@ITCAMPRO #ITCAMP16 Community Conference for IT Professionals
2016 – A New Era of OS and Cloud Security
Tudor Damian
Microsoft Cloud and Datacenter Management MVP
Certified Ethical Hacker
[email protected] / @tudydamian / tudy.tel
Many thanks to our sponsors & partners!
Agenda
• Overview of Security Trends
• Windows security on-prem & Cloud-enabled improvements
– Guarded Fabric
• Shielded VMs & Hypervisor Code Integrity (HVCI)
– Device Guard
– Provable PC Health (PPCH) Service
– Advanced Threat Analytics
– Windows Defender Advanced Threat Protection
– Azure Security Center
– Operations Management Suite
INDUSTRY SECURITY TRENDS
The Evolution of Attacks (volume and impact)
• 2003-2004: Script Kiddies (BLASTER, SLAMMER). Motive: mischief
• 2005-present: Organized Crime (ransomware, click-fraud, identity theft). Motive: profit
• 2012-beyond: Nation States, Activists, Terror Groups (brazen, complex, persistent). Motives: IP theft, damage, disruption
Ignite 2015 BRK2325
Changing nature of cybersecurity attacks
Today’s cyber attackers are:
• Causing significant financial loss, impact to brand reputation, loss of confidential data and executive jobs
• Compromising user credentials in the vast majority of attacks
• Staying in the network an average of eight months before detection
• Using legitimate IT tools rather than malware – harder to detect
Ignite 2015 BRK3870
• 200+: median number of days attackers are present on a victim’s network before detection
• 80: days after detection to full recovery
• $3 Trillion: impact of lost productivity and growth
• $3.5 Million: average cost of a data breach (15% YoY increase)
“There are two kinds of big companies, those who’ve been hacked, and those who don’t know they’ve been hacked.”
– James Comey, FBI Director
Build 2016 B890
Timeline of discovery for cyber attacks worldwide
• Hours: 9%
• Days: 8%
• Weeks: 16%
• Months: 62%
• Years: 5%
Source: Verizon
Verizon Data Breach Investigations Report
• Some Verizon DBIR findings
– The time to compromise is almost always days or less, if not minutes or less
– 85% of breaches took weeks to discover
– 96% of breaches were not highly difficult
– 97% of breaches were avoidable through simple/intermediate controls
– 63% of confirmed data breaches involved weak, default or stolen passwords
– 95% of confirmed web app breaches were financially motivated
• The 2014 DBIR report shows that 92% of the 100,000 incidents analyzed over the past 10 years can be described by just 9 basic patterns
Source: http://www.verizonenterprise.com/DBIR/
Pwn2Own 2014-2016
• Sandbox escapes or 3rd party code execution:
– Internet Explorer
– Edge
– Mozilla Firefox
– Google Chrome
– Adobe Flash
– Adobe Reader XI
– Apple Safari on Mac OS X
– Windows
– OS X
• 2014 - $850,000 total prize money, paid to 8 entrants
• 2015 - $557,500 total prize money, paid to 6 entrants
• 2016 - $460,000 total prize money
Sources:
http://www.eweek.com/security/pwn2own-2014-claims-ie-chrome-safari-and-more-firefox-zero-days.html
http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Pwn2Own-2015-Day-One-results/ba-p/6722204
http://www.securityweek.com/pwn2own-2016-hackers-earn-460000-21-new-flaws
Other recent “happenings” in the IT industry
• Heartbleed (2014)
• Shellshock (2014)
• BadUSB (2014)
• Equation Group (Kaspersky study, 2015)
• Lenovo’s Superfish (2014-2015)
• OAuth & OpenID Covert Redirect (2014)
• Poodle, Freak and Drown SSL attacks (2014-2016)
• Stagefright vulnerability (Android, 2015)
• XCodeGhost malware (iOS, 2015)
• Gemalto SIM cards (2015)
• GSM SS7 vulnerabilities (2014-2016)
Assume Breach - a change in mindset
• We have to stop focusing on preventing a data breach and start assuming the breach has already happened
• Currently: a one-sided, purely preventative strategy
• Future: emphasis on breach detection, incident response, and effective recovery
– Start thinking about the time when a breach will (almost inevitably) occur in your infrastructure
– Be prepared for that!
GUARDED FABRIC
Shielded VMs, Hypervisor Code Integrity (HVCI)
Fabric, workloads, control plane
(diagram: fabric manager, workload manager)
Ignite 2015 BRK2482
Trust plane - isolated from fabric & control plane
(diagram: key service)
Ignite 2015 BRK2482
Virtual Secure Mode
(diagram: VSM, key service; bullet text not recoverable from the slide)
Ignite 2015 BRK2482
VM protected at rest, in transit
(diagram: VSM, TPM, HSM, key service, workload manager)
3. Deliver vTPM key encrypted to VSM
Ignite 2015 BRK2482
VM protected in execution
(diagram: VSM, key service)
Ignite 2015 BRK2482
Trust in the environment
(diagram: VSM, key service, attestation service)
1. Attestation request: TPM public key, VSM public key, UEFI secure boot log, HVCI policy
2. Deliver attestation certificate
Ignite 2015 BRK2482
Guarded hosts and Shielded VMs attestation
• Admin-trusted attestation
– Intended to support existing host hardware (no TPM 2.0 available)
– Guarded hosts that can run Shielded VMs are approved by the Host Guardian Service based on membership in a designated Active Directory Domain Services (AD DS) security group
• TPM-trusted attestation
– Offers the strongest possible protections
– Requires more configuration steps
– Host hardware and firmware must include TPM 2.0 and UEFI 2.3.1 with secure boot enabled
– Guarded hosts that can run Shielded VMs are approved based on their TPM identity, measured boot sequence and code integrity policies
Ignite 2015 BRK2482
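The two attestation modes above, as an added PowerShell example that is not part of the deck: a readiness check run on a prospective guarded host (TPM 2.0, Secure Boot, and what the Host Guardian Service client currently reports), with the matching HGS-side registration commands for each mode in comments. Host names and file paths are assumptions.

```powershell
# Added example (not from the ITCamp deck). Run in an elevated session on a
# Windows Server 2016 Hyper-V host that has the HgsClient module.

function Test-GuardedHostPrerequisites {
    [CmdletBinding()]
    param()

    $result = [ordered]@{}

    # TPM presence and spec version from WMI; SpecVersion reads like "2.0, 0, 1.16"
    $tpm = Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' `
                           -ClassName 'Win32_Tpm' -ErrorAction SilentlyContinue
    $tpmVersion = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { $null }
    $result.TpmPresent = [bool]$tpm
    $result.TpmVersion = $tpmVersion
    $result.TpmIs20    = ($tpmVersion -eq '2.0')

    # UEFI Secure Boot state; Confirm-SecureBootUEFI throws on legacy BIOS machines
    try   { $result.SecureBoot = Confirm-SecureBootUEFI }
    catch { $result.SecureBoot = $false }

    # What the HGS client knows: the attestation mode the host is pointed at and the last result
    $hgs = Get-HgsClientConfiguration
    $result.AttestationMode      = $hgs.AttestationOperationMode   # ActiveDirectory = admin-trusted, Tpm = TPM-trusted
    $result.AttestationStatus    = $hgs.AttestationStatus          # e.g. Passed, Expired, InsecureHostConfiguration
    $result.AttestationSubstatus = $hgs.AttestationSubstatus
    $result.IsHostGuarded        = $hgs.IsHostGuarded

    # Verdicts matching the slide: TPM-trusted needs TPM 2.0 + Secure Boot; admin-trusted only needs
    # the AD group membership that HGS checks, so the attestation result is the only signal here
    $result.ReadyForTpmTrusted   = $result.TpmIs20 -and $result.SecureBoot
    $result.ReadyForAdminTrusted = ($result.AttestationMode -eq 'ActiveDirectory') -and
                                   ($result.AttestationStatus -eq 'Passed')

    [pscustomobject]$result
}

Test-GuardedHostPrerequisites | Format-List

# HGS-side registration (run on the HGS server, not the host). Names/paths are assumptions.
# Admin-trusted: HGS trusts any host in the designated AD DS security group.
#   Set-HgsServer -TrustActiveDirectory
#   Add-HgsAttestationHostGroup -Name 'GuardedHosts' -Identifier '<SID of the AD DS group>'
# TPM-trusted: HGS needs the host's TPM identity, a measured-boot baseline and its CI policy.
#   (on the host)  (Get-PlatformIdentifier -Name 'HOST01').InnerXml | Out-File C:\HOST01.xml -Encoding UTF8
#   Set-HgsServer -TrustTpm
#   Add-HgsAttestationTpmHost   -Path C:\HOST01.xml              -Name 'HOST01'
#   Add-HgsAttestationTpmPolicy -Path C:\HOST01-baseline.tcglog  -Name 'HOST01-Baseline'
#   Add-HgsAttestationCIPolicy  -Path C:\HW1-CodeIntegrity.p7b   -Name 'HW1-CI'
```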
VSM Overview
Ignite 2015 BRK2325
All scenarios become secure, scalable & reliable
• Uploading shielded VM
• Uploading secrets
• Bring-your-own-key with HSM
• Retrieving shielded VM
• Live migration
• Live storage migration
• Non-live migration
• Automatic scale-out
• Cluster failover
• Cross-datacenter, cross-trust migration
• Backup, disaster recovery
• Creating shielded VM from tenant’s template
• Creating shielded VM from third-party template
• Protected guest configuration
• Remote administration
• On-boarding and retiring servers
• Servicing host OS, hardware and firmware
• Managing HVCI policy for host software
• Isolating Guardian service in separate forest
• Remediating compromised and evicted host
• Administrator trust, non-attested
• Troubleshooting
DEVICE GUARD
New challenges require a new platform
Ignite 2015 BRK2325
Device Guard
• (Sort of) an improved version of AppLocker
• Hardware Rooted App Control (runs in VSM)
– Enables a Windows desktop to be locked down to only run trusted apps, just like many mobile OSes (e.g. Windows Phone)
– Untrusted apps and executables such as malware are unable to run
– Resistant to tampering by an administrator or malware
– Requires devices specially configured by either the OEM or IT
• Getting Apps into the Circle of Trust
– Supports all apps including Universal and Desktop (Win32)
– Trusted apps can be created by IHVs, ISVs, and organizations using a Microsoft-provided signing service
– Apps must be specially signed using the Microsoft signing service. No additional modification is required
– Signing service will be made available to OEMs, IHVs, ISVs, and enterprises
Ignite 2015 BRK2325
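The lockdown described above rests on a code integrity policy; as an added example that is not from the deck, this PowerShell builds an initial policy from a reference machine in audit mode, converts it to the binary form Windows consumes, and reports whether virtualization-based security and HVCI are actually running. File paths are assumptions.

```powershell
# Added example (not from the ITCamp deck). Assumes Windows 10 Enterprise or
# Windows Server 2016 with the ConfigCI module, run from an elevated session.

$PolicyXml = 'C:\CIPolicy\InitialScan.xml'   # assumed output paths
$PolicyBin = 'C:\CIPolicy\SIPolicy.p7b'

function New-AuditModeCIPolicy {
    param([string]$Xml = $PolicyXml, [string]$Bin = $PolicyBin, [string]$ScanRoot = 'C:\')
    New-Item -ItemType Directory -Path (Split-Path -Parent $Xml) -Force | Out-Null

    # Scan the reference ("golden") machine and allow what is found, keyed on each signer's
    # publisher certificate; unsigned binaries fall back to file hashes. -UserPEs includes
    # user-mode code, which is what the "only trusted apps run" lockdown is about.
    # A full-disk scan takes a long time.
    New-CIPolicy -FilePath $Xml -Level Publisher -Fallback Hash -UserPEs -ScanPath $ScanRoot

    # Rule option 3 = "Enabled:Audit Mode": violations are logged to the CodeIntegrity
    # operational event log instead of being blocked, so the policy can be tuned first.
    Set-RuleOption -FilePath $Xml -Option 3

    # Binary form the boot loader and kernel consume; deploy it as
    # C:\Windows\System32\CodeIntegrity\SIPolicy.p7b (or through Group Policy / MDM).
    ConvertFrom-CIPolicy -XmlFilePath $Xml -BinaryFilePath $Bin
}

function Get-DeviceGuardStatus {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard'
    $running = [int[]]$dg.SecurityServicesRunning     # 1 = Credential Guard, 2 = HVCI
    [pscustomobject]@{
        VbsStatus              = $dg.VirtualizationBasedSecurityStatus     # 0 off, 1 configured, 2 running
        HvciRunning            = ($running -contains 2)
        CredentialGuardRunning = ($running -contains 1)
        KernelModeCI           = $dg.CodeIntegrityPolicyEnforcementStatus   # 0 off, 1 audit, 2 enforced
        UserModeCI             = $dg.UsermodeCodeIntegrityPolicyEnforcementStatus
    }
}

New-AuditModeCIPolicy
Get-DeviceGuardStatus | Format-List
```

Leave the policy in audit mode until the CodeIntegrity log shows no unexpected blocks; removing option 3 (`Set-RuleOption -FilePath $PolicyXml -Option 3 -Delete`) switches it to enforcement.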
PROVABLE PC HEALTH (PPCH)
Today, health is assumed
• Unhealthy clients proliferate malware
(diagram: numbered steps 1-2 between the client and important resources)
Ignite 2015 BRK2325
Windows Provable PC Health (PPCH)
• Cloud-based service
– Provides remote health attestation
– Can issue health state “claims”
• Blocks unhealthy devices to protect resources and prevent proliferation
• Intune can provide conditional access based on PPCH health state claims
• Available for use by 3rd party network access, security, and management solutions
Ignite 2015 BRK2325
Provable PC Health overview
(diagram: numbered steps 1-5 between the device, the PPCH service and important resources; step text not recoverable from the slide)
Ignite 2015 BRK2325
ADVANCED THREAT ANALYTICS
Protecting corporate environments from advanced attacks
How Microsoft Advanced Threat Analytics works
1. Analyze – after installation:
• Simple, non-intrusive port mirroring configuration copies all AD-related traffic
• Remains invisible to the attackers
• Analyzes all Active Directory network traffic
• Collects relevant events from SIEM (Security Information and Event Management) and information from AD (titles, group memberships, and more)
2. Learn – ATA:
• Automatically starts learning and profiling entity behavior
• Identifies normal behavior for entities
• Learns continuously to update the activities of the users, devices, and resources
What is an entity? An entity represents users, devices, or resources
3. Detect – Microsoft Advanced Threat Analytics:
• Looks for abnormal behavior and identifies suspicious activities
• Only raises red flags if abnormal activities are contextually aggregated
• Leverages world-class security research to detect security risks and attacks in near real time based on attackers’ Tactics, Techniques and Procedures (TTPs)
ATA not only compares the entity’s behavior to its own, but also to the behavior of entities in its interaction path.
Ignite 2015 BRK3870
How Microsoft Advanced Threat Analytics works – detection categories
• Abnormal behavior
– Anomalous logins
– Remote execution
– Suspicious activity
– Unknown threats
– Password sharing
– Lateral movement
• Security issues and risks
– Broken trust
– Weak protocols
– Known protocol vulnerabilities
• Malicious attacks
– Pass-the-Ticket (PtT)
– Pass-the-Hash (PtH)
– Overpass-the-Hash
– Forged PAC (MS14-068)
– Golden Ticket
– Skeleton key malware
– Reconnaissance
– Brute force
Ignite 2015 BRK3870
ATA Topology - Overview
Ignite 2015 BRK3870
ATA Topology - Gateway
• Captures and analyzes DC network traffic via port mirroring
• Listens to multiple DCs from a single Gateway
• Receives events from SIEM
• Retrieves data about entities from the domain
• Performs resolution of network entities
• Transfers relevant data to the ATA Center
Ignite 2015 BRK3870
ATA Topology - Center
• Manages ATA Gateway configuration settings
• Receives data from ATA Gateways and stores it in the database
• Detects suspicious activity and abnormal behavior (through Machine Learning)
• Provides Web Management Interface
• Supports multiple Gateways
Ignite 2015 BRK3870
ATA Interface Overview
Ignite 2015 BRK3870
WINDOWS DEFENDER
ADVANCED THREAT PROTECTION
Windows advanced threat detection, investigation and response
STRONTIUM attack case study
Build 2016 B890
From: <attacker>@<email provider.com>
To: <victim>@<email provider.com>
Subject: Re: Mission In Central African Republic
*Dear Sir!*
Please be advised that The Spanish Army personnel and a large number of the Spanish Guardia Civil officers currently deployed in the Central African Republic (CAR) as part of the European EUFOR RCA mission will return to Spain in early March as the mission draws to a close.
Visit <link> for the additional info.
*Best regards,*
*Capt. <omitted>, Defence Adviser, Public Diplomacy Division NATO, Brussels <attacker>@<email provider.com>
TARGET: Diplomat in the Middle East
hxxp://eurasiaglobalnews.com/90670117-spains-armed-forces-conclude-mission-in-central-african-republic/
Build 2016 B890
TARGET: NATO-Themed Spear Phish
hxxp://nato.int -> hxxp://natoint.com
Build 2016 B890
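The nato.int → natoint.com lure above is a lookalike domain; as an added example that is not from the deck, this PowerShell flags URLs whose registrable name imitates a protected domain, either by dropping the dot (natoint vs nato.int) or by a single-character change. The protected-domain list and sample URLs are constructed, and defanged "hxxp" schemes are re-armed before parsing.

```powershell
# Added example (not from the ITCamp deck); constructed protected-domain list.
$ProtectedDomains = @('nato.int', 'microsoft.com')

function Get-EditDistance {
    param([string]$a, [string]$b)
    # Levenshtein distance: minimum single-character inserts, deletes or substitutions
    $prev = @(0..$b.Length)
    for ($i = 1; $i -le $a.Length; $i++) {
        $curr = @($i) + @(0) * $b.Length
        for ($j = 1; $j -le $b.Length; $j++) {
            $cost = if ($a[$i - 1] -eq $b[$j - 1]) { 0 } else { 1 }
            $curr[$j] = [Math]::Min([Math]::Min($curr[$j - 1] + 1, $prev[$j] + 1), $prev[$j - 1] + $cost)
        }
        $prev = $curr
    }
    return $prev[$b.Length]
}

function Test-LookalikeDomain {
    param([string[]]$Urls, [string[]]$Protected = $ProtectedDomains, [int]$MaxDistance = 1)
    foreach ($url in $Urls) {
        # Re-arm the defanged scheme so [uri] can parse it, then take the lower-cased host name
        try   { $hostName = ([uri]($url -replace '^hxxp', 'http')).Host.ToLowerInvariant() }
        catch { continue }
        $labels = $hostName -split '\.'
        if ($labels.Count -lt 2) { continue }
        $core = $labels[-2]                          # registrable name without its TLD, e.g. "natoint"

        foreach ($p in $Protected) {
            # The genuine domain and its subdomains are never lookalikes
            if ($hostName -eq $p -or $hostName.EndsWith(".$p")) { continue }
            $pLabels = $p -split '\.'
            # Pattern 1: protected name with its dot removed ("nato.int" -> "natoint")
            # Pattern 2: protected second-level label with a few characters changed ("micros0ft")
            $distance = [Math]::Min((Get-EditDistance $core ($pLabels -join '')),
                                    (Get-EditDistance $core $pLabels[-2]))
            if ($distance -le $MaxDistance) {
                [pscustomobject]@{ Url = $url; Host = $hostName; Imitates = $p; EditDistance = $distance }
            }
        }
    }
}

# Constructed sample: the slide's natoint.com, the genuine nato.int, a substitution, and an unrelated site
$SampleUrls = @(
    'hxxp://natoint.com/docs/brief.html',
    'hxxp://www.nato.int/cps/en/natohq/news.htm',
    'hxxp://micros0ft.com/login',
    'hxxp://eurasiaglobalnews.com/90670117-spains-armed-forces-conclude-mission-in-central-african-republic/'
)
Test-LookalikeDomain -Urls $SampleUrls | Format-Table -AutoSize
```

The same function can be fed sender domains from mail headers or URLs extracted from a proxy log; keep MaxDistance small for short brand names to limit false positives.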
ATTACK: Stages of a 0-day Attack
1. Initial exploit URL (Flash 0-day)
TimeStamp: 2015/04/08 10:11:54 | Alert: Unknown URL Report | Data: hxxp:militaryadviser.org/hu/press-center/news/426728-ukraine/440136/
2. Kernel mode exploit (0-day)
TimeStamp: 2015/04/08 10:12:11 | Alert: Win32/ContextualDropIETemp | SHA1: b22233684bc8aa939629f4cbebb18545c7121548 | FileName: runrun.exe | Parent Process: iexplore.exe
3. Stage 1: Backdoor
TimeStamp: 2015/04/08 10:12:11 | Alert: #LowFiContextRundllAppdata | SHA1: ef1a7b1a92b7b00f77786b6a1bffc4e495ccf729 | FileName: odserv.dll | Parent Process: rundll32.exe
4. Stage 2: Pass-the-Hash Module
TimeStamp: 2015/04/09 06:34:04 | Alert: #HackTool:Win32/WDigest.A!dha | SHA1: ca709ec79ee0518b77f161bc8bab8847c889cb88 | FileName: psw.exe | Parent Process: rundll32.exe
Build 2016 B890
The Windows 10 Defense Stack
Pre breach
• Device protection: Device Health attestation, Device Guard, Device Control, Security policies
• Threat resistance: SmartScreen, AppLocker, Device Guard, Windows Defender, Network/Firewall
• Identity protection: Built-in 2FA, Account lockdown, Credential Guard, Microsoft Passport, Windows Hello ;)
• Information protection: Device protection / Drive encryption, Enterprise Data Protection, Conditional access
Post breach
• Breach detection, Investigation & Response: Windows Defender ATP
Build 2016 B890
Windows Defender ATP Overview
• Powered by cloud: Machine Learning Analytics over the largest sensor array in the world
• Universal end-point behavioral sensor, built into Win10, with no additional deployment requirements
• Enhanced by the community of researchers and threat intelligence
Build 2016 B890
Windows Defender ATP Features
• Post breach detection for advanced attacks: actionable, correlated, real-time and historical for known and unknown attacks
• Easily investigate & explore enterprise endpoints to understand scope of breach through rich machine timeline and data pivoting
• Self hunting across protected assets: search for current and historical observables (machines, files, IPs, or URLs) across all endpoints
• Deep file analysis of files observed on endpoints
• Built-in threat intelligence knowledge base provides actor and intent context for threat intel-based detections, combining 1st and 3rd-party intelligence sources
Build 2016 B890
Windows ATP Indicators
• Indicators of Compromise (IOCs)
– Monitoring “What (who) we know”
– Threat Intelligence database of known adversary and campaign IOCs
• Indications of Attack (IOAs)
– Monitoring “What (who) we don’t recognize – yet”
– Generic IOA Dictionary of attack-stage behaviors, tools, and techniques
Build 2016 B890
Why Microsoft is in a unique position
• Over 1M Microsoft corporate machines: new code, new products, new files; most are local admins; hundreds of labs, malware enclaves
• 1.2 Billion Windows machines reporting
• 1M files detonated daily
• Advanced detection algorithms & statistical modelling
• APT hunters – OS Security, Exploit & Malware Researchers, & Threat Intelligence
• 11M Enterprise machines reporting
• 2.5T URLs indexed and 600M reputation look ups
Build 2016 B890
AZURE SECURITY CENTER
Understand the security state of all of your Azure resources
Azure Security Center enables you to:
• Understand the security state of Azure resources
• Use policies that enable you to recommend and monitor security configurations
• Use DevOps to deploy integrated Microsoft and partner security solutions
• Identify threats with advanced analysis of your security-related events
• Respond and recover from incidents faster with real-time security alerts
• Export security events to a SIEM for further analysis
AzureCon 2015 ACON205
Azure Security Center interface
AzureCon 2015 ACON205
Finds attacks that might go undetected
• Compromised machines
• Failed exploitation attempts
• Brute force attacks
• Data exfiltration
• Web application vulnerabilities
• Advanced malware
• Achieve all this using:
– High volume of signals
– Behavioral profiling
– Machine Learning
– Global threat intelligence
• Constantly being expanded with new detection mechanisms
AzureCon 2015 ACON205
Rich ecosystem of products and services
AzureCon 2015 ACON205
OPERATIONS MANAGEMENT SUITE
Transforming machine data into operational intelligence
Microsoft Operations Management Suite
Simplified Management. Any Cloud, Any OS.
• Log Analytics
• Automation
• Backup
• DR and Data Protection
• Security
OMS Solutions
• Log Analytics: gain visibility across your hybrid enterprise cloud
• Automation: orchestrate complex and repetitive operations
• Availability: increase data protection and application availability
• Security: help secure your workloads, servers, and users
Log Analytics
• Gain visibility across your hybrid enterprise cloud
• Easy collection, correlation, and visualization of your machine data
– Log management across physical, virtual, and cloud infrastructure
• Overview of infrastructure health, capacity, and usage
• Proactive operational data analysis
– Faster investigation and resolution of operational issues with deep insights
• Deliver unparalleled insights across your datacenters and public clouds, including Azure and AWS
• Collect, store, and analyze log data from virtually any Windows Server and Linux server source
Integrated search
• Combine and correlate any machine data from multiple sources
– Query and filter the results by using facet controls
– Automated data visualization
– Metrics pivoted around particular problem areas
– Common search queries
Custom Dashboard
• Visualize all of your saved searches
– Custom or sample searches
– Customizable visual information
– Shareable across teams
Solution Packs
• Collection of logic, visualization and data acquisition rules
– Powered by search
– Metrics pivoted around particular problem areas
– Investigate and resolve operational issues
– Can be added/removed and customized
Alert Management
• Expose your integrated System Center Operations Manager alerts
• Web based Alert visualization
• Integrated search for deeper analysis
• Common alert queries
Capacity Planning
• Plan for future capacity and trends using historical data
• VM utilization and efficiency
• Compute projection
• Storage utilization
Active Directory Assessment
• Using best practices and data collection, identify potential issues
• Security and Compliance
• Availability and business continuity
• Performance and security
• Upgrade, migration and deployment
SQL Server Assessment
• Security and Compliance
• Availability and business continuity
• Performance and security
• Upgrade, migration and deployment
• Operations and monitoring
• Change and configuration
Change Tracking
• Track every change on your system across any environment
• Configuration type change
• Software & application changes
• Windows Service changes
Azure Automation Dashboard
• Quick glance view of runbook health and status
– Active runbooks & total jobs
– Link into Azure Automation portal
Azure Backup and Recovery Dashboard
• Quick glance view of backup and protection status
– Registered servers
– Backup size & jobs status
– Link into Azure portal for backup and recovery
System Update Assessment
• Understand server update and patching status across your environment
• Servers missing security updates
• Servers not updated recently
• Types of updates missing
Malware Assessment
• Quickly determine your servers’ malware status and potential threats
• Detected threats
• Protection status
Security and Audit
• Collect security events and perform forensic, audit and breach analysis
– Security posture
– Notable issues
– Summary threats
Security Solution Pack
• Security Posture
– Quick glance showcasing server workload and server security threats
– Computer growth change
– Account authentication
– Total system activities
– Processes executed
– Change in policy
– Remote IP Tracking
Security Solution Pack
• Notable issues
– Understand notable security issues, and audit rate of change
– Failed account access
– Security policy and group changes
– Password resets
– Event log cleaning
– Lock-out accounts
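The "notable issues" list above maps onto a handful of Windows Security log event IDs; as an added PowerShell example that is not from the deck or from OMS, this summarises those issues and their rate of change from Security events, with a constructed sample so it runs offline and a commented Get-WinEvent call for a live server. The threshold and sample data are assumptions.

```powershell
# Added example (not from the ITCamp deck). Event IDs are the standard Windows Security
# log IDs for the issues the Security and Audit solution pack surfaces.
$NotableEvents = @{
    4625 = 'Failed account access'
    4740 = 'Account locked out'
    4724 = 'Password reset by administrator'
    4723 = 'Password change attempt by user'
    4728 = 'Member added to global security group'
    4732 = 'Member added to local security group'
    4756 = 'Member added to universal security group'
    4719 = 'Audit policy changed'
    1102 = 'Security log cleared'
}

function Get-NotableSecurityIssues {
    param(
        # Objects with TimeCreated, Id and MachineName (Get-WinEvent output or the sample below)
        [Parameter(ValueFromPipeline)] [object[]]$Events,
        [int]$FailedLogonThreshold = 5        # assumed burst threshold per machine per hour
    )
    begin { $all = @() }
    process { $all += $Events }
    end {
        $notable = $all | Where-Object { $NotableEvents.ContainsKey([int]$_.Id) }

        # Count per issue type, most frequent first
        $byIssue = $notable | Group-Object { $NotableEvents[[int]$_.Id] } |
            Sort-Object Count -Descending |
            ForEach-Object { [pscustomobject]@{ Issue = $_.Name; Count = $_.Count } }

        # Rate of change: failed logons bucketed per machine and hour; a burst suggests password guessing
        $bursts = $notable | Where-Object { $_.Id -eq 4625 } |
            Group-Object { '{0}|{1:yyyy-MM-dd HH}' -f $_.MachineName, $_.TimeCreated } |
            Where-Object { $_.Count -ge $FailedLogonThreshold } |
            ForEach-Object { [pscustomobject]@{ MachineHour = $_.Name; FailedLogons = $_.Count } }

        # A cleared Security log (1102) matters as a single event regardless of rate
        $cleared = $notable | Where-Object { $_.Id -eq 1102 } | Select-Object TimeCreated, MachineName

        [pscustomobject]@{ ByIssue = $byIssue; FailedLogonBursts = $bursts; LogCleared = $cleared }
    }
}

# Constructed sample: six failed logons on SRV01 within one hour, an admin password reset,
# a local group change, a cleared log, and one ordinary logon (4624) that is ignored
$base = Get-Date '2016-05-20 09:00:00'
$SampleEvents = @(
    1..6 | ForEach-Object { [pscustomobject]@{ TimeCreated = $base.AddMinutes($_); Id = 4625; MachineName = 'SRV01' } }
    [pscustomobject]@{ TimeCreated = $base.AddHours(2); Id = 4724; MachineName = 'DC01'  }
    [pscustomobject]@{ TimeCreated = $base.AddHours(3); Id = 4732; MachineName = 'DC01'  }
    [pscustomobject]@{ TimeCreated = $base.AddHours(4); Id = 1102; MachineName = 'SRV01' }
    [pscustomobject]@{ TimeCreated = $base.AddHours(4); Id = 4624; MachineName = 'SRV01' }
)
$report = Get-NotableSecurityIssues -Events $SampleEvents
$report.ByIssue           | Format-Table -AutoSize
$report.FailedLogonBursts | Format-Table -AutoSize
$report.LogCleared        | Format-Table -AutoSize

# Against a real server (elevated session), feed the Security log in instead:
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = [int[]]$NotableEvents.Keys } -MaxEvents 5000 |
#     Get-NotableSecurityIssues
```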
Security Solution Pack
• Security context
– Quick view of security position across your enterprise
– Active threats
– Patch status
– Software changes
– Service changes
– Critical and warning alerts
AND THAT’S NOT ALL OF IT…
Responsibility for Security in the Cloud era
Ignite 2015 BRK2482
Some other things to keep in mind
• Start using an “Assume Breach” approach
• UEFI Secure Boot and TPM support on your hardware
• Just-Enough/Just-In-Time Administration (coming in WS 2016)
• Azure Rights Management & Data Loss Prevention
• Azure AD Multi-Factor Authentication
• Windows Hello / Microsoft Passport
• Cloud App Security
• Etc.
What to do next?
• Channel 9 - https://channel9.msdn.com/
– Ignite 2015 BRK2482 - Platform Vision and Strategy: Security and Assurance Overview
– Ignite 2015 BRK3870 - Microsoft Advanced Threat Analytics
– Ignite 2015 BRK2325 - A New Era of Threat Resistance for the Windows 10 Platform
– AzureCon 2015 ACON205 - New Azure Security Center helps you prevent, detect, and respond to threats
– Ignite New Zealand 2015 M235 - Automating Operational and Management Tasks in Microsoft Operations Management Suite and Azure
– Build 2016 B890 – Windows Defender ATP
– … & others
• Microsoft Virtual Academy - http://www.microsoftvirtualacademy.com/
• Try out & look at Windows Server 2016 TP5 & System Center 2016
• Look into the latest Azure/Cloud improvements
• Keep up with Security changes in the industry
THANK YOU!
Contact: [email protected] / @tudydamian / tudy.tel