Presentation is loading. Please wait.

Presentation is loading. Please wait.

Microsoft Ignite 2016 6/2/2018 6:37 AM BRK2293

Published byKelley Lambert Modified over 6 years ago

Similar presentations

Presentation on theme: "Microsoft Ignite 2016 6/2/2018 6:37 AM BRK2293"— Presentation transcript:

1 Microsoft Ignite 2016 6/2/2018 6:37 AM BRK2293 Mitigate datacenter security threats with guided investigation using Operations Management Suite Yuri Diogenes Senior Content Developer Enterprise Mobility + Security (OMS / Azure Security Center) © 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

2 YOUR YOUR IT ENVIRONMENT OPPORTUNITY

3 YOUR YOUR IT ENVIRONMENT O P P O R T U N I T Y Smart cities Sensors
Vehicles Partners Energy systems Cloud Equipment On-premises YOUR YOUR IT ENVIRONMENT O P P O R T U N I T Y Mobile devices Marketplaces Manufacturers Citizens Supply Chains Customers

4 YOUR IT ENVIRONMENT

5 closing the gap between discovery and action
PROTECT across all endpoints, from sensors to the datacenter DETECT using targeted signals, behavioral monitoring, and machine learning YOUR YOUR SECURITY POSTURE IT ENVIRONMENT ! RESPOND closing the gap between discovery and action

6 Critical Mitigations: Typical Attack Chain
Compromises privileged access Tier 0 Domain & Enterprise Admins 24-48 Hours Directory Database(s) Beachhead (Phishing Attack, etc.) Domain Controllers Lateral Movement Steal Credentials Compromise more hosts & credentials Tier 1 Server Admins Privilege Escalation Get Domain Admin credentials Execute Attacker Mission Steal data, destroy systems, etc. Persist Presence Key Slide Outcome - Credential theft attacks are highly impactful and highly prevalent – they can happen on just about any environment today. This is a view of a typical attack we see on a typical environment. *CLICK 1* Attacks start by gaining control of a “beachhead” computer in your network, sometimes called “Patient Zero”. [Attacker] This is usually a phishing attack, but can also be done by compromising a website frequently visited by your users, by delivering malware through advertising, or other techniques. [Green Circle] Most attackers target domain controllers to gain access to all identities *CLICK 2* The next step for attackers is typically to gather credentials available on the compromised machines (including local administrator password hashes) They then move laterally within that Tier to compromise other computers and harvest more credentials This requires the attack to be an administrator on the local machine. This can happen when A user running as a local admin clicks “allow” on a security warning dialog in a browser or other application Attacker exploits an unpatched vulnerability on a computer (whether the user is running locally as local admin or only with standard user privileges) *CLICK 3* The attackers can directly attempt to escalate their access to the environment by directly attacking servers *CLICK 4* More commonly, we see privilege escalation by stealing higher tier credentials (e.g. domain admins) where they are exposed on lower tier devices (e.g. standard workstations) This leads to an attacker gaining full control of the environment This is a shared state of control, so it doesn’t “kick out” the real admins This attack is very difficult to detect with conventional means because attackers are using real legitimate credentials (and can then move to creating fake accounts, insall malware on any computer, etc.) Tier 2 Workstation & Device Admins

7 6/2/2018 6:37 AM Many organizations learn how to respond to security incidents only after suffering attacks. By this time, incidents often become much more costly than needed. © 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

8 Incident Response Stage 1 – Detect Stage 2 – Assess Stage 3 – Diagnose
6/2/2018 6:37 AM Incident Response Stage 1 – Detect Identifying suspicious activity requires a nexus of the latest intelligence capabilities, detection tools, and incident management solutions. Stage 2 – Assess Executing a preliminary assessment and evaluating its details as the investigation continues Stage 3 – Diagnose Examine the collected information, as well as to gain a better technical understanding of the event © 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

9 Leveraging OMS Security for Incident Response
6/2/2018 6:37 AM Leveraging OMS Security for Incident Response © 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

10 Attack Scenario Stage 1: Phishing e-mail (downloading malware)
6/2/2018 6:37 AM Attack Scenario Stage 1: Phishing (downloading malware) Stage 2: Lateral movement (suspicious activity) Stage 3: Privilege escalation (suspicious process) Stage 4: Cleaning evidence (event log) DETECT © 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

11 Demo: Leveraging OMS for Incident Response
Microsoft Ignite 2016 6/2/2018 6:37 AM Demo: Leveraging OMS for Incident Response Yuri Diogenes © 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

12 Botnet Scenario Stage 1 (Recruitment / Infection)
6/2/2018 6:37 AM Botnet Scenario Stage 1 (Recruitment / Infection) - Phishing (downloading malware / exploiting vulnerabilities) Stage 2 (Interaction): - Registration, C&C communication and external interaction (network communication) DETECT © 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

13 Demo: Leveraging OMS for Incident Response (BotNet Investigation)
Microsoft Ignite 2016 6/2/2018 6:37 AM Demo: Leveraging OMS for Incident Response (BotNet Investigation) Yuri Diogenes © 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

14 6/2/2018 6:37 AM Leveraging OMS Security and Azure Security Center for Incident Response Azure Security Center OMS Security Security for OMS Log Analytics Threat detection using advanced analytics Collection of security data from virtually any source (Azure or AWS, Windows Server or Linux, VMware or OpenStack) Insight into security status (antimalware, system updates) Correlations to detect malicious activities and search for rapid investigation Integrates operational and security management Security for Azure Asset discovery and ongoing security assessment (OS configurations, system updates, SQL Db configurations, virtual network configurations) Actionable security recommendations with easy remediation Security policy for IT governance Integrated management and monitoring of partner security solutions & Microsoft Operations Management Suite © 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

15 Demo: Leveraging Azure Security for Incident Response
Microsoft Ignite 2016 6/2/2018 6:37 AM Demo: Leveraging Azure Security for Incident Response Yuri Diogenes © 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

16 INTELLIGENCE PLATFORM INTELLIGENCE PARTNERS
Multi-factor authentication Data encryption User accounts Device log-ins Malware Unauthorized data access PLATFORM INTELLIGENCE PARTNERS Attacks INTELLIGENCE User log-ins Phishing Denial of service Spam System updates Enterprise security

17 OUR UNIQUE INTELLIGENCE
6/2/2018 6:37 AM OUR UNIQUE INTELLIGENCE 300B user authentications each month 1B Windows devices updated 200B s analyzed for spam and malware MSFT Field - Please view associated material at: © 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

18 Learn more To learn more about Azure Security Center, visit:
6/2/2018 6:37 AM Learn more To learn more about Azure Security Center, visit: urity-center To learn more about OMS Security, visit: us/documentation/suites/operations- management-suite/ Also available at Ignite Bookstore Book signing session: 1 to 1:30PM at Ignite Bookstore (Expo Hall) © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

19 Free IT Pro resources To advance your career in cloud technology
Microsoft Ignite 2016 6/2/2018 6:37 AM Free IT Pro resources To advance your career in cloud technology Plan your career path Cloud role mapping Expert advice on skills needed Self-paced curriculum by cloud role $300 Azure credits and extended trials Pluralsight 3 month subscription (10 courses) Phone support incident Weekly short videos and insights from Microsoft’s leaders and engineers Connect with community of peers and Microsoft experts Microsoft IT Pro Career Center Get started with Azure Microsoft IT Pro Cloud Essentials Demos and how-to videos Microsoft Mechanics Connect with peers and experts Microsoft Tech Community © 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

20 Please evaluate this session
6/2/2018 6:37 AM Please evaluate this session Your feedback is important to us! From your PC or Tablet visit MyIgnite at From your phone download and use the Ignite Mobile App by scanning the QR code above or visiting © 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

21 6/2/2018 6:37 AM © 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Download ppt "Microsoft Ignite 2016 6/2/2018 6:37 AM BRK2293"

Similar presentations

Learn how the cloud is accelerating network transformation

Learn how the cloud is accelerating network transformation
2/20/2018 7:04 PM BRK1038 Meet Azure Information Protection customers and learn about their success stories Jeffrey Kalfut Strategy & Architecture Manager,

2/20/2018 7:04 PM BRK1038 Meet Azure Information Protection customers and learn about their success stories Jeffrey Kalfut Strategy & Architecture Manager,
Deployment Planning Services

Deployment Planning Services
BRK1017 Taking your hybrid management and security strategy to the cloud with Operations Management Suite Jeremy Winter and Srini Chandrasekar.

BRK1017 Taking your hybrid management and security strategy to the cloud with Operations Management Suite Jeremy Winter and Srini Chandrasekar.
Microsoft Ignite 2016 4/30/2018 9:28 PM BRK3174

Microsoft Ignite /30/2018 9:28 PM BRK3174
Transform yourself and build your IT cloud career path

Transform yourself and build your IT cloud career path
Deliver business insights with Microsoft Dynamics AX and Power BI

Deliver business insights with Microsoft Dynamics AX and Power BI
Examine information management in Cortana Intelligence

Examine information management in Cortana Intelligence
Enterprise Security in Practice

Enterprise Security in Practice
Develop, debug and deploy containerized applications with Docker

Develop, debug and deploy containerized applications with Docker
5/31/2018 3:40 PM BRK3113 How Microsoft IT builds Privileged Access Workstation using Windows 10 and Windows Server 2016 Jian (Jane) Yan Sr. Program Manager.

5/31/2018 3:40 PM BRK3113 How Microsoft IT builds Privileged Access Workstation using Windows 10 and Windows Server 2016 Jian (Jane) Yan Sr. Program Manager.
Microsoft Operations Management Suite Insight and Analytics

Microsoft Operations Management Suite Insight and Analytics
Journey to Microsoft Secure Cloud

Journey to Microsoft Secure Cloud
Microsoft 2016 6/2/2018 3:42 PM BRK3129 Query Big Data using the Expanded T-SQL footprint with PolyBase in SQL Server 2016 Casey Karst Program Manager.

Microsoft /2/2018 3:42 PM BRK3129 Query Big Data using the Expanded T-SQL footprint with PolyBase in SQL Server 2016 Casey Karst Program Manager.
BRK3288-Discover data-driven apps that learn and adapt

BRK3288-Discover data-driven apps that learn and adapt
Configure and Manage Your Hybrid Cloud Environment at Scale

Configure and Manage Your Hybrid Cloud Environment at Scale
Conduct a successful pilot deployment of Microsoft Intune

Conduct a successful pilot deployment of Microsoft Intune
6/10/2018 5:07 PM THR2218 Deploying Windows Defender AV and more with Intune and Configuration Manager Amitai Rottem @AmitaiTechie Senior Program Manager,

6/10/2018 5:07 PM THR2218 Deploying Windows Defender AV and more with Intune and Configuration Manager Amitai Senior Program Manager,
Review the Nutanix Cloud Platform System Standard solution

Review the Nutanix Cloud Platform System Standard solution
SaaS Application Deep Dive

SaaS Application Deep Dive

Similar presentations

Ads by Google