BRK2081 Windows Defender Application Guard: making Microsoft Edge the world’s most secure browser!
Chas Jeffries, Lead Program Manager, Windows Enterprise and Security
11/27/2018 © 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION
Agenda
Security landscape and Windows Defender Application Guard overview
Demo: Application Guard stand-alone mode
Containers
Setup and deployment
Demo: Application Guard enterprise mode
Threat detection
Q&A
Evolution of attacks
Mischief: script kiddies, unsophisticated
Fraud and theft: organized crime, more sophisticated
Damage and disruption: nations, terror groups, activists; very sophisticated and well resourced
Anatomy of an attack
ENTER (attack reaches the user): browser or document exploit delivery, malicious attachment delivery, phishing attacks
ESTABLISH (device): kernel exploits, kernel-mode malware
EXPAND (network): pass-the-hash
ENDGAME: business disruption, lost productivity, data theft, espionage and loss of IP, ransom
Attacks happen fast and are hard to stop
If an attacker sends an email to 100 people in your company, 30 people will open it, 12 people will open the attachment or click on the link, and all will do it within 3 minutes 45 seconds.
Source: Verizon 2016 Data Breach Investigations Report
Anatomy of an attack: Strontium
Attack reaches the user: phishing
Device: browser or document exploit execution
Network: pass-the-hash
Endgame: theft of sensitive information, disruption of government
Anatomy of an attack: Strontium, the phishing step
Phishing message shown on the slide:
Mon, 9 November 2015, 13:20
RE: Mission In Central African Republic
John Smith
Dear Sir! Please be advised that The Spanish Army personnel and a large number of Spanish Guardia Civil officers currently deployed in the Central African Republic (CAR) as part of the European EUFOR RCA mission will return to Spain in early March as the mission draws to a close. Visit for additional info. Best regards, Capt. John Smith, Defence Adviser, Public Diplomacy Division NATO, Brussels
The later stages follow: browser or document exploit execution on the device, pass-the-hash on the network, and the endgame of theft of sensitive information and disruption of government.
Anatomy of an attack: Strontium, the exploit step
1. Land on exploit page
2. Exploit runs
3. Redirected to legitimate page
Stage: browser or document exploit execution on the device; endgame: theft of sensitive information, disruption of government
The problem… the user sees a normal-looking website
Protect, detect, respond: Windows 7 versus Windows 10
Windows 7: Trusted Platform Module (TPM), SmartScreen, BitLocker, BitLocker to Go
Windows 10 on legacy or modern devices (upgraded from Windows 7 or 32-bit Windows 8): Windows Defender System Guard, Windows Defender Exploit Guard, Windows Defender Application Control, Windows Defender Antivirus, Windows Defender ATP, Microsoft Edge, Windows Hello, Windows Hello Companion Devices, Windows Information Protection
Windows 10 on modern devices (fresh install or upgrade from 64-bit Windows 8) additionally: Windows Defender System Guard *, Windows Defender Exploit Guard *, Windows Defender Credential Guard, Windows Defender Device Guard, Windows Defender Application Guard, BitLocker **, Windows Hello Biometric Sensors
* Includes advanced functionality on modern devices
** Automatically provisioned
So what’s changed?
Current threat landscape: driving the need for hardware-based isolation
(Chart omitted. Source: MSRC and Microsoft One Protection Team)
Traditional platform stack
Layers, bottom to top: device hardware, kernel, Windows Platform Services, apps
System Guard container
A hypervisor runs on the device hardware. On one side sit the Windows 10 kernel, Windows Platform Services and apps; on the other, behind hardware-based isolation, the System Guard container with its own kernel, Device Guard, Credential Guard and trustlets.
Microsoft Edge with Windows Defender Application Guard
Moves browser sessions to an isolated, virtualized environment
Provides significantly increased protection and hardens the attacker’s favorite entry point
Stack: device hardware, Hypervisor (Hyper-V); on the host side the kernel, Windows Platform Services, critical system processes and apps; in the system container, Microsoft Edge
Application Guard experience
The user receives a suspicious email and unwittingly clicks the link
Natoint.com: a new browser window appears, with window decoration and a notification that the site the user wants to open is not an enterprise site and needs to open in a container
Natoint.com: a new browser window appears, with window decoration and a notification, as the user lands on an untrusted website. The user clicks to allow the malware to run and the container is infected
Natoint.com: the user closes the Edge window, and the session is discarded when the user logs off
Back on the host, all is good. The malware was not able to jump out of the container; it is isolated to the container
Demo: Windows Defender Application Guard stand-alone mode
Functionality in isolation
Expected basic functionality
Copy/paste
Printing
Administrator policy controls (host)
Persistence of user state between sessions
The state of the container is persisted between sessions, i.e. cookies, remembered passwords, favorites and temporary files are carried from session to session in a container using a temp VHD (diagram: host, VM, VHD)
What is a container?
Server technology, powered by intelligent sharing
Shared: services, network, experience, memory, files, configuration
So, we asked, why can’t we use them on the client?
Leverage the power of containers
Architecture shown on the slide. Enterprise client (host): Microsoft Edge as the host browser with a browser plug-in; a policy store that reads the policy site list delivered by GP or MDM; a management component; Windows Platform Services; the kernel; and a virtual switch with a virtual switch plug-in. Hypervisor Security Isolation (HVSI) container, running on the hypervisor: Microsoft Edge with its browser plug-in, Windows Platform Services and its own kernel.
And next-generation networking
The same architecture, with HNS and HCS (the host networking and host compute services) added on the host side next to the management component.
Application Guard enterprise mode
(Same architecture diagram as above.)
Application Guard service
The management component on the host monitors and enforces the policy.
User browses to a non-enterprise site
The host browser plug-in sends the Application Guard service a notification of the new URL.
The URL is untrusted, so it redirects to the container
The site-list lookup fails, and the URL is injected into the container.
Isolation and eviction
Containers persist for the life of the logged-on session
Containers are discarded on logoff or reboot
Setup and deployment
Deployment workflow
1. Plan and prepare: pre-requisites, enterprise site list
2. Install Windows Defender Application Guard
3. Configure Windows Defender Application Guard
4. Enable Windows Defender Application Guard
Configuring site lists
Enterprise resources (intranet): host
Enterprise cloud resources: host
Neutral sites: host + Application Guard
All other sites: Application Guard
Network isolation policies
Specification options: IP ranges, domain names
Management channels: Group Policy, MDM/CSP, SCCM (WMI)
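The two slides above describe a site list (enterprise intranet and cloud resources, neutral sites, everything else) specified as domain names and IP ranges, and a lookup that decides whether a URL opens on the host, in the Application Guard container, or on either side. The PowerShell below is an added example written for this page, not code from the presentation or from Microsoft, that models that lookup so the routing rules can be reasoned about before a policy is deployed. The list entries and sample URLs are constructed; the matching semantics (a domain entry covers the host itself and its subdomains, IP ranges in CIDR notation, unknown destinations go to the container) are assumptions about the policy, not a statement of how Windows evaluates it.

```powershell
# Added example: models the Application Guard site-list lookup. Not code from the
# presentation or from Microsoft. All list contents below are constructed sample values.
$SiteList = @{
    EnterpriseIntranet = @('corp.example', 'intranet.example')            # Enterprise Resources (Intranet)
    EnterpriseCloud    = @('sharepoint.example.com', 'mail.example.com')  # Enterprise cloud resources
    Neutral            = @('login.example.net')                           # Neutral sites
    EnterpriseIPRanges = @('10.0.0.0/8', '192.168.10.0/24')               # IP ranges, CIDR notation
}

function ConvertTo-IPv4Int {
    # Big-endian address bytes to a 64-bit integer (avoids signed 32-bit overflow).
    param([System.Net.IPAddress]$Address)
    $value = [long]0
    foreach ($byte in $Address.GetAddressBytes()) { $value = ($value * 256) + $byte }
    return $value
}

function Test-IPv4InCidr {
    param([string]$Address, [string]$Cidr)
    $network, $prefix = $Cidr.Split('/')
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Address, [ref]$ip)) { return $false }
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { return $false }
    # 4294967295 is 0xFFFFFFFF as a positive long; a hex literal would parse as the int -1.
    $mask = ([long]4294967295 -shl (32 - [int]$prefix)) -band [long]4294967295
    $net  = ConvertTo-IPv4Int ([System.Net.IPAddress]::Parse($network))
    return ((ConvertTo-IPv4Int $ip) -band $mask) -eq ($net -band $mask)
}

function Test-DomainMatch {
    # An entry matches the host itself and any subdomain of it, never a mere substring,
    # so "corp.example.attacker.test" does not match "corp.example".
    param([string]$HostName, [string[]]$Domains)
    foreach ($d in $Domains) {
        if ($HostName -eq $d -or $HostName.EndsWith(".$d")) { return $true }
    }
    return $false
}

function Get-AppGuardRoute {
    param([Parameter(Mandatory)][string]$Url)
    $uri = [uri]$Url
    $hostName = $uri.Host.ToLowerInvariant()
    $ip = $null
    if ([System.Net.IPAddress]::TryParse($hostName, [ref]$ip)) {
        foreach ($range in $SiteList.EnterpriseIPRanges) {
            if (Test-IPv4InCidr -Address $hostName -Cidr $range) { return 'Host' }
        }
        return 'Application Guard'
    }
    if (Test-DomainMatch $hostName $SiteList.EnterpriseIntranet) { return 'Host' }
    if (Test-DomainMatch $hostName $SiteList.EnterpriseCloud)    { return 'Host' }
    if (Test-DomainMatch $hostName $SiteList.Neutral)            { return 'Host + Application Guard' }
    return 'Application Guard'   # lookup failed: inject into the container
}

# Constructed sample URLs, including one that only contains an enterprise name as a prefix.
@('https://intranet.example/hr',
  'https://mail.example.com/owa',
  'https://login.example.net/auth',
  'http://10.20.30.40/status',
  'https://corp.example.attacker.test/login',
  'https://news.example.org/') |
  ForEach-Object { [pscustomobject]@{ Url = $_; OpensIn = (Get-AppGuardRoute $_) } } |
  Format-Table -AutoSize
```

The fifth sample URL is the case worth checking in any real list: a lookalike host that embeds the enterprise domain must still land in the container, which is why the match is on the full label boundary rather than on a substring.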
Client requirements for deployment
Hardware: 64-bit CPU with virtualization extensions; 8 GB RAM recommended
Software: Windows 10 Fall Creators Update
Miscellaneous: enable CPU virtualization in the BIOS
Configure policies
Turn Windows Defender Application Guard on/off
Copy-paste direction: host to container, container to host
Copy-paste content type: text, images
Printers: PDF, XPS, local printers, network printers
Strict versus relaxed content filtering
Allow data persistence: on/off
Allow auditing: on/off
Container auditing in Application Guard
Diagram: the admin’s Group Policy is applied on the host and to the WDAG container; the container’s events are stored as .evtx files on the VHD and are accessed with PowerShell, alongside the host event log.
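The slide says the container’s audit events live in .evtx files on the VHD and are read with PowerShell. The script below is an added example written for this page, not code from the presentation or from Microsoft, showing how a reviewer would summarize one such file once it has been copied off the VHD: a count per provider and event ID, the warning and error events, and the newest records. The file and output paths are placeholders because the slides do not give the location on the VHD; Get-WinEvent -Path and its event properties are standard PowerShell.

```powershell
# Added example: summarize an Application Guard container audit log exported as .evtx.
# Not code from the presentation or from Microsoft. Paths are placeholders.
$ContainerLogPath = 'C:\PLACEHOLDER\ApplicationGuardContainer.evtx'

function Get-ContainerAuditSummary {
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$Newest = 10
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Container audit log not found: $Path (copy the .evtx off the VHD first)"
    }
    # Get-WinEvent -Path reads a saved .evtx file rather than a live channel.
    $events = @(Get-WinEvent -Path $Path -ErrorAction Stop)

    # Count events per (provider, event ID). A new pair that was not there in earlier
    # sessions is what a reviewer wants to notice first.
    $byProviderAndId = $events |
        Group-Object -Property ProviderName, Id |
        Sort-Object -Property Count -Descending |
        ForEach-Object {
            [pscustomobject]@{
                Count    = $_.Count
                Provider = $_.Values[0]
                EventId  = $_.Values[1]
            }
        }

    # Level 1 = Critical, 2 = Error, 3 = Warning.
    $problems = $events |
        Where-Object { $_.Level -in 1, 2, 3 } |
        Select-Object TimeCreated, ProviderName, Id, LevelDisplayName, Message

    [pscustomobject]@{
        Path            = $Path
        TotalEvents     = $events.Count
        ByProviderAndId = $byProviderAndId
        Problems        = $problems
        Newest          = $events | Select-Object -First $Newest TimeCreated, ProviderName, Id, Message
    }
}

# Usage: summarize one exported log and hand the problem events to the SIEM as CSV.
$summary = Get-ContainerAuditSummary -Path $ContainerLogPath
$summary.ByProviderAndId | Format-Table -AutoSize
$summary.Problems | Export-Csv -Path 'C:\PLACEHOLDER\container-problems.csv' -NoTypeInformation
```

Because the container is discarded at logoff, the export step is the part that matters operationally: anything not copied out of the VHD before the session ends is gone.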
Prepare, deploy, and enable!
1. Install: Turn Windows features on or off, or PowerShell (covers SCCM, MDT, etc.)
2. Configure: Group Policies (ADMX), System Center Configuration Manager, Microsoft Intune
3. Enable: Group Policies (ADMX), System Center Configuration Manager, Microsoft Intune
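The client requirements slide lists a 64-bit CPU with virtualization extensions enabled in firmware, 8 GB RAM recommended, and the Windows 10 Fall Creators Update; the install step says the feature can be turned on with PowerShell. The script below is an added example written for this page, not code from the presentation or from Microsoft, that checks those prerequisites and then enables the optional feature. The DISM cmdlets and the feature name Windows-Defender-ApplicationGuard are real; the build number 16299 for the Fall Creators Update and the edition check (the takeaways slide says Windows 10 Enterprise) are facts added here, not values from the slides.

```powershell
# Added example: prerequisite check and feature enablement for Application Guard.
# Not code from the presentation or from Microsoft. Run in an elevated PowerShell session.
$FallCreatorsUpdateBuild = 16299                         # Windows 10 version 1709
$FeatureName = 'Windows-Defender-ApplicationGuard'       # DISM optional-feature name

function Test-AppGuardPrerequisites {
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $cs  = Get-CimInstance -ClassName Win32_ComputerSystem
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $ramGB = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
    $build = [int]$os.BuildNumber

    # Caveat: once a hypervisor is already running, Win32_Processor may report
    # VirtualizationFirmwareEnabled as False because the hypervisor owns the extensions,
    # so either signal is accepted as evidence that virtualization is enabled.
    $hypervisorPresent = [bool]$cs.HypervisorPresent
    $virtualization = ([bool]$cpu.VirtualizationFirmwareEnabled) -or $hypervisorPresent

    @(
        [pscustomobject]@{ Check = '64-bit operating system';              Required = $true;  Pass = [Environment]::Is64BitOperatingSystem;       Detail = $os.OSArchitecture }
        [pscustomobject]@{ Check = 'CPU virtualization extensions enabled'; Required = $true;  Pass = $virtualization;                             Detail = "firmware=$($cpu.VirtualizationFirmwareEnabled) hypervisor=$hypervisorPresent" }
        [pscustomobject]@{ Check = 'RAM 8 GB or more (recommended)';        Required = $false; Pass = ($ramGB -ge 8);                              Detail = "$ramGB GB" }
        [pscustomobject]@{ Check = "Build $FallCreatorsUpdateBuild or later"; Required = $true; Pass = ($build -ge $FallCreatorsUpdateBuild);       Detail = "build $build" }
        [pscustomobject]@{ Check = 'Windows 10 Enterprise edition';         Required = $true;  Pass = ($os.Caption -like '*Enterprise*');           Detail = $os.Caption }
    )
}

function Enable-AppGuardFeature {
    $feature = Get-WindowsOptionalFeature -Online -FeatureName $FeatureName
    if ($feature.State -eq 'Enabled') {
        Write-Output "$FeatureName is already enabled"
        return
    }
    # -NoRestart leaves the reboot to the deployment tool; the feature is active after it.
    Enable-WindowsOptionalFeature -Online -FeatureName $FeatureName -NoRestart
}

$results = Test-AppGuardPrerequisites
$results | Format-Table -AutoSize
$blocking = $results | Where-Object { $_.Required -and -not $_.Pass }
if ($blocking) {
    Write-Warning ('Required prerequisite(s) failed: ' + (($blocking | ForEach-Object { $_.Check }) -join '; '))
} else {
    Enable-AppGuardFeature
}
```

The RAM check is reported but not treated as blocking, matching the slide’s wording of "recommended"; the remaining checks gate the install, which is what a deployment script run through SCCM or MDT should do before it tries to enable the feature.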
Demo: Windows Defender Application Guard enterprise mode
Windows Defender ATP integration
Adding a post-breach mindset
Pre-breach
Device protection: Device Health Attestation, Device Guard, device control, security policies
Threat resistance: SmartScreen, AppLocker, Device Guard, Windows Defender, Windows Defender Application Guard
Identity protection: built-in 2FA, account lockdown, Credential Guard, Windows Hello
Information protection: device protection and drive encryption, Windows Information Protection, conditional access
Post-breach
Breach detection, investigation and response: Windows Defender Advanced Threat Protection (ATP)
Windows Defender ATP: intelligence-driven endpoint protection, detection and response
Built into Windows 10, not bolted on: protection built deep into Windows and in the cloud provides best-in-class performance and eliminates third-party agents and complex infrastructure.
Single pane of glass and centralized management: enterprise grade, easy to enable and integrate into your environment. Enables security operations to investigate, determine the scope of an incident and take action using correlated data across the suite.
Analytics-based, cloud-powered protection and response: fusing deep OS expertise, data science and the Microsoft Intelligent Security Graph to quickly adapt to changing threats, deploy new defenses, and orchestrate remediation.
Amplified by the power of Microsoft Secure: the Windows Defender suite is a key component of the Microsoft Secure stack that brings together and amplifies security across devices, identity and information.
Defender ATP integration
Diagram: on the Windows 10 host, the host SENSE agent and a container SENSE agent collect processes, registry data, network packet data and events, together with the encrypted container files; Windows 10 service agents forward them to the Azure ATP cloud, and the SecOps console (Windows Security Center console) presents them.
Key takeaways
Windows Defender Application Guard is designed from the ground up using next-generation Hyper-V client containers
Completely isolates Microsoft Edge from the host PC using hardware-based isolation, with IE11 integration
Integrated with Windows Defender ATP for threat detection
Supports enterprise and stand-alone modes
Application Guard will change the attacker playbook
Available in Windows 10 Enterprise Edition
Coming in the Windows 10 Fall Creators Update
How can I try it?
Microsoft Technology Adoption Program (TAP): TAP is a pre-release program run by Windows engineering to obtain deep customer feedback, early and throughout the development cycle, to ensure new technology investments meet the needs of the marketplace. Interested in joining TAP? Contact
Windows Insider Program (WIP): this program is designed exclusively for people who want to be involved in the process. So if you want to help us build the best Windows yet, we want you to join us. Be first to experience the new ideas and concepts we’re building. In return, we want to know what you think. You’ll get an easy-to-use Feedback Hub app to send us your feedback, which will help guide us along the way. Interested in joining WIP? Visit
Windows Defender ATP information and trial: learn more about Windows Defender ATP here: Microsoft is offering a free 90-day trial program for Windows Defender ATP. Interested in a pilot? Visit
Please evaluate this session
PC or tablet: visit MyIgnite
Phone: download and use the Microsoft Ignite mobile app
Your input is important!