
Living in an Assume Breach world: what it means to run a secure Microsoft 365 cloud – BRK2020

August 17, 2019


>> Okay. Let's get started. So today we are going to talk about living in an assume breach world, what it really means. My name is Raji Dani. I'm Principal Group Manager for M365.

>> I have with me ...

>> Why do you think I'm here? I think you're here to understand, first of all, why does Microsoft even believe in assume breach. Why assume breach at all, right? Considering that Microsoft believes in assume breach, what are they really doing about it? What is Microsoft doing to keep your data secured, to protect against attackers, to detect on time, and incident responses? More importantly, what are the tools and best practices? What I hope you take away from the presentation is that you have information and a trust that security is in our DNA, influencing all that we do. Your data is as safe as it can be on the cloud. I also hope you will follow the best practices we will discuss here and use the tools to protect your front door, your admins and your users. So before we go deep into the presentation ... These are the most novice: the script kiddies. They don't write code. They use the scripts written by the most sophisticated attackers. They're dangerous. They keep poking around the system. They poke around the system, and the sophisticated attackers use script kiddies. The script kiddies don't know they're being leveraged. The attackers attack your system using the script kiddies, and they are dangerous.

>> And the next is the hackers. They get in to steal your secrets. That's the next set of attackers to be worried about. The third set we will talk about more are the rogue insiders. These are the users in the system. In the Microsoft 365 cloud these are our Microsoft engineers. Your admins or users, if they go rogue and have a lot of elevated privileges, can do bad things, and this can go undetected for a long time. I will show a demo on what a malicious insider can do. Right. We need to be careful about these attackers too.
Then the next set of attackers typically do it for industrial espionage. These are competitors out to attack and steal your secrets to advance their business interests. The next are hacktivists. They push the rules, they push boundaries, and they do it for a principle and a social or political cause. The last set of attackers, getting to be more prevalent now, are the nation state actors. These are the attackers licensed to hack. The government sponsors them. The rival government sponsors them to attack rival governments and businesses for their own interest. These are the set of attackers that are prevalent in the industry. They're getting more and more sophisticated. We have to assume breach. In Microsoft, and you as a tenant, shouldn't take anything for granted.

>> Breaches are very costly, about $500 billion, right. Let's talk about how many have heard of the WannaCry attack or the NotPetya attack. So prevalent. They're the ransom attacks typical last year. The attackers encrypt where your data is stored and demand money. Upon receiving the money they decrypt and let you have access to your data. This went up ... last year. On average about four thousand attacks a day. If you switch gears from ransom attacks to emails: one in 31 emails contain malware, about one percent. About 6.5 ... victims are for identity fraud. If you think this only happens to big business you're deeply mistaken. 43% of cyber attacks are targeted on small business. This is logical too. Big businesses deploy a lot of security engineers and sophisticated data. They do a lot of analysis. If you run a small business you only have time to focus on your business. It's easy for an attacker to target you and your system. That was general statistics, right. What it really means to you: let's talk about what it means to you. So, if an attacker typically sends an email to your organization, 30 will open the email. 12 will click the malicious link or attachment.
This will all happen within the span of 3:45. That's all it will take for someone to intrude and get a foothold into your system. Within the next 24 to 48 hours, that is one to two days, they will have complete control of your network. They will have moved laterally and completely owned your network. But the average time it will take you to detect that intruder, before you detect his presence, it will take you 197 days, six months. The cost is $3 million. These are the statistics. You say I'm not getting breached, I'm not paying for it. You are paying for it: you pay for the cyber insurance. The cost is going up so much as the attackers get sophisticated. It's expected to triple by 2050 and hit a whopping number of $7.5 billion. So the security breaches cost you. You need to assume breach and do things to insure yourself accordingly. When I think of security I think of it twofold. You should too, specifically if you are putting your data in the cloud. The first thing to think about is: is your cloud provider secure? In this case we talk Microsoft. What is Microsoft 365, what do we do to keep your data secure, how do we protect against intruders? The second thing is how are you keeping your front door secure, because 90% of the attacks happen through the front door. It's very easy for an attacker to compromise one user in the account and intrude. We are also going to understand today what other kinds of tools we can provide to keep the front door secure. Also, the basic principle of security, so the ground building blocks, are the protection features. We won't talk about it today. This talk is on assume breach. We will see the attack patterns on getting attacked. Protection is super important. Protection could be things like the investment that we do in antivirus, or investment in network security or networking practices and other things. M365 invested heavily in protection features.
What we are talking about is how can an attacker breach these things, and when he does it, what are the investments we have to very quickly detect it and do incident response. That is what this talk is focused on.

>> We talked about assume breach and how costly it is. How does an attacker's mind work? How does it happen? It's important to understand the attacker kill chain. What an attacker typically does is the initial recon. He plans how to really attack your system. He tries to get in. 99% of the time the attack starts with the user. He compromises one user to get in. That's the initial compromise. When that happens the attacker is not able to get into the data yet. He gets into one of the servers by using a random user account without a lot of privileges. He will look. He will establish a foothold. He will try to figure out the things he can do there. If by chance the user account had some privileges, he will try to install his tools and attack kits to watch more. What he's looking for is to get hold of an account with a higher privilege, an escalated privilege. He's looking for an admin account. He can do more damage or travel a lot more and move laterally.

>> Once he finds this, this is called elevation of privileges, and he could do more things. He is still watching without harm. When you design a big system, particularly on-prem, ensure your breach boundary is very small. So if an attacker is able to get into the system and compromise and get hold of an admin account, he won't be able to travel as much; he can't go beyond a set of breach boundaries. An attacker can't enter the system. Okay. We talked about the attacker waiting and trying to find another account with elevated privilege. Then he tries to move laterally. Essentially he tries to get back to the data. That is where the damage happens.

>> We expect the attack at the front end, right. It's important to detect the attacker there and eliminate the attacker so he won't get to the core data. Scale is a huge advantage.
Here at Microsoft we operate with over one billion Windows devices. We get signals: 450 billion Azure Active Directory logons. We get a lot of user signals, and 400 billion Office emails analyzed. All of these things are used for security purposes only. With the signals we get from these systems, we keep customer data out of it; in all of the security engines we don't expose customer data. We just look at the patterns and signals. We operate with 6.5 trillion signals a day. That's a huge amount of signals. I don't know any other company that operates with this kind of signals. Because we get this much amount of signals we are able to really use it to spot an attack, detect an attack and take action. Just over last month we blocked 5 billion distinct malware using ATP. This is happening because of the signals we collect. Okay, we talked about who the attackers are, the kind of attack patterns, and let's talk about the kill chain. Let's go deeper. Talk about how the attack starts. All attacks, 99%, start with an account. The attacker is able to get hold of a malicious account in your system and move around. In Microsoft 365 we have been operating over the last five years with the principle of zero standing access. We have over five thousand engineers operating in the data center. None of them have accounts with elevated privileges. Any time they want to do anything in the system they use what we call Lockbox. How many have heard about Lockbox? Okay. So when a Microsoft engineer wants to do anything in the data center, by default he has no access.

>> This is big for getting to data. You don't get approval easily. Even rebooting a server you have to go through Lockbox. The engineer goes through Lockbox.
It will reject your request right there. If Lockbox recognizes that you are allowed to reboot a server, then it will send a mail to the Microsoft approvers, your Microsoft managers, to decide if you are allowed to do the task or not. This is true for the most primitive task like rebooting a server. Only after the approval can you do the task.

>> You can't do some things with just the permission of a manager. You have to go to VP approvals. All questions are asked why you need this access.

>> This is just the task you want to do. You don't get the big admin access across the data servers. The permission is just in time.

>> This is nothing more. The access is given after the data custodian approval. There is strong audit logging on what happened, who accesses what. This is how we have been operating for over five years in the data center. Every time we talk about this the customers say, when are we getting this? Customers also have a very similar risk. Let's understand the risk. We are announcing Privileged Access Management. This is actually taking Lockbox, with which we have been operating the data center, and taking it to your tenant. Today, say I'm your tenant admin. I can start a rule and siphon off your CEO's emails to a rogue email address today. Today I can do this. You won't be able to detect it quickly. You have to go through logs to get to this. Imagine me doing it on your CFO's account before your quarterly results. Damage is done before you detect something like this. If you enable Privileged Access Management, you go to the Office 365 admin center. You can go and define a policy. Okay. So you define a policy. It says for a new journal rule it requires access approval. I have predefined access approvers called Access Approvers, a set of approvers to approve the task. I create the policy. After I have created the policy, if I'm asked as an admin to run a new journal rule it will fail out and say please raise an elevated access request for the task.
If I want to run a new journal rule, like in the data center, you have to ask for permission. You will run a new elevated access command. You will have to say for how long you want the permission and for doing exactly what. Once you do this, the Lockbox system, which is Privileged Access Management for you, will send email to all of your approvers. The approvers will be able to come to the M365 admin center. They will be able to approve. They can also deny if they believe you have no business to run the rule, correct? Specifically if you run it on the CEO's mailbox they deny. Only after they approve can you run this. Not just that. If you have enabled Privileged Access Management and have approval to run something like this, we have rich auditing. In the Office 365 admin center you are able to go in. It has the records on who asked for permission to run the journal rule, who approved, and who ran the rule, with the time stamp. It will be very difficult for one of your ... so we talked about the rogue insider as an attacker, if you remember. It will be very difficult for one of your tenant admins to go rogue and do bad things undetected with Privileged Access Management. This is a core protection you have against the rogue insider. To recap Office 365 Privileged Access Management: if you enable this, the admins or users wanting to do tasks that are very critical and could compromise data won't be able to do it with admin permission. They have to request admin access. It has to be approved. After that they can run the task. The privileges expire after the time period they asked for approval. The user won't have access after that. So it's following the same principle of task-based access control. Essentially the principle is nobody has full God-like access anymore. The access is just in time, just enough access. There is no standing admin access by default. There is rich auditing available so you can go back and figure out what exactly happened in your tenancy.
With the principle of assume breach, 99% of the attacks happen through account compromise, so it's important that nobody has God-like access in your tenancy too. This is useful for us and we take the same thing to you. Enable Privileged Access Management and ensure not only that your tenant admins can't go rogue and do bad things; they're also not easily compromised for an attacker to do bad things. If you want more detail on this we have a detailed presentation on this tomorrow. I will show you at the end of this presentation the links to that. So far we have talked about how you can run your tenancy, how you can do much with non-privileged accounts, with the ability to ask for just-in-time and just-enough access. Let's switch gears and assume an attacker comes into the system. So what we are now going to talk about is how you are able to quickly detect and end the attackers. First I will talk about the M365 cloud, right, what we're doing. This is important for you. Your data is with us. It's important to understand our investments in this space. The first thing: we run M365 by assuming breach, and our security is beyond defense. We have a team that are basically attackers. They just attack our systems with strict rules of engagement. They simulate outside attacks. They use the external known TTPs and unknown TTPs and attack our system through all possible means. We have a blue team. The responsibility of the blue team is, as the red team attacks, the blue team detects quickly. The blue team practices incident response. We have been doing this manually for several years now. We realize with the scale we have, over one million servers, that's the scale we have, correct, it's not possible to do this manually. We heavily believe in the principle of automation. Quickly we realized a good detection needs a rich set of signals. Signals are the ones that will train our system and give the ability to detect. Why, why do we wait for someone to attack us? Why not attack ourselves?
So we now have a component called AttackBot. As the red team attacks M365, they program the attacks into AttackBot. AttackBot attacks us every hour. They use this to emulate outside attackers, right. They do the combination of attacks the red team knows about. They try to attack every hour. This generates hundreds of thousands of signals so our detection system can learn. The detection system has a lot of algorithms. They're machine learning algorithms. They need to be training the system, and the AttackBot signals help. Shortly Art will give you a complete demo of a real attack, of how AttackBot attacks the M365 system and how our detection system catches this. AttackBot is attacking us every hour with thousands of attacks, correct; it creates a lot of signals. How do we detect this? First we're based on a collection agent installed on our millions of servers. This is called Host IDS. This is the agent on the servers looking for interesting signals, right. They can be ETW-based signals. These are the process details on each box. They can be the Windows operating system based signals, the security signals. These are all the context data: the deployments happening, the inventory management, machines being put in and out. The Host IDS collects application data. For example an Exchange server is different from a SharePoint server. The selection of events is different for a SharePoint server. That interesting data is collected. So, the kind of signals that the host collects and pumps in, I'm talking about on the order of millions per second, each machine every hour. A lot of signals coming from AttackBot too. These signals are then all collected in the detection repository. In this repository the interesting algorithms run. When you think about detection, a big problem is not only that there are a lot of signals that are getting collected; there is a lot of noise too. We are talking on the order of ...00 million signals, right,
over an hour. So there is a lot of noise. The interesting thing is how do we actually read through the noise and really pick the right attack pattern. That happens in Vanquish. In Vanquish we run our algorithms to determine what the actual attack is. From there the output is on the order of ...00 attacks that our security engineers take a look into. Also the critical ones, which are a handful, where the engineers act as incident managers. We do the full blue team routine, which we will show you a demo of. So, if you are thinking of the kind of scale we are talking about: we get on the order of 4 million per second. This is pumped into Vanquish. Vanquish runs the algorithms. The signals of interest are on the order of around a thousand per hour, from which the detections are on the order of hundreds a day. This is the actual detection heat map I picked up from M365. The ... signals are the anomalies on the individual machine. They're less interesting. If you start to focus on every signal on the machine it's noise. At the end of the day we're constrained by a limited set of engineers. What are more interesting are the triangles with the red signals. They indicate something bad is happening on the machine. So it requires the eyes of the security analyst, and the collection is converted to a paging alert. Certain bad things, when they happen, say the exfiltration of the data is happening or someone is able to connect to a command and control post outside, the blue team has to do an investigation. For the simple things, for example the firewall rule, the right set of firewall rules undermined, this can be fixed right away. We do that too. At this moment I will hand it over to Art. He can walk you through a real detection and incident response sample in the data center.

>> Thank you, Raji. At the beginning of the talk Raji made an important point. She said assume breach is about taking nothing for granted.
We can't take protection investments for granted and assume nobody will get in. We have to invest strongly to protect our systems. We have to assume a smart, resourceful attacker can make it in, and we need a strategy to deal with that. We have to go further than that too. We can't take our detection systems for granted, that we have this system and it will always work. We need to validate the system, make sure it raises the alerts it needs to raise and does what we need: stopping attackers. Raji referenced AttackBot. I will talk about AttackBot doing that validation, to show our detection systems are functioning and catching attacks and raising alerts for real attacks and remediating the real attacks. With the demo we will show you how to trigger an AttackBot run and what happens next. So what you see here is me actually triggering an AttackBot scenario against the service. This emulates attackers. It's as real as you can get without letting the bad guys in. This isn't log injection or data injection. This is malware written by our red team, an expert team of hackers. We're running it inside of our service infrastructure to simulate what an attacker would do if they were to get in. In this case this is an AttackBot run. You can imagine if an attacker manages to get access to the back end machines, they want to steal the customer data we store there. They want to take that data and siphon it to a point on the internet. That's what AttackBot is doing here. This AttackBot scenario is running on a specific machine and sending a huge quantity of data to the internet. Again the entire goal is to simulate what data theft would look like with an attacker in our service. We want to answer the question: can we detect this, and can we do anything about it? First let's talk about safety. Raji talked about Lockbox and running dangerous commands in the data center; there is an approval required, a safety mechanism in place, and this is no exception.
You can see the approval language there. When I trigger this, Lockbox required approval. My managers looked at it and said this is a test and a simulated tactic. This is the first safety in place. The second: AttackBot doesn't touch customer data. It's running on the back end machines, the powering infrastructure. It drops a fake data file and siphons that to the internet. From the perspective of the signals generated it looks just like an attacker stealing actual data. You will see a spike in bandwidth, connection to external domains and things like that. We want to make sure all customer data is safe and secure; we don't actually touch the customer data running the tools. They're as realistic as you can get without touching the customer data.

>> So now I have run it. Let's see what happens next. This screen shows the AttackBot command and control interface. If you're an attacker you have a control server on the internet. It will allow you to see what the malware is doing, progress to the objective and take further actions. That's what you are seeing here. The important thing to point out is we're targeting a real machine in the infrastructure. AttackBot is telling us the machine is targeted by the malware. The green section indicates what AttackBot is doing. For the purposes of the demo it's taking data, simulated data, and sending it to an external endpoint. This is what an attacker would do in the service stealing customer data. This is an important scenario to detect and stop. This slide indicates the scenario was successful. AttackBot launched and tried to steal data. What happens next? The question is, can we do something about this? The answer is yes. This is the alert that goes to the blue team engineers responsible for security in the service. What you should note about the alert: first, the alert indicates the exact machine compromised, or the machine where this strange behavior is noticed. That's the exact machine targeted by AttackBot.
You may not see it, but if you look at the time stamp on the alert it happened within minutes, less than five minutes from the AttackBot scenario. This is a real time alert, triggered within minutes. This raises real time alerts; this is an example of that. The other thing to keep in mind: the alert tells you in the alert body why we raised the alert, what signals or combination of signals leads us to conclude an alert was actually warranted. In this particular case a few things stood out on this machine. First of all the network bandwidth signal I mentioned. If an attacker is trying to steal data you will see a spike in the bandwidth. That's what you saw here. One of the other things you see is an attacker will connect to an unusual external IP. That's what you saw here. Our system intelligently determined the IP being contacted by AttackBot is something we haven't seen before. It's unusual. That piece of data, taken in conjunction with the network bandwidth signal and a few other pieces of information, allowed our systems to conclude this is something bad. This is an attack going on. To raise this alert in real time enables us to take remediation. So, I won't say too much more about the alert now. I do have a talk later this week, Thursday morning, where we do a deeper dive into how this type of alert is raised. This is a machine learning alert that combines signals to raise alerts. We will talk about that more then. For now the important thing to keep in mind: this is raised in real time, within minutes of the attack scenario beginning, on the exact machine. It tells us what part of the service was compromised. The alert tells us why it was raised, what are the specific things that our system saw that enabled us to conclude something bad is happening. The last part is really important. It allows us to remediate. Just raising alerts for attacks, even if they're totally accurate, even if they're in real time, it's not enough.
If an actual attack occurs we have to be able to capture it and stop it before customer data is compromised and the attacker steals it or does damage to it.

>> In the alert there were key pieces of information that our response teams get, so they know what to do next. The first is they know what machine is targeted. They also know what the external IP address is that the attacker is using for the command and control and siphoning the data they're trying to steal. We saw attempts to the IP and raised the alert. Those pieces of information allow us to take action. That's what you see here. We run a command. This is a tool we built; the blue team built it to take action against the attacks we see. In this particular case the action is to prevent connections to that external IP from this machine. That stops the attack. That prevents the malware from contacting the infrastructure, prevents the malware from siphoning off data. It keeps the data secure. This all happens on the order of minutes. This remediation action can be triggered automatically without human intervention. If people intervene it can take effect within a minute or two. So the main thing here, to tie it all together, is that AttackBot allows us to simulate attacks. It's a high fidelity representation of what attackers might do. Our detection systems can raise accurate alerts in real time for that behavior. We have remediation tooling to stop the attacks and mitigate them in real time in response to the alerts identified. Before I go I will say one more thing. That is scale. Raji mentioned we have a huge service, hundreds of thousands of machines. This particular example shows how we can take action against one machine. We can do this at scale as well. We have infrastructure to allow this action against a set of machines in the service, wherever we detect the offending behavior. We showed you how to take action and mitigate an attack on one machine for this demo.
In real life we're prepared for a situation to act at scale, where we have to act against entire sets of machines, entire pieces of infrastructure, and to do so very quickly and prevent these things from propagating through the service. So with that I will hand it back to Raji.

>> Great. You learned from Art how exactly we assume breach: we do the detection tech, we created AttackBot, and how we do incident response. So the next thing is what do we have for you. As I said, we take the same principles of the data center and give them to you.

>> Attack yourself before someone else does. Someone is looking to attack you. How do you do that? The principle is the same with the Attack Simulator out there. Attackers use the same pattern to attack you, particularly the front door, and succeed every time. They use a simple philosophy. They use phishing. They send a phishing email. Expect if it's sent to a hundred, 30 will open it, 12 will click it. They leverage that. They use password spray. They will try to spray one password across many people in the company and try to get a hit. They do things like spoofing. It's similar: use this to attack yourself. Find out how vulnerable your users are and improve the security profile. This tool helps you prove to the senior management the improvement, that people are setting up better passwords, and even more, in this Ignite we announced passwordless access. Go passwordless. You should access your accounts without passwords. Also this is how well you're doing your job, providing this in your company. Let's try to do a quick demo of Attack Simulator. How do you do this? Okay. Go to the Office 365 Security and Compliance Center. Today we have published three types of attacks. This is a fast growing list. As we see more attacks in the industry, we will orchestrate those too. Today we have a phishing attack, or we have a brute force password attack. This is the dictionary attack.
You assume you get one hit, or you do a password spray attack. You hit a set of users, the users in the company, with a password and hope you get some hit. Right. You, I mean you do this as a tenant to improve the security profile. Remember attackers outside have ways to do this. Let's launch a password spray attack. We're a company located in Seattle. We passionately love the Seahawks. How many are Seahawks fans? Anybody? Yes. Double hands too. The Seahawks did great a few years ago and won the Super Bowl. Unfortunately this season is not going too well. The first was bad. The third was alright. We're an average Seahawks fan. If you want to do a password spray with a combination of Seahawks and you're an attacker, you're in luck. You will find at least one user with some combination of Seahawks. Here what I'm showing you: as a tenant admin or security administrator in the org you will simulate an attack to see the security profile. So you will run a password spray attack for Seahawks201... I will run this on John Smith and Jane Doe. You can run this at scale across anyone. You can choose up to five hundred members. If you pick more than five hundred members it attacks the first five hundred. That's the limitation now. I do next and I order the attack. I finish. Once I order the attack I launch the attack. When this attack ran, what you really see is you got a hundred percent success rate. I created the tenancy and two users, John Smith and Jane Doe. I set the password to this. If you run in a big tenancy with thousands of users you will get a hit off the people with this password. The success rate is not a good sign. If you are a security admin or tenant admin you want the number down. You want less and less people using common passwords. So the success rate is a misleading term. So in this demo what I showed you: you can use the Attack Simulator to find out who are the people using weak passwords.
You can also find out with a dictionary attack. We launched, again, we're Seahawks fans. Last season we launched an attack against the Microsoft tenants, a phishing campaign. We launched a phishing campaign to say you can win a meet and greet party to meet Seahawks players. In Microsoft we got so many hits. So many clicked on the link. People don't stop to see if the link looks genuine or not. We have done a lot of education campaigns on this. It's amusing how vulnerable users are. Even senior executives clicked on that. Use this tool. Find out the security profile. So this is the tool we used. Now I will switch gears. I'm a real attacker. I won't use Attack Simulator; that's a way to figure it out as an admin. Now I'm an attacker. I will show you as a real attacker how I can leverage easily available tools in the market to attack you, and what you can do to detect and remediate. The purpose is for you to understand how to really detect. Okay. Switching gears, I'm a real attacker. I'm using MailSniper. It's easily available. You can import and use it; it's published anywhere in the world. I will use MailSniper and attack this company. I created this tenancy. There are two with the password. I randomly picked the six users you see over here. I went to LinkedIn. I saw the users there. I randomly picked six names. I will do a password spray attack on the six users: Seahawks2018Rocks. One of the six users was John Smith. Let's assume you never ran Attack Simulator or caught this. Me as an attacker caught this. I have John Smith's account. John Smith is not an admin. If you remember the kill chain that I walked through initially, I got the initial compromise. I didn't get admin, but I got the initial compromise of a user and I'm able to get into the system. This is what an attacker would do. Now I have John Smith's account, I can get the complete list. I can export your global address list and get access to all of the employees in your system.
I will figure out who are all in your company. I run this. I got the output of all employees. Now I don't have to go to LinkedIn. Just by compromising one account, a user account, I can exfiltrate all employees. With John Smith's account I can run Get Azure AD member and figure out who among the employees are admins. When I run the command it outputs the six admins in the org. I started my initial compromise with a simple user account, not the admin, just the password spray. With that account I was able to export out, and I can also export out who are the admins. Bingo, what do you see in the admin list? In the list you see Jane Doe. Incidentally Jane Doe had the same password. Now as an attacker the next step for me to do is again use MailSniper. Run the password spray on these admins and see if they have the password Seahawks2018Rocks. Yes, one hit. Jane Doe had a weak password. Now as an attacker I got the lottery. Now I have an admin's account. I can do a lot of bad things. Think of what I can do. I can set a journal rule on the CEO mail and send them all to a rogue e-mail address. I can do a forward to John Smith. I have John Smith's account with me. I know his password. I can do full setups and set all kinds of owner access rights for John Smith on your CEO's mailbox. If you're paying attention you would remember that I talked about the product called Privileged Access Management initially. I talked about elevated privileges. If you set up Privileged Access Management I would not be able to do it. Because if I was running a new inbox rule or if I was running a new journal rule I would have had an error to say this requires approval. I have to ask for elevated rights. What that essentially means is I need to compromise the admin who has to approve the elevated rights. Not only that, another admin, all of those records show up. It's easy breach investigation.
I highly encourage you to set this on so if your admins are compromised they're not able to do these things. It's super easy. You saw how easy it was to compromise. Often tenants don't set this and it's an easy compromise. This demo isn't about how easy it is to compromise. It's how easy it is to detect it, right. Let's understand how to detect this, right. Over the last year I worked closely with the Exchange team. I will talk about Exchange. We have invested deeply in our telemetry to do breach investigations easily and detect certain patterns. We log the IP addresses. We log the action that happens, when it happens, through the Office client and all kinds of protocols. Previously the logging was through PowerShell. Now we are investing heavily in logging. If you don't find the events you want, please talk to us. We do plan to invest heavily in this space. So Jane Doe was compromised and a bad action was taken. You got an alert now. You get an e-mail. You can click on Investigate. You go into the Office 365 Security and Compliance Center. From here you choose to disable the account or suspend the account, if this typically happens in the company. Or you can notify the users. These are the remediation actions you can take when the alert fires. More deeply, if you have MCAS, are you familiar with MCAS? That is also a breach investigation and remediation tool. If you have MCAS we show you more information. For example we show you the location from where the actions are happening. Jane Doe is doing mail forwarding rule setting from Russia. This is an alert to you. Why is the action happening from Russia? If you want to expand on the action, for example on the mail forwarding inbox rule, if you expand you will see the ISP from which this call is coming is 000 Phishnet Communications. That will trigger: what is this, I don't recognize this company. Right.
Or you can go to the users and try to understand the usage pattern. Remember, one signal is bad. I showed you the detection heat map. The collection of signals calls out the real attack. If you see here, Jane Doe is operating from two countries. That should sound strange to you. If you see here, her typical frequent location is the United States. But if you look at the IP address from where the calls are coming, they're actually coming from Russia, Moscow, from this IP address you are not familiar with. So those are the signals that you really use to do the breach investigation on your side. This detection is one thing. It is super important for you to detect. It is also really important for you to set the remediation policies when such things happen. Again using MCAS you set the policies. For example if a journal rule is happening you can actually either notify the user, or you can even suspend the user's account, or require the user to sign in again. You can set all kinds of remediation policies from MCAS. So over this session we talked about that we always assume breach. So we also believe in the principle that we attack ourselves before someone else attacks. We do that with Attack Bot as well. You have a tool to do that with Attack Simulator. We have heavy investment in detection and incident response. We are investing in improving the telemetry to do the same. Those are all the investments that we do. As Art said, in the assume breach world you can never take security for granted. For that principle I want to talk about security assessment. How do we know in M365 our workload is secure across these controls, all of them? Again with the principle of automation we have built something called the validation engine which actually goes through all of this across the workloads, uses Attack Bot to attack, then figures out what is the exact security profile. Then we score on it.
We believe scoring is very useful because scoring triggers the kind of response that we need to up-level security and get more security investment. We take the same principle to you. Microsoft M365 Secure Score is somewhere you should be going. That should be one spot for you to figure out what is your security profile, right, how secure you are. This has been live for around two years. It has been scoring you on Office 365 controls. Recently we have expanded this to include AD controls as well as EMS. It's closely plugged into Windows and Office security. You can go and see your score and others in your industry. From M365 Secure Score you can take action. For example it will tell you, hey, set up MFA to get more points. You can click that and enforce MFA for the organization. We have a talk on Secure Score. I will give you a link to that. You should attend that and leverage Secure Score for your security profile. We call it a one-stop place to go and be able to drive your security needs. So what we really talked about in this presentation is, when you operate on a cloud, security is two-fold. The first thing is how secure is your cloud service provider, in this case Microsoft 365. We didn't talk about our protect features. That is another presentation. We talked about our investments in detection and incident response, the fact that we don't operate with privileged accounts. We talked about the tools for you to do the same thing to keep the front door secure. Please follow the practices. 90% of attacks start with the front door. It's easy for an attacker to compromise your tenancy and attack you rather than look for data in the data center. We operate with 3500 data centers and have a lot of investments. Keep your front door safe. With that we are open for questions. Yes.

>>Do you mind coming to the mic, please.
Sorry.

>>We have administrative accounts running scheduled tasks. How would you make PAM work with that?

>>Today that doesn't work with scheduled tasks yet. It's for running commands individually. That's the next version we are talking about. Actually when we piloted this with MSID that's what they came up with. It's coming very soon.

>>Yes.

>>With password spray, does that get nullified with multi-factor authentication on, or is it in the back? With MFA on...

>>With MFA on you would not be able to do password spray easily. Is that correct?

>>They hit OK and go by.

>>That has happened, but MFA is good. It's a level of protection. Please set it. Sometimes the users don't do this and they're cautious.

>>What Brandon said is MFA is good and prompts the user. Often the users click it and ignore the prompt. MFA is good. It's all goodness. Please set it. Yes, that's a protection you have.

>>Can you explain the difference between PIM and PAM?

>>Yes. PIM is Privileged Identity Management at the role level. PAM operates at a task level. With PIM you want to be an admin, for example; that is just information. You go and ask PIM. PIM and PAM work closely together. It will be one product soon. Think of PIM as your just-in-time admin with broader rights. In PAM you ask for rights for executing exactly the task that you want and not more. PAM today is available with Exchange. PIM and PAM are an integrated product.

>>So for years I have harped that our administrators need separate administrator accounts. It made sense. Do you see, with Privileged Access Management, moving away from that, so regular me, I request a right to do something and it's fully audited?

>>No, we want to get away from the separate administrator account. The separate administrator account can be easily compromised. We want to provision permission, a limited scope for the administrative tasks you want to do and nothing more. We want to get into that space and get away from fixed accounts.

>>Thank you.

>>You showed a bunch of tools.
Can you tell us what licenses we need to get the tools?

>>Carolyn, you want to take the question?

>>I think Attack Simulator is part of the E5 SKU. I don't know, is there a standalone available?

>>Okay. I'm not sure. MCAS is part of E5 too, that license. If I'm not wrong, I think so.

>>Oh, Attack Simulator is available in an intelligence add-on.

>>Say that again, please.

>>So often times, I mean rarely it happens that attackers, the external attackers, are able to get to your data. In my experience we identify it early on and take action. We haven't had an external attack where they had the ability to get into the data. If we figure out a customer is being attacked, it can be the front door attack. We run detection against that. We figure it out and have a standard procedure for the customer. I don't remember how long. There's a stipulated period. The security engineers, the blue team, contact you.

>>As Raji said, there is a specific time period we notify customers if we detect that scenario. Customers again generally give us a few modes of contact, generally security-designated contacts and roles. We reach out to them. We use support agents to reach out via phone if needed. There are established procedures for that. Any other questions? Okay. Thank you. [Applause]

>>We should go forward one slide.

>>If you're interested in any of these talks that I referenced, the first one is a talk on PAM, how to configure this and what it covers. The next is if you want to understand the algorithm, go to the second talk; Art will do that. The next are on Secure Score. The last is on the breach investigation and understanding threats and taking action.
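As an added example, not code from the talk or from Microsoft, here is a small Python detector for the two signals the demo above rests on: a password spray (one source address touching many accounts in a short window) and a risky mailbox change (forwarding, a journal rule or full mailbox access) performed from a country the actor does not normally sign in from. It correlates the two so that a mailbox change by an account that just succeeded in a spray from the same address is rated high, which is the speaker's point that one signal is a hint and the collection of signals is the attack. The record layout, the `contoso.example` users, the 203.0.113.x and 198.51.100.x addresses, the thresholds and the usual-country baseline are all constructed assumptions, not real tenant logs or a Microsoft schema.

```python
"""Correlate password-spray and mailbox-tampering signals over audit records.

Added example, not code from the talk or from Microsoft. Record layout,
thresholds, users, addresses and the baseline are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in records: (timestamp, user, result, source_ip, country).
# One address tries one password against six accounts in ten seconds and gets
# two hits; the office NAT address shows a couple of ordinary typos.
SIGNINS = [
    ("2018-09-24T09:00:00", "john.smith@contoso.example", "Success", "203.0.113.7", "RU"),
    ("2018-09-24T09:00:02", "jane.doe@contoso.example", "Success", "203.0.113.7", "RU"),
    ("2018-09-24T09:00:04", "bob.ross@contoso.example", "Failure", "203.0.113.7", "RU"),
    ("2018-09-24T09:00:06", "amy.lee@contoso.example", "Failure", "203.0.113.7", "RU"),
    ("2018-09-24T09:00:08", "raj.patel@contoso.example", "Failure", "203.0.113.7", "RU"),
    ("2018-09-24T09:00:10", "mei.chen@contoso.example", "Failure", "203.0.113.7", "RU"),
    ("2018-09-24T09:05:00", "amy.lee@contoso.example", "Failure", "198.51.100.4", "US"),
    ("2018-09-24T09:05:30", "amy.lee@contoso.example", "Success", "198.51.100.4", "US"),
    ("2018-09-24T09:06:00", "bob.ross@contoso.example", "Failure", "198.51.100.4", "US"),
    ("2018-09-24T09:06:20", "bob.ross@contoso.example", "Success", "198.51.100.4", "US"),
]

# Constructed mailbox audit records: (timestamp, actor, operation, source_ip, country, parameters).
MAILBOX_AUDIT = [
    ("2018-09-24T09:12:00", "jane.doe@contoso.example", "New-InboxRule", "203.0.113.7", "RU",
     {"Name": "fwd", "ForwardTo": "drop@mail.example"}),
    ("2018-09-24T09:14:00", "jane.doe@contoso.example", "Add-MailboxPermission", "203.0.113.7", "RU",
     {"Identity": "ceo@contoso.example", "User": "john.smith@contoso.example", "AccessRights": "FullAccess"}),
    ("2018-09-24T10:00:00", "amy.lee@contoso.example", "New-InboxRule", "198.51.100.4", "US",
     {"Name": "newsletters", "MoveToFolder": "Newsletters"}),   # benign housekeeping rule
]

# Assumed baseline: the country each user normally signs in from.
USUAL_COUNTRY = {"jane.doe@contoso.example": "US", "amy.lee@contoso.example": "US"}

FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "ForwardingSmtpAddress", "DeliverToMailboxAndForward"}
RISKY_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox",
                    "Add-MailboxPermission", "New-JournalRule"}


def detect_password_spray(signins, min_accounts=5, window=timedelta(minutes=30)):
    """Return {source_ip: {"accounts": [...], "compromised": [...]}} for every source
    address that attempts sign-ins against at least min_accounts distinct accounts
    inside one window. A spray tries one password against many accounts, so the
    signal is breadth of accounts per source, not failures per account."""
    by_ip = defaultdict(list)
    for ts, user, result, ip, _country in signins:
        by_ip[ip].append((datetime.fromisoformat(ts), user, result))
    findings = {}
    for ip, events in by_ip.items():
        events.sort()
        for i, (start, _u, _r) in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - start <= window]
            accounts = sorted({u for _t, u, _r in in_window})
            if len(accounts) >= min_accounts:
                succeeded = sorted({u for _t, u, r in in_window if r == "Success"})
                findings[ip] = {"accounts": accounts, "compromised": succeeded}
                break
    return findings


def detect_risky_mailbox_ops(audit, usual_country):
    """Return one alert per mailbox operation that configures forwarding, grants
    full mailbox access or creates a journal rule, noting an unusual country."""
    alerts = []
    for ts, actor, op, ip, country, params in audit:
        if op not in RISKY_OPERATIONS:
            continue
        reasons = []
        if FORWARDING_PARAMS & set(params):
            reasons.append("mail forwarding configured")
        if op == "Add-MailboxPermission" and "FullAccess" in params.get("AccessRights", ""):
            reasons.append("full access granted on %s" % params.get("Identity"))
        if op == "New-JournalRule":
            reasons.append("journal rule created")
        if not reasons:
            continue  # e.g. an inbox rule that only moves mail into a folder
        usual = usual_country.get(actor)
        if usual and country != usual:
            reasons.append("performed from %s, usual country %s" % (country, usual))
        alerts.append({"time": ts, "actor": actor, "operation": op,
                       "source_ip": ip, "reasons": reasons})
    return alerts


def correlate(signins, audit, usual_country):
    """Combine both detectors: a risky mailbox change by an account that succeeded
    in a spray from the same source address is high severity, a lone signal medium."""
    spray = detect_password_spray(signins)
    compromised = {(ip, u) for ip, f in spray.items() for u in f["compromised"]}
    alerts = detect_risky_mailbox_ops(audit, usual_country)
    for a in alerts:
        a["severity"] = "high" if (a["source_ip"], a["actor"]) in compromised else "medium"
    for ip, f in spray.items():
        alerts.append({"time": None, "actor": ip, "operation": "password-spray", "source_ip": ip,
                       "reasons": ["%d accounts targeted, %d succeeded"
                                   % (len(f["accounts"]), len(f["compromised"]))],
                       "severity": "high" if f["compromised"] else "medium"})
    return alerts


if __name__ == "__main__":
    for a in correlate(SIGNINS, MAILBOX_AUDIT, USUAL_COUNTRY):
        print(a["severity"].upper(), a["operation"], a["actor"], "; ".join(a["reasons"]))
```

Run as a script it prints three high-severity alerts (the spray from 203.0.113.7 with two successful accounts, and Jane Doe's forwarding rule and FullAccess grant from Russia) and nothing for Amy Lee's folder rule or the office address. The threshold and window are starting points; in a real tenant you would tune them against your own sign-in volume and feed the country baseline from observed history rather than a hand-written table.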