Microsoft CISO Workshop - PowerPoint Presentation

Uploaded by cheryl-pisano on 2019-12-17


Microsoft CISO Workshop 3: Identity and Access Management. Microsoft Cybersecurity Solutions Group. CISO workshop objective: learn how Microsoft can help you achieve your cybersecurity goals. ID: 770749



Presentation Transcript

Microsoft CISO Workshop 3 - Identity and Access Management
Microsoft Cybersecurity Solutions Group

Microsoft CISO workshop
CISO WORKSHOP OBJECTIVE: Learn how Microsoft can help you achieve your cybersecurity goals
Agenda: Kickoff and introduction; Lunch; Your strategy; Identity and access management; Threat protection; Information protection; Joint planning
Security management learnings and principles: (A) Identify-Protect; (B) Detect-Respond-Recover
Typical stakeholders: Identity Security Architects; Identity Architects; Identity Operations Teams; Collaboration/Productivity Lead

Identity and Access Management
Context: Identity Perimeter; History & Use Cases; Accounts & Passwords; Identity Systems; Trends and Challenges; Cost of Attack
A Complete Strategy: 3rd party Account Risk; Retiring Passwords; Account Security; Building an Identity Perimeter; Customer Identities (B2C); Partner Access to Corporate Resources (B2B); Identity System Security

Evolution of IT, threats, and Microsoft Identity security
INFORMATION TECHNOLOGY: Mainframes + PCs + Cloud + Internet of Things (IoT) + Datacenters + Mobile Devices
IDENTITY AND ACCESS TRENDS: Local Identities; Enterprise Single Sign On + 2 factor authentication; Hybrid and Federated Cloud Identity. Threats along the way: Widespread Password Weakness and Re-use; Credential Theft Attacks; Mass Password Compromises
MICROSOFT IDENTITY APPROACH: Windows NT Domains + Enterprise Active Directory + Smartcard Authentication + Azure Active Directory + Passwordless Authentication + Hardware Credential Isolation

Trends and challenges
- Attackers using identity to bypass network controls
  - Phishing allows attackers to impersonate valid user identities
  - Credential theft allows attackers to expand access by impersonating identities
- Passwords aren't enough to protect identities
  - Single factor authentication (passwords) without context isn't enough assurance
  - Attacks on credentials circumvent software assurances (without hardware isolation)
- Identities being used outside the network
  - Cloud, mobile, and IoT assets are frequently beyond reach of enterprise firewalls
  - Identity and access controls are inconsistent across different cloud services and devices

Disrupt Attacker ROI: Prioritize investments to maximize impact
Defender Investment: Security budget; Team time/attention
Defender Return: Ruin attacker ROI; Deters opportunistic attacks; Slows or stops determined attacks
Security Return on Investment (SROI): Prioritizing defense can rapidly raise attacker cost & friction
Attacker Investment: Increase attack friction & cost
Attacker Return: Successful monetization; Rapid detection and response drives down predictability and quantity of return

Identity and access management (diagram): Identity Perimeter around Identity Systems (LDAP), Infrastructure, Applications, and Devices; Accounts: Standard Users, Privileged Administrators, Partner/B2B, Customer/B2C

Securing identity systems
- Critical Security Dependency: almost everything depends on their integrity (email, data, applications, infrastructure, etc.)
- Most major breaches target identity systems to get rapid access/control of data and applications. Attack is now automated (Death Star | GoFetch)
- Harden to Highest Security Standards: invest in people, process, and technology to provide best protection and rapid detection and response. http://aka.ms/securitystandards
- Accelerate your credential theft defenses: free technical guidance http://aka.ms/SPAroadmap; professional services http://aka.ms/cyber-services
Diagram labels: Identity Systems; LDAP; Privileged Administrators

Account security: success factors to increase attack cost
- Great experience: for users, identity managers, and security; Single Identity and Single Sign On (SSO)
- Strong assurances: additional factors like biometrics and others; increase context in authentication/authorization decisions (time, date, geolocation; device integrity and compliance; known bad sources from threat intelligence; behavior analytics to understand the normal profile for that user/entity); hardware assurance for credentials stored on devices
- Flexible Access Levels: allow for low risk; increase assurance (add MFA) based on risk factors; decrease access (block download) based on risk factors; force remediation for high risks (compromised devices and accounts)
Diagram labels: Accounts (Standard Users, Partner/B2B, Customer/B2C, Privileged Administrators); Credential Theft, Cost of Attack, Hardware Assurances; Credential Abuse, Cost of Attack, Biometrics

Approach to a Password-less World
Eliminate passwords through strong and multifactor authentication: achieve the end-user promise and achieve the security promise
1. Develop and deploy password-replacement offerings
2. Reduce user-visible password surface area
3. Transition users to using strong authentication instead of passwords
4. Eliminate passwords from the identity directory
Today:
- Windows Hello for Business: available on all Windows 10 machines today, with improvements coming in RS4 and RS5
- Microsoft Authenticator: available today across all mobile platforms; integral in corporate bootstrapping of MFA
- FIDO: Microsoft + third party

Identity perimeter: key requirement for moving to a Zero Trust model
Visibility and control across your estate: Identities; Data usage across corporate and SaaS apps; Managed and mobile devices. Reinforced by device & hardware assurances.
Diagram labels: Infrastructure; Applications; Devices; Identity perimeter

Evolution of security perimeters Physical Identity Network

Modernizing the security perimeter
Threats are persistent. The network perimeter protects against classic attacks ... but is bypassed reliably with phishing, credential theft, and data moving out of the network.
Diagram labels: Unmanaged Devices; Network Perimeter; Office 365; Approved Cloud Services; Shadow IT; Resources; Identity Perimeter?
Critical to build a modern security perimeter based on Identity:
- Identity and Access Management: strong authentication + monitoring and enforcement of policies
- Strength from Hardware & Intelligence: auth & access should consider device status, compromised credentials, & other threat intelligence

VISIBILITY AND CONTROL AT THE PERIMETER
Identity perimeter (conditional access):
- User: Role; Group
- Device: Config; Location; Last Sign-in; Health/Integrity; Client; Config; Last seen
- Conditional access risk: High / Medium / Low
- Authentication
- Actions: Allow; Allow Restricted; Require MFA; Block; Force Remediation
Network perimeter:
- Firewall; Intrusion Detection/Prevention; Forward/Reverse Proxy
- Source: IP Address/Port; Destination: IP Address/Port
- Signatures; Analytics; Allow List; Intranet Resources
- Actions: Allow; Block
- Device Write Notes

Conditional Access Example
User: Role: Sales Account Representative; Group: London Users
Device: Windows; Config: Corp Proxy; Location: London, UK; Last Sign-in: 5 hrs ago
Office resource: Sensitivity: Medium
Conditional access risk: High (scale: High / Medium / Low)
Current sign-in: Health: Device compromised; Client: Browser; Config: Anonymous; Last seen: Asia
Risk signals: Anonymous IP; Unfamiliar sign-in location for this user; Malicious activity detected on device
Decision: Block access; Force threat remediation
For insights into password spray and other modern attack patterns, see https://channel9.msdn.com/events/Ignite/Microsoft-Ignite-Orlando-2017/BRK3016
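As an added example (not code from the workshop deck or from Azure AD), a small Python evaluator that encodes the decision walked through above: it scores the slide's sign-in signals (anonymous IP, unfamiliar location, compromised device, client type, resource sensitivity) into the High / Medium / Low scale and maps the result onto the slide's action set (Allow, Allow Restricted, Require MFA, Block, Force Remediation). The field names, weights and thresholds are assumptions chosen for illustration, not Microsoft's scoring.

```python
from dataclasses import dataclass
from typing import List

@dataclass
class SignIn:
    """Context signals the slide's conditional access policy looks at."""
    client: str                  # "Browser" or "Managed app" (assumed labels)
    location: str                # where this sign-in is coming from
    familiar_locations: List[str]
    anonymous_ip: bool           # sign-in arrives via an anonymizing network
    device_compromised: bool     # malicious activity detected on device
    device_compliant: bool       # device meets config/integrity policy
    resource_sensitivity: str    # "Low" | "Medium" | "High"

def risk_level(s: SignIn) -> str:
    """Combine the signals into the slide's High / Medium / Low scale.
    Weights are assumptions for illustration, not Azure AD's scoring."""
    points = 0
    if s.device_compromised:
        points += 3   # a compromised device is decisive on its own
    if s.anonymous_ip:
        points += 2
    if s.location not in s.familiar_locations:
        points += 1   # unfamiliar sign-in location for this user
    if not s.device_compliant:
        points += 1
    return "High" if points >= 3 else "Medium" if points >= 1 else "Low"

def decide(s: SignIn) -> List[str]:
    """Map risk onto the slide's actions: Allow, Allow Restricted,
    Require MFA, Block, Force Remediation."""
    level = risk_level(s)
    if level == "High":
        actions = ["Block"]
        if s.device_compromised:
            actions.append("Force Remediation")  # clean the device before retry
        return actions
    if level == "Medium":
        actions = ["Require MFA"]                # step up assurance
        # keep non-public data off unmanaged clients (e.g. block download)
        if s.resource_sensitivity != "Low" and (s.client == "Browser" or not s.device_compliant):
            actions.append("Allow Restricted")
        return actions
    return ["Allow"]

# Constructed sample reproducing the slide's walkthrough
SLIDE_EXAMPLE = SignIn(client="Browser", location="Asia", familiar_locations=["London, UK"],
                       anonymous_ip=True, device_compromised=True, device_compliant=False,
                       resource_sensitivity="Medium")
```

For the slide's scenario `decide(SLIDE_EXAMPLE)` yields Block plus Force Remediation; the same user signing in from London on a compliant managed device yields Allow.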

Identity and Access Management Use Cases
Use cases: Remote access to on-premises apps; Azure AD Connect; SSO to SaaS; Access Panel/MyApps; Self-service capabilities; B2B collaboration; Dynamic Groups; Office 365 App Launcher; Conditional Access; Multi-Factor Authentication; SharePoint Online & Office 365 apps
Use case 3: "I need my customers and partners to access the apps they need from everywhere and collaborate seamlessly"
- Assign B2B users access to any app or service your organization owns
- Add B2B users with accounts in other Azure AD organizations
- Add B2B users with MSA, Google, or other identity provider accounts (Other Identity Providers*, Google ID*, Microsoft Account)
Diagram labels: Microsoft Azure Active Directory; Other organizations; On-premises

Azure Active Directory B2C
- Securely authenticate customers with their preferred identity provider
- Provide branded registration and login experiences
- Capture login, preference, and conversion data for customers
Diagram labels: Apps; Analytics; CRM and Marketing Automation; Business; Social IDs; Business & Government IDs; contoso; Customers; Azure AD B2C

Identity and access management: summary
- Accounts: Great experience; Strong assurances of identity; Policy control and response
- Identity perimeter: Visibility and control across your estate: Identities; Sensitive data usage; Corporate and SaaS applications; Managed and mobile devices
- Identity systems: Critical dependency for most or all security assurances; Harden to highest security standards

Questions?

Reference

- Azure AD and ADFS best practices: https://cloudblogs.microsoft.com/enterprisemobility/2018/03/05/azure-ad-and-adfs-best-practices-defending-against-password-spray-attacks/
- Microsoft Password Guidance: https://aka.ms/passwordguidance
- NIST Updated Password Guidance
- Ignite Session: Azure Active Directory risk-based identity protection: https://channel9.msdn.com/events/Ignite/Microsoft-Ignite-Orlando-2017/BRK3016
Additional Resources

Increasing attack cost: User credential theft
Attack options:
- Zero Touch: Public password compromise
- Low Touch: Phishing email (a. fake credential site; b. script to steal credential)
- High Touch Operation: Compromise trusted device(s) via spearphishing → malware, or phishing → lateral traversal → malware
Defenses:
- Leaked credential detection and forced password reset
- a. Office 365 ATP; Windows Defender SmartScreen
- b. Hardware credential isolation: Credential Guard; Windows Hello
- Advanced host detections: Defender ATP + Defender AV
Attack cost (slide scale): $, $$, $$$, $$ + higher risk of detection

Increasing attack cost: Abuse credentials to access cloud assets
Attack options:
- Zero Touch: Access cloud assets from any device
- Low Touch: Compromise user's mobile device; phishing → fake MFA site
- High Touch Operation: Compromise trusted device(s) via spearphishing → malware, or phishing → lateral traversal → malware
Defenses:
- Multi-factor authentication: AAD and AD / Partners
- Azure AD Identity Protection: Risky sign-ins (suspicious or anonymous IP addresses, impossible travel, unfamiliar locations, anomalous user behavior (UEBA), etc.)
- Conditional Access based on device health, trusted domain membership and/or IP address
- Anomalous user behavior (UEBA): Azure Advanced Threat Protection
- Advanced host detections: Defender ATP + Defender AV
Attack cost (slide scale): $, $$, $$$, $$ + higher risk of detection

Increasing attack cost: Abuse credentials to access on-premises assets
Attack options:
- Zero Touch: Access extranet assets or VPN from any device
- High Touch Operation: Compromise trusted device(s) via spearphishing → malware, or phishing → lateral traversal → malware
- High Touch (Partner/Supplier variation): Relay attack by compromising trusted business partners/suppliers
Defenses:
- Multi-factor authentication: Partner(s)
- Anomaly detection with SIEM: Partner(s)
- Anomalous user behavior (UEBA): Azure Advanced Threat Protection
- Advanced host detections: Defender ATP + Defender AV
Attack cost (slide scale): $, $$, $$$, $$$$, $$ + higher risk of detection

BIOMETRICS = Security and Productivity: Impossible to forget; Ease of use; Fingerprint and facial recognition; Hardware assurances (VBS)

Facial recognition protected by VBS (diagram)
Device Hardware → Hypervisor (Hyper-V)
- Windows Operating System: Kernel; Windows Platform Services; Apps
- Windows Defender System Guard: Kernel; Biometrics (Facial Only); Trustlet #2; Trustlet #3

Credential Isolation with Credential Guard
- Pass the Hash (PtH) attacks are the #1 go-to tool for hackers, used in nearly every major breach and APT type of attack
- Credential Guard uses VBS to isolate Windows authentication from the Windows operating system
- Protects the LSA Service (LSASS) and derived credentials (NTLM hash)
- Fundamentally breaks derived credential theft using Mimikatz
Diagram: Device Hardware → Hypervisor (Hyper-V)
- Windows Operating System: Kernel; Windows Platform Services; Apps
- Windows Defender System Guard: Kernel; Credential Guard; Trustlet #2; Trustlet #3