Enhanced Security Admin Environment (ESAE)


Transcript of Enhanced Security Admin Environment (ESAE)

Page 1: Enhanced Security Admin Environment (ESAE)
Page 2: Enhanced Security Admin Environment (ESAE)
Page 3: Enhanced Security Admin Environment (ESAE)
Page 4: Enhanced Security Admin Environment (ESAE)
Page 5: Enhanced Security Admin Environment (ESAE)

How we see malware introduced

• Phishing

• Targeted Phishing

• Water hole

• Downloads (software, including "free" software, music, films, serialz/cracks)

Page 6: Enhanced Security Admin Environment (ESAE)

Diagram labels (attack walkthrough slide): DC, Client, Domain.Local, DomainAdmin, Attack Operator.

Page 7: Enhanced Security Admin Environment (ESAE)
Page 8: Enhanced Security Admin Environment (ESAE)

Diagram: ENGAGE - Advise - Protect - Detect - Respond

Page 9: Enhanced Security Admin Environment (ESAE)


Assessment, Education, Mitigations

Security Assessments:

• Securing Windows Client

• Securing Windows Server

• BitLocker and MBAM

• Certificate Services

• Rights Management Services

• Forensics (English)

• DirectAccess

• Endpoint Protection

• Enterprise Auditing

Workshops:

• Windows

• Active Directory

• SQL

• Web Servers

• SharePoint

• Exchange

• PKI

• DirectAccess

Mitigations:

• POP - Securing Lateral Account Movements

• POP - EMET

• POP - Hardening AD Domain and DC

Premier Security Advisor

Bulletin Advisor

Page 10: Enhanced Security Admin Environment (ESAE)
Page 11: Enhanced Security Admin Environment (ESAE)

Protect: protection for your most valuable assets and accounts to help prevent compromise from cyber-attacks.

Microsoft Security Risk Assessment (MSRA): rapid review of the customer's IT security program, tailored to business and security needs. On-site, in-person interviews and technical examination provide a comprehensive look at security technologies and operational practices, together with an examination of the program's business foundations, including security goals, risk posture, and policies and standards.

Enhanced Security Administration Environment (ESAE) & Privileged Administrator Workstation (PAW): the ESAE offering leverages advanced security technologies and recommended practices to provide administrative environments and workstations with enhanced security protection.

Security Development Lifecycle Services (SDL): Microsoft provides an assessment of your software assurance program, identifies enhancements, and delivers a roadmap to strengthen and mature your software development practices.

EMET – Enterprise Reporting (EMET ERS): pilot deployment of EMET, including deployment of Enterprise Reporting Services and a dashboard for all EMET-mitigated events.

Detect: continuous monitoring of your network for attacks, vulnerabilities, and persistent threats.

Microsoft Threat Detection Service (MTDS): collects the application and system error reports that the customer's machines generate and checks them for signs of malicious activity. It also derives intelligence from the error reports so that errors can be managed efficiently.

Persistent Adversary Detection Service (PADS): proactively determines whether a system is under threat, through a discreet incident-response engagement before an actual emergency, by examining high-value assets or a sample of systems for signs of advanced implants not typically found by commodity anti-virus or intrusion detection system technologies.

Respond: investigate and disrupt suspicious events to provide a diagnosis and potential mitigations.

Incident Response: Microsoft offers the IR&R service to determine whether a system is under targeted exploitation, via a discreet incident-response engagement that examines high-value assets or exploited systems for signs of advanced implants not typically found by commodity anti-virus or intrusion detection system technologies.

Page 12: Enhanced Security Admin Environment (ESAE)

Our approach consists of the following strategic assessments to help assess the current environment and processes, and then deliver a roadmap for meeting business goals and objectives:

Assessments

The MSRA was developed by Microsoft to provide a Risk Assessment service to help customers manage risk in their complex enterprise environments.

SDL is a software development process that helps customers build more secure software and address security compliance requirements while reducing development cost.

Page 13: Enhanced Security Admin Environment (ESAE)

The main recommendations concern credential hygiene, security monitoring, and configuration management. All three of these items should be done as quickly as possible because of the extreme risk of credential theft and of compromise to the CUSTOMER systems…

Page 14: Enhanced Security Admin Environment (ESAE)

48 hours - the average time it takes to get Domain Administrator credentials once a single machine has been compromised within the environment.

Page 15: Enhanced Security Admin Environment (ESAE)

Enhanced Security Admin Environment (ESAE): Domain and Forest Administration

Diagram labels (the slide shows the ESAE admin forest alongside the production domain(s)):

• Production Domain(s)

• Domain and Forest Security Alerting

• Server and System Management

• Hardened Hosts and Accounts

• Managed Access Request System (MARS)

• App and Data Management

• Privileged Account Workstation (PAW)

• User Assistance and Support

• Lateral Traversal Mitigations

• Application & Service Hardening

• Helpdesk and Workstation Management

• With Windows 8.1 / Server 2012 R2 features: RDP with Restricted Admin; Protected Users; Authentication Policies and Silos
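The three Windows 8.1 / Server 2012 R2 features named on the slide are the concrete controls that keep a Tier 0 credential from being usable anywhere except a PAW. The script below is an added example (it is not code from the deck or from Microsoft's ESAE offering) that wires them together with the ActiveDirectory module cmdlets: it puts the admin in Protected Users, builds an Authentication Policy whose SDDL condition only issues the admin a TGT from a host in a named silo, binds admin and PAW into that silo, and enables Restricted Admin RDP on the host the admin will reach. The domain, account and host names (`da-alice`, `PAW01`, `DC01`, `Tier0-PAW-Silo`) are assumptions for illustration.

```powershell
# Added example, not from the original deck. Assumed names: admin 'da-alice',
# PAW computer 'PAW01', target host 'DC01', silo 'Tier0-PAW-Silo'.
# Prerequisites (not shown): domain functional level Windows Server 2012 R2 for
# policies/silos; DCs with "KDC support for claims, compound authentication and
# Kerberos armoring" enabled and clients with the matching Kerberos client policy;
# run as a Domain Admin from a management host with RSAT.
Import-Module ActiveDirectory

$adminUser   = 'da-alice'
$pawComputer = 'PAW01'
$targetHost  = 'DC01'
$siloName    = 'Tier0-PAW-Silo'

# 1. Protected Users: blocks NTLM, DES/RC4 Kerberos, delegation and cached
#    logon for the account, so a stolen hash or cached verifier is far less useful.
Add-ADGroupMember -Identity 'Protected Users' -Members $adminUser

# 2. Authentication Policy for the admin: TGT lifetime cut to 2 hours and a TGT
#    may be issued only when the requesting device carries the silo claim.
$allowedFrom = 'O:SYG:SYD:(XA;OI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == "{0}"))' -f $siloName
$userPolicy = New-ADAuthenticationPolicy -Name 'Tier0-Admin-Policy' `
    -UserTGTLifetimeMins 120 `
    -UserAllowedToAuthenticateFrom $allowedFrom `
    -Enforce -PassThru

# Policy for the PAW's computer account (short TGT, enforced).
$computerPolicy = New-ADAuthenticationPolicy -Name 'Tier0-PAW-Policy' `
    -ComputerTGTLifetimeMins 120 -Enforce -PassThru

# 3. Silo that binds the policies to the admin and the PAW. A silo is enforced
#    only for accounts that are both granted access to it and assigned to it.
New-ADAuthenticationPolicySilo -Name $siloName `
    -UserAuthenticationPolicy $userPolicy `
    -ComputerAuthenticationPolicy $computerPolicy `
    -ServiceAuthenticationPolicy $computerPolicy `
    -Enforce

Grant-ADAuthenticationPolicySiloAccess -Identity $siloName -Account $adminUser
Grant-ADAuthenticationPolicySiloAccess -Identity $siloName -Account "$pawComputer$"
Set-ADAccountAuthenticationPolicySilo -Identity $adminUser        -AuthenticationPolicySilo $siloName
Set-ADAccountAuthenticationPolicySilo -Identity "$pawComputer$"   -AuthenticationPolicySilo $siloName

# 4. Restricted Admin RDP on the target host: the admin's credential is never
#    sent to DC01, so a compromised DC01 cannot harvest it from LSASS.
Invoke-Command -ComputerName $targetHost -ScriptBlock {
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
        -Name DisableRestrictedAdmin -Value 0 -Type DWord
}
# From the PAW, the admin then connects with:  mstsc.exe /restrictedAdmin /v:DC01

# Quick check: the account should now show the silo, and the silo should be enforced.
Get-ADUser -Identity $adminUser -Properties AuthenticationPolicySilo |
    Select-Object SamAccountName, AuthenticationPolicySilo
Get-ADAuthenticationPolicySilo -Identity $siloName | Select-Object Name, Enforce
```

Two caveats a practitioner should carry with this. First, test the policy with `-Enforce` omitted (audit mode) before enforcing it: a silo that excludes the host the admin actually uses locks the Tier 0 account out, and KDC event log entries show which logons would have been refused. Second, Restricted Admin protects the credential on the remote host but the session there runs with the host's machine identity for onward network access, and an attacker who already controls the PAW can still pass a hash into a Restricted Admin session; it complements, rather than replaces, a clean PAW.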

Page 16: Enhanced Security Admin Environment (ESAE)

EMET Production Pilot

• Assist with your EMET deployment to a pilot group of workstations

EMET ERS (Enterprise Reporting Services) Deployment and Configuration

• Provides a dashboard roll-up view of EMET events

• Top 10 machines; hourly EMET mitigation events; compliance reports; trending and analysis

Benefits:

• All EMET agents act as sensors on your network

• EMET ERS can be used to tune EMET quickly during your pilot and deployment, and provides basic detection

• EMET also works in conjunction with MTDS

Page 17: Enhanced Security Admin Environment (ESAE)

Technologies unique to Microsoft: a unique malware database built up by the world's largest sensor network.

MTDS on-premises and MTDS hosted.

Malware will normally cause applications or the whole operating system to crash. These crashes, which include a memory dump, can be collected and analysed.

No agent required: a simple configuration update points error logs to a central collector.

Can detect 0-day and custom, unique malware code.

Robust security reporting with actionable data.
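The "simple configuration update" the slide refers to is the Windows Error Reporting (WER) corporate-server redirection that already exists in the OS. The script below is an added example, not the deck's or MTDS's own setup, showing the documented WER policy registry values set directly with PowerShell (the same values the "Configure Corporate Windows Error Reporting" Group Policy writes), plus local dump retention so an analyst can still retrieve a dump if the collector is unreachable. The collector name `wer-collector.corp.example`, the dump folder and the retention counts are assumptions; the slide does not say how MTDS's own collector is addressed.

```powershell
# Added example, not from the original deck. Assumed collector:
# wer-collector.corp.example on the WER default port 1273 over TLS.
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting'
New-Item -Path $policy -Force | Out-Null

# WER must be enabled, otherwise there is nothing to collect.
Set-ItemProperty -Path $policy -Name Disabled -Value 0 -Type DWord

# Redirect reports to the corporate collector instead of Microsoft.
# These are the values behind "Configure Corporate Windows Error Reporting".
Set-ItemProperty -Path $policy -Name CorporateWERServer            -Value 'wer-collector.corp.example' -Type String
Set-ItemProperty -Path $policy -Name CorporateWERPortNumber        -Value 1273 -Type DWord
Set-ItemProperty -Path $policy -Name CorporateWERUseSSL            -Value 1    -Type DWord
Set-ItemProperty -Path $policy -Name CorporateWERUseAuthentication -Value 1    -Type DWord

# Keep full user-mode dumps locally as well (assumed folder and count), so the
# crash that matters is not lost if the upload fails.
$localDumps = 'HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps'
New-Item -Path $localDumps -Force | Out-Null
Set-ItemProperty -Path $localDumps -Name DumpFolder -Value 'C:\CrashDumps' -Type ExpandString
Set-ItemProperty -Path $localDumps -Name DumpCount  -Value 10 -Type DWord
Set-ItemProperty -Path $localDumps -Name DumpType   -Value 2  -Type DWord   # 2 = full dump

# Verify the change took effect and see recent reports: WER logs Event ID 1001
# in the Application log for each report it generates.
Get-ItemProperty -Path $policy |
    Select-Object CorporateWERServer, CorporateWERPortNumber, CorporateWERUseSSL, CorporateWERUseAuthentication
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'Windows Error Reporting'; Id = 1001 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

A point the slide leaves implicit: full memory dumps contain whatever the crashing process held, including credentials, tokens and document contents, so the central collector is itself a high-value target and should sit in the same protected tier as the other ESAE infrastructure, with the TLS and authentication values above left on.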

Page 18: Enhanced Security Admin Environment (ESAE)

Worldwide Sensor Network and Ecosystem Insight

Page 19: Enhanced Security Admin Environment (ESAE)

Respond - IR/PADS

Page 20: Enhanced Security Admin Environment (ESAE)

The Incident Response and Recovery Service (IR&R) is an offering for clients who are looking to investigate and disrupt today's determined human adversaries and similar advanced actors who specialize in targeted exploitation.

The service is an onsite, discreet incident-response engagement that involves the examination of high-value assets or known exploited systems for signs of advanced implants not typically found by commodity AV or IDS technologies.

A team of Microsoft IR&R consultants travels to the customer site and performs analyses on the affected servers or endpoints as a starting point. The team utilizes a sophisticated toolset that leverages custom Microsoft capabilities, including specialized detection tools, malware analysis, signature generation, and custom cyber intelligence.

The typical period of performance is one work week at the customer site, but it can be customized for large clients with multiple geographic sites or organizational components.

Page 21: Enhanced Security Admin Environment (ESAE)

GBS Security: Deep Remote Technical Support

Cybersecurity IR&R Team: Onsite Security Incident Response Team

GBS First Responder: Global Onsite Support within 24 hours or less

What if I have a Cybersecurity Incident?

For Incident Response, start by using your existing Microsoft Premier Services agreement. Any staff member who has been authorized with access to open Premier Support cases should do so with a "Severity A" classification for cyber incidents.

Page 22: Enhanced Security Admin Environment (ESAE)

• Under attack: IR&R

• Suspicious of an attack / needs detection: PADS, MTDS

• Cybersecurity strategy & approach: MSRA, ADSA, ESAE, EMET-ERS, PAW, SDL

Page 23: Enhanced Security Admin Environment (ESAE)

Massive global telemetry

• Malicious Software Removal Tool: 700 million monthly

• Bing: 18B+ page scans per month

• Windows Defender: 250 million

• Exchange Online: 35 billion messages scanned

• Digital Crimes Unit (CITP)

Software and Services company

Builds the software people rely on

• Security Development Lifecycle

• ISO/IEC 27034-1:2011

Operates major online and cloud services

• Cloud Security Alliance

Target for cyber attacks

Unparalleled visibility into the threat environment

• MSIT

• ISRM internal experiences

• ACE team

• Global Foundation Services

• Global Business Support Security

Page 24: Enhanced Security Admin Environment (ESAE)

© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.

MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Massimo Agrelli

CyberSecurity Architect

Microsoft Services – Cybersecurity Global Practice

[email protected]