MODERN DESKTOP SECURITY

"I'm going to be honest. We're in the fight of our digital lives, and we are not winning!"
Michael McCaul, Chairman, US Homeland Security Committee
RANSOMWARE HAS BECOME THE BLACK PLAGUE

"We cannot say it loud and often enough, ransomware has become the black plague of the internet, spread by highly sophisticated exploit kits and countless spam campaigns," says Cisco's Talos.

Attackers are going after bigger targets that can afford to pay more, with potentially catastrophic consequences.

Source: "A dangerous piece of PC ransomware is now impossible to crack", Steve Dent, Engadget, March 17, 2016
Evolution of Attacks

- Mischief: script kiddies, unsophisticated.
- Fraud and theft: organized crime; recently achieved apex attacker status, well resourced.
- Damage and disruption: nations, terror groups, activists; traditional apex attackers, well resourced.
THE MODERN DESKTOP SECURITY: PROTECT, DETECT & RESPOND

Servicing and Centralized Security Management (spans all three pillars)

Threat Protection: protect, detect, and respond to the most advanced threats using advanced hardware-based security and the power of the cloud.
Identity Protection: kick passwords to the curb with a convenient, easy-to-use and enterprise-grade alternative that is designed for today's mobile-first world.
Information Protection: protect data on lost and stolen devices and prevent accidental data leaks using data separation, containment, and encryption.
THE MODERN DESKTOP SECURITY: PROTECT, DETECT & RESPOND

Servicing and Centralized Security Management (spans all three pillars)

Threat Protection: Office 365 ATP, Windows Firewall, Microsoft Edge, Device Guard, Windows Defender Antivirus, Windows Defender ATP, Windows Defender SmartScreen
Identity Protection: Windows Hello, Credential Guard, Azure Active Directory Premium, Advanced Threat Analytics
Information Protection: BitLocker, Device Encryption, Windows Information Protection, Azure Information Protection, Microsoft Cloud App Security
Office 365 ATP: Multiple features, maximum security

Safe Links: provides time-of-click malicious URL detection.
URL Detonation: scans files that are linked in email via URLs to websites.
Safe Attachments: helps protect against malicious attachments.
Safe Links

- Helps protect against phishing and sites with malicious content.
- Provides visibility into compromised users for administrators.
- Rewrites all URLs to proxy through an EOP server.
- A user clicking a URL is taken to the EOP web servers, which perform the latest URL reputation check at the time of click.

Mail flow for an EOP user without Office 365 ATP: IP + envelope filter -> signature-based AV -> blocking known exploits -> anti-spam filter.
Mail flow for an EOP user with Office 365 ATP: the same filters, plus rewriting URLs to redirect through the EOP web server.
Safe Links: the admin sets the policy; users are notified if a malicious link is clicked in email.
Safe Attachments

- Helps protect against zero-day exploits in email attachments.
- Provides visibility into compromised users for administrators.
- Leverages sandboxing technology.

Mail flow for an EOP user without Office 365 ATP: IP + envelope filter -> signature-based AV -> blocking known exploits -> anti-spam filter.
Mail flow for an EOP user with Office 365 ATP: the same filters, plus the Safe Attachments sandbox.
Dynamic Delivery
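The Safe Links policy the admin sets on the slides above, and Safe Attachments with Dynamic Delivery, can be configured from Exchange Online PowerShell. The following is an added example, not part of the presentation or of Microsoft's documentation: it assumes the ExchangeOnlineManagement module is installed, that the account holds the Security Administrator role, and that 'contoso.example' is a placeholder for the tenant's accepted domain; the policy and rule names are placeholders too. The parameter names are the ones the Exchange Online cmdlets exposed for Office 365 ATP (some have been renamed in later service updates).

```powershell
# Added example: configure Office 365 ATP Safe Links and Safe Attachments
# from Exchange Online PowerShell. Not from the presentation.
# Assumes the ExchangeOnlineManagement module and an account with the
# Security Administrator role. 'contoso.example' is a placeholder domain.

Connect-ExchangeOnline

$domain = 'contoso.example'   # placeholder: replace with an accepted domain of the tenant

# Safe Links: rewrite URLs so every click is reputation-checked at time of
# click, record clicks so admins can see who clicked a malicious link, and
# do not let users click through the warning page.
New-SafeLinksPolicy -Name 'SafeLinks-AllUsers' `
    -IsEnabled $true `
    -ScanUrls $true `
    -TrackClicks $true `
    -DoNotAllowClickThrough $true `
    -EnableForInternalSenders $true

New-SafeLinksRule -Name 'SafeLinks-AllUsers' `
    -SafeLinksPolicy 'SafeLinks-AllUsers' `
    -RecipientDomainIs $domain

# Safe Attachments with Dynamic Delivery: the message body is delivered
# right away with a placeholder attachment, and the real attachment is
# reattached once sandbox detonation comes back clean.
New-SafeAttachmentPolicy -Name 'SafeAttachments-AllUsers' `
    -Enable $true `
    -Action DynamicDelivery

New-SafeAttachmentRule -Name 'SafeAttachments-AllUsers' `
    -SafeAttachmentPolicy 'SafeAttachments-AllUsers' `
    -RecipientDomainIs $domain

# Verify what was applied.
Get-SafeLinksPolicy -Identity 'SafeLinks-AllUsers' |
    Select-Object Name, IsEnabled, ScanUrls, TrackClicks, DoNotAllowClickThrough
Get-SafeAttachmentPolicy -Identity 'SafeAttachments-AllUsers' |
    Select-Object Name, Enable, Action
```

Scoping the rules with -RecipientDomainIs keeps the policy tenant-wide; narrower pilots can use -SentTo or -SentToMemberOf on the same rule cmdlets. With Action set to DynamicDelivery, users keep working on the message text while the sandbox verdict on the attachment is pending, which is the trade-off the Dynamic Delivery slide refers to.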
TRADITIONAL PLATFORM STACK: JUST ONE VULNERABILITY AWAY FROM FULL COMPROMISE

Stack layers, top to bottom: Apps, Windows Platform Services, Kernel, Device Hardware.
VIRTUALIZATION BASED SECURITY WITH WINDOWS DEFENDER SYSTEM GUARD

Windows operating system: Apps, Windows Platform Services, Kernel.
Windows Defender System Guard (isolated environment): Trustlet #1, Trustlet #2, Trustlet #3, on their own Kernel.
Both environments run on the Hyper-V hypervisor on top of the device hardware.
PASS THE HASH ATTACKS: Today's security challenge
TODAY'S SECURITY CHALLENGE: PASS THE HASH ATTACKS

Access to one device can lead to access to many.

1. A single IT Pro's machine is compromised. The IT Pro manages kiosks/shared devices on the network. The attacker steals the IT Pro's access token.
2. Using the IT Pro's access token, the attacker looks for kiosk/shared devices and mines them for tokens.
3. Repeat.
TODAY'S SOLUTION: CREDENTIAL GUARD

- Pass the Hash (PtH) attacks are the #1 go-to tool for hackers, used in nearly every major breach and APT type of attack.
- Credential Guard uses Windows Defender System Guard to isolate Windows authentication from the Windows operating system.
- Protects the LSA Service (LSASS) and derived credentials (NTLM hash).
- Fundamentally breaks derived credential theft using Mimikatz.

Diagram: Credential Guard runs as a trustlet (alongside Trustlet #2 and Trustlet #3) inside Windows Defender System Guard, with its own Kernel, next to the Windows operating system (Apps, Windows Platform Services, Kernel); both run on the Hyper-V hypervisor on top of the device hardware.
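Whether the virtualization based security described on the System Guard slide and Credential Guard are actually running on a given machine can be read from the Win32_DeviceGuard WMI class. The following is an added example, not from the presentation: it assumes Windows 10 version 1607 or later (or Windows Server 2016) and an elevated PowerShell session, and the function name Get-VbsStatus is the example's own.

```powershell
# Added example (not from the presentation): report Virtualization Based
# Security and Credential Guard state from the Win32_DeviceGuard WMI class.
# Assumes Windows 10 1607+ / Server 2016+ and an elevated PowerShell session.

function Get-VbsStatus {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard'

    # VirtualizationBasedSecurityStatus: 0 = not enabled,
    # 1 = enabled but not running, 2 = running
    $vbsState = switch ($dg.VirtualizationBasedSecurityStatus) {
        0       { 'Not enabled' }
        1       { 'Enabled, not running' }
        2       { 'Running' }
        default { "Unknown ($_)" }
    }

    # SecurityServicesConfigured / SecurityServicesRunning are integer arrays:
    # 1 = Credential Guard, 2 = Hypervisor-enforced Code Integrity (HVCI)
    [pscustomobject]@{
        VbsStatus                   = $vbsState
        CredentialGuardConfigured   = ($dg.SecurityServicesConfigured -contains 1)
        CredentialGuardRunning      = ($dg.SecurityServicesRunning    -contains 1)
        HvciConfigured              = ($dg.SecurityServicesConfigured -contains 2)
        HvciRunning                 = ($dg.SecurityServicesRunning    -contains 2)
        # Platform features VBS requires vs. what the hardware/firmware offers
        # (e.g. Secure Boot, DMA protection); a gap here explains "configured
        # but not running".
        RequiredSecurityProperties  = $dg.RequiredSecurityProperties
        AvailableSecurityProperties = $dg.AvailableSecurityProperties
    }
}

$status = Get-VbsStatus
$status | Format-List

if (-not $status.CredentialGuardRunning) {
    Write-Warning 'Credential Guard is not running: LSASS secrets (NTLM hashes, Kerberos tickets) are not isolated by VBS on this machine.'
}
```

The distinction between "configured" and "running" is the one that matters when auditing a fleet: a policy can push Credential Guard to every device, but a device whose firmware lacks the required security properties will report it configured and never start it, and that device still holds the derived credentials the pass-the-hash slide describes in plain LSASS memory.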
TODAY'S CHALLENGE: APPS
OUR ANSWER: APPS MUST EARN TRUST BEFORE USE
WINDOWS DEFENDER ANTIVIRUS PROTECTION

Protection that competes to win: scored 100% detection in real-world testing against top competitors (AV-TEST, Feb 2017).
Behavior and cloud-powered malware detection: can detect fast-changing malware variants using behavior monitoring and cloud-powered protection that expedites signature delivery.
Tamper resistant: Windows Trusted Boot and platform isolation protect Windows Defender from attacks and enable it to self-repair.
Built into Windows and always up to date: no additional deployment and infrastructure; continuously up to date, lower costs.
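The protections this slide counts on (real-time scanning, behavior monitoring, cloud-delivered protection and current signatures) can each be switched off by policy or by an attacker with local admin, so a defender wants a quick posture check. The following is an added example, not from the presentation: it uses the Defender PowerShell cmdlets built into Windows 10, and the function name Get-DefenderPosture and the one-day signature threshold are the example's own choices.

```powershell
# Added example (not from the presentation): check that the Windows Defender
# Antivirus protections are on, using the built-in Defender PowerShell module.
# Assumes Windows 10 with Windows Defender Antivirus installed.

function Get-DefenderPosture {
    $status = Get-MpComputerStatus   # engine / protection state
    $pref   = Get-MpPreference       # configured preferences (policy view)

    # MAPSReporting: 0 = cloud protection off, 1 = basic, 2 = advanced
    $cloud = switch ($pref.MAPSReporting) {
        0       { 'Off' }
        1       { 'Basic' }
        2       { 'Advanced' }
        default { "Unknown ($_)" }
    }

    [pscustomobject]@{
        AntivirusEnabled     = $status.AntivirusEnabled
        RealTimeProtection   = $status.RealTimeProtectionEnabled
        BehaviorMonitoring   = $status.BehaviorMonitorEnabled
        CloudProtection      = $cloud
        SignatureAgeDays     = $status.AntivirusSignatureAge
        SignatureLastUpdated = $status.AntivirusSignatureLastUpdated
    }
}

$posture = Get-DefenderPosture
$posture | Format-List

# Flag the gaps that undo the protections described on the slide.
if (-not $posture.AntivirusEnabled) {
    Write-Warning 'Windows Defender Antivirus is not the active antivirus on this machine.'
}
if (-not $posture.RealTimeProtection) {
    Write-Warning 'Real-time protection is disabled.'
}
if (-not $posture.BehaviorMonitoring) {
    Write-Warning 'Behavior monitoring is disabled; fast-changing variants will only be caught by signatures.'
}
if ($posture.CloudProtection -eq 'Off') {
    Write-Warning 'Cloud-delivered protection (MAPS) is off; expedited signature delivery will not happen.'
}
if ($posture.SignatureAgeDays -gt 1) {   # example threshold: one day
    Write-Warning "Signatures are $($posture.SignatureAgeDays) day(s) old."
}
```

Reading both Get-MpComputerStatus and Get-MpPreference matters: the first reports what the engine is doing right now, the second what has been configured, and a mismatch between them (behavior monitoring configured on but reported off, for instance) is itself worth an alert.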
ATTACKS HAPPEN FAST AND ARE HARD TO STOP

If an attacker sends an email to 100 people in your company, 23 people will open it, 11 people will open the attachment, and six will do it in the first hour.
WINDOWS DEFENDER ADVANCED THREAT PROTECTION: DETECT ADVANCED ATTACKS AND REMEDIATE BREACHES

Built into Windows: no additional deployment and infrastructure; continuously up to date, lower costs.
Behavior-based, cloud-powered breach detection: actionable, correlated alerts for known and unknown adversaries; real-time and historical data.
Rich timeline for investigation: easily understand the scope of a breach; data pivoting across endpoints; deep file and URL analysis.
Unique threat intelligence knowledge base: unparalleled threat optics provide detailed actor profiles; 1st- and 3rd-party threat intelligence data.
CUSTOMER