protecting your critical systems from new and unknown ... - olav tvedt.pdf
TRANSCRIPT
Protecting your critical systems from new and unknown malware, 0-days, and APT
WE DRIVE BUSINESS EVOLUTION FORWARD
The ONE solution
https://en.wikipedia.org/wiki/Snake_oil
Modern Users
Last Week's Customer Incident
Luck vs Solution
Luck
- Honesty
- No Judgment
- Response time
Bad Luck
- (Just about) Only local Admin user
- User permission
Mitigation
- Monitoring (ATA)
- User Training
- Procedures, monitoring and alerts (ATP/ATA)
Affected Client
Bad Luck
• USB Backup Disk
• Local Admin (Exception)
Mitigation
• Azure Backup
• LAPS (Local Administrator Password Solution)
• Device Guard
https://www.microsoft.com/en-us/download/details.aspx?id=46899
WHY!!!
Man vs Machine
Old School Security
o User Education
o Traditional best practices
o Avoid Exceptions
o Etc.
Think!!!
Windows Security History
August 2004, November 2006
https://en.wikipedia.org/wiki/Timeline_of_Microsoft_Windows
Windows Vista UAC:
• Stopped more than 50% of 2,000 backdoors, keyloggers, rootkits, mass mailers, trojan horses, spyware, adware and other samples outright
• Less than 5% survived UAC across a reboot
http://us.norton.com/support/premium_services/malware_removal_guide.pdf
The Windows 10 Defense Stack: PROTECT, DETECT & RESPOND
PRE-BREACH / POST-BREACH
Windows Defender ATP
Breach detection
investigation &
response
Device protection
Device Health attestation
Device Guard
Device Control
Security policies
Information protection
Device protection / Drive encryption
Enterprise Data Protection
Conditional access
Threat resistance
SmartScreen
AppLocker
Device Guard
Windows Defender
Network/Firewall
Built-in 2FA
Account lockdown
Credential Guard
Microsoft Passport
Windows Hello ;)
Identity protection
Breach detection
investigation &
response
Device protection
Information protection
Threat resistance
Conditional Access
Windows Defender ATP
Device integrity
Device control
BitLocker and BitLocker to Go
Windows Information Protection
SmartScreen
Windows Firewall
Microsoft Edge
Device Guard
Windows Defender
Windows Hello ;)
Credential Guard
Identity protection
PRE-BREACH / POST-BREACH
Breach detection
investigation &
response
Device protection
Identity protection
Information protection
Threat resistance
Windows 10 Security on Legacy or Modern Devices (Upgraded from Windows 7 or 32-bit Windows 8)
Dynamic Lock / Goodbye
Hello (Word) For business
10 Print «Hello World!»
20 Goto 10
Run
Hello For Business
https://technet.microsoft.com/en-us/itpro/windows/keep-secure/hello-identity-verification
Secure Boot / Bitlocker / BIOS -> UEFI
https://msdn.microsoft.com/en-us/windows/hardware/commercialize/manufacture/desktop/secure-boot-overview
Show & Tell
The Guards
VIRTUALIZATION BASED SECURITY
[Diagram: Device Hardware -> Hypervisor (Hyper-V) -> two isolated environments side by side: the Windows Operating System (Kernel, Windows Platform Services, Apps) and the System Container (Kernel, Trustlet #1, Trustlet #2, Trustlet #3)]
Device Guard in VBS environment: decisive mitigation
[Diagram: same layout as the previous slide, but Device Guard now runs as a trustlet inside the System Container in place of Trustlet #1, alongside Trustlet #2 and Trustlet #3, above the Hypervisor (Hyper-V) and Device Hardware]
Credential Guard
Not currently supported on Windows Server 2016
Device Guard
KMCI – Kernel Mode Code Integrity
UMCI – User Mode Code Integrity
Whitelist
◦ Applications / Apps
◦ Utilities
◦ Drivers
Audit / Enforce
Lock Policy
https://technet.microsoft.com/itpro/windows/keep-secure/device-guard-deployment-guide
Drivers
https://msdn.microsoft.com/en-us/windows/hardware/drivers/dashboard/windows-certified-products-listv
Certificates and Views
2 314 831 bytes
888 068 bytes
Exceptions (Known Threats)
• Narrator
• Wifi
• Blacklist whitelisted binaries (known bypasses that are otherwise allowed by the whitelist)
• Exploit Monday
• https://github.com/mattifestation/DeviceGuardBypassMitigationRules
Device Guard Getting started
• Golden Image
• Audit Mode
• Failed
• Drivers
• Policy files
• Trial and error
• Maintain
NB! Sign the policy
https://technet.microsoft.com/itpro/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard
Group Policy
Config Manager
https://blogs.technet.microsoft.com/enterprisemobility/2015/10/30/managing-windows-10-device-guard-with-configuration-manager/
CMD:
Powershell Get-ExecutionPolicy
Powershell Set-ExecutionPolicy Unrestricted -Scope Process; ./DG_Readiness_Tool_v2.1.ps1 -Ready
Powershell Get-ExecutionPolicy
Powershell:
Get-ExecutionPolicy
Set-ExecutionPolicy Unrestricted -Scope Process; ./DG_Readiness_Tool_v2.1.ps1 -Ready
Get-ExecutionPolicy
Script switches:
-Capable
-Enable -CG
-Enable -HVCI
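An added example, not code from the slides or from the DG_Readiness_Tool itself: the readiness tool reports on the Win32_DeviceGuard WMI class and, with -Enable, writes the DeviceGuard and Lsa registry values shown here, so this is what "-Ready", "-Enable -CG" and "-Enable -HVCI" amount to on a Windows 10 1607-era build. The function names are my own, the registry value names are the ones Microsoft documented for that era (assumption: your build still honours them), and everything must run in an elevated PowerShell on Windows 10 Enterprise or Windows Server 2016.

```powershell
# Added example (not from the slides): decode VBS / HVCI / Credential Guard state the way the
# readiness tool does, and the registry switches its -Enable path flips. Run elevated.

function Get-DeviceGuardState {
    # Win32_DeviceGuard is the class the readiness tool queries; numeric codes per Microsoft docs.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard'
    if (-not $dg) { throw 'Win32_DeviceGuard not present: this SKU or build does not expose VBS status.' }

    $vbsStatus = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Running' }
    $services  = @{ 1 = 'Credential Guard'; 2 = 'HVCI' }
    $ciStatus  = @{ 0 = 'Off'; 1 = 'Audit'; 2 = 'Enforced' }
    $platform  = @{ 1 = 'Hypervisor support'; 2 = 'Secure Boot'; 3 = 'DMA protection';
                    4 = 'Secure memory overwrite'; 5 = 'UEFI code read-only';
                    6 = 'SMM security mitigations 1.0'; 7 = 'Mode Based Execution Control' }

    # Prerequisites Windows requires but the platform does not report as available: the usual
    # reason "-Capable" says no (Secure Boot off, VT-d/DMA protection missing, legacy BIOS).
    $missing = @($dg.RequiredSecurityProperties |
                 Where-Object { $_ -notin $dg.AvailableSecurityProperties } |
                 ForEach-Object { $platform[[int]$_] } | Where-Object { $_ })

    [pscustomobject]@{
        VbsStatus          = $vbsStatus[[int]$dg.VirtualizationBasedSecurityStatus]
        ServicesConfigured = @($dg.SecurityServicesConfigured | ForEach-Object { $services[[int]$_] } | Where-Object { $_ })
        ServicesRunning    = @($dg.SecurityServicesRunning    | ForEach-Object { $services[[int]$_] } | Where-Object { $_ })
        KmciPolicy         = $ciStatus[[int]$dg.CodeIntegrityPolicyEnforcementStatus]
        UmciPolicy         = $ciStatus[[int]$dg.UsermodeCodeIntegrityPolicyEnforcementStatus]
        MissingPlatformReq = $missing
    }
}

function Enable-DeviceGuardFeatures {
    # Mirrors "-Enable -CG" / "-Enable -HVCI". Nothing takes effect until reboot.
    param(
        [switch]$CredentialGuard,
        [switch]$Hvci,
        [switch]$UefiLock   # persist the choice in a UEFI variable: undoing it needs physical presence
    )
    $dgKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    if (-not (Test-Path $dgKey)) { New-Item -Path $dgKey -Force | Out-Null }

    # Turn on VBS; RequirePlatformSecurityFeatures 1 = Secure Boot, 3 = Secure Boot + DMA protection.
    Set-ItemProperty -Path $dgKey -Name 'EnableVirtualizationBasedSecurity' -Value 1 -Type DWord
    Set-ItemProperty -Path $dgKey -Name 'RequirePlatformSecurityFeatures'   -Value 1 -Type DWord

    if ($Hvci) {
        # KMCI enforced from the secure world: kernel drivers must be whitelisted by the CI policy.
        Set-ItemProperty -Path $dgKey -Name 'HypervisorEnforcedCodeIntegrity' -Value 1 -Type DWord
        Set-ItemProperty -Path $dgKey -Name 'Locked' -Value ([int]$UefiLock.IsPresent) -Type DWord
    }
    if ($CredentialGuard) {
        # LsaCfgFlags: 1 = enabled with UEFI lock, 2 = enabled without lock. Isolated LSA then holds
        # NTLM hashes and Kerberos TGTs where a local admin (the incident on the earlier slides) cannot dump them.
        $flags = if ($UefiLock) { 1 } else { 2 }
        Set-ItemProperty -Path $lsaKey -Name 'LsaCfgFlags' -Value $flags -Type DWord
    }
    Write-Warning 'Reboot required. Verify afterwards with Get-DeviceGuardState.'
}

# Usage: check first, enable, reboot, check again.
Get-DeviceGuardState | Format-List
```

Before calling Enable-DeviceGuardFeatures with -UefiLock, be sure the host will stay in the fleet: a UEFI-locked setting survives reimaging and can only be cleared with physical presence at boot, which is exactly the point of the lock and exactly the problem if you enabled it on a test box by mistake.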
Management
• Group Policy
• Intune (Coming)
• System Center
New-CIPolicy -FilePath c:\MyRules\MyRule.xml -Level PcaCertificate -ScanPath
Set-RuleOption -FilePath c:\MyRules\MyRule.xml -Option X
https://technet.microsoft.com/en-us/itpro/windows/keep-secure/deploy-code-integrity-policies-policy-rules-and-file-rules#code-integrity-policy-rules
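An added example that ties the two cmdlets above to the "Getting started" steps (golden image, audit mode, failed drivers, trial and error, sign the policy) and to the "Exceptions" slide: it is my code, not the speaker's and not a verbatim copy of Microsoft's deployment guide. Assumptions: C:\MyRules as the working directory, a deny-rule XML already downloaded from the DeviceGuardBypassMitigationRules repository, a policy-signing certificate whose public half is exported to PolicySigner.cer and whose subject name signtool can find, and the single-policy SIPolicy.p7b location used by the Windows 10 builds of the deck's era.

```powershell
# Added example (not from the slides): build a Device Guard code-integrity policy from a golden
# image, run it in audit mode, merge the known-bypass deny rules, sign it, then switch to enforce.
Import-Module ConfigCI   # New-CIPolicy, Set-RuleOption, Merge-CIPolicy, ConvertFrom-CIPolicy, Add-SignerRule

$RulesDir  = 'C:\MyRules'                                                  # assumption
$ScanXml   = Join-Path $RulesDir 'MyRule.xml'
$DenyXml   = Join-Path $RulesDir 'DeviceGuardBypassMitigationRules.xml'     # assumption: fetched from the GitHub repo beforehand
$MergedXml = Join-Path $RulesDir 'Merged.xml'
$PolicyBin = Join-Path $RulesDir 'SIPolicy.bin'
$Deployed  = "$env:SystemRoot\System32\CodeIntegrity\SIPolicy.p7b"         # where CI loads the (single) policy from

function New-GoldenImagePolicy {
    New-Item -ItemType Directory -Path $RulesDir -Force | Out-Null
    # PcaCertificate: trust the issuing CA of every signer found on the image (small policy, survives
    # vendor cert rollover). -Fallback Hash pins unsigned files. -UserPEs includes user-mode binaries,
    # otherwise UMCI has no rules for them and blocks everything.
    New-CIPolicy -FilePath $ScanXml -Level PcaCertificate -Fallback Hash -ScanPath 'C:\' -UserPEs
    Set-RuleOption -FilePath $ScanXml -Option 0            # Enabled:UMCI
    Set-RuleOption -FilePath $ScanXml -Option 3            # Enabled:Audit Mode (log, do not block) for the trial-and-error phase
    Set-RuleOption -FilePath $ScanXml -Option 9 -Delete    # drop Advanced Boot Options menu: F8 is a policy bypass
    # Option 11 (Disabled:Script Enforcement) is deliberately NOT set, so PowerShell drops to Constrained Language Mode.
}

function Merge-BypassDenyRules {
    # Deny rules win over allow rules when policies are merged, so signed Microsoft binaries known to
    # run arbitrary code under UMCI stay blocked even though their CA is whitelisted above.
    Merge-CIPolicy -PolicyPaths $ScanXml, $DenyXml -OutputFilePath $MergedXml
}

function Get-CIAuditHits {
    # 3076 = would have been blocked (audit), 3077 = blocked (enforce). Each hit is either a missing
    # rule for a legitimate driver/app or something that should not be on the box. Triage before enforcing.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076, 3077 } -ErrorAction SilentlyContinue |
        ForEach-Object { [pscustomobject]@{ Time = $_.TimeCreated; Id = $_.Id; Detail = ($_.Message -split "`n")[0] } }
}

function Set-EnforceMode {
    # Once the audit log is clean: enable Boot Audit on Failure (10) so a driver that still fails at
    # boot flips the policy back to audit instead of leaving the machine unbootable, then remove audit mode.
    Set-RuleOption -FilePath $MergedXml -Option 10
    Set-RuleOption -FilePath $MergedXml -Option 3 -Delete
}

function Publish-Policy {
    param([string]$SigningCertSubject)   # assumption: e.g. 'DG Policy Signing', present in the signing host's cert store
    $bin = $PolicyBin
    if ($SigningCertSubject) {
        # "NB! Sign the policy": a signed policy can only be replaced by one signed by a cert the policy
        # itself trusts, so a local admin cannot simply delete or swap SIPolicy.p7b.
        Add-SignerRule -FilePath $MergedXml -CertificatePath (Join-Path $RulesDir 'PolicySigner.cer') -Kernel -User -Update
        Set-RuleOption -FilePath $MergedXml -Option 6 -Delete   # remove Enabled:Unsigned System Integrity Policy
    }
    ConvertFrom-CIPolicy -XmlFilePath $MergedXml -BinaryFilePath $bin
    if ($SigningCertSubject) {
        # Windows SDK signtool; the PKCS#7 options are the ones Microsoft documents for CI policies.
        & signtool.exe sign -v /n $SigningCertSubject /p7 $RulesDir /p7co 1.3.6.1.4.1.311.79.1 /fd sha256 $bin
        $bin = "$bin.p7"   # signtool writes <input>.p7 next to the input
    }
    Copy-Item $bin $Deployed -Force   # effective after reboot; deploy fleet-wide via GPO / ConfigMgr instead
}

# Sequence: build -> merge -> publish (audit) -> reboot -> review -> enforce -> publish (signed) -> reboot
New-GoldenImagePolicy
Merge-BypassDenyRules
Publish-Policy
# ... reboot, run the workload for a while, then:
Get-CIAuditHits | Format-Table -AutoSize
# when clean:
Set-EnforceMode
Publish-Policy -SigningCertSubject 'DG Policy Signing'
```

Keep the signing certificate's private key off every managed client: the -Update signer rule means whoever holds that key owns the policy, which is why the slides stress signing and why the readiness tool's UEFI lock only helps if the policy itself cannot be swapped.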
Device Guard Links
Basic:
https://technet.microsoft.com/en-us/itpro/windows/keep-secure/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies#how-device-guard-features-help-protect-against-threats
https://technet.microsoft.com/itpro/windows/keep-secure/device-guard-deployment-guide
https://github.com/iadgov/Secure-Host-Baseline/tree/master/Credential%20Guard
http://www.exploit-monday.com/2016/09/introduction-to-windows-device-guard.html
Advanced:
https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10/
https://technet.microsoft.com/en-us/library/mt634481.aspx
https://www.youtube.com/watch?v=n_fq1WnoQbI
https://github.com/mattifestation/DeviceGuardBypassMitigationRules
Conclusion
Machine vs Man
Olav Tvedt
Senior Principal Architect
Lumagate A/S
Blog: olavtvedt.blogspot.com
Twitter: OlavTwitt
E-mail: [email protected]
Cloud and Datacenter Management
Windows and Devices for IT
31 May – www.mvpdagen.no