Mcra April 2025

The document outlines the Microsoft Cybersecurity Reference Architectures (MCRA) and Security Adoption Framework (SAF) focused on implementing Zero Trust principles for end-to-end security architecture. It highlights key challenges in security modernization, emphasizes the importance of continuous improvement, and provides strategies for integrating security across various business scenarios. The framework aims to reduce organizational risk by aligning security practices with business goals and leveraging best practices in security architecture and operations.

Uploaded by Peter Asane
© All Rights Reserved

Adoption Framework

Microsoft Cybersecurity Reference Architectures (MCRA)
Plan your end-to-end security architecture using Zero Trust principles

April 2025 Release


Top End to End Security Challenges

• Incomplete or network-centric architectures aren’t agile & can’t keep up with continuous change (security threats, technology platform, and business requirements)
• Challenges with
  • Creating integrated end to end architecture
  • Integrating security technologies
  • Planning and prioritizing security modernization initiatives

MCRA is a subset of the full Security Architecture Design Session (ADS) module 1 workshop:
• Overview of Security Adoption Framework and end to end cybersecurity architecture
• End to End Security: Consider the whole problem
• Ruthlessly Prioritize: Identify top gaps + quick wins
• Get started: Start somewhere & continuously improve
• Antipatterns and best practices
• Guiding rules and laws for security
• Diagrams and references
• Applying Zero Trust principles

SAF Overview

Whiteboard – Current Security Architecture
What types of attacks and adversaries are top of mind?

Security Adoption Framework (SAF)
Zero Trust security modernization aligned to business goals and risks

End to End Reference Strategy, Architecture, & Implementation using Zero Trust principles

Business Scenarios (Promised Outcomes)
• I want to rapidly and securely adopt AI (including protecting data)
• I want people to do their job securely from anywhere
• I want to minimize business damage from security incidents
• I want to identify and protect critical business assets
• I want to continuously improve my security posture and compliance

Security Disciplines – Reference architectures, plans, and more
• Strategy, Integration, and Governance
• Artificial Intelligence (AI)
• Access and Identity
• Security Operations (SecOps/SOC)
• Infrastructure & Development Security
• Data Security
• OT and IoT Security

Technology Implementation
• Endpoints, Identities, Network, Apps, AI, Data, Infrastructure
Security Adoption Framework (SAF)
Zero Trust security modernization rapidly reduces organizational risk

Business Leadership (CEO – Business Transformation; CIO – Digital Transformation; CISO)
• Engaging Business Leaders on Security
• CISO Workshop – Security Strategy and Program

Technical Leadership – Security Strategy, Programs, & Epics
• Microsoft Cybersecurity Reference Architectures (MCRA) – End to End Security Architecture Using Zero Trust Principles (We are here)

Architects & Technical Managers – Architecture and Policy, Technical Planning
• Access and Identity | Security Operations (SecOps/SOC) | Infrastructure & Development Security | Data Security | OT and IoT Security

Implementation and Operation – Technology Implementation & Optimization
• Security Capability Adoption Planning (SCAP) – includes Reference Plans

Security must be integrated everywhere and stay on a journey of continuous improvement.
Continuous improvement, learning, and prioritization are critical to manage this.

Common Security Antipatterns - Technical Architecture
Common mistakes that impede security effectiveness and increase organizational risk

Skipping basic maintenance
Skipping backups, disaster recovery exercises, and software updates/patching on assets

Securing cloud like on premises
Attempting to force on-prem controls and practices directly onto cloud resources

Wasting resources on legacy
Legacy system maintenance and costs draining ability to effectively secure business assets

Artisan Security
Focused on custom manual solutions instead of automation and off the shelf tooling

Disconnected security approach
Independent security teams, strategies, tech, and processes for network, identity, devices, etc.

Lack of commitment to lifecycle
Treating security controls and processes as points in time instead of an ongoing lifecycle

Best Practices
Develop and implement an end to end technical security strategy focused on durable capabilities and Zero Trust Principles.
This workshop helps you define and rapidly improve on best practices across security including:
• Asset-centric security aligned to business priorities & technical estate (beyond network perimeter)
• Consistent principle-driven approach throughout security lifecycle
• Pragmatic prioritization based on attacker motivations, behavior, and return on investment
• Balance investments between innovation and rigorous application of security maintenance/hygiene
• ‘Configure before customize’ approach that embraces automation, innovation, and continuous improvement
• Security is a team sport across security, technology, and business teams
Security Success
Invest intentionally into providing these durable outcomes

Attacker Failure + Increased Attacker Cost/Friction

Block Cheap and Easy Attacks (‘Left of Bang’ – Prevent or lessen impact of attacks)
Increase cost and friction for well known & proven attack methods (or easy to block options)

Find and kick them out fast (‘Right of Bang’ – Rapidly and effectively manage attacks)
Reduce dwell time (mean time to remediate) with rapid detection and remediation

Requires end to end collaboration

Improving Resiliency
Enable business mission while continuously increasing security assurances

‘Left of Bang’ – Prevent or lessen impact of attacks | ‘Right of Bang’ – Rapidly and effectively manage attacks
IDENTIFY | PROTECT | DETECT | RESPOND | RECOVER
GOVERN
(NIST Cybersecurity Framework v2)

The job will never be ‘done’ or ‘perfect’, but it’s important to keep doing (like cleaning a house)
End to End Security
Enable business mission and increasing security assurances with intentional approach

Security Strategy and Program
Zero Trust Architecture
• Security Posture Management
• Modern Security Operations (SecOps/SOC)
• Access and Identity
• Infrastructure & Development Security
• IoT and OT Security
• Data Security

‘Left of Bang’ – Prevent or lessen impact of attacks | ‘Right of Bang’ – Rapidly and effectively manage attacks
IDENTIFY | PROTECT | DETECT | RESPOND | RECOVER
GOVERN

Defenders must focus on
A. Strong security controls + effective placement
B. Rapid response to attacks
C. Continuously testing & monitoring controls
Looks like they have NGFW, IDS/IPS, and DLP

I bet their admins
1. Check email from admin workstations
2. Click on links for higher paying jobs

Phishing email to admin
Now, let’s see if admins save service account passwords in a spreadsheet…
Found passwords.xls

Sensitive Data Protection & Monitoring
• Discover business critical assets with business, technology, and security teams
• Increase security protections and monitoring processes
• Encrypt data with Azure Information Protection

Replace password.xls ‘process’ with
• PIM/PAM
• Workload identities

Protect Privileged Accounts
• Require separate accounts for Admins and enforce MFA/passwordless
• Privileged Access Workstations (PAWs) + enforce with Conditional Access

Modernize Security Operations
• Add XDR for identity, endpoint (EDR), cloud apps, and other paths
• Train SecOps analysts on endpoints and identity authentication flows

Rigorous Security Hygiene
• Rapid Patching
• Secure Configuration
• Secure Operational Practices
Security is complex and challenging

Hybrid of Everything, Everywhere, All at Once – Must secure across everything
Ø Brand New - IoT, DevOps, and Cloud services, devices and products
Ø Current/Aging - 5-25 year old enterprise IT servers, products, etc.
Ø Legacy/Ancient - 30+ year old Operational Technology (OT) systems

Nothing gets retired! Usually for fear of breaking something (& getting blamed)
‘Data swamp’ accumulates – managed data + unmanaged ‘dark’ data

Attackers have a lot of options (People, Application, Infrastructure, Data)
Ø Forcing security into a holistic complex approach
Ø Regulatory Sprawl - 200+ daily updates from 750 regulatory bodies
Ø Threats – Continuously changing threat landscape
Ø Security Tools – dozens or hundreds of tools at customers
Goal: Zero Assumed Trust
With 30+ years of backlog at most organizations, it will take a while to burn down the backlog of assumed trust.

Reduce risk by finding and removing implicit assumptions of trust

False Assumptions of implicit or explicit trust → Zero Trust Mitigation: Systematically Build & Measure Trust

• “Security is the opposite of productivity” → Business Enablement: Align security to the organization’s mission, priorities, risks, and processes
• “All attacks can be prevented” → Assume Compromise: Continuously reduce blast radius and attack surface through prevention and detection/response/recovery
• “Network security perimeter will keep attackers out” → Shift to Asset-Centric Security Strategy: Revisit how to do access control, security operations, infrastructure and development security, and more
• “Passwords are strong enough” → Explicitly Validate Account Security: Require MFA and analyze all user sessions with behavior analytics, threat intelligence, and more
• “IT Admins are safe” → Plan and Execute Privileged Access Strategy: Establish security of accounts, workstations, and other privileged entities (aka.ms/spa)
• “IT Infrastructure is safe” → Validate Infrastructure Integrity: Explicitly validate trust of operating systems, applications, service accounts, and more
• “Developers always write secure code” → Integrate security into development process: Security education, issue detection and mitigation, response, and more
• “The software and components we use are secure” → Supply chain security: Validate the integrity of software and hardware components from open source, vendors, and others
Zero Trust Security Architecture
End to End Prioritized Execution + Continuous Improvement

OBSERVE, ORIENT
• Security is complex and challenging
• Resilience required across the lifecycle

DECIDE
• Focus on prevalent attacks and use data
• Disrupt attacker return on investment (ROI)

ACT
• Microsoft Security Adoption Framework
• Leverage reference plans and architectures
Zero Trust Commandments
Requirements that represent best practices for a Zero Trust Architecture (ZTA) and transformation. (The Open Group Standard)
Usage: General planning + Testing whether something is ‘Zero Trust’ or not

10 Laws of Cybersecurity Risk
Key truths about managing security risk that bust common myths.
Usage: Ensuring security strategy, controls, and risk are managed with realistic understanding of how attacks, humans, and technology work

Immutable Laws of Security
Key truths about security claims and controls that bust common myths.
Usage: Validating design of security controls, systems, and processes to ensure they are technically sound
Microsoft Cybersecurity Reference Architectures (MCRA) – Security Adoption Framework (SAF)
Architecture Diagrams & References
• People
• Zero Trust Adaptive Access
• Threat Environment
• Role Mapping
• Artificial Intelligence (AI) and Security Journey
• Attack Chain Coverage
• Zero Trust Privileged Access
• Security Operations
• Development / DevSecOps
• Microsoft Security Capabilities
• Infrastructure
• Operational Technology (OT)
• Multi-Cloud & Cross-Platform
• Build Slide
• Device Types
• Patch Modernization
• Microsoft 365 E5
• Standards Mapping

aka.ms/MCRA | aka.ms/MCRA-videos | April 2025


Security Adoption Framework
Reduce risk by rapidly modernizing security capabilities and practices

Business and Security Integration – Securing Digital Transformation
• Engaging Business Leaders on Security
• Security Strategy and Program

Security Strategy, Programs, and Epics
• Zero Trust Architecture – Microsoft Cybersecurity Reference Architectures (MCRA)

Architecture and Policy, Technical Planning
• Access and Identity | Modern Security Operations (SecOps/SOC) | Infrastructure & Development Security

Implementation and Operation – includes Reference Plans

Where do you want to go next?
Recommend combination of:
• Context – Strategy/Architecture
• Action – Technical Implementation
Engagements help navigate the vast complexity of security

Strategic Security Integration
• Security Strategy and Program
• End to End Security Architecture – Microsoft Cybersecurity Reference Architectures (MCRA)

What do we own? Are we using it?
• Capabilities Review – Security Capability Adoption Planning (SCAP)

Technical Architecture and Planning
• Access and Identity | Modern Security Operations (SecOps/SOC) | Infrastructure & Development Security | Data Security

How are we doing today?
• End to End Security Assessment – Enterprise Security Assessment (ESA)

Microsoft Product and Technology Implementation
• Defender | Purview | Entra | Sentinel | Security Copilot | Intune

Security Modernization Journey
Let’s get next steps locked in
Capture actions and who follows up on them

# Next Step Point of Contact


1

5
Security Resources
• Security Adoption Framework – aka.ms/saf
• Security Hub – aka.ms/SecurityDocs

Security Strategy and Program
• Driving Business Outcomes Using Zero Trust
• CISO Workshop – aka.ms/CISOworkshop | -videos
  • Rapidly modernize your security posture for Zero Trust
  • Secure remote and hybrid work with Zero Trust
  • Identify and protect sensitive business data with Zero Trust
  • Meet regulatory and compliance requirements with Zero Trust

End to End Security Architecture
• Microsoft Cybersecurity Reference Architectures (MCRA) - aka.ms/MCRA | -videos
• Ransomware and Extortion Mitigation - aka.ms/humanoperated
• Zero Trust Workshop - http://aka.ms/ztworkshop
• Backup and restore plan to protect against ransomware - aka.ms/backup
• Zero Trust Deployment Guidance - aka.ms/ztguide | aka.ms/ztramp

Secure Access and Identities
• Securing Privileged Access (SPA) Guidance – aka.ms/SPA
• Access Control Discipline
• Ninja Training – Microsoft Defender for Identity – aka.ms/mdininja
• Microsoft Entra Documentation – aka.ms/entradocs
• MCRA Videos – Zero Trust User Access; SecOps Integration

Modern Security Operations (SecOps/SOC)
• Incident Response - aka.ms/IR
• CDOC Case Study - aka.ms/ITSOC
• Ninja Training – Microsoft 365 Defender – aka.ms/m365dninja; Microsoft Sentinel – aka.ms/sentinelninja; Microsoft Defender for Office 365 – aka.ms/mdoninja; Microsoft Defender for Endpoint – aka.ms/mdeninja; Microsoft Cloud App Security – aka.ms/mcasninja
• MCRA Video – Security Operations

Infrastructure & Development Security
• Security Development Lifecycle (SDL)
• Security Controls – Microsoft Cloud Security Benchmark – aka.ms/benchmarkdocs; Well Architected Framework (WAF) – aka.ms/wafsecure; Azure Security Top 10 – aka.ms/azuresecuritytop10
• Ninja Training – Defender for Cloud
• MCRA Video – Infrastructure Security
• Defender for Cloud Documentation

Data Security
• Secure data with Zero Trust
• Ninja Training – Microsoft Purview Information Protection – aka.ms/MIPNinja; Microsoft Purview Data Loss Prevention – aka.ms/DLPNinja; Microsoft Purview Insider Risk Management
• Data Security for SOC Ninja Training – aka.ms/NinjaDSforSOC
• Microsoft Purview Documentation – aka.ms/purviewdocs

IoT and OT Security
• Ninja Training – Defender for IoT Training
• MCRA Videos – OT & IIoT Security
• Defender for IoT Documentation – aka.ms/D4IoTDocs

Product Capabilities – www.microsoft.com/security/business
Security Product Documentation – Azure | Microsoft 365
Microsoft Security Response Center (MSRC) – www.microsoft.com/en-us/msrc
Key Industry References and Resources
• Zero Trust Commandments Standard - https://publications.opengroup.org/c247
• Zero Trust Reference Model - https://publications.opengroup.org/s232
• Security Principles for Architecture - https://publications.opengroup.org/c246
• Cybersecurity Framework - https://www.nist.gov/cyberframework
• Zero Trust Architecture - https://www.nist.gov/publications/zero-trust-architecture
• NCCoE Zero Trust Project - https://www.nccoe.nist.gov/projects/implementing-zero-trust-architecture
• Secure Software Development Framework (SSDF) - https://csrc.nist.gov/pubs/sp/800/218/final
• Zero Trust Maturity Model - https://www.cisa.gov/zero-trust-maturity-model
• CIS Benchmarks - https://www.cisecurity.org/cis-benchmarks/

References

Zero Trust Capabilities
• The Open Group Zero Trust Model
• NIST Zero Trust Model
• All capabilities ...mapped to NIST CSF

SecOps Terminology

Asset-Centric Security Operations (SecOps/SOC)
• Capabilities
• Architecture Building Blocks (ABBs)
• Microsoft Mapping

Identity and Adaptive Access Management (IAAM)
• Capabilities
• Architecture Building Blocks (ABBs)
• Microsoft Mapping

Zero Trust Model Capabilities – Rapidly Report Microsoft Regulatory Compliance
Asset-Centric Security Operations (ACSO) Capabilities

ACSO-1 - Asset-Centric Security Operations
  ACSO-1.1 - Rapid Incident Response
    ACSO-1.1.1 - Incident Investigation, Containment, and Remediation
    ACSO-1.1.2 - Incident Impact and Root Cause Analysis
    ACSO-1.1.3 - Case Management
    ACSO-1.1.4 - Major Incident Management
  ACSO-1.2 - Continuous Organizational Improvement
    ACSO-1.2.1 - SecOps Continuous Operational Improvement
    ACSO-1.2.2 - Threat Intelligence Sharing, Education, and Advocacy
  ACSO-1.3 - Undetected Attack Discovery
    ACSO-1.3.1 - Threat Hunting
    ACSO-1.3.2 - Custom Detection Engineering
  ACSO-1.4 - Attack Simulation
    ACSO-1.4.1 - Simulated Attack Planning
    ACSO-1.4.2 - Simulated Attack Execution
    ACSO-1.4.3 - Simulated Attack Learnings Integration
  ACSO-1.5 - SecOps Data Analysis and Automation
    ACSO-1.5.1 - Common Attack Technique Detection
    ACSO-1.5.2 - Data Aggregation, Storage, Correlation, and Analysis
    ACSO-1.5.3 - SecOps Process Automation
    ACSO-1.5.4 - Technical Threat Data Integration
    ACSO-1.5.5 - SecOps Custom Development
Asset-Centric Security Operations Platform (ACSOP)
Architecture Building Blocks (ABBs)

ACSOP-1 - Asset-Centric Security Operations Platform
  ACSOP-1.1 - SecOps Core Reactive Processes
    ACSOP-1.1.1 - Incident Investigation and Forensic Analysis Process
      ACSOP-1.1.1.1 - User Interaction Process
      ACSOP-1.1.1.2 - Technology Team Interaction Process
    ACSOP-1.1.2 - Incident Containment and Asset Recovery Process
    ACSOP-1.1.3 - Incident Summarization Process
    ACSOP-1.1.4 - Incident Impact and Root Cause Analysis Process
    ACSOP-1.1.5 - Major Incident Management Process
      ACSOP-1.1.5.1 - Technical Coordination Process
      ACSOP-1.1.5.2 - Business Coordination Process
    ACSOP-1.1.6 - Operational Excellence Process
      ACSOP-1.1.6.1 - SecOps Trend and Pattern Analysis Process
      ACSOP-1.1.6.2 - SecOps Change Management Process
      ACSOP-1.1.6.3 - Detection Source Management Process
      ACSOP-1.1.6.4 - User Reporting Process
  ACSOP-1.2 - SecOps Proactive Processes
    ACSOP-1.2.1 - SecOps Data Management Process
    ACSOP-1.2.2 - Custom Detection Engineering Process
    ACSOP-1.2.3 - Threat Hunting Process
    ACSOP-1.2.4 - Threat Intelligence Development & Dissemination Process
    ACSOP-1.2.5 - SecOps Automation Management Process
      ACSOP-1.2.5.1 - SecOps Custom Development Process
    ACSOP-1.2.6 - Attack Simulation Process
      ACSOP-1.2.6.1 - Attack Scenario Planning Process
      ACSOP-1.2.6.2 - Identify Friend/Foe (IFF) Process
      ACSOP-1.2.6.3 - Technical Discussion-based Simulation (Tabletop Exercise) Process
      ACSOP-1.2.6.4 - Purple Team Process
      ACSOP-1.2.6.5 - Red Team Process
      ACSOP-1.2.6.6 - Penetration Test Process
  ACSOP-1.3 - SecOps Data Analysis and Automation Platform
    ACSOP-1.3.1 - Case Management Platform
    ACSOP-1.3.2 - SecOps Business Intelligence (BI) Platform
    ACSOP-1.3.3 - Extended Detection and Response (XDR)
    ACSOP-1.3.4 - Security Information and Event Management (SIEM)
    ACSOP-1.3.5 - Security Data Lake
    ACSOP-1.3.6 - SecOps Automation Platform (SOAR)
    ACSOP-1.3.7 - Technical Anomaly Platform (Machine Learning, RE, etc.)
    ACSOP-1.3.8 - Behavior Anomaly Platform (UEBA)
    ACSOP-1.3.9 - Threat Intelligence Platform (TIP)
    ACSOP-1.3.10 - SecOps Generative AI (GenAI) Platform
ABB # | Architecture Building Block (ABB) Name | Level | Microsoft Technology
ACSOP-1.3 | SecOps Data Analysis and Automation Platform | 2 | <All Below>
ACSOP-1.3.1 | Case Management Platform | 3 | Microsoft 365 Defender; Microsoft Sentinel
ACSOP-1.3.2 | SecOps Business Intelligence (BI) Platform | 3 | Microsoft PowerBI
ACSOP-1.3.3 | Extended Detection and Response (XDR) | 3 | Microsoft 365 Defender; Microsoft Defender for Cloud
ACSOP-1.3.4 | Security Information and Event Management (SIEM) | 3 | Microsoft Sentinel
ACSOP-1.3.5 | Security Data Lake | 3 | Microsoft Azure Data Explorer (ADX)
ACSOP-1.3.6 | SecOps Automation Platform (SOAR) | 3 | Microsoft 365 Defender (AutoIR); Microsoft Sentinel
ACSOP-1.3.7 | Technical Anomaly Platform (Machine Learning, RE, etc.) | 3 | Microsoft 365 Defender; Microsoft Defender for Cloud
ACSOP-1.3.8 | Behavior Anomaly Platform (UEBA) | 3 | Microsoft Sentinel
ACSOP-1.3.9 | Threat Intelligence Platform (TIP) | 3 | Microsoft Defender Threat Intelligence; Security Copilot
ACSOP-1.3.10 | SecOps Generative AI (GenAI) Platform | 3 | Security Copilot

Note: Security Architecture Design Session (ADS) workshop for Security Operations (SecOps/SOC) includes guidance for ACSOP-1.1 SecOps Core Reactive Processes and ACSOP-1.2 SecOps Proactive Processes ABBs
Identity and Adaptive Access Management (IAAM) Capabilities

IAAM-1 - Identity and Adaptive Access Management
  IAAM-1.1 - Authentication (Known)
  IAAM-1.2 - Trust Validation (Trusted)
    IAAM-1.2.1 - Subject Security Status Determination
    IAAM-1.2.2 - Policy Decisioning
      IAAM-1.2.2.1 - Adaptive Policy Determination For Subjects
      IAAM-1.2.2.2 - Adaptive Policy Determination for Sessions
      IAAM-1.2.2.3 - Policy Enforcement
  IAAM-1.3 - Authorization (Allowed)
    IAAM-1.3.1 - Subject Entitlements to Workloads/Assets
    IAAM-1.3.2 - Workload-Specific Access Entitlements
    IAAM-1.3.3 - Identity Consent Management
  IAAM-1.4 - Identity and Policy Lifecycle Management
    IAAM-1.4.1 - Policy Lifecycle Management
    IAAM-1.4.2 - Identity Definition and Assignment
      IAAM-1.4.2.1 - Identity authority management
      IAAM-1.4.2.2 - User Identity Assignment
      IAAM-1.4.2.3 - Device Identity Assignment
      IAAM-1.4.2.4 - Application and Services Identity Assignment
      IAAM-1.4.2.5 - Data Identity Assignment
      IAAM-1.4.2.6 - Ephemeral Identity Definition and Assignment
      IAAM-1.4.2.7 - Other Identity Definition and Assignment
    IAAM-1.4.3 - Identity & Access Lifecycle Management
    IAAM-1.4.4 - Access Monitoring & Anomaly Detection

Identity and Adaptive Access Management Platform (IAAMP)
Architecture Building Blocks (ABBs)

IAAMP-1 - Identity and Adaptive Access Management Platform
  IAAMP-1.1 - Identity and Access Management Processes
    IAAMP-1.1.1 - Identity lifecycle management Process
    IAAMP-1.1.2 - Access Policy Lifecycle Management Process
      IAAMP-1.1.2.1 - Organizational access management process
      IAAMP-1.1.2.2 - App access & Consent management process
    IAAMP-1.1.3 - Identity Protocol management
    IAAMP-1.1.4 - Access Management Operational Excellence Process
      IAAMP-1.1.4.1 - Access Trend, Pattern, and Problem Management Process
      IAAMP-1.1.4.2 - Access Change Management Process
      IAAMP-1.1.4.3 - Access Problem Management Process
    IAAMP-1.1.5 - Consent Management Lifecycle Process
    IAAMP-1.1.6 - Access Management Integration Process
      IAAMP-1.1.6.1 - Posture Management Integration Process
      IAAMP-1.1.6.2 - SecOps Integration Process
      IAAMP-1.1.6.3 - Development Integration Process
      IAAMP-1.1.6.4 - Infrastructure Integration Process
      IAAMP-1.1.6.5 - Data Integration Process
  IAAMP-1.2 - Adaptive Access Control Platform
    IAAMP-1.2.1 - Adaptive Policy Information Point (PIP)
    IAAMP-1.2.2 - Adaptive Policy Decision Point (PDP)
    IAAMP-1.2.3 - Adaptive Policy Enforcement Point (PEP)
    IAAMP-1.2.4 - Adaptive Policy Manager
    IAAMP-1.2.5 - Policy Signal Source
  IAAMP-1.3 - Identity, Key, and Access Management Platform
    IAAMP-1.3.1 - Identity Provider (IDP)
    IAAMP-1.3.2 - Identity Lifecycle Management Platform
    IAAMP-1.3.3 - Application Consent Management Platform
    IAAMP-1.3.4 - Personal Data Consent Management Platform
    IAAMP-1.3.5 - Certificate and Key Management Platform
    IAAMP-1.3.6 - Authenticated Network Access Control Platform
    IAAMP-1.3.7 - Workload Authorization Mechanisms
ABB Number | ABB | Level | Microsoft Technology
IAAMP-1.2 | Adaptive Access Control Platform | 2 | Microsoft Entra
IAAMP-1.2.1 | Adaptive Policy Information Point (PIP) | 3 | Entra Conditional Access
IAAMP-1.2.2 | Adaptive Policy Decision Point (PDP) | 3 | Entra Conditional Access
IAAMP-1.2.3 | Adaptive Policy Enforcement Point (PEP) | 3 | Entra Private Access / Internet Access; Microsoft Intune; Purview Information Protection & DLP
IAAMP-1.2.4 | Adaptive Policy Manager | 3 | Entra Conditional Access
IAAMP-1.2.5 | Policy Signal Source | 3 | Entra ID / Entra ID Protection; Microsoft Intune; Microsoft 365 – Defender for Endpoint
IAAMP-1.3 | Identity, Key, and Access Management Platform | 2 | Entra ID
IAAMP-1.3.1 | Identity Provider (IDP) | 3 | Entra ID, Active Directory
IAAMP-1.3.2 | Identity Lifecycle Management Platform | 3 | Entra ID Governance
IAAMP-1.3.3 | Application Consent Management Platform | 3 | Entra ID
IAAMP-1.3.4 | Personal Data Consent Management Platform | 3 | Priva Consent Management
IAAMP-1.3.5 | Certificate and Key Management Platform | 3 | Azure Key Vault; Active Directory Certificate Services; Microsoft Identity Manager Certificate Manager
IAAMP-1.3.6 | Authenticated Network Access Control Platform | 3 | Entra Private Access / Internet Access; Azure VPN
IAAMP-1.3.7 | Workload Authorization Mechanisms | 3 | Microsoft Azure; Microsoft 365; Microsoft Dynamics 365; Custom Workload RBAC/ABAC/Permission models
Security Modernization with Zero Trust Principles

Security Strategy and Program

Business Enablement
Align security to the organization’s mission, priorities, risks, and processes

Assume Breach (Assume Compromise)
Assume attackers can and will successfully attack anything (identity, network, device, app, infrastructure, etc.) and plan accordingly

Verify Explicitly
Protect assets against attacker control by explicitly validating that all trust and security decisions use all relevant available information and telemetry.

Use least privilege access
Limit access of a potentially compromised asset, typically with just-in-time and just-enough-access (JIT/JEA) and risk-based policies like adaptive access control.

Zero Trust Architecture
Access and Identity | Infrastructure & Development Security | IoT and OT Security | Modern Security Operations (SecOps/SOC) | Data Security

Zero Trust Principles

Business Enablement
Align security to the organization’s mission, priorities, risks, and processes

Assume Breach (Assume Compromise)
Assume attackers can and will successfully attack anything (identity, network, device, app, infrastructure, etc.) and plan accordingly
→ Transforms from “defend the network” to “enable secure productivity on any network”

Asset/Node = account, app, device, VM, container, data, API, etc.

Verify explicitly
Protect assets against attacker control by explicitly validating that all trust and security decisions use all relevant available information and telemetry.
→ Reduces “attack surface” of each asset

Use least privilege access
Limit access of a potentially compromised asset, typically with just-in-time and just-enough-access (JIT/JEA) and risk-based policies like adaptive access control.
→ Reduces “blast radius” of compromises

Key Industry Collaborations

The Open Group – Focused on integration with business and IT/Enterprise/Security architecture
US National Institute of Standards and Technology (NIST) – Focused on architecture and implementation with available technology

Many organizations are contributing valuable perspectives and guidance like the Cybersecurity and Infrastructure Security Agency (CISA), Cloud Security Alliance (CSA), and some technology vendors

Key Zero Trust Models and Architectures
• The Open Group – Focused on integration with business and IT/Enterprise/Security architecture
• NIST – Focused on architecture and implementation with available technology
Zero Trust Components (The Open Group)
• Digital Ecosystems
• Data/Information
• Distributed Policy Enforcement Points (PEPs)
• Apps & Systems
• Security Zones

Microsoft Security Capability Mapping – The Open Group Zero Trust Components

Identity and Network - Multi-factor Authentication
• Microsoft Entra ID (ID Protection, Workload ID, Entra ID Governance)
• Defender for Identity

Visibility and Policy, Access Control, Asset Protection
• Microsoft Security Exposure Management

Data/Information – Classification, Protection, Tokenization
• Microsoft Purview
• Microsoft Priva

Distributed Policy Enforcement Points (PEPs)
• Microsoft Entra Conditional Access
• Entra Internet Access
• Entra Private Access
• Intune – Device Management
• Defender for Endpoint – Endpoint Detection and Response (EDR)

Apps & Systems – Innovation Security
• Defender for Cloud
• Defender for APIs
• Azure Arc
• GitHub Advanced Security & Azure DevOps Security – Secure development and software supply chain

Security Zones
• Microsoft Entra Conditional Access
• Azure Firewall (Illumio partnership)

Asset-Centric Security Operations – Security telemetry from across the environment; Rapid Threat Detection, Response, and Recovery
• Microsoft Sentinel – Security Information and Event Management (SIEM); Security Orchestration, Automation, and Response (SOAR)
• Microsoft Defender – Defender for Endpoint, Defender for Office 365, Defender for Identity, Defender for Cloud Apps, Defender for Cloud

78+ Trillion signals per day of security context
Zero Trust Architecture (ZTA) – NIST reference diagram (text recovered from figure)
• Security Analytics
• Endpoint: User Device, Mobile Device, Device (with SDP Client)
• ICAM – Identity (User, Device): Access & Credentials Management, Authentication (SSO/MFA), Authorization; Federation, Governance
• PE/PA – Security Policy: Evaluate Access
• PEP (Micro-segmentation) – Grant Access to Cloud Apps & Workloads
• SDP (example: TLS Tunnel) – Grant Access to On-Prem Apps & Workloads (File Share, Database, Storage, Apps)
• Protected Resources
• Data Security
Microsoft Zero Trust Capability Mapping
Implemented as part of the NIST ZT Architecture guide (published August 2024)
Key: NIST Area | NIST Sub-Area | • Sub-Area | Microsoft Service

Security Analytics – Security telemetry from across the environment
• Microsoft Sentinel – Security Information and Event Management (SIEM); Security Orchestration, Automation, and Response (SOAR)
• Microsoft Defender XDR – Defender for Endpoint, Defender for Office 365, Defender for Identity, Defender for Cloud Apps, Defender for Cloud

Endpoint Security
• Devices – Intune Device Management; Defender for Endpoint – Endpoint Detection and Response (EDR)
• Mobile – Intune Mobile App Mgmt
• Secure Admin Workstations; Virtual Desktops (Azure Virtual Desktop, Windows 365); Defender Application Guard
• Global Secure Access client; Devices w/ SDP (Intune VPN)

Identity, Credentials, and Access Management (ICAM) – Microsoft Entra
• Identity Access & Credential Mgmt.: User, Device, Authentication, Authorization
• Entra ID; Entra ID Governance (Governance); Federation
• Conditional Access – Determine Access

Policy Enforcement / Admin (PE/PA)
• Policy Enforcement Point (PEP): Conditional Access – Grant Access; Entra Internet Access; Entra Private Access; Software Defined Perimeter (SDP); Entra Connector; Backend Connector

Protected Resources
• Cloud Apps & Workloads: 3P SaaS / Cloud Apps (Defender for Cloud Apps); Microsoft 365 (Defender for Office 365); Azure IaaS / Workloads (Defender for Cloud, Microsoft Cloud Security Benchmark)
• On-Prem Apps & Workloads: Database, File share, Storage, Apps
• Infrastructure & Access: Azure Arc; Azure Automanage; Defender for Identity; Purview Information Protection Scanner
• Data – Data Loss Prevention: Purview DLP; Document: Purview Information Protection; Office 365; Intune Mobile App Mgmt; Defender for Cloud Apps; Cloud Infra Security: Defender for Cloud; SQL DB/Files

Feedback mechanisms enable continuous improvement
Zero Trust architecture (diagram; labels recovered from the figure, with the Microsoft products mapped to each area)
• Policy Optimization – Governance, Compliance, Security Posture Assessment, Productivity Optimization: Microsoft Defender for Cloud, Security Exposure Management, Defender for Office 365, Microsoft Purview, Compliance Manager, Microsoft Priva
• Identities – Human and Non-human, strong authentication: Microsoft Entra ID, ID Protection, Workload ID, Entra ID Governance, Defender for Identity
• Zero Trust Policies – Request enhancement, Evaluation, Enforcement: Microsoft Entra Conditional Access
• Endpoints – Corporate and Personal; device compliance and risk assessment: Intune Device Management, Defender for Endpoint (Endpoint Detection and Response, EDR)
• Data – Emails & documents, Structured data: classify, label, encrypt
• Apps – SaaS and On-premises: Defender for Cloud Apps, GitHub Advanced Security, Defender for APIs
• Network – Public and Private; adaptive access, traffic filtering & segmentation (as available): Azure Networking, Entra Internet Access, Entra Private Access
• Infrastructure – Serverless, Containers, IaaS, PaaS, Internal Sites; runtime control, JIT & Version Control: Defender for Cloud, Azure Arc
• Threat Protection – Continuous Assessment, Threat Intelligence, Forensics, Response Automation; telemetry/analytics/assessment: Microsoft Sentinel (SIEM) and Microsoft Defender XDR (SOAR) – Defender for Endpoint, Defender for Office 365, Defender for Identity, Defender for Cloud Apps, Defender for Cloud
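The Zero Trust policy flow above (request enhancement, evaluation, enforcement, continuous assessment) as an added Python example; it is not code from the MCRA deck or from Microsoft, and its rule set, risk labels, field names and the constructed threat-intelligence list are illustrative assumptions, not Microsoft Entra Conditional Access semantics.

```python
# Added example (not from the MCRA deck or from Microsoft): a minimal Zero
# Trust policy engine that walks the "Request enhancement -> Evaluation ->
# Enforcement" flow over constructed identity, device and risk signals, plus
# the continuous re-assessment of an existing session. Rule set, risk labels,
# field names and the threat-intelligence list are illustrative assumptions,
# not Microsoft Entra Conditional Access semantics.
from __future__ import annotations

from dataclasses import dataclass, replace
from enum import Enum


class Decision(Enum):
    GRANT = "grant"
    REQUIRE_MFA = "require_mfa"  # grant only after step-up authentication
    BLOCK = "block"


@dataclass(frozen=True)
class AccessRequest:
    user: str
    app: str
    app_sensitivity: str     # "low" | "high"   (constructed labels)
    source_ip: str
    mfa_satisfied: bool      # strong authentication already done this session
    device_managed: bool     # enrolled in device management
    device_compliant: bool   # meets the compliance policy (patched, encrypted, ...)
    user_risk: str = "low"   # "low" | "medium" | "high"
    signin_risk: str = "low"


# Constructed threat-intelligence feed of source addresses seen in credential
# attacks (RFC 5737 documentation range, so it never matches real traffic).
KNOWN_BAD_SOURCES = frozenset({"203.0.113.7"})


def enhance(req: AccessRequest) -> AccessRequest:
    """Request enhancement: add context the caller did not supply.
    Here a known-bad source address raises the sign-in risk to high."""
    if req.source_ip in KNOWN_BAD_SOURCES and req.signin_risk != "high":
        return replace(req, signin_risk="high")
    return req


def evaluate(req: AccessRequest) -> tuple[Decision, list[str]]:
    """Evaluation: ordered rules, first match wins. 'Assume breach' blocks
    come first so a risky signal can never be outvoted by a benign one;
    least-privilege step-ups follow; GRANT is reached only by passing every
    explicit check."""
    if req.user_risk == "high":
        return Decision.BLOCK, ["user risk high: remediate the account before access"]
    if req.signin_risk == "high":
        return Decision.BLOCK, ["sign-in risk high: treat the session as compromised"]
    if req.app_sensitivity == "high" and not req.device_compliant:
        return Decision.BLOCK, ["sensitive app requires a compliant device"]
    if not req.mfa_satisfied:
        reasons = []
        if req.app_sensitivity == "high":
            reasons.append("sensitive app requires MFA")
        if req.signin_risk == "medium":
            reasons.append("medium sign-in risk requires MFA")
        if not req.device_managed:
            reasons.append("unmanaged device requires MFA")
        if reasons:
            return Decision.REQUIRE_MFA, reasons
    return Decision.GRANT, ["all explicit verification checks passed"]


def enforce(req: AccessRequest) -> dict:
    """Enforcement: run the pipeline and return what a Policy Enforcement
    Point needs: the decision, the reasons (for audit), and the enriched
    signals the decision was based on."""
    enriched = enhance(req)
    decision, reasons = evaluate(enriched)
    return {"user": enriched.user, "app": enriched.app, "decision": decision,
            "reasons": reasons, "signin_risk": enriched.signin_risk}


def reassess_session(req: AccessRequest, **changed) -> Decision:
    """Continuous assessment: a granted session is re-evaluated whenever a
    signal changes (device drops out of compliance, user risk rises, ...)."""
    return enforce(replace(req, **changed))["decision"]


if __name__ == "__main__":
    base = AccessRequest(user="alice", app="payroll", app_sensitivity="high",
                         source_ip="198.51.100.20", mfa_satisfied=True,
                         device_managed=True, device_compliant=True)
    for label, result in [("baseline", enforce(base)),
                          ("known-bad source", enforce(replace(base, source_ip="203.0.113.7"))),
                          ("device non-compliant", enforce(replace(base, device_compliant=False)))]:
        print(f"{label:>20}: {result['decision'].value:12} {'; '.join(result['reasons'])}")
```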
Managing Information/Cyber Risk – April 2025 – https://aka.ms/SecurityRoles
Security responsibilities or “jobs to be done” (diagram; labels recovered from the figure)
• Information Risk Management
• Program Management Office (PMO)
• Supply Chain Risk (People, Process, Technology)
• Posture Management
• Incident Preparation
• Incident Response
• Incident Management
• Threat Hunting

Microsoft security capability mapping – which roles typically use which capabilities – https://aka.ms/MCRA
Access Control – Establish Zero Trust access model to modern and legacy assets using identity & network controls
Identity Admin, Identity Architect, Identity Security
• Microsoft Entra – Entra ID (Formerly Azure AD), Multifactor Authentication, Conditional Access, Application Proxy, External Identities / B2B & B2C, Internet/Private Access, Identity Governance, and more..
• Windows Hello for Business
• Microsoft 365 Defender – Microsoft Defender for Identity, Microsoft Defender for Cloud Apps
• Microsoft 365 Lighthouse, Azure Lighthouse [multi-tenant]
• Azure Bastion
• Azure Administrative Model – Portal, Management Groups, Subscriptions; Azure RBAC & ABAC
Network Security
• Azure Firewall, Azure Firewall Manager, Azure DDoS, Azure Web Application Firewall
• Azure Networking Design – Virtual Network, NSG, ASG, VPN, etc.; PrivateLink / Private EndPoint
Endpoint / Device Admin
• Microsoft Intune – Configuration Management
• Microsoft Defender for Endpoint

Security Operations – Detect, Respond, and Recover from attacks; Hunt for hidden threats; share threat intelligence broadly
Incident preparation, Security Operations Analyst
• Microsoft Defender XDR (Microsoft 365 Defender) – Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Identity, Microsoft Defender for Cloud Apps, Microsoft Entra Identity Protection
• Microsoft Defender for Cloud – Microsoft Defender for DevOps, Servers, Storage, SQL, Containers, App Service, APIs, Key Vault, DNS, open-source relational databases, Azure Cosmos DB
• Microsoft Security Copilot
• Microsoft Sentinel
• Microsoft Security Experts – Microsoft Incident Response / Detection and Response Team (DART)
Threat intelligence Analyst
• Microsoft Defender Threat Intelligence (Defender TI)
• Microsoft Sentinel

Security Governance – Continuously identify, measure, and manage security posture to reduce risk & maintain compliance
Security architecture
• Microsoft Cybersecurity Reference Architecture – https://aka.ms/MCRA
Posture management, Policy and standards, Compliance management
• Microsoft Defender for Cloud – Secure Score, Compliance Dashboard, Azure Security Benchmark, Azure Blueprints, Azure Policy
• Microsoft Defender External Attack Surface Management (MD-EASM)
• Microsoft Purview – Compliance manager

Asset Protection – Protect sensitive data and systems. Continuously discover, classify & secure assets
Infrastructure and endpoint security, IT Ops, DevOps
• Microsoft Defender for Cloud (including Azure Arc)
• Azure Blueprints, Azure Policy, Azure Firewall, Azure Monitor, Azure Web Application Firewall, Azure DDoS, Azure Backup and Site Recovery
• Azure Networking Design – Virtual Network, NSG, ASG, VPN, etc.; PrivateLink / Private EndPoint
• Azure Administrative Model – Portal, Management Groups, Subscriptions; Azure RBAC & ABAC; Azure Resource Locks
OT and IoT Security
• Microsoft Defender for IoT (& OT)
• Azure Sphere
Data security
• Microsoft Purview – Information Protection, Data Loss Prevention
• Microsoft Defender for Cloud Apps
Innovation Security – Integrate Security into DevSecOps processes. Align security, development, and operations practices.
Application security and DevSecOps
• (Same as Infrastructure Roles)
• GitHub Advanced Security
• Azure DevOps Security
People security
• Attack Simulator
• Insider Risk Management
Privacy Manager
• Microsoft Priva
Security accountabilities & responsibilities across the organization

Organizational Leadership & Oversight
• Member of Board of Directors
• Chief Executive Officer (CEO)
• Chief Financial Officer (CFO)
• Chief Operating Officer (COO)
• Chief Legal Officer (CLO)
• Product and Business Line Leaders

Business Management and Operations
• Product Line Managers / Directors
• Product Owners
• Business Architects
• Business Analysts
• Information Worker / Frontline Worker

Security-Adjacent Disciplines
• Chief Security Officer (CSO) and team
• Chief Risk Officer (CRO) and team
• Chief Privacy Officer (CPO) and team
• Data Officer / Data Governance and team
• Compliance and Audit team
• Anti-Fraud Team

Other Cross-Functional Disciplines
• Legal Team
• Finance Team
• Procurement & Acquisition
• Human Resources
• Communications / Public Relations
• Organizational Readiness / Training

Technical Leadership
• Chief Digital Officer (CDO)
• Chief Information Officer (CIO)
• Chief Technology Officer (CTO)
• Chief Information Security Officer (CISO)
• Software Delivery Vice President (VP)
• Technology Directors
• Security Directors
• Security Strategy, Integration, and Governance
• Software Development Directors

Architects
• Enterprise Architects
• Security Architects
• Infrastructure Architects
• Data and Artificial Intelligence (AI) Architects
• Access Architects (Identity, Network, App, etc.)
• Solution Architects
• Software / Application Architects

Application & Product Development
• Technology Delivery Managers
• Software Testing/Quality Managers
• Software Security Engineers
• Software Developers (including AI)
• Software Testers
• DevOps Leads
• Supply Chain Security
• Internet of Things (IoT)

People Security
• Security Education and Engagement
• Insider Risk Management

Security Posture Management
• Security Posture Management
• Security Governance & Compliance Management

Technical Engineering and Operations
• Technology Managers
• Security Managers
• Automation Engineering
• Identity
• Network
• User Endpoints
• User Productivity and Support
• Infrastructure/Platform (Cloud, On-Prem, CI/CD, etc.)
• Data and Artificial Intelligence (AI)
• Operational Technology (OT)
• Security Engineering

Security Operations (SecOps/SOC)
• Security Operations (SecOps) Managers
• Triage Analyst
• Investigation Analyst (Digital Forensics)
• Reverse Engineering
• Threat Hunting and Detection Engineering
• SecOps Platform and Data Engineering
• Attack Simulation (Red & Purple Teaming)
• Incident Coordination and Management
• Threat Intelligence
Role Example – CEO (proposed draft text for security roles and glossary standard)

Security responsibilities / accountabilities
Chief Executive Officer (CEO) – The CEO establishes the culture and strategic direction of the organization that guides everyone in the organization on how to prioritize funding, time, and energy across all aspects of the business, including security risk. The security accountabilities for a CEO include:
• Prioritizing security in the organization’s culture and sponsoring the Zero Trust transformation by embedding security in business decisions at all levels (which may require shifting revenue vs. risk tradeoffs).
• Establish or correct security accountability structure – The CEO must ensure that anyone making a decision that impacts the organization’s security risk is accountable for the full consequence of those decisions including the security risk implications of them.
• Position security team as an enabler – The CEO must empower the CISO and security team to provide the required security context to business and technology roles across the organization (and hold them accountable for this enablement). This includes providing expertise to enable risk prevention, management of incidents that do happen, and supporting the continuous learning by providing tailored recommendations to avoid or mitigate future incidents.
• Sponsor or approve security-aware procurement and open source policy – The CEO must ensure that organizational policy requires analyzing the security characteristics of all new software before the organization commits to purchasing or integrating it into their systems. Any software can introduce organizational risk if it isn’t properly developed, tested, implemented, and maintained. A security review of software and vendors can discover and mitigate security risks early and cost-effectively before the organization has invested into product implementation and integration. This must be applied generally to all procurement because software is included in a high percentage of products purchased by organizations (including many different types and sizes of equipment). Additionally, most technology and AI projects typically include open source software that can introduce security risks to the organization (outside of purchasing process).

Consequences of not doing this (or not doing it well / completely)
Without the CEO prioritizing cybersecurity across the organization, the security team is often positioned as a scapegoat, getting the accountability and blame for security incidents resulting from decisions made by other teams. This causes all non-security roles to lack understanding and accountability for the security impacts of decisions they make, resulting in higher risk with every decision and action. This results in more security incidents, higher severity and business impact per incident, inability to accurately judge the organization’s actual risk, inability to recruit security leaders / professionals, and reduced business agility because security teams often try to slow or block business initiatives for fear of being blamed.

Asset Scope and Required Attack Knowledge
• The CEO is ultimately accountable for all organizational assets of all types in aggregate.
• Standard cybersecurity skills for information workers
• Organizational security threats, risks, and challenges
Security Adoption Framework – Microsoft capability overview (diagram; labels recovered from the figure) – aka.ms/MCRA, aka.ms/SPA
• Microsoft Security Experts
• Microsoft Defender XDR – Unified Threat Detection and Response across IT, OT, and IoT Assets: Incident Response | Automation | Threat Hunting | Threat Intelligence
• Microsoft Sentinel – Cloud Native SIEM, SOAR, and UEBA
• Asset classes: Cloud (Azure, AWS, GCP, On Prem & more); Endpoint (Workstations, Server/VM, Containers, etc.); Office 365 (Email, Teams, and more); Identity (Cloud & On-Premises); SaaS (Cloud Apps); Data (SQL, DLP, & more); OT/IoT (& devices); Other (Tools, Logs, & Data)
• Security Documentation & Benchmarks
• Microsoft Entra; Microsoft Entra Internet Access; Microsoft Entra Private Access & App Proxy (Beyond User VPN)
• Defender for Cloud – Cross-Platform Cloud Security Posture Management (CSPM): Discover, Monitor, Classify, Protect
• Azure Key Vault, S3, Azure Backup, Security & Other Services
• GitHub Advanced Security & Azure DevOps Security – Secure development and software supply chain
Key cross-platform and multi-cloud guidance (On-Premises, IaaS, PaaS, S3; Azure Arc) – https://aka.ms/MCRA
• Microsoft Defender for Cloud multicloud solution
• Multi-cloud & hybrid protection in Microsoft Defender for Cloud
Access Management Capabilities – can be implemented today using Microsoft and partner capabilities (diagram; labels recovered from the figure)
• Identities: Employee, Partner, Customer, Workload
• Direct Application Access – Core adaptive access policy (Security Policy Engine)
• Security Service Edge (SSE) – Additional policy control & monitoring with Zero Trust Network Access (ZTNA), secure web gateway (SWG), Cloud Access Security Broker (CASB), and Firewall-as-a-Service (FWaaS)
• Virtual Private Network (VPN) – Legacy technology being retired
• Macro- and Micro-segmentation – Workload isolation using identity, network, app, and other controls

Using Microsoft Technology
• Microsoft Entra ID (formerly Azure AD), Entra ID Governance, Entra ID Self Service Password Reset (SSPR)
• Microsoft Entra Conditional Access – core adaptive access policy
• Entra Internet Access, Entra Private Access, and Partners – Security Service Edge (SSE)
• Microsoft Threat Intelligence – 78+ Trillion signals per day of security context & Human Expertise
• Microsoft Defender + Intune
• Illumio partnership, LAPS – Macro- and Micro-segmentation
https://aka.ms/MCRA
Business Critical Assets and Potential Attack Surface (diagram; labels recovered from the figure)
• Business Critical Assets are reached through Devices/Workstations, Accounts, Interfaces, and Intermediaries; each of these is part of the potential attack surface
• Asset Protection also required – Security updates, DevSecOps, data at rest / in transit, etc.
Security operations – Align to Mission + Continuously Improve (diagram; labels recovered from the figure) – https://aka.ms/MCRA
• Measure and reduce attacker dwell time (attacker access to business assets) via Mean Time to Remediate (MTTR)
• Analysts and Hunters; Case Management; Incident Response/Recovery Assistance; Managed Detection and Response
• Security Information and Event Management (SIEM); Extended Detection and Response (XDR); Threat Intelligence (TI); Automation (SOAR)
• Generative AI – Simplifies tasks and performs advanced tasks through chat interface; Microsoft Security Copilot – Simplifies experience for complex tasks/skills
• Enterprise Assets – Multiple generations of technology spanning clouds, Devices, Operating Systems, Applications, Data Formats, and more; these provide actionable security detections, raw logs, or both
Operational Technology (OT) Security Reference Architecture – https://aka.ms/MCRA
Apply zero trust principles to securing OT and industrial IoT environments

Blended cybersecurity attacks are driving convergence of IT, OT, and IoT environments, strategic security architectures, and capabilities

Business Analytics
• Azure Analytics – IoT Hub, PowerBI, Azure Digital Twins, and more
• 3rd party analytics
Security Analytics
• Cloud – native plug-in for Microsoft Defender for IoT
• Microsoft Sentinel – native OT investigation & remediation playbooks; correlation with other data sources and threat intelligence (attack groups & context)
• 3rd party SIEM

IIoT / OT Digital Transformation drivers
• Business Efficiency – Data to enable business agility
• Governance & Regulatory Compliance with safety and other standards
• Emerging Security Standards like CMMC

Operational Technology (OT) Environments vs. Information Technology (IT) Environments
• Priorities: OT – Safety/Integrity/Availability; IT – Confidentiality/Integrity/Availability
• Hardware Age: OT – 50-100 years (mechanical + electronic overlay); IT – 5-10 years
• Warranty length: OT – up to 30-50 years; IT – 3-5 years
• Protocols: OT – Industry Specific (often bridged to IP networks); IT – Native IP, HTTP(S), Others
• Security Hygiene: OT – Isolation, threat monitoring, managing vendor access risk (patching rarely); IT – Multi-factor authentication (MFA), patching, threat monitoring, antimalware

Purdue Model (diagram; labels recovered from the figure)
• Level 3 – Site Operations: Control & monitoring for physical site with multiple functions (e.g. plant)
• Level 2 – Supervisory Control: Monitoring & Control for discrete business functions (e.g. production line)
• Level 1 – Basic Control: Electronics controlling or monitoring physical systems
• Level 0 – Process: Physical machinery
• Safety systems
• Network TAP/SPAN feeds Sensor(s) + Analytics and Business Analytic Sensor(s); plant security console (optional); Microsoft Defender for IoT (and OT) Manager and Security Console; 3rd party SIEM; optional cloud connection using TLS with mutual authentication

Isolation and Segmentation – the Purdue model assumed a static site/enterprise model
• Internal Hard Boundary: Physically disconnect from IT network(s) as business processes allow
• Soft(ware) Boundary: People, Process, and Tech (network + identity access control, boundary patching and security hygiene)
Transform with Zero Trust Principles
• Datacenter Segments – Align network/identity/other segmentation controls to business workloads and business risk
• End user access – Dynamically grant access based on explicit validation of current user and device risk level
Zero Trust Principles – Assume breach, verify explicitly, use least privilege access (identity and network)
©Microsoft Corporation

Identity governance and detection capabilities (diagram residue; labels recovered from the figure)
• Automated User Provisioning, Privileged Identity Management (PIM), Entitlement Management, Terms of Use, Access Reviews
• Protected resources – On-Premises & Other Cloud Resources/Data; Azure Resources/Data
• Microsoft Defender XDR – Unified Threat Detection and Response across IT, OT, and IoT Assets: Incident Response | Automation | Threat Hunting | Threat Intelligence; Microsoft Defender for Endpoint, Entra ID Protection, Microsoft Defender for Identity
• Microsoft Defender for Cloud – Detections across assets and tenants
• Microsoft Sentinel – Cloud Native SIEM, SOAR, and UEBA
DevSecOps lifecycle – Idea → Incubation → First Production Release → Production DevSecOps
• Architecture & Governance
• Security, Compliance, Identity, & Other Standards
Continuous Improvement of DevSecOps Lifecycle
1. MVP definitions – Update minimum requirements for Dev, Sec, and Ops (agility, stability, security, identity standards, and more)
2. Continuously improve process, program, education, tooling, etc. to improve developer productivity, efficiency, security, identity, and more
It’s bad out there! – For sale in “bad neighborhoods” on the internet (https://aka.ms/humanoperated)
Attacker techniques, business models, and skills/technology are continuously evolving; there is continuous attack supply chain innovation, and many attack tools and tutorials/videos are available for free on the internet.
• Attacker for hire (per job) – $250 per job (and up)
• Ransomware Kits – $66 upfront (or 30% of the profit / affiliate model)
• Compromised PCs / Devices – PC: $0.13 to $0.89; Mobile: $0.82 to $2.78
• Spearphishing for hire – $100 to $1,000 (per successful account takeover)
• Stolen Passwords – $0.97 per 1,000 (average) (Bulk: $150 for 400M)
• Denial of Service – $766.67 per month
• Other Services
Attack Chain Models – describe stages of an attack
• Simple model for business leaders and other non-technical stakeholders (aka.ms/HumanOperated)
• MITRE ATT&CK Framework – Detailed model for technical detection coverage assessments and planning: Reconnaissance, Resource Development, Initial Access, Persistence, Defense Evasion, Privilege Escalation, Discovery, Credential Access, Lateral Movement, Command and Control, Exfiltration, Impact
• Lockheed Martin Kill Chain – Legacy Reference Model (missing lateral traversal): Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, Actions on the Objective
Prioritizing attack techniques – always prioritize critical business assets and direct paths to them
Security events (and threat intelligence research) can increase attack technique priority
1. Prevalent
• Used against you
• Used on similar organizations (industry peers, similar/related data, etc.)
• Common for everyone: 1. Phishing 2. Pass the hash/ticket 3. Password spray 4. Password re-use from known breaches
2. Proven
• Works in the wild somewhere against dissimilar organizations
3. Potential
• Possible but not recently used in active attacks
A bottomless pit, but an expensive one – Attackers have potentially infinite ability to abuse complex systems, but each new approach costs time/resources/money or increased chances for failure/detection.
What’s in Microsoft 365 E5 – Product Licensing Details – https://aka.ms/MCRA

Product Name (& Previous Product Names) | Product Category(ies) | Security Modernization Initiative(s)
• Microsoft Defender for Endpoint (MDE) – Formerly Microsoft Defender ATP, Windows Defender ATP | Extended Detection and Response (XDR); Endpoint Detection and Response (EDR); Threat and Vulnerability Management (TVM) | Modern Security Operations; Infrastructure and Development
• Windows Defender Antivirus | Endpoint Protection Platforms (EPP) | Security Hygiene: Backup and Patching
• Microsoft Defender for Identity (MDI) – Formerly Azure ATP | Extended Detection and Response (XDR) | Modern Security Operations
• Microsoft Defender for Office (MDO) – Formerly Office 365 ATP | Extended Detection and Response (XDR) | Modern Security Operations
• Microsoft Defender for Cloud Apps (MDCA) – Formerly Microsoft Cloud App Security | Cloud Access Security Broker (CASB); Extended Detection and Response (XDR) | Access and Identity; Modern Security Operations; Data Security
• Entra ID (Formerly Azure AD) – Multifactor Authentication; Microsoft Entra Conditional Access; Self-service password management; Identity Protection; Identity Governance; Privileged Identity Management (PIM) | Access Management | Access and Identity; Modern Security Operations
• Microsoft Purview – Compliance Management; Data Lifecycle Management; eDiscovery and auditing; Insider Risk Management; Information Protection | – | Data Security
• Windows 10 & Windows 11 – Windows Hello for Business; Windows AutoPilot; Advanced Windows Security | – | Access and Identity
• Microsoft Intune | Unified Endpoint Management (UEM) | Access and Identity
Product Families Enable Modernization Initiatives (diagram; labels recovered from the figure)
• Security Strategy and Program; Zero Trust Architecture (span all initiatives)
• Access and Identity – Entra, Intune
• Infrastructure & Development Security – Defender, Azure
• IoT and OT Security – Defender
• Modern Security Operations (SecOps/SOC) – Defender, Sentinel
• Data Security – Purview, Priva
• Security Copilot (spans the initiatives)
Network segmentation and adaptive access reference (diagram; labels recovered from the figure; rotated axis labels dropped)
• Provided by someone else – Unmanaged Internet: Basic network monitoring for guests, partners, new/unmanaged devices
• Managed Internet: Monitored network for validated devices to communicate peer to peer (patching, collaboration, etc.); Microsoft Entra application proxy
• Spans on-premises & multi-cloud environments – Business Units/Apps
• High Impact IoT/OT – IoT/OT With Life/Safety Impact; Low Impact IoT/OT – Printers, VoIP phones, etc.
• Services: Sanctioned and Managed Services; Internet and Unsanctioned/Unmanaged Apps; Private and Managed in the cloud or on-premises
• Adaptive Access Control across account and device tiers: Privileged Accounts (Business critical system users, developers, admins) and Privileged Devices; Specialized Accounts (Sensitive System users, developers, & admins) and Specialized Devices; Enterprise Accounts (Employee, Partner) and Enterprise Devices / Managed Devices; Anonymous and Consumer identities and Unmanaged devices (BYOD, partners, etc.)
Securing AI – Microsoft approach (diagram; labels recovered from the figure)
• Provide policy and education
• Expect, plan for, and track attacker use of AI
• Protect AI data and applications
• Adopt AI security capabilities
AI brings a new/different interface, elevates focus on data, and requires new controls. AI requires & accelerates Zero Trust; securing AI is a shared responsibility; Microsoft approach.

AI amplifies existing data security/governance challenges – AI makes data discovery easy, so you must fix any existing issues with data discovery, classification, & excessive permissions.

AI increases value of data – AI relies on data and creates new value from it, increasing urgency to protect data from attackers trying to steal/resell it.

AI introduces new avenue of potential data leakage – Must secure AI applications and models to ensure their design, implementation, and use don’t allow for unauthorized leakage to internal or external users.
AI is typically an application component, so both defense types are required

Classic Application Components vs. Artificial Intelligence (AI) Components
• Logic Type: Classic – Predictable Logic, consistent (deterministic) outcomes; AI – Dynamic Logic, variable outcomes
• Running Multiple Times: Classic – same results; AI – similar results (not the same, not completely different)
• Exploitation & Mitigation: Classic – Precise interruption / redirection of logic flow; AI – General biases & hallucinations in outcomes

AI requires Zero Trust – AI is data-centric technology and drives continuous changes to business, technology, and security threats
AI accelerates Zero Trust – AI accelerates learning and productivity by automating complex Zero Trust tasks and acting as an ‘on-demand mentor’
AI Shared Responsibility Model – illustrates which responsibilities are typically performed by an organization and which are performed by their AI provider (such as Microsoft)
• Layers: AI Usage; AI Application; Model; AI Platform (Dependent)

Microsoft approach
• Establish clarity: Your data is your data
• Implement responsible AI principles
• Prioritize greatest needs and opportunities for security
Microsoft Security Copilot – Key Use Cases
• Investigate and summarize incidents – Guidance for incident response, including directions for triage, investigation, containment, and remediation. Easily summarize incidents to enable collaboration, escalation, business impact analysis, and more.
• Explore risks and manage security posture – Summarize threat intelligence (TI) for threat actors. Research relevant TI for an artifact to contextualize an incident or threat, including associated MITRE ATT&CK techniques, tactics, and procedures (TTPs).
• Manage and troubleshoot policy and controls – Reduce errors that could create operational disruptions (directly or via incidents) by identifying conflicting or misconfigured policies. Streamline policy creation with recommended configurations.
• Build & reverse engineer scripts – Reverse engineer attacker scripts to quickly understand their intent and capabilities. Easily build query-language and task automation scripts.
• Agents perform specific tasks autonomously
AI Agents Perform Specific Tasks Autonomously
Agentic AI - AI Agents build on Generative AI and other automation technology to
perform specific tasks without requiring humans to oversee every action they take

Examples from Microsoft Security Copilot


• Phishing Triage Agent in Microsoft Defender triages phishing alerts with accuracy to identify real
cyberthreats and false alarms. It provides easy-to-understand explanations for its decisions and improves
detection based on admin feedback.
• Alert Triage Agents in Microsoft Purview triage data loss prevention and insider risk alerts, prioritize
critical incidents, and continuously improve accuracy based on admin feedback.
• Conditional Access Optimization Agent in Microsoft Entra monitors for new users or apps not covered
by existing policies, identifies necessary updates to close security gaps, and recommends quick fixes for
identity teams to apply with a single click.
• Vulnerability Remediation Agent in Microsoft Intune monitors and prioritizes vulnerabilities and
remediation tasks to address app and policy configuration issues and expedites Windows OS patches with
admin approval.
• Threat Intelligence Briefing Agent in Security Copilot automatically curates relevant and timely threat
intelligence based on an organization’s unique attributes and cyberthreat exposure.
Review – Artificial Intelligence (AI)
• GenAI enables a new interface (natural language)
  • Makes technology easier to use and learn
  • Enables people to do more advanced tasks
• Critical to adapt quickly to this technology
  • Educate on and mitigate attacker use of AI
  • Embrace security use of AI
  • Protect business use of AI
• Securing AI is a shared responsibility
• Microsoft Approach to AI
  • Establish clarity: your data is your data
  • Implement responsible AI principles
  • Focus initial security priorities on greatest needs

Resources and References