Microsoft Work Exposes Magnitude of Botnet Threat Microsoft's Security Intelligence Report sheds light on the expanding threat that bots… Researchers Discover Link Between a Series of Trojans A difficult.

Microsoft Work Exposes Magnitude of Botnet Threat
Microsoft's Security Intelligence Report sheds light on the expanding threat that bots…

Researchers Discover Link Between a Series of Trojans
A difficult-to-remove rootkit behind numerous sophisticated attacks appears to have helped spread yet another Trojan.
Groundbreaking Malware Resistance: Protect and Manage Threats
Protects the client, data, and corporate resources by making the client inherently secure and less vulnerable to the effects of malware.

Pervasive Device Encryption: Protect Sensitive Data
Simplifies provisioning and compliance management of encrypted drives on the widest variety of PC form factors and storage technologies.

Modernized Access Control: Protect Access to Resources
Modernizes access control and data management while increasing data security within the enterprise.
Challenges That We Face In Combatting Malware
Secure Hardware
What is UEFI?
• An interface built on top of traditional BIOS that replaces some of its aspects
• Like BIOS, it hands control of the pre-boot environment to an OS
Key Benefits
• Architecture-independent
• Enables device initialization and operation (mouse, pre-OS apps, menus)
Key Security Benefits
• Secure Boot
• Encrypted Drive support for BitLocker
• Network Unlock support for BitLocker
• A Windows Certification Requirement (UEFI 2.3.1)
Trusted Platform Module 2.0
TPM Value Proposition
• Enables commercial-grade security via physical and virtual key isolation from the OS
• TPM 1.2 spec: mature standard, years of deployment and hardening
• Improvements in TPM provisioning lower deployment barriers
TCG Standard evolution: TPM 2.0*
• Algorithm extensibility allows for implementation and deployment in additional countries
• Security scenarios are compatible with TPM 1.2 or 2.0
• Windows 8: TPM 2.0 support enables implementation choice
  • Discrete TPM
  • Firmware-based (ARM TrustZone®; Intel's Platform Trust Technology (PTT))
• Windows Logo Requirement for AOAC Only
Windows 8 security features and the hardware they depend on (each feature is marked X under TPM 1.2/2.0 or UEFI 2.3.1):

#    Feature                                      Hardware dependency (TPM 1.2/2.0 or UEFI 2.3.1)
1    BitLocker: Volume Encryption                 X
2    BitLocker: Volume Network Unlock             X
3    Trusted Boot: Secure Boot                    X
4    Trusted Boot: ELAM                           X
5    Measured Boot                                X
6    Virtual Smart Cards                          X
7    Certificate Storage (Hardware Bound)         X
8    Address Space Layout Randomization (ASLR)    X
9    Visual Studio Compiler                       X
10   More…                                        X
Securing the Core
Attacker Return = (Gains per use x Opportunities to use) - (Cost to acquire vulnerability + Cost to weaponize)
Security development lifecycle phases: Training, Requirements, Design, Implementation, Verification, Release, Response
Securing the Boot
Legacy Boot: BIOS → OS Loader (Malware) → OS Start
• BIOS starts any OS loader, even malware
• Malware may start before Windows
Modern Boot: Native UEFI → Verified OS Loader Only → OS Start
• The firmware enforces policy and only starts signed OS loaders
• The OS loader enforces signature verification of Windows components. If verification fails, Trusted Boot triggers remediation.
• Result: malware is unable to change boot and OS components
Windows 7
• Malware is able to boot before Windows and anti-malware
• Malware is able to hide and remain undetected
• Systems can be compromised before AM starts
Windows 8
• Secure Boot loads anti-malware early in the boot process
• The Early Load Anti-Malware (ELAM) driver is specially signed by Microsoft
• Windows starts AM software before any 3rd party boot drivers
• Malware can no longer bypass AM inspection
Windows 7
• Measurements of some boot components are evaluated as part of boot
• Only enabled when BitLocker has been provisioned
Windows 8
• Measures all boot components
• Measurements are stored in a Trusted Platform Module (TPM)
• Remote attestation, if available, can evaluate client state
• Enabled when a TPM is present; BitLocker is not required
Measured Boot and Remote Attestation flow
Components in the diagram: UEFI Boot (Boot Policy), TPM, Windows OS Loader (AM Policy), Windows Kernel and Drivers, AM Software, 3rd Party Software, Windows Logon, Client, Remote Resource (File Server), Remote Attestation Service.
1. Secure Boot prevents a malicious OS loader.
2. Measurements of components, including AM software, are stored in the TPM. AM software is started before all 3rd party software.
3. Client retrieves the TPM measurements of the client and sends them to the Remote Attestation Service.
4. Remote Attestation Service issues a Client Health Claim to the Client.
5. Client attempts to access a resource. Server requests the Client Health Claim.
6. Client provides the Health Claim. Server reviews it and grants access to healthy clients.
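To make the Measured Boot bullets and the attestation flow above concrete, here is an added Python simulation (written for this page, not Microsoft's code or the deck's) of a single SHA-256 PCR extend chain on the client and an attestation service that replays the event log against the quoted PCR and an allowlist of known-good component hashes; the component names, image blobs and allowlist are constructed for the example.

```python
import hashlib
import hmac

# Added example (not from the slide deck): simulates the Measured Boot chain on the
# client and the Remote Attestation Service's evaluation of it. Assumptions: one
# SHA-256 PCR, a constructed event log, and an allowlist standing in for policy.

PCR_INIT = b"\x00" * 32

def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM PCR extend: new = H(old || measurement). Order-dependent and not settable."""
    return hashlib.sha256(pcr + measurement).digest()

def measured_boot(components):
    """Client side: measure each boot component into the PCR and keep an event log."""
    pcr, log = PCR_INIT, []
    for name, blob in components:
        m = hashlib.sha256(blob).digest()
        log.append((name, m))
        pcr = extend(pcr, m)
    return pcr, log  # pcr stands in for the TPM quote sent to the service

def evaluate_health(quoted_pcr, log, allowlist):
    """Service side: replay the log, check it matches the quote, then apply policy."""
    replay = PCR_INIT
    for _, m in log:
        replay = extend(replay, m)
    if not hmac.compare_digest(replay, quoted_pcr):
        return False, "event log does not match quoted PCR"
    for name, m in log:
        if allowlist.get(name) != m:
            return False, f"unknown or modified component: {name}"
    return True, "healthy"  # a Client Health Claim would be issued here

# Constructed boot chain: firmware, OS loader, ELAM driver, then a 3rd party driver
GOOD_CHAIN = [
    ("UEFI firmware", b"uefi-2.3.1-image"),
    ("Windows OS Loader", b"bootmgfw-signed"),
    ("ELAM driver", b"elam-driver-signed"),
    ("3rd party driver", b"vendor-driver-1.0"),
]
ALLOWLIST = {name: hashlib.sha256(blob).digest() for name, blob in GOOD_CHAIN}

def tamper(chain, target, blob):
    # Return a copy of the chain with one component's image replaced
    return [(n, blob if n == target else b) for n, b in chain]

def attest(chain, allowlist=ALLOWLIST):
    """Full round trip: client measures its boot, service evaluates the result."""
    pcr, log = measured_boot(chain)
    return evaluate_health(pcr, log, allowlist)
```

Because the PCR can only be extended, a client that booted a modified loader cannot present an honest quote alongside a clean log, which is what the replay check catches.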
Securing After Boot
Devices and Security
http://northamerica.msteched.com
www.microsoft.com/learning
http://microsoft.com/technet
http://microsoft.com/msdn