy: Evaluate Access → GRANT ACCESS
• Policy Enforcement Point (PEP) – Micro-segmentation; Software Defined Perimeter (SDP), example: TLS Tunnel
• Protected Resources – Cloud Apps & Workloads; On-prem Apps & Workloads (File Share, Database, Storage, Apps); Data Security
Microsoft Zero Trust Capability Mapping (Summer 2023) – NIST areas and sub-areas mapped to Microsoft services
• Security Analytics – Microsoft Sentinel (Security Information and Event Management (SIEM); Security Orchestration, Automation, and Response (SOAR)); Microsoft Defender XDR – Defender for Endpoint, Defender for Office 365, Defender for Identity, Defender for Cloud Apps, Defender for Cloud; security telemetry from across the environment
• Endpoint Security – Devices: Intune Device Management; Defender for Endpoint (Endpoint Detection and Response, EDR); Secure Admin Workstations; Virtual Desktops (Azure Virtual Desktop, Windows 365); Global Secure Access client; Devices with SDP / VPN client
• Policy Enforcement / Admin (PE/PA) – Microsoft Entra Policy: Conditional Access (Determine Access: User, Device, Authentication, Authorization → Grant Access); Identity, Credentials, and Access Management (ICAM): Entra ID, Entra ID Governance, Entra Permissions Management, Federation, Governance; Policy Enforcement Point (PEP): Entra Internet Access, Entra Private Access and its connector, VPN backend connector, Software Defined Perimeter (SDP)
• Protected Resources – Cloud Apps & Workloads: 3P SaaS (Defender for Cloud Apps), Office 365 / Microsoft 365 (Defender for Office 365), Azure IaaS (Defender for Cloud, Microsoft Cloud Security Benchmark); On-prem Apps & Workloads: Database, File share, Storage, Apps (Azure Arc, Defender for Cloud, Defender for Identity, Azure Automanage, Defender Application Guard); Infrastructure & Access
• Data – Purview Information Protection (Document, Office 365, Cloud, SQL DB/Files; Information Protection Scanner); Purview Data Loss Prevention (DLP); Intune Mobile App Management; Defender for Cloud Apps
Feedback mechanisms enable continuous improvement
Zero Trust architecture (Microsoft reference diagram, with Microsoft capabilities mapped to each element)
• Policy Optimization – Governance, Compliance, Security Posture Assessment, Productivity Optimization: Microsoft Defender for Cloud Secure Score; Microsoft Purview Compliance Manager; Microsoft Priva
• Identities (Human, Non-human; strong authentication): Microsoft Entra ID; ID Protection; Workload ID; Entra ID Governance; Defender for Identity
• Zero Trust Policies – Request enhancement, Adaptive Evaluation, Enforcement: Microsoft Entra Conditional Access
• Endpoints (Corporate, Personal; device compliance, risk assessment): Intune Device Management; Defender for Endpoint (Endpoint Detection and Response, EDR)
• Data (Classify, label, encrypt; Emails & documents, Structured data): Microsoft Purview
• Apps (SaaS, On-premises; adaptive access, runtime control): Defender for Office 365; Defender for Cloud Apps
• Network (Public, Private; traffic filtering & segmentation, as available): Entra Internet Access; Entra Private Access; Azure Networking
• Infrastructure (Serverless, Containers, IaaS, PaaS, Internal Sites; JIT & Version Control): Defender for Cloud; Azure Arc; Microsoft Entra Permissions Management; Defender for APIs (preview); GitHub Advanced Security
• Threat Protection – Continuous Assessment, Threat Intelligence, Forensics, Response Automation, Telemetry/analytics/assessment: Microsoft Sentinel (Security Information and Event Management (SIEM); Security Orchestration, Automation, and Response (SOAR)); Microsoft Defender – Defender for Endpoint, Defender for Office 365, Defender for Identity, Defender for Cloud Apps, Defender for Cloud
Managing organizational risk
Organizational Leadership – Board: Organizational & Risk Oversight; Management: Business Model and Vision, Organizational Risk Appetite
Risk categories: Natural Disasters | Market Relevancy | IT Operations | Cybersecurity | …
• Competition from startups is disrupting markets, requiring businesses to digitally transform
• Cybersecurity is emerging from IT as a distinct risk discipline for business leaders and boards
Managing Information/Cyber Risk – Security responsibilities or “jobs to be done” (February 2023 – https://aka.ms/SecurityRoles)
Organizational Leadership – Board: Organizational & Risk Oversight; Management: Business Model and Vision, Organizational Risk Appetite
External – Threat Intelligence Sources; Intelligence: Strategic Threat Insight/Trends, Risk Scenarios, Tactical Threat Insight/Trends
Plan (Governance)
• Information Risk Management – Risk Management; Supply Chain Risk (People, Process, Technology); Privacy & Compliance Requirements; Requirements Translation; Compliance Reporting; Risk Assessments; Technical Policy Monitoring; Technical Policy Authoring; Compliance Management
• Security Leadership – Program Management Office (PMO); Leadership and Culture; Enable Productivity and Security; Stay Agile – adapt to changes to threat environment, technology, regulations, business model, and more
• Posture Management – Policy & Standards; Monitor & Remediate Risk (Conditional Access, Secure Score, Sharing Risks, Threat and Vulnerability Management (TVM) User & Asset Scores, etc.)
Build
• Technical Risk Management – Security Architecture
• People – User Education & Awareness; Insider Risk
• Apps & Data – App Security / DevSecOps; IoT Security; Data Security
• Infrastructure & Endpoint – Infrastructure & Endpoint Security; Network Security; Identity & Keys (Administrator Identity Security, System Identity Security, Key Management)
• Operational Technology (OT) Security
Run (Operations)
• Security Operations [Center] (SOC) – Incident Preparation; Practice Exercises; People Teams; App & Data Teams; Incident Response; Identity Threat Teams; Hunting; Incident Management
• IT Operations – Deploy Security Tools; Mitigate Vulnerabilities
• OT Operations
Microsoft security capability mapping
Which roles typically use which capabilities
December 2023 – https://aka.ms/MCRA
[Four-column diagram; labels recovered by column]
• Access Control – Establish Zero Trust access model to modern and legacy assets using identity & network controls. Roles: Identity Admin, Identity Architect, Identity Security; Endpoint / Device Admin. Capabilities: Microsoft Entra (Entra ID (Formerly Azure AD), Multifactor Authentication, Conditional Access, Application Proxy, External Identities / B2B & B2C, Security Service Edge (SSE), and more), Microsoft Entra Identity Protection, Entra Permission Management, Microsoft Defender for Cloud, Windows Hello for Business, Azure Policy, Microsoft 365 Defender, Microsoft Defender for Identity, Microsoft Defender for Cloud Apps, Microsoft 365 Lighthouse [multi-tenant], Azure Lighthouse, Azure Bastion, Azure Administrative Model (Portal, Management Groups, Subscriptions, Azure RBAC & ABAC); Network Security: Azure Firewall, Azure Firewall Manager, Azure DDoS, Azure Web Application Firewall, Azure Networking Design (Virtual Network, NSG, ASG, VPN, etc.), PrivateLink / Private EndPoint; Endpoint / Device Admin: Microsoft Intune, Configuration Management, Microsoft Defender for Endpoint
• Security Operations – Detect, Respond, and Recover from attacks; Hunt for hidden threats; share threat intelligence broadly. Roles: Incident preparation, Security Operations Analyst, Threat intelligence Analyst. Capabilities: Microsoft Defender XDR (Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Identity, Microsoft Defender for Cloud, Microsoft Defender for Cloud Apps), Microsoft Defender for DevOps, Microsoft Defender for Servers, Microsoft Defender for Storage, Microsoft Defender for SQL, Microsoft Defender for Containers, Microsoft Defender for App Service, Microsoft Defender for APIs (preview), Microsoft Defender for Key Vault, Microsoft Defender for DNS, Microsoft Defender for open-source relational databases, Microsoft Defender for Azure Cosmos DB, Microsoft Security Copilot (preview), Microsoft Sentinel, Microsoft Security Experts, Microsoft Incident Response / Detection and Response Team (DART), Attack Simulator; Threat intelligence Analyst: Microsoft Defender Threat Intelligence (Defender TI), Microsoft Sentinel
• Security Governance – Continuously Identify, measure, and manage security posture to reduce risk & maintain compliance. Roles: Security architecture; Posture management, Policy and standards, Compliance management; Privacy Manager. Capabilities: Microsoft Cybersecurity Reference Architecture (https://aka.ms/MCRA), Entra Permission Management, Secure Score, Compliance Dashboard, Azure Security Benchmark, Azure Blueprints, Azure Policy, Microsoft Defender External Attack Surface Management (MD-EASM), Azure Administrative Model (Portal, Management Groups, Subscriptions, Azure RBAC & ABAC), Compliance manager, Microsoft Purview; Privacy Manager: Microsoft Priva
• Asset Protection – Protect sensitive data and systems. Continuously discover, classify & secure assets. Roles: Infrastructure and endpoint security, IT Ops, DevOps. Capabilities: Microsoft Defender for Cloud (including Azure Arc), Azure Blueprints, Azure Policy, Azure Firewall, Azure Monitor, Azure Web Application Firewall, Azure DDoS, Azure Backup and Site Recovery, Azure Networking Design (Virtual Network, NSG, ASG, VPN, etc.), PrivateLink / Private EndPoint, Azure Resource Locks, Azure RBAC & ABAC; OT and IoT Security: Microsoft Defender for IoT (& OT), Azure Sphere; Data security: Microsoft Purview, Information Protection, Data Loss Prevention, Microsoft 365 Defender, Microsoft Defender for Cloud Apps; People security: Insider Risk Management; Innovation Security – Integrate Security into DevSecOps processes. Align security, development, and operations practices. Application security and DevSecOps: (Same as Infrastructure Roles), GitHub Advanced Security, Azure DevOps Security
Microsoft Cybersecurity Reference Architecture – Security modernization with Zero Trust Principles
December 2023 – aka.ms/MCRA
[Overview diagram; labels recovered by panel]
• Security Operations / SOC: Microsoft Security Experts (Defender Experts | Detection and Response Team (DART); Managed Security Operations); Microsoft Defender XDR – Unified Threat Detection and Response across IT, OT, and IoT Assets (Incident Response | Automation | Threat Hunting | Threat Intelligence); Microsoft Sentinel – Cloud Native SIEM, SOAR, and UEBA; Microsoft Security Copilot (Preview). Asset coverage: Cloud (Azure, AWS, GCP, On Prem & more), Endpoint (Workstations, devices, Server/VM, Containers, etc.), Office 365 (Email, Teams, and more), Identity (Cloud & On-Premises), SaaS (Cloud Apps), Data (SQL, DLP, & more), OT/IoT, Other (Tools, Logs, & Data)
• Software as a Service (SaaS): Microsoft Defender for Cloud Apps – App Discovery & Risk Scoring (Shadow IT), Threat Detection & Response, Policy Audit & Enforcement, Session monitoring & control; Information Protection & Data Loss Prevention (DLP); Microsoft Entra Internet Access
• Security Guidance: Security Adoption Framework, Security Documentation, Cloud Security Benchmarks
• Identity & Access – Microsoft Entra: Conditional Access – Zero Trust Access Control decisions based on explicit validation of user trust and endpoint integrity; Passwordless & MFA (Hello for Business, Authenticator App, FIDO2 Keys); Entra ID Protection (Leaked cred protection, Behavioral Analytics); Entra Private Access & App Proxy; ID Governance; Microsoft Entra PIM; External Identities; Defender for Identity; Active Directory
• Endpoints & Devices: Unified Endpoint Management (UEM) – Intune, Configuration Manager; Microsoft Defender for Endpoint – Unified Endpoint Security, Endpoint Detection & Response (EDR), Web Content Filtering, Threat & Vuln Management, Endpoint Data Loss Protection (DLP)
• Hybrid Infrastructure – IaaS, PaaS, On-Premises: Defender for Cloud – Cross-Platform Cloud Security Posture Management (CSPM), Secure Score, Compliance Dashboard; On Premises Datacenter(s), 3rd party IaaS & PaaS (S3), Microsoft Azure (Azure Marketplace); Extranet, Edge, Intranet; Azure Firewall & Firewall Manager, NGFW, Azure WAF, IPS/IDS/NDR, DDoS Protection, VPN & Proxy, Express Route, Azure Key Vault, Beyond User VPN, Private Link, Azure Bastion, Azure Arc, Azure Lighthouse, Azure Stack, Azure Backup, Security & Other Services
• Information Protection – Microsoft Purview: Information protection and governance across data lifecycle; Classification Labels; Discover, Classify, Protect, Monitor; DLP File Scanner (on-premises and cloud); Data Governance; Advanced eDiscovery; Compliance Manager
• Securing Privileged Access – aka.ms/SPA; Entra Permission Management – Discover and Mitigate Cloud Infrastructure Permission Creep; Privileged Access Workstations (PAWs) - Secure workstations for administrators, developers, and other sensitive users
• Security Posture Management – Monitor and mitigate technical security risks using Secure Score, Compliance Score, CSPM: Defender for Cloud, Microsoft Defender External Attack Surface Management (EASM) and Vulnerability Management
• Windows 11 & 10 Security: Network protection, App control, Credential protection, Exploit protection, Full Disk Encryption, Behavior monitoring, Attack surface reduction, Next-generation protection
• IoT and Operational Technology (OT): Microsoft Defender for IoT (and OT) – ICS, SCADA, OT; Internet of Things (IoT); Industrial IoT (IIoT); Asset & Vulnerability management; Threat Detection & Response; Azure Sphere
• Defender for Cloud – Cross-Platform, Multi-Cloud XDR: Detection and response capabilities for infrastructure and development across IaaS, PaaS, and on-premises; Defender for APIs (preview)
• People Security: Attack Simulator, Insider Risk Management, Communication Compliance
• GitHub Advanced Security & Azure DevOps Security – Secure development and software supply chain
• Threat Intelligence – 65+ Trillion signals per day of security context; Service Trust Portal – How Microsoft secures cloud services; Security Development Lifecycle (SDL)
Cross-cloud and cross-platform
Comprehensive Security, Compliance and Identity capabilities that integrate with your existing solutions
December 2023 – https://aka.ms/MCRA
Industry Partnerships: NIST / CIS / The Open Group / Others; Microsoft Intelligent Security Association; Solution Integration and MDR/MSSP Partners; CERTs / ISACs / Others; Law Enforcement
Microsoft Security, Compliance, and Identity Capabilities
• Threat Intelligence – 65+ Trillion signals per day of security context
• Access Control – Identity and Network
• Modern Security Operations – Rapid Resolution with XDR, SIEM, SOAR, UEBA and more
• Asset Protection – Information Protection and App Security / DevSecOps
• Technical Governance – Risk Visibility, Scoring, and Policy Enforcement
• People Security – User Education/Empowerment and Insider Threats
• Asset types: Endpoints & Devices; Software as a Service (SaaS); Hybrid Infrastructure – IaaS, PaaS, On-Premises (3rd party services such as S3 included); IoT Devices; Operational Technology (OT)
• Security Operations [Center] (SOC) – Reduce attacker time/opportunity to impact business
Multi-Cloud and Cross-Platform Technology – Secure the enterprise you have
December 2023 – https://aka.ms/MCRA

Microsoft Purview – Discover, Classify, Protect, and Monitor across unstructured data (documents, spreadsheets, files, etc.) and structured data (SQL, Databases, etc.) to identify and mitigate critical risks
Information Protection / Identity & Access (3rd party services such as S3 included)
• Identity Enablement – Microsoft Entra (formerly Azure AD): Access cloud and legacy applications for Enterprise users and External Identities like Partners (B2B) and Customers/Citizens (B2C)
• Identity Security – Zero Trust Access Control using Behavioral Analytics, Threat Intelligence, and integration of device and app trust signals
• GitHub Advanced Security – Secure development capabilities securing components common to most enterprise software supply chains
Endpoints & Devices | Software as a Service (SaaS) | Hybrid Infrastructure – IaaS, PaaS, On-Premises | IoT Devices | Operational Technology (OT)
• Microsoft Intune – Unified Endpoint Management (UEM)
• Cloud-native application protection platform (CNAPP): Microsoft Defender (CSPM+CWPP), Entra Permissions Management (CIEM), Azure Security (CSNS), DevSecOps
Security Operations [Center] (SOC)
• Microsoft Sentinel – Cloud Native SIEM, SOAR, and UEBA for IT, OT, and IoT
• Microsoft Defender XDR - Extended Detection and Response: Microsoft Defender for Endpoint (Unified Endpoint Security, Endpoint Detection & Response (EDR), Web Content Filtering, Threat & Vuln Management); Microsoft Defender for Cloud Apps (App Discovery & Risk Scoring (Shadow IT), Threat Detection & Response, Policy Audit & Enforcement, Session monitoring & control); Integrated data classification; Data Loss Protection (DLP); Info Protection & Data Loss Prevention (DLP); Threat & Vulnerability Management; Automated Investigation & Remediation; Threat analytics on top attacks; Advanced Threat Hunting
• Microsoft Defender for Cloud – Threat visibility and capabilities tailored to resources in IaaS, PaaS, and On-Premises: Advanced Detection & Remediation for VMs, Servers, App Environments; Storage and Databases; Containers and Orchestration; DevOps, APIs, CI/CD, and more; Azure Arc
• Microsoft Defender for IoT – ICS, SCADA, OT; Internet of Things (IoT); Industrial IoT (IIoT); Asset & Vulnerability management; Threat Detection & Response
• Threat Intelligence – 65+ Trillion signals per day of security context
Key cross-platform and multi-cloud guidance
• Microsoft Defender for Cloud multicloud solution
• Microsoft Defender for Endpoint – Linux Support
• Azure security solutions for AWS
• Entra ID identity and access management for AWS
Multi-cloud & hybrid protection in Microsoft Defender for Cloud
[Diagram; labels recovered] Environments: Google Cloud, Amazon Web Services, On-prem, Microsoft Azure (connected through Azure Arc)
• Security posture & compliance: Secure score, Asset management, Policy
• Server protection (Microsoft Defender for Cloud for VMs): Threat detection, Vulnerability Assessment, Application control
• Automation & management at scale: Automation, SIEM integration, Export
Adaptive Access applying Zero Trust Principles
Can be implemented today using Microsoft and partner capabilities
Legend: Access Management Capabilities | Trust Signal | Adaptive Access Policy | Threat Intelligence | Additional Policy & Monitoring
[Diagram; labels recovered]
Signal – to make an informed decision
• Organization Policy
• User/Identity Risk: Multi-factor Authentication? Impossible Travel? Unusual Locations? Password Leaked? …and more
• Device Risk: Managed? Compliant? Infected with Malware? …and more
• Integrated Threat Intelligence
• Continuous Risk Evaluation
Decision – based on organizational policy
• Security Policy Engine: Core adaptive access policy; Additional policy control & monitoring
• Remediate User and Device Risk
Enablement and Enforcement – of policy across resources
• Identities: Employee, Partner, Customer, Workload
• Direct Application Access: Any apps and resources; Microsoft 365 apps and resources
• Security Service Edge (SSE) with Zero Trust Network Access (ZTNA), secure web gateway (SWG), Cloud Access Security Broker (CASB), and Firewall-as-a-Service (FWaaS): Internet and SaaS apps; All private apps
• Virtual Private Network (VPN) – Legacy technology being retired: Private web apps
• Macro- and Micro-segmentation – Workload isolation using identity, network, app, and other controls
Adaptive Access applying Zero Trust Principles – Using Microsoft Technology
Can be implemented today using Microsoft and partner capabilities
Legend: Access Management Capabilities | Trust Signal | Adaptive Access Policy | Threat Intelligence | Additional Policy & Monitoring
[Same diagram with Microsoft technology mapped onto it; labels recovered]
• Signal: Organization Policy; User/Identity Risk (Multi-factor Authentication? Impossible Travel? Unusual Locations? Password Leaked? …and more); Device Risk from Microsoft Defender + Intune (Managed? Compliant? Infected with Malware? …and more); Microsoft Threat Intelligence – 65+ Trillion signals per day of security context & Human Expertise; Continuous Risk Evaluation
• Decision: Microsoft Entra ID (formerly Azure AD) Conditional Access – Core adaptive access policy; Additional policy control & monitoring; Remediate User and Device Risk (Entra ID Self Service Password Reset (SSPR))
• Enablement and Enforcement: Direct Application Access for Employee, Partner, Customer, and Workload identities (Any apps and resources; Microsoft 365 apps and resources); Security Service Edge (SSE) – Entra Internet Access (preview), Entra Private Access (preview), and Partners – with Zero Trust Network Access (ZTNA), secure web gateway (SWG), Cloud Access Security Broker (CASB), and Firewall-as-a-Service (FWaaS) for Internet and SaaS apps and All private apps; Virtual Private Network (VPN) – Legacy technology being retired – for Private web apps; Macro- and Micro-segmentation – Workload isolation using identity, network, app, and other controls (Illumio partnership, LAPS)
December 2023 – https://aka.ms/MCRA
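The Signal, Decision and Enforcement flow of the two adaptive access diagrams above, written out as a small policy engine in Python, including the Continuous Risk Evaluation step that re-runs the policy on an already granted session. This is an added example, not code from the MCRA deck or from Microsoft: the signal names follow the diagram, while the Decision values, the sensitivity tiers and every threshold are constructed assumptions and do not model the real Conditional Access engine.

```python
"""Toy adaptive access policy engine following the Signal -> Decision ->
Enforcement flow of the MCRA adaptive access diagrams.

Added example, not Microsoft code. The signal names mirror the diagram
(MFA, impossible travel, unusual location, leaked password, device
managed/compliant/infected); Decision values, sensitivity tiers and every
threshold below are constructed for illustration only.
"""
from dataclasses import dataclass, replace
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    REQUIRE_MFA = "require_mfa"  # verify explicitly: step-up authentication
    REMEDIATE = "remediate"      # user or device must fix its risk first
    BLOCK = "block"


@dataclass(frozen=True)
class Signals:
    """Trust signals gathered at sign-in and refreshed during the session."""
    mfa_satisfied: bool = False
    # User/Identity Risk ("Impossible Travel? Unusual Locations? Password Leaked?")
    impossible_travel: bool = False
    unusual_location: bool = False
    password_leaked: bool = False
    # Device Risk ("Managed? Compliant? Infected with Malware?")
    device_managed: bool = False
    device_compliant: bool = False
    device_infected: bool = False
    # Integrated threat intelligence hit on the source address (constructed)
    source_ip_flagged_by_ti: bool = False


@dataclass(frozen=True)
class Resource:
    name: str
    sensitivity: str = "low"   # constructed tiers: "low", "medium", "high"
    private_app: bool = False  # reachable only via the private-access (ZTNA) path


def device_risk(s: Signals) -> str:
    if s.device_infected:
        return "high"
    if not (s.device_managed and s.device_compliant):
        return "medium"
    return "none"


def signin_risk(s: Signals) -> str:
    if s.source_ip_flagged_by_ti or s.impossible_travel:
        return "high"
    if s.unusual_location:
        return "medium"
    return "none"


def evaluate(s: Signals, r: Resource) -> Decision:
    """Decision step: organization policy applied to the current signals.
    Hard stops first (assume breach), remediation next, step-up last."""
    dr, sr = device_risk(s), signin_risk(s)
    if dr == "high" or s.source_ip_flagged_by_ti:
        return Decision.BLOCK
    if s.password_leaked:
        return Decision.REMEDIATE       # user risk: credential reset required
    if r.private_app and dr != "none":
        return Decision.REMEDIATE       # device risk: enrol / fix compliance first
    if sr != "none" and not s.mfa_satisfied:
        return Decision.REQUIRE_MFA     # risky sign-in: verify explicitly
    if r.sensitivity == "high":
        if not s.mfa_satisfied:
            return Decision.REQUIRE_MFA
        if dr != "none":
            return Decision.REMEDIATE   # sensitive data needs a compliant device
    return Decision.ALLOW


@dataclass(frozen=True)
class Session:
    resource: Resource
    signals: Signals
    decision: Decision


def open_session(s: Signals, r: Resource) -> Session:
    return Session(r, s, evaluate(s, r))


def reevaluate(session: Session, **changed: bool) -> Session:
    """Continuous Risk Evaluation: merge changed signals into the session's
    view and re-run the policy, so an ALLOW can become BLOCK mid-session."""
    new_signals = replace(session.signals, **changed)
    return Session(session.resource, new_signals,
                   evaluate(new_signals, session.resource))


if __name__ == "__main__":
    healthy = Signals(mfa_satisfied=True, device_managed=True, device_compliant=True)
    session = open_session(healthy, Resource("mail"))  # constructed resource
    print("sign-in:", session.decision.value)
    print("device infected mid-session:",
          reevaluate(session, device_infected=True).decision.value)
```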
Attackers have options to compromise privileged access
[Diagram; labels recovered] Business Critical Assets – Across On-Premises, Cloud, OT, & IoT
• Privileged Access: Devices/Workstations, Account, Interface, Intermediaries, Identity Systems, Cloud Service Admin
• User Access: Devices/Workstations, Account, Interface, Intermediaries, Identity Systems, Business Critical Systems
• Elevation Paths / Authorizes (rotated diagram labels) connect user access to privileged access and form the Potential Attack Surface
Limit and protect pathways to privileged access – Prevention and rapid response
Asset Protection also required – Security updates, DevSecOps, data at rest / in transit, etc.


Complete End-to-end approach – Required for meaningful security
Security Operations Capabilities
Enabling a people-centric function focused on rapid remediation of realized risk
December 2023 – https://aka.ms/MCRA
[Capability diagram; labels recovered]
• Align to Mission + Continuously Improve – Measure and reduce attacker dwell time (attacker access to business assets) via Mean Time to Remediate (MTTR)
• Broad Enterprise View – Correlated/Unified Incident View (Case Management); Ensure consistent workflow and measurement of success
• Analysts and Hunters
• Expert Assistance – Enabling analysts with scarce skills: Incident Response/Recovery Assistance (technical, legal, communication, and other); Managed Detection and Response (Outsourced technical functions)
• Security Information and Event Management (SIEM) – Hunting + Investigation platform with Automation and Orchestration (including machine learning (ML), User/Entity Behavior Analytics (UEBA), & Security Data Lake); API integration
• Threat Intelligence (TI) – Critical security context
• Automation (SOAR) – reduces analyst effort/time per incident, increasing SecOps capacity
• Generative AI – Simplifies tasks and performs advanced tasks through chat interface
• Deep Insights – Actionable alerts derived from deep knowledge of assets and advanced analytics; Extended Detection and Response (XDR) – High quality detection for each asset + investigation and remediation capabilities
• Enterprise Assets – Multiple generations of technology spanning clouds, Devices, Operating Systems, Applications, Data Formats, and more: Security & Network, Infrastructure & Apps, Platform as a Service (PaaS), Identity & Access Management, Endpoint & Mobile, Applications (SaaS, AI, legacy, DevOps, and other), OT & IoT, Information & Data
• Raw Data – Security & Activity Logs
Legend: Outsourcing; Security Operations; Event Log Based Monitoring; Investigation & Proactive Hunting; Consulting and Escalation; Native Resource Monitoring
Microsoft Reference Architecture
[Security operations diagram with Microsoft technology; labels recovered]
• Align to Mission + Continuously Improve – Measure and reduce attacker dwell time (attacker access to business assets) via Mean Time to Remediate (MTTR)
• Broad Enterprise View – Correlated/Unified Incident View (Case Management): Microsoft Sentinel – Security Incident & Event Management (SIEM); Security Orchestration, Automation, and Remediation (SOAR); Security Data Lake; Microsoft Machine Learning (ML) & AI; Behavioral Analytics (UEBA); Classic SIEM; API integration
• Analysts and Hunters
• Expert Assistance – Enabling analysts with scarce skills: Microsoft Security Experts – Managed XDR, Managed threat hunting, Incident response (Formerly Detection & response team (DART)), Security Operations Modernization; Managed Security Operations
• Microsoft Threat Intelligence – 65+ Trillion signals per day of security context & Human Expertise
• SOAR reduces analyst effort/time per incident, increasing SecOps capacity
• Microsoft Security Copilot (Preview) – Simplifies experience for complex tasks/skills
• Deep Insights – Extended Detection and Response (XDR): SOAR - Automated investigation and response (AutoIR); Actionable detections from an XDR tool with deep knowledge of assets, AI/ML, UEBA, and SOAR; Provide actionable security detections, raw logs, or both
• Defender for Cloud: Servers & VMs, Azure app services, Network traffic, Defender for Containers, Defender for SQL, Defender for IoT & OT
• Microsoft Defender XDR: Entra ID Identity Protection, Defender for Endpoint, Defender for Office 365, Defender for Cloud Apps
• Enterprise Assets: Infrastructure & Apps, PaaS, OT & IoT, Identity & Access Management ({LDAP}), Endpoint & Mobile, Applications (SaaS, AI, legacy, DevOps, and other), Information, Security & Network
• Raw Data – Security & Activity Logs
Operational Technology (OT) Security Reference Architecture
December 2023 – https://aka.ms/MCRA
Apply zero trust principles to securing OT and industrial IoT environments
Blended cybersecurity attacks are driving convergence of IT, OT, and IoT Environments
Cloud – Threat Intelligence – 65+ Trillion signals per day of security context
• Business Analytics: Azure Analytics (IoT Hub, PowerBI, Azure Edge, Digital Twins, and more); 3rd party Analytics
• Security Analytics: Microsoft Sentinel – Native plug-in for Microsoft Defender for IoT; Native OT investigation & remediation playbooks; Correlation with other data sources and threat intelligence (attack groups & context); 3rd party Analytics
IIoT / OT Digital Transformation drivers
• Business Efficiency - Data to enable business agility
• Governance & Regulatory Compliance with safety and other standards
• Emerging Security Standards like CMMC
• Strategic security architectures and capabilities
Operational Technology (OT) Environments compared with Information Technology (IT) Environments
• Priorities: OT – Safety/Integrity/Availability; IT – Confidentiality/Integrity/Availability
• Hardware Age: OT – 50-100 years (mechanical + electronic overlay); IT – 5-10 years
• Warranty length: OT – up to 30-50 years; IT – 3-5 years
• Protocols: OT – Industry Specific (often bridged to IP networks); IT – Native IP, HTTP(S), Others
• Security Hygiene: OT – Isolation, threat monitoring, managing vendor access risk, (patching rarely); IT – Multi-factor authentication (MFA), patching, threat monitoring, antimalware
Purdue Model
• Purdue Levels 4 + 5 and Zero Trust – Business Analytics; Cloud Connection (OPTIONAL) using TLS with mutual authentication
• Level 3 – Site Operations: Control & monitoring for physical site with multiple functions (e.g. plant). Business Analytic Sensor(s); Plant security console (optional); Microsoft Defender for IoT (and OT) Manager and Security Console; 3rd party SIEM
• Level 2 – Supervisory Control: Monitoring & Control for discrete business functions (e.g. production line). NETWORK TAP/SPAN Sensor(s) + Analytics
• Level 1 – Basic Control: Electronics controlling or monitoring physical systems
• Level 0 – Process: Physical machinery
• SAFETY SYSTEMS
Isolation and Segmentation
• Internal Hard Boundary – Physically disconnect from IT network(s) as business processes allow
• Soft(ware) Boundary – People, Process, and Tech (network + identity access control, boundary patching and security hygiene)
Transform with Zero Trust Principles – Purdue model assumed static site/enterprise model
• Datacenter Segments – Align network/identity/other segmentation controls to business workloads and business risk
• End user access - Dynamically grant access based on explicit validation of current user and device risk level
Zero Trust Principles - Assume breach, verify explicitly, Use least privilege access (identity and network)
©Microsoft Corporation

Infrastructure Security Capabilities
December 2023 – https://aka.ms/MCRA
Apply Zero Trust principles across multi-cloud cross-platform environments
Azure Cloud Adoption Framework (CAF) – Guidance on security strategy, planning, roles and responsibilities – https://aka.ms/CAF; Top 10 Azure Security Best Practices
Azure Well Architected Framework (WAF)
Microsoft Cloud Security Benchmark (MCSB) – Prescriptive Best Practices and Controls
Infrastructure & Platform as a Service (IaaS & PaaS)
• Management Plane Security – Platform provided security guardrails, governance, policy, and more: Azure Blueprints, Azure Policy, Management Groups, Role Based Access Control (RBAC), Microsoft Defender for Cloud, Azure Lighthouse, Resource Locks, Azure Backup & Site Recovery
• Governance & Policy Enforcement – Microsoft Entra ID Governance: Automated User Provisioning, Privileged Identity Management (PIM), Entitlement Management, Terms of Use, Access Reviews
• Data Plane Security – Per-Application/Workload Controls; Internal Communications (East/West); External Communications (North/South): Network/App Security Groups, API Management Gateway, Defender for APIs (preview), PrivateLink & Service Endpoints, Azure DDoS and Web Application Firewall (WAF), Encryption & Azure Key Vault, Application RBAC Model, Azure Firewall and Firewall Management, Azure Bastion, Defender for DevOps, Azure DevOps Security, GitHub Advanced Security, Microsoft Defender for Cloud Apps, Entra Permissions Management
• Zero Trust Access Control – Explicit trust validation for users and devices before allowing access: Unified Endpoint Management (Intune, Configuration Manager), Entra App Proxy, MFA and Passwordless (Entra MFA, Windows Hello, Existing MFA), Entra Privileged Identity Management (PIM), Preventive Controls, Microsoft 365 Defender, Entra ID Protection, Entra Private Access (preview), Privileged Access Workstation (PAW), Conditional Access
Access paths (diagram columns: Workstations, Accounts, Identity Access and Privileges, Interfaces, Infrastructure Resources, Network)
• ‘Internal’ Access: Business Users (Full Time Employees, Partners, and/or outsourced providers), Developers, Administrators, App/Service and Automation; Accounts in Microsoft Entra ID & External Identities (Formerly Azure AD), Active Directory, Existing/Other; Interfaces: Azure Portal, Command Line Interface (CLI), Automation/API, Azure Resource Management (ARM) API, CI/CD Pipeline; Resources: Applications, Cloud Resources/Data, Azure Resources/Data, Azure IoT Hub, Azure Sphere, Internet of Things (IoT) Devices, On-Premises & Other
• ‘External’ Access: Customers (and ‘External’ Partners) through External Identities
Security Posture
• Microsoft Secure Score; Microsoft Defender for Cloud - Risk & Regulatory Compliance Reporting; Microsoft Defender External Attack Surface Management (EASM); Microsoft Defender XDR; Entra Permissions Management; Azure Policy (audit) & Azure resource graph API
Threat Detection & Response
• Microsoft Sentinel – Cloud Native SIEM, SOAR, and UEBA; Microsoft Defender XDR – Unified Threat Detection and Response across IT, OT, and IoT Assets (Incident Response | Automation | Threat Hunting | Threat Intelligence); Microsoft Security Copilot (Preview)
• Microsoft Defender for Cloud - Detections across assets and tenants: VMs & Tenants (Azure, On-prem, 3rd party clouds), CI/CD Pipelines, Containers and Kubernetes, Azure SQL & Cosmos DB, IoT and Legacy OT Devices (SCADA, ICS, etc.), Application Programming Interfaces (APIs), Azure Storage Accounts, And More…
• Visibility: Microsoft Defender for Cloud Apps (MDCA Alerts), Microsoft Defender for Endpoint, Entra ID Protection, Microsoft Defender for Identity, Azure WAF Alerts, Azure Firewall Alerts, Azure DDOS Alerts
• Raw Logs and Signal for Investigation & Hunting: Endpoint logs, Application Logs, MDCA Logs, Network Watcher – IP Flow logs, Packet Capture, Virtual TAP; Entra ID logs, access logs, alerts, risk scoring; PIM Logs; Azure activity log; Azure Service Diagnostic Logs & Metrics
DevSecOps – Agile security for workloads
Idea → Incubation → First Production Release → Production DevSecOps
• New Product or Service: Minimum viable product (MVP) for Dev - Business / Technical Requirements; Sec - Compliance / Security / Safety; Ops - Quality / Performance / Support
• Continuous improvement
Architecture & Governance – Security, Compliance, Identity, & Other Standards
[Lifecycle diagram; rotated labels recovered] Developer → DESIGN/CODE → BUILD → DEPLOY → RUN, with Governance – Continuous Improvement around the loop
• Secure Design | Secure Code | Secure CI/CD Pipeline | Secure the Operations
Continuous Improvement of DevSecOps Lifecycle
1. MVP definitions – Update minimum requirements for Dev, Sec, and Ops (agility, stability, security, identity standards, and more)
2. Continuously improve process, program, education, tooling, etc. to improve developer productivity, efficiency, security, identity, and more
It’s bad out there!
Attacker techniques, business models, and skills/technology are continuously evolving
For sale in “bad neighborhoods” on the internet:
• Attacker for hire (per job): $250 per job (and up)
• Ransomware Kits: $66 upfront (or 30% of the profit / affiliate model)
• Compromised PCs / Devices: PC $0.13 to $0.89; Mobile $0.82 to $2.78
• Spearphishing for hire: $100 to $1,000 (per successful account takeover)
• Stolen Passwords: $0.97 per 1,000 (average); Bulk: $150 for 400M
• Denial of Service: $766.67 per month
• Other Services
Continuous attack supply chain innovation
Many attack tools and tutorials/videos available for free on the internet
Continuously Evolving Threats
Require consistency, visibility, prioritization, and continuous learning
Attack Chain Models – Consistently describe attacks & techniques
• Use MITRE ATT&CK Framework to evaluate detection coverage and plan to fill visibility gaps
• Use PETE to describe incidents simply and consistently (including to business leaders)
Broad & Deep Visibility – Required across assets & techniques
• Ensure you have visibility and coverage across asset types and common attack patterns
Ransomware and Extortion – Should influence defense prioritization
• Prioritize ransomware defenses pragmatically: https://aka.ms/humanoperated
Attack Chain Models
Describe stages of an attack
• PETE – Simple model for business leaders and other non-technical stakeholders
• MITRE ATT&CK Framework – Detailed model for technical detection coverage assessments and planning
• Lockheed Martin Kill Chain – Legacy reference model (missing lateral traversal)
PETE stages: PREPARE | ENTER | TRAVERSE | EXECUTE
Lockheed Martin Kill Chain: Reconnaissance → Weaponization → Delivery → Exploitation → Installation → Command and Control → Actions on the Objective
MITRE ATT&CK tactics, as laid out under the PETE stages on the slide:
• PREPARE: Reconnaissance, Resource Development
• ENTER: Initial Access, Persistence
• TRAVERSE: Lateral Movement, Command and Control, Defense Evasion, Privilege Escalation, Discovery, Credential Access
• EXECUTE: Exfiltration, Impact
Ransomware and Extortion Attacks
Evolution of ransomware/extortion – Rapidly became top threat to many organizations, driven by attacker business model evolution
• High impact and likelihood attack – High attacker profitability driving massive growth
• Common attack pattern has weaknesses – All extortion relies on getting access to assets (via admin privileges); ransomware extortion relies on denying recovery (via backups)
• Prioritize Defenses – Focus on disrupting attacker motivations and techniques first
aka.ms/HumanOperated
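The two slides above say to use MITRE ATT&CK to find detection coverage gaps, to roll the picture up into PETE for business leaders, and to let the ransomware/extortion pattern drive which gaps get closed first. The script below is an added example of that assessment, not code from the MCRA deck or from Microsoft. The technique and tactic identifiers are real ATT&CK names, but the detection inventory, the list of "ransomware-relevant" techniques, and the assignment of tactics to PETE stages are constructed assumptions for illustration; a real run would take the inventory from the SIEM/XDR export and the priority list from the organization's own threat model.

```python
"""Detection coverage assessment against MITRE ATT&CK, rolled up to PETE stages.

Added example; not code from the MCRA deck or from Microsoft. ATT&CK technique
and tactic names are real; DETECTIONS, RANSOMWARE_PRIORITY and TACTIC_TO_PETE
are constructed assumptions for illustration.
"""
from collections import defaultdict

# ASSUMPTION: how ATT&CK tactics roll up into the deck's PETE stages.
TACTIC_TO_PETE = {
    "reconnaissance": "PREPARE", "resource-development": "PREPARE",
    "initial-access": "ENTER", "execution": "ENTER", "persistence": "ENTER",
    "privilege-escalation": "TRAVERSE", "defense-evasion": "TRAVERSE",
    "credential-access": "TRAVERSE", "discovery": "TRAVERSE",
    "lateral-movement": "TRAVERSE", "command-and-control": "TRAVERSE",
    "collection": "EXECUTE", "exfiltration": "EXECUTE", "impact": "EXECUTE",
}
PETE_ORDER = ("PREPARE", "ENTER", "TRAVERSE", "EXECUTE")

# A small slice of ATT&CK: technique id -> (name, tactics). Real identifiers.
TECHNIQUES = {
    "T1595": ("Active Scanning", ["reconnaissance"]),
    "T1583": ("Acquire Infrastructure", ["resource-development"]),
    "T1566": ("Phishing", ["initial-access"]),
    "T1078": ("Valid Accounts", ["initial-access", "persistence",
                                 "privilege-escalation", "defense-evasion"]),
    "T1059": ("Command and Scripting Interpreter", ["execution"]),
    "T1003": ("OS Credential Dumping", ["credential-access"]),
    "T1087": ("Account Discovery", ["discovery"]),
    "T1021": ("Remote Services", ["lateral-movement"]),
    "T1071": ("Application Layer Protocol", ["command-and-control"]),
    "T1562": ("Impair Defenses", ["defense-evasion"]),
    "T1567": ("Exfiltration Over Web Service", ["exfiltration"]),
    "T1490": ("Inhibit System Recovery", ["impact"]),
    "T1486": ("Data Encrypted for Impact", ["impact"]),
}

# CONSTRUCTED detection inventory, shaped like a rule export from a SIEM/XDR.
DETECTIONS = [
    {"name": "Phishing URL click (email gateway)", "techniques": ["T1566"]},
    {"name": "Suspicious PowerShell (EDR)", "techniques": ["T1059"]},
    {"name": "LSASS memory access (EDR)", "techniques": ["T1003"]},
    {"name": "Impossible travel sign-in (identity)", "techniques": ["T1078"]},
    {"name": "Mass file rename/encrypt (EDR)", "techniques": ["T1486"]},
]

# CONSTRUCTED priority list: techniques behind the common extortion pattern the deck
# describes (gaining admin privileges, then denying recovery and encrypting data).
RANSOMWARE_PRIORITY = ["T1078", "T1003", "T1021", "T1562", "T1490", "T1486"]


def coverage_by_technique(techniques, detections):
    """Map every in-scope technique id to the detection rules that claim it."""
    covered = {tid: [] for tid in techniques}
    for rule in detections:
        for tid in rule["techniques"]:
            if tid in covered:  # rules for techniques outside scope are ignored
                covered[tid].append(rule["name"])
    return covered


def pete_summary(techniques, detections):
    """Return {stage: (covered, total)}, counting each technique once per stage."""
    covered = coverage_by_technique(techniques, detections)
    per_stage = defaultdict(set)
    for tid, (_, tactics) in techniques.items():
        for tactic in tactics:
            per_stage[TACTIC_TO_PETE[tactic]].add(tid)
    return {stage: (sum(1 for tid in per_stage[stage] if covered[tid]),
                    len(per_stage[stage])) for stage in PETE_ORDER}


def prioritized_gaps(techniques, detections, priority):
    """Technique ids with no detection: priority techniques first, then by id."""
    covered = coverage_by_technique(techniques, detections)
    gaps = [tid for tid in techniques if not covered[tid]]
    return sorted(gaps, key=lambda tid: (tid not in priority, tid))


def report(techniques, detections, priority):
    """Plain-text summary suitable for a non-technical audience (PETE) plus the gap list."""
    lines = ["Detection coverage by PETE stage (covered/total techniques):"]
    for stage, (c, t) in pete_summary(techniques, detections).items():
        lines.append(f"  {stage}: {c}/{t}")
    lines.append("Visibility gaps to plan for (ransomware-relevant first):")
    for tid in prioritized_gaps(techniques, detections, priority):
        flag = " PRIORITY" if tid in priority else ""
        lines.append(f"  {tid} {techniques[tid][0]}{flag}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(TECHNIQUES, DETECTIONS, RANSOMWARE_PRIORITY))
```

On the constructed inventory the output shows ENTER fully covered while TRAVERSE (2 of 6) and PREPARE (0 of 2) are mostly blind, and the first gaps it lists are lateral movement, inhibiting recovery and impairing defenses, which is exactly the "admin privileges plus denying recovery" pattern the slide says to defend first. Counting a technique once per stage matters because techniques such as Valid Accounts span several tactics; without that, one rule would inflate several stages at once.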
What’s in Microsoft 365 E5
Product Licensing Details – December 2023 – https://aka.ms/MCRA

Product Name | Product Category(ies) | Security Modernization Initiative(s) | Previous Product Names
Microsoft Defender for Endpoint (MDE) | Extended Detection and Response (XDR); Endpoint Detection and Response (EDR); Threat and Vulnerability Management (TVM) | Modern Security Operations; Infrastructure and Development | Formerly Microsoft Defender ATP, Windows Defender ATP
Windows Defender Antivirus | Endpoint Protection Platforms (EPP) | Security Hygiene: Backup and Patching | –
Microsoft Defender for Identity (MDI) | Extended Detection and Response (XDR) | Modern Security Operations | Formerly Azure ATP
Microsoft Defender for Office (MDO) | Extended Detection and Response (XDR) | Modern Security Operations | Formerly Office 365 ATP
Microsoft Defender for Cloud Apps (MDCA) | Cloud App Security Broker (CASB); Extended Detection and Response (XDR) | Secure Identities and Access; Modern Security Operations; Data Security & Governance | Formerly Microsoft Cloud App Security
Entra ID | Access Management: Multifactor Authentication; Microsoft Entra Conditional Access; Self-service password management; Identity Governance; Privileged Identity Management (PIM) | Secure Identities and Access; Modern Security Operations | Formerly Azure AD
Microsoft Purview | Compliance Management; Data Lifecycle Management; eDiscovery and auditing; Insider Risk Management | Data Security & Governance | –
Windows 10 & Windows 11 | Windows Hello for Business; Windows AutoPilot; Advanced Windows Security | Secure Identities and Access | –
Microsoft Intune | Unified Endpoint Management (UEM) | Secure Identities and Access | –
Product Families Enable Modernization Initiatives
Security Strategy and Program
Zero Trust Architecture
Initiatives: Secure Identities and Access | Infrastructure & Development Security | IoT and OT Security | Modern Security Operations (SecOps/SOC) | Data Security & Governance
Product families: Entra | Defender | Purview | Security Copilot (Preview) | Intune | Azure | Sentinel | Priva
Typical ‘Flat’ Network
Office | Azure
Open Internet – Provided by someone else
Privileged Access Workstations (PAWs)
Managed CORP – All corporate devices and access; spans on-premises & multi-cloud environments
Zero Trust – Client Security Transformation
Office | Azure
Open Internet – Provided by someone else
User Access Devices
• Managed Devices – Security based on explicit validation of trust signals on any network
• Managed Virtual Desktop – for unmanaged device scenarios like BYOD, partners, and visitors (often cloud hosted)
• Privileged Access Workstations (PAWs) – Managed devices with strict security enforced via cloud policy enforcement
Unmanaged Internet – Basic network monitoring for guests, partners, new/unmanaged devices
Managed Internet – Monitored network for validated devices to communicate peer to peer (patching, collaboration, etc.)
Validated Resource Access – All devices can access the internet; managed and compliant devices can access corporate resources
Managed CORP – Limited general client access; spans on-premises & multi-cloud environments
Zero Trust – App Access for Clients
Office | Azure
Open Internet – Provided by someone else
User Access Devices
• Managed Devices – Security based on explicit validation of trust signals on any network
• Managed Virtual Desktop – for unmanaged device scenarios like BYOD, partners, and visitors (often cloud hosted)
• Privileged Access Workstations (PAWs) – Managed devices with strict security enforced via cloud policy enforcement
Unmanaged Internet – Basic network monitoring for guests, partners, new/unmanaged devices
Published Applications – Secure access from anywhere via Microsoft Entra application proxy
VPN Access – Fallback access + app usage discovery
Managed Internet – Monitored network for validated devices to communicate peer to peer (patching, collaboration, etc.)
Validated Resource Access – All devices can access the internet; managed and compliant devices can access corporate resources
Managed CORP – Limited general client access; spans on-premises & multi-cloud environments
Zero Trust – Network Segment Transformation
Office | Azure
Open Internet – Provided by someone else
User Access Devices
• Managed Devices – Security based on explicit validation of trust signals on any network
• Managed Virtual Desktop – for unmanaged device scenarios like BYOD, partners, and visitors (often cloud hosted)
• Privileged Access Workstations (PAWs) – Managed devices with strict security enforced via cloud policy enforcement
Controlled / Sensitive Devices – Don’t Firewall and Forget
• Business Critical and/or Legacy/Vulnerable Assets
• Sensitive Business Units/Apps
• High Impact IoT/OT
• IoT/OT With Life/Safety Impact
• Low Impact IoT/OT – Printers, VoIP phones, etc.
Unmanaged Internet – Basic network monitoring for guests, partners, new/unmanaged devices
Managed Internet – Monitored network for validated devices to communicate peer to peer (patching, collaboration, etc.); Microsoft Entra application proxy
Validated Resource Access – All devices can access the internet; managed and compliant devices can access corporate resources
Specialized Segments – Isolate well-defined life/safety and business-critical assets (as possible)
Managed CORP – Spans on-premises & multi-cloud environments
End State – Secure Identities and Access
Full Adaptive Access bridging both worlds and fulfilling Zero Trust and SASE visions
Differentiated Identities
• Privileged Accounts – Business critical system users, developers, admins
• Specialized Accounts – Sensitive system users, developers, & admins
• Enterprise Accounts – Employee, Partner
• Anonymous and Consumer identities
Adaptive Access Control – Grants access based on explicitly verified trust and organizational policy
Differentiated Devices
• Managed Devices: Privileged Devices, Specialized Devices, Enterprise Devices
• Unmanaged devices – BYOD, partners, etc.
Differentiated Resources
• Sanctioned and Managed Services
• Internet and Unsanctioned/Unmanaged Apps
• Private and Managed Apps in the cloud or on-premises
Network Segments (figure labels): Sensitive Business Units/Apps; Business Critical Segments; IoT/OT With Life/Safety Impact; High Impact IoT/OT; Low Impact IoT/OT (Printers, VoIP phones, etc.)
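The end-state slide describes adaptive access control as a decision over differentiated identities, devices and resources, granted only on explicitly verified trust signals and organizational policy. The block below is an added example of such a policy evaluation, not code from the MCRA deck or from Microsoft. The tier names follow the slide (privileged / specialized / enterprise accounts and devices; sanctioned services, internet apps, private apps; unmanaged devices routed through a managed virtual desktop), but the concrete rules, the risk levels, the compliance signal and the sample requests are constructed assumptions; a production system would take these signals from the identity provider, device management and risk scoring rather than from a request object.

```python
"""Adaptive access decisions over differentiated identities, devices and resources.

Added example for the 'End State - Secure Identities and Access' slide; it is
not code from the MCRA deck or from Microsoft. Tier names follow the slide; the
rules, risk levels and sample requests are constructed assumptions.
"""
from dataclasses import dataclass

# Ordered trust tiers: a higher index means more trust has been established.
IDENTITY_TIERS = ("anonymous", "consumer", "enterprise", "specialized", "privileged")
DEVICE_TIERS = ("unmanaged", "enterprise", "specialized", "privileged")
RESOURCE_TYPES = ("internet_app", "sanctioned_service", "private_app")
RISK_LEVELS = ("low", "medium", "high")


@dataclass(frozen=True)
class AccessRequest:
    identity_tier: str      # one of IDENTITY_TIERS
    device_tier: str        # one of DEVICE_TIERS ("unmanaged" covers BYOD, partners, visitors)
    device_compliant: bool  # assumed compliance signal from device management
    sign_in_risk: str       # one of RISK_LEVELS, assumed identity risk score
    resource_type: str      # one of RESOURCE_TYPES
    resource_tier: str      # minimum identity tier the resource demands (from IDENTITY_TIERS)


def decide(req: AccessRequest) -> str:
    """Return ALLOW, STEP_UP (require MFA), VDI (route via managed virtual desktop) or DENY.

    Every signal is verified explicitly; nothing is trusted because of the network
    the request came from, which is the deck's Zero Trust premise.
    """
    if req.resource_type not in RESOURCE_TYPES or req.sign_in_risk not in RISK_LEVELS:
        raise ValueError("unknown resource type or risk level")
    id_rank = IDENTITY_TIERS.index(req.identity_tier)   # ValueError on unknown tier
    dev_rank = DEVICE_TIERS.index(req.device_tier)

    # Assumed rule: a high-risk sign-in is blocked regardless of tier.
    if req.sign_in_risk == "high":
        return "DENY"
    # Slide: "All devices can access internet".
    if req.resource_type == "internet_app":
        return "ALLOW"
    # Anonymous and consumer identities get no corporate resources.
    if id_rank < IDENTITY_TIERS.index("enterprise"):
        return "DENY"
    # Least privilege per resource: the identity must meet the resource's required tier.
    if id_rank < IDENTITY_TIERS.index(req.resource_tier):
        return "DENY"
    # Slide: unmanaged devices reach corporate resources only through a managed
    # virtual desktop; restricting that path to enterprise accounts is assumed.
    if req.device_tier == "unmanaged":
        return "VDI" if req.identity_tier == "enterprise" else "DENY"
    # Device tier must match or exceed identity tier: privileged accounts only from PAWs.
    if dev_rank < DEVICE_TIERS.index(req.identity_tier):
        return "DENY"
    # Slide: only managed AND compliant devices can access corporate resources.
    if not req.device_compliant:
        return "DENY"
    # Assumed rule: medium risk on an otherwise valid request requires step-up auth.
    if req.sign_in_risk == "medium":
        return "STEP_UP"
    return "ALLOW"


# CONSTRUCTED sample requests covering the main branches of the policy.
SAMPLE_REQUESTS = [
    AccessRequest("enterprise", "enterprise", True, "low", "sanctioned_service", "enterprise"),
    AccessRequest("enterprise", "unmanaged", False, "low", "private_app", "enterprise"),
    AccessRequest("privileged", "enterprise", True, "low", "private_app", "privileged"),
    AccessRequest("privileged", "privileged", True, "medium", "private_app", "privileged"),
    AccessRequest("anonymous", "unmanaged", False, "low", "internet_app", "enterprise"),
    AccessRequest("enterprise", "enterprise", False, "low", "sanctioned_service", "enterprise"),
]


def evaluate_all(requests):
    """Return the decision for each request, in order."""
    return [decide(r) for r in requests]


if __name__ == "__main__":
    for req, verdict in zip(SAMPLE_REQUESTS, evaluate_all(SAMPLE_REQUESTS)):
        print(f"{verdict:8} {req.identity_tier} account on {req.device_tier} device "
              f"-> {req.resource_type}")
```

The order of the checks is the design point: risk and resource type are evaluated before tiers, so an anonymous visitor still reaches internet apps while a privileged admin on an ordinary enterprise laptop is refused a privileged resource even with a compliant device and a low-risk sign-in. That is the slide's PAW requirement expressed as policy rather than as network placement.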
Evolution of Computer Interfaces
Progressively becoming more natural/native human models
Axes: ability (and speed) to accomplish advanced tasks versus skills and learning required to become productive, ranging from Native Computer to Native Human
Direct programming → Command Prompt → Graphical User Interface (GUI) → Chat/Conversation using generative AI
Key Implications of AI for Security
Multiple dimensions of security risk to manage
Machine Learning (ML) already processes security data – Integrated into XDR, SIEM, posture management, and other tools
• Adopt AI Security Capabilities – Adopt generative AI capabilities to enhance cyber defenses and human skills (e.g. Security Copilot)
• Mitigate Attacker AI – Continuously learn about attacker AI to protect against it and educate stakeholders
• Protect AI Applications & Data – Integrate security from design to production:
  • Education & Policy
  • Data – Human generated data is a high value asset for training AI models
  • Systems – Protect custom models from attacks
  • AI App Design & Usage
  • Use of External AI
AI Shared Responsibility Model
Illustrates which responsibilities are typically performed by an organization and which are performed by their AI provider (such as Microsoft)
Deployment models compared: IaaS (BYO Model) | PaaS (Azure AI) | SaaS (Copilot)
AI Usage layer: User Training and Accountability; Usage Policy, Admin Controls; Identity, Device, and Access Management; Data Governance
AI Application layer: AI Plugins and Data Connections; Application Design and Implementation; Application Infrastructure; Application Safety Systems
AI Platform layer: Model Safety & Security Systems; Model Accountability; Model Tuning; Model Design & Implementation; Model Training Data Governance; AI Compute Infrastructure
Legend: Microsoft | Shared | Customer | Model Dependent
Microsoft Approach
Focused on responsible rapid integration of technology
• Establish clarity: Your data is your data
• Implement responsible AI principles
• Prioritize greatest needs and opportunities for security
Review – Artificial Intelligence (AI)
• Dynamic conversational chat is a new interface
  • Makes technology easier to use and learn
  • Enables people to do more advanced tasks
• Critical to adapt quickly to this technology
  • Educate on and mitigate attacker use of AI
  • Embrace security use of AI
  • Protect business use of AI
• Securing AI is a shared responsibility
• Microsoft Approach to AI
  • Establish clarity: your data is your data
  • Implement responsible AI principles
  • Focus initial security priorities on greatest needs