Transcription
Windows 10: Identity and Security

"Cyber security is a CEO issue." (McKinsey)
- 3.0 trillion: impact of lost productivity and growth
- 3.5 million: average cost of a data breach (15% YoY increase)
- 500 million: corporate liability coverage
Cyber threats are a material risk to your business.
Source: McKinsey, Ponemon Institute, Verizon

EVOLUTION OF ATTACKS
- Mischief: script kiddies (unsophisticated)
- Fraud and theft: organized crime (more sophisticated)
- Damage and disruption: nations, terror groups, activists (very sophisticated and well resourced)
RANSOMWARE
ANATOMY OF AN ATTACK
- ENTER (user): browser or doc exploit delivery; malicious attachment delivery; phishing attacks; internet service compromise
- ESTABLISH (device): browser or doc exploit execution; malicious attachment execution; stolen credential use; kernel exploits; kernel-mode malware
- EXPAND (network): Pass-the-Hash
- ENDGAME: business disruption; lost productivity; data theft; espionage, loss of IP; ransom

ANATOMY OF AN ATTACK: STRONTIUM
- USER: phishing (the user lands on an exploit page, the page runs the exploit, and the user is redirected to a legitimate page)
- DEVICE: browser or doc exploit execution
- NETWORK: Pass-the-Hash
- ENDGAME: theft of sensitive information, disruption of government
THE WINDOWS 10 DEFENSE STACK: PROTECT, DETECT & RESPOND
Pre-breach:
- Device protection: device integrity; device control; security policies
- Threat resistance: SmartScreen; Windows Firewall; Microsoft Edge; Device Guard; Windows Defender
- Identity protection: Windows Hello; built-in 2FA; Microsoft Passport; Credential Guard
- Information protection: BitLocker and BitLocker to Go; Windows Information Protection
Post-breach:
- Breach detection, investigation & response: Conditional Access; Windows Defender ATP

CAPABILITY GAME CHANGE: THREAT PROTECTION OVER TIME WITH WINDOWS AS A SERVICE
- Attackers take advantage of protection gap periods between releases
- Disrupt and out-innovate adversaries by design
(Chart: threat sophistication against product releases over time, showing the protection gap between releases)
Windows 7 Security
(Stack coverage slide: PRE-BREACH protection categories, including information protection, against POST-BREACH breach detection, investigation & response)

Windows 10 Security on Legacy or Modern Devices (Upgraded from Windows 7 or 32-bit Windows ...)
(Same PRE-BREACH / POST-BREACH layout)

Windows 10 Security on Modern Devices (Fresh Install or upgraded from 64-bit Windows 8 ...)
(Same PRE-BREACH / POST-BREACH layout)
DEVICE PROTECTION: SECURE ROOTS OF TRUST
- Device integrity
- Cryptographic processing
- Biometrics sensors
- Virtualization

TRADITIONAL PLATFORM STACK (diagram, top to bottom): Apps; Windows Platform Services; Kernel; Device Hardware

VIRTUALIZATION BASED SECURITY: WINDOWS 10 (diagram)
- Device Hardware, with the Hyper-V hypervisor above it
- Windows Operating System partition: Kernel; Windows Platform Services; Apps
- System Container partition: Kernel; Trustlet #1; Trustlet #2; Trustlet #3

VIRTUALIZATION BASED SECURITY: THE FUTURE (diagram)
- Device Hardware, with the Hyper-V hypervisor above it
- Windows Operating System partition: Kernel; Windows Platform Services; Apps
- AppContainer partition: Kernel; Windows Platform Services
- System Container partition: Kernel; Critical System Processes
TRADITIONAL APPROACH
Types of threats to consider and mitigate: device tampering; vulnerabilities; malware; phishing

COMPREHENSIVE THREAT RESISTANCE
- External: Office ATP; SmartScreen; Windows Firewall
- Internal: Microsoft Edge; Windows Defender; Device Guard

Windows 10: PROTECT FROM THE EDGE
Protect devices before they encounter threats
PROACTIVE THREAT IDENTIFICATION AND PROTECTION
Microsoft SmartScreen
- Phishing and malware filtering technology for Microsoft Edge and Internet Explorer 11 in Windows 10.
- Provides protection from drive-by attacks.
- Cloud service is continuously updated, nothing for you to deploy.
Exchange Online Advanced Threat Protection
- Cloud-based email filtering service helps protect against unknown malware and viruses.
- URL trace technology examines potentially harmful links.

Windows 10: PROTECT FROM WITHIN
The operating system uses defense in depth to address threats that get inside the perimeter
MICROSOFT EDGE: DESIGNED FOR SECURE BROWSING
Microsoft Edge is the most secure browser Microsoft has ever shipped
- Objective: keep our customers safe when browsing the web
- Strategy: make it difficult and costly for attackers to find and exploit vulnerabilities in Microsoft Edge
- Tactics: eliminate vulnerabilities before attackers can find them; break exploitation techniques used by attackers; contain the damage when vulnerabilities are discovered; prevent navigation to known exploit sites

MICROSOFT EDGE: BUILDING A SAFER BROWSER
Fundamentally improve security and enable users to confidently experience the web when using Windows 10
- Defend users: SmartScreen; Microsoft Passport and Windows Hello; Cert. Reputation, EdgeHTML, W3C Content Security Policy, HTTP Strict Transport Security
- Defend the browser: Universal Windows Platform; Windows Address Space Layout Randomization on 64-bit systems; MemGC; Control Flow Guard

MICROSOFT EDGE SECURITY IMPROVEMENTS
Before: full access to win32k.sys. Today: 60% less surface area of attack on a highly targeted library.
- Microsoft Edge and Flash no longer have full access to win32k.sys: API calls are filtered.
- Only 40% of interfaces are available to Flash and Edge, reducing attack surface.
- Flash player moves into its own AppContainer.
- Working directly with Adobe to harden Flash player to be resistant to vulnerability exploits.
(Diagram: the Edge content process and the Flash host process of the Microsoft Edge browser call into the Windows kernel; before, all win32k.sys interfaces were reachable; today, allowed win32k.sys interfaces are separated from blocked ones.)
MICROSOFT EDGE
Hardware-based isolation enables the most secure browsing experience
- Windows Defender Application Guard protects the device from advanced attacks launched against Microsoft Edge.
- Malware and vulnerability exploits targeting the browser, including zero days, are unable to impact the operating system, apps, data and network.
- Application Guard uses virtualization-based security to hardware-isolate Microsoft Edge and any browsing activity away from the rest of the system.
- Closing Microsoft Edge wipes all traces of attacks that may have been encountered while online.

HARDWARE ISOLATION WITH WINDOWS DEFENDER APPLICATION GUARD (diagram)
- Device Hardware, with the Hyper-V hypervisor above it
- Windows Operating System partition: Kernel; Windows Platform Services; Apps
- Windows Defender Application Guard Container: Kernel; Windows Platform Services; Microsoft Edge
- System Container partition: Kernel; Critical System Processes

TODAY'S CHALLENGE: APPS

YOUR SECURITY DEPENDS ON A PLATFORM WHERE: APPS MUST EARN TRUST BEFORE USE

Windows 10: NEXT GENERATION APP CONTROL
Secure your devices with Device Guard
DEVICE GUARD: Hardware Rooted App Control
- Windows desktop can be locked down to only run trusted apps, just like many mobile OSs (e.g. Windows Phone).
- Untrusted apps and executables, such as malware, are unable to run.
- Signed policy secures configuration from tampering.
- Protects system core (kernel mode) and drivers from zero days and vulnerabilities.
- Requires Windows 8 certified or greater hardware with VT-x and VT-d.

DEVICE GUARD IN VBS ENVIRONMENT: DECISIVE MITIGATION (diagram)
- Device Hardware, with the Hyper-V hypervisor above it
- Windows Operating System partition: Kernel; Windows Platform Services; Apps
- System Container partition: Kernel; Device Guard; Trustlet #2; Trustlet #3

WINDOWS DEFENDER: ANTI-VIRUS PROTECTION
- Protection that competes to win: scored 98.1% detection rating from AV Comparatives testing against top competitors (March 2016).
- Behavior and cloud-powered malware detection: can detect fast-changing malware varietals using behavior monitoring and cloud-powered protection that expedites signature delivery.
- Tamper resistant: Windows Trusted Boot and platform isolation protect Windows Defender from attacks and enable it to self-repair.
- Built into Windows and always up-to-date: no additional deployment & infrastructure; continuously up-to-date; lower costs.
(Chart: Microsoft protection stars, AV-Test, 2014 to 2016)
WINDOWS 10 IDENTITY GOALS
- Mainstream two-factor authentication
- Make credentials theft resistant and breach and phish proof
- Deliver solution to both consumer and business users
- Provide a solution that works in all scenarios and industries

Windows 10: USER IDENTITY & AUTHENTICATION

SHARED SECRETS: easily mishandled or lost (Hint: the user is the problem)

PKI SOLUTIONS: complex, costly, and under attack

ENTERPRISE DEMANDS: reduce costs; simplify implementation
WINDOWS HELLO FOR BUSINESS: Device-Based Multi-Factor
- USER CREDENTIAL: an asymmetrical key pair, provisioned via PKI or created locally via Windows 10
- SECURED BY HARDWARE
- UTILIZE FAMILIAR DEVICES

FIDO ALLIANCE: example board-level members (logo slide)

BIOMETRIC MODALITIES
- Improved security
- Fingerprint and facial recognition
- Ease of use
- Impossible to forget
- VBS support

COMPANION DEVICE AUTHENTICATION: Windows Hello Companion Device Framework
Companion device types: phone; Band 2; wearable; USB; RFID; card

COMPANION DEVICE SCENARIOS
- Companion as second factor: increase convenience and improve security.
- Credentials are mobile and remain on companion: adds additional security by storing creds off of the device. Helps with compliance and convenience.
Windows 10: DERIVED CREDENTIALS & ACCESS TOKENS

"PASS THE HASH" ATTACKS: Today's security challenge

TODAY'S SECURITY CHALLENGE: PASS THE HASH ATTACKS
Access to one device can lead to access to many.
1. Single IT Pro's machine is compromised.
2. Using the IT Pro's access token, the attacker looks for kiosk/shared devices and mines them for tokens.
3. Repeat.
(Diagram captions: IT Pro manages kiosks/shared devices on network; attacker steals IT Pro's access token.)

TODAY'S SOLUTION: CREDENTIAL GUARD
- Protects LSA Service (LSASS) and derived credentials (NTLM hash).
- Fundamentally breaks derived credential theft using Mimikatz.
- Credential Guard uses VBS to isolate Windows authentication from the Windows operating system.
- Pass the Hash (PtH) attacks are the #1 go-to tool for hackers. Used in nearly every major breach and APT type of attack.
(Diagram: Device Hardware with the Hyper-V hypervisor above it; the Windows Operating System partition holds Kernel, Windows Platform Services and Apps; the System Container partition holds Kernel, Credential Guard, Trustlet #2 and Trustlet #3.)
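A defender's verification of the two VBS-hosted mitigations the deck describes (Credential Guard here, Device Guard in the earlier slide), added as an example and not part of the presentation: it reads the Win32_DeviceGuard WMI class that Windows 10 exposes and reports whether VBS, Credential Guard and Device Guard code integrity are configured and actually running. The function name is my own; the namespace, class, property names and value meanings are the documented ones.

```powershell
# Added example, not from the deck. Reads the documented Win32_DeviceGuard WMI
# class that Windows 10 exposes and reports whether VBS, Credential Guard and
# Device Guard (code integrity policy and HVCI) are configured and running.
# Run from an elevated PowerShell prompt on the device being checked.
function Get-VbsProtectionStatus {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard'
    if (-not $dg) { throw 'Win32_DeviceGuard is not available on this system.' }

    # Documented codes in SecurityServicesConfigured / SecurityServicesRunning:
    # 1 = Credential Guard, 2 = hypervisor-enforced code integrity (HVCI).
    # WMI returns UInt32, so cast to int before comparing with literal keys.
    $names      = @{ 1 = 'Credential Guard'; 2 = 'HVCI' }
    $configured = [int[]]$dg.SecurityServicesConfigured
    $running    = [int[]]$dg.SecurityServicesRunning
    $available  = [int[]]$dg.AvailableSecurityProperties

    # Configured but not running is the gap to chase: policy is applied, but
    # the device has not rebooted or lacks a prerequisite (VT-x/VT-d, UEFI,
    # Secure Boot) of the kind the Device Guard slide lists as required.
    $gap = @(foreach ($code in $configured) {
        if ($running -notcontains $code) {
            if ($names.ContainsKey($code)) { $names[$code] } else { "service code $code" }
        }
    })

    [pscustomobject]@{
        # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
        VbsRunning             = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        CredentialGuardRunning = ($running -contains 1)
        HvciRunning            = ($running -contains 2)
        # CodeIntegrityPolicyEnforcementStatus: 0 = off, 1 = audit mode, 2 = enforced
        CodeIntegrityPolicy    = @('Off', 'Audit', 'Enforced')[[int]$dg.CodeIntegrityPolicyEnforcementStatus]
        ConfiguredNotRunning   = $gap
        # AvailableSecurityProperties codes: 1 = hypervisor support, 2 = Secure Boot, 3 = DMA protection
        HypervisorSupport      = ($available -contains 1)
        SecureBoot             = ($available -contains 2)
        DmaProtection          = ($available -contains 3)
    }
}

$status = Get-VbsProtectionStatus
$status | Format-List
if (-not $status.CredentialGuardRunning) {
    Write-Warning 'Credential Guard is not running: derived credentials in LSASS are not VBS-isolated.'
}
if ($status.ConfiguredNotRunning.Count -gt 0) {
    Write-Warning ('Configured but not running: ' + ($status.ConfiguredNotRunning -join ', '))
}
```

On a fleet, the same function run through remoting gives the "configured but not running" list per device, which is the population that still exposes NTLM hashes to the Pass-the-Hash chain on the previous slide.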
YOUR INFORMATION PROTECTION NEEDS
- DEVICE PROTECTION: protect system and data when device is lost or stolen (BitLocker; BitLocker enhancements in Windows 8.1; InstantGo; 3rd party)
- CONTAINMENT: prevent unauthorized users and apps from accessing and leaking data; data separation (Windows Information Protection)
- SHARING PROTECTION: protect data when shared with others, or shared outside of organizational devices and control (Azure Rights Management; Office 365)
Windows 10: DATA-AT-REST PROTECTION
The threat of lost or stolen devices

DEVICE ENCRYPTION: BitLocker
- Modern devices may be encrypted out-of-box with BitLocker technology
- Increased global acceptance of TPM; TPM pervasive on Windows devices by end 2015
- Easiest deployment, leading security, reliability, and performance
- Single sign-on for modern devices and configurable Windows 7 hardware
- Enterprise-grade management (MBAM) and compliance (FIPS)
INFORMATION PROTECTION (recap)
- Device protection: protect system and data when device is lost or stolen
- Containment: prevent unauthorized apps from accessing data; data separation
- Sharing protection

MARKET SOLUTIONS FOR DATA LOSS PREVENTION
- Mobile platforms: using containers; compromised user experience; ease of deployment; lowest cost
- Desktop platforms: limited platform integration; better user experience; difficult to deploy; higher cost

INTRODUCING WINDOWS INFORMATION PROTECTION
Integrated protection against accidental data leaks
- Protects data at rest locally and on removable storage.
- Common experience across all Windows 10 devices with copy and paste protection.
- Ships in the Windows 10 Anniversary Update.
- Seamless integration into the platform: no mode switching, and use any app.
- Corporate vs personal data identifiable wherever it rests on the device, and can be wiped.
- Prevents unauthorized apps from accessing business data and users from leaking data via copy and paste protection.

WINDOWS INFORMATION PROTECTION LIFECYCLE
INFORMATION PROTECTION (recap)
- Containment: prevent unauthorized apps from accessing data
- Sharing protection: protect data when shared with others, or shared outside of organizational devices and control; BYOD separation

SHARING PROTECTION: Rights Management Services
- Protect all file types, everywhere they go: cloud, email, BYOD.
- Support for all commonly used devices and systems: Windows, OSX, iOS, Android.
- Support for B2B and B2B via Azure AD.
- Support for on-premise and cloud-based scenarios (e.g. Office 365).
- Seamless, easy to provision, and support for FIPS 140-2 regulation and compliance.
Windows 10: SECURE YOUR ENVIRONMENT WITH CONDITIONAL ACCESS
Keep unhealthy devices out with Intune and Windows Device Health Attestation.

UNKNOWN PC HEALTH
Today, health is assumed when devices reach important resources.

WINDOWS DEVICE HEALTH ATTESTATION ENABLES:
MDMs to gate access to important resources based on device integrity and health.

ATTACKS HAPPEN FAST AND ARE HARD TO STOP
If an attacker sends an email to 100 people in your company, 23 people will open it, 11 people will open the attachment, and six will do it in the first hour.

WINDOWS DEFENDER ADVANCED THREAT PROTECTION
Detect advanced attacks and remediate breaches
- Built into Windows: no additional deployment & infrastructure; continuously up-to-date; lower costs.
- Behavior-based, cloud-powered breach detection: actionable, correlated alerts for known and unknown adversaries; real-time and historical data.
- Rich timeline for investigation: easily understand scope of breach; data pivoting across endpoints; deep file and URL analysis.
- Unique threat intelligence knowledge base: unparalleled threat optics provide detailed actor profiles; 1st and 3rd party threat intelligence data.

US DEPARTMENT OF DEFENSE
Microsoft receives the ultimate Windows 10 security proof point from the US Department of Defense: the Pentagon orders Windows 10 to be installed on all 4 million of its PCs.
Summary: Identities; Information protection; Threat resistance

Resources: aka.ms/ITInnovation
- Continue your learning: download the presentation, access online training and demos, try Windows 10 for free. aka.ms/ITInnovationResources
- Build your IT Pro skills: attend the Microsoft Tech Summit. www.microsoft.com/techsummit