Thomas Naunheim
Microsoft MVP | Cyber Security Architect @glueckkanja AG
Koblenz, Germany
Thomas Naunheim is a Cyber Security Architect at glueckkanja AG and a Microsoft MVP from Koblenz, Germany.
His principal focus is on identity and security solutions in Microsoft Azure and Microsoft Entra.
Thomas shares his experience and research with the community as a blogger at “cloud-architekt.net”,
and he is a speaker at conferences and co-author of the "Entra ID Attack & Defense Playbook”.
He is a member of the "Azure Meetup Bonn" and “Cloud Identity Summit” organization team and is also co-host of the podcast "Cloud Inspires".
Thomas Naunheim is a Microsoft MVP focusing on cloud-based security solutions in Microsoft Azure.
His primary topics are cloud-native security solutions in the areas of identity management and infrastructure security. Thomas works as a Cloud Security Architect at glueckkanja AG.
Besides talks at meetups and conferences, he publishes articles on his blog "cloud-architekt.net".
He is also active in the organization team of "Azure Meetup Bonn" and the "Cloud Identity Summit".
Topics
Mac-nificent - How Platform SSO empowers security and usability en
In this session, we will demonstrate how to configure Platform SSO in Intune and explore the benefits of this feature in terms of user experience, security, and management capabilities. We will delve into the technical implementation of the latest integration options on macOS, highlighting the differences compared to other SSO implementations, including those on Windows. This demo-driven session will also address the limitations and security considerations specific to Apple’s device platform, particularly where Secure Enclave does not protect sensitive key and token artifacts.
Takeaways:
- Deep Dive in Platform SSO and Secure Enclave Security
- Unsecured tokens on macOS devices
- Comparison to previous deployment and integration options
Live Demos and visualization of technical architecture included
macOS at Work: Enterprise-Ready or Just for Coffee Shops? en
Many companies are still hesitant to introduce macOS in the workplace, believing it is too complex to manage alongside Windows. But is macOS really that difficult to secure and control, or is it just a long-standing misconception?
In this session, we will explore how to manage macOS devices easily and effectively with Microsoft Intune. You will learn best practices for setting up and configuring devices quickly, ensuring a smooth and efficient deployment process. We’ll also cover how to secure macOS using built-in technologies like Secure Enclave, along with the Microsoft Security Stack. Managing applications and keeping devices up to date doesn’t have to be a challenge - discover how to simplify app deployment and patch management while maintaining a great user experience. Whether you’re just getting started or looking to improve your existing setup, this session will give you the tools and confidence to make macOS work in your organization.
Ma(e)stering your identity security posture in Microsoft Entra en
Microsoft Entra takes the leading role as the Zero Trust policy engine and serves as a unified control plane to integrate sensitive cloud resources, apps and hybrid infrastructure. Organizations often underestimate the importance of continuously reviewing (default) security settings and policies. But which security-related configurations should be considered and evaluated? How can you track and operationalize your posture management changes and their impact on your environment?
In this session, I will provide an overview of various critical configuration areas and demonstrate how to discover and automate the tracking of (mis)configurations using community tools such as Maester, EntraOps, and EIDSCA. Additionally, we will explore integrated signals and features in Microsoft Entra that enhance identity security configuration. Join this session to learn how to take control and elevate your identity security posture!
First public delivery of this session in English
Many live demos including:
- Identity Security Posture and usual misconfiguration of security-related tenant settings
- Unprotected privileged groups and users
- App Integration health and overprivileged workload identities
Hunt the Tokens - Uncovering Post-Authentication Attacks Across Your Environment en
With the increasing number of attacks involving token theft and replay, incorporating post-authentication attacks into your Identity Threat Detection and Response (ITDR) is crucial. However, detecting and hunting those attacks across various data sources and signals can be a significant challenge. In this session, we will explore how to correlate authentication and activity logs to track the usage of issued tokens effectively. Additionally, we will delve into the details of enriching the data to identify unusual or sensitive access and operations. Enhance your hunting skills to track user and workload activities and detect those sophisticated token-based threats.
How to build an Entra-ordinary Security Monitoring en
Effective security monitoring goes beyond simply enabling Defender products and deploying rule templates. It requires a strategic approach which includes a phased rollout and defined maturity model. This session explores how to start with Defender XDR signals and alerts as a foundation to identify critical threats and go far beyond this with custom detection engineering.
We'll discuss key gaps in the threat landscape, highlighting areas where detection engineering requires adjustment or further development. Learn how to choose and adjust Analytic Rules to create a well-tuned, actionable rule set while customizing detections from the Content Hub and community solutions.
Alert fatigue is a common challenge — so we'll explore scenario-based incidents using correlation as a more efficient approach to signal management. Additionally, UEBA-driven anomaly detection will be covered, showcasing how behavioral analytics can help identify emerging threats.
Join us to gain practical insights, optimize detection rules, and learn which strategies are effective to achieve a happy SOC by reducing noise and effort in your environment.
Demos:
- Examples of noisy (default) analytic rule templates from Content Hub and how to optimize them.
- Benefits of Entity enrichment for more context-based investigation.
- Capabilities by UEBA and Behaviors table in XDR.
Exploring and Preventing Attack Paths with Defender for Cloud CSPM en
In this deep dive session, we will explore practical insights and strategies for adopting and benefiting from Cloud Security Posture Management (CSPM) in Microsoft Defender for Cloud. You will gain a thorough understanding of how to identify critical assets and related potential attack paths within your Azure infrastructure. We will cover the prioritization of findings to effectively address vulnerabilities and initiate proactive threat hunting on lateral movement paths.
The session will also delve into managing CSPM at scale, ensuring robust security across extensive cloud environments. Additionally, we will discuss the integration of CSPM with other essential security features, such as Data Security Posture Management (DSPM) and Exposure Management.
Join us to enhance your cloud security posture, mitigate risks, and safeguard your organization's critical assets with Microsoft Defender for Cloud CSPM.
Taking Control of Your Cloud’s Control Plane en
Microsoft introduced the Enterprise Access Model, as an evolution of ESAE, in December 2020. The core principles (e.g., tiered administration) have not changed, but the practical implementation can still be a challenge for many organizations and differs considerably between cloud and on-premises infrastructure. Nevertheless, the concept should be an important part of your privileged access strategy to avoid unauthorized pathways that lead to lateral movement, and it applies to cloud administration as well.
In this session, I will share my experiences in designing, managing and monitoring privileged access based on the Enterprise Access Model. We will look at a practical approach to designing a classification model for tiered administration. The real-world challenges in adopting the privileged access design in enterprise environments and current technical limitations will be one of the topics in this talk. We will also discuss some fundamental design questions, for example using a dedicated tenant to host an administrative environment ("Red Tenant") for privileged assets. Integration of security operations to identify breaches of tiered administration and practical guidance on daily operations will be covered in the live demos.
Zero Trust - Zero Gap? Spotlight on (new) uncovered aspects of your CA design en
Conditional Access is the heart of Microsoft's Zero Trust implementation as its policy enforcement engine, and Microsoft constantly introduces new features to cover more and more use cases and integrations. This includes granular conditions and controls for specific authentication methods, restricted sessions and authentication flows, but also new capabilities to re-trigger a policy evaluation.
In this session, we will discuss the latest features and their use cases, as well as challenges that your current ruleset may not address: from automation for deployment, exclusion handling and gap monitoring, up to missing strong policy designs to prevent rogue devices or protect privileged users.
Fantastic tokens in Microsoft Entra ID and how to protect them... en
Post-authentication attacks are on the rise and offer attackers the opportunity to satisfy strong security controls (such as MFA or compliant device requirements). Token artifacts play the essential role in verifying the identity of the user and obtaining access to resources in Microsoft Entra. Therefore, it's important to consider token theft scenarios in which those artifacts are stolen and used elsewhere.
Monitoring anomaly and threat signals to enforce re-authentication, but also timely response to policy violations, are just a few defense aspects that should apply to your ITDR and Security Operations.
In this session, I will give an overview about the different types of token artifacts and how to protect them from token replay attacks.
- How and when does TPM help us to protect keys?
- Which detection sources and signals are important?
- What type of tokens are particularly vulnerable?
- Why is Continuous Access Evaluation becoming an essential part of tackling token abuse?
Empowering Identity Threat Detection & Response with Microsoft Security en de
Identities are still one of the main attack targets, and many different threats and attack techniques are used to gain credentials and access. Microsoft security products offer many capabilities to detect those threats and risks to identities, using built-in ML-based signals but also custom detections.
But which integrations between the individual products (such as Microsoft Defender XDR, Sentinel and Entra ID Protection) are essential? How can you take advantage of "User and Entity Behavior Analytics" to detect suspicious activities? Which practical use cases and solutions are available to fine-tune or enrich built-in detections?
In this talk, I would like to give a practical view on the implementation of the Microsoft Security stack for Identity Threat Detection & Response, with notes from the field. This will also cover advanced multi-stage attack scenarios and custom detections.
Identity Detection & Response with Microsoft Security en de
Employee identities are nowadays the number one attack target and are exposed to a wide variety of attack methods. Within the Microsoft Security portfolio there are several products that can be used to protect and monitor user accounts in Microsoft Entra ID.
But which integrations exist between the individual products, such as Microsoft Defender XDR and Entra ID Protection? How can "User and Entity Behavior Analytics" help to identify unusual activities? Which automated responses to incidents should definitely be considered?
In this session we take a practical look at important integrations and features of Microsoft Defender XDR and Microsoft Sentinel that are very helpful for identity and security admins.
Securing and monitoring your Azure AD identities en
Azure Active Directory is one of the keys for implementing a "Zero Trust" approach. The perimeter is moving from network to identity (as the new control plane).
During my session I will talk about several aspects of securing and monitoring hybrid identities and (cloud-only) privileged accounts.
The session includes overview, recommendation and considerations of the following topics:
- Plan, draft and test Conditional Access Policies
- Automated response to address user and sign-in risk with Azure AD Identity protection
- Detect suspicious user activities and protect cloud app sessions with MCAS
- Auditing and insights of accounts and (suspicious) authentication attempts with Azure Sentinel
Demystify Microsoft Entra ID workload identities en
Identities of apps and services (workloads) are gaining privileged access and are used on a wide scale (especially in DevOps or large, highly automated environments).
Attack techniques (for example, in the case of the NOBELIUM attacks) have shown that service principals are used for initial and persistent access (to create a "backdoor" in Microsoft Entra ID).
Securing credentials, limiting and detecting suspicious access, and managing the lifecycle of workload identities can be a challenge.
Security concepts for privileged user accounts cannot be (fully) applied to non-human identities and are only of limited applicability.
Strict monitoring and classification of these types of identities have often been neglected in the past.
In this session, I would like to give an overview of the different types of workload identities, common (sensitive) use cases, and how attacks or abuse can be mitigated in the different phases of the lifecycle.
- What is a workload identity?
- Different types of workload identities in Entra ID
- Common and real-world use cases
- Management of lifecycle and visibility
- Securing delegated management by Entra ID RBAC
- Monitoring and detection to prevent privilege escalation
- Securing access and protection of workload identities (by Entra Conditional Access and Identity Protection)
Effective measures to improve your identity security posture in Microsoft Entra en de
Microsoft Entra ID has become an essential part of "Identity & Access Management" in many organizations. Critical business applications and cloud services are integrated into Microsoft's cloud-based identity platform, but components to support hybrid identity scenarios with Active Directory (on-premises) have also been implemented.
On the other hand, the "new control plane" is a growing target for cybercriminals. Microsoft Entra offers many security features and integrations with other (Microsoft) security solutions to protect (hybrid) identities. But which security aspects should be considered in the design and implementation of a modern identity infrastructure? How can you track posture management changes and their impact on your environment?
In this session, I will discuss and demonstrate a few common examples of "misconfiguration" or weak implementations in the following four subject areas:
- Identity Security Posture and usual misconfiguration of security-related tenant settings
- Weakness in Conditional Access Policy Designs and risks of Token replay attacks
- Privileged Identity and Access in Microsoft Entra ID and "overlooked" privileged access paths
- App Integration and abuse by overprivileged workload identities
Effective measures for more security in Azure Active Directory en de
For many companies, Microsoft Azure Active Directory has become an essential part of identity and access management. Business-critical applications and infrastructure components have been connected, but components and services for integrating hybrid identities with the existing Active Directory have also been implemented.
However, the cloud-based identity service is also attracting the interest of attackers.
Azure AD offers several security features as well as extensive integrations into Microsoft security solutions.
But which features should be considered, and what needs to be taken into account in their design and implementation?
In this session I would like to give an overview of possible weaknesses in the default configuration as well as in the monitoring of Azure AD. This covers the following topic areas:
- Identity Security Posture Management and "Privilege Escalation" via Azure AD Connect
- Design of Conditional Access policies and security of issued tokens
- Underestimated permissions and roles in Azure AD RBAC
- App integrations and protection of workload identities / service principals
Control Plane under Control: Securing Privileged Access by Microsoft Enterprise Access Model en
Over the last years, Microsoft has released many design principles, best practices and security concepts for securing privileged access in a Microsoft Cloud environment. This also includes the "Enterprise Access Model" as an evolution of the previously known (Active Directory) ESAE approach.
But what are real-world experiences and examples of implementing these reference architectures? Which security controls should be applied? Who and what should be defined as "Tier0" or "Control Plane"? Which privilege escalation paths should be considered even in a tiered administration model?
In this demo-driven session, I will share my learnings and a practical approach to identify, protect and monitor the high-privileged assets in Microsoft Entra. We will go through related features and monitoring capabilities, but also the limitations of implementing a tiered administration model in a cloud environment. In addition, I will share insights into my free community tool "EntraOps", which allows you to automate the classification and protection of privileged assets in your environment.
Purple Elbe Security User Group Upcoming
Workplace Ninja Summit 2025 Sessionize Event
Workplace Ninjas Norway 2025 Sessionize Event
Experts Live Netherlands 2025 Sessionize Event
Experts Live Germany 2025 Sessionize Event
YellowHat Sessionize Event
Workplace Ninja Summit 2024 Sessionize Event
Experts Live Netherlands 2024 Sessionize Event
Azure user group Norway User group Sessionize Event
Cloud Technology Townhall Tallinn 2024 Sessionize Event
Azure Saturday Hamburg 2024 Sessionize Event
Dev-Cloud Conference '23 Sessionize Event
Experts Live Germany 2023 Sessionize Event
Data Saturday Rheinland 2023 Sessionize Event
Experts Live Netherlands 2023 Sessionize Event
WorkPlace Ninja Summit 2022 Sessionize Event
Experts Live Germany Sessionize Event
Scottish Summit 2022 Sessionize Event
aMS Berlin - 19.05.2022 Sessionize Event
Global Azure Bootcamp Cologne 2022 Sessionize Event
Limerick DotNet-Azure User Group - 2022 Virtual Sessions User group Sessionize Event
Azure Developer Community Day 2021 (hybrid Edition) Sessionize Event
aMS Germany - 16-11-2021 Sessionize Event
Nordic Virtual Summit Second Edition Sessionize Event
WorkPlace Ninja Virtual Edition 2021 Sessionize Event
Global Azure 2021 Sessionize Event
CollabDays Bremen 2021 Sessionize Event
Virtual Scottish Summit 2021 Sessionize Event
Azure Saturday Hamburg 2021 Sessionize Event
Global Security and Compliance Community Conference Sessionize Event
aMS Germany - 1/12/2020 Sessionize Event
Microsoft 365 Virtual Marathon Sessionize Event
Global Azure Bootcamp Cologne 2020 Sessionize Event
cim lingen 2019: Design and Security of a Hybrid Azure Active Directory
Many companies worldwide have connected their on-premises Active Directory to Microsoft's cloud-based IAM service to synchronize identities and perform authentication. During my session I will address some design as well as security topics that should be considered when implementing a hybrid Azure AD environment. Which approaches can be used to secure Azure AD Connect or to design privileged roles? Why should privileged accounts in on-premises and cloud environments possibly be separated? Which attack scenarios exist for hybrid identities? The session also includes live demos (e.g. hardening default tenant settings and configuring emergency access accounts).
Glasgow Azure User Group Meetup: Hybrid identity design and security considerations in Azure AD
During the session I would like to talk about design and security considerations in a hybrid Azure AD environment. Which approaches could be used to secure Azure AD Connect or to design privileged identities? This session also includes some hands-on demos (e.g. default tenant settings and configuration of emergency access accounts).
Azure Meetup Bonn: Azure AD Security - Securing and Monitoring Azure AD User Accounts
Second part of the "Azure Active Directory" meetup talk at Azure Bonn:
- Plan, draft and test Conditional Access Policies
- Automated response to address user and sign-in risk with Azure AD Identity protection
- Protecting privileged accounts with Azure AD PIM
- Concepts of securing privileged access
- Auditing and insights of accounts and (suspicious) authentication attempts
Azure Meetup Bonn: Azure AD Security - Implementing Secure Cloud Authentication
- Design and Architecture of Azure AD
- Hybrid identity considerations
- Management of user accounts
.NET User Group Koblenz: Azure Workshop
- Azure DevOps with CI/CD pipelines
- Infrastructure-as-Code with Azure Resource Manager templates
- Azure monitoring & logging with Application Insights, Log Analytics and Azure Monitor