
All right, so the name of this presentation is Trust No One: Protecting Your Data in a Zero Trust World. My name is David Raskin, I'm a senior security architect at Microsoft. This is me. I'm based out of Raleigh, North Carolina, have been with Microsoft going into my thirteenth year and 20 years in the industry, multiple jobs in Microsoft: Microsoft Consulting Services, Premier, and now I work with Microsoft partners. A bunch of certifications, and I would love to be at the beach now if this pandemic would ease up a little bit. But in any case, here's where I show you how tragically old I actually am. So how many of you remember 1998? What is it you remember about 1998? West Bailey's raisins? Can anybody remember these two? That doesn't look like Hillary Clinton, I wonder who that was. I remember having one of these, so many Discman, Walkman, depending on what flavor you got. Some of you might remember this game where Michael Jordan was playing with the flu and won in the last couple seconds. And a little company named Google got started in 1998. Among other things that happened, this is one of the things I remember from 1998: at the time I was working in the stock exchange in San Francisco, when there was a stock exchange in San Francisco, and I was in the networking department, and Novell was ruling the day.

At the time we managed a GroupWise system, and yes, it was rock solid, we loved it, it was fantastic. And this little upstart, Windows NT and Windows 2000, we were told to start learning it, and I started wondering what Active Directory was and how it could be used in the network. So I started learning that. I was actually in charge of one of the security departments there at the stock exchange, and at the time I had what I thought was a pretty unguessable password: trust no one. Now what's funny about this is that on July 16, 1998, CERT reported there was an incident where an attacker had found a hundred eighty-six thousand encrypted passwords, and at the time that the attacker was discovered, forty-seven thousand of those passwords had already been cracked. And sometimes I wondered, you know, looking back now, if one of my passwords had actually been in that cache.

And the reason I wonder that is because if we fast forward 15 years to the year 2013, by this point I was working at Microsoft, and my security practices I think were moderately better than they were back in 2001, or 1998 actually is when I originally started. But I had kind of gotten into security in a much bigger way, and, you know, I liked nosing around on the dark web and taking a look at different things, and one of the things that I liked to look for is password caches. And there was one on Pastebin, and I was looking through it, and as you can see here, there was my password at number nine on the password-guessing text file that was there on Pastebin. So that was a little unnerving, I wasn't real happy about that. But my password was slightly better than "letmein" and a little bit worse than "dragon" and a little bit better than "1234567". So that was a little bit of an eye-opener.

Some of you may be familiar with a website called Information is Beautiful, and they do word clouds, and this is a word cloud that they did for common passwords. And if you notice, there's my password again, trust no one. There's some other ones in there that are pretty obvious: you see NCC1701, that's a reference obviously to Star Trek; rush2112 and ou812 are Rush and Van Halen records; and then a whole bunch of other ones, jordan23, bond007, a whole bunch of just common names and phrases that people like. But this was, you know, again, the higher up you are and the bigger you are means the more targeted that password was. So trust no one was no longer a password that I could reliably use in any sense. Let's move forward a couple more years to 2019.
So we're looking back on 2019 now. Microsoft did some research, and one of the things that they found is that by 2021, 25 percent of the world's personal data will be compromised and housed in a data lake that can be analyzed and utilized by consortiums and threat actors. So things like passwords, Social Security numbers, credit card numbers, all this kind of stuff: about 25 percent of everybody in the world's personal data will be available in this massive data repository that will be shared by these threat actors. We've seen 750 percent growth in the number of ransomware families just in 2016. Now if you think about this, 2016 predates the Petya and NotPetya ransomware attacks, the SamSam attack, some of the more prominent ones that have come out in the last two or three years, and we saw 700 percent growth back then. So we can reliably assume that the growth has been just, not comparable, or even faster in the years since 2016. And the third thing is that by 2022, a third of successful attacks experienced by enterprises will be on their shadow IT resources. Now when we talk about shadow IT resources, we're talking about services or applications or cloud applications that departments within an organization may acquire for their own use without the knowledge of central IT, and the reason that's a threat is that if central IT isn't securing them, then it's very likely that nobody is securing them.

So what these things all put together lead us to is my password: trust no one. We really can't trust anybody to protect our personal data. We have to be able to trust our own machines, we have to be able to trust the reliability and safety of our cloud app resources. So let's take a look at what we can do to fix this problem. Now this is kind of a metaphor for what security used to look like, right? You had a firewall, people would try to get in, there was a door, it was mostly closed, traffic was, right, you could get right in, no problem, like that. But that's no longer the way things work.

We now have this concept of zero trust, and I recognize that Microsoft isn't the one that came up with the phrase zero trust, we're not the only ones that have a methodology around zero trust. The way that Microsoft views implementing zero trust is outlined in this URL at the bottom, aka.ms/zerotrust. And so what we're going to try to do over the next couple of minutes, and with some demos, is show what zero trust is, the three principles behind how Microsoft looks at zero trust, and if you're running a Microsoft network, what are some ways that you can implement zero trust on that network as well. So first of all, what is zero trust?
The principle behind zero trust from a Microsoft perspective is that we don't trust anybody to access data unless they have explicitly proven themselves to be who they say they are, that they're connecting from a trusted device, and that they have a right to know, or a right to that data. So in other words, I've got a user that's logging in on a machine and they're trying to access a set of data. So what a zero trust model is going to do is look at things like: what is the workload that they're trying to access? Are they using Exchange, are they using SharePoint, are they using Teams, are they connecting to G Suite, are they using Salesforce? What is the workload that they're trying to get to, are they allowed to use that workload at all, and if so, what permissions do they have on that workload? Then we look at the person themselves, in other words their identity: is the identity that they're using one that has potentially been compromised? Are they logging in from a location that is considered to be untrustworthy? Are they logging in using a pattern that doesn't match their typical login pattern, a time of day or a physical location that doesn't look right? What is the device that they're connecting from? If most of the time I log in using my Windows Surface Book, and then all of a sudden they see me trying to log in using a MacBook, you know, that's out of character for me, and it's going to raise the risk factor. Doesn't mean they're necessarily going to block me, but it is going to raise questions about whether I am who I say I am.

Now if all these factors start to raise risks, then we get to the point of saying, okay, let's look at the intelligence around this: what's going on with all these anomalies? You know, each one individually might not be such a red flag, but if you put all three of them together, and you put it together with, you know, what is it they're trying to do, is David trying to access the HR system, which he never tries to connect to on a normal basis, is that something that we want to allow? That's the concept behind zero trust: putting all these pieces together and starting to make decisions and forcing users to prove who they say they are and prove that they are reliable. This is true even within Microsoft. Depending on what workload you're trying to access, you may even be prompted for multi-factor authentication inside Microsoft's corporate network. So it isn't just considered zero trust outside the corporate network, it's zero trust inside the corporate network, and that's an element of, or a factor of, the assumed breach mentality that Microsoft has. We assume that there has been a breach
inside the network and that there is a malicious actor inside the network, and so nobody can be trusted, no network can be trusted implicitly, you still have to prove who you are. Now a lot of you have seen the attack kill chain, and so I'm going to just build this out real quickly, but what I want to do is kind of walk through some of the steps here and discuss how Microsoft tools can help you to protect your data against different phases of the kill chain. Now we know that it only takes about 24 to 48 hours for a threat actor to get access to domain admin privileges after a successful phishing attack, and that's usually where we see these types of attacks taking place first: whether it's a URL that drops some sort of malware onto a victim's machine and then they're able to exploit the machine and get command and control, or if they're able to, you know, open an attachment which does the same thing, exploits the machine, or maybe they can steal credentials through a password spray attack, a brute force password attack, whatever it might be. In some way, shape or form they get control either of a machine and then credentials, or they can get access to credentials through some other method.

Now we try to cover every single phase of the attack kill chain. So if you have Office 365, or Microsoft 365 as it's now called, there is Office ATP, Advanced Threat Protection for email, which can protect against malicious links in an email, malicious attachments. We have different tools that can prevent the compromise of user accounts, use of stolen credentials; I'll show you these tools as we go through the demos. Once a user account has been compromised, then the attacker is typically going to do a couple things. If they've compromised just a standard user account, they're going to try to move laterally on the machines in the network and try to find a machine that gives them credentials that are useful to them, whether it's to some simple database with HR data or credit card data, or if it gets them to domain admin privileges, they're able to elevate the privileges to the level that they need to get the stuff that they want. And really the important thing to remember here is that getting domain admin is not the end goal, right? The end goal is to get enough privileges to get the data that they want. Domain admin typically does that, but if they just need access to a file that has credit card numbers, that's all the privileges they need. They don't necessarily need domain admin, they just need enough privileges to do what they want to do.

So while they're going through this process of compromising accounts, they start looking around and figuring out where the data is that they can most effectively use. And so here's where things like Azure Privileged Identity Management come in, making sure that those privileged accounts are only used for the time period that they're needed. There's no standing privileged account access; in other words, a person doesn't have standing domain admin privileges or standing Exchange admin privileges. They request those privileges, are granted those privileges for a period of time, and then those privileges are revoked, so that even if an attacker is able to get on that user's machine, those privileges no longer exist and they can't be utilized. Once they establish domain presence and persistence, you know, things are kind of bad at that point, but one of the things that we often see is that once the attacker gets access to the data that they want, they start exfiltrating it through one form or another. And so we have the tool called Microsoft Cloud App Security that allows you to protect different workloads, even non-Microsoft workloads, from the data being exfiltrated to other locations.

So let's take a look at the different ways that we secure this. So the third way, really, is the identity, protecting the identity. So identity is really the core of the zero trust methodology. If you can't protect the identities of the users, then really the game is over before it's even started, and so that's why Microsoft is looking at Azure Active Directory as being the core security element of not just Microsoft products but of thousands of other applications that can leverage Azure AD for their authentication. And so we build really, really powerful security controls into Azure AD to make sure that those identities are protected to the greatest extent possible. If you're using Azure AD to authenticate to your CRM system, to Salesforce, to Box or Dropbox or Google Suite or Amazon or whatever it is, you have to make sure that that identity is protected very well. The next concept is: assume every resource is on the open internet. In other words, this is the assumed breach thought process. So again, if we see a user logging into a machine, whether it's a laptop, a mobile device or a standard desktop, we're looking at intent, right? We're looking at their intent, and we derive that intent from this set of scoring criteria: what is their identity, what is the device that they're trying to connect from, what is the location, what's the workload they're trying to get to. And pulling all that data together, we come up with a risk score that helps us to determine whether this person trying to use this device to access this workload is a valid combination. And so we're left with this concept again of never trust, always verify, and so that brings us back to trust no one.
Right, that's what the concept of zero trust means. Now what I'm going to do here is drop out of the PowerPoint presentation, and we're going to go through several of the tools that Microsoft has available in the Microsoft 365 suite that you can use to secure your environment. So what I've done here is I've kind of pre-staged some of my tabs just so things are quicker and move about. But once you get into Azure Active Directory, one of the first things that you can do is leverage Identity Secure Score. Now many of you are probably familiar with Microsoft Secure Score, or maybe Office 365 Secure Score. This methodology of scoring is becoming common across most of the workloads in the cloud for Microsoft, and a lot of vendors are also following the same methodology. The idea is that there is a value that you potentially could get to, in this case it's 203, and then the controls that I have implemented add up to 93, so I'm a little bit less than halfway to where I should be as far as securing the identities in Azure AD. If you notice here, this is my tenant, this shows that my score is 93 compared to the industry average for the industry that I've identified this tenant to be. I'm doing better, right? So they typically are about 43, so 93 is much better than the industry average, and then for your typical 0 to 5 person company, 16, so significantly better than that.

Now what does Identity Secure Score give me? First of all, it shows me my score for the last however many days, right? So the last week, last 30 days. Because there's not much change going on, this is what you see. I don't think in the last 90 days much has really changed, well, we'll see what it actually looks like. Yeah, so it's been pretty steady the whole last three months, I haven't made any significant changes to my environment in the last three months. But what this tells me down here is what are the actions I could perform in my environment to improve the security level of my identities, and it shows me what the impact would be of each of these actions. So for example, if I forced all my admins to use MFA when they log in, that would increase my score by 25 points, so I'd bump it up from 93 to, whatever that is, 118, something like that. It tells me also that the user impact is going to be low and the implementation cost is low. So let's take a look at this. I click on the bar, it tells me about the implementation, the improvement, what the score impact is going to be, it gives me a description of the requested action, how is it that you're going to change it, what you actually have to change, how is it going to affect your users, and how long it will take for this secure score update to be reflected in your secure score. I can go in here and say my status of this is I'm already doing MFA, with, you know, I might be doing RSA, right, so I can say third party, or I can say ignore, I don't really care about that. It doesn't mean that it's going to drop out of my list of recommendations, it's just not high on the priority list for right now. So the more I go through this list and implement these controls, the better my security score becomes.

And we have these secure scores for Azure, for SQL, for Microsoft 365, for endpoint security, and they're really all rolling up into Microsoft Secure Score, which is shown here. So here I went to the security admin center, or the admin portal, security.microsoft.com, and this is showing an all-up Microsoft Secure Score. So I've got the element of identity here, how am I protecting the data in my Office 365 tenant, how am I protecting my devices (not very well in this case), the applications, and then even the infrastructure in Azure. So it's pulling all the data from those properties together into a comprehensive score, and the idea is that we don't want you to have to look at so many different portals in order to understand what your security posture is. But if I go over here and start looking at the improvement actions, there's also a tab here that gives me more information. You'll see that the data is being pulled from different locations, so if I go to the product or the category, I can see that the category for a lot of these things is identity, but as I scroll down, if I filter actually, I can look at all the different types of categories, right? And so some of them are related to device security improvements, some to identity, some to applications, and on and on. So I can maybe assign different tasks to different groups of people in my organization. So I may have an identity group that manages identities exclusively, so I can click on this, and this gives me a little bit more detail that I can work with. So I can say that the action plan for implementing user risk policy is planned, or I've accepted that risk, or I resolved it through some other method. So this allows me to make a lot more granular and specific things available to my security organization. So one of the things I clicked on there was the user risk policy. So if we take a look at
the user risk policy, what this is doing once you turn it on and start enforcing it is it takes a look at the users, and you can specify which users; I've just decided to look at all users in this case. But it says, what is the user risk? So Microsoft, as I described before, assigns a level of user risk based on a variety of factors. Now we are able to see billions of authentications every month against many, many properties that we manage, you know, Azure and Office 365 and Xbox and Hotmail and whatever, so we understand what is an anomaly and what is a normal login for any given user, really. And so if we see the user risk level rise to medium or above, maybe we want to take an action on that. I'm going to leave it at high, right? And if I go here, what I'm saying is, if any user hits a user risk level of high, then what I'm going to ask is, once this shows up, I'm going to ask that the user be forced to change their password. It's just taking a minute to pull up. So I can force them to change their password, or I can just block access altogether. I can say if their user risk level is high, just block access, and then the user calls the helpdesk, you verify who they are and you restore their access. But maybe I just want to force a password change on them.

So that's the user risk policy. Turn this on for different groups; different people might have different policies applied to them. So maybe the C-level executives have one level of policy applied to them, the finance people have another policy applied to them, the IT people have a different policy applied to them. You can do that however you want. If I go back here, one of the things I'm going to look at is, take this concept of Azure AD Identity Protection, look at the risky users. So I mentioned the idea of how we categorize risk. So I've got a bunch of users here that have had some sort of risk level assigned to them; some of them have low, some of them have high, and some of the risks have been remediated, for whatever reason they were, you know, discounted as being not really a risk, false positive, or maybe we were able to fix the problem. But let's go in here and take a look at Allan Deyoung, because his risk level is high. If I click on him and I scroll this, oops.

[Moderator: David, just to let you know, we've just got a few minutes left, you'll be wrapping up?] Okay. Oh, okay. Wow, sorry. Yeah, yeah, that's fine.

So if I scroll down here, I see some basic information about Allan's account. I see that he's at risk, he's at high, and then I want to find out what exactly caused that risk. So I go to risk history, see if I can scroll this up a little bit, it's not letting me, right. So the risk history shows me that at 7 o'clock in the morning on February 16th his account logged in from a malicious IP address. So maybe this is, you know, a login from a node on the Tor network, whatever it is, that's what caused his address, or his ID, to be labeled as risky. So I can go in and I can say I confirm that he's been compromised, I can dismiss it, I can block him, I can force a password reset; there's a lot of different options I've got available to me.

Let's see what else I can show in just another minute: Conditional Access. So with Conditional Access we can set up policies that require users to perform a different level of authentication depending on the workload that they're accessing. So for example, what I've done here is set up a session control for Teams. So what this is saying is that for all my users who are accessing Teams, I can apply conditions, you know, depending on what the sign-in risk is, what device platform they're logging in with, and different locations that they're logging in from. If they meet this set of criteria, then I will grant them access, but maybe I require multi-factor authentication, or maybe I require them to accept the terms of use. Okay, so what actually happens in this case is I'm going to enforce Conditional Access App Control when they try to access Teams through the browser. So let me show you what that looks like. So I log in and I try to go to Teams in the browser, and you'll see me get prompted, right? So it tells me that my access to Teams is being monitored, and I just need to verify that that's what I want to do. So I didn't require multi-factor authentication in this case,
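The user risk policy and the Teams Conditional Access policy from the demo, combined into one decision as an added illustration (this is not Azure AD's evaluation engine and not code from the talk). The user baselines, policy names, control names and sign-in records are constructed for the example, and the sign-in risk simply counts the anomalies the talk lists (device, location, time of day, workload), so that one alone is low and all of them together is high.

```python
from dataclasses import dataclass
from enum import IntEnum


class Risk(IntEnum):
    NONE = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass
class SignIn:
    # One sign-in attempt: who, from what device, from where, at what hour, to which workload
    user: str
    user_risk: Risk          # identity-level risk already assigned to the account
    workload: str            # "Teams", "Exchange", "HR", ...
    client_app: str          # "browser" or "desktop"
    device_platform: str     # "Windows", "macOS", ...
    location_trusted: bool
    hour: int                # local hour of day, 0-23


@dataclass
class UserProfile:
    # What is "normal" for this user; a constructed baseline, not learned from real telemetry
    usual_platforms: set
    usual_hours: range
    usual_workloads: set


@dataclass
class ConditionalAccessPolicy:
    name: str
    workloads: set           # cloud apps the policy targets
    client_apps: set
    min_sign_in_risk: Risk   # NONE means the policy applies to every matching sign-in
    grant_controls: list     # e.g. ["mfa"], ["terms_of_use"]
    session_controls: list   # e.g. ["app_control_monitor"]


def sign_in_risk(s: SignIn, profile: UserProfile) -> tuple:
    """Combine the anomalies the talk lists: one alone is LOW, all of them together is HIGH."""
    anomalies = []
    if s.device_platform not in profile.usual_platforms:
        anomalies.append(f"unfamiliar device platform {s.device_platform}")
    if not s.location_trusted:
        anomalies.append("untrusted location")
    if s.hour not in profile.usual_hours:
        anomalies.append(f"unusual sign-in hour {s.hour:02d}:00")
    if s.workload not in profile.usual_workloads:
        anomalies.append(f"workload {s.workload} not normally accessed")
    return Risk(min(len(anomalies), Risk.HIGH)), anomalies


def evaluate(s, profile, user_risk_threshold, user_risk_action, ca_policies) -> tuple:
    """Return (action, controls, reasons); action is allow, force_password_change or block."""
    # The user risk policy is evaluated first: a compromised identity overrides everything else.
    if s.user_risk >= user_risk_threshold:
        return user_risk_action, [], [f"user risk {s.user_risk.name} reached {user_risk_threshold.name}"]
    level, reasons = sign_in_risk(s, profile)
    controls = []
    for p in ca_policies:
        if s.workload not in p.workloads or s.client_app not in p.client_apps or level < p.min_sign_in_risk:
            continue
        reasons.append(f"policy '{p.name}' applied")
        controls += [c for c in p.grant_controls + p.session_controls if c not in controls]
    return "allow", controls, reasons


# Policies and baselines as narrated in the demo (constructed here, not exported from any tenant).
TEAMS_BROWSER_POLICY = ConditionalAccessPolicy(
    "Teams browser session control", {"Teams"}, {"browser"}, Risk.NONE,
    grant_controls=["terms_of_use"], session_controls=["app_control_monitor"])
RISKY_SIGN_IN_POLICY = ConditionalAccessPolicy(
    "MFA for medium-or-higher sign-in risk", {"Teams", "Exchange", "SharePoint", "HR"},
    {"browser", "desktop"}, Risk.MEDIUM, grant_controls=["mfa"], session_controls=[])
PROFILES = {"david": UserProfile({"Windows"}, range(7, 19), {"Teams", "Exchange"}),
            "allan": UserProfile({"Windows"}, range(8, 18), {"Teams"})}


def decide(s: SignIn, user_risk_action: str = "force_password_change") -> tuple:
    """User risk policy at HIGH (force password change, or 'block'), then Conditional Access."""
    return evaluate(s, PROFILES[s.user], Risk.HIGH, user_risk_action,
                    [TEAMS_BROWSER_POLICY, RISKY_SIGN_IN_POLICY])
```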
I'm just notifying people that the access is being monitored, and they can get into Teams. I didn't have time to show you Cloud App Security. Cloud App Security is one of the most powerful tools that we have for maintaining the security of your data in a variety of locations. So for example, I'm able to see the different types of data that are being accessed, not just in Microsoft workloads. Everything just got reset here, let me fix this. So I'm able to see the stuff that my users are connecting to, these different workloads in my network, so they're getting not just the Office stuff, but they're going to Amazon, they're going to Google, they're going to Anaplan, ESPN, Dolly Drive, and I can make decisions about whether I sanction that or mark it as unsanctioned. Then one of the things I can do here is connect different applications to Cloud App Security. So in this case I've got the ability to connect my Salesforce, my AWS instance, G Suite, Dropbox, Azure, and this way I'm monitoring the access and able to audit the access to all these properties and several others that are listed here. So you can monitor when users are connecting to their AWS machines, what are they doing, are they shutting down machines, are they deleting machines; you're able to track that auditing with CloudTrail.

So apologies I didn't get to show you all the stuff that was in my plan there, we ran out of time, but again the key that we want to make sure that everybody remembers is that protecting your data requires you to protect your identities, and so where that leaves us is you have to trust no one. So thank you for your time, I appreciate you taking time to listen. That's my email address and my blog, if you want to access my blog, and thank you for your time.