Mapping NIST CSF and GDPR Frameworks to Microsoft Technologies
THR3084, 6/12/2018 8:16 PM
Nathan Lasnoski, Chief Technology Officer - Concurrency
© Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Risk Mitigation and Digital Transformation
1. The Digital Transformation is driving change in the way IT is leveraged and secured throughout the business.
2. The way IT is secured and risks are mitigated within the business will also rapidly evolve with new frameworks (NIST & GDPR).
3. The technologies for mitigating risks are a combination of longstanding best practices and modern capabilities.
4. The defense against the modern (and existing) threats of the Digital Transformation starts now.
The Digital Transformation is driving change in the way IT is secured throughout the business
Securing Areas of Transformation
Customers: Securing the customer experience with technology
Partners: Securing partner interactions through technology
Employees: Securing efficiency in internal operations
The way IT is secured and risks mitigated within the business will rapidly evolve as threats enter new vectors
Modern Security Layers to Mitigate Risk
Network, Operating System, Identity, Application, Information, Communications, Management, Physical
The NIST Framework – Intent
Framework for Improving Critical Infrastructure Cybersecurity. Despite the name, it is applicable to any organization or business.
A voluntary, risk-based approach to manage cybersecurity risk, in a cost-effective way, based on business needs.
The framework is not law; there is no compliance requirement.
What do you do? How well do you do it? What do you need to do?
It’s about MANAGING RISKS and making SOUND INVESTMENTS in cybersecurity efforts.
NIST Security Framework & GDPR (diagram): the five NIST CSF functions, Identify, Protect, Detect, Respond and Recover, arranged around the Digital Transformation.
Risk Mitigation Combining Layers and NIST (diagram): the security layers (Network, Operating System, Identity, Application, Information, Communications, Management, Physical) around the Digital Transformation, with the NIST functions and the capability placed beside each:
Identify: Cloud threat identification
Protect: Declarative configuration; Cloud consistent protection patterns
Detect: Big data detection patterns
Respond: Automated response mechanisms
Recover: (no capability listed)
The technologies for mitigating risks are a combination of longstanding best practices and modern capabilities
Mapping in Technology Solutions
NIST CSF and GDPR to Category / Microsoft technology map. Download the map here: https://www.concurrency.com/landing/nist
Excerpt shown for Protect (PR), Data Security (PR.DS): Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information. The category and technology entries listed beside each subcategory on the slide are given in parentheses.
PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition
PR.DS-4: Adequate capacity to ensure availability is maintained (Cloud Datacenter; Operations Management Suite & System Center; Modern IT Management)
PR.DS-5: Protections against data leaks are implemented (Customer Enablement; Enterprise Mobility Suite; Azure Resource Management; Standards; Office365)
PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity
PR.DS-7: The development and testing environment(s) are separate from the production environment (Visual Studio Team Services)
PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained (Operations Management Suite & System Center; ServiceNow)
PR.IP-2: A System Development Life Cycle to manage systems is implemented
Anatomy of Attacks and Defense (diagram). Components shown: ServiceNow, Dynamics, Power BI, System Center, SCCM, MIM, ATA, Azure Stack, Hypervisor, Network, EMS, OMS, USTS, Azure ML, Log Data, ARM + DSC, Code, Inventory, Automation, Log Data/IDS, ARM + Code DSC, IoT Suite
Demo
The defense against the modern threats of the Digital Transformation starts now
Steps to Starting Out
First: Admit that you can do better
Second: Know that you can always do better
Then: Make a plan for addressing the security threats that are most relevant based on risk and financial impact
Who Do You Want to Be?
Disorganized, Hidden, Unprepared
or
Organized, Transparent, Prepared
Get Specific with Prioritization
Discover columns: ID, System, Owner, Business Process, Hardware Product, Software Product, Configuration
Assess columns: Threat, Vulnerability, Controls, Impact (Low-Med-High), Complexity (Low-Med-High), Risk (Low-Med-High), Priority
Example register as shown on the slide (cells left blank were blank on the slide; row 00001 also carries an X in one of the Discover columns, and its rating cells read High and Low in that order):

ID    | System                   | Owner         | Threat               | Vulnerability        | Controls     | Impact / Complexity / Risk | Priority
00001 | Workstations and Servers | Denise Smith  | Privilege Escalation | Local Administrators | LAPS         | High, Low                  | 1
00002 | Active Directory         | Qiong Wu      | Unauthorized Use     | Privileged Accounts  | MIM PAM      | Med                        | 4
00003 |                          | Naoki Sato    | Code Execution       | Patching             | SCCM         |                            | 3
00004 | Business Culture         | Daniel Roth   | Social Engineering   | Phishing             | KnowBe4      |                            | 2
00005 | WiFi                     | Andrea Dunker |                      | Pre-shared Key       | 802.1X       |                            | 5
00006 |                          | Eric Gruber   | Business Data Loss   | Malicious Software   | Device Guard |                            | 6
Key points
1. Understand that security is not something to procrastinate on
2. Leverage NIST CSF and GDPR to develop a prioritized plan
3. Address key operating system and identity threats first
4. Don’t underestimate the importance of a security management platform
Please evaluate this session (Microsoft Ignite, 6/12/2018): from your PC or tablet, visit MyIgnite at https://myignite.microsoft.com/evaluations; from your phone, use the Microsoft Ignite mobile app at https://aka.ms/ignite.mobileapp. Your input is important!