Post on 23-Jul-2020
Securing your credentials… in every cloud
chris.shalda@coretekservices.com
@ShaldaChris
Chris Shalda
Microsoft Solutions Architect
TODAY, YOU ARE EXPERIENCING A REVOLUTION OF CYBER-THREATS
Wall Street Journal, JP Morgan, White House, Bushehr nuclear reactor, RSA, Microsoft, Google, Apple, Facebook, Sony, Target, Heartland, eBay, ICANN, Home Depot
THE EVOLUTION OF ATTACKS
Volume and Impact
2003-2004: Script Kiddies (BLASTER, SLAMMER). Motive: Mischief
2005-PRESENT: Organized Crime (RANSOMWARE, CLICK-FRAUD, IDENTITY THEFT). Motive: Profit
2012 - Beyond: Nation States, Activists, Terror Groups (BRAZEN, COMPLEX, PERSISTENT). Motives: IP Theft, Damage, Disruption
THE ANATOMY OF AN ATTACK
Healthy Computer
User Receives Email
User Lured to Malicious Site
Device Infected with Malware
HelpDesk Logs into Device
Identity Stolen, Attacker Has Increased Privs
DEFENDING AGAINST MODERN SECURITY THREATS
SECURED DEVICES
SECURED IDENTITIES
INFORMATION PROTECTION
THREAT RESISTANCE
HARDWARE ROOTED TRUST (Secured devices)
SECURED HARDWARE: SECURE ROOTS OF TRUST
Device integrity
Cryptographic processing
Biometric sensors
Virtualization
Traditional Platform Stack
Apps
Windows Platform Services
Virtualization Based Security (VBS)
[Diagram: Virtualization Based Security (VSM) Environment running Trustlet #1, Trustlet #2 and Trustlet #3 alongside Windows, Apps and Windows Platform Services]
Windows Hello
Microsoft Passport
BitLocker
Enterprise Data Protection
Device Guard
Windows Defender
UEFI Secure Boot
TPM 2.0, Virtualization
THE END OF PASSWORDS, TWO-FACTOR FOR EVERYONE (Secured identities)
WINDOWS 10 IDENTITY GOALS
Mainstream two-factor authentication
Make credentials theft resistant and breach and phish proof
Deliver solution to both consumer and business users
Use credentials on familiar mobile devices for desktop sign-in
USER IDENTITY & AUTHENTICATION: SHARED SECRETS
Easily mishandled or lost (Hint: The user is the problem)
[Diagram: User with an Internet username and password]
THE SITES WE USE ARE A WEAK LINK
[Diagram: User signing in to Social.com, Bank.com, Network.com, LOL.com and Obscure.com; Bad Guy]
THE USER AND DEVICE ARE THE WEAK LINKS
[Diagram: User, Device, three IDPs and a Network Resource; Bad Guy]
PKI SOLUTIONS
Complex, costly, and under attack
[Diagram: Windows 8.1 user, IDP (Active Directory), Network Resource, Bad Guy: THE CA IS UNDER ATTACK]
LIMITED USE OF MFA CREATES WEAK LINKS
[Diagram: User, UN/Password, High-value assets, Most network resources]
ENTERPRISE DEMANDS
Simplify implementation
Reduce costs
MULTIFACTOR WITH EXISTING DEVICES
SIMPLIFYING DEPLOYMENT
MICROSOFT PASSPORT DEVICE-BASED MULTI-FACTOR
UTILIZE FAMILIAR DEVICES
SECURED BY HARDWARE
USER CREDENTIAL: An asymmetrical key pair, provisioned via PKI or created locally via Windows 10
IDP: Active Directory, Azure AD, Microsoft Account
[Diagram: User signs in on Windows 10, authenticates to the IDP, and accesses Intranet Resources]
A NEW APPROACH
PIN: Simplest implementation option; No hardware dependencies; User familiarity
Windows Hello: Higher security; Ease of use; Impossible to forget; Fingerprint, Facial, Iris
ACCESSING CREDENTIALS
[Screenshot: sample design, UI not final]
Attacker needs to both know your PIN and have access to your device
TPM provides anti-hammering support to thwart offline attacks
Hardware bound keys cannot be stolen or replayed
PIN is never stored in the device or sent to server
A world beyond passwords with two factor authentication
PIN or Biometric plus your device (PC or Phone)
Breach, theft, and phish proof identities
Single sign-on on-prem, on the web, across sites
Sign-in to devices using Azure Active Directory
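The device-bound credential these slides describe, as an added Go example that is not part of the original deck or Microsoft's code: the device keeps an Ed25519 key pair, the PIN only unlocks local signing, a failure counter stands in for TPM anti-hammering, and the IDP checks a signed single-use nonce against the registered public key. The Device and IDP types, the Challenge and Verify names and the lockout threshold of 5 are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)

// Device stands in for the TPM-backed key container: the private key never leaves it, the
// PIN only unlocks signing locally, and wrong PINs feed a lockout modelling anti-hammering.
type Device struct {
	priv     ed25519.PrivateKey
	pinHash  [32]byte // stand-in for the PIN authorization value held in the TPM
	failures int      // locks at 5 below; the threshold is hypothetical
}
// NewDevice creates the key pair locally; only the public half is handed to the IDP.
func NewDevice(pin string) (*Device, ed25519.PublicKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Device{priv: priv, pinHash: sha256.Sum256([]byte(pin))}, pub
}
// Sign checks the PIN on the device and signs the IDP's nonce; the PIN itself is never sent.
func (d *Device) Sign(pin string, nonce []byte) ([]byte, bool) {
	if d.failures >= 5 || sha256.Sum256([]byte(pin)) != d.pinHash {
		d.failures++ // once locked, even the correct PIN is refused
		return nil, false
	}
	d.failures = 0
	return ed25519.Sign(d.priv, nonce), true
}
// IDP holds registered public keys (nothing secret to steal) and the single-use nonces it
// issued, so a captured signature cannot be replayed against it.
type IDP struct {
	Keys   map[string]ed25519.PublicKey
	Nonces map[string]bool
}
func (i *IDP) Challenge() []byte { // fresh random nonce for one sign-in attempt
	n := make([]byte, 32)
	rand.Read(n)
	i.Nonces[string(n)] = true
	return n
}
// Verify accepts the sign-in only for a registered key and an unused nonce.
func (i *IDP) Verify(user string, nonce, sig []byte) bool {
	pub, ok := i.Keys[user]
	if !ok || !i.Nonces[string(nonce)] {
		return false
	}
	delete(i.Nonces, string(nonce))
	return ed25519.Verify(pub, nonce, sig)
}
```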
IDENTITY FOR BUSINESS
USER IDENTITY & AUTHENTICATION: DERIVED CREDENTIALS & ACCESS TOKENS
“PASS THE HASH” ATTACKS
Today’s security challenge
Pass the hash attacks have gone from hypothetical to very real threats
Enables an attacker to steal derived user credentials using common hacking tools like Mimikatz
Once obtained, an attacker is often able to steal additional derived user credentials and move laterally across the network
Enables an attacker to persist frequently, even once detected, as they can move from one identity to the next
Pass the Hash (PtH) attacks are the #1 go-to tool for hackers, used in nearly every major breach and APT type of attack
Credential Guard uses VBS to isolate Windows authentication from the Windows operating system
Fundamentally breaks derived credential theft using Mimikatz, etc.
TODAY’S SOLUTION: CREDENTIAL GUARD
Protects LSA Service (LSASS) and derived credentials (Kerberos Ticket; NTLM Hash)
Credential Guard in VBS Environment = Decisive Mitigation
[Diagram: Virtualization Based Security (VBS) Environment running Credential Guard, Trustlet #2 and Trustlet #3, isolated from Windows, Apps and Windows Platform Services]
COMPLEMENTARY SOLUTION: LOCAL ADMINISTRATOR PASSWORD SOLUTION (LAPS)
Provides centralized storage of secrets/passwords in Active Directory (AD) - without additional computers
Each organization’s domain administrators determine which users are authorized to read the passwords
Periodically randomizes local administrator passwords - ensures the password update to AD succeeds before modifying local secrets/passwords
Credential Guard does NOT supersede LAPS – Credential Guard protects domain accounts, NOT local accounts
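The two LAPS rules above (only authorized readers get the password; the AD update must succeed before the local secret changes), as an added Go example that is not LAPS code: Directory, LocalAccount, Rotate and the WriteFails switch are constructed for the example, and a failed directory write leaves the local administrator password untouched.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
)

// Directory stands in for the AD computer object LAPS writes the password to, with a reader
// list modelling the ACL that domain admins grant (constructed for this example, not LAPS).
type Directory struct {
	Stored     string
	Readers    map[string]bool
	WriteFails bool // set to simulate a failed directory update
}

func (d *Directory) Write(pw string) error {
	if d.WriteFails {
		return errors.New("directory write failed")
	}
	d.Stored = pw
	return nil
}

// Read hands out the stored password only to principals the domain admins authorized.
func (d *Directory) Read(principal string) (string, error) {
	if !d.Readers[principal] {
		return "", errors.New("not authorized to read the password")
	}
	return d.Stored, nil
}

type LocalAccount struct{ Password string } // the machine's local administrator account

// Rotate follows the LAPS ordering: the new random password is written to the directory
// first and the local account changes only after that write succeeded, so AD never holds a
// password that does not work on the machine, and a failed write leaves the old one intact.
func Rotate(dir *Directory, acct *LocalAccount, nBytes int) error {
	b := make([]byte, nBytes)
	if _, err := rand.Read(b); err != nil {
		return err
	}
	pw := hex.EncodeToString(b) // a real deployment would use a richer character set
	if err := dir.Write(pw); err != nil {
		return err // local secret untouched; the previous working password stays in AD
	}
	acct.Password = pw
	return nil
}
```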
Cloud Services
Identity as the core of enterprise mobility
Identity and access management (Microsoft Azure Active Directory Premium): Easily manage identities across on-premises and cloud. Single sign-on and self-service for corporate resources.
Device and app management (Microsoft Intune, System Center Configuration Manager): Leverage PC management, MDM, and MAM to protect corporate apps and data on almost any device.
Information protection (Microsoft Azure Rights Management Premium): Encryption, identity, and authorization to secure corporate files and email across phones, tablets, and PCs.
Behavior-based threat analytics (Advanced Threat Analytics): Identify suspicious activities and advanced threats in near real time with simple, actionable reporting.
Microsoft Azure Active Directory: Single sign-on, Self-service, Simple connection
On-premises: Windows Server Active Directory, Other directories
Cloud: SaaS, Azure, Public cloud
1 trillion Azure AD authentications since the release of the service
>35k third-party applications used with Azure AD each month
>1.3 billion authentications every day on Azure AD
More than 550 M user accounts on Azure AD
>7 M Azure AD Directories
86% of Fortune 500 companies use Microsoft Cloud (Azure, O365, CRM Online, and PowerBI)
Every Office 365 and Microsoft Azure customer uses Azure Active Directory
Microsoft’s “Identity Management as a Service (IDaaS)” for organizations.
Millions of independent identity systems controlled by enterprise and government “tenants.”
Information is owned and used by the controlling organization—not by Microsoft.
Born-as-a-cloud directory for Office 365. Extended to manage across many clouds.
Evolved to manage an organization’s relationships with its customers/citizens and partners (B2C and B2B).
1000s of apps, 1 identity
Making the lives of users (and IT) easier
Managing identities
Collaborating with partners
Enabling anytime/anywhere productivity
Identity-driven security
Connecting with consumers
Your domain controller as a service
Azure Active Directory Connect and Connect Health (* MIM)
Connect and sync on-premises directories with Azure: HR apps and other directories (PowerShell, SQL (ODBC), LDAP v3, Web Services (SOAP, JAVA, REST)), Cloud HR
Easily publish on-premises web apps via Application Proxy (Azure Active Directory Application Proxy) + Custom apps through a rich standards-based platform
SaaS apps: 2500+ popular SaaS apps
[Diagram: Microsoft Azure Active Directory connecting on-premises directories, HR and other directories, web apps, integrated custom apps and SaaS apps]
Conditions: User / User group, Location (IP range), Device state
Actions: Allow access or Block access; Enforce MFA per user/per app
NOTIFICATIONS, ANALYSIS, REMEDIATION, RISK-BASED POLICIES
CLOUD APP DISCOVERY, PRIVILEGED IDENTITY MANAGEMENT, MFA, IDENTITY PROTECTION
Azure Active Directory Identity Protection (Risk)
Consolidated view to examine suspicious user activities and configuration vulnerabilities
Remediation recommendations
Risk severity calculation
Risk-based policies for protection for future threats
Brute force attacks; Leaked credentials; Infected devices; Suspicious sign-in activities; Configuration vulnerabilities
Risk-Based policies
MONITOR AND PROTECT
Discover, restrict, and monitor privileged identities and their access to resources
Enforce on-demand, just-in-time administrative access when needed
Security Wizard, Alerts, Security reviews
MONITOR AND PROTECT
Detect threats fast with behavioral analytics: No need to create rules or policies, deploy agents, or monitor a flood of security reports. The intelligence needed is ready to analyze and is continuously learning.
Adapt as fast as your enemies: ATA continuously learns from the organizational entity behavior (users, devices, and resources) and adjusts itself to reflect the changes in your rapidly evolving enterprise.
Focus on what is important fast using the simple attack timeline: The attack timeline is a clear, efficient, and convenient feed that surfaces the right things on a timeline, giving you the power of perspective on the “who, what, when, and how” of your enterprise. It also provides recommendations for next steps.
Reduce the fatigue of false positives: Alerts only happen once suspicious activities are contextually aggregated; not only comparing the entity’s behavior to its own behavior, but also to the profiles of other entities in its interaction path.
IDENTITY-DRIVEN SECURITY: Advanced Threat Analytics (ATA)
[Diagram: ATA fed by Active Directory, devices and servers, and SIEM]
Behavioral analytics: Profile normal entity behavior (normal versus abnormal)
Forensics for known attacks and issues: Search for known security attacks and issues
Detect suspicious user activities, known attacks, and issues
Enterprise Mobility + Security
IDENTITY-DRIVEN SECURITY
MICROSOFT INTUNE: Protect your users, devices, and apps
AZURE RIGHTS MANAGEMENT & SECURE ISLANDS: Protect your data, everywhere
ADVANCED THREAT ANALYTICS: Detect problems early with visibility and threat analytics
AZURE ACTIVE DIRECTORY IDENTITY PROTECTION: Protect application access from identity attacks
MICROSOFT CLOUD APP SECURITY: Extend enterprise-grade security to your cloud and SaaS apps
http://aka.ms/LAPS
http://aka.ms/CyberPAW
http://aka.ms/HardenAD
http://aka.ms/ata
http://aka.ms/JEA
http://aka.ms/PAM
http://aka.ms/AzurePIM
http://aka.ms/privsec
http://aka.ms/Passport
http://aka.ms/ESAE
http://aka.ms/shieldedvms
SECURED DEVICES: HARDWARE ROOTED TRUST
SECURED IDENTITIES: TWO-FACTOR FOR EVERYONE
INFORMATION PROTECTION: DATA LOSS PREVENTION
THREAT RESISTANCE: ACTIVE THREAT PROTECTION