1
Cyber Security Defenses: What Works Today
4/15/2017 7:05 PM
SIA200 Cyber Security Defenses: What Works Today
Laura Robinson / Mark Simos / Roger Grimes
Principal Security Architect / Senior Consultant / Principal Security Architect
Microsoft Corporation
© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
2
MCS Cybersecurity Team – Who We Are
[Diagram: Cybersecurity cycle: Protect, Detect, Respond, Recover]
- Microsoft Windows Developers
- Red Team Members
- IR for major networks
- Microsoft Network Security Delivery Consultants
- Malware Analysts
- Forensic Investigators & Trainers
- Intelligence Officers
- Law Enforcement Officers
- Microsoft Security Support
- Corporate Compliance Managers
- Internet Security Researchers
3
MSIT’s ISRM ACE Team- Who We Are
Service Channels:
- Microsoft Internal: MSIT, MSN, Microsoft.com, Product Groups
- Microsoft External: MCS, Premier, Acquisitions, Global and Strategic Partners
Service Lines: Application Security, Infrastructure Security, Customized Solutions & Training
10+ years of tailored best practices and specialized intellectual property; unique knowledge transfer and value-add for Microsoft and its customers, partners and acquisitions
Global Delivery, staffed locations: United States (Redmond, ACE HQ), Canada, Europe, India, China, Australia
Functional capacity by specialization:
- Application Security: 30
- Infrastructure Security: 16
- Dedicated PMs: 3
- TOTAL: 49
Our Mission: to protect key assets by lowering overall information security risk for Microsoft and its customers through advisory services
4
Today’s Threat Environment…
5
US CIO Summit – Fall 2010
Determined Adversaries and Targeted Attacks (DA/TA) …AKA Advanced Persistent Threats (APTs)
- Think “organizations stealing data with full-time employees (FTEs),” not casual hackers or “viruses”
- If you are targeted, they want (and may already have):
  - Profiles of your people and organization
  - Who has access to what they want
  - Who are the IT admins
  - Who clicks on phishing emails
6
DA/TA Common Technical Tactics
- Gain control of your identity store
  - Public: admin rights, interesting projects/groups
  - Secrets: passwords/hashes
- Download terabytes of your data
  - Large initial exfiltration(s) typically
  - Then… target specific data (new/valuable/strategic)
- Hide custom malware on multiple hosts
7
Cyber Attack Techniques
- Targeting
- Phishing
- Pass the Hash
- Custom Malware
- Application Exploit
8
Pass The Hash
[Diagram: tiers Access: Users and Workstations; Data: Servers and Applications; Power: Domain Controllers]
- Bad guy targets workstations en masse
- User running as local admin is compromised; bad guy harvests credentials
- Bad guy starts “credentials crabwalk”
- Bad guy finds host with domain privileged credentials, steals them, and elevates privileges
- Bad guy owns network, can harvest what he wants
9
Pass the Hash with Windows Credential Editor (Security Research Tool)
Demo by Mark Simos, Solution Architect, Microsoft Consulting Services
10
Recommendations
- Know What Matters
- Effective Workstation and Server Defenses
- Protect Key Identities/Roles
- Employ The SDL
11
Protecting the Crown Jewels
- Do not try to protect all assets equally: you can’t
- Identify and protect intellectual property that is valuable to the organization and to potential attackers
  - Foreign and domestic competitors
  - Would-be competitors
  - Governments, etc.
“If you protect your paper clips and diamonds with equal vigor, you’ll soon have more paper clips and fewer diamonds” (attributed to Dean Rusk, US Secretary of State)
12
Protecting the Crown Jewels
[Venn diagram: What the defender values / What the defender protects / What the attacker wants]
Reference:
13
Protecting the Crown Jewels
- Identify the most important assets
- Protect them with the strongest security
  - Multi-factor authentication (smart cards, etc.)
  - Strict security requirements
  - Hardened systems
  - Asset Isolation
  - Concentric rings of security
14
Effective Workstation and Server Defenses
Protect Your Hosts. Effective defenses that minimize risk:
- Move users out of local admins groups
- Get current / stay current
- Implement exploit mitigation
- Patching, compliance, and configuration management
- End-user education
- Creative destruction
15
Get Current/Stay Current
- Java 6: ends side-by-side versioning
- Windows 7: Standard User
- Adobe Flash Player 11: SSL support, random number generator
- Office 2010: XML file format, Protected View
- Adobe Acrobat Reader X: applied Microsoft SDL, Protected Mode
- Internet Explorer 9: SmartScreen Filter, Protected Mode
- Adobe SPLC:
16
Better Patching
- Not just OS patches, but Java, Adobe Reader, Flash, plug-ins, apps
- Firmware
- Appliances are often running publicly known vulnerable versions of software
  - Make sure the devices and appliances that protect your network aren’t gateways into your network
- Printers
17
Enhanced Mitigation Experience Toolkit (EMET)
- No application re-compile required
- Mitigations apply to the opted-in application and its plug-ins
- Recommend:
  - Opt in apps that process internet/untrusted content
  - Test for application compatibility
18
Effective End-User Education
- Do your end-users know that the most likely way they can be exploited is visiting the web site they trust the most? Or reading a PDF file?
- Does your current end-user education teach end-users what their antivirus software looks like?
- Does your current end-user education contain these points? If not, it should
- Phish-me type tests
19
Asset Isolation: Firewalls are old news
- Do traffic analysis: who needs to talk to what?
  - Should server A speak to server B?
  - Should workstation A be able to connect to all servers?
- If not, isolate! Use any method you like (e.g., routers, firewalls, IPsec, etc.)
- A great way to notice DA/TAs
20
Creative Destruction
Gartner term for a method of decommissioning legacy applications and systems
- Catalogue: application portfolio, application functionality
- Identify redundancies
- Create new specs
- Create application(s) with desired functionality
- Identify Cloud provider
- Pipe application data to Cloud
- Decommission legacy applications and systems
21
Protect your AD and Key Identities
- Practice credential hygiene
- Implement multi-factor authentication
- Reduce broad and deep privileges
22
- Privileged accounts log onto sufficiently secured hosts
  - Separate internet risk from privileged credentials
  - Can require detailed design/re-design of privileges, host security, and logon rights GPOs
- Rule of Thumb: protect admin workstations at the same level as the servers/apps administered by the accounts using them
  - Domain Admin logs on to an internet-connected workstation = security of the entire domain is entrusted to that workstation
23
Compartmentalization
[Diagram: Secure Maintenance: Production Domain Admins; High Business Impact (HBI) Server Admins; Server Admins (SQL Admins, Exchange Admins, SharePoint Admins, …); Workstation Admins (Workstation Name); Cybersecurity cycle: Protect, Detect, Respond, Recover]
24
Multi-factor Authentication
- What you know (password, PIN, etc.)
- What you have (smart card, token, cell phone, etc.)
- Biometric measurement (fingerprint, retina, etc.)
- Ensure remote attackers can’t use identity over Internet
  - Physical attacks are more expensive and difficult
- Smart cards are natively supported by Windows
25
Privilege Reduction
Goals:
- Eliminate accounts that have both broad and deep privilege
- Have no permanent Enterprise Admins, Domain Admins, Administrators, or accounts with equivalent privilege
Why? Because it only takes one privileged account to:
- Leverage easy mechanisms
  - Use the privileged account to create additional accounts
    - Not just privileged, but VIP “mimicking” accounts
    - Accounts with backdoors into other accounts
  - Place malware and other binaries on DCs and member servers
  - Leverage existing management tools
  - Disable SID quarantining and/or selective authentication
  - Modify GPOs
  - Install backdoors in approved images/packages
- Or slightly harder mechanisms
  - sIDHistory manipulation
  - Migration APIs
  - Debugger attacks
  - Disk editors
26
Role-Based Access Controls (RBAC) for IT
- Least-privilege model for IT operations
- IT staff given multiple accounts
  - Staff with limited responsibilities typically have 2:
    - Regular user account
    - Support account that has been granted roles based on day-to-day work characteristics
  - Possible additional accounts (usually more with higher support tiers)
- NOT member of EA/DA/Administrators; no equivalent privileges
- Multi-factor authentication required
- Accounts denied workstation logon
- Defined “allowed to authenticate” systems
- RDP to secure “jump servers”/“bastion hosts” for management
  - Can leverage virtualization
  - Secure per-person jump servers that are restricted to each unique user and restarted after each use
[Diagram: Jane Doe (Help desk) and Jane Doe (Secure Maintenance)]
27
Privileged Identity Management
Mechanisms by which accounts are granted the temporary rights and privileges required to perform build or break-fix functions
- Time-bound
- Workflow generated, monitored and reported
  - May be given temporary username + password
  - May be temporarily placed in privileged groups
  - May operate through recorded portals
- Programmatic
- Privileged credentials are not permitted to stagnate or to be permanently available
  - Reduced attack surface
  - Checks and balances
  - Audit trails
28
Mechanics of RBAC (IT) and PIM
Multiple Approaches
For RBAC (IT):
- Powerful proxy accounts: not preferable; can potentially be secured using a subset of the Administrator account recommendations
- Defined roles with assigned rights and permissions: better approach
- Combinations of both
For PIM:
- Powerful proxy accounts: not preferable
- Temporary membership in privileged groups
- Password vaults
- APIs to replace hard-coded passwords
- Session management tools
- Local and service account management tools
29
Basic Principles: Roles vs. Temporary Privilege
For Day-to-Day Functions:
- Define roles
- Roles may have broad privilege (e.g., reset passwords across broad swaths of accounts) or deep privilege (e.g., can activate privileged accounts), but not both
In Build & Break-Fix Scenarios:
- Temporarily populate privileged groups in some cases (e.g., fixing a member server might grant support staff temporary local Administrators membership)
- Temporarily use built-in privileged accounts
- Consider broad vs. deep
Caveat: if role privileges are functional equivalents of built-in privileged groups, use time-bound population of groups rather than creating permanent roles with high privilege.
30
Sample Approach to Securing Built-In Administrator Accounts
In each domain:
- Set Administrator account flags:
  - Account is disabled
  - Smart card is required for interactive logon
  - Account is sensitive and cannot be delegated
- Audit and alert on any changes to the account
- Create/modify domain-level GPO: “Deny access to this computer from the network”
  - Does not prevent interactive logon in case of emergency
On member servers and workstations:
- Create/modify GPO:
  - Disable Administrator account
  - Audit and alert on changes to the account
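One way to script the domain-level account flags on this slide and to check that they stay set, as an added PowerShell example that is not part of the presentation. It assumes the ActiveDirectory module and a Domain Admin session; the “Deny access to this computer from the network” user right is a Group Policy user-rights setting with no cmdlet here and is left to GPMC, and the function names are the example's own.

```powershell
# Added example, not from the presentation. Assumes the ActiveDirectory
# module (RSAT) and a session with rights to modify the domain Administrator
# account. The "Deny access to this computer from the network" right is set
# in a domain GPO (Computer Configuration > Policies > Windows Settings >
# Security Settings > Local Policies > User Rights Assignment), not here.

function Get-BuiltInAdministrator {
    # The built-in Administrator always has RID 500, so look it up by SID;
    # this still finds the account if it has been renamed.
    $domainSid = (Get-ADDomain).DomainSID.Value
    Get-ADUser -Identity "$domainSid-500" `
        -Properties Enabled, SmartcardLogonRequired, AccountNotDelegated, LastLogonDate
}

function Set-BuiltInAdministratorHardening {
    # Applies the three flags from the slide. Supports -WhatIf so the change
    # can be previewed before it is made.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $admin = Get-BuiltInAdministrator
    if ($PSCmdlet.ShouldProcess($admin.DistinguishedName,
            'Disable account, require smart card logon, mark as not delegated')) {
        Set-ADUser -Identity $admin `
            -Enabled $false `
            -SmartcardLogonRequired $true `
            -AccountNotDelegated $true
    }
}

function Test-BuiltInAdministratorHardening {
    # Re-reads the account and reports each flag that has drifted from the
    # slide's baseline. Schedule this and alert on Compliant -eq $false;
    # real-time change alerting comes from the Security log (event 4738,
    # "A user account was changed") once account-management auditing is on.
    $admin = Get-BuiltInAdministrator
    $findings = @()
    if ($admin.Enabled)                     { $findings += 'Account is enabled' }
    if (-not $admin.SmartcardLogonRequired) { $findings += 'Smart card not required for interactive logon' }
    if (-not $admin.AccountNotDelegated)    { $findings += 'Account can be delegated' }
    [pscustomobject]@{
        Account   = $admin.SamAccountName
        LastLogon = $admin.LastLogonDate   # a recent value on a disabled account is worth investigating
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

# Usage: preview the change, then apply it and verify.
Set-BuiltInAdministratorHardening -WhatIf
Set-BuiltInAdministratorHardening
Test-BuiltInAdministratorHardening
```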
31
Takeaways
- Identify and protect important systems/data first
- Implement effective host defenses
  - Run standard users without local administrative access
  - Use multi-factor authentication
  - Anywhere Internet access and content is processed: deploy and configure EMET
  - Patch all OSes/applications
  - Start a creative destruction program
- Protect important credentials and accounts
  - Isolate from risks of Internet and lower trust hosts
  - Implement least-privilege approaches
32
Cyber Security Capabilities
- Detecting Threats: advanced tools to find new attacks; deep expertise hunting for the DHA
- Innovative Mitigations: make the most of your existing assets; new approaches to counter threats
- Custom Solutions: specialized development team; applying SDL to your development
[Diagram: Sensors & Intelligence; Response & Investigation; Recovery & Mitigations; Architecture & Advisory; Workshops; Advanced Programs]
33
ACE Offerings Comprehensive Approach Security Program
Security Architect Led & Program Manager Supported
Infrastructure Security:
- Active Directory Security Assessment (ADSA)
- Enterprise Host Security Assessment (EHSA)
- Public Key Infrastructure Security Assessment (PKISA)
- Credential Protection Training and Design
- Enterprise PKI Framework
- Custom Infrastructure Design
- Infrastructure Security Design Review
- Custom Assessments
Application Security:
- Dogfood Security Review
- Application Security Assessment
- Application Privacy Assessment
- Application Penetration Testing
- Vendor Maturity Assessment (VMA)
- ISO Security Assessment Service (ISAS)
- Venture Integration (VI) Security Assessments
- Application Security Architecture Assessment
- Azure Application Security Assessment
- Mobile Application Security Assessment
- Application Security Training
- Custom Application Security Programs
- Application Security Program Development
34
Related Content
- SIA300: Ten Deadly Sins of Administrators about Windows Security
- SIA301: Crouching Admin, Hidden Hacker: Techniques for Hiding and Detecting Traces
- SIA324: Defense Against the Dark Ages: Your Old Web Apps Are Trying to Kill You
- SIA308: Antimalware Smackdown
- SIA309: Windows 8: Malware Resistant by Design
35
Track Resources
- www.microsoft.com/twc
- www.microsoft.com/security