About: Consultant for many years, mainly working with the defense and public sector. MCSE on Windows Server 2000 security ;-)
CYBERCRIME: STATE OF THE UNION
EVOLUTION OF ATTACKS
- Mischief: script kiddies, unsophisticated
- Fraud and theft: organized crime, more sophisticated
- Damage and disruption: nations, terror groups, activists; very sophisticated and well resourced
ATTACK VECTORS
- Attack the applications and infrastructure
- Attack the virtualization fabric itself
ANATOMY OF AN ATTACK
- ENTER (user device): browser or doc exploit delivery; malicious attachment delivery; phishing attacks
- ESTABLISH: Internet service compromise; browser or doc exploit execution; malicious attachment execution; stolen credential use
- EXPAND (network): kernel exploits; kernel-mode malware; Pass-the-Hash
- ENDGAME: business disruption; lost productivity; data theft; espionage, loss of IP; ransom
MICROSOFT IS COMMITTED TO BE YOUR SECURITY VENDOR
"We will continue to invest over $1 billion annually on cyber security research and development in the coming years, and this amount does not include acquisitions we may make in the sector." Bharat Shah, Microsoft Vice President of Security
"Microsoft to continue to invest over $1 billion a year on cyber security", Tova Cohen, Reuters, January 26, 2017
Source: Zero Day Auction for the Masses
THE WINDOWS 10 SECURITY: PROTECT, DETECT & RESPOND
- Threat Protection: protect, detect, and respond to the most advanced threats using hardware-based security and the power of the cloud
- Identity Protection: kick passwords to the curb with a convenient, easy to use and enterprise-grade alternative that is designed for today's mobile-first world
- Information Protection: protect data on lost and stolen devices and prevent accidental data leaks using data separation, containment, and encryption
- Servicing and Centralized Security Management
Pre-breach:
- Prevent Encounters: use the power of the cloud to prevent devices from ever encountering threats
- Isolate Threats: isolate threats from the things you care about by using containers to hardware-isolate apps and sensitive Windows functions and data
- Control Execution: nearly every attack requires the execution of unauthorized code. Use application control or detection-based means to prevent unauthorized code from running
Post-breach:
- Detect Behaviors: monitor the system for the indicators of compromise from advanced and highly targeted attacks using a post-breach solution
- Investigate and Respond: block unhealthy devices from resources and provide SecOps with the optics and tools to investigate, respond and remediate from the most advanced attacks
TRADITIONAL PLATFORM STACK: JUST ONE VULNERABILITY AWAY FROM FULL COMPROMISE
Stack (top to bottom): Apps; Windows Platform Services; Kernel; Device Hardware
Virtualization-based security stack (top to bottom): Device Hardware runs the Hypervisor, which hosts two isolated environments side by side:
- Windows Operating System: Kernel; Windows Platform Services; Apps
- Windows Defender System Guard Container: Trustlet #1; Trustlet #2; Trustlet #3
TRADITIONAL EXECUTABLE FILE BASED ATTACKS
OUR ANSWER: EXECUTABLE CODE MUST EARN TRUST BEFORE USE
- Protection that competes to win: scored 100% detection in Real World Testing against top competitors (AV-Test, February 2017)
- Behavior and cloud-powered protection: can detect fast-changing malware variants using behavior monitoring and cloud-powered protection that expedites signature delivery
- Tamper resistant: Windows Trusted Boot and platform isolation protect Windows Defender from attacks and enable it to self-repair
- Built in and always up to date: no additional deployment and infrastructure; continuously up to date, lower costs
MODERN FILELESS BASED ATTACKS
OUR ANSWER: BLOCK FILELESS BASED ATTACKS
Windows Defender Advanced Threat Protection: Windows Enterprise E3 / Windows Enterprise E5
- Built into Windows 10, not bolted on: protection built deep into Windows and in the cloud provides best-in-class performance and eliminates 3rd-party agents and complex infrastructure
- Analytics-based, cloud-powered protection and response: fusing deep OS expertise, data science and the Microsoft Intelligent Security Graph to quickly adapt to changing threats, deploy new defenses, and orchestrate remediation
- Single pane of glass and centralized management: enterprise grade, easy to enable and integrate into your environment; enables security operations to investigate, determine the scope of an incident and take action using correlated data across the suite
- Amplified by the power of Microsoft Secure: the Windows Defender suite is a key component of the Microsoft Secure stack that brings together and amplifies security across devices, identity and information
Demo: Integrated Protection, Detection, and Response
THE WINDOWS 10 SECURITY: PROTECT, DETECT & RESPOND
Identity Protection: kick passwords to the curb with a convenient, easy to use and enterprise-grade alternative that is designed for today's mobile-first world
WINDOWS HELLO FOR BUSINESS
- Device-based multi-factor user credential
- Utilize familiar devices
- An asymmetric key pair, provisioned via PKI or created locally via Windows 10
- Secured by hardware
BIOMETRIC MODALITIES: FACIAL PERIPHERALS
- USB webcams: Logitech BRIO 4K/HDR; Razer Stargazer (Intel SR300); Creative Labs BlasterX Senz3D (Intel SR300); others by Mouse Computer Japan (MCJ), Japan-only
- Monitors with face modules: Lenovo; HP
COMPANION DEVICE AUTHENTICATION: WINDOWS HELLO COMPANION DEVICE FRAMEWORK
Companion devices: phone; Band 2; USB; RFID; wearable; card
TODAY'S SOLUTION: CREDENTIAL GUARD
- Pass the Hash (PtH) attacks are the #1 go-to tool for hackers, used in nearly every major breach and APT-type attack
- Credential Guard uses VBS to isolate Windows authentication from the Windows operating system
- Protects the LSA Service (LSASS) and derived credentials (NTLM hash)
- Fundamentally breaks derived credential theft using Mimikatz
Diagram: Device Hardware runs the Hypervisor (Hyper-V); the Windows Operating System (Kernel, Windows Platform Services, Apps) runs beside the Windows Defender System Guard container, which hosts the Credential Guard trustlet alongside Trustlet #2 and Trustlet #3
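Credential Guard only protects LSASS when virtualization-based security is actually running, so a defender needs to verify the deployed state rather than the policy. This added example (not from the deck) reads the Win32_DeviceGuard WMI class that ships with Windows 10 and reports VBS, Credential Guard and HVCI status; the value meanings in the comments are the documented ones for that class.

```powershell
# Added example: report whether VBS, Credential Guard and HVCI are configured AND running.
function Get-VbsProtectionStatus {
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard `
                          -Namespace 'root\Microsoft\Windows\DeviceGuard'

    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
    $vbsState = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Running' }

    # SecurityServicesConfigured / SecurityServicesRunning are arrays of service ids:
    # 1 = Credential Guard, 2 = HVCI (hypervisor-enforced code integrity)
    [pscustomobject]@{
        VbsStatus                 = $vbsState[[int]$dg.VirtualizationBasedSecurityStatus]
        CredentialGuardConfigured = [bool]($dg.SecurityServicesConfigured -contains 1)
        CredentialGuardRunning    = [bool]($dg.SecurityServicesRunning    -contains 1)
        HvciConfigured            = [bool]($dg.SecurityServicesConfigured -contains 2)
        HvciRunning               = [bool]($dg.SecurityServicesRunning    -contains 2)
        # Platform prerequisites the firmware reports as available,
        # e.g. 1 = base virtualization support, 2 = Secure Boot, 3 = DMA protection
        AvailableSecurityProperties = ($dg.AvailableSecurityProperties -join ',')
    }
}

$status = Get-VbsProtectionStatus
$status | Format-List

# "Configured but not running" is the state attackers hope for: the policy is set,
# but LSASS secrets are still in the normal kernel's reach. Treat it as a finding.
if ($status.CredentialGuardConfigured -and -not $status.CredentialGuardRunning) {
    Write-Warning 'Credential Guard is configured but not running; check Secure Boot and virtualization prerequisites.'
}
```

Run it elevated on the endpoint; in a fleet, the same query can be collected by your configuration-management or EDR tooling to find hosts where the protection silently failed to start.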
THE WINDOWS 10 SECURITY: PROTECT, DETECT & RESPOND
Information Protection: protect data on lost and stolen devices and prevent accidental data leaks using data separation, containment, and encryption
YOUR INFORMATION PROTECTION NEEDS
- Device protection: protect system and data when the device is lost or stolen (BitLocker enhancements in Windows 8.1; InstantGo; 3rd-party adoption)
- Data separation: containment, data separation
- Leak protection: prevent unauthorized users and apps from accessing and leaking data
- Sharing protection: protect data when shared with others, or shared outside of organizational devices and control
INFORMATION PROTECTION NEEDS: THE WINDOWS ANSWER
- Device protection: BitLocker enhancements in Windows 8.1; InstantGo; 3rd-party BitLocker adoption
- Data separation and leak protection: Windows Information Protection
- Sharing protection: Azure Rights Management; Office 365
Windows Server 2016 Protect credentials and privileged access
- Credential Guard and Remote Credential Guard
- Just Enough Administration (JEA) and Just in Time Administration (JIT): JEA + JIT = limited in time and capability, i.e. only the required capability for the required time
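The "required capability" half of JEA is expressed as a role capability file plus a constrained session configuration. This added example (not from the deck) registers a JEA endpoint that lets a helpdesk group restart only the print spooler, running as a temporary virtual account so no standing admin credential exists to steal; the group name, module name, paths and endpoint name are assumptions for illustration.

```powershell
# Added example: a minimal JEA endpoint ("SpoolerOps") limited to one service.
# Role capabilities are discovered from <module>\RoleCapabilities\*.psrc under the Modules path.
$moduleDir = "$env:ProgramFiles\WindowsPowerShell\Modules\SpoolerOps"   # assumed module name
$rcDir     = Join-Path $moduleDir 'RoleCapabilities'
New-Item -ItemType Directory -Path $rcDir -Force | Out-Null
New-ModuleManifest -Path (Join-Path $moduleDir 'SpoolerOps.psd1')

# Role capability: the ONLY commands visible in the session, with the -Name
# parameter pinned to 'Spooler' so the role cannot restart anything else.
New-PSRoleCapabilityFile -Path (Join-Path $rcDir 'SpoolerOperator.psrc') `
    -VisibleCmdlets @(
        @{ Name = 'Get-Service';     Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler' } },
        @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler' } }
    )

# Session configuration: maps an AD group (assumed) to the role, runs the session as a
# virtual account, and keeps transcripts so SecOps can reconstruct what was done.
$pssc = Join-Path $env:TEMP 'SpoolerOps.pssc'
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JEATranscripts' `
    -RoleDefinitions @{ 'CONTOSO\Helpdesk' = @{ RoleCapabilities = 'SpoolerOperator' } }

# Validate the file before registering; a malformed .pssc would otherwise register silently.
if (-not (Test-PSSessionConfigurationFile -Path $pssc)) { throw "Invalid session configuration: $pssc" }
Register-PSSessionConfiguration -Name 'SpoolerOps' -Path $pssc -Force

# A helpdesk user then connects to the constrained endpoint; anything outside the role
# is not merely denied, it is not visible at all:
#   Enter-PSSession -ComputerName printsrv01 -ConfigurationName SpoolerOps
```

The JIT half (granting membership in CONTOSO\Helpdesk only for a time window) is handled by a privileged access management solution, not by the session configuration itself.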
Windows Server 2016: Protect the virtualization fabric (virtual machines)
Contrast: Shielded VM; Host Guardian Service; Generation 2 VM
Windows Server 2016 Protect applications and data in any cloud
CONTROL FLOW GUARD (CFG)
- Helps ensure that trusted binaries execute as intended
- Helps prevent attacks that use memory corruption vulnerabilities
- CFG places controls on how an otherwise-trusted application executes code
- Provides defenses against exploits such as buffer overflows
WINDOWS DEFENDER
- In-box anti-malware that is server-workload aware
- Deep integration with Windows security systems
- Anti-tampering (protecting critical dependent OS services); registry hardening; file-less malware
- Actively protects against malware without impacting workloads
DEVICE GUARD
- Hardware-rooted code integrity
- Windows can be locked down to run ONLY trusted binaries
- Untrusted binaries, such as malware, are unable to run
- Protects kernel-mode processes and drivers from zero-day attacks as well as vulnerabilities through the use of HVCI
- Code integrity policies can be signed and protected against malicious administrators
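The "run ONLY trusted binaries" lockdown is driven by a code integrity policy. This added example (not from the deck) uses the ConfigCI cmdlets that ship with Windows 10 Enterprise to build a policy from a clean reference machine, start it in audit mode so blocks are logged rather than enforced, and compile it for deployment; the file paths are assumptions, and the rule-option numbers are the documented ones for these cmdlets.

```powershell
# Added example: build a Device Guard code integrity policy in audit mode.
# Run on a known-good "golden" image, never on a host that may already be compromised.
$xmlPath = 'C:\CIPolicy\InitialPolicy.xml'   # assumed working paths
$binPath = 'C:\CIPolicy\SIPolicy.p7b'
New-Item -ItemType Directory -Path (Split-Path $xmlPath) -Force | Out-Null

# Scan the system and trust binaries by their publisher certificate; anything that cannot be
# attributed to a publisher falls back to a per-file hash rule. -UserPEs also covers user-mode code.
New-CIPolicy -FilePath $xmlPath -Level Publisher -Fallback Hash -UserPEs -ScanPath 'C:\'

# Rule option 3 = "Enabled:Audit Mode": untrusted code still runs, but each would-be block is
# written to Microsoft-Windows-CodeIntegrity/Operational (event ID 3076), which is the data
# you tune the policy from before flipping to enforcement (Set-RuleOption ... -Option 3 -Delete).
Set-RuleOption -FilePath $xmlPath -Option 3

# Rule option 6 = "Enabled:Unsigned System Integrity Policy". Deleting it makes Windows reject
# an unsigned .p7b, which is what protects the policy from a malicious administrator; it is
# left in place here only because this example does not sign the policy.
# Set-RuleOption -FilePath $xmlPath -Option 6 -Delete

# Compile the XML into the binary format the kernel loads.
ConvertFrom-CIPolicy -XmlFilePath $xmlPath -BinaryFilePath $binPath

# Deploy: copy to the location Windows reads at boot, then reboot to activate.
#   Copy-Item $binPath "$env:SystemRoot\System32\CodeIntegrity\SIPolicy.p7b"

# Afterwards, review what audit mode would have blocked before enforcing:
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076 } -MaxEvents 50 |
    Select-Object TimeCreated, Message
```

Expect the first audit run to flag legitimate line-of-business software that lacks a publisher signature; add those files (or sign them) before removing audit mode, otherwise enforcement will break them.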