Published by Marilynn Booker. Modified over 6 years ago.
BRK3016: Shut the door to cybercrime with Azure Active Directory risk-based identity protection
Alex Weinert, Group Program Manager, Identity Security and Protection
Nitika Gupta, Program Manager, Identity Security and Protection
Deck rendered 5/30/2018 12:25 AM
© Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Identity is the new control plane
Diagram labels: Microsoft Azure Active Directory; On-premises / Private cloud.
Azure Active Directory in the marketplace
Every Office 365 and Microsoft Azure customer uses Azure Active Directory.
12M organizations; 950M users; 122B authentications in August 2017; 56K paid Azure AD / EMS customers; 90% of Fortune 500 companies use Azure AD.
Azure Active Directory
Capabilities: Azure AD Connect; B2B collaboration; provisioning/deprovisioning; Conditional Access; SSO to SaaS; self-service capabilities; Connect Health; Multi-Factor Authentication; addition of custom cloud apps; Access Panel/MyApps; dynamic groups; Identity Protection; remote access to on-premises apps; Azure AD B2C; group-based licensing; Privileged Identity Management; Microsoft Authenticator (password-less access); Azure AD Join; MDM auto-enrollment / Enterprise State Roaming; security reporting; Azure AD DS; Office 365 app launcher; HR app integration; access reviews.
Customer needs these address:
"I want to quickly deploy applications to devices, do more with less and automate join/move/leave processes."
"I need my customers, partners, and users to access the apps they need from everywhere and collaborate seamlessly."
"I want to provide my employees secure and easy access to every application from any location and any device."
"I need to comply with industry regulation and national data protection laws."
"I want to protect access to my resources from advanced threats."
Conditional Access (diagram)
Conditions: users, devices, apps, location, session risk (machine learning over 10TB of signal, evaluated in real time by the evaluation engine against the tenant's policies).
Controls produced by the effective policy: allow access, require MFA, force password reset, limit access, deny access.
Protected targets: on-premises apps, web apps.
Sobering statistics
140+: median number of days attackers reside within a victim's network before detection.
75%+: share of network intrusions due to compromised user credentials.
$6T: annual cost of cybercrime to the global economy.
$4M: average cost of a data breach to a company.
The frequency and sophistication of cybersecurity attacks are escalating.
Microsoft Intelligent Security Graph
Signal sources (diagram): Xbox Live, Azure Active Directory, Microsoft Accounts, Azure, Skype, Enterprise Mobility + Security, Office 365, Bing, OneDrive, Microsoft Digital Crimes Unit, Microsoft Cyber Defense Operations Center.
Intelligent protection with Azure Active Directory
For MSA (Microsoft accounts): 6.7M users marked as compromised monthly; 230M blocked login attempts (11M credentials) daily; 1M users protected by real-time detection and challenges each day.
For Azure AD: 300K users marked as medium/high risk monthly across 48K tenants; 3.2M users marked as at risk monthly across 97K tenants; 45K users confirmed to be compromised each month.
#deathtopasswords
PASSWORD SPRAY: try common passwords against known account lists.
BREACH REPLAY: try stolen passwords from other sites.
PHISH: trick your users into handing over their passwords.
IF YOU HAVE PASSWORDS, YOU MUST USE MFA.
Demo: Multi-Factor AuthN Ready (MFA registration)
PASSWORD SPRAY
Password Spray (aka brute force, hammering; strictly, spray is one password tried against many accounts, the reverse of classic per-account brute force)
The attacker's list, most common first: 123456, qwerty, 111111, 123123, password, 12345, abc123, 123, 123321, password1, qwertyuiop, 666666, a123456, 1234, 654321, 123456a, iloveyou, 159753.
Mark has an AAD account. His policy is uppercase, lowercase, numbers and a special character, 8-character minimum. His password is
The bad guy runs the most common password across all known usernames: one guess per account, so per-account lockout never triggers. With a large enough user list he is practically guaranteed at least one match, and he only needs one.
1. Password complexity requirements don't help
Most people use similar patterns (a capital letter in the first position, a symbol in the last, and a number in the last two). Cybercriminals run their dictionary attacks using the common substitutions, such as "$" for "s", "@" for "a", "1" for "l" and so on, so the "complex" variants are already in the dictionary.
2. Password expiry does more harm than good
Users who are required to change their passwords frequently select weaker passwords to begin with. Users do not choose a new, independent password; rather, they choose an update of the old one.
3. Longer passwords are not necessarily better
Users who are required to have a 16-character password tend to choose repeating patterns like fourfourfourfour or passwordpassword. Length requirements increase the chance of users writing their passwords down, re-using passwords, or storing them unencrypted on their PC.
Updated NIST guidelines (SP 800-63B)
Three main changes: no more periodic password changes; no more imposed composition (complexity) rules; validate new passwords against lists of commonly used and known-breached passwords.
We hate (bad) rulez
BAD GUIDANCE: complexity rules (upper, lower, number and special?) produce Password123!; expiration rules produce Sep2017! (monthly) or Fall2017! (quarterly).
GOOD GUIDANCE: minimum length requirements (to defeat offline brute-force attacks on stolen hashes); don't allow commonly attacked passwords.
In the meantime: dynamic banned password support
Prevent use of commonly attacked passwords.
Prevent use of common substrings.
Normalize common substitutions (S=$, etc.).
Attack detection and account marking: if the attacker guesses the right password, we can tell it is an attacker, and if you have a sign-in risk policy we can intercept the attempt.
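The three banned-password rules above (common passwords, common substrings, normalized substitutions) plus the Sep2017!/Fall2017! pattern from the previous slide, as an added example written for this page; it is not Microsoft's banned-password algorithm or code. The substitution table, the banned lists, the date pattern and the minimum length are assumptions chosen for illustration. Both the candidate and the banned terms are normalized, so P@$$w0rd and password compare equal.

```python
import re

# Assumed substitution table: a subset of the swaps attackers (and any real
# normalizer) apply. Not the production table.
SUBSTITUTIONS = str.maketrans({
    "$": "s", "@": "a", "0": "o", "1": "l", "3": "e",
    "4": "a", "5": "s", "7": "t", "8": "b",
})

# Assumed lists: globally common passwords plus tenant-specific terms.
GLOBAL_BANNED = ["password", "qwerty", "iloveyou", "letmein", "welcome", "abc123", "123456"]
TENANT_BANNED = ["contoso", "ignite"]

# Month or season name, optionally spelled out, followed by a year: Sep2017!, Fall2017!
DATE_PATTERN = re.compile(
    r"(jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec|spring|summer|fall|autumn|winter)"
    r"[a-z]*\d{2,4}"
)
MIN_LENGTH = 8  # assumed floor; the slides argue for length, not composition


def normalize(password: str) -> str:
    """Lower-case and undo common substitutions so leet variants collapse onto the base word."""
    return password.lower().translate(SUBSTITUTIONS)


def check_password(password: str) -> tuple[bool, str]:
    """Return (accepted, reason). Substring match means Password123! fails, not just 'password'."""
    if len(password) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    # Date patterns are checked on the raw lower-cased text, before digits get substituted.
    if DATE_PATTERN.search(password.lower()):
        return False, "month/season plus year pattern"
    normalized = normalize(password)
    for word in GLOBAL_BANNED + TENANT_BANNED:
        if normalize(word) in normalized:
            return False, f"contains banned term '{word}'"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ["Password123!", "P@$$w0rd1", "Fall2017!", "Contoso2018",
                      "correct horse battery staple", "Tr0ub4dor&3"]:
        print(f"{candidate!r}: {check_password(candidate)}")
```

The date rule is deliberately broad (it will also reject something like marathon2020), which is the usual trade-off for a banned-pattern check: a false rejection costs the user one more attempt, a false acceptance hands the sprayer a Fall2017! account.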
PASSWORD SPRAY DEMO: password writeback, self-service password reset, banned passwords
BREACH REPLAY
Attacker replay: 12M accounts per day in August.
List discovery: 266 accounts in August.
Breach Replay 1/3: how creds leak
Mark has his account in AAD, where all is safe. But he wants to book a lunch for his team, so he goes to a restaurant reservation site. This is for work, right? Just use the work e-mail address. Passwords are hard; just use your normal one. Too bad the restaurant stores all of this in an unencrypted MySQL database, and the hosting site is hacked. This scales to Yahoo, Anthem, Ashley Madison...
Breach Replay 2/3: how they are used
The bad guy gets a big list of username/password pairs. The passwords may be encrypted or hashed; that is not really a problem for him, because unsalted or weakly hashed lists fall to rainbow tables, dictionary attacks, etc. (and most of the passwords are common ones anyway). What shall I do with my giant list? Ooh, let's try running them against Twitter, Yahoo, Google and, yes, MSA: anywhere that accepts an arbitrary username string such as an e-mail address. If you reused a username and password in one place, you likely reused it in many. Then let's put them up for sale!
Breach Replay 3/3: how we stop it
Usually, we detect the replay: accelerated login rate, lower than average success rate, unusual login target, high anomaly rate.
Lie to the bad guy (report every password as wrong, even the correct ones).
Sometimes we get the data from researchers, law enforcement, or even hackers.
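From the service side, a password spray (the earlier slide) and a breach replay look alike: one source touching many accounts, far more failures than a real user produces, at a rate no human types. The detector below is an added example for this page, not Azure AD's detection logic; it runs the "accelerated login rate" and "lower than average success rate" signals from this slide over a constructed CSV sign-in log and applies the "lie to the bad guy" response. The column names, the sample addresses and the three thresholds are assumptions. The "unusual login target" and anomaly-rate signals are not modelled.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample sign-in log (not real Azure AD telemetry). 203.0.113.7 tries
# twelve different accounts in under a minute and gets one hit; the other two
# sources are ordinary users.
SAMPLE_LOG = "timestamp,source_ip,user,result\n" + "\n".join(
    [
        "2017-08-14T09:00:00Z,198.51.100.5,alice@contoso.com,success",
        "2017-08-14T09:00:40Z,198.51.100.5,alice@contoso.com,failure",
        "2017-08-14T09:01:10Z,198.51.100.5,alice@contoso.com,success",
        "2017-08-14T09:02:00Z,198.51.100.9,bob@contoso.com,success",
    ]
    + [
        f"2017-08-14T09:05:{5 * i:02d}Z,203.0.113.7,user{i:02d}@contoso.com,"
        + ("success" if i == 7 else "failure")
        for i in range(12)
    ]
)

# Assumed thresholds for illustration; a real service tunes these from its baseline.
MIN_DISTINCT_USERS = 5        # one source touching many accounts
MAX_SUCCESS_RATE = 0.2        # well below what genuine users achieve
MIN_ATTEMPTS_PER_MINUTE = 5   # accelerated login rate


def parse_log(text):
    """Parse the CSV export into dicts, converting the timestamp to a datetime."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(row)
    return events


def profile_sources(events):
    """Per source IP: attempts, distinct targets, success rate, rate per minute and a verdict.
    Keyed by source rather than by account, because a spray makes one attempt per account
    and never trips a per-account lockout."""
    by_ip = defaultdict(list)
    for event in events:
        by_ip[event["source_ip"]].append(event)
    profiles = {}
    for ip, evs in by_ip.items():
        times = sorted(e["timestamp"] for e in evs)
        # Measure over at least one minute so a lone event is not reported as 60/min.
        window_minutes = max((times[-1] - times[0]).total_seconds() / 60.0, 1.0)
        attempts = len(evs)
        successes = sum(1 for e in evs if e["result"] == "success")
        profile = {
            "attempts": attempts,
            "distinct_users": len({e["user"] for e in evs}),
            "successes": successes,
            "success_rate": successes / attempts,
            "attempts_per_minute": attempts / window_minutes,
        }
        profile["flagged"] = (
            profile["distinct_users"] >= MIN_DISTINCT_USERS
            and profile["success_rate"] <= MAX_SUCCESS_RATE
            and profile["attempts_per_minute"] >= MIN_ATTEMPTS_PER_MINUTE
        )
        profiles[ip] = profile
    return profiles


def effective_result(profile, actual_result):
    """'Lie to the bad guy': a flagged source is told every password is wrong, so the
    one lucky guess in the spray does not confirm a valid credential to the attacker."""
    return "failure" if profile["flagged"] else actual_result


def analyze(text=SAMPLE_LOG):
    return profile_sources(parse_log(text))


if __name__ == "__main__":
    for ip, profile in analyze().items():
        print(ip, "FLAGGED" if profile["flagged"] else "ok", profile)
```

The flagged source's single success is exactly the account the "attack detection and account marking" slide talks about: the sign-in is answered as a failure, and the account is the one to mark at risk and push through a sign-in risk policy.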
Compromised accounts in the wild
There are a variety of sources from which we can find lists: "proof of validity" offers on Pastebin, our own research, third-party research, law enforcement/government.
We are uniquely positioned to validate these lists: effectively, we try to log in using the leaked credentials, and if we have a match we can tell you before the creds are exploited.
The system has processed 2.4B credential pairs in 2017; 1.26M in August 2017, with a ~20% match rate (1% new detection). Enterprise: 0.02% match, 0.01% new detection.
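What "try to log in using the leaked credentials" amounts to on the directory side, as an added example written for this page and not Microsoft's implementation: the store holds only a per-user salt and a PBKDF2-HMAC-SHA256 hash, each leaked (user, password) pair is re-hashed with that user's salt and compared in constant time, and the matching users are the ones to mark at risk. Password Hash Sync in production works on the NT hash re-hashed with a per-user salt rather than on the cleartext; the hashing here is done directly over the cleartext for clarity. The iteration count, the account names and the leaked list are constructed assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000  # assumed work factor for the illustration


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of the cleartext; the directory never keeps the cleartext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_store(accounts: dict) -> dict:
    """Directory-side store: user -> (per-user random salt, hash)."""
    store = {}
    for user, password in accounts.items():
        salt = os.urandom(16)
        store[user.lower()] = (salt, hash_password(password, salt))
    return store


def find_matches(store: dict, leaked_pairs) -> list:
    """'Try to log in' with each leaked pair against our own store and return the users
    whose current password equals the leaked one. Users not in the store are skipped,
    and the comparison is constant-time so the check itself leaks nothing."""
    at_risk = set()
    for user, password in leaked_pairs:
        entry = store.get(user.lower())
        if entry is None:
            continue  # not one of our users; nothing to mark
        salt, stored_hash = entry
        if hmac.compare_digest(hash_password(password, salt), stored_hash):
            at_risk.add(user.lower())
    return sorted(at_risk)


# Constructed demo data: not real accounts and not a real breach dump.
ACCOUNTS = {
    "mark@contoso.com": "Summer2017!",                   # reused on the restaurant site
    "alice@contoso.com": "correct horse battery staple",
}
LEAKED_PAIRS = [
    ("Mark@contoso.com", "Summer2017!"),   # same password as in the directory
    ("alice@contoso.com", "alice1234"),    # our user, but a different password
    ("eve@example.net", "hunter2"),        # not our user at all
]
DIRECTORY = make_store(ACCOUNTS)


def demo() -> list:
    return find_matches(DIRECTORY, LEAKED_PAIRS)


if __name__ == "__main__":
    print("users to mark at risk:", demo())
```

This only works when the leaked list carries cleartext (or the defender has cracked the dump's hashes the way an attacker would) and when the directory holds the password material at all, which is why the next slide asks for Password Hash Sync: a federated tenant that keeps its hashes on-premises gives the service nothing to compare against.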
BREACH REPLAY GO-DO'S
Enable Password Hash Sync, so we can tell you if there are matching passwords.
Set a user risk policy, so when we find them your user can change their password before the bad guys act.
BREACH DEMO: password hash sync, user risk policy
PHISH: 3.2M risk events in August 2017
Phishing
Send a semi-convincing e-mail with an embedded link to a bunch of people in the org; 15% click through and give up their username/password.
Extra credit: use black-market graph data to make it look legitimate. Do OTP phishing as well (relay the one-time code while it is still valid). Collect location, browser, etc. from the user's login to defeat anomaly detection (or geo-hop).
AAD Phish!
Schrödinger's User
Azure Active Directory's classifier (diagram): credentials come in and the classifier labels the sign-in "seems good" or "seems bad". The learner behind it is trained on 10+ TB of logs plus relying-party feedback, self-reporting, threat data and behavior. Each decision is later labelled true negative or true positive (we were right) or false negative or false positive (we were wrong); the analysis updates the model, which is deployed back into the classifier.
PHISH DEMO: session risk policy, admin MFA policy
Help me help you
266 detected leaked creds in August (but 100K this year, 541 of them admins). We can only detect these when you have enabled Password Hash Sync or master the password in the cloud; together that is only 16% of tenants, so the true leak numbers are likely 1,662 / 600K.
Password spray took down ~45K accounts in August across 12K tenants. Dynamic banned passwords effectively defang this, but only 15% of federated users have password writeback from AAD enabled.
3.2M risk events. We don't disrupt the login flow unless the tenant enables a policy, so there were only 6.4K risk challenges, because only 800K users (0.8%) are covered by a configured policy.
Only 0.73% of tenant admins are MFA enabled.
SUMMARY OF GO-DO'S
GENERAL: register ALL users for MFA; watch for reports; multi-factor auth all admins.
SPRAY: use password writeback; use self-service password reset; set a sign-in risk policy.
BREACH: use password hash sync; set a user risk policy.
PHISH: set a sign-in risk policy.
Privileged Identity Management
Discover, restrict, and monitor privileged identities. Administrator privileges expire after a specified interval. Enforce on-demand, just-in-time administrative access when needed. Ensure policies are met with alerts, audit reports and access reviews. Manage admin access in Azure AD and also in Azure RBAC.
GO DEEP ON CONDITIONAL ACCESS!
BRK3012 – Secure Access to Office 365, SaaS and on-premises apps with Microsoft Enterprise Mobility and Security