Modern cybersecurity threats, and shiny new tools to help deal with them

With cybersecurity threats changing rapidly, we definitely need a new set of tools to be able to prevent and address them more efficiently: malware is becoming more complex and harder to detect, malicious insider attacks are on the rise and zero-day exploits make their way to the public much quicker than before. Join this session to see how Windows Server 2016 and Windows 10 can help organizations deal with this ever-changing security ecosystem by providing them with ways to better secure their environment and data. We’ll touch on topics such as malware & threat resistance, identity & access control, virtualization-based security, configurable code integrity, remote attestation and a few others.

  1. @ITCAMPRO #ITCAMP17 Community Conference for IT Professionals
     Modern cybersecurity threats, and shiny new tools to help deal with them
     Tudor Damian
     Microsoft Cloud & Datacenter Management MVP, Certified Ethical Hacker
     Executive Manager at Avaelgo (IT Advisory, Managed Services, Training)
     Contact: tudor.damian@avaelgo.ro / @tudydamian / tudy.tel
  2. Many thanks to our sponsors & partners! (Platinum, Gold, Silver, Partners, Powered by)
  3. Video – Anatomy of an attack (Source: Cisco)
  4. (image-only slide)
  5. CURRENT STATE OF CYBERSECURITY
  6. The effects of WannaCry and EternalRocks
  7. Your system's security is only as strong as its weakest link
  8. A changing security landscape
     • A steady increase in companies targeted by social engineering attacks (60% in 2016, and growing)
     • Data theft turning into data manipulation
     • Attackers targeting consumer & IoT devices (e.g. the Mirai botnet)
     • Ransomware on the rise (e.g. WannaCry)
     • Breaches getting more complicated and harder to detect
     • 70% of companies will experience cyber attacks by 2018 (IDC)
     • Through 2020, 99% of vulnerabilities exploited will continue to be ones known by IT professionals for at least one year (Gartner)
     • Cyber risk insurance is more needed than ever
  9. 2016 – the year of hacks and vulnerabilities
     Myspace, Fling, LinkedIn, Sony, VK.com, Dropbox, Tumblr, Yahoo, Equation Group, Shadow Brokers, Punycode, BadUSB, Superfish, Heartbleed, Shellshock, Karmen, POODLE, FREAK, GHOST, DROWN, Dirty COW, STAGEFRIGHT, QuadRooter, XCodeGhost, Mirai, Carbanak, Gemalto, SS7, Locky, DMA Locker, Surprise, Ranscam, SWIFT, Weebly, Sundown, CrypMIC, TrickBot, Angler, RIG, Neutrino, xDedic, BlackEnergy, ProjectSauron, Adwind, Danti, SVCMONDR, Lazarus, FruityArmor, ScarCruft, Lurk, Ammyy Admin, Chinastrats, Patchwork, TeslaCrypt
  10. Choices in building a system/app – pick any two! Secure / Cheap / Usable
  11. Attack timeline
      First host compromised → Domain admin compromised: 24–48 hours
      Domain admin compromised → Attack discovered: more than 200 days (varies by industry)
      Sources: HP, Ponemon Institute, Verizon
  12. How much time does security get?
      • An attacker has 24x7x365 to attack you
      • The defender has 20 (?) man-days per year to detect and defend (scheduled pen-tests)
      • Who has the edge?
  13. Lack of security professionals worldwide
      • Cisco, 2014 – There are more than 1 million unfilled security jobs worldwide
      • (ISC)² study, 2015 – A shortfall of 1.5 million security professionals is estimated by 2020
      Sources: http://www.cisco.com/web/offer/gist_ty2_asset/Cisco_2014_ASR.pdf and http://blog.isc2.org/isc2_blog/2015/04/isc-study-workforce-shortfall-due-to-hiring-difficulties-despite-rising-salaries-increased-budgets-a.html
  14. GDPR is coming!
      • EU General Data Protection Regulation (GDPR)
        – Comes into effect on May 25th 2018
        – Clarifies where responsibility for privacy protection lies for any company that stores, collects, manages or analyzes any form of Personally Identifiable Information (PII)
        – Applies to any organization (including those outside the EU) that holds or processes data from EU residents
        – Replaces the Data Protection Directive (DPD) 95/46/EC to become the single, all-encompassing privacy protection regulation in the EU
      • Breaches could lead to fines:
        – Major breaches – up to €20 million or 4% of global annual turnover
        – Less important breaches – up to €10 million or 2% of global annual turnover
      More: http://www.eugdpr.org/
  15. More details on GDPR
      • Adds some more rights for EU citizens:
        – Right to be forgotten (ask data controllers to erase all personal data)
        – Right to data portability (move data from one service provider to another)
        – Right to object to profiling (not to be subject to a decision based solely on automated processing)
      • Where do companies store PII data?
        – Customer Relationship solutions (SalesForce, PeopleSoft, Dynamics)
        – ERPs (SAP, Oracle, Axapta)
        – Enterprise Content Management systems, file shares
        – Emails, attachments, Office documents, PDF files, letters, contracts
        – SharePoint, Lotus Notes, Dropbox, Box, OneDrive
        – Employee HR data
        – etc.
      More: http://www.eugdpr.org/
  16. Assume Breach – a change in mindset
      • We have to stop focusing only on preventing a data breach and start assuming the breach has already happened
      • Currently: a one-sided, purely preventative strategy
      • Future: emphasis on breach detection, incident response, and effective recovery
        – Start thinking about the time when a breach will (almost inevitably) occur in your infrastructure
        – Be prepared for that!
  17. A healthier security approach (Source: Gartner)
      • PREDICT – Proactive exposure analysis; Predict attacks; Baseline systems
      • PREVENT – Harden and isolate systems; Divert attackers; Prevent incidents
      • DETECT – Detect incidents; Confirm and prioritize; Contain incidents
      • RESPOND – Investigate/Forensics; Design/Model change; Remediate/Make change
      All four phases sit on top of continuous monitoring and analytics.
  18. WINDOWS 10 & WINDOWS SERVER 2016
  19. The Windows 10 defense stack
      Pre-breach:
      • Device protection – Device Health Attestation, Device Guard, Device Control, Security policies
      • Threat resistance – SmartScreen, AppLocker, Device Guard, Windows Defender, Network/Firewall
      • Identity protection – Built-in 2FA, Account lockdown, Credential Guard, Windows Hello ;)
      • Information protection – BitLocker, Enterprise Data Protection, Conditional access
      Post-breach:
      • Breach detection, Investigation & Response – Windows Defender Advanced Threat Protection (WDATP), Microsoft Advanced Threat Analytics (ATA)
  20. Some of the security improvements in W10 / WS2016
      Windows Defender SmartScreen, Credential Guard, Enterprise Certificate Pinning, Just Enough Administration (JEA), Just-in-Time Administration (JIT), Device Guard, Structured Exception Handling Overwrite Protection (SEHOP), Control Flow Guard (CFG), Windows Hello, In-box Azure MFA, Hypervisor-protected Code Integrity (HVCI), Shielded VMs, Host Guardian Service, Device Health Attestation (DHA), Network Controller, Distributed Firewall, Network Security Groups, Virtual Appliances, Virtual Secure Mode, Virtual TPM
      More: https://docs.microsoft.com/en-us/windows/threat-protection/overview-of-threat-mitigations-in-windows-10
  21. JEA & JIT
  22. Challenges in protecting credentials
  23. Windows Server 2016 approach
      • Credential Guard – Prevents Pass-the-Hash and Pass-the-Ticket attacks by protecting stored credentials through virtualization-based security
      • Just Enough Administration – Limits administrative privileges to the bare-minimum required set of actions (limited in space)
      • Just-in-Time Administration – Provides privileged access through a workflow that is audited and limited in time
      • JEA + JIT – Limitation in both time & capability
      More: https://github.com/PowerShell/JEA & https://docs.microsoft.com/en-us/microsoft-identity-manager/pam/privileged-identity-management-for-active-directory-domain-services
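The "limited in space" half of slide 23 in working form: an added example (not from the deck) that registers a JEA endpoint letting a help-desk group restart one service and read event logs, running as a transient virtual account with transcripts. The module name, group `CONTOSO\Helpdesk`, transcript path and the `Get-FarmStatus` helper are assumptions.

```powershell
# Added example: a JEA endpoint that exposes only a handful of commands.
$moduleName = 'HelpdeskJEA'                                   # assumed name
$modulePath = Join-Path $env:ProgramFiles "WindowsPowerShell\Modules\$moduleName"
$rcPath     = Join-Path $modulePath 'RoleCapabilities'        # JEA looks for .psrc files here
New-Item -ItemType Directory -Path $rcPath -Force | Out-Null
New-ModuleManifest -Path (Join-Path $modulePath "$moduleName.psd1")

# Role capability: what the role may do. Restart-Service is pinned to one
# service name, Get-WinEvent to two parameters; everything else is invisible.
$roleParams = @{
    Path           = Join-Path $rcPath 'Helpdesk.psrc'
    VisibleCmdlets = @(
        'Get-Service',
        @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler' } },
        @{ Name = 'Get-WinEvent';    Parameters = @{ Name = 'LogName' }, @{ Name = 'MaxEvents' } }
    )
    VisibleFunctions    = 'Get-FarmStatus'                     # hypothetical helper
    FunctionDefinitions = @{
        Name        = 'Get-FarmStatus'
        ScriptBlock = { Get-Service -Name Spooler, W32Time | Select-Object Name, Status }
    }
}
New-PSRoleCapabilityFile @roleParams

# Session configuration: who gets which role, run as a virtual account (no
# standing admin credential stored on the box), every session transcribed.
$pssc = Join-Path $env:TEMP 'Helpdesk.pssc'
$sessionParams = @{
    Path                = $pssc
    SessionType         = 'RestrictedRemoteServer'
    RunAsVirtualAccount = $true
    TranscriptDirectory = 'C:\JEA\Transcripts'                 # assumed path
    RoleDefinitions     = @{ 'CONTOSO\Helpdesk' = @{ RoleCapabilities = 'Helpdesk' } }
}
New-PSSessionConfigurationFile @sessionParams
if (-not (Test-PSSessionConfigurationFile -Path $pssc)) { throw 'invalid .pssc' }
Register-PSSessionConfiguration -Name 'Helpdesk' -Path $pssc -Force

# What a help-desk user sees after connecting to the endpoint:
#   Enter-PSSession -ComputerName localhost -ConfigurationName Helpdesk
#   Get-Command        # only the visible cmdlets/functions plus JEA's defaults
```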
  24. In-box Azure MFA
      More: https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication
  25. PROTECTING VMS
  26. Protect virtual machines
      • Compromised or malicious fabric administrators can access guest VMs
      • Health of hosts is not taken into account before running VMs
      • Tenants' VMs are exposed to storage and network attacks
      • Virtual machines can't take advantage of hardware-rooted security capabilities such as TPMs
      (Diagram: Fabric / Hypervisor / Guest VM – "Healthy host?")
  27. Windows Server 2016 approach
      • Shielded VMs – Use BitLocker to encrypt the disk and state of virtual machines, protecting secrets from compromised admins & malware
      • Host Guardian Service – Attests to host health, releasing the keys required to boot or migrate a Shielded VM only to healthy hosts
      • Generation 2 VMs – Support virtualized equivalents of hardware security technologies (e.g. TPMs), enabling BitLocker encryption for Shielded VMs
      More: https://docs.microsoft.com/en-us/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabric-and-shielded-vms-top-node
  28. Guarded hosts and Shielded VMs attestation
      • Admin-trusted attestation
        – Intended to support existing host hardware (no TPM 2.0 available)
        – Guarded hosts that can run Shielded VMs are approved by the Host Guardian Service based on membership in a designated Active Directory Domain Services (AD DS) security group
      • TPM-trusted attestation
        – Offers the strongest possible protections
        – Requires more configuration steps
        – Host hardware and firmware must include TPM 2.0 and UEFI 2.3.1 with Secure Boot enabled
        – Guarded hosts that can run Shielded VMs are approved based on their TPM identity, measured boot sequence and code integrity policies
      More: https://docs.microsoft.com/en-us/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabric-and-shielded-vms-top-node
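The two attestation modes of slide 28 as the HGS registration steps behind them, an added example rather than anything from the deck: admin-trusted mode registers an AD group SID, TPM-trusted mode registers each host's TPM identity, a reference boot measurement and the CI policy. The HGS URL, domain, group, host and file names are assumptions.

```powershell
# Added example: telling the Host Guardian Service which hosts are "healthy".

# --- Admin-trusted attestation: approval follows AD DS group membership -------
# Run on the HGS server. Any host in this group may run Shielded VMs, so the
# group itself becomes a high-value object to audit.
$group = Get-ADGroup -Identity 'GuardedHosts' -Server 'fabric.contoso.com'   # assumed
Add-HgsAttestationHostGroup -Name 'GuardedHosts' -Identifier $group.SID.Value

# --- TPM-trusted attestation: approval follows hardware identity + boot + CI ---
# Step 1, on each guarded host (TPM 2.0, UEFI Secure Boot): export the TPM
# identity and capture a known-good boot measurement (TCG log).
#   Get-PlatformIdentifier -Name 'host01' | Out-File '.\host01.xml'
#   Get-HgsAttestationBaselinePolicy -Path '.\host01-baseline.tcglog'
# Step 2, on the HGS server: register all three artefacts. A host must match
# a registered TPM, a registered boot baseline AND a registered CI policy.
Add-HgsAttestationTpmHost   -Name 'host01'        -Path '.\host01.xml'
Add-HgsAttestationTpmPolicy -Name 'Host-Baseline' -Path '.\host01-baseline.tcglog'
Add-HgsAttestationCIPolicy  -Name 'Fabric-CI'     -Path '.\SIPolicy.p7b'   # assumed CI policy binary

# --- Guarded host side: point at HGS and confirm attestation before use -------
#   Set-HgsClientConfiguration `
#       -AttestationServerUrl   'http://hgs.contoso.com/Attestation' `
#       -KeyProtectionServerUrl 'http://hgs.contoso.com/KeyProtection'
#   (Get-HgsClientConfiguration).AttestationStatus   # expect 'Passed'
#   Get-HgsTrace -RunDiagnostics                     # explains a failing host
```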
  29. VIRTUAL SECURE MODE
  30. Virtual Secure Mode overview
  31. DEVICE GUARD & CREDENTIAL GUARD
  32. Device Guard & AppLocker
      • AppLocker was introduced back in Windows 7 / WS 2008 R2
        – Specifies a list of apps allowed to run on a user's device
        – The whitelist can be specific to a group or individual within AD
        – Much more efficient than a blacklist
      • Device Guard extends AppLocker
        – Relies on digital signatures
        – Requires apps to be digitally signed
        – This includes internal apps
      • Device Guard requirements
        – Intel VT-x or AMD-V extensions
        – Second Level Address Translation (SLAT)
        – Intel VT-d or AMD-IOV
        – TPM (optional, required for Credential Manager)
      More: https://docs.microsoft.com/en-us/windows/device-security/device-guard/device-guard-deployment-guide
  33. Device Guard
      • Hardware-rooted app control (runs in VSM)
        – Enables a Windows desktop to be locked down to only run trusted apps, just like many mobile OSs (e.g. Windows Phone)
        – Untrusted apps and executables such as malware are unable to run
        – Resistant to tampering by an administrator or malware
        – Requires devices specially configured by either the OEM or IT
      • Getting apps into the circle of trust
        – Supports all apps, including Universal and Desktop (Win32)
        – Trusted apps can be created by IHVs, ISVs and organizations using a Microsoft-provided signing service
        – Apps must be specially signed using the Microsoft signing service; no additional modification is required
        – Signing service made available to OEMs, IHVs, ISVs and enterprises
      More: https://docs.microsoft.com/en-us/windows/device-security/device-guard/device-guard-deployment-guide
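How the "only run trusted apps" policy of slides 32 and 33 is actually built and rolled out, as an added example (not from the deck): a configurable code integrity policy generated from a reference machine's signers, deployed in audit mode first, then tightened from the audit events. The paths under `C:\CIPolicy` are assumptions.

```powershell
# Added example: publisher-based code integrity policy, audit first, then enforce.
$xml = 'C:\CIPolicy\Policy.xml'                   # assumed path
$bin = 'C:\CIPolicy\SIPolicy.p7b'
New-Item -ItemType Directory -Path (Split-Path $xml) -Force | Out-Null

# Scan the golden image. -Level Publisher trusts anything signed by the same
# publisher certificate, which is why internal apps must be signed too;
# -Fallback Hash pins unsigned binaries by hash instead of silently skipping them.
New-CIPolicy -Level Publisher -Fallback Hash -FilePath $xml -ScanPath 'C:\' -UserPEs

# Rule option 3 = "Enabled:Audit Mode": blocked-would-be executions are logged
# as event 3076 in Microsoft-Windows-CodeIntegrity/Operational, not prevented.
Set-RuleOption -FilePath $xml -Option 3
ConvertFrom-CIPolicy -XmlFilePath $xml -BinaryFilePath $bin
Copy-Item $bin "$env:windir\System32\CodeIntegrity\SIPolicy.p7b"   # active after reboot

# After a soak period, see what would have been blocked ...
Get-WinEvent -LogName 'Microsoft-Windows-CodeIntegrity/Operational' -MaxEvents 200 |
    Where-Object Id -eq 3076 | Select-Object TimeCreated, Message

# ... fold the legitimate ones into the policy from the audit log ...
$auditXml = 'C:\CIPolicy\AuditRules.xml'
New-CIPolicy -Audit -Level Publisher -Fallback Hash -FilePath $auditXml -UserPEs
Merge-CIPolicy -PolicyPaths $xml, $auditXml -OutputFilePath $xml

# ... and drop audit mode to switch the same policy to enforcement.
Set-RuleOption -FilePath $xml -Option 3 -Delete
ConvertFrom-CIPolicy -XmlFilePath $xml -BinaryFilePath $bin
Copy-Item $bin "$env:windir\System32\CodeIntegrity\SIPolicy.p7b"
```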
  34. Credential Guard
      • Uses virtualization-based security to protect Kerberos, NTLM and Credential Manager secrets
      More: https://docs.microsoft.com/en-us/windows/access-protection/credential-guard/credential-guard-how-it-works
  35. Credential Guard details
      • Minimum requirements
        – Windows 10 v1511 or Windows Server 2016
        – x64 architecture
        – UEFI firmware 2.3.1 or higher and Secure Boot enabled
        – TPM version 2.0
      • Considerations
        – 3rd-party Security Support Provider (SSP) secrets are not protected
        – NTLMv1 is not supported (considered insecure)
        – Kerberos unconstrained delegation & DES encryption aren't supported
        – Digest auth, credential delegation and MS-CHAPv2 will prompt for (and potentially expose) credentials
          • MS-CHAPv2 should be phased out (i.e. upgrade your Wi-Fi and/or VPN)
      More: https://docs.microsoft.com/en-us/windows/access-protection/credential-guard/credential-guard-how-it-works
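A readiness check for the requirements and caveats on slide 35, added here as an example (not from the deck): it tests OS version, architecture, Secure Boot and TPM, flags the NTLMv1, WDigest and Kerberos DES settings that Credential Guard does not cover, and reads the current VBS state from the `Win32_DeviceGuard` WMI class. Run elevated; registry value names are the documented Windows ones.

```powershell
# Added example: Credential Guard readiness and current status.
function Get-CredentialGuardReadiness {
    $findings = [System.Collections.Generic.List[string]]::new()

    # Minimum requirements from the slide
    $os = Get-CimInstance Win32_OperatingSystem
    if ([version]$os.Version -lt [version]'10.0.10586') { $findings.Add("OS $($os.Version) older than Windows 10 v1511") }
    if ($os.OSArchitecture -notmatch '64')              { $findings.Add('x64 architecture required') }
    try   { if (-not (Confirm-SecureBootUEFI)) { $findings.Add('Secure Boot is disabled') } }
    catch { $findings.Add('UEFI Secure Boot not available (legacy BIOS?)') }
    $tpm = Get-Tpm -ErrorAction SilentlyContinue
    if (-not $tpm -or -not $tpm.TpmReady) { $findings.Add('TPM not present/ready: VBS keys not hardware-bound') }

    # Considerations: protocols Credential Guard does not protect or support
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $lm  = if ($null -ne $lsa.LmCompatibilityLevel) { [int]$lsa.LmCompatibilityLevel } else { 3 }  # OS default
    if ($lm -lt 3) { $findings.Add("LmCompatibilityLevel=$lm allows NTLMv1; set it to 5") }
    $wd = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -ErrorAction SilentlyContinue
    if ($wd.UseLogonCredential -eq 1) { $findings.Add('WDigest UseLogonCredential=1 keeps plaintext credentials in LSASS') }
    $krb = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters' -ErrorAction SilentlyContinue
    if ($krb.SupportedEncryptionTypes -band 0x3) { $findings.Add('Kerberos DES etypes enabled (bits 0x1/0x2)') }

    # Current state. SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI.
    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled not running, 2 = running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        VbsRunning             = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        CredentialGuardRunning = ($dg.SecurityServicesRunning -contains 1)
        HvciRunning            = ($dg.SecurityServicesRunning -contains 2)
        Findings               = $findings
    }
}
Get-CredentialGuardReadiness

# To turn it on without Group Policy (reboot required; LsaCfgFlags 1 = with
# UEFI lock, 2 = without lock):
#   $dgKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
#   Set-ItemProperty $dgKey -Name EnableVirtualizationBasedSecurity -Value 1 -Type DWord
#   Set-ItemProperty $dgKey -Name RequirePlatformSecurityFeatures   -Value 1 -Type DWord
#   Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name LsaCfgFlags -Value 1 -Type DWord
```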
  36. WINDOWS HELLO
  37. (image-only slide)
  38. Windows Hello
      • Replaces/extends Windows passwords with
        – Fingerprint, iris scan & facial recognition
        – MFA via companion devices like phones, wearables, USB keys and smartcards (formerly Microsoft Passport)
      More: https://docs.microsoft.com/en-us/windows/uwp/security/microsoft-passport
  39. GROUP MANAGED SERVICE ACCOUNTS
  40. Group Managed Service Accounts
      • The feature builds on Standalone Managed Service Accounts
        – Introduced in Windows 2008 R2 and Windows 7
        – Managed domain accounts
        – Automated password management
        – Simplified SPN (Service Principal Name) management, including delegation of management to other administrators
      • Group Managed Service Accounts
        – Provide the same functionality within the domain but also extend it over multiple servers
        – Leverage the Microsoft Key Distribution Service within the AD domain
        – E.g. can be used for a service hosted on a server farm behind a Network Load Balancer, ensuring that all instances use the same principal
      More: https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview
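The server-farm case from slide 40 as an added example (not from the deck): one gMSA retrievable by every node in a farm group, with the SPN of the load-balanced name so Kerberos works whichever node answers. Domain, account, host and group names are assumptions.

```powershell
# Added example: a gMSA shared by a load-balanced web farm.
Import-Module ActiveDirectory

# One-time per forest: the KDS root key from which gMSA passwords are derived.
# In production use Add-KdsRootKey -EffectiveImmediately and wait ~10 hours
# for replication; the backdated EffectiveTime below is a lab shortcut only.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
}

# The farm members are the only principals allowed to fetch the password.
New-ADGroup -Name 'WebFarmHosts' -GroupScope Global -GroupCategory Security    # assumed group
Add-ADGroupMember -Identity 'WebFarmHosts' -Members `
    (Get-ADComputer -Identity 'WEB01'), (Get-ADComputer -Identity 'WEB02')     # assumed hosts

# The account: AD rotates the password every 30 days, Kerberos is AES-only,
# and the SPN is the load-balanced name rather than any single node.
New-ADServiceAccount -Name 'gmsa-web' `
    -DNSHostName 'web.contoso.com' `
    -ServicePrincipalNames 'HTTP/web.contoso.com', 'HTTP/web' `
    -PrincipalsAllowedToRetrieveManagedPassword 'WebFarmHosts' `
    -KerberosEncryptionType AES256 `
    -ManagedPasswordIntervalInDays 30

# Verify who may retrieve the password: a gMSA is only as safe as this list.
Get-ADServiceAccount -Identity 'gmsa-web' -Properties PrincipalsAllowedToRetrieveManagedPassword |
    Select-Object Name, PrincipalsAllowedToRetrieveManagedPassword

# On each farm node, after a reboot so the group membership is in its token:
#   Install-ADServiceAccount -Identity 'gmsa-web'
#   Test-ADServiceAccount    -Identity 'gmsa-web'   # True when the node can fetch the password
# Then run the IIS app pool or service as CONTOSO\gmsa-web$ with a blank password.
```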
  41. DEVICE HEALTH ATTESTATION (DHA)
  42. Today, device health is assumed
      • Clients are usually granted full access to resources
      • Any clients which become "unhealthy" can proliferate malware
      (Diagram: unhealthy client (1) reaching important resources (2))
  43. Device Health Attestation (DHA)
      • On-premises or cloud-based service
        – Provides remote health attestation for devices
        – Can issue health state "claims"
      • Blocks unhealthy devices to protect resources and prevent proliferation
      • Intune MDM can provide conditional access based on device health state claims
      • Hardware requirements
        – UEFI 2.3.1 with Secure Boot
        – VT-x, AMD-V & SLAT
        – x64 processor
        – IOMMU (Intel VT-d or AMD-Vi)
        – TPM 1.2 or 2.0
      More: https://docs.microsoft.com/en-us/windows-server/security/device-health-attestation
  44. WINDOWS INFORMATION PROTECTION
  45. Windows Information Protection
      • Allows companies to transparently keep corporate data secure and personal data private, while providing data leakage control
      • Key features:
        – Automatically tag personal and corporate data
        – Protect data while it's at rest on local or removable storage
        – Control which apps can access corporate data
        – Control which apps can access a virtual private network (VPN) connection
        – Prevent users from copying corporate data to public locations
        – Help ensure business data is inaccessible when the device is in a locked state
        – Ability to wipe corporate data from devices while leaving personal data alone
        – Audit reports for tracking issues and remedial actions
      More: https://docs.microsoft.com/en-us/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip
  46. …AND A FEW OTHERS
  47. Windows 10 mitigations against memory exploits
      • SMB hardening for SYSVOL and NETLOGON shares
        – Client connections to the AD DS default SYSVOL and NETLOGON shares now require SMB signing and mutual authentication (such as Kerberos)
      • Protected Processes
        – Help prevent one process from tampering with another (specially signed) process
      • Universal Windows apps protections
        – Apps are carefully screened before being made available
        – They run in an AppContainer sandbox with limited privileges
      • Heap protections
        – Improvements in the use of internal data structures which help protect against corruption of memory used by the heap
      • Control Flow Guard (CFG)
        – Helps mitigate exploits that are based on flow between code locations in memory
      • Structured Exception Handling Overwrite Protection (SEHOP)
        – Complements DEP and ASLR
      • Kernel pool protections
        – Help prevent exploitation of pool memory used by the kernel
      More: https://docs.microsoft.com/en-us/windows/threat-protection/overview-of-threat-mitigations-in-windows-10
  48. Several other improvements
      • Windows Defender SmartScreen – Checks the reputation of all downloaded apps
      • Code Integrity – Ensures that only permitted binaries can be executed from the moment the OS is booted
      • Enterprise Certificate Pinning – Protects internal domain names from chaining to fraudulent certificates
      • Early Launch Anti-Malware (ELAM) – Blocks driver-based rootkits
      • Guarded Fabric – Shielded VMs, VSM, Hypervisor Code Integrity (HVCI)
      • Windows Defender Advanced Threat Protection (WDATP)
      • Advanced Threat Analytics (ATA)
      More: https://docs.microsoft.com/en-us/windows/threat-protection/overview-of-threat-mitigations-in-windows-10
  49. You might also want to take a look at my ITCamp session from last year, talking about Guarded Fabric, Microsoft ATA, WDATP & more
  50. Q & A
