I’m writing this blog because I’m preparing for the SC-100 exam, and part of this exam is on the Microsoft Cybersecurity Reference Architecture (MCRA). I’m writing this blog in a way to teach you, the reader. I’d highly recommend you look at Microsoft Learn’s page as well as Peter Rising’s video on the MCRA. I’m going to be basing a lot of the information in this blog on the Microsoft docs.
So, what is the MCRA?
The MCRA is a component of the Microsoft Security Adoption Framework (SAF). What’s SAF? SAF provides guidance for organizations through end-to-end security modernization across a ‘hybrid of everything’ technical estate. The point of it is to be an end-to-end approach to security: it’s about putting security into every building block of a development. It’s designed to adapt flexibly to continuously evolving attackers, changing business requirements, and technology platform changes. The MCRA basically describes how Microsoft security capabilities integrate with Microsoft platforms. I think the MCRA is good for organizations that have paid for E5 licenses but don’t actually utilize them to the full extent.
But what does the MCRA include?
The MCRA includes important information on:
- Antipatterns (Common mistakes, such as not patching in time)
- Best practices (Like using MFA, everywhere)
- Threat trends and attack patterns (How people typically break in, such as phishing)
- Mapping Microsoft capabilities to people within your organization (Not pushing it to a single person or team)
- Mapping Zero Trust to your organization
- Securing privileged access
- Reference plans in SAF
- Prioritizing using attackers return on investment
It also provides lots of technical digrams.
Why and how to use the MCRA
The MCRA is a really good starting template for security architecture. The most common use case is organizations using the MCRA to define a target state for their cybersecurity capabilities. The whole point of the MCRA is an approach that any organization can adopt: you can go through the MCRA thinking “We’re here, but this is where we could be”. The MCRA is also good for comparing its recommendations against solutions an organization already owns, such as the Defender suite of products, or for working out how to best utilize a SIEM tool like Microsoft Sentinel. The MCRA also allows you to learn about Microsoft capabilities. I’ll tell you that when I first started on the SC-100 certification, there were so many benefits I realized that we are just not utilizing yet. The MCRA is also a good tool for people who are newer to the cybersecurity space and are looking to learn something new.
Let’s dive in
First, I’m going to talk about the ‘path of least resistance’. The path of least resistance is the easiest path someone would take to go from no access to the keys to the castle. Maybe an attacker first takes a look at your website; they run vulnerability scans and common attacks but don’t get in. So they change course and try to figure out the most common attack you may fall victim to. In most instances, this is phishing. So, maybe they first get access by phishing one of your employees, gaining full access to that employee’s computer. The attacker then contacts your IT administrator by raising a false help desk request to fix an issue. The IT administrator connects to the compromised machine and enters privileged credentials; now the attacker has access to your IT administrator’s account. In this instance, it did not matter how up-to-date you kept your website, or how secure you kept your login information – the attacker was still able to break in using a fairly simple path. Of course, this changes from company to company – but it’s important to understand that all areas of security need to be covered and that the attacker will, in most instances, take the easiest and most reliable path. Often companies fall prey to common security antipatterns. I’ve put Microsoft’s common security antipatterns below:
- Skipping basic maintenance (Skipping backups, software updates/patching)
- Securing the cloud like on-prem (Attempting to force on-prem controls to the cloud, especially when migrating)
- Wasting resources on legacy systems and applications (If your application is no longer secure or is outdated, look for a new application)
- Artisan security (Focused on manual solutions instead of automation and off the shelf tooling)
- Disconnected security approach (This is someone else’s job to secure, not mine)
- Lack of commitment to life cycle (Treating security controls and processes as points in time instead of an ongoing lifecycle)
Here are some of Microsoft’s recommended best practices:
- Asset-centric security aligned to business priority & technical estate
- Consistent principle-driven approach throughout security lifecycle
- Pragmatic prioritization based on attackers’ motivations, behavior and return on investment
- Balance investments between innovation and application security maintenance
- Configure-before-customize approach to embrace automation, innovation and continuous improvement
- Security is a team sport; don’t rely on an individual or team
Security is complex and challenging, but you must secure across everything. New IoT and cloud services should be configured securely. Legacy systems must be secured or replaced. Do not take the approach of ‘nothing gets retired’ out of fear it will break something – create a project plan and fix the issue. If your users have access to sensitive data, it doesn’t matter how secure your application or infrastructure is, as data tends to be what the attacker came for.
False Assumptions vs the Zero Trust Mitigation
‘Security is the opposite of productivity’ is a common false assumption. It’s often thought that security just ‘makes things harder’, and often it can. However, if you align security to the organization’s mission and processes, you can often make a system secure without making it more difficult to access. ‘All attacks can be prevented’ is a bad assumption. If you had a virtual machine that was air-gapped, why would you not install anti-virus on it? ‘X security perimeter will keep attackers out’ is a bad assumption – thinking that a certain perimeter will always keep your organization safe is always false. ‘Passwords are strong enough’: this tends to be the bare minimum for security, but is commonly all the security that organizations use. Use multi-factor authentication everywhere. On top of that, use Conditional Access, as well as other tools such as Entra ID Protection. Organizations often think that IT administrators are safe, but this is rarely the case; they often do have more offsec training than regular employees, but they are also targeted quite heavily. Organizations often believe that code is written securely, and often it is, but it only takes one wrong line of code to breach a company. ‘Our vendors are secure’ is another false assumption. Always assume breach, and assume that your vendors’ security is bad. Plan for ‘when’, not ‘if’, your vendor gets breached.
Microsoft’s three recommended steps are to first look end-to-end (at the whole security problem), then prioritize based on critical issues and quick wins, and lastly get started somewhere and continuously improve.
The 10 laws of Cybersecurity risk
– Security success is ruining the attackers return on investment
– Not keeping up is falling behind
– Productivity always wins
– Attackers don’t care
– Ruthless prioritization is a skill
– Cybersecurity is a team sport
– Your network isn’t as trustworthy as you think
– Isolated networks aren’t automatically secure
– Encryption alone isn’t a data protection solution
– Technology doesn’t solve people & process problems
Immutable Laws of Security
– If a bad actor can persuade you to run their program on your machine, it’s not really your machine
– If the bad actor can access or change the OS of your computer, it’s not your computer anymore
– If a bad actor has unrestricted physical access to your computer, it’s not your computer anymore
– If you allow a bad actor to run active content in your website, it’s not your website anymore
– Weak passwords trump strong security
– A computer is only as secure as the administrator is trustworthy
– Encrypted data is only as strong as the decryption key
– An out-of-date malware scanner is only marginally better than no scanner at all
– Absolute anonymity isn’t practically achievable, online or offline
– Technology isn’t a panacea (For all those who don’t know, a panacea is a “solution or remedy for all difficulties”)
Zero Trust commandments
– Practice deliberate security
– Support business objectives
– Develop a security-centric culture
– Deploy agile and adaptive security
Microsoft Security Capabilities – Security Operations / SOC
Microsoft Security Experts / Defender Experts, with detection and response teams.
Microsoft’s own Security Operations, run using Microsoft Security products.
The Microsoft Defender XDR suite of tools, which includes incident response, automation, threat hunting and threat intelligence.
Endpoints & Devices
Intune / Configuration manager
Microsoft Defender for Endpoint (EDR). This also includes Web Content Filtering, Threat & Vulnerability Management, and Endpoint Data Loss Prevention (DLP)
Hybrid Infrastructure (IaaS, PaaS, On-prem)
– Azure Firewall & Firewall manager
– Azure WAF
– DDoS protection
– Azure Key Vault
– Azure Bastion
– Azure Lighthouse / Azure Arc
– Azure Backup
– ExpressRoute & Private Link
Software as a Service (SaaS)
– App Discovery & Risk Scoring (Shadow IT)
– Threat Detection & Response
– Policy Audit & Enforcement
– Session monitoring & control
– Information Protection & Data Loss Prevention (DLP)
Conclusion
Now this was far from all that’s included in the MCRA; I thought I’d give a brief summary of what it is and why it’s important. I have not dived deep into the different security tools because there is just too much to cover. I highly recommend you download and have a read of the MCRA’s PowerPoint presentation.