How we see malware introduced Phishing Targeted Phishing Water hole Download (software (+ free ), music, films, serialz)

Transcription

1

2

3

4

5 How we see malware introduced Phishing Targeted Phishing Water hole Download (software (+ free ), music, films, serialz)

6 Domain.Local DC Client DomainAdmin Attack Operator

7

8 Advise Protect Detect Respond E N G A G E

9 Assessment, Education, Mitigations Premier Security Advisor Security Assessments Workshops Active Directory Windows SQL Exchange Securing Windows Client Securing Windows Server Forensics (english) Web Servers Sharepoint Direct Access PKI Bitlocker and MBAM Right Management Services Certificate Services Mitigations POP - Securing Lateral Account Movements POP - EMET POP Hardening AD Domain and DC Bulletin Advisor Direct Access Endpoint Protection Enterprise Auditing Microsoft Confidential

10

11 Protect Protection for your most valuable assets and accounts to help prevent compromise from cyber-attacks Microsoft Security Risk Assessment (MSRA) Rapid review of customer s IT security program, tailored to business and security needs On-site, in-person interviews and technical examination to provide a comprehensive look at security technologies and operational practices Examination of the program s business foundations, including security goals, risk posture, and policies and standards Security Development Lifecycle Services (SDL) Microsoft provides an assessment of your software assurance program, identifies enhancements, and delivers a roadmap to strengthen and mature your software development practices. Enhanced Security Administration Environment (ESAE) & Privileged Administrator Workstation (PAW) The ESAE offering leverages advanced security technologies and recommended practices to provide administrative environments and workstations with enhanced security protection. EMET Enterprise Reporting (EMET ERS) Pilot deployment of (EMET) to including deployment of Enterprise Reporting Services and dashboard for all EMET mitigated events. Detect Respond Continuous monitoring of your network for attacks, vulnerabilities, and persistent threats Investigate and disrupt suspicious events to provide a diagnosis and potential mitigations Microsoft Threat Detection Service (MTDS) Allows customers to detect errors and report them to check for malicious activity. It also helps in deriving intelligence from the error reports to regulate and manage errors efficiently. Persistent Adversary Detection Service (PADS) Proactively determine whether a system is under threat via a discreet incident response prior to an actual emergency and examines high value assets or a sample of systems for signs of advanced implants not typically found by commodity anti-virus or intrusion detection system technologies. Incident Response Microsoft offers the IR&R service to determine whether a system is under targeted exploitation via a discreet incident response engagement that examines high value assets or exploited systems for signs of advanced implants not typically found by commodity anti-virus or intrusion detection system technologies.

12 Our approach consists of the following strategic assessments to help assess the current environment and processes, and then deliver a roadmap for meeting business goals and objectives: Assessments The MSRA was developed by Microsoft to provide a Risk Assessment service to help customers manage risk in their complex enterprise environments. SDL is a software development process that helps customers build more secure software and address security compliance requirements while reducing development cost.

13 The main recommendations concern credential hygiene, security monitoring, and configuration management. All three of these items should be done as quickly as possible because of the extreme risk of credential theft and of compromise to the CUSTOMER systems

14 48 hours - The average time it takes to get Domain Administrator credentials once a single machine has been compromised within the environment.

15 With 8.1/2012 R2 Features Production Domain(s) Domain and Forest Enhanced Security Admin Environment (ESAE) Domain and Forest Administration Security Alerting Hardened Hosts and Accounts Application & Service Hardening Server and System Management App and Data Management Privileged Account Workstation (PAW) Lateral Traversal Mitigations Helpdesk and Workstation Management User Assistance and Support Managed Access Request System (MARS) Protected Users Auth Policies and Silos RDP w/restricted Admin

16 EMET Production Pilot Assist with your EMET Deployment to pilot group of workstations EMET ERS (Enterprise Reporting Services) Deployment and Configuration Provides a Dashboard roll-up view of EMET events Top 10 Machines; Hourly EMET mitigation events; Compliance Reports; Trending and Analysis Benefits: All EMET Agents will act as a sensor on your network EMET ERS can be used to help speed tune EMET during your pilot and deployment and provide basic detection EMET will also work in conjunction with MTDS

17 MTDS On premise MTDS Hosted Malware will normally cause applications or the whole operating system to crash. These crashes which include a memory dump can be collected and analysed. No agent required simple configuration update to point error logs to a central collector. Can detect 0-day and custom unique malware code. Robust Security Technologies Reporting with Actionable Data Unique to Microsoft Unique malware database which is built up by the worlds largest sensor network

18 Worldwide Sensor Network and Ecosystem Insight

19 Respond - IR/PADS

20 The Incident Response and Recovery Service (IR&R) is an offering for clients who are looking to investigate and disrupt today s determined human adversaries and similar advanced actors who specialize in targeted exploitation. The service is an onsite, discreet incident response engagement that involves the examination of high value assets or known exploited systems for signs of advanced implants not typically found by commodity AV or IDS technologies. A team of Microsoft IR&R consultants travel to the customer site and perform analyses on the affected servers or endpoints as a starting point. The team utilizes a sophisticated toolset that leverage custom Microsoft capabilities including specialized detection tools, malware analysis, signature generation, and custom cyber intelligence. Typical period of performance is one work week at the customer site, but can be customized for large clients with multiple geographic sites or organizational components.

21 What if I have a Cybersecurity Incident? For Incident Response, start using your existing Microsoft Premier Services agreement GBS Security Deep Remote Technical Support Cybersecurity IR&R Team Onsite Security Incident Response Team Any staff member who has been authorized with access to open Premier Support cases should do so with a Severity A classification for Cyber incidents. GBS First Responder Global Onsite Support within 24-hours or less

22 Under attack Suspicious of an attack/needs detection Cybersecurity strategy & approach IR&R PADS MTDS MSRA, ADSA SDL ESAE PAW EMET-ERS

23 Massive global telemetry Software and Services company Target for cyber attacks Malicious Software Removal Tool 700 millions monthly Bing +18B pages scans per month Windows Defender 250 millions Exchange Online 35 billion messages scanned Digital Crimes Unit (CITP) Builds the software people relies on Security Development Lifecycle ISO/IEC :2011 Operates major online and cloud services Cloud Security Alliance Unparalleled visibility into the threat environment MSIT ISRM internal experiences ACE team Global Foundation Services Global Business Support Security

24 Massimo Agrelli CyberSecurity Architect Microsoft Services Cybersecurity Global Practice 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.