Identity and Security in the Cloud


Upload: richard-diver

Post on 07-Jan-2017


Page 1: Identity and Security in the Cloud

Looks STRONG

Layered DEFENCE

Feels SAFE

Page 2: Identity and Security in the Cloud
Page 3: Identity and Security in the Cloud

Cyber Threats…no longer just an IT issue.

• Average time attackers stay in a network before detection is over 200 days

• Over 75% of all network intrusions are traced back to compromised credentials

• Average cost of a data breach to a company is $3.5 million

• Estimated cost of cybercrime to the global economy is $500 billion

Page 4: Identity and Security in the Cloud

Motivations

• Enforcement of social or political points of view
• To gain long term trusted access to internal resources
  - Information
  - Compute power and bandwidth
• Obtain credentials for access to other services
• Extortion by means of
  - Business systems interruption
  - Threatening individuals' privacy
  - or discrediting the organisation

Page 5: Identity and Security in the Cloud

Cyber Threats…there are 2 types of organisations affected:

Those that don’t know it (yet)

Those that have been breached

Page 6: Identity and Security in the Cloud

Changing nature of Cyber Attacks

Attacks and threats have grown substantially more sophisticated, frequent and severe.

In the vast majority of attacks, attackers compromise user credentials and use legitimate IT tools instead of malware.

We are now working under the assumption that we are already breached

Page 7: Identity and Security in the Cloud
Page 8: Identity and Security in the Cloud

5 Key Recommendations
Amit Yoran, RSA President

1. Even advanced protection can fail
2. We need pervasive and true visibility of everything
3. Identity and Authentication matter more than ever
   • Don’t trust the trusted, protect them!
4. Don’t mistake a malware solution for an Advanced Threat Strategy
5. Use external Threat Intelligence Reports

Page 9: Identity and Security in the Cloud

What REALLY matters?

Brand
• Trustworthiness

Reputation
• Availability
• Reliability

Credibility
• Accreditation

Financials
• Cost to prevent
• Cost to repair

Page 10: Identity and Security in the Cloud

What needs protection?

Identity
• Logon credentials
• Gaining trusted access
• Across all entities

Resources
• Infrastructure – admin, service, and system accounts
• High costs to repair in both time and materials
• Use MFA and education!

Information
• Privileged access to sensitive information
• DLP helps classified/controlled information
• What about the rest?

Data
• Documents at rest, in transit, or shared externally
• Encryption is the minimal level for everything

Page 11: Identity and Security in the Cloud

HOW?

Protect

Education and vigilance is key

Layered approach

Technology and People

Detect

Understand the scenarios

Look for anomalies

Test regularly

Analyse

Know the scale of the problem

Identify the potential impact

Protect the logs and other information

Respond

Don’t react hastily, follow a plan

Call in the experts, including the lawyers if necessary

Communicate clearly, but securely

Page 12: Identity and Security in the Cloud

Identity Management

• Know who your people are and centralise management of Identities:
  - Administrators and trusted authorities
  - Insiders
  - Externals
• Implement good housekeeping
• Ensure training for security and privacy at all levels
• Monitor behaviours and regulate access permissions
• Implement key policies:
  - Pin locks
  - Passwords
  - Multi-Factor authentication

Page 13: Identity and Security in the Cloud

Application and Device Management

Management based on characteristics:
• Ownership
• Support/Management
• Level of trust
• Device standards and capabilities
• Location and usage scenario

Page 14: Identity and Security in the Cloud

Data Security

Enable key features where possible:
• Full drive encryption
• Data replication services
• Invest in Information Rights Management and Data Loss Prevention for the most sensitive information

Page 15: Identity and Security in the Cloud

Where to start?

Page 16: Identity and Security in the Cloud
Page 17: Identity and Security in the Cloud

Multi-Factor Authentication

• Enable/Enforce MFA to end-users
• Will enforce App Passwords for rich clients that don’t support MFA
  - Office 2013 (can preview ADAL)
  - Office 2010
  - Skype for Business
  - OneDrive for Business
  - Mail apps on smartphones

Office 365 / Azure Administrators

• Second Factor options:
  - Mobile app (online and OTP)
  - Phone Call
  - SMS
• Application passwords
• Default Microsoft greetings

Azure AD Premium additional features

• Fraud alert
• One-Time Bypass
• Custom greetings/caller ID
• Caching
• Trusted IPs
• MFA SDK
• Security Reports
• MFA for on-premises apps
• Block/Unblock Users
• Event Confirmation

Page 18: Identity and Security in the Cloud

Access Control Service

Enables the use of multiple IdPs to provision access to SaaS applications

• Integrated Single Sign On

• Claims-based access control

• Centralised authorization into web applications

• Google, Yahoo!, Facebook, etc.

• Available in Basic and Premium

Page 19: Identity and Security in the Cloud

Cloud App Discovery

Page 20: Identity and Security in the Cloud

Azure Rights Management

Enable control of data beyond your security boundary

• Limit access to known identities

• Monitor, track, change permissions in-flight

• Company policy templates, automated application, individual control

Page 21: Identity and Security in the Cloud

Protect a document and share

Page 22: Identity and Security in the Cloud

Customer registration and download

Page 23: Identity and Security in the Cloud

Track & Revoke

Page 24: Identity and Security in the Cloud

Track & Revoke

Page 25: Identity and Security in the Cloud

Resources

• Protecting Azure Blob Storage with Azure RMS Whitepaper
  http://blogs.msdn.com/b/rms/archive/2014/05/27/protecting-azure-blob-storage-with-azure-rms-whitepaper.aspx

• Information Protection and Control (IPC) in Office 365 with Microsoft Rights Management service (RMS) whitepaper
  http://www.microsoft.com/en-us/download/confirmation.aspx?id=34768

• Official RMS Team blog
  http://blogs.technet.com/b/rms/

• RMS Analyzer Tool
  http://blogs.technet.com/b/rms/

Page 26: Identity and Security in the Cloud

Azure Security Center

Currently in public preview:

• Advanced Threat Analytics – global scale
• Security monitoring and auditing
• Threat detection and alerts
• Hadoop cluster ingests massive quantities of data from security feeds
• Machine Learning and Real People! (cyber security teams and partnerships)
• In partnership with the major industry security vendors
• Integrates with existing security solutions (SIEM)

Page 27: Identity and Security in the Cloud

Cloud Access Security Broker

Adallom: recently purchased by Microsoft

• Centralised AuthN/AuthZ for all cloud applications

• Agentless, flexible deployment options

• Integrated with solutions like CheckPoint, SIEM, DLP and MDM

Page 28: Identity and Security in the Cloud

Advanced Threat Analytics

Focus on what’s important, fast

• Malicious attack detection

• Alerts for known security issues and risks

• Analysis for abnormal behaviour using machine learning

Page 29: Identity and Security in the Cloud

ATA: Pass-The-Hash Demo

• Our bad guy is DodgyUser; he’s managed to get access to a PC and is running his tools…

• Our good guy is MarketingUser; he’s logged on to this PC and is carrying out his work normally

• DodgyUser is able to enumerate all users logged on, and obtain the HASH of their password:

Page 30: Identity and Security in the Cloud

ATA: Pass-The-Hash Demo

• With this information, DodgyUser can now switch to use these credentials on any machine and perform operations as that user
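One behavioural check a defender could run for the credential reuse described in this demo, as an added example that is not part of the original deck and is not ATA's own detection logic: flag NTLM network logons where the account has never logged on interactively at the source workstation. The records are constructed, using field names from Windows Security event 4624; host names and timestamps are assumptions.

```python
from collections import defaultdict

# Constructed sample records (not from the deck). Keys follow Windows Security
# event 4624 (successful logon); hosts and timestamps are made up.
def _ev(time, user, logon_type, package, workstation, computer):
    return {"TimeCreated": time, "TargetUserName": user, "LogonType": logon_type,
            "AuthenticationPackageName": package, "WorkstationName": workstation,
            "Computer": computer}

EVENTS = [
    _ev("2017-01-05T09:01:00", "MarketingUser", 2, "Negotiate", "PC-MKT-01", "PC-MKT-01"),
    _ev("2017-01-05T09:15:00", "MarketingUser", 3, "NTLM", "PC-MKT-01", "FILESRV-01"),
    _ev("2017-01-05T09:30:00", "DodgyUser", 2, "Negotiate", "PC-MKT-01", "PC-MKT-01"),
    _ev("2017-01-05T10:30:00", "DodgyUser", 2, "Negotiate", "PC-FIN-07", "PC-FIN-07"),
    _ev("2017-01-05T10:42:00", "MarketingUser", 3, "NTLM", "PC-FIN-07", "FILESRV-01"),
    _ev("2017-01-05T10:50:00", "MarketingUser", 3, "Kerberos", "-", "FILESRV-01"),
    _ev("2017-01-05T10:55:00", "PC-MKT-01$", 3, "NTLM", "PC-MKT-01", "FILESRV-01"),
]

INTERACTIVE = {2, 10, 11}  # Interactive, RemoteInteractive, CachedInteractive
NETWORK = 3

def flag_ntlm_from_unseen_host(events):
    """Flag NTLM network logons whose source workstation the account has not
    logged on to interactively earlier in the time-ordered stream."""
    seen = defaultdict(set)  # account -> workstations with a prior interactive logon
    alerts = []
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        user = ev["TargetUserName"]
        if user.endswith("$"):  # machine accounts are out of scope for this check
            continue
        src = ev["WorkstationName"].upper()
        if ev["LogonType"] in INTERACTIVE:
            seen[user.lower()].add(src)
        elif (ev["LogonType"] == NETWORK
              and ev["AuthenticationPackageName"].upper() == "NTLM"
              and src not in seen[user.lower()]):
            alerts.append((ev["TimeCreated"], user, src, ev["Computer"]))
    return alerts

if __name__ == "__main__":
    for when, user, src, target in flag_ntlm_from_unseen_host(EVENTS):
        print(f"{when} {user}: NTLM logon to {target} from unfamiliar host {src}")
```

Legitimate NTLM use from a workstation the user has not yet signed in to will also match, so the output is a lead for review rather than a verdict.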

Page 31: Identity and Security in the Cloud

ATA: Pass-The-Hash Demo

• ATA was watching:

Page 32: Identity and Security in the Cloud

ATA: Alerts

Page 33: Identity and Security in the Cloud

ATA: Alerts

Page 34: Identity and Security in the Cloud

Coming soon…

• Administrative Units
• BYO SaaS Applications
• Pwd rollover for FB, Twitter and Linked In
• Dynamic group membership
• Conditional Access – per app
• Privileged Identity management
• Self-service app requests
• Azure reporting API
• Cloud Access Security Broker (Adallom?)

Page 35: Identity and Security in the Cloud

Windows 10

• 110 million activations in just 2 months !
• Deploy without re-imaging the device
• Windows Hello & BitLocker
• Registered hardware can be 2nd factor for sign-in to all services
• Separation of business and personal information
• Same experience on Phone as on Desktop
• Enterprise containerisation with Hyper-V
• Universal App Store – with employee store experience

Page 36: Identity and Security in the Cloud

Actions & Resources

• Start using MFA for all your personal accounts

• Consider security at the beginning of Solution Development

• Look for and highlight any risks or concerns at your customer

• Join the discussion on our Yammer group Security

• Use the Cloud Roadmap diagrams to explore solutions and options

• Use this deck, works well on mobile

Share the message, raise awareness

Page 37: Identity and Security in the Cloud

Thank you !

Richard Diver @rdiver