SlideShare a Scribd company logo

Experts Live 2022 - Attack Surface Reduction rules...your best ally against ransomware!

P
PimJacobs3

Attack Surface Reduction rules in Windows Defender can help defend against ransomware attacks by reducing common techniques used by ransomware. The rules target suspicious software behaviors to prevent attacks. There are different rule categories and operating modes that can be used. Configuring and monitoring the rules through Endpoint Manager was demonstrated. Tips were provided on how and where to start implementing Attack Surface Reduction rules, such as creating individual policies, using audit mode initially, and using Advanced Hunting queries to identify compatibility issues. Resources for further information on Attack Surface Reduction rules were also shared.

Technology
1 of 24
SECURITY Attack Surface Reduction rules... your best ally against ransomware! Pim Jacobs Principal Consultant, InSpark Ronny de Jong Security Technical Specialist, Microsoft
SECURITY Agenda Introduction Start with some humor😀 Understanding the cybercrime economy and ruin their business model Overview Defending against ransomware: Moving beyond protection by detection Proof is in the eating Prevent common attack techniques used in ransomware attacks Considerations & next steps Tips & tricks to get you kick started Questions …and hopefully some answers 😉
SECURITY Believing attackers will follow the planned path?
SECURITY Attacker Perspective: shaped by experience & ‘fog of war’ Phishing email to admin Looks like they have NGFW, IDS/IPS, and DLP I bet their admins 1. Check email from admin workstations 2. Click on links for higher paying jobs Low Found passwords.xls Now, let’s see if admins save service account passwords in a spreadsheet… High
SECURITY Strategically position security investments Replace password.xls ‘process’ with • PIM/PAM • Workload identities Sensitive Data Protection & Monitoring • Discover business critical assets with business, technology, and security teams • Increase security protections and monitoring processes • Encrypt data with Azure Information Protection Modernize Security Operations • Add XDR for identity, endpoint (EDR), cloud apps, and other paths • Train SecOps analysts on endpoints and identity authentication flows Protect Privileged Accounts Require separate accounts for Admins and enforce MFA/passwordless Privileged Access Workstations (PAWs) + enforce with Conditional Access Rigorous Security Hygiene • Rapid Patching • Secure Configuration • Secure Operational Practices
SECURITY Evolution of ransomware models
SECURITY Pattern – Human Operated Ransomware ENTER ENVIRONMENT TRAVERSE & SPREAD EXECUTE OBJECTIVES Human Attack Operator(s)
SECURITY SECURITY Mapping rules to HumOR
SECURITY Ruin their Business Model DEFENDERS: RUIN ATTACKER ROI NOTE: Cost of attack is continuously changing with technical advancement + business model evolution Your budget spend should result in increased attacker cost/friction
SECURITY SECURITY Introduction of Attack Surface Reduction rules Reducing the attack surface…
SECURITY
SECURITY CENTRALIZED CONFIGURATION AND ADMINISTRATION APIS AND INTEGRATION Threats are no match
SECURITY What are Attack Surface Reduction rules? Attack Surface Reduction rules are meant to resist attacks and exploitations on endpoints. • Attack surface reduction rules target certain software behaviors, such as: • Launching executable files and scripts that attempt to download or run files • Running obfuscated or otherwise suspicious scripts • Performing behaviors that apps don't usually initiate during normal day-to-day work
SECURITY Rules by category Productivity apps rules • • • • • Email rule • • • Misc rule • Script rules • • Polymorphic threats • • • Lateral movement & credential theft • • •
SECURITY Operating modes Disabled (default) • • Audit mode • • • Block mode • • Warn mode (added this year) • •
SECURITY SECURITY Demo Proof is in the eating… - Determine your security posture by Secure Score and unleash your ASR potential - Understand user impact recommendations in practice with Vulnerability Management - Configure Attack Surface Reduction rules Endpoint Manager
SECURITY Attack Surface Reduction rules What’s new in ASR rules • • • • Attack surface reduction rules reference | Microsoft Docs Requirements • • • • Warn mode exceptions* • • • Demo scenarios to validate Defender for Endpoint, SmartScreen and Attack Surface Reduction* https://demo.wd.microsoft.com/Page/ASR
SECURITY Attack Surface Reduction rules What’s to check when having false positives? • • • • What type of exclusions work for ASR rules?low • • • • What type of wildcards work with ASR Rules exclusions? •
SECURITY SECURITY Demo Proof is in the eating… - Attack Surface Reduction in action from a user perspective - Gain insights and fine tune your ASR deployment using reports - Use Advanced Hunting to get detailed information with a little help of KQL
SECURITY SECURITY Tips & Tricks Attack Surface Reduction rulezzz…
SECURITY How & where to start tomorrow? • Make sure Cloud Protection and MAPS are enabled • Create individual policies for each of the ASR Rules (audit/warn/block) and deploy • Audit for a period between 1 to 7** days. Repeat for 3-4 weeks • Have at least some ASR rules enabled in block mode while working on others • Start mitigation from least amount audit detections to the greatest number of detections • Use Advanced Hunting queries to find apps/scripts/docs that might have compatibility issues • Standardize on Endpoint Security (ASR) policy templates • Think defense-in-depth! Do not rely on ASR rules solely
SECURITY Resources Blog posts in Microsoft Defender for Endpoint Tech Communities Demystifying ASR rules Use attack surface reduction rules to prevent malware infection Use attack surface reduction rules to prevent malware infection - Windows security | Microsoft Docs Enable attack surface reduction rules Enable attack surface reduction rules - Windows security | Microsoft Docs Power BI Power BI Report templates GitHub - microsoft/MDE-PowerBI-Templates: A respository for MDATP PowerBI Templates Customize attack surface reduction rules Customize attack surface reduction rules - Windows security | Microsoft Docs View attack surface reduction events View attack surface reduction events - Windows security | Microsoft Docs Attack surface reduction policy for endpoint security in Endpoint Manager Manage attack surface reduction settings with endpoint security policies in Microsoft Intune | Microsoft Docs Demo scenarios to validate Defender for Endpoint, SmartScreen and Attack Surface Reduction* https://demo.wd.microsoft.com/Page/ASR *After listening to feedback, we have decided to delay the retirement of this site until 09/30/2022. You have more time to let us know about the features you are using and how you are using them. To contact us, email mdedemositefeedback@microsoft.com.
SECURITY SECURITY Questions?
SECURITY Thank you! Pim Jacobs pim.jacobs@inspark.nl Ronny de Jong ronnydejong@microsoft.com

Recommended

Cloud Security Architecture.pptx
Cloud Security Architecture.pptxCloud Security Architecture.pptx
Cloud Security Architecture.pptx
Moshe Ferber
 
Monitoring and administrating privilegeMonitoring and administrating privileg...
Monitoring and administrating privilegeMonitoring and administrating privileg...Monitoring and administrating privilegeMonitoring and administrating privileg...
Monitoring and administrating privilegeMonitoring and administrating privileg...
Amazon Web Services
 
Going Passwordless with Microsoft
Going Passwordless with MicrosoftGoing Passwordless with Microsoft
Going Passwordless with Microsoft
FIDO Alliance
 
Microsoft 365 and Microsoft Cloud App Security
Microsoft 365 and Microsoft Cloud App SecurityMicrosoft 365 and Microsoft Cloud App Security
Microsoft 365 and Microsoft Cloud App Security
Albert Hoitingh
 
Patch Management Best Practices
Patch Management Best Practices Patch Management Best Practices
Patch Management Best Practices
Ivanti
 
Microsoft 365 Security and Compliance
Microsoft 365 Security and ComplianceMicrosoft 365 Security and Compliance
Microsoft 365 Security and Compliance
David J Rosenthal
 
Cloud Security: Attacking The Metadata Service
Cloud Security: Attacking The Metadata ServiceCloud Security: Attacking The Metadata Service
Cloud Security: Attacking The Metadata Service
Puma Security, LLC
 
Cloud App Security Customer Presentation.pdf
Cloud App Security Customer Presentation.pdfCloud App Security Customer Presentation.pdf
Cloud App Security Customer Presentation.pdf
ErikHof4
 

Recommended

Cloud Security Architecture.pptx
Cloud Security Architecture.pptxCloud Security Architecture.pptx
Cloud Security Architecture.pptx
Moshe Ferber
 
Monitoring and administrating privilegeMonitoring and administrating privileg...
Monitoring and administrating privilegeMonitoring and administrating privileg...Monitoring and administrating privilegeMonitoring and administrating privileg...
Monitoring and administrating privilegeMonitoring and administrating privileg...
Amazon Web Services
 
Going Passwordless with Microsoft
Going Passwordless with MicrosoftGoing Passwordless with Microsoft
Going Passwordless with Microsoft
FIDO Alliance
 
Microsoft 365 and Microsoft Cloud App Security
Microsoft 365 and Microsoft Cloud App SecurityMicrosoft 365 and Microsoft Cloud App Security
Microsoft 365 and Microsoft Cloud App Security
Albert Hoitingh
 
Patch Management Best Practices
Patch Management Best Practices Patch Management Best Practices
Patch Management Best Practices
Ivanti
 
Microsoft 365 Security and Compliance
Microsoft 365 Security and ComplianceMicrosoft 365 Security and Compliance
Microsoft 365 Security and Compliance
David J Rosenthal
 
Cloud Security: Attacking The Metadata Service
Cloud Security: Attacking The Metadata ServiceCloud Security: Attacking The Metadata Service
Cloud Security: Attacking The Metadata Service
Puma Security, LLC
 
Cloud App Security Customer Presentation.pdf
Cloud App Security Customer Presentation.pdfCloud App Security Customer Presentation.pdf
Cloud App Security Customer Presentation.pdf
ErikHof4
 
Welcome to the Jungle: Pentesting AWS
Welcome to the Jungle: Pentesting AWSWelcome to the Jungle: Pentesting AWS
Welcome to the Jungle: Pentesting AWS
Mike Felch
 
Breaking The Cloud Kill Chain
Breaking The Cloud Kill ChainBreaking The Cloud Kill Chain
Breaking The Cloud Kill Chain
Puma Security, LLC
 
Microsoft Defender and Azure Sentinel
Microsoft Defender and Azure SentinelMicrosoft Defender and Azure Sentinel
Microsoft Defender and Azure Sentinel
David J Rosenthal
 
Nessus Software
Nessus SoftwareNessus Software
Nessus Software
Megha Sahu
 
Passwordless Authentication
Passwordless AuthenticationPasswordless Authentication
Passwordless Authentication
Enterprise Management Associates
 
Microsoft Defender for Endpoint
Microsoft Defender for EndpointMicrosoft Defender for Endpoint
Microsoft Defender for Endpoint
Cheah Eng Soon
 
Azure conditional access
Azure conditional accessAzure conditional access
Azure conditional access
Tad Yoke
 
Finacle - Secure Coding Practices
Finacle - Secure Coding PracticesFinacle - Secure Coding Practices
Finacle - Secure Coding Practices
Infosys Finacle
 
An introduction to Defender for Business
An introduction to Defender for BusinessAn introduction to Defender for Business
An introduction to Defender for Business
Robert Crane
 
How to use microsoft authenticator app
How to use microsoft authenticator appHow to use microsoft authenticator app
How to use microsoft authenticator app
Server Consultancy
 
Microsoft's Path to Passwordless - FIDO Authentication for Windows & Azure Ac...
Microsoft's Path to Passwordless - FIDO Authentication for Windows & Azure Ac...Microsoft's Path to Passwordless - FIDO Authentication for Windows & Azure Ac...
Microsoft's Path to Passwordless - FIDO Authentication for Windows & Azure Ac...
FIDO Alliance
 
Computer Security | Types of Computer Security | Cybersecurity Course | Edureka
Computer Security | Types of Computer Security | Cybersecurity Course | EdurekaComputer Security | Types of Computer Security | Cybersecurity Course | Edureka
Computer Security | Types of Computer Security | Cybersecurity Course | Edureka
Edureka!
 
System hardening - OS and Application
System hardening - OS and ApplicationSystem hardening - OS and Application
System hardening - OS and Application
edavid2685
 
Cybersecurity Tools | Popular Tools for Cybersecurity Threats | Cybersecurity...
Cybersecurity Tools | Popular Tools for Cybersecurity Threats | Cybersecurity...Cybersecurity Tools | Popular Tools for Cybersecurity Threats | Cybersecurity...
Cybersecurity Tools | Popular Tools for Cybersecurity Threats | Cybersecurity...
Edureka!
 
Azure Fundamentals Part 2
Azure Fundamentals Part 2Azure Fundamentals Part 2
Azure Fundamentals Part 2
CCG
 
Microsoft Intune - Empowering Enterprise Mobility - Presented by Atidan
Microsoft Intune - Empowering Enterprise Mobility - Presented by Atidan Microsoft Intune - Empowering Enterprise Mobility - Presented by Atidan
Microsoft Intune - Empowering Enterprise Mobility - Presented by Atidan
David J Rosenthal
 
Microsoft Azure Active Directory
Microsoft Azure Active DirectoryMicrosoft Azure Active Directory
Microsoft Azure Active Directory
David J Rosenthal
 
Penetration testing
Penetration testingPenetration testing
Penetration testing
Ammar WK
 
Patch and Vulnerability Management
Patch and Vulnerability ManagementPatch and Vulnerability Management
Patch and Vulnerability Management
Marcelo Martins
 
Understanding Azure AD
Understanding Azure ADUnderstanding Azure AD
Understanding Azure AD
New Horizons Ireland
 
MS. Cybersecurity Reference Architecture
MS. Cybersecurity Reference ArchitectureMS. Cybersecurity Reference Architecture
MS. Cybersecurity Reference Architecture
angelohammond
 
Implementing AppSec Policies with TeamMentor
Implementing AppSec Policies with TeamMentorImplementing AppSec Policies with TeamMentor
Implementing AppSec Policies with TeamMentor
tmbainjr131
 

More Related Content

What's hot

Welcome to the Jungle: Pentesting AWS
Welcome to the Jungle: Pentesting AWSWelcome to the Jungle: Pentesting AWS
Welcome to the Jungle: Pentesting AWS
Mike Felch
 
Microsoft Azure Active Directory
Microsoft Azure Active DirectoryMicrosoft Azure Active Directory
Microsoft Azure Active Directory
David J Rosenthal
 

What's hot (20)

Welcome to the Jungle: Pentesting AWS
Welcome to the Jungle: Pentesting AWSWelcome to the Jungle: Pentesting AWS
Welcome to the Jungle: Pentesting AWS
 
Breaking The Cloud Kill Chain
Breaking The Cloud Kill ChainBreaking The Cloud Kill Chain
Breaking The Cloud Kill Chain
 
Microsoft Defender and Azure Sentinel
Microsoft Defender and Azure SentinelMicrosoft Defender and Azure Sentinel
Microsoft Defender and Azure Sentinel
 
Nessus Software
Nessus SoftwareNessus Software
Nessus Software
 
Passwordless Authentication
Passwordless AuthenticationPasswordless Authentication
Passwordless Authentication
 
Microsoft Defender for Endpoint
Microsoft Defender for EndpointMicrosoft Defender for Endpoint
Microsoft Defender for Endpoint
 
Azure conditional access
Azure conditional accessAzure conditional access
Azure conditional access
 
Finacle - Secure Coding Practices
Finacle - Secure Coding PracticesFinacle - Secure Coding Practices
Finacle - Secure Coding Practices
 
An introduction to Defender for Business
An introduction to Defender for BusinessAn introduction to Defender for Business
An introduction to Defender for Business
 
How to use microsoft authenticator app
How to use microsoft authenticator appHow to use microsoft authenticator app
How to use microsoft authenticator app
 
Microsoft's Path to Passwordless - FIDO Authentication for Windows & Azure Ac...
Microsoft's Path to Passwordless - FIDO Authentication for Windows & Azure Ac...Microsoft's Path to Passwordless - FIDO Authentication for Windows & Azure Ac...
Microsoft's Path to Passwordless - FIDO Authentication for Windows & Azure Ac...
 
Computer Security | Types of Computer Security | Cybersecurity Course | Edureka
Computer Security | Types of Computer Security | Cybersecurity Course | EdurekaComputer Security | Types of Computer Security | Cybersecurity Course | Edureka
Computer Security | Types of Computer Security | Cybersecurity Course | Edureka
 
System hardening - OS and Application
System hardening - OS and ApplicationSystem hardening - OS and Application
System hardening - OS and Application
 
Cybersecurity Tools | Popular Tools for Cybersecurity Threats | Cybersecurity...
Cybersecurity Tools | Popular Tools for Cybersecurity Threats | Cybersecurity...Cybersecurity Tools | Popular Tools for Cybersecurity Threats | Cybersecurity...
Cybersecurity Tools | Popular Tools for Cybersecurity Threats | Cybersecurity...
 
Azure Fundamentals Part 2
Azure Fundamentals Part 2Azure Fundamentals Part 2
Azure Fundamentals Part 2
 
Microsoft Intune - Empowering Enterprise Mobility - Presented by Atidan
Microsoft Intune - Empowering Enterprise Mobility - Presented by Atidan Microsoft Intune - Empowering Enterprise Mobility - Presented by Atidan
Microsoft Intune - Empowering Enterprise Mobility - Presented by Atidan
 
Microsoft Azure Active Directory
Microsoft Azure Active DirectoryMicrosoft Azure Active Directory
Microsoft Azure Active Directory
 
Penetration testing
Penetration testingPenetration testing
Penetration testing
 
Patch and Vulnerability Management
Patch and Vulnerability ManagementPatch and Vulnerability Management
Patch and Vulnerability Management
 
Understanding Azure AD
Understanding Azure ADUnderstanding Azure AD
Understanding Azure AD
 

Similar to Experts Live 2022 - Attack Surface Reduction rules...your best ally against ransomware!

Digital Product Security
Digital Product SecurityDigital Product Security
Digital Product Security
SoftServe
 
Owasp Summit - Wednesday evening briefing master
Owasp Summit - Wednesday evening briefing masterOwasp Summit - Wednesday evening briefing master
Owasp Summit - Wednesday evening briefing master
Dinis Cruz
 
Threat modelling(system + enterprise)
Threat modelling(system + enterprise)Threat modelling(system + enterprise)
Threat modelling(system + enterprise)
abhimanyubhogwan
 
What Every Developer And Tester Should Know About Software Security
What Every Developer And Tester Should Know About Software SecurityWhat Every Developer And Tester Should Know About Software Security
What Every Developer And Tester Should Know About Software Security
Anne Oikarinen
 
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
Brian Levine
 
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja WarriorsRyan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
Ryan Elkins
 
Application Security Done Right
Application Security Done RightApplication Security Done Right
Application Security Done Right
pvanwoud
 

Similar to Experts Live 2022 - Attack Surface Reduction rules...your best ally against ransomware! (20)

MS. Cybersecurity Reference Architecture
MS. Cybersecurity Reference ArchitectureMS. Cybersecurity Reference Architecture
MS. Cybersecurity Reference Architecture
 
Implementing AppSec Policies with TeamMentor
Implementing AppSec Policies with TeamMentorImplementing AppSec Policies with TeamMentor
Implementing AppSec Policies with TeamMentor
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Agile and Secure SDLC
Agile and Secure SDLCAgile and Secure SDLC
Agile and Secure SDLC
 
(SEC312) Taking a DevOps Approach to Security | AWS re:Invent 2014
(SEC312) Taking a DevOps Approach to Security | AWS re:Invent 2014(SEC312) Taking a DevOps Approach to Security | AWS re:Invent 2014
(SEC312) Taking a DevOps Approach to Security | AWS re:Invent 2014
 
Digital Product Security
Digital Product SecurityDigital Product Security
Digital Product Security
 
Owasp Summit - Wednesday evening briefing master
Owasp Summit - Wednesday evening briefing masterOwasp Summit - Wednesday evening briefing master
Owasp Summit - Wednesday evening briefing master
 
Cloud Security vs Security in the Cloud
Cloud Security vs Security in the CloudCloud Security vs Security in the Cloud
Cloud Security vs Security in the Cloud
 
Security Culture from Concept to Maintenance: Secure Software Development Lif...
Security Culture from Concept to Maintenance: Secure Software Development Lif...Security Culture from Concept to Maintenance: Secure Software Development Lif...
Security Culture from Concept to Maintenance: Secure Software Development Lif...
 
Annual OktCyberfest 2019
Annual OktCyberfest 2019Annual OktCyberfest 2019
Annual OktCyberfest 2019
 
Turning security into code by Jeff Williams
Turning security into code by Jeff WilliamsTurning security into code by Jeff Williams
Turning security into code by Jeff Williams
 
Reducing Application Risk: minimizing your web application's attack surface
Reducing Application Risk: minimizing your web application's attack surfaceReducing Application Risk: minimizing your web application's attack surface
Reducing Application Risk: minimizing your web application's attack surface
 
Managing Application Security Risk in Enterprises - Thoughts and recommendations
Managing Application Security Risk in Enterprises - Thoughts and recommendationsManaging Application Security Risk in Enterprises - Thoughts and recommendations
Managing Application Security Risk in Enterprises - Thoughts and recommendations
 
CIS 2015 Identity and Data Security : Breaking the Boundaries - Nathanael Cof...
CIS 2015 Identity and Data Security : Breaking the Boundaries - Nathanael Cof...CIS 2015 Identity and Data Security : Breaking the Boundaries - Nathanael Cof...
CIS 2015 Identity and Data Security : Breaking the Boundaries - Nathanael Cof...
 
Threat modelling(system + enterprise)
Threat modelling(system + enterprise)Threat modelling(system + enterprise)
Threat modelling(system + enterprise)
 
What Every Developer And Tester Should Know About Software Security
What Every Developer And Tester Should Know About Software SecurityWhat Every Developer And Tester Should Know About Software Security
What Every Developer And Tester Should Know About Software Security
 
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
 
Security Best Practices
Security Best PracticesSecurity Best Practices
Security Best Practices
 
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja WarriorsRyan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
 
Application Security Done Right
Application Security Done RightApplication Security Done Right
Application Security Done Right
 

Recently uploaded

Cyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfCyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdf
Overkill Security
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Victor Rentea
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Jeffrey Haguewood
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Victor Rentea
 

Recently uploaded (20)

AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
Cyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfCyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdf
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 

Experts Live 2022 - Attack Surface Reduction rules...your best ally against ransomware!

  • 1. SECURITY Attack Surface Reduction rules... your best ally against ransomware! Pim Jacobs Principal Consultant, InSpark Ronny de Jong Security Technical Specialist, Microsoft
  • 2. SECURITY Agenda Introduction Start with some humor😀 Understanding the cybercrime economy and ruin their business model Overview Defending against ransomware: Moving beyond protection by detection Proof is in the eating Prevent common attack techniques used in ransomware attacks Considerations & next steps Tips & tricks to get you kick started Questions …and hopefully some answers 😉
  • 3. SECURITY Believing attackers will follow the planned path?
  • 4. SECURITY Attacker Perspective: shaped by experience & ‘fog of war’ Phishing email to admin Looks like they have NGFW, IDS/IPS, and DLP I bet their admins 1. Check email from admin workstations 2. Click on links for higher paying jobs Low Found passwords.xls Now, let’s see if admins save service account passwords in a spreadsheet… High
  • 5. SECURITY Strategically position security investments Replace password.xls ‘process’ with • PIM/PAM • Workload identities Sensitive Data Protection & Monitoring • Discover business critical assets with business, technology, and security teams • Increase security protections and monitoring processes • Encrypt data with Azure Information Protection Modernize Security Operations • Add XDR for identity, endpoint (EDR), cloud apps, and other paths • Train SecOps analysts on endpoints and identity authentication flows Protect Privileged Accounts Require separate accounts for Admins and enforce MFA/passwordless Privileged Access Workstations (PAWs) + enforce with Conditional Access Rigorous Security Hygiene • Rapid Patching • Secure Configuration • Secure Operational Practices
  • 7. SECURITY Pattern – Human Operated Ransomware ENTER ENVIRONMENT TRAVERSE & SPREAD EXECUTE OBJECTIVES Human Attack Operator(s)
  • 9. SECURITY Ruin their Business Model DEFENDERS: RUIN ATTACKER ROI NOTE: Cost of attack is continuously changing with technical advancement + business model evolution Your budget spend should result in increased attacker cost/friction
  • 10. SECURITY SECURITY Introduction of Attack Surface Reduction rules Reducing the attack surface…
  • 12. SECURITY CENTRALIZED CONFIGURATION AND ADMINISTRATION APIS AND INTEGRATION Threats are no match
  • 13. SECURITY What are Attack Surface Reduction rules? Attack Surface Reduction rules are meant to resist attacks and exploitations on endpoints. • Attack surface reduction rules target certain software behaviors, such as: • Launching executable files and scripts that attempt to download or run files • Running obfuscated or otherwise suspicious scripts • Performing behaviors that apps don't usually initiate during normal day-to-day work
  • 14. SECURITY Rules by category Productivity apps rules • • • • • Email rule • • • Misc rule • Script rules • • Polymorphic threats • • • Lateral movement & credential theft • • •
  • 15. SECURITY Operating modes Disabled (default) • • Audit mode • • • Block mode • • Warn mode (added this year) • •
  • 16. SECURITY SECURITY Demo Proof is in the eating… - Determine your security posture by Secure Score and unleash your ASR potential - Understand user impact recommendations in practice with Vulnerability Management - Configure Attack Surface Reduction rules Endpoint Manager
  • 17. SECURITY Attack Surface Reduction rules What’s new in ASR rules • • • • Attack surface reduction rules reference | Microsoft Docs Requirements • • • • Warn mode exceptions* • • • Demo scenarios to validate Defender for Endpoint, SmartScreen and Attack Surface Reduction* https://demo.wd.microsoft.com/Page/ASR
  • 18. SECURITY Attack Surface Reduction rules What’s to check when having false positives? • • • • What type of exclusions work for ASR rules?low • • • • What type of wildcards work with ASR Rules exclusions? •
  • 19. SECURITY SECURITY Demo Proof is in the eating… - Attack Surface Reduction in action from a user perspective - Gain insights and fine tune your ASR deployment using reports - Use Advanced Hunting to get detailed information with a little help of KQL
  • 20. SECURITY SECURITY Tips & Tricks Attack Surface Reduction rulezzz…
  • 21. SECURITY How & where to start tomorrow? • Make sure Cloud Protection and MAPS are enabled • Create individual policies for each of the ASR Rules (audit/warn/block) and deploy • Audit for a period between 1 to 7** days. Repeat for 3-4 weeks • Have at least some ASR rules enabled in block mode while working on others • Start mitigation from least amount audit detections to the greatest number of detections • Use Advanced Hunting queries to find apps/scripts/docs that might have compatibility issues • Standardize on Endpoint Security (ASR) policy templates • Think defense-in-depth! Do not rely on ASR rules solely
  • 22. SECURITY Resources Blog posts in Microsoft Defender for Endpoint Tech Communities Demystifying ASR rules Use attack surface reduction rules to prevent malware infection Use attack surface reduction rules to prevent malware infection - Windows security | Microsoft Docs Enable attack surface reduction rules Enable attack surface reduction rules - Windows security | Microsoft Docs Power BI Power BI Report templates GitHub - microsoft/MDE-PowerBI-Templates: A respository for MDATP PowerBI Templates Customize attack surface reduction rules Customize attack surface reduction rules - Windows security | Microsoft Docs View attack surface reduction events View attack surface reduction events - Windows security | Microsoft Docs Attack surface reduction policy for endpoint security in Endpoint Manager Manage attack surface reduction settings with endpoint security policies in Microsoft Intune | Microsoft Docs Demo scenarios to validate Defender for Endpoint, SmartScreen and Attack Surface Reduction* https://demo.wd.microsoft.com/Page/ASR *After listening to feedback, we have decided to delay the retirement of this site until 09/30/2022. You have more time to let us know about the features you are using and how you are using them. To contact us, email mdedemositefeedback@microsoft.com.