January 04, 25
Slide overview
January 4, 2025
M365 Security & Zero Trust Study Group 21 - connpass https://m365security.connpass.com/event/340553/
Playlist of MS Ignite 2024 security sessions #Security - Qiita https://qiita.com/ishiayaya/items/ac42a8b00ec8bc911df0
Microsoft MVP for Data Platform - Power BI https://fb.me/ishiayaya Microsoft 365 E5 and Power BI are my recent favorites. Qiita https://ishiayaya.net/qiita Slide https://ishiayaya.net/dw https://ishiayaya.net/sd YouTube https://ishiayaya.net/yt
Disclaimer etc.: The opinions are the personal views of me, Yoichi Ishikawa. They may include a shallow understanding of features, mistakes, etc.
youtube.com/@YoichiIshikawa Yoichi Ishikawa @ishiayaya • Microsoft MVP for Data Platform (Power BI), Security (SIEM & XDR) • Since July 2022: Ant Capital Partners Co., Ltd. • ISACA Tokyo Chapter Vice President and Director • Power BI, Power Platform, M365 Defender • Lives in Machida, Tokyo; from Okunaka, Toyama (富山・奥中) • Has an ICD (an IoT device) implanted in his heart • Community: M365 Security & Zero Trust Study Group • Collaboration community: Power BI Weekly News with Yugo and Suto
• Reactions (emoji etc.) and chat comments are welcome • Put [Q] at the start of questions in the chat • Raise your hand (挙手) if you want to speak (but please keep it brief) • Important topics may go off on tangents • Since we're here, let's enjoy it • With gratitude: welcome
• The recording will be published on YouTube. • If there are slides, they will be shared afterwards. • The hashtag is "#m365sec".
〇 Today's agenda: Microsoft Security-related, a look back at the end of 2024. Ending around 8:30 pm. Next session planned for February 11 (Tue, public holiday); theme: "Let's read the Microsoft Digital Defense Report (MDDR) 2024". First, icebreaker & recent topics.
Lots of cyber attack news recently • piyolog • Follow-up on the crypto asset incident; airlines, banking and others • d POINT
Qiita Advent Calendar 2024 Microsoft Security - Qiita Advent Calendar 2024 - Qiita
What I want to convey today 1
What I want to convey today 2 • Security should be friends with AI (the bad guys use it heavily; use it well where it helps) • Security is a team sport (Security is a Team Sport) • Make AI a teammate
Security is a Team Sport
MS Ignite 2024, Nov 19–23, 2024 • Book of News • Session scheduler on the site • Resources on each page • YouTube playlist > Excel > Qiita, Power BI report • PowerPoint summaries • YouTube transcript > Word > translation • Into readable Japanese > ChatGPT 4o mini
https://bit.ly/MSIgnite2024Sec
BRK333 is the session code of the source (searchable on the Ignite site or YouTube, etc.). All slides from here on are quotations from Ignite sessions.
BRK333 Adversaries will use GenAI in creative ways Customizing exploits Malware generation Automated vulnerability discovery Phishing and social engineering Password cracking Command and control communication Disguising malicious code Deepfakes: data, email, voice
Generative-AI threat landscape Generative AI app BRK312
Trends in 2024 BRK332 Unaddressed internet attack paths Unaddressed identity attack paths Increase in cybercrime Token replay attacks of attack paths involve internet exposure of attack paths involve identity compromise password attacks per second in 2024 increase since 2023
BRK321 your security with Copilot 1. Generative AI and Security Operations Center Productivity, November 2024 30%
BRK333 Microsoft is prioritizing security above all else
BRK333 For Microsoft, security is job 1 …prioritizing security above all else is critical to our company’s future” Outcomes A More Resilient and Transparent Microsoft Satya Nadella Chairman and CEO Advanced Security Tools Principles of Microsoft’s Secure Future Initiative Security comes first when designing any product or service Security protections are enabled and enforced by default, require no extra effort, and are not optional Security controls and monitoring will continuously be improved to meet current and future threats
Microsoft Secure Future Initiative Report Inactive tenants were eliminated Eliminating unused apps from our production and productivity tenants New production-ready locked-down devices Physical assets on the production network are recorded in a central inventory system, of physical assets, infrastructure, and production network access controls, enriching ownership and compliance tracking. of our production is now using centrally governed pipeline templates, making builds more consistent, efficient, and trustworthy Secure future initiative Microsoft. Available at: https://www.microsoft.com/en-us/trust-center/security/secure-future-initiative (2024). BRK333 aka.ms/SecureFutureInitiative
BRK319 Imagine a world Workflows Autonomous Threats Neutralized Policies Decisions Satisfaction Compliant Strategic Thriving
Defenders need BRK307 ! ! ! ! ! 1. IBM: Cost of a Data Breach
BRK307 Cyber skills and promptbooks Evergreen threat intelligence Plugins Security-specific orchestrator Hyperscale infrastructure
BRK307 your security with Copilot 1. Generative AI and Security Operations Center Productivity, November 2024 30%
BRK307 Enrich analysis with unified TI Accelerate threat hunting Cloud risk exploration and remediation Firewall attack summarization
Prepare for the shift in Start Security Copilot trial/POC Explore prompt library/develop prompt engineering skills BRK307 Leverage Security Copilot automation with Sentinel & Defender XDR Use Copilot with Purview, Intune, Entra and 3P plugins Keep up with the latest AI trends in security and IT
BRK307
BRK313
BRK313 (figure: timeline comparison, 8 seconds vs. 25 seconds)
Purview Data Security BRK317 Strengthen data security across the digital estate Information Protection Automatically discover and classify sensitive data Create effective protection and prevention policies Discover and respond to hidden data usage risks Adaptive Protection Data Loss Prevention Insider Risk Management
BRK318 Common causes of oversharing Site privacy set to public Default sharing option is everyone Use of “everyone except external users” domain group Broken permission inheritance Sites and files without sensitivity labels
Organizations are exposed BRK324
BRK319 Blog: Microsoft recognized as a leader in the 2024 Gartner® Magic Quadrant for Desktop as a Service for the second year in a row Link to other session *Gartner, Magic Quadrant for Desktop as a Service, Stuart Downes, Craig Fisler, Sunil Kumar, Eri Hariu, Mark Margevicius, Tony Harvey, 5 September 16, 2024.
BRK319 purpose-built by Microsoft to connect securely to Windows 365 in seconds.
BRK319 Cloud-powered performance Secure by design Simplified IT management Learn more at aka.ms/IgniteBRK289
BRK320 AI’s Role In Shaping the future of IT Natural language data exploration for faster insights and streamlined actions. 360° insights for user persona across products to make informed decisions. Collaborative environment where AI handles tasks, humans focus on strategy.
BRK320 Explore your data using natural language, get a dynamic view across devices, users, applications and other entities and go from insights to actions in less than the time it took you to read this slide! “Connecting your business intent to the data schema” – Michael Wallent, CVP, Management
Building AI solutions with Copilot Studio and Azure AI BRK322 Copilot Rapid time to solution Control and customization Low Code AI Pro Code AI Rapid authoring environment Integrated into GitHub, Visual Studio Fully managed SaaS stack Complete control of the stack Copilot Studio Azure AI Copilot & AI Stack Copilot Devices
BRK327 Microsoft Fabric Data Factory Analytics Databases Real-Time Intelligence AI OneLake Microsoft Purview Power BI Industry Solutions Partner workloads
Responsible data innovation in the era of AI BRK327 Fabric Purview Unified data + analytics platform Unified security + governance
BRK334 Microsoft Purview Integrated solutions to secure & govern your data Data security Data governance Data compliance Secure data across its lifecycle, wherever it lives Responsibly unlock value creation from data Manage critical risks and regulatory requirements Data Loss Prevention Insider Risk Management Information Protection Data Discovery Data Quality Data Curation Data Estate Insights Compliance Manager eDiscovery and Audit Communication Compliance Data Lifecycle Management Records Management Unstructured & Structured data Traditional and AI generated data Shared capabilities Data Map, Data Classification, Data Labels, Audit, Data Connectors Microsoft 365 and Azure data
BRK334 Strengthen data security with an integrated approach Automatically discover, classify and label sensitive data, and prevent its unauthorized use across apps, services, and devices. Information Protection Understand the user intent and context around the use of sensitive data to identify the most critical risks Enable Adaptive Protection to assign high-risk users to appropriate DLP, Data Lifecycle Management, and Entra Conditional Access policies Data Loss Prevention Insider Risk Management Support for hybrid, Cloud, SaaS, and devices | Partner ecosystem
Microsoft Purview can help… BRK334 Discover risks to sensitive data Protect and prevent data loss Investigate and mitigate risks New visibility into data security posture management and into data risks coming from the usage of GenAI apps. Bringing new capabilities into existing Purview solutions to strengthen data security and protect AI Increasing the integration between data security and the SOC experience
BRK328 Top Security Controls for each initiative Prioritization Criteria: Simple Implementation, Low Cost, High Impact Security Adoption Framework aka.ms/saf Security Documentation aka.ms/SecurityDocs Top Priority - Disaster Recovery and Backup/Restore Recover business critical systems if ransomware takes down everything All Users 1. Strong Authentication (Strong MFA, Passwordless) 2. Conditional Access Privileged Administrators 1. Local Admin Password Solution (LAPS) 2. Privileged Identity Management (PIM) XDR Detection for Primary Entry points: 1. Email 2. Endpoint 3. Identity Find and Fix Vulnerabilities: 1. Security Posture Management a. Implement Tooling Protect most important + easiest to secure resources (typically cloud hosted files) b. Establish Responsibilities and Processes 2. Extend to applications/ development, compliance reporting, and more 1. Discover and Monitor OT & IoT Devices 2. Protect (and Isolate) IoT and OT Devices Discover Monitor Increase security of devices: Classify Protect Note: More controls are recommended for larger organizations
BRK328 Key Takeaways 1 2 3 ZTAF MCRA SAF
Top Controls – Identities and Access (BRK328)
All users
• Strong Authentication (Strong MFA, Passwordless)
  • Attackers can rapidly and easily use stolen passwords to access your business assets
  • Multifactor authentication reduces the risk of account takeover by over 99 percent
  • Average cost for stolen passwords is $0.97 per 1k
  • Documentation: aka.ms/mfa Requires: Enable Security Defaults (not configurable) or Microsoft Entra ID P1 (configurable with Conditional Access)
• Conditional Access and device management/measurement
  • Attackers can compromise your assets through common attack techniques including: compromised or vulnerable user devices; token theft and other advanced identity attacks
  • Organizations need to integrate & customize policies
  • Documentation: aka.ms/ca Requires: Microsoft Entra ID P2 (P1 has some functionality)
  • Device Documentation: aka.ms/IntuneDocs Requires: Microsoft Intune and Defender for Endpoint
Privileged Administrators
• Local Admin Password Solution (LAPS)
  • Attackers can steal the local admin password (hash) from any Windows computer, and use it to access other computers with that same password (common configuration for managed PCs)
  • Documentation: aka.ms/LAPS Requires: Entra ID (any), Intune (Plan 1), and any Windows version after April 11, 2023 (10/11 or Server 2019/2022)
  • Note: Legacy Microsoft LAPS is being retired (support expires with legacy operating systems)
• Privileged Identity Management (PIM)
  • Attackers can rapidly take over privileged accounts using lateral movement attack techniques
  • Organizations struggle to provide basic discovery and management of privileged access
  • Notes: Administrators should have a separate administrative account for privileged tasks; next priority is Privileged Access Workstation (PAW) and separation of cloud vs. on-premises admins as part of Securing Privileged Access (SPA)
  • Documentation: aka.ms/PIMdocs Requires: Microsoft Entra ID P2 or Microsoft Entra ID Governance
Top Controls – Security Operations (SecOps/SOC) (BRK328)
The initial access for most major (multi-stage) attacks is from identity, email, and/or endpoint attack techniques. Without integrated Extended Detection and Response (XDR) tools for email, endpoint, and identity:
• Security analysts must perform investigation tasks using slow manual procedures
• Giving attackers more time to operate (increasing impact and likelihood of damage)
Email Threat Detection and Response – Microsoft Defender for Office
• Documentation: aka.ms/deployMDO Requires: Defender for Office (Microsoft 365 E5)
Endpoint Detection and Response – Microsoft Defender for Endpoint
• Documentation: aka.ms/deployMDE Requires: Defender for Endpoint Plan 2 (Microsoft 365 E5)
• Note: Some of these capabilities are available for smaller organizations in Defender for Business
Identity Threat Detection and Response – Microsoft Defender for Identity / Entra ID Protection
• Documentation: aka.ms/deployMDI Requires: Microsoft Entra ID P2 (Entra ID Protection) and Microsoft Defender for Identity (on premises) (Microsoft 365 E5 includes both)
Next priorities for most organizations are
• Increasing XDR coverage to cloud assets with Microsoft Defender for Cloud
• Vendor/community-provided and custom detections with a SIEM like Microsoft Sentinel
Top Controls - Data Security & Governance (BRK328)
Business critical assets often include intellectual property, unpatented trade secrets, and other forms of data. Regulators often require organizations to protect personal information they possess on their customers, employees, partners, and others. Organizations often don't have a clear understanding of what data they own, its lineage, its value, or who can access it. Additionally, Generative Artificial Intelligence (AI) is dramatically changing the nature of data security:
• Increasing the value of human generated data
• Increasing the risk of inadvertent disclosure or use through AI-enabled applications with weak security controls
Discover – Discover your data estate: understand what data you have
Classify – Classify your data: enable consistent controls for similar data
Protect – Protect your data: focus on regulated and business critical assets (which increases attacker focus on it); start the lifecycle and prioritize the most important + easiest to secure resources
Monitor – Monitor your data: establish responsibility and processes
Documentation: Protect your sensitive data with Microsoft Purview Requires: Microsoft 365 E5
Note: Many cloud hosted files (unstructured data) are automatically discovered via Microsoft Graph
Security Resources (BRK328)
Security Strategy and Program
• Security Adoption Framework aka.ms/saf
• CISO Workshop aka.ms/CISOworkshop | -videos
• Cloud Adoption Framework (CAF) aka.ms/cafsecure
• Security Documentation aka.ms/SecurityDocs
Driving Business Outcomes Using Zero Trust
• Microsoft Cybersecurity Reference Architectures (MCRA)
• Rapidly modernize your security posture for Zero Trust
• Secure remote and hybrid work with Zero Trust
• Identify and protect sensitive business data with Zero Trust
• Meet regulatory and compliance requirements with Zero Trust
• Ransomware and Extortion Mitigation - aka.ms/humanoperated
• Backup and restore plan to protect against ransomware - aka.ms/backup
• Zero Trust Deployment Guidance - aka.ms/ztguide | aka.ms/ztramp
Zero Trust Architecture
• NIST NCCoE Project Page - Implementing a Zero Trust Architecture
• Blog post (including diagram with Microsoft products)
• Zero Trust Commandments Standard - https://publications.opengroup.org/c247
• Zero Trust Reference Model - https://publications.opengroup.org/s232
• Security Principles for Architecture - https://publications.opengroup.org/c246
Secure Identities and Access
• Securing Privileged Access (SPA) Guidance aka.ms/SPA
• Access Control Discipline
• Ninja Training: Microsoft Defender for Identity aka.ms/mdininja
• MCRA Video: Zero Trust User Access
• Microsoft Entra Documentation aka.ms/entradocs
Modern Security Operations (SecOps/SOC)
• Incident Response - aka.ms/IR
• CDOC Case Study - aka.ms/ITSOC
• Ninja Training: Microsoft 365 Defender aka.ms/m365dninja, Microsoft Defender for Office 365 aka.ms/mdoninja, Microsoft Defender for Endpoint aka.ms/mdeninja, Microsoft Cloud App Security aka.ms/mcasninja, Microsoft Sentinel
• MCRA Videos: Security Operations, SecOps Integration
Infrastructure & Development Security
• Microsoft Cloud Security Benchmark (MCSB) aka.ms/benchmarkdocs
• Well Architected Framework (WAF) aka.ms/wafsecure
• Azure Security Top 10 aka.ms/azuresecuritytop10
• Ninja Training: Defender for Cloud
• Defender for Cloud Documentation
• MCRA Video: Infrastructure Security
Data Security & Governance
• Secure data with Zero Trust
• Ninja Training: Microsoft Purview Information Protection aka.ms/MIPNinja, Microsoft Purview Data Loss Prevention aka.ms/DLPNinja, Insider Risk Management
• Microsoft Purview Documentation aka.ms/purviewdocs
• MCRA Videos
IoT and OT Security
• Ninja Training: Defender for IoT Training
• Defender for IoT Documentation aka.ms/D4IoTDocs
• MCRA Video: OT & IIoT Security
Product Capabilities
• www.microsoft.com/security/business
• Security Product Documentation: Azure | Microsoft 365
• Microsoft Security Response Center (MSRC) www.microsoft.com/en-us/msrc