Securing Privileged Access

Related security workstreams:
- Securing High Value Assets
- Datacenter Security
- Information Protection
- Information Worker and Device Protection

Environment in scope (diagram labels):
- Azure Active Directory
- 3rd Party IaaS, IaaS
- Rights Management Services, Key Management Services
- Microsoft Azure PaaS, Office 365, 3rd Party SaaS
- Admin Environment
- High Value Assets, On-Premises Datacenters
- Branch Office, Intranet and Remote PCs, Mobile Devices
- Customer and Partner Access
Typical attack timeline (diagram):
- Research & Preparation
- First Host Compromised
- Domain Admin Compromised: 24-48 hours after the first host
- Attacker Undetected (Data Exfiltration): more than 200 days (varies by industry)
- Attack Discovered
Active Directory and Administrators control all the assets under attack. One small mistake can lead to attacker control.

Attackers can:
- Steal any data
- Modify documents
- Impersonate users
- Disrupt business operations
Anatomy of a credential theft attack (demo: http://aka.ms/pthdemo)
1. Beachhead (phishing attack, etc.)
2. Lateral Movement
   a. Steal credentials
   b. Compromise more hosts and credentials
3. Privilege Escalation
   a. Compromise unpatched servers
   b. Get Domain Admin credentials
4. Execute Attacker Mission
   a. Steal data, destroy systems, etc.
   b. Persist presence
Typical time from beachhead to Domain Admin credentials: 24-48 hours

Administrative tiers (diagram labels); the chain above climbs from the workstation tier to Tier 0:
- Tier 0: Domain & Enterprise Admins
- Tier 1: Server Admins
- Tier 2: Workstation & Device Admins
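The tier model only holds if logons that cross tiers are caught: a Tier 0 account used interactively on a Tier 2 workstation leaves its hash or ticket on a host the attacker already owns, which is exactly the step 2/3 path above. The following PowerShell is an added example, not part of the deck or of Microsoft's tooling; the account names, host names, tier assignments and logon records are constructed for illustration, and in a real environment the tier tables would be derived from group membership and the PAW inventory.

```powershell
# Added example (not from the deck): flag logon events in which a higher-tier
# account exposes its credential on a lower-tier host. Names are constructed.

# Assumed tier assignment (derive from AD group membership / host OU in practice).
$AccountTier = @{
    'CONTOSO\da-alice'    = 0   # Domain Admin (Tier 0)
    'CONTOSO\srv-bob'     = 1   # Server admin (Tier 1)
    'CONTOSO\wsadm-carol' = 2   # Workstation admin (Tier 2)
}
$HostTier = @{
    'DC01'      = 0
    'PAW-T0-01' = 0
    'SQL01'     = 1
    'WKS-0427'  = 2
}

# Logon types that leave reusable credentials on the target:
# 2 = Interactive, 10 = RemoteInteractive (RDP without Restricted Admin).
# Type 3 (Network) does not cache the credential on the target.
$CredentialExposingLogonTypes = @(2, 10)

function Test-TierViolation {
    param([Parameter(Mandatory)][pscustomobject]$Event)
    $acctTier = $AccountTier[$Event.Account]
    $hostTier = $HostTier[$Event.Host]
    # Unknown account or host: report nothing rather than guess a tier.
    if ($null -eq $acctTier -or $null -eq $hostTier) { return $null }
    # Violation: lower tier number (more privileged) account on a higher tier number host,
    # e.g. a Domain Admin (0) logging on to a workstation (2).
    if ($acctTier -lt $hostTier -and $Event.LogonType -in $CredentialExposingLogonTypes) {
        return [pscustomobject]@{
            Account   = $Event.Account
            Host      = $Event.Host
            LogonType = $Event.LogonType
            Reason    = "Tier $acctTier credential exposed on Tier $hostTier host"
        }
    }
    return $null
}

# Constructed sample of successful-logon (event 4624) records. In production,
# collect them with Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624}
# from the hosts or from a central log collector.
$SampleLogons = @(
    [pscustomobject]@{ Account = 'CONTOSO\da-alice';    Host = 'DC01';     LogonType = 2  }  # allowed
    [pscustomobject]@{ Account = 'CONTOSO\da-alice';    Host = 'WKS-0427'; LogonType = 10 }  # violation
    [pscustomobject]@{ Account = 'CONTOSO\srv-bob';     Host = 'WKS-0427'; LogonType = 2  }  # violation
    [pscustomobject]@{ Account = 'CONTOSO\srv-bob';     Host = 'SQL01';    LogonType = 3  }  # allowed (network)
    [pscustomobject]@{ Account = 'CONTOSO\wsadm-carol'; Host = 'WKS-0427'; LogonType = 2  }  # allowed
)

$SampleLogons | ForEach-Object { Test-TierViolation $_ } | Where-Object { $_ } | Format-Table -AutoSize
```

Run against the sample, the two violations are da-alice on WKS-0427 and srv-bob on WKS-0427. Network logons (type 3) are deliberately not flagged, since they do not leave a reusable credential on the target; RDP is flagged unless the environment enforces Restricted Admin, which is a Stage 2 hardening item in this deck.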
How to protect your privileges against these attacks: a three-stage mitigation plan (http://aka.ms/sparoadmap)
- Stage 1: 2-4 weeks
- Stage 2: 1-3 months
- Stage 3: 6+ months

Stage 1 (2-4 weeks): Top Priority Mitigations
First response to the most frequently used attack techniques.
1. Separate admin account for admin tasks
2. Privileged Access Workstations (PAWs), Phase 1: Active Directory admins (http://aka.ms/cyberpaw)
3. Unique local admin passwords for workstations (http://aka.ms/laps)
4. Unique local admin passwords for servers (http://aka.ms/laps)
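Items 3 and 4 are listed separately because the read permissions should be separate too: helpdesk staff who can read workstation passwords must not be able to read server passwords. The following PowerShell is an added example of how that deployment and its coverage check look with the LAPS AdmPwd.PS module; it is not from the deck. The OU paths, group names, GPO names and password policy values are constructed placeholders, and it assumes the AdmPwd.PS, ActiveDirectory and GroupPolicy modules are installed and that the one-time schema update is run with Schema Admin rights.

```powershell
# Added example (not from the deck): deploy LAPS (http://aka.ms/laps) with one
# scope per tier and verify coverage. OU, group and GPO names are placeholders.
Import-Module AdmPwd.PS, ActiveDirectory, GroupPolicy

# One-time: extend the computer class with ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime.
Update-AdmPwdADSchema

# Separate scopes so Tier 2 helpdesk cannot read server passwords and vice versa.
$Scopes = @(
    @{ OU = 'OU=Workstations,DC=contoso,DC=com'; Readers = 'CONTOSO\Tier2-Helpdesk';     Gpo = 'LAPS - Workstations' }
    @{ OU = 'OU=Servers,DC=contoso,DC=com';      Readers = 'CONTOSO\Tier1-ServerAdmins'; Gpo = 'LAPS - Servers' }
)

foreach ($s in $Scopes) {
    # Each computer (SELF) may write its own password and expiry attributes.
    Set-AdmPwdComputerSelfPermission -OrgUnit $s.OU
    # Only the named group may read the clear-text password or force a reset.
    Set-AdmPwdReadPasswordPermission  -OrgUnit $s.OU -AllowedPrincipals $s.Readers
    Set-AdmPwdResetPasswordPermission -OrgUnit $s.OU -AllowedPrincipals $s.Readers

    # Settings read by the LAPS client-side extension (policy key from AdmPwd.admx).
    if (-not (Get-GPO -Name $s.Gpo -ErrorAction SilentlyContinue)) { New-GPO -Name $s.Gpo | Out-Null }
    $key = 'HKLM\SOFTWARE\Policies\Microsoft Services\AdmPwd'
    Set-GPRegistryValue -Name $s.Gpo -Key $key -ValueName 'AdmPwdEnabled'      -Type DWord -Value 1  | Out-Null
    Set-GPRegistryValue -Name $s.Gpo -Key $key -ValueName 'PasswordComplexity' -Type DWord -Value 4  | Out-Null  # upper, lower, digits, specials
    Set-GPRegistryValue -Name $s.Gpo -Key $key -ValueName 'PasswordLength'     -Type DWord -Value 20 | Out-Null
    Set-GPRegistryValue -Name $s.Gpo -Key $key -ValueName 'PasswordAgeDays'    -Type DWord -Value 30 | Out-Null
    New-GPLink -Name $s.Gpo -Target $s.OU -ErrorAction SilentlyContinue | Out-Null
}

# Coverage check: an enabled computer with no ms-Mcs-AdmPwdExpirationTime has not
# applied LAPS yet and still carries the shared local admin password.
function Get-LapsCoverageGap {
    param([Parameter(Mandatory)][string]$OrgUnit)
    Get-ADComputer -SearchBase $OrgUnit -Filter 'Enabled -eq $true' -Properties 'ms-Mcs-AdmPwdExpirationTime' |
        Where-Object { -not $_.'ms-Mcs-AdmPwdExpirationTime' } |
        Select-Object Name, DistinguishedName
}

foreach ($s in $Scopes) { Get-LapsCoverageGap -OrgUnit $s.OU }

# Reading a password is a privileged, audited operation. Reset after use so the
# value you just saw does not stay valid:
#   Get-AdmPwdPassword   -ComputerName 'WKS-0427'
#   Reset-AdmPwdPassword -ComputerName 'WKS-0427'
```

Run the coverage function again after a Group Policy refresh cycle; machines still listed are the ones an attacker with one stolen local hash can still move to.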
Stage 2 (1-3 months): Build visibility and control of administrator activity, increase protection against typical follow-up attacks
1. Privileged Access Workstations (PAWs), Phases 2 and 3: all admins and additional hardening (Credential Guard, RDP Restricted Admin, etc.) (http://aka.ms/cyberpaw)
2. Time-bound privileges (no permanent admins) (http://aka.ms/pam, http://aka.ms/azurepim)
3. Multi-factor authentication for elevation
4. Just Enough Administration (JEA) for DC maintenance (http://aka.ms/jea)
5. Lower attack surface of domain and DCs (http://aka.ms/hardenad)
6. Attack detection (http://aka.ms/ata)
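Item 4, JEA for DC maintenance, is the one that removes the need for routine operators to hold Domain Admin credentials at all: the operator connects to a constrained endpoint that exposes only a whitelist of commands and runs them under a virtual account. The following PowerShell is an added example, not from the deck; the group name, module name, endpoint name and transcript path are constructed placeholders. It assumes Windows Management Framework 5.0 or later on the DC.

```powershell
# Added example (not from the deck): a JEA endpoint (http://aka.ms/jea) that
# lets Tier 1 operators restart DNS/Netlogon and inspect replication on a DC
# without Domain Admin credentials. Names and paths are placeholders.

$ModuleRoot = "$env:ProgramFiles\WindowsPowerShell\Modules\DcMaintenanceJea"
$RoleDir    = Join-Path $ModuleRoot 'RoleCapabilities'
New-Item -ItemType Directory -Path $RoleDir -Force | Out-Null
# Role capability files must live under a valid module's RoleCapabilities folder.
New-ModuleManifest -Path (Join-Path $ModuleRoot 'DcMaintenanceJea.psd1')

# The role capability is the real security boundary: on a DC the virtual account
# has Domain Admin rights, so anything visible here runs with those rights.
# ValidateSet pins Restart-Service to two services; no other cmdlets are visible.
# Do not expose external executables (all-or-nothing, no argument filtering) or
# cmdlets that run arbitrary code (Invoke-Expression, Start-Process, Set-Content).
New-PSRoleCapabilityFile -Path (Join-Path $RoleDir 'DcOperator.psrc') `
    -VisibleCmdlets @(
        @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'DNS', 'Netlogon' } },
        @{ Name = 'Get-Service';     Parameters = @{ Name = 'Name' } },
        'Get-ADReplicationFailure',
        'Get-ADReplicationPartnerMetadata'
    )

# RestrictedRemoteServer = NoLanguage mode with a minimal built-in cmdlet set;
# RunAsVirtualAccount = operator never receives a Tier 0 credential;
# TranscriptDirectory = every session is recorded for review (Stage 2 visibility).
$ConfigPath = Join-Path $ModuleRoot 'DcMaintenance.pssc'
New-PSSessionConfigurationFile -Path $ConfigPath `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JeaTranscripts' `
    -RoleDefinitions @{ 'CONTOSO\Tier1-DcOperators' = @{ RoleCapabilities = 'DcOperator' } }

# Validate the file before registering; a malformed file fails closed at connect time.
if (-not (Test-PSSessionConfigurationFile -Path $ConfigPath)) { throw 'Invalid session configuration file' }
Register-PSSessionConfiguration -Name 'DcMaintenance' -Path $ConfigPath -Force | Out-Null

# Operator side (from a Tier 1 PAW):
#   Enter-PSSession -ComputerName DC01 -ConfigurationName DcMaintenance
#   Get-Command            # shows only the whitelisted cmdlets plus JEA defaults
#   Restart-Service -Name DNS
#   Restart-Service -Name Spooler   # rejected: not in the ValidateSet
```

Before trusting the endpoint, connect as a member of the operator group and confirm that Get-Command lists nothing beyond the role, and that the transcript directory fills up; members of Domain Admins should not be put in the role definition, because JEA is a replacement for their standing access, not an addition to it.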
Stage 3 (6+ months): Move to a proactive security posture
1. Modernize roles and delegation model
2. Smartcard or Passport authentication for all admins (http://aka.ms/passport)
3. Admin forest for Active Directory administrators (http://aka.ms/esae)
4. Code Integrity policy for DCs (Server 2016)
5. Shielded VMs for virtual DCs (Server 2016 Hyper-V fabric) (http://aka.ms/shieldedvms)
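Item 4, a Code Integrity policy for DCs, stops the step 3a/4 tooling of the attack chain (unsigned or unknown binaries) from running on the DC at all. The following PowerShell is an added example of the build, audit and enforce sequence with the ConfigCI module that ships with Windows Server 2016; it is not from the deck. The paths are constructed placeholders and it assumes it is run on a clean reference DC build that contains every component the production DCs need.

```powershell
# Added example (not from the deck): build a Code Integrity policy from a
# reference DC, deploy it in audit mode, fold in what audit caught, then enforce.
# Paths are placeholders. Uses the ConfigCI module on Windows Server 2016.

$Dir        = 'C:\CIPolicy'
$PolicyXml  = Join-Path $Dir 'DC_Baseline.xml'
$AuditXml   = Join-Path $Dir 'DC_AuditFindings.xml'
$MergedXml  = Join-Path $Dir 'DC_Enforced.xml'
$PolicyBin  = Join-Path $Dir 'SIPolicy.p7b'
New-Item -ItemType Directory -Path $Dir -Force | Out-Null

# Scan the reference build. Publisher level trusts signed code by its signer
# certificate; Fallback Hash pins anything unsigned to its hash; UserPEs
# includes user-mode binaries, not only drivers.
New-CIPolicy -Level Publisher -Fallback Hash -FilePath $PolicyXml -UserPEs -ScanPath 'C:\'

# Rule option 3 = Enabled:Audit Mode. Violations are logged, not blocked, so a
# missing driver or agent shows up as an event instead of a DC that will not boot.
Set-RuleOption -FilePath $PolicyXml -Option 3
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin
# Deploy to the DC and reboot:
#   Copy-Item $PolicyBin "$env:windir\System32\CodeIntegrity\SIPolicy.p7b"

# After a representative period (patching, backup, monitoring agents all ran),
# list what enforcement would have blocked.
function Get-CIAuditBlock {
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076 } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}
Get-CIAuditBlock | Format-List

# Turn the audit events into rules and merge them into the baseline. Review
# $AuditXml first: an attacker's tool that ran during the audit window would be
# whitelisted by this step.
New-CIPolicy -Audit -Level Publisher -Fallback Hash -FilePath $AuditXml -UserPEs
Merge-CIPolicy -PolicyPaths $PolicyXml, $AuditXml -OutputFilePath $MergedXml

# Remove audit mode to enforce, rebuild the binary and redeploy as above.
Set-RuleOption -FilePath $MergedXml -Option 3 -Delete
ConvertFrom-CIPolicy -XmlFilePath $MergedXml -BinaryFilePath $PolicyBin
```

An unsigned policy can be replaced by anyone with local admin on the DC, which on a DC means any Tier 0 account; for production, sign the policy so that only a newer policy signed by the same certificate can supersede it, and keep the signing key off the domain entirely.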
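Stage 2 item 2 (no permanent admins) and Stage 3 item 2 (smartcard authentication for all admins) can be audited with one pass over the Tier 0 groups. The following PowerShell is an added example, not from the deck; the domain, group and account names are constructed. It assumes the Windows Server 2016 ActiveDirectory module and, for the time-to-live checks and remediation, a forest with the Privileged Access Management optional feature enabled.

```powershell
# Added example (not from the deck): audit Tier 0 group members for permanent
# membership and for missing smart card enforcement. Names are placeholders.
Import-Module ActiveDirectory

$Tier0Groups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

function Get-Tier0AdminFinding {
    foreach ($g in $Tier0Groups) {
        # With -ShowMemberTimeToLive, time-bound members render as "<TTL=seconds>,<DN>".
        $members = (Get-ADGroup -Identity $g -Properties member -ShowMemberTimeToLive).member
        foreach ($m in $members) {
            $ttl = $null; $dn = $m
            if ($m -match '^<TTL=(\d+)>,(.+)$') { $ttl = [int]$Matches[1]; $dn = $Matches[2] }

            # Skip nested groups and foreign principals; expand those in a separate pass.
            $obj = Get-ADObject -Identity $dn -Properties objectClass
            if ($obj.objectClass -ne 'user') { continue }

            $u = Get-ADUser -Identity $dn -Properties SmartcardLogonRequired, PasswordLastSet
            [pscustomobject]@{
                Group             = $g
                Account           = $u.SamAccountName
                PermanentMember   = ($null -eq $ttl)
                TtlSeconds        = $ttl
                SmartcardRequired = [bool]$u.SmartcardLogonRequired
                # A smartcard-only account still has an NT hash. If it is never
                # rolled, that hash stays a valid pass-the-hash credential.
                PasswordLastSet   = $u.PasswordLastSet
            }
        }
    }
}

$findings = Get-Tier0AdminFinding
$findings | Where-Object { $_.PermanentMember -or -not $_.SmartcardRequired } | Format-Table -AutoSize

# Remediation for the smart card finding. Review the output, then drop -WhatIf.
$findings | Where-Object { -not $_.SmartcardRequired } |
    ForEach-Object { Set-ADUser -Identity $_.Account -SmartcardLogonRequired $true -WhatIf }

# Replacing a permanent membership with a time-bound one (PAM feature required):
#   Enable-ADOptionalFeature 'Privileged Access Management Feature' -Scope ForestOrConfigurationSet -Target 'contoso.com'
#   Remove-ADGroupMember -Identity 'Domain Admins' -Members 'da-alice' -Confirm:$false
#   Add-ADGroupMember    -Identity 'Domain Admins' -Members 'da-alice' -MemberTimeToLive (New-TimeSpan -Hours 2)
```

Enabling the Privileged Access Management optional feature is irreversible, so test it in a lab forest first; once a membership carries a TTL, the Kerberos tickets issued to that account are also limited to the remaining TTL, which is what makes the privilege genuinely expire rather than merely the group entry.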
How Can Microsoft Services Help?
- Assess your current risk level and build a prioritized plan
- Rapid deployment of proven solutions
- Support and operationalize new technologies
- Tailored to your needs
Accelerate deployment to maximize your defenses!
ASSUME BREACH
Respond: Incident Response via Premier, based on proven response practices
- Premier Support: Service Delivery Management
- Cyber Incident Response
- Proactive Services
- Problem Resolution Services
Response scenarios:
- Non-malicious or internal
- Malicious, external
What Every Customer Needs to Do: a roadmap to improve your cybersecurity position