Cloud Security, Mobility and Current Threats
Transcript of a slide deck by Tristan Watkins, Head of Research and Innovation

Page 1: Cloud Security, Mobility and Current Threats
Tristan Watkins, Head of Research and Innovation

Page 2: Threat Landscape

Page 3:

Page 4: Verizon Data Breach Investigations Report

Page 5: Verizon DBIR: Threat actors and actions

Page 6: Verizon DBIR: Threat actor motive (2016)

Page 7: Verizon DBIR: Threat actor method (2016)

Page 8: Verizon DBIR: Breached assets (2016)

Page 9: Verizon DBIR: Time to compromise (2016)

Page 10: Verizon DBIR: Time to discovery (2016)

Page 11: DLP: Insider risks

“We see individuals abusing the access they have been entrusted with by their organization in virtually every industry... with financial gain and convenience being the primary motivators (40% of incidents), whether they plan to monetize stolen data by selling it to others (such as with financial data) or by directly competing with their former employer.”

Why? How?

Page 12: DLP: accidental and outsider risks

Unintended data leaks are very hard to protect against
• For every way that data can be lost, we need a specific (often unique) defence

Examples of unintended data loss:
• Lost/stolen device
• Wrong recipient
• Lost/stolen drives/media
• Memory scraping
• Credential theft:
  o Keystroke loggers
  o Social engineering
  o Bad password practices

Neither file-level protections nor FDE will solve for all of these risks

Page 13: Phishing and social engineering

"23% of recipients now open phishing messages and 11% click on attachments."

"a campaign of just 10 e-mails yields a greater than 90% chance that at least one person will become the criminal’s prey."

"…nearly 50% of users open e-mails and click on phishing links within the first hour. …the median time-to-first-click coming in at one minute, 22 seconds across all campaigns."

Page 14: Signature Detection Obsolescence

Much of today's malware code is modified so quickly that it will avoid detection
• “99% of malware hashes are seen for only 58 seconds or less. In fact, most malware was seen only once.”
• 40 million malware samples
• 3.8 million malware signatures (90%+ is found only once in the data)
• 20,000 common signatures across organisations
• 99.95% is organisationally-unique

Signature modification can be trivially automated in PowerShell

Page 15: Image courtesy of John Lambert, General Manager of the Microsoft Threat Intelligence Center

Page 16: Modernising Security

Page 17: What is driving change?

Life before clouds
• Only sanctioned apps are installed
• Resources accessed via managed devices/networks
• IT had layers of defense protecting internal apps
• IT has a known security perimeter

Life with clouds
• User chooses apps (unsanctioned, shadow IT)
• User can access resources from anywhere
• Data is shared by user and cloud apps
• IT has limited visibility and protection

(Diagram labels: On-premises; Storage, corp data; Users)

Page 18: Microsoft Enterprise Mobility Management

Enterprise Mobility Suite

Users: Identity & Access Management (Azure Active Directory Premium). Easily manage identities across on-premises and cloud. Single sign-on & self-service for any application.

Identity Theft: User & Entity Behaviour Analytics (Advanced Threat Analytics). Identify suspicious activities and advanced threats in near real time, with simple, actionable reporting.

Data: Information Protection (Azure Rights Management Premium). Encryption, identity, and authorisation to secure corporate files and email across phones, tablets, and PCs.

Devices & Apps: Mobile Device & App Management (Intune & Configuration Manager). Manage and protect corporate apps and data on almost any device with MDM & MAM.

SaaS Apps: Cloud Access Security Broker (Cloud App Security). Protecting customer data by providing IT visibility, control, and security over cloud applications.

Windows Apps: Windows App Virtualisation (Azure RemoteApp). Share Windows applications and other resources with users on almost any device.

Page 19: Active Directory Problem Spaces

User Experience: Makes a user's life easier by providing a single sign-on (SSO) for computers, applications and services

IT Administration: Simplifies system administration by centralising management of users, computers and policies

Platform services: Simplifies development by providing authentication, users, groups and/or claims

Security/Compliance: Lots of complicated non-functional stuff

Page 20: What would IT be without Active Directory?

Sign-on would be a colossal mess

IT administrators' lives would be incredibly repetitive and inefficient

...but we would reclaim simplicity from efficiency

Page 21: What is Azure AD to a user?

The home of my corporate identity
• How I prove who I am, including additional factors of authentication
• Details about who I am (profiles)
• What I belong to (groups)
• The service I entrust with my personal data (privacy protections/compliance)

Gateway to my apps
• A gateway to my apps: Access Panel
• A trustworthy face for cloud resources (custom branding/logos)

Gateway to my internal network from the outside world
• Self-Service Password Reset (SSPR)
• Application Proxy (Reverse Proxy)
• Workplace Join (Device Registration Service)

Page 22: What is Azure AD to IT?

Directory Service
• The directory is built with Active Directory Lightweight Directory Services (AD LDS)
• Sync on-premises Active Directory Domain Services (AD DS) objects with DirSync/AAD Connect
• DirSync and AADSync were wrapped up with related tools in a new package called AAD Connect

Security Token Service
• Like AD FS. Enables federated sign-on to Office 365, Azure and Software as a Service providers
• Also provides authentication and authorisation services to Azure Websites like SharePoint Apps

Advanced stuff
• Multiple Factors of Authentication (MFA), AKA “2FA”. Think: PIN verification for sign-on
• Application Proxy (Reverse Proxy): Sign-on to on-premises stuff from outside the network
• Device Authentication: restrict sign-on to trusted devices (enables BYOD)
• Reporting and Alerts: Detects unusual/sketchy sign-on patterns and alerts administrators
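The "unusual sign-on pattern" reporting mentioned on this slide and the later Risk Ranking slide can be illustrated with a small rule-based ranker. This is an added example, not Azure AD's own algorithm and not code from the deck: it runs over constructed sign-in events and flags two patterns a defender would want surfaced, a successful sign-on from a second country too soon after the last one ("impossible travel") and a success that follows a burst of failures. The thresholds MIN_TRAVEL_SECONDS and FAILURE_BURST are assumptions.

```python
from datetime import datetime

# Constructed sample sign-in events (not real logs): user, UTC time, country, outcome.
SIGNINS = [
    ("alice", "2016-03-01T08:00:00", "GB", "success"),
    ("alice", "2016-03-01T08:40:00", "GB", "success"),
    ("alice", "2016-03-01T09:05:00", "BR", "success"),  # GB -> BR in 25 minutes
    ("bob",   "2016-03-01T10:00:00", "GB", "failure"),
    ("bob",   "2016-03-01T10:00:20", "GB", "failure"),
    ("bob",   "2016-03-01T10:00:40", "GB", "failure"),
    ("bob",   "2016-03-01T10:01:00", "GB", "failure"),
    ("bob",   "2016-03-01T10:01:30", "GB", "failure"),
    ("bob",   "2016-03-01T10:02:00", "GB", "success"),  # success after a failure burst
    ("carol", "2016-03-01T11:00:00", "GB", "success"),
]

MIN_TRAVEL_SECONDS = 2 * 3600  # assumed: two countries within two hours is implausible
FAILURE_BURST = 5              # assumed: this many failures before a success is suspicious


def rank_signins(events):
    """Return {user: 'high' | 'medium' | 'low'} for every user seen in events.

    Rules (assumptions for this example, not Azure AD's own logic):
      high   - a success from a different country than the previous success,
               less than MIN_TRAVEL_SECONDS later
      medium - a success preceded by at least FAILURE_BURST consecutive failures
      low    - everything else
    """
    risk = {}
    last_success = {}  # user -> (time, country) of the most recent success
    failures = {}      # user -> consecutive failure count since the last success
    for user, ts, country, outcome in sorted(events, key=lambda e: e[1]):
        risk.setdefault(user, "low")
        t = datetime.fromisoformat(ts)
        if outcome != "success":
            failures[user] = failures.get(user, 0) + 1
            continue
        if failures.get(user, 0) >= FAILURE_BURST and risk[user] == "low":
            risk[user] = "medium"
        failures[user] = 0
        if user in last_success:
            prev_t, prev_country = last_success[user]
            if prev_country != country and (t - prev_t).total_seconds() < MIN_TRAVEL_SECONDS:
                risk[user] = "high"  # impossible travel outranks a failure burst
        last_success[user] = (t, country)
    return risk


if __name__ == "__main__":
    for user, level in sorted(rank_signins(SIGNINS).items()):
        print(f"{user}: {level}")
```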

Page 23: What is Azure AD to a developer?

Common Consent (OAuth 2.0)
• Secures Apps for Office and SharePoint with or without user authentication
• Sometimes Apps will be permitted to authorize on behalf of a user

Graph API
• Querying directory
• User Profile sync enhancements may originate here

Directory Extensions
• New attributes in Azure AD, flowing through to other services eventually

Page 24: Back to Basics: What is Windows Logon?

• Username/password
• Smart card
• PIN/gesture (picture password)
• Hello (fingerprint, face, iris)

Page 25: Azure Active Directory Capabilities

Page 26: Risk Ranking

Page 27: Defence-in-Depth

Page 28: