TRANSCRIPT
Surviving the New IT Reality
PCIT-B211
Janwillem Kok, Enterprise Architect, Microsoft Services
Ruud van Velsen, Principal Consultant, Microsoft Services
IT has changed forever
The new IT reality requires a new mindset
Risk Based Management is key to survival
Introduction
So What Is This New Reality About?
Less Direct Control Than Ever
More Risk Than Ever
Less Control - Cloud
(Diagram: the cloud service models IaaS, PaaS and SaaS set against the layers Operating System, Application, Data, Network and Hardware, showing which layers remain under your direct control in each model.)
BYOD: Bring Your Own Disaster
Less Control - Devices
(Diagram: device layers Network, Hardware, Operating System, App and Data, with several apps on one device each holding their own data.)
More Risk, Really?
This is, in fact, the only risk to which we can lose the entire company.
Chief Risk Manager
Competitors want your Intellectual Property
Organized crime wants your money
Intel Agencies want your personal data
Terrorists want your life
Why Is This Happening?
Security is something we all love to hate
Many IT environments are close to indefensible:
(Application) patch management
Asset management
Anti-malware
Firewall rules
Code quality
Legacy hard- & software
End-user/administrator awareness & maturity
“There’s a huge gap between the threats and our protective measures to defend against those attacks.”
Khalid Kark, vice president and research director, Forrester Research Inc.
At the same time:
Attackers have learned the value of living in a connected world
They have invested deeply in security for well over a decade
Ok, So What to Do?
Start with the right assumptions:
You are a target
Your IT is, or will be, compromised
You cannot defend or control everything
Risk Based Management
High Value Assets
Business Critical Processes
Attack Scenarios
“If you protect your paper clips and diamonds with equal vigor, you’ll soon have more paper clips and fewer diamonds”
- Attributed to Dean Rusk, US Secretary of State, 1961-1969
Actors
Business Owned, IT Supported
Risk Based Decision Framework
(Diagram: for each Actor, analyse Tactics, Techniques and Procedures; Identify the High Value Assets; then Protect, Detect, Respond and Recover; compare the Current state Cyber Capabilities with the Desired state Cyber Capabilities.)
Detailed Capability Model
(Diagram, example: the attack scenario “Attack High Privilege accounts” mapped to the capabilities High Privilege Accounts, Anomaly Detection and Incident Response.)
OK, So What To Do?
Protect, Detect, Respond & Recover (shown as a cycle)
One More Thing…
No such thing as a silver bullet…
Protect
Risk Based Protection: Zoning
High Risk Data Zone: High Business Impact Data ($$$$$)
Medium Risk Data Zone: Medium Business Impact Data ($$$)
Low Risk Data Zone: Low Business Impact Data ($)
Zoning: Expected Benefits
Goal: Differentiation of controls per Zone. Benefit: Cost avoidance
Goal: Reduce risk of attack moving from one Zone to another. Benefit: Risk likelihood and impact reduction
Goal: Enable secure adoption of Cloud and Consumerization. Benefit: Business enablement
Zoning High Level Architecture
Starting point: One Open Network (Contoso.com)
1. Move the most valuable assets to a highly secure environment
2. Move the most exposed assets to a separate environment
3. Move the most vulnerable assets out of the Open Network
Resulting zones:
Office Automation: Medium/Low Risk Data (Contoso.com)
Secure Cell: High Risk Data (Secure.com)
Containment: W2K, Old Java, Test (Contain.com)
External Connect: Access Services, Internet Facing Apps (External.com)
A Note On Impact Reduction: Titanic Architecture
Bulkheads: Not strong enough, Not high enough
Zone Bulkhead Height
Basic Infrastructure: Network, Storage, Desktop, Servers, etc.
Management: Asset Management (incl. AV, patching and configuration)
Security: Identity and Access management
Application Services: e.g. LDAP, Search
Remember That Thing About Less Control?
(Diagram: an application stack of Application, Network stack, Operating System and MBI Data, once running on “Bring your own device” or Cloud alongside Other data, and once as an Internal server application; the stacks are labelled “Part of Medium Risk Zone” and “Fully isolated application”.)
Zoning Decision Tree: Example Controls
(Diagram: starting from the data classification (LBI, MBI, HBI), each layer is checked in turn with the question “Adequate?”; Yes means Done, No moves on to the next layer.)
Data Protection: Encryption (e.g. RMS)
Application Protection: Sandboxing, Presentation virtualization (e.g. RDS)
Operating System / Network stack: Health check/contractual, Mobile Device Management
If none of these is adequate: Fully managed corporate device
Protect: Fireable Offenses
Browsing on domain controllers/servers
Browsing in admin context
Favors for friends
Running stuff from USB sticks
Using the network for personal stuff
…
Protect – Non Negotiables
Weak protocols (e.g. LMHash, FTP)
Weak/shared/well-known passwords
Unsupported software (e.g. Windows 9x/NT/2000/XP/Java/Linux)
Host-based protection (firewall, etc.)
OWASP (e.g. SQL injections, XSS)
Any-to-Any firewall rules
Application level patching
“We’ll fix things once we’re live…”
Protect - Must-Do’s
Incident response organization
Security information & event management
Asset / configuration management
Implement clean, current baselines
Secure coding practices (SDL)
Service account management
Protect & restrict high privilege accounts:
Credential partitioning
No privilege account logon to lower trust systems (also applies to privileged service accounts)
Use dedicated admin workstations
Multifactor authentication
Restrict local admin accounts
Protect the High Privilege Accounts
Access: Users and Workstations
Power: Domain Controllers
Data: Servers and Applications
Crown jewels
DCIM-B213 TWC: Pass-the-Hash and Credential Theft Mitigation Architectures
DCIM-B359 TWC: Pass-the-Hash: How Attackers Spread and How to Stop Them
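The “no privilege account logon to lower trust systems” rule checked against logon events, as an added example that is not part of the original deck; the tier names follow the slide (Power, Data, Access), while the host and account inventories and the sample events are constructed:

```python
"""Credential partitioning check: flag privileged accounts that log on to
hosts in a lower-trust tier. Added example; inventory and events are constructed."""
from collections import namedtuple

# Tiers from the deck: Power (domain controllers), Data (servers and
# applications), Access (users and workstations). Lower rank = higher trust.
TIER_RANK = {"power": 0, "data": 1, "access": 2}

# Constructed asset inventory: host -> tier it belongs to
HOST_TIER = {"dc01": "power", "sql01": "data", "web01": "data",
             "ws-alice": "access", "ws-bob": "access"}

# Constructed account inventory: account -> tier it is privileged for.
# Privileged service accounts are listed too; the rule applies to them as well.
ACCOUNT_TIER = {"da-admin": "power", "svc-backup": "power",
                "srv-admin": "data", "alice": "access"}

Logon = namedtuple("Logon", "ts account host")

def is_violation(account, host):
    """True when the account's tier is more trusted than the host's tier,
    i.e. a privileged credential is exposed on a lower-trust system.
    Unknown hosts and accounts default to the least-trusted tier."""
    acct_rank = TIER_RANK[ACCOUNT_TIER.get(account, "access")]
    host_rank = TIER_RANK[HOST_TIER.get(host, "access")]
    return host_rank > acct_rank

def find_violations(logons):
    """Return the logon events that break the partitioning rule."""
    return [ev for ev in logons if is_violation(ev.account, ev.host)]

# Constructed sample logon events for one morning
SAMPLE = [
    Logon("08:01", "da-admin", "dc01"),       # domain admin on a DC: fine
    Logon("08:05", "da-admin", "ws-alice"),   # domain admin on a workstation
    Logon("08:07", "svc-backup", "sql01"),    # Power-tier service account on a server
    Logon("08:09", "alice", "ws-alice"),      # ordinary user on own workstation: fine
    Logon("08:11", "srv-admin", "ws-bob"),    # server admin on a workstation
]

if __name__ == "__main__":
    for ev in find_violations(SAMPLE):
        print(f"{ev.ts} {ev.account} logged on to {ev.host} (tier violation)")
```

The same lookup works against real security log exports once the two inventories are filled from the asset and account management systems the deck lists as must-dos.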
Detect
“69% of breaches were discovered by external parties”
“66% took months or more to discover”
“In most cases...the victim could have discovered the breach had they been more diligent in monitoring and analyzing event-related information at the time of the incident.”
2013 Verizon Data Breach Report
A Complete Security System
Protective Controls
Detective Controls
Why not just protective controls?
• Nobody can think of everything
• Time/tools erode all protections
By 2020, 60% of enterprise information security budgets will be allocated to rapid detection and response approaches, up from less than 10% in 2013
(Gartner, May 2013)
Actor - Tactics, Techniques, Procedures
Kill chain phases: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, Actions on Objective
Note: From Lockheed Martin, Intelligence-Driven Computer Network Defense
Examples from the slide, in the order shown: Facebook; Flash in Word; Email/Waterhole/USB; Standard functionality/vulnerability; RAT Call home; Extract IP/Destruct
Great reference: Mitre.org
Detection – The Basic Plan
First, get “Many Eyes” on the environment:
1. Inventory assets: Computers, Devices, People
2. Select high-risk and high-value
3. Collect baselines: define behavior characteristics and statistics (Logons, Software, Performance, Netflows, Traffic)
4. Define thresholds, message throttling
5. Create alerts
Start simple
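The baseline, threshold and throttling steps of that plan carried through in code, as an added example rather than material from the deck; the per-day failed-logon baseline and the sample event window are constructed:

```python
"""Baseline-and-threshold detection for failed logons with alert throttling.
Added example; the baseline counts and the event window are constructed."""
import statistics
from collections import Counter

# Constructed baseline: failed logons per account per day over one week
BASELINE = {
    "alice": [2, 3, 1, 4, 2, 3, 2],
    "svc-backup": [0, 0, 1, 0, 0, 0, 0],
}

def thresholds(baseline, k=3.0, floor=5):
    """Per-account threshold = mean + k * stdev, never below `floor`
    (the floor keeps tiny absolute counts from alerting: start simple)."""
    return {a: max(floor, statistics.mean(c) + k * statistics.pstdev(c))
            for a, c in baseline.items()}

def detect(events, thr, default=5):
    """Stream events; alert the first time an account's running count of
    failed logons exceeds its threshold, then throttle: no further alert
    for that account in this window however many more failures arrive."""
    seen = Counter()
    alerted = set()
    out = []
    for ev in events:
        if ev["result"] != "failure":
            continue
        acct = ev["account"]
        seen[acct] += 1
        if seen[acct] > thr.get(acct, default) and acct not in alerted:
            alerted.add(acct)
            out.append((acct, seen[acct]))
    return out

# Constructed sample window: 15 failures for alice, 2 for svc-backup, one success
SAMPLE = ([{"account": "alice", "result": "failure"}] * 15
          + [{"account": "svc-backup", "result": "failure"}] * 2
          + [{"account": "alice", "result": "success"}])

if __name__ == "__main__":
    for acct, count in detect(SAMPLE, thresholds(BASELINE)):
        print(f"ALERT {acct}: {count} failed logons exceeds baseline threshold")
```

Without the throttle the fifteen failures for alice would produce ten alerts; with it, one.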
Respond / Recover
Don’t…
…underestimate the power of wishful denial
…overestimate ability to execute
…try to boil the ocean
…PANIC
Do…
Assess extent of compromise
Focus on what’s important
Prioritize and take small steps
The Perfect Plan
Close all internet / remote access
Change all passwords
Rebuild Active Directory
Rebuild all hosts from scratch
Update all software, defenses, policies
Fix vulnerabilities
Restore data and legitimate applications
Educate end-users
Turn everything back on
The Perfect Plan… Boiling the Ocean
…not so much: Too big, Too complex, Too costly, Too disruptive
Which leaves… “Plan B”
A More Realistic Recovery Plan…
Women and children first!
Define & locate “Diamonds”
Create safe haven
Move Diamonds over
Declare old environment to be a Zoo / Graveyard
Recovery Plan Characteristics
(Diagram: three options plotted against attacker skill/presence, from Low Attacker Skill/Presence (0% chance of persistence) to High Attacker Skill/Presence (100% chance of persistence).)
1. Scan and Clean: Inherent Low Effectiveness, cost $
2. Scan, Clean, and Rebuild DCs: Effectiveness Depends on Execution, cost $$$
3. Build New Environment: Inherent High Effectiveness, cost $$$$$$$
Recovery Dynamics
There is never 100% guarantee of recovery
There is never 100% guarantee of security either
Skill level of adversary impacts likelihood of success
Adversaries are human operators
Bad – Can adapt and adjust to our tactics
Good – Reaction speed is human, like the defenders
As we get better, so will they: new places to hide, new techniques, etc.
Surviving in the New IT Reality
The New Mindset
We all swim in a sea full of sharks
We cannot defend or control everything
Risk is a business issue
Focus on your diamonds
Choose solutions that match the risk
Be prepared, start today
Breakout Sessions (session codes and titles)
DCIM-B213 TWC: Pass-the-Hash and Credential Theft Mitigation Architectures
DCIM-B366 TWC: Hacker’s Perspective on Your Windows Infrastructure: Mandatory Check List
DCIM-B359 TWC: Pass-the-Hash: How Attackers Spread and How to Stop Them
DCIM-B216 TWC: Securing Your Business: Getting the Most from Your Premier Services
PCIT-B319 TWC: Social Engineering: Manipulations, Targeted Attacks, and IT Security
WIN-B335 Making Sense of the Microsoft Information Protection Stack
DCIM-B374 TWC: Fighting Evil with Good
Related content
Microsoft Solutions Experience Location (MSE)
Resources
Learning
Microsoft Certification & Training Resources
www.microsoft.com/learning
msdn
Resources for Developers
http://microsoft.com/msdn
TechNet
Resources for IT Professionals
http://microsoft.com/technet
Sessions on Demand
http://channel9.msdn.com/Events/TechEd
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.