WW emergencies/ malware infections: CODE RED, NIMDA, BLASTER, SLAMMER. Billg s. Trustworthy Computing Beyond

Transcription

1 Feliciano Intini Security, Privacy & Compliance Mobility & Cloud Technology

2 WW emergencies/ malware infections: CODE RED, NIMDA, BLASTER, SLAMMER Billg s Trustworthy Computing Beyond

3 Antivirus Network INTELLIGENT SECURITY GRAPH Cyber Defense Operations Center CERTs and other partners Law Enforcement Malware Protection Center Hunting Teams Security Response Center Digital Crimes Unit PaaS IaaS SaaS Identity Apps and Data Infrastructure Device

4

5

6 Tech Support Fraud Partnering with law enforcement globally to investigate and take action against scammers, while working with advocacy groups to educate consumers Online Child Exploitation Enabling law enforcement and organizations to detect and disrupt the distribution of child sexual abuse materials online by leveraging PhotoDNA Cloud & Data Center Enforcement Identifying, investigating and disrupting malware and other criminal activity that impact devices connecting to our cloud services, ensuring our data centers are secure. Intelligence gathered from DCU disruptions is embedded into Microsoft products and services to make them more secure Global Strategic Enforcement Using sophisticated digital investigation and advanced analytics to develop civil actions and criminal referrals, protecting Microsoft services and customers against criminal organizations

7 Malware Disruptions Working with Law Enforcement and others to disrupt the criminal infrastructure DCU acquires targets, investigates, and orchestrates global partnerships to take action We enable CERTs/ISPs globally to notify and remediate Our malware intelligence is embedded into Microsoft s products and services Microsoft Confidential

8 Actionable Intelligence from Malware Disruptions Microsoft Confidential

9 Network Security Esempi: ISA Server, IPSEC, Soluzioni di Server&Domain Isolation, Wireless Security, VPN, NAP,... Host Security Esempi: hardening del sistema operativo di base, Security Update Management,Soluzioni Anti-Malware,... Application Security Esempi: hardening di applicazioni server (Exchange, SQL,...),... Data Security Esempi: Rights Management Services, Encrypted File System, Bitlocker, Secure Messaging,... Security Foundations (Technology) Esempi: Active Directory Security, Infrastrutture PKI (Smart Card, CLM,...), Soluzioni di Identity Management,Forensic Analysis... Security Foundations (Processes) Esempi: Security Policy aziendali e Compliance Management, Security Risk Management,Security Monitoring e Auditing, Security Incident Response Perimeter Security!!

10

11 1. Assumption of mainly external attacks 2. Bigger investments on perimeter defenses 3. Data Protection based on container defense

12 Current IT scenario seems not so different IT Users Devices Apps Data Employees Business Partners Customers

13

14 IDENTITY DRIVEN SECURITY 1. Protect at the front door Safeguard your resources at the front door with innovative and advanced risk-based conditional accesses 2. Protect your data against user mistakes Gain deep visibility into user, device, and data activity onpremises and in the cloud. 3. Detect attacks before they cause damage Uncover suspicious activity and pinpoint threats with deep visibility and ongoing behavioral analytics.

15 Identity Protection & Management Information Protection Threat Detection & Protection Security Management & Operations

16 Identity Protection & Management Information Protection Threat Detection & Protection Security Management & Operations

17 Identity Protection & Management Information Protection Threat Detection & Protection Security Management & Operations

18 New Identity & Access Management solution Customers Everywhere access Third-party web apps & SaaS clouds Active Directory on-premise & Azure Active Directory together integrated to build the backbone of Hybrid Partners Everywhere access B2C Microsoft Cloud AAD B2B Apps in MS Cloud Employees Everywhere access Identity Management Other Active Directories YOUR DATACENTER Web Apps on-premises Other ID stores

19 Microsoft s new IAM solution Modern identity & access management as a service solution Customers Everywhere access B2C Third-party web apps & SaaS clouds Spans cloud and on-premises Microsoft Cloud Provides full spectrum of services Partners Everywhere access AAD B2B Employees Everywhere access Federation & SSO Identity management Apps in MS Cloud Device registration AAD App Proxy User provisioning Conditional Access control Data protection Other Active Directories Microsoft Identity Manager (MIM) Web App Proxy (DMZ) Azure AD App Proxy Connectors B2B & B2C Azure AD Connect Active Directory Federation Services (ADFS) Web Apps on-premises Other ID stores

20 Microsoft s new IAM solution Active Directory on-premise Customers Everywhere access Third-party web apps & SaaS clouds & Azure Active Directory B2C together integrated to build the backbone of Hybrid Partners Everywhere access Microsoft Cloud AAD B2B Employees Everywhere access Identity Management Apps in MS Cloud AAD App Proxy Other Active Directories Microsoft Identity Manager (MIM) Web App Proxy (DMZ) Azure AD App Proxy Connectors Azure AD Connect Active Directory Federation Services (ADFS) Web Apps on-premises Other ID stores

21 Hybrid Identity: 3 types of identities Synchronized Identity Federated Identity Cloud Identity Pwd Hash Azure Active Directory No Pwd Azure Active Directory Azure Active Directory Note: Pwd Hash Note: Different Users

22 Hybrid Identity: 3 types of Authentication Synchronized Password Hash Passthrough Authentication Federated Authentication Pwd Hash Azure Active Directory Azure Active Directory NO Pwd Hash No Pwd Azure Active Directory Note: Pwd Hash

23 Firewall Firewall Azure Active Directory Azure AD Authentication Authorization

24 Firewall Firewall Azure Active Directory Azure AD Authentication Authorization

25 SSO for any Microsoft Online Service Employees Everywhere access to Biz Prod Apps Azure Active Directory as the native IdP for MS Cloud services AD-Azure AD Federation & Sync to gain SSO benefit to let employees use their Corporate accounts to access MS Cloud services On-premise

26 Employees Everywhere access to Biz Prod Apps SSO for 3 rd party web apps and On-premise SaaS Azure AD App Gallery with more than 3,000 3 rd party app with the same native SSO experience Ability to add custom App based on SAML or Username/Password

27 1000s OF APPS, 1 IDENTITY

28 Employees Everywhere access to Biz Prod Apps SSO for Intranet Web applications Through a secure channel outbound between an Azure AD App Proxy Connector and Azure AD App Proxy component On-premise Nothing to install on Application servers, no VPN, no reverse proxy

29 1000s OF APPS, 1 IDENTITY Microsoft Azure Active Directory Application Proxy connector User DMZ Azure or 3 rd Party IaaS connector connector Corporate Network

30 1000s OF APPS, 1 IDENTITY Access even more on-premises web applications Microsoft Azure Active Directory Application Proxy connector User DMZ connector connector connector Azure or 3 rd Party IaaS Corporate Network

31 Azure AD B2B collaboration PARTNERS Everywhere access to Corporate approved apps PARTNERS own Azure AD, or free from Microsoft Works well for B2B collaboration Azure AD B2B collaboration to enable Partner access to Corporate approved apps, without the hassle of authn infrastructures, only authz efforts On-premise

32 Azure AD B2B: invitation

33 Microsoft s new IAM solution Azure AD B2C Customers Everywhere access B2C Third-party web apps & SaaS clouds Microsoft Cloud Partners Everywhere access AAD B2B Employees Everywhere access Apps in MS Cloud AAD App Proxy Other Active Directories Microsoft Identity Manager (MIM) Web App Proxy (DMZ) Azure AD App Proxy Connectors Azure AD Connect Active Directory Federation Services (ADFS) Web Apps on-premises Other ID stores

34 User-friendly self-service user sign-in and sign-up experience Self-service profile management/password reset Bring-your-own-identity using social ID or create a new, local account set of credentials Sign in or username Password Match your identity experience to your application branding SIGN IN OR CONNECT USING:

35 IDENTITY DRIVEN SECURITY User Conditions Location Device state User/Application Risk Actions Allow access Or Enforce MFA per user/per app Block access MFA

36 Azure Multi-Factor Authentication (MFA)

37 Firewall Firewall 2nd Authentication Azure AD Azure Active Directory 1 st Authentication Authorization

38 Firewall Firewall 2nd Authentication Azure AD Azure Active Directory 1 st Authentication Authorization

39 ENABLE BUSINESS WITHOUT BORDERS Company-branded, personalized application Access Panel: + ios and Android Mobile Apps Integrated Office 365 app launching Manage your account, apps, and groups Self-service password reset Application access requests

40 Microsoft & SailPoint Integration Advanced governance provided by Sailpoint for all provisioned apps Box Citrix GoToMeeting Concur SailPoint App provisioning Contoso Retail Services Cornerstone OnDemand CustomApp Egnyte Jive Microsoft Developer Netw Enterprise twitter account Kronos Office 365 Exchange Onlin Facebook LinkedIn Office 365 SharePoint Onli Azure AD SSPR Extension Self-service Password Reset Extension App provisioning Oracle CRM On Demand Sales Tracking Salesforce Sensitive On-premises App ServiceNow Skype Smartsheet SuccessFactors Workday Yammer youapp Groups Single Sign-On / Conditional Access Single Sign-on Conditional Access Infrastructure Databases Applications Azure AD Connect Other on-premises and cloud apps not supported by Azure Active Directory Azure Active Directory supported on-premises apps

41 Azure Active Directory Premium I need to enable my users to securely reset their own password MFA Challenge Azure AD Connect Microsoft Azure Active Directory Username? Forgot your password? On-premises applications

42 ENABLE BUSINESS WITHOUT BORDERS Azure Active Directory Join makes it possible to connect work-owned Windows 10 devices to your company s Azure Active Directory Enterprise State Roaming Enterprise-compliant services SSO from the desktop to cloud and on-premises applications with no VPN MDM auto-enrollment Windows 10 Azure AD joined devices Intune/MDM auto-enrollment Support for hybrid environments

43

44 TODAY S SECURITY CHALLENGE: PASS THE HASH AT TACKS Access to one device can lead to access to many 1. Single IT Pro s machine is compromised IT Pro manages kiosks/shared devices on network Attacker steals IT Pro s access token 2. Using IT Pros access token attacker looks for kiosk/shared devices and mines them for tokens 3. Repeat

45 TRADITIONAL PL ATFORM STACK Apps Windows Platform Services Kernel Device Hardware

46 Trustlet #1 Trustlet #2 Trustlet #3 VIRTUALIZATION BASED SECURITY WINDOWS 10 Apps Windows Platform Services Kernel Windows Operating System Kernel SystemContainer Hyper-V Hyper-V Device Hardware Hypervisor

47 Credential Guard Trustlet #2 Trustlet #3 TODAY S SOLUTION: CREDENTIAL GUARD Pass the Hash (PtH) attacks are the #1 go-to tool for hackers. Used in nearly every major breach and APT type of attack Apps Credential Guard uses VBS to isolate Windows authentication from Windows operating system Windows Platform Services Protects LSA Service (LSASS) and derived credentials (NTLM Hash) Fundamentally breaks derived credential theft using MimiKatz, Kernel Windows Operating System Hyper-V Hyper-V Kernel SystemContainer Device Hardware Hypervisor

48 WINDOWS HELLO FOR BUSINESS Device-Based Multi-Factor USER CREDENTIAL UTILIZE FAMILIAR DEVICES An asymmetrical key pair Provisioned via PKI or created locally via Windows 10 SECURED BY HARDWARE

49 WINDOWS HELLO - KEY BASED AUTHENTICATION 1 A New Approach User Intranet Resource IDP Active Directory Azure AD Google Facebook Microsoft Account Intranet Resource 4 Windows10

50 Example board level members FIDO ALLIANCE

51 1000s OF APPS, 1 IDENTITY A mobile authenticator application for all platforms Converges the existing Azure Authenticator and all consumer Authenticator applications. MFA for any account, enterprise or consumer and 3rd party : Push Notifications/OTP Device Registration (workplace join) SSO to native mobile apps - Certificate-based SSO Future: Sign in to a device (Windows Hello), app, or website without a password

52 IDENTITY-DRIVEN SECURITY Conditional Access User attributes User identity Group memberships Devices Are domain-joined Are compliant Platform type (Windows, ios, Android) Lost or stolen Application Per app policy Type of client (Web, mobile rich app) Other Location (IP Range) Risk profile (with Azure Identity Protection) ALLOW ENFORCE MFA BLOCK Cloud and On-premises applications Microsoft, 3 rd party and LOB

53

54

55 AAD Premium report: Sign ins from possibly infected devices

56 AAD Premium report: Users with leaked credentials 56

57 CLOUD-POWERED PROTECTION Identity Protection at its best Gain insights from a consolidated view of machine learning based threat detection Remediation recommendations Infected devices Brute force attacks Configuration vulnerabilities Leaked credentials Suspicious signin activities Risk-based policies MFA Challenge Risky Logins Risk severity calculation Risk-based conditional access automatically protects against suspicious logins and compromised credentials Machine-Learning Engine Change bad credentials Block attacks

58 CLOUD-POWERED PROTECTION Use the power of Identity Protection in PowerBI, SIEM and other monitoring tools Infected devices Brute force attacks Configuration vulnerabilities Leaked credentials Suspicious signin activities Notifications Security/Monitoring/Reporting Solutions Data Extracts/Downloads Reporting APIs Microsoft machine - learning engine Apply Microsoft learnings to your existing security tools

59

60 SCENARIO 1: APP-BASED THREAT TRIGGERS CONDITIONAL ACCESS TO O365 INTUNE CONSOLE MALWARE DETECTED CONDITIONAL ACCESS ALERT CONDITIONAL ACCESS STOP ACCESS LOCK MANAGED APPS LOOKOUT MTP CONSOLE MALWARE DETECTED

61 SCENARIO 1: APP-BASED THREAT TRIGGERS CONDITIONAL ACCESS TO O365 INTUNE CONSOLE THREAT MALWARE REMEDIATED DETECTED CONDITIONAL ACCESS USER ALERTREMEDIATION CONDITIONAL ACCESS STOP ACCESS LOCK MANAGED APPS LOOKOUT MTP CONSOLE THREAT MALWARE REMEDIATED DETECTED

62 CLOUD-POWERED PROTECTION Discover, restrict, and monitor privileged identities Enforce on-demand, just-in-time administrative access when needed Provides more visibility through alerts, audit reports and access reviews Global Administrator Billing Administrator Exchange Administrator User Administrator Password Administrator

63 Access requests Access requests Privileged access management Existing apps User Microsoft Identity Manager Configured for PAM Existing trust Group: Resource Admins Domain: CORP Candidate: Jen Existing FIM Existing AD forests Trust for admin access AD DS WS 2003 or later Group Resource Admins User: PRIV\JenAdmin Groups: CORP\Resource Admins Refresh after: 60 minutes Time-based memberships User JenAdmin

64 Identity Protection & Management Information Protection Threat Detection & Protection Security Management & Operations

65

66

67

68 INTRODUCING WINDOWS INFOR MA TION PR OTECTION Integrated protection against accidental data leaks Protects data at rest locally and on removable storage. Ships in the Windows 10 Anniversary Update Common experience across all Windows 10 devices with copy and paste protection. Corporate vs personal data identifiable wherever it rests on the device and can be wiped. Seamless integration into the platform, No mode switching and use any app. Prevents unauthorized apps from accessing business data and users from leaking data via copy and paste protection.

69

70 MANAGED MOBILE PRODUCTIVITY Managed apps Managed apps Corporate data Multi-identity policy Managed apps attachment Personal data Copy Paste Save Paste to personal app Save to personal storage Personal apps apps Personal apps

71 without Azure Rights Management File policies MAM policies Corporate apps Familiar Office experience Seamless enrollment into app management Use for personal and corporate accounts Comprehensive protection App encryption at rest App access control PIN or credentials Save as/copy/paste restrictions App-level selective wipe MDM mgmt. by Intune or third-party is optional Extend protection to a file level with Azure RMS Might be a good solution for these scenarios: BYOD when MDM is not required MDM optional (Intune or 3 rd -party) MDM policies Personal apps Extending app access to vendors and partners Already have an existing MDM solution

72

73 CLASSIFICATION LABELING ENCRYPTION ACCESS CONTROL POLICY ENFORCEMENT DOCUMENT TRACKING DOCUMENT REVOCATION Classification & labeling Protect Monitor & respond

74

75 Classify data based on sensitivity IT admin sets policies, templates, and rules Start with the data that is most sensitive PERSONAL SECRET CONFIDENTIAL INTERNAL IT can set automatic rules; users can complement it Associate actions such as visual markings and protection NOT RESTRICTED

76 Automatic Recommended Reclassification User set Policies can be set by IT Admins for automatically applying classification and protection to data Based on the content you re working on, you can be prompted with suggested classification You can override a classification and optionally be required to provide a justification Users can choose to apply a sensitivity label to the or file they are working on with a single click

77 Persistent labels that travel with the document Labels are metadata written to documents FINANCE Labels are in clear text so that other systems such as a DLP engine can read it CONFIDENTIAL

78 Corporate apps FILE VIEW EDIT COPY PASTE attachment Personal apps Protect data needing protection by: Encrypting data Including authentication requirement and a definition of use rights (permissions) to the data Providing protection that is persistent and travels with the data

79 Azure RMS: Encryption & Policy enforcement

80 Monitor use, control and block abuse Bob MAP VIEW Sue Jane Sue Bob accessed from South America Jane Competitors Jane accessed from India Jane access is revoked Joe blocked in North America Jane blocked in Africa

81 Due Diligence Documentation Due Diligence Category Documentation Task Owner Status Business plan Corporate organization Business Plan, Corporate Structure, Financing Current five-year business plan Prior business plan Articles of incorporation Bylaws Recent changes in corporate structure Parent, subsidiaries, and affiliates Shareholders agreements Minutes from board meetings

82

83

84

85 Label and protect any file through the windows shell-explorer Select either one file, multiple files or a folder and apply a label

86 Data protection for organizations at different stages of cloud adoption Ensures security because sensitive data is never sent to the RMS server Integration with on-premises assets with minimal effort RMS connector Authentication & collaboration AAD Connect BYO Key Authorization requests go to a federation service ADFS

87 for Regulated Environments Data protection for organizations at different stages of cloud adoption Authentication & collaboration Service supplied Key BYOK Ensures security because sensitive data is never sent to the RMS server RMS connector AAD Connect Authorization requests via federation (optional) Integration with on-premises assets with minimal effort ADFS Hold your key on premises HYOK

88 Label A Apply Protection: AzRMS Label B Apply Protection: ADRMS BYOK HYOK Data that can be stored anywhere, travel, collaborated on and protected by a cloud service Toxic data that must reside onpremises and be protected by customer held keys

89 Identity Protection & Management Information Protection Threat Detection & Protection Security Management & Operations

90

91 DETECT ATTACKS BEFORE THEY CAUSE DAMAGE An on-premises platform to identify advanced security attacks and insider threats before they cause damage Behavioral Analytics Detection of advanced attacks and security risks Advanced Threat Detection Microsoft Advanced Threat Analytics brings the behavioral analytics concept to IT and the organization s users.

92 Abnormal resource access Account enumeration Net Session enumeration DNS enumeration SAM-R Enumeration Abnormal authentication requests Abnormal resource access Pass-the-Ticket Pass-the-Hash Overpass-the-Hash Skeleton key malware Golden ticket Remote execution Malicious replication requests Compromised Credential Privilege Escalation Reconnaissance Lateral Movement Domain Dominance Abnormal working hours Brute force using NTLM, Kerberos, or LDAP Sensitive accounts exposed in plain text authentication Service accounts exposed in plain text authentication Honey Token account suspicious activities Unusual protocol implementation Malicious Data Protection Private Information (DPAPI) Request MS exploit (Forged PAC) MS exploit (Silver PAC)

93 ATA GATEWAY 1 SIEM Port-mirroring Fileserver Syslog forwarding DC1 DC2 INTERNET ATA CENTER DMZ DC3 ATA Lightweight DC4 Gateway VPN DB Fileserver Web

94

95

96

97

98

99 WINDOWS DEFENDER ADVANCED THREAT PROTECTION DETECT ADVANCED ATTACKS AND REMEDIATE BREACHES Built into Windows No additional deployment & Infrastructure. Continuously up-to-date, lower costs. Behavior-based, cloud-powered breach detection Actionable, correlated alerts for known and unknown adversaries. Real-time and historical data. Rich timeline for investigation Easily understand scope of breach. Data pivoting across endpoints. Deep file and URL analysis. Unique threat intelligence knowledge base Unparalleled threat optics provide detailed actor profiles 1st and 3rd party threat intelligence data.

100 Windows Defender ATP architecture Always-on endpoint behavioral sensors Forensic collection SecOps console Exploration Alerts Response Security analytics Behavioral IOAs Dictionary Known adversaries unknown Files and URLs detonation Customers' Windows Defender ATP tenant Threat Intelligence from partnerships Threat Intelligence by Microsoft hunters SIEM / central UX SIEM Windows APT Hunters, MCS Cyber

101

102 Enterprise-grade security for your cloud apps Visibility Gain complete visibility and context for cloud usage and shadow IT Control Shape your cloud environment with granular controls and policy setting for access, data sharing, and DLP Threat detection Identify high-risk usage and security incidents, detect abnormal user behavior, and prevent threats

103 Cloud apps API Cloud App Security App connectors Discovery Use traffic logs to discover and analyze which cloud apps are in use Manually or automatically upload log files for analysis from your firewalls and proxies Cloud traffic Protected Cloud discovery Sanctioning and un-sanctioning Sanction or block apps in your organization using the cloud app catalog App connectors Leverage APIs provided by various cloud app providers Firewalls Proxies Cloud traffic logs Connect an app and extend protection by authorizing access to the app. Cloud App Security queries the app for activity logs and scans data, accounts, and cloud content Your organization from any location

104

105 Cloud discovery Discover all cloud usage in your organization Information protection Monitor and control your data in the cloud Threat detection Detect usage anomalies and security incidents In-session control Control and limit user access based on session context DISCOVER INVESTIGATE CONTROL PROTECT

106 Cloud App Security can read labels set by AIP giving admins visibility into sharing of sensitive files Cloud App Security admins can set policies for controlling sharing of sensitive files and also get alerted if the policies are violated

107 Identity Protection & Management Information Protection Threat Detection & Protection Security Management & Operations

108 Unified view of security across your Azure resources Central management of security policies Integrated security event logging and SIEM integration Security policies tailored to meet your needs Recommendations help address vulnerabilities Rapidly deploy controls from Microsoft and partners Continuous analysis of security events Microsoft threat intelligence informs analysis Prioritized alerts provide attack insights and recommendations for remediation

109 Monitor the security state of resources quickly identify vulnerabilities

110 Integrate partner solutions Recommends and streamlines provisioning of partner solutions Integrates signals for centralized alerting and advanced detection, including fusion Leverages Azure Marketplace for commerce and billing Closes security gaps created by disconnected point solutions

111 Operations Management Suite Windows Server (Guest) Windows Server (Guest) Windows Server (Guest) Windows Server (Guest) Linux (Guest) Private clouds (Azure Stack, Hyper-V, VMware, OpenStack)

112

113 Integrate threats detected by Microsoft Advanced Threat Analytics

114 Identity Protection & Management Information Protection Threat Detection & Protection Security Management & Operations

115 Identity Protection & Management Information Protection Threat Detection & Protection Security Management & Operations

116 Enterprise Mobility+Security

117 Identity and access management Managed mobile productivity Information protection Identity-driven security Azure Active Directory Premium P2 Azure Information Protection Premium P2 Microsoft Cloud App Security EMS E5 Identity and access management with advanced protection for users and privileged identities Intelligent classification and encryption for files shared inside and outside your organization Enterprise-grade visibility, control, and protection for your cloud applications (includes all capabilities in P1) (includes all capabilities in P1) EMS E3 Azure Active Directory Premium P1 Secure single sign-on to cloud and on-premises apps MFA, conditional access, and advanced security reporting Microsoft Intune Mobile device and app management to protect corporate apps and data on any device Azure Information Protection Premium P1 Manual classification and encryption for all files and storage locations Cloud-based file tracking Microsoft Advanced Threat Analytics Protection from advanced targeted attacks leveraging user and entity behavioral analytics

118 Enterprise Mobility+Security

119 New Microsoft Security Solutions in Action Azure Security Center Operational Management Suite Gain control over any hybrid cloud. Manage and protect Azure or AWS, Windows Server or Linux, VMware or OpenStack Prevent, detect, and respond to threats with increased visibility into and control over the security of your Azure resources Microsoft Cloud App Security Extend enterprise-grade security to your cloud and SaaS apps Intune Azure Active Directory Identity Protection Manage identity with hybrid integration to protect application access from identity attacks Protect your data, everywhere Azure Information Protection Protect your users, devices, and apps Detect problems early with visibility and threat analytics Advanced Threat Analytics

120