Securing the Digital Transformation - Concurrency
Overview
Digital Transformation Realized™
Largest Data Breaches
[Chart: hacks resulting in loss of more than 30,000 records, 2013 to latest (2015), shown as a bubble chart of organizations including JP Morgan Chase, Target, Anthem, Home Depot, Adobe, Sony Pictures, AshleyMadison.com, Premera and the US Office of Personnel Management. Source: Informationisbeautiful.net]
Economic Impact from Cybercrime
Target: $162m
JPMorgan: $1 billion
Sony: $171m
Risk Mitigation and Digital Transformation
1. The Digital Transformation is driving change in the way IT is leveraged throughout the business
2. The way IT is secured and risks mitigated within the business will also rapidly evolve as threats enter new vectors
3. The technologies for mitigating risks are a combination of longstanding best practices and modern capabilities
4. The defense against the modern (and existing) threats of the Digital Transformation starts now
The Digital Transformation is driving change in the way IT is leveraged throughout the business
Companies are Becoming More Digital
Customers: Enabling the customer experience with technology
Partners: Enabling partner interactions through technology
Employees: Driving efficiency in internal operations
Transformative vs. Non-Transformative
Digital Transformation
Modern Applications: IoT, Mixed Reality, Collaboration, ECM, BPM
Secure Modern IT Management: DevOps and IT Service, Business Process Transformation, Governance
Customer Engagement: CRM, Extranets, B2B solutions
Cloud Data Center: Identity & Device Management, Cloud Integration & Management, Unified Communications
Analytics & Data: BI, SQL, Predictive Analytics, Big Data
Secure Mobile
The way IT is secured and risks mitigated within the business will rapidly evolve as threats enter new vectors
Top New Threats with Financial Impact
Customer User Database Compromise
IoT Device Compromise
Internal Identity Compromise
Confidential Data Compromise
Predictive Analytics Compromise
Source Code Compromise
Social Engineering Theft
Physical Access paired with Theft
Modern Security Layers to Mitigate Risk
Network, Operating System, Identity, Application, Information, Communications, Management, Physical
NIST Security Framework
Identify, Protect, Detect, Respond, Recover, applied around the Digital Transformation
Risk Mitigation Combining Layers and NIST
Identify: Cloud threat identification
Protect: Cloud consistent protection patterns
Detect: Big data detection patterns
Respond: Automated response mechanisms
Recover: Declarative configuration
Applied across the layers: Network, Operating System, Identity, Application, Information, Communications, Management, Physical
Modern Security Layers and NIST: Network
The extent to which traffic can reach the intended destination based on its qualities, being from a known source, appropriate port, and of certain characteristics.
Millions of hacked agents
Network boundary is everywhere
Applications are customer facing
Modern Security Layers and NIST: Operating System
The extent to which the operating system is protected from attack based on its inherent flaws, as well as the extent to which it provides for modern protections from modern invasive approaches.
Out-of-Date Operating Systems
Your clients are your network boundary
IoT clients, mobile, and devices exposed
Modern Security Layers and NIST: Identity
The extent to which authentication to an application plays a more important role in security in the modern age, as well as what access the authenticated person has based on role-based access control.
Weak passwords everywhere
Applications not properly identity secured
Brute force techniques increasing in capability
Modern Security Layers and NIST: Application
The security of the actual application itself, as it was tested and written using patterns and practices which mitigate known threats and attack vectors.
Applications using APIs and features with known flaws
Interaction between application components
Boundary security flaws on endpoint
Modern Security Layers and NIST: Information
The extent to which documents and data are protected regardless of location and are controlled based on their qualities.
Confidential information is widely accessible
Secure content is used to gain other content
Users who “should” have access change
Modern Security Layers and NIST: Management
The extent to which management tools have evolved to address modern threats which require analysis and response exceeding manual effort. These scenarios look more like “big data” and machine learning scenarios than the manual reviews and responses that traditional security practices employed.
Breadth of threats exceeds human capabilities
Response needs are immediate
Employees not properly trained
Modern Security Layers and NIST: Communications
The extent to which application communications (or even personal communications) are protected and private based on identity and application qualities.
No assurance that the network is secured
Modern devices are connected to the internet
Pass-the-Hash, Password Extraction
The technologies for mitigating risks are a combination of longstanding best practices and modern capabilities
NIST CSF to Category / Microsoft technology map
Mapping in Technology Solutions: Protect (PR)
Data Security (PR.DS): Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information.
PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition
PR.DS-4: Adequate capacity to ensure availability is maintained
    Cloud Datacenter: Operations Management Suite & System Center; Modern IT Management
PR.DS-5: Protections against data leaks are implemented
    Customer Enablement: Enterprise Mobility Suite; Cloud Datacenter: Operations Management Suite & System Center; Modern IT Management: Azure Resource Management Standards; Office365
PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity
    Customer Enablement: Enterprise Mobility Suite; Modern IT Management: Operations Management Suite & System Center
PR.DS-7: The development and testing environment(s) are separate from the production environment
    Cloud Datacenter: Azure Resource Management Standards; Modern IT Management: Visual Studio Team Services
PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained
    Modern IT Management: Operations Management Suite & System Center, ServiceNow
PR.IP-2: A System Development Life Cycle to manage systems is implemented
    Modern IT Management: Visual Studio Team Services, Operations Management Suite & System Center, ServiceNow
Tool Categories and Mapping
ServiceNow: Modern Service Management Platform
Operations Management Suite: Modern Operational and Automation Platform
Visual Studio Team Services: Modern Development Platform
Azure Machine Learning: Predictive Analytics
Tool Categories and Mapping
Products: Enterprise Mobility + Security Suite, Office365, Dynamics 365, Azure Platform as a Service, Azure Cloud Platform, Windows Server, Azure Stack, Windows 10, Microsoft IoT Platform
Categories: Client Management Platform, Collaboration and Business Process Platform, Cloud Platform, End User Computing Platform
Anatomy of Attacks and Defense
[Diagram: ServiceNow, Dynamics, Power BI, System Center, SCCM, MIM, ATA, Azure Stack, VMware, Network, EMS, OMS, VSTS (Visual Studio Team Services), Azure ML and IoT Suite, connected by flows of log data, log data/IDS, inventory, automation and ARM + DSC code]
Demo
The defense against the modern threats of the Digital Transformation starts now
Steps to Starting Out
First: Admit that you can do better
Second: Know that you can always do better
Then: Make a plan for addressing the security threats that are most relevant based on risk and financial impact
Who Do You Want to Be?
Disorganized, Hidden, Unprepared
Organized, Transparent, Prepared
Get Specific with Assessments
Discover: ID, System, Owner, Business Process, Hardware Product, Software Product, Configuration
Assess: Threat, Vulnerability, Controls, Impact (Low-Med-High), Complexity (Low-Med-High), Risk (Low-Med-High), Priority
ID    | System                   | Owner         | Threat               | Vulnerability        | Controls     | Impact | Complexity | Risk | Priority
00001 | Workstations and Servers | Denise Smith  | Privilege Escalation | Local Administrators | LAPS         | High   | Low        | High | 1
00002 | Active Directory         | Qiong Wu      | Unauthorized Use     | Privileged Accounts  | MIM PAM      | Med    | Med        | Low  | 4
00003 | Workstations and Servers | Naoki Sato    | Code Execution       | Patching             | SCCM         | X      | Med        | Med  | 3
00004 | Business Culture         | Daniel Roth   | Social Engineering   | Phishing             | KnowBe4      | High   | Low        | High | 2
00005 | WiFi                     | Andrea Dunker | Unauthorized Use     | Pre-shared Key       | 802.1X       | Low    | High       | Med  | 5
00006 | Workstations and Servers | Eric Gruber   | Business Data Loss   | Malicious Software   | Device Guard | High   | High       | Med  | 6
Concurrency’s Engagements
Plan and Design: Review, assess and make a plan, strategic and tactical, working with CISO
Execution: Address threats through targeted process improvements, technologies, and education
Continuous Improvement: Develop a backlog and keep improving the security state
Key points
1. Understand that security is not something to procrastinate on
2. Leverage NIST CSF to develop a prioritized plan
3. Address key operating system and identity threats first
4. Don’t underestimate the importance of a security management platform
Digging into the Details
Presentations on individual scenarios for the Digital Transformation, including:
Securing the Client to Application Threat: Part 1
Securing the Client to Application Threat: Part 2
Securing Content and Communications
You will have access to the NIST to Technology Mapping, the whitepaper, and this presentation through a follow-up call
Part 1: Securing the Client
An Employee, their Laptop and a Hacker walk into a Bar…
What do you think?
“We are not an appealing target for attackers, I’m probably fine.”
“I couldn’t stop them anyway.”
“An attacker would need to get someone’s password to start hacking on us.”
“Breaking into our Network would require an experienced and sophisticated attacker.”
Attack Methods in this Demo
I’m using some of the laziest methods
They are easy to demo and understand
Much better methods and tools are available
They are easy to use, but might feel abstract
Attack Pyramid
Entry
Recon & Movement
End Goal / Exfiltration
Attack Plan
What could have stopped that?
BitLocker
− Would have prevented access to the file system
− Is built-in to Windows Enterprise/Pro Edition
− Manage with GPO, MBAM, AAD Join / Intune
− “InstantGo” capable devices (aka Connected Standby): Microsoft Surface/Book, Lenovo ThinkPad, Dell Venue
Azure AD Join / Domain Join++
− Conditional Access
− Single Sign On
− Enterprise State Roaming
− MDM Registration / Intune
− New Intune Portal!
What else could have happened?
− Social Engineering: Walk-up Access in office
− Phishing with Macros
− Remote Command and Control
Let’s go Phishing
What could have stopped that?
Macro Security settings
− GPO to “Disable all except digitally signed”
− GPO for Trust Center/Trusted Locations
− Client Activity Analysis with Defender ATP
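As an added check (not from the original deck), the following PowerShell reads the VBAWarnings and Trusted Locations policy values that the macro GPOs write, so an administrator can confirm the “Disable all except digitally signed” setting actually landed on a client; it assumes Office 2016 or later (registry version 16.0) and the Word, Excel and PowerPoint keys.

```powershell
# Added audit example, not from the original deck: report the effective VBA macro policy
# for Word, Excel and PowerPoint by reading the registry value the "VBA Macro Notification
# Settings" GPO writes (VBAWarnings) and the "Disable all trusted locations" policy.
# Assumption: Office 2016/2019/Microsoft 365 apps, which use registry version "16.0".
$OfficeVersion = '16.0'
$Apps = 'Word', 'Excel', 'PowerPoint'

# VBAWarnings values as used by the Office Trust Center
$Meaning = @{
    1 = 'Enable all macros (not recommended)'
    2 = 'Disable all with notification (Office default; user can click Enable)'
    3 = 'Disable all except digitally signed'
    4 = 'Disable all without notification'
}

function Get-MacroPolicy {
    param([Parameter(Mandatory)][string]$App)

    # The Policies hive (written by GPO) overrides the user's own Trust Center choice
    $policyKey = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\Security"
    $userKey   = "HKCU:\Software\Microsoft\Office\$OfficeVersion\$App\Security"

    $value  = (Get-ItemProperty -Path $policyKey -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
    $source = 'GPO'
    if ($null -eq $value) {
        $value  = (Get-ItemProperty -Path $userKey -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
        $source = 'User setting'
    }
    if ($null -eq $value) {
        $value  = 2            # a missing value means the Office default applies
        $source = 'Default'
    }

    # Trusted Locations bypass VBAWarnings, so check that the GPO disabled them as well
    $tlKey = Join-Path $policyKey 'Trusted Locations'
    $tlDisabled = (Get-ItemProperty -Path $tlKey -Name AllLocationsDisabled -ErrorAction SilentlyContinue).AllLocationsDisabled

    [pscustomobject]@{
        App                      = $App
        VBAWarnings              = [int]$value
        Source                   = $source
        Meaning                  = $Meaning[[int]$value]
        TrustedLocationsDisabled = ($tlDisabled -eq 1)
        # "Hardened" means the deck's recommendation: signed-only or fully disabled,
        # with no trusted-location bypass left open
        Hardened                 = ([int]$value -ge 3) -and ($tlDisabled -eq 1)
    }
}

$Apps | ForEach-Object { Get-MacroPolicy -App $_ } | Format-Table -AutoSize
```

Run it in the user's session after a gpupdate; a row whose Source is “User setting” or “Default” means the GPO never reached that app.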
What’s on this Laptop?
What could have stopped that?
BitLocker (indirectly): Encrypts the file system, not files
Azure Information Protection (Azure RMS): Encrypts individual files by user action*
Windows Information Protection (WIP, prev. EDP): Encrypts “Enterprise Data” by device policy
Where’s the Network?
What could have stopped that?
Local Admins can export Wifi Profiles
− Exports any network saved by any user
− Also exports client-side certificates
− Ensure the cert private key is not Exportable
− Consider using RADIUS authentication
− Consider managing Wifi settings with GPO/MDM
Attack Pyramid
Entry
Recon & Movement
End Goal / Exfiltration
Part 2: Securing the Servers
Attack Plan
What could have stopped that?
− LAPS / Better Passwords: Generate and Rotate STRONG Local Admin Passwords
− Device Guard / AppLocker (for non-admins): Prevent running unsigned applications (mimikatz)
− Credential Guard: Prevent dumping hashes
− Advanced Threat Analytics: Detected machine account querying AD
What could have stopped that?
LAPS: Randomize and Change STRONG Local Admin Passwords
Windows Firewall: Block RDP / Disable RDP, allow trusted sources
Group Policy: Prevent Remote Use of Local Accounts
Network Segmentation: Separate Client and Server networks with ACLs
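An added PowerShell check, not part of the original deck, that verifies on a server whether the “Prevent Remote Use of Local Accounts” GPO (the well-known SIDs S-1-5-113 and S-1-5-114 placed in the “Deny access to this computer from the network” right) and the RDP disablement from this slide are in effect; it assumes an elevated session on a Windows version that defines those SIDs.

```powershell
# Added audit example, not from the original deck: confirm on a host that the "Prevent
# Remote Use of Local Accounts" GPO and the "Disable RDP" setting from this slide are in
# effect. Run in an elevated PowerShell; secedit.exe needs administrator rights to export.
$LocalAccountSid      = 'S-1-5-113'   # NT AUTHORITY\Local account
$LocalAdminAccountSid = 'S-1-5-114'   # NT AUTHORITY\Local account and member of Administrators group

function Get-DeniedNetworkLogonSids {
    # Export only the user-rights area of the local security policy to a temp .inf file
    $inf = Join-Path $env:TEMP ('secpol-{0}.inf' -f [guid]::NewGuid())
    try {
        secedit.exe /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
        $line = Get-Content -Path $inf |
                Where-Object { $_ -match '^SeDenyNetworkLogonRight\s*=' } |
                Select-Object -First 1
        if (-not $line) { return @() }
        # The line looks like: SeDenyNetworkLogonRight = *S-1-5-113,*S-1-5-114
        ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
    }
    finally {
        Remove-Item -Path $inf -ErrorAction SilentlyContinue
    }
}

function Test-ServerRemoteAccessHardening {
    $denied = @(Get-DeniedNetworkLogonSids)
    # fDenyTSConnections = 1 means Remote Desktop is switched off on this host
    $rdp = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
                            -Name fDenyTSConnections -ErrorAction SilentlyContinue
    [pscustomobject]@{
        LocalAccountsDeniedNetworkLogon      = $denied -contains $LocalAccountSid
        LocalAdminAccountsDeniedNetworkLogon = $denied -contains $LocalAdminAccountSid
        DenyNetworkLogonEntries              = $denied -join ', '
        RemoteDesktopDisabled                = ($rdp.fDenyTSConnections -eq 1)
    }
}

Test-ServerRemoteAccessHardening | Format-List
```

A host where both Denied values are $false still accepts network logons with local credentials, which is the lateral-movement path the LAPS and GPO bullets above are meant to close.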
What’s on this Server?
What could have stopped that?
Group Managed Service Accounts: Passwords managed by Machines, not saved in registry
Device Guard / AppLocker: Prevent running unsigned applications
GPO / Access Control: Prevent Service Accounts from logging in remotely
Monitor with OMS / SysMon
Attack Pyramid
Entry
Recon & Movement
End Goal / Exfiltration
@MrShannonFritz
Attack Plan
Stealing AD from the Shadows
What could have stopped that?
Network Segmentation: Restrict network access to the DCs
GPO / Access Control: Prevent non-Domain Admins from logging in to DCs; prevent Domain Admin accounts from being used on non-DCs
Isolation / Protection: Restrict access to the DCs’ physical / virtual hardware
Attack Plan
Attack Mitigation Plan
[Diagram mapping the demo’s attack steps to mitigations]
Attack steps: stickykeys hijack, remote shell, macro, data theft, wifi psk dump, reconnaissance, rdp, vss copy ntds.dit, service secrets, skeleton key, krbtgt golden ticket
Mitigations: bitlocker, macro security gpo, azure rms, wip, certificate wifi, defender atp, gpo, aad join / intune, ata, gmsa, device guard, isolation, gpo / dsc, oms / sysmon
NIST Cybersecurity Framework Core
Identify: Asset Inventory, Patches and Updates, Risk Management, Policies
Protect: Credentials & Identity, Network Access, User Training, Data Security, Baseline Configuration
Detect: Nefarious Activity, Malicious Code, Unauthorized Users, Unauthorized Devices, External Services
Respond: Investigations, Forensics, Incidents, Containment, Public Relations
Recover: Business Continuity, Communications
Microsoft and 3rd Party Products
Identify: OMS (Operations Management Suite), SC Operations Mgr, SC Configuration Mgr, SC Service Manager, Intune, Cloud App Security, ServiceNOW
Protect: MIM (Identity Mgr), MIM PAM, AAD Premium / PIM, Azure MFA, Intune Conditional Access, Azure App Proxy, BitLocker, Office 365 ATP, OMS
Detect: Advanced Threat Analytics, OMS, Azure AD Premium, Defender ATP, Cloud App Security, O365 Compliance Cntr, Lookout App Security
Respond: OMS, SC Service Manager, ServiceNOW
Recover: Hyper-V Storage Replica, DFS, OneDrive for Business, OMS Site Recovery, SC DPM, Veeam, ServiceNOW
Acknowledgements / Learn More
Sami Laiho – wioski.com
Sean Metcalf – adsecurity.org
Rob Fuller – mubix, room362.com, hak5
Paula Januszkiewicz – cqureacademy.com
Robert Reif – Cynosure Prime password research
Michael Goetzman – cyphercon.com
Marcus Murray & Hasain Alshakarti – Truesec
Troy Hunt – haveibeenpwned.com, troyhunt.com
Securing Content and Communication
Securing Content and Communication
Review of security issues with content and communications scenarios and live review of example
Review of technologies to protect content and communications scenarios and live review of example
How to get started with protecting content and communications scenarios through both policy and technology
Data protection realities
87% of senior managers admit to regularly uploading work files to a personal email or cloud account.*
58% have accidentally sent sensitive information to the wrong person.*
? % focus on data leak prevention for personal devices, but ignore the issue on corporate owned devices where the risks are the same
Security Issues with Content and Communications
Confidential content is everywhere
Content needs to be shared, despite its security status
Certain locations should never access content
Content is shared when not intended to be
Modern Content Security Needs
Protect various content types
Protect in-place and in-flight
Share with anyone securely
Important applications and services are enlightened
Meet with varied organizational needs
Protect everywhere and layer security
Technical Solution Layers Applied
Network • Location Awareness for Office365 w/ MFA
Application • Office365 applies Azure Information Protection
Information • Azure Information Protection
Operating System • Local Bitlocker Encryption
Identity • EM+S with Azure Active Directory Platform
Management • Operations Management Suite (OMS), Enterprise Mobility + Security, ServiceNow
Steps to Starting Out
Define corporate content types and scenarios based on business use cases and organizational policies
Build rights management policies based on defined business requirements
Incrementally roll out location awareness and Azure Information Protection based on the defined rights management policies and business requirements
Concurrency’s engagements
Plan and Design: Review, assess and make a plan, strategic and tactical, working with CISO
Execution: Address threats through targeted process improvements, technologies, and education
Continuous improvement: Develop a backlog and keep improving the security state
Thank you!