Protecting your critical systems from new and unknown malware, 0-days, and APT


Post on 02-Jan-2021


Page 1: Protecting your critical systems from new and unknown ... - Olav Tvedt.pdf · Windows Defender Network/Firewall Built-in 2FA Account lockdown Credential Guard Microsoft Passport Windows

Protecting your critical systems from new and unknown malware, 0-days, and APT

Page 2:

WE DRIVE BUSINESS EVOLUTION FORWARD

The ONE solution

https://en.wikipedia.org/wiki/Snake_oil

Page 3:

Modern Users

Page 4:

Last Weeks Customer Incident

Page 5:

Luck vs Solution

Luck

- Honesty

- No Judgment

- Response time

Bad Luck

- (Just about) only local admin user

- User permission

Mitigation

- Monitoring (ATA)

- User Training

- Procedures, monitoring and alerts (ATP/ATA)

Page 6:

Affected Client

Bad Luck

• USB Backup Disk

• Local Admin (Exception)

Mitigation

• Azure Backup

• LAPS (Local Administrator Password Solution)

• Device Guard

https://www.microsoft.com/en-us/download/details.aspx?id=46899

Page 7:

WHY!!!

Page 8:

Man vs Machine

Page 9:

Old School Security

o User Education

o Traditional best practices

o Avoid Exceptions

o Etc.

Think!!!

Page 10:

Windows Security History

August 2004

November 2006

https://en.wikipedia.org/wiki/Timeline_of_Microsoft_Windows

Page 11:

Windows Vista UAC:

• Stopped more than 50% of 2000 backdoors, keyloggers, rootkits, mass mailers, trojan horses, spyware, adware, and various others directly

• Less than 5% survived UAC during reboot

http://us.norton.com/support/premium_services/malware_removal_guide.pdf

Page 12:

The Windows 10 Defense Stack: PROTECT, DETECT & RESPOND

[Diagram: the Windows 10 defense stack, PRE-BREACH on the left and POST-BREACH on the right]

PRE-BREACH

Device protection: Device Health attestation / Device integrity, Device Guard, Device Control, Security policies

Threat resistance: SmartScreen, AppLocker, Device Guard, Windows Defender, Network/Firewall (Windows Firewall), Microsoft Edge

Information protection: Device protection / Drive encryption (BitLocker and BitLocker to Go), Enterprise Data Protection (Windows Information Protection), Conditional access

Identity protection: Built-in 2FA, Account lockdown, Credential Guard, Microsoft Passport / Windows Hello ;)

POST-BREACH

Breach detection, investigation & response: Windows Defender ATP

Page 13:

Windows 10 Security on Legacy or Modern Devices (Upgraded from Windows 7 or 32-bit Windows 8)

[Diagram: the same PRE-BREACH / POST-BREACH stack with the columns Device protection, Identity protection, Information protection, Threat resistance and Breach detection, investigation & response]

Page 14:

Dynamic Lock / Goodbye

Page 15:

Hello (World) For Business

10 Print «Hello World!»

20 Goto 10

Run

Page 16:

Hello For Business

https://technet.microsoft.com/en-us/itpro/windows/keep-secure/hello-identity-verification

Page 17:

Secure Boot / BitLocker / BIOS -> UEFI

https://msdn.microsoft.com/en-us/windows/hardware/commercialize/manufacture/desktop/secure-boot-overview

Page 18:

Show & Tell

Pages 19 to 25: (Show & Tell screenshots, no text)

Page 26:

The Guards

Page 27:

VIRTUALIZATION BASED SECURITY

[Diagram, bottom to top: Device Hardware -> Hypervisor (Hyper-V) -> two isolated environments side by side: the Windows Operating System (Kernel, Windows Platform Services, Apps) and the System Container (Kernel, Trustlet #1, Trustlet #2, Trustlet #3)]

Page 28:

Device Guard in VBS environment: decisive mitigation

[Diagram: the same layout as page 27, with Device Guard running as the first trustlet inside the System Container, next to Trustlet #2 and Trustlet #3, above the Hypervisor (Hyper-V) and Device Hardware]

Page 29:

Credential Guard

Not currently supported on Windows Server 2016

Pages 30 and 31: (screenshots, no text)

Page 32:

Device Guard

KMCI – Kernel Mode Code Integrity

UMCI – User Mode Code Integrity

Whitelist

◦ Applications / Apps

◦ Utilities

◦ Drivers

Audit / Enforce

Lock Policy

https://technet.microsoft.com/itpro/windows/keep-secure/device-guard-deployment-guide

Page 33:

Drivers

https://msdn.microsoft.com/en-us/windows/hardware/drivers/dashboard/windows-certified-products-listv

Page 34:

Certificates and Views

2 314 831 bytes

888 068 bytes

Page 35:

Exceptions (Known Threats)

• Narrator

• Wifi

• Blacklist whitelisted

• Exploit Monday

• https://github.com/mattifestation/DeviceGuardBypassMitigationRules

Page 36:

Device Guard Getting started

• Golden Image

• Audit Mode

• Failed

• Drivers

• Policy files

• Trial and error

• Maintain

NB! Sign the policy

https://technet.microsoft.com/itpro/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard

Page 37:

Group Policy

Page 38:

Config Manager

https://blogs.technet.microsoft.com/enterprisemobility/2015/10/30/managing-windows-10-device-guard-with-configuration-manager/

Page 39:

CMD:

Powershell Get-ExecutionPolicy

Powershell Set-ExecutionPolicy unrestricted -scope process; ./DG_Readiness_Tool_v2.1.ps1 -Ready

Powershell Get-ExecutionPolicy

Powershell:

Get-ExecutionPolicy

Set-ExecutionPolicy unrestricted -scope process; ./DG_Readiness_Tool_v2.1.ps1 -Ready

Get-ExecutionPolicy

Script parameters:

-Capable

-Enable -CG

-Enable -HVCI

Page 40:

Management

• Group Policy

• Intune (Coming)

• System Center

Page 41:

New-CIPolicy -FilePath c:\MyRules\MyRule.xml -Level PcaCertificate -ScanPath

Set-RuleOption -FilePath c:\MyRules\MyRule.xml -Option X

https://technet.microsoft.com/en-us/itpro/windows/keep-secure/deploy-code-integrity-policies-policy-rules-and-file-rules#code-integrity-policy-rules
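The New-CIPolicy and Set-RuleOption calls on this slide, carried through the golden image, audit mode and "sign the policy" steps from the Getting started slide, as an added example that is not from the deck or from Microsoft's documentation. The policy paths, the scan root C:\ and the Get-CIAuditBlocks helper are assumptions; the rule option numbers are the documented ones.

```powershell
# Added example (not from the slides): build a Device Guard code integrity policy from a
# golden image in audit mode, review what would have been blocked, then switch to enforce.
# The paths below and the Get-CIAuditBlocks helper are assumptions, not from the deck.
$PolicyXml = 'C:\MyRules\MyRule.xml'
$PolicyBin = 'C:\MyRules\SIPolicy.bin'   # binary form that Windows actually loads

# 1. Scan the golden image. -UserPEs also covers user-mode binaries (UMCI);
#    -Fallback Hash handles unsigned files that a PcaCertificate rule cannot describe.
New-CIPolicy -FilePath $PolicyXml -Level PcaCertificate -Fallback Hash `
             -ScanPath 'C:\' -UserPEs

# 2. Rule options (numbers from the code integrity policy rules table):
#    0 = Enabled:UMCI, 3 = Enabled:Audit Mode, 9 = Enabled:Advanced Boot Options Menu
Set-RuleOption -FilePath $PolicyXml -Option 0
Set-RuleOption -FilePath $PolicyXml -Option 3
Set-RuleOption -FilePath $PolicyXml -Option 9

# 3. Convert to binary and deploy (via Group Policy or the default path below), then reboot.
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin
Copy-Item $PolicyBin 'C:\Windows\System32\CodeIntegrity\SIPolicy.p7b'

# 4. After the audit period, list what would have been blocked: event 3076 is the
#    audit-mode record in the CodeIntegrity operational log (3077 is the enforced block).
function Get-CIAuditBlocks {
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076
    } -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Message } |
        Sort-Object -Unique
}
Get-CIAuditBlocks

# 5. When no legitimate binaries show up: drop audit mode (option 3) and re-convert.
#    When you sign the policy ("NB! Sign the policy"), also delete option 6
#    (Enabled:Unsigned System Integrity Policy) first; an unsigned policy without
#    option 6 will not load.
Set-RuleOption -FilePath $PolicyXml -Option 3 -Delete
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin
```

Keep option 9 (advanced boot options menu) enabled until the enforced policy has been proven on the hardware fleet, so a machine that fails to boot under the policy can still be recovered.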

Page 42:

Device Guard Links

Basic:

https://technet.microsoft.com/en-us/itpro/windows/keep-secure/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies#how-device-guard-features-help-protect-against-threats

https://technet.microsoft.com/itpro/windows/keep-secure/device-guard-deployment-guide

https://github.com/iadgov/Secure-Host-Baseline/tree/master/Credential%20Guard

http://www.exploit-monday.com/2016/09/introduction-to-windows-device-guard.html

Advanced:

https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10/

https://technet.microsoft.com/en-us/library/mt634481.aspx

https://www.youtube.com/watch?v=n_fq1WnoQbI

https://github.com/mattifestation/DeviceGuardBypassMitigationRules

Page 43:

Conclusion

Page 44:

Machine vs Man

Page 45:

Olav Tvedt, Senior Principal Architect

Lumagate A/S

Blog: olavtvedt.blogspot.com

Twitter: OlavTwitt

E-mail: [email protected]

Cloud and Datacenter Management

Windows and Devices for IT

31 May – www.mvpdagen.no