Office 365 Advanced Security Management

Presentation transcript:

Office 365 Advanced Security Management

CHANGE IS CONSTANT
People’s work expectations
Evolving threat landscape
Industry regulations and standards

We all know that change is constant; the only thing that does not change is change. And we have seen that people’s work expectations have really changed a lot. They want to bring their own device to work. They want to have easy access to information wherever they are and from whatever device they have. When you think about securing company data, there is also an evolving threat landscape. The way that hackers are approaching hacking has really changed, and so the ways that we need to protect ourselves have also changed. And lastly, industry regulations and standards have not only changed but also increased. With things like cloud computing, we see people ask how the existing and new industry regulations and standards that companies have to comply with apply to this new world where customers don’t have the computing resources on premises.

Security Challenges
73% of enterprises indicated security as a top challenge holding back SaaS adoption
80%+ of employees admit to using non-approved SaaS apps in their jobs
75%+ of all network intrusions are due to compromised user credentials
87% of senior managers admit to regularly uploading work files to a personal email or cloud account
200+: the median number of days that attackers reside within a victim’s network before detection

Many of these issues have influenced how organizations look at SaaS solutions. For example, we have heard that 73% of enterprises indicated security as a top challenge holding back SaaS adoption. At Microsoft we try to help alleviate these concerns and we will talk more about this in a minute. We also know that 80% of employees admit to using non-approved SaaS apps in their jobs and 87% of senior managers admit to regularly uploading work files to a personal email or cloud account. We have also heard that 75%+ of all network intrusions are due to compromised user credentials and that, once someone is in, the median number of days that attackers reside within a victim’s network before detection is over 200. Many organizations tell us that they have limited, if any, visibility and lack the controls necessary to help solve issues like these.

Sources:
Cloud Security Alliance (CSA) survey, Cloud Adoption, Practices and Priorities Survey Report 2015 - https://downloads.cloudsecurityalliance.org/initiatives/surveys/capp/Cloud_Adoption_Practices_Priorities_Survey_Final.pdf
http://www.computing.co.uk/ctg/news/2321750/more-than-80-per-cent-of-employees-use-non-approved-saas-apps-report
87% quote is from: http://www.strozfriedberg.com/wp-content/uploads/2014/01/Stroz-Friedberg_On-the-Pulse_Information-Security-in-American-Business.pdf
200+ days quote is from Microsoft Consulting Services & Mandiant.
75%+ quote is from http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigations-report-2013_en_xg.pdf

© 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

ADVANCED SECURITY MANAGEMENT
Enhanced visibility and control for Office 365
Threat Detection: Identify high-risk and abnormal usage, security incidents, and threats
Enhanced Control: Shape your Office 365 environment with granular security controls and policies
Discovery and Insights: Gain enhanced visibility and context into your Office 365 usage and shadow IT – no agents required.

To help organizations with this problem we built Office 365 Advanced Security Management, which provides you with enhanced visibility and control into your Office 365 environment. At a high level, it does this in three ways. You get the ability to detect threats by helping you identify high-risk and abnormal usage, security incidents, and threats. Advanced Security Management also provides you with enhanced control by leveraging granular controls and security policies that can help you shape your Office 365 environment. You also get enhanced visibility and context into your Office 365 usage and shadow IT through the discovery and insights that the solution provides, all without installing an endpoint agent. Let’s go a bit deeper into each one of these areas, starting with how we give you the ability to detect threats.

THREAT DETECTION
INSIGHT INTO POTENTIAL BREACHES: Identify anomalies in your Office 365 environment which may be indicative of a breach
ASSESS YOUR RISK: Leverage behavioral analytics to assess risk
Leverage Microsoft’s threat intelligence: Identify known attack pattern activities originating from risky sources leveraging Microsoft’s threat intelligence

To provide the threat detection that some organizations are looking for, Advanced Security Management gives you a robust policy and alerting engine that provides insight into potential breaches by letting you set up anomaly detection policies for your Office 365 environment. Anomalies are detected by scanning user activity and evaluating its risk. The risk is determined by looking at over 70 different indicators. Some of the risk factors are things like: login failures, administrator activity, inactive accounts, location, impossible travel, and device and user agent.

Setting up an anomaly detection policy is fairly straightforward. Most of the work is deciding which of the risk factors, if not all, you want to monitor for, the sensitivity of the policy, and the maximum number of daily alerts you want to receive. The reason you might want to limit the number of alerts is that an anomaly might not be an issue. For example, if your company opens up a new office, Advanced Security Management may see all the new logins from that office as an anomaly until it learns that this is normal.

Advanced Security Management also leverages behavioral analytics as part of anomaly detection to assess risk in what your users are doing. It does this by understanding how the user interacts with Office 365 on a daily basis. Once it has this baseline it can then determine if a user’s activity/session is suspicious and give it a risk score to help you determine, as part of your investigation, if you should take further action.

Advanced Security Management is also enhanced with the vast amount of threat intelligence information that Microsoft has. Microsoft’s unique insights into the threat landscape, informed by trillions of signals from billions of sources, uniquely position it to better protect customers and their data.
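Impossible travel is one of the risk factors named above. The following is an added example, not code from the presentation or from Advanced Security Management: it flags consecutive sign-ins by the same user whose implied travel speed exceeds a ceiling. The event fields, the 900 km/h ceiling and the 100 km jitter floor are assumptions, and the sign-ins are constructed.

```python
import math
from datetime import datetime

MAX_SPEED_KMH = 900.0    # assumed ceiling: roughly airliner cruising speed
MIN_DISTANCE_KM = 100.0  # assumed floor: ignore IP-geolocation jitter

# Constructed sample sign-ins: (user, UTC timestamp, latitude, longitude)
SIGN_INS = [
    ("alice", "2016-06-01T08:00:00", 47.61, -122.33),  # Seattle
    ("alice", "2016-06-01T09:30:00", 51.51, -0.13),    # London, 1.5 h later
    ("bob",   "2016-06-01T08:00:00", 40.71, -74.01),   # New York
    ("bob",   "2016-06-01T16:00:00", 51.51, -0.13),    # London, 8 h later
    ("carol", "2016-06-01T08:00:00", 47.61, -122.33),  # Seattle
    ("carol", "2016-06-01T08:20:00", 47.67, -122.12),  # Redmond, nearby
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on Earth, in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def impossible_travel(sign_ins, max_speed=MAX_SPEED_KMH, min_km=MIN_DISTANCE_KM):
    """Return one finding per pair of consecutive sign-ins that is too fast."""
    findings = []
    last = {}  # user -> (time, lat, lon) of that user's previous sign-in
    for user, ts, lat, lon in sorted(sign_ins, key=lambda e: (e[0], e[1])):
        when = datetime.fromisoformat(ts)
        if user in last:
            p_when, p_lat, p_lon = last[user]
            km = haversine_km(p_lat, p_lon, lat, lon)
            hours = (when - p_when).total_seconds() / 3600
            # Simultaneous sign-ins from distant places count as infinite speed.
            speed = float("inf") if hours == 0 else km / hours
            if km >= min_km and speed > max_speed:
                findings.append({"user": user, "km": round(km),
                                 "hours": hours, "kmh": speed})
        last[user] = (when, lat, lon)
    return findings


if __name__ == "__main__":
    for f in impossible_travel(SIGN_INS):
        print(f)
```

Only alice is flagged: bob's transatlantic trip fits within a normal flight, and carol's two locations are closer than the jitter floor.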

Threat detection – experience
Anomaly Alert

Here is a quick look at an anomaly detection alert. You can see at the top that a user triggered a suspicious session with a very high risk score, since the session was done over an anonymous proxy, the user is an admin, they used an ISP that they had not used before, there were multiple failed login attempts, and the user was in an impossible travel scenario. You can also see the details of the user’s activity and dive into more aspects of it. For example, you can click on the IP address and see if there was other activity from this address. Note that if you decide that this set of combined activities is too risky, then you can suspend the user right from the alert.

*Prototype image. This may not reflect the final product experience

Enhanced control
Easy To Use and customizable: Use out of the box policies or customize your own
Visibility into violations: Identify policy violations, investigate alerts on a user, location, or activity level
Stop Questionable Activities: Enforce actions like user suspension
Lower your risk: Assess risk from apps that have permissions into Office 365 data and remove their rights centrally

As I mentioned earlier, another big focus for Advanced Security Management is providing enhanced controls, which is done through another set of policies called activity policies. These policies give you the ability to track specific activities that you are interested in. Out of the box there are templates that you can use to easily create policies that can help you see when someone is downloading a lot of data, has multiple failed logon attempts, or logs in from a new IP address. You will also likely want to create additional policies that are more customized to your unique environment, and you can do this too. Using activity filters you can look for specific items like the location of the person, a user or group, the device type (mobile, PC, tablet), IP address, if a new user is created, or if someone is granted admin rights. Based on these activities happening once or a repeated number of times in a specific timeframe, you can create an alert or notify someone in IT.

The alerts are what give you the visibility into the activities that you want monitored, and Advanced Security Management gives you an easy way to see all of these and start your investigation. Some alerts alone, like a user logging in from a new location, might not be an issue, as they might be on vacation and leveraging Office 365 to check mail. However, you might want to check to see if they are doing other things that might be suspect, like accessing documents that you know are sensitive, or failing to log in multiple times. To help you with this, Advanced Security Management gives you the power to drill down and get additional details around what else the user was doing, or around the IP address being used, as it might have additional activities that this user or other users have done.

Based on the investigation, you might deem that the behavior is risky and you want to stop the user from doing anything else. Instead of going into another section of the Office 365 management console to suspend the user’s account, you can do that directly from the alert. Microsoft also knows that sometimes the activities you are monitoring for are so risky that if they are discovered you may not want to wait for an IT Pro to review the alert and suspend the account. To help with this, you can configure a policy so that an account is automatically suspended if the activity takes place.

We have also heard from organizations that they are looking for better control and visibility into applications that users are plugging into Office 365. Usually when users leverage applications they are unaware of what the app has permissions to. They are just trying to be more productive. To help IT Pros get better visibility and context into these apps, we give them a way to see these apps, which users are using them, and the permissions they have. Based on this info, they have the ability to revoke that application’s permissions from all the users with one button press.
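An added sketch of how an activity policy of the kind described above can be evaluated: filters select matching events, and the policy triggers when a user reaches a count within a timeframe, with either an alert or an automatic suspension as the action. This is example code, not the product's implementation; the policy names, field names, activity labels and log entries are all constructed assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class ActivityPolicy:
    name: str
    filters: dict          # event field -> required value (all must match)
    threshold: int         # matching events needed to trigger
    window: timedelta      # timeframe those events must fall within
    action: str = "alert"  # "alert" or "suspend"


# Hypothetical policies; activity and field names are assumptions.
POLICIES = [
    ActivityPolicy("Multiple failed logons", {"activity": "failed_logon"},
                   threshold=5, window=timedelta(minutes=5)),
    ActivityPolicy("Mass download on mobile",
                   {"activity": "file_download", "device": "mobile"},
                   threshold=3, window=timedelta(minutes=10)),
    ActivityPolicy("Admin rights granted", {"activity": "admin_role_granted"},
                   threshold=1, window=timedelta(minutes=1), action="suspend"),
]


def ev(time, user, activity, device="pc"):
    return {"time": "2016-06-01T" + time, "user": user,
            "activity": activity, "device": device}


# Constructed sample activity log.
EVENTS = [
    ev("09:00:00", "mallory", "failed_logon"),
    ev("09:00:40", "mallory", "failed_logon"),
    ev("09:01:30", "mallory", "failed_logon"),
    ev("09:02:10", "mallory", "failed_logon"),
    ev("09:03:50", "mallory", "failed_logon"),           # 5th within 5 minutes
    ev("09:00:00", "dave", "failed_logon"),
    ev("10:00:00", "dave", "failed_logon"),              # an hour apart: no burst
    ev("11:00:00", "dave", "failed_logon"),
    ev("09:10:00", "frank", "file_download", "mobile"),
    ev("09:12:00", "frank", "file_download", "pc"),      # filtered out: not mobile
    ev("09:14:00", "frank", "file_download", "mobile"),
    ev("09:30:00", "frank", "file_download", "mobile"),  # outside the window
    ev("09:20:00", "erin", "admin_role_granted"),
]


def evaluate(policies, events):
    """Return (policy, user, action, time) for every policy trigger."""
    recent = defaultdict(deque)  # (policy name, user) -> matching timestamps
    triggered = []
    for event in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(event["time"])
        for policy in policies:
            if any(event.get(k) != v for k, v in policy.filters.items()):
                continue
            hits = recent[(policy.name, event["user"])]
            hits.append(when)
            while when - hits[0] > policy.window:  # drop hits older than the window
                hits.popleft()
            if len(hits) >= policy.threshold:
                triggered.append((policy.name, event["user"],
                                  policy.action, event["time"]))
                hits.clear()  # one trigger per burst, not one per extra event
    return triggered


if __name__ == "__main__":
    for hit in evaluate(POLICIES, EVENTS):
        print(hit)
```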

Enhanced control – experience
Policy Creation

To help you better understand the process of creating an activity policy, here is a quick screenshot of what the page looks like. As you can see, the first drop-down allows you to choose a template, but you can create your own custom one by choosing the right activity filters and customizing the match parameters.

*Prototype image. This may not reflect the final product experience

Enhanced control – experience
App Permissions

Here is also a quick look at the App Permissions feature, where you can see the applications plugged into Office 365, the number of users using them, their granted permissions, the assigned risk level to these permissions, how common this app is used outside your company, and (click mouse) the actions you can take like revoking access or notifying the users.

*Prototype image. This may not reflect the final product experience
Expected to be available in Q3 calendar year 2016

Discovery and Insights
View into your Office 365 Usage: Easy to understand dashboard into Office 365 consumption
See What shadow IT is happening: Discover ~1000 cloud applications that have similar functionality to Office 365
Nothing to Install: No agent required on endpoints to gather data

Advanced Security Management also gives you the ability to discover information and get insights into your Office 365 usage and other cloud services to help you with any shadow IT problems. This is done through an app discovery dashboard that makes it easy for you to get a snapshot of pertinent information around your Office 365 usage. You can see things like the amount of traffic your Office 365 use is generating, and the number of users and who the top users of O365 are. It also gives you the ability to see if your users are leveraging other cloud services that are similar to Office 365. With the ability to discover about 1000 applications that fall into categories like collaboration, cloud storage, webmail, and others, you can better determine if there is shadow IT happening in your organization. Advanced Security Management will also give you details around the top apps in each category. For example, you can see how much data is being sent to cloud storage services like OneDrive for Business, Box, Dropbox and other similar providers.

What is also great about this solution is that there is nothing to install on the user endpoints to collect this data. Microsoft knows that it is not always possible to install an agent on a device, maybe because you have a BYOD program and you don’t want to install an agent on the user’s device. To load the data into the dashboard, all you have to do is take the logs from your network devices and upload them via an easy to use UI. There is support for many network vendors like Blue Coat, Check Point, Cisco, Juniper, Microsoft, Palo Alto, and Websense.

Discovery and Insights – experience
App Discovery Dashboard

To give you a better idea of what the dashboard looks like, here is a screenshot. You can see at the top the high level stats; under that are the top categories and the amount of traffic that is being sent to Office 365 and other apps. Near the bottom you can see the top apps for a specific category and data on their use.

*Prototype image. This may not reflect the final product experience
Expected to be available in Q3 calendar year 2016

ADVANCED SECURITY MANAGEMENT
Enhanced visibility and control for Office 365
Threat Detection: Identify high-risk and abnormal usage, security incidents, and threats
Enhanced Control: Shape your Office 365 environment with granular security controls and policies
Discovery and Insights: Gain enhanced visibility and context into your Office 365 usage and shadow IT – no agents required.

As you can see, Office 365 Advanced Security Management provides you with enhanced visibility and control into your Office 365 environment through:
The ability to detect threats by helping you identify high-risk and abnormal usage, security incidents, and threats.
Providing you with enhanced control by leveraging granular controls and security policies that can help you shape your Office 365 environment.
Giving you enhanced visibility and context into your Office 365 usage and shadow IT through the discovery and insights that the solution provides, all without installing an endpoint agent.

I would also note that, like all of our cloud services, it gets better over time, and today we talked about all the scenarios that Advanced Security Management can help you solve. However, as of June 1st the only features available are the anomaly and activity policies, alerts for these policies, and the ability to investigate the alerts. The app permissions and the cloud app discovery dashboard will be available in Q3 calendar year 2016.

Advanced Security Management has level A support in the Office 365 Compliance Framework, which shows its strong privacy and security commitments to not mining customer data for advertising and no voluntary disclosure to law enforcement agencies. We are actively working toward moving to level B through obtaining ISO and PCI certification in H2 of calendar year 2016 and SOC and HIPAA certifications in H1 of calendar year 2017.

Thanks for your time and happy to take any additional questions.

10/1/2017 © 2016 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.