Cloud Security, Mobility and Current Threats
Tristan Watkins, Head of Research and Innovation
Threat Landscape
Verizon Data Breach Investigations Report
Verizon DBIR: Threat actors and actions
Verizon DBIR: Threat actor motive (2016)
Verizon DBIR: Threat actor method (2016)
Verizon DBIR: Breached assets (2016)
Verizon DBIR: Time to compromise (2016)
Verizon DBIR: Time to discovery (2016)
DLP: Insider risks
“We see individuals abusing the access
they have been entrusted with by their
organization in virtually every industry...
with financial gain and convenience being
the primary motivators (40% of incidents),
whether they plan to monetize stolen data
by selling it to others (such as with
financial data) or by directly competing
with their former employer.”
Why? How?
DLP: accidental and outsider risks
Unintended data leaks are very hard to protect against
• For every way that data can be lost, we need a specific (often unique) defence
Examples of unintended data loss:
• Lost/stolen device
• Lost/stolen drives/media
• Wrong recipient
• Credential theft:
o Keystroke loggers
o Social engineering
o Bad password practices
• Memory scraping
Neither file-level protections nor FDE will solve for all of these risks
Phishing and social engineering
"23% of recipients now open phishing messages and 11% click on attachments."
"a campaign of just 10 e-mails yields a greater than 90% chance that at least one person will become the criminal’s prey."
"…nearly 50% of users open e-mails and click on phishing links within the first hour. …the median time-to-first-click coming in at one minute, 22 seconds across all campaigns."
Signature Detection Obsolescence
Much of today's malware code is modified so quickly that it will avoid detection
• “99% of malware hashes are seen for only 58 seconds or less. In fact, most malware was seen only once”.
• 40 million malware samples
• 3.8 million malware signatures (90%+ is found only once in the data)
• 20,000 common signatures across organisations
• 99.95% is organisationally-unique
Signature modification can be trivially automated in PowerShell
Image Courtesy of John Lambert, General Manager of the Microsoft Threat Intelligence Center
Modernising Security
What is driving change?
Life before clouds
• Only sanctioned apps are installed
• Resources accessed via managed devices/networks
• IT had layers of defense protecting internal apps
• IT has a known security perimeter
Life with clouds
• User chooses apps (unsanctioned, shadow IT)
• User can access resources from anywhere
• Data is shared by user and cloud apps
• IT has limited visibility and protection
[Diagram labels: On-premises; Storage, corp data; Users]
Microsoft Enterprise Mobility Management
• Identity & Access Management (Azure Active Directory Premium): Easily manage identities across on-premises and cloud. Single sign-on & self-service for any application.
• Mobile Device & App Management (Intune & Configuration Manager): Manage and protect corporate apps and data on almost any device with MDM & MAM.
• Information Protection (Azure Rights Management Premium): Encryption, identity, and authorisation to secure corporate files and email across phones, tablets, and PCs.
• User & Entity Behaviour Analytics (Advanced Threat Analytics): Identify suspicious activities and advanced threats in near real time, with simple, actionable reporting.
• Cloud Access Security Broker (Cloud App Security): Protecting customer data by providing IT visibility, control, and security over cloud applications.
• Windows App Virtualisation (Azure RemoteApp): Share Windows applications and other resources with users on almost any device
[Diagram labels: Enterprise Mobility Suite; Users; Identity Theft; Data; Devices & Apps; SaaS Apps; Windows Apps]
Active Directory Problem Spaces
User Experience
• Makes a user's life easier by providing a single sign-on (SSO) for computers, applications and services
IT Administration
• Simplifies system administration by centralising management of users, computers and policies
Platform services
• Simplifies development by providing authentication, users, groups and/or claims
Security/Compliance
• Lots of complicated non-functional stuff
What would IT be without Active Directory?
Sign-on would be a colossal mess
IT administrators' lives would be incredibly repetitive and inefficient
...but we would reclaim simplicity from efficiency
What is Azure AD to a user?
The home of my corporate identity
• How I prove who I am, including additional factors of authentication
• Details about who I am (profiles)
• What I belong to (groups)
• The service I entrust with my personal data (privacy protections/compliance)
Gateway to my apps
• A gateway to my apps: Access Panel
• A trustworthy face for cloud resources (custom branding/logos)
Gateway to my internal network from the outside world
• Self-Service Password Reset (SSPR)
• Application Proxy (Reverse Proxy)
• Workplace Join (Device Registration Service)
What is Azure AD to IT?
Directory Service
• The directory is built with Active Directory Lightweight Directory Services (AD LDS)
• Sync on-premises Active Directory Domain Services (AD DS) objects with DirSync/AAD Connect
• DirSync and AADSync were wrapped up with related tools in a new package called AAD Connect
Security Token Service
• Like AD FS. Enables federated sign-on to Office 365, Azure and Software as a Service providers
• Also provides authentication and authorisation services to Azure Websites like SharePoint Apps
Advanced stuff
• Multiple Factors of Authentication (MFA) AKA “2FA”. Think: PIN verification for sign-on
• Application Proxy (Reverse Proxy): Sign-on to on-premises stuff from outside the network
• Device Authentication: restrict sign-on to trusted devices (enables BYOD)
• Reporting and Alerts: Detects unusual/sketchy sign-on patterns and alerts administrators
What is Azure AD to a developer?
Common Consent (OAuth 2.0)
• Secures Apps for Office and SharePoint with or without user authentication
• Sometimes Apps will be permitted to authorize on behalf of a user
Graph API
• Querying directory
• User Profile sync enhancements may originate here
Directory Extensions
• New attributes in Azure AD, flowing through to other services eventually
Back to Basics: What is Windows Logon?
Username/password
Smart card
PIN/gesture (picture password)
Hello (fingerprint, face, iris)
Azure Active Directory Capabilities
Risk Ranking
Defence-in-Depth