Microsoft Confidential
Big Data and Cybersecurity Microsoft Digital Crimes Unit
Cristina Metea Microsoft Romania 10 June 2016
Cybersecurity is a Boardroom-level Issue
160M data records compromised from the top 8 breaches in 2015
556M victims of cybercrime per year
$400B cost of cyberattacks to companies each year
71% of companies admit they fell victim to a successful cyber attack the prior year
$3 trillion estimated cost in economic value from the cybercrime industry by 2020
140+ median number of days between infiltration and detection
MICROSOFT’S UNIQUE PERSPECTIVE
300B user authentications each month
1B Windows devices updated
200B emails analyzed for spam and malware
A Layered Approach to Security
Helping to protect our customers, our company, and our world
These growing threats demand a coordinated response:
• Cyber Security Services Engineering
• Digital Crimes Unit
• Information Security & Risk Management
• Microsoft Azure
• Microsoft Security Response Center
• Microsoft Threat Intelligence Center
• Office 365
• Windows & Devices Group
Cyber Defense Operations Center
A safer digital experience for every person and organization on the planet
The Microsoft Digital Crimes Unit
Public and private partnerships to fight technology-facilitated crimes.
Combining novel legal strategies, cutting-edge forensics, cloud and big data analytics
Malware Disruptions
DCU acquires targets, investigates, and orchestrates global partnerships to take action
Working with Law Enforcement and others to disrupt the criminal infrastructure
Our malware intelligence is embedded into Microsoft’s products and services
We enable CERTs/ISPs globally to notify and remediate
Public and Private Partnerships
Public-private cooperation leads to international malware disruptions
Driving scale and impact
Botnet Takedowns and Malware Disruption Operations
Operations: Conficker, Waledac, Rustock, Kelihos, Zeus, Nitol, Bamital, Citadel, Sirefef, Gameover Zeus, Bladabindi & Jenxcus, Simda, Ramnit, Caphaw, Dorkbot
Waledac, Feb 2010: First MS takedown operation, proving the model of industry-led efforts. Disconnected 70,000-90,000 infected devices from the botnet. Threat: botnet worm sending SPAM.
Rustock, March 2011: Supported by stakeholders across industry sectors. Involved US and Dutch law enforcement, and CN-CERT. Threat: SPAM, on average 192 spam messages per compromised machine per minute.
Kelihos, Sep 2011: Partnership between Microsoft and security software vendors. First operation with a named defendant. Threat: SPAM, Bitcoin mining, DDoS attacks.
Zeus, March 2012: Cross-sector partnership with financial services. Focused on disruption because of technical complexity. Threat: identity theft / financial fraud.
Nitol, Sep 2012: Nitol was introduced in the supply chain relied on by Chinese consumers. Settled with the operator of the malicious domain. Threat: malware spreading, DDoS attacks.
Bamital, Feb 2013: Bamital hijacked people’s search results and took victims to dangerous sites. Takedown in collaboration with Symantec, with a proactive notification and cleanup process. Threat: advertising click fraud.
Citadel, June 2013: Citadel committed online financial fraud, responsible for more than $500M in losses. Coordinated disruption with the public and private sector. Threat: identity theft / financial fraud.
Sirefef (ZeroAccess), Dec 2013: ZeroAccess hijacked search results, taking victims to dangerous sites. It cost online advertisers upwards of $2.7 million each month. Threat: advertising click fraud.
Bladabindi & Jenxcus, June 2014: Malware using Dynamic DNS for command. It involved password and identity theft, webcam spying and other privacy invasions. Over 200 different types of malware impacted. Threat: identity theft / financial fraud / privacy invasion.
Gameover Zeus, June 2014: GameOver Zeus (GOZ) was a banking Trojan. Worked in partnership with law enforcement, providing technical remediation. Threat: identity theft / financial fraud.
Caphaw, July 2014: Caphaw was focused on online financial fraud, responsible for more than $250M in losses. Coordinated disruption with the public and private sector. Threat: identity theft / financial fraud.
Conficker, Feb 2010: Microsoft-led model of industry-wide efforts to counter the threat. Threat: botnet worm sending SPAM and attempting to steal confidential data and passwords.
Ramnit, Feb 2015: Module-based malware stealing credential information from banking websites. Configured to hide itself. Threat: credential information theft / disabling security defenses.
Simda, April 2015: Theft of personal information, including banking passwords, as well as installing and spreading other malware. Threat: theft of personal data / installing and spreading other malware.
Dorkbot, December 2015: Used for cybercriminal activities such as credential harvesting for financial fraud, DDoS attacks and the downloading of malicious payloads. Threat: financial fraud, DDoS attacks.
Actionable Intelligence from Malware Disruptions
Most Common Malware Threats in Romania, 1-31 March 2016
Conficker 84 452: February 2010. Botnet worm.
Ramnit 79 810: Feb 2015. Credential information theft / disabling security defenses.
Bladabindi & Jenxcus 66 430: June 2014. Malware using Dynamic DNS for command. It involved password and identity theft, webcam and other privacy invasions. Over 200 different types of malware impacted by the takedown. Identity theft / financial fraud / privacy invasion.
Dorkbot 61 424: Used for cyber criminal activities such as credential harvesting for financial fraud, DDoS attacks, and the downloading of malicious payloads. Disrupted in cooperation with FBI and international law enforcement.
Strategic Enforcement
“Criminal target 1”
Identifying criminal activity by building a smart detection system that uses Machine Learning
Abuse in the Reseller Channel: using a known criminal data model to identify similar crimes
[Chart: distribution of resellers by average distance between customer address and activation location in miles; x-axis bins of 100 miles from 0-100 up to 4400-4500; left y-axis: Number of Resellers (0 to 450); right y-axis: % of resellers (0 to 1); annotated with Criminal target 1 through Criminal target 5]
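The chart's feature, the average distance between where a customer says they are and where the product was activated, worked through as an added example. This is not DCU's code or model (the slide does not describe how the model is built); the activation records, coordinates, reseller IDs, 100-mile bins and the 500-mile review threshold are all constructed for this illustration.

```python
"""Reseller-channel abuse signal: average distance between the customer's
address and the location where the product was activated.

Added example, not Microsoft DCU code. Records, coordinates and the
500-mile review threshold are constructed for this illustration."""
import math
from collections import defaultdict

EARTH_RADIUS_MILES = 3958.8


def haversine_miles(lat1, lon1, lat2, lon2):
    """Great-circle distance in miles between two latitude/longitude points."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_MILES * math.asin(math.sqrt(a))


# Constructed sample: (reseller_id, customer_lat, customer_lon, activation_lat, activation_lon)
ACTIVATIONS = [
    ("R-001", 44.43, 26.10, 44.45, 26.08),    # Bucharest address, activated locally
    ("R-001", 46.77, 23.60, 46.76, 23.59),    # Cluj address, activated locally
    ("R-001", 45.75, 21.23, 45.74, 21.22),    # Timisoara address, activated locally
    ("R-002", 44.43, 26.10, 40.71, -74.01),   # Bucharest address, activated in New York
    ("R-002", 44.43, 26.10, 31.23, 121.47),   # Bucharest address, activated in Shanghai
    ("R-002", 44.43, 26.10, -23.55, -46.63),  # Bucharest address, activated in Sao Paulo
]


def average_distance_by_reseller(records):
    """Mean customer-to-activation distance per reseller."""
    totals = defaultdict(lambda: [0.0, 0])  # reseller -> [sum of miles, count]
    for reseller, clat, clon, alat, alon in records:
        totals[reseller][0] += haversine_miles(clat, clon, alat, alon)
        totals[reseller][1] += 1
    return {r: s / n for r, (s, n) in totals.items()}


def distance_bin(miles, width=100):
    """Label of the histogram bin a distance falls into, e.g. '200-300'."""
    lo = int(miles // width) * width
    return f"{lo}-{lo + width}"


def histogram(avg_by_reseller, width=100):
    """Bin label -> (number of resellers, fraction of resellers), as on the chart."""
    counts = defaultdict(int)
    for miles in avg_by_reseller.values():
        counts[distance_bin(miles, width)] += 1
    total = len(avg_by_reseller)
    return {b: (n, n / total) for b, n in counts.items()}


def flag_resellers(avg_by_reseller, threshold_miles=500.0):
    """Resellers whose average distance is far enough to warrant review (threshold is constructed)."""
    return sorted(r for r, d in avg_by_reseller.items() if d >= threshold_miles)


if __name__ == "__main__":
    avg = average_distance_by_reseller(ACTIVATIONS)
    for r, d in sorted(avg.items()):
        print(f"{r}: {d:8.1f} miles  bin {distance_bin(d)}")
    print(histogram(avg))
    print("review:", flag_resellers(avg))
```

A single long-distance activation is not suspicious on its own (people travel), which is why the signal is averaged per reseller and compared against the population distribution rather than scored per record.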
The Microsoft SECURITY PLATFORM
Microsoft is committed to building trust with governments and sharing security information
Government Security Program objectives:
• Help protect governments and their citizens
• Build trust and transparency
• Strengthen public-private partnerships
Provided through the program:
• Direct access to Microsoft product and security resources
• Access to Transparency Centers to work with source code
• Remote access to online source code
• Technical data, including Microsoft Azure and O365
• Information sharing about threats and vulnerabilities leveraging CTIP
Protect Your Environment
Best practices: invest in your platform, your instrumentation, and your people
• Maintain a well-documented inventory of your assets
• Acquire/build the tools needed to fully monitor your network, hosts, and logs
• Establish relationships and communication between the incident response team and other groups
• Define your security policy with clear standards and guidance
• Proactively maintain controls and measures, and regularly test them for accuracy and effectiveness
• Adopt least privilege admin principles; eliminate persistent admin rights
• Use proper hygiene: most attacks can be prevented with timely patches and antivirus
• Maintain tight control over change management policies
• Use the lessons learned to gain value from every major incident
• Employ multi-factor authentication to strengthen protection of accounts and devices
• Monitor for abnormal account and credential activity to prevent abuse
• Educate, empower, and enlist users to recognize likely threats and their role in protecting business data
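Three detection rules for the "monitor for abnormal account and credential activity" and multi-factor authentication practices above, as an added example rather than Microsoft's own tooling. The sign-in log format, the sample lines, the thresholds and the "admin-" naming convention for privileged accounts are constructed for this illustration.

```python
"""Detection rules over sign-in events (added example, not Microsoft code).
Log format, sample lines, thresholds and the 'admin-' convention are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>OK|FAIL) mfa=(?P<mfa>yes|no)$"
)

# Constructed sample log: a password-guessing burst against bob, carol signing in
# from two addresses minutes apart, and a privileged account without MFA.
SAMPLE_LOG = """\
2016-06-10T08:00:01Z user=alice src=198.51.100.7 result=OK mfa=yes
2016-06-10T08:02:10Z user=bob src=203.0.113.5 result=FAIL mfa=no
2016-06-10T08:02:14Z user=bob src=203.0.113.5 result=FAIL mfa=no
2016-06-10T08:02:19Z user=bob src=203.0.113.5 result=FAIL mfa=no
2016-06-10T08:02:25Z user=bob src=203.0.113.5 result=FAIL mfa=no
2016-06-10T08:02:31Z user=bob src=203.0.113.5 result=FAIL mfa=no
2016-06-10T08:02:40Z user=bob src=203.0.113.5 result=OK mfa=no
2016-06-10T08:10:00Z user=carol src=198.51.100.9 result=OK mfa=yes
2016-06-10T08:15:00Z user=carol src=192.0.2.44 result=OK mfa=yes
2016-06-10T08:20:00Z user=admin-dave src=198.51.100.2 result=OK mfa=no
"""


def parse(log_text):
    """Parse the constructed log format into event dicts with a datetime timestamp."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the constructed format
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(d)
    return events


def failures_then_success(events, min_failures=5, window=timedelta(minutes=10)):
    """Rule 1: a burst of failed sign-ins followed by a success within the window."""
    alerts = []
    recent = defaultdict(list)  # user -> timestamps of failures inside the window
    for e in events:
        fails = recent[e["user"]]
        fails[:] = [t for t in fails if e["ts"] - t <= window]
        if e["result"] == "FAIL":
            fails.append(e["ts"])
        elif len(fails) >= min_failures:
            alerts.append(("failures-then-success", e["user"], len(fails)))
            fails.clear()
    return alerts


def success_without_mfa(events, privileged_prefix="admin-"):
    """Rule 2: a privileged account (constructed 'admin-' prefix) signed in without MFA."""
    return [("no-mfa-privileged", e["user"], e["src"]) for e in events
            if e["result"] == "OK" and e["mfa"] == "no"
            and e["user"].startswith(privileged_prefix)]


def multiple_sources(events, window=timedelta(minutes=30)):
    """Rule 3: one account succeeding from more than one source address in a short window."""
    alerts = []
    seen = defaultdict(list)  # user -> [(ts, src)] of recent successes
    for e in events:
        if e["result"] != "OK":
            continue
        hist = [(t, s) for t, s in seen[e["user"]] if e["ts"] - t <= window]
        if any(s != e["src"] for _, s in hist):
            alerts.append(("multiple-sources", e["user"], e["src"]))
        hist.append((e["ts"], e["src"]))
        seen[e["user"]] = hist
    return alerts


def run_rules(log_text):
    """Run all three rules and return the combined alert list."""
    events = parse(log_text)
    return failures_then_success(events) + success_without_mfa(events) + multiple_sources(events)


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_LOG):
        print(alert)
```

Rule 3 fires on any change of source address, which is noisy for mobile users; in practice it is tuned with a geolocation lookup or an allow-list of corporate egress addresses, neither of which the page describes.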
www.microsoft.com/sir
www.microsoft.com/sdl
www.microsoft.com/twc
blogs.technet.com/security
www.microsoft.com/trustedcloud