Slide 1
Microsoft Edge Security with Windows Defender Application Guard
Chas Jeffries, Principal Program Manager, Windows Enterprise and Security
Slide 2
Agenda
- Threat Landscape
- Windows Defender Application Guard Overview
- Demo
- Containers
- Q&A
Slide 3
Evolution of attacks
- Mischief: script kiddies, unsophisticated
- Fraud and theft: organized crime, more sophisticated
- Damage and disruption: nations, terror groups, activists; very sophisticated and well resourced
Slide 4
Attacks happen fast and are hard to stop
If an attacker sends an email to 100 people in your company…
…30 people will open it…
…12 people will open the attachment or click on the link…
…and all will do it within 3 minutes 45 seconds…
Source: Verizon 2016 Data Breach Investigations Report
Slide 5
Anatomy of an attack
Stages: ENTER → ESTABLISH → EXPAND → ENDGAME, spanning USER, DEVICE and NETWORK
- Enter: phishing attacks, browser or doc exploit delivery, malicious attachment delivery
- Establish: kernel exploits, kernel-mode malware
- Expand: credential theft
- Endgame: espionage, loss of IP; data theft; ransom; lost productivity; business disruption
Slide 6
Anatomy of an attack: STRONTIUM
PHISHING (USER) → Browser or Doc Exploit Execution (DEVICE) → PASS-THE-HASH (NETWORK) → ENDGAME: theft of sensitive information, disruption of government.
Sample phishing email shown on the slide:
Mon, 9 November 2015, 13:20
RE: Mission In Central African Republic
From: John Smith <defense.adviser.smith@gmail.com>
Dear Sir!
Please be advised that The Spanish Army personnel and a large number of Spanish Guardia Civil officers currently deployed in the Central African Republic (CAR) as part of the European EUFOR RCA mission will return to Spain in early March as the mission draws to a close.
Visit http://natoint.com/900117-spain-forces-conclude-mission-in-central-african-republic/ for additional info.
Best regards,
Capt. John Smith, Defence Adviser, Public Diplomacy Division NATO, Brussels
Defence.adviser.smith@gmail.com
Slide 7
Anatomy of an attack: STRONTIUM (continued)
PHISHING → Browser or Doc Exploit Execution → PASS-THE-HASH → ENDGAME: theft of sensitive information, disruption of government.
1. Land on exploit page
2. Exploit runs
3. Redirected to legitimate page
Slide 8
Normal looking website
Slide 9
Anatomy of an attack: STRONTIUM (continued)
PHISHING (USER) → Browser or Doc Exploit Execution (DEVICE) → PASS-THE-HASH (NETWORK) → ENDGAME: theft of sensitive information, disruption of government.
Slide 10
Microsoft’s security posture
- Protect: today’s cloud-first, mobile-first world demands the highest level of identity and data security
- Detect: comprehensive monitoring tools to help you spot abnormalities and respond to attacks faster
- Respond: leading response and recovery technologies plus deep consulting expertise
Slide 11
Protect / Detect / Respond feature map
- Windows 7: Trusted Platform Module (TPM), SmartScreen, BitLocker, BitLocker to Go
- Windows 10, legacy or modern devices (upgraded from Win 7 or 32-bit Windows 8): Windows Trusted Boot, Microsoft Edge, Windows Defender, Windows Hello, Companion Device Framework, Windows Information Protection, Windows Defender Advanced Threat Protection
- Windows 10, modern devices (fresh install or upgrade from 64-bit Win 8): virtualization based security, UEFI Secure Boot, Device Guard, Credential Guard, Device Encryption, security management, Conditional Access, Windows Hello biometric sensors
Slide 12
Current threat landscape: driving the need for hardware based isolation
Our research indicates that there has been a dramatic increase in kernel exploits over the past two years.
Source: MSRC and Microsoft One Protection Team
Slide 13
Traditional platform stack (top to bottom): Apps, Windows Platform Services, Kernel, Device Hardware
Slide 14
Hardware based isolation (Windows 10)
- Device Hardware
- Hypervisor
- Host: Kernel, Windows Platform Services, Apps
- System Container: Kernel, Device Guard, Credential Guard, Trustlet
Slide 15
Microsoft Edge with Windows Defender Application Guard
Moves browser sessions to an isolated, virtualized environment
Provides significantly increased protection and hardens the attacker's favorite entry point
- Device Hardware
- Hypervisor (Hyper-V)
- Host: Kernel, Windows Platform Services, Apps
- System Container: Kernel, Critical System Processes
- Application Guard container: Kernel, Windows Platform Services, Microsoft Edge
Slide 16
Application Guard Experience
Slide 17
The user receives a suspicious email and unwittingly clicks the link.
Slide 18
A new browser window appears, with window decoration and a notification that the site the user wants to open is not an enterprise site and needs to open in a container. (Screenshot: Natoint.com in the address bar)
Slide 19
A new browser window appears, with window decoration and a notification, as the user lands on the untrusted website. The malware runs and the container is infected. (Screenshot: Natoint.com in the address bar)
Slide 20
The user closes the Edge window and the session is discarded when the user logs off. (Screenshot: Natoint.com in the address bar)
Slide 21
Back on the host, all is good. The malware was not able to jump out of the container; it’s isolated to the container.
Slide 22
Demo: Windows Defender Application Guard
Slide 23
Next Generation Client Containers
Slide 24
WDAG Internals
- Enterprise client (Host): Kernel, Windows Platform Services, Hypervisor, Microsoft Edge (host browser) with a browser plug-in, Virtual Switch with a virtual switch plug-in
- Management: policy store (POLICY, SITE LIST) delivered by GP or MDM
- Container (Hypervisor Security Isolation, HVSI): Kernel, Windows Platform Services, Microsoft Edge with a browser plug-in
- Flow: notification of a new URL → the site list is read from the policy store
Slide 25
WDAG Internals (continued)
- Enterprise client (Host): Kernel, Windows Platform Services, Hypervisor, Microsoft Edge (host browser) with a browser plug-in, Virtual Switch with a virtual switch plug-in
- Management: policy store (POLICY, SITE LIST) delivered by GP or MDM
- Container (Hypervisor Security Isolation, HVSI): Kernel, Windows Platform Services, Microsoft Edge with a browser plug-in
- Flow: the site list lookup fails → the navigation is injected into the container
Slide 26
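The decision sketched on slides 24 and 25 (the host browser plug-in reports a new URL, the site list is read from the policy store, a miss sends the navigation into the container), written out as an added PowerShell example. This is not code from the deck or from Microsoft: the function names, the contoso.* entries and the leading-dot "this domain and all subdomains" rule are my own assumptions, a simplified model of the policy matching, not the product's implementation.

```powershell
# Added example (not from the deck): simplified model of the WDAG site-list
# lookup on slides 24-25. Everything below is an assumption for illustration.

# Constructed policy store entry, pipe-separated in the style of the
# "Enterprise resource domains hosted in the cloud" setting (assumed format).
$EnterpriseCloudResources = 'contoso.com|.contoso.com|contoso.sharepoint.com'

function Test-WdagEnterpriseSite {
    param(
        [Parameter(Mandatory)][string]$Url,
        [Parameter(Mandatory)][string[]]$SiteList
    )
    $uri = $null
    if (-not [System.Uri]::TryCreate($Url, [System.UriKind]::Absolute, [ref]$uri)) {
        return $false   # unparsable URL: fail closed, it goes to the container
    }
    $hostName = $uri.Host.ToLowerInvariant()
    foreach ($entry in $SiteList) {
        $e = $entry.Trim().ToLowerInvariant()
        if (-not $e) { continue }
        if ($e.StartsWith('.')) {
            # Leading dot: the domain itself and all of its subdomains (assumed semantics).
            # Matching on ".contoso.com" with the dot keeps "evilcontoso.com" and
            # "contoso.com.evil.example" out of the enterprise set.
            $bare = $e.TrimStart('.')
            if ($hostName -eq $bare -or $hostName.EndsWith($e)) { return $true }
        } elseif ($hostName -eq $e) {
            return $true   # plain entry: exact host match only
        }
    }
    return $false
}

function Resolve-WdagTarget {
    param([string]$Url, [string[]]$SiteList)
    # Enterprise site -> host browser; anything else -> Application Guard container
    if (Test-WdagEnterpriseSite -Url $Url -SiteList $SiteList) { 'Host' } else { 'Container' }
}

$siteList = $EnterpriseCloudResources -split '\|'
# Constructed sample navigations, including the lure URL from the deck and a lookalike host
$samples = @(
    'https://intranet.contoso.com/hr',
    'https://contoso.sharepoint.com/sites/finance',
    'http://natoint.com/900117-spain-forces-conclude-mission-in-central-african-republic/',
    'https://contoso.com.evil.example/login',
    'not a url'
)
foreach ($s in $samples) { '{0,-10} {1}' -f (Resolve-WdagTarget $s $siteList), $s }
```

The two edge cases worth noticing are the lookalike host, which a naive substring match on "contoso.com" would wrongly keep on the host, and the unparsable URL, which is treated as untrusted rather than trusted; both are the direction a defender wants the default to fall.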
Productivity Features: Windows Defender Application Guard
Slide 27
Clipboard
Controlled with policy, users can copy and paste plain text and graphics from the container to the host.
- Windows Defender Application Guard (container): Kernel, Windows Platform Services, Microsoft Edge, non-enterprise sites
- Windows Host OS: Kernel, Windows Platform Services, Microsoft Edge, enterprise sites
Slide 28
Printing from a container
Controlled through policy, users can print web content and documents from a container.
- Windows Host OS: Kernel, Windows Platform Services, Microsoft Edge, enterprise sites
Slide 29
Persistence of user state between sessions
The state of the container is persisted between sessions, i.e. cookies, remembered passwords, favorites and temporary files are persisted from session to session in a container using a temp VHD (HOST → VHD → VM).
Slide 30
Slide 31
WDAG Isolation – Malware Threat Mitigation
- The container provides complete isolation from the host
- Any threat inside the container is isolated through hardware based isolation
- When the user signs off the container is discarded and the threat mitigated
Slide 32
Where can I try it?
Microsoft Technology Adoption (TAP) Program
TAP is a pre-release program run by Windows engineering to obtain deep customer feedback, early and throughout the development cycle, to ensure new technology investments meet the needs of the marketplace.
Interested in joining TAP? Email osnext@microsoft.com
Microsoft Windows Insider Program (WIP)
This program is designed exclusively for people who want to be involved in the process. So if you want to help us build the best Windows yet, we want you to join us. Be first to experience the new ideas and concepts we’re building. In return, we want to know what you think. You’ll get an easy-to-use Feedback Hub app to send us your feedback, which will help guide us along the way.
Interested in joining WIP? Visit https://insider.windows.com/
Slide 33
Redstone 3 TAP
TAP is a pre-release program run by Windows engineering to obtain deep customer feedback, early and throughout the development cycle, to ensure new technology investments meet the needs of the marketplace. TAP is not a Deployment Support Program.
Criteria for participation:
- Actively deploying Windows 10
- Leading edge in adopting new technologies
- Has a long term vision on IT strategy and is willing to share
- Willing to commit resources to participate and invest in program partnership
- Willing to share feedback through Yammer
Next steps: email osnext@microsoft.com; the TAP team will follow up with your account manager.
Slide 34
Questions?
Slide 35
Slide 36
Planning and environment setup
- Windows 10 Enterprise RS3 (TAP)
- HW requirements: CPU 64-bit with virtualization extensions; RAM 4GB min, 8GB recommended
- Miscellaneous: enable CPU virtualization from BIOS
Slide 37
Planning and environment setup
1. Install: Turn Windows features on or off, or PowerShell (covers SCCM, MDT, etc.)
2. Configure: Group Policies (ADMX), System Center (Configuration Manager), Microsoft Intune
3. Enable: Group Policies (ADMX), System Center (Configuration Manager), Microsoft Intune
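The plan / install / configure steps on slides 36 and 37, together with the clipboard, printing and persistence policies on slides 27 to 29, carried through as one added PowerShell script for the PowerShell install path. This is my example, not the deck's or Microsoft's: the feature name Windows-Defender-ApplicationGuard and the Get-CimInstance properties are real, but the AppHVSI and NetworkIsolation registry value names, the numeric meanings of the clipboard and printing values, and the contoso.* site list are my assumptions and should be verified against the ADMX shipped with your build before use. Run it elevated on a Windows 10 Enterprise host.

```powershell
# Added example, not from the deck. Assumed: AppHVSI/NetworkIsolation value names
# and the numeric policy meanings (check the ADMX for your build); contoso.* is constructed.

function Test-WdagPrerequisites {
    # Slide 36: 64-bit CPU with virtualization extensions, 4 GB minimum / 8 GB recommended
    $cpu   = Get-CimInstance Win32_Processor | Select-Object -First 1
    $cs    = Get-CimInstance Win32_ComputerSystem
    $os    = Get-CimInstance Win32_OperatingSystem
    $ramGB = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)

    $checks = [ordered]@{
        '64-bit OS'                      = $os.OSArchitecture -like '64*'
        # VT-x/AMD-V enabled in firmware, or a hypervisor already running on this box
        'Virtualization extensions'      = ($cpu.VirtualizationFirmwareEnabled -or $cs.HypervisorPresent)
        'RAM >= 4 GB (8 GB recommended)' = $ramGB -ge 4
    }
    foreach ($c in $checks.GetEnumerator()) {
        '{0,-32} {1}' -f $c.Key, $(if ($c.Value) { 'OK' } else { 'FAIL' })
    }
    if ($ramGB -lt 8) { "Note: $ramGB GB RAM meets the minimum; 8 GB is recommended." }
    return -not (@($checks.Values) -contains $false)
}

function Install-Wdag {
    # Slide 37 step 1: same feature as "Turn Windows features on or off"
    $f = Get-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard
    if ($f.State -eq 'Enabled') { 'Application Guard already enabled'; return }
    Enable-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard -NoRestart
    'Application Guard enabled; restart before the container can be created.'
}

function Set-WdagPolicy {
    # Slide 37 step 2 (local registry equivalent of the ADMX policies; GP/MDM delivers these at scale)
    param(
        [Parameter(Mandatory)][string]$EnterpriseCloudResources,   # pipe-separated site list
        [ValidateSet(0, 1, 2, 3)][int]$Clipboard = 1,   # assumed: 0 off, 1 container->host, 2 host->container, 3 both
        [ValidateSet(1, 2, 3)][int]$ClipboardFileType = 3,   # assumed: 1 text, 2 images, 3 both
        [int]$Printing = 0,                              # assumed bit flags: 1 XPS, 2 PDF, 4 local, 8 network
        [switch]$AllowPersistence                        # slide 29: keep container state between sessions
    )
    $hvsi = 'HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI'                      # assumed path
    $ni   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkIsolation'     # assumed path
    foreach ($k in $hvsi, $ni) { if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null } }

    # Site list the host browser plug-in consults (slides 24-25)
    Set-ItemProperty -Path $ni -Name EnterpriseCloudResources -Value $EnterpriseCloudResources -Type String
    # Clipboard (slide 27), printing (slide 28), persistence (slide 29)
    Set-ItemProperty -Path $hvsi -Name AppHVSIClipboardSettings -Value $Clipboard         -Type DWord
    Set-ItemProperty -Path $hvsi -Name AppHVSIClipboardFileType -Value $ClipboardFileType -Type DWord
    Set-ItemProperty -Path $hvsi -Name AppHVSIPrintingSettings  -Value $Printing          -Type DWord
    Set-ItemProperty -Path $hvsi -Name AllowPersistence -Value ([int]$AllowPersistence.IsPresent) -Type DWord
    Get-ItemProperty -Path $hvsi | Format-List AppHVSI*, AllowPersistence
}

if (Test-WdagPrerequisites) {
    Install-Wdag
    # Deck defaults: plain text and graphics container->host; printing to PDF and local printers
    Set-WdagPolicy -EnterpriseCloudResources 'contoso.com|.contoso.com|contoso.sharepoint.com' `
                   -Clipboard 1 -ClipboardFileType 3 -Printing 6 -AllowPersistence
} else {
    'Prerequisites not met: enable CPU virtualization in firmware or add memory, then rerun.'
}
```

Persistence is the one setting to weigh rather than copy: the deck's slide 31 mitigation (discard the container on sign-off) is weakened when cookies, saved passwords and temporary files survive in the VHD, so enable AllowPersistence only where the productivity benefit is needed, and leave clipboard host-to-container and printing disabled unless a policy explicitly calls for them.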