Securing the Digital Transformation Overview
Concurrency Security Summit presentation

Apr 12, 2017

Transcript
Page 1: Concurrency Security Summit presentation

Securing the Digital Transformation: Overview

Page 2: Concurrency Security Summit presentation

Digital Transformation Realized™

Largest Data Breaches: hacks resulting in loss of more than 30,000 records (2013, 2014, 2015, Latest). Source: Informationisbeautiful.net

[Chart residue: bubble chart of breached organizations. Legible labels: JP Morgan Chase (76,000,000), Target (70,000,000), AOL (2,400,000), Ebay, MySpace (164,000,000), Experian / T-Mobile, Anthem, Banner Health, Mail.ru (25,000,000), Linux Ubuntu forums, Clinton Campaign, Carefirst, British Airways, AshleyMadison.com, Adult Friend Finder, Dominos Pizzas (France), Evernote (50,000,000), Home Depot (56,000,000), European Central Bank, Kromtech, MSpy, Japan Airlines, Philippines’ Commission on Elections (55,000,000), Telegram, Securus Technologies, NASDAQ, Sony Pictures, Nintendo, Neiman Marcus, Staples, OVH, Scribd, US Office of Personnel Management (2nd Breach), VK (100,544,934), Vtech, UPS, Yahoo Japan, Washington State Court System, Twitch TV, Ubuntu, Wendy’s, Verizon, uTorrent, Syrian Government, Adobe (36,000,000), Central Hudson Gas & Electric, National Childbirth Trust, Hacking Team, CarPhone Warehouse, InvestBank, Community Health Services, Apple, A&B, Altegrity, MacRumours.com, Premera, LivingSocial (50,000,000), TalkTalk, US Office of Personnel Management.]

Page 3: Concurrency Security Summit presentation

Economic Impact from Cybercrime

Target: $162m; JPMorgan: $1 billion; Sony: $171m

Page 4: Concurrency Security Summit presentation

Risk Mitigation and Digital Transformation

1. The Digital Transformation is driving change in the way IT is leveraged throughout the business

2. The way IT is secured and risks mitigated within the business will also rapidly evolve as threats enter new vectors

3. The technologies for mitigating risks are a combination of longstanding best practices and modern capabilities

4. The defense against the modern (and existing) threats of the Digital Transformation starts now

Page 5: Concurrency Security Summit presentation

The Digital Transformation is driving change in the way IT is leveraged throughout the business

Page 6: Concurrency Security Summit presentation

Companies are Becoming More Digital

Enabling the customer experience with technology

Enabling partner interactions through technology

Driving efficiency in internal operations

Customers Partners Employees

Page 7: Concurrency Security Summit presentation

Transformative vs. Non-Transformative

Page 8: Concurrency Security Summit presentation

Digital Transformation

Modern Applications: IoT, Mixed Reality, Collaboration, ECM, BPM

Modern IT Management: DevOps and IT Service, Business Process Transformation, Governance

Customer Engagement: CRM, Extranets, B2B solutions

Cloud Data Center: Identity & Device Management, Cloud Integration & Management, Unified Communications

Analytics & Data: BI, SQL, Predictive Analytics, Big Data

Mobile

(Diagram labels: Secure, Secure Mobile)

Page 9: Concurrency Security Summit presentation

The way IT is secured and risks mitigated within the business will rapidly evolve as threats enter new vectors

Page 10: Concurrency Security Summit presentation

Top New Threats with Financial Impact

Customer User Database Compromise

IoT Device Compromise

Internal Identity Compromise

Confidential Data Compromise

Predictive Analytics Compromise

Source Code Compromise

Social Engineering Theft

Physical Access paired with Theft

Page 11: Concurrency Security Summit presentation

Modern Security Layers to Mitigate Risk

Network, Operating System, Identity, Application, Information, Communications, Management, Physical

Page 12: Concurrency Security Summit presentation

NIST Security Framework

Identify, Protect, Detect, Respond, Recover (the five NIST functions, arranged around the Digital Transformation)

Page 13: Concurrency Security Summit presentation

Risk Mitigation Combining Layers and NIST

Identify: Cloud threat identification

Protect: Cloud consistent protection patterns

Detect: Big data detection patterns

Respond: Automated response mechanisms

Recover: Declarative configuration

Layers: Network, Identity, Application, Information, Communications, Management, Physical, Operating System

Page 14: Concurrency Security Summit presentation

Modern Security Layers and NIST

Network

The extent to which traffic can reach the intended destination based on its qualities: being from a known source, on an appropriate port, and of certain characteristics.

Millions of hacked agents

Network boundary is everywhere

Applications are customer facing

Page 15: Concurrency Security Summit presentation

Modern Security Layers and NIST

Operating System

The extent to which the operating system is protected from attack based on its inherent flaws, as well as the extent to which it provides modern protections against modern invasive approaches.

Out-of-Date Operating Systems

Your clients are your network boundary

IoT clients, mobile, and devices exposed

Page 16: Concurrency Security Summit presentation

Modern Security Layers and NIST

Identity

The extent to which authentication to an application plays a more important role in security in the modern age, as well as what access the authenticated person has based on role-based access control.

Weak passwords everywhere

Applications not properly identity secured

Brute force techniques increasing in capability

Page 17: Concurrency Security Summit presentation

Modern Security Layers and NIST

Application

The security of the application itself, as tested and written using patterns and practices which mitigate known threats and attack vectors.

Applications using APIs and features with known flaws

Interaction between application components

Boundary security flaws on endpoint

Page 18: Concurrency Security Summit presentation

Modern Security Layers and NIST

Information

The extent to which documents and data are protected regardless of location and are controlled based on their qualities.

Confidential information is widely accessible

Secure content is used to gain other content

Users who “should” have access change

Page 19: Concurrency Security Summit presentation

Modern Security Layers and NIST

Management

The extent to which management tools have evolved to address modern threats which require analysis and response exceeding manual effort. These scenarios look more like “big data” and machine learning scenarios than the manual reviews and responses that traditional security practices employed.


Breadth of threats exceeds human capabilities

Response needs are immediate

Employees not properly trained

Page 20: Concurrency Security Summit presentation

Modern Security Layers and NIST

Communications

The extent to which application communications (or even personal communications) are protected and private based on identity and application qualities.

No assurance that the network is secured

Modern devices are connected to the internet

Pass-the-Hash, Password Extraction


Page 21: Concurrency Security Summit presentation

The technologies for mitigating risks are a combination of longstanding best practices and modern capabilities

Page 22: Concurrency Security Summit presentation

NIST CSF to Category / Microsoft technology map

Mapping in Technology Solutions: Protect (PR)

Data Security (PR.DS): Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information.

PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition

PR.DS-4: Adequate capacity to ensure availability is maintained

Cloud Datacenter: Operations Management Suite & System Center; Modern IT Management

PR.DS-5: Protections against data leaks are implemented

Customer Enablement: Enterprise Mobility Suite; Cloud Datacenter: Operations Management Suite & System Center; Modern IT Management: Azure Resource Management Standards; Office365

Office365

PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity

Customer Enablement: Enterprise Mobility Suite; Modern IT Management: Operations Management Suite & System Center

PR.DS-7: The development and testing environment(s) are separate from the production environment

Cloud Datacenter: Azure Resource Management Standards; Modern IT Management: Visual Studio Team Services

PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained

Modern IT Management: Operations Management Suite & System Center; ServiceNow

PR.IP-2: A System Development Life Cycle to manage systems is implemented

Modern IT Management: Visual Studio Team Services; Operations Management Suite & System Center; ServiceNow

Page 23: Concurrency Security Summit presentation

Tool Categories and Mapping

ServiceNow Operations Management Suite

Visual Studio Team Services

Azure Machine Learning

Modern Service Management Platform

Modern Operational and Automation Platform

Modern Development Platform

Predictive Analytics

Page 24: Concurrency Security Summit presentation

Tool Categories and Mapping

Enterprise Mobility + Security Suite

Office365

Dynamics 365

Azure Platform as a Service

Azure Cloud Platform, Windows Server

Azure Stack

Windows 10

Microsoft IoT Platform

Client Management Platform

Collaboration and Business Process Platform

Cloud Platform

End User Computing Platform

Page 25: Concurrency Security Summit presentation

Anatomy of Attacks and Defense

[Diagram: Anatomy of Attacks and Defense. Components shown: ServiceNow, Dynamics, Power BI, System Center, SCCM, MIM, ATA, Azure Stack, VMware, Network, EMS, OMS, VSTS, Azure ML, IoT Suite. Flows labelled: Log Data, Log Data/IDS, Inventory, Automation, ARM + DSC Code.]

Page 26: Concurrency Security Summit presentation

Demo

Page 27: Concurrency Security Summit presentation

The defense against the modern threats of the Digital Transformation starts now

Page 28: Concurrency Security Summit presentation

Steps to Starting Out

First: Admit that you can do better

Second: Know that you can always do better

Then: Make a plan for addressing the security threats that are most relevant based on risk and financial impact

Page 29: Concurrency Security Summit presentation

Who Do You Want to Be?

Disorganized, Hidden, Unprepared

Organized, Transparent, Prepared

Page 30: Concurrency Security Summit presentation

Get Specific with Assessments

Discover / Assess

Columns: ID, System, Owner, Business Process, Hardware Product, Software Product, Configuration, Threat, Vulnerability, Controls, Impact (Low-Med-High), Complexity (Low-Med-High), Risk (Low-Med-High), Priority

00001 Workstations and Servers Denise Smith X Privilege Escalation Local Administrators LAPS High Low High 1

00002 Active Directory Qiong Wu X Unauthorized Use Privileged Accounts MIM PAM Med Med Low 4

00003 Workstations and Servers Naoki Sato X Code Execution Patching SCCM X Med Med 3

00004 Business Culture Daniel Roth X Social Engineering Phishing KnowBe4 High Low High 2

00005 WiFi Andrea Dunker X Unauthorized Use Pre-shared Key 802.1X Low High Med 5

00006 Workstations and Servers Eric Gruber X Business Data Loss Malicious Software Device Guard High High Med 6

Page 31: Concurrency Security Summit presentation

Concurrency’s Engagements

Plan and Design: Review, assess and make a plan, strategic and tactical, working with CISO

Execution: Address threats through targeted process improvements, technologies, and education

Continuous Improvement: Develop a backlog and keep improving the security state

Page 32: Concurrency Security Summit presentation

Key points

1. Understand that security is not something to procrastinate on

2. Leverage NIST CSF to develop a prioritized plan

3. Address key operating system and identity threats first

4. Don’t underestimate the importance of a security management platform

Page 33: Concurrency Security Summit presentation

Digging into the Details

Presentations on individual scenarios for the Digital Transformation, including:

Securing the Client to Application Threat: Part 1

Securing the Client to Application Threat: Part 2

Securing Content and Communications

You will have access to the NIST to Technology Mapping, the whitepaper, and this presentation through a follow-up call

Page 34: Concurrency Security Summit presentation

Part 1: Securing the Client

An Employee, their Laptop and a Hacker walk into a Bar…

Page 35: Concurrency Security Summit presentation

What do you think?

“We are not an appealing target for attackers, I’m probably fine.”

“I couldn’t stop them anyway.”

“An attacker would need to get someone’s password to start hacking on us.”

“Breaking into our Network would require an experienced and sophisticated attacker.”

Page 36: Concurrency Security Summit presentation

Attack Methods in this Demo

I’m using some of the laziest methods
− They are easy to demo and understand

Much better methods and tools are available
− They are easy to use, but might feel abstract

Page 37: Concurrency Security Summit presentation

Attack Pyramid

Entry / Recon & Movement / End Goal / Exfiltration

Page 38: Concurrency Security Summit presentation

Attack Plan

Page 39: Concurrency Security Summit presentation

What could have stopped that?

BitLocker
Would have prevented access to the file system
Is built-in to Windows Enterprise/Pro Edition
Manage with GPO, MBAM, AAD Join / Intune
− “InstantGo” capable devices (aka Connected Standby)
− Microsoft Surface/Book, Lenovo ThinkPad, Dell Venue

Page 40: Concurrency Security Summit presentation

Conditional Access

Single Sign On

Enterprise State Roaming

MDM Registration / Intune

New Intune Portal!

Azure AD Join / Domain Join++

Page 41: Concurrency Security Summit presentation

What else could have happened?

Social Engineering
Walk-up Access in office
Phishing with Macros
Remote Command and Control

Page 42: Concurrency Security Summit presentation

Let’s go Phishing

Page 43: Concurrency Security Summit presentation

What could have stopped that?

Macro Security settings
GPO to “Disable all except digitally signed”
GPO for Trust Center/Trusted Locations
Client Activity Analysis with Defender ATP
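As an added example (not from the deck), a PowerShell check of the macro policy a client should be receiving from the GPOs above: the VBAWarnings value, the block-macros-from-internet value, and any Trusted Locations that would exempt files from it. The Office version string 16.0 is an assumption; the registry paths and value meanings are the documented Office policy settings.

```powershell
# Added defender-side audit (example code, not from the Concurrency deck).
# Reports the effective Group Policy macro settings for the current user so a
# client can be verified against the "Disable all except digitally signed" and
# Trust Center / Trusted Locations GPOs the slide recommends.

$OfficeVersion = '16.0'                        # assumption: Office 2016 policy key
$Applications  = 'Word', 'Excel', 'PowerPoint'

# Documented meaning of the VBAWarnings policy value
$VbaWarningsMeaning = @{
    1 = 'Enable all macros'
    2 = 'Disable all with notification'
    3 = 'Disable all except digitally signed macros'
    4 = 'Disable all without notification'
}

function Get-MacroPolicyReport {
    param(
        [string]$Version = $OfficeVersion,
        [string[]]$Apps  = $Applications
    )
    foreach ($app in $Apps) {
        $policyKey  = "HKCU:\Software\Policies\Microsoft\Office\$Version\$app\Security"
        $trustedKey = Join-Path $policyKey 'Trusted Locations'

        $sec           = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
        $vba           = $sec.VBAWarnings
        $blockInternet = $sec.blockcontentexecutionfrominternet

        # Trusted Locations exempt files from the macro setting entirely, so every
        # configured location is exposure unless policy disables them all.
        $locations = @()
        if (Test-Path $trustedKey) {
            $locations = @(Get-ChildItem -Path $trustedKey | ForEach-Object {
                (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).Path
            } | Where-Object { $_ })
        }
        $allDisabled = (Get-ItemProperty -Path $trustedKey -ErrorAction SilentlyContinue).AllLocationsDisabled -eq 1

        $signedOnly = ($vba -eq 3 -or $vba -eq 4)
        [pscustomobject]@{
            Application          = $app
            VBAWarnings          = $vba
            Meaning              = if ($null -ne $vba) { $VbaWarningsMeaning[[int]$vba] }
                                   else { 'Not set by policy (user-controlled)' }
            BlocksInternetMacros = ($blockInternet -eq 1)
            TrustedLocations     = $locations.Count
            Finding              = if (-not $signedOnly) { 'Macro policy not enforced' }
                                   elseif ($locations.Count -gt 0 -and -not $allDisabled) {
                                       'Signed-only enforced, but Trusted Locations bypass it' }
                                   else { 'OK' }
        }
    }
}

Get-MacroPolicyReport | Format-Table -AutoSize
```

Run it in the user context that receives the GPO; a machine where Word reports "Not set by policy" is one where the user can still lower the macro setting themselves.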

Page 44: Concurrency Security Summit presentation

What’s on this Laptop?

Page 45: Concurrency Security Summit presentation

What could have stopped that?

BitLocker (indirectly)
− Encrypts the file system, not files
Azure Information Protection (Azure RMS)
− Encrypts individual files by user action*
Windows Information Protection (WIP, prev. EDP)
− Encrypts “Enterprise Data” by device policy

Page 46: Concurrency Security Summit presentation

Where’s the Network?

Page 47: Concurrency Security Summit presentation

What could have stopped that?

Local Admins can export Wifi Profiles
Exports any network saved by any user
Also exports client-side certificates
− Ensure the cert private key is not Exportable
− Consider using RADIUS authentication
Consider managing Wifi settings with GPO/MDM

Page 48: Concurrency Security Summit presentation

Attack Pyramid

Entry / Recon & Movement / End Goal / Exfiltration

Page 49: Concurrency Security Summit presentation

Part 2: Securing the Servers

Page 50: Concurrency Security Summit presentation

Attack Plan

Page 51: Concurrency Security Summit presentation

What could have stopped that?

LAPS / Better Passwords
− Generate and Rotate STRONG Local Admin Passwords
Device Guard / AppLocker (for non-admins)
− Prevent running unsigned applications (mimikatz)
Credential Guard
− Prevent dumping hashes
Advanced Threat Analytics
− Detected machine account querying AD

Page 52: Concurrency Security Summit presentation

What could have stopped that?

LAPS
− Randomize and Change STRONG Local Admin Passwords
Windows Firewall
− Block RDP / Disable RDP, allow trusted sources
Group Policy
− Prevent Remote Use of Local Accounts
Network Segmentation
− Separate Client and Server networks with ACLs
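As an added example (not part of the deck), a PowerShell audit for two of the server controls above on the local host: RDP exposure through the Windows Firewall, and the "Prevent Remote Use of Local Accounts" user-rights assignment. The well-known SIDs S-1-5-113 / S-1-5-114 and the secedit export format are documented Windows behaviour; the temporary file path is an assumption.

```powershell
# Added defender-side audit (example code, not from the Concurrency deck).
# Checks the slide's "Windows Firewall" and "Group Policy" controls on this host.
# Run elevated: secedit and the firewall queries need local administrator rights.

function Get-RdpExposure {
    # fDenyTSConnections = 1 means Remote Desktop is disabled entirely.
    $ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpDisabled = ($ts.fDenyTSConnections -eq 1)

    # Enabled inbound allow rules in the built-in "Remote Desktop" group.
    $rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
        Where-Object { $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' }

    # A RemoteAddress scope of 'Any' accepts RDP from the whole client network,
    # which is the client-to-server path the slide wants blocked or restricted.
    $openToAny = foreach ($rule in $rules) {
        $scope = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
        if ($scope -contains 'Any') { $rule.DisplayName }
    }
    $openToAny = @($openToAny)

    [pscustomobject]@{
        RdpDisabled         = $rdpDisabled
        EnabledInboundRules = @($rules).Count
        RulesOpenToAny      = $openToAny
        Finding             = if ($rdpDisabled) { 'OK: RDP disabled' }
                              elseif ($openToAny.Count -eq 0) { 'OK: RDP limited to trusted sources' }
                              else { 'RDP allowed from any address' }
    }
}

function Get-LocalAccountRemoteLogonPolicy {
    # secedit writes the effective user-rights policy as an INI-style file in
    # which SIDs carry a leading '*', e.g.  SeDenyNetworkLogonRight = *S-1-5-114
    $cfg = Join-Path $env:TEMP 'user-rights-audit.inf'    # path is an assumption
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $policy = Get-Content -Path $cfg -Raw
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue

    function Test-RightHasSid([string]$Right, [string]$Sid) {
        $m = [regex]::Match($policy, "(?m)^$Right\s*=\s*(.*)$")
        if (-not $m.Success) { return $false }
        $entries = $m.Groups[1].Value -split ',' | ForEach-Object { $_.Trim() }
        return ($entries -contains "*$Sid")
    }

    # S-1-5-113 = "Local account"; S-1-5-114 = "Local account and member of
    # Administrators group". Denying these the network and RDP logon rights is
    # the GPO form of "Prevent Remote Use of Local Accounts".
    $netLocalAdmins = Test-RightHasSid 'SeDenyNetworkLogonRight' 'S-1-5-114'
    $netAllLocal    = Test-RightHasSid 'SeDenyNetworkLogonRight' 'S-1-5-113'
    $rdpLocalAdmins = Test-RightHasSid 'SeDenyRemoteInteractiveLogonRight' 'S-1-5-114'

    [pscustomobject]@{
        DenyNetworkLogon_LocalAdmins = $netLocalAdmins
        DenyNetworkLogon_AllLocal    = $netAllLocal
        DenyRdpLogon_LocalAdmins     = $rdpLocalAdmins
        Finding = if ($netLocalAdmins -and $rdpLocalAdmins) { 'OK: local admins cannot log on remotely' }
                  else { 'Local admin accounts usable over the network (pass-the-hash path)' }
    }
}

Get-RdpExposure | Format-List
Get-LocalAccountRemoteLogonPolicy | Format-List
```

Pair the output with LAPS: a denied remote logon limits what a stolen local hash is worth, while LAPS keeps that hash from being the same on every server.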

Page 53: Concurrency Security Summit presentation

What’s on this Server?

Page 54: Concurrency Security Summit presentation

What could have stopped that?

Group Managed Service Accounts
− Passwords managed by Machines, not saved in registry
Device Guard / AppLocker
− Prevent running unsigned applications
GPO / Access Control
− Prevent Service Accounts from logging in remotely
Monitor with OMS / SysMon

Page 55: Concurrency Security Summit presentation

Attack Pyramid

Entry / Recon & Movement / End Goal / Exfiltration

Page 56: Concurrency Security Summit presentation

@MrShannonFritz

Attack Plan

Page 57: Concurrency Security Summit presentation

Stealing AD from the Shadows

Page 58: Concurrency Security Summit presentation

What could have stopped that?

Network Segmentation
− Restrict network access to the DCs
GPO / Access Control
− Prevent non-Domain Admins from logging in to DCs
− Prevent Domain Admin accounts from being used on non-DCs
Isolation / Protection
− Restrict access to the DCs’ physical / virtual hardware

Page 59: Concurrency Security Summit presentation

Attack Plan

Page 60: Concurrency Security Summit presentation

Attack Mitigation Plan

Attacks shown: stickykeys hijack, remote shell macro, data theft, wifi psk dump, reconnaissance, rdp, vss copy ntds.dit, service secrets, skeleton key, krbtgt golden ticket

Mitigations shown: bitlocker, macro security gpo, azure rms, wip, certificate wifi, defender atp, gpo, aad join / intune, ata, gmsa, device guard, isolation, gpo / dsc, oms / sysmon

Page 61: Concurrency Security Summit presentation

NIST Cybersecurity Framework Core

Microsoft and 3rd Party Products, by NIST function:

Identify (Asset Inventory, Patches and Updates, Risk Management, Policies): OMS (Operations Management Suite), SC Operations Mgr, SC Configuration Mgr, SC Service Manager, Intune, Cloud App Security, ServiceNOW

Protect (Credentials & Identity, Network Access, User Training, Data Security, Baseline Configuration): MIM (Identity Mgr), MIM PAM, AAD Premium / PIM, Azure MFA, Intune Conditional Access, Azure App Proxy, BitLocker, Office 365 ATP, OMS

Detect (Nefarious Activity, Malicious Code, Unauthorized Users, Unauthorized Devices, External Services): Advanced Threat Analytics, OMS, Azure AD Premium, Defender ATP, Cloud App Security, O365 Compliance Cntr, Lookout App Security

Respond (Investigations, Forensics, Incidents, Containment, Public Relations): OMS, SC Service Manager, ServiceNOW

Recover (Business Continuity, Communications): Hyper-V Storage Replica, DFS, OneDrive for Business, OMS: Site Recovery, SC DPM, Veeam, ServiceNOW

Page 62: Concurrency Security Summit presentation

Acknowledgements / Learn More

Sami Laiho – wioski.com

Sean Metcalf – adsecurity.org

Rob Fuller – mubix, room362.com, hak5

Paula Januszkiewicz – cqureacademy.com

Robert Reif – cynosure prime password research

Michael Goetzman – cyphercon.com

Marcus Murray & Hasain Alshakarti – Truesec

Troy Hunt – haveibeenpwned.com, troyhunt.com

Page 63: Concurrency Security Summit presentation

Securing Content and Communication

Page 64: Concurrency Security Summit presentation

Securing Content and Communication

Review of security issues with content and communications scenarios and live review of example

Review of technologies to protect content and communications scenarios and live review of example

How to get started with protecting content and communications scenarios through both policy and technology

Page 65: Concurrency Security Summit presentation

Data protection realities

87% of senior managers admit to regularly uploading work files to a personal email or cloud account.*

58% have accidentally sent sensitive information to the wrong person.*

? % – Focus is placed on data leak prevention for personal devices, while the issue is ignored on corporate owned devices where the risks are the same

Page 66: Concurrency Security Summit presentation

Security Issues with Content and Communications

Confidential content is everywhere

Content needs to be shared, despite its security status

Certain locations should never access content

Content is shared when not intended to be

Page 67: Concurrency Security Summit presentation

Modern Content Security Needs

Protect various content types

Protect in-place and in-flight

Share with anyone securely

Important applications and services are enlightened

Meet varied organizational needs

Protect everywhere and layer security

Page 68: Concurrency Security Summit presentation

Technical Solution Layers Applied

Network • Location Awareness for Office365 w/ MFA

Application • Office365 applies Azure Information Protection

Information • Azure Information Protection

Operating System • Local Bitlocker Encryption

Identity • EM+S with Azure Active Directory Platform

Management • Operations Management Suite (OMS), Enterprise Mobility + Security, ServiceNow

Page 69: Concurrency Security Summit presentation

Steps to Starting Out

Define corporate content types and scenarios based on business use cases and organizational policies

Build rights management policies based on defined business requirements

Incrementally roll out location awareness and Azure Information Protection based on the defined rights management policies and business requirements

Page 70: Concurrency Security Summit presentation

Concurrency’s engagements

Plan and Design: Review, assess and make a plan, strategic and tactical, working with CISO

Execution: Address threats through targeted process improvements, technologies, and education

Continuous improvement: Develop a backlog and keep improving the security state

Page 71: Concurrency Security Summit presentation

Thank you!