Critical Hygiene for Preventing Major Breaches

Similar documents
Securing Privileged Access Securing High Value Assets Datacenter Security Information Protection Information Worker and Device Protection

Cybersecurity Best Practices

Cyber Defense Operations Center

K12 Cybersecurity Roadmap

Building a Resilient Security Posture for Effective Breach Prevention

THE EFFECTIVE APPROACH TO CYBER SECURITY VALIDATION BREACH & ATTACK SIMULATION

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

CYBERSECURITY MATURITY ASSESSMENT

CYBER RISK MANAGEMENT: ADDRESSING THE CHALLENGE SIMON CRUMPLIN, FOUNDER & CEO

Cyber security tips and self-assessment for business

How Breaches Really Happen

Evolution of Cyber Security. Nasser Kettani Chief Technology Officer Microsoft, Middle East and Africa

Premediation. The Art of Proactive Remediation. Matthew McWhirt, Senior Manager Manfred Erjak, Principal Consultant OCTOBER 1 4, 2018 WASHINGTON, D.C.

Designing and Building a Cybersecurity Program

FTA 2017 SEATTLE. Cybersecurity and the State Tax Threat Environment. Copyright FireEye, Inc. All rights reserved.

Building Resilience in a Digital Enterprise

Security by Default: Enabling Transformation Through Cyber Resilience

Joe Stocker, CISSP, MCITP, VTSP Patriot Consulting

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.

CISO as Change Agent: Getting to Yes

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

IT Security Training MS-500: Microsoft 365 Security Administration. Upcoming Dates. Course Description. Course Outline $2,

Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

TRAINING WEEK COURSE OUTLINE May RADISSON HOTEL TRINIDAD Port of Spain, Trinidad, W.I.

PLANNING AZURE INFRASTRUCTURE SECURITY - AZURE ADMIN ACCOUNTS PROTECTION & AZURE NETWORK SECURITY

ANATOMY OF AN ATTACK!

Cybersecurity Today Avoid Becoming a News Headline

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Unauthorized Access

the SWIFT Customer Security

TOP 10 IT SECURITY ACTIONS TO PROTECT INTERNET-CONNECTED NETWORKS AND INFORMATION

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Data Theft

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Malware Outbreak

Combating Cyber Risk in the Supply Chain

AZURE CLOUD SECURITY GUIDE: 6 BEST PRACTICES. To Secure Azure and Hybrid Cloud Environments

May 14, :30PM to 2:30PM CST. In Plain English: Cybersecurity and IT Exam Expectations

Securing Windows Server 2016

Securing Privileged Access and the SWIFT Customer Security Controls Framework (CSCF)

Course Outline. Course Outline :: 20744A::

Juniper Vendor Security Requirements

Tripwire State of Cyber Hygiene Report

Course Outline 20744B

Future Forests: Realistic Strategies for AD Security & Red Forest Architecture

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Virus Outbreak

Protecting Against Modern Attacks. Protection Against Modern Attack Vectors

[MS20744]: Securing Windows Server 2016

DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE

10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS

Delivering Integrated Cyber Defense for the Cloud Generation Darren Thomson

RSA. The security division of EMC. Visibilidad total en el entorno de seguridad. Javier Galvan Systems Engineer Mexico & NOLA

Defensible Security DefSec 101

Introducing Cyber Observer

Maximum Security with Minimum Impact : Going Beyond Next Gen

A Measurement Companion to the CIS Critical Security Controls (Version 6) October

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Elevation of Privilege

align security instill confidence

WHITEPAPER ATTIVO NETWORKS DECEPTION TECHNOLOGY FOR MERGERS AND ACQUISITIONS

A New Cyber Defense Management Regulation. Ophir Zilbiger, CRISC, CISSP SECOZ CEO

Top 20 Critical Security Controls (CSC) for Effective Cyber Defense. Christian Espinosa Alpine Security

Getting over Ransomware - Plan your Strategy for more Advanced Threats

Service Provider View of Cyber Security. July 2017

Strategy is Key: How to Successfully Defend and Protect. Session # CS1, February 19, 2017 Karl West, CISO, Intermountain Healthcare

CERT Development EFFECTIVE RESPONSE

Securing Windows Server 2016

Evolution Of Cyber Threats & Defense Approaches

WHITEPAPER ATTIVO NETWORKS THREATDEFEND PLATFORM AND THE MITRE ATT&CK MATRIX

Securing IEDs against Cyber Threats in Critical Substation Automation and Industrial Control Systems

CS 356 Operating System Security. Fall 2013

Are we breached? Deloitte's Cyber Threat Hunting

20744: Securing Windows Server Sobre o curso. Microsoft. Nível: Avançado Duração: 35h

Sneak Peak at CIS Critical Security Controls V 7 Release Date: March Presented by Kelli Tarala Principal Consultant Enclave Security

Securing Dynamic Data Centers. Muhammad Wajahat Rajab, Pre-Sales Consultant Trend Micro, Pakistan &

Personal Physical Security

Privilege Security & Next-Generation Technology. Morey J. Haber Chief Technology Officer

How do you track devices that have been approved for use? Are you automatically alerted if an unapproved device connects to the network?

Building a Threat-Based Cyber Team

Fidelis Overview. 15 August 2016 ISC2 Cyber Defense Forum

Cyber Resilience. Think18. Felicity March IBM Corporation

CYBERARK GDPR ADVISORY. SECURE CREDENTIALS. SECURE ACCESS. A PRIVILEGED ACCOUNT SECURITY APPROACH TO GDPR READINESS

Cybersecurity The Evolving Landscape

Surprisingly Successful: What Really Works in Cyber Defense. John Pescatore, SANS

RSA NetWitness Suite Respond in Minutes, Not Months

10x Increase Your Team s Effectiveness by Automating the Boring Stuff

Defense-in-Depth Against Malicious Software. Speaker name Title Group Microsoft Corporation

The Evolution of : Continuous Advanced Threat Protection

2018 WTA Spring Meeting Are You Ready for a Breach? Troy Hawes, Senior Manager

THE POWER OF TECH-SAVVY BOARDS:

Microsoft Securing Windows Server 2016

Security Gaps from the Field

2017 Annual Meeting of Members and Board of Directors Meeting

Identity & Access Management

Introduction to Threat Deception for Modern Cyber Warfare

Technology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited

Mike Spear, Ops Leader Greg Maciel, Cyber Director INDUSTRIAL CYBER SECURITY PROGRAMS

Cyber Security Program

The Common Access Card The problems it solves (and the ones it doesn t) Quest Software/One Identity Dan Conrad Federal CTO

Question No: 1 After running a packet analyzer on the network, a security analyst has noticed the following output:

Managing Microsoft 365 Identity and Access

with Advanced Protection

"Charting the Course... MOC C: Securing Windows Server Course Summary

Transcription:

SESSION ID: CXO-F02 Critical Hygiene for Preventing Major Breaches Jonathan Trull Microsoft Enterprise Cybersecurity Group @jonathantrull Tony Sager Center for Internet Security @CISecurity Mark Simos Microsoft Enterprise Cybersecurity Group @MarkSimos

The CISO Challenge

The Playing Field 23% of recipients opened phishing messages 50% of those who open and click attachments do so within the first hour 24 hours from click to domain compromise 6,449 new vulnerabilities in 2016 16% of new vulnerabilities rated as critical 100Ks of detections per day

Microsoft Threat Landscape Last 6 Months 68 incidents across 8 different countries responded to by Global Incident Response & Recovery Team 15,000 cases worked by the Cyber Defense Operations Center 85 90% of Incidents could have been prevented by: 1. Patching Critical Vulnerabilities 2. Removing Administrative Privileges 3. Using Strong Passwords / MFA

CISO s Coefficient CISO s Coefficient ((Team Efficiency) x (Business Disruption)) (Return on Investment)

Key Objectives 1. 2. 3.

The Fog of More anti-malware standards encryption need-to-know governance continuous monitoring baseline configuration SDL audit logs threat intelligence user awareness training two-factor authentication security controls DLP supply-chain security certification penetration testing threat feed best practice virtualization risk management framework compliance security bulletins incident response browser isolation maturity model whitelisting assessment SIEM sandbox 7

The Defender s Challenges What s the right thing to do, and how much do I need to do? How do I actually do it? And then how do I demonstrate to others that I have done the right thing? 8

A few cybersecurity lessons Cybersecurity is like a movie Groundhog Day, not Independence Day Cyber Defense = Information Management not Information Sharing, not technology; the most important verb is translate How do I translate millions of data points into the most effective action, at the right time? Defenders have limits: info, choices, budget, time. Attackers don t perform magic They have a plan, a budget, a Boss 9

The CIS Community Attack Model 10

Calculating Security ROI Security Return on Investment (SROI) Defender Return: Ruin Attacker ROI Deters opportunistic attacks Slows or stops determined attacks Defender Investment: Attacker Return: Successful Attacks Attacker Investment: Cost of Attack

Focus on Raising Attacker Cost RUIN ATTACKER S ECONOMIC MODEL BREAK THE KNOWN ATTACK PLAYBOOK RAPID RESPONSE AND RECOVERY ELIMINATE OTHER ATTACK VECTORS

Methodology

24-48 Hours 1. Beachhead (Phishing Attack, etc.) 2. Lateral Movement a. Steal Credentials b. Compromise more hosts & credentials 3. Privilege Escalation a. Get Domain Admin credentials 4. Execute Attacker Mission a. Steal data, destroy systems, etc. b. Persist Presence Tier 0 Domain & Enterprise Admins Tier 1 Server Admins Tier 2 Workstation & Device Admins

Credential Theft Demonstration DC Domain.Local Attack Operator DomainAdmin Client http://aka.ms/credtheftdemo

Protecting Active Directory and Admin privileges 30 Days 90 Days Beyond First response to the most frequently used attack techniques 3. Unique Local Admin Passwords for Workstations http://aka.ms/laps 4. Unique Local Admin Passwords for Servers http://aka.ms/laps 1. Separate Admin account for admin tasks 2. Privileged Access Workstations (PAWs) Phase 1 - Active Directory admins http://aka.ms/cyberpaw

Protecting Active Directory and Admin privileges 30 Days 90 Days Beyond Build visibility and control of administrator activity, increase protection against typical follow-up attacks 6. Attack Detection http://aka.ms/ata 2. Time-bound privileges (no permanent admins) http://aka.ms/pam http://aka.ms/azurepim 3. Multi-factor for elevation 9872521 1. Privileged Access Workstations (PAWs) Phases 2 and 3 All Admins and additional hardening (Credential Guard, RDP Restricted Admin, etc.) http://aka.ms/cyberpaw 4. Just Enough Admin (JEA) for DC Maintenance http://aka.ms/jea 5. Lower attack surface of Domain and DCs http://aka.ms/hardenad

Protecting Active Directory and Admin privileges 30 Days 90 Days Beyond Move to proactive security posture 1. Modernize Roles and Delegation Model 5. Shielded VMs for virtual DCs (Server 2016 Hyper-V Fabric) http://aka.ms/shieldedvms 2. Smartcard or Passport Authentication for all admins http://aka.ms/passport 3. Admin Forest for Active Directory administrators http://aka.ms/esae 4. Code Integrity Policy for DCs (Server 2016)

Roadmap for Securing Privileged Access Attack Demo http://aka.ms/credtheftdemo SPA Roadmap http://aka.ms/sparoadmap

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback