![Page 1: How to Harden Your Enterprise in Today’s Threat … to Harden Your Enterprise in Today’s Threat Landscape Frank Brinkmann •19 years with Microsoft and more than 23 years in IT:](https://reader034.vdocument.in/reader034/viewer/2022042611/5b1d70097f8b9a64508b705b/html5/thumbnails/1.jpg)
Andrew Idell, Frank Brinkmann
February 1, 2017
How to Harden Your Enterprise in Today’s Threat Landscape
Frank Brinkmann
• 19 years with Microsoft and more than 23 years in IT:
• Director, Cybersecurity Protection Team (CPT), part of the Enterprise Cybersecurity Group. This team develops, pilots, and maintains the cybersecurity consulting offerings that protect our customers’ critical assets
Andrew Idell
• 13 years at Microsoft, 21 years total in IT
• Cybersecurity Architect – Cybersecurity Protection Team (CPT), part of the Enterprise Cybersecurity Group
• Holds the CISSP and MCM: Directory Services certifications
• Andrew’s career has focused on Active Directory, PKI, and Windows Security, including work in corporate IT, as a Microsoft Certified Trainer, and as a consultant at Microsoft Partners. Since joining Microsoft, Andrew has worked in Product Support and in Microsoft Consulting Services (Infrastructure and Cybersecurity) before joining ECG at its beginning in 2015.
Agenda
The Security Challenge
Common Security Misconceptions
Addressing the Real Concerns
Conclusion and Take-Aways
1. The Security Challenge
Why is securing today’s datacenter a challenge?
These challenges can leave your business vulnerable. For example: the typical attack timeline & observations
Initial user compromise or entry vector
→ 24-48 hours →
Core security compromised (Domain Admin)
→ Average 140+ days →
Service outage or data exfiltration; attack detected
2. Common Security Misconceptions
“My enterprise needs to be very concerned about 0-days.”
Actually...
Not overall: most companies are compromised through old, unpatched vulnerabilities in software running on top of Windows.
https://www.microsoft.com/security/sir/default.aspx
http://www.infoworld.com/article/3075830/security/zero-days-arent-the-problem-patches-are.html
So what should I do?
Step 1:
Step 2:
Step 3:
How can Microsoft help me?
Option 1:
Option 2:
Option 3:
Security Investigation and Event Monitoring
Vulnerability and Patch Management
Malware Detection
“Will using systems management and security software on my Domain Controllers improve my security?”
Not really…
Why?
Not if the agents run as System or Administrator and the administrators of the management systems are not protected to the same standard as the Domain Controllers themselves: whoever controls an agent running as System on a DC controls the DC.
How?
• The Credential Tier Model
• Credential Hygiene
The Credential Tier Model
Tier 0: Domain & Enterprise Admins
Tier 1: Server Admins
Tier 2: Workstation & Device Admins
Rule #1:
Rule #2:
Rule #3:
When those rules aren’t followed: a typical attack chain (24-48 hours)
1. Beachhead (phishing attack, etc.)
2. Lateral movement
   a. Steal credentials
   b. Compromise more hosts & credentials
3. Privilege escalation
   a. Get Domain Admin credentials
4. Execute attacker mission
   a. Steal data, destroy systems, etc.
   b. Persist presence
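The tier model is a control on where credentials may be used, and the attack chain above succeeds when a higher-tier credential is left on a lower-tier host; as an added example (not from the slide deck), this Python check replays constructed logon records against assumed tier assignments and flags every logon that exposes a higher-tier credential on a lower-tier host. The tier assignments, host and account names, and the set of credential-exposing logon types are assumptions made for the example.

```python
"""Tier-model logon check over constructed Windows logon records.

Assumption (the slide leaves the rules blank): a credential from a higher tier
must never be used to log on to a lower-tier host, because that host's admins
(and anything running as System there) can harvest the credential.
"""
from dataclasses import dataclass

# Constructed tier assignments for admin groups and hosts (assumed, not from the deck).
TIER_OF_GROUP = {"Domain Admins": 0, "Enterprise Admins": 0,
                 "Server Admins": 1, "Workstation Admins": 2}
TIER_OF_HOST = {"DC01": 0, "DC02": 0, "APP01": 1, "SQL01": 1,
                "WS-ALICE": 2, "WS-BOB": 2}

# Logon types that leave reusable credentials on the target: interactive (2),
# batch (4), service (5), RemoteInteractive/RDP (10), cached interactive (11).
# Network logons (3) normally leave nothing reusable behind, so they are exempt.
CREDENTIAL_EXPOSING_LOGON_TYPES = {2, 4, 5, 10, 11}


@dataclass
class Logon:
    user: str
    groups: tuple   # group memberships at logon time
    host: str
    logon_type: int


def account_tier(groups):
    """An account's tier is the most privileged (lowest-numbered) tier of any group it is in."""
    tiers = [TIER_OF_GROUP[g] for g in groups if g in TIER_OF_GROUP]
    return min(tiers) if tiers else 3   # unprivileged users sit below all admin tiers


def find_violations(logons):
    """Return (user, host, account_tier, host_tier) for each logon that exposes
    a higher-tier credential on a lower-tier host."""
    out = []
    for l in logons:
        if l.logon_type not in CREDENTIAL_EXPOSING_LOGON_TYPES:
            continue
        a, h = account_tier(l.groups), TIER_OF_HOST.get(l.host, 2)  # unknown host: assume Tier 2
        if a < h:
            out.append((l.user, l.host, a, h))
    return out


# Constructed sample: a phished user's workstation, then admins logging on in various places.
SAMPLE_LOGONS = [
    Logon("carol", ("Domain Users",), "WS-BOB", 2),
    Logon("da-alice", ("Domain Admins",), "DC01", 2),        # fine: Tier 0 on Tier 0
    Logon("srv-bob", ("Server Admins",), "APP01", 10),       # fine: Tier 1 on Tier 1
    Logon("da-alice", ("Domain Admins",), "WS-BOB", 10),     # violation: Tier 0 cred on Tier 2 host
    Logon("srv-bob", ("Server Admins",), "WS-ALICE", 2),     # violation: Tier 1 cred on Tier 2 host
    Logon("da-alice", ("Domain Admins",), "APP01", 3),       # network logon: nothing cached
]

if __name__ == "__main__":
    for user, host, a, h in find_violations(SAMPLE_LOGONS):
        print(f"{user} (Tier {a}) logged on to {host} (Tier {h}): credential exposed")
```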
So what should I do?
Step 1:
Step 2:
Step 3:
How can Microsoft help me?
Option 1:
http://aka.ms/cyberpaw
http://aka.ms/tiermodel
Option 2:
“Using jump servers and multi-factor authentication protects my administrators”
Not really…
Why?
Not if the workstation used to log in to the jump servers with multi-factor authentication is itself compromised.
Don’t new OS features like Credential Guard, Device Guard and Defender ATP mitigate these threats?
And what about multi-factor authentication like Smart Cards and Windows Hello for Business?
Why the starting point has to be clean:
So what should I do?
Step 1:
Step 2:
Step 3:
How can Microsoft help me?
Option 1:
http://aka.ms/cyberpaw
http://aka.ms/cleansource
Option 2:
“Using virtualization and shared infrastructure in my Private Cloud reduces complexity, thereby increasing security”
Not really…
Why?
Unless the virtual machines can be isolated from the virtualization admins and their storage encrypted with a key that no storage administrator can access.
Why are Domain Controllers special?
What is the issue?
So what should I do?
Option 1:
Option 2:
How can Microsoft help me?
Option 1:
https://blogs.technet.microsoft.com/datacentersecurity/2016/03/16/windows-server-2016-and-host-guardian-service-for-shielded-vms/
Option 2:
3. Addressing the Real Concerns
Every misconception is based on a legitimate concern
Security Need or Concern: Protecting Administrators and their Credentials
Solutions:
• Use hardened, dedicated workstations for administrative tasks
• Deploy a separate, hardened forest for your admin users and workstations
Microsoft Services Offerings:
• Privileged Access Workstation (PAW)
• Enhanced Security Administrative Environment (ESAE)

Security Need or Concern: Hardening Tier-0 Servers
Solutions:
• Remove upstream risks
• Deploy Shielded VMs and the Host Guardian Service
• Deploy the official Windows Security Templates to DCs and other Tier 0 servers
Microsoft Services Offerings:
• Active Directory Hardening (ADH)
• HGS for Guarded Fabric and Shielded VMs

Security Need or Concern: Hardening Active Directory
Solutions:
• Reduce membership in Tier 0 groups
• Deploy the official Windows Security Templates
• Implement an OU and policy structure that enforces the Tier Model
Microsoft Services Offerings:
• Active Directory Hardening (ADH)
• Offline Assessment for Active Directory Services (OAADS)

Security Need or Concern: Detecting and Responding to Attacks
Solutions:
• Deploy a detection solution that leverages machine learning to reduce the “noise” and false positives
• Operations Management Suite, Advanced Threat Analytics or Windows Defender ATP
Microsoft Services Offerings:
• Enterprise Threat Detection (ETD)
• Advanced Threat Analytics Implementation Services (ATA-IS)
• Offline Assessment for Active Directory Services (OAADS)
4. Conclusion/Take-Aways
Key Take-Aways
Common security misconceptions are a reflection of genuine security concerns.
Microsoft has public guidance for solutions to address these concerns.
Microsoft Services can help accelerate the adoption of these solutions in your enterprise.
Reference Links
Privileged Access Workstation: http://aka.ms/cyberpaw
The Credential Tier Model: http://aka.ms/tiermodel
The clean-source principle: http://aka.ms/cleansource
The Ten Immutable Laws of Security Administration: https://technet.microsoft.com/en-us/library/cc722488.aspx
Sticking with Well-Known and Proven Solutions: https://blogs.technet.microsoft.com/fdcc/2010/10/06/sticking-with-well-known-and-proven-solutions/
Responding to IT Security Incidents: https://technet.microsoft.com/en-us/library/cc700825.aspx
© 2016 Microsoft Corporation. All rights reserved. The text in this document is available under the Creative Commons Attribution 3.0 License, additional terms may apply. All other content contained in this
document (including, without limitation, trademarks, logos, images, etc.) are not included within the Creative Commons license grant. This document does not provide you with any legal rights to any
intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes.
This document is provided "as-is." Information and views expressed in this document, including URL and other Internet Web site references, may change without notice. You bear the risk of using it. Some
examples are for illustration only and are fictitious. No real association is intended or inferred. Microsoft makes no warranties, express or implied, with respect to the information provided here.