Cyber Security & Defense is the emerging topic of the IT industry these days. A secure environment is no longer just a well-maintained firewall or a well-managed network. Rather, it is made up of several layers. However, most companies are "reactive" instead of "proactive", or neither, when it comes to securing their IT environments and detecting security breaches. In addition to this, the product portfolio and the security market are changing rapidly, and these changes make our jobs as IT professionals significantly more difficult. But how can we deal with this challenge? In my session I will take a look into supposedly "obvious" security threats and how the Microsoft cyber security stack can help to detect attackers and threats that have evaded our defenses.
ExpertsLiveEurope The New Era Of Endpoint Security
1. The new era of endpoint security
Alexander Benoit
Microsoft MVP Enterprise Security | Certified Ethical Hacker
@ITPirate
2. Alex Benoit
Lead Security Analyst
Modern Secure Workplace
Microsoft Threat Protection
Alexander.Benoit@sepago.de
@ITPirate | @TrustInTechCGN | @GeekZeugs
https://it-pirate.com/
7. protect your data

Files in SharePoint Online (SPO), OneDrive for Business (ODB) and Microsoft Teams

Leverage Signals
• collaboration signals: anonymous links, companywide sharing, explicit sharing, guest user activity
• threat feeds: malware in email + SPO, Windows Defender, Windows Defender ATP, suspicious logins, risky IP addresses, irregular file activity
• activity watch lists: users, IPs, on-demand patterns (e.g. WannaCry)

Apply Smart Heuristics
• sandboxing and detonation
• 1st and 3rd party reputation
• multiple AV engines
19. pass-the-ticket
The ticket that gets passed in this demo is a forged TGT (a Golden Ticket). Forging it needs only four things:
1. krbtgt user's NTLM hash (e.g. from a previous NTDS.DIT dump)
2. Domain name
3. Domain's SID
4. Username that we'd like to impersonate
Because the ticket is encrypted and signed with the krbtgt key, it stays valid until the krbtgt password has been changed twice; no user password reset invalidates it.
27. protection against identity theft

Reconnaissance
• Account enumeration
• Net Session enumeration
• DNS enumeration
• SAM-R enumeration

Compromised Credential
• Abnormal working hours
• Brute force using NTLM, Kerberos, or LDAP
• Sensitive accounts exposed in plain text authentication
• Service accounts exposed in plain text authentication
• Honey Token account suspicious activities
• Unusual protocol implementation
• Malicious Data Protection Private Information (DPAPI) Request
• Abnormal VPN
• Abnormal authentication requests
• Abnormal resource access

Lateral Movement
• Abnormal resource access
• Pass-the-Ticket
• Pass-the-Hash
• Overpass-the-Hash
• Malicious service creation

Privilege Escalation
• MS14-068 exploit (Forged PAC)
• MS11-013 exploit (Silver PAC)

Domain Dominance
• Skeleton key malware
• Golden ticket
• Remote execution
• Malicious replication requests
• Abnormal modification of sensitive groups
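The Golden Ticket recipe on slide 19 and the Pass-the-Ticket, Overpass-the-Hash and Golden ticket rows above are the two sides of the same Kerberos traffic, and two of the cheapest log-side heuristics for them need nothing but the domain controllers' Security events. The script below is an added example, not code from the deck or from Azure ATP: a forged TGT is never issued by a DC, so the first event a DC logs for it is a 4769 service-ticket request with no 4768 (TGT issued) or 4770 (TGT renewed) behind it; and Overpass-the-Hash turns an NT hash into a TGT, which makes the 4768 an RC4 (0x17) request even for an account whose clients normally use AES. The sample events and their trimmed field names are constructed, and the ten-hour window is assumed to be the domain's default MaxTicketAge.

```python
"""Correlate Kerberos audit events to surface forged TGTs and RC4 downgrades.

Added example, not part of the deck. Event IDs: 4768 (TGT requested),
4770 (TGT renewed), 4769 (service ticket requested). The records below are
a constructed, trimmed view of those events, not real logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. A real pipeline reads the Security log of EVERY
# domain controller: a TGT issued by a DC you do not collect from would look
# "forged" to this check, so collect from all DCs before trusting the alert.
EVENTS = [
    {"id": 4768, "time": "2018-11-20T08:01:10", "account": "alice", "client": "10.0.0.15", "etype": "0x12"},
    {"id": 4769, "time": "2018-11-20T08:01:12", "account": "alice", "client": "10.0.0.15", "etype": "0x12", "service": "cifs/fs01"},
    {"id": 4768, "time": "2018-11-20T08:05:00", "account": "carol", "client": "10.0.0.40", "etype": "0x12"},
    {"id": 4769, "time": "2018-11-20T09:30:00", "account": "bob", "client": "10.0.0.77", "etype": "0x12", "service": "ldap/dc01"},
    {"id": 4768, "time": "2018-11-20T10:00:00", "account": "svc-backup", "client": "10.0.0.23", "etype": "0x17"},
    {"id": 4769, "time": "2018-11-20T10:00:05", "account": "svc-backup", "client": "10.0.0.23", "etype": "0x17", "service": "cifs/dc01"},
    {"id": 4768, "time": "2018-11-20T11:00:00", "account": "carol", "client": "10.0.0.99", "etype": "0x17"},
    {"id": 4769, "time": "2018-11-20T20:30:00", "account": "alice", "client": "10.0.0.15", "etype": "0x12", "service": "cifs/fs02"},
]

AES_ETYPES = {"0x11", "0x12"}  # AES128-CTS / AES256-CTS; 0x17 is RC4-HMAC
DEFAULT_MAX_TGT_AGE_HOURS = 10.0  # assumed: domain default MaxTicketAge


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


def detect_tgs_without_tgt(events, max_tgt_age_hours=DEFAULT_MAX_TGT_AGE_HOURS):
    """Flag 4769 requests that no TGT (4768/4770) for that account+host explains.

    A Golden Ticket is forged offline with the krbtgt hash, so no DC ever logs
    a 4768 for it; the first thing a DC sees is a 4769 presenting the forged
    TGT. The same check flags a TGT still in use after MaxTicketAge without a
    renewal, which a legitimate client never does.
    """
    max_age = timedelta(hours=max_tgt_age_hours)
    last_tgt = {}  # (account, client ip) -> time of most recent TGT issue/renewal
    findings = []
    for ev in sorted(events, key=lambda e: parse_time(e["time"])):
        key = (ev["account"].lower(), ev["client"])
        when = parse_time(ev["time"])
        if ev["id"] in (4768, 4770):
            last_tgt[key] = when
        elif ev["id"] == 4769:
            issued = last_tgt.get(key)
            if issued is None:
                reason = "service ticket requested but no TGT was issued to this account from this host"
            elif when - issued > max_age:
                reason = "TGT older than MaxTicketAge used without renewal"
            else:
                continue
            findings.append({"account": ev["account"], "client": ev["client"],
                             "service": ev["service"], "time": ev["time"], "reason": reason})
    return findings


def detect_rc4_downgrade(events):
    """Flag RC4 (0x17) TGT requests from accounts that otherwise use AES.

    Overpass-the-hash turns a stolen NT hash into a TGT; the NT hash is the
    RC4 key, so that request is RC4 even when the account's real clients use
    AES. Accounts only ever seen with RC4 (legacy service accounts) are not
    flagged, which keeps the alert from drowning in baseline noise.
    """
    etypes_seen = defaultdict(set)
    for ev in events:
        if ev["id"] == 4768:
            etypes_seen[ev["account"].lower()].add(ev["etype"])
    findings = []
    for ev in events:
        if ev["id"] == 4768 and ev["etype"] == "0x17" and etypes_seen[ev["account"].lower()] & AES_ETYPES:
            findings.append({"account": ev["account"], "client": ev["client"], "time": ev["time"],
                             "reason": "RC4 TGT request for an AES-capable account (overpass-the-hash indicator)"})
    return findings


if __name__ == "__main__":
    for finding in detect_tgs_without_tgt(EVENTS) + detect_rc4_downgrade(EVENTS):
        print(finding)
```

On the sample data the first check fires for bob (a service ticket from a host that never obtained a TGT) and for alice's evening request (a TGT twelve hours old with no renewal); the second fires for carol's RC4 request but not for svc-backup, which has no AES baseline. Both checks are heuristics: clock skew between DCs, a TGT obtained from a DC you do not collect from, and cross-realm referrals all produce false positives, so treat them as triage leads, not verdicts.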
28. protection against cloud threats
• Malicious Insider: protect against disgruntled employees before they cause damage
• Ransomware: identify ransomware using behavioral analytics
• Rogue Application: identify rogue applications that access your data
• Compromised Accounts: combat advanced attackers that leverage compromised user credentials
• Malware: detect malware in cloud storage as soon as it's uploaded
• Data exfiltration: detect unusual flows of data outside of your organization
29. detection across cloud apps

Malicious use of an end-user account
• Unusual file share activity
• Unusual file download
• Unusual file deletion activity
• Ransomware activity
• Data exfiltration to unsanctioned apps
• Activity by a terminated employee

Indicators of a compromised session
• Activity from suspicious IP addresses
• Activity from anonymous IP addresses
• Activity from an infrequent country
• Impossible travel between sessions
• Logon attempt from a suspicious user agent

Threat delivery and persistence
• Malware implanted in cloud apps
• Malicious OAuth application
• Multiple failed login attempts to app
• Suspicious inbox rules (delete, forward)

Malicious use of a privileged user
• Unusual impersonated activity
• Unusual administrative activity
• Unusual multiple delete VM activity
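"Impossible travel between sessions" from the list above is the one detection in that table you can reproduce from sign-in logs alone, and it is worth seeing what the product is actually computing. The script below is an added example, not code from the deck or from Cloud App Security: it sorts each user's sign-ins, measures the great-circle distance between consecutive ones with the haversine formula, and flags any pair whose implied speed exceeds what an aircraft could manage. The sign-ins are constructed; the latitude/longitude on each record is assumed to have been resolved by a GeoIP lookup upstream, which this example does not perform.

```python
"""Impossible-travel detection over cloud-app sign-ins.

Added example, not part of the deck. Sign-ins are constructed; lat/lon are
assumed to come from a GeoIP lookup upstream (not done here).
"""
import math
from collections import defaultdict
from datetime import datetime

EARTH_RADIUS_KM = 6371.0

# Constructed sample sign-ins (documentation IP ranges, made-up times).
SIGNINS = [
    {"user": "alice", "time": "2018-11-20T08:00:00", "ip": "203.0.113.10", "city": "Cologne",  "lat": 50.94, "lon": 6.96},
    {"user": "alice", "time": "2018-11-20T09:15:00", "ip": "198.51.100.7", "city": "New York", "lat": 40.71, "lon": -74.01},
    {"user": "bob",   "time": "2018-11-20T08:00:00", "ip": "203.0.113.10", "city": "Cologne",  "lat": 50.94, "lon": 6.96},
    {"user": "bob",   "time": "2018-11-20T16:00:00", "ip": "203.0.113.55", "city": "Berlin",   "lat": 52.52, "lon": 13.40},
    {"user": "carol", "time": "2018-11-20T08:00:00", "ip": "203.0.113.10", "city": "Cologne",  "lat": 50.94, "lon": 6.96},
    {"user": "carol", "time": "2018-11-20T08:00:30", "ip": "203.0.113.11", "city": "Cologne",  "lat": 50.95, "lon": 6.95},
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two WGS84 points."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


def detect_impossible_travel(signins, max_speed_kmh=1000.0, min_distance_km=100.0, min_interval_s=60.0):
    """Flag consecutive sign-ins of one user that imply travel faster than max_speed_kmh.

    min_distance_km absorbs GeoIP granularity (two ISPs in one city can resolve
    tens of km apart); min_interval_s stops near-simultaneous sign-ins from
    dividing by zero and producing an infinite speed.
    """
    by_user = defaultdict(list)
    for s in signins:
        by_user[s["user"]].append(s)
    findings = []
    for user, rows in by_user.items():
        rows.sort(key=lambda r: parse_time(r["time"]))
        for prev, cur in zip(rows, rows[1:]):
            if prev["ip"] == cur["ip"]:
                continue  # same egress address cannot be travel
            dist = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if dist < min_distance_km:
                continue
            elapsed = (parse_time(cur["time"]) - parse_time(prev["time"])).total_seconds()
            elapsed = max(elapsed, min_interval_s)
            speed = dist / (elapsed / 3600.0)
            if speed > max_speed_kmh:
                findings.append({"user": user, "from": prev["city"], "to": cur["city"],
                                 "ips": (prev["ip"], cur["ip"]), "distance_km": round(dist, 1),
                                 "hours": round(elapsed / 3600.0, 2), "speed_kmh": round(speed, 1)})
    return findings


if __name__ == "__main__":
    for finding in detect_impossible_travel(SIGNINS):
        print(finding)
```

Only alice is flagged: Cologne to New York in 75 minutes. bob's Cologne-to-Berlin move over eight hours and carol's two sign-ins from neighbouring addresses in the same city are the two cases a naive version gets wrong. In production the next filters are an allow-list of known corporate egress and VPN addresses (which legitimately teleport users) and a suppression for anonymizing proxies, whose geolocation is meaningless and which the table above treats as a separate signal.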