
Turning the tables talk delivered at CCISDA conference


Slides from my presentation at the CCISDA (California Counties) information technology conference this week. NOTE: hacking video I narrated has been removed for file size considerations.

  1. TURNING THE TABLES: Evolving cybersecurity strategies. Dean Iacovelli, Director, Secure Enterprise, Microsoft State and Local Government, deaniac@microsoft.com
  2. A LITTLE ABOUT ME – DEAN IACOVELLI. 13 years working with Microsoft State and Local customers. Roles:
     - First Chief Security Advisor for Microsoft State and Local
     - First Cloud Services Director; incubated the team of specialists on what would become Office 365
     - Currently Director of Secure Enterprise, managing a team of cybersecurity specialists focused on security for Office 365, Identity, Threat Protection, and Windows security
  3. ANATOMY OF A BREACH…OR SEVERAL
     - ENTRY: Phishing (spear, whaling, trusted user); Password (brute force, spray); Known vulnerabilities (OS, database, apps)
     - RECON: Target recon; Network traversal; Mailbox persistence; Device persistence
     - ESCALATION: Pass the hash; Pass the ticket
     - IMPACT: Own domain; Delete backups; Exfiltrate data; Redirect funds; Ransom; Botnet
  4. “THE STATE OF THE STATE” IN CYBERSECURITY
     - ASYMMETRICAL threat creates resource drain: a profit-motivated, well-resourced HUMAN adversary, with attacks getting cheaper
     - PERFECT STORM #1: They use your transparency against you
     - Attacks are becoming AUTOMATED, responses are not
     - PERFECT STORM #2: Second lowest security rating, second highest rate of attack (NPR)
     - Global shortage of cybersecurity talent
     - The cost can be enormous and it’s ASYMMETRICAL to org size – see OPM
     - Outcome? Only 5% of security alerts get investigated (Forbes)
     - CONCLUSION: Trying to solve the security problem at an individual org level with current approaches isn’t sufficient and may bankrupt your organization. So what can we do differently? Two arguments/ideas for your consideration.
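The “brute force, spray” password entry vector on the breach-anatomy slide is one place where the gap between automated attacks and human-speed responses shows up in practice. As an added example (not code from the deck or from any Microsoft product), the Python below applies two constructed thresholds to sample sign-in failures to tell a low-and-slow spray from a single-account brute force; the log format, addresses and thresholds are all assumptions.

```python
# Added example, not from the deck: label each source address whose failed sign-ins
# look like a password spray (few tries across many accounts) or brute force (many
# tries against one account). Log format and thresholds are constructed assumptions.
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <source_ip> <account> <result>"
SAMPLE_LOG = """\
2017-10-02T08:00:01 203.0.113.7 alice FAIL
2017-10-02T08:00:03 203.0.113.7 bob FAIL
2017-10-02T08:00:05 203.0.113.7 carol FAIL
2017-10-02T08:00:07 203.0.113.7 dave FAIL
2017-10-02T08:00:09 203.0.113.7 erin FAIL
2017-10-02T08:01:00 198.51.100.9 admin FAIL
2017-10-02T08:01:01 198.51.100.9 admin FAIL
2017-10-02T08:01:02 198.51.100.9 admin FAIL
2017-10-02T08:01:03 198.51.100.9 admin FAIL
2017-10-02T08:01:04 198.51.100.9 admin FAIL
2017-10-02T08:02:00 192.0.2.44 alice FAIL
2017-10-02T08:02:30 192.0.2.44 alice OK
"""

WINDOW = timedelta(minutes=10)  # failures counted from a source's first failure
SPRAY_MIN_ACCOUNTS = 5          # many distinct accounts from one source ...
SPRAY_MAX_PER_ACCOUNT = 2       # ... each tried only a few times (stays under lockout)
BRUTE_MIN_FAILS = 5             # many failures against a single account

def parse(log_text):
    rows = [line.split() for line in log_text.splitlines() if line.strip()]
    return [(datetime.fromisoformat(ts), ip, user, res) for ts, ip, user, res in rows]

def classify_failures(events):
    """Return {source_ip: set of labels} for sources matching either pattern."""
    fails = defaultdict(list)
    for ts, ip, user, res in events:
        if res == "FAIL":
            fails[ip].append((ts, user))
    findings = {}
    for ip, rows in fails.items():
        rows.sort()
        start = rows[0][0]
        per_account = Counter(u for ts, u in rows if ts - start <= WINDOW)
        labels = set()
        if len(per_account) >= SPRAY_MIN_ACCOUNTS and max(per_account.values()) <= SPRAY_MAX_PER_ACCOUNT:
            labels.add("password_spray")
        if max(per_account.values()) >= BRUTE_MIN_FAILS:
            labels.add("brute_force")
        if labels:
            findings[ip] = labels
    return findings
```

The benign source (one failure followed by a success) produces no finding, which is the false-positive case a threshold-only detector has to get right before it can drive an automated response.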
  5. 1. BEGIN MOVING TO A BEST-OF-BREED SECURITY PLATFORM
     - Complexity is the enemy of security: too many disparate “best of breed” solutions, too much data and little integration/coordination
     - If you choose to integrate these: significant cost and complexity
     - If not, humans become the integration and limit response time and decision quality, i.e. attacks at Internet speed, response at human speed
     - Need to begin moving to a security platform that is pre-integrated, identity-driven, policy-based
     - “Simplify the scope of EPP by using OS-embedded security features, such as disk encryption and USB device control, especially when migrating to Windows 10” – Gartner, “Redefining Endpoint Protection” report, Sep 2017
  6. FOUNDATIONS OF A MODERN SECURITY PLATFORM
     - AUTOMATION of insights and response
     - INTEGRATION of all components for coordinated response
     - MACHINE LEARNING and AI to separate signal and noise
     - CLOUD SCALE real-time threat intel
  7. ELEMENTS OF A MODERN SECURITY PLATFORM
     - Pillars: Identity; Devices; Apps and Data; Security Operations
     - Components: Azure Active Directory; Advanced Threat Analytics; O365 Advanced Threat Protection; O365 Threat Intelligence; Win 10 Identity Protection; Intune; Win 10 Threat Resistance; Win 10 Post Breach Analysis; Win 10 Info Protection; Azure Info Protection; Data Loss Prevention; Cloud App Security; Cyber Defense Operations Center; Digital Crimes Unit (DCU); Secure Score
     - Underpinned by the INTELLIGENT SECURITY GRAPH
  8. CYBERSECURITY REFERENCE ARCHITECTURE (diagram slide; the components below are listed as named on it)
     - Callouts: Nearly all customer breaches that Microsoft’s Incident Response team investigates involve credential theft; 63% of confirmed data breaches involve weak, default, or stolen passwords (Verizon 2016 DBR); 80%+ of employees admit using non-approved SaaS apps for work (Stratecast, December 2013)
     - Zones: Internet of Things; Unmanaged & Mobile Clients; Managed Clients; Sensitive Workloads; Extranet; Microsoft Azure; On Premises Datacenter(s); Colocation; Software as a Service; Enterprise Servers; Domain Controllers
     - Windows 10 Security: Secure Boot, Device Guard, Application Guard, Credential Guard, Windows Hello
     - Windows Server 2016 Security: Shielded VMs, Device Guard, Credential Guard, Just Enough Admin, Hyper-V Containers, Nano server, …
     - Privileged Access Workstations (PAWs): Device Health Attestation, Remote Credential Guard
     - Azure Security Center: Threat Protection, Threat Detection
     - Azure Information Protection (AIP): Classify, Label, Protect, Report
     - Office 365 ATP: Email Gateway, Anti-malware
     - Other named components: Azure Key Vault; System Center Configuration Manager + Intune; NGFW; EPP – Windows Defender; EDR – Windows Defender ATP; Mac OS; Multi-Factor Authentication; MIM PAM; Azure App Gateway; Network Security Groups; Azure AD PIM; Azure Antimalware; Disk & Storage Encryption; SQL Encryption & Firewall; Hello for Business; Windows Info Protection; VPN; VMs; Certification Authority (PKI); Incident Response; Vulnerability Management; Enterprise Threat Detection; Analytics; Managed Security Provider; OMS; ATA; SIEM; Security Operations Center (SOC); Logs & Analytics; Active Threat Detection; Hunting Teams; Investigation and Recovery; WEF; SIEM Integration; IoT; Identity & Access; UEBA; Intune MDM/MAM; Conditional Access; Cloud App Security; Office 365 DLP; Endpoint DLP; Structured Data & 3rd party Apps; DDoS attack mitigation; Classification Labels; ASM; Lockbox; Office 365 Information Protection; Legacy Windows; Backup and Site Recovery; Hold Your Own Key (HYOK); ESAE Admin Forest; PADS; IPS; Edge DLP; SSL Proxy; Security Development Lifecycle (SDL); Azure AD Identity Protection; Security Appliances
  9. 2. MOVE TO A CLOUD FIRST OR EVEN CLOUD ONLY POLICY
     - 1B annual spend on cyber security – TRANSFORMATIONAL economics of cloud let you pool risk and resources
     - Stay continuously patched and compliant
     - “Built in, not bolt on”
     - Intelligent Security Graph is a game changer
     - Certs AND a track record
     - “Gartner predicts that by 2018, increased security will displace cost savings and agility as the primary driver for government agencies to move to public cloud within their jurisdictions.” – Gartner 2016 prediction
  10. FINALLY, PLEASE REMEMBER… BRAKES ARE WHAT ALLOW THE CAR TO GO FASTER.
  11. Q & A
  12. THANK YOU! Dean Iacovelli, deaniac@microsoft.com
  13. ADVANCED THREAT ANALYTICS: Identify advanced on-premises security attacks before they cause damage
     - Behavioral analytics: machine learning baselines your environment, then scans for anomalies
     - Detection for known threats: forensic tools to search for known security attacks such as “pass the hash”
     - Focus on what’s important: clear, efficient, and convenient timeline feed that surfaces the right things along with recommendations for investigation and remediation
  14. OFFICE 365 ADVANCED THREAT PROTECTION
     - Reduce the threat of malicious content: move beyond signature-based defense to heuristic analysis and cloud-based pre-detonation of attack content
     - Increase understanding of threats: global visibility into real-time threat trends allows dynamic policy adjustment
     - Simplify management: single console for both cloud-side and client-side threat analysis
  15. OFFICE 365 THREAT INTELLIGENCE
     - Broad visibility into attack trends: billions of data points from Office, Windows, and Azure
     - Integrated data from external cyber threat hunters
     - Intuitive dashboards with drill-down capabilities
  16. WINDOWS 10 IDENTITY PROTECTION: Protecting user identities from theft and misuse
     - Windows Hello: enterprise-grade alternative to passwords; natural (biometrics) or familiar (PIN) as a means to validate a user’s identity; security benefits of smartcards without the complexity
     - Credential Guard: prevents theft of user credentials via common attacks like Pass-the-Hash (PtH); credentials are secured by placing them within a hardware-isolated container, safe even if the OS is compromised
  17. INTUNE: Manage and secure mobile productivity
     - Access management: conditional access; compliance enforcement; multi-identity support
     - Mobile device and app management: manage iOS, Android, and Windows devices; protect data in corporate apps with or without device enrollment
  18. WINDOWS 10 THREAT RESISTANCE – PRE-BREACH: Protect devices and networks with a comprehensive set of pre-breach defenses
     - Trusted boot: tamper-free boot via modern hardware (TPM/UEFI); automatically remediate and self-heal from any tampering
     - Device Guard: system hardening offers zero-day protection for the system core; next-gen app control ensures only trusted apps can run on the device
     - Windows Defender AV: integrated enterprise-grade protection against viruses, malware, spyware, and other threats (Source: AV-comparatives.org)
  19. WINDOWS 10 THREAT RESISTANCE – POST-BREACH: Windows Defender Advanced Threat Protection helps detect, investigate, and respond to advanced attacks
     - Built into Windows, cloud-powered: no additional deployment and infrastructure; continuously up-to-date, lower costs
     - Behavior-based, post-breach detection: actionable, correlated alerts for known and unknown adversaries; real-time and historical data
     - Unique threat intelligence knowledge base: unparalleled threat optics provide detailed actor profiles; first- and third-party threat intelligence data
  20. WINDOWS 10 INFORMATION PROTECTION: Protect business data when devices are lost or stolen and from accidental data leaks
     - BitLocker: highly customizable full-volume encryption; single sign-on experience on modern devices; easily manageable with advanced provisioning, reporting, and self-service recovery options for users
     - Enterprise data protection: business data containment for sensitive information; block docs from managed apps from being transferred to consumer apps; remotely wipe business data from a device while leaving personal data untouched
  21. AZURE INFORMATION PROTECTION: Better secure your sensitive information – anytime, anywhere
     - Persistent classification and protection: policy-driven classification and protection; data security regardless of where data is stored or shared
     - Visibility and control: data use/abuse tracking for IT and users; document revocation in case of unexpected distribution
     - Simple, intuitive for users: intuitive interface for users; integrated into common apps and services; in-product notifications help users make the right decisions
  22. DATA LOSS PREVENTION IN OFFICE 365: Detect, protect, and monitor your sensitive information
     - Detect: scan for sensitive information in Exchange, SharePoint, and OneDrive for Business; find over 80 sensitive content types (PII, credit card, HIPAA)
     - Protect: auto-encrypt docs, tie to forced authentication; block egress of sensitive data
     - Monitor: track policy violations through inbox reports
  23. CLOUD APP SECURITY: Enterprise-grade security for your cloud apps
     - Discover: gain complete visibility and context for cloud usage and shadow IT—no agents required
     - Control: shape your cloud environment with granular controls and policy settings for access, data sharing, and DLP
     - Investigate: identify high-risk usage and security incidents, detect abnormal user behavior, and prevent threats
  24. THE MICROSOFT CYBER DEFENSE OPERATIONS CENTER
  25. THE MICROSOFT DIGITAL CRIMES UNIT (DCU): Combining creative legal strategies, cutting-edge data analytics and public/private partnerships to fight cybercrime
     - Combat Internet fraud: partner with law enforcement globally to detect and prosecute Internet scammers
     - Botnet takedown: collect 250M records of sensor data per day to detect and locate global botnets; use a variety of legal and technical approaches to have them shut down or neutralized
  26. “SECURE SCORE” CLOUD BEST PRACTICE ANALYZER: Security analytics based on proven cloud security best practices
     - Baseline on what you own in Office 365: up to 60 different controls/practices are assessed
     - Reports deliver a plan for score improvement: see your score improve over time; export data to Excel for use in project management, task assignment, etc.
     - Global context: compare your score against other Office 365 organizations worldwide
  27. INTELLIGENT SECURITY GRAPH: Our most unique global asset in the fight, informed by trillions of feeds. Machine learning helps sort the signal from the noise. This signal is leveraged across all of Microsoft’s security services.
     - 450B monthly authentications
     - 18+B Bing web pages scanned
     - 750M+ Azure user accounts
     - Enterprise security for 90% of Fortune 500
     - Malware data from Windows Defender
     - Shared threat data from partners, researchers and law enforcement worldwide
     - Botnet data from Microsoft Digital Crimes Unit
     - 1.2B devices scanned each month
     - 400B emails analyzed
     - 200+ global cloud consumer and commercial services
