Securing Privileged Access from Active Attacks

Presentation transcript:

Securing Privileged Access from Active Attacks
Microsoft 2016, session BRK2145
Mark Simos, Enterprise Cybersecurity Group
Ryan Puffer, Windows Server & Services
© 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Cybersecurity Reference Architecture (DRAFT)

Key figures quoted on the slide:
- 80%+ of employees admit using non-approved SaaS apps for work (Stratecast, December 2013)
- Nearly all customer breaches Microsoft's Incident Response team investigates involve credential theft
- 63% of confirmed data breaches involve weak, default, or stolen passwords (Verizon 2016 DBR)

Components shown on the diagram, grouped by zone:
- Software as a Service: Office 365, Office 365 ATP, Email Gateway, Anti-malware, Lockbox, Cloud App Security
- Security Operations Center (SOC): ASM, Vulnerability Management, Incident Response, Investigation and Recovery, Logs & Analytics, Active Threat Detection, Managed Security Provider, UEBA, ATA, Enterprise Threat Detection, Hunting Teams, SIEM, SIEM Integration, Analytics & Reporting, OMS
- Identity & Access: Azure Active Directory, Conditional Access, Multi-Factor Authentication, AAD PIM, Hello for Business, MIM PAM, Active Directory, Admin Forest, Domain Controllers, Certification Authority (PKI)
- Information Protection: Azure Information Protection (AIP) with Classification, Labelling, Encryption, Rights Management, Document Tracking, Reporting; DLP; Endpoint DLP; Windows Information Protection; SQL Encryption & Firewall
- Unmanaged & Mobile Clients and Internet of Things: Intune MDM/MAM, IoT
- Extranet and network edge: Express Route, Security Appliances, NGFW, SSL Proxy, IPS, VPN, Azure App Gateway, Network Security Groups
- Microsoft Azure (IaaS/Hoster): Azure Security Center (Security Hygiene, Threat Detection), Azure Key Vault, Azure Antimalware, Shielded VMs, Sensitive Workloads, VMs
- On Premises Datacenter(s), Intranet and Enterprise Servers: Windows Server 2016 Security (Secure Boot, Nano Server, Just Enough Admin, Device Guard, Credential Guard, Remote Credential Guard, Hyper-V Containers, …), Privileged Access Workstations
- Managed Clients: Legacy Windows, Windows 10, Mac OS; Windows 10 Security (Secure Boot, Device Guard, Credential Guard, Remote Credential Guard, Windows Hello, Disk & Storage Encryption); WEF; EDR - Windows Defender ATP; EPP - Windows Defender
- System Management + Patching: SCCM + Intune

Secure Modern Enterprise
A secure modern enterprise is resilient to threats, aligned to business objectives and the current threat environment.
- Identity: Embraces identity as primary security perimeter and protects identity systems, admins, and credentials as top priorities
- Apps and Data: Aligns security investments with business priorities including identifying and securing communications, data, and applications
- Infrastructure: Operates on modern platform and uses cloud intelligence to detect and remediate both vulnerabilities and attacks
- Devices: Accesses assets from trusted devices with hardware security assurances, great user experience, and advanced threat detection
- Secure Platform (secure by design)

Identity Pillar
Identity: Embraces identity as primary security perimeter and protects identity systems, admins, and credentials as top priorities
Major Identity Challenges:
- Identity system security is critical to all security assurances
- Attackers are actively targeting privileged access and identity systems
- Identity attacks like credential theft are difficult to detect and investigate
- Identity systems are complex and challenging to protect
- Individual accounts have large attack surface across devices and systems
Securing Privileged Access | Securing Identities

The Modern Enterprise (Microsoft Ignite 2015)
Assets and environments in scope: Azure Active Directory, Rights Management Services, Key Management Services, PaaS, IaaS, Office 365, 3rd Party IaaS, Microsoft Azure, Admin Environment, 3rd Party SaaS, High Value Assets, Customer and Partner Access, On-Premises Datacenters, Branch Office, Intranet and Remote PCs, Mobile Devices

Identity is the new security “perimeter”
Active Directory and Administrators control all the assets (Active Directory, Azure Active Directory)

Identity is the new security “perimeter” under attack
Active Directory and Administrators control all the assets (Active Directory, Azure Active Directory)
Entry point: Browsing
Attackers can: steal any data, encrypt any data, modify documents, impersonate users, disrupt business operations
One small mistake can lead to attacker control

Phase 1 Critical Mitigations: Typical Attack Chain
Tiers: Tier 0 - Domain & Enterprise Admins, Directory Database(s), Domain Controllers; Tier 1 - Server Admins; Tier 2 - Workstation & Device Admins
1. Beachhead (Phishing Attack, etc.)
2. Lateral Movement: steal credentials, compromise more hosts & credentials
3. Privilege Escalation: get Domain Admin credentials (compromises privileged access, typically within 24-48 hours)
4. Execute Attacker Mission: steal data, destroy systems, etc.
5. Persist Presence

Phase 1 Critical Mitigations: Credential Theft Demonstration
Lab: Domain.Local (DC, DomainAdmin, Client), Attack Operator
http://aka.ms/credtheftdemo

Making and Measuring Progress against Risk
Securing Privileged Access: Three Stage Roadmap (2-4 weeks, 1-3 months, 6+ months) http://aka.ms/privsec
Attack -> Defense:
- Credential Theft & Abuse -> Prevent Escalation; Prevent Lateral Traversal; Increase Privilege Usage Visibility
- Domain Controller (DC) Host Attacks -> Harden Configuration; Reduce Agent Attack Surface
- AD Attacks -> Assign Least Privilege
- Attacker Stealth -> Detect Attacks

Protecting Active Directory and Admin privileges
Stage 1 (2-4 weeks): First response to the most frequently used attack techniques (Active Directory, Azure Active Directory)
1. Separate Admin account for admin tasks
2. Privileged Access Workstations (PAWs), Phase 1 - Active Directory admins http://Aka.ms/CyberPAW
3. Unique Local Admin Passwords for Workstations http://Aka.ms/LAPS
4. Unique Local Admin Passwords for Servers http://Aka.ms/LAPS
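Items 3 and 4 above rely on LAPS randomizing each local Administrator password and storing it in AD; the security value comes from who is allowed to read those passwords. The following is an added example (not part of the presentation) using the legacy LAPS AdmPwd.PS module, delegating read/reset rights per tier and then auditing who can read them; OU paths and group names are assumptions, and the client-side GPO that enables password rotation is configured separately.

```powershell
# Added example, not from the presentation: tier-aligned LAPS delegation with the
# legacy AdmPwd.PS module (http://Aka.ms/LAPS). OU paths and groups are assumptions.
Import-Module AdmPwd.PS

# One-time schema extension (adds ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime).
Update-AdmPwdADSchema

$workstationOU = 'OU=Workstations,DC=domain,DC=local'   # assumed OU
$serverOU      = 'OU=Servers,DC=domain,DC=local'        # assumed OU
$tier2Admins   = 'DOMAIN\Tier2-WorkstationAdmins'       # assumed group
$tier1Admins   = 'DOMAIN\Tier1-ServerAdmins'            # assumed group

# Let each computer write its own randomized password and expiry back to AD.
Set-AdmPwdComputerSelfPermission -OrgUnit $workstationOU
Set-AdmPwdComputerSelfPermission -OrgUnit $serverOU

# Tier 2 may read/reset workstation passwords only; Tier 1 may read/reset server
# passwords only. A workstation admin therefore never holds a server credential.
Set-AdmPwdReadPasswordPermission  -OrgUnit $workstationOU -AllowedPrincipals $tier2Admins
Set-AdmPwdResetPasswordPermission -OrgUnit $workstationOU -AllowedPrincipals $tier2Admins
Set-AdmPwdReadPasswordPermission  -OrgUnit $serverOU      -AllowedPrincipals $tier1Admins
Set-AdmPwdResetPasswordPermission -OrgUnit $serverOU      -AllowedPrincipals $tier1Admins

# Audit step: "All extended rights" on an OU implicitly grants read access to the
# confidential password attribute, so list every holder and flag the unexpected ones.
function Test-LapsDelegation {
    param(
        [Parameter(Mandatory)] [string]   $OrgUnit,
        [Parameter(Mandatory)] [string[]] $ExpectedPrincipals
    )
    $holders = Find-AdmPwdExtendedRights -Identity $OrgUnit |
        Select-Object -ExpandProperty ExtendedRightHolders
    foreach ($holder in $holders) {
        if ($ExpectedPrincipals -notcontains $holder) {
            [pscustomobject]@{ OrgUnit = $OrgUnit; UnexpectedHolder = $holder }
        }
    }
}

# Domain Admins and SYSTEM legitimately appear; anything else should be removed.
Test-LapsDelegation -OrgUnit $workstationOU -ExpectedPrincipals $tier2Admins, 'DOMAIN\Domain Admins', 'NT AUTHORITY\SYSTEM'
Test-LapsDelegation -OrgUnit $serverOU      -ExpectedPrincipals $tier1Admins, 'DOMAIN\Domain Admins', 'NT AUTHORITY\SYSTEM'
```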

First response to the most frequently used attack techniques
Stage 1 (2-4 weeks) of the roadmap (2-4 weeks, 1-3 months, 6+ months); the Top Priority Mitigations are the "Credential Theft & Abuse" row.
Attack -> Defense:
- Credential Theft & Abuse -> Prevent Escalation; Prevent Lateral Traversal; Increase Privilege Usage Visibility (Top Priority Mitigations)
- DC Host Attacks -> Harden DC configuration; Reduce DC Agent attack surface
- AD Attacks -> Assign Least Privilege
- Attacker Stealth -> Detect Attacks

Protecting Active Directory and Admin privileges
Stage 2 (1-3 months): Build visibility and control of administrator activity, increase protection against typical follow-up attacks (Active Directory, Azure Active Directory)
1. Privileged Access Workstations (PAWs), Phases 2 and 3 - All Admins and additional hardening (Credential Guard, RDP Restricted Admin, etc.) http://aka.ms/CyberPAW
2. Time-bound privileges (no permanent admins) http://aka.ms/PAM http://aka.ms/AzurePIM
3. Multi-factor for elevation
4. Just Enough Admin (JEA) for DC Maintenance http://aka.ms/JEA
5. Lower attack surface of Domain and DCs http://aka.ms/HardenAD
6. Attack Detection http://aka.ms/ata

Build visibility and control of admin activity
Stage 2 (1-3 months) of the roadmap (2-4 weeks, 1-3 months, 6+ months)
Attack -> Defense:
- Credential Theft & Abuse -> Prevent Escalation; Prevent Lateral Traversal; Increase Privilege Usage Visibility
- DC Host Attacks -> Harden DC configuration; Reduce DC Agent attack surface
- AD Attacks -> Assign Least Privilege
- Attacker Stealth -> Detect Attacks

Protecting Active Directory and Admin privileges
Stage 3 (6+ months): Move to proactive security posture (Active Directory, Azure Active Directory)
1. Modernize Roles and Delegation Model
2. Smartcard or Passport Authentication for all admins http://aka.ms/Passport
3. Admin Forest for Active Directory administrators http://aka.ms/ESAE
4. Code Integrity Policy for DCs (Server 2016)
5. Shielded VMs for virtual DCs (Server 2016 Hyper-V Fabric) http://aka.ms/shieldedvms

Move to proactive security posture
Stage 3 (6+ months) of the roadmap (2-4 weeks, 1-3 months, 6+ months)
Attack -> Defense:
- Credential Theft & Abuse -> Prevent Escalation; Prevent Lateral Traversal; Increase Privilege Usage Visibility
- DC Host Attacks -> Harden DC configuration; Reduce DC Agent attack surface
- AD Attacks -> Assign Least Privilege
- Attacker Stealth -> Detect Attacks

Demo time! Just Enough & Just In Time Administration
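The Stage 2 item "Just Enough Admin (JEA) for DC Maintenance" and the demo above are about giving operators a constrained endpoint instead of Domain Admin rights. What follows is an added example (not the presenters' demo code): a JEA role capability and session configuration for routine DC maintenance; the module name, role, group, allowed cmdlets and transcript path are assumptions.

```powershell
# Added example, not from the presentation: a JEA endpoint for DC maintenance (http://aka.ms/JEA).
# Module name, role, group, cmdlet set and paths are assumptions. Run on the DC as an administrator.
$modulePath = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\DCMaintenance'
$rcPath     = Join-Path $modulePath 'RoleCapabilities'   # JEA discovers .psrc files here
New-Item -Path $rcPath -ItemType Directory -Force | Out-Null
New-ModuleManifest -Path (Join-Path $modulePath 'DCMaintenance.psd1')

# Role capability: only the cmdlets the task needs, with parameters pinned down.
# No Invoke-Expression, no Import-Module, no credential or script-block capable cmdlets.
New-PSRoleCapabilityFile -Path (Join-Path $rcPath 'DCMaintenance.psrc') `
    -VisibleCmdlets @(
        'Get-Service',
        @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'DNS', 'Netlogon', 'W32Time' } },
        @{ Name = 'Get-EventLog';    Parameters = @{ Name = 'LogName'; ValidateSet = 'System', 'Directory Service' } },
        'Get-ADReplicationFailure',
        'Get-ADReplicationPartnerMetadata'
    ) `
    -VisibleExternalCommands 'C:\Windows\System32\repadmin.exe' `
    -FunctionDefinitions @{
        Name        = 'Get-DCHealth'
        ScriptBlock = {
            # Assumed helper: a read-only summary an operator can run without any extra rights.
            [pscustomobject]@{
                Services    = Get-Service -Name DNS, Netlogon, W32Time, NTDS | Select-Object Name, Status
                ReplFailure = Get-ADReplicationFailure -Target $env:COMPUTERNAME
            }
        }
    } `
    -VisibleFunctions 'Get-DCHealth'

# Session configuration: restricted server mode, virtual account, full transcripts.
# Caveat: on a domain controller the virtual account is a member of Domain Admins,
# so the role capability above is the only boundary; keep the visible set minimal.
$psscPath = Join-Path $modulePath 'DCMaintenance.pssc'
New-PSSessionConfigurationFile -Path $psscPath `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JEATranscripts' `
    -RoleDefinitions @{ 'DOMAIN\Tier0-DCOperators' = @{ RoleCapabilities = 'DCMaintenance' } }

# Validate before registering; a malformed file would otherwise register silently.
if (-not (Test-PSSessionConfigurationFile -Path $psscPath)) {
    throw "Session configuration file failed validation: $psscPath"
}
Register-PSSessionConfiguration -Name 'DCMaintenance' -Path $psscPath -Force | Out-Null

# Operator usage from a PAW:
#   Enter-PSSession -ComputerName DC01 -ConfigurationName DCMaintenance
#   Get-Command    # shows only the cmdlets and function exposed above
```

Session transcripts in the TranscriptDirectory are the "privilege usage visibility" the roadmap asks for; forward that directory to the SIEM. Time-bound membership in the operator group (the JIT half of the demo) is handled by MIM PAM or Azure PIM, not by JEA itself.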

Secure Modern Enterprise: The Microsoft Cybersecurity Services approach

Secure Modern Enterprise: Getting started
Phase 1: Build the Security Foundation (Critical Attack Defenses). Start the journey by getting in front of current attacks:
- Critical Mitigations: Critical attack protections
- Attack Detection: Hunt for hidden persistent adversaries and implement critical attack detection
- Roadmap and planning: Share Microsoft insight on current attacks and strategies, build a tailored roadmap to defend your organization’s business value and mission
Phase 2: Secure the Pillars. Continue building a secure modern enterprise by adopting leading edge technology and approaches:
- Threat Detection: Integrate leading edge intelligence and Managed detection and response (MDR) capabilities
- Privileged Access: Continue reducing risk to business critical identities and assets
- Cloud Security Risk: Chart a secure path into a cloud-enabled enterprise
- SaaS / Shadow IT Risk: Discover, protect, and monitor your critical data in the cloud
- Device & Datacenter Security: Hardware protections for Devices, Credentials, Servers, and Applications
- App/Dev Security: Secure your development practices and digital transformation components
Pillars: Identity, Apps and Data, Infrastructure, Devices; Secure Platform (secure by design)

Phase 1 Critical Mitigations
- Organizational Preparation: Education, Strategy & Integration (Strategic Roadmap, Technical Education)
- Restrict Privilege Escalation: Privileged Access Workstations, Assess AD Security (Tier 0: Domain & Enterprise Admins, Directory Database(s), Domain Controllers)
- Restrict Lateral Movement: Random Local Password (Tier 1: Server Admins; Tier 2: Workstation & Device Admins)
- Attack Detection: Advanced Threat Analytics (ATA), Hunt for Adversaries

Secure Modern Enterprise Security Foundation: RECOMMENDED FOR EVERY ENTERPRISE ORGANIZATION
Microsoft is committed to mitigating security threats. Microsoft is bringing the power of cloud to securing your assets.
Industry Leading Technology (On-premises) | Integrated Intelligence (In the cloud)
Critical security assurances | Cloud-powered Threat Detection | Major Incident Management

Let’s hear from you! Where are you on the road to secure modern enterprise? Are you using…
- Dedicated Privileged Access Workstation (PAW) for IT administrators?
- Advanced Threat Analytics (ATA) or 3rd party UEBA solution?
- Local Administrator Password Solution (LAPS) Tool or 3rd party PAM solution for All Servers? All Workstations?

Free IT Pro resources to advance your career in cloud technology (Microsoft Ignite 2016)
- Plan your career path: Microsoft IT Pro Career Center www.microsoft.com/itprocareercenter (cloud role mapping, expert advice on skills needed, self-paced curriculum by cloud role)
- Get started with Azure: Microsoft IT Pro Cloud Essentials www.microsoft.com/itprocloudessentials ($300 Azure credits and extended trials, Pluralsight 3 month subscription (10 courses), phone support incident)
- Demos and how-to videos: Microsoft Mechanics www.microsoft.com/mechanics (weekly short videos and insights from Microsoft’s leaders and engineers)
- Connect with peers and experts: Microsoft Tech Community https://techcommunity.microsoft.com (connect with community of peers and Microsoft experts)

Please evaluate this session. Your feedback is important to us!
- From your PC or Tablet visit MyIgnite at http://myignite.microsoft.com
- From your phone download and use the Ignite Mobile App by scanning the QR code on the slide or visiting https://aka.ms/ignite.mobileapp
