Professional Documents
Culture Documents
Optional Attendees
• Business IT leads, Business initiative owners that sparked discussion – helps integrate security
into business initiatives and better understand security dependencies
• Cloud Lead / Cloud Team (if formed) – help integrate security into cloud initiatives and reduce
unhealthy friction between teams
• Any supporting partners and integrators chosen by those roles
Note: This workshop is essential for people performing the functions that align with the roles
above and is also useful to many other roles within an organization
Agenda
A. Key Context and Fundamentals
Threat trends, Role & Responsibility Evolution, Strategy and Recommended
Strategic Initiatives to structure security transformation
B. Business Alignment
Engage business leaders on security, align to business priorities and risk
management, integrate security in IT/Business and build business resilience
C. Security Disciplines
Provide a clear structure for durable security program elements
Exercises
1. Assess against maturity model based on real world journey
2. Discuss prescriptive recommendations to improve programs
3. Assign next steps
This presentation is interactive!
Using PowerPoint Zoom Navigation
Introductions
Expectations
Name Role
for today
❑ Modern Access Control
❑ Modern Security Operations
❑ Infrastructure and Development
❑ OT and IoT Security
❑ Data Security & GRC
What’s on your current priority list?
# Modern Security
Module 3 – Modern Operations
Security Operations (SecOps/SOC) Start Date / In Progress
# Infrastructure
Module 4 – Infrastructureand Development
& Development Security Start Date / In Progress
# OT and
Module 6 – IoTIoT Security
and OT Security Start Date / In Progress
# Other
________________________________ Start Date / In Progress
Common Security Initiatives
Mapping business outcomes to technical initiatives
CEO
Align security to business priorities
Security Program and Strategy / Cloud Adoption Framework (CAF) - Secure Methodology
Business Leadership
Secure hybrid Modernize Secure cloud Find and protect Protect Industrial
work incident response migration critical data Control Systems
CIO CISO
Technical Leadership
Secure Identities Modern Security Infrastructure and Data Security & IoT and OT
and Access Operations (SOC) Development Governance, Risk, Security
Security Compliance (GRC)
Implementation
CISO Workshop &
Architecture Design Session (ADS)
CEO
Securing Digital
Transformation
Engaging Business
Business and Leaders on Security
Business Leadership
Security
Integration CISO Workshop
CIO CISO Security Program and Strategy
Security Strategy,
End-to-end Security Program Guidance + Integration with Digital & Cloud Transformation Teams
Strategy
CISO Workshop Business Alignment and Cloud Transformation Success Metrics
Security Program and Strategy Role and Responsibility Evolution
End-to-end Security Program Guidance + Integration with Digital & Cloud Transformation Teams
Implementation
Product Documentation
Learning Operation
Planning for each role
Reference plans for 3 entry points
➢ Complete end to end security modernization
➢ Quick wins across all initiatives (Zero Trust RaMP)
➢ Microsoft 365 Zero Trust capabilities
CEO
Securing Digital
Transformation
Security
Integration
CIO CISO
Security Strategy,
Technical Leadership Programs, and
Epics
Architecture and
Policy
Architects & Technical Managers
Technical Planning
Implementation
and Operation
Implementation
Documentation
Step by Step Instructions on
Microsoft Docs site
A security program bridges two worlds
Aligning security to business outcomes + apply Zero Trust security principles and best practices
Adopt
Define strategy Plan Ready
CISO Workshop
End-to-end Security Program Guidance + Integration with Digital & Cloud Transformation Teams
Govern Manage
Browse
a website
Exploitation Command
Attacker attempts
and Installation and Control
lateral movement
Privileged account
compromised
Disgruntled or disenchanted
Potential
Subject to stressors Insider has access Anomalous
sabotage
to sensitive data activity detected
For sale in “bad neighborhoods” on the internet
Attacker for hire (per job) How this complicates fact validation
$250 per job (and up)
Other Services Ransomware Kits
Continuous attack $66 upfront
supply chain innovation (or 30% of the profit / affiliate model)
Denial of Service
$766.67 per month
How this shaped Microsoft investments
Don’t believe
Note: Sophisticated everything
attackers sometimes
use commodity toolkits to hide their origin
you see
Facts are naturally obscured Attack economy adds complexity Deliberate Deception Hides More
Demand for facts far exceeds Profit driven actors re-use tools, sell Sophisticated attackers often
ability to provide (expensive to ready made kits, and monetize attacks in deliberately pretend to be something
positively identify attackers, multiple ways (extortion / ransomware, else (use commercial tools, hide data
most useful defenses, etc.) selling passwords/access, data, etc.) theft in DDoS attacks, etc.)
Azure Security Capabilities and Guidance
Attacker for hire (per job)
Cloud Adoption
Denial of Service
Native Firewall and Network Security
Framework (CAF)
Protect business-critical assets with Azure Firewall, DDoS →
protection, & integrated web application firewall (WAF) Well Architected
Framework (WAF)
Attackers
Industry Collaboration
→ +
with customers, NIST, CIS, The Open Group, and others
(hundreds of millions of dollars paid)
2021 Microsoft Digital Defense Report contents
CHAPTER 1 CHAPTER 4 CHAPTER 6
•
•
Next Up:
1A – Strategy and Recommended Initiatives
Managing Information/Cyber Risk December 2021 -
Security responsibilities or “jobs to be done” https://aka.ms/SecurityRoles
Incident
Response
Incident
Management
(IT, IoT, OT)
Threat
Hunting
Working Together on Information/Cyber Risk
Increase collaboration across teams
Prevention
Information Risk Management Program Management Office (PMO)
Supply Chain Risk (People, Process, Technology)
Incident
Posture Management Preparation
Incident
Response
Response
Incident
Management
Threat
Hunting
Mapping Roles to Disciplines
Requires collaboration between IT and Security teams
Business Leadership
CEO, Board, Other CxOs, and Business Unit/Line Leaders
Infrastructure security
Data Security IT Admin / IT Leadership Application Owners
(Servers, Endpoints, Containers, Storage, etc.)
Feedback loop
Identify Protect Detect, Respond, Recover
Security Roles and Responsibilities
Business and Plan Build Run
technology outcomes Identify opportunities Execute and capture value Sustain and adapt
Feedback loop
Identify Protect Detect, Respond, Recover
Security Roles and Responsibilities
Business and Plan Build Run
technology outcomes Identify opportunities Execute and capture value Sustain and adapt
Feedback loop
Identify Protect Detect, Respond, Recover
Security Roles and Responsibilities
Business and Plan Build Run
technology outcomes Identify opportunities Execute and capture value Sustain and adapt
Feedback loop
Identify Protect Detect, Respond, Recover
CISO Workshop
1 Security Team
2 IT Operations
3 Cloud Teams
4 DevOps/DevSecOps Teams
5 <Other Stakeholders>
CISO Workshop
1. Designate
Decision Makers
2. Publish
and Update list
3. Socialize
and follow-up
Next Up:
Roles and Responsibilities Summary
CISO Workshop
Review – Roles and
Responsibilities
• Different security specialties reduce
organizational risk differently
• Prevent, respond, govern, architect, compliance,
and more
Market
Business
Attackers
Technology
Security
Working together
Business Digital Transformation
Market
Attackers
Technology Security
Zero Trust Transformation
Cloud Transformation
Security Shifts to Continuous Improvement Security Imperatives
Governance
Driving Continuous Improvement
Innovate with
Access Assets Assets
Asset
Protection
Security Imperatives Context to inform
decisions, tools, & automation
Known, Trusted, Allowed
Governance On every access request
Module 5
Security
Asset
Access
Security
Innovation
Secure Manage Govern
Governance
Protection
Control
Operations
Security
Risk insights Business commitments Business risks
Business resilience Operations baseline Policy & compliance
Asset protection Operations maturity Governance maturity
https://aka.ms/CAFSecure
Microsoft Cloud Adoption Framework (CAF)
Achieve balance
Align business, people and technology strategy to achieve business goals with actionable,
efficient, and comprehensive guidance to deliver fast results with control and stability.
Cloud Adoption Framework | Secure Methodology
Security Program and Strategy Guidance
Security
Productivity
Shadow IT
Increased Risk
Increase Business Agility and Mitigate Security Risk
Capture business Strengthen
opportunities Security
Assume breach
and technologies with regular contact between business, radius with asset centric protections, micro-segmentation,
IT, and security. continuous monitoring, and automated threat response
Explicitly Verify
Sustainable – Ensure sponsors, developers, users, IT, and Verify explicitly Always make security decisions using all
security maintain a constant pace (and budget) available data points, including identity, location, device
indefinitely. health, resource, data classification, and anomalies.
CFO COO
Forrester
ZTX Model
Data
Infrastructure
Endpoints
Network
Device Infrastructure
compliance Continuous
Containers
Serverless
Device risk assessment
Int. Sites
Corporate Runtime
PaaS
Threat
IaaS
control
Personal Protection
Risk Assessment JIT and Version Control
Response Automation
Threat Intelligence
Forensics
Telemetry/analytics/assessment
CISO Workshop
Review - Strategy and
Recommended Initiatives
Business
What would you restore first if everything was down?
IT / Technology
What are technical components • What security threats could cause this?
of business critical assets? • How to protect assets without disruption?
and more
Clients Servers Databases Apps Clouds
Reduced Business Friction = Increased Business Agility (and ability to capture opportunities)
Security is not a technical problem (to be ‘solved’).
Security is an ongoing risk to be managed
(driven by groups of well funded humans)
Never plan to
‘Just pay the ransom’
‘Planning to Pay’ has hidden costs …and doesn’t avoid security investments
Secure cloud adoption enables rapid secure innovation
Secure innovation is the beating heart of an organization in today’s digital landscape
Secure
Enables rapid secure innovation
Cloud Adoption DevSecOps, IaC security, distributed security workflow
Secure hybrid
work
Modern security
incident response
Security Improvement
Business
Are we getting better Enablement
every month?
Starting Points
Security Response
How good are we at responding to
and recovering from attacks?
Board Questions Metrics
Example Metrics
Focus on continuous improvement
Security
Scorecard Business Enablement Security Posture Security Response Security Improvement
Metrics
Mean Time for security % of new apps/etc. Mean Time to Recover # of modernization
Supporting review reviewed (MTTR) projects open
Performance
# days for application Mean Time to # modernization project
Measurements Secure score
Acknowledge (MTTA) milestones achieved in
security review
last 60 days
Average boot/logon Time to Restore Critical
% Compliant apps
time for managed Systems
Number of repetitive
devices. # of high severity
# of privileged accounts manual steps removed
Number of security meeting 100% of incidents from workflows
interruptions in user requirements Incident growth rate
workflow # of Lessons learned
# of accounts meeting (overall)
% of IT help desk time from internal/external
spent on low-value 100% of requirements incidents
security activities
Help focus on key business outcomes
• What is our financial exposure to security risk?
• How prepared are we for extortion/ransomware attack?
• Are processes aligned to identifying and protecting business critical
processes? (without breaking them)
• Are we securing all business-critical assets? (including IT, IoT, and OT)
• Can we recover them quickly?
• Are we measuring continuous improvement for security?
• Is security program balanced across people, process, and tech?
• Are the security risk decisions by the right people? Are they prepared and
informed to do so?
• Business Models and Partnerships
• Technology Trends
• Regulatory, Geopolitical, Cultural Employee → supplier → partners
Forces
• Disruptive Events
• Paradigm Shift to Remote Work
Better security and user experience with Passwordless + working anywhere you want
NIST 800-40 on security
maintenance
https://csrc.nist.gov/publications/detail/sp/800-40/rev-4/final
CISO Workshop
Next Up:
1B Risk Insights, Security Integration, Business Resilience
• Business/asset owners should be accountable for security risk
• Security should be responsible to inform and help them.
Asset owners need to balance security risks against all other risks and benefits
with security providing subject matter expertise as a trusted advisor.
CRIMINAL ENTERPRISES
GOVERNMENTS
HACKTIVISTS
CISO Workshop
Review – Risk Insights
Next Up:
1B Risk Insights, Security Integration, Business Resilience
CEO
CFO COO
Healthy Friction – Critical thinking that reduces
risk but doesn’t break processes.
Unhealthy friction – impedes more value than it
CIO CISO protects.
Security Management – Key Operational Functions
Two operational functions for prevention (potential risk) and response (realized risk)
IT Operations
• Accountable for Operational Uptime Recover
• Responsible for change implementation
Security Collaboration
Posture Management
No threat
Major/New
incidents
Traditional Vulnerability
Management
Focused on Operating System vulnerabilities
Posture management is large and complex
Posture Management
Manage potential security risk (vulnerabilities)
Collaboratively enabling many teams to secure a continuously changing technical estate Security Teams
Productivity Team Business Leads Application Developers DevOps Teams Database Teams Privacy Team(s)
IT Operations
(Multi-Cloud (Infrastructure and Endpoint)
and Hybrid)
Network Teams
Posture Management
Rapid Modernization Plan (RaMP)
4. Establish Automated Guardrails Enables business agility by reducing process friction and delays
• Automate – security into DevOps & Infrastructure as code (IaC) with Azure Policy, ARM, Terraform, etc.
Next Up:
1B Risk Insights, Security Integration, Business Resilience
T = Patch Ready T + 48 hours T + 7 days
Extended Testing
Workload owner Requires Approved Exception
Enterprise IT &
Security Teams
N
N
Next Up:
Business Alignment Exercise
CISO Workshop
Proactive
Integration See ‘Engaging Business Leaders
natural aspect of risk on Security’ for metrics guidance
and enablement decisions
Basic Business Alignment
Risk viewed per project or ad hoc,
limited business enablement focus
Security as Technical Risk
Security program focused on technical
view of risk (limited business alignment)
1. How are you investing into integrating security into business and IT processes?
a. How prepared are organizational leaders to make security/risk decisions?
b. How prepared are business line leaders to make security/risk decisions?
2. What would business and IT leaders say about the progress on that
integration?
3. How is security budgeted? Proportional to IT? to organization’s FTEs or
revenue? Ad Hoc/Custom?
Program Maturity Path
1. Assess 2. Discuss 3. Assign
Learning
Organization
All teams focused on
learning from internal &
external incidents
Balanced Investment
SOC drives increased investment into
meaningful incident prevention
Response Focus (or overpivot)
Building and maturing new separate security
operations/SOC function (often after major incident)
Compliance Focus
Preventive program focused on meeting
compliance obligation and control configurations
Discuss Improvement Steps
1. Assess 2. Discuss 3. Assign
Balanced Investment
SOC drives increased investment into • Integrate incident response learnings into
meaningful incident prevention strategy and preventive controls
• Shift security left (earlier) in technical processes
Response Focus (or overpivot)
Building and maturing new separate security
operations/SOC function (often after major incident)
• Build incident response capability
Compliance Focus (Security Operations / SOC)
Preventive program focused on meeting
compliance obligation and control configurations
Next: Assign Next Steps
1. What security framework do you adhere to today?
2. How are lessons learned from incidents integrated into security, IT, and
business processes?
3. How well do you balance investments across prevention vs.
detection/response/recovery?
a. Do you have a dedicated operations function focused on incident
response? (aka Security Operations Center or SOC)
b. Do you have a dedicated operations function focused on prevention?
(e.g. security posture management team)
c. Are these functions represented in technology leadership meetings?
Capture next step and who
1. Assess 2. Discuss 3. Assign owns following up on it
5
CISO Workshop
1. Assess
Current State
2. Discuss
Focus Areas
3. Assign
Next Steps
Next Up:
1C – Security Disciplines
Zero Trust principles transform access control
Secure assets wherever they go
Evolution of Authentication and Authorization
KNOWN
TRUSTED
Airport Security
(Identity System)
ALLOWED
Airline
(Application)
https://aka.ms/accessmodel
API
Next Up:
1C – Access Control, Security Operations, Asset
Protection, Security Governance, Innovation Security
Mission
Reduce organizational risk by limiting the time successful
attackers can access enterprise assets (dwell time) through rapid
detection and response.
Case Management
Analysts
and Hunters
Incident Response/Recovery Assistance
Security Information and Event Management (SIEM)
Enterprise Assets – Multiple generations of technology spanning clouds, Devices, Operating Systems, Applications, Data Formats, and more
CEO
PRACTICE EXERCISES / TABLETOPS
BUSINESS PRIORITIES
Next Up:
1C – Access Control, Security Operations, Asset
Protection, Security Governance, Innovation Security
More Details in
Module 4 Modern Security Operations
Asset Protection
Effectiveness requires prioritization and consistency/automation for scale Discovering
Business-Critical Assets
1. Focus on Business-Critical Assets Business assets have intrinsic value to the business
2. Plan for Scale and Speed Technical assets host and run those assets
Workload Infrastructure
Shared Infrastructure
Hybrid and Multi-cloud
CISO Workshop
Review – Asset Protection
More Details in
Module 4 – Infrastructure & Development
Module 5 – Data Security & Governance,
Risk, Compliance (GRC)
Module 6 – IoT and OT Security
Asset Protection – Get Secure and Stay Secure
Get Secure – Apply security standards Stay Secure – Ongoing Asset Maintenance
• Protect data at rest and in transit • Keep software/firmware/etc. patched & up to date
• Asset specific configurations & protections • Keep software and protocols current
Continuously Improve
• Standards
• Discovery Mechanisms
• Application and
automation of standards
Architecture, Policy,
Hybrid estate of multi-cloud and Standards
& on-prem IT + OT + IoT
Origin & Evolution Ideal End State Rapid Modernization Integration into Process
Plan (RaMP)
Protecting and Monitoring Assets
Identify & Prevent – continuous improvement
Security Governance
Risk, Architecture, Compliance, Threat Intelligence (Strategic) Asset Protection
IT Operations
Posture Management
Manage potential security risk (vulnerabilities)
Innovation Security
Plan - Set measurable standards/baselines DevOps Teams
Start simple and work as a team
Do – Integrate standards/baselines
Check – Monitor standards (CSPM and other tools) Citizen
Developers
Act – Remediate Deviations (with posture management help)
Continuously improve - Standards/baselines
Collaborative Team Effort
5
Security Governance
Key Functions and Relationships
Next Up:
1C – Access Control, Security Operations, Asset
Protection, Security Governance, Innovation Security
Secure innovation is the beating heart of an organization in today’s digital landscape
Feedback Loop
Idea Incubation DevOperations
More Details in
• Module 4 Infrastructure & Development
• CAF Secure – Innovation Security
aka.ms/CAFSecure-InnovationSecurity
1. Assess 2. Discuss 3. Assign
Current State Focus Areas Next Steps
Security
Governance Access Security Asset Innovation
Continuously Identify, measure, Control Operations Protection Security
and manage security posture to Protect sensitive data and Integrate Security into
Establish Zero Trust access Detect, Respond, and Recover
reduce risk & maintain systems. Continuously DevSecOps processes. Align
model to modern and from attacks; Hunt for hidden
compliance discover, classify & security, development, and
legacy assets using identity threats; share threat
& network controls intelligence broadly secure assets operations practices.
CISO workshop and
Security ADS Module 1 Security ADS Security ADS Security ADS Security ADS
(same exercise) Module 2 Module 3 Modules 4 & 6 Module 4
Program Maturity Path
Integrated
Security
Architecture
integrated enterprise-wide
and with all new initiatives
Basic Security Architecture
Ad Hoc documentation of non-network
security capabilities and solutions
Network Security Diagram
Describe network security zones and
supporting capabilities
No Security Architecture
No meaningful architectural documentation
Discuss Improvement Steps
1. Assess 2. Discuss 3. Assign
• Build enterprise-wide integrated security
architectures (diagrams and documentation)
• Integrate with enterprise architecture (if present)
Integrated and business architectures (as appropriate)
Security • Ensure universal adoption by engineering and
Architecture implementation teams (IT, OT, IoT, DevOps)
integrated enterprise-wide • Continuously update and refine architectures,
and with all new initiatives policies, and standards based on threats, business
Basic Security Architecture intelligence, technical platforms, and more
Ad Hoc documentation of non-network
security capabilities and solutions
• Document enterprise-wide security
Network Security Diagram capabilities (beyond network)
Describe network security zones and • Integrate security in new enterprise solutions
supporting capabilities • Start integrating with standards and policies
No Security Architecture
No meaningful architectural documentation
Next: Posture Management
Program Maturity Path
Continuous
Posture
Improvement
Automated guardrails and
continuous risk reduction
Proactive Posture Management Posture management data helps business case for
Establish self-service model for executive sponsorship of security maintenance and
remediating clients, servers, and more monitor progress against goals.
Vulnerability Scanning
Use TVM to scan operating systems and applications for
missing security patches/updates
Discuss Improvement Steps
1. Assess 2. Discuss 3. Assign
None / Inconsistent
Security patches & configuration not a priority for IT Ops /
DevOps teams, only applied on a reactive basis (emergencies)
Discuss Maturity Status Self-Service
Patching model
Next:
Assign Next Steps
Limited Scope
1-6 months
/ Low Priority
None /
6+ months
Inconsistent
Capture next step and who
1. Assess 2. Discuss 3. Assign owns following up on it
5
CISO Workshop
1. Assess
Current State
2. Discuss
Focus Areas
3. Assign
Next Steps
Next Up:
Module 1 Key Takeaways and Next Steps
Secure Access Modernize Security Manage Compliance, Commit to a Zero
starting with MFA Posture & Operations Risk, and Privacy Trust Strategy
Rapidly reduce risk from Modernize tools and processes Manage compliance and risk Commit to a security
common threats by with cloud technology (XDR, processes for data with modernization roadmap
modernizing access control SIEM, CSPM) to proactively modern cloud technology based on zero trust
with passwordless & multi- manage security posture and (eDiscovery, insider risk, and principles.
factor authentication (MFA) rapidly respond to attacks more)
Engage your teams to drive and plan critical security modernization initiatives
CISO Workshop
Next Up:
Security Architecture Design Session (ADS)
Security Guidance December 2021 - https://aka.ms/MCRA
CEO
Securing Digital
Transformation
aka.ms/CAFSecure aka.ms/MCRA
aka.ms/MCRA-Videos
Zero Trust Resources
aka.ms/zerotrust
aka.ms/ztbizplan
Identities Applications
Microsoft
Microsoft Defender for
Azure AD Cloud
Data
Microsoft
Defender Microsoft
Information
for Identity
Protection Infrastructure
Endpoints
Microsoft
Defender
Microsoft
Cloud App Network
Microsoft Security
Endpoint
Manager
Azure Sentinel
Business Alignment
Risk Insights Security Integration Business Resilience
Integrate security insights Integrate security insights and Ensure organization can
into risk management practices into business and IT operate during attacks
framework and digital processes, integrate security and rapidly regain full
initiatives disciplines together operational status
Security disciplines