Protection against modern security threats

Addressing today’s threats requires a new approach. Windows 10 offers architectural changes that protect from the inside out and go well beyond perimeter defense and building bigger walls.


If you look back at how security threats have evolved over time, you’ll find some disturbing trends. The individuals and small groups out for mischief or personal notoriety that enterprises were used to have been replaced by well-funded criminal organizations seeking profit. More recently these criminal organizations have been joined by highly clandestine organizations with ulterior motives and whose attacks appear to succeed at will.

The harsh reality is that the attackers have acquired the advantage, and if your organization is in the crosshairs, it’s not a question of whether the attackers can get access to your network, it’s a question of how fast they can do it and how long it will take you to find out. It often takes months to detect and almost as long to remediate.


Windows 10

In Windows 10, we have made significant architectural changes to the platform, many of which address tactics used in the attacks that you have been reading about or have personally experienced. These changes are not just defensive measures that present steeper walls for attackers to climb; they are improvements that take critical tactics off the table, in some cases entirely. To achieve this goal, Windows 10 takes full advantage of state-of-the-art hardware technologies to help protect user identities, information, and devices against hacking and malware threats.

Secured Devices

In Windows 7, we took important steps to help keep our customers more secure, but the reality is that in some cases we were only able to make it more difficult for the attackers. To truly address the security challenges that you're facing, Windows would need to take advantage of new hardware technologies that have just recently started to ship in modern devices. With these technologies now becoming pervasive, we have taken the opportunity in Windows 10 to make significant architectural changes to the platform.

Device Integrity

The fight against malware and hacking requires the ability to maintain the integrity of the hardware and the operating system's boot process. Until Windows 8, this proved to be a significant challenge. Boot and rootkit malware could infect the device before any of the system defenses had started and thereby render those defenses inoperable. Windows 8–certified or more recent devices include a new hardware component called UEFI Secure Boot, which helps maintain the integrity of the system firmware and operating system from power on to power off.

Cryptographic processing

In a world where we have to assume that breach attempts are likely, we need hardware to help provide the highest level of assurance when it comes to protecting highly sensitive information such as encryption keys and user identities. Windows uses the standards-based technology in a Trusted Platform Module (TPM) to generate this type of information. It performs operations within a hardware-based environment that is isolated from the operating system. Windows 10 can also use a TPM as a means to verify that device integrity and security capabilities from UEFI, Trusted Boot, and other features are in their desired state and have not been tampered with. This makes the Windows 10 TPM useful for remote health attestation and conditional access scenarios. It is becoming pervasive in both consumer and commercial devices, and it is now a worldwide standard that can be used in countries such as China and Russia, where restrictions may have formerly been in place.

Virtualization

Hardware-based security and isolation are central to our platform security strategy. With Windows 10, we are using virtualization technologies that we formerly used only in Windows Server scenarios. Using them in the client provides an unparalleled level of protection. By taking advantage of virtualization-based security (VBS) powered by Hypervisor technology, we can move some of the most sensitive Windows processes into a secure execution environment to help prevent tampering even when the Windows kernel itself has been fully compromised. In Windows 10, VBS powers features such as Device Guard and Credential Guard, which greatly deter malware, hacking tools, and breaches.

Biometric sensors

Biometrics has been available on the Windows platform and devices for generations, but until Windows 10 it was only a feature offering convenience. Its use of a user name and password under the hood just provided users with a more personal way of engaging with the logon experience, and the potential level of authentication that biometrics could offer was never achieved. All of that changes with Windows 10 and the delivery of Microsoft Passport and Windows Hello. These enterprise-grade technologies provide strong multifactor authentication capabilities that are similar to smartcards but are more flexible in their ability to take advantage of fingerprint, facial, and iris-based biometric technologies.

Existing Windows devices with fingerprint and facial biometric sensors such as Intel® RealSense Technology can take full advantage of Microsoft Passport and Windows Hello right now. An OEM pipeline full of new devices for both consumers and business users will make the use of biometrics pervasive on Windows.

Identity Protection

When it comes to network breaches, the theft of user credentials and malware—and many times a combination of both—are often central to a hacker’s success. If you don't address the attack vectors in both of these areas, you will remain exposed in ways that are increasingly easy for attackers to exploit.

When it comes to identity protection, first you must change your user's credentials from single-factor options like passwords to multifactor solutions. Second, the derived credentials that you will use for single sign-on must be protected with hardware-based solutions that until Windows 10 have been unavailable in the marketplace.

Windows 10 provides identity protection solutions that are easy to use, deploy, and manage. Rarely do decisive security solutions come with such attributes, but with Microsoft Passport, Windows Hello, and Credential Guard you can have your cake and eat it too.


Microsoft Passport

It's no secret that single-factor authentication is no longer up to the task and that passwords are unacceptable because they can now easily be phished, guessed, and stolen. In fact, one criminal organization in 2014 claimed to have gained access to 1.2 billion stolen user names and password combinations. Think about that in the context of how many people in the world are actually online!

The solution to this problem is a multifactor authentication solution like a smartcard, but such a solution is frequently too expensive to deploy, cumbersome to use, and increasingly incompatible with the modern devices we want to use (e.g., ultra mobile, light, phones). Another challenge is a dependency on a public key infrastructure (PKI), which adds tremendous complexity to the end-to-end solution.

With Windows 10, we address the key challenges of today's multifactor identity solutions with Microsoft Passport, which shares all of the best attributes of a smartcard but without its drawbacks. For example, with Microsoft Passport you can use the devices that you already have, like your PC or Windows Phone, as one of the two factors. There is no need for extra devices like tokens, cards, and readers. Microsoft Passport can be used with a PKI, but it can also be used without one, making it an ideal solution for consumers, small and medium-size businesses, and even enterprises that want to simplify the infrastructure requirements for user identities.

Windows Hello

Microsoft Passport is your new two-factor authentication solution, but the credential it uses only represents one of the two factors that you'll need. The other factor can be a PIN or, on modern devices with biometric sensors, you can use your fingerprint, face, or even your iris as the second. We call this biometrics-based experience Windows Hello.

Windows Hello is a more personal way to sign in to your Windows 10 devices, apps, and online services. With just a quick look or a touch, your users can be authenticated and gain access to everything that they need. Unlike many of the biometric solutions of the past, Windows Hello offers enterprise-grade security and anti-spoofing capabilities to protect your users' biometric data and privacy. Existing devices with fingerprint sensors can work with Windows Hello, and new devices with facial and iris recognition technology (e.g., an infrared camera) are already in the marketplace. The stage is truly set for Windows Hello and biometric authentication to become mainstream on Windows devices.
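The Microsoft Passport and Windows Hello sections above describe a credential that is bound to the device, unlocked by a local PIN or biometric gesture, and verified by the identity provider without a PKI. The Go program below is an added illustration of that pattern, not Microsoft's code: the device generates an Ed25519 key pair and keeps the private half, a local gesture check (a PIN in this model; a biometric match would play the same role) unlocks it, the identity provider stores only the public key and issues single-use challenges, and a signed challenge is the login assertion. All names (Device, IdP, Register, Challenge, Sign, Verify) and the choice of Ed25519 are assumptions of this example; a real device would keep the key in the TPM and rate-limit gesture attempts, both of which this model omits.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

// Device models the user's PC or phone. The private key is generated here,
// never leaves, and is only usable after a local gesture (a PIN in this
// constructed model; a biometric match would play the same role).
type Device struct {
	priv ed25519.PrivateKey
	pin  string
}

// IdP models the identity provider. It stores public keys only, so a stolen
// copy of its database contains nothing that can be replayed as a login.
type IdP struct {
	pubKeys map[string]ed25519.PublicKey
	issued  map[string]bool // outstanding challenges, each valid once
}

func NewIdP() *IdP {
	return &IdP{pubKeys: map[string]ed25519.PublicKey{}, issued: map[string]bool{}}
}

// Register is one-time enrollment: the device creates its key pair and
// sends only the public half. No certificate authority is involved.
func Register(idp *IdP, user, pin string) (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	idp.pubKeys[user] = pub
	return &Device{priv: priv, pin: pin}, nil
}

// Challenge issues a fresh random nonce and records it so it can be consumed once.
func (idp *IdP) Challenge() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	nonce := hex.EncodeToString(b)
	idp.issued[nonce] = true
	return nonce, nil
}

// Sign is the device side of a login: the gesture unlocks the key, the key
// signs the challenge. The PIN is compared in constant time and is never
// sent anywhere; a wrong gesture produces no signature at all.
func (d *Device) Sign(nonce, gesture string) ([]byte, error) {
	if subtle.ConstantTimeCompare([]byte(d.pin), []byte(gesture)) != 1 {
		return nil, errors.New("gesture rejected: key not unlocked")
	}
	return ed25519.Sign(d.priv, []byte(nonce)), nil
}

// Verify is the IdP side: the nonce must be one it issued and not yet used,
// and the signature must check against the registered public key.
func (idp *IdP) Verify(user, nonce string, sig []byte) bool {
	if !idp.issued[nonce] {
		return false // unknown or already consumed: a replayed assertion stops here
	}
	delete(idp.issued, nonce)
	pub, ok := idp.pubKeys[user]
	return ok && ed25519.Verify(pub, []byte(nonce), sig)
}

func main() {
	idp := NewIdP()
	dev, err := Register(idp, "alice", "2580")
	if err != nil {
		panic(err)
	}
	nonce, _ := idp.Challenge()
	sig, _ := dev.Sign(nonce, "2580")
	fmt.Println("first use of assertion accepted:", idp.Verify("alice", nonce, sig))
	fmt.Println("replay of same assertion accepted:", idp.Verify("alice", nonce, sig))
}
```

The property worth noticing is what each party holds: the device has a private key that is useless without the gesture, and the IdP has a public key that is useless to an attacker. A phished or database-dumped PIN or password has no equivalent here, because nothing reusable ever crosses the network.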

Credential Guard

Moving your users to a multifactor authentication solution like Microsoft Passport is a critical first step toward protecting their identities. The equally important next step is to protect your users’ derived credentials, which are used for single sign-on. This sensitive information can easily be stolen and used to impersonate someone without knowing the person’s user name and password or gaining access to the user’s multifactor device (e.g., smartcard and PIN). All an attacker needs to do is gain administrative access to a device, possibly by exploiting a vulnerability or using malware, and they can begin what is often referred to as a Pass the Hash or Ticket attack.

Prior to Windows 10, a series of capabilities was released to help prevent such an attack, but none of them were decisive. Windows 10 changes that by introducing Credential Guard, which uses virtualization-based security (VBS) to isolate your users' derived credentials so they are separate from the Windows operating system. This way, even if the operating system itself is fully compromised, the sensitive information within the VBS environment can remain secure.

Information Protection

When it comes to security, it's all about protecting information. However, even a good solution can be circumvented if you don't take a holistic approach. This means that you must factor in identity protection and threat resistance capabilities when devising your information protection strategy. Windows 10 includes new, highly impactful capabilities across each of these areas. And when it comes to information protection, you'll find that Windows 10 now provides capabilities that previously you would have gone to third parties for.

Windows has a long history of delivering information protection capabilities, and when combined with services from Office 365 such as Rights Management Services, it has offered customers a broad set of capabilities. But of course “broad” isn't enough in today's world, so with Windows 10 we've added new information protection features that will give you the comprehensive protection that you need to address today's challenging world of BYOD, the cloud, and many other trends.


BitLocker and Windows Information Protection

BitLocker is a great solution for protecting data when a device is lost or stolen, but how can you protect your data from users who may accidentally leak it? This is where a brand new capability, Windows Information Protection (WIP), can help by providing organizations with file-level data separation, containment, app control, and leak protection.

Unlike many data loss prevention solutions, particularly those on mobile devices that use container-based solutions, WIP helps safeguard business data wherever it is on your device—and it does so without getting in the way of the user experience. WIP's capability is fully integrated in the Windows experience your users are already familiar with. It enables them to continue using the apps they love rather than requiring them to switch modes or even apps just to protect business data. Your users will love the fact that WIP works almost entirely behind the scenes and yet also provides simple visual cues that help them to differentiate between personal and business data and apps. They’ll also rest assured that WIP will help prevent them from leaking sensitive information from business documents and websites by accidentally copying and pasting to unauthorized locations such as personal documents or even public websites.

Rights Management Services

Windows Information Protection provides a strong foundation for some of the key data loss prevention capabilities that organizations need. In isolation, it provides a great deal of value; however, its capabilities can be extended with the Rights Management Services (RMS) that come with Office 365. By using both WIP and RMS, organizations can strengthen leak protection by combining WIP’s app control and its basic copy-and-paste accident protection with RMS controls such as the ability to prevent printing and forwarding of documents without authorization. In addition, with Office 365, organizations can enable users to restrict access to emails and documents so they can decide who within their organization, or even outside of it, will have access. Together, WIP and the rights management capabilities from Office 365 can provide the end-to-end data loss prevention you've been looking for. And with the interoperability of Windows 10 and Office 365, deploying this capability couldn't be any easier.

Threat Resistance

This week you've almost certainly learned about yet another Fortune 500 or government institution being breached, so it's never been more clear that the battle against malware and hacking threats remains a great challenge. These large organizations have huge security budgets, some of the best talent, the latest and greatest technology—and yet they often still get breached. The reality is that most organizations are fighting the battle with an approach that can never win, one based almost solely on identifying the bad guys and keeping them out. This type of model doesn't scale in a world where hundreds of thousands of new malware instances are unleashed daily, and polymorphic and just-in-time malware are the new norm.

Windows 10 is designed to obstruct the malware and hacking industry by moving the playing field to a completely new one where malware and hackers are easier to defeat.


SmartScreen

Security starts with a strong outer perimeter, and as you connect to the Internet through a browser, mail client, or other app, that perimeter will be tested at scale. One of the unsung heroes in Windows 10 is its SmartScreen technology, which is designed to help keep threats off the device, rather than just removing or quarantining them. This is what you want—threats never get a chance to even touch the device. SmartScreen protects users of Edge and Internet Explorer using its cloud-based intelligence to determine whether a website is safe before giving users access. Malicious and suspicious websites and even application downloads can be blocked. The same cloud-based intelligence that powers SmartScreen is used for Office 365 Advanced Threat Protection (ATP) to help prevent emails with malicious links and binaries from landing in your users' inboxes.

Microsoft Edge and Internet Explorer

The vast majority of attacks on endpoints use a browser, any browser, as a means to execute the attack. Your users can be lured in various ways to malicious websites in an attempt to exploit vulnerabilities or trick users into installing malicious apps. When they are using Microsoft Edge or Internet Explorer, SmartScreen technology can help block most threats, but not all. For this reason, Microsoft Edge and Internet Explorer include a deep bench of technologies to defend against threats that may get access to the device. Some of the most impactful security capabilities in Edge and Internet Explorer are AppContainer technology to sandbox and isolate the browser from the rest of the operating system and memory management techniques to help prevent detected vulnerabilities from being exploitable. Microsoft Edge also addresses one of the biggest exploit paths that attackers have used in the past by providing a safer browser extension model and by removing support for VML, VBScript, toolbars, Browser Helper Objects (BHOs), and ActiveX—all of which have been superseded by the capabilities of HTML5 and the modern web.

Device Guard

With the Windows 7 operating system, threats are primarily addressed using antivirus software and other detection-based systems. But when there are hundreds of thousands of new threats a day, there is no way for the antivirus community to keep up with the latest threats. There will always be a patient zero and many more users affected until someone from the community takes notice and issues an update to block the threat. There are also advanced persistent threats (APTs), attacks in which the malicious apps are often custom-built for a specific job, meaning the antivirus community may never know about them. In some cases, an attack can be run without using any malicious apps at all.

The solution to this challenge is to re-index your threat resistance approach to focus on vulnerability mitigation and app control—rather than just detection-based means—as your primary defense. The Windows 10 Device Guard feature is designed with this approach in mind. It provides the most advanced zero-day and app control capabilities that Windows has ever offered. To protect the system core (kernel mode), Device Guard uses virtualization-based security (VBS) and hardware to help ensure that the exploitation of vulnerabilities discovered in the system core is strongly mitigated against. Device Guard then uses policy-based controls that prevent unauthorized software from being able to execute on the device.

Although Device Guard represents one of our most important strategic pathways to addressing malware threats, it's not a complete replacement for traditional antimalware solutions like Windows Defender. Windows Defender adds protection by covering threats that Device Guard can't, such as in-memory attacks. Together, these features help organizations raise their game against hacking and malicious software to a very high level.
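Device Guard's policy-based app control, described above, comes down to a deny-by-default evaluation: an image may execute only if some rule in the policy covers it. The Go program below is an added model of that evaluation, not Device Guard's implementation or its policy format: a rule is either an explicit SHA-256 image hash or a trusted publisher key, the publisher signature is an Ed25519 stand-in for Authenticode, and AuditOnly mirrors the practice of running a new policy in log-only mode before enforcing it. All type and function names are invented for this example, and the sample images are constructed byte strings rather than PE files.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Binary is what the loader hands to the policy engine: the image bytes and,
// if present, a publisher signature over the image hash. The signature is a
// constructed stand-in for Authenticode, not the real format.
type Binary struct {
	Name      string
	Image     []byte
	Publisher string
	Signature []byte
}

// Policy is deny-by-default: an image may execute only if its hash is listed
// or it carries a valid signature from a trusted publisher. AuditOnly mirrors
// the practice of running a new policy in log-only mode before enforcing it.
type Policy struct {
	AllowedHashes     map[string]bool
	TrustedPublishers map[string]ed25519.PublicKey
	AuditOnly         bool
}

// Verdict is the engine's decision and the rule that produced it.
type Verdict struct {
	Allowed bool
	Reason  string
}

// ImageHash is the identity used by hash rules and covered by publisher signatures.
func ImageHash(image []byte) []byte {
	h := sha256.Sum256(image)
	return h[:]
}

// SignImage is what a publisher's build pipeline does in this model.
func SignImage(priv ed25519.PrivateKey, image []byte) []byte {
	return ed25519.Sign(priv, ImageHash(image))
}

// Evaluate checks rules in order: explicit hash, then trusted publisher.
// Any change to the image bytes defeats both, since both bind the hash.
func (p Policy) Evaluate(b Binary) Verdict {
	h := ImageHash(b.Image)
	if p.AllowedHashes[hex.EncodeToString(h)] {
		return Verdict{true, "hash rule"}
	}
	if pub, ok := p.TrustedPublishers[b.Publisher]; ok && ed25519.Verify(pub, h, b.Signature) {
		return Verdict{true, "publisher rule: " + b.Publisher}
	}
	if p.AuditOnly {
		return Verdict{true, "audit mode: would be blocked (no matching rule)"}
	}
	return Verdict{false, "blocked: no matching rule"}
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	policy := Policy{
		AllowedHashes:     map[string]bool{},
		TrustedPublishers: map[string]ed25519.PublicKey{"Contoso Ltd": pub},
	}
	// Constructed sample images; real ones would be PE files.
	tool := []byte("line-of-business tool v1")
	policy.AllowedHashes[hex.EncodeToString(ImageHash(tool))] = true
	signed := Binary{Name: "app.exe", Image: []byte("signed app v2"), Publisher: "Contoso Ltd"}
	signed.Signature = SignImage(priv, signed.Image)
	trojaned := signed
	trojaned.Name = "app.exe (modified)"
	trojaned.Image = append([]byte(nil), signed.Image...)
	trojaned.Image[0] ^= 0xff // one flipped byte: the signature no longer verifies
	unknown := Binary{Name: "dropper.exe", Image: []byte("unsigned, unlisted")}
	for _, b := range []Binary{{Name: "tool.exe", Image: tool}, signed, trojaned, unknown} {
		v := policy.Evaluate(b)
		fmt.Printf("%-20s allowed=%-5v %s\n", b.Name, v.Allowed, v.Reason)
	}
}
```

The point the model makes is the one the section makes: a never-before-seen dropper is blocked not because anything recognised it as malicious, but because nothing vouched for it, and a publisher name without the publisher's key is worth nothing. The audit mode exists because the first run of an allow-list policy on a real fleet always surfaces legitimate software nobody listed.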

Windows Defender

When customers think about threat resistance, one of the first things that often comes to mind is an antimalware solution designed to detect viruses and spyware. To address these types of threats, Windows 10 includes Windows Defender, a robust enterprise-grade antimalware solution, which has been improved substantially to address a threat landscape that has increased in both volume and effectiveness.

Windows Defender uses the hyper-scale power of Windows cloud services, machine learning, and a world-class research team to provide rapid response to the hundreds of thousands of new threats that are emerging daily. New to Windows Defender are the ability to use rich local context and behavior monitoring to trigger inspection of potentially suspicious activities such as privilege elevation, the ability to detect vulnerability exploit techniques and in-memory attacks, and extensive hardening of the solution itself to prevent tampering and bypass. Another new opt-in feature for enterprises is the detection of potentially unwanted applications (PUA). PUA refers to unwanted application bundlers or their bundled applications, which can increase the risk of your network being infected with malware. Windows Defender can protect your users from PUA at download and install time.

Windows Defender Advanced Threat Protection

Windows 10 is the most secure enterprise platform today, but cyberattacks are getting more sophisticated as they are using social engineering, zero-day vulnerabilities, or even misconfiguration to break into corporate networks. Thousands of such attacks were reported in 2015 alone.

Building on the existing pre-breach security defenses built into Windows 10, we have released a new service, Windows Defender Advanced Threat Protection (ATP), which provides a post-breach layer of protection.

Windows Defender Advanced Threat Protection (ATP) enables Windows Enterprise customers to detect, investigate, and remediate advanced persistent threats and data breaches on their networks. Windows Defender ATP combines Windows next-generation endpoint behavioral sensors with Microsoft's cloud-powered threat intelligence, security, Machine Learning analytics, and expert human advanced persistent threat (APT) hunters to provide enterprises with correlated, actionable attack detection and remediation. Running alongside any anti-virus (AV) solution, Windows Defender ATP is continuously up-to-date and can help lower costs.

Trusted Boot

When it comes to malware, the attacker’s goal is to embed malware at the lowest possible level on the system, because the deeper it’s deployed, the more privilege it can gain and the more likely it can evade detection. For this reason, it’s critical to maintain the integrity of the system, particularly at the system core (e.g., boot process, kernel, drivers, and platform services). Windows 10 uses hardware-based technologies such as UEFI Secure Boot that became standard equipment with Windows 8–certified devices to help provide the root of trust necessary to help Windows maintain its integrity and to prevent bootkits and rootkits from compromising the system. UEFI Secure Boot will help ensure that a device's firmware-based components are secure and that the preferred operating system will start first on the device, rather than malware. Once Windows is securely started, Windows Trusted Boot will help ensure that the Windows system core starts with integrity, and in the event that anomalies are detected, Windows Trusted Boot will self-remediate and restore its integrity. Although possibly not the most interesting feature in the threat resistance stack, it's one of the most important for user confidence. The ability for any security feature running on top of Windows to perform its job is dependent on the integrity of the system core, and UEFI Secure Boot and Trusted Boot can help give users that assurance.

Device Health Attestation and Conditional Access

Windows 10 was designed to be the most secure operating system that we have ever released, but the reality is that as long as there are tenacious attackers out there, we have to assume our systems' defenses will be tested and one day compromised. With that assumption in mind, we also have to come to terms with the fact that the health states asserted by a device are no longer trustworthy once it has been compromised. In other words, just because your latest virus scan detected nothing and your firewall looks like it's running, that doesn't mean everything is fine. It may be just the opposite.

In this era of modern and highly evasive threats, we can't trust a device to self-report its own health, so you need to add remote validation into your strategy. With Windows 10, the integrity of the device can be remotely validated using a combination of Windows cloud services and a management system to evaluate the results. In 2015, mobile device management (MDM) systems such as Intune are shipping this functionality, which is available for any management system to implement. This capability can also be used to perform conditional access services so that only healthy devices are able to access resources such as the corporate VPN, email, and SharePoint.
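The TPM, Trusted Boot, and Device Health Attestation sections above rest on one mechanism: each boot component is hashed into a TPM register that software can extend but never overwrite, the TPM signs those register values for a verifier-chosen nonce, and a remote service compares them with a known-good baseline before a conditional-access gate admits the device. The Go program below is an added model of that flow, not Microsoft's attestation service or the TPM's real quote format: it replays a constructed measurement log, signs a quote with an Ed25519 stand-in for the attestation key, and reports why a device fails (tampered component, edited log, forged or replayed quote). All names and the PCR numbering in the sample boot chain are assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"sort"
)

// Event is one boot-log entry (PCR index, digest). The log lives in
// OS-readable memory, so on its own it proves nothing.
type Event struct{ PCR int; Digest [32]byte }

// Component is boot code that the preceding stage measures before running it.
type Component struct{ PCR int; Code []byte }

// Extend is the only write a PCR supports: new = SHA-256(old || digest).
// A PCR can be appended to but never set, so a compromised OS cannot undo
// what the firmware recorded before it started.
func Extend(pcr, digest [32]byte) [32]byte {
	return sha256.Sum256(append(pcr[:], digest[:]...))
}

// ReplayLog recomputes the PCR values a TPM holds after a given log.
func ReplayLog(log []Event) map[int][32]byte {
	pcrs := map[int][32]byte{}
	for _, e := range log {
		pcrs[e.PCR] = Extend(pcrs[e.PCR], e.Digest)
	}
	return pcrs
}

// Boot simulates measured boot: hash each component, extend its PCR, log it.
// It returns the PCR bank (readable but not writable by the OS) and the log.
func Boot(chain []Component) (map[int][32]byte, []Event) {
	pcrs := map[int][32]byte{}
	var log []Event
	for _, c := range chain {
		d := sha256.Sum256(c.Code)
		pcrs[c.PCR] = Extend(pcrs[c.PCR], d)
		log = append(log, Event{c.PCR, d})
	}
	return pcrs, log
}

// Quote is the TPM's signed statement of its PCRs for a verifier-chosen nonce.
type Quote struct {
	PCRs      map[int][32]byte
	Nonce     []byte
	Signature []byte
}

// quoteMessage is a canonical encoding of nonce and PCRs (fmt sorts map keys).
func quoteMessage(nonce []byte, pcrs map[int][32]byte) []byte {
	return []byte(fmt.Sprintf("%x|%x", nonce, pcrs))
}

// MakeQuote runs inside the TPM, the only holder of the attestation key ak.
func MakeQuote(ak ed25519.PrivateKey, pcrs map[int][32]byte, nonce []byte) Quote {
	return Quote{pcrs, nonce, ed25519.Sign(ak, quoteMessage(nonce, pcrs))}
}

// Assess is the remote attestation service. akPub identifies the device's TPM
// and baseline holds the PCRs of a known-good boot. It returns the problems
// found; an empty list means healthy, so a conditional-access gate may admit the device.
func Assess(akPub ed25519.PublicKey, baseline map[int][32]byte, q Quote, log []Event, nonce []byte) []string {
	var f []string
	if !bytes.Equal(q.Nonce, nonce) {
		f = append(f, "stale nonce: quote may be replayed from an earlier boot")
	}
	if !ed25519.Verify(akPub, quoteMessage(q.Nonce, q.PCRs), q.Signature) {
		return append(f, "bad signature: values were not reported by this device's TPM")
	}
	replayed := ReplayLog(log)
	for i, want := range q.PCRs {
		if replayed[i] != want {
			f = append(f, fmt.Sprintf("PCR%d: log does not reproduce the quoted value (log edited)", i))
		}
	}
	for i, want := range baseline {
		if q.PCRs[i] != want {
			f = append(f, fmt.Sprintf("PCR%d: differs from known-good baseline (component changed)", i))
		}
	}
	sort.Strings(f)
	return f
}

func main() {
	pub, ak, _ := ed25519.GenerateKey(rand.Reader)
	good := []Component{{0, []byte("firmware v1")}, {4, []byte("bootmgr v1")}, {7, []byte("boot policy v1")}}
	_, goodLog := Boot(good)
	baseline := ReplayLog(goodLog) // recorded once from a known-good device
	bad := []Component{good[0], {4, []byte("bootmgr v1 + bootkit")}, good[2]} // constructed tampering
	pcrs, log := Boot(bad)
	nonce := []byte("nonce-42")
	fmt.Println(Assess(pub, baseline, MakeQuote(ak, pcrs, nonce), log, nonce))
}
```

Read Assess from the perspective of a compromised OS trying to look healthy: it can hand over a clean log, but the log will not replay to the quoted PCRs; it can rewrite the PCR values in the report, but the TPM's signature will not cover them; it can resend last week's good quote, but the nonce will be stale. That is the reason the section insists on remote validation rather than self-reported health.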