An overview of current cyber security concerns and ways to combat them, as well as an introduction to some of the capabilities of Azure Active Directory
3. Cyber Threats
…no longer just an IT issue.
• Average time attackers stay in a network before detection is over 200 days
• Over 75% of all network intrusions are traced back to compromised credentials
• Average cost of a data breach to a company is $3.5 million
• Estimated cost of cybercrime to the global economy is $500 billion
4. Motivations
• Enforcement of social or political points of view
• To gain long term trusted access to internal resources
• Information
• Compute power and bandwidth
• Obtain credentials for access to other services
• Extortion by means of:
  • Business systems interruption
  • Threatening individuals' privacy
  • Discrediting the organisation
5. Cyber Threats
…there are 2 types of organisations affected:
• Those that don't know it (yet)
• Those that have been breached
6. Changing nature of Cyber Attacks
Attacks and threats have grown substantially more sophisticated, frequent and severe.
In the vast majority of attacks, they compromise user credentials and use legitimate IT tools instead of malware.
We are now working under the assumption that we are already breached.
8. 5 Key Recommendations
Amit Yoran, RSA President
1. Even advanced protection can fail
2. We need pervasive and true visibility of everything
3. Identity and Authentication matter more than ever
• Don’t trust the trusted, protect them!
4. Don’t mistake a malware solution for an Advanced Threat Strategy
5. Use external Threat Intelligence Reports
9. What REALLY matters?
Brand
• Trustworthiness
• Credibility
• Accreditation
Reputation
• Availability
• Reliability
Financials
• Cost to prevent
• Cost to repair
10. What needs protection?
Identity
• Logon credentials
• Gaining trusted access
• Across all entities
Resources
• Infrastructure – admin, service, and system accounts
• High costs to repair in both time and materials
• Use MFA and education!
Information
• Privileged access to sensitive information
• DLP helps classified/controlled information
• What about the rest?
Data
• Documents at rest, in transit, or shared externally
• Encryption is the minimal level for everything
11. HOW?
Protect
• Education and vigilance is key
• Layered approach
• Technology and People
Detect
• Understand the scenarios
• Look for anomalies
• Test regularly
Analyse
• Know the scale of the problem
• Identify the potential impact
• Protect the logs and other information
Respond
• Don't react hastily, follow a plan
• Call in the experts, including the lawyers if necessary
• Communicate clearly, but securely
12. Identity Management
• Know who your people are and centralise management of Identities:
  • Administrators and trusted authorities
  • Insiders
  • Externals
• Implement good housekeeping
• Ensure training for security and privacy at all levels
• Monitor behaviours and regulate access permissions
• Implement key policies:
  • Pin locks
  • Passwords
  • Multi-Factor authentication
13. Application and Device Management
Management based on characteristics:
• Ownership
• Support/Management
• Level of trust
• Device standards and capabilities
• Location and usage scenario
14. Data Security
Enable key features where possible:
• Full drive encryption
• Data replication services
• Invest in Information Rights Management and Data Loss Prevention for the most sensitive information
17. Multi-Factor Authentication
Enable/Enforce MFA for end-users.
Will enforce App Passwords for rich clients that don't support MFA:
- Office 2013 (can preview ADAL)
- Office 2010
- Skype for Business
- OneDrive for Business
- Mail apps on smartphones
Multi-Factor Authentication for Office 365 / Azure Administrators:
- Second Factor options:
  - Mobile app (online and OTP)
  - Phone Call
  - SMS
- Application passwords
- Default Microsoft greetings
Azure AD Premium additional features:
- Fraud alert
- One-Time Bypass
- Custom greetings/caller ID
- Caching
- Trusted IPs
- MFA SDK
- Security Reports
- MFA for on-premises apps
- Block/Unblock Users
- Event Confirmation
18. Access Control Service
Enables the use of multiple IdPs to provision access to SaaS applications
• Integrated Single Sign On
• Claims-based access control
• Centralised authorization into web applications
• Google, Yahoo!, Facebook, etc.
• Available in Basic and Premium
20. Azure Rights Management
Enable control of data beyond your security boundary
• Limit access to known identities
• Monitor, track, change permissions in-flight
• Company policy templates, automated application, individual control
25. Resources
• Protecting Azure Blob Storage with Azure RMS Whitepaper
http://blogs.msdn.com/b/rms/archive/2014/05/27/protecting-azure-blob-storage-with-azure-rms-whitepaper.aspx
• Information Protection and Control (IPC) in Office 365 with Microsoft
Rights Management service (RMS) whitepaper
http://www.microsoft.com/en-us/download/confirmation.aspx?id=34768
• Official RMS Team blog
http://blogs.technet.com/b/rms/
• RMS Analyzer Tool
http://blogs.technet.com/b/rms/
26. Azure Security Center
Currently in public preview:
• Advanced Threat Analytics – global scale
• Security monitoring and auditing
• Threat detection and alerts
• Hadoop cluster ingests massive quantities of data from security feeds
• Machine Learning and Real People! (cyber security teams and partnerships)
• In partnership with the major industry security vendors
• Integrates with existing security solutions (SIEM)
27. Cloud Access Security Broker
Adallom: recently purchased by Microsoft
• Centralised AuthN/AuthZ for all cloud applications
• Agentless, flexible deployment options
• Integrated with solutions like CheckPoint, SIEM, DLP and MDM
28. Advanced Threat Analytics
Focus on what's important, fast
• Malicious attack detection
• Alerts for known security issues and risks
• Analysis for abnormal behaviour using machine learning
29. ATA: Pass-The-Hash Demo
• Our bad guy is DodgyUser; he's managed to get access to a PC and is running his tools…
• Our good guy is MarketingUser; he's logged on to this PC and is carrying out his work normally
• DodgyUser is able to enumerate all users logged on, and obtain the HASH of their password:
30. ATA: Pass-The-Hash Demo
• With this information, DodgyUser can now switch to use these credentials on any machine and perform operations as that user
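An added detection-side illustration of the anomaly the demo describes (this is example code written for this page, not part of the deck and not ATA's own logic): an NTLM network logon for MarketingUser arriving from a workstation where MarketingUser has no interactive session, but DodgyUser does. It assumes Windows Security 4624 events already parsed into dicts; the host names and events are constructed.

```python
from collections import defaultdict

# Heuristic behind the demo above: an NTLM network logon (4624, LogonType 3)
# for an account coming from a workstation where that account has no
# interactive session is a pass-the-hash candidate, more so when a
# different account does have a session on that source workstation.
INTERACTIVE_LOGON_TYPES = {2, 10, 11}  # console, RDP, cached console

# Constructed sample 4624 events (not real log data from the deck's demo);
# Computer = host that recorded the event, WorkstationName = source host.
SAMPLE_EVENTS = [
    {"Computer": "PC-MARKETING01", "TargetUserName": "MarketingUser", "WorkstationName": "PC-MARKETING01", "LogonType": 2, "AuthenticationPackageName": "Kerberos"},
    {"Computer": "FILESRV01", "TargetUserName": "MarketingUser", "WorkstationName": "PC-MARKETING01", "LogonType": 3, "AuthenticationPackageName": "NTLM"},
    {"Computer": "PC-MARKETING01", "TargetUserName": "DodgyUser", "WorkstationName": "PC-MARKETING01", "LogonType": 2, "AuthenticationPackageName": "Kerberos"},
    {"Computer": "PC-LAB07", "TargetUserName": "DodgyUser", "WorkstationName": "PC-LAB07", "LogonType": 2, "AuthenticationPackageName": "Kerberos"},
    {"Computer": "FILESRV01", "TargetUserName": "MarketingUser", "WorkstationName": "PC-LAB07", "LogonType": 3, "AuthenticationPackageName": "NTLM"},
]


def interactive_users_by_host(events):
    """Baseline: accounts with a console/RDP session on each host."""
    users = defaultdict(set)
    for e in events:
        if e["LogonType"] in INTERACTIVE_LOGON_TYPES:
            users[e["Computer"]].add(e["TargetUserName"])
    return users


def find_pth_candidates(events):
    """Alerts for NTLM network logons from a host where the account is absent."""
    baseline = interactive_users_by_host(events)
    alerts = []
    for e in events:
        if e["LogonType"] != 3 or e["AuthenticationPackageName"] != "NTLM":
            continue
        user, source = e["TargetUserName"], e["WorkstationName"]
        present = baseline.get(source, set())
        if user in present:
            continue  # account genuinely sits at that workstation: normal NTLM use
        alerts.append({"account": user, "source_host": source,
                       "target_host": e["Computer"],
                       "other_sessions_on_source": sorted(present - {user})})
    return alerts


if __name__ == "__main__":
    for alert in find_pth_candidates(SAMPLE_EVENTS):
        print(alert)
```

The second NTLM logon in the sample is not flagged because MarketingUser really has a console session on its source host; only the logon sourced from DodgyUser's PC-LAB07 produces an alert.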
34. Coming soon…
• Administrative Units
• BYO SaaS Applications
• Pwd rollover for FB, Twitter and LinkedIn
• Dynamic group membership
• Conditional Access – per app
• Privileged Identity Management
• Self-service app requests
• Azure reporting API
• Cloud Access Security Broker (Adallom?)
35. Windows 10
• 110 million activations in just 2 months!
• Deploy without re-imaging the device
• Windows Hello & BitLocker
• Registered hardware can be 2nd factor for sign-in to all services
• Separation of business and personal information
• Same experience on Phone as on Desktop
• Enterprise containerisation with Hyper-V
• Universal App Store – with employee store experience
36. Actions & Resources
• Start using MFA for all your personal accounts
• Consider security at the beginning of Solution Development
• Look for and highlight any risks or concerns at your customer
• Join the discussion on our Yammer group: Security
• Use the Cloud Roadmap diagrams to explore solutions and options
• Use this deck, works well on mobile
• Share the message, raise awareness
Layered security, protection and isolation
When we look at the way we have been building security over the last 10 years, it has been focused on a “Defence In Depth” approach: protecting assets, data and identities at multiple levels through our IT infrastructure.
This has worked well when we had control of our infrastructure and knew where the boundaries were.
Previously we only had to worry about our data centres, networks, and managed devices.
Now we have BYOD, Social Networking, Work-from-anywhere, and apps that we have little control over, or zero visibility.
The landscape has changed, and our approach to protection has to change also: we need new strategies and new tools
Some worrying facts – you might not know you are being attacked until it's already too late.
Source: https://www.microsoft.com/en-us/server-cloud/products/advanced-threat-analytics/#Fragment_Scenario2
Assume Breached – this is rapidly being adopted as the security industry standard approach – go hunting for vulnerabilities, check in on trusted solutions to ensure they are being used appropriately, and by the right people, and protect the most vulnerable accounts (those that will do the most damage if compromised).
Unfortunately the bad guys are winning, and there is no sign of the breaches reducing, only getting worse.
Unless we do something about it!
Source: Escaping Security’s Dark Ages https://www.youtube.com/watch?v=op-2Aj6Wizo
For every solution ask: “how does this really help?”
True visibility requires control over IDENTITY. Everywhere.
Focus on what is important and identify threats quicker
Brand: It takes years to build the trust, but only takes a simple mistake to break it
Reputation: doing what you say you are going to do, being predictable and reliable
Financials: Cost to prepare, or cost to repair (some pay the ransom)
To protect our most trusted identities we can deploy technologies that utilise behavioural analytics and machine learning to identify changes in behaviour and unusual activity, 24/7
We also need to deploy MFA and most importantly educate our users.
MFA is available for all Azure Administrators and all Office 365 subscription users.
When enabled for Azure AD Premium, additional functionality is available.