Transcript of Protecting your critical systems from new and unknown ... - Olav Tvedt.pdf
Protecting your critical systems from new and unknown malware, 0-days, and APT
WE DRIVE BUSINESS EVOLUTION FORWARD
The ONE solution
https://en.wikipedia.org/wiki/Snake_oil
Modern Users
Last Week's Customer Incident
Luck vs Solution
Luck
- Honesty
- No Judgment
- Response time
Bad Luck
- (Just about) only local admin user
- User permission
Mitigation
- Monitoring (ATA)
- User Training
- Procedures, monitoring and alerts (ATP/ATA)
Affected Client
Bad Luck
• USB Backup Disk
• Local Admin (Exception)
Mitigation
• Azure Backup
• LAPS (Local Administrator Password Solution)
• Device Guard
https://www.microsoft.com/en-us/download/details.aspx?id=46899
WHY!!!
Man vs Machine
Old School Security
o User Education
o Traditional best practices
o Avoid Exceptions
o Etc.
Think!!!
Windows Security History
August 2004
November 2006
https://en.wikipedia.org/wiki/Timeline_of_Microsoft_Windows
Windows Vista UAC:
• Stopped more than 50% of 2000 backdoors, keyloggers, rootkits, mass mailers, trojan horses, spyware, adware, and various others directly
• Less than 5% survived UAC during reboot
http://us.norton.com/support/premium_services/malware_removal_guide.pdf
The Windows 10 Defense Stack: PROTECT, DETECT & RESPOND
PRE-BREACH
• Device protection: Device Health attestation, Device Guard, Device Control, Security policies
• Information protection: Device protection / Drive encryption, Enterprise Data Protection, Conditional access
• Threat resistance: SmartScreen, AppLocker, Device Guard, Windows Defender, Network/Firewall
• Identity protection: Built-in 2FA, Account lockdown, Credential Guard, Microsoft Passport, Windows Hello ;)
POST-BREACH
• Breach detection, investigation & response: Windows Defender ATP
Same stack, with the product names on the slide's second layer:
• Device protection: Device integrity, Device control
• Information protection: BitLocker and BitLocker to Go, Windows Information Protection, Conditional Access
• Threat resistance: SmartScreen, Windows Firewall, Microsoft Edge, Device Guard, Windows Defender
• Identity protection: Windows Hello ;), Credential Guard
• Breach detection, investigation & response: Windows Defender ATP
Windows 10 Security on Legacy or Modern Devices (Upgraded from Windows 7 or 32-bit Windows 8)
PRE-BREACH
• Device protection
• Identity protection
• Information protection
• Threat resistance
POST-BREACH
• Breach detection, investigation & response
Dynamic Lock / Goodbye
Hello (Word) For business
10 Print «Hello World!»
20 Goto 10
Run
Hello For Business
https://technet.microsoft.com/en-us/itpro/windows/keep-secure/hello-identity-verification
Secure Boot / BitLocker / BIOS -> UEFI
https://msdn.microsoft.com/en-us/windows/hardware/commercialize/manufacture/desktop/secure-boot-overview
Show & Tell
The Guards
VIRTUALIZATION BASED SECURITY
Windows Operating System: Apps / Windows Platform Services / Kernel
System Container: Trustlet #1 / Trustlet #2 / Trustlet #3 / Kernel
Hypervisor (Hyper-V)
Device Hardware
Device Guard in VBS environment: decisive mitigation
Windows Operating System: Apps / Windows Platform Services / Kernel
System Container: DEVICE GUARD / Trustlet #2 / Trustlet #3 / Kernel
Hypervisor (Hyper-V)
Device Hardware
Credential Guard
Not currently supported on Windows Server 2016
Device Guard
KMCI – Kernel Mode Code Integrity
UMCI – User Mode Code Integrity
Whitelist
◦ Applications / Apps
◦ Utilities
◦ Drivers
Audit / Enforce
Lock Policy
https://technet.microsoft.com/itpro/windows/keep-secure/device-guard-deployment-guide
Drivers
https://msdn.microsoft.com/en-us/windows/hardware/drivers/dashboard/windows-certified-products-listv
Certificates and Views
2 314 831 bytes
888 068 bytes
Exceptions (Known Threats)
• Narrator
• Wifi
• Blacklist whitelisted
• Exploit Monday
• https://github.com/mattifestation/DeviceGuardBypassMitigationRules
Device Guard Getting started
• Golden Image
• Audit Mode
• Failed
• Drivers
• Policy files
• Trial and error
• Maintain
NB! Sign the policy
https://technet.microsoft.com/itpro/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard
Group Policy
Config Manager
https://blogs.technet.microsoft.com/enterprisemobility/2015/10/30/managing-windows-10-device-guard-with-configuration-manager/
CMD:
Powershell Get-ExecutionPolicy
Powershell Set-ExecutionPolicy unrestricted -scope process; ./DG_Readiness_Tool_v2.1.ps1 -Ready
Powershell Get-ExecutionPolicy
Powershell:
Get-ExecutionPolicy
Set-ExecutionPolicy unrestricted -scope process; ./DG_Readiness_Tool_v2.1.ps1 -Ready
Get-ExecutionPolicy
Script switches:
-Capable
-Enable -CG
-Enable -HVCI
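The readiness tool tells you whether a box can run the Guards; once a policy is pushed, the question on the "Audit / Enforce" and Credential Guard slides is what is actually running on it. The following is an added example (not from the deck or the readiness script) that reads the Win32_DeviceGuard WMI class, which Windows 10 Enterprise and Server 2016 expose in the root\Microsoft\Windows\DeviceGuard namespace, and reports VBS, Credential Guard, HVCI and code-integrity enforcement state. Run it in an elevated PowerShell; the function and output field names are my own.

```powershell
# Added example: report Device Guard / Credential Guard state from Win32_DeviceGuard.
# Class, namespace and property names are the documented WMI ones; the function
# name and the output object's field names are this example's own choices.

function Get-DeviceGuardStatus {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

    # SecurityServicesConfigured / SecurityServicesRunning hold arrays of service ids:
    # 1 = Credential Guard, 2 = HVCI (hypervisor-enforced kernel-mode code integrity)
    $configured = @($dg.SecurityServicesConfigured)
    $running    = @($dg.SecurityServicesRunning)

    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
    $vbs = switch ([int]$dg.VirtualizationBasedSecurityStatus) {
        0 { 'Off' }
        1 { 'Enabled, not running' }
        2 { 'Running' }
        default { 'Unknown' }
    }

    # *CodeIntegrityPolicyEnforcementStatus: 0 = off, 1 = audit mode, 2 = enforced
    $ciMode = @{ 0 = 'Off'; 1 = 'Audit'; 2 = 'Enforced' }

    [pscustomobject]@{
        VBS                       = $vbs
        CredentialGuardConfigured = ($configured -contains 1)
        CredentialGuardRunning    = ($running -contains 1)
        HVCIConfigured            = ($configured -contains 2)
        HVCIRunning               = ($running -contains 2)
        KernelModeCI              = $ciMode[[int]$dg.CodeIntegrityPolicyEnforcementStatus]
        UserModeCI                = $ciMode[[int]$dg.UsermodeCodeIntegrityPolicyEnforcementStatus]
        # AvailableSecurityProperties lists platform features the firmware offers
        # (1 = hypervisor support, 2 = Secure Boot, 3 = DMA protection, ...);
        # RequiredSecurityProperties lists what policy demands before VBS starts.
        AvailableProperties       = @($dg.AvailableSecurityProperties)
        RequiredProperties        = @($dg.RequiredSecurityProperties)
    }
}

$status = Get-DeviceGuardStatus
$status | Format-List

# The gap between "configured" and "running" is the state worth alerting on:
# policy says the Guard should be up, but the platform could not start it.
if ($status.HVCIConfigured -and -not $status.HVCIRunning) {
    Write-Warning 'HVCI is configured but not running: check Secure Boot and virtualization support in UEFI.'
}
if ($status.CredentialGuardConfigured -and -not $status.CredentialGuardRunning) {
    Write-Warning 'Credential Guard is configured but not running.'
}
if ($status.KernelModeCI -eq 'Audit') {
    Write-Warning 'Code integrity policy is still in audit mode; nothing is being blocked.'
}
```

Run it per machine through your management tooling and collect the object; a fleet where RequiredProperties contains ids absent from AvailableProperties is the "Failed" bucket on the Getting started slide.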
Management
• Group Policy
• Intune (Coming)
• System Center
New-CIPolicy -FilePath c:\MyRules\MyRule.xml -Level PcaCertificate -ScanPath
Set-RuleOption -FilePath c:\MyRules\MyRule.xml -Option X
https://technet.microsoft.com/en-us/itpro/windows/keep-secure/deploy-code-integrity-policies-policy-rules-and-file-rules#code-integrity-policy-rules
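The two cmdlets above are the heart of the Getting started procedure (golden image, audit mode, fold in what failed, enforce, sign). As an added example, not from the deck or the Microsoft guide, here is that lifecycle written out with the ConfigCI cmdlets, run elevated on the golden-image machine. The paths under C:\MyRules follow the deck's own example path and are assumptions, as is the deny-rules file name in step 4 and the signing certificate name in step 6.

```powershell
# Added example: Device Guard code-integrity policy lifecycle with the ConfigCI module.
# All C:\MyRules paths are assumed; the deck only shows C:\MyRules\MyRule.xml.

$Xml      = 'C:\MyRules\MyRule.xml'
$AuditXml = 'C:\MyRules\MyRule.Audit.xml'
$Merged   = 'C:\MyRules\MyRule.Merged.xml'
$Final    = 'C:\MyRules\MyRule.Final.xml'
$Bin      = 'C:\MyRules\SIPolicy.bin'

# 1. Golden image: scan the reference build. PcaCertificate trusts the issuing CA,
#    so signed updates keep working; anything unsigned falls back to a hash rule.
#    -UserPEs also covers user-mode binaries (UMCI), not only drivers (KMCI).
New-CIPolicy -FilePath $Xml -Level PcaCertificate -Fallback Hash -ScanPath 'C:\' -UserPEs

# 2. Audit mode (option 3 = Enabled:Audit Mode; New-CIPolicy sets it by default,
#    made explicit here). Nothing is blocked yet; files that WOULD be blocked are
#    logged as event ID 3076 in Microsoft-Windows-CodeIntegrity/Operational.
Set-RuleOption -FilePath $Xml -Option 3

# ... deploy the audit policy, run it for a while, then back on a reference box:

# 3. Turn the audit events into rules and merge them into the policy.
New-CIPolicy -FilePath $AuditXml -Audit -Level PcaCertificate -Fallback Hash -UserPEs
Merge-CIPolicy -PolicyPaths $Xml, $AuditXml -OutputFilePath $Merged

# 4. Optionally merge deny rules for the known bypasses the deck links
#    (github.com/mattifestation/DeviceGuardBypassMitigationRules). File name is a placeholder.
# Merge-CIPolicy -PolicyPaths $Merged, 'C:\MyRules\<downloaded-deny-rules>.xml' -OutputFilePath $Merged

# 5. Enforce: drop audit mode. Dropping option 6 (Enabled:Unsigned System Integrity
#    Policy) is the "NB! Sign the policy" step: from now on the binary must carry a
#    valid signature or it is rejected, and a local admin cannot simply delete it.
Set-RuleOption -FilePath $Merged -Option 3 -Delete
Set-RuleOption -FilePath $Merged -Option 6 -Delete

# 6. Convert to the binary the kernel loads, then sign it with the code-signing
#    certificate whose signer you added to the policy (cert name is a placeholder).
ConvertFrom-CIPolicy -XmlFilePath $Merged -BinaryFilePath $Bin
# signtool.exe sign -v /n "<DG policy signing cert>" -p7 . -p7co 1.3.6.1.4.1.311.79.1 -fd sha256 $Bin

# Deploy the signed binary via Group Policy or Configuration Manager; on a client it
# ends up as C:\Windows\System32\CodeIntegrity\SIPolicy.p7b and applies after reboot.
```

Keep the audit-phase policy XML under version control: "Trial and error" on the Getting started slide means you will be regenerating step 3 several times, and the diff between runs shows exactly which driver or utility a new build introduced.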
Device Guard Links
Basic:
https://technet.microsoft.com/en-us/itpro/windows/keep-secure/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies#how-device-guard-features-help-protect-against-threats
https://technet.microsoft.com/itpro/windows/keep-secure/device-guard-deployment-guide
https://github.com/iadgov/Secure-Host-Baseline/tree/master/Credential%20Guard
http://www.exploit-monday.com/2016/09/introduction-to-windows-device-guard.html
Advanced:
https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10/
https://technet.microsoft.com/en-us/library/mt634481.aspx
https://www.youtube.com/watch?v=n_fq1WnoQbI
https://github.com/mattifestation/DeviceGuardBypassMitigationRules
Conclusion
Machine vs Man
Olav Tvedt, Senior Principal Architect
Lumagate A/S
Blog: olavtvedt.blogspot.com
Twitter: OlavTwitt
Epost: [email protected]
Cloud and Datacenter Management
Windows and Devices for IT
31 May – www.mvpdagen.no