Intelligent identity protection with Azure AD

Welcome to Microsoft Mechanics. Coming up on the show, we take a look at the latest advances in how you can directly apply Microsoft security intelligence to protect your organization with Azure AD Identity Protection, for continuous real-time assessment of logins and users to prevent threats at the point of authentication. And how you can reduce your attack surface by managing or restricting the exposure of privileged identity with Privileged Identity Management. On Microsoft Mechanics I'm joined by Alex Weinert, group program manager on the Azure AD identity team. Welcome to the studio.

Great to be here.

So we've had Azure Active Directory for a while now and it's a fundamental technology that manages user identity for access to corporate resources, and it's central to our user authentication across Microsoft services. How has Azure AD evolved to help protect users?

I think there's three major innovations that we've done to help protect users in the last little bit. One is conditional access, which allows us to really frame how resources are accessed under the conditions that they come in. So things like, if you come in from off the corporate network you can challenge with multi-factor auth, that sort of thing. Identity protection, which really uses the intelligent security graph to look at all the kinds of signals we have from across the industry and across Microsoft's researchers, to look at threats in the environment and then interrupt those threats before they can get into your environment. And then finally, privileged identity management, which ensures that if there is any kind of an account takeover there's a much lower chance that that's an admin that's being taken over.

Very good, so we've already seen a lot of conditional access on this show in the past. Can you show some of this with identity protection?

Sure, I'd be happy to walk you through some identity protection. To start off, I'll just point out that to get to identity protection you would just go to the marketplace, and within the marketplace if you search the word identity or protection or any part of it, that would come right up. And there's Azure AD Identity Protection. Just select that and that will enable it in your tenant. Once you've done that then you would see Azure AD Identity Protection. And as we get into it we see that there's three major areas we're dealing with. The first is around users who are at risk in the environment. And it looks like we believe the credentials for that user have been leaked onto the internet or in other ways need to be addressed. Second is risk events, which is where we look at things like sessions that are anomalous, that maybe are coming in from environments we don't like. We can use the DCU's data to tell us that it's coming in from a botnet. We can look at Tor signal; we have a very good track of which machines are Tor involved. And all those things allow us to give a very good picture of what's a risky session. And then finally is configuration vulnerabilities in the environment. Places where you can improve your security posture by addressing configuration issues.

And just to pause for a second, this is a big change from when we had to wade through lots and lots of reports to get to this kind of information.

Yeah that's right, what we're trying to do now is give you, you know, for the identity security professional, make sure they have what will serve as a one-stop shop where they go and manage all that from one place and really understand what's going on in their environment. You can see here in the environment that we have, for example, users flagged for risk, and as we drill into that we can see that we have some number of users here that have risk scores. That just indicates that there's a possibility that their credentials have been compromised. And if we drilled into any one of these we can see that in some cases we have users with a high risk level. We really want to be extra concerned about that. And so for example, picking on Mike Lee here, we can drill in and see that Mike, among other things, has had a leaked credential.

And so how do we know that his credentials have actually been leaked?

We have a couple of different sources to look at. One very common source for us is that we run the consumer identity system in Microsoft account, as well as running the enterprise identity system in Azure Active Directory. Between the two we see over 14 billion logins a day. We score all those logins and we're looking at attack patterns. There are certain attack patterns that show up where we can tell that, for example, a given IP address has gone bad. That is only being used by an attacker. And so in those kinds of cases we can say that any traffic that comes in from that IP is bad traffic. We also work with the industry, with security researchers, with our own researchers inside, with law enforcement when appropriate, to get signals. For example, every time you see the news, you know, x million, x hundred million accounts were leaked by some company. So those various third-party IdPs that have maybe not as good a security posture or have had a leak, those are places where we can source that data and then make sure that if your employee has reused their username and password at another site and that site is breached, then we can protect you from that eventuality.

Excellent, that seems like you've got a lot of protection built in there.

Yeah, there's a lot going on here that is driven by that, plus machine learning systems. A lot of really, really cool stuff. In this case, the leaked credential here, this is a pretty strong signal. This basically means we've seen the credential in the wild. We know that username and password has been compromised. To get that user back to his posture of safety we want to get that password changed. So if we wanted to, in Mike's case we can see that with that leaked credential we could ask to reset the password right here in flow and just do a manual password reset.

That seems like having to manually reset them for lots of users at your organization could be a problem.

Right, it's a problem from two perspectives. One is if you have a large organization that's a lot of manual work to do. The more significant problem is that the time between when the compromise is detected and the time you can remediate it is the time that the bad guy gets to play. And we really want to minimize that window of time, right? And the only real way to do that is to set up a policy and let the system act on your behalf, so that the second we see a problem we can react to that problem with policy and the machine auto-remediates the account.

In this case, you could set up a policy?

So we see the user risk policy for automatic mitigation. And if we drill in here we have a variety of things we can do. But one thing we could do is we can just say, look, if we have an account that we know is compromised, let's go ahead and block access. We could choose if we wanted to and have them change their password. That's another thing we can ask to do. So there's a variety of things that we can do here.

So how does user risk differ from the different risk events that we saw already inside the console?

Well, user risk again is that indication that you have a problem, that indicates that a user's password has actually gotten in the hands of bad guys. And one way that we see that evolving is that, for example, if the user has logins that are coming from a Tor network. I'm a big privacy advocate and there's valid uses for Tor browsers. But the fact is that ninety-four percent of the traffic that comes from Tor browsers is malicious. That's what both we and the industry have seen. So we have to realize that is a strong signal. If something's botnet, in fact we know that's a strong signal. One or two of those things we might be making a mistake. Every algorithm has some amount of false positive. A set of those together and you start to say okay, we're pretty sure this is a compromised account. This is no accident, right? So, a series of those together creates a user risk. An individual event is a session risk, which means that something with that session was wrong. A set of session risks obviously can roll up to a higher user risk and everything kind of rolls together. We use a machine learning algorithm to calculate the probability that the user is compromised. So over time we adapt that and the systems auto-adapt to that.

Very good, so it actually really does start to learn around what's happening and what behaviors really look like?

That's right, the system is a learning system, which is a cool part about it. So as our bad actors evolve their tactics, the system automatically evolves itself. So, in this particular case we can go down and we see there's a sign-in risk policy you can set up. The sign-in risk policy allows us to look at a few things. We can apply it to a certain set of users who are going to do a roll-out in the environment. Then we can set it for different risk levels. So, if we drill into the conditions here we see that we have it set for a sign-in risk of medium and above. And then in this case we have different controls we can apply. We can say we just want to do a multi-factor auth challenge in this case. Or, for this experiment we'll say let's just block access outright. So, if you have something coming in from, let's say, a Tor network, let's not have them log in at all. That's all going to be informed by your company's policy and what's appropriate for your environment. The last thing we give you is the ability to actually estimate what's happening. In terms of, what's the impact? How many challenges can you expect? What's the help desk impact? That sort of thing. So we know that policy is turned on. And it's all ready to go.

Cool, so I actually just happen to have Tor browser installed on this machine here. And I already have Edge open as well. So I've typed in my username and password. So if I just hit sign in, this is what should happen with a regular sign-on, which is doing the right thing, I guess. So I hit sign in. And that's taking me into Office, in fact, in this case. I'm just going to change over into Tor browser. And from within Tor, you can see that it really is inside of Tor. And type in exactly the same thing, again. You can see the sign-in was blocked, so that is the policy applying successfully.

That's exactly what we just turned on just a few seconds ago. And the cool thing about this is that your good user under good circumstances is experiencing no friction. There's no MFA challenge and there's nothing in their way. But, as soon as there's a risk factor present we're able to shut down that risk.

So here identity protection is actually securing the logins as the authentications happen. Are we doing anything that's going to harness the signals from other services and devices?

Yeah absolutely, if we go back to the risk events section we can see that there are multiple different types of risks that we detect. Many of those, as we talked about, are sourced from outside and from our own researchers. And we talked about the Tor network stuff. Another interesting signal is sign-ins from infected devices. And what that's looking at is botnet infections. Microsoft's Digital Crimes Unit does a lot of work to track and take down botnets. And as part of that work they have to identify nodes that are botnet infected. And they share that information with us as they collect it. And this is actually a very powerful way for you to know that a login is coming from an infected device. So here as we drill in on sign-ins from infected devices we can see that various folks have been infected with ZeroAccess and Dorkbot. And we can see our old friend Mike Lee again showing up with a Conficker infection. So we can investigate that a bit and see what else we can learn about Mike. We see that he's had quite a few events and that's why his user risk is higher. One of the things that we can also look at is what's his role in the organization. And right here we see something that should make us pause: he's a global administrator.

Yeah, global admin in Azure AD essentially means you've got the keys to the kingdom.

That's right, and that's a serious concern. This is a place where maybe what we really wish is that we didn't have global administrators that didn't need to be global administrators. If some number of people are going to have an account takeover or an infection in the environment, you'd like the number of people in your environment who are global admins as well to be as small as possible.

Yeah, absolutely. So we talked about the users flagged for risk and risk events, and then we have the vulnerabilities.

One of the places where we see the vulnerability is that privileged identity management is telling us that we have too many global administrators.

How does it know that we have too many global admins? Is it just like if you've got more than four?

Well no, it's a little more clever than that. It's looking at the size of your organization, the segment of the industry you're in and what's normal in that industry. So we're using a lot of intelligence around what we know around how tenants behave and what's the right number for somebody of your size. So it's not quite as simple as five is bad, although, you know, fewer is kind of always better. Let's go and look actually at privileged identity management and where we can see all of its glory. Privileged identity management lets me do several different things. One of the most important things that it allows us is what we call just-in-time access. The idea here is that I don't need to be an admin all the time, right? I probably need to be an admin for some very small amount of my work. When I go to get that admin privilege I might want to have something like additional auditing to say when I did it. Or, to talk about who the approver is for that role. We're just doing something simple like multi-factor auth. And so the idea is that if the bad guy does get my credentials, the likelihood that I'm going to be admin in that moment is extremely small. That's really what we're after. So privileged identity management here is going to give me kind of a one-stop-shop view of what is the state of my admin rights in the organization. I have admins who aren't using their privileged roles, and I have too many global admins. What I can do in any one of those cases is I can take an admin who maybe is in a permanent role and I can actually say let's go and change this. Make them a temporary administrator instead of a full-time administrator. So here's global admin and I can look and I can actually change that. And I can say, okay, let's make this permanent or make it temporary, and actually set up the rules under which admin access is granted in the environment.

So we actually have technology built into Azure AD that helps to intelligently analyze and surface these kinds of threats. And it even helps IT admins to be able to remediate these things and tells them if they've got too many global admins inside of their environments. What will I see next?

Well, we're continuously adding signals for detection and prevention, and part of this is bringing in signals from things like Advanced Threat Analytics and Cloud App Security. We're also extending the reach of our enforcement mechanisms to better embrace on-prem and hybrid scenarios. And then finally we're extending conditional access's capabilities to embrace more scenarios so they can react and give you a richer canvas to work with. These are really exciting times for identity.

Whereabouts can these folks go to learn more?

Well, if you're managing your directory services on-premises I encourage you to look at Windows Server 2016, which also brings the just-in-time and just-enough-access principles to on-prem AD. If you don't already have Azure Active Directory set up in your environment you can sign up for an Azure Active Directory Premium trial, which I would recommend you do, so you can try these features out that we've shown. You can go to portal.Azure.com and sign up for a preview of Azure Active Directory Identity Protection and Privileged Identity Management. And you can learn more at the link below.

Alex, this is great stuff, thank you very much for joining us on Microsoft Mechanics. And thank you very much for watching Microsoft Mechanics for the latest in tech updates. We'll see you later.

Microsoft Mechanics www.microsoftmechanics.com
