26
FTL CIO Council October 18, 2017 Meeting Anthony Puca Cloud Infrastructure Architect |Federal Government
FTLCIOCouncilOctober18,2017MeetingAnthonyPucaCloudInfrastructureArchitect |FederalGovernment
http://www.amazon.com/System-Center-Configuration-Manager-Unleashed/dp/0672330237
http://www.amazon.com/Microsoft-Office-365-Administration-Inside/dp/0735678235
(http://www.amazon.com/Microsoft-Azure-Planning-Deploying-Managing/dp/1484210441)
4
Momentum
750million
194billion
188billion
340billion
>90%ofFortune500useMicrosoftCloud
5
CloudbusinessvaluemadeeasyOnPremises
Toppings
TomatoSauce
Assembly
Peel/Cutter
Oven
PizzaDough
Beverages
Dining Table
Electric/Gas
Youmanage
Infrastructure(asaService)
Toppings
TomatoSauce
Assembly
Peel/Cutter
Oven
PizzaDough
Beverages
Dining Table
Electric/Gas
ManagedbyVendor
Youmanage
Take&BakeMadeatHome
Platform(asaService)
ManagedbyVendor
Youmanage
Toppings
TomatoSauce
Assembly
Peel/Cutter
Oven
PizzaDough
Dining Table
Electric/Gas
Beverages
PizzaDelivered
ManagedbyVendor
Software(asaService)
Toppings
TomatoSauce
Assembly
Peel/Cutter
Oven
PizzaDough
Dining Table
Electric/Gas
Beverages
DineOut
YouManage
VendorManages
6
AzurebusinessvalueOnPremises
Storage
Servers
Networking
O/S
Middleware
Virtualization
Data
Applications
Runtime
Youmanage
Infrastructure(asaService)
Storage
Servers
Networking
O/S
Middleware
Virtualization
Data
Applications
Runtime
ManagedbyM
icrosoft
Youmanage
Windows AzureVirtualMachinesWindows ServerHyper-VWindows Server
Platform(asaService)
ManagedbyM
icrosoft
Youmanage
Storage
Servers
Networking
O/S
Middleware
Virtualization
Applications
Runtime
Data
Windows AzureCloudServices
ManagedbyM
icrosoft
Software(asaService)
Storage
Servers
Networking
O/S
Middleware
Virtualization
Applications
Runtime
Data
Office365DynamicsCRM
YouManage
MicrosoftManages
7
RegulatoryCompliance
8
TrustCenter- https://www.microsoft.com/en-us/TrustCenter/default.aspx
Azurecovers54complianceregimesAzurehasthedeepest andmostcomprehensive compliancecoverageinthe industry
USGov
HIPAA/HITECHAct
ModerateJABP-ATO FIPS140-2
FERPA
DoDDISASRGLevel2 ITAR CJIS
GxP21CFRPart 11
IRS1075Section508VPAT
Global
ISO27001SOC1Type2ISO27018
CSASTARSelf-Assessment
Regional
SingaporeMTCS
UKG-Cloud
AustraliaIRAP/CCSL
FISCJapan
ChinaDJCP
NewZealandGCIO
ChinaGB18030
EUModelClauses
ENISAIAF
ArgentinaPDPA
JapanCSMarkGold
SP800-53&171
ChinaTRUCS
SpainENS
Industry
PCIDSSLevel1 CDSA
SharedAssessmentsMPAA
JapanMyNumber Act
FACTUK
HighJABP-ATO
GLBA
DoDDISASRGLevel4
MARS-E FFIEC
ISO27017SOC2Type2 SOC3
IndiaMeitY
CanadaPrivacyLaws
PrivacyShield
ISO22301
GermanyITGrundschutzworkbook
SpainDPA
CSASTARCertification
CSASTARAttestation
HITRUST IGToolkitUK
DoDDISASRGLevel5
ISO9001
Trust
ISO27001
FERPA
HIPAA/BAA
15
DetectRespond
Recover Protect
DigitalTransformation
Identify
16
Protect Detect Respond Recover
AzureADIdentity Protection
Advanced ThreatAnalytics/Identity ManagerOffice365ATP
Windows DefenderATP/DefenderAV
MicrosoftCloudApp Security
AzureSecurity CenterAzureWebApp Firewall/SQLThreatDetection
AzureMarketplacePartnerCapability
AttackTimelineGeneration
Isolatemachinefromnetwork
RemoveMalware
Block&CleanEmail
Self-ServicePasswordReset
ObserveAdversaryOperation
RefineDetectionsandPreventions
EventCorrelation&DynamicQueries
AttackImpactanalysisUser&Entity
BehaviorAnalytics
FileBehaviorAnalysis(Sandbox Detonation orRealtimeMonitoring)
MaliciousURLsandIPaddresses
OWASPTopRisks(SQLInjection, XSS,etc.)
Anti-malware
Quarantine sharedSensitive Data
OnDemandDetonation
MachineLearningBlockingRisky Events Anomaly Detection
17
TrendsinCloudSecurity
18
Coresecurityquestions
Thereisonepersonineveryorganizationwhowillclickonanything
1. Weknowthatadministratorshavethekeystothekingdom;wegavethemthosekeysdecadesago
2. Butthoseadministratorsprivilegesarebeingcompromisedthroughsocialengineering,bribery,coercion,privateinitiatives
Stolenadmincredentials
Insiderattacks
Phishingattacks
20
FirstWorkstationCompromised
24-48Hours
DomainAdminCompromised
AttackDiscovered
DataExfiltration(AttackerUndetected)11-14months
Research&Preparation
Theanatomyofatypicalbreach
21
PLAN ENTER TRAVERSE EXECUTE MISSION
4 Threat Actorsexfiltrate PIIandothersensitivebusiness dataThreatActortargetsemployee(s)
viaphishingcampaign1
Workstationcompromised,threatactorgatherscredentials2a
Threat Actorsuse stolencredentialstomovelaterally3a
EmployeeBopensinfectedemail(MobileorPC).Attackerdisablesantivirus
2b Compromisedcredentials/deviceusedtoaccesscloudservice /enterpriseenvironment
3bc
Credentialsharvestedwhenemployeelogsintofakewebsite
2c
A.EnterandNavigate
Anyemployeeopensattackemailà Accesstomost/allcorporate data
B.DeviceCompromiseTargetedemployeeopensattackemailà Accesstosamedataasemployee
C. RemoteCredentialHarvesting
Targetedemployee(s)entercredentialsinwebsiteà Accesstosamedataasemployee(s)
CommonAttacks
Any
ProblemAbreachwill(alreadydid?) happenLackingthesecurity-analysismanpowerCan’tdetermine theimpactofthebreachUnabletoadequately respond tothebreach
Newapproach(inadditionto‘prevention’)Limitorblock thebreachfromspreadingDetectthebreachRespond tothebreach
Network OperatingSystem Identity Application
Information Communications Management Physical
24
InternetofThingsUnmanaged&Mobile Clients
SensitiveWorkloads
CybersecurityReferenceArchitecture
ExtranetAzureKeyVault
Microsoft Azure
OnPremisesDatacenter(s)
NGFW
Nearlyall customerbreachesthatMicrosoft’sIncidentResponseteaminvestigatesinvolvecredentialtheft63%ofconfirmeddatabreachesinvolveweak,default,orstolenpasswords(Verizon2016DBR)
Colocation
$
MacOS
Multi-FactorAuthentication
MIMPAM
Network Security Groups
AzureADPIM
WindowsInfoProtection
Enterprise Servers
VPN
VPN
VMs VMs
CertificationAuthority(PKI)
Security Operations Center (SOC)
WEF
SIEMIntegration
IoT
Identity & Access
Windows10Managed Clients
SoftwareasaService
ATA
AzureInformation
Protection(AIP)• Classify• Label• Protect• Report
EndpointDLP
ClassificationLabe
ls
Office 365
Information Protection
LegacyWindows
HoldYourOwnKey(HYOK)
80%+ofemployeesadmitusingnon-approvedSaaS appsforwork (Stratecast, December2013)
IPS
EdgeDLP
SSLProxy
AzureADIdentity Protection
SecurityAppliances
Lastupdated July2017– latestathttp://aka.ms/MCRA
EPP-WindowsDefenderAV
EDR- WindowsATP
AzureSQLThreatDetection
Windows Server2016SecurityShieldedVMs,DeviceGuard,CredentialGuard,JustEnoughAdmin,Hyper-VContainers,Nanoserver, DefenderAV,DefenderATP(Roadmap),andmore…
AzureAppGateway
AzureAntimalware
SQLEncryption &DataMasking
SQLFirewall
Disk&StorageEncryption
ConditionalAccess
Office 365ATP• EmailGateway• Anti-malware • Threat Protection
• Threat Detection
AzureSecurityCenter (ASC)
Analytics/UEBA
MSSPWindowsSecurityCenter
AzureSecurityCenter
VulnerabilityManagement
SIEM
Office365• Security&Compliance• Threat Intelligence
HelloforBusiness
Windows 10Security• SecureBoot• DeviceGuard• Exploit Guard• Application Guard• Credential Guard
• Windows Hello• RemoteCredential Guard
• DeviceHealthAttestation
Security Development Lifecycle (SDL)CybersecurityOperationsService(COS) IncidentResponseand
RecoveryServices
Office 365DLP
CloudAppSecurity
LockboxASM
IntuneMDM/MAM
DDoSattackmitigation
Backup&SiteRecoverySystemCenterConfigurationManager+Intune
PrivilegedAccessWorkstations(PAWs)
Shielded VMs
ESAEAdminForest
DomainControllers
25
TrendsinGlobalCybersecurity
1. Severityofvulnerabilities2. Vulnerabilitycomplexity3. Newapplicationvulnerabilities4. Platform-agnosticvulnerabilities5. DecliningJavaexploits6. Extentofexploitkits7. Mostcommonlydetectedobjects–Flash/Silverlight(akaActiveX)8. Globalsecurityconcerns9. IncreasedTrojanlevels10. Continuedcomplexityofthreats
Findoutaboutthelatestthreatstoendpointsandthecloudhttps://www.microsoft.com/en-us/security/intelligence-report
� Exploreadditionalresources:– TrustworthyComputingCloudServices:
www.microsoft.com/trustedcloud
– MicrosoftTrustCenterforMicrosoftAzure:http://www.windowsazure.com/en-us/support/trust-center
