
Securing Privileged Access from Active Attacks


1 Securing Privileged Access from Active Attacks
Microsoft Ignite 2016, session BRK2145 (slide footer: 6/12/2018 8:16 PM). Speakers: Mark Simos, Enterprise Cybersecurity Group; Ryan Puffer, Windows Server & Services. © 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

2 Cybersecurity Reference Architecture
DRAFT reference architecture. Statistics called out on the slide:
- 80%+ of employees admit using non-approved SaaS apps for work (Stratecast, December 2013).
- 63% of confirmed data breaches involve weak, default, or stolen passwords (Verizon 2016 Data Breach Investigations Report).
- Nearly all customer breaches Microsoft's Incident Response team investigates involve credential theft.

Components shown on the diagram, grouped by area:
Software as a Service: Office 365, Office 365 ATP, Lockbox, Cloud App Security
Security Operations Center (SOC): ASM, Vulnerability Management, Incident Response, Investigation and Recovery, Logs & Analytics (OMS), Active Threat Detection, Managed Security Provider, UEBA, Advanced Threat Analytics (ATA), Enterprise Threat Detection, Hunting Teams, SIEM and SIEM Integration, Analytics & Reporting
Identity & Access: Azure Active Directory, Azure AD Privileged Identity Management (AAD PIM), Conditional Access, Multi-Factor Authentication, Windows Hello for Business, MIM PAM, on-premises Active Directory, Admin Forest, Domain Controllers, Certification Authority (PKI), Privileged Access Workstations
Information Protection: Azure Information Protection (AIP) with classification, labelling, encryption, rights management, document tracking and reporting; DLP and Endpoint DLP; Windows Information Protection; SQL Encryption & Firewall; Azure Key Vault
Network edge / Extranet: SSL Proxy, Security Appliances, NGFW, IPS, Gateway Anti-malware, VPN, ExpressRoute, Azure App Gateway, Network Security Groups
On-premises Datacenter(s) and Microsoft Azure IaaS/Hoster: Windows Server 2016 Security (Secure Boot, Nano Server, Just Enough Admin, Device Guard, Credential Guard, Remote Credential Guard, Hyper-V Containers, ...), Shielded VMs for sensitive workloads, Enterprise Servers and VMs, Azure Security Center (Security Hygiene, Threat Detection), Azure Antimalware, Internet of Things
Managed Clients: Windows 10 Security (Secure Boot, Device Guard, Credential Guard, Remote Credential Guard, Windows Hello, Disk & Storage Encryption), Legacy Windows, EPP (Windows Defender), EDR (Windows Defender ATP), Windows Event Forwarding (WEF), System Management + Patching (SCCM + Intune)
Unmanaged & Mobile Clients: Intune MDM/MAM, IoT, Mac OS

3 SECURE MODERN ENTERPRISE
A secure modern enterprise is resilient to threats and aligned to business objectives and the current threat environment. Four pillars sit on a Secure Platform (secure by design):
Identity: embraces identity as the primary security perimeter and protects identity systems, admins, and credentials as top priorities.
Apps and Data: aligns security investments with business priorities, including identifying and securing communications, data, and applications.
Infrastructure: operates on a modern platform and uses cloud intelligence to detect and remediate both vulnerabilities and attacks.
Devices: accesses assets from trusted devices with hardware security assurances, great user experience, and advanced threat detection.

4 Identity Pillar
Embraces identity as the primary security perimeter and protects identity systems, admins, and credentials as top priorities.

Major identity challenges:
- Identity system security is critical to all security assurances.
- Attackers are actively targeting privileged access and identity systems.
- Identity attacks like credential theft are difficult to detect and investigate.
- Identity systems are complex and challenging to protect.
- Individual accounts have a large attack surface across devices and systems.

Related offerings: Securing Privileged Access; Securing Identities.

5 The Modern Enterprise
Diagram of the assets a modern enterprise must secure: Microsoft Azure (Azure Active Directory, Rights Management Services, Key Management Services, PaaS, IaaS), Office 365, 3rd-party IaaS, 3rd-party SaaS, the Admin Environment, High Value Assets, Customer and Partner Access, On-Premises Datacenters, Branch Offices, Intranet and Remote PCs, and Mobile Devices. (Slide reused from Microsoft Ignite 2015; © 2015 Microsoft Corporation.)

6 Identity is the new security “perimeter”
Active Directory and its administrators control all the assets. The diagram places Active Directory and Azure Active Directory at the center of the enterprise.

7 Identity is the new security “perimeter” under attack
Active Directory and its administrators control all the assets, so an attacker who gains control of Active Directory or Azure Active Directory (the slide shows the entry point as a user browsing) can:
- Steal any data
- Encrypt any data
- Modify documents
- Impersonate users
- Disrupt business operations
One small mistake can lead to attacker control.

8 Phase 1 Critical Mitigations: Typical Attack Chain
Tier model: Tier 0 (Domain & Enterprise Admins, Directory Database(s), Domain Controllers); Tier 1 (Server Admins); Tier 2 (Workstation & Device Admins).

Typical attack chain across the tiers:
1. Beachhead (phishing attack, etc.) on a Tier 2 workstation.
2. Lateral movement: steal credentials, compromise more hosts and credentials.
3. Privilege escalation: get Domain Admin credentials.
4. Compromise of privileged (Tier 0) access, typically within 24-48 hours of the beachhead.
5. Execute the attacker mission: steal data, destroy systems, etc.
6. Persist presence.

9 Phase 1 Critical Mitigations: Credential Theft Demonstration
Demo lab (diagram only): a Domain.Local domain with a DC, a client on which a DomainAdmin account logs on, and a separate attack operator machine.

10 Making and Measuring Progress against Risk
Securing Privileged Access three-stage roadmap: 2-4 weeks, 1-3 months, 6+ months. Each attack category maps to defenses:

Attack                               Defense
Credential Theft & Abuse             Prevent Escalation; Prevent Lateral Traversal; Increase Privilege Usage Visibility
Domain Controller (DC) Host Attacks  Harden Configuration; Reduce Agent Attack Surface
AD Attacks                           Assign Least Privilege
Attacker Stealth                     Detect Attacks

11 Protecting Active Directory and Admin privileges
Phase 1 (2-4 weeks), Active Directory admins: first response to the most frequently used attack techniques. Applies to both Active Directory and Azure Active Directory administrators.
1. Separate admin account for admin tasks
2. Privileged Access Workstations (PAWs)
3. Unique local admin passwords for workstations
4. Unique local admin passwords for servers
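Items 3 and 4 only remove the shared local admin password once every machine is actually enrolled, and the usual gap is the set of computers on which the LAPS client-side extension has never run. The following is an added example in PowerShell, not code from the session, that reports which domain-joined Windows computers are not LAPS-managed or whose password has passed its expiry time. It assumes the legacy LAPS schema attributes (ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime), the ActiveDirectory RSAT module, and placeholder OU names.

```powershell
# Added example (not from the Ignite deck): audit LAPS coverage across two OUs.
# Assumes legacy LAPS schema (ms-Mcs-AdmPwdExpirationTime) and RSAT ActiveDirectory.
Import-Module ActiveDirectory

$ServerOU      = 'OU=Servers,DC=corp,DC=local'        # assumed OU
$WorkstationOU = 'OU=Workstations,DC=corp,DC=local'   # assumed OU

function Get-LapsCoverage {
    param([Parameter(Mandatory)] [string] $SearchBase)

    $now = [DateTime]::UtcNow
    Get-ADComputer -Filter "OperatingSystem -like 'Windows*'" `
        -SearchBase $SearchBase `
        -Properties 'ms-Mcs-AdmPwdExpirationTime', OperatingSystem, LastLogonDate |
    ForEach-Object {
        $raw = $_.'ms-Mcs-AdmPwdExpirationTime'
        # The attribute is a FILETIME written by the LAPS CSE; absent means the CSE
        # never ran on this machine, so its local admin password is still whatever
        # the image or the deployment tooling set.
        $expires = if ($raw) { [DateTime]::FromFileTimeUtc([int64]$raw) } else { $null }
        [pscustomobject]@{
            Name          = $_.Name
            OS            = $_.OperatingSystem
            LastLogonDate = $_.LastLogonDate
            LapsExpires   = $expires
            Status        = if (-not $expires)         { 'NotManaged' }
                            elseif ($expires -lt $now) { 'Expired' }   # CSE has not rotated yet (offline, GPO not applying)
                            else                       { 'Managed' }
        }
    }
}

$report = foreach ($ou in $ServerOU, $WorkstationOU) { Get-LapsCoverage -SearchBase $ou }

# Summary first, then the machines that may still share a local admin password.
$report | Group-Object Status | Select-Object Name, Count | Format-Table -AutoSize
$report | Where-Object Status -ne 'Managed' |
    Sort-Object Status, Name |
    Format-Table Name, OS, LastLogonDate, LapsExpires, Status -AutoSize

# After an admin session on a host, force rotation at the next Group Policy refresh
# (legacy LAPS AdmPwd.PS module):
#   Reset-AdmPwdPassword -ComputerName SRV01 -WhenEffective (Get-Date)
```

Run it from a PAW with an account that has only read rights on the computer objects; the expiration time attribute is readable by default, unlike ms-Mcs-AdmPwd itself, which should be restricted with Set-AdmPwdReadPasswordPermission to the groups that genuinely need the cleartext password.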

12 First response to the most frequently used attack techniques
Roadmap matrix from slide 10, repeated for Phase 1 (2-4 weeks) and labelled "Top Priority Mitigations". The DC host defenses read "Harden DC configuration" and "Reduce DC agent attack surface".

13 Protecting Active Directory and Admin privileges
Phases 2 and 3 (1-3 months and 6+ months), all admins plus additional hardening (Credential Guard, RDP Restricted Admin, etc.): build visibility and control of administrator activity and increase protection against typical follow-up attacks. Applies to both Active Directory and Azure Active Directory administrators.
1. Privileged Access Workstations (PAWs) for all admins
2. Time-bound privileges (no permanent admins)
3. Multi-factor authentication for elevation
4. Just Enough Admin (JEA) for DC maintenance
5. Lower attack surface of the domain and DCs
6. Attack detection

14 Build visibility and control of admin activity
Roadmap matrix from slide 10, repeated for Phase 2 (1-3 months).
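The "Increase Privilege Usage Visibility" and "Detect Attacks" rows of the matrix have a cheap native starting point: the tier model says a Tier 0 account should never log on interactively to a Tier 1 or Tier 2 host, because that logon leaves a reusable Domain Admin credential in LSASS on a machine the attacker already controls. The following is an added example in PowerShell, not code from the session, that reads Security event 4624 from a Windows Event Forwarding collector and flags exactly those logons. The group names, Tier 0 host list and log name are assumptions.

```powershell
# Added example (not from the Ignite deck): find Tier 0 accounts logging on to non-Tier 0 hosts.
# Assumes RSAT ActiveDirectory and a WEF collector whose ForwardedEvents log carries 4624 events.
Import-Module ActiveDirectory

$Tier0Groups = 'Domain Admins', 'Enterprise Admins', 'Administrators', 'Schema Admins'
$Tier0Hosts  = @('DC01', 'DC02', 'PAW-ADMIN01')   # assumed Tier 0 hosts: DCs and admin PAWs
$LogName     = 'ForwardedEvents'                  # use 'Security' when run on a single host

# Logon types that cache the account's credential on the target host. Type 3 (network)
# is deliberately excluded: it does not leave the secret on the remote machine.
$CredentialExposingLogonTypes = 2, 4, 5, 7, 10, 11

# Resolve Tier 0 membership once, recursively, so nested groups are covered.
$Tier0Users = $Tier0Groups | ForEach-Object {
    Get-ADGroupMember -Identity $_ -Recursive -ErrorAction SilentlyContinue
} | Where-Object objectClass -eq 'user' | Select-Object -ExpandProperty SamAccountName -Unique

function Find-TierViolations {
    param([datetime] $Since = (Get-Date).AddHours(-24))

    Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 4624; StartTime = $Since } `
                 -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Pull the named EventData fields out of the event XML.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        $user      = $data['TargetUserName']
        $logonType = [int]$data['LogonType']
        $hostName  = ($xml.Event.System.Computer -split '\.')[0]

        # Skip machine accounts and the built-in SYSTEM / anonymous logons.
        if ($user -match '\$$' -or $user -in 'SYSTEM', 'ANONYMOUS LOGON') { return }

        if ($user -in $Tier0Users -and
            $logonType -in $CredentialExposingLogonTypes -and
            $hostName -notin $Tier0Hosts) {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Host      = $hostName
                User      = "$($data['TargetDomainName'])\$user"
                LogonType = $logonType
                Source    = $data['IpAddress']
                Process   = $data['ProcessName']
            }
        }
    }
}

Find-TierViolations -Since (Get-Date).AddDays(-7) | Sort-Object Time | Format-Table -AutoSize
```

Every hit is either a process problem (an admin ignoring the PAW rule) or an attacker using a stolen credential; both deserve a ticket. ATA adds the behavioural detections (pass-the-hash, pass-the-ticket, reconnaissance) that a 4624 query cannot express, but this check costs nothing beyond the event collection the later phases need anyway.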

15 Protecting Active Directory and Admin privileges
Phase 3 (6+ months): move to a proactive security posture. Applies to both Active Directory and Azure Active Directory administrators.
1. Modernize roles and delegation model
2. Smartcard or Passport authentication for all admins (Microsoft Passport was renamed Windows Hello for Business)
3. Admin forest for Active Directory administrators
4. Code integrity policy for DCs (Server 2016)
5. Shielded VMs for virtual DCs (Server 2016 Hyper-V fabric)

16 Move to proactive security posture
Roadmap matrix from slide 10, repeated for Phase 3 (6+ months).

17 Demo time! Just Enough & Just In Time Administration
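The demo itself is not in the transcript. The following is an added example in PowerShell, not the presenters' demo code, showing the two building blocks named in the slide title and in slide 13: a JEA endpoint for DC maintenance (item 4) and a just-in-time, self-expiring group membership (item 2). It assumes Windows Server 2016 with PowerShell 5.1, the ActiveDirectory module, and placeholder domain, group and account names; the TTL part needs the Privileged Access Management optional feature enabled in the forest.

```powershell
# Added example (not from the Ignite deck): JEA endpoint for DC maintenance + JIT group membership.

# --- Just Enough Administration: a role that can only cycle a few DC services ---
$ModulePath = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\DCMaintenance'   # assumed module name
$RoleDir    = Join-Path $ModulePath 'RoleCapabilities'
New-Item -ItemType Directory -Path $RoleDir -Force | Out-Null
New-ModuleManifest -Path (Join-Path $ModulePath 'DCMaintenance.psd1')

# Constrain parameters, not just cmdlets: Restart-Service is limited to a fixed set of
# service names, so the role cannot restart NTDS or run anything the ValidateSet excludes.
New-PSRoleCapabilityFile -Path (Join-Path $RoleDir 'DCServiceOperator.psrc') `
    -VisibleCmdlets @(
        @{ Name = 'Get-Service';     Parameters = @{ Name = 'Name' } },
        @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'DNS', 'Netlogon', 'W32Time' } },
        'Get-ADReplicationFailure',
        'Get-ADReplicationPartnerMetadata'
    ) `
    -ModulesToImport 'ActiveDirectory'

# The endpoint runs as a transient virtual account, so there is no standing admin
# credential for the operator to hold or for an attacker to steal, and every session
# is transcribed for the SOC.
$SessionFile = Join-Path $ModulePath 'DCMaintenance.pssc'
New-PSSessionConfigurationFile -Path $SessionFile `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JEA-Transcripts' `
    -RoleDefinitions @{ 'CORP\DC-Service-Operators' = @{ RoleCapabilities = 'DCServiceOperator' } }   # assumed group

if (-not (Test-PSSessionConfigurationFile -Path $SessionFile)) { throw 'Session configuration file is invalid' }
Register-PSSessionConfiguration -Name 'DCMaintenance' -Path $SessionFile -Force | Out-Null

# An operator connects to the constrained endpoint instead of an unrestricted session:
#   Enter-PSSession -ComputerName DC01 -ConfigurationName DCMaintenance
#   Restart-Service -Name DNS     # allowed
#   Restart-Service -Name NTDS    # rejected: not in the ValidateSet

# --- Just In Time: group membership that expires on its own (AD DS 2016 PAM feature) ---
# One-time, irreversible forest change; enable it deliberately:
#   Enable-ADOptionalFeature 'Privileged Access Management Feature' -Scope ForestOrConfigurationSet -Target 'corp.local'
Add-ADGroupMember -Identity 'DC-Service-Operators' -Members 'ops-jdoe' `
    -MemberTimeToLive (New-TimeSpan -Hours 4)        # assumed account; membership vanishes after 4 hours

# Show current members and the seconds remaining on each TTL membership.
Get-ADGroup -Identity 'DC-Service-Operators' -Properties member -ShowMemberTimeToLive |
    Select-Object -ExpandProperty member
```

Two design points worth stating. The virtual account is a member of the local Administrators group on the target (on a domain controller that is the domain's Administrators group), so the role capability file, not the account, is the security boundary; review it as carefully as you would a sudoers entry. With the PAM feature enabled, a TTL membership also caps the Kerberos ticket lifetime to the remaining TTL, so the privilege really does end when the timer does rather than lingering in a cached TGT.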

18 Secure Modern Enterprise: The Microsoft Cybersecurity Services approach

19 SECURE MODERN ENTERPRISE Phase 2: Secure the Pillars
The four pillars (Identity, Apps and Data, Infrastructure, Devices) on a Secure Platform (secure by design), delivered in two phases.

Phase 1: Build the Security Foundation (critical attack defenses). Start the journey by getting in front of current attacks:
- Critical Mitigations: critical attack protections
- Attack Detection: hunt for hidden persistent adversaries and implement critical attack detection
- Roadmap and planning: share Microsoft insight on current attacks and strategies, build a tailored roadmap to defend your organization's business value and mission

Phase 2: Secure the Pillars. Continue building a secure modern enterprise by adopting leading edge technology and approaches:
- Threat Detection: integrate leading edge intelligence and Managed Detection and Response (MDR) capabilities
- Privileged Access: continue reducing risk to business critical identities and assets
- Cloud Security Risk: chart a secure path into a cloud-enabled enterprise
- SaaS / Shadow IT Risk: discover, protect, and monitor your critical data in the cloud
- Device & Datacenter Security: hardware protections for devices, credentials, servers, and applications
- App/Dev Security: secure your development practices and digital transformation components

20 Phase 1 Critical Mitigations
Phase 1 critical mitigations mapped onto the tier model (Tier 0: Domain & Enterprise Admins, Directory Database(s), Domain Controllers; Tier 1: Server Admins; Tier 2: Workstation & Device Admins):
- Organizational Preparation: Education, Strategy & Integration (Strategic Roadmap, Technical Education)
- Restrict Privilege Escalation: Privileged Access Workstations, Assess AD Security
- Restrict Lateral Movement: Random Local Password
- Attack Detection: Advanced Threat Analytics (ATA), Hunt for Adversaries

21 RECOMMENDED FOR EVERY ENTERPRISE ORGANIZATION
Secure Modern Enterprise Security Foundation. Microsoft is committed to mitigating security threats and is bringing the power of the cloud to securing your assets: industry-leading technology on-premises, integrated intelligence in the cloud. Critical security assurances | Cloud-powered Threat Detection | Major Incident Management.

22 Let’s hear from you! Are you using…
Where are you on the road to a secure modern enterprise? Are you using:
- Dedicated Privileged Access Workstations (PAWs) for IT administrators?
- Advanced Threat Analytics (ATA) or a 3rd-party UEBA solution?
- The Local Administrator Password Solution (LAPS) tool or a 3rd-party PAM solution, for all servers? For all workstations?

23 Free IT Pro resources To advance your career in cloud technology
Microsoft Ignite 2016.
- Plan your career path: Microsoft IT Pro Career Center (cloud role mapping, expert advice on skills needed, self-paced curriculum by cloud role)
- Get started with Azure: Microsoft IT Pro Cloud Essentials ($300 Azure credits and extended trials, Pluralsight 3-month subscription with 10 courses, phone support incident)
- Demos and how-to videos: Microsoft Mechanics (weekly short videos and insights from Microsoft's leaders and engineers)
- Connect with peers and experts: Microsoft Tech Community

24 Please evaluate this session
Your feedback is important to us! From your PC or tablet, visit MyIgnite; from your phone, download and use the Ignite Mobile App by scanning the QR code on the slide.
