2016, A New Era of OS and Cloud Security - Tudor Damian

@ITCAMPRO #ITCAMP16Community Conference for IT Professionals
2016 – A New Era of OS and Cloud Security
Tudor Damian
Microsoft Cloud and Datacenter Management MVP
Certified Ethical Hacker
tudor.damian@avaelgo.ro / @tudydamian / tudy.tel

Many thanks to our sponsors & partners!
GOLD
SILVER
PARTNERS
PLATINUM
POWERED BY

• Overview of Security Trends
• Windows security on-prem & Cloud-enabled improvements
– Guarded Fabric
• Shielded VMs & Hypervisor Code Integrity (HVCI)
– Device Guard
– Provable PC Health (PPCH) Service
– Advanced Threat Analytics
– Windows Defender Advanced Threat Protection
– Azure Security Center
– Operations Management Suite
Agenda

INDUSTRY SECURITY TRENDS

The Evolution of Attacks
Volume and Impact
Script Kiddies
BLASTER, SLAMMER
Motive: Mischief
2003-2004
Ignite 2015 BRK2325

2005-PRESENT
Organized Crime
RANSOMWARE,
CLICK-FRAUD,
IDENTITY THEFT
Motive: Profit
Script Kiddies
BLASTER, SLAMMER
Motive: Mischief
2003-2004
Ignite 2015 BRK2325

2005-PRESENT
Organized Crime
RANSOMWARE,
CLICK-FRAUD,
IDENTITY THEFT
Motive: Profit
Script Kiddies
BLASTER, SLAMMER
Motive: Mischief
2012 - Beyond
Nation States,
Activists, Terror
Groups
BRAZEN,
COMPLEX,
PERSISTENT
Motives:
IP Theft,
Damage,
Disruption
2003-2004
Ignite 2015 BRK2325

Changing nature of cybersecurity attacks
Causing significant financial loss, impact to
brand reputation, loss of confidential data and
executive jobs
Compromising user credentials in the vast
majority of attacks
Today’s cyber attackers are:
Staying in the network an average of eight
months before detection
Using legitimate IT tools rather than malware
– harder to detect
Ignite 2015 BRK3870

Changing nature of cybersecurity attacks
Today’s cyber attackers are:
Causing significant financial loss, impact to
brand reputation, loss of confidential data and
executive jobs
Compromising user credentials in the vast
majority of attacks
Staying in the network an average of eight
months before detection
Using legitimate IT tools rather than malware
– harder to detect
Ignite 2015 BRK3870

Median number of
days attackers are
present on a victims
network before
detection
200+
Days after detection
to full recovery
80
Impact of lost
productivity and
growth
$3Trillion
Average cost of a data
breach (15% YoY
increase)
$3.5Million
“ THERE ARE TWO KINDS OF BIG COMPANIES, THOSE WHO’VE BEEN
HACKED, AND THOSE WHO DON’T KNOW THEY’VE BEEN HACKED.”
- J A M E S C O M E Y , F B I D I R E C T O R
Build 2016 B890

Timeline of discovery for cyber attacks worldwide
Hours, 9%
Days, 8%
Weeks, 16%
Months, 62%
Years, 5%
Hours Days Weeks Months Years
Source: Verizon

• Some Verizon DBIR findings
– The time to compromise is almost always days or less, if
not minutes or less
– 85% of breaches took weeks to discover
– 96% of breaches were not highly difficult
– 97% of breaches were avoidable through
simple/intermediate controls
– 63% of confirmed data breaches involved weak, default or
stolen passwords
– 95% of confirmed web app breaches were financially
motivated
• The 2014 DBIR report shows that 92% of the
100.000 incidents they’ve analyzed over the past 10
years can be described by just 9 basic patterns
Verizon Data Breach Investigations Report
Source: http://www.verizonenterprise.com/DBIR/

Pwn2Own 2014-2016
• Sandbox escapes or 3rd party code execution:
– Internet Explorer
– Edge
– Mozilla Firefox
– Google Chrome
– Adobe Flash
– Adobe Reader XI
– Apple Safari on Mac OS X
– Windows
– OS X
• 2014 - $850.000 total prize money, paid to 8 entrants
• 2015 - $557.500 total prize money, paid to 6 entrants
• 2016 - $460.000 total prize money
Sources:
http://www.eweek.com/security/pwn2own-2014-claims-ie-chrome-safari-and-more-firefox-zero-days.html
http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Pwn2Own-2015-Day-One-results/ba-p/6722204
http://www.securityweek.com/pwn2own-2016-hackers-earn-460000-21-new-flaws

• Heartbleed (2014)
• Shellshock (2014)
• BadUSB (2014)
• Equation Group (Kaspersky study, 2015)
• Lenovo’s Superfish (2014-2015)
• OAuth & OpenID Covert Redirect (2014)
• Poodle, Freak and Drown SSL attacks (2014-2016)
• Stagefright vulnerability (Android, 2015)
• XCodeGhost malware (iOS, 2015)
• Gemalto SIM cards (2015)
• GSM SS7 vulnerabilities (2014-2016)
Other recent “happenings” in the IT industry

• We have to stop focusing on preventing a data breach and
start assuming the breach has already happened
• Currently: a one-sided, purely preventative strategy
• Future: emphasis on breach detection, incident response,
and effective recovery
– Start thinking about the time when a breach will (almost inevitably)
occur in your infrastructure
– Be prepared for that!
Assume Breach - a change in mindset

GUARDED FABRIC
Shielded VMs, Hypervisor Code Integrity (HVCI)

Fabric, workloads, control plane
Fabric
manager
Workload
manager
Ignite 2015 BRK2482

Trust plane - isolated from fabric & control plane
Key
service
Ignite 2015 BRK2482

Virtual Secure Mode
•
•
•
•
•
•
•
•
•
VSM
Key
service
Ignite 2015 BRK2482

VSM
VM protected at rest, in transit
•
•
•
•
3. Deliver vTPM key
encrypted to
VSM
TPM
Key
service
Workload
manager
HSM
Ignite 2015 BRK2482

VSM
VM protected in execution
•
•
•
•

Key
service
Ignite 2015 BRK2482

VSM
Key
service
Trust in the environment
•
•
•
1. Attestation request:
TPM public key,
VSM public key,
UEFI secure boot log,
HVCI policy
2. Deliver
attestation certificate
Attestation
service
Ignite 2015 BRK2482

• Admin-trusted attestation
– Intended to support existing host hardware (no TPM 2.0 available)
– Guarded hosts that can run Shielded VMs are approved by the Host Guardian Service based on
membership in a designated Active Directory Domain Services (AD DS) security group
• TPM-trusted attestation
– Offers the strongest possible protections
– Requires more configuration steps
– Host hardware and firmware must include TPM 2.0 and UEFI 2.3.1 with secure boot enabled
– Guarded hosts that can run Shielded VMs are approved based on their TPM identity, measured
boot sequence and code integrity policies
Guarded hosts and Shielded VMs attestation
Ignite 2015 BRK2482

VSM Overview
Ignite 2015 BRK2325

• Uploading shielded VM
• Uploading secrets
• Bring-your-own-key with HSM
• Retrieving shielded VM
• Live migration
• Live storage migration
• Non-live migration
• Automatic scale-out
• Cluster failover
• Cross-datacenter, cross-trust migration
• Backup, disaster recovery
• Creating shielded VM from tenant’s template
• Creating shielded VM from third-party template
• Protected guest configuration
• Remote administration
• On-boarding and retiring servers
• Servicing host OS, hardware and firmware
• Managing HVCI policy for host software
• Isolating Guardian service in separate forest
• Remediating compromised and evicted host
• Administrator trust, non-attested
• Troubleshooting
All scenarios become secure, scalable & reliable

DEVICE GUARD

New challenges require a new platform
Ignite 2015 BRK2325

• (Sort of) an improved version of AppLocker
• Hardware Rooted App Control (runs in VSM)
– Enables a Windows desktop to be locked down to only run trusted apps, just like
many mobile OS’s (e.g.: Windows Phone)
– Untrusted apps and executables such as malware are unable to run
– Resistant to tampering by an administrator or malware
– Requires devices specially configured by either the OEM or IT
• Getting Apps into the Circle of Trust
– Supports all apps including Universal and Desktop (Win32)
– Trusted apps can be created by IHV, ISV, and Organizations using a Microsoft provided
signing service
– Apps must be specially signed using the Microsoft signing service. No additional
modification is required
– Signing service will be made available to OEM’s, IHV, ISV’s, and Enterprises
Device Guard
Ignite 2015 BRK2325

PROVABLE PC HEALTH (PPCH)

Today, health is assumed
• Unhealthy clients proliferate malware
1
Important resources
2
Ignite 2015 BRK2325

Windows Provable PC Health (PPCH)
• Cloud-based service
–Provides remote health attestation
–Can issue health state “claims”
• Blocks unhealthy devices to protect resources and
prevent proliferation
• Intune can provide conditional access based on PPCH
health state claims
• Available for use by 3rd party network access, security,
and management solutions
Ignite 2015 BRK2325

Provable PC Health overview
1
Important resources
2
3
5
4
Ignite 2015 BRK2325

ADVANCED THREAT ANALYTICS
Protecting corporate environments from advanced attacks

How Microsoft Advanced Threat Analytics works
Analyze1 After installation:
• Simple, non-intrusive port mirroring
configuration copies all AD-related traffic
• Remains invisible to the attackers
• Analyzes all Active Directory network
traffic
• Collects relevant events from SIEM
(Security Information and Event
Management) and information from AD
(titles, group memberships, and more)
Ignite 2015 BRK3870

ATA:
• Automatically starts learning and profiling
entity behavior
• Identifies normal behavior for entities
• Learns continuously to update the activities of
the users, devices, and resources
Learn2
What is an entity?
Entity represents users, devices, or resources
Ignite 2015 BRK3870

Detect3
Microsoft Advanced Threat Analytics:
• Looks for abnormal behavior and identifies
suspicious activities
• Only raises red flags if abnormal activities
are contextually aggregated
• Leverages world-class security research to
detect security risks and attacks in near real
time based on attackers Tactics, Techniques
and Procedures (TTPs)
ATA not only compares the entity’s behavior
to its own, but also to the behavior of
entities in its interaction path.
Ignite 2015 BRK3870

Abnormal Behavior
 Anomalous logins
 Remote execution
 Suspicious activity
Security issues and risks
 Broken trust
 Weak protocols
 Known protocol vulnerabilities
Malicious attacks
 Pass-the-Ticket (PtT)
 Pass-the-Hash (PtH)
 Overpass-the-Hash
 Forged PAC (MS14-068)
 Golden Ticket
 Skeleton key malware
 Reconnaissance
 BruteForce
 Unknown threats
 Password sharing
 Lateral movement
Ignite 2015 BRK3870

ATA Topology - Overview
Ignite 2015 BRK3870

Captures and analyzes DC network traffic
via port mirroring
Listens to multiple DCs from a single
Gateway
Receives events from SIEM
Retrieves data about entities from the
domain
Performs resolution of network entities
Transfers relevant data to the ATA Center
ATA Topology - Gateway
Ignite 2015 BRK3870

ATA Topology - Center
Manages ATA Gateway configuration
settings
Receives data from ATA Gateways and
stores in the database
Detects suspicious activity and abnormal
behavior (through Machine Learning)
Provides Web Management Interface
Supports multiple Gateways
Ignite 2015 BRK3870

ATA Interface Overview
Ignite 2015 BRK3870

WINDOWS DEFENDER
ADVANCED THREAT PROTECTION
Windows advanced threat detection, investigate and response

STRONTIUM attack case study

@ITCAMPRO #ITCAMP16Community Conference for IT ProfessionalsBuild 2016 B890

From: <attacker>@<email provider.com>
To: <victim>@<email provider.com>
Subject: Re: Mission In Central African Republic
*Dear Sir!*
Please be advised that The Spanish Army personnel and a large
number of the Spanish Guardia Civil officers currently deployed in
the Central African Republic (CAR) as part of the
European EUFOR RCA mission will return to Spain in early March
as the mission draws to a close.
Visit
for the additional info.
*Best regards,*
*Capt. <omitted>, Defence Adviser, Public Diplomacy Division
NATO, Brussels <attacker>@<email provider.com>
TARGET: Diplomat in the Middle East
hxxp://eurasiaglobalnews.com/90670117-spains-
armed-forces-conclude-mission-in-central-african-
republic/
Build 2016 B890

TARGET: NATO-Themed Spear Phish
hxxp://nato.int ->
hxxp://natoint.com
Build 2016 B890

ATTACK: Stages of a 0-day Attack
TimeStamp Alert Data
2015/04/08
10:11:54
Unknown URL Report hxxp:militaryadviser.org/hu/press-center/news/426728-ukraine/440136/
Initial Exploit URL (Flash 0day)
TimeStamp Alert Sha1 FileName Parent Process
2015/04/08
10:12:11
Win32/ContextualDropIETemp b22233684bc8aa939629f4cbebb18545c7121548 runrun.exe iexplore.exe
2015/04/08
10:12:11
#LowFiContextRundllAppdata ef1a7b1a92b7b00f77786b6a1bffc4e495ccf729 odserv.dll rundll32.exe
2015/04/09
06:34:04
#HackTool:Win32/WDigest.A!dha ca709ec79ee0518b77f161bc8bab8847c889cb88 psw.exe rundll32.exe
Kernel Mode Exploit (0day)
Stage 1: Backdoor
Stage 2: Pass-the-Hash Module
1
2
3
4
Build 2016 B890

Device Health
attestation
Device Guard
Device Control
Security policies
Built-in 2FA
Account lockdown
Credential Guard
Microsoft Passport
Windows Hello ;)
Device protection /
Drive encryption
Enterprise Data
Protection
Conditional access
SmartScreen
AppLocker
Device Guard
Windows Defender
Network/Firewall
Windows Defender
ATP
Device protection Information
protection
Threat resistance
Breach detection
Investigation & Response
Pre breach Post breach
Identity protection
The Windows 10 Defense Stack
Build 2016 B890

Powered by cloud
Machine Learning Analytics
over the largest sensor array
in the world
Universal end-point
behavioral sensor,
built into Win10,
with no additional
deployment
requirements
Enhanced by the
community of
researchers and
threat intelligence
Windows Defender ATP Overview
Build 2016 B890

Post breach detection
for advanced attacks
actionable, correlated,
real-time and historical for
known and unknown attacks
Easily investigate & explore
enterprise endpoints to
understand scope of breach
through rich machine
timeline and data pivoting
Self hunting across protected assets
search for current and historical
observables: machines, files, IPs,
or URLs across all endpoints.
Deep file analysis of files
observed on endpoints
Built-in threat intelligence
knowledge base
provides actor and intent
context for threat intel-based
detections, combining 1st and
3rd-party intelligence sources
Windows Defender ATP Features
Build 2016 B890

• Indicators of Compromise (IOCs)
– Monitoring “What (who) we know”
– Threat Intelligence database of known adversary and campaign IOCs
• Indications of Attack (IOAs)
– Monitoring “What (who) we don’t recognize – yet”
– Generic IOA Dictionary of attack-stage behaviors, tools, and techniques
Windows ATP Indicators
Build 2016 B890

Over1MMicrosoft
corporatemachines
Newcode,new
products,newfiles
Mostarelocal
admins
Hundredsoflabs,
malware enclaves
1.2BillionWindows
machinesreporting
1Mfiles
detonateddaily
Advanced
detectionalgorithms
&Statistical modelling
APThunters–
OSSecurity,Exploit&
MalwareResearchers,
&ThreatIntelligence
11MEnterprise
machinesreporting
2.5TURLsindexed
and600Mreputation
lookups
Why Microsoft is in a unique position
Build 2016 B890

AZURE SECURITY CENTER
Understand the security state of all of your Azure resources

• Understand the security state of Azure resources
• Use policies that enable you to recommend and monitor security
configurations
• Use DevOps to deploy integrated Microsoft and partner security
solutions
• Identify threats with advanced analysis of your security-related events
• Respond and recover from incidents faster with real-time security
alerts
• Export security events to a SIEM for further analysis
Azure Security Center enables you to:
AzureCon 2015 ACON205

Azure Security Center interface

• Compromised machines
• Failed exploitation attempts
• Brute force attacks
• Data exfiltration
• Web application vulnerabilities
• Advanced malware
• Achieve all this using:
– High volume of signals
– Behavioral profiling
– Machine Learning
– Global threat intelligence
• Constantly being expanded with new detection mechanisms
Finds attacks that might go undetected

Rich ecosystem of products and services

OPERATIONS MANAGEMENT SUITE
Transforming machine data into operational intelligence

```
Log Analytics Automation Backup DR and Data Protection Security
Microsoft Operation Management Suite
Simplified Management. Any Cloud, Any OS.

Gain visibility across your
hybrid enterprise cloud
Log Analytics Automation
Orchestrate complex and
repetitive operations
Availability
Increase data protection
and application
availability
Security
Help secure your
workloads, servers, and
users
OMS Solutions

Log Analytics
• Gain visibility across your hybrid enterprise cloud
• Easy collection, correlation, and visualization of your machine data
– Log management across physical, virtual, and cloud infrastructure
• Overview of infrastructure health, capacity, and usage
• Proactive operational data analysis
– Faster investigation and resolution of operational issues with deep insights
• Deliver unparalleled insights across your datacenters and public clouds, including
Azure and AWS
• Collect, store, and analyze log data from virtually any Windows Server and Linux
server source

Integrated search
• Combine and correlate any machine data from multiple sources
– Query, and filter the results by using facet controls.
– Automated data visualization
– Metrics pivoted around a particular problem areas
– Common search queries

Custom Dashboard
• Visualize all of your saved searches
– Custom or sample searches
– Customizable visual information
– Shareable across teams

Solution Packs
• Collection of logic, visualization and data acquisition rules
– Powered by search
– Metrics pivoted around a particular problem areas
– Investigate and resolve operational issues
– Can be added/removed and customized

Alert Management
• Expose your integrated System Center Operations Manager alerts
• Web based Alert visualization
• Integrated search for deeper analysis
• Common alert queries

Capacity Planning
• Plan for future capacity and trends using historical data
• VM utilization and efficiency
• Compute projection
• Storage utilization

Active Directory Assessment
• Using best practices and data collection, identify potential issues
• Security and Compliance
• Availability and business continuity
• Performance and security
• Upgrade, migration and deployment

SQL Server Assessment
• Security and Compliance
• Availability and business continuity
• Performance and security
• Upgrade, migration and deployment
• Operations and monitoring
• Change and configuration

Change Tracking
• Track every change on your system across any environment
• Configuration type change
• Software & application changes
• Windows Service changes

Azure Automation Dashboard
• Quick glance view of runbook health and status
– Active runbooks & total jobs
– Link into Azure Automation portal

Azure Backup and Recovery Dashboard
• Quick glance view of backup and protection status
– Registered servers
– Backup size & jobs status
– Link into Azure portal for backup and recovery

System Update Assessment
• Understand server update and patching status across your environment
• Servers missing security updates
• Servers not updated recently
• Types of updates missing

Malware Assessment
• Quickly define your servers malware status and potential threats
• Detected threats
• Protection status

Security and Audit
• Collect security events and perform forensic, audit and breach analysis
– Security posture
– Notable issues
– Summary threats

• Security Posture
– Quick glance showcasing server workload
and server security threats
– Computer growth change
– Account authentication
– Total system activities
– Processes executed
– Change in policy
– Remote IP Tracking
Security Solution Pack

• Notable issues
– Understand notable security issues,
and audit rate of change
– Failed account access
– Security policy and group changes
– Password resets
– Event log cleaning
– Lock-out accounts

• Security context
– Quick view of security positon across
your enterprise
– Active threats
– Patch status
– Software changes
– Service changes
– Critical and warning alerts

AND THAT’S NOT ALL OF IT…

Responsibility for Security in the Cloud era
Ignite 2015 BRK2482

Some other things to keep in mind
• Start using an “Assume Breach” approach
• UEFI Secure Boot and TPM support on your hardware
• Just-Enough/Just-In-Time Administration (coming in WS 2016)
• Azure Rights Management & Data Loss Prevention
• Azure AD Multi-Factor Authentication
• Windows Hello / Microsoft Passport
• Cloud App Security
• Etc. 

What to do next?
• Channel 9 - https://channel9.msdn.com/
– Ignite 2015 BRK2482 - Platform Vision and Strategy: Security and Assurance Overview
– Ignite 2015 BRK3870 - Microsoft Advanced Threat Analytics
– Ignite 2015 BRK2325 - A New Era of Threat Resistance for the Windows 10 Platform
– AzureCon 2015 ACON205 - New Azure Security Center helps you prevent, detect, and respond to threats
– Ignite New Zealand 2015 M235 - Automating Operational and Management Tasks in Microsoft
Operations Management Suite and Azure
– Build 2016 B890 – Windows Defender ATA
– … & others 
• Microsoft Virtual Academy - http://www.microsoftvirtualacademy.com/
• Try out & look at Windows Server 2016 TP5 & System Center 2016
• Look into the latest Azure/Cloud improvements
• Keep up with Security changes in the industry

THANK YOU! 
Contact: tudor.damian@avaelgo.ro / @tudydamian / tudy.tel

2016, A New Era of OS and Cloud Security - Tudor Damian

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (20)

Destaque

Destaque (13)

Semelhante a 2016, A New Era of OS and Cloud Security - Tudor Damian

Semelhante a 2016, A New Era of OS and Cloud Security - Tudor Damian (20)

Mais de ITCamp

Mais de ITCamp (20)

Último

Último (20)

2016, A New Era of OS and Cloud Security - Tudor Damian