Ken Ewert
Principal Group Program Manager / Compliance Manager
Microsoft Corporation
Dude! Where’s my Data???
A trust overview for Lync Online
ONLI204
Session Overview
Why is this Important
The Office 365 Trust narrative and details
Positioning Our Future Investments
Why this is important
• Security, Privacy and Compliance are differentiators for Office 365
• Political landscape due to PRISM resulting in greater attention to Security and Privacy
• Large organizations need confidence and trust which means deeper engagement in these important topics
Security: Best-in-class security with over a decade of experience building Enterprise software & Online services
• Physical and data security with access control, encryption and strong authentication
• Security best practices like penetration testing, defense-in-depth to protect against cyber-threats
• Unique customer controls with Rights Management Services to empower customers to protect information
The Office 365 Trust narrative
Compliance: Commitment to industry standards and organizational compliance
• Enable customers to meet global compliance standards in ISO 27001, EUMC, HIPAA, FISMA
• Contractually commit to privacy, security and handling of customer data through Data Processing Agreements
• Admin Controls like Data Loss Prevention, Legal Hold, E-Discovery to enable organizational compliance
Privacy: Privacy by design with commitment to use customers’ information only to provide services
• No mining of data for advertising
• Transparency with the location of customer data, who has access and under what circumstances
• Privacy controls to regulate sharing of sites, libraries, folders and communications with external parties
Microsoft experience and credentials (timeline slide, 1989 to 2013)
One of the world’s largest cloud providers & datacenter/network operators
Milestones and credentials shown on the timeline:
• 1st Microsoft Data Center
• Bill Gates Memo
• Trustworthy Computing Initiative (TwC)
• Microsoft Security Engineering Center - Security Development Lifecycle (SDL)
• Microsoft Security Response Center (MSRC)
• Malware Protection Center
• Microsoft Security Essentials
• Windows Update
• Active Directory
• Global Foundation Services (GFS)
• Microsoft Online Services (MOS)
• Exchange Hosted Services (part of Office 365)
• Windows Azure
• Hotmail, Outlook.com, MSN, Bing/MSN Search, Xbox Live
• Certifications and agreements: SAS-70, SSAE-16, ISO 27001 Certification, FISMA, U.S.-EU Safe Harbor, European Union Model Clauses (EUMC), Health Insurance Portability and Accountability Act Business Associate Agreement (HIPAA BAA), Data Processing Agreement (DPA), CJIS Security Policy Agreement
Security
Built in Capabilities
• Physical and data security with access control, encryption and strong authentication
• Security best practices like penetration testing, Defense-in-depth to protect against cyber-threats
Flexible Customer Controls
• Unique customer controls with Rights Management Services to empower customers to protect information
Built in Security Capabilities
Defense in depth: multi-dimensional approach to customer environment
• Security Management: Threat and vulnerability management, security monitoring, and response
• Network perimeter: Edge routers, firewalls, intrusion detection, vulnerability scanning
• Internal network: Dual-factor authentication, intrusion detection, vulnerability scanning
• Host: Access control and monitoring, anti-malware, patch and configuration management
• Application: Secure engineering (SDL), access control and monitoring, anti-malware
• Data: Access control and monitoring, file/data integrity, encryption
• User: Account management, training and awareness, screening
• Facility: Physical controls, video surveillance, access control
Facility
• Seismic bracing
• 24x7 onsite security staff
• Days of backup power
• Tens of thousands of servers
• Perimeter security
• Extensive monitoring
• Multi-factor authentication
• Fire suppression
Removable Media
• Microsoft disallows removable media and wireless devices in our data centers, but for emergency reasons (such as in case of fire) and to enable people to do their jobs, mobile phones are allowed. However, if such a device were to be attached to physical hardware, this action would trigger a security alert.
• Data center access is also checked and validated for each individual before entry.
Network perimeter
• Physical separation between backend and public facing interfaces
• Edge router security / firewalls implemented to secure network edge
• Port scanning
• Perimeter vulnerability scanning
• Network level DDOS & intrusion detection and prevention
Throttling to Prevent DoS attacks
• Ability to recognize DoS traffic patterns
• Automatic traffic shaping kicks in when spikes exceed normal
• Mitigates: non-malicious excessive use, buggy clients (BYOD), admin actions, DoS attacks
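The throttling slide describes a shaper that only engages when a client's traffic spikes beyond what is normal, so that buggy clients, admin scripts and deliberate flooding are all handled by one mechanism. The following is an added example, not Office 365 code: a per-client sliding-window throttle whose "normal" rate, window and spike factor are assumed parameters, run over constructed sample traffic (one well-behaved client, one client stuck in a retry loop).

```python
"""Spike-triggered throttling (added example, not Office 365 code)."""
from collections import deque


class SpikeThrottle:
    """Per-client sliding-window throttle.

    A client's request count over the last `window` seconds is compared
    against `spike_factor` times the configured normal rate. Requests above
    that line are shaped (rejected with a retry hint) until the window drains,
    while ordinary bursty-but-normal traffic passes untouched.
    """

    def __init__(self, normal_rps: float, window: float = 10.0, spike_factor: float = 3.0):
        self.window = window
        self.limit = normal_rps * window * spike_factor  # max requests per window
        self._hits: dict[str, deque] = {}

    def _prune(self, q: deque, now: float) -> None:
        # Drop timestamps that have fallen out of the sliding window.
        while q and now - q[0] >= self.window:
            q.popleft()

    def allow(self, client: str, now: float) -> tuple[bool, float]:
        """Return (allowed, retry_after_seconds) for a request at time `now`."""
        q = self._hits.setdefault(client, deque())
        self._prune(q, now)
        if len(q) >= self.limit:
            # The oldest request in the window tells us when capacity frees up.
            return False, self.window - (now - q[0])
        q.append(now)
        return True, 0.0


def simulate(events, normal_rps=2.0, window=10.0, spike_factor=3.0):
    """Run (timestamp, client) events through the throttle and return
    per-client counts of allowed and throttled requests."""
    throttle = SpikeThrottle(normal_rps, window, spike_factor)
    stats = {}
    for ts, client in events:
        ok, _ = throttle.allow(client, ts)
        s = stats.setdefault(client, {"allowed": 0, "throttled": 0})
        s["allowed" if ok else "throttled"] += 1
    return stats


# Constructed sample traffic: a well-behaved client at 1 req/s for a minute
# and a buggy client firing 200 requests in the first 4 seconds.
SAMPLE_EVENTS = sorted(
    [(float(i), "good-client") for i in range(60)]
    + [(i * 0.02, "buggy-client") for i in range(200)]
)

if __name__ == "__main__":
    for client, s in simulate(SAMPLE_EVENTS).items():
        print(client, s)
```

With the assumed normal rate of 2 requests/s, a 10 s window and a spike factor of 3, the good client never comes near the 60-request ceiling, while the buggy client is cut off after its first 60 requests until its window drains.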
Internal network
• Network level DDOS & intrusion detection and prevention
• Networks within the Office 365 data centers are segmented
• 2FA for service access
• Isolation between the corporate environment (Microsoft Corporate Network) and the production access environment for all employees
Host/Application
• Zero standing permissions in the service
• Automated tooling for routine activities
• Auditing of all operator access and actions
• Security Development Lifecycle
• Patching/Malware protection
Zero access privilege & automated operations
Microsoft Admin (user)
• Account management: automatic account deletion, unique accounts, zero access privileges
• Training, policies and awareness
• Background checks, screening
Lock Box: Role Based Access Control
Diagram: Microsoft Corporate Network to Office 365 Datacenter Network
1. O365 Admin requests access.
2. Lock Box verifies eligibility by checking that (1) background check, (2) fingerprinting and (3) security training are completed.
3. Lock Box grants temporary privilege, with the least privilege required to complete the task.
Isolated Customer Data
• Multi-tenant environment is designed to support logical isolation of data that multiple customers store in the same physical hardware.
• Intended or unintended access of data belonging to a different customer/tenant is prevented by data isolation.
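The slide states the property (a tenant can reach only its own data, whether the cross-tenant request is deliberate or a bug) without showing where it is enforced. The following is an added example, not Office 365 code: a toy tenant-scoped store in which the tenant is bound to the authenticated identity, every row is keyed by (tenant, item), and every read or write passes an isolation check that is also audited. Names and values are constructed.

```python
"""Logical tenant isolation in a multi-tenant store (added example)."""
from dataclasses import dataclass


class TenantIsolationError(PermissionError):
    """Raised when a caller addresses data outside its own tenant."""


@dataclass(frozen=True)
class Principal:
    user: str
    tenant: str  # bound to the authenticated identity, never caller-supplied


class TenantScopedStore:
    """Key/value store where every row is keyed by (tenant, item) and every
    access is authorised against the caller's tenant before any lookup."""

    def __init__(self):
        self._rows: dict[tuple[str, str], str] = {}
        self.audit: list[tuple[str, str, str, str]] = []  # (user, tenant, item, outcome)

    def _authorize(self, who: Principal, tenant: str, item: str) -> None:
        if who.tenant != tenant:
            self.audit.append((who.user, tenant, item, "DENIED"))
            raise TenantIsolationError(f"{who.user} may not access tenant {tenant}")
        self.audit.append((who.user, tenant, item, "ALLOWED"))

    def put(self, who: Principal, item: str, value: str) -> None:
        # Writes always land in the caller's own tenant.
        self._authorize(who, who.tenant, item)
        self._rows[(who.tenant, item)] = value

    def get(self, who: Principal, tenant: str, item: str) -> str:
        # `tenant` comes from the request, so it is checked against the
        # identity; there is no fallback to a global lookup by item name.
        self._authorize(who, tenant, item)
        return self._rows[(tenant, item)]


def demo() -> dict:
    """Two tenants store an item under the same name; only the owning tenant
    can read it back, and the cross-tenant attempt is denied and logged."""
    store = TenantScopedStore()
    alice = Principal("alice", "contoso")   # constructed sample identities
    bob = Principal("bob", "fabrikam")
    store.put(alice, "mailbox/alice", "contoso mail")
    store.put(bob, "mailbox/alice", "fabrikam mail")  # same item name, other tenant
    result = {"alice_sees": store.get(alice, "contoso", "mailbox/alice")}
    try:
        store.get(bob, "contoso", "mailbox/alice")  # bug or misuse: wrong tenant
        result["bob_cross_tenant"] = "allowed"
    except TenantIsolationError:
        result["bob_cross_tenant"] = "denied"
    result["denied_events"] = sum(1 for e in store.audit if e[3] == "DENIED")
    return result


if __name__ == "__main__":
    print(demo())
```

The design point is that the tenant used for authorisation is taken from the authenticated principal, not from the request, and that the row key itself includes the tenant, so even a coding mistake that passes the wrong tenant id cannot silently return another customer's row.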
Encryption: BitLocker
• Available in Windows servers and clients
• 128 bit or 256 bit AES
• Protects against the following scenarios: unauthorized physical access to servers / hardware in datacenters; a disk or server not getting recycled appropriately
Diagram: backend (Windows server with data disk) and customer side (Windows computer), both BitLocker protected
Encryption in Transit
SSL/TLS Encryption
• Client to Server
• Server to Server
• Data center to Data center
Diagram: Windows PC to server (client/server: SSL/TLS protected); server to server (SSL/TLS protected); data disks at each server
Summary: Defense in depth, multi-dimensional approach to customer environment
• Security Management: Threat and vulnerability management, monitoring, and response
• Network perimeter: Edge routers, intrusion detection, vulnerability scanning
• Internal network: Dual-factor authentication, intrusion detection, vulnerability scanning
• Host: Access control and monitoring, anti-malware, patch and configuration management
• Application: Secure engineering (SDL), access control and monitoring, anti-malware
• Data: Access control and monitoring, file/data integrity, encryption
• User: Account management, training and awareness, screening
• Facility: Physical controls, video surveillance, access control
Security Development Lifecycle: Reduce vulnerabilities, limit exploit severity
Ongoing Process Improvements
• Education: Administer and track security training
• Process: Guide product teams to meet SDL requirements
• Accountability: Establish release criteria & sign-off as part of FSR
• Incident Response (MSRC)
Phases and practices
• Training: Core Security Training
• Requirements: Establish Security Requirements; Create Quality Gates / Bug Bars; Security & Privacy Risk Assessment
• Design: Establish Design Requirements; Analyze Attack Surface; Threat Modeling
• Implementation: Use Approved Tools; Deprecate Unsafe Functions; Static Analysis
• Verification: Dynamic Analysis; Fuzz Testing; Attack Surface Review
• Release: Incident Response Plan; Final Security Review; Release Archive
• Response: Execute Incident Response Plan
Beyond industry best practices: Assume breach; Security incident notification
Prevent Breach and Assume Breach
Prevent Breach
• Threat model
• Code review
• Security development lifecycle (SDL)
• Security testing
Assume Breach
• War game exercises (NEW)
• Live site pentest (NEW)
• Centralized security logging & monitoring (NEW)
Assume breach identifies & addresses significant gaps:
• Detect attack & penetration
• Respond to attack & penetration
• Recover from data leakage or tampering
• Scope ongoing live site testing of security response plans to drastically improve mean time to detection & recovery
• Reduce exposure to internal attack (once inside, attackers have broad access)
• Periodic environment post breach assessment & clean state
Examples of vulnerability detection (Assume Breach)
• War game exercises: Red teaming, Blue teaming
• Monitor emerging threats
• Execute post breach
• Insider attack simulation
Penetration Testing
We do our own penetration testing, which is quite effective as we can test a number of rogue admin scenarios (Red Team / Blue Team war games).
We also provide auditors with reports and communications to keep them apprised of the status of the system.
Furthermore, we validate the external surface of the service using third party penetration testing based upon the OWASP top ten.
Outsider Attacks
• Outside In PEN testing
• Weekly port scanning: only protocol ports open to the world (over SSL)
• Daily perimeter vuln scanning
• OS Patching
• Message hygiene: antispam, antivirus through FOPE
• Network level DDOS detection and prevention: Arbor Peakflow
• 0-human set engineer passwords: no weak/reused passwords
Insider Attacks (i.e. Rogue Admin, disgruntled employee)
• 2FA required for service access
• Auditing of all operator access and actions
• 0-standing permissions in the service: just in time elevations; automatic rejection of non-background check employees to high privilege access; scrutinized manual approval for background checked employees
• Automatic account deletion: when employee leaves, when employee moves groups, lack of use
• Automated tooling for routine activities: deployment, debugging, diagnostic collection, restarting services
• Passwords encrypted in password store: automation has access to passwords; highly scrutinized, manually approved access for humans
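The Lock Box slide earlier and the insider-attack controls just listed describe one mechanism from two angles: no standing privilege, eligibility gates (background check, fingerprinting, security training) before any elevation, manual approval, time-limited least-privilege grants, automatic loss of access when the employee leaves, and an audit trail of every request and action. The following is an added example of that flow, not Microsoft's Lock Box implementation; role names, the grant lifetime and the operators are constructed.

```python
"""Lock Box style just-in-time elevation (added example, not Microsoft code)."""
from dataclasses import dataclass, field


@dataclass
class Operator:
    name: str
    background_check: bool = False
    fingerprinting: bool = False
    security_training: bool = False
    active: bool = True  # False once the employee leaves or moves groups


@dataclass
class Grant:
    operator: str
    role: str
    expires_at: float


@dataclass
class LockBox:
    ttl: float = 3600.0                       # seconds a temporary privilege lives
    grants: dict = field(default_factory=dict)  # (operator, role) -> Grant
    audit: list = field(default_factory=list)   # (time, operator, role, event)

    def eligibility(self, op: Operator) -> list:
        """Return the unmet gates; an empty list means eligible."""
        unmet = []
        if not op.active:
            unmet.append("account inactive")
        if not op.background_check:
            unmet.append("background check")
        if not op.fingerprinting:
            unmet.append("fingerprinting")
        if not op.security_training:
            unmet.append("security training")
        return unmet

    def request(self, op: Operator, role: str, now: float, approved: bool) -> bool:
        """Grant `role` to `op` until now + ttl if eligible and manually approved."""
        unmet = self.eligibility(op)
        if unmet:
            self.audit.append((now, op.name, role, "REJECTED: " + ", ".join(unmet)))
            return False
        if not approved:
            self.audit.append((now, op.name, role, "PENDING: awaiting approval"))
            return False
        self.grants[(op.name, role)] = Grant(op.name, role, now + self.ttl)
        self.audit.append((now, op.name, role, "GRANTED"))
        return True

    def act(self, op: Operator, role: str, action: str, now: float) -> bool:
        """Perform `action` only under a live grant; stale grants are purged."""
        g = self.grants.get((op.name, role))
        if g is None or now >= g.expires_at or not op.active:
            self.grants.pop((op.name, role), None)
            self.audit.append((now, op.name, role, f"DENIED {action}"))
            return False
        self.audit.append((now, op.name, role, f"DID {action}"))
        return True


def demo() -> dict:
    """Walk one vetted and one unvetted operator through the flow."""
    lb = LockBox(ttl=600.0)
    vetted = Operator("dana", True, True, True)                       # constructed
    unvetted = Operator("eve", False, True, True)                     # no background check
    out = {}
    out["unvetted_rejected"] = not lb.request(unvetted, "MailboxAdmin", 0.0, approved=True)
    out["no_standing_access"] = not lb.act(vetted, "MailboxAdmin", "restart-service", 0.0)
    out["granted"] = lb.request(vetted, "MailboxAdmin", 10.0, approved=True)
    out["acted_in_window"] = lb.act(vetted, "MailboxAdmin", "restart-service", 100.0)
    out["expired_denied"] = not lb.act(vetted, "MailboxAdmin", "restart-service", 700.0)
    vetted.active = False  # employee leaves: access disappears automatically
    out["left_denied"] = not lb.act(vetted, "MailboxAdmin", "restart-service", 20.0)
    out["audit_entries"] = len(lb.audit)
    return out


if __name__ == "__main__":
    print(demo())
```

Two details carry the security weight: `act` is the only path to a privileged action and it re-checks the grant on every call (so expiry and deactivation take effect immediately, without a revocation step), and every branch, including denials, appends to the audit list, which is what "auditing of all operator access and actions" requires.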
Security Incident Notification
Detection
• Breach: a malicious act against the environment that results in unauthorized disclosure, or alteration and/or denial of data or service
• Declaration of Breach: initiate Breach Response procedures
Response
• Communication: Executive Reporting, Media Relations, Privacy, Customer Notification
• Remediation: Containment, Eradication, Recovery
• Closure: Post mortem, Documentation, Process Improvement
User Access
Integrated with Active Directory, Azure Active Directory and Active Directory Federation Services
• Federation: Secure SAML token based authentication
• Password Synchronization: Only a one way hash of the password will be synchronized to WAAD such that the original password cannot be reconstructed from it.
Enables additional authentication mechanisms:
• Two-Factor Authentication – including phone-based 2FA
• Client-Based Access Control based on devices/locations
• Role-Based Access Control
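The password synchronization bullet makes a specific claim: only a one-way derivation of the password crosses to the cloud directory, so the original cannot be recovered from what is stored there. The following is an added example of that pattern, not the DirSync/WAAD implementation: the on-premises side derives a salted PBKDF2 value (an assumed scheme and iteration count, not the product's), the cloud side stores only that record and verifies sign-ins by re-deriving, and the test confirms the plaintext never appears in the sync payload. User name and password are constructed.

```python
"""One-way password hash synchronisation (added example, assumed scheme)."""
import hashlib
import hmac
import json
import os

ITERATIONS = 100_000  # assumed parameter for this example, not the product's


def derive_record(password: str, salt: bytes = b"") -> dict:
    """On-premises side: produce the record that is synchronised.
    A fresh random salt is used unless one is supplied (for tests)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"alg": "pbkdf2-sha256", "iter": ITERATIONS,
            "salt": salt.hex(), "hash": digest.hex()}


def sync_payload(username: str, password: str) -> bytes:
    """What crosses the wire: user name plus derived record, never the password."""
    return json.dumps({"user": username, "record": derive_record(password)}).encode()


def verify(record: dict, attempt: str) -> bool:
    """Cloud side: re-derive from the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", attempt.encode(),
                                    bytes.fromhex(record["salt"]), record["iter"])
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


def demo() -> dict:
    pw = "correct horse battery staple"  # constructed sample password
    payload = sync_payload("alice@contoso.example", pw)  # constructed sample user
    record = json.loads(payload)["record"]
    return {
        "plaintext_in_payload": pw.encode() in payload,
        "correct_verifies": verify(record, pw),
        "wrong_rejected": verify(record, "wrong password"),
    }


if __name__ == "__main__":
    print(demo())
```

The per-user salt means two users with the same password synchronise different records, and the cloud side never needs, and never receives, anything from which the password could be read back; it can only confirm or deny a candidate.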
Security – Key Risks
Type of Risk | Protection mechanisms | Implementation
Malicious or unauthorized physical access to data center / server / disks | BitLocker implemented on servers. Facility access restrictions to servers / datacenter. | Backend control implemented in the service.
External malicious or unauthorized access to service and customer data | Zero standing access privileges; automated operations; auditing of all access and actions; network level DDOS / intrusion detection and prevention; threat management / assume breach | Backend control implemented in the service.
Gaps in software that make the data & service vulnerable | Security Development Lifecycle | Backend control implemented in the service.
Rogue administrators / employees in the service or data center | Zero standing access privileges; automated operations; auditing of all access and actions; training; background checks / screening; threat management / assume breach | Backend control implemented in the service.
Microsoft Admin credentials get compromised | Multi factor authentication; zero standing access privileges; requires Microsoft trusted computers to get onto management servers; threat management / assume breach | Backend control implemented in the service.
Encryption keys get compromised | Secure key management processes; access to key is limited or removed for people | Backend control implemented in the service.
Administrator’s computer gets compromised/lost | BitLocker on the disks of the computer; remote desktop session; different credentials; zero standing access privileges | Backend control implemented in the service.
Law authorities accessing customer data | Redirect request to customer; threat management and assume breach | Backend control implemented in the service.
Service and hence customer data becomes inaccessible due to an attack | Network level DDOS / intrusion detection and prevention | Backend control implemented in the service.
Malware | Anti Malware at host, application and transient data layers | Backend control implemented in the service.
Malfunction of software which enables unauthorized access to other user’s data in the tenant / other tenant / with no authentication | Security Development Lifecycle; configuration management | Backend control implemented in the service.
Interception of email to partners over Internet* | SMTP session to partners could be protected using opportunistic or forced TLS | Control available to customers.
Interception of client / server communication | SSL / TLS is implemented in all workloads. | Backend control implemented in the service.
Interception of communication between datacenters or between servers | Office 365 applications use SSL / TLS to secure various server-server communication. All communication is on Microsoft owned networks. | Backend control implemented in the service.
Interception or access of content in transit or at rest by other people.** | Rights Management could be applied to the content. | Control available to customers.
Interception of email in transit or rest between users within organization* | S/MIME could be implemented and applied to emails | Control available to customers.
Interception of email in transit and rest to an external user* | Office 365 Message Encryption may be applied to messages | Control available to customers.
Privacy
Privacy: Privacy by design means that we do not use your information for anything other than providing you services
No Advertising
• No advertising products out of Customer Data
• No scanning of email or documents to build analytics or mine data
Transparency
• Access to information about geographical location of data, who has access and when
• Notification to customers about changes in security, privacy and audit information
Privacy controls
• Various customer controls at admin and user level to enable or regulate sharing
• If the customer decides to leave the service, they get to take their data and delete it in the service
No Advertising
Will you use my data to build advertising products?
We do not mine your data for advertising purposes. It is our policy to not use your data for purposes other than providing you productivity services.
We design our Office 365 commercial services to be separate from our consumer services so that there is no mixing of data between the two.
Who owns the data I put in your service?
You own your data and retain the rights, title, and interest in the data you store in Office 365. You can take your data with you, whenever you want.
Learn more about data portability and how we use your data.
Transparency
How to get notified?
Microsoft notifies you of changes in data center locations and any changes to compliance.
Who accesses and what is accessed?
Core Customer Data accessed only for troubleshooting and malware prevention purposes. Core Customer Data access limited to key personnel on an exception basis.
Where is Data Stored?
Clear Data Maps and Geographic boundary information provided. ‘Ship To’ address determines Data Center Location.
At Microsoft, our strategy is to consistently set a “high bar” around privacy practices that support global standards for data handling and transfer
How Privacy of Data is Protected?
Microsoft Online Services Customer Data
Use | Usage Data | Account and Address Book Data | Customer Data (excluding Core Customer Data) | Core Customer Data
Operating and Troubleshooting the Service | Yes | Yes | Yes | Yes
Security, Spam and Malware Prevention | Yes | Yes | Yes | Yes
Improving the Purchased Service, Analytics | Yes | Yes | Yes | No
Personalization, User Profile, Promotions | No | Yes | No | No
Communications (Tips, Advice, Surveys, Promotions) | No | No/Yes | No | No
Voluntary Disclosure to Law Enforcement | No | No | No | No
Advertising | No | No | No | No
We use customer data for just what they pay us for - to maintain and provide Office 365 Service
Who has access | Usage Data | Address Book Data | Customer Data (excluding Core Customer Data*) | Core Customer Data
Operations Response Team (limited to key personnel only) | Yes. | Yes, as needed. | Yes, as needed. | Yes, by exception.
Support Organization | Yes, only as required in response to Support Inquiry. | Yes, only as required in response to Support Inquiry. | Yes, only as required in response to Support Inquiry. | No.
Engineering | Yes. | No Direct Access. May Be Transferred During Trouble-shooting. | No Direct Access. May Be Transferred During Trouble-shooting. | No.
Partners | With customer permission. See Partner for more information. | With customer permission. See Partner for more information. | With customer permission. See Partner for more information. | With customer permission. See Partner for more information.
Others in Microsoft | No. | No (Yes for Office 365 for small business Customers for marketing purposes). | No. | No.
Compliance
Compliance: Commitment to industry standards and organizational compliance
What does compliance mean to customers? What standards do we meet? What is regulatory compliance and organizational compliance?
Built-in Capabilities for Global Compliance
• Enable customers to meet global compliance standards in ISO 27001, EUMC, HIPAA, FISMA
• Contractually commit to privacy, security and handling of customer data through Data Processing Agreements
Customer controls for compliance with internal policies
• Admin Controls like Data Loss Prevention, Archiving, E-Discovery to enable organizational compliance
What customer issues does this address: Independent verification, Regulatory compliance, Peace of mind
Standards & Certifications
Standard | Region | Market
SSAE/SOC | Global | Finance
ISO 27001 | Global | Global
EUMC | Europe | Europe
FERPA | U.S. | Education
FISMA | U.S. | Government
PCI | Global | Card Data
HIPAA | U.S. | Healthcare
HITECH | U.S. | Healthcare
ITAR | U.S. | Defense
HMG IL2 | UK | Government
CJIS | U.S. | Law Enforcement
Certification logos shown: ISO, SOC, HIPAA, FedRAMP, FERPA, HMG IL2, EUMC, TC260, MLPS
How Office 365 Controls meet Compliance?
Office 365 has over 900 controls Today!
Office 365 Service | Master GRC Control Sets | Certifications
Built-in Capabilities: Physical Security, Security Best Practices, Secure Network Layer, Data Encryption
Controls: DLP, OME, S/MIME, RBAC, RMS, Account Mgmt., Incident Monitoring, Data Encryption (encryption of stored data and more…), Data Minimization & Retention, Access Control, New Cert’s and more…
Office 365 Services Audits
Approach to Compliance
• Market & Competitive Intelligence
• Compliance Management Framework
• Regulatory Impact Analysis (RSIA)
• Define Security and Privacy controls
• Determine Implementation Requirements
• Implement Controls
• Document Implementation
• Continuous Monitoring
• Independent verification (Audits)
• Remediation
• Prioritize
Responsibilities in the Services world
• Microsoft is the Data Custodian/Processor
• Customer is the Data Controller
• Customers are involved in complying with regulations
• We satisfy various requirements for security, privacy and handling of customer data; examples are DPAs with EU Model clauses, ISO, FISMA etc.
• Customers would still have to do their part for components that run on-premises: client side / desktop security and encryption standards, physical access, end user secret management
The elephant in the room…..
NSA, PRISM & Privacy
Trust and Confidence
We take privacy seriously and provide customer data only in response to specific, targeted lawful demands.
Trust that private information customers share with others or store in the cloud will remain private
Trust that governments will respect the privacy of users
Government Snooping
By default, no one has access to a customer’s data without authorization. We provide contractual guarantees concerning how access requests are handled.
We’re obligated to comply with applicable governmental laws i.e. we respond to legal demands for customer data and do not provide any government with direct and unfettered access to our customer’s data
We only pull/provide the specific data mandated by the relevant legal demand i.e. we must be served with a court order or subpoena for content or account information
We only respond to requests for specific accounts and identifiers
All requests are explicitly reviewed by the Microsoft compliance team, who ensures that the requests are valid, rejects
For more information, please see the official Microsoft blog, "Protecting customer data from government snooping"
Clearing the Air
To be clear, here’s what we do, and what we don’t do:
• We don’t provide any government with direct, unfettered access to your data.
• We don’t assist any efforts to break our encryption or provide any government with encryption keys.
• We don’t engineer back doors
• We aren’t involved in any surveillance programs
• For business and government customers we can be even more specific: Microsoft has never provided data in response to a national security order.
The volume of information Microsoft provides to the U.S. Government has been significantly exaggerated
Microsoft publishes a Law Enforcement Requests Report Every Six Months here
Any requests we receive relate to specific accounts within the enterprise and not to all of the accounts or data within a particular enterprise
Microsoft only discloses customer data when it is served with a valid legal demand, and we only comply with orders for specific accounts or identifiers
Lync Conference 2014 (#LyncConf14), Monday, February 17th to Thursday, February 20th
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.