Securing the Digital Transformation Overview Largest Data Breaches - - PowerPoint PPT Presentation



SLIDE 1

Securing the Digital Transformation

Overview

SLIDE 2

Digital Transformation Realized™

Largest Data Breaches

Hacks resulting in loss of more than 30,000 records (chart legend: Latest, 2015, 2014, 2013)

Source: Informationisbeautiful.net

Organizations shown on the bubble chart, in slide order, with the record counts that are legible on the chart:

  • JP Morgan Chase (76000000)
  • Target (70000000)
  • AOL (2400000)
  • Ebay
  • MySpace (164000000)
  • Experian / T-Mobile
  • Anthem (800000000)
  • Banner Health
  • Mail.ru (25000000)
  • Linux Ubuntu forums
  • Clinton Campaign
  • Carefirst
  • British Airways
  • AshleyMadison.com
  • Adult Friend Finder
  • Dominos Pizzas (France)
  • Evernote (50000000)
  • Home Depot (56000000)
  • European Central Bank
  • Kromtech
  • MSpy
  • Japan Airlines
  • Philippines’ Commission on Elections (55000000)
  • Telegram
  • Securus Technologies (70000000)
  • NASDAQ
  • Sony Pictures
  • Nintendo
  • Neiman Marcus
  • Staples
  • OHV
  • Scribd
  • US Office of Personnel Management (2nd Breach)
  • VK (100544934)
  • Vtech
  • UPS
  • Yahoo Japan
  • Washington State Court System
  • Twitch TV
  • Ubuntu
  • Wendy’s
  • Verizon
  • uTorrent
  • Syrian Government
  • Adobe (36000000)
  • Central Hudson Gas & Electric
  • National Childbirth Trust
  • Hacking Team
  • CarPhone Warehouse
  • Invest Bank
  • Community Health Services
  • Apple
  • A&B
  • Altegrity
  • MacRumors.com
  • Premera
  • LivingSocial (50000000)
  • TalkTalk
  • US Office of Personnel Management

SLIDE 3

Economic Impact from Cybercrime

  • Target: $162m
  • JPMorgan: $1 billion
  • Sony: $171m

SLIDE 4

Risk Mitigation and Digital Transformation

1. The Digital Transformation is driving change in the way IT is leveraged throughout the business.
2. The way IT is secured and risks are mitigated within the business will also rapidly evolve as threats enter new vectors.
3. The technologies for mitigating risks are a combination of longstanding best practices and modern capabilities.
4. The defense against the modern (and existing) threats of the Digital Transformation starts now.

SLIDE 5

The Digital Transformation is driving change in the way IT is leveraged throughout the business

SLIDE 6

Companies are Becoming More Digital

  • Customers: Enabling the customer experience with technology
  • Partners: Enabling partner interactions through technology
  • Employees: Driving efficiency in internal operations

SLIDE 7

Transformative vs. Non-Transformative

SLIDE 8

Digital Transformation

  • Modern Applications: IoT, Mixed Reality, Collaboration, ECM, BPM
  • Secure Modern IT Management: DevOps and IT Service, Business Process Transformation, Governance
  • Customer Engagement: CRM, Extranets, B2B solutions
  • Cloud Data Center: Identity & Device Management, Cloud Integration & Management, Unified Communications
  • Analytics & Data: BI, SQL, Predictive Analytics, Big Data
  • Secure Mobile

SLIDE 9

The way IT is secured and risks mitigated within the business will rapidly evolve as threats enter new vectors

SLIDE 10

Top New Threats with Financial Impact

  • Customer User Database Compromise
  • IoT Device Compromise
  • Internal Identity Compromise
  • Confidential Data Compromise
  • Predictive Analytics Compromise
  • Source Code Compromise
  • Social Engineering Theft
  • Physical Access paired with Theft

SLIDE 11

Modern Security Layers to Mitigate Risk

  • Network
  • Operating System
  • Identity
  • Application
  • Information
  • Communications
  • Management
  • Physical

SLIDE 12

NIST Security Framework

The five NIST CSF functions arranged around the Digital Transformation: Identify, Protect, Detect, Respond, Recover

SLIDE 13

Risk Mitigation Combining Layers and NIST

NIST CSF function and the modern mitigation pattern applied to the Digital Transformation:

  • Identify: Cloud threat identification
  • Protect: Cloud consistent protection patterns
  • Detect: Big data detection patterns
  • Respond: Automated response mechanisms
  • Recover: Declarative configuration

Security layers the patterns apply across: Network, Operating System, Identity, Application, Information, Communications, Management, Physical

SLIDE 14

Modern Security Layers and NIST

NIST CSF functions (Identify, Protect, Detect, Respond, Recover) applied to the Digital Transformation

Network

The extent to which traffic can reach the intended destination based on its qualities: being from a known source, on an appropriate port, and of certain characteristics.

  • Millions of hacked agents
  • Network boundary is everywhere
  • Applications are customer facing

SLIDE 15

Modern Security Layers and NIST

NIST CSF functions (Identify, Protect, Detect, Respond, Recover) applied to the Digital Transformation

Operating System

The extent to which the operating system is protected from attack based on its inherent flaws, as well as the extent to which it provides modern protections against modern invasive approaches.

  • Out-of-date operating systems
  • Your clients are your network boundary
  • IoT clients, mobile, and devices exposed

SLIDE 16

Modern Security Layers and NIST

NIST CSF functions (Identify, Protect, Detect, Respond, Recover) applied to the Digital Transformation

Identity

The extent to which authentication to an application plays a more important role in security in the modern age, as well as what access the authenticated person has based on role-based access control.

  • Weak passwords everywhere
  • Applications not properly identity secured
  • Brute force techniques increasing in capability

SLIDE 17

Modern Security Layers and NIST

NIST CSF functions (Identify, Protect, Detect, Respond, Recover) applied to the Digital Transformation

Application

The security of the application itself, as tested and written using patterns and practices which mitigate known threats and attack vectors.

  • Applications using APIs and features with known flaws
  • Interaction between application components
  • Boundary security flaws on the endpoint

SLIDE 18

Modern Security Layers and NIST

NIST CSF functions (Identify, Protect, Detect, Respond, Recover) applied to the Digital Transformation

Information

The extent to which documents and data are protected regardless of location and are controlled based on their qualities.

  • Confidential information is widely accessible
  • Secure content is used to gain other content
  • Users who “should” have access change

SLIDE 19

Modern Security Layers and NIST

Management

The extent to which management tools have evolved to address modern threats which require analysis and response exceeding manual effort. These scenarios look more like “big data” and machine learning scenarios than the manual reviews and responses that traditional security practices employed.

NIST CSF functions (Identify, Protect, Detect, Respond, Recover) applied to the Digital Transformation

  • Breadth of threats exceeds human capabilities
  • Response needs are immediate
  • Employees not properly trained

SLIDE 20

Modern Security Layers and NIST

Communications

The extent to which application communications (or even personal communications) are protected and private based on identity and application qualities.

  • No assurance that the network is secured
  • Modern devices are connected to the internet
  • Pass-the-Hash, Password Extraction

NIST CSF functions (Identify, Protect, Detect, Respond, Recover) applied to the Digital Transformation

SLIDE 21

The technologies for mitigating risks are a combination of longstanding best practices and modern capabilities

SLIDE 22

NIST CSF to Category / Microsoft technology map

Mapping in Technology Solutions

Protect (PR)

Data Security (PR.DS): Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information.

Subcategories, with the solution categories and technologies listed in the order they appear on the slide:

  • PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition
  • PR.DS-4: Adequate capacity to ensure availability is maintained (Cloud Datacenter; Operations Management Suite & System Center; Modern IT Management)
  • PR.DS-5: Protections against data leaks are implemented (Customer Enablement; Enterprise Mobility Suite; Cloud Datacenter; Operations Management Suite & System Center; Modern IT Management; Azure Resource Management Standards; Office365)
  • PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity (Customer Enablement; Enterprise Mobility Suite; Modern IT Management; Operations Management Suite & System Center)
  • PR.DS-7: The development and testing environment(s) are separate from the production environment (Cloud Datacenter; Azure Resource Management Standards; Modern IT Management; Visual Studio Team Services)

Information Protection Processes and Procedures (PR.IP):

  • PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained (Modern IT Management; Operations Management Suite & System Center; ServiceNow)
  • PR.IP-2: A System Development Life Cycle to manage systems is implemented (Modern IT Management; Visual Studio Team Services; Operations Management Suite & System Center; ServiceNow)

SLIDE 23

Tool Categories and Mapping

  • ServiceNow: Modern Service Management Platform
  • Operations Management Suite: Modern Operational and Automation Platform
  • Visual Studio Team Services: Modern Development Platform
  • Azure Machine Learning: Predictive Analytics

SLIDE 24

Tool Categories and Mapping

Products: Enterprise Mobility + Security Suite, Office365, Dynamics 365, Azure Platform as a Service, Azure Cloud Platform, Windows Server, Azure Stack, Windows 10, Microsoft IoT Platform

Categories: Client Management Platform, Collaboration and Business Process Platform, Cloud Platform, End User Computing Platform

SLIDE 25

Anatomy of Attacks and Defense

Diagram of tools and the data that flows between them.

Tools shown: ServiceNow, Dynamics, Power BI, System Center, SCCM, MIM, ATA, Azure Stack, VM Ware, Network, EMS, OMS, USTS, Azure ML, IoT Suite

Flows shown: Log Data, ARM + DSC, Code, Inventory, Automation, Log Data/IDS

SLIDE 26

Demo

SLIDE 27

The defense against the modern threats of the Digital Transformation starts now

SLIDE 28

Steps to Starting Out

  • First: Admit that you can do better
  • Second: Know that you can always do better
  • Then: Make a plan for addressing the security threats that are most relevant based on risk and financial impact

SLIDE 29

Who Do You Want to Be?

Disorganized, Hidden, Unprepared vs. Organized, Transparent, Prepared

SLIDE 30

Get Specific with Assessments

Assessment register. Discover columns: ID, System, Owner, type (X in one of Business Process / Hardware Product / Software Product / Configuration). Assess columns: Threat, Vulnerability, Controls, Impact (Low-Med-High), Complexity (Low-Med-High), Risk (Low-Med-High), Priority.

  • 00001 | Workstations and Servers | Denise Smith | X | Privilege Escalation | Local Administrators | LAPS | Impact High | Complexity Low | Risk High | Priority 1
  • 00002 | Active Directory | Qiong Wu | X | Unauthorized Use | Privileged Accounts | MIM PAM | Impact Med | Complexity Med | Risk Low | Priority 4
  • 00003 | Workstations and Servers | Naoki Sato | X | Code Execution | Patching | SCCM | X | Complexity Med | Risk Med | Priority 3
  • 00004 | Business Culture | Daniel Roth | X | Social Engineering | Phishing | KnowBe4 | Impact High | Complexity Low | Risk High | Priority 2
  • 00005 | WiFi | Andrea Dunker | X | Unauthorized Use | Pre-shared Key | 802.1X | Impact Low | Complexity High | Risk Med | Priority 5
  • 00006 | Workstations and Servers | Eric Gruber | X | Business Data Loss | Malicious Software | Device Guard | Impact High | Complexity High | Risk Med | Priority 6

SLIDE 31

Concurrency’s Engagements

  • Plan and Design: Review, assess and make a plan, strategic and tactical, working with the CISO
  • Execution: Address threats through targeted process improvements, technologies, and education
  • Continuous Improvement: Develop a backlog and keep improving the security state

SLIDE 32

Key points

1. Understand that security is not something to procrastinate on
2. Leverage NIST CSF to develop a prioritized plan
3. Address key operating system and identity threats first
4. Don’t underestimate the importance of a security management platform

SLIDE 33

Digging into the Details

Presentations on individual scenarios for the Digital Transformation, including:

  • Securing the Client to Application Threat: Part 1
  • Securing the Client to Application Threat: Part 2
  • Securing Content and Communications

You will have access to the NIST to Technology Mapping, the whitepaper, and this presentation through a follow-up call

SLIDE 34

Part 1: Securing the Client

An Employee, their Laptop and a Hacker walk into a Bar…

SLIDE 35

Common assumptions:

  • “We are not an appealing target for attackers.”
  • “I’m probably fine.”
  • “I couldn’t stop them anyway.”
  • “An attacker would need to get someone’s password to start hacking on us.”
  • “Breaking into our Network would require an experienced and sophisticated attacker.”

What do you think?

SLIDE 36

Attack Methods in this Demo

  • I’m using some of the laziest methods
  • They are easy to demo and understand
  • Much better methods and tools are available
  • They are easy to use, but might feel abstract

SLIDE 37

Attack Pyramid

  • Entry
  • Recon & Movement
  • End Goal / Exfiltration

SLIDE 38

Attack Plan

SLIDE 39

What could have stopped that?

BitLocker would have prevented access to the file system

  • Is built in to Windows Enterprise/Pro Edition
  • Manage with GPO, MBAM, AAD Join / Intune
    − “InstantGo” capable devices (aka Connected Standby)
    − Microsoft Surface/Book, Lenovo ThinkPad, Dell Venue
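A defender’s check for the BitLocker point above, written as an added example for this page (it is not code from the deck or from Microsoft): it lists every BitLocker volume, whether protection is on, which key protectors exist, and whether the TPM is ready, so a fleet report shows at a glance why a laptop like the one in the story was readable. It assumes the BitLocker and TrustedPlatformModule PowerShell modules that ship with Windows 10 / Server 2016 and an elevated prompt.

```powershell
# Added example, not from the deck: report BitLocker posture on a Windows 10 / Server 2016 device.
# Requires an elevated prompt; uses the built-in BitLocker and TrustedPlatformModule modules.
#Requires -RunAsAdministrator

function Get-BitLockerPosture {
    # TpmPresent / TpmReady tell us whether TPM-backed protectors are even possible on this device.
    $tpm = Get-Tpm

    foreach ($vol in Get-BitLockerVolume) {
        $protectorTypes = ($vol.KeyProtector | ForEach-Object KeyProtectorType) -join ','

        [pscustomobject]@{
            MountPoint        = $vol.MountPoint
            VolumeType        = $vol.VolumeType          # OperatingSystem or Data
            ProtectionStatus  = $vol.ProtectionStatus    # On / Off
            VolumeStatus      = $vol.VolumeStatus        # FullyEncrypted, FullyDecrypted, EncryptionInProgress ...
            EncryptionPercent = $vol.EncryptionPercentage
            KeyProtectors     = $protectorTypes          # e.g. Tpm,RecoveryPassword
            TpmReady          = $tpm.TpmReady
            # A volume is only "done" when protection is on AND a recovery password exists to escrow (AD / MBAM / AAD).
            HasRecoveryPass   = [bool]($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
        }
    }
}

$posture = Get-BitLockerPosture
$posture | Format-Table -AutoSize

# Anything in this list is the laptop from the story: its file system is readable by booting another OS.
$unprotected = $posture | Where-Object { $_.ProtectionStatus -ne 'On' }
if ($unprotected) {
    Write-Warning ("Unprotected volumes: " + (($unprotected | ForEach-Object MountPoint) -join ', '))
}
```

The same function can be run remotely with Invoke-Command against a list of machines and the objects exported to CSV; the MBAM and Intune compliance reports give the same view at fleet scale.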

SLIDE 40

Azure AD Join / Domain Join++

  • Conditional Access
  • Single Sign On
  • Enterprise State Roaming
  • MDM Registration / Intune
  • New Intune Portal!

SLIDE 41

What else could have happened?

Social Engineering

  • Walk-up Access in office
  • Phishing with Macros
  • Remote Command and Control

SLIDE 42

Let’s go Phishing

SLIDE 43

What could have stopped that?

  • Macro Security settings GPO set to “Disable all except digitally signed”
  • GPO for Trust Center/Trusted Locations
  • Client Activity Analysis with Defender ATP
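The macro GPO above ends up as a per-application registry value on the client, which is the easiest place to verify that the policy actually landed. The following is an added example for this page (not from the deck or from Microsoft) that audits the value and, for a lab machine or a device outside domain GPO, writes the same settings the GPO would. It assumes Office 2016 / Microsoft 365 Apps (registry version key 16.0) and the documented VBAWarnings meaning of 3 = disable all except digitally signed.

```powershell
# Added example, not from the deck: audit (and optionally set) the Office macro policy that
# corresponds to the "Disable all except digitally signed" GPO setting.
# Assumption: Office 2016 / Microsoft 365 Apps, i.e. registry version key "16.0".
# VBAWarnings: 1 = enable all, 2 = disable with notification,
#              3 = disable all except digitally signed, 4 = disable all without notification.

$officeVersion = '16.0'
$apps   = 'Word', 'Excel', 'PowerPoint'
$wanted = 3

function Get-MacroPolicy {
    foreach ($app in $apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\$app\Security"
        $warn  = (Get-ItemProperty -Path $key -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
        # Second control the same GPO area offers: block macros in files that carry the Mark-of-the-Web.
        $block = (Get-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet
        [pscustomobject]@{
            App                     = $app
            VBAWarnings             = $warn                              # $null means no policy applied
            Compliant               = ($warn -eq $wanted -or $warn -eq 4)
            BlockMacrosFromInternet = ($block -eq 1)
        }
    }
}

function Set-MacroPolicy {
    # Writes the values a GPO would write; useful for a lab or a non-domain device.
    foreach ($app in $apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\$app\Security"
        New-Item -Path $key -Force | Out-Null
        New-ItemProperty -Path $key -Name VBAWarnings -Value $wanted -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -Value 1 -PropertyType DWord -Force | Out-Null
    }
}

# Audit first; uncomment the next line to enforce on this machine.
# Set-MacroPolicy
Get-MacroPolicy | Format-Table -AutoSize
```

A row with an empty VBAWarnings column means the user is running on the application default (disable with notification), which is exactly the state the phishing demo relies on: one click on “Enable Content” runs the macro.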

SLIDE 44

What’s on this Laptop?

SLIDE 45

What could have stopped that?

  • BitLocker (indirectly)
    − Encrypts the file system, not files
  • Azure Information Protection (Azure RMS)
    − Encrypts individual files by user action*
  • Windows Information Protection (WIP, prev. EDP)
    − Encrypts “Enterprise Data” by device policy

SLIDE 46

Where’s the Network?

SLIDE 47

What could have stopped that?

Local Admins can export Wifi Profiles

  • Exports any network saved by any user
  • Also exports client-side certificates
    − Ensure the cert private key is not Exportable
    − Consider using RADIUS authentication
  • Consider managing Wifi settings with GPO/MDM
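The “private key is not Exportable” advice above is checkable per device. The following is an added example for this page (not from the deck or from Microsoft) written from the defender’s side: it inventories the saved Wi-Fi profile names (names only, no keys) so you know how much a local admin could walk away with, and flags every user certificate whose private key is marked exportable, which is the property that lets an 802.1X client certificate leave the machine. It assumes Windows 10 with the built-in .NET 4.6+ classes and no extra modules.

```powershell
# Added example, not from the deck: inventory saved Wi-Fi profiles (names only) and find
# user certificates whose private key is exportable. Windows 10 / .NET 4.6+, no extra modules.

function Get-SavedWifiProfileNames {
    # netsh prints lines like "    All User Profile     : CorpWifi"; keep the profile names only.
    (netsh wlan show profiles) | ForEach-Object {
        if ($_ -match 'Profile\s*:\s*(.+)$') { $Matches[1].Trim() }
    }
}

function Get-ExportablePrivateKeys {
    foreach ($cert in Get-ChildItem Cert:\CurrentUser\My | Where-Object HasPrivateKey) {
        $exportable = 'unknown'   # non-RSA keys or keys on a smart card fall through to this
        try {
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if ($rsa -is [System.Security.Cryptography.RSACng]) {
                # CNG keys: ExportPolicy is a flags enum; AllowExport set means the key can be exported.
                $exportable = ($rsa.Key.ExportPolicy -band [System.Security.Cryptography.CngExportPolicies]::AllowExport) -ne 0
            } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                # Legacy CAPI keys carry the flag in the key container info.
                $exportable = $rsa.CspKeyContainerInfo.Exportable
            }
        } catch { }
        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            Exportable = $exportable
        }
    }
}

$profiles = @(Get-SavedWifiProfileNames)
Write-Host "Saved Wi-Fi profiles on this device: $($profiles.Count)"
$profiles | ForEach-Object { "  $_" }

# Any row with Exportable = True is a certificate that could be exported together with its key.
# Re-enroll it non-exportable (or on a TPM-backed key) if it is the Wi-Fi / 802.1X client certificate.
Get-ExportablePrivateKeys | Format-Table -AutoSize
```

Whether a key is exportable is decided at enrollment by the certificate template (“Allow private key to be exported”), so the fix is in the template and a re-enrollment, not on the client.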

SLIDE 48

Attack Pyramid

  • Entry
  • Recon & Movement
  • End Goal / Exfiltration

SLIDE 49

Part 2: Securing the Servers

SLIDE 50

Attack Plan

SLIDE 51

What could have stopped that?

  • LAPS / Better Passwords
    − Generate and Rotate STRONG Local Admin Passwords
  • Device Guard / AppLocker (for non-admins)
    − Prevent running unsigned applications (mimikatz)
  • Credential Guard
    − Prevent dumping hashes
  • Advanced Threat Analytics
    − Detected machine account querying AD

SLIDE 52

What could have stopped that?

  • LAPS
    − Randomize and Change STRONG Local Admin Passwords
  • Windows Firewall
    − Block RDP / Disable RDP, allow trusted sources
  • Group Policy
    − Prevent Remote Use of Local Accounts
  • Network Segmentation
    − Separate Client and Server networks with ACLs
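The two server slides above (LAPS, Credential Guard, firewall scope for RDP, and the Group Policy that stops local accounts being used over the network) can each be verified on a host without a console session. The following posture script is an added example for this page (not from the deck or from Microsoft). It assumes Windows Server 2016 / Windows 10 with the NetSecurity module, the legacy Microsoft LAPS client and its AdmPwd policy key, the English “Remote Desktop” firewall rule group, and an elevated prompt; the remediation subnet at the end is a constructed placeholder.

```powershell
# Added example, not from the deck: posture checks for the server-side mitigations listed above.
# Assumes Windows Server 2016 / Windows 10, NetSecurity module, legacy Microsoft LAPS; run elevated.
#Requires -RunAsAdministrator

function Test-LapsPolicy {
    # Legacy (Microsoft) LAPS stores the applied GPO settings under this key; AdmPwdEnabled = 1 means managed.
    $p = Get-ItemProperty 'HKLM:\Software\Policies\Microsoft Services\AdmPwd' -ErrorAction SilentlyContinue
    [pscustomobject]@{ Check = 'LAPS policy applied'; Ok = ($p.AdmPwdEnabled -eq 1) }
}

function Test-CredentialGuard {
    # SecurityServicesRunning contains 1 when Credential Guard is running (2 = HVCI).
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    [pscustomobject]@{ Check = 'Credential Guard running'; Ok = ($dg.SecurityServicesRunning -contains 1) }
}

function Test-RdpFirewallScope {
    # An enabled RDP rule whose remote address is "Any" is what lets the whole client network reach the server.
    $open = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -ErrorAction SilentlyContinue |
        Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any' }
    [pscustomobject]@{ Check = 'RDP restricted to trusted sources'; Ok = (-not $open) }
}

function Test-DenyLocalAccountNetworkLogon {
    # S-1-5-113 = "Local account", S-1-5-114 = "Local account and member of Administrators group".
    # Denying them network and RDP logon stops a local admin password reused from one host to the next.
    $cfg = Join-Path $env:TEMP 'secpol.inf'
    secedit /export /cfg $cfg /quiet | Out-Null
    $text = Get-Content $cfg -Raw
    Remove-Item $cfg -Force
    $denyNet = [regex]::Match($text, 'SeDenyNetworkLogonRight\s*=\s*(.*)').Groups[1].Value
    $denyRdp = [regex]::Match($text, 'SeDenyRemoteInteractiveLogonRight\s*=\s*(.*)').Groups[1].Value
    [pscustomobject]@{
        Check = 'Local accounts denied network + RDP logon'
        Ok    = ($denyNet -match 'S-1-5-113' -and $denyRdp -match 'S-1-5-113')
    }
}

$report = @(Test-LapsPolicy; Test-CredentialGuard; Test-RdpFirewallScope; Test-DenyLocalAccountNetworkLogon)
$report | Format-Table -AutoSize

# Remediation for the RDP finding. The subnet is a constructed placeholder; use the management network.
# Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -RemoteAddress '10.10.0.0/24'
```

The user-rights check reads the exported security template rather than the registry because “Deny access to this computer from the network” and “Deny log on through Remote Desktop Services” live only in the local security database; the same two rights are what the slide’s Group Policy item sets at scale.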

SLIDE 53

What’s on this Server?

SLIDE 54

What could have stopped that?

  • Group Managed Service Accounts
    − Passwords managed by Machines, not saved in registry
  • Device Guard / AppLocker
    − Prevent running unsigned applications
  • GPO / Access Control
    − Prevent Service Accounts from logging in remotely
  • Monitor with OMS / SysMon

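A gMSA removes the “service secrets” from the server because no human ever knows the password: the DCs derive it from the KDS root key and only the hosts you name can retrieve it. The following is an added example for this page (not from the deck or from Microsoft) that creates one with the ActiveDirectory module and then audits who may retrieve each gMSA’s password. The account name svc-app01 and the host group APP01-Servers are constructed for the example; it assumes a 2012-or-later domain, Domain Admin rights, and RSAT or a DC session.

```powershell
# Added example, not from the deck: create and verify a Group Managed Service Account (gMSA).
# Names below (svc-app01, APP01-Servers) are constructed for the example.
# Assumes a Windows Server 2012+ domain, Domain Admin rights, and the ActiveDirectory module (RSAT or a DC).
Import-Module ActiveDirectory

# One-time per forest: the KDS root key the DCs use to derive gMSA passwords.
# (-EffectiveImmediately still needs ~10 hours of replication before every DC can use it.)
if (-not (Get-KdsRootKey)) { Add-KdsRootKey -EffectiveImmediately | Out-Null }

$gmsaName  = 'svc-app01'       # constructed service account name
$hostGroup = 'APP01-Servers'   # constructed group of hosts allowed to retrieve the password
$dnsName   = "$gmsaName.$((Get-ADDomain).DNSRoot)"

if (-not (Get-ADGroup -Filter "Name -eq '$hostGroup'")) {
    New-ADGroup -Name $hostGroup -GroupScope Global -GroupCategory Security | Out-Null
}

# Only members of $hostGroup can fetch the password; nobody types it, so nothing sits in the registry
# or in a service's "Log On As" dialog, and it rotates every 30 days without an outage.
New-ADServiceAccount -Name $gmsaName -DNSHostName $dnsName `
    -PrincipalsAllowedToRetrieveManagedPassword $hostGroup `
    -ManagedPasswordIntervalInDays 30 -Enabled $true

# On each application host, after a reboot so the new group membership is in its token:
#   Install-ADServiceAccount -Identity 'svc-app01'
#   Test-ADServiceAccount  -Identity 'svc-app01'   # True when this host can retrieve the password
# Then set the service to run as DOMAIN\svc-app01$ with an empty password.

# Audit: every gMSA and who may retrieve its password. A gMSA retrievable by "Domain Computers"
# is a shared secret for the whole domain and should be tightened to a host group.
Get-ADServiceAccount -Filter * -Properties PrincipalsAllowedToRetrieveManagedPassword |
    Select-Object Name, @{ n = 'AllowedPrincipals'; e = { $_.PrincipalsAllowedToRetrieveManagedPassword -join '; ' } } |
    Format-Table -AutoSize
```

The audit at the end is the part worth scheduling: the slide’s “GPO / Access Control” item keeps service accounts from logging on remotely, and the retrieval list keeps the password itself on the hosts that need it.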

SLIDE 55

Attack Pyramid

  • Entry
  • Recon & Movement
  • End Goal / Exfiltration

SLIDE 56

@MrShannonFritz

Attack Plan

SLIDE 57

Stealing AD from the Shadows

SLIDE 58

What could have stopped that?

  • Network Segmentation
    − Restrict network access to the DCs
  • GPO / Access Control
    − Prevent non-Domain Admins from logging in to DCs
    − Prevent Domain Admin accounts from being used on non-DCs
  • Isolation / Protection
    − Restrict access to the DCs’ physical / virtual hardware

SLIDE 59

Attack Plan

SLIDE 60

Attack Mitigation Plan

Matrix of the demoed attacks against the mitigations that address them, as read from the slide:

  • Attacks: stickykeys hijack, remote shell, macro, data theft, wifi psk dump, reconnaissance, rdp, vss copy ntds.dit, service secrets, skeleton key, krbtgt golden ticket
  • Mitigations: bitlocker, macro security gpo, azure rms, wip, certificate wifi, defender atp, gpo, aad join / intune, ata, gmsa, device guard, isolation, gpo / dsc, oms / sysmon

SLIDE 61

NIST Cybersecurity Framework Core

Identify

  • Asset Inventory
  • Patches and Updates
  • Risk Management
  • Policies

Protect

  • Credentials & Identity
  • Network Access
  • User Training
  • Data Security
  • Baseline Configuration

Detect

  • Nefarious Activity
  • Malicious Code
  • Unauthorized Users
  • Unauthorized Devices
  • External Services

Respond

  • Investigations
  • Forensics
  • Incidents
  • Containment
  • Public Relations

Recover

  • Business Continuity
  • Communications

Microsoft and 3rd Party Products

  • OMS : Operations Management Suite

  • SC Operations Mgr
  • SC Configuration Mgr
  • SC Service Manager
  • Intune
  • Cloud App Security
  • ServiceNOW
  • MIM : Identity Mgr
  • MIM PAM
  • AAD Premium / PIM
  • Azure MFA
  • Intune
  • Conditional Access
  • Azure App Proxy
  • BitLocker
  • Office 365 ATP
  • OMS
  • Advanced Threat Analytics

  • OMS
  • Azure AD Premium
  • Defender ATP
  • Cloud App Security
  • O365 Compliance Cntr
  • Lookout App Security
  • OMS
  • SC Service Manager
  • ServiceNOW
  • Hyper-V
  • Storage Replica
  • DFS
  • OneDrive for Business
  • OMS : Site Recovery
  • SC DPM
  • Veeam
  • ServiceNOW

SLIDE 62

Acknowledgements / Learn More

  • Sami Laiho – wioski.com
  • Sean Metcalf – adsecurity.org
  • Rob Fuller – mubix, room362.com, hak5
  • Paula Januszkiewicz – cqureacademy.com
  • Robert Reif – cynosure prime password research
  • Michael Goetzman – cyphercon.com
  • Marcus Murray & Hasain Alshakarti – Truesec
  • Troy Hunt – haveibeenpwned.com, troyhunt.com

SLIDE 63

Securing Content and Communication

SLIDE 64

Securing Content and Communication

  • Review of security issues with content and communications scenarios, and live review of an example
  • Review of technologies to protect content and communications scenarios, and live review of an example
  • How to get started with protecting content and communications scenarios through both policy and technology

SLIDE 65

Data protection realities

  • 87% of senior managers admit to regularly uploading work files to a personal email or cloud account.*
  • 58% have accidentally sent sensitive information to the wrong person.*
  • ? % focus on data leak prevention for personal devices, but ignore the issue on corporate-owned devices where the risks are the same

SLIDE 66

Security Issues with Content and Communications

  • Confidential content is everywhere
  • Content needs to be shared, despite its security status
  • Certain locations should never access content
  • Content is shared when not intended to be

SLIDE 67

Modern Content Security Needs

  • Protect various content types
  • Protect in-place and in-flight
  • Share with anyone securely
  • Important applications and services are enlightened
  • Meet varied organizational needs
  • Protect everywhere and layer security

SLIDE 68

Technical Solution Layers Applied

Network

  • Location Awareness for Office365 w/ MFA

Application

  • Office365 applies Azure Information Protection

Information

  • Azure Information Protection

Operating System

  • Local Bitlocker Encryption

Identity

  • EM+S with Azure Active Directory Platform

Management

  • Operations Management Suite (OMS)
  • Enterprise Mobility + Security
  • ServiceNow

SLIDE 69

Steps to Starting Out

  • Define corporate content types and scenarios based on business use cases and organizational policies
  • Build rights management policies based on defined business requirements
  • Incrementally roll out location awareness and Azure Information Protection based on the defined rights management policies and business requirements

SLIDE 70

Concurrency’s engagements

  • Plan and Design: Review, assess and make a plan, strategic and tactical, working with the CISO
  • Execution: Address threats through targeted process improvements, technologies, and education
  • Continuous improvement: Develop a backlog and keep improving the security state

SLIDE 71

Thank you!