Add to collection(s) Add to saved
  1. No category

Cybersecurity - Microsoft Cyber Capabilities

Percent of non-domain computers reporting infections
2.5%
2.0%
1.5%
1.0%
0.5%
0.0%
Enabled
No protection
Off
Expired
Out of date
1,800
1,600
M edium (4–6.9)
1,600
Low complexity
(highest risk)
M edium complexity
(medium risk)
1,200
1,000
High (7–10)
800
600
400
Low (0–3.9)
200
0
Industrywide vulnerability disclosures
Industrywide vulnerability disclosures
1,400
1,400
1,200
1,000
800
600
400
200
High complexity
(lowest risk)
0
2H11
1H12
2H12
1H13
2H13
1H14
2H11
1H12
2H12
1H13
2H13
1H14
14%
12.6%
Pecent of all vulnerability disclosures
12%
11.4%
11.3%
10.6%
10%
8.0%
8%
7.1%
5.9%
6%
4.6%
4%
3.1%
2.5%
2%
0%
Oracle
Debian
Red Hat
Canonical
Cisco
IBM
Microsoft
Apple
Google
Mozilla
Encounter rate (percent of all reporting computers)
3.0%
Exploit kits and
other HTM L/ JS
2.5%
2.0%
1.5%
1.0%
Java
Operating system
0.5%
0.0%
3Q13
4Q13
1Q14
2Q14
Other
Documents
Adobe Flash (SWF)
Browser
Encounter rate (percent of all reporting computers)
30%
25%
Nondomain
20%
15%
10%
Domain
5%
0%
3Q13
4Q13
1Q14
2Q14
Encounter rate (percent of all reporting computers)
9%
8%
7%
6%
5%
4%
Domain
Non-domain
3%
2%
1%
0%
Trojans
Worms &
Viruses
Adware
Exploits
Downloaders Obfuscators & Backdoors
& Droppers Injectors
Password
Stealers &
Monitoring
Tools
Other
Malware
Browser
Modifiers
Ransomware
Metric
3Q13
4Q13
1Q14
2Q14
Encounter rate, Australia
16.5 %
13.5%
13.0 %
11.7 %
Worldwide encounter rate
24.0%
21.4%
21.3%
19.1%
CCM, Australia
4.3
5.7
5.2
3.6
Worldwide CCM
7.5
9.7
10.8
7.2
Percent of all reporting computers (encounter
rate)
1
2
Infection rate
25%
10
20%
8
15%
6
10%
4
5%
2
0%
0
3
Australia
4
1
Worldwide
2
3
4
Computers cleaned per 1,000 scanned (CCM)
30%
Encounter rate
12
Percent of all reporting computers (encounter rate)
8%
7%
6%
5%
4%
3%
2%
1%
0%
1
2
3
4
Series1
Series2
5
6
7
8
9
10
Massive Shift
In Thinking
“Not a target” or “We’re Secure”
To
Assume Breach
Typical Attack
Timeline &
Observations
Profile of an
attack
% Degradation of
Operational
Effectiveness
Recon
Escalation
Detection
Recovery
Recovery
Initiated
Penetration
Attacker Work Factor
Protect
Protect. Detect. Contain. Recover.
% Degradation of
Operational
Effectiveness
Effect of Protective
controls increasing
the work factor for the
attacker
Attacker Work Factor
Detect
Protect. Detect. Contain. Recover.
% Degradation of
Operational
Effectiveness
Effect of
detective
controls
enabling a
more rapid
response
Attacker Work Factor
Contain
Protect. Detect. Contain. Recover.
% Degradation of
Operational
Effectiveness
Effect of containment
controls reducing the
impact of an attack
Attacker Work Factor
Recover
Protect. Detect. Contain. Recover.
% Degradation of
Operational
Effectiveness
Effect of recovery
controls decreasing
the time to initiate
recovery and
improving the rate of
recovery
Attacker Work Factor
Putting it All
Together
Protect. Detect. Contain. Recover.
% Degradation of
Operational
Effectiveness
Contain
Protect
Attacker Work Factor
What’s Hot
and Relevant
•
•
•
•
Initial Exploitation - EMET
Escalation - Credential Theft
Detection – Needles in the haystack
Exec Scorecards – Top 4 ASD
EMET
2013 0-day Vulnerabilities mitigated
2014 0-day Vulnerabilities mitigated
Vulnerability
Affected
Software/component
Security
Bulletin
EMET Mitigated
CVE-2014-1776
Internet Explorer
MS14-021
Yes
CVE-2014-1761
Microsoft Word
MS14-017
Yes
Credential
Theft
Administrative Model and Security Model
• Administrative model
• Control subjects should have over objects
• Uses normal/authorized tools
• Security model
• Control subjects actually have over objects
Control Restrictions
Tier 0
Same Tier
Control
Tier 1
Lower Tier
Control
Higher Tier
Control
Tier 2
Blocked
Only as required
by role
Tier Model Logon Restrictions
Tier 0
Same Tier
Logon
Tier 1
Higher Tier
Logon
Lower Tier
Logon
Tier 2
Blocked
Only as required
by role
Detect
Must Use On
Windows
Summary and
Take Away
• Leverage the SIR v17
• Focus on Increasing the workload of the attacker –
continue to focus refine the basics
• Do you have the right balance across Protect/ Detect/
Contain and Recover?
• Think “Agile security” – incremental improvement
• Always start any activity with “Assume breach”
scotde@microsoft.com
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Internet Explorer, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of
Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Related documents
LTL 4F Notes Template DOC
LTL 4F Notes Template DOC
RTI Tier_Exit_Parent_Letter ENG
RTI Tier_Exit_Parent_Letter ENG
3 Tier Vocabulary Words
3 Tier Vocabulary Words
Tier 2 Classroom Teacher Input
Tier 2 Classroom Teacher Input
TIER 1 INTERVENTION CHECKLIST
TIER 1 INTERVENTION CHECKLIST
Three Tiers of Vocabulary
Three Tiers of Vocabulary
document
document
Download