Microsoft Citrix Partnership Microsoft Strategic Alliance Driving Forward with Cloud and Mobility

Home , Credential Guard, Windows Firewall

TOMORROW ON WHEELS STIJN VANNUT Microsoft Citrix Partnership Microsoft Strategic Alliance Driving Forward with Cloud and Mobility

• Why Citrix • Current solutions Microsoft & Citrix together • Azure solutions • Office 365 • Windows 10 • New strategic agreement on Cloud and Mobility

“Power a world where people, organizations, and things are securely connected and accessible, so that you can make the extraordinary possible “ Citrix Strategy Build the world’s best integrated technology services for secure delivery of apps and data—anytime, anywhere.

On-Premises Citrix Cloud Citrix Service Providers (Traditional)

Public Or Private Corporate Data Center Service Provider Cloud Cloud Subscription Offerings Perpetual Offerings Service Provider Offerings: • Desktops Service • XenApp Advanced edition • Subscription offers by individual • Apps & Desktop Service • XenApp Enterprise edition Service Providers • XenApp Platinum edition • XenDesktop VDI edition • XenDesktop Enterprise ed. • XenDesktop Platinum ed.

Current Azure Solutions Enterprise Cloud Enterprise File Enterprise App Skype for Business Windows 10 App Delivery Networking Sync and Share Delivery Cloud Optimization Office 365 Delivery via IaaS

• BYOL/IaaS Solution • Enhance load balancing • Mobilize employees • Unify administration • Virtual Skype for • Accelerate Win10 • Centralize control • Deliver network • Provide anywhere • Smooth on-ramp to the Business solution only delivery • Increase mobility optimization access cloud available from Citrix • Secure Office 365 • Enable cloud • Cross security and control • Aggregate enterprise • Cross-service • Uncompromised • Deliver Windows apps management data coordination quality of voice and video

XenApp & XenDesktop Services Optimization Pack

Citrix makes Azure it’s preferred and strategic cloud

Aligning Microsoft EMS & Intune and XenMobile & NetScaler Integrating Identity and Networking between NetScaler and Azure

Enabling XenDesktop VDI to deliver Windows 10 desktops from the Cloud on Azure

Building next generation RemoteApp Service to deliver apps from the Azure cloud Subscription-based model

SERVICE CAPABILITIES Management* Assign Desktops Yes, Win10 CBB Citrix Provisioning w/ Azure Resource Manager XenDesktop for Access Control Policy Available Windows 10 on Azure Desktop Modes Dedicated and Pooled Monitoring Full Director Access Citrix Cloud Alerting Available Customer Subscription End User Access Capability Full Storefront Access Smart Scale Available Auto Update VDA Service Available Hybrid Deployments Yes. Requires NetScaler on- CONNECTOR premises High Availability Yes (active/active for Control NetScaler WindowsServer WindowsServer Gateway 10Server 10Server Active Plan. VDA failover) VDAs VDAs Directory VDAs VDAs SLA 99.9% Customer’s Azure Subscription Support (24x7x365) Available

12 © 2016 Citrix. Confidential. Through Citrix Studio Citrix Cloud: XenApp “express“ SERVICE CAPABILITIES* Deployment Options Future of Azure RemoteApp Cloud • Non-domain joined • Azure AD Hybrid • Domain joined • On-premises AD or Azure AD VMs, Storage • Bring your own Azure subscription • Auto create Azure subscription if needed • • Allow instance size and region selection Apps/Images • Pre-canned Images with common apps provided by service • Upload custom Images • Create Image workflow (Phase 2) • Orchestration Multi-tenant service: • Creation of Resource Groups, Cloud Connectors, Availability Sets, and VDAs • Many-to-many mapping between Azure subscriptions and customers • Azure V2 support VNETs • Bring your own VNET • Auto create for customer if needed Management Console • Simple UI mode providing ARA like experience • (Image selector, compute selector, publish apps, assign users) • Advanced UI mode via Studio (Full flexibility as provided to existing XenApp customers) Power and Capacity • Allow customers to set the scheme Management Identity • On-premises AD • • Azure AD ( with Multi Factor Authentication) • FAS for single sign-on (Phase 2) Remoting protocol • HDX • RDP (Phase 2) Clients • All Citrix Receiver supported platforms Migration • Help migrate ARA customers to our service

Citrix Cloud

Simple Management UI Operated by Citrix Control Plane

Customer Subscription CONNECTOR Managed by Citrix

WindowsServer WindowsServer AppsServer AppsServer Active VDAs VDAs Directory VDAs VDAs Customer’s Azure Subscription

On-prem / IaaS Service Provider

Traditional installable Comprehensive Hybrid Simple, Secure, cloud- Simplest way to publish Package End-to-end virtual apps Simple Window 10 VDI software for complete IT virtual apps & based web-browser remote applications in and desktops solution on Azure Description control desktop service solution the cloud Citrix Infra. IT Dept. Partner Citrix Citrix Citrix Citrix Management Workload IT Dept. / Partner Partner IT Dept. / Partner Managed by Citrix IT Dept. / Partner IT Dept. / Partner Management Perpetual + Subscription Subscription Subscription Subscription Subscription Licensing Maintenance (varies) (user/year) (user hours) (User/month) (User/month) Private cloud or Public Private, Partner, Cloud Partner Cloud Citrix Selected Azure-only Azure-only IaaS Public IaaS

RTM Normal Channel Normal Channel Normal Channel Normal Channel Azure Marketplace Azure Marketplace Available Today Future

On-prem / IaaS Virtual Desktop Offering

Package Traditional installable software for Cloud based VDI management service Simple Window 10 VDI on Azure Description complete control Leverage current hardware, add cloud Deliver multiple desktops types in the Fastest route to Windows 10 VDI and Why use? for burst and DR cloud of your choice avoid upfront CapEx investment Citrix Infra. IT Dept. / Partner Citrix Citrix Management Workload IT Dept. / Partner IT Dept. / Partner IT Dept. / Partner Management Deploy Infra. or workload VMs In Public Deploy workload VMs in one of: Deploy workload VMs in Azure Only Cloud for increased capacity Private, Public, Partner

Licensing/ 1,2,3 year term / subscription via Perpetual via normal channel Month-to-month subscription via transaction normal channel Azure Marketplace only

Available Today Future

On-prem / IaaS Virtual Apps & Desktops Offering

Traditional installable software for Simple, Secure, cloud-based web- Simplest way to publish remote Package Cloud based VDI management service Description complete control browser solution applications in the cloud Leverage current hardware, add cloud Best way to enable Hybrid-IT for Quickly give access to web sites and Fastest route to delivering apps and Why use? for burst and DR strategic use of cloud / migration browsers not supported by IT avoid upfront CapEx investment Citrix Infra. IT Dept. / Partner Citrix Citrix Citrix Management Workload IT Dept. / Partner IT Dept. / Partner Citrix IT Dept. / Partner Management Deploy Infra. or workload VMs In Deploy workload VMs in one of: Selected by Citrix Deploy workload VMs in Azure Only Cloud Public for increased capacity Private, Public, Partner

Licensing/ Perpetual 1,2,3 year term/subscription Subscription (user hours) Month-to-month subscription via transaction via normal channel via normal channel via normal channel Azure Marketplace only

Available Today Future

EVOLUTION OF ATTACKS

Mischief Fraud and Theft Damage and Disruption

Script Organized Nations, Terror Groups, Kiddies Crime Activists

Unsophisticated More sophisticated Very sophisticated and well resourced ANATOMY OF AN ATTACK

Browser or Doc Exploit Delivery Malicious Attachment Delivery ENTER USER Phishing Attacks

Internet Service Compromise Browser or Doc Exploit Execution DEVICE ESTABLISH Malicious Attachment Execution Stolen Credential Use

Kernel Exploits Kernel-mode Malware EXPAND NETWORK Pass-the-Hash

ENDGAME

BUSINESS DISRUPTION LOST PRODUCTIVITY DATA THEFT ESPIONAGE, LOSS OF IP RANSOM ANATOMY OF AN ATTACK: STRONTIUM

PHISHING USER

DEVICE Browser or Doc Exploit Execution

PASS-THE-HASH NETWORK

ENDGAME

Theft of sensitive information, disruption of government. ANATOMY OF AN ATTACK: STRONTIUM

PHISHING USER

DEVICE Browser or Doc Exploit Execution

http://natoint.com/900117-spain-forces-conclude-mission-in-central-african-republic/

PASS-THE-HASH NETWORK

ENDGAME

Theft of sensitive information, disruption of government. ANATOMYTotal OF Elapsed AN ATTACK: Time: STRONTIUM00:00.1

PHISHING USER

DEVICE Browser or Doc Exploit Execution

PASS-THE-HASH ExploitNETWORK runs

Land on exploit page Redirected to legitimate page ENDGAME

Theft of sensitive information, disruption of government. THE WINDOWS 10 DEFENSE STACK

PROTECT, DETECT & RESPOND

PRE-BREACH POST-BREACH

Breach detection Device Threat Identity Information investigation & protection resistance protection protection response

DeviceDevice integrity Health SmartScreen WindowsBuilt-in Hello 2FA :) DeviceBitLocker protection and / WindowsConditional Defender Access attestation DriveBitLocker encryption to Go ATP Device control WindowsAppLocker Firewall AccountCredential lockdown Guard Windows Defender Device Guard MicrosoftDevice Guard Edge Credential Guard EnterpriseWindows Data ATP Device Control Microsoft Passport InformationProtection WindowsDevice DefenderGuard Protection Conditional access Security policies WindowsNetwork/Firewall Defender Windows Hello :) ThreatGame changeprotection with overWindows time and Software Protection Gap CAPABILITY Attackersas a Services take advantage of Disruptperiods andbetween out innovate releases our adversaries by design

TIME

PRODUCT THREAT RELEASE SOPHISTICATION Windows 7 Security features

Breach detection Device Threat Identity Information investigation & protection resistance protection protection response

PRE-BREACH POST-BREACH Windows 10 Security on Legacy or Modern Devices (Upgraded from Windows 7 or 32-bit Windows 8)

Breach detection Device Threat Identity Information investigation & protection resistance protection protection response

PRE-BREACH POST-BREACH Windows 10 Security on Modern Devices (Fresh Install or upgraded from 64-bit Windows 8 )

Breach detection Device Threat Identity Information investigation & protection resistance protection protection response

PRE-BREACH POST-BREACH THE WINDOWS 10 DEFENSE STACK

PROTECT, DETECT & RESPOND

PRE-BREACH POST-BREACH

Breach detection Device Threat Identity Information investigation & protection resistance protection protection response

DeviceDevice integrity Health SmartScreen Windows Hello :) BitLocker and Conditional Access attestation BitLocker to Go Device control Windows Firewall Credential Guard Windows Defender Device Guard Microsoft Edge Windows ATP Device Control Information Device Guard Protection Security policies Windows Defender DEVICE PROTECTION SECURE ROOTS OF TRUST

Device integrity

Cryptographic processing

Biometrics sensors

Virtualization TRADITIONAL PLATFORM STACK

Apps

Windows Platform Services

Kernel

Device Hardware VIRTUALIZATION BASED SECURITY WINDOWS 10

Apps #1 #2 #3 Trustlet Trustlet Trustlet Windows Platform Services

Kernel Kernel

Windows Operating System System Container

Hyper-V Hyper-V

Device Hardware

Hypervisor VIRTUALIZATION BASED SECURITY THE FUTURE

Apps

Windows Platform Windows Platform Critical System Processes Services Services

Kernel Kernel Kernel

AppContainer Windows Operating System SystemContainer

Hyper-V Hyper-V

Device Hardware

Hypervisor THE WINDOWS 10 DEFENSE STACK

PROTECT, DETECT & RESPOND

PRE-BREACH POST-BREACH

Breach detection Device Threat Identity Information investigation & protection resistance protection protection response

Device integrity SmartScreen Windows Hello :) BitLocker and Conditional Access BitLocker to Go Device control Windows Firewall Credential Guard Windows Defender Microsoft Edge Windows ATP Information Device Guard Protection Windows Defender TRADITIONAL APPROACH Type of threats to consider and mitigate

Device Tampering Vulnerabilities Malware Phishing COMPREHENSIVE THREAT RESISTENCE

Office ATP

SmartScreen Windows Firewall

External

Internal

Microsoft Edge Windows Defender

Device Guard Windows 10

PROTECT FROM THE EDGE Protect devices before they encounter threats PROACTIVE THREAT IDENTIFICATION AND PROTECTION

Microsoft SmartScreen  Phishing and malware filtering technology for Microsoft Edge and Internet Explorer 11 in Windows 10.

 Provides protection from drive-by attacks.

 Cloud service is continuously updated, nothing for you to deploy.

Exchange Online Advanced Threat Protection  Cloud-based email filtering service helps protect against unknown malware and viruses.

 URL trace technology examines potentially harmful links. Windows 10

PROTECT FROM WITHIN Operating system used defense in depth to address threats that get inside the perimeter MICROSOFT EDGE: DESIGNED FOR SECURE BROWSING

Microsoft Edge is the most secure browser Microsoft has ever shipped

Tactics

Objective Strategy Eliminate vulnerabilities before attackers can find them

Make it difficult and Break exploitation techniques used by attackers Keep our customers costly for attackers to safe when browsing  find and exploit  the web vulnerabilities in Contain the damage when vulnerabilities are discovered Microsoft Edge

Prevent navigation to known exploit sites MICROSOFT EDGE: BUILDING A SAFER BROWSER Fundamentally improve security and enable users to confidently experience the web when using Windows 10

www

DEFEND USERS DEFEND THE BROWSER New

(SmartScreen) (Universal Windows Platform)

(Windows Address Space Layout Randomization on 64-bit systems) (Microsoft Passport and Windows Hello)

(MemGC)

(Cert. Reputation, EdgeHTML, W3C Content Security Policy, HTTP Strict Transport Security)

(Control Flow Guard) MICROSOFT EDGE SECURITY IMPROVEMENTS

Before – Full access to Win32.sys  Microsoft Edge and Flash no longer have full access to Microsoft Edge Browser Windows Kernel win32k.sys—API calls are filtered Edge Content Process Win32k.sys  Only 40% of interfaces are Flash Host Process available to Flash and Edge reducing attack surface Today – 60% less surface area of attack on a highly targeted library  Flash player moves into its own AppContainer Microsoft Edge Browser Windows Kernel  Working directly with Adobe to harden Flash player to be Edge Content Process Allowed Win32k.sys interfaces resistant to vulnerability Flash Host Process exploits Blocked Win32k.sys interfaces HARDWARE ISOLATION WITH WINDOWS DEFENDER APPLICATION GUARD

Microsoft Edge Apps

Windows Platform Windows Platform Critical System Processes Services Services

Kernel Kernel Kernel

Windows Defender Windows Operating System System Container Application Guard Container

Hyper-V Hyper-V

Device Hardware

Hypervisor

TODAY’S CHALLENGE:

APPS YOUR SECURITY DEPENDS ON A PLATFORM WHERE:

APPS MUST EARN TRUST BEFORE USE Windows 10

NEXT GENERATION APP CONTROL Secure your devices with Device Guard DEVICE GUARD Hardware Rooted App Control

Windows desktop can be locked down to only run trusted apps, just like many mobile OS’s (e.g.: Windows Phone) Untrusted apps and executables, such as malware, are unable to run Signed policy secures configuration from tampering Protects system core (kernel mode) and drivers from zero days and vulnerabilities Requires Windows 8 certified or greater hardware with VT-X and VT-D DEVICE GUARD IN VBS ENVIRONMENT DECISIVE MITIGATION

Apps #2 #3 DEVICE GUARD Trustlet Trustlet Windows Platform Services

Kernel Kernel

Windows Operating System SystemContainer

Hyper-V Hyper-V

Device Hardware

Hypervisor

WINDOWS DEFENDER ANTI-VIRUS PROTECTION

Protection that competes to win Scored 98.1% detection rating from AV Comparatives testing Microsoft Protection Stars AVTest against top competitors (March 2016). 6 5

Behavior and cloud-powered malware detection 4 Can detect fast changing malware varietals using behavior monitoring and cloud-powered protection that expedites signature delivery 3 2 Tamper Resistant Windows Trusted Boot and platform isolation protect 1 Windows Defender from attacks and enable it to self-repair 0 2014 2015 2016 Built into Windows and Always Up-To-Date No additional deployment & Infrastructure. Continuously up-to- date, lower costs VIDEO: HOW FAST CAN WINDOWS DEFENDER LEARN ABOUT NEW MALWARE AND BLOCK IT? THE WINDOWS 10 DEFENSE STACK

PROTECT, DETECT & RESPOND

PRE-BREACH POST-BREACH

Breach detection Device Threat Identity Information investigation & protection resistance protection protection response

Mainstream Make credentials Deliver solution Provide a two-factor theft resistant to both solution that authentication and breach and consumer and works in all phish proof business users scenarios and industries Windows 10

USER IDENTITY & AUTHENTICATION SHARED SECRETS

shhh! Easily mishandled or lost (Hint: The user is the problem) PKI SOLUTIONS

Complex, costly, and under attack ENTERPRISE DEMANDS

Simplify Reduce costs implementation WINDOWS HELLO FOR BUSINESS Device-Based Multi-Factor

USER CREDENTIAL

UTILIZE FAMILIAR SECURED BY DEVICES An asymmetrical key pair HARDWARE Provisioned via PKI or created locally via Windows 10 BIOMETRIC MODALITIES

 Improved security

 Fingerprint and facial recognition

 Ease of use

 Impossible to forget

 VBS support COMPANION DEVICE AUTHENTICATION

WINDOWS HELLO COMPANION DEVICE FRAMEWORK

Phone WearableBand 2 USB CardRFID COMPANION DEVICE SCENARIOS

Companion as second factor Credentials are mobile and remain on companion

Increase convenience and improve security. Adds additional security by storing creds off of the device. Helps with compliance and convenience. Windows 10

DERIVED CREDENTIALS & ACCESS TOKENS “PASS THE HASH” ATTACKS

Today’s security challenge TODAY’S SECURITY CHALLENGE: PASS THE HASH ATTACKS

1. 2. 3. Single IT Pro’s machine is Using IT Pros access token Repeat compromised attacker looks for kiosk/shared devices and IT Pro manages mines them for tokens kiosks/shared devices on network Attacker steals IT Pro’s Access to one access token device can lead to access to many TODAY’S SOLUTION: CREDENTIAL GUARD

 Pass the Hash (PtH) attacks are the #1 go-to tool for hackers. Used in Apps

nearly every major breach and APT #2 #3 type of attack Credential Credential Guard  Credential Guard uses VBS to isolate Trustlet Trustlet Windows Platform Windows authentication from Services Windows operating system

 Protects LSA Service (LSASS) and Kernel Kernel

derived credentials (NTLM Hash) Windows Operating System SystemContainer  Fundamentally breaks derived

credential theft using MimiKatz, Hyper-V Hyper-V

Device Hardware

Hypervisor

THE WINDOWS 10 DEFENSE STACK

PROTECT, DETECT & RESPOND

PRE-BREACH POST-BREACH

Breach detection Device Threat Identity Information investigation & protection resistance protection protection response

DEVICE DATA LEAK SHARING PROTECTION SEPARATION PROTECTION PROTECTION

BitLocker enhancementsProtect system andin Containment Prevent Protect data when Windowsdata when 8.1 device is Data separation unauthorized users shared with others, lost or stolen and apps from or shared outside InstantGo accessing and of organizational 3rd party adoption leaking data devices and control INFORMATION PROTECTION NEEDS

DEVICE DATA LEAK SHARING PROTECTION SEPARATION PROTECTION PROTECTION

Azure Rights Management BitLocker enhancements in Office 365 Windows 8.1 InstantGo 3rd partyBitLocker adoption Windows Information Protection Windows 10

DATA-AT-REST PROTECTION The threat of lost or stolen devices DEVICE ENCRYPTION BitLocker

Modern devices may be encrypted out- of-box with BitLocker technology Increased global acceptance of TPM TPM pervasive on Windows devices by end 2015 Easiest deployment, leading security, reliability, and performance Single sign-on for modern devices and configurable Windows 7 hardware Enterprise grade management (MBAM) and compliance (FIPS) INFORMATION PROTECTION NEEDS

DEVICE DATA LEAK SHARING PROTECTION SEPARATION PROTECTION PROTECTION

Protect system and Containment Prevent data when device is unauthorized apps Data separation lost or stolen from accessing data MARKET SOLUTIONS FOR DATA LOSS PREVENTION

Mobile Platforms Desktop Platforms

Using Containers Limited Platform Integration Compromised user experience Better user experience Ease of deployment Difficult to deploy Lowest cost Higher cost INTRODUCING WINDOWS INFORMATION PROTECTION Integrated protection against accidental data leaks

Protects data at rest locally and on removable storage.

Common experience across all Windows 10 devices with copy and paste protection. Corporate vs personal data identifiable wherever it rests on the device and can be wiped. Ships in the Windows 10 Anniversary Update

Prevents unauthorized apps Seamless integration into from accessing business data the platform, No mode and users from leaking data switching and use any app. via copy and paste protection. WINDOWS INFORMATION PROTECTION LIFECYCLE Corporate Data Private Data & & Apps Apps Block User is not allowed to copy/paste data

Override User gets prompted Y/N if he/she wants to Y/N copy/paste data

Silent User copy/paste data, but gets Logging audited Off No WIP

Encrypted Unencrypted Corporate Data & Apps Block Private Data & Apps

Can copy/paste but encrypted

Can attach and/or transfer the data decrypted

Encrypted INFORMATION PROTECTION NEEDS

DEVICE DATA LEAK SHARING PROTECTION SEPARATION PROTECTION PROTECTION

Containment Prevent Protect data when unauthorized apps shared with others, BYOD separation from accessing or shared outside data of organizational devices and control SHARING PROTECTION Rights Management Services

Protect all file types, everywhere they go, cloud, email, BYOD, …

Support for all commonly used devices and systems – Windows, OSX, iOS, Android

Support for B2B and B2B via Azure AD

Support for on premise and cloud based scenarios (e.g.: Office 365) Seamless, easy to provision and support for FIPS 140-2 regulation and compliance THE WINDOWS 10 DEFENSE STACK

PROTECT, DETECT & RESPOND

PRE-BREACH POST-BREACH

Breach detection Device Threat Identity Information investigation & protection resistance protection protection response

SECURE YOUR ENVIRONMENT WITH CONDITIONAL ACCESS Keep unhealthy devices out with Intune and Windows Device Health Attestation. UNKNOWN PC HEALTH

Important resources

Today health 1 is assumed 2 WINDOWS DEVICE HEALTH ATTESTATION ENABLES:

MDMS to gate access based on device integrity 3 4 Important resources and health 5

1 ATTACKS HAPPEN FAST AND ARE HARD TO STOP

If an attacker sends an email …23 people will open it… …11 people will open the …and six will do it in the to 100 people in your attachment… first hour. company… WINDOWS DEFENDER ADVANCED THREAT PROTECTION

DETECT ADVANCED ATTACKS AND REMEDIATE BREACHES

Built into Windows No additional deployment & Infrastructure. Continuously up-to-date, lower costs.

Behavior-based, cloud-powered breach detection Actionable, correlated alerts for known and unknown adversaries. Real-time and historical data.

Rich timeline for investigation Easily understand scope of breach. Data pivoting across endpoints. Deep file and URL analysis.

Unique threat intelligence knowledge base Unparalleled threat optics provide detailed actor profiles 1st and 3rd party threat intelligence data.

Secure Secured Information Threat devices identities protection resistance THE WINDOWS 10 DEFENSE STACK

PROTECT, DETECT & RESPOND

PRE-BREACH POST-BREACH

Breach detection Device Threat Identity Information investigation & protection resistance protection protection response

Business Productivity Roadmap

Kick-off meeting

Discovery sessie

Business Requirements workshop

Architectuuranalyse

Project Roadmap Realdolmen Education offering

• Custom User Adoption Program

▶ Tailor-made

▶ Accompany the user in the journey towards a new way of working

• Systems management trainings

▶ Microsoft Certified Trainers

▶ Largest Microsoft Learning Partner in Belgium

▶ Open calendar with guaranteed schedule

• More information

▶ http://education.realdolmen.com

▶ [email protected]

▶ Open calendar training Supporting & Troubleshooting Windows 10, starting March 20 Upcoming event

• 21/2, Filliers Meeting Center, Deinze • 23/2, De Hoorn Leuven

• Voor wie? Zowel business als IT