Pieter Wigleven Windows Technical Specialist

Transcription

1 Pieter Wigleven Windows Technical Specialist

2

3 HOW DO BREACHES OCCUR? Malware and vulnerabilities are not the only thing to worry about 46% of compromised systems had no malware on them 99.9% of exploited Vulnerabilities were used more than a year after the CVE was published Fast and effective phishing attacks leave you little time to react 23% of recipients opened phishing messages (11% clicked on attachments) 50% of those who open and click attachments do so within the first hour

4 THE WINDOWS 10 DEFENSE STACK PRE-BREACH Device Device protection protection Threat Identity resistance protection Information Identity protection Information Threat protection resistance Device Health Attestation attestation Device Guard Device Control Security policies SmartScreen Built-in 2FA Account AppLocker lockdown Credential Device Guard Microsoft Passport Windows Defender Windows Hello :) Network/Firewall Device Built-in protection 2FA / Drive encryption Account lockdown Windows Information Credential Guard Protection Microsoft Passport Conditional access Windows Hello ;) SmartScreen Device protection / Drive AppLocker encryption Enterprise Device Guard Data Windows Protection Defender Windows Conditional Defender access Application Guard

5 ADDING A POST-BREACH MINDSET PRE-BREACH POST-BREACH Device Device protection protection Threat Identity resistance protection Information Identity protection Information Threat protection resistance Breach detection Breach detection investigation & investigation & response response Device Health Attestation attestation Device Guard Device Control Security policies SmartScreen Built-in 2FA Account AppLocker lockdown Credential Device Guard Microsoft Passport Windows Defender Windows Hello :) Network/Firewall Device Built-in protection 2FA / Drive encryption Account lockdown Windows Information Credential Guard Protection Microsoft Passport Conditional access Windows Hello ;) SmartScreen Device protection / Drive AppLocker encryption Enterprise Device Guard Data Windows Protection Defender Windows Conditional Defender access Application Guard Windows Defender ATP Advanced Threat Protection (ATP)

6

7 Built in to Windows 10 No additional deployment & infrastructure. Continuously up-to-date, lower costs. Rich timeline for investigation Easily understand scope of breach. Data pivoting across endpoints. Deep file and URL analysis. Windows Defender Advanced Threat Protection Detect advanced attacks and remediate breaches Behavior-based, cloud-powered breach detection Actionable, correlated alerts for known and unknown adversaries. Real-time and historical data. Unique threat intelligence knowledge base Unparalleled threat optics provide detailed actor profiles 1st and 3rd party threat intelligence data. Response based on the Windows stack* Rich SOC toolset ranging from machine-specific intervention or forensic actions to cross-machine blacklisting

8 Windows 10 Security is Built in - not Bolted on

9 Windows Defender Advanced Threat Protection Demo Liz Bean

10

11 THE ATTACK

12 Windows Defender Advanced Threat Protection Demo Jonathan Wolcott

13

14 INTEGRATION WITH WINDOWS DEFENDER / SCEP

15 SIEM INTEGRATION REST APIs Alert display ArcSight and Splunk Adding more Info on TechNet

16 Windows Defender Advanced Threat Protection How to get started?

17 CUSTOMER JOURNEY

18 LICENSING

19 PROVISIONING AAD Provisioning Asking for existing/new company AAD Get Started Sign-in to Windows Security Center

20 PROVISIONING

21 ONBOARDING

22 ONBOARDING

23 INTEGRATION WITH OFFICE ATP T H E F U T U R E

24 INTEGRATION WITH ADVANCED THREAT ANALYTICS T H E F U T U R E

25 Combined Microsoft Stack: Maximize detection coverage throughout the attack stages Pivot wide - across Microsoft ATP services User receives an Opens an attachment Clicks on a URL Exploitation Installation C&C channel Persistence Privilege escalation Reconnaissance Lateral movement Access to shared resources Office 365 ATP protection Windows ATP End Point protection ATA User protection User browses to a website User runs a program

26 TechNet

27