
trustno1: Protecting your Data in a Zero Trust World

BSides Charleston · 2019 · 51:11 · 55 views · Published 2019-11
About this talk
David Branscome, a Microsoft security architect, explains zero trust architecture and its practical implementation in Microsoft 365 and Azure AD. The talk covers conditional access policies, cloud app security monitoring, identity protection, and risk-based authentication to prevent unauthorized data access in modern enterprise environments.
Original YouTube description
Security BSides 2019, College of Charleston, SC, November 9, 2019, @BSidesCHS. Title: "trustno1: Protecting your Data in a Zero Trust World". Speaker: David Branscome
Transcript [en]

Welcome, everyone. My name is Dave Branscome. The title of this session is "trustno1: Protecting Your Data in a Zero Trust World." So this is me: I am a partner technical security architect for Microsoft. I'm based out of Raleigh, North Carolina. I've been with Microsoft for about 12 years, about 20 years in the industry. I worked in Microsoft Consulting Services, in their Premier organization, and now I work with the partner organization, helping Microsoft partners understand how to implement and secure Microsoft products. So I've got a couple of certifications, and I would always rather be at the beach. Maybe not in the water today, but I'd definitely rather be at the beach. That's just kind of where I'm happy.

How many of you are running Office 365, Microsoft 365, EMS, that sort of thing? Whew, okay. All right, so here's the part of the session where I show you how very, very old I am. Okay, so what do you guys remember about 1998? Anybody working back in 1998? A couple of people. All right, any of you remember this guy? Doesn't Hillary look weird? That's not her. Anybody have one of those still? Old Discman. This is what the iPods used to look like, kids. Anybody remember this game, where Michael Jordan was sick the last game of the championship and still hit the game-winning shot? And this one is for Matty Stone, although she left.

This was the year that Google started, 1998. So a lot of things happened back in 1998. This is one of the things I remember from 1998: how many of you remember Novell? Yeah, so Novell and NT4, that was a big fight going on right there, and as you can see, Novell looked pretty shiny and good, and they were beating the pants off of NT4 for a little while, but things changed very quickly. Now, at the time that I was working in 1998, I was working at the Pacific Stock Exchange in San Francisco. That was when San Francisco had a stock exchange; they no longer do. But one of the things that was happening was they were converting the trading floor for the stock exchange from a mainframe-based system over to Windows 2000 and Active Directory, and they were using Exchange and SQL 2000 and all that. Everything Microsoft that was bright and shiny and new was going into the trading system. That has nothing to do with why there's no longer a stock exchange in San Francisco, but that was what we were doing. And at that point I became the Windows 2000 admin for the stock exchange, and that was my absolutely unguessable password: trustno1. I was certain nobody would guess that thing. Okay, so let's fast forward 15 years to 2013. I'm working at Microsoft by this point, I've got a little bit better grasp on what a secure password looks like, and I'm rummaging around on Pastebin, and what do I see? Number nine, right? So trustno1 was slightly less guessable than 1234567, so I was doing somewhat better, right? Then we fast forward to today, and how many of you have seen these Information is Beautiful word clouds? Anybody seen these? So these are the most popular passwords, right? The height determines the popularity of the password, and where it is on the horizontal axis determines the complexity, I believe that's what they were doing. So it was fairly non-complex and easily guessable, so I was disappointing.

Let's fast forward to today. These are some pretty scary statistics, and these are statistics that I got out of Microsoft's database of information not too long ago, a couple of months ago. This one's pretty fascinating: by 2021, just two years from now, 25 percent of the world's personal data will be compromised and housed in a data lake to be analyzed and utilized by consortiums of threat actors. 25 percent of the world's personal data. So that tells us two things, right? It tells us, first of all, that our data is not as secure as we would like it to be, but secondly, that the threat actors are collaborating on these things. Right? If they're putting together these data lakes that they all share from, that tells us that they've got some kind of deal going on. There's been a 750 percent growth in the number of ransomware families just since 2016, or in 2016, and that's been growing incrementally over the last couple of years as well. I actually submitted a session to a different BSides dealing with ransomware, and they sent me a response back saying, "No thanks, we don't feel that ransomware is a relevant issue anymore, with Petya and NotPetya being done." I was like, okay. How many of you think that's true, that ransomware is done? Not even close, yeah, it's all over the place. Then this last one: by 2022, a third of successful attacks experienced by enterprises will be on their shadow IT resources. So when we say shadow IT resources, we're talking about implementations of software within an organization that the IT department doesn't know about or doesn't control, right? So somebody doesn't want to use, you know, Microsoft Office or whatever it is, and so they buy, you know, a subscription to G Suite or to whatever, right? It's just software that's controlled outside of the IT organization. We see this happening a lot in education, because typically departments have their own budgets and they'll buy things that they want or that they're familiar with, and those don't fall under the control of the central IT department. How many of you have to deal with that kind of situation?

It's difficult, right? So when we take these three ideas together, you know, the lack of control of identity, the compromise of devices, and the compromise of data, I wasn't so far off, right? We can't trust anyone. We have to be in this mental model of trusting no one on our network. The fact is, though, security used to be what we thought was simple, right? It kind of looked like this: we had a gigantic firewall and we opened some ports and everything was great, right? But that's no longer the way the world works. Today we have people that have mobile devices, they bring their own devices, there's many different cloud providers, and that results in significant challenges for the IT department. So we have this concept called zero trust, and this isn't a new concept. It's not a concept that is exclusive to Microsoft; Google has their version of zero trust called BeyondCorp. And if you want to see how Microsoft implements zero trust, go to that URL. That's our thinking on how to implement a zero trust model. But if you narrow it down, there's really three steps to implementing zero trust, and I'll show you how that can be done in some demos here in just a few minutes. But at its root, what does zero trust mean? It means basically that we take a look at workloads that users are trying to access, whether it be Exchange or an HR application or Salesforce or G Suite or Box or Dropbox or whatever. We see who the user is that's trying to access it, what device they're trying to access it from, and we wrap some intelligence around that, and we grant them access or deny access to that data based on the sum total of those values, right?

If you think about the attack kill chain, and most of you are probably familiar with how the attack kill chain works, typically in a Microsoft network, I mean, this is applicable in most environments, but since most environments involve Microsoft networks or Microsoft hosts and endpoints at some level, this is kind of how it works. Most of the exploits and most of the compromises of an endpoint will happen because the user goes to a website or they click on a phishing email. There are statistics that say 4% of users will always, always click on an email that they get; they will always click on a link in an email. That's not good, right? So 4% of people will always click on a URL. If you're an attacker, that's pretty decent odds, right? If you send 100 emails, four people are gonna click on it and you've got possible ownership of the box, right? That's pretty decent odds. So the phishing email: either they click on a URL or they open an attachment, and the user account has been exploited, and maybe they install some malware. Now, within Microsoft, and I'm not going to try to get into a lot of, you know, salesy kind of thing, I'm just illustrating: if you have a Microsoft network, there are controls in place that you can use to mitigate some of these issues. So Office ATP, advanced email threat protection: we have the concept of Safe Attachments and Safe Links. So with Safe Attachments, what we do is, if an attachment comes in and we're unsure of it, we can disconnect that attachment from the email, open it in a sandboxed virtual VM in our data centers, see what the behavior of that attachment is, whether it's, you know, dropping some code, if it's trying to establish a connection out to a server on the internet, whatever it is, and if we determine that behavior to be malicious, then we won't deliver that attachment. Similarly with the safe URLs, what happens is, if an email gets sent, we look at the URL. If the URL looks to be malicious, then of course we won't allow people to click on it. But the thing that makes it unique is that it's always at the point in time when the user clicks on it. So what we've seen in some cases is a threat actor will send a link to a bunch of users in an organization, and there will be nothing malicious behind the link at the time that they deliver it, so it gets through, gets to the mailboxes, everybody has access to this thing, and then once they're confident that it's gotten to everybody's mailbox, then they'll activate something behind the link, right? So that then when you click on the link it does something bad. So Safe Links will check it every time the user clicks, whether it's 20 minutes after they get the email or 20 days after they get the email, whatever. We're always gonna go check and see what that URL is trying to do. So those are a couple of things that we do that help mitigate these two issues.

There's also the possibility that an attacker will try to brute force an account or use stolen account credentials, and then we have things like Azure AD Identity Protection, which I'll show you in just a few minutes. They establish command and control, they've compromised the user account, they establish persistence, and then from there they can start making lateral movements across the network, right? So then they can start doing pass-the-hash attacks or golden ticket or whatever it might be, until they finally find a privileged account, compromise that account, and can elevate their privileges and start doing bad stuff. And one of the things that they typically want to do is establish domain persistence, and with that we have Azure ATP, or Azure Advanced Threat Analytics. Does anybody use Advanced Threat Analytics in their environment? Azure Advanced Threat Analytics? Oh. So the basic idea behind this is we look at the traffic that's going from any endpoint to a domain controller, and if we see behavior that, for example, is a pass-the-hash attack or a golden ticket attack or an RDP brute-force attack or whatever it might be, we understand what that looks like, and so we'll alert you to that, and we'll also give you a map of how this attack has taken place. So Azure ATA is a pretty cool tool. Azure AD Privileged Identity Management: this is the concept of just-in-time access and just enough access. So rather than having standing global admin privileges on something, we give you the access when you need it, for the time that you need it, and only the amount of privilege or the amount of access that you need. So those types of things help to limit the opportunities for attackers to establish this type of persistence on your network. And then of course one of the things that the attackers want to do is access your data and exfiltrate your data, and one of the tools that we have there is Microsoft Cloud App Security. Is anybody using that? You're using it? One person, all right. When I show this to you, I hope that you'll change your mind about that, because it is one of the best tools that we've got out there, and it's getting better. So that's the attack kill chain. Those are some of the tools that Microsoft gives you to mitigate these attacks.

But again, getting back to the idea of a zero trust network, what are the elements of this zero trust network? So the first is that identity becomes the control plane. So we used to have things like ACLs on documents, you know; if you had a Windows server and you had a file server and you established NTFS permissions on those documents and so forth, that was kind of how you controlled access to that. But let me ask you a question. Let's say I build an NT or a Windows server and I put NTFS permissions on a document, and I lock that document down so that I am the only human on earth that has permissions to that document. So if I try to send that to you within my network, can you open that document? No. Within the network you can't. What if I send it to your Gmail account? Can you open that document? Sure can, right? So we have to have something where the identity is linked to your permissions, and so that's where the idea of Azure Information Protection comes in, where your identity is in Azure, and whether I sent it to you in Gmail or whatever, it's gonna validate whether you have permissions to open that document, to do things with that document, and if you're not validated then you simply have no permissions to that document. Assume every resource is on the open internet. This is not a misspelling; that is not supposed to say "internet," it is actually supposed to say "intent," right? So what we're doing is we're taking the sum total of the behaviors here on the right-hand side. From your perspective, we're looking at the identity, we're looking at the device, we're looking at the location that they're logging in from, what workload they're trying to get to, and then we do some risk scoring, and that's going to add that all up, and it's going to equal what we believe to be the intent of the user. And if we think that the intent of the user is malicious, then we'll block it. So that's what's going on there. So this is true even within Microsoft. If I am trying to access our HR system and I'm inside Microsoft's corporate network, I still have to be authenticated, I still have to sometimes verify my identity by doing a multi-factor authentication, things like that. But when I come here and I log into the network here, I'm absolutely going to be prompted for MFA. If I'm at home and it knows that that's an established trusted location for me, that I log in there from on a regular basis, then it might only prompt me every 30 days or every 60 days for multi-factor authentication. But we're assuming that everything is the wide open internet. And then this idea of never trusting, always verifying: so prove to me who you are, show me that you are who you claim to be, whether that be with a password or some kind of a token or a code that's sent to the Microsoft Authenticator app or to your phone via text, whatever it is. You have to verify who you are. So again we come back to this idea of never trust, so again, trust no one. So I'm still on track, right? All right.

Let's take a look at some of these things. Incidentally, how many of you have seen this feature in PowerPoint? Right now it's translating live into Danish. Anybody speak Danish? So I speak Danish, and that is a pretty good translation of English into Danish, and there's a whole bunch of different languages that you can translate into. So if you go here to Slide Show, Always Use Subtitles, Subtitle Settings, you can define... come on, click. Well, eventually it'll click, and it'll show me the different languages that it can translate into, as well as what it believes to be the spoken language, or what it's expecting the spoken language to be. Locked up here.

Come on.

Let me try this real quick.

Not sure why it's locked up on me.

Try again.

All right, let me restart real quick. So how many of you have some form of a zero trust network established in your environment? Okay, what's the mechanism that you're using to create that?

Cool, cool.

How do you manage mobile devices? Like, are your users allowed to bring mobile devices from home, or are they managed by the corporate...? Okay, got a managed browser. Yep. Well, oh, there we go, looks like I got a connection now. Okay, let's try this again. So log in to my demo tenant. Nice, it only gets better.

That's not trustno1, the password, by the way. Okay, so it's prompted me here.

All right, sorry about the delay there. Okay, so if I go to my admin portal in Office 365, and this is actually an M365 tenant, so I want to make sure everybody understands the difference between Office 365 and Microsoft 365. Office 365 is your Outlook, Word, PowerPoint, you know, Teams, that kind of stuff. Microsoft 365 is Office 365 plus Windows 10 plus Enterprise Mobility and Security. Okay, let's open up the admin portal, and if I go to Azure Active Directory... let me make this a little bit bigger. Anybody following the announcements from Ignite this week? There's some pretty cool stuff that came out from Microsoft this week. One of the big ones that's getting a lot of buzz is Azure Arc, where we can manage multiple cloud environments, so your AWS environment, your Google environment, and all that stuff, from one location. All right, go to Azure Active Directory.

All right, so I'm here in my Azure Active Directory, and if I go to the Conditional Access area, I'll show you how easy it is to set up a zero trust network policy in an environment. Okay, so one of the first things that I want to do is establish a named location. So a named location is a set of IP addresses that I trust, so maybe my internal network, or maybe not that I trust, but that I have a higher level of confidence in that subnet, for example. So I go here to Named Locations, and I've created one here called Charleston BSides, but I'll show you how easy it is. All right, so I can call it Charleston BSides 2, and what it is, is it's looking at IP ranges or countries or regions. So maybe I don't trust North Korea, maybe I don't trust Iran, right? So I can establish, you know, network blocks for those IP ranges. But let's say I want to mark one of these as a trusted location, and then I just say 192.168.0.0/24. I think that's how it wants it. Yep. I know, I misspelled Charleston, but anyway, you get the idea. So now I've established that that is a trusted location. I can establish custom controls, too. This is something that is relatively new, but what this requires is you have to edit this JSON file that's gonna pop up here, and you can add things like Duo and, you know, other third-party authentication providers in here as being a requirement for the conditional access setup. You can require Terms of Use to be accepted when people log in, that kind of thing. VPN connectivity, if you're still using VPN. Microsoft used to use a VPN; we don't use it anymore, because the concept of zero trust means there's nobody that you trust, even if they VPN in, so we just don't use it. And then there's some classic policies here that you can use. But let's go ahead and create a policy. So I'll call this Charleston, and I'll spell it right, trust Box. Okay, so what I'm going to do here is say that if a user is logging in from the Charleston BSides subnet, which is a 192.168 subnet, and they're a member of a certain group, and they're trying to access Box, then I'm going to require multi-factor authentication. Okay, so let's say that the group of users... let's say all users. Oh wait, even better, let's say all guests and external users. Okay, so what this means is, if you have partners or organizations that you work with, you can say, sure, you can access my network, you're going to be subject to a set of policies that may be different than what my internal people have. So you may require your external vendors or external partners to always use multi-factor authentication, you may require that those devices are never jailbroken, you may require that those devices are always encrypted, whereas you don't require the same thing of your internal users. Let's go ahead and do this. So we're saying all guest users. Now it's gonna look at the cloud apps that I've got defined, and notice this isn't just Microsoft applications, right? So I've got Box, so I can control access to Box, a corporate installation of Box. I can establish the same thing for Salesforce, right, whatever applications I'm integrating my Azure AD logins with. So I can use Azure AD to log in to Salesforce, I can use Azure AD to log in to Box. When I establish that as the authentication mechanism, remember, identity is the control plane; if I establish that as the authentication mechanism, then I'm allowed to control the applications that use that. All right, so I'm using Box. And then, what are the conditions under which a user will be granted access? So Azure AD Identity Protection looks at different factors of a user's login: where are they logging in from, when was the last time they logged in from this place, are they logging in with a browser or are they logging in with an application, what kind of browser are they logging in with, are they using Chrome, is that their typical browser, right? So if I all of a sudden start logging in with a browser that Microsoft has never seen me logging in with, that's gonna raise my risk. It's gonna say this isn't typically how he logs in, so maybe this is a problem. It's not gonna stop me, but it's gonna raise the risk factor. So I'm gonna say yes if I'm at a medium risk. Device platform: so which devices am I allowed to log in with? So I've got external users; I'm gonna say they're gonna log in with Android devices, iOS devices, nobody has Windows Phone anymore, Windows and macOS. Locations: I'm gonna say not trusted locations, because external users are not going to be in my trusted locations, so I will exclude trusted locations. And then, depending on what application they're using, so if they're logging in with a browser or a mobile app or whatever. And then, what's the state of the device? Is the device Azure AD joined? Is it marked as compliant? So have I marked that device as complying with the policies? So if this is an external user, a guest user, I probably don't have the ability to control whether the device is compliant, so I'm not going to configure that. Okay, and now, so I've established the conditions for the access; now I'm gonna establish the access. So I can say, if they meet all these conditions, then I'm going to require multi-factor authentication, and I can require more than one, right? But for an external user I think that's a reasonable amount. And I can also establish session control. So session control means a browser session: how am I going to control the browser session? All right, so I'm not gonna change anything there, and then I create the policy. And just like that, what's gonna happen now is, if an external user tries to log in to my corporate installation of Box, right, I want to grant them access to Box, they're going to have to provide multi-factor authentication in order to get that access. So that's the concept of zero trust, right?

Now I can establish the same policies for my internal people, right? I can say, you know, one of the baseline policies that we've established here is require MFA for admins, require MFA for end users, block legacy authentication, so it's blocking some of the older protocols that are usually compromised. These are going to be defaults, by the way, starting, I think, this month or next month, I can't remember what the timing on that was, but for all new tenants it's going to turn on with those policies activated, because people just don't turn them on. So in this case, for example, I've got a policy set up for Salesforce, and what I've done is say, if you're a member of the Sales and Marketing group and you want to access Salesforce, then I am going to use a conditional access application control. Okay, so let's look at this. What this is saying is, if you're inside my network and you're trying to get to Salesforce, I'm going to establish a set of controls on your browser session. Okay, now let's find out where that actually gets implemented. If I go to Cloud App Security, which I think you were the only one that said that you're using Cloud App Security, but if we go to Cloud App Security, what this is is a cloud app security broker, right? So any cloud applications that you're trying to access from inside my corporate network, I'm going to watch your access to that, and I'm going to allow or disallow based on the criteria that you have there. Cloud App Security is one of the best tools that we have, in my opinion, because it just makes so much sense when you look at it. It's a very logical tool, and it does a whole lot. Let me make this a little bit bigger. All right, so what this is showing me here is, these are the applications that I am controlling with Cloud App Security. So notice I'm managing ServiceNow, Salesforce, a corporate installation of Box, which we knew already, right? And what it's doing is it's watching the traffic: who it's coming from, what IP address it's coming from, what the behavior is, what is it you're trying to do when you get there. So we have APIs that connect to, for example, G Suite, right? So if I see a user moving a file from SharePoint to a corporate installation of G Drive, right, Google Drive, and I'm managing it with Cloud App Security, I watch as that file gets moved over there, and if I look in that file, all right, I can establish a policy that says look in that file, and if you see PII data, if you see credit cards, if you see a bank routing number, whatever, then encrypt that file and go ahead and store it on Google Drive. So even though it's stored outside of Microsoft's, you know, our services, we can still establish control over that data. So let's take a look. Go to Connected Apps. So this is the set of connectors that I've got right now. This one, my instance of ServiceNow, just spun down; it's a virtual machine, so there's no connection. But you see I've established connections to Box and Salesforce, but I can also make connections to these other services: Cisco Webex, Amazon Web Services. So if you want to monitor what people are doing in AWS, if you want to see who spun up a machine, who deleted a virtual machine, who created a certain service in AWS, we have the APIs, or we use the APIs that AWS exposes, and we can tell you this is what's happening. So this is what it looks like if we go into the alerts. Here's an example: a file containing PCI was detected in the cloud. Okay, so what this shows me is, let's see there, so it tells me the exact file, right, where it's located, who the user was, right? So this is, you know, "bad guy" is the name of the directory that I created. It tells me who was opening it, when they opened it, why it triggered a policy, any kind of information about, you know, who else has access to this file, so collaborators. So I get information there. One of the great tools that's available here is we track breaches of cloud applications. So here, for example, a discovered app security breach: so in this case the breach was for Sprint Nextel, they were breached on July 15th, 2019. It's telling me, you know, if users on my network were going to Sprint Nextel, they could potentially be subject to this breach or have been compromised in this breach. So I can go back and look and see which users went to Sprint Nextel and then tell them, you know, did you know that this data was compromised? Maybe reset your password, or do whatever kind of remediation we need to do. I can also see things like activity from an infrequent country. Now this is where it gets interesting. So I haven't been to any external countries recently, right? I've been logging in from the United States as this user on a regular basis, but notice how granular it's looking at my behavior. It's saying this is the first time that Office 365 was accessed in 83 days by this user, the first time they accessed it in 40 days from the United States, the United States was visited for the first time in 90 days by this user, this is the first time a mobile device was used in 135 days, this is the first time this IP address was accessed in 135 days, first time AT&T Wireless was used to access this. So I mean, these are all the things that go into that risk scoring that we talked about, right? So if it's been [inaudible], it's gonna say this has never happened before, something's different, right? Tells me that I was logging in with an Android device, that I was logging in with Chrome, and that this was the first time I used Chrome in 90 days. So all this type of stuff gives me visibility into who's accessing the data and what they're trying to do with it. If I go also to my Azure AD Identity Protection, which is one of the things I talked about... How many of you are familiar with the Secure Score tool that we have in Office 365? So how do you like it? And be honest.

Yeah, yeah. And I think part of the problem is that the scoring doesn't change until, like, overnight or a couple of days after sometimes, so it's not immediate. But one of the things that Microsoft is doing is going to the score-based security. So we know, or we feel we know, what constitutes good security controls in Office 365, in Azure AD, in Azure, and so we're saying, if you implement MFA, that's good, so here's 50 points. If you are protecting your files using OneDrive and SharePoint, we feel that's good, here's 20 points. So the higher your score goes, that's a way of measuring the level of security you've got for your data, for your identities, and so on.

So as we look at Azure AD Identity Protection, one of the things that I had mentioned was this idea of risky sign-ins, right? So these are the users that have been tagged as being at risk. So Enrico Cattaneo is considered at risk, so let's take a look at why, potentially, that's the case. Not easy to see it with... let me just scrunch it down a little bit. Okay, so hopefully you can see this. What it's looking at here is, you know, when they logged in, what the office location was, no risky sign-ins, no problems. Their risk history, though: anonymous IP address. So maybe somebody logged in with a Tor browser. Okay, so a Tor browser, from our perspective, if you're logging in with the Tor browser, that by itself is a little sketchy. There's no legitimate reason why somebody would need to be logging in with the Tor browser other than to hide themselves, which is kind of silly when you think about it, because it's pretty well known, like, the CIA and FBI and NSA put nodes all across the Tor network so that they can watch what's going on on the Tor network. It's not as secure as you think it is, right? Anyway, so we can look at this type of behavior, and then we can say things like, if this type of behavior happens, force him to change his password, or force him next time to log in with MFA, right? So these are the types of things that we can put controls around. One last thing, and then I'll be just about done. Here's the Secure Score thing that I was telling you about. So in this case my Secure Score is 28%, which is pretty abysmal, because I don't really do a whole lot in this tenant to lock it down. But you notice I can control things, if you can read it: I can control things by identity, by the data protection mechanisms that I'm using, the devices, how I'm protecting the devices, the applications on my network, and then even the infrastructure. So you can put controls around your Azure infrastructure and say, I see that the Azure virtual machine, the drives, are not BitLockered, there's no endpoint protection on these virtual machines, or they aren't being backed up, or there's no redundancy, things like that that would secure your environment. And there's also now a compliance score. Okay, so if you're subject to compliance regulations in your environment, there's a compliance score that allows you to measure how you're doing against various compliance regulations. So that's something that was announced this week. All right, so let's kind of wrap things up here. Let me open up my PowerPoint; hopefully it won't crash again.

Just speak English. All right, yeah, I'm not sure what would cause that.

So there it is. See if it speaks Danish. There it is. Okay, so protecting your data in your corporate environment requires that you have to protect your identities, right? We have to secure the identity first, and that's the control plane that we talked about that's going to grant access to all these other things. So we come back to the original point: trust no one. So if you have any questions about the zero trust network, that's, again, Microsoft's implementation of zero trust. That's my blog, Cloudy Happy People. Who gets that? And it's gonna be the old people raising their hand. Anybody get the reference, Cloudy Happy People? That's R.E.M., they were "Shiny Happy People." Feel free to email me. I'll be happy to connect with you on LinkedIn and whatever. So, any questions? Yes, sir.

Yes.

For which control?

So, okay, [inaudible]. Am I done? Oh, well, sorry. Yeah, so the question was, how do we... Secure Score doesn't necessarily tell you what licensing level you need to get to a certain control. So I'm not sure that that's entirely true, because the way it's set up is that it's supposed to look at the applications and licensing that you have and provide recommendations based on that. So if there's a specific control that you're seeing, maybe like, for example, MFA: you can implement MFA without having, like, an Azure AD Premium SKU. There's other ways to do MFA. It's not, you know, the most flexible way to do MFA, but you can do it with other SKUs. So I, if [inaudible] by any chance, because the idea is we're only going to score you against what you're licensed for and what you've enabled. I mean, we're not going to score you negatively if you're, you know, because you have zero in Azure infrastructure, but you have no virtual machines, right? But I mean, it's worth... feel free to email me if you have a question. Any other questions? All right, trust no one, everybody. [Applause]
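As an added illustration of the conditional access demo and the risk-scoring idea in the talk (example code written for this page, not Microsoft's or the speaker's), a small Python evaluator models the demoed policies: the trusted named location 192.168.0.0/24, MFA for guests reaching Box from outside trusted locations at medium or higher sign-in risk, the baseline legacy-authentication block, and session control for the Sales and Marketing group on Salesforce. The field names, decision labels, the three-signal risk threshold and the sample addresses are assumptions of this example, not Azure AD's schema.

```python
"""Toy model of the conditional access flow demoed in the talk. Constructed for
illustration: field names, decision names and risk thresholds are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Set, Tuple

RISK_ORDER = {"none": 0, "low": 1, "medium": 2, "high": 3}

# Named location from the demo: a subnet the tenant has higher confidence in.
TRUSTED_LOCATIONS = {"Charleston BSides": ip_network("192.168.0.0/24")}


def is_trusted_location(client_ip: str) -> bool:
    addr = ip_address(client_ip)
    return any(addr in net for net in TRUSTED_LOCATIONS.values())


def risk_level(anonymous_ip: bool, first_time_signals: int) -> str:
    """Assumed scoring: an anonymous source (e.g. Tor) is high risk; otherwise the
    count of 'first time in N days' novelties (country, device, browser, ISP)
    raises the level, mirroring the identity protection signals in the talk."""
    if anonymous_ip:
        return "high"
    if first_time_signals >= 3:
        return "medium"
    return "low" if first_time_signals else "none"


@dataclass(frozen=True)
class SignIn:
    user: str
    user_type: str          # "member" or "guest"
    roles: FrozenSet[str]   # e.g. {"global_admin"}
    groups: FrozenSet[str]  # e.g. {"sales and marketing"}
    app: str                # workload: "box", "salesforce", "exchange", ...
    client_ip: str
    platform: str           # "android", "ios", "windows", "macos", "other"
    client_app: str         # "browser", "mobile_app" or "legacy" (older protocols)
    sign_in_risk: str       # output of risk_level()


@dataclass(frozen=True)
class Policy:
    name: str
    grant: str                             # "block", "require_mfa", "app_control"
    user_types: Optional[Set[str]] = None  # None means the condition is not set
    roles: Optional[Set[str]] = None
    groups: Optional[Set[str]] = None
    apps: Optional[Set[str]] = None
    platforms: Optional[Set[str]] = None
    client_apps: Optional[Set[str]] = None
    min_risk: str = "none"                 # modelled as "this level or higher"
    exclude_trusted_locations: bool = False


def policy_applies(p: Policy, s: SignIn) -> bool:
    """Every configured condition must hold; an unset condition matches anything."""
    scalar = [(p.user_types, s.user_type), (p.apps, s.app),
              (p.platforms, s.platform), (p.client_apps, s.client_app)]
    if any(sel is not None and val not in sel for sel, val in scalar):
        return False
    membership = [(p.roles, s.roles), (p.groups, s.groups)]
    if any(sel is not None and sel.isdisjoint(val) for sel, val in membership):
        return False
    if RISK_ORDER[s.sign_in_risk] < RISK_ORDER[p.min_risk]:
        return False
    return not (p.exclude_trusted_locations and is_trusted_location(s.client_ip))


# Policies built or mentioned in the demo (baseline "MFA for end users" left out).
POLICIES = [
    Policy("Block legacy authentication", "block", client_apps={"legacy"}),
    Policy("Require MFA for admins", "require_mfa", roles={"global_admin"}),
    Policy("Charleston trust Box", "require_mfa", user_types={"guest"}, apps={"box"},
           platforms={"android", "ios", "windows", "macos"},
           client_apps={"browser", "mobile_app"}, min_risk="medium",
           exclude_trusted_locations=True),
    Policy("Salesforce session control", "app_control",
           groups={"sales and marketing"}, apps={"salesforce"}),
]


def evaluate(s: SignIn, policies=POLICIES) -> Tuple[str, List[str]]:
    """Combine all applicable policies: any block wins; otherwise access is
    granted once the union of the required controls has been satisfied."""
    required: Set[str] = set()
    for p in policies:
        if policy_applies(p, s):
            if p.grant == "block":
                return "block", [p.name]
            required.add(p.grant)
    return "allow", sorted(required)


if __name__ == "__main__":
    # Constructed sample: a guest opening Box from an untrusted address after
    # three first-time signals (new country, new device, new browser).
    guest = SignIn("guest@partner.example", "guest", frozenset(), frozenset(), "box",
                   "203.0.113.7", "android", "browser", risk_level(False, 3))
    print(evaluate(guest))  # ('allow', ['require_mfa'])
```

The same guest signing in from inside 192.168.0.0/24 gets no extra control, and a legacy-protocol sign-in is blocked before any grant is considered.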