Brian Reid – Improving User and Application Security

IMPROVING USER AND APPLICATION SECURITY Brian Reid - NBConsult

Transcript of Brian Reid – Improving User and Application Security

Page 1: Brian Reid – Improving User and Application Security


Page 2:

“There are two kinds of big companies, those who’ve been hacked, and those who don’t know they’ve been hacked.”
James Comey, Director, FBI

Page 3:

Wall Street Journal, JP Morgan, White House, Yahoo, RSA, Microsoft, Google, Apple, Facebook, Sony, Target, Heartland, eBay, TalkTalk, ICANN, Home Depot, VTech, Carphone Warehouse, UPS, Dropbox, LinkedIn, Republican Party

Organizations with enormous security budgets and elite security analysts are struggling to address these modern threats.

Page 4:

THE EVOLUTION OF ATTACKS

(Chart: attacks plotted by Targeting, Sophistication, and Volume and Impact, growing over time)

2003-2004: Script Kiddies (BLASTER, SLAMMER). Motive: Mischief

Page 5:

THE EVOLUTION OF ATTACKS (continued)

2005-PRESENT: Organized Crime (RANSOMWARE, CLICK-FRAUD, IDENTITY THEFT). Motive: Profit

Page 6:

THE EVOLUTION OF ATTACKS (continued)

2012 - Beyond: Nation States, Activists, Terror Groups (BRAZEN, COMPLEX, PERSISTENT). Motives: IP Theft, Damage, Disruption

Page 7:

THE ANATOMY OF AN ATTACK

Healthy computer/user → User receives email → User lured to malicious site → Device infected with malware

Page 8:

THE ANATOMY OF AN ATTACK (continued)

… Device infected with malware → HelpDesk logs into the device → Identity stolen, attacker has increased privileges

The privileged helpdesk credential is captured on the already-compromised machine, so the attacker moves from one infected desktop to an account that can reach many others.

Page 9:

Page 10:
Page 11:

What Can We Do?

Page 12:

Do We Do The Following?
• Password Policies
• Two Factor Authentication
• Proper Identity Management
• Spoof and Phishing Protection
• End User Security Training
• Email Zero Minute Protection
• Data Encryption
• Manage Cloud Security
• Post Breach Detection
• Patch, Patch, And Patch Again
• Modern Hardware
• Device Management
• Application Management
• Conditional Access
• Windows Server 2016 AD FS
• Privileged Identity Management

Page 13:

123456, password, cowboy, football, qwerty, jordon, harley, pa55w0rd, 12345, baseball, 12345678, dragon, 1234, thunder, monkey, letmein, abc123, tigger, 11111111, shadow, batman, trustno1, 69696969, mustang, ranger, test, thomas, michael, tigger, soccer, thunder, cowboy

How To Secure Your Password
• Never change it – but make it secure and easy to remember
• Forcing change is an inconvenience to users, causes helpdesk reset calls, and all it does is make users choose one similar to the last one (or write it down)
• Implement monitoring instead – force a change based on risk
• Change it via Azure AD – Microsoft blocks passwords that are considered weak and already known (banned password lists)
• Use a trusted device or 2FA
• But this can inconvenience users – do you have 2FA on your internet accounts?
• Even better is risk-based two-factor authentication (2FA)
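The banned-password check described above, as an added example that is not part of the deck and not Microsoft's implementation: the word list is built from the common passwords quoted on the slide, and the substitution table and the five-point threshold are assumptions for the illustration. The point it makes is that a banned word is matched after normalisation, so dressing "password" up as "Pa55w0rd!" does not help.

```python
"""Banned-password screening in the spirit of Azure AD password protection.
Added illustration, not Microsoft's implementation; the substitution table,
the five-point threshold and the word list are assumptions for the example."""

# Word list constructed from the common passwords quoted on the slide.
RAW_BANNED = [
    "123456", "password", "cowboy", "football", "qwerty", "jordon", "harley",
    "pa55w0rd", "12345", "baseball", "12345678", "dragon", "1234", "thunder",
    "monkey", "letmein", "abc123", "tigger", "11111111", "shadow", "batman",
    "trustno1", "69696969", "mustang", "ranger", "test", "thomas", "michael",
    "soccer",
]
# Substitutions users apply to dress up a banned word (assumed table).
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                               "5": "s", "7": "t", "@": "a", "$": "s"})
MIN_POINTS = 5
MARK = "\x00"   # placeholder for a matched word; never appears in a password


def normalise(text: str) -> str:
    """Lower-case and undo leet-style substitutions: 'Pa55w0rd' -> 'password'."""
    return text.lower().translate(SUBSTITUTIONS)


# Keep both spellings of each banned word so '123456' still matches after '1' -> 'l'.
BANNED = {w.lower() for w in RAW_BANNED} | {normalise(w) for w in RAW_BANNED}


def _score_form(text: str):
    """One point per banned word found (longest first, substring match, as a
    banned-word scorer does), one point per leftover character."""
    points, matched = 0, []
    for word in sorted(BANNED, key=len, reverse=True):
        hits = text.count(word)
        if hits:
            matched.append(word)
            points += hits
            text = text.replace(word, MARK)   # a matched word collapses to one point
    points += len(text.replace(MARK, ""))
    return points, matched


def score(password: str):
    """Score the raw and the normalised spelling and keep the weaker result."""
    results = [_score_form(password.lower()), _score_form(normalise(password))]
    return min(results, key=lambda r: r[0])


def is_acceptable(password: str, min_points: int = MIN_POINTS) -> bool:
    """A password needs at least min_points after banned words are collapsed."""
    return score(password)[0] >= min_points
```

Scoring rather than a plain hit test is what lets a long passphrase that happens to contain a banned word through while still rejecting "Dragon1", which collapses to two points.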

Page 14:

© xkcd http://xkcd.com/936/

Page 15:

SELF-SERVICE PASSWORD RESET
Identity driven password reset or unlock
• Part of Azure Active Directory Premium
• User registers a device, an alternative email address and answers some questions
• On change, lockout or risk-based issues the user can easily reset their password, having proved that the person issuing the change is the user

Page 16:
Page 17:

TWO FACTOR AUTHENTICATION
• Lots of options from vendors
• Built into Office 365 for free
• Azure Multi-Factor Authentication (cloud service)
• Azure Multi-Factor Authentication Server (on-premises)
• Windows Hello and Passport for Work
Page 18:

AZURE MULTI FACTOR AUTHENTICATION
• Available for free in Office 365, but limited PowerShell support
• Available as part of Enterprise Mobility + Security (EMS suite) or stand-alone purchase
• Can use on-premises (RADIUS, IIS, AD integration etc.) by running the MFA Server installer
• Can customise telephone number, voice greetings, and cache times
• Can integrate it with AD FS – need MFA Server on-premises if AD FS is pre-2016
• Supports one- and two-way 2FA with phone, text, app and devices
• SDK for adding MFA to your applications

Page 19:

RISK DRIVEN IDENTITY PROTECTION
Part of Azure Active Directory Premium P2
Includes:
• Reports on risk and risk events
• MFA registration policy
• User risk policy
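Impossible travel is one of the risk events such a service reports, and it is the kind of signal page 13 means by "change forced based on risk". The following is an added example of that detection run over constructed sign-in events and fed into a simple user risk policy; it is not Microsoft's detector. The coordinates are assumed to have already been resolved from the sign-in IP addresses, and the 900 km/h threshold is an assumption.

```python
"""Impossible-travel detection over constructed sign-in events, feeding a
user risk policy. Added example, not Azure AD Identity Protection's logic;
coordinates (assumed already resolved from IP) and the 900 km/h threshold
are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class SignIn:
    user: str
    when: datetime
    city: str
    lat: float
    lon: float


def _utc(y, m, d, hh, mm):
    return datetime(y, m, d, hh, mm, tzinfo=timezone.utc)


# Constructed sample: alice appears in London and then Sydney two hours later;
# bob drives from London to Manchester over three hours.
SAMPLE_SIGNINS = [
    SignIn("alice", _utc(2016, 11, 1, 9, 0), "London", 51.5074, -0.1278),
    SignIn("alice", _utc(2016, 11, 1, 11, 0), "Sydney", -33.8688, 151.2093),
    SignIn("bob", _utc(2016, 11, 1, 9, 0), "London", 51.5074, -0.1278),
    SignIn("bob", _utc(2016, 11, 1, 12, 0), "Manchester", 53.4808, -2.2426),
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    h = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def impossible_travel(events, max_kmh=900.0):
    """Return (earlier, later, implied_kmh) for consecutive sign-ins by the same
    user that would require travelling faster than max_kmh."""
    findings = []
    by_user = {}
    for e in sorted(events, key=lambda e: (e.user, e.when)):
        by_user.setdefault(e.user, []).append(e)
    for evs in by_user.values():
        for a, b in zip(evs, evs[1:]):
            km = haversine_km(a.lat, a.lon, b.lat, b.lon)
            hours = (b.when - a.when).total_seconds() / 3600
            if hours > 0:
                speed = km / hours
            else:   # same timestamp: any distance at all is impossible
                speed = float("inf") if km > 0 else 0.0
            if speed > max_kmh:
                findings.append((a, b, speed))
    return findings


def user_risk_policy(user, findings):
    """Map one user's risk events to an action. An impossible-travel event means a
    likely stolen credential, so the policy forces a password change behind MFA
    now rather than waiting for a scheduled rotation."""
    hits = [f for f in findings if f[0].user == user]
    if hits:
        return "high", "require_mfa_then_password_change"
    return "low", "allow"
```

In practice the detector also has to tolerate VPN exits and mobile carrier gateways, which is why a real service scores a second signal (unfamiliar device, anonymous IP) before raising user risk to high.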

Page 20:

SPF, DKIM AND DMARC
• Do you know where emails from your domain are coming from? DMARC aggregate reports will tell you
• DMARC also tells receivers what to do with emails that fail authentication (none, quarantine or reject)
• SPF tells receivers which hosts you allow to send email for your domain; receivers check it against the envelope MAIL FROM domain
• DKIM adds a signature header, computed over the body and selected headers with the signing domain's private key, so receivers can verify which domain signed the message and that it was not altered in transit
• DMARC passes when SPF or DKIM passes with a domain aligned to the visible From: address; otherwise the published policy applies
• Ever “phished” your users intentionally?
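How a receiver turns those three records into a decision, as an added example that is not part of the deck: an SPF evaluator for the ip4/ip6 mechanisms of a record, and a DMARC evaluator that applies identifier alignment and the published policy. Mechanisms that need DNS (include:, a, mx) are out of scope offline, and the two-label "organisational domain" rule is an approximation of the Public Suffix List; the records and domains are constructed for the example.

```python
"""SPF evaluation for a connecting IP and DMARC alignment/disposition.
Added illustration, not part of the original deck. DNS-dependent mechanisms
(include, a, mx) are skipped, and organisational_domain() is a two-label
approximation of the Public Suffix List."""
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_tags(record: str) -> dict:
    """Parse a DKIM/DMARC-style 'k=v; k=v' TXT record into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_check_ip(record: str, client_ip: str) -> str:
    """Evaluate the ip4/ip6 mechanisms and the trailing 'all' for the sending IP.
    A real evaluator resolves include/a/mx before reaching 'all'."""
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    for term in terms[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech = term.lstrip("+-~?").lower()
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech.startswith(("ip4:", "ip6:")):
            network = ipaddress.ip_network(mech.split(":", 1)[1], strict=False)
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
    return "neutral"   # no 'all' term: RFC 7208 default result


def organisational_domain(domain: str) -> str:
    """Two-label approximation (assumption); production code uses the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: strict ('s') needs an exact match, relaxed
    ('r') accepts the same organisational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return organisational_domain(auth_domain) == organisational_domain(from_domain)


def evaluate_dmarc(dmarc_record, from_domain, spf_result, spf_domain, dkim_results):
    """Return (disposition, reason). spf_domain is the MAIL FROM domain SPF was
    checked against; dkim_results is a list of (d= domain, result) pairs."""
    tags = parse_tags(dmarc_record)
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    aspf, adkim = tags.get("aspf", "r"), tags.get("adkim", "r")
    if spf_result == "pass" and aligned(spf_domain, from_domain, aspf):
        return "pass", "aligned SPF pass"
    for d, result in dkim_results:
        if result == "pass" and aligned(d, from_domain, adkim):
            return "pass", "aligned DKIM pass for %s" % d
    policy = tags.get("p", "none")
    if organisational_domain(from_domain) != from_domain.lower() and "sp" in tags:
        policy = tags["sp"]   # subdomain policy applies to From: subdomains
    return policy, "no aligned pass; applying policy %s" % policy
```

Alignment is the part people miss: a message can carry a perfectly valid DKIM signature from the attacker's own domain and a passing SPF for the attacker's MAIL FROM and still fail DMARC, because neither identifier matches the From: domain the user sees.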

Page 21:

HOW MALWARE ATTACKS CHANGE OVER TIME
The attack morphs over time to evade detection

Page 22:

ADVANCED THREAT PROTECTION

(Diagram of the mail flow from Sender to Recipient:)
• Sender → Multiple filters + 3 antivirus engines with Exchange Online Protection
• Safe → delivered to Recipient
• Unsafe attachment → Detonation chamber (sandbox): Executable? Registry call? Elevation? …
• Links → Safe Links rewrite → Recipient

ATP is part of the Office 365 E5 licence suite or a stand-alone purchase

Page 23:

ADVANCED THREAT PROTECTION

Accelerate Productivity: Dynamic Email Delivery and Linked Content Detonation keep productivity high by delivering the message body immediately, with a placeholder standing in for the attachment until detonation completes, instead of holding mail until scanning finishes.

Built-in protection: Natively built into Exchange Online Protection to allow deployment in seconds. Manage policies for Safe Attachments and Safe Links from a single cloud console for faster remediation of issues that are detected.

Protection everywhere: Safe Attachments and Safe Links are expanding their protection beyond email to other Office 365 workloads and Office clients, for example links inside documents opened in Word, or Safe Attachments in SharePoint libraries.

Page 24:

DATA ENCRYPTION
• Protect data with encryption that stays with the data regardless of where the data is
• On-premises or cloud-based service provided out of Azure Information Protection (was Azure Rights Management Service)
• Now with automatic classification and labelling – protecting what needs protecting, then monitoring it and responding if the data is being abused

Page 25:

AZURE INFORMATION PROTECTION

Page 26:

MONITORING UNAUTHORISED CLOUD APP USAGE
• Upload your firewall and proxy reports to Cloud App Security
• No agents to install
• See what “back door” (shadow) IT service provision is in use in your organization
• Activity maps – who is using what from where
• File and sharing reports in real time
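What a discovery tool does with those uploaded proxy logs, as an added example that is not Cloud App Security's parser or catalogue: the log lines are constructed, their column layout is an assumption, and the four-entry catalogue stands in for a real one with thousands of apps. The useful output is not the hit list but the aggregation: which unsanctioned apps, used by whom, and how much data has left through them.

```python
"""Shadow-IT discovery from proxy logs: constructed log lines, an assumed app
catalogue keyed by domain suffix, and a report of unsanctioned app use.
Added example, not Cloud App Security's parser or catalogue."""
from collections import defaultdict

# Constructed proxy log (assumed format: time user src_ip host bytes_out bytes_in).
PROXY_LOG = """\
2016-11-01T09:01:12Z alice 10.1.2.3 dl.dropboxusercontent.com 15728640 2048
2016-11-01T09:03:44Z bob 10.1.2.7 www.dropbox.com 52428800 4096
2016-11-01T09:05:01Z carol 10.1.2.9 outlook.office365.com 4096 819200
2016-11-01T09:06:30Z alice 10.1.2.3 wetransfer.com 209715200 1024
2016-11-01T09:08:15Z dave 10.1.2.11 www.bbc.co.uk 512 65536
"""

# Assumed catalogue: domain suffix -> (app name, sanction status).
APP_CATALOGUE = {
    "dropbox.com": ("Dropbox", "unsanctioned"),
    "dropboxusercontent.com": ("Dropbox", "unsanctioned"),
    "wetransfer.com": ("WeTransfer", "unsanctioned"),
    "office365.com": ("Office 365", "sanctioned"),
}


def classify_host(host: str):
    """Match the longest catalogue suffix of the host; unknown hosts return None."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in APP_CATALOGUE:
            return APP_CATALOGUE[candidate]
    return None


def discover_apps(log_text: str = PROXY_LOG) -> dict:
    """Aggregate per app: sanction status, distinct users and bytes uploaded."""
    report = defaultdict(lambda: {"status": "", "users": set(), "bytes_out": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _time, user, _src, host, bytes_out, _bytes_in = line.split()
        match = classify_host(host)
        if match is None:
            continue            # not a known cloud app (or not in the catalogue)
        app, status = match
        entry = report[app]
        entry["status"] = status
        entry["users"].add(user)
        entry["bytes_out"] += int(bytes_out)
    return dict(report)


def unsanctioned_uploads(log_text: str = PROXY_LOG, min_bytes: int = 1_000_000):
    """Unsanctioned apps that received more than min_bytes, largest upload first,
    as (app, bytes_out, sorted users)."""
    rows = [(app, e["bytes_out"], sorted(e["users"]))
            for app, e in discover_apps(log_text).items()
            if e["status"] == "unsanctioned" and e["bytes_out"] > min_bytes]
    return sorted(rows, key=lambda r: r[1], reverse=True)
```

Upload volume per app is the column to sort on: a sanctioned mail service receiving 4 KB is noise, while 200 MB leaving for a file-transfer site nobody approved is the finding.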

Page 27:

WINDOWS DEFENDER ADVANCED THREAT PROTECTION
• Detect advanced attacks and remediate breaches
• Built into Windows 10
• Behaviour based, cloud-powered breach detection
• Rich timeline for investigation
• Can integrate with Advanced Threat Protection in Office 365 and Advanced Threat Analytics on-premises
• Part of the Windows Enterprise E5 licence
• Included in the Enterprise Mobility + Security E5 licence

Page 28:

DEMO

Page 29:

DEMO

Page 30:
Page 31:

WDATP – LET'S TAKE A LOOK

Page 32:

What’s the latest with patching?

Page 33:

DEVICE GUARD
Hardware Rooted App Control
• The Windows desktop can be locked down to only run trusted apps, just like many mobile OSs (e.g.: Windows Phone)
• Resistant to tampering by an administrator or malware, because the code integrity policy is enforced from the virtualization-based security environment rather than by the normal kernel
• Requires Windows 8 certified or greater hardware
• Untrusted apps and executables, such as malware, are unable to run

Page 34:

CREDENTIAL GUARD IN WINDOWS 10

(Diagram: Hardware → Hypervisor → two environments side by side. Normal side: Windows Kernel, with Apps and Windows Platform Services above it. Isolated side: Virtualization Based Isolated User Mode hosting Credential Guard, Device Guard (kernel code integrity) and further trustlets (Trustlet #3). Secrets held on the isolated side are not reachable from the normal Windows kernel, even by code running with administrator or kernel privileges.)

Page 35:

UNKNOWN PC HEALTH
Today health is assumed

(Diagram: 1. Device: “Access please” → important resources (OneDrive, file servers, email, wireless). 2. “You’re in” – access is granted with no check of the device’s integrity.)

Page 36:

CONDITIONAL ACCESS
Blocking unhealthy devices to protect resources and prevent proliferation
• Windows Device Health Attestation (WDHA) service provides validation of device integrity data
• Management systems (e.g.: Intune) can leverage WDHA attested integrity data to facilitate conditional access to resources
• Management may couple WDHA attested integrity data with additional health state data (e.g.: patch status) to provide a more comprehensive view of device health
• The integrity data from the WDHA service is available for use by 3rd party network access, security, and management solutions

Page 37:

WINDOWS DEVICE HEALTH ATTESTATION ENABLES:
MDMs to gate access based on device integrity and health

(Diagram of the exchange:)
1. Device → important resources (OneDrive, file servers, email, wireless): “Access please”
2. Windows Cloud Service and Intune → Device: “Prove to me you are healthy”
3. Device → Windows Cloud Service: Request, carrying its device integrity health state
4. Windows Cloud Service → Device: Approved (the attested integrity data)
5. Device → Intune: “Here is my proof”; Intune combines it with client policies (AV, firewall, patch state) to decide

Page 38:

WINDOWS SERVER 2016 AD FS
Three new ways to access resources without a password:

1. Sign in with Azure Multi-Factor Authentication [new]
• Enter username and a one time code from an authenticator app
• Or enter username and password and then follow that up with MFA (known as secondary authentication)
• MFA authentication is built into Windows Server 2016 – no MFA Server required
• MFA can be added as part of access control policy rules or configured for intranet or extranet

Page 39:

WINDOWS SERVER 2016 AD FS
Three new ways to access resources without a password:

2. Sign in from compliant devices
• Enable access only from devices that are managed and/or compliant
• Enable extranet access only from devices that are managed and/or compliant
• Require multi-factor authentication for computers that are not managed or not compliant
• Managed/compliant means meets Intune policies
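The attestation exchange of pages 36 and 37 and the access rule on this page, walked through as one runnable model. This is an added illustration, not Microsoft's protocol, the Device Health Attestation service's format or Intune's policy engine: the HMAC key stands in for the attestation service's signing key, the measurement and compliance field names are assumed, and the freshness window is an assumption. The point it isolates is that the MDM trusts nothing the device typed itself; only fields under a valid signature bound to the MDM's own nonce count.

```python
"""Device health attestation exchange plus the conditional access rule.
Added illustration, not Microsoft's protocol or policy engine: the HMAC key
stands in for the attestation service's signing key; field names and the
freshness window are assumptions."""
import hashlib
import hmac
import json
import os

# Assumed: only the attestation service holds this key; the MDM verifies with it.
HEALTH_SERVICE_KEY = b"assumed-health-attestation-service-key"
MAX_PROOF_AGE = 300  # seconds; assumed freshness window


def mdm_challenge() -> bytes:
    """Step 2: 'prove to me you are healthy' carries a fresh nonce so that an
    old health statement cannot be replayed."""
    return os.urandom(16)


def health_service_attest(boot_measurements: dict, nonce: bytes, now: int) -> dict:
    """Steps 3/4: the service checks the boot-time measurements (TPM-backed in
    reality) and returns a health statement signed over the nonce and time."""
    statement = {
        "nonce": nonce.hex(),
        "issued_at": now,
        "secure_boot": bool(boot_measurements.get("secure_boot")),
        "code_integrity": bool(boot_measurements.get("code_integrity")),
        "bitlocker": bool(boot_measurements.get("bitlocker")),
    }
    payload = json.dumps(statement, sort_keys=True).encode()
    signature = hmac.new(HEALTH_SERVICE_KEY, payload, hashlib.sha256).hexdigest()
    return {"statement": statement, "signature": signature}


def mdm_decide(proof: dict, nonce: bytes, now: int, managed: bool, compliance: dict) -> str:
    """Step 5 plus policy. Signature first, then nonce and age, then integrity,
    then the management/compliance rule from the AD FS slide."""
    payload = json.dumps(proof["statement"], sort_keys=True).encode()
    expected = hmac.new(HEALTH_SERVICE_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, proof["signature"]):
        return "deny: health statement not signed by the attestation service"
    st = proof["statement"]
    if st["nonce"] != nonce.hex() or now - st["issued_at"] > MAX_PROOF_AGE:
        return "deny: stale or replayed health statement"
    if not (st["secure_boot"] and st["code_integrity"]):
        return "deny: device integrity failed attestation"
    if not managed or not all(compliance.get(k) for k in ("antivirus", "firewall", "patched")):
        return "require_mfa"   # unmanaged or non-compliant => MFA, per the AD FS rule
    return "allow"


def run_exchange(boot_measurements, managed, compliance, tamper=False, now=1_478_000_000):
    """Walk the whole flow once. `tamper` edits the statement after signing,
    which a device that controls its own disk could attempt."""
    nonce = mdm_challenge()                                          # steps 1-2
    proof = health_service_attest(boot_measurements, nonce, now)     # steps 3-4
    if tamper:
        proof["statement"]["secure_boot"] = True
        proof["statement"]["code_integrity"] = True
    return mdm_decide(proof, nonce, now, managed, compliance)        # step 5
```

Note the ordering in mdm_decide: compliance data such as patch state comes from the management agent and is treated as softer evidence (it costs MFA, not a block), whereas a failed or forged integrity attestation blocks outright, because nothing the agent reports can be trusted on a machine whose boot chain is not.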

Page 40:

WINDOWS SERVER 2016 AD FS
Three new ways to access resources without a password:

3. Microsoft Passport
• Windows 10 devices introduce Windows Hello and Microsoft Passport for Work
• Passwords are replaced with strong device-bound user credentials protected by a user's gesture (a PIN, a biometric gesture like a fingerprint, or facial recognition)

Page 41:

PRIVILEGED IDENTITY MANAGEMENT
• How many Global Admins do you have?
• How many Domain Admins do you have?
• How many other privileged identities are there on your network?
• Could you limit them by time and place?

Page 42:

Going to Consider the Following?
• Password Policies
• Two Factor Authentication
• Proper Identity Management
• Spoof and Phishing Protection
• End User Security Training
• Email Zero Minute Protection
• Data Encryption
• Manage Cloud Security
• Post Breach Detection
• Patch, Patch, And Patch Again
• Modern Hardware
• Device Management
• Application Management
• Conditional Access
• Windows Server 2016 AD FS
• Privileged Identity Management