The global security landscape is changing, now more than ever. With cloud computing gaining momentum and advanced persistent threats becoming a common occurrence, the industry is taking a more focused and serious approach when it comes to security, especially after some of last years’ heavily publicized incidents. Join this session for a discussion on what Microsoft is doing to protect against these new security threats with fresh approaches taken both at the server & client OS level, as well as in Azure.
2016, A new era of OS and Cloud Security
1. @ITCAMPRO #ITCAMP16Community Conference for IT Professionals
2016 – A New Era of OS and Cloud Security
Tudor Damian
Microsoft Cloud and Datacenter Management MVP
Certified Ethical Hacker
tudor.damian@avaelgo.ro / @tudydamian / tudy.tel
7. The Evolution of Attacks
(chart: attack volume and impact over time)
• 2003-2004: Script Kiddies
– BLASTER, SLAMMER
– Motive: Mischief
• 2005-PRESENT: Organized Crime
– RANSOMWARE, CLICK-FRAUD, IDENTITY THEFT
– Motive: Profit
• 2012 - Beyond: Nation States, Activists, Terror Groups
– BRAZEN, COMPLEX, PERSISTENT
– Motives: IP Theft, Damage, Disruption
Ignite 2015 BRK2325
8. Changing nature of cybersecurity attacks
Today’s cyber attackers are:
• Causing significant financial loss, impact to brand reputation, loss of confidential data and executive jobs
• Compromising user credentials in the vast majority of attacks
• Staying in the network an average of eight months before detection
• Using legitimate IT tools rather than malware – harder to detect
Ignite 2015 BRK3870
12.
• Median number of days attackers are present on a victim’s network before detection: 200+
• Days after detection to full recovery: 80
• Impact of lost productivity and growth: $3 Trillion
• Average cost of a data breach (15% YoY increase): $3.5 Million
“There are two kinds of big companies, those who’ve been hacked, and those who don’t know they’ve been hacked.”
– James Comey, FBI Director
Build 2016 B890
13. Timeline of discovery for cyber attacks worldwide
(chart: share of attacks discovered within each time span)
• Hours: 9%
• Days: 8%
• Weeks: 16%
• Months: 62%
• Years: 5%
Source: Verizon
14. Verizon Data Breach Investigations Report
• Some Verizon DBIR findings
– The time to compromise is almost always days or less, if not minutes or less
– 85% of breaches took weeks to discover
– 96% of breaches were not highly difficult
– 97% of breaches were avoidable through simple/intermediate controls
– 63% of confirmed data breaches involved weak, default or stolen passwords
– 95% of confirmed web app breaches were financially motivated
• The 2014 DBIR report shows that 92% of the 100,000 incidents they’ve analyzed over the past 10 years can be described by just 9 basic patterns
Source: http://www.verizonenterprise.com/DBIR/
15. Pwn2Own 2014-2016
• Sandbox escapes or 3rd party code execution:
– Internet Explorer
– Edge
– Mozilla Firefox
– Google Chrome
– Adobe Flash
– Adobe Reader XI
– Apple Safari on Mac OS X
– Windows
– OS X
• 2014 - $850,000 total prize money, paid to 8 entrants
• 2015 - $557,500 total prize money, paid to 6 entrants
• 2016 - $460,000 total prize money
Sources:
http://www.eweek.com/security/pwn2own-2014-claims-ie-chrome-safari-and-more-firefox-zero-days.html
http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Pwn2Own-2015-Day-One-results/ba-p/6722204
http://www.securityweek.com/pwn2own-2016-hackers-earn-460000-21-new-flaws
16. Other recent “happenings” in the IT industry
• Heartbleed (2014)
• Shellshock (2014)
• BadUSB (2014)
• Equation Group (Kaspersky study, 2015)
• Lenovo’s Superfish (2014-2015)
• OAuth & OpenID Covert Redirect (2014)
• Poodle, Freak and Drown SSL attacks (2014-2016)
• Stagefright vulnerability (Android, 2015)
• XCodeGhost malware (iOS, 2015)
• Gemalto SIM cards (2015)
• GSM SS7 vulnerabilities (2014-2016)
17. Assume Breach - a change in mindset
• We have to stop focusing on preventing a data breach and start assuming the breach has already happened
• Currently: a one-sided, purely preventative strategy
• Future: emphasis on breach detection, incident response, and effective recovery
– Start thinking about the time when a breach will (almost inevitably) occur in your infrastructure
– Be prepared for that!
22.
VM protected at rest, in transit
(diagram: Workload manager, Key service backed by an HSM, host TPM and VSM; step 3: deliver vTPM key encrypted to VSM)
Ignite 2015 BRK2482
24. Trust in the environment
(diagram: guarded host with TPM and VSM, Attestation service, Key service)
1. Attestation request: TPM public key, VSM public key, UEFI secure boot log, HVCI policy
2. Deliver attestation certificate
Ignite 2015 BRK2482
25. Guarded hosts and Shielded VMs attestation
• Admin-trusted attestation
– Intended to support existing host hardware (no TPM 2.0 available)
– Guarded hosts that can run Shielded VMs are approved by the Host Guardian Service based on membership in a designated Active Directory Domain Services (AD DS) security group
• TPM-trusted attestation
– Offers the strongest possible protections
– Requires more configuration steps
– Host hardware and firmware must include TPM 2.0 and UEFI 2.3.1 with secure boot enabled
– Guarded hosts that can run Shielded VMs are approved based on their TPM identity, measured boot sequence and code integrity policies
Ignite 2015 BRK2482
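The three steps on slides 22 to 25 (attestation request, attestation certificate, vTPM key release) as a runnable model, added here and not code from the talk or from the Host Guardian Service: the attestation service checks the host's TPM identity, boot log and HVCI policy against constructed placeholder values, and the key service releases the vTPM key only against a certificate it can verify. The function names, the HMAC-signed certificate and the XOR key wrapping are simplifications assumed for the example.

```python
import hashlib
import hmac
import json

# Constructed placeholder measurements the attestation service is configured to accept
# (stand-ins for the TPM identity, measured-boot log and code integrity policy that
# TPM-trusted attestation checks; real HGS compares TPM keys and PCR measurements).
APPROVED_TPM_IDS = {"tpm-ek-constructed-host-01"}
APPROVED_BOOT_LOGS = {"secure-boot-log-constructed-v1"}
APPROVED_HVCI_POLICIES = {"hvci-policy-constructed-v1"}

ATTESTATION_KEY = b"constructed-attestation-service-key"  # signs health certificates
SHIELDING_KEY = b"constructed-key-service-secret"        # key service secret (HSM-backed in the real design)


def attest(request):
    """Steps 1 and 2: validate the host's evidence, return a signed health certificate or None."""
    healthy = (request["tpm_id"] in APPROVED_TPM_IDS
               and request["boot_log"] in APPROVED_BOOT_LOGS
               and request["hvci_policy"] in APPROVED_HVCI_POLICIES)
    if not healthy:
        return None
    body = {"tpm_id": request["tpm_id"], "vsm_pub": request["vsm_pub"]}
    payload = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "sig": hmac.new(ATTESTATION_KEY, payload, hashlib.sha256).hexdigest()}


def certificate_valid(cert):
    """The key service re-checks the attestation service's signature before trusting a certificate."""
    payload = json.dumps(cert["body"], sort_keys=True).encode()
    expected = hmac.new(ATTESTATION_KEY, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, cert["sig"])


def wrap_for_vsm(key, vsm_pub):
    """Stand-in for encrypting to the VSM public key: binds the blob to the attested VSM identity
    (XOR with a pad derived from that identity; a real deployment uses asymmetric encryption)."""
    pad = hashlib.sha256(SHIELDING_KEY + vsm_pub.encode()).digest()
    return bytes(a ^ b for a, b in zip(key, pad))


def release_vtpm_key(cert, vtpm_key):
    """Step 3: release the vTPM key only against a valid certificate, wrapped to that host's VSM."""
    if cert is None or not certificate_valid(cert):
        return None
    return wrap_for_vsm(vtpm_key, cert["body"]["vsm_pub"])


def shielded_vm_start(host, vtpm_key):
    """Run the whole exchange for one host; returns the key the VSM recovers, or None if refused."""
    cert = attest({"tpm_id": host["tpm_id"], "vsm_pub": host["vsm_pub"],
                   "boot_log": host["boot_log"], "hvci_policy": host["hvci_policy"]})
    blob = release_vtpm_key(cert, vtpm_key)
    if blob is None:
        return None
    return wrap_for_vsm(blob, host["vsm_pub"])  # the XOR pad is symmetric, so unwrapping reuses it


GOOD_HOST = {"tpm_id": "tpm-ek-constructed-host-01", "vsm_pub": "vsm-pub-constructed-host-01",
             "boot_log": "secure-boot-log-constructed-v1", "hvci_policy": "hvci-policy-constructed-v1"}
# Same TPM identity, but booted with a code integrity policy the fabric administrator never approved.
UNAPPROVED_HOST = dict(GOOD_HOST, hvci_policy="hvci-policy-constructed-relaxed")

if __name__ == "__main__":
    key = b"constructed-vtpm-key-32-bytes!!!"
    print("approved host recovers key:", shielded_vm_start(GOOD_HOST, key) == key)
    print("unapproved policy:", shielded_vm_start(UNAPPROVED_HOST, key))
```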
30. Device Guard
• (Sort of) an improved version of AppLocker
• Hardware Rooted App Control (runs in VSM)
– Enables a Windows desktop to be locked down to only run trusted apps, just like many mobile OSes (e.g. Windows Phone)
– Untrusted apps and executables such as malware are unable to run
– Resistant to tampering by an administrator or malware
– Requires devices specially configured by either the OEM or IT
• Getting Apps into the Circle of Trust
– Supports all apps including Universal and Desktop (Win32)
– Trusted apps can be created by IHVs, ISVs, and organizations using a Microsoft-provided signing service
– Apps must be specially signed using the Microsoft signing service; no additional modification is required
– Signing service will be made available to OEMs, IHVs, ISVs, and enterprises
Ignite 2015 BRK2325
32. Today, health is assumed
• Unhealthy clients proliferate malware
(diagram: (1) unhealthy clients, (2) important resources)
Ignite 2015 BRK2325
33. Windows Provable PC Health (PPCH)
• Cloud-based service
– Provides remote health attestation
– Can issue health state “claims”
• Blocks unhealthy devices to protect resources and prevent proliferation
• Intune can provide conditional access based on PPCH health state claims
• Available for use by 3rd party network access, security, and management solutions
Ignite 2015 BRK2325
36. How Microsoft Advanced Threat Analytics works
Step 1: Analyze. After installation:
• Simple, non-intrusive port mirroring configuration copies all AD-related traffic
• Remains invisible to the attackers
• Analyzes all Active Directory network traffic
• Collects relevant events from SIEM (Security Information and Event Management) and information from AD (titles, group memberships, and more)
Ignite 2015 BRK3870
37. How Microsoft Advanced Threat Analytics works
Step 2: Learn. ATA:
• Automatically starts learning and profiling entity behavior
• Identifies normal behavior for entities
• Learns continuously to update the activities of the users, devices, and resources
What is an entity? An entity represents users, devices, or resources.
Ignite 2015 BRK3870
38. How Microsoft Advanced Threat Analytics works
Step 3: Detect. Microsoft Advanced Threat Analytics:
• Looks for abnormal behavior and identifies suspicious activities
• Only raises red flags if abnormal activities are contextually aggregated
• Leverages world-class security research to detect security risks and attacks in near real time based on attackers’ Tactics, Techniques and Procedures (TTPs)
ATA not only compares the entity’s behavior to its own, but also to the behavior of entities in its interaction path.
Ignite 2015 BRK3870
39. How Microsoft Advanced Threat Analytics works
• Abnormal Behavior
– Anomalous logins
– Remote execution
– Suspicious activity
• Security issues and risks
– Broken trust
– Weak protocols
– Known protocol vulnerabilities
• Malicious attacks
– Pass-the-Ticket (PtT)
– Pass-the-Hash (PtH)
– Overpass-the-Hash
– Forged PAC (MS14-068)
– Golden Ticket
– Skeleton key malware
– Reconnaissance
– BruteForce
• Unknown threats
• Password sharing
• Lateral movement
Ignite 2015 BRK3870
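The learn and detect steps described on the preceding slides as a small Python model, added here and not ATA's code: a baseline per entity is built from constructed authentication records, and an alert is raised only when several distinct deviations for the same entity are aggregated inside a time window, so a single odd logon stays quiet. The event shape, the three deviation types, the one-hour window and the two-signal threshold are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def _ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M")

# Constructed authentication records in the shape ATA derives from mirrored DC traffic:
# (user, machine the logon came from, resource reached, time). Not real data.
LEARNING_EVENTS = [
    ("alice", "WS-ALICE", "FILESRV01", "2016-03-01T09:05"),
    ("alice", "WS-ALICE", "FILESRV01", "2016-03-02T08:55"),
    ("alice", "WS-ALICE", "MAIL01", "2016-03-03T10:12"),
    ("alice", "WS-ALICE", "FILESRV01", "2016-03-04T17:40"),
    ("bob", "WS-BOB", "FILESRV01", "2016-03-01T09:30"),
    ("bob", "WS-BOB", "SQL01", "2016-03-02T14:00"),
]

def learn_baseline(events):
    """Learn phase: per entity, the machines it logs on from, the resources it reaches, its hours."""
    base = defaultdict(lambda: {"sources": set(), "resources": set(), "hours": set()})
    for user, src, dst, ts in events:
        base[user]["sources"].add(src)
        base[user]["resources"].add(dst)
        base[user]["hours"].add(_ts(ts).hour)
    return base

def deviations(baseline, event):
    """Detect phase, first step: which aspects of one event fall outside the entity's own baseline."""
    user, src, dst, ts = event
    prof = baseline.get(user)
    if prof is None:
        return ["unknown entity"]
    found = []
    if src not in prof["sources"]:
        found.append("new source machine")
    if dst not in prof["resources"]:
        found.append("new resource")
    hour = _ts(ts).hour
    if all(abs(hour - h) > 1 for h in prof["hours"]):   # tolerate an hour either side of the norm
        found.append("unusual hour")
    return found

def detect(baseline, events, window=timedelta(hours=1), min_signals=2):
    """Contextual aggregation: a single odd event is noise, but several distinct deviations for the
    same entity inside a short window are raised together as one suspicious-activity alert."""
    flagged = defaultdict(list)
    for ev in events:
        for d in deviations(baseline, ev):
            flagged[ev[0]].append((_ts(ev[3]), d, ev))
    alerts = []
    for user, items in flagged.items():
        items.sort()
        cluster = []
        for item in items + [None]:              # the trailing None flushes the last cluster
            if item is not None and (not cluster or item[0] - cluster[0][0] <= window):
                cluster.append(item)
                continue
            kinds = {c[1] for c in cluster}
            if len(kinds) >= min_signals:
                alerts.append((user, sorted(kinds), sorted({c[2] for c in cluster})))
            cluster = [item] if item is not None else []
    return alerts

LIVE_EVENTS = [
    ("alice", "WS-ALICE", "MAIL01", "2016-03-07T09:10"),    # within baseline
    ("bob", "WS-BOB", "FILESRV01", "2016-03-07T18:05"),      # only an unusual hour: no alert on its own
    ("alice", "WS-BOB", "FILESRV01", "2016-03-08T02:14"),    # alice's account used from bob's machine at night
    ("alice", "WS-BOB", "SQL01", "2016-03-08T02:20"),        # and then reaching a resource alice never used
]

if __name__ == "__main__":
    for user, kinds, evs in detect(learn_baseline(LEARNING_EVENTS), LIVE_EVENTS):
        print(user, kinds, len(evs), "events")
```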
41. ATA Topology - Gateway
• Captures and analyzes DC network traffic via port mirroring
• Listens to multiple DCs from a single Gateway
• Receives events from SIEM
• Retrieves data about entities from the domain
• Performs resolution of network entities
• Transfers relevant data to the ATA Center
Ignite 2015 BRK3870
42. ATA Topology - Center
• Manages ATA Gateway configuration settings
• Receives data from ATA Gateways and stores it in the database
• Detects suspicious activity and abnormal behavior (through Machine Learning)
• Provides Web Management Interface
• Supports multiple Gateways
Ignite 2015 BRK3870
48. Windows Defender Advanced Threat Protection
Windows advanced threat detection, investigation and response
51. TARGET: Diplomat in the Middle East
From: <attacker>@<email provider.com>
To: <victim>@<email provider.com>
Subject: Re: Mission In Central African Republic
*Dear Sir!*
Please be advised that The Spanish Army personnel and a large number of the Spanish Guardia Civil officers currently deployed in the Central African Republic (CAR) as part of the European EUFOR RCA mission will return to Spain in early March as the mission draws to a close.
Visit hxxp://eurasiaglobalnews.com/90670117-spains-armed-forces-conclude-mission-in-central-african-republic/ for the additional info.
*Best regards,*
*Capt. <omitted>, Defence Adviser, Public Diplomacy Division NATO, Brussels <attacker>@<email provider.com>
Build 2016 B890
54. The Windows 10 Defense Stack
Pre breach:
• Device protection: Device Health attestation, Device Guard, Device Control, Security policies
• Identity protection: Built-in 2FA, Account lockdown, Credential Guard, Microsoft Passport, Windows Hello ;)
• Information protection: Device protection / Drive encryption, Enterprise Data Protection, Conditional access
• Threat resistance: SmartScreen, AppLocker, Device Guard, Windows Defender, Network/Firewall
Post breach:
• Breach detection, Investigation & Response: Windows Defender ATP
Build 2016 B890
55. Windows Defender ATP Overview
• Powered by cloud: Machine Learning Analytics over the largest sensor array in the world
• Universal end-point behavioral sensor, built into Win10, with no additional deployment requirements
• Enhanced by the community of researchers and threat intelligence
Build 2016 B890
56. Windows Defender ATP Features
• Post breach detection for advanced attacks: actionable, correlated, real-time and historical for known and unknown attacks
• Easily investigate & explore enterprise endpoints to understand scope of breach through rich machine timeline and data pivoting
• Self hunting across protected assets: search for current and historical observables (machines, files, IPs, or URLs) across all endpoints
• Deep file analysis of files observed on endpoints
• Built-in threat intelligence knowledge base: provides actor and intent context for threat intel-based detections, combining 1st and 3rd-party intelligence sources
Build 2016 B890
57. Windows ATP Indicators
• Indicators of Compromise (IOCs)
– Monitoring “What (who) we know”
– Threat Intelligence database of known adversary and campaign IOCs
• Indications of Attack (IOAs)
– Monitoring “What (who) we don’t recognize – yet”
– Generic IOA Dictionary of attack-stage behaviors, tools, and techniques
Build 2016 B890
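The IOC versus IOA distinction as a small detection loop over constructed endpoint events, added here and not Windows Defender ATP code: exact matches against a placeholder threat-intelligence database (with the actor and campaign context the earlier feature slide mentions) run beside two generic attack-stage behaviour rules that fire on a sample no database knows. The event fields, the rule names and all indicator values are assumptions for the example.

```python
# Constructed threat-intelligence entries (placeholder values, not real indicators) carrying
# the actor and campaign context that accompanies threat-intel-based detections.
IOC_DATABASE = {
    "sha256:constructed-dropper-0001": {"actor": "constructed-actor-A", "campaign": "constructed-campaign-1"},
    "domain:constructed-c2.example":   {"actor": "constructed-actor-A", "campaign": "constructed-campaign-1"},
}

# Generic IOA dictionary: attack-stage behaviours that need no knowledge of the specific sample.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

def ioc_matches(ev):
    """IOC monitoring, 'what (who) we know': exact hits on known file hashes or domains."""
    keys = []
    if ev["type"] == "process":
        keys.append("sha256:" + ev["sha256"])
    elif ev["type"] == "network":
        keys.append("domain:" + ev["domain"])
    return [{"kind": "IOC", "host": ev["host"], "indicator": k, **IOC_DATABASE[k]}
            for k in keys if k in IOC_DATABASE]

def ioa_matches(ev, state):
    """IOA monitoring, 'what (who) we don't recognize yet': behaviour across attack stages.
    `state` remembers, per host, script hosts that were spawned by an Office application."""
    hits = []
    if ev["type"] == "process" and ev["parent"] in OFFICE_APPS and ev["image"] in SCRIPT_HOSTS:
        state.setdefault(ev["host"], set()).add(ev["image"])
        hits.append({"kind": "IOA", "host": ev["host"], "stage": "execution",
                     "rule": "office application spawned a script host"})
    if ev["type"] == "network" and ev["image"] in state.get(ev["host"], ()):
        hits.append({"kind": "IOA", "host": ev["host"], "stage": "command and control",
                     "rule": "office-spawned script host made an outbound connection"})
    return hits

def detect(events):
    """Run both monitors over a stream of endpoint sensor events, in arrival order."""
    state, detections = {}, []
    for ev in events:
        detections.extend(ioc_matches(ev))
        detections.extend(ioa_matches(ev, state))
    return detections

# Constructed endpoint telemetry (not real data): an unknown document-borne chain on WS07,
# a known dropper on WS12, and a benign command prompt on WS03.
EVENTS = [
    {"type": "process", "host": "WS07", "image": "winword.exe", "parent": "explorer.exe", "sha256": "constructed-word"},
    {"type": "process", "host": "WS07", "image": "powershell.exe", "parent": "winword.exe", "sha256": "constructed-ps-unknown"},
    {"type": "network", "host": "WS07", "image": "powershell.exe", "domain": "constructed-unlisted.example"},
    {"type": "process", "host": "WS12", "image": "update.exe", "parent": "svchost.exe", "sha256": "constructed-dropper-0001"},
    {"type": "network", "host": "WS12", "image": "update.exe", "domain": "constructed-c2.example"},
    {"type": "process", "host": "WS03", "image": "cmd.exe", "parent": "explorer.exe", "sha256": "constructed-cmd"},
]

if __name__ == "__main__":
    for d in detect(EVENTS):
        print(d)
```

WS07 produces only IOA detections because nothing in its chain is in the database yet; WS12 produces only IOC hits, each annotated with the actor and campaign.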
58. Why Microsoft is in a unique position
• Over 1M Microsoft corporate machines
– New code, new products, new files
– Most are local admins
• Hundreds of labs, malware enclaves
• 1.2 Billion Windows machines reporting
• 1M files detonated daily
• Advanced detection algorithms & statistical modelling
• APT hunters: OS Security, Exploit & Malware Researchers, & Threat Intelligence
• 11M Enterprise machines reporting
• 2.5T URLs indexed and 600M reputation lookups
Build 2016 B890
68. Azure Security Center enables you to:
• Understand the security state of Azure resources
• Use policies that enable you to recommend and monitor security configurations
• Use DevOps to deploy integrated Microsoft and partner security solutions
• Identify threats with advanced analysis of your security-related events
• Respond and recover from incidents faster with real-time security alerts
• Export security events to a SIEM for further analysis
AzureCon 2015 ACON205
70. Finds attacks that might go undetected
• Compromised machines
• Failed exploitation attempts
• Brute force attacks
• Data exfiltration
• Web application vulnerabilities
• Advanced malware
• Achieve all this using:
– High volume of signals
– Behavioral profiling
– Machine Learning
– Global threat intelligence
• Constantly being expanded with new detection mechanisms
AzureCon 2015 ACON205
73. Microsoft Operations Management Suite
Simplified Management. Any Cloud, Any OS.
Components: Log Analytics, Automation, Backup, DR and Data Protection, Security
74. OMS Solutions
• Log Analytics: Gain visibility across your hybrid enterprise cloud
• Automation: Orchestrate complex and repetitive operations
• Availability: Increase data protection and application availability
• Security: Help secure your workloads, servers, and users
75. Log Analytics
• Gain visibility across your hybrid enterprise cloud
• Easy collection, correlation, and visualization of your machine data
– Log management across physical, virtual, and cloud infrastructure
• Overview of infrastructure health, capacity, and usage
• Proactive operational data analysis
– Faster investigation and resolution of operational issues with deep insights
• Deliver unparalleled insights across your datacenters and public clouds, including Azure and AWS
• Collect, store, and analyze log data from virtually any Windows Server and Linux server source
76. Integrated search
• Combine and correlate any machine data from multiple sources
– Query and filter the results by using facet controls
– Automated data visualization
– Metrics pivoted around particular problem areas
– Common search queries
77. Custom Dashboard
• Visualize all of your saved searches
– Custom or sample searches
– Customizable visual information
– Shareable across teams
78. Solution Packs
• Collection of logic, visualization and data acquisition rules
– Powered by search
– Metrics pivoted around particular problem areas
– Investigate and resolve operational issues
– Can be added/removed and customized
79. Alert Management
• Expose your integrated System Center Operations Manager alerts
• Web based Alert visualization
• Integrated search for deeper analysis
• Common alert queries
80. Capacity Planning
• Plan for future capacity and trends using historical data
• VM utilization and efficiency
• Compute projection
• Storage utilization
81. Active Directory Assessment
• Using best practices and data collection, identify potential issues
• Security and Compliance
• Availability and business continuity
• Performance and security
• Upgrade, migration and deployment
82. SQL Server Assessment
• Security and Compliance
• Availability and business continuity
• Performance and security
• Upgrade, migration and deployment
• Operations and monitoring
• Change and configuration
83. Change Tracking
• Track every change on your system across any environment
• Configuration type change
• Software & application changes
• Windows Service changes
84. Azure Automation Dashboard
• Quick glance view of runbook health and status
– Active runbooks & total jobs
– Link into Azure Automation portal
85. Azure Backup and Recovery Dashboard
• Quick glance view of backup and protection status
– Registered servers
– Backup size & jobs status
– Link into Azure portal for backup and recovery
86. System Update Assessment
• Understand server update and patching status across your environment
• Servers missing security updates
• Servers not updated recently
• Types of updates missing
87. Malware Assessment
• Quickly determine your servers’ malware status and potential threats
• Detected threats
• Protection status
88. Security and Audit
• Collect security events and perform forensic, audit and breach analysis
– Security posture
– Notable issues
– Summary threats
89. Security Solution Pack
• Security Posture
– Quick glance showcasing server workload and server security threats
– Computer growth change
– Account authentication
– Total system activities
– Processes executed
– Change in policy
– Remote IP Tracking
90. Security Solution Pack
• Notable issues
– Understand notable security issues, and audit rate of change
– Failed account access
– Security policy and group changes
– Password resets
– Event log cleaning
– Locked-out accounts
91. Security Solution Pack
• Security context
– Quick view of security position across your enterprise
– Active threats
– Patch status
– Software changes
– Service changes
– Critical and warning alerts
94. Some other things to keep in mind
• Start using an “Assume Breach” approach
• UEFI Secure Boot and TPM support on your hardware
• Just-Enough/Just-In-Time Administration (coming in WS 2016)
• Azure Rights Management & Data Loss Prevention
• Azure AD Multi-Factor Authentication
• Windows Hello / Microsoft Passport
• Cloud App Security
• Etc.
95. What to do next?
• Channel 9 - https://channel9.msdn.com/
– Ignite 2015 BRK2482 - Platform Vision and Strategy: Security and Assurance Overview
– Ignite 2015 BRK3870 - Microsoft Advanced Threat Analytics
– Ignite 2015 BRK2325 - A New Era of Threat Resistance for the Windows 10 Platform
– AzureCon 2015 ACON205 - New Azure Security Center helps you prevent, detect, and respond to threats
– Ignite New Zealand 2015 M235 - Automating Operational and Management Tasks in Microsoft
Operations Management Suite and Azure
– Build 2016 B890 – Windows Defender ATP
– … & others
• Microsoft Virtual Academy - http://www.microsoftvirtualacademy.com/
• Try out & look at Windows Server 2016 TP5 & System Center 2016
• Look into the latest Azure/Cloud improvements
• Keep up with Security changes in the industry