Security in a Mobile World #MicrosoftSecure
Transcript of Security in a Mobile World #MicrosoftSecure
Comprehensive protection against threats
#MicrosoftSecure
Victor Recuero - Cloud Consultant, Security and Identity
Sergio Medina - Identity Support Engineer
Alberto López - Cloud Consultant, Security and Identity
David Marin - Windows 10 Technical Specialist
Cybersecurity Reference Architecture (slide)
Zones: Unmanaged & Mobile Clients; Managed Clients; Legacy Windows; Intranet; Extranet; On Premises Datacenter(s); Colocation; Microsoft Azure; Software as a Service; Internet of Things; Sensitive Workloads.
Identity & Access: Multi-Factor Authentication; Windows Hello for Business; AAD Identity Protection; AAD PIM; MIM PAM; Conditional Access; Certification Authority (PKI); ESAE Admin Forest; Privileged Access Workstations (PAWs); Domain Controllers.
Endpoints: Windows 10 Security (Secure Boot, Device Guard, Application Guard, Credential Guard, Windows Hello); EPP - Windows Defender; EDR - Windows Defender ATP; Mac OS; Windows Info Protection; Intune MDM/MAM; System Management + Patching (SCCM + Intune); Internet of Things (Device Health Attestation, Remote Credential Guard).
Servers and datacenter: Windows Server 2016 Security (Secure Boot, Nano Server, Just Enough Admin, Hyper-V Containers, Device Guard, Credential Guard, Remote Credential Guard, …); Shielded VMs; Enterprise Servers; VMs; VPN; Security Appliances (NGFW, IPS, DLP, SSL Proxy); DDoS attack prevention; Backup and Site Recovery.
Azure: Azure Key Vault; Azure Security Center (Security Hygiene, Threat Detection); Azure App Gateway; Network Security Groups; Azure Antimalware; Disk & Storage Encryption; SQL Encryption & Firewall; Azure Information Protection (AIP): Classify, Label, Protect, Report; Classification Labels; Hold Your Own Key (HYOK); Structured Data & 3rd party Apps.
SaaS / Office 365: Cloud App Security; Office 365 ATP (Email Gateway, Anti-malware); Office 365 DLP; Endpoint DLP; Office 365 Information Protection; Lockbox; ASM.
Security Operations Center (SOC): Logs & Analytics; Active Threat Detection; Hunting Teams; Investigation and Recovery; Incident Response; Vulnerability Management; Enterprise Threat Detection; Analytics; Managed Security Provider; OMS; ATA; SIEM; WEF SIEM Integration; UEBA.
Call-outs on the slide:
• Nearly all customer breaches that Microsoft's Incident Response team investigates involve credential theft.
• 63% of confirmed data breaches involve weak, default, or stolen passwords (Verizon 2016 DBR).
• 80%+ of employees admit using non-approved SaaS apps for work (Stratecast, December 2013).
CLOUD-POWERED PROTECTION
Identity Protection at its best
• Risk severity calculation
• Remediation recommendations
• Risk-based conditional access automatically protects against suspicious logins and compromised credentials
• Gain insights from a consolidated view of machine learning based threat detection
Machine-Learning Engine signals: leaked credentials, infected devices, configuration vulnerabilities, brute force attacks, suspicious sign-in activities.
Risk-based policies: MFA challenge for risky logins, block attacks, change bad credentials.
CLOUD-POWERED PROTECTION
Use the power of Identity Protection in PowerBI, SIEM and other monitoring tools
Apply Microsoft learnings to your existing security tools: the Microsoft machine-learning engine (leaked credentials, infected devices, configuration vulnerabilities, brute force attacks, suspicious sign-in activities) feeds notifications, data extracts/downloads and reporting APIs into your security/monitoring/reporting solutions.
CLOUD-POWERED PROTECTION
Discover, restrict, and monitor privileged identities
• Enforce on-demand, just-in-time administrative access when needed
• Provides more visibility through alerts, audit reports and access reviews
Example privileged roles: Global Administrator, Billing Administrator, Exchange Administrator, User Administrator, Password Administrator.
CLOUD-POWERED PROTECTION
How time-limited activation of privileged roles works
• MFA is enforced during the activation process
• Alerts inform administrators about out-of-band changes
• Users need to activate their privileges to perform a task
• Users retain their privileges for a pre-configured amount of time
• Security admins can discover all privileged identities, view audit reports and, via access reviews, review everyone who is eligible to activate
PRIVILEGED IDENTITY MANAGEMENT (figure): the SECURITY ADMIN configures Privileged Identity Management and monitors audit and access reports; the USER passes identity verification (MFA) to activate a role, which raises an ALERT. Admin profiles shown: Billing Admin, Global Admin, Service Admin; read-only views are also available.
CLOUD-POWERED PROTECTION
• Removes unneeded permanent admin role assignments
• Limits the time a user has admin privileges
• Ensures MFA validation prior to admin role activation
• Reduces exposure to attacks targeting admins
• Separates role administration from other tasks
• Adds roles for read-only views of reports and history
• Asks users to review and justify continued need for admin role
• Simplifies delegation
• Enables least privilege role assignments
• Alerts on users who haven't used their role assignments
• Simplifies reporting on admin activity
• Increases visibility and finer-grained control
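The time-limited activation flow and the benefits listed on the two PIM slides above (eligibility instead of permanent assignment, MFA before activation, a configured maximum duration, an audit trail, and alerts on eligible users who never activate) can be modelled in a few dozen lines. The block below is an added example written for this transcript, not Azure AD PIM's implementation; role names, durations and the in-memory audit trail are constructed to show the mechanics.

```python
"""Model of just-in-time privileged role activation: eligible assignments,
MFA-gated activation, expiry after a configured duration, an audit trail,
and a report of eligible users who never (or no longer) activate.
Added example, not Azure AD PIM; roles and durations are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Activation:
    role: str
    user: str
    activated_at: int      # unix seconds
    expires_at: int
    justification: str


@dataclass
class PrivilegedIdentityManager:
    max_duration: int                                              # seconds a role stays active
    eligible: Dict[str, Set[str]] = field(default_factory=dict)    # role -> eligible users
    active: Dict[Tuple[str, str], Activation] = field(default_factory=dict)
    last_activation: Dict[Tuple[str, str], int] = field(default_factory=dict)
    audit: List[str] = field(default_factory=list)

    def make_eligible(self, role: str, user: str) -> None:
        """Eligibility replaces a permanent assignment: it grants nothing until activated."""
        self.eligible.setdefault(role, set()).add(user)
        self.audit.append(f"eligible {role} {user}")

    def activate(self, role: str, user: str, now: int, mfa_passed: bool,
                 justification: str, duration: Optional[int] = None) -> Activation:
        """Grant the role for at most max_duration, only to eligible users who passed MFA."""
        if user not in self.eligible.get(role, set()):
            raise PermissionError(f"{user} is not eligible for {role}")
        if not mfa_passed:
            raise PermissionError("MFA is required to activate a privileged role")
        if not justification.strip():
            raise ValueError("a justification is required for activation")
        duration = min(duration or self.max_duration, self.max_duration)  # cap, never extend
        act = Activation(role, user, now, now + duration, justification)
        self.active[(role, user)] = act
        self.last_activation[(role, user)] = now
        self.audit.append(f"activate {role} {user} until {act.expires_at}: {justification}")
        return act

    def has_role(self, role: str, user: str, now: int) -> bool:
        """Permission check: an expired activation is removed and the request denied."""
        act = self.active.get((role, user))
        if act is None:
            return False
        if now >= act.expires_at:
            del self.active[(role, user)]
            self.audit.append(f"expire {role} {user} at {now}")
            return False
        return True

    def stale_eligibilities(self, now: int, max_idle: int) -> List[Tuple[str, str]]:
        """Access-review input: eligible assignments never used, or unused for max_idle seconds."""
        stale = []
        for role, users in self.eligible.items():
            for user in sorted(users):
                last = self.last_activation.get((role, user))
                if last is None or now - last > max_idle:
                    stale.append((role, user))
        return stale
```

The check in `has_role` is where the time limit actually bites: every authorization decision consults the expiry rather than trusting a flag set at activation time, so a forgotten activation cannot outlive the configured window, and the audit list records the expiry alongside the activation for reporting.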
Conditional access (figure): Conditions (user, app sensitivity, device state, location, risk) feed Actions (allow access or block access; enforce MFA per user/per app).
NOTIFICATIONS, ANALYSIS, REMEDIATION, RISK-BASED POLICIES
CLOUD APP DISCOVERY / PRIVILEGED IDENTITY MANAGEMENT / MFA / IDENTITY PROTECTION
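To make the Identity Protection and Conditional Access slides concrete: a sign-in carries a risk level from the detection engine plus its context (app sensitivity, device state, location), and a set of policies maps that to allow, require MFA, or block. The block below is an added example written for this transcript, not Azure AD's policy engine; the risk levels, policy set and sign-ins are constructed. The design point it shows is that the strictest matching action wins, so the order in which policies are listed can never weaken the outcome.

```python
"""Risk-based conditional access evaluator: ordered policies over a sign-in's
risk level and context; the strictest matching action (block > mfa > allow) wins.
Added example, not Azure AD's engine; policies and sign-ins are constructed."""
from dataclasses import dataclass
from typing import Callable, List

RISK_ORDER = {"none": 0, "low": 1, "medium": 2, "high": 3}
SEVERITY = {"allow": 0, "mfa": 1, "block": 2}


@dataclass(frozen=True)
class SignIn:
    user: str
    app_sensitivity: str        # "low" | "high"
    device_compliant: bool      # device state from MDM
    trusted_location: bool      # named/trusted network
    user_risk: str              # from the risk engine: none / low / medium / high
    leaked_credentials: bool = False


@dataclass(frozen=True)
class Policy:
    name: str
    applies: Callable[[SignIn], bool]
    action: str                 # "block" | "mfa" | "allow"


def risk_at_least(level: str) -> Callable[[SignIn], bool]:
    """Predicate factory: matches sign-ins whose risk is at or above `level`."""
    return lambda s: RISK_ORDER[s.user_risk] >= RISK_ORDER[level]


# Constructed policy set (not a real tenant's configuration).
POLICIES: List[Policy] = [
    Policy("leaked credentials: block", lambda s: s.leaked_credentials, "block"),
    Policy("high user risk: block", risk_at_least("high"), "block"),
    Policy("medium user risk: require MFA", risk_at_least("medium"), "mfa"),
    Policy("sensitive app from non-compliant device: block",
           lambda s: s.app_sensitivity == "high" and not s.device_compliant, "block"),
    Policy("untrusted location: require MFA", lambda s: not s.trusted_location, "mfa"),
]


def evaluate(sign_in: SignIn, policies: List[Policy] = POLICIES) -> dict:
    """Return the strictest action among all matching policies plus the policies that fired,
    so the decision can be logged with its reasons."""
    matched = [p for p in policies if p.applies(sign_in)]
    action = max((p.action for p in matched), key=SEVERITY.get, default="allow")
    return {"action": action, "policies": [p.name for p in matched]}
```

Returning the list of fired policies alongside the decision is what makes the "notifications, analysis, remediation" part of the slide workable: an MFA challenge or a block is only actionable for the SOC if the record says which condition produced it.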
CLOUD-POWERED PROTECTION
Microsoft Azure: IaaS, PaaS, SaaS
Key Vault offers an easy, cost-effective way to safeguard keys and other secrets used by cloud apps and services using HSMs.
(figure: import keys into the HSM-backed Key Vault, with monitoring)
• Encrypt keys and small secrets like passwords using keys stored in tightly controlled and monitored Hardware Security Modules (HSMs)
• Import or generate your keys in HSMs for added assurance: keys never leave the HSM boundary
• Comply with regulatory standards for secure key management, including the US Government FIPS 140-2 Level 2 and Common Criteria EAL 4+
• Monitor and audit key use through Azure logging; pipe logs into HDInsight or your SIEM for additional analysis
Workflow shown on the slide:
1. Creates a Key Vault in Azure
2. Adds keys / secrets to the Vault
3. Grants permission to specific application(s) to perform specific operations using keys, e.g. decrypt, unwrap
4. Enables usage logs
5. Manages keys
6. Deploys application
7. Tells application the URI of the key / secret
8. Application programmatically uses key / secret (and may abuse) but never sees the keys
9. Reviews usage logs to confirm proper key use and compliance with data security standards
10. Monitors access to keys
THE WINDOWS 10 DEFENSE STACK
Device protection
• Device Health Attestation
• Device Guard
• Device Control
• Security policies
• Device Integrity
• Cryptographic Processor
• Virtualization based Security
Information protection
• Device protection / Drive encryption: BitLocker and BitLocker to Go
• Enterprise Data Protection: Windows Information Protection
• Conditional access
Threat resistance
• SmartScreen
• AppLocker
• Device Guard
• Windows Defender AV
• Windows Firewall / Network
• Microsoft Edge
Identity protection
• Built-in 2FA: Windows Hello, Microsoft Passport
• Account lockdown: Credential Guard
VIRTUALIZATION BASED SECURITY WINDOWS 10 (figure)
Device Hardware runs the Hypervisor (Hyper-V), which isolates the Windows Operating System (Kernel, Windows Platform Services, Apps) from the System Container (its own Kernel hosting Trustlet #1, Trustlet #2, Trustlet #3).
PRE-BREACH: the Windows 10 defense stack above (device protection, information protection, threat resistance, identity protection).
POST-BREACH: Windows Defender Advanced Threat Protection (ATP): breach detection, investigation & response.
ADDING A POST-BREACH MINDSET
200+: median number of days attackers are present on a victim's network before detection
80: days after detection to full recovery
$3 Trillion: impact of lost productivity and growth
$3.5 Million: average cost of a data breach (15% YoY increase)
"THERE ARE TWO KINDS OF BIG COMPANIES, THOSE WHO'VE BEEN HACKED, AND THOSE WHO DON'T KNOW THEY'VE BEEN HACKED."
- JAMES COMEY, FBI DIRECTOR
HOW DO BREACHES OCCUR?
Malware and vulnerabilities are not the only thing to worry about
• 99.9% of exploited vulnerabilities were used more than a year after the CVE was published
• 46% of compromised systems had no malware on them
• 50% of those who open and click attachments do so within the first hour
• 23% of recipients opened phishing messages (11% clicked on attachments)
Fast and effective phishing attacks give you little time to react
WHAT MAKES IT AN ADVANCED ATTACK?
The attacker's challenge: what makes it an APT?
The attacker's "kill-chain": Recon, Delivery, Exploitation, C&C, EoP & Lateral movement, Asset Exfiltration.
Targeted attacks are often complex and lengthy operations. Much like in real-life attacks, planning, control and time are required for a successful attack to take place. While the compromise itself may take minutes, planning, lateral movement and exfiltration of data can take days, weeks or months.
Windows Defender ATP helps enterprise customers detect and remediate Advanced Attacks and data breaches
• Built into Windows 10: universal end-point behavioral sensor, built into Win10, with no additional deployment requirements
• Powered by cloud: Machine Learning analytics over the largest sensor array in the world
• Enhanced by the community of our Hunters, researchers and threat intelligence
Why Microsoft is in a unique position
• Over 1M Microsoft corporate machines: new code, new products, new files; most are local admins; hundreds of labs, malware enclaves
• 1.2 billion Windows machines reporting
• 11M Enterprise machines reporting
• 1M files detonated daily
• 2.5T URLs indexed and 600M reputation look-ups
• Advanced detection algorithms & statistical modelling
• APT hunters: OS Security, Exploit & Malware Researchers, & Threat Intelligence
Combined Microsoft Stack: maximize detection coverage throughout the attack stages
Attack stages: user receives an email; opens an attachment / clicks on a URL; user browses to a website (http://); user runs a program; Exploitation; Installation; C&C channel; Persistence; Privilege escalation; Reconnaissance; Lateral movement; Access to shared resources.
Coverage: Office 365 ATP (email protection), ATA (user protection), Windows Defender ATP (end point protection).
PIVOT - ACROSS MICROSOFT ATP SERVICES
Azure SQL Database security:
• Control Access: Database Access: Azure Active Directory Authentication (AAD); Application Access: Row-Level Security (RLS), Dynamic Data Masking
• Proactive Monitoring: Tracking & Detecting: Auditing & Threat Detection
• Protect Data: Encryption at rest: Transparent Data Encryption (TDE); Encryption in use (client): Always Encrypted (AE)
Transparent Data Encryption (TDE)
Protect data on SQL Database physical storage from unauthorized access.
✓ Server-side encryption of the data on physical disk
✓ Simple to use, zero application changes
✓ Support for all database operations (e.g. joins) on data
✓ SQL Database service manages your keys
✓ AES-NI hardware acceleration (2-3% performance impact)
(figure: SQL Database holding Customer1, Customer2, Customer3 data)
Always Encrypted (AE)
Protects the highly sensitive data in use from high-privilege SQL users. Encrypted sensitive data and corresponding keys are never seen in plaintext in SQL Server.
• Client-side encryption: client-side encryption of sensitive data using keys that are never given to the database system.
• Queries on encrypted data: support for equality comparison, incl. join, group by and distinct operators.
• Application transparency: minimal application changes via server and client library enhancements.
Azure Active Directory Authentication (AAD)
A central place to manage users across services. Status: Preview.
✓ Alternative to SQL Server authentication
✓ Simplifies database permission management using external Azure Active Directory groups
✓ Allows password rotation in a single place
Multiple authentication methods (ADO.NET 4.6, ADAL, SQL):
✓ Username/password for Azure AD managed accounts
✓ Integrated Windows authentication, for federated domains that authenticate via Azure AD
✓ Certificate-based authentication, when the certificate is registered with Azure Active Directory
Dynamic Data Masking
Limit the exposure of sensitive data by obfuscating query results for app users and engineers (figure: APP users, Dev users).
• Limit access to sensitive data: protects against unauthorized access to sensitive data in the application, using built-in or custom masking rules. Privileged users can still see unmasked data.
• Application transparency: data is masked on-the-fly; the underlying data in the database remains intact. Transparent to the application and applied according to user privilege.
Row-Level Security (RLS)
Centralize your row access logic within the database.
• Fine-grained access control: control both read- and write-access to specific rows of data in a shared database. Flexible access criteria (user identity, role/group memberships, connection data, time of day, etc.).
• Application transparency: RLS works transparently at query time, no app changes needed. Reduces application maintenance and code complexity.
Azure DB Auditing
Gain insight into database events and streamline compliance-related tasks.
✓ Configurable audit policy via the Azure portal and standard API
✓ Audit logs reside in your Azure Storage account
✓ Azure portal viewer and Excel templates for analysis of audit log
(figure: audit log written to Azure Storage)
SQL Threat Detection
Detects suspicious database activities indicating possible malicious intent to access, breach or exploit data in the database. Status: Preview.
✓ Configurable threat detection policy via the Azure portal and standard API
✓ Multiple sets of algorithms, which detect potential SQL injections and unusual behavior patterns
✓ Immediate notification upon suspicious activity detection
✓ Investigate and mitigate threats using the Azure portal
(figure: SQL Database accessed by a Web App, with an external attacker and a malicious insider as threat sources)
What is Multi-Factor Authentication?
The use of two or more of the following factors:
It's stronger when two different channels are used (out-of-band authentication).
What is Azure Multi-Factor Authentication?
It is an Azure Identity and Access management service that prevents unauthorized access to on-premises and cloud applications by providing an additional level of authentication.
It is trusted by thousands of enterprises to authenticate employee, customer, and partner access.
Verification methods:
• Phone Call: call placed to designated phone number (wireless or landline); simple acknowledgement (#) or special PIN
• Text Message: SMS message; one-way or two-way acknowledgement
• Mobile App: notification is delivered to the mobile app, with simple acknowledgement (#) or special PIN; or a verification code using software OATH Time-based One-Time Password (TOTP). Multi-platform: iOS, Android, Windows Phone
• OATH TOTP Hard Tokens (MFA Server only): OTP generated using an algorithm based on a shared secret and the current time
▪ https://azure.microsoft.com/en-us/documentation/services/multi-factor-authentication/
▪ https://azure.microsoft.com/en-us/documentation/articles/multi-factor-authentication-get-started-server/
▪ https://azure.microsoft.com/en-us/documentation/articles/multi-factor-authentication-advanced-vpn-configurations/
Microsoft Advanced Threat Analytics brings the behavioral analytics concept to IT and the organization's users.
• Behavioral Analytics
• Advanced Threat Detection: detection of advanced attacks and security risks
An on-premises platform to identify advanced security attacks and insider threats before they cause damage.
• Detect threats fast with Behavioral Analytics
• Adapt as fast as your enemies
• Focus on what is important fast using the simple attack timeline
• Reduce the fatigue of false positives
• Prioritize and plan for next steps
How Microsoft Advanced Threat Analytics Works (4/12/2017)
1. Analyze. After installation:
• Simple nonintrusive port-mirroring, or deployed directly onto domain controllers
• Remains invisible to the attackers
• Analyzes all Active Directory network traffic
• Collects relevant events from SIEM and information from Active Directory (titles, group membership and more)
2. Learn. ATA:
• Automatically starts learning and profiling entity behavior
• Identifies normal behavior for entities
• Learns continuously to update the activities of the users, devices, and resources
What is an entity? An entity represents users, devices, or resources.
3. Detect. Microsoft Advanced Threat Analytics:
• Looks for abnormal behavior and identifies suspicious activities
• Only alerts if abnormal activities are contextually aggregated
• Uses world-class security research to detect known attacks and security issues (regional or global)
ATA not only compares the entity's behavior to its own, but also to the behavior of other entities in the environment.
4. Alert. ATA reports all suspicious activities on a simple, functional, usable attack timeline. ATA identifies who, what, when and how. For each suspicious activity, ATA provides recommendations for the investigation and remediation.
ATA detects a wide range of suspicious activities across the stages Reconnaissance, Compromised Credential, Lateral Movement, Privilege Escalation and Domain Dominance:
• Abnormal resource access
• Account enumeration
• Net Session enumeration
• DNS enumeration
• Abnormal working hours
• Brute force using NTLM, Kerberos or LDAP
• Sensitive accounts exposed in plain text authentication
• Service accounts exposed in plain text authentication
• Honey Token account suspicious activities
• Unusual protocol implementation
• Malicious Data Protection Private Information (DPAPI) Request
• Abnormal authentication requests
• Pass-the-Ticket
• Pass-the-Hash
• Overpass-the-Hash
• MS14-068 exploit (Forged PAC)
• MS11-013 exploit (Silver PAC)
• Skeleton key malware
• Golden ticket
• Remote execution
• Malicious replication requests
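Two of the detections in the list above, brute force against an account and account enumeration, are simple enough to express as detection logic over authentication events. The block below is an added example written for this transcript, not ATA's engine: it runs offline over a constructed set of logon events, uses sliding time windows so each event is examined once, and emits one alert per offending source so a noisy attacker does not flood the timeline. Thresholds, host names and account names are constructed.

```python
"""Brute-force and account-enumeration detection over constructed logon events.
Added example, not ATA; events, hosts, accounts and thresholds are constructed."""
from collections import defaultdict, deque
from typing import List, Tuple

# Constructed sample events: (unix_time, source_host, account, result)
EVENTS: List[Tuple[int, str, str, str]] = [
    (1000, "ws01", "alice", "success"),
    *[(1000 + i, "ws07", "svc_backup", "failure") for i in range(12)],     # 12 failures in 12 s
    *[(2000 + i, "ws07", f"user{i:02d}", "failure") for i in range(25)],   # 25 distinct accounts
    (1100, "ws03", "bob", "failure"),
    (1101, "ws03", "bob", "success"),                                      # typo then success
    (5000, "ws09", "carol", "failure"),
    (5600, "ws09", "carol", "failure"),                                    # too slow to matter
]


def detect_brute_force(events, max_failures: int = 10, window: int = 60) -> List[dict]:
    """Flag (source, account) pairs with more than max_failures failed logons in `window` seconds.
    Events are processed in time order; a deque per pair holds only timestamps inside the window."""
    alerts, windows, flagged = [], defaultdict(deque), set()
    for ts, src, account, result in sorted(events):
        if result != "failure":
            continue
        q = windows[(src, account)]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > max_failures and (src, account) not in flagged:
            flagged.add((src, account))                   # one alert per offending pair
            alerts.append({"type": "brute_force", "source": src, "account": account,
                           "failures": len(q), "first": q[0], "last": ts})
    return alerts


def detect_account_enumeration(events, min_accounts: int = 20, window: int = 300) -> List[dict]:
    """Flag sources that fail against at least min_accounts distinct accounts in `window` seconds;
    many different account names from one host is the signature of guessing valid names."""
    alerts, per_source, flagged = [], defaultdict(deque), set()
    for ts, src, account, result in sorted(events):
        if result != "failure":
            continue
        q = per_source[src]
        q.append((ts, account))
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = {a for _, a in q}
        if len(distinct) >= min_accounts and src not in flagged:
            flagged.add(src)
            alerts.append({"type": "account_enumeration", "source": src,
                           "accounts": len(distinct), "first": q[0][0], "last": ts})
    return alerts


def run_detections(events=EVENTS) -> List[dict]:
    """Run both detectors and return the combined alert list."""
    return detect_brute_force(events) + detect_account_enumeration(events)


if __name__ == "__main__":
    for alert in run_detections():
        print(alert)
```

The sample deliberately includes a user who mistypes a password once and a host that fails twice ten minutes apart; neither crosses a threshold, which is the "reduce the fatigue of false positives" property the ATA slides call for. Tuning `max_failures`, `min_accounts` and the windows against real baselines is the part of the work ATA's learning phase automates.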
Enable security at cloud speed: gain visibility and control, detect cyber attacks, integrate partner solutions.
Gain visibility and control
• Provides a unified view of security across all your Azure subscriptions, including vulnerabilities and threats detected
• Enables you to define security policies for hardening cloud configurations
• APIs, SIEM connector and Power BI dashboards make it easy to access, integrate, and analyze security information using existing tools and processes
• Continuously assesses the security of your workloads even as they change
• Creates policy-driven recommendations and guides users through the process of remediating security vulnerabilities
• Enables rapid deployment of built-in security controls as well as products and services from security partners (firewalls, endpoint protection, and more)
(figure, Preview: Log Analytics / SIEM fed by the Standard Log Connector (ArcSight, Splunk, etc.), REST APIs (Activity Logs, Security Center Alerts, AAD Logs), Azure Monitor Event Hub (Service Diagnostics: NSG, Key Vault), Azure Log Integration and the Azure Monitor Service (VM Diagnostics))
Integrate partner solutions
• Recommends and streamlines provisioning of partner solutions
• Integrates signals for centralized alerting and advanced detection
• Enables monitoring and basic management with easy access to advanced configuration using the partner solution
• Leverages Azure Marketplace for commerce and billing
Detect cyber attacks
• Analyzes security data from your Azure virtual machines, Azure services (like Azure SQL databases), the network, and connected partner solutions
• Leverages security intelligence and advanced analytics to detect threats more quickly and reduce false positives
• Creates prioritized security alerts and incidents that provide insight into the attack and recommendations on how to remediate