Security in a Mobile World (Seguridad en un Mundo móvil)
#MicrosoftSecure
Comprehensive protection against threats
Speakers: Victor Recuero, Cloud Consultant for Security and Identity; Sergio Medina, Identity Support Engineer; Alberto López, Cloud Consultant for Security and Identity; David Marin, Windows 10 Technical Specialist

Cybersecurity Reference Architecture

Three figures frame the architecture:
• 80%+ of employees admit using non-approved SaaS apps for work (Stratecast, December 2013)
• Nearly all customer breaches that Microsoft's Incident Response team investigates involve credential theft
• 63% of confirmed data breaches involve weak, default, or stolen passwords (Verizon 2016 DBR)

Building blocks by zone:
• Software as a Service: Office 365 (Lockbox, Office 365 DLP, Office 365 ATP), Cloud App Security, Intune MDM/MAM, Conditional Access, AAD Identity Protection
• Security Operations Center (SOC): Incident Response and Recovery, Investigation, Logs & Analytics, Active Threat Detection, Hunting Teams, ASM Vulnerability Management, Security Analytics (UEBA, ATA, OMS, SIEM), Enterprise Threat Detection, Managed Security Provider
• Identity & Access: AAD PIM, Multi-Factor Authentication, Windows Hello for Business, MIM PAM, ESAE Admin Forest, Privileged Access Workstations (PAWs), Certification Authority (PKI), Domain Controllers
• Information Protection: Azure Information Protection (AIP): Classify, Label, Protect, Report; labels and classification; Hold Your Own Key (HYOK); Office 365 DLP; Endpoint DLP; SQL Encryption & Firewall; Disk & Storage Encryption
• Microsoft Azure: Azure Security Center (Security Hygiene, Threat Detection), Azure Key Vault, Azure Antimalware, Network Security Groups, Azure App Gateway, DDoS attack prevention, Backup and Site Recovery, Shielded VMs, VMs
• On Premises Datacenter(s): SIEM, DLP Security Integration, NGFW, SSL Proxy, IPS, Email Gateway (Anti-malware), VPN, Extranet, Intranet, Colocation Appliances, Enterprise Servers, Windows Server 2016 Security (Shielded VMs, Secure Boot, Nano Server, Just Enough Admin, Hyper-V Containers, Device Guard, Credential Guard, Remote Credential Guard, …), Structured Data & 3rd party Apps, Legacy Windows, Sensitive Workloads
• Managed Clients: Windows 10 Security (Secure Boot, Device Health Attestation, Device Guard, Application Guard, Credential Guard, Remote Credential Guard, Windows Hello), EDR: Windows Defender ATP, EPP: Windows Defender, WEF, System Management + Patching (SCCM + Intune), Mac, IoT OS
• Unmanaged & Mobile Clients and Internet of Things

Azure AD Identity Protection
CLOUD-POWERED PROTECTION
Identity Protection at its best
Gain insights from a consolidated view of machine learning based threat detection:
• Infected devices
• Leaked credentials
• Configuration vulnerabilities
• Brute force attacks
• Suspicious sign-in activities
Machine-learning engine: risk severity calculation and remediation recommendations
Risk-based policies: MFA challenge for risky logins; change bad credentials; block attacks
Risk-based conditional access automatically protects against suspicious logins and compromised credentials
CLOUD-POWERED PROTECTION
Use the power of Identity Protection in PowerBI, SIEM and other monitoring tools
The signals of the Microsoft machine-learning engine (infected devices, leaked credentials, configuration vulnerabilities, brute force attacks, suspicious sign-in activities) reach your tools through:
• Reporting APIs
• Data extracts/downloads
• Notifications
• Security/Monitoring/Reporting solutions
Apply Microsoft learnings to your existing security tools

Azure AD Privileged Identity Management
CLOUD-POWERED PROTECTION
Discover, restrict, and monitor privileged identities
• Enforce on-demand, just-in-time administrative access when needed
• Provides more visibility through alerts, audit reports and access reviews
Directory roles covered include Global Administrator, Billing Administrator, Exchange Administrator, User Administrator and Password Administrator
CLOUD-POWERED PROTECTION
How time-limited activation of privileged roles works
• The security admin configures Privileged Identity Management (admin profiles such as Global Admin, Billing Admin, Service Admin, plus read-only roles)
• Users need to activate their privileges to perform a task
• MFA is enforced during the activation process (identity verification)
• Users retain their privileges for a pre-configured amount of time
• Alerts inform administrators about out-of-band changes
• Security admins can discover all privileged identities, view audit and access reports, and review everyone who is eligible to activate via access reviews
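The activation flow above, written out as a small model (an added example, not Microsoft's PIM code): eligible users hold no standing privilege, activation is refused without MFA, the grant expires after the window the security admin configured, and a reconciliation step flags anyone the directory lists in a role without a PIM activation behind it (the "out-of-band change" alert). The class names, the one-hour window and the user names are assumptions for illustration.

```python
"""Just-in-time role activation modelled after the PIM flow on the slide.
Added example: class names, window and sample users are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Activation:
    user: str
    role: str
    expires_at: datetime
    justification: str


@dataclass
class PimTenant:
    # role -> users eligible to activate it (eligibility is not privilege)
    eligible: dict = field(default_factory=dict)
    # role -> maximum activation duration set by the security admin
    max_duration: dict = field(default_factory=dict)
    activations: list = field(default_factory=list)
    audit: list = field(default_factory=list)

    def activate(self, user, role, mfa_passed, justification, now):
        """Grant `role` to `user` for a bounded time, or refuse and log why."""
        if user not in self.eligible.get(role, set()):
            self.audit.append((now, "DENY", user, role, "not eligible"))
            raise PermissionError(f"{user} is not eligible for {role}")
        if not mfa_passed:
            self.audit.append((now, "DENY", user, role, "MFA required"))
            raise PermissionError("MFA is enforced during activation")
        act = Activation(user, role, now + self.max_duration[role], justification)
        self.activations.append(act)
        self.audit.append((now, "ACTIVATE", user, role, justification))
        return act

    def active_members(self, role, now):
        """Users holding `role` through an activation that has not expired."""
        return {a.user for a in self.activations
                if a.role == role and a.expires_at > now}

    def out_of_band_changes(self, role, directory_members, now):
        """Role members reported by the directory that PIM never activated.

        A permanent assignment made directly in the directory shows up here;
        that is the condition the slide's out-of-band alert is for."""
        return set(directory_members) - self.active_members(role, now)


def demo():
    t0 = datetime(2017, 4, 12, 9, 0)
    pim = PimTenant(
        eligible={"Global Administrator": {"alice"}},
        max_duration={"Global Administrator": timedelta(hours=1)},
    )
    pim.activate("alice", "Global Administrator", True, "patch tenant", t0)
    during = pim.active_members("Global Administrator", t0 + timedelta(minutes=30))
    after = pim.active_members("Global Administrator", t0 + timedelta(hours=2))
    # "mallory" was added to the role in the directory, bypassing PIM
    alerts = pim.out_of_band_changes(
        "Global Administrator", ["alice", "mallory"], t0 + timedelta(minutes=30))
    return during, after, alerts


def demo_mfa_denied():
    t0 = datetime(2017, 4, 12, 9, 0)
    pim = PimTenant(eligible={"Billing Administrator": {"bob"}},
                    max_duration={"Billing Administrator": timedelta(hours=1)})
    try:
        pim.activate("bob", "Billing Administrator", False, "invoices", t0)
    except PermissionError as err:
        return str(err)
    return "granted"
```

The reconciliation in `out_of_band_changes` is the part worth copying: it compares what the directory says against what PIM authorised, so a standing assignment created outside the tool is caught even though PIM never saw it happen.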
PRIVILEGED IDENTITY MANAGEMENT
CLOUD-POWERED PROTECTION
Reduces exposure to attacks:
• Removes unneeded permanent admin role assignments
• Limits the time a user has admin privileges
• Ensures MFA validation prior to admin role activation
Simplifies delegation and finer-grained control:
• Separates role administration from other tasks
• Adds roles for read-only views of reports and history
• Asks users to review and justify continued need for admin role
Increases visibility, targeting admins:
• Enables least privilege role assignments
• Alerts on users who haven't used their role assignments
• Simplifies reporting on admin activity

Azure AD Conditional Access
CLOUD-POWERED PROTECTION
Conditions: user, app sensitivity, device state, location, risk
Actions: allow access, enforce MFA (per user / per app), or block access
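A policy evaluator over exactly those conditions and actions, as an added example (this is not Azure AD's engine): each sign-in carries user, app sensitivity, device state, source IP and the risk level Identity Protection would have assigned, and the rules are evaluated in order with the first match deciding. The corporate address range, the rule order and the sample sign-ins are assumptions for illustration; the trusted-network rule is the same idea as a trusted IP bypass for MFA.

```python
"""Risk-based conditional access evaluation. Added example; the network
range, policy order and risk labels are assumptions, not Microsoft's."""
import ipaddress
from dataclasses import dataclass

TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]   # assumed corporate range
RISK_ORDER = {"none": 0, "low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class SignIn:
    user: str
    app_sensitivity: str    # "low" or "high"
    device_compliant: bool  # device state reported by MDM
    ip: str                 # location signal
    risk: str               # sign-in risk from Identity Protection


def from_trusted_location(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def evaluate(s: SignIn) -> str:
    """Return "allow", "mfa" or "block". Rules run top to bottom; the order
    is the security-relevant part, since a block placed after an allow
    would never fire."""
    if RISK_ORDER[s.risk] >= RISK_ORDER["high"]:
        return "block"          # likely compromised credentials: block, remediate
    if s.app_sensitivity == "high" and not s.device_compliant:
        return "block"          # sensitive app only from a managed device
    if RISK_ORDER[s.risk] >= RISK_ORDER["medium"]:
        return "mfa"            # risky sign-in: MFA challenge
    if not from_trusted_location(s.ip):
        return "mfa"            # off-network: per-user MFA
    if s.app_sensitivity == "high":
        return "mfa"            # per-app MFA even on the trusted network
    return "allow"


def evaluate_all(sign_ins):
    """Decision per sign-in, in input order."""
    return [evaluate(s) for s in sign_ins]
```

Note that a compliant device does not bypass the risk rules: risk is checked first so that a stolen credential used from a managed laptop is still blocked or challenged.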
Azure AD in summary: NOTIFICATIONS, ANALYSIS, REMEDIATION, CLOUD APP DISCOVERY; PRIVILEGED IDENTITY MANAGEMENT; RISK-BASED POLICIES; IDENTITY PROTECTION

Azure Key Vault
Key Vault offers an easy, cost-effective way to safeguard keys and other secrets used by Microsoft Azure cloud apps and services using HSMs.
Key Vault serves IaaS, PaaS and SaaS workloads:
• Encrypt keys and small secrets like passwords using keys stored in tightly controlled and monitored Hardware Security Modules (HSMs)
• Import keys to HSM: import or generate your keys in HSMs for added assurance; keys never leave the HSM boundary
• Comply with regulatory standards for secure key management, including the US Government FIPS 140-2 Level 2 and Common Criteria EAL 4+
• Monitoring: monitor and audit key use through Azure logging; pipe logs into HDInsight or your SIEM for additional analysis
Roles in the workflow:
• Manages keys: creates a Key Vault in Azure, adds keys/secrets to the Vault, grants permission to specific application(s) to perform specific operations using keys (e.g. decrypt, unwrap), enables usage logs
• Deploys application: tells the application the URI of the key/secret
• Application: programmatically uses the key/secret (and may abuse it) but never sees the keys
• Monitors access to keys: reviews usage logs to confirm proper key use and compliance with data security standards
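The separation of duties in that workflow, as an added illustration (this is not the Azure Key Vault SDK or service): the vault keeps key material private, the key manager grants each application only named operations, every call including refused ones lands in a usage log for the monitoring role, and the application only ever receives the result of an operation. The class and application names, the URI format and the use of HMAC-SHA256 as a stand-in for an HSM-backed key operation are assumptions.

```python
"""Vault with per-application operation grants and a usage log.
Added example; names and the HMAC stand-in are assumptions."""
import hashlib
import hmac
import os


class KeyVault:
    def __init__(self):
        self._keys = {}        # key name -> key material, never returned to callers
        self._policy = {}      # application id -> set of allowed operations
        self.usage_log = []    # (app, operation, key, outcome) for the auditor

    # "Manages keys" role
    def create_key(self, name: str) -> str:
        self._keys[name] = os.urandom(32)                  # generated inside the vault
        return f"https://vault.example/keys/{name}"         # URI handed to the deployer (assumed format)

    def grant(self, app: str, *operations: str) -> None:
        self._policy.setdefault(app, set()).update(operations)

    # Operations an application may call; each one is authorised and logged
    def _authorize(self, app: str, op: str, key: str) -> None:
        allowed = op in self._policy.get(app, set()) and key in self._keys
        self.usage_log.append((app, op, key, "ok" if allowed else "denied"))
        if not allowed:
            raise PermissionError(f"{app} may not {op} with {key}")

    def sign(self, app: str, key: str, data: bytes) -> bytes:
        self._authorize(app, "sign", key)
        return hmac.new(self._keys[key], data, hashlib.sha256).digest()

    def verify(self, app: str, key: str, data: bytes, tag: bytes) -> bool:
        self._authorize(app, "verify", key)
        expected = hmac.new(self._keys[key], data, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


# "Monitors access to keys" role
def denied_calls(vault: KeyVault):
    return [entry for entry in vault.usage_log if entry[3] == "denied"]


def demo():
    vault = KeyVault()
    uri = vault.create_key("token-signing")
    vault.grant("web-app", "sign")            # issues tokens
    vault.grant("api-gateway", "verify")      # checks them, cannot mint its own
    tag = vault.sign("web-app", "token-signing", b"session=42")
    ok = vault.verify("api-gateway", "token-signing", b"session=42", tag)
    try:
        vault.sign("api-gateway", "token-signing", b"forged")   # outside its grant
    except PermissionError:
        pass
    return uri, ok, denied_calls(vault)
```

The point to check in a real deployment is the same as in the model: the application's identity appears in the policy with the minimum operation set, and the denied entries in the log are reviewed, since an application that can call `sign` when it only needs `verify` can mint what it should only check.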
THE WINDOWS 10 DEFENSE STACK
• Device protection: device integrity, Device Health attestation, device control, Device Guard, cryptographic processor, virtualization based security, security policies
• Threat resistance: SmartScreen, Windows Firewall (network/firewall), AppLocker, Device Guard, Microsoft Edge, Windows Defender / Windows Defender AV
• Identity protection: Windows Hello, built-in 2FA, Credential Guard, account lockdown, Microsoft Passport, conditional access
• Information protection: BitLocker and BitLocker to Go, drive encryption, Enterprise Data Protection, Windows Information Protection

TRADITIONAL PLATFORM STACK
Apps
Windows Platform Services
Kernel
Device Hardware

VIRTUALIZATION BASED SECURITY (WINDOWS 10)
Windows Operating System: Apps; Windows Platform Services; Kernel
System Container: Trustlet #1, Trustlet #2, Trustlet #3; Kernel
Hyper-V Hypervisor (both containers run on it)
Device Hardware
THE WINDOWS 10 DEFENSE STACK: ADDING A POST-BREACH MINDSET
PRE-BREACH: device protection, threat resistance, identity protection, information protection (the stack listed above)
POST-BREACH: breach detection, investigation & response: Windows Defender Advanced Threat Protection (ATP)
"THERE ARE TWO KINDS OF BIG COMPANIES, THOSE WHO'VE BEEN HACKED, AND THOSE WHO DON'T KNOW THEY'VE BEEN HACKED." - James Comey, FBI Director
200+: median number of days attackers are present on a victim's network before detection
80: days after detection to full recovery
$3 Trillion: impact of lost productivity and growth
$3.5 Million: average cost of a data breach (15% YoY increase)

HOW DO BREACHES OCCUR?
Malware and vulnerabilities are not the only thing to worry about: 46% of compromised systems had no malware on them; 99.9% of exploited vulnerabilities were used more than a year after the CVE was published
Fast and effective phishing attacks give you little time to react: 23% of recipients opened phishing messages (11% clicked on attachments); 50% of those who open and click on attachments do so within the first hour

WHAT MAKES IT AN ADVANCED ATTACK?
The attacker's "kill-chain": Recon → Delivery → Exploitation → EoP & C&C → Lateral movement → Asset → Exfiltration (the attacker's challenge)
Much like in real-life attacks, planning, control and time are required for a successful attack to take place
What makes it an APT? Targeted attacks are often complex and lengthy operations: while the compromise itself may take minutes, planning, lateral movement and exfiltration of data can take days, weeks or months
Windows Defender ATP helps enterprise customers detect and remediate Advanced Attacks and data breaches
• Built into Windows 10: universal end-point behavioral sensor, built into Win10, with no additional deployment requirements
• Powered by the cloud: machine learning analytics over the largest sensor array in the world
• Enhanced by the community: our hunters, researchers and threat intelligence
Why Microsoft is in a unique position:
• 1.2 billion Windows machines reporting; 11M enterprise machines reporting; over 1M Microsoft corporate machines (most are local admins); new code, new products, new files
• APT hunters, OS security, exploit & malware researchers, & threat intelligence; hundreds of labs, malware enclaves
• 2.5T URLs indexed; 600M reputation look-ups; 1M files detonated daily; advanced detection algorithms & statistical modelling
Combined Microsoft stack: maximize detection coverage throughout the attack stages
PIVOT ACROSS MICROSOFT ATP SERVICES
Entry points: the user receives an email, opens an attachment, clicks on a URL, browses to a website, or runs a program
Attack stages: Exploitation → Installation → C&C channel → Persistence → Privilege escalation → Reconnaissance → Lateral movement → Access to shared resources
Coverage: Office 365 ATP (email protection), Windows Defender ATP (end point protection), ATA (user protection)
Azure SQL Server
Protect Data (Security):
• Encryption at rest: Transparent Data Encryption (TDE)
• Encryption in use (client): Always Encrypted (AE)
Control Access:
• Database access: Azure Active Directory Authentication (AAD)
• Application access: Row-Level Security (RLS), Dynamic Data Masking
Proactive Monitoring:
• Tracking & detecting: Auditing & Threat Detection

Transparent Data Encryption (TDE)
Protect data on SQL database physical storage from unauthorized access
✓ Server-side encryption of the data on physical disk
✓ Simple to use, zero application changes
✓ Support for all database operations (ex. joins) on data
✓ SQL Database service manages your keys
✓ AES-NI hardware acceleration (2-3% performance impact)

Always Encrypted (AE)
Encrypted sensitive data and corresponding keys are never seen in plaintext in SQL Server
Protects highly sensitive data in use from high-privilege SQL users.
• Client-side encryption: client-side encryption of sensitive data using keys that are never given to the database system
• Queries on encrypted data: support for equality comparison, incl. join, group by and distinct operators
• Application transparency: minimal application changes via server and client library enhancements
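What those three bullets mean in practice, as an added example (not Microsoft's Always Encrypted driver): the client holds the column key, the database stores only ciphertext, a deterministic column still supports equality and GROUP BY because equal plaintexts produce equal ciphertext, and a randomized column supports neither. sqlite3 stands in for Azure SQL, the patient table is constructed, and the cipher (an HMAC-SHA256 keystream in counter mode with an encrypt-then-MAC tag, SIV-style IV for the deterministic mode) is a stdlib stand-in for AE's AEAD_AES_256_CBC_HMAC_SHA_256; the properties demonstrated hold for the real scheme too.

```python
"""Client-side column encryption with a deterministic and a randomized mode.
Added example; sqlite3, the sample rows and the stand-in cipher are assumptions."""
import hashlib
import hmac
import os
import sqlite3


class ColumnKey:
    """Column encryption key held only by the client."""

    def __init__(self, key: bytes):
        # Independent sub-keys so IV derivation, keystream and tag never share a key
        self._enc = hmac.new(key, b"enc", hashlib.sha256).digest()
        self._mac = hmac.new(key, b"mac", hashlib.sha256).digest()
        self._iv = hmac.new(key, b"iv", hashlib.sha256).digest()

    def _keystream(self, iv: bytes, n: int) -> bytes:
        out = b""
        for i in range((n + 31) // 32):
            out += hmac.new(self._enc, iv + i.to_bytes(4, "big"), hashlib.sha256).digest()
        return out[:n]

    def encrypt(self, plaintext: bytes, deterministic: bool) -> bytes:
        # Deterministic: IV is a keyed function of the plaintext, so equal values give
        # equal blobs (equality, join, group by work; equal rows are revealed as equal).
        # Randomized: fresh IV per call, so nothing is revealed but no equality search.
        if deterministic:
            iv = hmac.new(self._iv, plaintext, hashlib.sha256).digest()[:16]
        else:
            iv = os.urandom(16)
        ct = bytes(p ^ k for p, k in zip(plaintext, self._keystream(iv, len(plaintext))))
        tag = hmac.new(self._mac, iv + ct, hashlib.sha256).digest()[:16]
        return tag + iv + ct

    def decrypt(self, blob: bytes) -> bytes:
        tag, iv, ct = blob[:16], blob[16:32], blob[32:]
        expected = hmac.new(self._mac, iv + ct, hashlib.sha256).digest()[:16]
        if not hmac.compare_digest(tag, expected):
            raise ValueError("ciphertext tampered or wrong key")
        return bytes(c ^ k for c, k in zip(ct, self._keystream(iv, len(ct))))


def tamper_detected(key: ColumnKey, blob: bytes) -> bool:
    """True when flipping one ciphertext bit is caught by the tag check."""
    flipped = blob[:-1] + bytes([blob[-1] ^ 0x01])
    try:
        key.decrypt(flipped)
    except ValueError:
        return True
    return False


def demo():
    """Constructed patient table: SSN deterministic (searchable), notes randomized."""
    cek = ColumnKey(os.urandom(32))                 # the key never leaves the client
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE patients (id INTEGER, ssn BLOB, notes BLOB)")
    for pid, ssn, notes in [(1, "123-45-6789", "diabetes"),
                            (2, "987-65-4321", "asthma"),
                            (3, "123-45-6789", "duplicate record")]:
        db.execute("INSERT INTO patients VALUES (?, ?, ?)",
                   (pid, cek.encrypt(ssn.encode(), True), cek.encrypt(notes.encode(), False)))
    # Equality on the deterministic column: the client encrypts the parameter and the
    # server compares ciphertext with ciphertext, never seeing the SSN.
    hits = sorted(r[0] for r in db.execute(
        "SELECT id FROM patients WHERE ssn = ?", (cek.encrypt(b"123-45-6789", True),)))
    groups = sorted(r[0] for r in db.execute("SELECT COUNT(*) FROM patients GROUP BY ssn"))
    # The same lookup on the randomized column finds nothing, by design.
    miss = db.execute("SELECT id FROM patients WHERE notes = ?",
                      (cek.encrypt(b"diabetes", False),)).fetchall()
    # What a high-privilege DBA sees: blobs containing neither plaintext.
    ssn_blob, notes_blob = db.execute("SELECT ssn, notes FROM patients WHERE id = 1").fetchone()
    leaked = b"123-45-6789" in ssn_blob or b"diabetes" in notes_blob
    return hits, groups, miss, leaked, cek.decrypt(notes_blob).decode()
```

The trade-off to keep in mind when choosing the mode per column: deterministic encryption is what makes `WHERE ssn = ?` and joins possible, and it is also what lets anyone reading the table count how many rows share an SSN, so low-cardinality columns (gender, country) gain little from it.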
Azure Active Directory Authentication (AAD)
A central place to manage users across services
✓ Alternative to SQL Server authentication
✓ Simplifies database permission management using external Azure Active Directory groups
✓ Allows password rotation in a single place
Multiple authentication methods (ADALSQL, ADO.NET 4.6):
✓ Username/password for Azure AD managed accounts
✓ Integrated Windows authentication for federated domains, authenticated via Azure AD
✓ Certificate-based authentication, when the certificate is registered with Azure Active Directory
Status: Preview

Dynamic Data Masking
Limit the exposure of sensitive data by obfuscating query results for app users and engineers
• Limit access to sensitive data: protects against unauthorized access to sensitive data in the application, using built-in or custom masking rules; privileged users can still see unmasked data
• Application transparency: data is masked on the fly and the underlying data in the database remains intact; transparent to the application and applied according to user privilege

Row-Level Security (RLS)
Centralize your row access logic within the database.
• Fine-grained access control: control both read and write access to specific rows of data in a shared database; flexible access criteria (user identity, role/group memberships, connection data, time of day, etc.)
• Application transparency: RLS works transparently at query time, no app changes needed; reduces application maintenance and code complexity
Auditing & Threat Detection
Gain insight into database events and streamline compliance-related tasks
Auditing:
✓ Configurable audit policy via the Azure portal and standard API
✓ Audit logs reside in your Azure Storage account
✓ Azure portal viewer and Excel templates for analysis of the audit log
Threat Detection: detects suspicious database activities (external attacker, malicious insider) indicating possible malicious intent to access, breach or exploit data in the database
✓ Configurable threat detection policy via the Azure portal and standard API
✓ Multiple sets of algorithms, which detect potential SQL injections and unusual behavior patterns
✓ Immediate notification upon detection of suspicious activity
✓ Investigate and mitigate threats using the Azure portal
Status: Preview

Azure Multi-Factor Authentication
What is Multi-Factor Authentication?
The use of two or more of the following factors:
It's stronger when two different channels are used (out-of-band authentication).
What is Azure Multi-Factor Authentication?
It is an Azure Identity and Access management service that prevents unauthorized access to on-premises and cloud applications by providing an additional level of authentication. It is trusted by thousands of enterprises to authenticate employee, customer, and partner access.
Verification methods:
• Phone call: call placed to the designated phone number (wireless or landline); simple acknowledgement (#) or special PIN
• Text message: SMS message, one-way or two-way acknowledgement
• Mobile app notification: notification delivered to the mobile app; simple acknowledgement (#) or special PIN
• Mobile app verification code: a verification code is xxx; software OATH Time-based One-Time Password (TOTP); multi-platform: iOS, Android, Windows Phone
• OATH TOTP hard tokens (MFA Server only): OTP generated using an algorithm based on a shared secret and the current time
MFA Server deployment notes:
• Trusted IP networks on MFA Server
• Adapter between RADIUS
MFA benefits
References:
• https://azure.microsoft.com/en-us/documentation/services/multi-factor-authentication/
• https://azure.microsoft.com/en-us/documentation/articles/multi-factor-authentication-get-started-server/
• https://azure.microsoft.com/en-us/documentation/articles/multi-factor-authentication-advanced-vpn-configurations/

Advanced Threat Analytics
An on-premises platform to identify advanced security attacks and insider threats before they cause damage
Behavioral detection of advanced attacks and security risks
Microsoft Advanced Threat Analytics brings the behavioral analytics concept to IT and the organization's users:
• Detect threats fast with behavioral analytics
• Adapt as fast as your enemies
• Focus on what is important fast using the simple attack timeline
• Reduce the fatigue of false positives
• Prioritize and plan for next steps
(4/12/2017)

How Microsoft Advanced Threat Analytics Works
1 Analyze. After installation:
• Simple nonintrusive port-mirroring, or deployed directly onto domain controllers
• Remains invisible to the attackers
• Analyzes all Active Directory network traffic
• Collects relevant events from SIEM and information from Active Directory (titles, group membership and more)
2 Learn. ATA:
• Automatically starts learning and profiling entity behavior
• Identifies normal behavior for entities
• Learns continuously to update the activities of the users, devices, and resources
What is an entity? An entity represents users, devices, or resources.
3 Detect. Microsoft Advanced Threat Analytics:
• Looks for abnormal behavior and identifies suspicious activities
• Only alerts if abnormal activities are contextually aggregated
• Uses world-class security research to detect known attacks and security issues (regional or global)
ATA not only compares the entity's behavior to its own, but also to the behavior of other entities in the environment.
4 Alert. ATA reports all suspicious activities on a simple, functional, usable attack timeline. ATA identifies Who? What? When? How? For each suspicious activity, ATA provides recommendations for the investigation and remediation.
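Four of the detections ATA lists (honey token activity, account enumeration, brute force, abnormal working hours), run over constructed authentication events as an added example (this is not ATA's engine; the event format, the thresholds, the decoy account name and the learned working-hours baseline are assumptions). It contrasts rules that need no baseline (a decoy account is never used legitimately, a host asking the KDC about many non-existent users is enumerating) with a baseline-driven rule, and it shows the "contextually aggregated" idea from the Detect step: failures alone are noise, failures followed by a success on the same account from the same host are an alert.

```python
"""Detection rules over constructed Active Directory authentication events.
Added example; the events, thresholds and baseline are assumptions."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed events: (time, source host, account, protocol, result), chronological
EVENTS = [
    ("2017-04-12T03:12:00", "WS09", "alice", "Kerberos", "success"),        # outside baseline
    ("2017-04-12T09:01:00", "WS01", "alice", "Kerberos", "success"),
    ("2017-04-12T09:02:00", "WS02", "bob", "NTLM", "success"),
    ("2017-04-12T10:00:00", "WS07", "svc-backup-old", "Kerberos", "success"),  # decoy account
]
EVENTS += [(f"2017-04-12T10:05:{i:02d}", "WS07", f"user{i}", "Kerberos", "unknown_user")
           for i in range(6)]                                                # enumeration
EVENTS += [(f"2017-04-12T10:06:{i:02d}", "WS07", "bob", "NTLM", "bad_password")
           for i in range(8)]                                                # brute force ...
EVENTS.append(("2017-04-12T10:06:30", "WS07", "bob", "NTLM", "success"))    # ... then success

HONEY_TOKENS = {"svc-backup-old"}                  # decoy accounts, assumed
BASELINE_HOURS = {"alice": set(range(8, 19))}      # hours learned from prior weeks, assumed


def detect_honey_token(events, honey=HONEY_TOKENS):
    # No baseline needed: any use of a decoy account is suspicious by definition.
    return [("honey_token", f"{acct}@{host}") for _, host, acct, _, _ in events if acct in honey]


def detect_enumeration(events, threshold=5):
    # One host probing many distinct non-existent accounts is enumerating users.
    unknown = defaultdict(set)
    for _, host, acct, _, result in events:
        if result == "unknown_user":
            unknown[host].add(acct)
    return [("account_enumeration", host) for host, accts in unknown.items()
            if len(accts) >= threshold]


def detect_brute_force(events, threshold=5):
    # Aggregated context: repeated failures that end in a success on the same
    # account from the same host. Failures on their own do not alert.
    fails, alerts = Counter(), []
    for _, host, acct, proto, result in events:
        key = (host, acct, proto)
        if result == "bad_password":
            fails[key] += 1
        elif result == "success" and fails[key] >= threshold:
            alerts.append(("brute_force_then_success", f"{acct}@{host} via {proto}"))
            fails[key] = 0
    return alerts


def detect_abnormal_hours(events, baseline=BASELINE_HOURS):
    # Baseline-driven: a successful logon at an hour the user never works.
    return [("abnormal_working_hours", f"{acct} at {ts}")
            for ts, _, acct, _, result in events
            if result == "success" and acct in baseline
            and datetime.fromisoformat(ts).hour not in baseline[acct]]


def run(events=EVENTS):
    """All alerts for the event stream, sorted for a stable timeline."""
    return sorted(detect_honey_token(events) + detect_enumeration(events)
                  + detect_brute_force(events) + detect_abnormal_hours(events))
```

The brute-force rule resets its counter once it fires, so one successful spray produces one alert rather than one per subsequent logon; the enumeration rule keys on distinct account names, so a user mistyping their own name ten times does not trip it.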
ATA detects a wide range of suspicious activities
• Reconnaissance: account enumeration, Net Session enumeration, DNS enumeration
• Compromised credential: abnormal authentication requests, abnormal resource access, abnormal working hours, brute force using NTLM, Kerberos or LDAP, sensitive accounts exposed in plain text authentication, service accounts exposed in plain text authentication, Honey Token account suspicious activities, unusual protocol implementation, malicious Data Protection Private Information (DPAPI) request
• Lateral movement: Pass-the-Ticket, Pass-the-Hash, Overpass-the-Hash, abnormal resource access
• Privilege escalation: MS14-068 exploit (Forged PAC), MS11-013 exploit (Silver PAC)
• Domain dominance: Skeleton Key malware, Golden Ticket, remote execution, malicious replication requests
Azure Security Center
Gain visibility and control
• Provides a unified view of security across all your Azure subscriptions, including vulnerabilities and threats detected
• Enables you to define security policies for hardening cloud configurations
• APIs, SIEM connector and Power BI dashboards make it easy to access, integrate, and analyze security information using existing tools and processes
Log integration path: REST APIs (Activity Logs, Security Center alerts, AAD logs), Azure Monitor Service (VM diagnostics) and Azure Monitor Event Hub (service diagnostics: NSG, Key Vault) feed Log Analytics / Azure Log Integration (Preview), which the standard SIEM connector (ArcSight, Splunk, etc.) consumes
Enable security at cloud speed
• Continuously assesses the security of your workloads even as they change
• Creates policy-driven recommendations and guides users through the process of remediating security vulnerabilities
• Enables rapid deployment of built-in security controls as well as products and services from security partners (firewalls, endpoint protection, and more)
Integrate partner solutions
• Recommends and streamlines provisioning of partner solutions
• Integrates signals for centralized alerting and advanced detection
• Enables monitoring and basic management with easy access to advanced configuration using the partner solution
• Leverages Azure Marketplace for commerce and billing
Detect cyber attacks
• Analyzes security data from your Azure virtual machines, Azure services (like Azure SQL databases), the network, and connected partner solutions
• Leverages security intelligence and advanced analytics to detect threats more quickly and reduce false positives
• Creates prioritized security alerts and incidents that provide insight into the attack and recommendations on how to remediate
Security in a Mobile World (Seguridad en un Mundo móvil)
#MicrosoftSecure