DXC Labs | Security — White Paper

Is security enterprise ready?

Are the security capabilities in the enterprise version of Microsoft’s Windows 10 operating system robust enough to rely on as a secure endpoint solution? To answer that question you have to understand the benefits and compromises required to implement Windows 10 in a real-world environment. This paper examines the security capabilities in the latest revision [1] of what Microsoft calls its “most secure version of Windows” to date [2]. While this paper does not compare Microsoft to third-party solutions, it addresses whether the level of security provided is appropriate for the enterprise. There are no silver bullets in security, after all, since all solutions have flaws and require continual improvement to keep up with today’s threats.

Microsoft’s security evolution

Comparisons are often made between Microsoft and other security vendors dealing with endpoint maturity and functionality. While Microsoft has faced challenges in positioning its products as mature from a security standpoint, today the company employs more than 3,500 full-time security professionals and spends $1 billion annually on its security stack.

In fact, Microsoft is now delivering a compelling alternative to third-party security solutions, in particular, with its Windows 10 Enterprise E5 licenses. Microsoft recently announced a new Identity and Threat Protection SKU (stock-keeping unit) for Microsoft 365 E3. Where the Windows E5 license covers a greater product reach, the new SKU delivers the advanced security features found in the Windows E5 license for the Windows 10 platform. References to Windows E5 in the rest of this paper will also refer to the new M365 E3 SKU.

Recent testing showed that Microsoft’s capabilities in endpoint protection have significantly matured in the last 2 years. Independent testing organization AV-Test, which evaluates antivirus and security suite software, found in June 2018 that Windows Defender AV v4.12 equaled other market leaders in this segment by demonstrating 100 percent protection against zero-day malware attacks — up from 86.4 percent in February 2016 [3].

DXC Labs | Security

DXC Labs delivers thought leadership and technology prototypes to enable enterprises to thrive in the digital age.

DXC Labs | Security brings together our world-class advisors to develop strategic and architectural insights to reduce digital risk. DXC’s Cyber Reference Architecture is at the heart of our research, providing clients with detailed guidance on methods to efficiently resolve the most challenging security problems. We help clients minimize risk while taking maximum advantage of the digital commons.

Learn more at www.dxc.technology/securitylabs

Summarizing the challenges

As the first commercial operating system of its kind with security baked in, Windows 10 is a catalyst and strengthener for Microsoft security offerings. Microsoft’s significant detection improvements and commitment to deliver a unified security solution — from deployment to management to resolution — make a compelling alternative to other endpoint protection (EPP) and endpoint detection and response (EDR) offerings.

Does this make Microsoft right for all organizations? The simple answer is no. The deployment of Windows 10 security features should be considered individually and departmentally, the same as any vendor solution. And Microsoft’s feature set should not be viewed as all or nothing. Third-party vendor solutions from Symantec, McAfee, CrowdStrike, Carbon Black and others may be needed to deliver protection for various types of users and security requirements.

But organizations thinking about a Microsoft-native, enable-all approach to Windows 10 security are advised to be cautious. Some security features may be restrictive and reduce productivity. Examples include controlled folder access (CFA) and attack surface reduction (ASR). While such features can restrict the impact of ransomware and malware, they can also fuel user frustration.

Figure 1. Intelligent Security Graph (ISG) is a cloud-based data lake for all Microsoft-connected devices and services that provides daily threat and event information. Microsoft is also the only vendor capable of building this level of anti-threat integration into the operating system without affecting endpoint performance. Microsoft’s Global Threat Intelligence is one of the largest in the industry, informed by trillions of signals from software, botnet data from Microsoft Digital Crimes Unit, and shared threat data from partners, researchers and law enforcement worldwide.

Microsoft Intelligent Security Graph — by the numbers

– Outlook: 400 billion emails analyzed

– 90% share of Fortune 500 firms’ enterprise security

– 1.2 billion devices scanned monthly

– Azure: 750 million user accounts

– Windows: 930 million threats detected on devices monthly

– Bing: 18 billion Bing web pages scanned

– Microsoft accounts: 450 billion authentications monthly

Source: Microsoft Corp., April 2018


One option is to adopt a ring-based approach to Windows 10 security deployment. This will avoid impacts on areas of the business that rely on custom tools, scripts and macros, such as the IT or finance departments. The features can still be deployed but activated in an audit mode, giving the security team visibility without direct intrusion into user productivity.

Timing and cost considerations

Regardless of approach, the timing for re-evaluation is good. With the end of life for Windows 7 coming in 2020, more organizations are making the move to Windows 10, creating an ideal opportunity to examine your endpoint protection strategy. DXC Technology is working with clients on the many security decisions related to migrating to Windows 10 and Enterprise E5 or M365 E3 licenses.

A core strength of Microsoft’s approach to security is the Intelligent Security Graph (ISG), its cloud-based data lake for all Microsoft-connected devices and services that provides daily threat and event information. And Microsoft is also the only vendor capable of building this level of anti-threat integration into the operating system without affecting endpoint performance.

But it might all come down to cost. The Microsoft E5 license is required for the advanced and recommended features, and if you don’t already have that license, the cost might rule out the Microsoft approach.

Figure 2. Microsoft solutions are focused on four security pillars. E5 features are available under the M365 E3, Identity and Threat Protection SKU, which began February 1, 2019.

Capability, feature and license

Capability: Identity Protection

– Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices. License: E3

– Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. License: E3

Capability: Information Protection

– BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen or inappropriately decommissioned computers. License: Pro

– Windows Information Protection, previously known as enterprise data protection (EDP), helps to protect against potential data leakage without otherwise interfering with the employee experience, using data policies defined for your organization. License: Pro

– Microsoft BitLocker Administration and Monitoring (MBAM) 2.5 provides a simplified administrative interface for BitLocker Drive Encryption. License: E3

Capability: Security Management

– Security Analytics Score dashboard expands your visibility into the overall security posture of your organization. License: E5

– Windows Defender Security Center is the portal where you can access Windows Defender Advanced Threat Protection capabilities. License: E5

Capability: Threat Protection

– Microsoft Edge is the faster, safer browser designed for Windows 10, replacing Internet Explorer 11. License: Pro

– Windows Defender AV is an antimalware solution included as part of Windows 10, comparable to third-party solutions in industry tests. License: Pro

– Secure/Trusted Boot ensures that the host operating system executed at boot time is valid and not interfered with. License: Pro

– System Guard is a way to describe the fully locked-down state achieved using Windows Defender Application Control (WDAC), hypervisor-protected code integrity (HVCI), and hardware and firmware security features. License: E3

– Application Guard is a virtual container for Microsoft Edge and Internet Explorer, ensuring that all browser activity is isolated from the host operating system. License: E3

– AppLocker is a whitelisting tool used to define what applications are permitted to run in your environment. License: E3

– Exploit Guard - Exploit Protection* can apply exploit mitigation techniques to apps your organization uses, both individually and to all apps. License: E5

– Exploit Guard - Attack Surface Reduction Rules* can reduce the attack surface of your applications with intelligent rules that stop the vectors used by Office-, script- and mail-based malware. Requires Windows Defender AV. License: E5

– Exploit Guard - Network Protection* extends the malware and social engineering protection offered by Windows Defender SmartScreen in Microsoft Edge to cover network traffic and connectivity on your organization's devices. Requires Windows Defender AV. License: E5

– Exploit Guard - Controlled Folder Access* helps protect files in key system folders from changes made by malicious and suspicious apps, including file-encrypting ransomware malware. Requires Windows Defender AV. License: E5

– Windows Defender Advanced Threat Protection (ATP) is a unified endpoint security platform using built-in security technologies working together and powered by the cloud. License: E5

– SmartScreen helps to protect your employees if they try to visit sites previously reported as phishing or malware websites, or if an employee tries to download potentially malicious files. License: Pro

– Windows Firewall delivers firewalling and packet-filtering functions. License: Pro

*Exists in Pro, but requires E5 for central management, reporting, monitoring and analytics.

Evaluating Microsoft’s solution for endpoint security

Historically, enterprises have secured their Windows environments by turning to third-party endpoint protection solutions layered on top of the host operating system, but the wealth of security capabilities in Windows 10 is prompting organizations to re-evaluate that approach.

Windows 10 endpoint security is delivered in various levels across the license stack, Pro, E3 and E5, but Microsoft has positioned Windows 10 Enterprise E5 with the ability to deliver an end-to-end endpoint protection solution.

The features (shown in Figure 2) are focused on Microsoft’s four security pillars: Identity Protection, Information Protection, Security Management and Threat Protection.

With Windows 10, these security capabilities are baked into the operating system, not layered on top as they had been in previous versions or when third-party software is used. Only Microsoft can embed security directly into the operating system and make endpoint security part of its DNA.

That’s evident from the get-go. When you power on a Windows 10 client, a secure and trusted boot is performed to attest to the authenticity of the device and ensure that the host operating system is the one expected. The operating system and the Windows 10 drivers don’t commence execution until everything is validated. This results in assurance for users and the enterprise that the device and operating system are in fact trusted resources, a capability not present in Windows 7. This is a key step toward a zero-trust network.

Once the host operating system is loaded, the first process executed is Windows Defender AV. This ensures that malware and virus scanning are active at launch. Windows Defender AV can be replaced by a third-party solution, but it cannot be uninstalled. If a third-party AV service fails or is unloaded from memory, Windows 10 will wake the Defender AV process to ensure protection.

A wealth of additional Windows 10 security features protects the device against access threats, credentials theft and wider network traversal. They include identity protection, information protection and threat protection.

Identity protection. Introduced in Windows 10 Enterprise, Defender Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them.

Unauthorized access to these secrets can lead to credential theft attacks, such as pass-the-hash [4] or pass-the-ticket [5]. Windows Defender Credential Guard prevents these attacks by protecting Windows Challenge/Response NT LAN Manager password hashes, Kerberos Ticket-Granting Tickets and credentials stored by applications such as domain credentials.

When Credential Guard is enabled, the Local Security Authority Subsystem Service (lsass.exe) runs sensitive code in an isolated user mode to help protect data from malware that may be running in the normal user mode. This helps ensure that protected data is not stolen and reused on remote machines, mitigating many pass-the-hash-style attacks.

While Defender Credential Guard does deliver greater security for this type of attack vector, it also comes with several requirements and concerns.

From a hardware view, Defender Credential Guard requires Trusted Platform Module (TPM) 2.0, virtualization extensions, second-level address translation (SLAT), Unified Extensible Firmware Interface (UEFI) 2.3.1, an x64 architecture and basic I/O system (BIOS) lockdown. This may require a hardware refresh if moving from Windows 7 to Windows 10. It also will require a rebuild if Windows 10 was deployed in legacy BIOS mode.

Applications will break if they require Kerberos DES encryption support, Kerberos unconstrained delegation or extraction of the Kerberos ticket-granting ticket (TGT) or NTLMv1.

Applications will prompt and expose credentials to risk if they require digest authentication, credential delegation and challenge-handshake authentication protocol (MS-CHAPv2).

These authentication concerns potentially could be addressed by upgrading the problematic applications utilizing the legacy protocols, but this requires additional cost and engineering time.
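A readiness check for the hardware and firmware prerequisites listed above, as an added example rather than code from the white paper or from Microsoft. The function name is hypothetical; it relies on the built-in Confirm-SecureBootUEFI cmdlet and the Win32_Tpm, Win32_Processor, Win32_ComputerSystem and Win32_DeviceGuard CIM classes, and it treats TPM 2.0 as mandatory because the paper lists it.

```powershell
# Added example (not from the white paper). Run in an elevated PowerShell
# session on the Windows 10 device being assessed.
function Get-CredentialGuardReadiness {
    [CmdletBinding()]
    param()

    $r = [ordered]@{ ComputerName = $env:COMPUTERNAME }

    # x64 requirement.
    $r.Is64BitOS = [Environment]::Is64BitOperatingSystem

    # UEFI and Secure Boot. On a legacy BIOS install the cmdlet fails with a
    # "not supported on this platform" error: the rebuild case the paper warns
    # about. It also fails when the session is not elevated, so keep the message.
    try {
        $r.SecureBoot   = [bool](Confirm-SecureBootUEFI -ErrorAction Stop)
        $r.FirmwareNote = 'UEFI'
    } catch {
        $r.SecureBoot   = $false
        $r.FirmwareNote = $_.Exception.Message
    }

    # TPM version. SpecVersion looks like "2.0, 0, 1.38"; the first field is
    # the specification family.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $r.TpmSpecVersion = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { 'none' }
    $r.Tpm20 = ($r.TpmSpecVersion -eq '2.0')

    # Virtualization extensions and SLAT. When a hypervisor is already running,
    # Windows masks these CPU flags, so a present hypervisor counts as a pass.
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $hv  = [bool](Get-CimInstance -ClassName Win32_ComputerSystem).HypervisorPresent
    $r.HypervisorPresent = $hv
    $r.VirtualizationOk  = [bool]($hv -or ($cpu.VirtualizationFirmwareEnabled -and
                                           $cpu.VMMonitorModeExtensions))
    $r.SlatOk            = [bool]($hv -or $cpu.SecondLevelAddressTranslationExtensions)

    # Current state: is virtualization-based security running, and is
    # Credential Guard (service id 1) among the running security services?
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $r.VbsStatus = switch ($dg.VirtualizationBasedSecurityStatus) {
        0       { 'Off' }
        1       { 'Configured, not running' }
        2       { 'Running' }
        default { 'Unknown' }
    }
    $r.CredentialGuardRunning = [bool]($dg -and ($dg.SecurityServicesRunning -contains 1))

    # Verdict against the paper's hardware list only; application
    # compatibility (DES, unconstrained delegation, NTLMv1) is a separate test.
    $r.MeetsHardwareList = $r.Is64BitOS -and $r.SecureBoot -and $r.Tpm20 -and
                           $r.VirtualizationOk -and $r.SlatOk
    [pscustomobject]$r
}

Get-CredentialGuardReadiness | Format-List
```

Collected across a Windows 7 or legacy-BIOS estate before migration, the MeetsHardwareList and FirmwareNote fields separate devices that need a hardware refresh from those that only need a rebuild in UEFI mode.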

Information protection. In today’s enterprise, many users are likely carrying laptops containing confidential data. BitLocker Drive Encryption helps protect this data if the laptop is lost, stolen or inappropriately decommissioned. BitLocker originated in 2004 as a part of Microsoft’s Next-Generation Secure Computing Base architecture and has continued to mature over new operating system releases [6].


Managing BitLocker in the enterprise is generally approached in one of two ways:

– In legacy on-premises environments, enterprises should use Microsoft BitLocker Administration and Monitoring, which provides a simplified administrative interface to manage and monitor BitLocker Drive Encryption. It requires Microsoft Desktop Optimization Pack, which is part of the Software Assurance licensing model, but not all organizations should have it by default. Microsoft BitLocker Administration and Monitoring requires devices to be on premises and Active Directory (AD) domain-joined [7]. It is also capable of delivering key management of the BitLocker recovery keys.

– In the modern management model, where devices are Azure AD-joined, Intune would be used to manage the BitLocker policies on devices, and users would access recovery keys in the enterprise Azure MyApps portal.

Threat protection. Microsoft offers a range of tools to protect against threats in Windows 10, including:

– Windows Defender Device Guard (WDDG) restricts the applications that users can execute within the system kernel, using application whitelists that impose restrictions on subscribed devices. Whitelist enforcement is implemented with virtual machine technology, which works at a lower level than the Windows operating system. As such, it is difficult to defeat.

WDDG can prove restrictive and can affect perceived productivity. It is best suited to environments that have a strongly defined application deployment roadmap and limited need for additional random application requests. Ideal environments would be kiosks and point-of-sale terminals. Such devices are under tight control and run a limited set of known applications that seldom change. For such devices the value of the added security far exceeds the added administrative costs.

If WDDG is implemented in a more diverse environment, one in which many of the applications used are unknown, IT could be flooded with requests to add non-whitelisted applications, which of course would need to be appraised and approved.

Some organizations may decide that dramatically increased security is worth the increased administration and end-user friction. For organizations that want to make this trade-off, we advise a go-slow approach.

If the feature is turned on for the entire enterprise, the impact of thousands of users being locked out of applications that are probably not supported — but nonetheless necessary — would send a shock wave through the organization, likely resulting in a reversal of the WDDG deployment.

However, the impact can be moderated by taking it one department or location at a time. Applications can be discovered and whitelisted gradually, and the new policy is more likely to survive, gradually providing desired security improvements.

Additionally, administrators can run WDDG in audit mode to collect all of the applications that are active. This can then be used to develop the whitelist for approved applications. However, the information collected is tied to the hash of the file and, as such, will require updating whenever the application is updated.


– Windows Defender Application Guard (WDAG), currently supported by Microsoft Edge and Internet Explorer, is a virtual container for applications and ensures that all browser activity is isolated from the rest of the operating system. It isolates enterprise-defined untrusted sites to provide protection while employees browse the internet. Enterprise administrators define whitelists of trusted sites, cloud resources and internal networks. Sites not whitelisted are considered untrusted.

Prior to 1803, users running Microsoft Edge in Application Guard were, by design, unable to transfer information from the host operating system to the browser or vice versa. This update introduced the capability to transfer information. It is still difficult but not impossible.

The concern with WDAG is that it assumes the enterprise will eradicate the use of Chrome and Firefox and allow the use only of Microsoft Edge or Internet Explorer. This is unlikely and, as such, devalues the capability of this feature. Other solutions, such as Bromium, allow the containerization of many more applications.

– AppLocker is seen as a complementary feature to WDDG, although it can function separately. It allows administrators to develop a more granular whitelist of applications and levels of permissions for file execution for nonadministrators. The execution permissions can be based on attributes from a file’s digital signature, including the publisher, product or version.

– Windows Defender Exploit Guard (WDEG) is a new set of host intrusion prevention capabilities that manages and reduces the attack surface of applications used by employees. It includes:

— Exploit protection

— Attack surface reduction rules

— Network protection

— Controlled folder access

These components are designed to lock down the device against a variety of attack vectors and block behaviors commonly used in malware attacks, enabling enterprises to balance security risk and productivity.

Windows Defender Exploit Guard uses Microsoft Intelligent Security Graph and the security research team at Microsoft to identify active exploits and common behaviors to stop these types of attacks at various stages of the kill chain.

Although the underlying vulnerability being exploited varies, the delivery mechanism differs and the payload changes, many attacks adhere to a core set of behaviors and vectors. By correlating streams of events to various malicious behaviors with the ISG, Windows Defender Exploit Guard provides the controls to handle these types of emerging threats [8].

– Windows Exploit Protection, a suite of Windows 10 vulnerability and mitigation capabilities that replaced the Enhanced Mitigation Experience Toolkit (EMET), has been built into the Exploit Protection service. Exploit Protection requires Windows Defender AV.

– Email and Office applications are the most common vector for attacks. Microsoft’s attack surface reduction (ASR) capability provides a set of built-in intelligence rules, strengthened with machine learning that’s updated multiple times weekly. It blocks underlying behaviors used by malicious documents to execute, without hindering productivity. By blocking malicious behaviors independent of what the threat or exploit is, ASR protects enterprises from never-seen zero-day attacks. ASR requires Windows Defender AV.

– Network Protection utilizes the intelligence from Intelligent Security Graph to vet and, if necessary, block all outbound connections before they are made. This brings the same level of protection previously available for Microsoft Edge with the SmartScreen service across the entire system and network stack.

– Controlled Folder Access (CFA) protects files from ransomware or other unauthorized application access. CFA locks down all access to the folders and files placed under CFA control. When an unauthorized application attempts to access folders or files, CFA prevents access and reports the attempt. By default, CFA protects common folders where documents and other important data are stored, but additional locations are simple to add.

As with other features, Exploit Guard can be intrusive to day-to-day operations and may not be suitable for all departments. But it is possible to run all of the above services in audit mode, allowing IT administrators to understand potential issues prior to enablement.

– Windows Defender SmartScreen protects Microsoft Edge from socially engineered malware, phishing and other web-based threats through the Intelligent Security Graph. When a user clicks a URL link, SmartScreen validates the safety of the request and allows or blocks it. A feature missing from SmartScreen is the ability to perform whitelisting and blacklisting of sites. Network Protection is recommended in place of SmartScreen for the enterprise.
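The audit-mode rollout described above for the Exploit Guard components, as an added PowerShell example that is not part of the original paper. The function names are hypothetical; the Set-MpPreference and Add-MpPreference parameters and the Defender event IDs 1122, 1124 and 1125 are the documented ones, while the event data field names 'Process Name' and 'Path' are assumptions that may differ by Windows build.

```powershell
# Added example (not from the white paper). Run elevated on a pilot-ring
# device; requires Windows Defender AV to be the active antivirus.

function Enable-ExploitGuardAudit {
    [CmdletBinding()]
    param(
        # ASR rule GUIDs to audit. Defaults to the rules already configured on
        # this device so that no rule identifiers are hard-coded here.
        [string[]]$AsrRuleIds = (Get-MpPreference).AttackSurfaceReductionRules_Ids
    )

    # Controlled folder access and network protection: log, do not block.
    Set-MpPreference -EnableControlledFolderAccess AuditMode
    Set-MpPreference -EnableNetworkProtection AuditMode

    # ASR rules one at a time. Add-MpPreference leaves other configured rules
    # alone, whereas Set-MpPreference would replace the whole rule set.
    foreach ($id in $AsrRuleIds) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id `
                         -AttackSurfaceReductionRules_Actions AuditMode
    }
}

function Get-ExploitGuardAuditSummary {
    [CmdletBinding()]
    param([int]$Days = 14)

    # Audit-only events written by Defender when a rule WOULD have blocked.
    $component = @{
        1122 = 'Attack surface reduction'
        1124 = 'Controlled folder access'
        1125 = 'Network protection'
    }
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1122, 1124, 1125
        StartTime = (Get-Date).AddDays(-$Days)
    }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    $rows = foreach ($e in $events) {
        # Flatten <EventData><Data Name="..."> into a lookup table.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
            $data[$d.GetAttribute('Name')] = $d.InnerText
        }
        [pscustomobject]@{
            Component = $component[[int]$e.Id]
            # Assumed field names; fall back to a marker if absent.
            Process   = if ($data['Process Name']) { $data['Process Name'] } else { '(unknown)' }
            Target    = $data['Path']
        }
    }

    # Which processes would be hit most often if blocking were enabled?
    $rows | Group-Object Component, Process |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

Enable-ExploitGuardAudit
Get-ExploitGuardAuditSummary -Days 14 | Format-Table -AutoSize
```

Processes at the top of the summary are the custom tools, scripts and macros that need an exclusion, or a rule left in audit, before that ring is moved to blocking.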

Managing the mix?

Today all these features are managed through a combination of , PowerShell, Intune, System Center Configuration Manager and Defender Security Center. This approach can be problematic, frustrating and resource-costly compared to more integrated third-party solutions, and may be a deterrent for organizations looking to strengthen and simplify management of their security solutions with a Microsoft strategy.

Going forward, Microsoft is focused on moving management to a centralized solution. This will focus on Intune for the management aspects and Defender Security Center for reporting and visualization, making the management side of Microsoft security more appealing.

Extending endpoint protection with cloud services

One of the core strengths of Microsoft’s endpoint protection and endpoint detection and response solutions is the ability to use its cloud-based Intelligent Security Graph capabilities to extend support beyond the device.

After all, a unified endpoint strategy requires a view of protection across your organization. The Intelligent Security Graph ecosystem of security threat information is free to all Microsoft customers.


The Microsoft Advanced Threat Protection (ATP) product line leverages the wealth of the Intelligent Security Graph information. In particular:

• Office 365 ATP, designed to protect and respond to threats across the Office 365 tenant

• Azure ATP, which helps protect hybrid environments from advanced targeted attacks and insider threats

• Windows Defender ATP (WD ATP), which delivers a unified endpoint security strategy to help enterprises protect, detect, respond and remediate threats

WD ATP, Microsoft’s solution to endpoint detection and response, initially required a Microsoft E5 license. On Feb. 1, 2019, Microsoft introduced two new SKUs to the M365 product line, specifically the E3 line. Organizations with the M365 E3 license can now purchase the Identity and Threat Protection SKU add-on. This enables the use of the three products: Office 365 ATP (email protection), Azure ATP (identity protection), WD ATP (endpoint protection), as well as other protection capabilities, such as Microsoft cloud application broker, at a reduced rate.

WD ATP is an integral part of Windows 10. In fact, several advanced threat features operate more efficiently with WD ATP. These fall into the Exploit Guard group discussed earlier. WD ATP is a cloud service residing on the Azure Tenant and is enabled in the Windows Defender Security Center, providing a central location to monitor the security posture and health of endpoints. Integration directly with your SIEM is also possible.

WD ATP enables organizations to quarantine and block files, isolate machines, update and run Windows Defender AV scans and restrict the execution of untrusted applications. WD ATP also reports the security posture of your endpoint estate. This is delivered in the form of a “Secure Score,” which weighs enabled security features against the overall features available for enablement in Windows 10.

With the significant improvements in Windows Defender AV and the introduction of Windows Defender Advanced Threat Protection, the Microsoft security stack now represents a viable option for enterprises when looking at replacing existing EPP and EDR solutions.

Improved threat protection

Figure 3. The Microsoft security stack is a viable option for enterprises, with improvements to Windows Defender AV and the introduction of Windows Defender Advanced Threat Protection.

[Figure 3 labels: Known threat intelligence; AI; Microsoft Threat Intelligence; Windows Defender ATP; conditional access policies applied automatically based on risk indicators from WDATP; active monitoring and behavioral analytics of customer devices; Managed Security Services; Digital Forensic Investigator; devices (Windows 10, Windows 8.1, Windows 7) are enrolled in the WDATP service]

Organizations looking for help in going this route may want to consider DXC’s Managed Endpoint Threat Detection and Response service, which includes the EDR service based on Windows Defender Advanced Threat Protection.

Your trusted security partner

DXC Technology, one of the world’s leading IT and security services providers, has more than 4,000 security specialists who advise, transform and manage leading-edge security capabilities. Our network of global, intelligent Security Operations Centers (SOCs) enables us to deliver end-to-end security management and monitoring capabilities, 24x7x365, anywhere in the world. Sharing threat intelligence across multiple technology bases increases our ability to defend enterprises against risk. We correlate billions of security events and manage more than 1.8 million security-specific devices globally, along with another 8 million end user and devices worldwide.

Getting started

Given all the options, what is the best way to begin using Microsoft’s tools to secure endpoints? First, define what you’re trying to achieve. To secure endpoints, enable secure and trusted boot capabilities to determine device and host operating system attestation. To deliver an endpoint protection solution with Windows 10, implement BitLocker, Defender AV and Firewall. These capabilities are combined in the DXC Managed Endpoint Protection service, which covers both Windows 10 modern and traditional deployments.

To increase your security posture, enable the Windows Defender Advanced Threat Protection service. The additional EDR capability provides an alternative to third-party solutions and is available with the Microsoft E5 license.

This provides a solid foundation to build upon with the Windows 10 security stack, including the enablement of advanced features, Exploit Guard and Credential Guard. As previously noted, these tools can present issues in the form of authentication incompatibilities, such as in Credential Guard, which may require reengineering of application authentication approaches or restriction of applications permitted to execute through whitelisting.

Microsoft’s current solutions have significantly progressed. The decision to bake the security functionality into the Windows 10 DNA, coupled with the cloud capabilities for ATP and threat information from the Microsoft Intelligent Security Graph, has delivered a platform that can protect the enterprise endpoint today and into the future. Microsoft is focused on delivering a secure environment across endpoints and servers. As Microsoft further invests in its portfolio, we expect continual improvement and progression at each release.

One factor to consider is Microsoft’s operating system release cadence. To remain up to date with threat protection in Windows 10, it is important to adopt a continual update path.

For organizations migrating to Windows 10, evaluating EPP and EDR capabilities, or already using Enterprise E5 or M365 E3, Microsoft solutions are worth serious consideration.

Why DXC?

DXC Technology has 4,000+ security experts who have been protecting enterprise clients for decades. Delivering 24x7 monitoring of endpoint threats through its global Security Operations Centers, DXC is ideally positioned to monitor and respond to enterprise cyber threats.

DXC continually invests in security capabilities and serves as a trusted strategic advisor to the world’s largest organizations. A major strategic partner with Microsoft, DXC maintains close links with Microsoft product groups and is involved early in the development of future offerings. This enables DXC to provide strategic feedback to Microsoft and drive solutions to fully address client needs. Also, as a vendor-neutral organization, DXC helps clients select the best technology provider to deliver the correct level of endpoint protection for specific enterprise needs.

Additional DXC services

• DXC Managed Endpoint Threat Detection and Response

• DXC Managed Endpoint Protection

• DXC Windows 10 as a Service

• DXC Security Advisory Services

About the author

Chris Waterworth, global product management lead for Microsoft Security Solutions at DXC Technology, specializes in Microsoft’s strategic direction for security, understanding how DXC can best use current and future capabilities to protect its enterprise clients. A member of the Microsoft Security Partner Advisory Council, he has more than 24 years of IT industry experience across various roles, previously working for EDS, Microsoft and T-Systems.

Sources

[1] Windows 10 Enterprise version 1083

[2] “Windows Security,” Microsoft.com, https://www.microsoft.com/en-us/trustcenter/security/windows10-security, 2019

[3] Microsoft Forefront Endpoint Protection, AV-Test.org, https://www.av-test.org/en/antivirus/business-windows-client/manufacturer/microsoft/, December 2018.

[4] A pass-the-hash attack is an exploit in which an attacker steals a hashed user credential and, without cracking it, reuses it to trick an authentication system into creating a new authenticated session on the same network.

[5] A pass-the-ticket attack is a method of authenticating to a system using Kerberos tickets without having access to an account’s password. Kerberos authentication can be used as the first step to lateral movement to a remote system.

[6] “BitLocker Overview,” Microsoft.com, https://docs.microsoft.com/en-us/windows/security/information-protection//bitlocker-overview, January 25, 2018.

[7] “BitLocker in Modern Device Management: Automating recovery key escrow,” Paul O’Connor, DXC Blogs, https://blogs.dxc.technology/2017/07/24/bitlocker-in-modern-device-management-automating-recovery-key-escrow, July 24, 2017.

[8] “Windows Defender Exploit Guard: Reduce the attack surface against next-generation malware,” Misha Kutsovsky, Microsoft.com, https://cloudblogs.microsoft.com/microsoftsecure/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/, October 23, 2017.

Learn more at www.dxc.technology/security

About DXC Technology

As the world’s leading independent, end-to-end IT services company, DXC Technology (NYSE: DXC) leads digital transformations for clients by modernizing and integrating their mainstream IT, and by deploying digital solutions at scale to produce better business outcomes. The company’s technology independence, global talent, and extensive partner network enable 6,000 private and public-sector clients in 70 countries to thrive on change. DXC is a recognized leader in corporate responsibility. For more information, visit www.dxc.technology and explore thrive.dxc.technology, DXC’s digital destination for changemakers and innovators.

www.dxc.technology

© 2019 DXC Technology Company. All rights reserved. MD_9708a-19. March 2019