Microsoft Cybersecurity Solutions Group


1 Microsoft CISO Workshop 4b - Threat Protection Strategy (DETECT-RESPOND-RECOVER)
Microsoft Cybersecurity Solutions Group

© Copyright Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

2 Threat protection (Detect-Respond-Recover)
4/4/2019

Module sections: TRENDS; STRATEGY; Applying to Operations; Threat Evolution; SIEM Integration; Intelligence; Success Criteria; SOC Mission Evolution; INTEGRATED OPERATIONS; Recommended Approach; Integrated AUTOMATION; Evolution of MICROSOFT SOC; Community Effect; DEEP DIVES: Typical Kill Chain, Applying Machine Learning, Dark Markets, Graph Security API, and more.

Key Takeaway: This is the module layout. The slide uses the PowerPoint zoom feature: you can present it and click on each section to skip to it.

3 Observations and challenges

Threats increasing in volume and sophistication
- Attacker business models evolve to maximize attacker return on investment (ROI)
- Attack automation and evasion techniques are evolving along multiple dimensions

Can’t stop all attacks
- Must balance investments across prevention, detection, and response
- Prevention investments must be focused on real-world attacks

Integration is required, but complex and costly
- Threat detection requires context from diverse signal sources and high volumes of data
- Efficient operations require integration of tools and technology like machine learning

Humans and automation
- Need human expertise, adaptability, and creativity to combat human threat actors
- Automation can reduce toil and repetitive tasks, enabling people to make their best contributions

Key Takeaway: The ever-changing threat environment is challenging, but there are ways to be more effective using the right blend of modern technology, strategy, and expertise.

Threats increasing in volume and sophistication – There are advanced attack groups out there, but attackers are not infinitely sophisticated. They do constantly evolve, but they tend to invest only where it makes business sense to spend their time/money/resources. Focusing on the mission they are trying to accomplish and their ROI model will likely create the best opportunities to disrupt attackers.

CLICK 1 Can’t stop all attacks – A pure preventive strategy simply will not work with the volume of attacks and rate of evolution we see. At the same time, a pure detect-and-respond strategy without meaningful investment into preventive controls can lock the bulk of your resources into repeatedly solving the same ‘problems’ vs. making meaningful progress. We recommend a pragmatic balance of resource investments into prevention, detection, and response, with a focus on maximizing attacker cost increases per dollar of your security investment.

CLICK 2 Integration is required, but complex and costly – While the cybersecurity industry has developed many compelling individual “point solution” technologies and many potentially valuable threat feeds, organizations are currently suffering from the integration challenges that result from this “best of breed” approach. Organizations are forced to absorb the cost and inefficiency of integrating security tools with each other and with threat intelligence feeds. This slows down response times and limits defender effectiveness.

CLICK 3 Humans and automation – Automation has the power to take repetitive tasks away from people and ensure they are executed consistently, but ultimately we face human attack operators and need human judgement, adaptability, insight, and creativity in the process. Without this combination, you can’t sort the signal (real detections) from the noise (false positives).

4 Evolution trajectory of SOCs

Reducing mean time to remediation (MTTR) by optimizing expert human decisions; assistance from AI bots and augmented reality.
- OBSERVE – Increase field of view with vast intelligence data
- ORIENT – Extract context from a mountain of data with AI, ML, UEBA, and human expertise
- DECIDE – Increase speed and quality with embedded guidance
- ACT – Speed up response with orchestration and automation
(Timeline labels: Available Today; Near Future)

Key Takeaway – Technology trends will continually improve the ability of your analysts and incident responders to quickly detect and remediate incidents.

As we look at the trajectory of how SOCs will evolve, we see technology continually increasing the speed and quality of decisions and actions (along each stage of an OODA ‘loop’ in the decision-making process). The OODA ‘loop’ was pioneered by USAF Colonel John Boyd.

Observe – SOCs are already tapping into the vast security intelligence in Microsoft’s Intelligent Security Graph (and other intelligence sources), increasing their field of view dramatically within the organization and the external environment. We see no reason for this not to continue.

CLICK 1 Orient – As these data sources become available to already overloaded SOCs, machine learning becomes critical to make sense of what is happening. Microsoft (and other security vendors) have adopted machine learning (ML) technology (a subset of artificial intelligence) to reason over massive datasets, quickly prioritize events, and correlate events into holistic incidents that can be investigated by SOCs. Additionally, User and Entity Behavior Analytics allows for rapidly identifying anomalies in the profile of individual identities vs. trying to do the same from the whole dataset.

CLICK 2 Decide – Because attack volume and the talent shortage are overloading SOC staff, analysts and incident responders need to reduce the steps and effort required to get to a good decision. Microsoft has been integrating guidance for detected malware and attacker groups inline in the investigation process of our tools: Azure Security Center, and the EDR capabilities in Windows Defender ATP.

CLICK 3 Act – Containing adversary access and limiting their damage comes from rapid and accurate response execution across many technologies and platforms, which orchestration and automation technology enables. Microsoft has invested and continues to invest in these technologies: Windows Defender ATP and Office 365 ATP automatically create and execute cleanup plans for incidents, and Azure Security Center includes automation and orchestration technologies.

CLICK 4 Further into the future, we expect all of these technologies to continue to mature and be augmented by intelligent interactive assistants. We expect them to perform research and execution via natural interfaces, much like the Cortana character in the video game Halo. We also expect that virtual and augmented reality like HoloLens will enable SOC personnel to easily visualize complex systems and attacks, allowing humans to more quickly spot anomalies and collaborate on incidents.

5 Data Gravity pulls analytics to the data

- Getting signal from noise requires context from large, disparate datasets
- Can’t copy all needed data to one location because of bandwidth
- Need to leverage analytics from anywhere and centrally integrate
(Diagram labels: APPS & SERVICES)

Key Takeaway: The concept of data gravity (analytics will gravitate to the largest ‘mass’ of data) will likely affect where SOCs perform analytics.

CLICK 1 Because of the cost and latency of moving large amounts of data over networks, it is much more effective to leverage analytics that are close to the data vs. trying to move large sets of data to existing analytics. Security data is growing to massive levels, and more and more of it is generated where workloads are hosted at cloud providers like Microsoft, creating a ‘gravity’ that favors native security analytics in the cloud vs. backhauling data to traditional on-premises SIEMs.

6 SOC Signal Rationalization

Many data sources in SOCs today. The Microsoft Graph Security API allows analysts to get insights across local security datasets.

Key Takeaway: Most SOCs are dealing with multiple datasets in different locations that can assist with alert generation, investigation, or hunting. Microsoft invested in providing the Graph Security API, which enables organizations to connect these security capabilities as providers, enabling the SOC to rapidly query for context across them to increase the speed and effectiveness of investigation.

7 Graph Security API – Signal Unification

Allows analysts to get insights and context across local datasets and cloud-hosted security datasets. Microsoft’s Intelligent Security Graph: massive dataset + analytics powering Microsoft threat detection capabilities.

Key Takeaway: This includes pulling context from various cloud sources, including Microsoft’s Intelligent Security Graph (via Microsoft’s threat detection toolsets).

8 Threat evolution is accelerating

Stages: Mass Distribution Malware → Tailored/Targeted Malware → ‘File-less’ Malware → Malware-Less Attacks. (Diagram axes: THREAT AGES; Malware and Infrastructure; Identity and Apps.)

Key Takeaway: Attacker methods have been expanding recently (along with attacker investment and returns).

Mass Distribution Malware – Mass distribution malware has been with us for several decades.

CLICK 1 Tailored/Targeted Malware – This evolved into malware targeted at individual organizations, which has matured into a mainstream attack method.

CLICK 2 ‘File-Less’ Malware – The past few years saw increased investment into evading file-based detection, using PowerShell to load attack code directly into memory and other similar methods.

CLICK 3 Malware-Less Attacks – Recently, we have seen the rise of “live off the land” attack campaigns that involve no malware. These frequently target online software as a service (such as Office 365) and involve methods like social engineering, credential theft, and native platform capabilities like document download, forged emails, delegation/forwarding rules, and PowerShell scripts.

9 Corporate IT SOC – Started with Classic SIEM model

Major challenges with this approach: Event Storage Volume and Cost; Analyst Overload from False Positives; Poor Investigation Workflow. (Diagram labels: SIEM; 3rd Party tools (as needed); threat stages Mass Distribution Malware, Tailored/Targeted Malware, ‘File-less’ Malware, Malware-Less Attacks; workflow Alert Queue → Primary Investigation → Pivot and Remediate.)

Key Takeaway: Microsoft’s Corporate IT SOC used to operate a traditional SOC model similar to what we see in most organizations and faced the same set of natural challenges with the model.

Note: The SOC referenced here is the Microsoft IT operation that is most comparable to SOCs in most organizations. At Microsoft, multiple teams work shoulder to shoulder in our CDOC facility to enable collaboration and rapid intelligence sharing between teams protecting our other environments such as Azure and Office 365. For more information on this SOC, see the link on the slide. This SOC is cross-platform and covers a significant population of Linux, Mac, and non-Microsoft software.

CLICK 1 The challenges we experienced with this model are similar to those reported by our customers running in this SIEM-centric model:
- Event Volume – High volume and growth (on the scale of 20 billion events a day currently) exceeded the capacity of the SIEM to handle it.
- Alert Overload – The static rulesets generated excessive false positives that led to alert fatigue.
- Poor Investigation Workflow – Investigation of events using the SIEM was clunky and required manual queries and manual switching between different tools.

10 Corporate IT SOC – Evolved to adopt specialized tooling

Tooling by area (current as of Jan 2019):
- ENDPOINT DETECTION & RESPONSE (EDR): Windows Defender ATP
- IDENTITY: Azure ATP + Azure AD Identity Protection
- OFFICE 365 and SaaS: Advanced Threat Protection + Cloud App Security
- AZURE: Azure Security Center
- LOG ANALYTICS: Data Lake + Azure Monitoring
- SIEM; 3rd Party tools (as needed)
(Workflow labels: Generate Alerts → Alert Queue → Primary Investigation → Pivot and Remediate; threat stages from Mass Distribution Malware through Tailored/Targeted Malware and ‘File-less’ Malware to Malware-Less Attacks.)

Key Takeaway: Microsoft increased SOC responsiveness and remediation speed by (1) incorporating specialized host/email/identity tools and (2) shifting log analytics to the cloud from the SIEM (current as of Jan 2019).

While our various SOCs consider and test Microsoft solutions, the SOC mission always comes first, and these organizations have rejected Microsoft solutions and used 3rd party capabilities when the Microsoft solutions don’t meet their needs. Our Corporate IT SOC focuses on responsiveness (Time to Acknowledge alerts – TTA) and rapid containment (Time to Remediation – TTR). To address the SIEM scalability challenges in this SOC, we introduced data lake and machine learning technology to more efficiently store and analyze events and provide high-quality alerts that meet the 90% true positive (and growing) bar for inclusion in the SOC main feed. Our SIEM currently remains the centralized alert queue.

CLICK 1 The most impactful change was adding Windows Defender ATP’s EDR capability as a high-quality alert source, which quickly became the primary investigation tool (by our analysts’ choice) once it was made available. This is the “console that never closes” on our analysts’ desktops during their shift, which isn’t surprising because they contributed significantly to the product design: the product group spent months shadowing our SOC analysts to understand how they thought as they investigated incidents, what technical information they needed to investigate, and what their ideal workflows would be. Additionally, this product group worked closely with Microsoft’s incident response team to integrate learnings and technology used on customer investigations.

CLICK 2 The next primary alert source for our SOC main feeds is the identity analytics, which include:
- Azure AD Identity Protection – Analytics built into Azure AD that provide behavior analytics (UEBA), Leaked Credential Detection, and many other security analytics
- Azure Advanced Threat Protection (ATP) – On-premises Active Directory analytics including UEBA and direct threat detection of many attacks like pass-the-hash/ticket/etc., golden ticket, skeleton key, and many more
Note that we piloted, but did not ultimately adopt, a 3rd party UEBA tool that was not able to scale to the needs of our environment.

CLICK 3 Additionally, our SOC monitors corporate assets in Office 365 and Azure. This is an emerging space that is evolving quickly, but several technologies have proven indispensable for investigations and high-quality alerts:
- Office 365 ATP – The threat explorer is critical to speeding up investigations and remediation.
- Cloud App Security – Analytics and investigation capabilities for Office 365 and 3rd party SaaS services.
- Azure Security Center – A mainstay of alerts, investigations, and remediation for workloads on the Azure platform.

Additional Notes
- Our internal phishing reporting system also generates tickets that are investigated by analysts.
- The Log Analytics capabilities include several generations of technical solutions that we are now consolidating and standardizing on Azure Monitor (formerly Azure Log Analytics), now that these are available in market (which wasn’t the case when many of these were built).
- Alert quality is a top priority: we require 90%+ true positives in order for a feed to enter the SOC main channel. This is a critical factor in optimizing responsiveness by ensuring that analysts aren’t wasting time on false positives.
- Even before adding the Automated Remediation capabilities from Hexadite, we found that Defender ATP’s EDR solution increased SOC efficiency to the point where Tier 3 and Tier 2 analysts are able to start doing more proactive hunting (usually by sifting through lower priority alerts in the Defender ATP console).
- The SOC has a close collaboration relationship with the NOC, but their missions are sufficiently different that we did not merge those two functions.

11 SOC Reference Operational Model

SUCCESS METRIC: Mean Time to Remediation (MTTR)
- THREAT INTELLIGENCE – Provide external context to inform decisions: Investigations | Hunting | Leadership | Technical Detections and Defenses
- INCIDENT / BREACH MANAGEMENT – Coordinate data breaches and major incidents with: Leadership | Legal | Communications | Risk Management | Others
- SOC ANALYST (Tier 1, Tier 2, Tier 3) – Lead the technical incident through its lifecycle (across cloud and on-premises); escalate the incident to a higher tier as needed. Lower tiers may be automated and/or outsourced to an MSSP.
(Lifecycle labels: DETECT; RESPOND; RECOVER)

Key Takeaway: This is an operating model that we have found works well in our own SOC and at our customers. One of our key success metrics in our SOC is mean time to remediation (MTTR). This drives an end-to-end view of incidents and aligns the SOC to mitigating business risks spanning both operational downtime and intellectual property loss. If the attacker has less access to the environment (less time, less privilege), they have less ability to cause either type of damage.

CLICK 1 Analyst involvement – Our SOC analysts generally stay involved with an incident until it is remediated, even when it is escalated to a higher tier (from “cradle to grave”). This helps preserve context and continuity while drawing on the experience and the access to specialized data of the higher tiers. It also helps with analyst career development, as they get firsthand exposure to the work of the higher tiers. In a SOC, the lower tiers are typically the place for cost optimization:
- MSSP outsourcing – We don’t outsource SOC functions, but recognize that other organizations may outsource lower tiers (or all tiers) of analysts depending on many factors.
- Automation – We have seen that the automated investigation and remediation technologies recently added to Windows Defender ATP’s EDR capability can dramatically reduce the time that analysts spend on routine incidents. This was recently introduced into Microsoft’s SOC, so long-term operational data isn’t available yet.
Tier 3 is focused much more on proactive hunting activities, as most incidents are resolved in Tier 1 or 2.

CLICK 2 The Incident Management team is brought into incidents that involve a potentially reportable data breach or a significant risk to the organization. This team helps assess the impact of the attack and coordinates among the needed stakeholders in leadership, legal, communications, risk management, and any other internal or external stakeholders.

CLICK 3 The model also includes a separate threat intelligence function whose role is to inform both technical and business stakeholders. The intelligence team performs reactive and proactive research tasks in support of business risk decisions, hunting operations, incident investigations, and more.

12 Strategic imperatives

Goal: Increase attacker cost as rapidly and efficiently as possible.
STRATEGIC IMPERATIVES
1 Threat Prevention – Prevent as many threats as possible (best security ROI when available)
2 Threat Detection and Response – Rapidly detect and respond (highest coverage of assets/scenarios)
3 Lessons Learned – Continually apply learnings (continuous attack cost increase)

Key Takeaway: We recommend a balanced and pragmatic strategic approach focused on increasing the cost of attacks for attackers. This requires balancing prevention with detection and response, and a culture of continuously integrating lessons learned.

CLICK 1 Prevention offers the best security return on investment for defenders, as a single upfront defender investment forces the attackers to spend resources to create or acquire something new. You can’t prevent all attack vectors, but you can block the established and known ones (which are cheap for the attacker) to rapidly drive the attacker’s cost up.

CLICK 2 Detection and response offer defenders the ability to cover many more assets and scenarios, but at an ongoing operational cost to monitor for attacks and investigate/remediate when they are detected.

CLICK 3 As defenses improve, adversaries will likely continue to adapt their attack techniques to get around them. You should be prepared for this and adopt a learning culture built around continuously increasing the cost of attacking your assets.

CLICK 4 Microsoft is committed to helping you succeed at managing cybersecurity risk and increasing attacker cost with an integrated security experience delivered through:
- Secure platforms
- Security capabilities (products and features)
- Guidance and recommendations from our lessons learned
- Professional services from Microsoft and partners
Committed to your success: accelerate your ability to manage threats by providing secure platforms and products, security capabilities, services, and recommendations.

13 Unparalleled cybersecurity visibility and insight

The Microsoft Intelligent Security Graph:
- 6.5 trillion diverse threat signals analyzed daily
- +1B Windows devices updated & scanned
- 630 billion monthly authentications
- 470 billion emails analyzed
- 18+ billion web pages scanned
- 5 billion threats detected on devices every month
Machine learning applied to: reduce manual effort; reduce wasted effort on false positives; speed up detection.

Key Takeaway: Microsoft’s Intelligent Security Graph is a series of interconnected systems that enhance Microsoft’s security capabilities with data, machine learning, and human insights. We have learned that successful use of threat intelligence requires a large, diverse set of data and extensive integration into your processes and tools. Microsoft has invested in both of these so that our customers can take advantage of it. At current, Microsoft processes over 6.5 trillion signals each day.

Microsoft has an unparalleled view into cybersecurity activity:
- We have to deal with most adversary groups on the planet, as our cloud customers “bring their adversaries with them” to the cloud when they start using our services.
- We have high-fidelity threat data by virtue of the businesses we are in (as well as external threat feeds from various partners and suppliers):
  - Antimalware – We are the largest antimalware vendor in the world
  - Email – We are the largest enterprise email provider and second largest consumer email provider in the world. We analyze 400 billion emails a month
  - Identity – We service 450 billion user authentications per month
  - Host – We update 1.2 billion PCs a month with Windows Update
  - Web – We have web crawlers that have indexed 2.5 trillion URLs and scan 18+ billion webpages a month (supporting our search engine business, Bing)

Additional Commentary: Direct access to the graph/data itself is not available at this time. Currently the only way to access the graph is through the products that are powered by it (summarized in the next slide).

14 Inside The Intelligent Security Graph

Data sources: sample zoos; dark markets; sinkholes and honeypots; detonation and sandboxes; services; IR intelligence; threat feeds. PRODUCT AND SERVICE TELEMETRY: Malicious Software Removal Tool, Windows Defender AV, Office 365, Microsoft Azure, Bing (products instrumented to strict privacy/compliance standards; see Microsoft Trust Center). [Privacy/Compliance boundary]
DATA COLLECTION AND ANALYSIS: products send data to the graph; collection and normalization; analytics (machine learning, detonation, behavior); publish to internal APIs; products use Interflow APIs to access results; analytics help fuel new discoveries.
Products powered by the graph: Azure Security Center (ASC); Operations Management Suite (OMS); Azure Active Directory Identity Protection; Microsoft Accounts; Azure Advanced Threat Protection (ATP); Windows Defender Advanced Threat Protection (ATP); Defender Anti-malware; Office 365 Advanced Threat Protection (ATP); Exchange Online Protection (EOP); Microsoft Cloud Application Security (MCAS). Products generate data which feeds back into the graph. Hunters identify attacks, improve analytics, and feed back into product design.

Key Takeaway: To be successful with threat intelligence, you must have a large, diverse set of data and you have to apply it to your processes and tools. Microsoft does both.

The data that we collect from the various sources passes through a strict privacy/compliance boundary to ensure that data is only being used in ways that our customers have agreed to. Microsoft takes this responsibility very seriously. The data sources include the products noted earlier, specialized security sources, insights from dark markets (criminal forums), and learnings from incident response engagements where we help customers investigate and remediate incidents (on any given week, we are typically engaged onsite at several customers and engaged remotely with dozens more).

CLICK 1 Data Collection and Analysis – The data then goes through a collection and analysis phase to normalize it, apply various analytics (listed) to identify relevant security insights and findings, and publish to an internal API.

CLICK 2 Products – Each of the products then accesses the data to provide findings, context, insight, etc. relative to that capability, and then automatically feeds new detections and insights back into the graph to enrich other product findings. To give you an idea of how powerful this is, consider a situation where an attack comes in over a personal Gmail account (where we wouldn’t have direct visibility). Once it is detected on a host and analyzed for indicators of attack/compromise (IOA/IOC), that same attack could then be immediately detected on our systems.

CLICK 3 Hunters – Additionally, human teams are constantly working with the graph to hunt for adversaries in various environments (Azure, Office 365, Microsoft IT, Windows ATP customers, etc.) as well as creating, tuning, and validating new analytics to improve detection overall.

Additional Information
- Microsoft has over 4 trillion files in our malware sample zoo
- Microsoft collects over 8 million indicators of compromise each day
- We also use external threat feeds to enrich and validate our findings
- We directly include intelligence from onsite investigations into attacks into the graph (when approved by the customer)

15 SOC Integration – Unifying and Informing Analysts

Diagram labels: SOC ANALYST; SOC CONSOLE; QUERY / RESPONSE / ACTION; GRAPH SECURITY API { }; providers: AZURE SECURITY CENTER, AZURE AD IDENTITY PROTECTION, MICROSOFT CLOUD APP SECURITY, WINDOWS DEFENDER ADVANCED THREAT PROTECTION, MICROSOFT INTUNE, OFFICE 365, FIREWALL PROVIDER; GRAPH API { }: account, mail, calendar, documents, directory, devices, etc.

Key Takeaway: The Microsoft Graph Security API acts as a backplane or “bus” for security operations centers. This approach replaces the typical “mesh” integration approach of directly connecting security tools with each other, which is challenging to set up and maintain. The Graph Security API increases SOC effectiveness and efficiency by:
- Consolidating and standardizing alerts for easier correlation
- Bringing together contextual data to inform investigations
- Enabling automation for greater security operations efficiency

Let’s take a look at how this works. Microsoft has enabled many first-party providers, including Azure Security Center and Azure AD Identity Protection. Several partner solutions from Palo Alto Networks, Anomali, and PwC are already available. Additional SOC tools can be enabled by supporting this API (either directly by the vendor or by implementing a small amount of code) [TERMINOLOGY?].

CLICK 1 Analyst investigations are enabled by calling the API and rapidly getting:
- Alerts across all systems
- Enrichment of alerts with additional security context for users, hosts, files, apps, and documents
Additionally, the Microsoft Graph API (separately) can further enable investigations and impact analysis by providing business context and insights into assets from the collective knowledge about accounts, systems, and documents in Microsoft systems like Office 365.

CLICK 2 The Graph API can also enable automation by letting you initiate actions on connected systems, such as:
- Isolating a server with Azure Security Center
- Blocking a C2 IP address in a Palo Alto firewall
- Resetting a passcode on a device using Intune
- Revoking access to a file for certain users using Azure Information Protection

Additional Notes:
- Like the Microsoft Graph API, the Graph Security API is free of charge and leverages Azure Active Directory authentication for access.
- Microsoft does not collect your security information from the graph. Microsoft only maintains a limited level of API usage logging so that we can troubleshoot issues (log queries + arguments + response time) [NEED TO VERIFY DETAILS].
- Accessing intelligence from the trillions of signals in Microsoft’s Intelligent Security Graph requires the use of Microsoft’s security capabilities like Windows Defender ATP, Azure Security Center, Office 365 ATP, etc.
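The “bus” role described above, consolidating alerts from several providers and correlating them by shared host or user, as an added example that is not part of the presentation or Microsoft’s code. The alert dictionaries mirror the Graph Security API alert resource fields (id, title, severity, createdDateTime, vendorInformation, hostStates, userStates); the sample alerts, hostnames and accounts are constructed, and the provider name strings are assumptions for illustration.

```python
"""Consolidate and correlate Graph Security API alerts into incidents (added example)."""
from collections import defaultdict
from urllib.parse import quote

GRAPH_ALERTS_URL = "https://graph.microsoft.com/v1.0/security/alerts"
SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3}


def make_alert(aid, title, severity, created, provider, hosts=(), users=()):
    """Constructed alert in the shape of the Graph Security API alert resource."""
    return {"id": aid, "title": title, "severity": severity, "createdDateTime": created,
            "vendorInformation": {"provider": provider, "vendor": "Microsoft"},
            "hostStates": [{"fqdn": h} for h in hosts],
            "userStates": [{"userPrincipalName": u} for u in users]}


# Constructed sample: four providers reporting on overlapping hosts and users.
SAMPLE_ALERTS = [
    make_alert("a1", "Suspicious PowerShell download", "high", "2019-04-01T10:02:00Z",
               "Windows Defender ATP", hosts=["WS042.corp.example"], users=["jdoe@corp.example"]),
    make_alert("a2", "Sign-in from anonymous IP", "medium", "2019-04-01T09:55:00Z",
               "Azure AD Identity Protection", users=["JDoe@corp.example"]),
    make_alert("a3", "SSH brute force attempt", "high", "2019-04-01T11:10:00Z",
               "Azure Security Center", hosts=["vm-web-01.corp.example"]),
    make_alert("a4", "Mass download from OneDrive", "low", "2019-04-01T10:20:00Z",
               "Microsoft Cloud App Security", hosts=["ws042.corp.example"],
               users=["amiller@corp.example"]),
    make_alert("a5", "Successful SSH login after brute force", "medium", "2019-04-01T11:30:00Z",
               "Azure Security Center", hosts=["VM-WEB-01.corp.example"]),
]


def build_alert_query(severity=None, provider=None, top=50):
    """URL for a filtered alert listing using OData $top/$filter (no network call here;
    the caller sends it with an Azure AD bearer token in the Authorization header)."""
    clauses = []
    if severity:
        clauses.append(f"severity eq '{severity}'")
    if provider:
        clauses.append(f"vendorInformation/provider eq '{provider}'")
    url = f"{GRAPH_ALERTS_URL}?$top={top}"
    if clauses:
        url += "&$filter=" + quote(" and ".join(clauses), safe="'/")
    return url


def normalize_alert(raw):
    """Reduce a provider-specific alert to one common shape keyed by its entities."""
    entities = set()
    for host in raw.get("hostStates") or []:
        if host.get("fqdn"):
            entities.add("host:" + host["fqdn"].lower())   # case-fold so providers agree
    for user in raw.get("userStates") or []:
        if user.get("userPrincipalName"):
            entities.add("user:" + user["userPrincipalName"].lower())
    severity = (raw.get("severity") or "informational").lower()
    return {"id": raw["id"], "title": raw.get("title", ""),
            "provider": (raw.get("vendorInformation") or {}).get("provider", "unknown"),
            "severity": SEVERITY_RANK.get(severity, 0),
            "created": raw.get("createdDateTime", ""), "entities": entities}


def correlate(alerts):
    """Group alerts that share a host or user into incidents (union-find over entities)."""
    norm = [normalize_alert(a) for a in alerts]
    parent = {a["id"]: a["id"] for a in norm}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    owner = {}  # entity -> id of the first alert that mentioned it
    for a in norm:
        for entity in a["entities"]:
            if entity in owner:
                parent[find(a["id"])] = find(owner[entity])
            else:
                owner[entity] = a["id"]

    groups = defaultdict(list)
    for a in norm:
        groups[find(a["id"])].append(a)

    incidents = []
    for members in groups.values():
        members.sort(key=lambda a: a["created"])
        incidents.append({"alert_ids": [a["id"] for a in members],
                          "entities": sorted(set().union(*(a["entities"] for a in members))),
                          "providers": sorted({a["provider"] for a in members}),
                          "max_severity": max(a["severity"] for a in members),
                          "first_seen": members[0]["created"]})
    # Highest severity first, then oldest first, so the analyst sees the start of the chain.
    incidents.sort(key=lambda i: (-i["max_severity"], i["first_seen"]))
    return incidents
```

With the sample, the identity alert, the EDR alert and the Cloud App Security alert collapse into one incident around the shared host and user, while the two Azure Security Center alerts form a second one.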

16 Most attackers have a supply chain

Diagram labels: ATTACKS AGAINST PCs; ATTACKS AGAINST EMPLOYEES AND CUSTOMERS; ATTACKER INFRASTRUCTURE; COLLECTIVE KNOWLEDGE; SERVICES AIDING THE “CASH OUT”; ATTACKERS. You face ecosystems, not just hackers and malware. Defenses must address current attacker methods.

Key Takeaway: The threats your organization likely faces come from an interconnected ecosystem, not any single attacker or attack group. Behind most attackers is a supply chain of criminal (black market) and non-criminal (grey market) services and tools.

CLICK 1 This ecosystem consists of an array of both criminal and non-criminal offerings: criminal services are offered by criminals with solely illegal use cases, while non-criminal services offered by gray hat markets could be used for legitimate or criminal purposes (hence the “gray” nature of the market). The supply chain allows for more efficiency and specialization for the attackers, but this specialization also brings a kind of fragility. Defenders who focus on choke points (e.g. commonly used tools and methods) can use this supply chain against them with better detection and blocking. For example, username/password pairs are sold in multi-million account blocks, making “account checkers” an essential attacker tool to find the 1-2% valid passwords in the bunch. Detecting these account checkers can give you an early heads-up on reconnaissance that could indicate an impending attack.
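Detection logic for the account-checker choke point just described, as an added example that is not part of the presentation: per source IP it looks for many distinct accounts tried in a short window with a success rate in the low single digits (the 1-2% the text mentions), and reports the accounts that were validated so they can be reset first. The log line format (timestamp, src=, user=, result=OK|FAIL) and all addresses and accounts are constructed for the example.

```python
"""Flag credential-stuffing 'account checker' traffic in sign-in logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format; real sign-in logs carry the same fields under other names.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line):
    """Return a sign-in event dict, or None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.strptime(m.group("ts"), TS_FMT), "src": m.group("src"),
            "user": m.group("user").lower(), "ok": m.group("result") == "OK"}


def detect_account_checkers(lines, window=timedelta(minutes=10),
                            min_users=20, max_success_rate=0.05):
    """Per source IP, find the sliding window with the most distinct accounts tried,
    provided successes stay below max_success_rate: a user mistyping one password
    never touches dozens of accounts, while a checker validating a purchased dump does."""
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    findings = []
    for src, evs in by_src.items():
        best, start = None, 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1                      # slide the window forward
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            if len(users) < min_users:
                continue
            hits = [e["user"] for e in win if e["ok"]]
            rate = len(hits) / len(win)
            if rate > max_success_rate:
                continue
            if best is None or len(users) > best["distinct_users"]:
                best = {"src": src, "distinct_users": len(users), "attempts": len(win),
                        "success_rate": rate,
                        "hit_accounts": sorted(set(hits)),  # validated by the checker
                        "window_start": win[0]["ts"].strftime(TS_FMT),
                        "window_end": win[-1]["ts"].strftime(TS_FMT)}
        if best:
            findings.append(best)
    return findings


def sample_log():
    """Constructed log: one checker probing 40 accounts (one hit), plus normal users."""
    base = datetime(2019, 4, 1, 10, 0, 0)

    def stamp(seconds):
        return (base + timedelta(seconds=seconds)).strftime(TS_FMT)

    lines = [f"{stamp(5 * i)} src=203.0.113.7 user=user{i:02d}@corp.example "
             f"result={'OK' if i == 17 else 'FAIL'}" for i in range(40)]
    lines += [f"{stamp(30)} src=198.51.100.4 user=bob@corp.example result=OK",
              f"{stamp(45)} src=198.51.100.9 user=carol@corp.example result=FAIL",
              f"{stamp(60)} src=198.51.100.9 user=carol@corp.example result=FAIL",
              f"{stamp(75)} src=198.51.100.9 user=carol@corp.example result=OK",
              "malformed line that the parser skips"]
    return lines
```

Carol’s two failures followed by a success are not flagged because only one account is involved; the checker is flagged on 40 accounts with a 2.5% hit rate, and user17 is the account to reset.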

17 Yes, attack services are inexpensive

Categories: ATTACKS AGAINST THE PC; ATTACKS AGAINST THE EMPLOYEES AND CUSTOMERS; ATTACKER INFRASTRUCTURE; COLLECTIVE KNOWLEDGE; SERVICES AIDING THE “CASH OUT”.
Sample prices shown on the slide:
- 0days: price range varies from $5,000 to $350,000
- Loads (compromised device) average price ranges: PC $0.13 to $0.89; Mobile from $0.82 to $2.78
- Spearphishing services: range from $100 to $1,000 per successful account takeover
- Ransomware: $66 upfront, or 30% of the profit (affiliate model)
- Denial of Service (DOS) average prices: day $102.05; week $327.00; month $766.67
- Compromised accounts: as low as $150 for 400M; averages $0.97 per 1k
- Proxy services to evade IP geolocation: prices vary; as low as $100 per week for 100,000 proxies

Key Takeaway: Dark market products are notably inexpensive, with a few exceptions (like zero days).

This is a sampling of price ranges to give you a sense of what is traded and how much it costs. Like any other market, the prices vary because of supply, demand, and externalities like war/politics/etc.

0Day / Zero Day exploits are quite expensive, costing as much as $350,000 USD for higher value vulnerabilities. (Zero-day vulnerabilities are unpatched and otherwise unknown vulnerabilities.) The price varies by many factors including ease of exploitation, affected platforms, and exclusivity of use.

CLICK 1 RATs range from free to premium pricing of about $2,000 USD. Loads are compromised PCs or mobile devices that can be taken over by the buyer on a temporary or permanent basis, and cost pennies up to a dollar for PCs and a few dollars for mobile devices.

CLICK 2 [Distributed] Denial of Service (DOS / DDoS) attack services are focused on slowing or taking down target services or websites. There are many price variables, but the average monthly rate is less than $1,000 USD. Proxy services allow an attacker to route traffic through a local IP address range to defeat blocking of traffic from their country.

CLICK 3 Ransomware is sold as a kit and is also offered in an affiliate model where the kit maker takes a percentage of the ransomware profit of the attack. Spearphishing is usually priced by successful account takeover and costs between USD $100 and $1000. Compromised accounts usually come in bulk in very large blocks. Prices average around $1 USD per 1k accounts, and quality varies significantly (from 0.1% up to 20% of the username/password pairs may be valid). This is a snapshot of average prices; the actual prices fluctuate up and down, but you now have an idea of what can be bought/sold at what price.

Additional Information: This cheapness of resources makes the attacker ROI equation quite favorable. The cheapness is partially offset by the speculative nature of attacks (as not all pay off) and the risk of illegal activities (jail/fines/etc.), but it remains an incredibly lucrative opportunity space for criminals.

18 Yes, attack services are inexpensive
0days price range varies from $5,000 to $350,000 ATTACKS AGAINST THE PC ATTACKS AGAINST THE EMPLOYEES AND CUSTOMERS ATTACKER INFRASTRUCTURE COLLECTIVE KNOWLEDGE SERVICES AIDING THE “CASH OUT”

PRIORITIZE HYGIENE OVER ‘ZERO DAY’ DEFENSES Zero day vulnerabilities are expensive and impractical for many attacks. Focus first on critical security hygiene like rapidly applying security updates/patches (which have a much lower cost to attackers) has guidance from Microsoft + NIST + CIS + DHS NCCIC

Ransomware: $66 upfront Or 30% of the profit (affiliate model) Loads (compromised device) average price ranges PC - $0.13 to $0.89 Mobile - from $0.82 to $2.78

SHIFT FROM NETWORK TO ZERO TRUST STRATEGIES Attackers can easily evade traditional network defenses. You should shift security strategy towards ‘zero trust’ of your network that focuses on: Endpoint and Identity security capabilities as the front line; Data centric security that prioritizes highest value assets; Application / SaaS protections; Centralized access control (such as Microsoft’s Conditional Access).

Spearphishing services range from $100 to $1,000 per successful account take over Compromised accounts As low as $150 for 400M. Averages $0.97 per 1k. Proxy services to evade IP geolocation prices vary As low as $100 per week for 100,000 proxies.

Key Takeaway: These are strategic approaches we recommend based on what we have learned from studying the dark market data.

LIMIT EFFORTS TO RESTRICT TRAFFIC BY GEOGRAPHY Blocking IP addresses by geography (e.g. hostile countries) can be easily and cheaply evaded, so focus your security efforts elsewhere. Denial of Service (DOS) average prices day: $102.05 week: $327.00 month: $766.67

DDoS Protection FOR CRITICAL SERVICES Ensure that your business critical services have DDoS protection from the Azure platform or a capable 3rd party.

19 Pragmatic intelligence investment
SMSG Readiness 4/4/2019 Pragmatic intelligence investment ATTACKS AGAINST PCs ATTACKS AGAINST EMPLOYEES AND CUSTOMERS ATTACKER INFRASTRUCTURE COLLECTIVE KNOWLEDGE SERVICES AIDING THE “CASH OUT” Attacks are commoditized and cheap Complicates attack attribution Enables new entrants with affiliate models Recommend a two part strategy “Outsource” commodity threat intelligence Focus on developing your unique intelligence Which attackers would be interested in you What they would target What would damage your business/mission most

Key takeaway: We recommend that you (1) buy detection and response tools with “commodity” dark market intelligence already built in and (2) focus further intelligence investments on unique aspects of your business and mission. Security is challenging partially because attackers have access to specialized tools and services via dark markets.

CLICK 1 For this (and other reasons) Security has to be tightly focused on only the most effective activities with the highest security ROI. We recommend leveraging the investments Microsoft has already made into integrating actionable dark market intelligence into our products via the intelligent security graph rather than trying to do this yourself. We also recommend that you focus any intelligence investments on what you need to manage the unique threats to your industry or your organization. Microsoft’s intelligent security graph includes actionable dark market threat intelligence.

20 Machine Learning Helps overcome human limitations using large datasets
1. Scales out Human Expertise 2. Shines a light in human blind spots

Key Takeaway: Machine learning is a function of Artificial Intelligence (AI) that enables significant benefits for data analysis.

CLICK 1 Supervised ML can help scale human expertise across large datasets rapidly by having experts identify and tag patterns in a smaller subset and then apply the same logic over large datasets. For example, in our antivirus, for every sample analyzed by a Microsoft expert, we protect, on average, against 4,500 other malicious samples through our next-gen technologies like machine learning, automation, and heuristics.

CLICK 2 Unsupervised ML can help identify correlations and “clusters” of similar data that a human analyst might otherwise miss. One example is using an algorithm to cluster files into similar clusters and allowing the algorithm to determine the best features to do the clustering. Human experts can then add labels to the clustered results, which allows us to find similar malware files and clusters of completely unknown files.

21 Machine Learning also brings risks Must manage potential negative consequences
1. Can amplify human bias 2. Can inadvertently reveal private/secret information 3. Can miss critical context and implications (e.g. Confuse innocent “John Smith” with another “John Smith” with criminal record and same birthdate) 4. Can be fed false/malicious data Microsoft Mitigation Approach –

Key Takeaway: Like all technologies, Machine learning (ML) has potential risks and weaknesses. For security applications, this is mostly a concern of false positives (erroneous alerts) or false negatives (missed attack signals). Machine learning can amplify human bias; this is particularly true in supervised ML, where it relies on the initial judgement of human experts that is then scaled out across the larger datasets.

CLICK 1 2 – Private/sensitive information often correlates strongly to one or more ‘public’ attributes, so machine learning can inadvertently expose what was thought to be private or masked data. 3 – If datasets are incomplete or ambiguous, machine learning may conflate different objects together. 4 – Of particular concern to security is deliberate abuse of ML systems. Microsoft has anticipated that attackers will attempt this and built in mitigation measures to our use of machine learning. For more information, see

22 Machine Learning in Microsoft Security
We use machine learning extensively to: Reduce manual effort; Reduce wasted effort on false positives; Speed up detection. Examples: Defender ATP Antivirus - rapid detection and blocking of new threats; Azure - Rule recommendations for Application whitelisting; Azure - Threat detection via Malicious User Profiling, Compromised VM behavior.

Key Takeaway: Microsoft uses Machine learning (ML) extensively to increase security detection. Defender ATP Antivirus uses ML extensively; details are in the next slide.

Application Whitelisting - Azure Security Center uses machine learning to identify what the normal processes are for a server and recommends – Many VMs in the cloud have a dedicated purpose and thus should run a short, well-defined, and rarely modified list of applications. However, without the right protection on these VMs, anyone that gains unauthorized access to these VMs could potentially run any application to gain further access to the environment. Existing Application Whitelisting tools help to reduce a machine’s attack surface by allowing only authorized processes to run on the machine, but are hard to maintain such that critical authorized applications are able to run. This type of defense is not used frequently because of the management and maintenance overhead. Azure Security Center ML models identify stable VMs and the executables they routinely use. These are processed into recommendations of directories and file signatures to be allowed on the VMs. On top of that, we also cluster VMs into groups with similar recommendations, to allow for easier maintenance and manageability.

Threat Detection - Azure Security Center Malicious User Profiling - Malicious activity is often hard to detect with manually generated rules, due to complex attack patterns, diversity of valid VM activities, and the rapid improvement in attacking tools. Detecting malicious activity is even harder when each single execution in the activity cannot identify that the activity is malicious. To overcome these challenges, Azure Security Center uses ML to learn behavioral patterns of known malicious logins and execution sequences. These dynamically adapt to new attacks and hacking tools, and allow us to detect attacks on your Azure resources.

Compromised VMs - We developed a package of ML detections that help customers identify that their VMs may be compromised. These detections include detection of behavior that is consistent with typical post-compromise activity like outgoing port scanning, outgoing spam, outgoing DDoS, and more.
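The allowlisting idea in the notes above (learn the stable executable set per VM, then group VMs with the same set so one policy covers the group), as an added worked example. This is illustrative code written for this page, not the Azure Security Center algorithm, which the slide does not publish; the telemetry format, the "routine" and "stable" criteria, the sample VM names and the thresholds are all assumptions.

```python
"""Derive application allowlist recommendations from process-execution telemetry.

Added example, written for this page; it is not the Azure Security Center
algorithm (which the slide does not publish). The telemetry format, the
'routine' and 'stable' criteria and the thresholds are assumptions. The idea it
demonstrates is the one on the slide: a dedicated VM runs a short, stable set
of executables, so learn that set per VM, skip VMs that are not stable enough
to allowlist safely, and group VMs with identical sets so one policy can be
maintained for the whole group.
"""
from collections import defaultdict


def _build_sample_telemetry():
    """Constructed records of (vm, observation_day, executable_path)."""
    web_exes = [
        r"C:\Windows\System32\svchost.exe",
        r"C:\Windows\System32\inetsrv\w3wp.exe",
        r"C:\Windows\System32\conhost.exe",
    ]
    records = []
    for day in range(1, 8):  # seven days of observation
        for vm in ("web01", "web02"):
            records.extend((vm, day, exe) for exe in web_exes)
        # A developer box: svchost plus a different downloaded tool every day.
        records.append(("dev01", day, web_exes[0]))
        records.append(("dev01", day, rf"C:\Users\dev\Downloads\tool{day}.exe"))
    # A one-off run on web02 that should not end up in the recommendation.
    records.append(("web02", 3, r"C:\Temp\updater.exe"))
    return records


SAMPLE_TELEMETRY = _build_sample_telemetry()


def recommend_allowlist(records, min_day_fraction=0.8, min_routine_share=0.9):
    """Return (recommendations, unstable_vms).

    An executable is 'routine' for a VM when it ran on at least
    min_day_fraction of the days that VM was observed. A VM is 'stable' when at
    least min_routine_share of its executions came from routine executables;
    only stable VMs get a recommendation, because an allowlist learned from a
    churning machine would either block real work or be too broad to matter.
    """
    days_by_exe = defaultdict(lambda: defaultdict(set))   # vm -> exe -> {days}
    runs_by_exe = defaultdict(lambda: defaultdict(int))   # vm -> exe -> run count
    observed_days = defaultdict(set)                      # vm -> {days}
    for vm, day, exe in records:
        days_by_exe[vm][exe].add(day)
        runs_by_exe[vm][exe] += 1
        observed_days[vm].add(day)

    groups = defaultdict(list)  # frozenset(routine exes) -> [vm, ...]
    unstable = []
    for vm in sorted(observed_days):
        n_days = len(observed_days[vm])
        routine = {exe for exe, days in days_by_exe[vm].items()
                   if len(days) / n_days >= min_day_fraction}
        total_runs = sum(runs_by_exe[vm].values())
        routine_runs = sum(n for exe, n in runs_by_exe[vm].items() if exe in routine)
        if routine and routine_runs / total_runs >= min_routine_share:
            groups[frozenset(routine)].append(vm)
        else:
            unstable.append(vm)

    recommendations = [{"vms": vms, "allow": sorted(exes)} for exes, vms in groups.items()]
    recommendations.sort(key=lambda rec: rec["vms"])
    return recommendations, unstable


if __name__ == "__main__":
    recs, noisy = recommend_allowlist(SAMPLE_TELEMETRY)
    for rec in recs:
        print(rec["vms"], "->", rec["allow"])
    print("no recommendation (unstable):", noisy)
```

On the constructed telemetry web01 and web02 collapse into one group with a three-entry allowlist; the one-off updater on web02 is dropped because it ran on one day out of seven, and dev01 gets no recommendation because half of its executions come from non-routine tools. The "stable share" gate is the part worth keeping in mind: it is what prevents the maintenance burden the notes describe, since a policy is only proposed where the learned set actually covers nearly everything the machine does.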

23 Results from Machine Learning
A former rules-based Microsoft system scored 28% of logins as suspicious. With 1 billion logins per day = 280 million “suspicious” logins. After applying Machine Learning with rules, the rate dropped to less than 0.001%. Noisy Results: Company Proxy, Cellphone networks, Vacations/Travel.

Key Takeaway: This is an example of a corporate IT application of Machine learning to security that dramatically increased the accuracy of the system to the point where it was useful. Work by Mace et al., Microsoft

24 Machine Learning in Windows Defender AV
Client ML: Local ML models, behavior-based detection algorithms, generics, heuristics. Protection in milliseconds: Most common malware blocked by high-precision detection on the client. Cloud ML: Metadata-based ML models. Protection in milliseconds: ML powered cloud rules evaluate suspicious files based on metadata. Sample analysis-based ML models. Protection in seconds: A sample is uploaded for inspection by multi-class ML classifiers. Detonation-based ML models. Protection in minutes: Sample run in sandbox for dynamic analysis by multi-class ML classifiers. Big data analytics. Protection in hours: ML models and expert rules correlate signals from a vast network of sensors to classify threats.

Key Takeaway: This is an overview of how the antivirus capabilities in Windows Defender ATP work. Note that the multiple layers have dual benefits: Optimize the speed and efficiency of detection; Increase the difficulty of attackers abusing the machine learning because they would have to attempt to tamper with multiple different defense techniques.

25 Real world example – Dofoil / Smoke Loader
Client ML: Local ML models, behavior-based detection algorithms, generics, heuristics. Protection in milliseconds: Just before noon, behavior-based algorithms detected a massive campaign. Cloud ML: Metadata-based ML models. Protection in milliseconds: Most components of the attack were blocked at first sight by metadata-based ML models. Sample analysis-based ML models. Protection in seconds: Additional protection was provided by sample analysis-based ML models for some components. Detonation-based ML models. Big data analytics. On March 6, Windows Defender Antivirus blocked more than 400,000 instances of several sophisticated trojans. Other recent cases: Emotet | Bad Rabbit

Key Takeaway: This is an example of how cloud capabilities protected customers rapidly and automatically. How many people heard about this incident? (usually not many) Good! The cloud did its job!

Just before noon on March 6 (PST), Windows Defender Antivirus blocked more than 80,000 instances of several sophisticated trojans that exhibited advanced cross-process injection techniques, persistence mechanisms, and evasion methods. Behavior-based signals coupled with cloud-powered machine learning models uncovered and blocked this new wave of infection attempts. The trojans, which are new variants of Dofoil (also known as Smoke Loader), carry a coin miner payload.

CLICK 1 Within milliseconds, multiple metadata-based machine learning models in the cloud started blocking these threats at first sight.

CLICK 2 Seconds later, our sample-based and detonation-based machine learning models also verified the malicious classification. Within minutes, detonation-based models chimed in and added additional confirmation. Within minutes, an anomaly detection alert notified us about a new potential outbreak. After analysis, our response team updated the classification name of this new surge of threats to the proper malware families. People affected by these infection attempts early in the campaign would have seen blocks under machine learning names like Fuery, Fuerboos, Cloxer, or Azden. Later blocks show as the proper family names, Dofoil or Coinminer.

Within 12 hours, more than 400,000 instances were recorded, 73% of which were in Russia. Turkey accounted for 18% and Ukraine 4% of the global encounters.

26 You have to be able to spot that and quickly take action on it
Threat Prevention Threat Detection Response Lessons Learned At some point the adversary has to do something anomalous— You have to be able to spot that and quickly take action on it Key Takeaway: Adversaries have to act differently than normal users at some point. This forms the basis of attack detection. Adversaries can do a lot to mimic normal user behavior to avoid detection, but their objectives are different than standard users and they have to do something abnormal at some point

27 Making better decisions faster
4/4/2019 Making better decisions faster DEFENDER DECISION CYCLE (Investigation and Response Process): Observe, Orient, Decide, Act. DETECT RESPOND RECOVER. 1 Maximize Visibility: Internal – Sensor coverage completeness and diversity; External – Threat Feed Diversity and fidelity. 2 Reduce manual steps (and errors): Automate detection and response tasks; Integrate investigation tools. 3 Maximize human impact: Provide analysts with access to deep expertise and intelligence; Continuous Learning – Observe attacks and integrate learnings into defenses.

Key Takeaway: To make better decisions faster, Security operations should continually focus on maximizing visibility, reducing manual steps, and maximizing human impact. Your investigation process (in blue at the bottom) needs to….

CLICK 1 1. Maximize Visibility. Internal - Minimize internal blind spots by ensuring you have good coverage (as close to 100% as you can manage) as well as coverage of asset types (including identities, endpoints, email, cloud applications, on-premises datacenters, cloud datacenters, and data on cloud SaaS and PaaS applications). External – Ensure you have a diversity of threat feeds from external sources that gives you insight and context from the external environment of malware, attacks, attack websites, compromised passwords/identities, etc. Maximize the freshness and fidelity (relevant details) of the external threat sources you use.

CLICK 2 2. Reduce manual steps (and errors). Automate and integrate as many manual processes as possible to remove unneeded human actions that lead to slowdowns and potential human errors.

CLICK 3 3. Maximize human impact. For the places in the process where it makes sense to have human interaction (difficult choices, new decisions, etc.), you should ensure that your analysts have access to deep expertise and intelligence to make those decisions better. Additionally, ensure that learning is integrated throughout the process, up to and including consideration of when you would watch an attack unfold to learn its objective (long term value) vs. blocking it (short term value).

Additional Commentary: A common blind spot is to overly focus on network data without having visibility into data and identity patterns, leaving you susceptible to missing activities like credential theft attacks and data exfiltration.

28 Maximize internal visibility Apply Threat Insights Across Your Hybrid Cloud Estate
Cloud App Security Azure SQL Threat Detection Cloud Infrastructure Data on SaaS Azure AD Identity Protection Azure Security Center Threat Protection Threat Detection Security Appliances Identity Office 365 ATP gateway Anti-malware Windows Defender ATP Powered by the Intelligent Security Graph Azure Advanced Threat Protection Private Cloud AND On-Premises Infrastructure Windows Defender ATP Office 365 Threat Intelligence Windows Defender AV Key Takeaway: Microsoft invests in a number of technologies to help organizations better detect and respond to threats. Microsoft has built detective controls to enable better and faster detection and investigation across the attack phases that could show up in an attack chain (kill chain). We won’t be going over all of the technology names, but they are included here for your reference CLICK 1 Many of these capabilities include intelligence reports and malware analysis that appear based on the actual detected attacks to help provide the right context “just in time” to speed the analyst investigation and remediation processes. CLICK 2 Additionally, we provide professional services to help you respond to an active incident or to proactively hunt for hidden adversaries in your environment. INTELLIGENCE AND ANALYSIS Professional Services Cybersecurity Operations Service (COS) Incident Response and Recovery Services Hunt for threats and persistent adversaries in your environment Respond to Threats with seasoned professionals and deep expertise

29 Microsoft threat protection
SIEM Integration Product and Cross Platform Integration Office Threat Intelligence Machine Learning and UEBA Key Takeaway: These are areas where Microsoft can help with threat protection Community Effect Incident Response and Hunting Summary and Close 

30 Automate and enable threat protection
File Behavior Analysis (Sandbox Detonation or Realtime Monitoring) Isolate machine from network On Demand Detonation Malicious URLs and IP addresses Remove Malware Automated Response and Recovery OWASP Top Risks (SQL Injection, XSS, etc.) Block and Clean Attack Timeline Generation Anti-malware Self-Service Password Reset Event Correlation and Dynamic Queries Machine Learning Blocking Risky Events Anomaly Detection Refine Detections and Preventions Attack Impact analysis Quarantine Shared Sensitive Data User and Entity Behavior Analytics Observe Adversary Operation

Key Takeaway: Microsoft has been investing in automating threat protection and integrating key techniques and technology. We won’t be going over each of these in detail, but can share a couple of key observations. Microsoft has been integrating security automation across our capabilities. We did not have room on the slide for all of our capabilities, particularly the large set of preventive controls. Many of the same approaches and technologies can be used to both prevent and detect attacks.

Cloud offers powerful logging and analysis – Combining logs from a mature SaaS application like Office 365 with a CASB analysis capability like Cloud App Security creates a dramatically better capability “out of the box” to follow adversary operations and assess potential or actual business impact of an attack (down to the document level) vs the manual and inconsistent process of many on-premises organizations.

Attack Impact Analysis (bottom of respond column) – for example, if an account is compromised for a period of time (e.g. 10 days), you can review what documents were accessed and more easily assess the business impact of an attack. Observe adversary operation (bottom of respond column) – using the same Office 365 data and CAS analysis, we can more quickly determine the attacker’s ultimate objective by observing what documents they access or modify.

Additional Reference information

Prevent – File Behavior Analysis: Office 365 ATP has the ability to block unsafe executables after analyzing them in a sandbox ‘detonation chamber’. Windows Defender AV performs file behavior analysis to block based on signatures (of various types including machine learning) as well as signals from Defender ATP where you identify files as malicious.

Prevent – Malicious URLs and IP addresses: Office 365 ATP blocks email from known bad senders, IPs, and URLs sourced from the intelligent security graph. Many familiar security capabilities from our partners in the Azure Marketplace include the ability to integrate external threat intelligence feeds.

Prevent and Detect – OWASP Top Risks: Azure Web Application Firewall prevents and detects attacks using the OWASP core rule sets. Many familiar security capabilities from our partners in the Azure Marketplace include the ability to prevent or detect OWASP attacks using similar means.

Prevent and detect – Anti-malware: Office 365 ATP uses multiple antivirus engines to scan inbound email to prevent and detect known threats. Windows Defender AV detects, blocks, and cleans up files based on signatures sourced from the intelligent security graph.

Prevent and Detect - Machine Learning (ML): Office 365 ATP uses ML to analyze inbound emails for suspicious patterns. Azure AD can block risky logons based on high/medium/low risk scoring from Azure AD Identity Protection.

Prevent – Quarantine shared sensitive data: Cloud App Security can quarantine access to sensitive files that are overshared (e.g. highly confidential information that is accessible by the public).

Detect – File Behavior Analysis: Windows Defender ATP performs live file behavior analysis as files are executed on a system to alert security analysts.

Detect – Malicious URLs and IP addresses: Many capabilities across the Microsoft portfolio and our partners in the Azure Marketplace integrate malicious URLs and IP addresses into their threat detections.

Detect - Machine Learning: Many capabilities across the Microsoft portfolio and our partners in the Azure Marketplace integrate machine learning into threat detections.

Detect – User and Entity Behavior Analytics: Each of these capabilities has integrated anomaly detection based on the normal behavior of individual users: Azure AD (for Azure Active Directory accounts); Cloud App Security (for SaaS usage); SQL Threat Detection (for SQL users and admins); Azure Advanced Threat Protection (ATP) (for Active Directory).

Respond - File Behavior Analysis: Windows Defender ATP allows you to send any files or URLs into deep collection and analysis (“detonation”) during an investigation to identify if they are malicious.

Respond – Automated Response and Recovery: Windows Defender ATP includes automated investigation and remediation functionality (based on technology from the Hexadite acquisition). These workflows are based on the investigation methods of highly skilled analysts and can be configured to automatically remediate or to execute only after approval of your analysts.

Respond - Attack Timeline Generation: Azure Security Center automatically correlates multiple related alerts into a single security incident that analysts can rapidly understand and manage. ATA generates visual timelines for security incidents that analysts can navigate (and integrates with Windows Defender ATP [roadmap] and Office 365 ATP [roadmap]). Windows Defender ATP automatically creates a timeline (including file execution history) for you to investigate attacks (and directly integrates with Office 365 ATP [available now] and ATA [roadmap]). Office 365 ATP allows you to navigate back and forth with Windows Defender ATP attack timelines [available now] and ATA [Roadmap].

Respond - Event Correlation and Dynamic Queries: Azure Security Center (former OMS capabilities) allows you to dynamically pivot through event data for both on-premises and cloud assets during an investigation (narrow or broaden search fields visually, add fields to query, etc.).

Respond – Attack Impact analysis: CAS allows investigators to rapidly determine the impact of a compromised account on cloud data/application assets using the log history on API managed services like Office 365.

Recover – Isolate machine from network, remove malware: Windows Defender ATP allows you to isolate computers from the network or remove malware during an investigation or recovery operation.

Recover – Block and Clean: Office 365 ATP allows you to block or clean malicious email from mailboxes. This cleanup happens automatically for signature updates using the ZAP feature.

Recover – Self-Service password Reset: Azure Active Directory offers self-service password reset to help recover control of accounts.

Recover - Refine Detections and Preventions: Azure AD allows you to refine your conditional access rules to manage both security/detection needs and user productivity needs. ASC (former OMS capabilities) allows you to update queries and detections based on learnings from attacks targeting you. CAS allows you to tune your policy and detections to your organization's needs. Office 365 ATP allows you to adjust settings to meet both productivity and security needs (e.g. run attachments through the detonation sandbox, but send immediately with a placeholder for the attachment until the process is complete). Office 365 Threat Intelligence’s Threat Explorer allows you to explore messages/campaigns/attacks against Microsoft, and then update the hosted connection filter policy to block IPs implicated in the campaign from sending to Microsoft. (Log in to O365 as an Admin > Security and Compliance Center > Threat Management > Threat Explorer.) Many familiar security capabilities from our partners in the Azure Marketplace include the ability to customize detections.

Recover - Observe Adversary Operation: CAS allows investigators to monitor an ongoing attacker operation to identify the attacker’s objective using the log history on API managed services like Office 365.

PROTECT DETECT RESPOND RECOVER Azure AD Identity Protection Azure ATP / Identity Manager Office 365 ATP Windows Defender ATP / Defender AV Microsoft Cloud App Security Azure Security Center Azure Web App Firewall / SQL Threat Detection Azure Marketplace Partner Capability

1 2 2 Threat Prevention Threat Detection Response 3 Lessons Learned Goal: Increase attacker cost as rapidly and efficiently as possible STRATEGIC IMPERATIVES 1 Prevent as many threats as possible (Best Security ROI when available) 2 Rapidly Detect and Respond (highest coverage of assets/scenarios) 3 Continually apply learnings (continuous attack cost increase) Key Takeaway: We recommend a balanced and pragmatic approach focused on increasing the cost of attacks for cybercriminals In summary, Microsoft is here to help you raise the cost of attacking your environment. Committed to your success Accelerate your ability to manage threats by providing secure platforms and products, security capabilities, services, and recommendations

32 Questions?

33 References

34 Integrating with your SIEM Two different approaches to connect to your existing SIEM tool and processes 1. Graph Security API SIEM Integration - Solutions already Integrated - 2. Individual Capabilities Windows Defender ATP Azure Advanced Threat Protection Office 365 Cloud App Security Azure SIEM Integration (includes Azure AD) Key Takeaway: Microsoft recognizes that many security organizations need SIEM integration and offers integration capabilities

35 Additional Resources – Threat Protection
Incident Response Reference Guide (IRRG) - Updates to Windows Hello for Business – Video Updates to Windows Defender ATP's EDR - Blog Office 365 Attack Simulation - Video | Documentation Privileged Access Management in O365 – Video Shielded VMs for PAWs access-workstation-paw-solution/ Microsoft Azure Security Response in the Cloud

36 Advanced Threat Protection Videos
WDATP Automated investigation and response [YouTube link]: Animation shows how Windows Defender ATP frees up time for them to do more advanced hunting and strategic work by automating investigation and response tasks. WDATP Secure Score [YouTube link]: Animation shows how Windows Secure Score helps organizations to stay more secure using PowerBI reports to easily look for CVEs and automatic pushing of Emergency Outbreak Updates. WDATP & Azure AD & Intune integration [YouTube link]: Animation shows how Microsoft Intune will receive the device risk level from Windows Defender ATP and CA will block access to data until the threat is remediated (and the device conforms with policy again). OATP & WDATP detection sharing [YouTube link]: Video shows how Microsoft 365 Threat Protection shares signals through the Intelligent Security Graph (ISG) to better protect our customers.

37 Advanced Threat Protection (ATP)
Security Operations Center (SOC) Software as a Service Cybersecurity Reference Architecture May 2018 – | Video Recording | Strategies Vulnerability Management MSSP SIEM + Analytics Cybersecurity Operations Service (COS) Office 365 Dynamics 365 Incident Response and Recovery Services Secure Score Azure Security Center Windows Defender Office 365 Security & Compliance Azure Customer Lockbox This is interactive! Present Slide Hover for Description Click for more information Roadmaps and Guidance Securing Privileged Access Office 365 Security Rapid Cyberattacks (Wannacrypt/Petya) Cloud App Security Advanced Threat Protection (ATP) Identity & Access Graph Security API (Public Preview) Information Protection Azure Active Directory Alert & Log Integration Conditional Access – Identity Perimeter Management Clients Hybrid Cloud Infrastructure Microsoft Azure 3rd party IaaS Cloud App Security Multi-Factor Authentication MIM PAM Azure AD PIM Hello for Business Azure AD B2C Azure AD B2B Azure AD Identity Protection Leaked cred protection Behavioral Analytics Unmanaged & Mobile Devices On Premises Datacenter(s) Azure Information Protection (AIP) Discover Classify Protect Monitor Hold Your Own Key (HYOK) AIP Scanner Azure Security Center – Cross Platform Visibility, Protection, and Threat Detection Just in Time VM Access Configuration Hygiene Security Appliances Adaptive App Control NGFW Intune MDM/MAM Classification Labels Extranet IPS Edge DLP SSL Proxy Azure Key Vault Application & Network Security Groups Azure WAF Azure Antimalware Disk & Storage Encryption DDoS attack Mitigation+Monitor Backup & Site Recovery Azure Policy Confidential Computing Managed Clients Windows Server 2016 Security Windows 10 + Just Enough Admin, Hyper-V Containers, Nano server, and more… Express Route System Center Configuration Manager Office 365 Data Loss Protection Data Governance eDiscovery STATIC SLIDE VERSION (No Animations)

The Microsoft Cybersecurity Reference Architecture describes Microsoft’s cybersecurity capabilities and how they integrate with existing security architectures and capabilities. We recently updated this diagram and wanted to share a little bit about the changes and the document itself to help you better utilize it.

How to use it: We have seen this document used for several purposes by our customers and internal teams (beyond a geeky wall decoration to shock and impress your cubicle neighbors :-)

Starting template for a security architecture - The most common use case we see is that organizations use the document to help define a target state for cybersecurity capabilities. Organizations find this architecture useful because it covers capabilities across the modern enterprise estate that now spans on-premises, mobile devices, many clouds, and IoT / Operational Technology.

Comparison reference for security capabilities - We know of several organizations that have marked up a printed copy with what capabilities they already own from various Microsoft license suites (many customers don't know they own quite a bit of this technology), which ones they already have in place (from Microsoft or partner/3rd party), and which ones are new and could fill a need.

Learn about Microsoft capabilities - In presentation mode, each capability has a "ScreenTip" with a short description of each capability + a link to documentation on that capability to learn more.

Learn about Microsoft's integration investments - The architecture includes visuals of key integration points with partner capabilities (e.g. SIEM/Log integration, Security Appliances in Azure, DLP integration, and more) and within our own product capabilities (e.g. Advanced Threat Protection, Conditional Access, and more).

Learn about Cybersecurity - We have also heard reports of folks new to cybersecurity using this as a learning tool as they prepare for their first career or a career change.

As you can see, Microsoft has been investing heavily in security for many years to secure our products and services as well as provide the capabilities our customers need to secure their assets. In many ways, this diagram reflects Microsoft's massive ongoing investment into cyber security research and development, currently over $1 billion annually (not including acquisitions).

What has changed and why: We made quite a few changes in v2 and wanted to share a few highlights on what's changed as well as the underlying philosophy of how this document was built.

New visual style - The most obvious change for those familiar with the first version is the simplified visual style. While some may miss the "visual assault on the senses" effect from the bold colors in v1, we think this format works better for most people.

Interactivity instructions - Many people did not notice that each capability on the architecture has a quick description and link to more information, so we added instructions to call that out (and updated the descriptions themselves).

Complementary Content - Microsoft has invested in creating cybersecurity reference strategies (success criteria, recommended approaches, how our technology maps to them) as well as prescriptive guidance for addressing top customer challenges like Petya/WannaCrypt, Securing Privileged Access, and Securing Office 365. This content is now easier to find with links at the top of the document.

Added Section headers for each grouping of technology areas to make it easier to navigate, understand, and discuss as a focus area.

Added Foundational Elements - We added descriptions of some core foundational capabilities that are deeply integrated into how we secure our cloud services and build our cybersecurity capabilities; these have been added to the bottom. These include: Trust Center - This is where we describe how we secure our cloud and includes links to various compliance documents such as 3rd party auditor reports. Compliance Manager is a powerful (new) capability to help you report on your compliance status for Azure, Office 365, and Dynamics 365 for General Data Protection Regulation (GDPR), NIST and , ISO and 27018, and others. Intelligent Security Graph is Microsoft's threat intelligence system that we use to protect our cloud, our IT environment, and our customers. The graph is composed of trillions of signals, advanced analytics, and teams of experts hunting for malicious activities and is integrated into our threat detection and response capabilities. Security Development Lifecycle (SDL) is foundational to how we develop software at Microsoft and has been published to help you secure your applications. Because of our early and deep commitment to secure development, we were able to quickly conform to ISO after it was released.

Moved Devices/Clients together - As device form factors and operating systems continue to expand and evolve, we are seeing security organizations view devices through the lens of trustworthiness/integrity vs. any other attribute. We also re-organized the Windows 10 and Windows Defender ATP capabilities around outcomes vs. feature names for clarity. We also reorganized Windows security icons and text to reflect that Windows Defender ATP describes all the platform capabilities working together to prevent, detect, and (automatically) respond to and recover from attacks. We also added icons to show the cross-platform support for Endpoint Detection and Response (EDR) capabilities that now extend across Windows 10, Windows 7/8.1, Windows Server, Mac OS, Linux, iOS, and Android platforms. We also faded the intranet border around these devices because of the ongoing success of phishing, watering hole, and other techniques that have weakened the network boundary.

Updated SOC section - We moved several capabilities from their previous locations around the architecture into the Security Operations Center (SOC) as this is where they are primarily used.
This move enabled us to show a clearer vision of a modern SOC that can monitor and protect the hybrid of everything estate. We also added the Graph Security API (in public preview) as this API is designed to help you integrate existing SOC components and Microsoft capabilities. Simplified server/datacenter view - We simplified the datacenter section to recover the space being taken up by duplicate server icons. We retained the visual of extranets and intranets spanning on-premises datacenters and multiple cloud provider(s). Organizations see Infrastructure as a Service (IaaS) cloud providers as another datacenter for the intranet generation of applications, though they find Azure is much easier to manage and secure than physical datacenters. We also added Azure Stack capability that allows customers to securely operate Azure services in their datacenter. New IoT/OT section - IoT is on the rise on many enterprises due to digital transformation initiatives. While the attacks and defenses for this area are still evolving quickly, Microsoft continues to invest deeply to provide security for existing and new deployments of Internet of Things (IoT) and Operational Technology (OT). Microsoft has announced $5 billion of investment over the next four years for IoT and has also recently announced an end to end certification for a secure IoT platform from MCU to the cloud called Azure Sphere. Updated Azure Security Center - Azure Security Center grew to protect Windows and Linux operating system across Azure, on-premises datacenters, and other IaaS providers. Security Center has also added powerful new features like Just in Time access to VMs and applied machine learning to creating application whitelisting rules and North-South Network Security Group (NSG) network rules. Added Azure capabilities including Azure Policy, Confidential Computing, and the new DDoS protection options. 
Added Azure AD B2B and B2C - Many Security departments have found these capabilities useful in reducing risk by moving partner and customer accounts out of enterprise identity systems to leverage existing enterprise and consumer identity providers. Added information protection capabilities for Office 365 as well as SQL Information Protection (preview). Updated integration points - Microsoft invests heavily to integrate our capabilities together as well as to ensure use our technology with your existing security capabilities. This is a quick summary of some key integration points depicted in the reference architecture: Conditional Access connecting info protection and threat protection with identity to ensure that authentications are coming from a secure/compliant device before accessing sensitive data. Advanced Threat Protection integration across our SOC capabilities to streamline detection and response processes across Devices, Office 365, Azure, SaaS applications, and on Premises Active Directory. Azure Information Protection discovering and protecting data on SaaS applications via Cloud App Security. Data Loss Protection (DLP) integration with Cloud App Security to leverage existing DLP engines and with Azure Information Protection to consume labels on sensitive data. Alert and Log Integration across Microsoft capabilities to help integrate with existing Security Information and Event Management (SIEM) solution investments. Feedback We are always trying to improve everything we do at Microsoft and we need your feedback to do it! You can contact the primary author (Mark Simos) directly on LinkedIn ( with any feedback on how to improve it or how you use it, how it helps you, or any other thoughts you have. 
Windows Defender ATP Secure Score Threat Analytics Shielded VMs VMs Azure ATP Intranet Servers Azure Stack Azure SQL Threat Detection SQL Encryption & Data Masking Azure SQL Info Protection (Preview) Active Directory Privileged Access Workstations (PAWs) ESAE Admin Forest Network protection Credential protection Exploit protection Reputation analysis Full Disk Encryption Attack surface reduction Windows 10 Enterprise Security App control Isolation Antivirus Behavior monitoring S Mode IoT and Operational Technology Included with Azure (VMs/etc.) Premium Security Feature Windows 10 IoT Azure Sphere IoT Security Maturity Model Endpoint DLP Azure IoT Security IoT Security Architecture Security Development Lifecycle (SDL) Compliance Manager Trust Center Intelligent Security Graph

38 Platform security approach
REDUCE VULNERABILITY COUNT AND SEVERITY - Security Development Lifecycle (SDL); SD3+C: Secure in Design, Development, Deployment + Communications
INCREASE DIFFICULTY AND COST TO EXPLOIT - Platform Mitigations: Eliminate classes of vulnerabilities, Break exploit techniques, Contain damage, Prevent persistence, Limit exploit opportunity window
REDUCE TIME OF EXPOSURE - Rapid Response: Bug Bounty, Rigorous Testing, Response Center, Automatic Updates

Key Takeaway: Over the last 15+ years, Microsoft has been systematically reducing customer risk through platform security improvements. The first priority we tackled was to reduce the number and severity of security vulnerabilities in our products, which we accomplished by creating a security development lifecycle (SDL). We have published our SDL openly (including many tools we use internally) and it became the basis of the ISO standard on secure software development.

CLICK 1 Another top priority is to reduce the amount of time that any vulnerability is exposed. We pioneered automatic updates (known to many as “Patch Tuesday”), created a dedicated security response center (MSRC) to rapidly respond to reported issues, rigorously test security updates prior to release, and have also adopted a bug bounty program to reduce the incentive for security researchers to sell security vulnerabilities on the grey or black markets.

CLICK 2 We have also continued to work hard to reduce the opportunity for attackers to exploit vulnerabilities by investing in platform mitigations that eliminate entire classes of vulnerabilities, break exploit techniques, and architect the platform to contain damage and prevent malware persistence.

Additional Commentary
Rigorous Testing - From “…the Windows team works hard to ensure that they consistently deliver high quality updates that can be trusted by hundreds of millions of users. They conduct thousands of manual and automated tests that cover the core Windows functionality, the most popular and critical applications used by our customers, and the APIs used by our broad ecosystem of Windows apps and developers. The team also reasons over the data, problem and usage reports received from hundreds of millions of devices and triages that real world usage information to proactively understand and fix application compatibility issues as quickly as possible. With all of this context in mind, I want to acknowledge that even more work is needed to make updates easier to deploy and we have teams across the company hard at work improving the experience.”

39 Increase difficulty and cost to exploit
Key Takeaway: These numbers illustrate some of the progress we have made in increasing the difficulty and cost of exploitation for attackers. Many attackers reverse engineer the software updates we release to identify the vulnerability that was fixed so that they can exploit it quickly before organizations have a chance to deploy the updates. This graph shows how our platform mitigation investments have resulted in an overall decrease in the successful exploitation of vulnerabilities. See the blog link for additional details.

FROM BLOG: Mitigating arbitrary native code execution in Microsoft Edge

40 Rapidly detect and respond
HUMAN ATTACKER DECISION CYCLE: Observe, Orient, Decide, Act

Key Takeaway: Facing human cybercriminals instead of automated malware is more difficult due to human adaptability, but it also offers opportunities for security experts, because human adversaries operate at human speed, much slower than machines.

You are frequently managing a real-time conflict with a human adversary that operates in “real” time. While it's more difficult to deal with the human adaptability of attack operators vs. automated malware (such as worms and viruses), the one advantage you have is that they operate and decide at human speed, not computer speed.
Observe – The adversary first has to develop an understanding of your network through scans, reading documents, and other reconnaissance.
CLICK 1 Orient – Next they have to understand their options of attack.
CLICK 2 Decide – The adversary has to select the best option among those discovered.
CLICK 3 Act – The adversary then has to act on that option and execute it.
Each of these takes time and offers you the opportunity to disrupt the attackers.

Additional Information
In addition, these attack operators typically operate under a few conditions that would cause them to be cautious (and slow) in most scenarios:
Limited familiarity – Attackers frequently operate in many target environments and may not be intimately familiar with all aspects of your culture and practices.
Stealth motivation - While they may have access to automated attack tools, most of them want to avoid detection and the additional cost/delay/risk that being found and evicted would bring on them.
These steps may happen in a matter of seconds or may unfold over the course of days, months, and years.
See video on NSA TAO operations.

Get inside their OODA loop - Better and Faster Investigation and Response Decisions
DEFENDER DECISION CYCLE (Investigation and Response Process): Proactive vs. After the Fact

Key Takeaway – Your analysts need to make decisions better and faster to outmaneuver the adversary. Getting inside the attackers' OODA loop will rapidly raise the cost of attacking your environment. Your OODA decision cycle is the set of processes that map to Detect/Respond/Recover in the NIST framework.

CLICK 1 Your goal should be to move from an “after the fact” posture (cleaning up an existing adversary operation after they have achieved their initial objective) to a proactive posture where you are actively disrupting the attackers early in their attack process.

Additional commentary
Set realistic expectations for this goal: it will take a while to get fully proactive, but we should always strive to make progress on it.
Attack speed and the ability to disrupt will vary in several ways, including:
Kill Chain Stage - Some stages are slower and have more opportunity for disruption (e.g. compromising hosts is highly automated, but it's much more manual to explore an internal network, choose the next internal host to compromise, etc.).
Attack motivation - Maintaining invisibility also slows down attackers and makes them take more time. Long-term espionage can happen slowly, and we can use that slowness to our advantage. Ransomware and destructive attacks happen much quicker because they don't require stealth to be successful. This is analogous to the difference between a “smash and grab” grocery store robbery vs. a multi-year espionage campaign to steal specialized military technology/designs/etc.

42 Threat detection integrated across Microsoft 365
Threat detection integrated across Microsoft 365 - Faster remediation
Diagram labels: Office 365 ATP / Windows ATP / ATA. User protection - Office 365 ATP; Endpoint protection - Windows Defender ATP; Identity protection - Azure ATP.
Kill chain elements shown: User receives an email, opens an attachment, clicks on a URL, browses to a website, runs a program; Exploitation; Installation; Command & Control channel; Reconnaissance; Brute force an account; Lateral Movement; Domain Dominance.

Key Takeaway: This is how Advanced Threat Protection (ATP) technologies provide coverage for commonly seen kill chain elements. These technologies work together to enable analysts to detect threats across the kill chain and investigate across all three capabilities with the click of a mouse (see next slide for screenshots).
Email Protection - Office 365 ATP provides advanced threat protection technologies and investigation capabilities for email and other collaboration activities in Office 365.
Scope – Protections are applied to inbound and intra-organization email, to uploads of files to SharePoint, OneDrive, and Teams, and to links found in Office documents.
Protections – These include antimalware scanning, sandbox detonation of URLs and attachments, URL rewrites to protect against URLs that are made malicious after the inbound scan, and consideration of various other signals from the Microsoft Intelligent Security Graph.
Endpoint Protection – Windows Defender ATP provides host coverage with advanced endpoint detection and response (EDR) capabilities that provide deep visibility into advanced attacks, real-time and historical threat hunting, advanced detonation and analysis, automated response capabilities, and more.
Identity Protection – Azure ATP provides visibility into:
Common on-premises attack techniques like pass-the-hash/ticket/password, golden ticket, skeleton key and others.
Suspicious or anomalous user activities that may be attacker reconnaissance or account abuse.
Potential risk to sensitive accounts from lateral traversal techniques.

43 Investigate and respond to threats across our consoles
Investigate and respond to threats across our consoles
No blind spots anymore – Visibility across email, endpoint, and identity. Incorporate data from Office 365 ATP into the Windows Defender Security Center to conduct a holistic security investigation across Office 365 mailboxes and Windows Defender ATP endpoints. Investigate across the stack, without losing context.
Consoles shown: Office 365 Threat Explorer; Windows Defender Security Center; Azure Advanced Threat Protection (ATP).

Key Takeaway: Office 365 and Windows currently offer direct integration for investigations between the tools, greatly simplifying the investigation of attacks that span email and Windows clients.
Note: In order to get the integration between Windows Defender ATP and Office 365 Threat Explorer to work, customers need to have Windows 10 Enterprise E5 (to get WDATP) and Office 365 E5, or Office 365 E3 with Threat Explorer.

44 Integration to reduce investigation time and missed signals
Diagram: Azure Security Center monitors threats across a hybrid infrastructure (Azure + on-premises / other clouds; Windows + Linux). Zero Hour Auto Purge (ZAP) cleans mailboxes as new detections are released. Log Integration and Product Integration between Azure Security Center (Threat Protection, Threat Detection, Azure SQL, Security Appliances), Office 365 ATP (email gateway, anti-malware) and Windows Defender ATP, with Azure Advanced Threat Protection on the ROADMAP. Powered by the Intelligent Security Graph.

Key Slide Takeaway: A key priority is to integrate and streamline the incident detection and response process to give you an edge against active attacks. As discussed in the previous slide, Office 365 ATP and Windows Defender ATP already have direct integrations, and the next release of ATA will include identities as well.

CLICK 1 Zero Hour Auto Purge (ZAP), a feature of Exchange Online Protection, will automatically clean mailboxes (move mail to or from the junk folder) if a signature that matches the mail changes after it has been delivered (e.g. if something is found to be junk/phishing later, it will be moved to the junk folder).

CLICK 2 Azure Security Center (ASC) monitors threats in a modern hybrid infrastructure by collecting and analyzing events from Azure, on-premises hosts, hosts on other cloud providers, and other event sources. ASC has recently added the log analytics capabilities for on-premises and cloud datacenters that were formerly part of OMS Security, enabling a robust hybrid detection and investigation capability. This includes multiple sources:
Azure tenant alerts and logs are directly integrated into Azure Security Center (including Azure SQL threat detection).
Alerts from security appliances in the Azure Marketplace are integrated into Azure Security Center to give you visibility into them (but not full logs at this time).
Windows and Linux hosts (via agents) as well as syslog integration.
Integration between ASC and ATA is on the roadmap. Investigators can pivot easily across emails, hosts, and identities.

45 Integrating external context
Integrating external context with a connected defender community
CAPABILITY LEVEL (diagram): Basic Detection; Learning Organization; Externally Aware (THREAT FEED); Full Network Effect (INTELLIGENT SECURITY GRAPH, fed by MICROSOFT HUNTING TEAMS, OTHER ORGANIZATIONS, and YOUR ENVIRONMENT)

Key Takeaway: Microsoft has built capabilities to connect defenders together in a way that rapidly raises the cost of attacks for cybercriminals.
Basic Detection - Organizations that are able to detect their own incidents (vs. being notified by a government agency).
Learning Organization – Able to adapt information from those attacks to detect additional attacker activity.
Externally Aware – Organizations that purchase and integrate external threat feeds to learn from attacks on other organizations (though many times this data is stale, and the costs/challenges of integrating these feeds into processes are high).
Full Network Effect – Refers to an organization that is connected to a fully interactive two-way system like the Intelligent Security Graph. Detections and learnings from many organizations are automatically integrated and correlated into the Intelligent Security Graph and then automatically shared with other organizations.

Additional Commentary
Note that you don't have to do these in order; you can skip ahead and let the community do the bulk of the work.
No direct access to the graph is currently available; the graph is accessible through the products and technologies it powers, such as Azure Security Center, Windows Defender ATP, Office 365 ATP, Azure Active Directory, and many others.

Success criteria (slide footer): Maximize Visibility (Internal, External); Reduce manual steps (and errors) (Integrate, Automate); Maximize human analyst impact (Deep expertise and intelligence, Continuous Learning).

46 Microsoft incident response services
Microsoft incident response services (DESIGN)
INCIDENT RESPONSE (IR) - Discreet onsite engagement to investigate, identify affected systems, and report findings. Already ‘on retainer’ with Premier Support.
COMPROMISE RECOVERY - Develop and execute a recovery plan to: rapidly evict the attacker; perform critical hardening (limited); set up tactical monitoring.
CYBERSECURITY OPERATIONS SERVICE (COS) - Proactive engagement to hunt for adversary presence.
Flow shown: Incident Response (or an existing investigation) and COS (if an attacker is present) both lead to Compromise Recovery; once the immediate threat is evicted, the end state is No Known Adversary.

Key Takeaway: Microsoft offers several services to respond to security incidents, rapidly evict attackers, and resume normal operations. Incident Response is already available to customers with Premier support (which includes most large and medium-size customers). While there may not be enough funding on a contract to cover these services, the contract relationship needed to rapidly get access to phone and onsite support is included in the Premier support contract.

CLICK 1 After an investigation by Microsoft (or another qualified investigation), Microsoft services can engage to help with compromise recovery:
Rapid Eviction – Coordinated takeback event to eliminate attacker access.
Critical Hardening – Deploy critical mitigations to block command/control channels and commonly used attack vectors.
Tactical Monitoring – Rapidly deploy advanced detection tools to monitor attacker activity during and after eviction.
This takes you to the state of having no known adversary and feeds learnings from the incident into your security and modernization strategies.

CLICK 2 Additionally, Microsoft can be engaged to proactively hunt for adversaries using the same tools and methods we would use in an incident response, following the same recovery process in case an adversary is found.

CLICK 3 Microsoft took the learnings from these processes and collaborated with EY, Edelman, and Orrick to publish lessons learned and recommendations on the technical, operational, communications / public relations, and legal aspects of managing major incidents.
Learnings and Recommendations - Incident Response Reference Guide (Microsoft, EY, Edelman, Orrick). Feed learnings into strategic security and modernization plans.

47 Common attack steps and mitigations
Common attack steps and mitigations (diagram)
1 Phishing - Threat actor targets employee(s) via phishing campaign.
2 Compromise Device/Account - Employee opens attachment/link or types credentials into a fake web page.
2a Credential Theft and Abuse - Gathers stolen credentials to move laterally; increase access to your environment.
3 Access Data - Threat actors exfiltrate PII and other sensitive business data; access the same data as the employee.

Mitigating technologies shown on the slide:
Office 365 Advanced Threat Protection (ATP); Securing Privileged Access Roadmap; Incident Response (Professional Services); Azure AD Identity Protection; Windows 10 Credential Guard; Azure Advanced Threat Protection; Azure Security Center; Azure Monitor; …and more
EMS Technology: Intune conditional access; Windows Defender Advanced Threat Protection; Endpoint Detection and Response (EDR); SmartScreen URL and App reputation; Exploit Mitigations; …and more
EMS Technology: Azure Information Protection; Cloud App Security (CASB); Office 365 Data Loss Prevention features; Windows Information Protection. Azure Technology: Azure Security Center; Multi-Factor Authentication; Disk, Storage, SQL Encryption; Key Vault; …and more

Key Takeaway: This is a summary of a few of the key Microsoft technologies to mitigate against common attack chains.
