Sony White House Anthem Lockheed Aramco Bushehr nuclear reactor NSA Hacked Facebook Hacked Apple,Google,Microsoft,

Presentation transcript:


4 Sony, White House, Anthem, Lockheed, Aramco, Bushehr nuclear reactor, NSA hacked, Facebook hacked, Apple, Google, Microsoft,

5 Information Protection · Secure Identities · Threat Resistance · Device Guard

7
• Combination of hardware + software security features
• Enables businesses to strongly control what is allowed to run
• Brings mobile-like security protections to the desktop OS, with support for existing line-of-business apps

8
• Hardware security
• Configurable code integrity
• Virtualization-based security
• Protects critical parts of the OS against admin/kernel-level malware
• Manageability via Group Policy, MDM, or PowerShell

9
• Secure Boot, including Secure Firmware Updates and Platform Secure Boot
• Kernel Mode Code Integrity (KMCI)
• User Mode Code Integrity (UMCI)
• AppLocker
Diagram (boot chain, bottom to top): ROM/Fuses → Bootloaders → Native UEFI → Windows OS Loader → Windows Kernel and Drivers → 3rd Party Drivers → User mode code (apps, etc.). Protections shown alongside each layer: Platform Secure Boot (ROM/Fuses and bootloaders), UEFI Secure Boot (Windows OS Loader), KMCI (kernel and drivers), UMCI and AppLocker (user mode code).

11
• Tightly managed
• Very well-defined software and hardware configurations
• Low churn
• No user, or standard user only
• Secure Boot restricted to only boot Windows
• Virtualization-based security (VBS) enabled
• Kernel mode code integrity protected by VBS
• User mode code integrity enforced

12
• Tightly managed
• Well-defined hardware configurations
• Managed software only
• Ideally standard user only
• Secure Boot restricted to only boot Windows
• Virtualization-based security (VBS) enabled
• Kernel mode code integrity protected by VBS
• User mode code integrity enforced

13 Corporate, lightly managed
• Multiple and varied hardware configurations
• User can install "unmanaged" software
• Standard or admin users
• Secure Boot may be restricted to only boot Windows
• VBS enabled
• KMCI may be protected by VBS
• Code integrity in audit mode

14
• Personally owned devices
• Highly variable hardware and software
• Secure Boot not required
• No VBS
• No enterprise code integrity policy

15
1. Know your target(s)
2. Use PowerShell cmdlets to create a policy from "golden" system(s); the policy defaults to audit mode. Merge multiple policies, or deploy differentiated policies
3. Deploy the policy in audit mode and test
4. Use PowerShell cmdlets to create a policy from the audit log and merge it with the original
5. Enable enforcement
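The five steps above, carried through end to end, as an added example that is not part of the slide deck and not Microsoft's own sample. It assumes a Windows 10 Enterprise reference ("golden") machine, an elevated PowerShell session, the in-box ConfigCI module (New-CIPolicy, Merge-CIPolicy, Set-RuleOption, ConvertFrom-CIPolicy), and the working directory C:\DG, which is an arbitrary choice:

```powershell
# Added example (not from the slides): Device Guard code integrity policy
# lifecycle on a golden Windows 10 Enterprise machine. C:\DG is an arbitrary
# working directory; run the whole thing from an elevated PowerShell session.

$Work = 'C:\DG'
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# Step 2: scan the golden system. -Level PcaCertificate trusts the issuing CA
# of each binary's signature; -Fallback Hash pins unsigned files by hash;
# -UserPEs includes user-mode binaries so UMCI rules are generated as well.
# New-CIPolicy sets rule option 3 ("Enabled:Audit Mode") by default.
New-CIPolicy -Level PcaCertificate -Fallback Hash -UserPEs `
    -FilePath "$Work\InitialScan.xml"

# Step 3: compile the XML to the binary format the kernel loads and deploy it
# to the local policy path. A reboot activates it (still in audit mode).
ConvertFrom-CIPolicy -XmlFilePath "$Work\InitialScan.xml" `
    -BinaryFilePath "$Work\SIPolicy.p7b"
Copy-Item "$Work\SIPolicy.p7b" "$env:SystemRoot\System32\CodeIntegrity\SIPolicy.p7b"
# Restart-Computer   # then exercise the line-of-business apps for a test period

# Check (during the test period): list what the policy would have blocked.
# Event 3076 in the CodeIntegrity operational log is the "allowed only because
# the policy is in audit mode" event.
Get-WinEvent -LogName 'Microsoft-Windows-CodeIntegrity/Operational' -ErrorAction SilentlyContinue |
    Where-Object Id -eq 3076 |
    Select-Object TimeCreated, Message -First 20

# Step 4: turn the audit events into a second policy (hash rules for the
# binaries that were observed) and merge it with the initial scan.
New-CIPolicy -Audit -Level Hash -UserPEs -FilePath "$Work\AuditPolicy.xml"
Merge-CIPolicy -PolicyPaths "$Work\InitialScan.xml", "$Work\AuditPolicy.xml" `
    -OutputFilePath "$Work\MergedPolicy.xml"

# Step 5: enable enforcement by removing rule option 3 (audit mode), then
# recompile and redeploy. From the next boot on, anything not covered by the
# merged policy is blocked rather than logged.
Set-RuleOption -FilePath "$Work\MergedPolicy.xml" -Option 3 -Delete
ConvertFrom-CIPolicy -XmlFilePath "$Work\MergedPolicy.xml" `
    -BinaryFilePath "$Work\SIPolicy.p7b"
Copy-Item "$Work\SIPolicy.p7b" "$env:SystemRoot\System32\CodeIntegrity\SIPolicy.p7b"
# Restart-Computer
```

Two practical notes: the 3076 check is worth running on every test machine, not just the golden one, because the merge in step 4 only covers what the audit log actually saw; and keep the XML files, since the binary SIPolicy.p7b cannot be edited or merged later.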


20
• Just as most malware is unsigned, so too are the vast majority of LOB apps
• "Codesigning is hard": decentralized LOB app development, lack of codesigning expertise
• Enterprises don't want to (and shouldn't) blindly trust all software from an ISV even if it is signed
• Windows 10 includes tools to enable IT to address codesigning for existing apps
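One way the "tools to address codesigning for existing apps" are used in practice: catalog-sign an unsigned LOB installer so the policy can trust it by signer rather than by a per-file hash that breaks on every update. This is an added example, not from the slides or from Microsoft's documentation; it assumes Windows 10 Enterprise (PackageInspector.exe ships in System32), signtool.exe from the Windows SDK on PATH, a hypothetical code-signing certificate "ContosoLobSigning" in the current user's certificate store with its public half exported to C:\DG\ContosoLobSigning.cer, a hypothetical installer C:\LOB\Setup.exe, and the policy XML at C:\DG\MergedPolicy.xml:

```powershell
# Added example (not from the slides): catalog signing for an unsigned
# line-of-business app. Certificate name, installer path and policy path
# are hypothetical placeholders.

$Out = 'C:\DG\Catalogs'
New-Item -ItemType Directory -Path $Out -Force | Out-Null

# 1. Record every file the installer writes to the system drive. Nothing
#    else should be installed between Start and Stop, or it ends up in the
#    catalog too.
PackageInspector.exe Start C:
Start-Process -FilePath 'C:\LOB\Setup.exe' -Wait       # install interactively
PackageInspector.exe Stop C: -Name "$Out\LobApp.cat" -cdfpath "$Out\LobApp.cdf"

# 2. Sign the catalog with the enterprise code-signing certificate (SHA-256
#    file digest; /n selects the cert by subject name from the user's store).
signtool.exe sign /n 'ContosoLobSigning' /fd sha256 /v "$Out\LobApp.cat"

# 3. Install the catalog into the system catalog store so the kernel can
#    match the app's binaries against it at load time.
Copy-Item "$Out\LobApp.cat" `
    "$env:SystemRoot\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\"

# 4. Trust this one signer for user-mode code in the CI policy. This is the
#    "don't blindly trust all signed software" point from the slide: the rule
#    is scoped to the enterprise's own signing certificate, not to "anything
#    with a valid Authenticode signature".
Add-SignerRule -FilePath 'C:\DG\MergedPolicy.xml' `
    -CertificatePath 'C:\DG\ContosoLobSigning.cer' -User

# Check: the installed binary should now verify as signed via the catalog
# (hypothetical install path).
Get-AuthenticodeSignature -FilePath 'C:\Program Files\LobApp\LobApp.exe' |
    Select-Object Status, SignerCertificate
```

After step 4 the policy has to be recompiled with ConvertFrom-CIPolicy and redeployed, exactly as in the enforcement step of the policy lifecycle. Catalogs are per build of the app, so every new LOB release needs a new catalog; the signer rule in the policy stays the same.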


24 Raising the bar for what runs in the kernel
• Windows 10 drivers must be signed by Microsoft
• Strong driver publisher identity verification via Extended Validation (EV) certificates
• Enterprises can enforce Windows 10 driver requirements via Device Guard policy
A signed Device Guard CI policy protects against the local admin
• Signed policy is stored in a pre-OS secure (UEFI) variable
• Requires a newer signed policy to update; cannot be deleted by an admin
• Becomes a "machine"-level policy, which means boot from media must also be compliant
• Measured into the TPM and part of device health attestation
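Producing the signed policy the slide describes, as an added example that is not part of the deck and not Microsoft's own sample. It assumes the enforced policy XML from the earlier workflow at C:\DG\MergedPolicy.xml, signtool.exe on PATH, and a hypothetical policy-signing certificate "ContosoDGPolicy" (carrying the Device Guard policy-signing EKU 1.3.6.1.4.1.311.79.1) in the user's store with its public half at C:\DG\ContosoDGPolicy.cer:

```powershell
# Added example (not from the slides): signing a Device Guard CI policy so
# that a local admin cannot remove it. Paths and certificate name are
# hypothetical placeholders.

$Pol = 'C:\DG\MergedPolicy.xml'

# Register the signing certificate as an *update* signer BEFORE signing.
# Once the signed policy is active, only a policy signed by a certificate
# listed as an update signer can replace it; leaving this out produces a
# policy that can only be cleared by deleting the UEFI variable from firmware.
Add-SignerRule -FilePath $Pol -CertificatePath 'C:\DG\ContosoDGPolicy.cer' -Update

# Remove rule option 6 ("Enabled:Unsigned System Integrity Policy") so the OS
# rejects any unsigned replacement policy.
Set-RuleOption -FilePath $Pol -Option 6 -Delete
# Optional hardening, since the policy now guards boot: remove option 9
# ("Enabled:Advanced Boot Options Menu") so F8 cannot be used to bypass it.
Set-RuleOption -FilePath $Pol -Option 9 -Delete

ConvertFrom-CIPolicy -XmlFilePath $Pol -BinaryFilePath 'C:\DG\SIPolicy.p7b'

# PKCS#7-sign the binary policy. /p7co sets the content OID to the Device
# Guard policy-signing EKU; the certificate must carry that EKU.
signtool.exe sign /v /n 'ContosoDGPolicy' /p7 'C:\DG' `
    /p7co 1.3.6.1.4.1.311.79.1 /fd sha256 'C:\DG\SIPolicy.p7b'

# signtool writes <input>.p7 into the /p7 directory; rename it back to the
# name the OS loads, then deploy. After the next reboot the signed policy is
# copied to the UEFI variable and measured into the TPM.
Move-Item 'C:\DG\SIPolicy.p7b.p7' 'C:\DG\SIPolicy.p7b' -Force
Copy-Item 'C:\DG\SIPolicy.p7b' "$env:SystemRoot\System32\CodeIntegrity\SIPolicy.p7b"
# Restart-Computer
```

Test the signed policy on a machine you can afford to re-flash first: the "cannot be deleted by admin" property on the slide applies to you as well, and a signed policy with a mistaken rule set is rolled back only by deploying a newer policy signed by one of its update signers.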

25
• Together, AppLocker and code integrity are the basis for enforcing code and application rules on Windows
• Think of code integrity as the bouncer at the door, and AppLocker as the bartender
• Code integrity is best used to express high-level trust (which signers and binaries may run at all)
• AppLocker allows for granular rules on top of that
• Managed through common management tools in Windows 10

26
• Service whitelisting for managing non-interactive processes
• AppLocker management now available via MDM and WMI

27 Provides a new trust boundary for system software
• Leverages platform virtualization to enhance platform security
• Limits access to high-value security assets from supervisor-mode (CPL0) code
Provides a secure execution environment to enable:
• Protected storage and management of platform security assets
• Enhanced OS protection against attacks (including attacks from kernel mode)
• A basis for strengthening protection of guest VM secrets from the host OS
Windows 10 services protected with virtualization-based security:
• LSA Credential Isolation
• vTPM (server only)
• Kernel Mode Code Integrity

28 Diagram (without virtualization-based security): Hardware (TPM 2.0, VT-x2, IOMMU) → Firmware (UEFI) → Host OS, kernel and user mode, all in a single "Normal World". KMCI runs in the same kernel as the malware, which greets it with "Howdy Peer!"

29 Diagram (with virtualization-based security): the hypervisor adds a "Secure World" behind a hardened boundary above the same hardware and firmware. KMCI now runs in the Secure World and is measured; malware in the Normal World kernel remarks "I thought we could be friends".

30
• CI rules are still enforced even if a vulnerability allows unauthorized kernel-mode memory access
• Memory pages are only marked executable if CI validation succeeds
• Kernel memory cannot be marked both writable and executable
• BUT... not all drivers will be compatible initially

