This document discusses evolving cybersecurity strategies and moving to an identity-driven security model. It argues that the traditional approach of using many separate "best of breed" security products is too complex, expensive, and slow. Instead, it recommends moving to an integrated security platform centered around identity. This platform would provide pre-integrated solutions, identity-based policies, and machine learning capabilities to detect threats faster. It also discusses leveraging cloud infrastructure and workloads for improved security through features like regular updates and an "intelligent security graph" using data from billions of signals.
"Evolving Cybersecurity Strategies" - Identity is the new security boundary
1. Identity as the New Security Boundary
Jim Bryson + Dave Dixon
Technology Solutions Professionals – Microsoft
State and Local Government Secure Enterprise
Evolving Cyber Security Strategies
2. “THE STATE OF THE STATE” IN CYBERSECURITY
Asymmetrical threat creates resource drain
You are fighting a profit-motivated, well-resourced HUMAN adversary
Public sector orgs are being explicitly targeted
Result? Half of reported security incidents are in the public sector
The cost can be enormous – $4M per breach on average (can be a lot more – see OPM)
And even if you had the money, there aren’t enough trained cyber techs to tackle the problem
CONCLUSION: Trying to solve the security problem at an individual org level with current approaches is not working and may bankrupt your organization. So what can we do differently?
Two arguments/ideas for your consideration.
3. BEGIN MOVING TO BEST OF BREED SECURITY PLATFORM
Pubsec organizations typically have upwards of 30-40 “best of breed” security vendors to manage
If they choose to integrate these, they take on significant cost and complexity
If they choose not to integrate, humans become the integration and limit response time and decision quality – i.e. attacks at Internet speed, response at human speed
Need to begin moving to a security platform that is pre-integrated, identity-driven (90+% of attacks), and policy-based to respond in Internet time
5. MOVE MORE WORKLOADS TO HYPERSCALE CLOUD
1B annual spend on cyber security – economics of running your workloads in our cloud are TRANSFORMATIONAL – pay for a “slice” rather than owning the whole thing
Reduced window of attack due to rolling updates
Platform approach – “built in, not bolt on”, integrated, automated, policy-based
Designed for mobile first, cloud first
Intelligent security graph – our most unique global asset in the fight, informed by trillions of feeds. Machine learning helps sort the signal from the noise. This signal is leveraged across all our security services
Certs AND a track record – we defend 200+ of the largest cloud services in the world, some since 1998 (Windows Update). Oh yeah, and Microsoft itself.
6. INTELLIGENT SECURITY GRAPH
Our most unique global asset in the fight, informed by trillions of feeds. Machine learning helps sort the signal from the noise. This signal is leveraged across all of Microsoft’s security services
450B monthly authentications
18+B Bing web pages scanned
750M+ Azure user accounts
Enterprise security for 90% of Fortune 500
Malware data from Windows Defender
Shared threat data from partners, researchers and law enforcement worldwide
Botnet data from Microsoft Digital Crimes Unit
1.2B devices scanned each month
400B emails analyzed
200+ global cloud consumer and commercial services
7. IDENTITY – DRIVEN SECURITY
Transition to cloud & mobility → New attack landscape → Current defenses not sufficient
Diagram labels: Identity, Devices, Apps & Data; Employees, Partners, Customers; Cloud apps, On-premises apps, SaaS, Azure; Shadow IT, Data breach, Identity breach
8. IDENTITY – DRIVEN SECURITY
Microsoft Azure connects: Web apps (Azure Active Directory Application Proxy), integrated custom apps, SaaS apps, other directories
2900+ pre-integrated popular SaaS apps and self-service integration via templates
Secure Sign-In Activity with Conditional Access, MFA, and Single Sign-On
Easily publish on-premises web apps via Application Proxy + custom apps
Pillars: Identity and Access Management; Mobile device & application management; Information protection; Desktop Virtualization
10. CLOUD-POWERED PROTECTION
Identity Protection at its best
Risk severity calculation
Remediation recommendations
Risk-based conditional access automatically protects against suspicious logins and compromised credentials
Gain insights from a consolidated view of machine learning based threat detection
Risk signals: Leaked credentials; Infected devices; Configuration vulnerabilities; Brute force attacks; Suspicious sign-in activities
Machine-Learning Engine → Risk-based policies: MFA Challenge Risky Logins; Block attacks; Change bad credentials
11. CLOUD-POWERED PROTECTION
Discover, restrict, and monitor privileged identities
Enforce on-demand, just-in-time administrative access when needed
Provides more visibility through alerts, audit reports and access reviews
Privileged roles shown: Global Administrator; Billing Administrator; Exchange Administrator; User Administrator; Password Administrator
12. IDENTITY – DRIVEN SECURITY
Microsoft Advanced Threat Analytics (ATA)
Behavioral Analytics
Detection of known malicious attacks
Detection of known security issues
On-premises detection
Cloud App Security
Behavioral analytics
Detection in the cloud
Anomaly detection
Azure Active Directory Premium
Security reporting and monitoring (access & usage)
13. Identity is the New Security
Security Features for Identity in Windows 10.
14. PROTECT FROM WITHIN
Operating system uses defense in depth to address threats that get inside the perimeter
Windows 10
15. Achieve more and transform your business with the most secure Windows ever.
Safer and more secure
Powerful, modern devices
More personal
More productive
17. Simplify access to devices and apps
Protect at the front door
Safeguard your credentials
IDENTITY & ACCESS MANAGEMENT
Prove users are authorized and secure before granting access to apps and data
18. Windows Trusted Boot
Windows Hello
Credential Guard
Device Guard
Enterprise Data Protection
Windows Defender ATP
WINDOWS 7 WINDOWS 10
19. Windows Trusted Boot
Windows Hello
Credential Guard
Device Guard
Windows Information Protection
Windows Defender ATP
WINDOWS 7 WINDOWS 10
20. Windows 10 Security on Modern Devices
(Fresh Install or upgraded from 64-bit Windows 8)
PRE-BREACH: Device protection; Threat resistance; Identity protection; Information protection
POST-BREACH: Breach detection, investigation & response
21. WINDOWS HELLO FOR BUSINESS
SECURED BY HARDWARE
USER CREDENTIAL: an asymmetric key pair, provisioned via PKI or created locally via Windows 10
Device-Based Multi-Factor
UTILIZE FAMILIAR DEVICES
22. BIOMETRIC MODALITIES
Improved security
Fingerprint and facial recognition
Ease of use
Impossible to forget
VBS support
23. PIN
Simplest implementation option
No hardware dependencies
User familiarity
Windows Hello
Higher security
Ease of use
Impossible to forget
Fingerprint, Facial, Iris
Windows Hello
Sample design, UI not final
24. IDENTITY FOR BUSINESS
A world beyond passwords with two factor authentication
PIN or Biometric plus your device (PC or Phone)
Breach, theft, and phish proof identities
Single sign-on on-prem, on the web, across sites
Sign-in to devices using Azure Active Directory
26. Typical multi-factor authentication implementations
LIMITED USE OF MFA CREATES WEAK LINKS
Diagram labels: User; UN/Password; High-value assets; Most network resources
32. TODAY’S SECURITY CHALLENGE: PASS THE HASH ATTACKS
Pass the hash attacks have gone from hypothetical to very real threats
Enables an attacker to get user access tokens using common tools like Mimikatz
Once obtained, an attacker is often able to steal additional access tokens
Enables an attacker to frequently persist even once detected
34. SOLUTION: PASS THE HASH ATTACKS
VSM uses a Hyper-V powered secure execution environment to protect NTLM tokens – you can get things in but can’t get things out
Decouples NTLM hash from logon secret
Fully randomizes and manages full-length NTLM hash to prevent brute force attack
Requires Windows 10 client and domain controller
35. CREDENTIAL GUARD
Securing your credentials
Uses built-in hypervisor
Isolates the Local Security Authority (LSA)
Blocks all insecure authentication protocols, including NTLMv1, MS-CHAPv2, and weaker Kerberos encryption types, such as DES
36. VIRTUALIZATION BASED SECURITY WINDOWS 10
Architecture diagram: Device Hardware → Hypervisor (Hyper-V) → two isolated environments side by side: the Windows Operating System (Kernel, Windows Platform Services, Apps) and the System Container (Kernel, Trustlet #1, Trustlet #2, Trustlet #3)
37. TODAY’S SOLUTION: CREDENTIAL GUARD
Pass the Hash (PtH) attacks are the #1 go-to tool for hackers. Used in nearly every major breach and APT type of attack
Credential Guard uses VBS to isolate Windows authentication from the Windows operating system
Protects LSA Service (LSASS) and derived credentials (NTLM Hash)
Fundamentally breaks derived credential theft using Mimikatz,
Architecture diagram: Device Hardware → Hypervisor (Hyper-V) → the Windows Operating System (Kernel, Windows Platform Services, Apps) alongside the System Container (Kernel, Credential Guard, Trustlet #2, Trustlet #3)
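The pass-the-hash problem on slide 32 and the Credential Guard remedy on slides 34–37 only help if Virtualization Based Security and Credential Guard are actually running on each endpoint, not merely enabled in policy. The PowerShell below is an added example, not from the deck and not Microsoft's own code: it reads the documented Win32_DeviceGuard WMI class, the LsaCfgFlags registry value that Group Policy writes, and the presence of the isolated LSA process (LsaIso.exe) to report whether Credential Guard is configured and running. The function name Get-CredentialGuardStatus and the output field names are assumptions of this example.

```powershell
# Added example (not from the slide deck): report whether Virtualization Based
# Security (VBS) and Credential Guard are running on this Windows 10 host.
# Run from an elevated PowerShell session.

function Get-CredentialGuardStatus {
    # Win32_DeviceGuard is the documented status class for VBS features.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard'

    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
    $vbsRunning = ($dg.VirtualizationBasedSecurityStatus -eq 2)

    # SecurityServicesConfigured / SecurityServicesRunning are arrays of service ids:
    # 1 = Credential Guard, 2 = HVCI (memory integrity)
    $cgConfigured = ($dg.SecurityServicesConfigured -contains 1)
    $cgRunning    = ($dg.SecurityServicesRunning    -contains 1)

    # LsaCfgFlags is the registry knob written by the Credential Guard policy:
    # 1 = enabled with UEFI lock, 2 = enabled without lock, 0/absent = not configured
    $lsaCfg = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                                -Name 'LsaCfgFlags' -ErrorAction SilentlyContinue).LsaCfgFlags

    # LsaIso.exe is the isolated LSA trustlet; it only exists while Credential Guard is active.
    $lsaIsoPresent = [bool](Get-Process -Name 'LsaIso' -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        ComputerName              = $env:COMPUTERNAME
        VbsRunning                = $vbsRunning
        CredentialGuardConfigured = $cgConfigured
        CredentialGuardRunning    = $cgRunning
        LsaCfgFlags               = $lsaCfg
        LsaIsoProcessPresent      = $lsaIsoPresent
    }
}

$status = Get-CredentialGuardStatus
$status | Format-List

# A host that is configured but not running is the case to chase: typically a missing
# UEFI/Secure Boot/virtualization prerequisite or a pending reboot after policy applied.
if ($status.CredentialGuardConfigured -and -not $status.CredentialGuardRunning) {
    Write-Warning 'Credential Guard is configured but not running; check VBS prerequisites and reboot state.'
}
elseif (-not $status.CredentialGuardRunning) {
    Write-Warning 'Credential Guard is not running: LSASS-derived secrets are not isolated by VBS on this host.'
}
```

Feeding the returned object into a fleet-wide inventory (for example via Invoke-Command across a set of hosts) gives the evidence a defender needs that the architecture on slides 36 and 37 is in effect, rather than trusting the policy setting alone.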