Drop the hammer down on malware threats with Windows 10's ...


BRK2129: Drop the hammer down on malware threats with Windows 10's Device Guard
Scott Anderson, Program Manager, OS Security

The Malware threat
• 200+ : median number of days attackers are present on a victim's network before detection
• 80 : days after detection to full recovery
• $3 Trillion : impact of lost productivity and growth
• $3.5 Million : average cost of a data breach (15% YoY increase)
"There are two kinds of companies, those who've been hacked, and those who don't know they've been hacked." - James Comey, FBI Director

Device Guard: Achieving PC lockdown for enterprise
• Enterprise-grade application whitelisting
• Virtualization-based security protections
• Hardware and UEFI BIOS lockdown
• Device Guard ready and Device Guard capable options from OEMs

Code Integrity: Whitelisting is a top security recommendation
Australian Signals Directorate top 4 Strategies to Mitigate Targeted Cyber Intrusions:
  1) Application whitelisting
  2) Application patching
  3) Operating system patching
  4) Minimise administrative privileges
• ASD top 4 prevents over 85% of intrusions
• Application whitelisting is the most effective strategy in the Australian Signal

Ensuring the Integrity of Windows
• Secure Boot: includes Secure Firmware Updates and Platform Secure Boot
• Kernel Mode Code Integrity (KMCI): Device Guard's configurable code integrity
• User Mode Code Integrity (UMCI): Device Guard's configurable code integrity
• AppLocker

Boot and execution chain, bottom up (slide diagram):
  Platform Secure Boot  -> ROM / fuses, bootloaders
  UEFI Secure Boot      -> native UEFI, Windows OS Loader
  KMCI                  -> Windows kernel and drivers, 3rd party drivers
  UMCI / AppLocker      -> user mode code (apps, etc.)

But Whitelisting is Hard
• IT code signing is not pervasive, although it is the best option for strong app identity and integrity validation
• Decentralized LOB app development
• Lack of code signing expertise
• Enterprises don't want to (and shouldn't) blindly trust all software from an ISV, even if signed
• Too darned many existing LOB apps

Getting Apps into the Circle of Trust
• Adopting code signing: make code signing part of the LOB app development process OR of app deployment workflows
• Create catalogs for legacy and ISV apps with Windows 10's Package Inspector tool: no need to repackage/rebuild apps; easily deployed with SCCM
• Device Guard signing in the Windows Store for Business
• Download the default Device Guard configurable CI policy

Demo: Deploying Policies and Applications

Secured Scripts with Config CI
• Windows Script Host will be limited: signed scripts are required for full functionality. WSH is the scripting host for VBScript (.vbs), JScript (.js), Windows script file (.wsf) and Windows script component (.wsc) scripts
• Beware unenlightened 3rd party script hosts
• MSIs must be signed
• PowerShell runs in ConstrainedLanguage mode; only signed PowerShell scripts run in full language mode
• .bat and .cmd scripts are not restricted
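The slide above states the effect a configurable CI policy has on scripts: unsigned PowerShell is confined to ConstrainedLanguage mode and unsigned WSH scripts lose functionality. The following PowerShell is an added example, not code from the session deck or from Microsoft's tooling. It reports the current session's language mode, inventories the script types the slide names under a folder, flags those without a valid Authenticode signature, and can optionally sign them. The folder path, the -Sign switch, the certificate lookup and the timestamp service URL are assumptions for illustration.

```powershell
<#
  Added example, not from the BRK2129 deck: audit script signatures ahead of a
  Device Guard UMCI rollout. Assumptions: scripts live under $ScriptRoot, and a
  code-signing certificate (if -Sign is used) is in the current user's store.
#>
param(
    [string]$ScriptRoot = 'C:\Scripts',   # assumed location of the scripts to audit
    [switch]$Sign                         # optionally sign what is found unsigned
)

# Under an enforced UMCI policy an unsigned script sees ConstrainedLanguage here;
# a signed one (or an unrestricted machine) sees FullLanguage.
"Current session language mode: $($ExecutionContext.SessionState.LanguageMode)"

# Script types the slide says are constrained: PowerShell plus the WSH hosts.
# .bat and .cmd are left out on purpose; the slide notes they are not restricted.
$constrained = '*.ps1', '*.psm1', '*.vbs', '*.js', '*.wsf', '*.wsc'

function Get-ScriptSignatureReport {
    param([string]$Root)
    Get-ChildItem -Path $Root -Recurse -File -Include $constrained | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Script   = $_.FullName
            Status   = $sig.Status     # Valid, NotSigned, HashMismatch, UnknownError, ...
            Signer   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
            # Only a Valid signature keeps full functionality once UMCI is enforced.
            RunsFull = ($sig.Status -eq 'Valid')
        }
    }
}

$report = @(Get-ScriptSignatureReport -Root $ScriptRoot)
$report | Sort-Object RunsFull, Script | Format-Table -AutoSize

$unsigned = @($report | Where-Object { -not $_.RunsFull })
"Scripts that would lose full functionality under UMCI: $($unsigned.Count) of $($report.Count)"

if ($Sign -and $unsigned.Count -gt 0) {
    # Use the first code-signing certificate in the user's personal store (assumption:
    # the enterprise issued one, as the "Adopting Code Signing" slide recommends).
    $cert = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1
    if (-not $cert) { throw 'No code-signing certificate found in Cert:\CurrentUser\My' }

    foreach ($entry in $unsigned) {
        # Set-AuthenticodeSignature handles PowerShell and WSH script formats. The
        # timestamp server is an example value; it keeps the signature valid after the
        # certificate itself expires.
        Set-AuthenticodeSignature -FilePath $entry.Script -Certificate $cert `
            -HashAlgorithm SHA256 -TimestampServer 'http://timestamp.digicert.com' |
            Select-Object Path, Status
    }
}
```

Run it in audit phase, before switching a policy to enforced mode: the count of scripts that would lose full functionality is the backlog the deployment team has to sign (or move under a catalog) first.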

Configurable Code Integrity and AppLocker
• Complementary features to whitelist application/code execution on Windows
• Configurable Code Integrity (CCI) sets machine policy
• AppLocker for user role-specific policies, managing UWP apps, and managing .bat/.cmd
• Signed Device Guard CI policy protects from local admin:
  - Signed policy stored in a pre-OS secure variable
  - Requires a newer signed policy to update; cannot be deleted by an admin
  - Becomes a machine level policy, which means boot from media must be compliant
  - Measured into the TPM and part of device health attestation
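The slide above separates the machine-wide configurable CI policy from AppLocker and explains why a signed policy resists a local admin. The following PowerShell is an added example, not code from the session deck or the Device Guard deployment guide. It uses the Windows 10 ConfigCI module to build a policy from a golden system, starts it in audit mode (the option the later scenario slides recommend for lightly managed devices), shows how the "KMCI enforced only" variant differs, converts the XML to the binary the kernel consumes, and reviews the audit events that enforcement would have turned into blocks. File paths and the signing certificate name are assumptions.

```powershell
<#
  Added example, not from the BRK2129 deck or Microsoft's deployment guide:
  build a configurable code integrity policy from a golden system, start it in
  audit mode, convert it to binary, and review what audit mode would have blocked.
  File paths and the signing certificate name are assumptions.
#>
Import-Module ConfigCI

$PolicyXml = 'C:\DG\GoldenPolicy.xml'   # assumed working path for the editable XML policy
$PolicyBin = 'C:\DG\SIPolicy.p7b'       # assumed output path for the binary policy

function New-GoldenPolicy {
    param([string]$Xml, [switch]$KmciOnly)

    # Scan the golden system. -Level Publisher trusts code by its signing publisher;
    # -Fallback Hash adds a hash rule for anything unsigned so legacy LOB binaries still
    # run; -UserPEs includes user-mode code so the policy covers UMCI as well as KMCI.
    New-CIPolicy -Level Publisher -Fallback Hash -UserPEs -ScanPath "$env:SystemDrive\" -FilePath $Xml

    # Rule option 3 = Enabled:Audit Mode. Violations are logged but not blocked,
    # which is the starting point for machines whose software set is not yet known.
    Set-RuleOption -FilePath $Xml -Option 3

    if ($KmciOnly) {
        # Option 0 = Enabled:UMCI. Removing it gives the "KMCI enforced only" variant:
        # kernel-mode code is policed, user-mode code is left to AppLocker.
        Set-RuleOption -FilePath $Xml -Option 0 -Delete
    }
}

function Get-CodeIntegrityAuditEvents {
    param([int]$Hours = 24)
    # Event 3076 in the CodeIntegrity operational log records an audit-mode hit:
    # the binary ran, but an enforced policy would have blocked it.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id        = 3076
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message
}

New-GoldenPolicy -Xml $PolicyXml

# Convert the XML to the binary format the kernel loads.
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin

# To produce the signed policy the slide describes (one a local admin cannot remove):
#  1. add the signing certificate as an -Update signer so a newer signed policy can replace it:
#       Add-SignerRule -FilePath $PolicyXml -CertificatePath 'C:\DG\DGSigningCert.cer' -Update
#  2. drop option 6 (Enabled:Unsigned System Integrity Policy) and reconvert:
#       Set-RuleOption -FilePath $PolicyXml -Option 6 -Delete
#       ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin
#  3. sign the binary (certificate subject is a placeholder):
#       signtool sign /v /n "<YourDGSigningCert>" /p7 . /p7co 1.3.6.1.4.1.311.79.1 /fd sha256 $PolicyBin
# Deployment copies the result to C:\Windows\System32\CodeIntegrity\SIPolicy.p7b and reboots.

# After devices have run in audit mode for a while, review what enforcement would block.
Get-CodeIntegrityAuditEvents -Hours 24 | Format-Table -Wrap
```

The audit-event review is the step that decides when a policy is ready to enforce: every 3076 event is either a binary that belongs in the policy (add it via a catalog, a publisher rule or a Managed Installer) or something that should indeed be blocked.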

"That all sounds great. But whitelisting is still too hard!" - Every IT Pro in the World

Demo: Introducing Trusted Managed Installers

Simplifying Whitelist Management
• Managed Installer: automatically trust software installed by your IT app deployment solution (e.g. SCCM)
• Available in RS1 as a custom AppLocker policy, with configurable CI support coming soon
• Enables enterprises to better balance security and manageability

Virtualization Based Protection of Code Integrity
• Virtualization based security (VBS): a new trust boundary for Windows
  - Secure execution environment isolated from the high-level OS
  - Enhanced OS protection against attacks (including attacks from kernel mode)
  - Protection of secrets (e.g. derived user credentials)
  - Protection of guest VM secrets from the host OS
• KMCI protected by VBS
  - Code integrity (CI) rules enforced even if a vulnerability allows unauthorized kernel mode memory access
  - Memory pages are only marked executable when CI validation succeeds
  - Kernel memory cannot be marked both writable and executable
• BUT not all drivers will be compatible

KMCI in Windows 8.1 (slide diagram)
  Host OS (Normal World)
    User
    Kernel: Malware and KMCI side by side ("Howdy Peer!")
  Firmware (UEFI)
  Hardware (TPM, virtualization extensions, IOMMU)

KMCI with Windows 10 VBS (slide diagram)
  Normal World (Host OS)                          Secure World (Measured)
    User:   Normal App 2, LSASS                     Secure Trustlets: LSAIso, Secure App 2
    Kernel: Malware ("I thought we could be friends")   KMCI
  Hardened Boundary between the two worlds
  Hypervisor
  Firmware (UEFI)
  Hardware (TPM, virtualization extensions, IOMMU)

INTRODUCING: Device Guard and Credential Guard Readiness Tool
• Verify device compatibility with Device Guard and Credential Guard
  - Hardware and virtualization support
  - Driver compatibility with HVCI
• Audit status of DG/CG on systems
• Use SCCM or other management solutions to automate end-to-end deployment of DG/CG; the tool can be used to automate enablement of DG/CG

Demo: Readiness Tool

Preparing for Device Guard

Planning for Device Guard: Considerations
• Configurable CI works on any Windows 10 PC
• Choose the right policy options based on scenarios/machine configurations and maturity of IT
• Policy management can be complicated by the diversity of hardware and software
• VBS and HVCI have specific hardware requirements
  - Virtualization and IOMMU
  - Microsoft Hyper-V hypervisor
  - Driver compatibility!
• New or existing systems?

Device Guard Scenarios and Recommendations
(Each slide places its scenario on a spectrum from lightly managed, through fully managed, to fixed workloads.)

Fixed workloads
• Characteristics: tightly managed; very well-defined software and hardware configurations; low churn; no user or standard user only
• Recommendations: turn on VBS protection of Kernel Mode Code Integrity; deploy a configurable code integrity policy with both kernel and user mode rules generated from golden system(s)

Fully managed
• Characteristics: tightly managed; well-defined hardware configurations; managed software only; ideally standard user only
• Recommendations: turn on VBS protection of Kernel Mode Code Integrity; deploy a configurable code integrity policy with both kernel and user mode rules created from golden system(s) or based on the DGSP default policy; optionally, use Managed Installer to simplify policy management

Lightly managed
• Characteristics: multiple and varied hardware configurations; users can install unmanaged software; standard or admin users
• Recommendations: turn on VBS protection of Kernel Mode Code Integrity; deploy configurable code integrity in audit mode OR KMCI enforced only; optionally, use Managed Installer to simplify policy management

Personally owned devices (BYOD)
• Characteristics: highly-variable hardware and software
• Recommendation: Device Guard not appropriate

Deploying Device Guard
• Buy Device Guard ready machines from OEMs -- OR -- use the Device Guard and Credential Guard Readiness tool to identify Device Guard capable devices
• Use Windows Store for Business to create a default code integrity policy and catalog sign LOB apps -- OR --

Resources
• Device Guard and Credential Guard Readiness Tool - https://www.microsoft.com/en-us/download/details.aspx?id=53337
• Device Guard signing in Business Store Portal - https://businessstore.microsoft.com/en-us/DeviceGuard/
• Managing Device Guard with SCCM blog - https://blogs.technet.microsoft.com/configmgrteam/2015/10/30/managing-windows-10-device-guard-with-configuration-manager/
• SCCM as a Managed Installer blog - https://blogs.technet.microsoft.com/enterprisemobility/2016/06/20/configmgr-as-a-managed-installer-with-win10/
• Device Guard deployment guide - https://technet.microsoft.com/en-us/library/mt463091.aspx
• Ignite 2015 Device Guard session - https://channel9.msdn.com/Events/Ignite/2015/BRK2336
• Windows 10 Device Guard Overview (in French) -

Please evaluate this session
Your feedback is important to us! From your PC or tablet, visit MyIgnite at http://myignite.microsoft.com. From your phone, download and use the Ignite Mobile App by scanning the QR code above or visiting https://aka.ms/ignite.mobileapp
© 2016 Microsoft Corporation. All rights reserved.
