11/27/2018 BRK2081 Windows Defender Application Guard making Microsoft Edge the world’s most secure browser! Chas Jeffries Lead Program Manager Windows.

Presentation transcript:

11/27/2018 BRK2081 Windows Defender Application Guard making Microsoft Edge the world’s most secure browser! Chas Jeffries Lead Program Manager Windows Enterprise and Security © 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION

Agenda
- Security landscape and Windows Defender Application Guard overview
- Demo: Application Guard stand-alone mode
- Containers
- Setup and deployment
- Demo: Application Guard enterprise mode
- Threat detection
- Q&A

Evolution of attacks
- Mischief: script kiddies, unsophisticated
- Fraud and theft: organized crime, more sophisticated
- Damage and disruption: nations, terror groups, activists; very sophisticated and well resourced

Anatomy of an attack
- Enter (attack -> user): browser or doc exploit delivery, malicious attachment delivery, phishing attacks
- Establish (device): kernel exploits, kernel-mode malware
- Expand (network): pass-the-hash
- Endgame: business disruption, lost productivity, data theft, espionage and loss of IP, ransom

Attacks happen fast and are hard to stop. If an attacker sends an email to 100 people in your company, 30 people will open it, 12 people will open the attachment or click on the link, and all of them will do it within 3 minutes 45 seconds. Source: Verizon 2016 Data Breach Investigations Report.

Anatomy of an attack: strontium. Phishing (attack -> user) -> browser or doc exploit execution (device) -> pass-the-hash (network) -> endgame: theft of sensitive information, disruption of government.

Anatomy of an attack: strontium. The phishing email that starts the chain (attack -> user):

Mon, 9 November 2015, 13:20
RE: Mission In Central African Republic
From: John Smith <defense.adviser.smith@gmail.com>

Dear Sir! Please be advised that The Spanish Army personnel and a large number of Spanish Guardia Civil officers currently deployed in the Central African Republic (CAR) as part of the European EUFOR RCA mission will return to Spain in early March as the mission draws to a close. Visit http://natoint.com/900117-spain-forces-conclude-mission-in-central-african-republic/ for additional info.
Best regards, Capt. John Smith, Defence Adviser, Public Diplomacy Division NATO, Brussels
Defence.adviser.smith@gmail.com

(Phishing -> user -> device: browser or doc exploit execution -> pass-the-hash -> network -> endgame: theft of sensitive information, disruption of government.)

Anatomy of an attack: strontium. What happens on the device when the user clicks the link:
1. Land on exploit page
2. Exploit runs
3. Redirected to legitimate page

The problem… The user sees a normal-looking website

Anatomy of an attack: strontium. Endgame: theft of sensitive information, disruption of government.

Protect, Detect, Respond: Windows 7 versus Windows 10

Windows 7: Trusted Platform Module (TPM), SmartScreen, BitLocker, BitLocker to Go

Windows 10, legacy or modern devices (upgraded from Windows 7 or 32-bit Windows 8): Windows Defender System Guard, Windows Defender Exploit Guard, Windows Defender Application Control, Windows Defender Antivirus, Windows Defender ATP, Microsoft Edge, Windows Hello, Windows Hello Companion Devices, Windows Information Protection

Windows 10, modern devices (fresh install or upgrade from 64-bit Windows 8): Windows Defender System Guard *, Windows Defender Exploit Guard *, Windows Defender Credential Guard, Windows Defender Device Guard, Windows Defender Application Guard, BitLocker **, Windows Hello biometric sensors

* Includes advanced functionality on modern devices
** Automatically provisioned

So what's changed?

Current threat landscape: driving the need for hardware-based isolation. (Chart of vulnerability counts; source: MSRC and Microsoft One Protection Team.)

Traditional platform stack: device hardware -> kernel -> Windows Platform Services -> apps.

System Guard container (hardware-based isolation): the hypervisor runs directly on the device hardware. Above it, the Windows 10 kernel hosts Windows Platform Services and apps, while a separate System Guard container with its own kernel hosts Device Guard, Credential Guard and trustlets.

Microsoft Edge with Windows Defender Application Guard
- Moves browser sessions to an isolated, virtualized environment
- Provides significantly increased protection and hardens the attacker's favorite entry point
- Stack: device hardware -> Hypervisor (Hyper-V) -> host kernel with Windows Platform Services, critical system processes and apps, alongside a separate system container with its own kernel running Microsoft Edge

Application Guard experience

The user receives a suspicious email and, unwittingly, clicks the link.

natoint.com: a new browser window appears, with window decoration and a notification that the site the user wants to open is not an enterprise site and needs to open in a container.

natoint.com: a new browser window appears, with window decoration and a notification, as the user lands on the untrusted website. The user clicks to allow the malware to run and the container is infected.

natoint.com: the user closes the Edge window, and the session is discarded when the user logs off.

Back on the host, all is good. The malware was not able to jump out of the container; it is isolated to the container.

Demo Windows Defender Application Guard Stand-alone Mode

Functionality in isolation

Expected basic functionality (controlled from the host): copy/paste, printing, administrator policy controls.

Persistence of user state between sessions: the state of the container is persisted between sessions, i.e. cookies, remembered passwords, favorites and temporary files are carried from session to session in the container, using a temporary VHD (host -> VM -> VHD).

What is a container? (Microsoft Build 2016)

Server technology, powered by intelligent sharing of services, network, experience, memory, files and configuration.

So, we asked, why can’t we use them on client?

Leverage the power of containers. On the enterprise client (host), Microsoft Edge runs with a browser plug-in that reads the policy store (the site list, delivered by Group Policy or MDM). A management service, Hypervisor Security Isolation (HVSI), runs above the host kernel and Windows Platform Services. The container has its own kernel, its own Windows Platform Services and its own Microsoft Edge with the same plug-in, and is connected to the host through a virtual switch and virtual switch plug-in on the hypervisor.

And next generation networking: the container's network is provisioned through the Host Networking Service (HNS) and Host Compute Service (HCS).

Application Guard enterprise mode uses this same stack: host browser, browser plug-in, policy store and HVSI on the host; kernel, Windows Platform Services and Microsoft Edge in the container.

Application Guard service: HVSI monitors and enforces policy for the container.

User browses to a non-enterprise site: the host browser plug-in sends the Application Guard service a notification of the new URL.

The URL is untrusted, so it redirects to the container: the site list lookup fails, and the URL is injected into the container's Microsoft Edge.

Isolation and eviction: containers persist for the life of the logged-on session; containers are discarded on logoff or reboot.

Setup and deployment

Deployment workflow
1. Plan and prepare: prerequisites, enterprise site list
2. Install Windows Defender Application Guard
3. Configure Windows Defender Application Guard
4. Enable Windows Defender Application Guard

Configuring site lists
- Enterprise resources (intranet): host
- Enterprise cloud resources: host
- Neutral sites: host + Application Guard
- All other sites: Application Guard

Network isolation policies. Specification options: IP ranges, domain names. Management channels: Group Policy, MDM/CSP, SCCM (WMI).
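The site-list lookup described on the container slides and in the two slides above, modelled as an added example; this is illustration code, not the deck's or the HVSI plug-in's code, and every domain and IP range in the sample list is constructed:

```powershell
# Added example, not code from the deck or from Windows: a model of the site-list
# lookup that decides whether a URL opens on the host, in the Application Guard
# container, or is allowed in both. It illustrates the decision described on the
# slides; the real lookup lives in the HVSI browser plug-in. All list entries below
# are constructed samples.

$SampleSiteList = @{
    CloudResources  = @('contoso.sharepoint.com', 'outlook.office.com')          # enterprise cloud resources -> host
    IntranetDomains = @('corp.contoso.com')                                       # enterprise resources (intranet) -> host
    IpRanges        = @('10.0.0.0-10.255.255.255', '192.168.0.0-192.168.255.255') # private network ranges -> host
    NeutralSites    = @('login.microsoftonline.com')                              # neutral sites -> host + Application Guard
}

function Test-DomainMatch {
    param([string]$HostName, [string]$Entry)
    # A list entry matches itself and every subdomain beneath it.
    return ($HostName -eq $Entry) -or $HostName.EndsWith('.' + $Entry)
}

function ConvertTo-IPv4Number {
    param([string]$Address)
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    [Array]::Reverse($bytes)   # network byte order -> little-endian for ToUInt32
    return [BitConverter]::ToUInt32($bytes, 0)
}

function Test-IPv4InRange {
    param([string]$Address, [string]$Range)   # $Range is written "first-last"
    $first, $last = $Range -split '-', 2
    $n = ConvertTo-IPv4Number $Address
    return ($n -ge (ConvertTo-IPv4Number $first)) -and ($n -le (ConvertTo-IPv4Number $last))
}

function Resolve-AppGuardTarget {
    # Returns 'Host', 'Container' or 'HostOrContainer' for one URL.
    param([Parameter(Mandatory)] [string]$Url, [hashtable]$SiteList = $SampleSiteList)
    $uri      = [System.Uri]$Url
    $hostName = $uri.Host.ToLowerInvariant()

    if ($uri.HostNameType -eq [System.UriHostNameType]::IPv4) {
        # Literal IPv4 addresses are matched against the private network ranges.
        foreach ($range in $SiteList.IpRanges) {
            if (Test-IPv4InRange $hostName $range) { return 'Host' }
        }
        return 'Container'
    }
    foreach ($entry in ($SiteList.IntranetDomains + $SiteList.CloudResources)) {
        if (Test-DomainMatch $hostName $entry) { return 'Host' }
    }
    foreach ($entry in $SiteList.NeutralSites) {
        if (Test-DomainMatch $hostName $entry) { return 'HostOrContainer' }
    }
    # Lookup failed: every other site is injected into the container.
    return 'Container'
}

# Usage with constructed URLs (the last one is the deck's own phishing link):
@(
    'https://mail.corp.contoso.com/owa',
    'https://contoso.sharepoint.com/sites/finance',
    'http://10.20.30.40/intranet-app',
    'https://login.microsoftonline.com/',
    'http://natoint.com/900117-spain-forces-conclude-mission-in-central-african-republic/'
) | ForEach-Object { [pscustomobject]@{ Url = $_; OpensIn = Resolve-AppGuardTarget $_ } } | Format-Table -AutoSize
```

The order of the checks is the point: an intranet or cloud entry wins over a neutral entry, and anything the lists do not name falls through to the container, which is the "lookup fails, inject into container" path on the service slide. Matching on the host name only, never on the full URL, mirrors the fact that the site list is a list of domains and address ranges, not of pages.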

Client requirements for deployment. Hardware: CPU, 64-bit with virtualization extensions; RAM, 8 GB recommended. Software: Windows 10 Fall Creators Update. Miscellaneous: enable CPU virtualization in the BIOS.

Configure policies
- Turn Windows Defender Application Guard on/off
- Copy-paste direction: host to container, container to host
- Copy-paste content type: text, images
- Printers: PDF, XPS, local printers, network printers
- Strict versus relaxed content filtering
- Allow data persistence: on/off
- Allow auditing: on/off

Container auditing in Application Guard: an auditing policy set by Group Policy on the host is applied to the WDAG container. The container's events are stored as .evtx files on the container VHD, separate from the host event log, and the administrator accesses them with PowerShell.
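Reading those container .evtx files from the host, as an added example rather than anything from the deck. The file path is a placeholder, and the provider and event names are whatever the container wrote; the example assumes only that Get-WinEvent can open an .evtx file by path, which it can:

```powershell
# Added example (not from the deck): summarise Application Guard audit events that
# were exported from the container VHD as .evtx files. The path is a placeholder;
# no provider or event id is assumed, the summary groups whatever the file holds.

function Get-AppGuardAuditSummary {
    param(
        [Parameter(Mandatory)] [string]$EvtxPath,          # placeholder, e.g. 'C:\WDAG-Audit\container.evtx'
        [datetime]$Since = (Get-Date).AddDays(-1),          # only events newer than this
        [switch]$ErrorsAndWarningsOnly                      # Level 1 critical, 2 error, 3 warning
    )
    if (-not (Test-Path -LiteralPath $EvtxPath)) { throw "Audit export not found: $EvtxPath" }

    $filter = @{ Path = $EvtxPath; StartTime = $Since }
    if ($ErrorsAndWarningsOnly) { $filter.Level = @(1, 2, 3) }

    # SilentlyContinue: Get-WinEvent reports "no events found" as an error, which is a valid result here.
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    if (-not $events) { return @() }

    # One row per provider/event id so a reviewer sees what the container did, not a raw dump.
    $events | Group-Object -Property ProviderName, Id | Sort-Object Count -Descending | ForEach-Object {
        [pscustomobject]@{
            Provider = $_.Group[0].ProviderName
            EventId  = $_.Group[0].Id
            Count    = $_.Count
            Latest   = ($_.Group | Sort-Object TimeCreated -Descending)[0].TimeCreated
            Sample   = ($_.Group[0].Message -split "`n")[0]   # first line of the most recent message
        }
    }
}

# Usage (placeholder path):
Get-AppGuardAuditSummary -EvtxPath 'C:\WDAG-Audit\container.evtx' -Since (Get-Date).AddHours(-8) -ErrorsAndWarningsOnly |
    Format-Table -AutoSize
```

Because the container is discarded on logoff or reboot, the .evtx export is the only record of what happened inside it; summarising by provider and event id before reading individual messages keeps a one-day export reviewable.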

Prepare, deploy, and enable!
1. Install: Turn Windows features on or off, or PowerShell (covers SCCM, MDT, etc.)
2. Configure: Group Policies (ADMX), System Center Configuration Manager, Microsoft Intune
3. Enable: Group Policies (ADMX), System Center Configuration Manager, Microsoft Intune
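The whole plan, install, configure, enable workflow from the slides above as one PowerShell script, added here as an example and not taken from the deck. The Windows optional feature name is the real one; the registry locations and value names are assumed to be the ones the listed AppHVSI and Network Isolation Group Policies write and should be verified against the ADMX templates of the Windows build in use (a centrally managed deployment would set the same policies through Group Policy, Configuration Manager or Intune rather than writing the registry directly). All domains, address ranges and paths are constructed samples:

```powershell
# Added example, not from the deck: Plan -> Install -> Configure -> Enable for
# Windows Defender Application Guard enterprise mode on one client.
# Assumptions to verify against your build's AppHVSI.admx / NetworkIsolation ADMX:
# the registry keys and value names below, and the delimiters used for the lists.
#Requires -RunAsAdministrator

$NetworkIsolationKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkIsolation'   # assumed
$AppGuardPolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI'                    # assumed

function Test-AppGuardPrerequisites {
    # Plan and prepare: the checks from the "Client requirements for deployment" slide.
    $cpu   = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $ramGB = [math]::Round((Get-CimInstance -ClassName Win32_ComputerSystem).TotalPhysicalMemory / 1GB, 1)
    [pscustomobject]@{
        Is64BitOS              = [Environment]::Is64BitOperatingSystem
        VirtualizationInBIOS   = [bool]$cpu.VirtualizationFirmwareEnabled   # $false -> enable it in BIOS/UEFI
        RamGB                  = $ramGB
        Meets8GBRecommendation = $ramGB -ge 8
    }
}

function Install-AppGuardFeature {
    # Install: the scriptable form of "Turn Windows features on or off".
    $feature = Get-WindowsOptionalFeature -Online -FeatureName 'Windows-Defender-ApplicationGuard'
    if ($feature.State -eq 'Enabled') { return 'AlreadyEnabled' }
    $result = Enable-WindowsOptionalFeature -Online -FeatureName 'Windows-Defender-ApplicationGuard' -NoRestart
    if ($result.RestartNeeded) { return 'RestartNeeded' }
    return 'Enabled'
}

function Set-PolicyValue {
    param([string]$Path, [string]$Name, $Value, [ValidateSet('DWord', 'String')] [string]$Type)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

function Set-AppGuardSiteList {
    # Plan and prepare: the enterprise site list that decides host versus container.
    param(
        [string[]]$CloudResources,    # enterprise cloud resources -> host
        [string[]]$IntranetDomains,   # enterprise resources (intranet) -> host
        [string[]]$IpRanges,          # private network ranges, "first-last" -> host
        [string[]]$NeutralResources   # neutral sites -> host + Application Guard
    )
    # Delimiters are an assumption; confirm them in each policy's own help text.
    Set-PolicyValue $NetworkIsolationKey 'EnterpriseCloudResources'     ($CloudResources -join '|')  'String'
    Set-PolicyValue $NetworkIsolationKey 'EnterpriseNetworkDomainNames' ($IntranetDomains -join ',') 'String'
    Set-PolicyValue $NetworkIsolationKey 'EnterpriseIPRange'            ($IpRanges -join ',')        'String'
    Set-PolicyValue $NetworkIsolationKey 'NeutralResources'             ($NeutralResources -join ',') 'String'
}

function Set-AppGuardPolicy {
    # Configure: the switches from the "Configure policies" slide, least permissive by default.
    param(
        [int]$ClipboardDirection = 1,    # 0 off, 1 container to host, 2 host to container, 3 both
        [int]$ClipboardContent   = 1,    # 1 text, 2 images, 3 both
        [int]$Printing           = 2,    # bitmask: 1 XPS, 2 PDF, 4 local printers, 8 network printers
        [bool]$StrictFiltering   = $true,  # block non-enterprise content on enterprise pages
        [bool]$Persistence       = $false, # keep cookies/favorites across container sessions
        [bool]$Audit             = $true   # collect container events on the VHD
    )
    Set-PolicyValue $AppGuardPolicyKey 'AppHVSIClipboardSettings'  $ClipboardDirection     'DWord'
    Set-PolicyValue $AppGuardPolicyKey 'AppHVSIClipboardFileType'  $ClipboardContent       'DWord'
    Set-PolicyValue $AppGuardPolicyKey 'AppHVSIPrintingSettings'   $Printing               'DWord'
    Set-PolicyValue $AppGuardPolicyKey 'BlockNonEnterpriseContent' ([int]$StrictFiltering) 'DWord'
    Set-PolicyValue $AppGuardPolicyKey 'AllowPersistence'          ([int]$Persistence)     'DWord'
    Set-PolicyValue $AppGuardPolicyKey 'AuditApplicationGuard'     ([int]$Audit)           'DWord'
}

function Enable-AppGuardEnterpriseMode {
    # Enable: 1 turns Application Guard on for Microsoft Edge (0 turns it off).
    Set-PolicyValue $AppGuardPolicyKey 'AllowAppHVSI_ProviderSet' 1 'DWord'
}

# Usage, run elevated. Every domain and address below is a constructed sample.
$prereq = Test-AppGuardPrerequisites
if (-not ($prereq.Is64BitOS -and $prereq.VirtualizationInBIOS)) { throw "Prerequisites not met: $($prereq | Out-String)" }
Install-AppGuardFeature
Set-AppGuardSiteList -CloudResources 'contoso.sharepoint.com', 'outlook.office.com' `
                     -IntranetDomains 'corp.contoso.com' `
                     -IpRanges '10.0.0.0-10.255.255.255' `
                     -NeutralResources 'login.microsoftonline.com'
Set-AppGuardPolicy -Printing 2 -Persistence $false -Audit $true
Enable-AppGuardEnterpriseMode
```

Defaults are chosen from the defender's side: clipboard out of the container only, text only, PDF printing only, no persistence, auditing on. Each of those is a channel back to the host, so widen one only when a business need is documented, and keep persistence off unless the convenience is worth a container that carries state from one session to the next.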

Demo Windows Defender Application Guard Enterprise Mode

Windows Defender ATP integration

Adding a post-breach mindset

Pre-breach
- Device protection: Device Health Attestation, Device Guard, Device Control, security policies
- Threat resistance: SmartScreen, AppLocker, Device Guard, Windows Defender, Windows Defender Application Guard
- Identity protection: built-in 2FA, account lockdown, Credential Guard, Windows Hello (formerly Microsoft Passport)
- Information protection: device protection / drive encryption, Windows Information Protection (formerly Enterprise Data Protection), conditional access

Post-breach
- Breach detection, investigation and response: Windows Defender Advanced Threat Protection (ATP)

Windows Defender ATP: intelligence-driven endpoint protection, detection and response
- Built into Windows 10, not bolted on: protection built deep into Windows and in the cloud provides best-in-class performance and eliminates 3rd-party agents and complex infrastructure.
- Single pane of glass and centralized management: enterprise grade, easy to enable and integrate into your environment, enabling security operations to investigate, determine the scope of an incident and take action using correlated data across the suite.
- Analytics-based, cloud-powered protection and response: fusing deep OS expertise, data science and the Microsoft Intelligent Security Graph to quickly adapt to changing threats, deploy new defenses and orchestrate remediation.
- Amplified by the power of Microsoft Secure: the Windows Defender suite is a key component of the Microsoft Secure stack that brings together and amplifies security across devices, identity and information.

Defender ATP integration: the host and the encrypted container each run a SENSE agent. Inside the container, Windows 10 service agents feed the container SENSE agent with files, processes, registry data, network packet data and events; both agents report to the Windows Security Center console and the Azure ATP cloud SecOps console.

Key takeaways
- Windows Defender Application Guard is designed from the ground up using next-generation Hyper-V client containers
- Completely isolates Microsoft Edge from the host PC using hardware-based isolation, with IE11 integration
- Integrated with Windows Defender ATP for threat detection
- Supports enterprise and stand-alone modes
- Application Guard will change the attacker playbook
- Available in Windows 10 Enterprise Edition
- Coming in the Windows 10 Fall Creators Update

How can I try it?

Microsoft Technology Adoption Program (TAP): TAP is a pre-release program run by Windows engineering to obtain deep customer feedback, early and throughout the development cycle, to ensure new technology investments meet the needs of the marketplace. Interested in joining TAP? Email osnext@microsoft.com

Microsoft Windows Insider Program (WIP): this program is designed exclusively for people who want to be involved in the process. So if you want to help us build the best Windows yet, we want you to join us and be first to experience the new ideas and concepts we're building. In return, we want to know what you think. You'll get an easy-to-use Feedback Hub app to send us your feedback, which will help guide us along the way. Interested in joining WIP? Visit https://insider.windows.com/

Windows Defender ATP information and trial: learn more about Windows Defender ATP at https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp. Microsoft is offering a free 90-day trial program for Windows Defender ATP. Interested in a pilot? Visit http://aka.ms/wdatp

Please evaluate this session. PC or tablet: visit MyIgnite at https://myignite.microsoft.com/evaluations. Phone: download and use the Microsoft Ignite mobile app, https://aka.ms/ignite.mobileapp. Your input is important!