
Microsoft Ignite 2016 6/2/2018 6:37 AM BRK2293

Presentation transcript:

1 Microsoft Ignite 2016, BRK2293: Mitigate datacenter security threats with guided investigation using Operations Management Suite. Yuri Diogenes, Senior Content Developer, Enterprise Mobility + Security (OMS / Azure Security Center). © 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

2 Your IT environment, your opportunity

3 Your IT environment, your opportunity
Elements shown around the IT environment: smart cities, sensors, vehicles, partners, energy systems, cloud, equipment, on-premises, mobile devices, marketplaces, manufacturers, citizens, supply chains, customers.

4 YOUR IT ENVIRONMENT

5 Closing the gap between discovery and action
Your security posture across your IT environment:
- PROTECT across all endpoints, from sensors to the datacenter
- DETECT using targeted signals, behavioral monitoring, and machine learning
- RESPOND, closing the gap between discovery and action

6 Critical Mitigations: Typical Attack Chain
Diagram: Beachhead (Phishing Attack, etc.), then Lateral Movement (Steal Credentials; Compromise more hosts & credentials), then Privilege Escalation (Get Domain Admin credentials), then Execute Attacker Mission (Steal data, destroy systems, etc.) and Persist Presence. The attacker compromises privileged access within 24-48 Hours. Tiers shown: Tier 0 Domain & Enterprise Admins (Domain Controllers, Directory Database(s)); Tier 1 Server Admins; Tier 2 Workstation & Device Admins.

Key Slide Outcome - Credential theft attacks are highly impactful and highly prevalent – they can happen on just about any environment today. This is a view of a typical attack we see on a typical environment.

1. Attacks start by gaining control of a "beachhead" computer in your network, sometimes called "Patient Zero". [Attacker] This is usually a phishing attack, but can also be done by compromising a website frequently visited by your users, by delivering malware through advertising, or other techniques. [Green Circle] Most attackers target domain controllers to gain access to all identities.
2. The next step for attackers is typically to gather credentials available on the compromised machines (including local administrator password hashes). They then move laterally within that Tier to compromise other computers and harvest more credentials. This requires the attacker to be an administrator on the local machine, which can happen when:
   - A user running as a local admin clicks "allow" on a security warning dialog in a browser or other application
   - The attacker exploits an unpatched vulnerability on a computer (whether the user is running locally as local admin or only with standard user privileges)
3. The attackers can directly attempt to escalate their access to the environment by directly attacking servers.
4. More commonly, we see privilege escalation by stealing higher tier credentials (e.g. domain admins) where they are exposed on lower tier devices (e.g. standard workstations). This leads to an attacker gaining full control of the environment. This is a shared state of control, so it doesn't "kick out" the real admins. This attack is very difficult to detect with conventional means because attackers are using real, legitimate credentials (and can then move to creating fake accounts, installing malware on any computer, etc.).
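The detection a defender wants from step 4 above is the one the notes say conventional tools miss: higher-tier credentials being left on lower-tier devices. The following is an added example, not code from the presentation, OMS or Azure Security Center. It encodes the slide's three-tier model and scans logon records for credential-exposing logons where the host's tier is less trusted than the account's. The tier assignments, the account and host names and the logon records are all constructed; the Windows logon-type numbers are the real ones, but treating types 2, 4, 5 and 10 as "credential-exposing" is a simplification made for this example, not a rule from the deck.

```python
"""Flag logons that expose higher-tier credentials on lower-tier hosts.

Added example for the tiered-admin attack chain in the slide notes above;
not code from the presentation, OMS or Azure Security Center.  All names,
tiers and logon records below are constructed.
"""
from collections import namedtuple

# Tier model from the slide: 0 = domain/enterprise admins and domain
# controllers, 1 = server admins and servers, 2 = workstation/device admins
# and workstations.  A lower number means more privilege.  Accounts absent
# from ACCOUNT_TIER are standard users with no admin tier.
ACCOUNT_TIER = {
    "CORP\\da-alice": 0,   # domain admin (constructed)
    "CORP\\srv-bob": 1,    # server admin (constructed)
    "CORP\\wks-carol": 2,  # workstation admin (constructed)
}
HOST_TIER = {"DC01": 0, "FILESRV02": 1, "WKS-117": 2}

# Logon types whose credential material stays reusable on the target host:
# interactive (2), batch (4), service (5), RemoteInteractive/RDP (10).
# A network logon (3) leaves nothing reusable behind.  Simplification.
CRED_EXPOSING_LOGON_TYPES = {2, 4, 5, 10}

Logon = namedtuple("Logon", "timestamp account host logon_type")
Finding = namedtuple("Finding", "logon account_tier host_tier")

# Constructed sample logon records for one day, in time order.
SAMPLE_LOGONS = [
    Logon("2016-09-26T08:01:00Z", "CORP\\dave", "WKS-117", 2),        # standard user
    Logon("2016-09-26T08:15:00Z", "CORP\\wks-carol", "WKS-117", 10),  # tier 2 on tier 2: ok
    Logon("2016-09-26T09:02:00Z", "CORP\\da-alice", "WKS-117", 10),   # tier 0 RDP to a workstation
    Logon("2016-09-26T09:05:00Z", "CORP\\da-alice", "FILESRV02", 3),  # network logon only: ok
    Logon("2016-09-26T09:30:00Z", "CORP\\srv-bob", "WKS-117", 2),     # tier 1 interactive on workstation
    Logon("2016-09-26T10:00:00Z", "CORP\\da-alice", "DC01", 2),       # tier 0 on tier 0: ok
]


def tier_violations(logons):
    """Return a Finding for every credential-exposing logon whose host is
    less trusted (numerically higher tier) than the account.  These are the
    logons the slide calls higher-tier credentials exposed on lower-tier
    devices: the raw material for the privilege-escalation step."""
    findings = []
    for l in logons:
        acct_tier = ACCOUNT_TIER.get(l.account)
        host_tier = HOST_TIER.get(l.host)
        if acct_tier is None or host_tier is None:
            continue  # standard user or unclassified host: nothing to rank
        if l.logon_type in CRED_EXPOSING_LOGON_TYPES and host_tier > acct_tier:
            findings.append(Finding(l, acct_tier, host_tier))
    return findings


def most_severe(findings):
    """Finding with the largest tier gap (tier 0 on a workstation outranks
    tier 1 on a workstation); None when there are no findings."""
    if not findings:
        return None
    return max(findings, key=lambda f: f.host_tier - f.account_tier)


def exposed_hosts_by_account(findings):
    """Map each over-exposed account to the hosts where its credentials were
    left behind: the machines to treat as compromised if that account is
    ever seen misused."""
    out = {}
    for f in findings:
        out.setdefault(f.logon.account, []).append(f.logon.host)
    return out


if __name__ == "__main__":
    found = tier_violations(SAMPLE_LOGONS)
    for f in found:
        print(f"tier {f.account_tier} account {f.logon.account} logged on "
              f"(type {f.logon.logon_type}) to tier {f.host_tier} host {f.logon.host}")
    worst = most_severe(found)
    print("most severe:", worst.logon.account, "on", worst.logon.host)
```

On the constructed data the check reports two findings (the domain admin's RDP session and the server admin's interactive session, both on WKS-117) and ignores the domain admin's network-only logon to the file server, which matches the slide's point that the exposure comes from where privileged credentials are used, not merely which accounts exist.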

7 Many organizations learn how to respond to security incidents only after suffering attacks. By this time, incidents often become much more costly than needed.

8 Incident Response
- Stage 1 – Detect: Identifying suspicious activity requires a nexus of the latest intelligence capabilities, detection tools, and incident management solutions.
- Stage 2 – Assess: Executing a preliminary assessment and evaluating its details as the investigation continues.
- Stage 3 – Diagnose: Examining the collected information to gain a better technical understanding of the event.

9 Leveraging OMS Security for Incident Response

10 Attack Scenario (DETECT)
- Stage 1: Phishing e-mail (downloading malware)
- Stage 2: Lateral movement (suspicious activity)
- Stage 3: Privilege escalation (suspicious process)
- Stage 4: Cleaning evidence (event log)

11 Demo: Leveraging OMS for Incident Response (Yuri Diogenes)

12 Botnet Scenario (DETECT)
- Stage 1 (Recruitment / Infection): Phishing (downloading malware / exploiting vulnerabilities)
- Stage 2 (Interaction): Registration, C&C communication and external interaction (network communication)
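Slides 10 and 12 list the stages a detection tool has to recognize but not how raw telemetry is turned into those stages. The following added example, not code from the presentation, OMS or Azure Security Center, correlates constructed antimalware, Windows security log and network flow records into the four stages of the phishing scenario (malware download, lateral movement, privilege escalation, event log cleared) and flags the botnet scenario's C&C interaction as regular outbound beaconing. The record layout and field names are this example's own; the Windows event IDs are the real ones (4624 logon, 4672 special privileges assigned, 1102 audit log cleared), and the known-admin allow-list, hosts, accounts and addresses are constructed.

```python
"""Correlate raw telemetry into the attack stages listed on slides 10 and 12.

Added example, not code from the presentation, OMS or Azure Security
Center.  The event records and names below are constructed; the Windows
event IDs (4624, 4672, 1102) are real.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Accounts expected to hold admin privileges (constructed allow-list).
KNOWN_ADMINS = {"CORP\\da-alice"}

# Constructed telemetry.  'src' is the telemetry source: antimalware,
# Windows security log (seclog) or network flow log (netflow).
EVENTS = [
    {"t": "2016-09-26T09:00:00", "host": "WKS-117", "src": "antimalware",
     "action": "detected", "file": "invoice.docm", "account": "CORP\\dave"},
    {"t": "2016-09-26T09:02:00", "host": "WKS-117", "src": "netflow", "dst": "198.51.100.23", "dport": 443},
    {"t": "2016-09-26T09:12:00", "host": "WKS-117", "src": "netflow", "dst": "198.51.100.23", "dport": 443},
    {"t": "2016-09-26T09:22:00", "host": "WKS-117", "src": "netflow", "dst": "198.51.100.23", "dport": 443},
    {"t": "2016-09-26T09:32:00", "host": "WKS-117", "src": "netflow", "dst": "198.51.100.23", "dport": 443},
    {"t": "2016-09-26T09:40:00", "host": "FILESRV02", "src": "seclog", "event_id": 4624,
     "logon_type": 3, "account": "CORP\\dave", "from_host": "WKS-117"},
    {"t": "2016-09-26T09:41:00", "host": "FILESRV02", "src": "seclog", "event_id": 4672, "account": "CORP\\dave"},
    {"t": "2016-09-26T09:45:00", "host": "FILESRV02", "src": "seclog", "event_id": 1102, "account": "CORP\\dave"},
    # Benign noise: a real admin on the DC, and irregular browsing elsewhere.
    {"t": "2016-09-26T10:00:00", "host": "DC01", "src": "seclog", "event_id": 4672, "account": "CORP\\da-alice"},
    {"t": "2016-09-26T10:01:00", "host": "WKS-042", "src": "netflow", "dst": "203.0.113.9", "dport": 443},
    {"t": "2016-09-26T10:07:00", "host": "WKS-042", "src": "netflow", "dst": "203.0.113.9", "dport": 443},
    {"t": "2016-09-26T10:30:00", "host": "WKS-042", "src": "netflow", "dst": "203.0.113.9", "dport": 443},
    {"t": "2016-09-26T10:31:00", "host": "WKS-042", "src": "netflow", "dst": "203.0.113.9", "dport": 443},
]


def _ts(e):
    return datetime.fromisoformat(e["t"])


def detect_stages(events):
    """Return {host: [(time, stage), ...]} for the phishing scenario.

    Stage 1: antimalware detection on a host.
    Stage 2: network logon (4624, type 3) to another host, using an account
             seen on an already-infected host, coming from that host.
    Stage 3: special privileges assigned (4672) to an account outside the
             known-admin set.
    Stage 4: audit log cleared (1102)."""
    infected_hosts, compromised_accounts = set(), set()
    timeline = defaultdict(list)
    for e in sorted(events, key=_ts):
        h = e["host"]
        if e["src"] == "antimalware" and e["action"] == "detected":
            infected_hosts.add(h)
            compromised_accounts.add(e["account"])
            timeline[h].append((e["t"], "stage1_malware_download"))
        elif e["src"] == "seclog":
            eid = e["event_id"]
            if (eid == 4624 and e.get("logon_type") == 3
                    and e.get("from_host") in infected_hosts
                    and e["account"] in compromised_accounts):
                infected_hosts.add(h)  # the account has now carried the attack here
                timeline[h].append((e["t"], "stage2_lateral_movement"))
            elif eid == 4672 and e["account"] not in KNOWN_ADMINS:
                timeline[h].append((e["t"], "stage3_privilege_escalation"))
            elif eid == 1102:
                timeline[h].append((e["t"], "stage4_evidence_cleaning"))
    return dict(timeline)


def scenario_coverage(events):
    """Distinct stages observed across all hosts, ordered by first sighting."""
    seen = [(t, s) for entries in detect_stages(events).values() for t, s in entries]
    return [s for _, s in sorted(seen)]


def beacon_candidates(events, min_connections=4, max_jitter_ratio=0.1):
    """Botnet stage 2: hosts contacting one destination at near-regular
    intervals.  Returns [(host, dst, mean_interval_seconds)]; the jitter
    ratio is the standard deviation of the gaps divided by their mean."""
    flows = defaultdict(list)
    for e in events:
        if e["src"] == "netflow":
            flows[(e["host"], e["dst"])].append(_ts(e))
    out = []
    for (host, dst), times in flows.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        m = mean(gaps)
        if m > 0 and pstdev(gaps) / m <= max_jitter_ratio:
            out.append((host, dst, m))
    return out


if __name__ == "__main__":
    for host, entries in detect_stages(EVENTS).items():
        for t, stage in entries:
            print(t, host, stage)
    print("beacons:", beacon_candidates(EVENTS))
```

The stage-2 rule is deliberately conditional on an earlier stage-1 hit on the source host: a type-3 logon by itself is everyday file-share traffic, and it is the correlation with the infected beachhead that makes it lateral movement. The event-log-cleared rule needs no such context; a 1102 on a server is worth an alert on its own. On the constructed data, WKS-117 shows the beacon pattern (ten-minute interval, zero jitter) while WKS-042's irregular connections do not.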

13 Demo: Leveraging OMS for Incident Response (BotNet Investigation) (Yuri Diogenes)

14 Leveraging OMS Security and Azure Security Center for Incident Response
OMS Security (Security for OMS Log Analytics; Microsoft Operations Management Suite):
- Threat detection using advanced analytics
- Collection of security data from virtually any source (Azure or AWS, Windows Server or Linux, VMware or OpenStack)
- Insight into security status (antimalware, system updates)
- Correlations to detect malicious activities and search for rapid investigation
- Integrates operational and security management
Azure Security Center (Security for Azure):
- Asset discovery and ongoing security assessment (OS configurations, system updates, SQL Db configurations, virtual network configurations)
- Actionable security recommendations with easy remediation
- Security policy for IT governance
- Integrated management and monitoring of partner security solutions

15 Demo: Leveraging Azure Security for Incident Response (Yuri Diogenes)

16 Intelligence: Platform, Intelligence, Partners
Signals shown on the diagram: multi-factor authentication, data encryption, user accounts, device log-ins, malware, unauthorized data access, attacks, user log-ins, phishing, denial of service, spam, system updates, enterprise security.

17 Our Unique Intelligence
- 300B user authentications each month
- 1B Windows devices updated
- 200B e-mails analyzed for spam and malware
MSFT Field - Please view associated material at:

18 Learn more
To learn more about Azure Security Center, visit: urity-center
To learn more about OMS Security, visit: us/documentation/suites/operations- management-suite/
Also available at Ignite Bookstore. Book signing session: 1 to 1:30PM at Ignite Bookstore (Expo Hall).
© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.

19 Free IT Pro resources to advance your career in cloud technology
- Plan your career path (Microsoft IT Pro Career Center): cloud role mapping; expert advice on skills needed; self-paced curriculum by cloud role
- Get started with Azure (Microsoft IT Pro Cloud Essentials): $300 Azure credits and extended trials; Pluralsight 3 month subscription (10 courses); phone support incident
- Demos and how-to videos (Microsoft Mechanics): weekly short videos and insights from Microsoft's leaders and engineers
- Connect with peers and experts (Microsoft Tech Community): connect with a community of peers and Microsoft experts

20 Please evaluate this session
Your feedback is important to us! From your PC or Tablet visit MyIgnite at [link not captured]. From your phone download and use the Ignite Mobile App by scanning the QR code above or visiting [link not captured].


