Securing the Digital Transformation - Concurrency

Dominos Pizzas (France) Evernote 50000000. ... Password Extraction. Respond. Detect. Recover. Protect. ... Local Admins can export Wifi Profiles...

2 downloads 626 Views 3MB Size
Securing the Digital Transformation Overview

Largest Data Breaches Hacks resulting in loss of more than 30,000 records Banner Health

Anthem 800000000

Clinton Campaign

Latest

British Airways

2015

2014

Adult Friend Finder

Community Health Services

Hacking Team

Ebay

Invest Bank

Japan Airlines

Kromtech

Telegram

Premera

MSpy

National Childbirth Trust

JP Morgan Chase 76000000

Verizon

Wendy’s Syrian Government

VK 100544934

Securus Technologies 70000000

Vtech

NASDAQ

Sony Pictures

Mac Rumours .com Neiman Marcus

Apple

Adobe 36000000

2013

MySpace 164000000

Experian / T-Mobile

CarPhone Warehouse

Dominos Pizzas (France)

AOL 2400000

Linux Ubuntu forums

Carefirst

AshleyMadison.com

uTorrent

Philippines’ Commission on Elections 55000000

Mail.ru 25000000

Central Hudson Gas & Electric

A&B Altegrity

Evernote 50000000

European Central Bank

Home Depot 56000000

Nintendo

LivingSocial 50000000

OHV

TalkTalk

Target 70000000

Staples

US Office of Personnel Management (2nd Breach)

UPS

US Office of Personnel Management

Yahoo Japan

Scribd Twitch TV Washington State Court System

Ubuntu

Source: Informationisbeautiful.net

Digital Transformation Realized™

2

Economic Impact from Cybercrime

$162m

$1 billion

$171m

Target

JPMorgan

Sony

Digital Transformation Realized™

3

Risk Mitigation and Digital Transformation

Digital Transformation Realized™

1

The Digital Transformation is driving change in the way IT is leveraged throughout the business

2

The way IT is secured and risks mitigated within the business will also rapidly evolve as threats enter new vectors

3

The technologies for mitigating risks are a combination of longstanding best practices and modern capabilities

4

The defense against the modern (and existing) threats of the Digital Transformation start now

4

The Digital Transformation is driving change in the way IT is leveraged throughout the business

Companies are Becoming More Digital

Customers

Partners

Employees

Enabling the customer experience with technology

Enabling partner interactions through technology

Driving efficiency in internal operations

Digital Transformation Realized™

6

Transformative vs. Non-Transformative

Digital Transformation Realized™

7

Digital Transformation

Modern IT Management DevOps and IT Service, Business Process Transformation, Governance

Mobile

Secure

Mobile

IoT, Mixed Reality, Collaboration, ECM, BPM

Analytics & Data BI, SQL, Predictive Analytics, Big Data

Digital Transformation Realized™

Modern Applications

Customer Engagement CRM, Extranets, B2B solutions

Cloud Data Center

Secure

Identity & Device Management , Cloud Integration & Management, Unified Communications

8

The way IT is secured and risks mitigated within the business will rapidly evolve as threats enter new vectors

Top New Threats with Financial Impact Customer User Database Compromise

Predictive Analytics Compromise

IoT Device Compromise

Source Code Compromise

Internal Identity Compromise

Social Engineering Theft

Confidential Data Compromise

Physical Access paired with Theft

Digital Transformation Realized™

10

Modern Security Layers to Mitigate Risk

Network

Operating System

Information

Communications

Digital Transformation Realized™

Identity

Management

Application

Physical

11

NIST Security Framework Identify

Recover

Respond

Digital Transformation Realized™

Digital Transformation

Protect

Detect

12

Risk Mitigation Combining Layers and NIST Identify

Network

 Cloud threat identification

Operating System Identity

Recover

Protect

 Declarative configuration

 Cloud consistent protection patterns

Application

Digital Transformation

Information Communications Management

Respond

Detect

 Automated response mechanisms

 Big data detection patterns

Physical Digital Transformation Realized™

13

Modern Security Layers and NIST Identify

Network The extent to which traffic can reach the intended destination based on its qualities, being from a known source, appropriate port, and of certain characteristics.

Recover

Millions of hacked agents

Digital Transformation

Protect

Network boundary is everywhere Respond

Detect

Applications are customer facing

Digital Transformation Realized™

14

Modern Security Layers and NIST Identify

Operating System The extent to which the operating system is protected from attack based on its inherent flaws, as well as the extent to which it provides for modern protections from modern invasive approaches.

Recover

Out-of-Date Operating Systems

Digital Transformation

Protect

Your clients are your network boundary Respond

Detect

IoT clients, mobile, and devices exposed

Digital Transformation Realized™

15

Modern Security Layers and NIST Identify

Identity The extent to which authentication to an application provides a more important role in security in the modern age, as well as what access the authenticated person has based on role based access control.

Recover

Weak passwords everywhere

Digital Transformation

Protect

Applications not properly identity secured

Brute force techniques increasing in capability

Digital Transformation Realized™

Respond

Detect

16

Modern Security Layers and NIST Identify

Application The security of the actual application itself, as was tested and written using patterns and practices which mitigate known threats and attack vectors. Applications using APIs and features with known flaws

Recover

Digital Transformation

Protect

Interaction between application components Respond

Detect

Boundary security flaws on endpoint

Digital Transformation Realized™

17

Modern Security Layers and NIST Identify

Information The extent to which documents and data are protected regardless of location and are controlled based on their qualities.

Confidential information is widely accessible

Recover

Digital Transformation

Protect

Secure content is used to gain other content Respond

Detect

Users who “should” have access change

Digital Transformation Realized™

18

Modern Security Layers and NIST Identify

Management The extent to which management tools have evolved to address modern threats which require analysis and response exceeding manual effort. These scenarios look more like “big data” and machine learning scenarios than manual reviews and responses that traditional security practices employed.

Breadth of threats exceeds human capabilities

Recover

Digital Transformation

Protect

Response needs are immediate Respond

Detect

Employees not properly trained

Digital Transformation Realized™

19

Modern Security Layers and NIST Identify

Communications The extent to which application communications (or even personal communications) are protected and private based on identity and application qualities.

No assurance that the network is secured

Recover

Digital Transformation

Protect

Modern devices are connected to the internet Respond

Detect

Pass-the-Hash, Password Extraction

Digital Transformation Realized™

20

The technologies for mitigating risks are a combination of longstanding best practices and modern capabilities

Mapping in Technology Solutions NIST CSF to Category / Microsoft technology map

Protect (PR)

PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition

Data Security (PR.DS): Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information.

PR.DS-4: Adequate capacity to ensure availability is maintained

PR.DS-5: Protections against data leaks are implemented

PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity PR.DS-7: The development and testing environment(s) are separate from the production environment

Cloud Datacenter Modern IT Management

Operations Management Suite & System Center

Customer Enablement Cloud Datacenter Modern IT Management

Enterprise Mobility Suite Operations Management Suite & System Center Azure Resource Management Standards Office365

Customer Enablement Modern IT Management

Enterprise Mobility Suite Operations Management Suite & System Center

Cloud Datacenter Modern IT Management

Azure Resource Management Standards Visual Studio Team Services

Modern IT Management

Operations Management Suite &System Center ServiceNow

Modern IT Management

Visual Studio Team Services Operations Management Suite & System Center ServiceNow

PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained

PR.IP-2: A System Development Life Cycle to manage systems

is implemented

Digital Transformation Realized™

22

Tool Categories and Mapping

Modern Service Management Platform

ServiceNow

Digital Transformation Realized™

Modern Operational and Automation Platform

Modern Development Platform

Operations Management Suite

Visual Studio Team Services

Predictive Analytics

Azure Machine Learning

23

Tool Categories and Mapping

Client Management Platform

Enterprise Mobility + Security Suite

Collaboration and Business Process Platform

Cloud Platform

End User Computing Platform

Office365

Azure Platform as a Service

Windows 10

Dynamics 365

Azure Cloud Platform, Windows Server

Microsoft IoT Platform

Azure Stack

Digital Transformation Realized™

24

Anatomy of Attacks and Defense Power BI

Log Data

IoT Suite I

EMS SCCM MIM

I

ATA

Inventory

Dynamics ServiceNow Log Data

ML OMS

Automation

Azure

Inventory

USTS ARM + Code DSC

Log Data

ARM + DSC Code

Azure Stack VM Ware

Log Data/IDS

Log Data

Network

System Center Digital Transformation Realized™

25

Demo

The defense against the modern threats of the Digital Transformation start now

Steps to Starting Out

First

Second

Then

Admit that you can do better

Know that you can always do better

Make a plan for addressing the security threats that are most relevant based on risk and financial impact

Digital Transformation Realized™

28

Who Do You Want to Be?

Disorganized, Hidden, Unprepared Digital Transformation Realized™

Organized, Transparent, Prepared 29

Get Specific with Assessments Discover

ID

System

Owner

00001

Workstations and Servers

Denise Smith

00002

Active Directory

Qiong Wu

00003

Workstations and Servers

Naoki Sato

00004

Business Culture

Daniel Roth

00005

WiFi

Andrea Dunker

00006

Workstations and Servers

Eric Gruber

Digital Transformation Realized™

Business Process

Hardware Product

Assess

Software Product

Configuration

Threat

Vulnerability

Controls

Impact (Low-MedHigh)

Complexity (Low-MedHigh)

Risk (Low-MedHgih)

Priority

X

Privilege Escalation

Local Administrators

LAPS

High

Low

High

1

Unauthorized Use

Privileged Accounts

MIM PAM

Med

Med

Low

4

X

Code Execution

Patching

SCCM

X

Med

Med

3

X

Social Engineering

Phishing

KnowBe4

High

Low

High

2

802.1X

Low

High

Med

5

Device Guard

High

High

Med

6

X

Unauthorized Pre-shared Key Use

X

X

Business Data Loss

Malicious Software

30

Concurrency’s Engagements

Plan and Design

Execution

Continuous Improvement

Review, assess and make a plan, strategic and tactical, working with CISO

Address threats through targeted process improvements, technologies, and education

Develop a backlog and keep improving the security state

Digital Transformation Realized™

31

Key points

Digital Transformation Realized™

1

Understand that security is not something to procrastinate on

2

Leverage NIST CSF to develop a prioritized plan

3

Address key operating system and identity threats first

4

Don’t underestimate the importance of a security management platform

32

Digging into the Details Presentations on individual scenarios for the Digital Transformation, including:

Securing the Client to Application Threat: Part 1

Securing the Client to Application Threat: Part 2

Securing Content and Communications

You will have access to the NIST to Technology Mapping, the whitepaper, and this presentation through a follow-up call Digital Transformation Realized™

33

Part 1: Securing the Client An Employee, their Laptop and a Hacker walk into a Bar…

What do you think? We are not an appealing target for attackers, I’m probably fine. I couldn’t stop them anyway. An attacker would need to get someone’s password to start hacking on us. Breaking into our Network would require an experienced and sophisticated attacker.

Digital Transformation Realized™

35

Attack Methods in this Demo  I’m using some of the laziest methods  They are easy to demo and understand  Much better methods and tools are available  They are easy to use, but might feel abstract

Digital Transformation Realized™

36

Attack Pyramid

Entry Reconn & Movement End Goal / Exfiltration Digital Transformation Realized™

37

Attack Plan

Digital Transformation Realized™

38

What could have stopped that? BitLocker Would have prevented access to the file system  Is built-in to Windows Enterprise/Pro Edition  Manage with GPO, MBAM, AAD Join / Intune − “InstantGo” capable devices (aka Connected Standby) − Microsoft Surface/Book, Lenovo ThinkPad, Dell Venue

Digital Transformation Realized™

39

Azure AD Join / Domain Join++  Conditional Access  Single Sign On  Enterprise State Roaming  MDM Registration / Intune  New Intune Portal!

Digital Transformation Realized™

40

What else could have happened? Social Engineering  Walk-up Access in office  Phishing with Macros  Remote Command and Control

Digital Transformation Realized™

41

Let’s go Phishing

What could have stopped that? Macro Security settings GPO to “Disable all except digitally signed”  GPO for Trust Center/Trusted Locations  Client Activity Analysis with Defender ATP

Digital Transformation Realized™

43

What’s on this Laptop?

What could have stopped that?  BitLocker (indirectly) − Encrypts the file system, not files  Azure Information Protection (Azure RMS) − Encrypts individual files by user action*  Windows Information Protection (WIP, prev. EDP) − Encrypt “Enterprise Data” by device policy

Digital Transformation Realized™

45

Where’s the Network?

What could have stopped that? Local Admins can export Wifi Profiles  Exports any network saved by any user  Also exports client-side certificates − Ensure the cert private key is not Exportable − Consider using RADIUS authentication  Consider managing Wifi setting with GPO/MDM

Digital Transformation Realized™

47

Attack Pyramid

Entry Reconn & Movement End Goal / Exfiltration Digital Transformation Realized™

48

Part 2: Securing the Servers

Attack Plan

Digital Transformation Realized™

50

What could have stopped that? − LAPS / Better Passwords • Generate and Rotate STRONG Local Admin Passwords − Device Guard / AppLocker (for non-admins) • Prevent running unsigned applications (mimikatz) − Credential Guard • Prevent dumping hashes − Advanced Threat Analytics • Detected machine account querying AD

Digital Transformation Realized™

51

What could have stopped that?  LAPS − Randomize and Change STRONG Local Admin Passwords  Windows Firewall − Block RDP / Disable RDP, allow trusted sources  Group Policy − Prevent Remote Use of Local Accounts  Network Segmentation − Separate Client and Servers networks with ACLs

Digital Transformation Realized™

52

What’s on this Server?

What could have stopped that? Group Managed Service Accounts − Passwords managed by Machines, not saved in registry

 Device Guard / AppLocker − Prevent running unsigned applications  GPO / Access Control − Prevent Service Accounts from logging in remotely  Monitor with OMS / SysMon

Digital Transformation Realized™

54

Attack Pyramid

Entry Reconn & Movement End Goal / Exfiltration Digital Transformation Realized™

55

Attack Plan

Digital Transformation Realized ™

Digital Transformation Realized™

@MrShannonFritz 56

Stealing AD from the Shadows

What could have stopped that?  Network Segmentation − Restrict network access to the DC’s  GPO / Access Control − Prevent Non-Domain Admin’s from logging in to DC’s − Prevent Domain Admin’s from being using on Non-DC’s  Isolation / Protection − Restrict access to the DC’s Physical / Virtual hardware

Digital Transformation Realized™

58

Attack Plan

Digital Transformation Realized™

59

Attack Mitigation Plan reconnaissance

stickykeys hijack remote shell macro

service secrets

data theft

rdp

wifi psk dump

bitlocker wip macro security gpo azure rms aad join / intune Digital Transformation Realized™

vss copy ntds.dit skeleton key krbtgt golden ticket

gpo isolation

certifitate wifi defender atp ata

gmsa

device guard

device guard oms / sysmon gpo / dsc 60

NIST Cybersecurity Framework Core Identify    

Asset Inventory Patches and Updates Risk Management Policies

 OMS : Operations Management Suite  SC Operations Mgr  SC Configuration Mgr  SC Service Manager  Intune  Cloud App Security  ServiceNOW

Protect

Detect

    

Credentials & Identity Network Access User Training Data Security Baseline Configuration

    

Nefarious Activity Malicious Code Unauthorized Users Unauthorized Devices External Services

         

MIM : Identity Mgr MIM PAM AAD Premium / PIM Azure MFA Intune Conditional Access Azure App Proxy BitLocker Office 365 ATP OMS

 Advanced Threat Analytics  OMS  Azure AD Premium  Defender ATP  Cloud App Security  O365 Compliance Cntr  Lookout App Security

Recover

Respond     

Investigations Forensics Incidents Containment Public Relations

 OMS  SC Service Manager  ServiceNOW

 Business Continuity  Communications

       

Hyper-V Storage Replica DFS OneDrive for Business OMS : Site Recovery SC DPM Veeam ServiceNOW

Microsoft and 3rd Party Products

Digital Transformation Realized™

61

Acknowledgements / Learn More  Sami Laiho – wioski.com  Sean Metcalf – adsecurity.org  Rob Fuller – mubix, room362.com, hak5  Paula Januszkiewicz – cqureacademy.com  Robert Reif – cynosure prime password research  Michael Goetzman – cyphercon.com  Marcus Murray & Hasain Alshakarti – Truesec  Troy Hunt – haveibeenpwned.com, troyhunt.com

Digital Transformation Realized™

62

Securing Content and Communication

Securing Content and Communication Review of security issues with content and communications scenarios and live review of example

Review of technologies to protect content and communications scenarios and live review of example

How to get started with protecting content and communications scenarios through both policy and technology

Digital Transformation Realized™

64

Data protection realities 87%

87% of senior managers admit to regularly uploading work files to a personal email or cloud account.* Digital Transformation Realized™

58% have accidentally sent sensitive information to the wrong person.*

58%

?%

Focus on data leak prevention for personal devices, but ignore the issue on corporate owned devices where the risks are the same 65

Security Issues with Content and Communications

Confidential content is everywhere

Certain locations should never access content

Digital Transformation Realized™

Content needs to be shared, despite its security status

Content is shared when not intended to be

66

Modern Content Security Needs

Protect various content types

Protect in-place and in-flight

Share with anyone securely

Important applications and services are enlightened

Meet with varied organizational needs

Protect everywhere and layer security

Digital Transformation Realized™

67

Technical Solution Layers Applied Network

• Location Awareness for Office365 w/ MFA

Application

• Office365 applies Azure Information Protection

Information

• Azure Information Protection

Operating System Identity Management

Digital Transformation Realized™

• Local Bitlocker Encryption • EM+S with Azure Active Directory Platform • Operations Management Suite (OMS) • Enterprise Mobility + Security • ServiceNow

68

Steps to Starting Out Define corporate content types and scenarios based on business use cases and organizational policies

Build rights management policies based on defined business requirements

Incrementally roll out location awareness and Azure Information Protection based on the defined rights management policies and business requirements

Digital Transformation Realized™

69

Concurrency’s engagements Plan and Design Review, assess and make a plan, strategic and tactical, working with CISO

Execution Address threats through targeted process improvements, technologies, and education

Continuous improvement Develop a backlog and keep improving the security state

Digital Transformation Realized™

70

Thank you!