{"id":121754,"date":"2022-09-14T09:00:00","date_gmt":"2022-09-14T16:00:00","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?p=121754"},"modified":"2023-06-19T10:34:34","modified_gmt":"2023-06-19T17:34:34","slug":"implementing-a-zero-trust-strategy-after-compromise-recovery","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/09\/14\/implementing-a-zero-trust-strategy-after-compromise-recovery\/","title":{"rendered":"Implementing a Zero Trust strategy after compromise recovery"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">What changes after compromise recovery?<\/h2>\n\n\n\n<p>After a successful compromise recovery effort, you are back in control. Likely, you gave your team a round of applause and took a sigh of relief. <\/p>\n\n\n\n<p>Now what? Is everything going back to as it was in the past? Absolutely not! A compromise recovery engagement is an accelerated way of doing numerous amounts of cybersecurity configuration and upgrades in a short amount of time. Just because the Domain Admins have basic protection it doesn&#8217;t mean that the full environment is secure yet.<\/p>\n\n\n\n<p>After a compromise recovery engagement, Microsoft\u2019s compromise recovery team follows up with what we call security strategic recovery. This is the plan for moving forward to get the environment up to date with security posture. The plan consists of different components like Securing Privileged Access and extended detection and response (XDR), depending on the organizational needs, but it all points in the same direction: moving ahead with <a href=\"https:\/\/www.microsoft.com\/security\/business\/zero-trust\">Zero Trust<\/a> strategy over traditional network-based security.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Privileged administration<\/h2>\n\n\n\n<p>After we have secured the most critical privileged servers (including Domain Controllers, called also \u201cTier 0\u201d server for on-premises environment) and privileged accounts (Domain Admins), the next step is to mitigate unauthorized privilege escalation for the Data\/Workload and Management plane (called also \u201cTier 1\u201d for on-premises environment).<\/p>\n\n\n\n<p>An encryption attack that gets local admin permissions on all member servers will still be devastating, so a proper delegation model must be implemented. Ransomware&nbsp;can utilize this account to encrypt application and database servers in the same way as using a Domain Admin account. Different tools like PIM\/PAM and strategies can be used to strengthen the security of the Data\/Workload administrators and services. Please refer to the <a href=\"https:\/\/docs.microsoft.com\/security\/compass\/privileged-access-access-model\" target=\"_blank\" rel=\"noreferrer noopener\">enterprise access model<\/a> for additional details.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Privileged Access Workstation<\/h2>\n\n\n\n<p>During a compromise recovery, we are implementing what we call a \u201cTactical\u201d Privileged Access Workstation. While functional for the purpose of providing a secure workstation with a \u201cclean keyboard\u201d to operate in a compromised environment, it is not meant to be long-lasting and engineered for broader enterprise deployment.<\/p>\n\n\n\n<p>Implementing a proper Privileged Access Workstation together with a broader Privileged Access environment for all administrative tasks is necessary to reduce attack vectors and risk of re-compromise.<\/p>\n\n\n\n<p>The Privileged Access Workstation configuration must include security controls and policies that restrict local administrative access and productivity tools to minimize the attack surface to only what is absolutely required for performing sensitive job tasks.&nbsp;Please refer to <a href=\"https:\/\/docs.microsoft.com\/security\/compass\/privileged-access-devices\" target=\"_blank\" rel=\"noreferrer noopener\">Why are privileged access devices important<\/a> for additional details.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">From tactical monitoring to XDR<\/h2>\n\n\n\n<p>While performing compromise recovery, we implement \u201ctactical monitoring\u201d to supplement the customer&#8217;s investigation, leveraging a targeted implementation of <a href=\"https:\/\/www.microsoft.com\/security\/business\/siem-and-xdr\/microsoft-365-defender\">Microsoft Defender suite<\/a> and <a href=\"https:\/\/azure.microsoft.com\/services\/microsoft-sentinel\/\" target=\"_blank\" rel=\"noreferrer noopener\">Microsoft Sentinel<\/a> on all critical systems.<\/p>\n\n\n\n<p>This is key to obtain visibility on the environment and respond quickly and efficiently to abnormal or suspicious activities before it turns into another security incident.<\/p>\n\n\n\n<p>As part of a strategic security roadmap, we strongly recommend completing the implementation of XDR with <a href=\"https:\/\/www.microsoft.com\/security\/business\/threat-protection\">Microsoft Defender Threat Protection<\/a> and leveraging automated investigation and remediation capabilities to save security operations teams&#8217; time and effort.<\/p>\n\n\n\n<p>Additional help to our customers to defend and manage their environment is now available from Microsoft through <a href=\"https:\/\/www.microsoft.com\/security\/business\/services\/\">Microsoft Security Experts<\/a>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Zero Trust journey<\/h2>\n\n\n\n<p>The Strategic Recovery recommendation listed previously on using least privileged access for privileged administration and XDR for improving defenses are just initial steps into a broader Zero Trust journey (see Figure 1).<\/p>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/09\/Picture2-631a243149a6e.png\" alt=\"Guidance for technical architecture relating to Microsoft Zero Trust Principles.\" class=\"wp-image-121775\" width=\"781\" height=\"439\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/09\/Picture2-631a243149a6e.png 649w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/09\/Picture2-631a243149a6e-300x169.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/09\/Picture2-631a243149a6e-539x303.png 539w\" sizes=\"(max-width: 781px) 100vw, 781px\" \/><\/figure>\n\n\n\n<p>Figure 1 outlines the Microsoft Zero Trust Principles. The first principle is to verify explicitly, which means to always validate all available data points including user identity and location, device health, service or workload context, data classification, and anomalies. The second principle is to use least privileged access, meaning to help secure both data and productivity and limit user access using iust-in-time access (JIT), just-enough-access (JEA), risk-based adaptive policies, and data protection against out of band vectors. Finally, the third principle is assume breach, which is when you minimalize blast radius for breaches and prevent lateral movement by segmenting access by network, user, devices, and app awareness; encrypting all sessions end-to-end; and use analytics for threat detection and posture.<\/p>\n\n\n\n<p>As observed during most of our compromise recovery engagements, the attackers usually came in through the abuse of user identity and then perform lateral movement and escalation to privileged access.<\/p>\n\n\n\n<p>Most organizations have built security controls over the years based on network and perimeter protection and are still underestimating the \u201cidentity risk\u201d in the current threat landscape.<\/p>\n\n\n\n<p>With Strategic Recovery also comes the need for a mind shift from network and perimeter protection to identity-based protection, leveraging Zero Trust principles. Implementing a Zero Trust security strategy is a journey that needs both technology and training, but it is necessary moving forward.<\/p>\n\n\n\n<p>Organizations may leverage the <a href=\"https:\/\/www.microsoft.com\/security\/business\/zero-trust\/maturity-model-assessment-tool\">Microsoft Zero Trust Maturity Assessment Quiz<\/a>&nbsp;to assess their current state of Zero Trust maturity and recommendations on the next steps. More details of how Microsoft can empower organizations in their Zero Trust journeys can be found in the&nbsp;<a href=\"https:\/\/query.prod.cms.rt.microsoft.com\/cms\/api\/am\/binary\/RWIrfk\" target=\"_blank\" rel=\"noreferrer noopener\">Zero Trust Essentials eBook<\/a>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Who is CRSP?<\/h2>\n\n\n\n<p>The Microsoft Compromise Recovery Security Practice (CRSP) is a worldwide team of cybersecurity experts operating in most countries, across both public and private organizations, with deep expertise to secure an environment post-security breach and to help you prevent a breach in the first place. The CRSP is a specialist team within the wider&nbsp;<a href=\"https:\/\/www.microsoft.com\/security\/business\/services\">Microsoft Security Experts<\/a>.&nbsp;Microsoft Security Experts&nbsp;help customers through the entire cyberattack from investigation to successful containment and recovery related activities. The response and recovery services are offered via two highly integrated teams, the Detection and Response Team (DART) with a focus on the investigation and groundwork for recovery, and the Compromise Recovery Security Practice (CRSP), which focuses on the containment and recovery aspects.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Learn more<\/h2>\n\n\n\n<p>To learn more about Microsoft Security solutions,&nbsp;<a href=\"https:\/\/www.microsoft.com\/security\/business\/solutions\">visit our&nbsp;website<\/a>.&nbsp;Bookmark the&nbsp;<a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\">Security blog<\/a>&nbsp;to keep up with our expert coverage on security matters. Also, follow us at&nbsp;<a href=\"https:\/\/twitter.com\/@MSFTSecurity\" target=\"_blank\" rel=\"noreferrer noopener\">@MSFTSecurity<\/a>&nbsp;for the latest news and updates on cybersecurity.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>After a compromise recovery follows what we call a Security Strategic Recovery. This is the plan for moving forward to get up to date with security posture all over the environment. The plan consists of different components like securing privileged access and extended detection and response, but it all points in the same direction: moving ahead with Zero Trust Strategy over traditional network-based security.<\/p>\n","protected":false},"author":179,"featured_media":121969,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"ep_exclude_from_search":false,"_classifai_error":"","footnotes":""},"content-type":[3662],"topic":[3689],"products":[3690,3720],"threat-intelligence":[],"tags":[],"coauthors":[3308,3147,3389],"class_list":["post-121754","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","content-type-news","topic-zero-trust","products-microsoft-defender","products-microsoft-security-experts"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v23.7 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Implementing a Zero Trust strategy after compromise recovery | Microsoft Security Blog<\/title>\n<meta name=\"description\" content=\"After a compromise recovery, we follow a plan for moving forward to get up-to-date with security posture all over the environment.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/09\/14\/implementing-a-zero-trust-strategy-after-compromise-recovery\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Implementing a Zero Trust strategy after compromise recovery | Microsoft Security Blog\" \/>\n<meta property=\"og:description\" content=\"After a compromise recovery, we follow a plan for moving forward to get up-to-date with security posture all over the environment.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/09\/14\/implementing-a-zero-trust-strategy-after-compromise-recovery\/\" \/>\n<meta property=\"og:site_name\" content=\"Microsoft Security Blog\" \/>\n<meta property=\"article:published_time\" content=\"2022-09-14T16:00:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-06-19T17:34:34+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/09\/Win17_CDOC_1077.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1200\" \/>\n\t<meta property=\"og:image:height\" content=\"780\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Microsoft Security Experts, Jesper Kr\u00e5khede, Massimo Agrelli\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:image\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/09\/Win17_CDOC_1077.jpg\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Microsoft Security Experts, Jesper Kr\u00e5khede, Massimo Agrelli\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/09\/14\/implementing-a-zero-trust-strategy-after-compromise-recovery\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/09\/14\/implementing-a-zero-trust-strategy-after-compromise-recovery\/\"},\"author\":[{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/microsoft-security-experts\/\",\"@type\":\"Person\",\"@name\":\"Microsoft Security Experts\"},{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/jesper-krakhede\/\",\"@type\":\"Person\",\"@name\":\"Jesper Kr\u00e5khede\"},{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/massimo-agrelli\/\",\"@type\":\"Person\",\"@name\":\"Massimo Agrelli\"}],\"headline\":\"Implementing a Zero Trust strategy after compromise recovery\",\"datePublished\":\"2022-09-14T16:00:00+00:00\",\"dateModified\":\"2023-06-19T17:34:34+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/09\/14\/implementing-a-zero-trust-strategy-after-compromise-recovery\/\"},\"wordCount\":1008,\"publisher\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/09\/14\/implementing-a-zero-trust-strategy-after-compromise-recovery\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/09\/Win17_CDOC_1077.jpg\",\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/09\/14\/implementing-a-zero-trust-strategy-after-compromise-recovery\/\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/09\/14\/implementing-a-zero-trust-strategy-after-compromise-recovery\/\",\"name\":\"Implementing a Zero Trust strategy after compromise recovery | Microsoft Security Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/09\/14\/implementing-a-zero-trust-strategy-after-compromise-recovery\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/09\/14\/implementing-a-zero-trust-strategy-after-compromise-recovery\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/09\/Win17_CDOC_1077.jpg\",\"datePublished\":\"2022-09-14T16:00:00+00:00\",\"dateModified\":\"2023-06-19T17:34:34+00:00\",\"description\":\"After a compromise recovery, we follow a plan for moving forward to get up-to-date with security posture all over the environment.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/09\/14\/implementing-a-zero-trust-strategy-after-compromise-recovery\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/09\/14\/implementing-a-zero-trust-strategy-after-compromise-recovery\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/09\/14\/implementing-a-zero-trust-strategy-after-compromise-recovery\/#primaryimage\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/09\/Win17_CDOC_1077.jpg\",\"contentUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/09\/Win17_CDOC_1077.jpg\",\"width\":1200,\"height\":780,\"caption\":\"Microsoft Cyber Defense Operations Center.\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/09\/14\/implementing-a-zero-trust-strategy-after-compromise-recovery\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Implementing a Zero Trust strategy after compromise recovery\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\",\"name\":\"Microsoft Security Blog\",\"description\":\"Expert coverage of cybersecurity topics\",\"publisher\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\",\"name\":\"Microsoft Security Blog\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png\",\"contentUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png\",\"width\":512,\"height\":512,\"caption\":\"Microsoft Security Blog\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Implementing a Zero Trust strategy after compromise recovery | Microsoft Security Blog","description":"After a compromise recovery, we follow a plan for moving forward to get up-to-date with security posture all over the environment.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/09\/14\/implementing-a-zero-trust-strategy-after-compromise-recovery\/","og_locale":"en_US","og_type":"article","og_title":"Implementing a Zero Trust strategy after compromise recovery | Microsoft Security Blog","og_description":"After a compromise recovery, we follow a plan for moving forward to get up-to-date with security posture all over the environment.","og_url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/09\/14\/implementing-a-zero-trust-strategy-after-compromise-recovery\/","og_site_name":"Microsoft Security Blog","article_published_time":"2022-09-14T16:00:00+00:00","article_modified_time":"2023-06-19T17:34:34+00:00","og_image":[{"width":1200,"height":780,"url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/09\/Win17_CDOC_1077.jpg","type":"image\/jpeg"}],"author":"Microsoft Security Experts, Jesper Kr\u00e5khede, Massimo Agrelli","twitter_card":"summary_large_image","twitter_image":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/09\/Win17_CDOC_1077.jpg","twitter_misc":{"Written by":"Microsoft Security Experts, Jesper Kr\u00e5khede, Massimo Agrelli","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/09\/14\/implementing-a-zero-trust-strategy-after-compromise-recovery\/#article","isPartOf":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/09\/14\/implementing-a-zero-trust-strategy-after-compromise-recovery\/"},"author":[{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/microsoft-security-experts\/","@type":"Person","@name":"Microsoft Security Experts"},{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/jesper-krakhede\/","@type":"Person","@name":"Jesper Kr\u00e5khede"},{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/massimo-agrelli\/","@type":"Person","@name":"Massimo Agrelli"}],"headline":"Implementing a Zero Trust strategy after compromise recovery","datePublished":"2022-09-14T16:00:00+00:00","dateModified":"2023-06-19T17:34:34+00:00","mainEntityOfPage":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/09\/14\/implementing-a-zero-trust-strategy-after-compromise-recovery\/"},"wordCount":1008,"publisher":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/09\/14\/implementing-a-zero-trust-strategy-after-compromise-recovery\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/09\/Win17_CDOC_1077.jpg","inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/09\/14\/implementing-a-zero-trust-strategy-after-compromise-recovery\/","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/09\/14\/implementing-a-zero-trust-strategy-after-compromise-recovery\/","name":"Implementing a Zero Trust strategy after compromise recovery | Microsoft Security Blog","isPartOf":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/09\/14\/implementing-a-zero-trust-strategy-after-compromise-recovery\/#primaryimage"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/09\/14\/implementing-a-zero-trust-strategy-after-compromise-recovery\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/09\/Win17_CDOC_1077.jpg","datePublished":"2022-09-14T16:00:00+00:00","dateModified":"2023-06-19T17:34:34+00:00","description":"After a compromise recovery, we follow a plan for moving forward to get up-to-date with security posture all over the environment.","breadcrumb":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/09\/14\/implementing-a-zero-trust-strategy-after-compromise-recovery\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/09\/14\/implementing-a-zero-trust-strategy-after-compromise-recovery\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/09\/14\/implementing-a-zero-trust-strategy-after-compromise-recovery\/#primaryimage","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/09\/Win17_CDOC_1077.jpg","contentUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/09\/Win17_CDOC_1077.jpg","width":1200,"height":780,"caption":"Microsoft Cyber Defense Operations Center."},{"@type":"BreadcrumbList","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/09\/14\/implementing-a-zero-trust-strategy-after-compromise-recovery\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/"},{"@type":"ListItem","position":2,"name":"Implementing a Zero Trust strategy after compromise recovery"}]},{"@type":"WebSite","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/","name":"Microsoft Security Blog","description":"Expert coverage of cybersecurity topics","publisher":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization","name":"Microsoft Security Blog","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png","contentUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png","width":512,"height":512,"caption":"Microsoft Security Blog"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/"}}]}},"msxcm_display_generated_audio":false,"distributor_meta":false,"distributor_terms":false,"distributor_media":false,"distributor_original_site_name":"Microsoft Security Blog","distributor_original_site_url":"https:\/\/www.microsoft.com\/en-us\/security\/blog","push-errors":false,"_links":{"self":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts\/121754"}],"collection":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/users\/179"}],"replies":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/comments?post=121754"}],"version-history":[{"count":0,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts\/121754\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/media\/121969"}],"wp:attachment":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/media?parent=121754"}],"wp:term":[{"taxonomy":"content-type","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/content-type?post=121754"},{"taxonomy":"topic","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/topic?post=121754"},{"taxonomy":"products","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/products?post=121754"},{"taxonomy":"threat-intelligence","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/threat-intelligence?post=121754"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/tags?post=121754"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/coauthors?post=121754"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}