Beyond the Fortress Network
David C. Broussard, Principal Consultant
@dbroussa
Blogs.catapultsystems.com/dbroussard

Who am I?
- Principal Consultant and O365 Evangelist
- Been in IT since 1990, SharePoint since 2003, and Catapult since 2007
The Fortress Network
- Deny access to data
- Build defense in depth to prevent malicious access
- Control access through highly secured gateways
- Once inside, you are free to move about the fortress and manipulate data with substantially less security
- Hard to get into for normal users
- Focused on access to data as opposed to securing the data itself
- Deny malicious users access to data except from inside our secure network
- The cloud is seen as insecure primarily because we (IT) can no longer restrict access to the information. Or can we?
- However, even the Fortress Network didn't work completely. What about email? Didn't we lose control of that document once we hit send?
Security in the old mindset
- More layers is better (firewalls, network segments, VPNs, etc.): defense in depth
- Inside the network, the "trusted professional" concept is used
- Security is more important than users' ability to accomplish their jobs
- Build high walls around our data: firewalls, network segments, VPNs, NTFS permissions
- Build deep defense in depth: DMZs, detonation chambers, pre-scanning of incoming requests (honey traps, URL scans), malware protection, malicious link detection, spam and virus software on desktops and servers
- Interior security was much less strenuous: virus scans, malware protection
- But the assumption was that if you had access, you could do anything
What are we concerned about again?
- Prevent data from leaving our organization
- Prevent our systems from being compromised so that our team can work
- What about our employees getting their jobs done?
- What about not making their jobs harder?

We're concerned about these: (9/17/2018 4:38 AM)
- People are busy; getting their job done is top-of-mind
- There is one person in every organization who will click on anything
© 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Did it work?
- ~70-80% of data breaches happened from inside of the network
- How does this happen? We built a fortress for our data.
- Two types of breaches: malicious external actor, malicious internal actor

Bad EXTERNAL actor
Requirements:
- Have something of value that someone else wants
- Bad actor outside of your org
- Ability to get to your data
- Ability to appear to be someone who can get to your data
- Ability to trick an employee into giving them access to your data
Result:
- Plethora of data breaches, not because of bad network security, but because an employee gave up their identity or access
Story Time: Hollywood celebrities photo hack
Requirements:
- Something of value (private photos)
- Bad actor (duh)
- Data stored in cloud (Azure & AWS); cloud security blocks bad actor access
- Ability to pretend to be the employee (Apple iCloud doesn't stop allowing password guesses after repeated attempts)
Result:
- Lots of celebrities have leaked photos
- Apple fixes iCloud vulnerability

Story Time 2: Sony data breach
Requirements:
- Something of value (movies, internal communications, etc.)
- External bad actor (duh)
- Data stored in hybrid environment (fortress blocks)
- Ability to access data (strong authentication prevents)
- Ability to trick an employee into allowing access (malware/phishing attack)
Result:
- Bad actors exfiltrate hundreds of TB of data without anyone knowing
- Eventually blackmail Sony about The Interview
- Exposes internal conduct of Sony that they would have preferred to keep internal (salaries, comments about talent, etc.)
Malicious INTERNAL actor
Requirements:
- Have something of value that someone else wants
- Bad actor inside of your org
- Ability to get to your data (they need it to do their job)
- Ability to get data outside of the org (also known as Internet access, thumb drives, email, and physical access to the network)
Result:
- Data walks out of the organization, usually without your knowledge
- Sometimes audits will show where it came from, but the damage is done

Story Time 3: The upset employee
Requirements:
- Something of value (list of executive pay over time; company announces reduction in employee pay but not for executives)
- Bad actor (oh yeah)
- Ability to get to data (at least one employee with access to the spreadsheet)
- Ability to exfiltrate (email to local newspaper)
Result:
- Company looks bad to employees and community

Story Time 4: The enterprising Account Exec
Requirements:
- Something of value (list of customers, contracts, terms, dates)
- Bad actor (duh)
- Has access to CRM/ERP and can pull all data and export to Excel
- Emails workbook to self
- Leaves to work for competitor
Result:
- Loss of market share
- Loss of customer confidence
Core questions about security
- Do we know who is accessing our data?
- Can we grant access in real time, based on risk?
- Can we protect our data even when it's NOT in our network?
- What tools do we have to find and react to a breach?
- Do our users love their security experience?

Microsoft security pillars
- Identity & access management: protect users' identities & control access to valuable resources based on user risk level (Azure Active Directory, Conditional Access, Windows Hello, Windows Credential Guard)
- Threat protection: protect against advanced threats and recover quickly when attacked (Advanced Threat Analytics, Windows Defender Advanced Threat Protection, Office 365 Advanced Threat Protection, Office 365 Threat Intelligence)
- Information protection: ensure documents and emails are seen only by authorized people (Azure Information Protection, Office 365 Data Loss Prevention, Windows Information Protection, Microsoft Cloud App Security, Office 365 Advanced Security Mgmt., Microsoft Intune)
- Security management: gain visibility and control over security tools (Azure Security Center, Office 365 Security Center, Windows Defender Security Center)
Attack chain (diagram): DELIVERY -> EXPLOITATION -> COMMAND AND CONTROL -> ACTIONS ON OBJECTIVE
1. Phishing: threat actor targets employees via phishing campaign
2A. Malware: Employee A opens infected email on workstation
2B. Malware: Employee B opens infected email using mobile device
2. Compromised credential: credentials harvested after employee attempts login to bogus site
3. Password/hash dumping: threat actor gathers credentials on compromised machine
3. Control evasion: infected phone disables antivirus, and compromised credentials are used to access email service
3. Compromised credentials used to access service
4. Threat actors move laterally within network using compromised credentials
5. PII leak / exfiltrate data: threat actors use compromised devices/accounts to exfiltrate PII
Timeline markers on the diagram: 48 hours; 200+ days
Mobile Device Management
- Intune: basic version is part of O365, extended version is part of EM-S
- Allows admins to register devices, remote wipe, set policies, control leakage
- Works on iOS, Android, Windows, MacOS (in preview)

Risk Based Access
- Use Azure AD (Premium) to control access to your resources
- Use Multi-Factor Authentication to ensure that the user is who they say they are
- EM-S allows for risk assessments of logins and automatic MFA or denial based on risk, location, application
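To make the "automatic MFA or denial based on risk, location, application" idea concrete, here is an added example (not Azure AD Identity Protection's algorithm, and not code from the deck) that scores a sign-in from constructed signals, including an impossible-travel check against the previous sign-in location, and maps the score to an allow / require MFA / deny decision. Signal weights, thresholds, and the app names are assumptions.

```python
from dataclasses import dataclass
from math import radians, sin, cos, asin, sqrt

# Constructed example: risk-based access decision. Weights and thresholds are
# illustrative assumptions, not Microsoft's actual risk model.

@dataclass
class SignIn:
    user: str
    app: str
    lat: float                 # location of this sign-in
    lon: float
    minutes_since_last: float  # time since the previous successful sign-in
    last_lat: float            # location of that previous sign-in
    last_lon: float
    known_device: bool         # device registered/compliant in MDM
    leaked_credential: bool    # credential seen in a breach dump

SENSITIVE_APPS = {"crm", "hr-payroll"}  # assumed app names that always need MFA
MAX_PLAUSIBLE_KMH = 1000.0              # faster than an airliner => impossible travel

def distance_km(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance between two coordinates, in km."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def impossible_travel(s: SignIn) -> bool:
    """True if reaching this location from the last one would need implausible speed."""
    km = distance_km(s.lat, s.lon, s.last_lat, s.last_lon)
    hours = max(s.minutes_since_last, 1.0) / 60.0  # floor at 1 minute, avoid division by zero
    return km / hours > MAX_PLAUSIBLE_KMH

def risk_score(s: SignIn) -> int:
    score = 0
    if s.leaked_credential:
        score += 60   # account itself is at risk, regardless of where the login came from
    if impossible_travel(s):
        score += 40   # location signal
    if not s.known_device:
        score += 20   # unmanaged device
    return score

def access_decision(s: SignIn) -> str:
    """Conditional-access style outcome: 'allow', 'require_mfa' or 'deny'."""
    score = risk_score(s)
    if score >= 60:
        return "deny"
    if score >= 20 or s.app in SENSITIVE_APPS:
        return "require_mfa"  # application signal: sensitive apps always step up
    return "allow"
```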
Data Loss Prevention and Encryption
- DLP and Azure Information Protection both offer tools to secure your information
- Use "sensitive information types" to identify documents and emails that should not leave the organization or that should be encrypted
- AIP can be used to revoke rights to an email or document even after it has left the organization

Threat Detection and Prevention
- EM-S provides a suite of tools to detect and prevent threats
- Advanced Threat Protection: stop malicious links and attachments before users click on them
- Azure AD Identity Protection: monitor user accounts that may be for sale on the Deep/Dark Web and elevate their risk
- Cloud App Security: provide risk analysis and discovery of who is using what 3rd-party apps in your organization
- Advanced Threat Analytics: tools to monitor threats to your organization in real time using Microsoft's entire cloud infrastructure as a data source

Tools that you didn't know you had
- Audit Logs
- Alerts
- Compliance Search
- Supervisory Search
- Dashboards
- Secure Score

Learn More
http://get.catapultsystems.com/0365-business-registration
http://get.catapultsystems.com/0365-bootcamp-registration-it-track/
@CloudWhisperers
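As an added illustration of what a "sensitive information type" does under the hood (example code, not Microsoft's DLP engine or the deck's own material): a detector for card numbers built the way such types are typically defined, a primary pattern, a checksum to discard digit runs that merely look like a card number, and supporting keywords within a proximity window that raise confidence. The keyword list, window size and the block/encrypt/allow mapping are assumptions.

```python
import re

# Constructed DLP detector. Pattern + checksum + nearby keywords is the usual
# shape of a sensitive information type; the specifics here are assumptions.

CARD_PATTERN = re.compile(r"\b(?:\d[ -]?){13,16}\b")  # 13-16 digits, optional separators
SUPPORTING_KEYWORDS = ("credit card", "card number", "visa", "mastercard", "cvv", "expiry")
PROXIMITY = 300  # characters on either side of the match to look for keywords

def luhn_valid(digits: str) -> bool:
    """Luhn checksum: every real card number passes, random digit runs mostly don't."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_card_numbers(text: str) -> list:
    """Return one finding per Luhn-valid candidate, with a confidence level."""
    findings = []
    for m in CARD_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_valid(digits):
            continue                        # looks like a card number but fails the checksum
        window = text[max(0, m.start() - PROXIMITY): m.end() + PROXIMITY].lower()
        keywords = [k for k in SUPPORTING_KEYWORDS if k in window]
        findings.append({
            "value": digits[-4:].rjust(len(digits), "*"),   # never log the full number
            "confidence": "high" if keywords else "medium",
            "keywords": keywords,
        })
    return findings

def dlp_action(text: str) -> str:
    """Policy outcome for a document or email body: 'block', 'encrypt' or 'allow'."""
    findings = find_card_numbers(text)
    if any(f["confidence"] == "high" for f in findings):
        return "block"      # high-confidence match: must not leave the organization
    if findings:
        return "encrypt"    # plausible match without supporting evidence: protect, don't stop
    return "allow"
```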