One Microsoft Security Pitch
Securing Privileged Access
Information Protection
Datacenter Security
Securing High Value Assets
Information Worker and Device Protection
Admin Environment
On-Premises Datacenters
3rd Party SaaS
Customer and Partner Access
Branch Office
Intranet and Remote PCs
High Value Assets
3rd Party IaaS
Mobile Devices
Microsoft Azure
Office 365
Azure Active Directory
Rights Management Services
Key Management Services
IaaS
PaaS
More than 200 days (varies by industry)
First Host Compromised
Domain Admin Compromised
Attack Discovered
Research & Preparation
Attacker Undetected (Data Exfiltration)
24-48 Hours
Active Directory and Administrators control all the assets
under attack
One small mistake can lead to attacker control
Attackers Can
• Steal any data
• Modify documents
• Impersonate users
• Disrupt business operations
Active Directory and Administrators control all the assets
Tier 0: Domain & Enterprise Admins
Tier 1: Server Admins
Tier 2: Workstation & Device Admins
1. Beachhead (Phishing Attack, etc.)
2. Lateral Movement
   a. Steal Credentials
   b. Compromise more hosts & credentials
3. Privilege Escalation
   a. Compromise unpatched servers
   b. Get Domain Admin credentials
4. Execute Attacker Mission
   a. Steal data, destroy systems, etc.
   b. Persist Presence
24-48 Hours
http://aka.ms/pthdemo
How to protect your privileges against these attacks
2-4 weeks 1-3 months 6+ months
Attack Defense
Three Stage Mitigation Plan
http://aka.ms/SPAroadmap
1. Separate Admin account for admin tasks
2. Privileged Access Workstations (PAWs) Phase 1 - Active Directory admins http://Aka.ms/CyberPAW
3. Unique Local Admin Passwords for Workstations http://Aka.ms/LAPS
4. Unique Local Admin Passwords for Servers http://Aka.ms/LAPS
2-4 weeks 1-3 months 6+ months
First response to the most frequently used attack techniques
First response to the most frequently used attack techniques
2-4 weeks 1-3 months 6+ months
Top Priority Mitigations
Attack Defense
1. Privileged Access Workstations (PAWs) Phases 2 and 3 – All Admins and additional hardening (Credential Guard, RDP Restricted Admin, etc.) http://aka.ms/CyberPAW
2. Time-bound privileges (no permanent admins) http://aka.ms/PAM http://aka.ms/AzurePIM
3. Multi-factor for elevation
4. Just Enough Admin (JEA) for DC Maintenance http://aka.ms/JEA
5. Lower attack surface of Domain and DCs http://aka.ms/HardenAD
6. Attack Detection http://aka.ms/ata
2-4 weeks 1-3 months 6+ months
Build visibility and control of administrator activity, increase protection against typical follow-up attacks
2-4 weeks 1-3 months 6+ months
Attack Defense
1. Modernize Roles and Delegation Model
2. Smartcard or Passport Authentication for all admins http://aka.ms/Passport
3. Admin Forest for Active Directory administrators http://aka.ms/ESAE
4. Code Integrity Policy for DCs (Server 2016)
5. Shielded VMs for virtual DCs (Server 2016 Hyper-V Fabric) http://aka.ms/shieldedvms
2-4 weeks 1-3 months 6+ months
Move to proactive security posture
2-4 weeks 1-3 months 6+ months
Attack Defense
How Can Microsoft Services Help?
Assess your current risk level and build a plan
Prioritized
Tailored to your needs
Rapid deployment of proven solutions
Support and operationalize new technologies
Accelerate deployment to maximize your defenses!
ASSUME BREACH
Service Delivery Management
Proactive Services
Problem Resolution Services
Premier Support
Cyber Incident Response
Respond - Incident Response via Premier
Based on proven response practices
Response Scenario: Non-malicious or Internal
Response Scenario: Malicious - External
What Every Customer Needs to Do
Roadmap to improve your cybersecurity position