5/30/2018 12:25 AM BRK3016 Shut the door to cybercrime with Azure Active Directory risk-based identity protection. Alex Weinert, Group Program Manager, Identity.

Presentation transcript:

BRK3016 Shut the door to cybercrime with Azure Active Directory risk-based identity protection
Alex Weinert, Group Program Manager, Identity Security and Protection
Nitika Gupta, Program Manager, Identity Security and Protection
© Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Identity is the new control plane
Microsoft Azure Active Directory
On-premises / Private cloud

Azure Active Directory in the Marketplace
Every Office 365 and Microsoft Azure customer uses Azure Active Directory.
- 12 M organizations
- 950 M users
- 122 B authentications in August 2017
- 56 K paid Azure AD / EMS customers
- 90 % of Fortune 500 companies use Azure AD

Azure Active Directory
Capabilities: Azure AD Connect, B2B collaboration, Provisioning/Deprovisioning, Conditional Access, SSO to SaaS, Self-Service capabilities, Connect Health, Multi-Factor Authentication, Addition of custom cloud apps, Access Panel/MyApps, Dynamic Groups, Identity Protection, Remote Access to on-premises apps, Azure AD B2C, Group-Based Licensing, Privileged Identity Management, Microsoft Authenticator (password-less access), Azure AD Join, MDM auto-enrollment / Enterprise State Roaming, Security Reporting, Azure AD DS, Office 365 App Launcher, HR App Integration, Access Reviews
Scenarios:
- I want to quickly deploy applications to devices, do more with less and automate Join/Move/Leave processes
- I need my customers, partners, and users to access the apps they need from everywhere and collaborate seamlessly [dev use case]
- I want to provide my employees secure and easy access to every application from any location and any device
- I need to comply with industry regulation and national data protection laws
- I want to protect access to my resources from advanced threats

Conditions / Controls
Conditions: Users, Devices, Apps, Location, Session Risk (machine learning over 10 TB of data; real-time evaluation engine)
Policies combine into one effective policy
Controls: Allow access, Require MFA, Force password reset, Deny access, Limit access
Resources: On-premises apps, Web apps
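To make the "policies combine into one effective policy" step concrete, here is an added example (not Azure AD's evaluation engine, and not code from this presentation) of a small conditional-access evaluator. Each policy is keyed on the conditions the slide lists (users, devices, apps, location, session risk) and grants one of the slide's controls; when several policies match a sign-in, the most restrictive control wins. The policy names, users, groups and apps are constructed for the demonstration.

```python
"""Toy conditional-access evaluator.

Added example, not Azure AD's evaluation engine: it shows how several
policies keyed on the conditions the slide lists (users, devices, apps,
location, session risk) combine into one effective control for a
sign-in, with the most restrictive matching control winning.
All policy names, users and apps below are constructed.
"""
from dataclasses import dataclass
from enum import IntEnum


class Control(IntEnum):
    """Controls from the slide, ordered least to most restrictive."""
    ALLOW = 0
    LIMIT = 1            # limited access (e.g. browser-only, no download)
    REQUIRE_MFA = 2
    FORCE_PASSWORD_RESET = 3
    DENY = 4


RISK_ORDER = {"none": 0, "low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class SignInContext:
    user: str
    groups: frozenset
    app: str
    device_compliant: bool
    location_trusted: bool
    session_risk: str  # "none", "low", "medium" or "high"


@dataclass(frozen=True)
class Policy:
    name: str
    control: Control
    groups: frozenset = frozenset()        # empty: applies to every user
    apps: frozenset = frozenset()          # empty: applies to every app
    min_risk: str = "none"                 # applies at this risk level or above
    untrusted_location_only: bool = False
    noncompliant_device_only: bool = False

    def matches(self, ctx: SignInContext) -> bool:
        """A policy applies only when every configured condition holds."""
        if self.groups and not (self.groups & ctx.groups):
            return False
        if self.apps and ctx.app not in self.apps:
            return False
        if RISK_ORDER[ctx.session_risk] < RISK_ORDER[self.min_risk]:
            return False
        if self.untrusted_location_only and ctx.location_trusted:
            return False
        if self.noncompliant_device_only and ctx.device_compliant:
            return False
        return True


# Constructed policy set for the demonstration.
POLICIES = (
    Policy("Admins: always MFA", Control.REQUIRE_MFA, groups=frozenset({"admins"})),
    Policy("Outside trusted network: MFA", Control.REQUIRE_MFA, untrusted_location_only=True),
    Policy("Medium+ session risk: MFA", Control.REQUIRE_MFA, min_risk="medium"),
    Policy("High session risk: force password reset", Control.FORCE_PASSWORD_RESET, min_risk="high"),
    Policy("High risk outside trusted network: deny", Control.DENY, min_risk="high",
           untrusted_location_only=True),
    Policy("Non-compliant device on SharePoint: limit", Control.LIMIT,
           apps=frozenset({"sharepoint"}), noncompliant_device_only=True),
)


def effective_control(ctx: SignInContext, policies=POLICIES):
    """Combine all matching policies: the most restrictive control wins.

    Returns (control, names of the policies that matched). A sign-in that
    matches no policy is allowed.
    """
    matched = [p for p in policies if p.matches(ctx)]
    if not matched:
        return Control.ALLOW, []
    return max(p.control for p in matched), [p.name for p in matched]


if __name__ == "__main__":
    ctx = SignInContext("alice", frozenset({"employees"}), "sharepoint",
                        device_compliant=False, location_trusted=False, session_risk="medium")
    control, names = effective_control(ctx)
    print(control.name, names)
```

The ordering in `Control` is the whole combination rule: a deny from one policy is never softened by an allow from another, and a password reset demanded for high risk outranks the MFA that a location policy would have been satisfied with.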

Sobering statistics
- 140+: median number of days attackers reside within a victim's network before detection
- 75%+: network intrusions due to compromised user credentials
- $6T: annual cost of cybercrime to the global economy
- $4M: average cost of a data breach to a company
The frequency and sophistication of cybersecurity attacks are escalating.

Microsoft Intelligent Security Graph
Signal sources: Xbox Live, Azure Active Directory, Microsoft Accounts, Azure, Skype, Enterprise Mobility + Security, Office 365, Bing, OneDrive
Also feeding the graph: Microsoft Digital Crimes Unit, Microsoft Cyber Defense Operations Center

Intelligent protection with Azure Active Directory
For MSA:
- 6.7M users marked as compromised monthly
- 230M blocked login attempts (11M credentials) daily
- 1M users protected by real-time detection and challenges each day
For Azure AD:
- 300K users marked as Med/High risk monthly, over 48K tenants
- 3.2M users marked as at risk monthly, over 97K tenants
- 45K users confirmed to be compromised each month

#deathtopasswords
PASSWORD SPRAY: Try common passwords against known account lists
BREACH REPLAY: Try stolen passwords from other sites
PHISH: Trick your users into handing over their passwords
IF YOU HAVE PASSWORDS, YOU MUST USE MFA

Demo: Multi Factor AuthN Ready
MFA Registration

PASSWORD SPRAY <stats go here>

Password Spray (aka Brute Force, Hammering)
Most common passwords: 123456, 123456789, qwerty, 111111, 12345678, 123123, password, 1234567, 12345, 1234567890, abc123, 123, 123321, password1, qwertyuiop, 666666, a123456, 1234, 654321, 5201314, 123456a, iloveyou, 11111111, 159753, 123123123
Mark has an AAD account. His policy is uppercase, lowercase, numbers and a special character, 8 character minimum. His password is . . . P@ssw0rd1
Bad guy runs the most common password across all known usernames. Guaranteed to get at least one match (and only needs one).

1. Password complexity requirements don't help
Most people use similar patterns (for example, a capital letter in the first position, a symbol in the last, and a number in the last two). Cybercriminals run their dictionary attacks using the common substitutions, such as "$" for "s", "@" for "a", "1" for "l" and so on.

2. Password expiry does more harm than good
Users who are required to change their passwords frequently select weaker passwords to begin with. Users do not choose a new independent password; rather, they choose an update of the old one.

3. Longer passwords are not necessarily better
Users who are required to have a 16-character password tend to choose repeating patterns like fourfourfourfour or passwordpassword. Length requirements increase the chance of users:
- Writing their passwords down
- Re-using passwords
- Storing them unencrypted on their PC

Updated NIST Guidelines
Three main changes:
- No more periodic password changes
- No more imposed password complexity
- Validate new passwords against commonly used passwords

We Hate (Bad) Rulez.
BAD GUIDANCE
- Complexity rules: upper, lower, number and special? Password123!
- Add expiration rules: Monthly? Sep2017! Quarterly? Fall2017!
GOOD GUIDANCE (http://aka.ms/passwordguidance)
- Minimum length requirements (to defeat brute force hash attacks)
- Don't use commonly attacked passwords

In the Meantime
Dynamic Banned Password Support
- Prevent use of commonly attacked passwords
- Prevent use of common substrings
- Normalize common substitutions (S=$, 1=l, @=a, etc.)
Attack detection and account marking
- If the attacker guesses the right password, we can tell it is an attacker
- If you have a sign-in risk policy we can intercept the attempt
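The banned-password checks above, and the substitution problem from the "complexity requirements don't help" slide, as an added example (not Azure AD Password Protection's code and not part of the presentation): candidate passwords are case-folded, stripped of accents and run through the inverse of the usual leetspeak substitutions before being compared against a banned list, both for an exact match and for a banned term appearing as a substring. The banned list, the substitution table and the tenant term "contoso" are constructed for the demonstration.

```python
"""Banned-password check with substitution normalization.

Added example, not Microsoft's Azure AD Password Protection code: it
models the three checks the slide lists (reject commonly attacked
passwords, reject common substrings, normalize leetspeak substitutions
such as S=$, 1=l, @=a) against a small constructed banned list.
"""
import unicodedata

# Constructed banned list. A real list is far larger and refreshed as
# attackers' favourites change; tenant-specific terms (company name,
# product names) belong here too.
BANNED_WORDS = {
    "password", "123456", "qwerty", "iloveyou", "abc123", "letmein",
    "contoso",  # tenant-specific term (constructed company name)
}

# Leetspeak substitutions that attacker dictionaries already apply, so
# applying the inverse mapping before comparing rejects the "P@ssw0rd1"
# class of passwords.
SUBSTITUTIONS = str.maketrans({
    "$": "s", "5": "s", "@": "a", "4": "a", "1": "l", "!": "i",
    "0": "o", "3": "e", "7": "t",
})


def normalize(password: str) -> str:
    """Fold case, strip accents and undo common character substitutions."""
    decomposed = unicodedata.normalize("NFKD", password)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return stripped.casefold().translate(SUBSTITUTIONS)


# Normalized banned words, mapped back to the term they came from so a
# rejection can name it.
NORMALIZED_BANNED = {normalize(w): w for w in BANNED_WORDS}


def check_password(password: str, min_length: int = 8) -> list:
    """Return the reasons a password is rejected; an empty list means accepted."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")

    norm = normalize(password)
    if norm in NORMALIZED_BANNED:
        reasons.append(f"commonly attacked password: {NORMALIZED_BANNED[norm]}")
        return reasons

    # Substring check: "Password2018!" still contains "password" once
    # normalized. Very short banned terms are skipped so that a password
    # is not rejected merely for containing a few digits.
    hits = sorted(original for norm_word, original in NORMALIZED_BANNED.items()
                  if len(norm_word) >= 4 and norm_word in norm)
    if hits:
        reasons.append("contains banned term(s): " + ", ".join(hits))
    return reasons


if __name__ == "__main__":
    # P@ssw0rd1 satisfies the upper/lower/digit/special/8+ rule from the
    # slide and is still rejected.
    for candidate in ("P@ssw0rd1", "Contoso2018!", "123456", "correct horse battery"):
        print(f"{candidate!r}: {check_password(candidate) or 'accepted'}")
```

Normalizing the banned list with the same function as the candidate is what keeps the comparison consistent: "123456" and "l23456" collapse to the same string on both sides, so the check does not depend on which spelling the list happens to contain.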

PASSWORD SPRAY DEMO
- Password Writeback
- Self Service Password Reset
- Banned Passwords

BREACH REPLAY
Attacker replay: 12M accounts PER DAY in August
List discovery: 266 accounts in August

Breach Replay 1/3: How Creds Leak
Mark has his account in AAD, where all is safe . . . But
He wants to book a lunch for his team, so he goes to a restaurant reservation site.
This is for work, right? Just use markxxx@microsoft.com
Passwords are hard. Just use your normal one.
Too bad the restaurant throws all this in an unencrypted MySQL db
And the hosting site is hacked.
This scales to Yahoo, Anthem, Ashley Madison . . .

Breach Replay 2/3: How they are used
Bad guy gets a big list of username/password pairs.
Passwords may be encrypted or hashed. This is not really a problem, because of rainbow tables, dictionary attacks, etc. (and common passwords).
What shall I do with my giant list?
Ooh, let's try running them against Twitter, Yahoo, Google, and yes, MSA (anywhere that allows an arbitrary username string).
If you reused username and password in one place, you likely reused it in many . . .
Let's put them up for sale!

Breach Replay 3/3: How we stop it
Usually, we detect the replay: accelerated login rate, lower than average success rate, unusual login target, high anomaly rate.
Lie to the bad guy (all passwords wrong).
Sometimes we get data from researchers, law enforcement, or even hackers.
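An added example (not Azure AD's detection logic, and not code from the presentation) that turns the detection signals above into a check over sign-in events, and also covers the "attack detection and account marking" point from the password spray slides: each source address is scored on accelerated login rate, success rate far below the tenant baseline and the number of distinct accounts it targets (the shape of a spray or a replayed list), and the accounts whose password was accepted from a flagged source are the ones to mark at risk. The sign-in records, addresses, user names, timestamps and thresholds are all constructed.

```python
"""Flag replay- and spray-like sign-in activity from sign-in events.

Added example, not Azure AD's detection logic: it scores each source
address on the signals the slide names (accelerated login rate, success
rate far below the tenant's baseline, many distinct target accounts, the
shape of a password spray) over constructed sign-in records, and lists
the accounts an attacker guessed correctly so they can be marked at risk.
Thresholds and all addresses, users and timestamps are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class SignIn:
    when: datetime
    source_ip: str
    user: str
    success: bool


def constructed_events():
    """Constructed sign-in log: one normal user plus one suspicious source."""
    base = datetime(2017, 8, 14, 2, 0, 0)
    events = [
        SignIn(base, "198.51.100.7", "alice", True),
        SignIn(base + timedelta(hours=1), "198.51.100.7", "alice", False),  # a typo
        SignIn(base + timedelta(hours=2), "198.51.100.7", "alice", True),
    ]
    # 40 different accounts tried from one address in about two minutes,
    # with a single success: the signature of a list being replayed.
    for i in range(40):
        events.append(SignIn(base + timedelta(seconds=3 * i), "203.0.113.9",
                             f"user{i:02d}", success=(i == 17)))
    return events


def summarize_sources(events):
    """Per source address: attempt count, attempts per minute, success rate, distinct users."""
    by_source = defaultdict(list)
    for e in events:
        by_source[e.source_ip].append(e)
    summary = {}
    for ip, evs in by_source.items():
        evs.sort(key=lambda e: e.when)
        # Treat a burst shorter than a minute as one minute so a single
        # attempt is not reported as an infinite rate.
        span_minutes = max((evs[-1].when - evs[0].when).total_seconds() / 60, 1.0)
        summary[ip] = {
            "attempts": len(evs),
            "per_minute": len(evs) / span_minutes,
            "success_rate": sum(e.success for e in evs) / len(evs),
            "distinct_users": len({e.user for e in evs}),
        }
    return summary


def flag_sources(events, baseline_success=0.9, max_per_minute=5.0, max_users=5):
    """Return {source_ip: [reasons]} for sources that look like replay or spray."""
    flagged = {}
    for ip, m in summarize_sources(events).items():
        reasons = []
        if m["per_minute"] > max_per_minute:
            reasons.append("accelerated login rate")
        if m["success_rate"] < baseline_success / 2:
            reasons.append("success rate far below baseline")
        if m["distinct_users"] > max_users:
            reasons.append("many distinct target accounts")
        if reasons:
            flagged[ip] = reasons
    return flagged


def accounts_to_mark(events, flagged):
    """Accounts whose password was accepted from a flagged source.

    These are the accounts to mark at risk: a sign-in risk policy would
    intercept the session and a user risk policy would require a reset.
    """
    return sorted({e.user for e in events if e.source_ip in flagged and e.success})


if __name__ == "__main__":
    events = constructed_events()
    flagged = flag_sources(events)
    for ip, reasons in flagged.items():
        print(ip, "->", "; ".join(reasons))
    print("mark at risk:", accounts_to_mark(events, flagged))
```

The point of `accounts_to_mark` is the one the slide makes: a correct guess from a flagged source is evidence of compromise, not of a legitimate user, so the successful attempt is what gets the account marked rather than what clears it.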

Compromised Accounts in the Wild
There are a variety of sources from which we can find lists:
- "Proof of validity" offers on pastebin
- Our own research
- 3rd party research
- Law enforcement/government
We are uniquely positioned to validate these lists: effectively, try to log in using the leaked credentials. If we have a match, we can tell you before the creds are exploited.
System has processed 2.4B cred pairs in 2017
1.26M in August 2017, ~20% match rate (1% new detection)
Enterprise: 0.02% match, 0.01% new detection

BREACH REPLAY GO DO'S
- Enable Password Hash Sync, so we can tell you if there are matching passwords
- Set a User risk policy, so when we find them, your user can change their password before the bad guys act

BREACH DEMO
- Password Hash Sync
- User Risk Policy

PHISH
3.2M Risk Events in Aug 2017

Phishing
Send semi-convincing email with embedded link to a bunch of people in the org. 15% click through and give up username/password.
Extra credit: use black market graph to make it look legit. Do OTP phishing as well. Collect location, browser, etc. from user login to defeat anomaly detection (or geo-hop).

AAD Phish!

Schroedinger's User
Credentials -> Azure Active Directory classifier -> Seems Good / Seems Bad
Learner: analysis, then deploy. Inputs: 10+ TB of logs, relying parties, self-reporting, threat data, behavior.
Label data and analyze the outcome, then update the classifier:
- True Negative / True Positive: We were right!
- False Negative / False Positive: We were wrong!

PHISH DEMO
- Session Risk Policy
- Admin MFA Policy

Help me . . . Help you
266 detected leaked creds (but 100k this year, 541 admin)
- But we can only detect when you have enabled PW Hash Sync, or master PW in the cloud
- Together this is only 16% of tenants
- True leak numbers likely 1,662/600K
Password Spray took down ~45k accounts in August, across 12k tenants
- Dynamic Banned Password effectively defangs this but . . .
- Only 15% of federated users enabling PW writeback from AAD
3.2M Risk events
- We don't disrupt the login flow unless the tenant enables a policy so . . .
- 6.4K risk challenges, because only 800K users configured (0.8%)
Only 0.73% of tenant admins are MFA enabled

SUMMARY OF GO-DO'S
GENERAL: Register ALL users for MFA; Watch for reports!; Multi-Factor Auth all admins
SPRAY: Use password writeback; Use self service PW reset; Set sign in risk policy
BREACH: Use password hash sync; Set user risk policy
PHISH: Set sign in risk policy

Privileged Identity Management
Discover, restrict, and monitor privileged identities
- Administrator privileges expire after a specified interval
- Enforce on-demand, just-in-time administrative access when needed
- Ensure policies are met with alerts, audit reports and access reviews
- Manage admin access in Azure AD and also in Azure RBAC

GO DEEP ON CONDITIONAL ACCESS!
BRK3012 – Secure Access to Office 365, SaaS and on-premises apps with Microsoft Enterprise Mobility and Security

Please evaluate this session
PC or tablet: visit MyIgnite https://myignite.microsoft.com/evaluations
Phone: download and use the Microsoft Ignite mobile app https://aka.ms/ignite.mobileapp
Your input is important!
