Securing your credentials…

in every cloud

chris.shalda@coretekservices.com

@ShaldaChris

Chris Shalda

Microsoft Solutions Architect

REVOLUTION

TODAY, YOU ARE EXPERIENCING A

OF CYBER-THREATS

Wall Street Journal, JP Morgan, White House, Bushehr nuclear reactor, RSA, Microsoft, Google, Apple, Facebook, Sony, Target, Heartland ,EBay Heartland ICANN Home Depot

struggling

THE EVOLUTION OF ATTACKS

Volume and Impact

Script Kiddies

BLASTER, SLAMMER

Motive: Mischief

2003-2004

THE EVOLUTION OF ATTACKS

2005-PRESENT

Organized Crime

RANSOMWARE, CLICK-FRAUD,

IDENTITY THEFT

Motive: Profit

Script Kiddies

BLASTER, SLAMMER

Motive: Mischief

2003-2004

THE EVOLUTION OF ATTACKS

2005-PRESENT

Organized Crime

RANSOMWARE, CLICK-FRAUD,

IDENTITY THEFT

Motive: Profit

Script Kiddies

BLASTER, SLAMMER

Motive: Mischief

2012 - Beyond

Nation States, Activists,

Terror Groups

BRAZEN, COMPLEX,

PERSISTENT

Motives:IP Theft,Damage,

Disruption

2003-2004

:)

THE ANATOMY OF AN ATTACK

Healthy Computer

User Receives Email

User Lured to Malicious Site

Device Infected with

Malware

HelpDesk Logs into Device

Identity Stolen, Attacker Has

Increased Privs

:)

Healthy Computer

User Receives Email

User Lured to Malicious Site

Device Infected with

Malware

User Lured to Malicious Site

Device Infected with

Malware

HelpDesk Logs into Device

Identity Stolen, Attacker Has

Increased Privs

User Receives Email

DEFENDING AGAINST MODERN SECURITY THREATS

SECURED DEVICES

SECURED IDENTITIES

INFORMATIONPROTECTION

THREAT RESISTANCE

HARDWARE ROOTED TRUST

SECURED DEVICES

SECURED IDENTITIES

INFORMATIONPROTECTION

THREAT RESISTANCE

Device integrity

Cryptographic processing

Biometric sensors

Virtualization

SECURED HARDWARE

SECURE ROOTS OF TRUST

Traditional Platform Stack

Apps

Windows Platform Services

Virtualization Based Security (VBS)

Virtualization Based Security (VSM) Environment

Tru

stle

t#

1

Windows

AppsTr

ust

let

#2

Tru

stle

t#

3

Windows Platform Services

Windows Hello

Microsoft Passport

BitLocker

Enterprise Data Protection

Device Guard

Windows Defender

UEFI Secure Boot

TPM 2.0, Virtualization

THE END OF PASSWORDS, TWO-FACTOR FOR EVERYONE

HARDWARE ROOTED TRUST

SECURED DEVICES

SECURED IDENTITIES

INFORMATIONPROTECTION

THREAT RESISTANCE

WINDOWS 10 IDENTITY GOALS

Mainstream two-factor authentication

Make credentials theft resistant and breach and phish proof

Deliver solution to both consumer and business users

Use credentials on familiar mobile devices for desktop sign-in

USER IDENTITY & AUTHENTICATION

SHARED SECRETS

shhh!

Easily mishandled or lost

(Hint: The user is the problem)

Internet username and password

User

THE SITES WE USE ARE A WEAK LINK

Bad Guy

1

Social

.com

Bank

.com

Network

.com

LOL

.com

Obscure

.com1

2

User

1

3

5

Device

IDP

IDP

IDP

2

4

Network

Resource

THE USER AND DEVICE ARE THE WEAK LINKS

Bad Guy

PKI SOLUTIONS

Complex, costly, and under attack

1

Windows 8.1

User

2

IDP

Active Directory

3

4 5

6Network

Resource

THE CA

IS UNDER ATTACK

Bad Guy

LIMITED USE OF MFA CREATES WEAK LINKS

User

UN/Password

High-value assets

Most network resources

ENTERPRISE DEMANDS

Simplify implementation

Reduce costs

MULTIFACTOR WITH EXISTING DEVICES

SIMPLIFYING DEPLOYMENT

MICROSOFT PASSPORT DEVICE-BASED MULTI-FACTOR

UTILIZE FAMILIAR DEVICES

SECURED BY HARDWARE

USER CREDENTIAL

An asymmetrical key pair

Provisioned via PKI or created locally via Windows 10

IDP

Active Directory

Azure AD

Google

Facebook

Microsoft Account

1

User

2

Windows10

3Intranet

Resource4

4Intranet

Resource

A NEW APPROACH

PINSimplest implementation optionNo hardware dependenciesUser familiarity

Windows Hello Higher securityEase of useImpossible to forgetFingerprint, Facial, Iris

ACCESSING CREDENTIALS

Sample design, UI not final

Attacker needs to know both your PIN and have access to your

device

TPM provides anti-hammering support to thwart offline attacks

Hardware bound keys cannot be stolen or replayed

PIN is never stored in the device or sent to server

A world beyond passwords with two factor authentication

PIN or Biometric plus your device (PC or Phone)

Breach, theft, and phish proof identities

Single sign-on on-prem, on the web, across sites

Sign-in to devices using Azure Active Directory

IDENTITY FOR BUSINESS

USER IDENTITY & AUTHENTICATIONDERIVED CREDENTIALS & ACCESS TOKENS

“PASS THE HASH” ATTACKS

Today’s security challenge

TODAY’S SECURITY

CHALLENGE

PASS THE HASH ATTACKS

TODAY’S SECURITY

CHALLENGE

PASS THE HASH ATTACKS

Pass the hash attacks have gone from hypothetical to very real threats

Enables an attacker to steal derived user credentials using common hacking tools like MimiKatz

Once obtained an attacker is often able to steal additional derived user credentials and move laterally across network

Enables an attacker to frequently persist even once detected as they can move from one identity to the next

Pass the Hash (PtH) attacks are the #1 go-to tool for hackers. Used in nearly every major breach and APT type of attack

Credential Guard uses VBS to isolate Windows authentication from Windows operating system

Fundamentally breaks delivered credential theft using MimiKatz, etc

TODAY’S SOLUTION

CREDENTIAL

GUARDProtects LSA Service (LSASS) and derived credentials (Kerberos Ticket; NTLM Hash)

Credential Guard in VBS Environment = Decisive Mitigation

Virtualization Based Security (VBS) Environment

Cre

d G

uard

Windows

AppsTr

ust

let

#2

Tru

stle

t#

3

Windows Platform Services

Provides a centralized storage of secrets/passwords in Active Directory (AD) - without additional computers

Each organization’s domain administrators determine which users are authorized to read the passwords

Credential Guard does NOT supersede LAPS – Credential Guard protects domain accounts NOT local accounts

COMPLIMENTARYSOLUTION

LOCAL ADMINISTRATOR

PASSWORD SOLUTION (LAPS)

Periodically randomizes local administrator passwords - ensures password update to AD succeeds before modifying local secrets/passwords

Poll

Cloud Services

Microsoft Azure Active Directory Premium

Microsoft Azure Rights Management Premium

Advanced Threat Analytics

Easily manage identities

across on-premises and cloud

Single sign-on and self-service

for corporate resources

Leverage PC management,

MDM, and MAM to protect

corporate apps and data on

almost any device

Encryption, identity, and

authorization to secure

corporate files and email across

phones, tablets, and PCs

Identify suspicious activities

and advanced threats in near

real time with simple,

actionable reporting

Behavior-based

threat analytics

Information

protection

Identity and access

management

Device and app

management

Microsoft Intune

System Center

Configuration Manager

Identity as the core of enterprise mobility

Single sign-on

Microsoft Azure Active Directory

Self-service

Simple connection

On-premises

Other directories

Windows ServerActive Directory

SaaSAzure

Publiccloud

Cloud

1 trillionAzure AD

authentications

since the release of

the service

>35kthird-party

applications used

with Azure AD

each month

>1.3

billion authentications every

day on Azure AD

More than

550 Muser accounts on

Azure AD

Azure AD

Directories

>7 M

86% of Fortune 500

companies use

Microsoft Cloud

(Azure, O365, CRM Online, and PowerBI)

Every Office 365 and Microsoft Azure customer uses Azure Active Directory

Microsoft’s “Identity Management as a Service (IDaaS)”

for organizations.

Millions of independent identity systems controlled by

enterprise and government “tenants.”

Information is owned and used by the controlling

organization—not by Microsoft.

Born-as-a-cloud directory for Office 365. Extended to

manage across many clouds.

Evolved to manage an organization’s relationships with

its customers/citizens and partners (B2C and B2B).

1000s of apps, 1 identity

Making the lives of users (and IT) easier

Managing identities

Collaborating with partners

Enabling anytime/anywhere productivity

Identity-driven security

Connecting with consumers

Your domain controller as a service

Azure Active Directory Connect and Connect Health

*

MIM

*

Microsoft AzureActive Directory

HR apps

OTHER DIRECTORIES

PowerShell

SQL (ODBC)

LDAP v3

Web Services ( SOAP, JAVA, REST)

Connect and sync on-premises directories with Azure

Web apps

(Azure Active Directory Application Proxy)

Integrated

custom apps

SaaS apps

HR and Other Directories

2500+ popular SaaS apps

Connect and sync on-premises directories

with Azure

Easily publish on-premises web apps via

Application Proxy + Custom apps

through a rich standards-based platform

Microsoft Azure

Cloud HR

Conditions

Allow access

Or

Block access

Actions

Enforce MFA per

user/per app

Location (IP range)

Device state

User groupUser

NOTIFICATIONS, ANALYSIS, REMEDIATION, RISK-BASED POLICIES

CLOUD APP DISCOVERY PRIVILEGED IDENTITY MANAGEMENT

MFA

IDENTITY PROTECTION

Risk

Azure Active Directory Identity Protection

Consolidated view to examine

suspicious user activities and

configuration vulnerabilities

Remediation recommendations

Risk severity calculation

Risk-based policies for

protection for future threats

Brute force attacks

Leaked credentials

Infected devices

Suspicious sign-in

activities

Configuration

vulnerabilities

Risk-Based policies

MONITOR AND PROTECT

Discover, restrict, and monitor privileged

identities and their access to resources

Enforce on-demand, just-in-time

administrative access when needed

Security Wizard

Alerts

Security reviews

MONITOR AND PROTECT

Detect threats fast

with behavioral

analytics

Adapt as fast as

your enemies

Focus on what is

important fast using the

simple attack timeline

Reduce the fatigue

of false positives

No need to create rules or policies,

deploy agents, or monitor a flood of

security reports. The intelligence

needed is ready to analyze and is

continuously learning.

ATA continuously learns from the

organizational entity behavior (users,

devices, and resources) and adjusts

itself to reflect the changes in your

rapidly evolving enterprise.

The attack timeline is a clear, efficient,

and convenient feed that surfaces the

right things on a timeline, giving you

the power of perspective on the “who,

what, when, and how” of your

enterprise. It also provides

recommendations for next steps.

Alerts only happen once suspicious

activities are contextually

aggregated; not only comparing the

entity’s behavior to its own behavior,

but also to the profiles of other

entities in its interaction path.

IDENTITY-DRIVEN SECURITY

ATA

Devices

and servers

Behavioral

analytics

Forensics for

known attacks

and issues

Advanced

Threat Analytics

Profile normal

entity behavior

(normal versus

abnormal)

Search for known

security attacks

and issues

Detect suspicious

user activities,

known attacks,

and issues

SIEM Active

Directory

Advanced Threat Analytics

Enterprise Mobility +Security

Protect your users, devices, and appsAZURE RIGHTS

MANAGEMENT

& SECURE

ISLANDS

Detect problems early with visibility

and threat analytics

Advanced

Threat

Analytics

MICROSOFT

INTUNE

Protect your data, everywhere

AZURE ACTIVE

DIRECTORY

IDENTITY

PROTECTION

Extend enterprise-grade security to your cloud and SaaS apps

Protect application access from identity attacks

MICROSOFT

CLOUD APP

SECURITY

IDENTITY-DRIVEN SECURITY

56

http://Aka.ms/LAPS

http://Aka.ms/CyberPAW

http://Aka.ms/LAPS

http://aka.ms/HardenAD

http://aka.ms/ata

http://aka.ms/JEAhttp://aka.ms/CyberPAW

http://aka.ms/PAM http://aka.ms/AzurePIM

9872521

http://aka.ms/privsec

http://aka.ms/Passport http://aka.ms/ESAE

http://aka.ms/shieldedvms

SECURED DEVICES

SECURED IDENTITIES

INFORMATIONPROTECTION

THREAT RESISTANCE

ACTIVE THEAT PROTECTION

HARDWARE ROOTED TRUST

TWO-FACTOR FOR EVERYONE

DATA LOSS PREVENTION

ACTIVE THEAT PROTECTION

SECURED DEVICES

SECURED IDENTITIES

INFORMATIONPROTECTION

THREAT RESISTANCE