Cloud Security, Mobility and Current Threats
Tristan Watkins, Head of Research and Innovation
Threat Landscape
Verizon Data Breach Investigations Report
Verizon DBIR: Threat actors and actions
Verizon DBIR: Threat actor motive (2016)
Verizon DBIR: Threat actor method (2016)
Verizon DBIR: Breached assets (2016)
Verizon DBIR: Time to compromise (2016)
Verizon DBIR: Time to discovery (2016)
DLP: Insider risks
Why? "We see individuals abusing the access they have been entrusted with by their organization in virtually every industry... with financial gain and convenience being the primary motivators (40% of incidents), whether they plan to monetize stolen data by selling it to others (such as with financial data) or by directly competing with their former employer."
How?
DLP: accidental and outsider risks
- Unintended data leaks are very hard to protect against
- For every way that data can be lost, we need a specific (often unique) defence
- Examples of unintended data loss:
  - Lost/stolen device
  - Lost/stolen drives/media
  - Credential theft: keystroke loggers, bad password practices, social engineering
  - Wrong recipient
  - Memory scraping
- Neither file-level protections nor FDE (full disk encryption) will solve for all of these risks
Phishing and social engineering
- "23% of recipients now open phishing messages and 11% click on attachments."
- "a campaign of just 10 e-mails yields a greater than 90% chance that at least one person will become the criminal's prey."
- "nearly 50% of users open e-mails and click on phishing links within the first hour... the median time-to-first-click coming in at one minute, 22 seconds across all campaigns."
Signature Detection Obsolescence
- Much of today's malware code is modified so quickly that it will avoid detection
- 99% of malware hashes are seen for only 58 seconds or less. In fact, most malware was seen only once.
- 40 million malware samples
- 3.8 million malware signatures (90%+ is found only once in the data)
- 20,000 common signatures across organisations
- 99.95% is organisationally unique
- Signature modification can be trivially automated in PowerShell
Image Courtesy of John Lambert, General Manager of the Microsoft Threat Intelligence Center
Modernising Security
What is driving change?
(diagram labels: Storage, corp data; Users; On-premises)
Life before clouds:
- Only sanctioned apps are installed
- Resources accessed via managed devices/networks
- IT had layers of defense protecting internal apps
- IT has a known security perimeter
Life with clouds:
- User chooses apps (unsanctioned, shadow IT)
- User can access resources from anywhere
- Data is shared by user and cloud apps
- IT has limited visibility and protection
Microsoft Enterprise Mobility Management (Enterprise Mobility Suite)
- Azure Active Directory Premium (Identity & Access Management): Easily manage identities across on-premises and cloud. Single sign-on & self-service for any application.
- Advanced Threat Analytics (User & Entity Behaviour Analytics): Identify suspicious activities and advanced threats in near real time, with simple, actionable reporting.
- Azure Rights Management Premium (Information Protection): Encryption, identity, and authorisation to secure corporate files and email across phones, tablets, and PCs.
- Intune & Configuration Manager (Mobile Device & App Management): Manage and protect corporate apps and data on almost any device with MDM & MAM.
- Cloud App Security (Cloud Access Security Broker): Protecting customer data by providing IT visibility, control, and security over cloud applications.
- Azure RemoteApp (Windows App Virtualisation): Share Windows applications and other resources with users on almost any device.
(diagram labels: Users, Identity Theft, Data, Devices & Apps, SaaS Apps, Windows Apps)
Active Directory Problem Spaces
- User Experience: Makes a user's life easier by providing a single sign-on (SSO) for computers, applications and services
- IT Administration: Simplifies system administration by centralising management of users, computers and policies
- Platform services: Simplifies development by providing authentication, users, groups and/or claims
- Security/Compliance: Lots of complicated non-functional stuff
What would IT be without Active Directory?
- Sign-on would be a colossal mess
- IT administrators' lives would be incredibly repetitive and inefficient
- ...but we would reclaim simplicity from efficiency
What is Azure AD to a user?
The home of my corporate identity:
- How I prove who I am, including additional factors of authentication
- Details about who I am (profiles)
- What I belong to (groups)
- The service I entrust with my personal data (privacy protections/compliance)
Gateway to my apps:
- A gateway to my apps: Access Panel
- A trustworthy face for cloud resources (custom branding/logos)
Gateway to my internal network from the outside world:
- Self-Service Password Reset (SSPR)
- Application Proxy (Reverse Proxy)
- Workplace Join (Device Registration Service)
What is Azure AD to IT?
Directory Service:
- The directory is built with Active Directory Lightweight Directory Services (AD LDS)
- Sync on-premises Active Directory Domain Services (AD DS) objects with DirSync/AAD Connect
- DirSync and AADSync were wrapped up with related tools in a new package called AAD Connect
Security Token Service:
- Like AD FS. Enables federated sign-on to Office 365, Azure and Software as a Service providers
- Also provides authentication and authorisation services to Azure Websites like SharePoint Apps
Advanced stuff:
- Multiple Factors of Authentication (MFA), AKA 2FA. Think: PIN verification for sign-on
- Application Proxy (Reverse Proxy): Sign-on to on-premises stuff from outside the network
- Device Authentication: restrict sign-on to trusted devices (enables BYOD)
- Reporting and Alerts: Detects unusual/sketchy sign-on patterns and alerts administrators
What is Azure AD to a developer?
- Common Consent (OAuth 2.0): Secures Apps for Office and SharePoint with or without user authentication. Sometimes Apps will be permitted to authorize on behalf of a user.
- Graph API: Querying the directory. User Profile sync enhancements may originate here.
- Directory Extensions: New attributes in Azure AD, flowing through to other services eventually.
Back to Basics: What is Windows Logon?
- Username/password
- Smart card
- PIN/gesture (picture password)
- Hello (fingerprint, face, iris)
Azure Active Directory Capabilities
Risk Ranking
Defence-in-Depth