nic 2017 azure ad identity protection and conditional access: using the microsoft cloud to protect...
TRANSCRIPT
Azure AD Identity Protection and Conditional Access: Using the Microsoft cloud to protect your corporate identities and applications
About Your Speaker: Morgan Simonsen
• Cloud Evangelist @ Lumagate
• P-TSP @ Microsoft
• MCSE, MCSA, MCT
• MVP
• Twitter: @msimonsen
• Email: [email protected]
• Blog: morgansimonsen.com
Agenda
• Why are we in this room? - We are all going to the cloud and becoming mobile
• The Story so far - Cloud Identity with Azure Active Directory 101
• But I’m worried… - How to protect ourselves in this brave new world
• Skynet to the rescue - Azure AD Identity Protection
• IFTTTATAT - Azure AD Conditional Access
Why are we in this room? We are all going to the cloud and becoming mobile
The Cloud & Mobile Promise: easy access, 24x7 connectivity, flexibility, global reach, seamless collaboration, agility, reduced friction.
23% greater productivity, 100% higher employee satisfaction (Is mobility the answer to better employee productivity?, Forbes Magazine, 29.3.2016)
But what about Auditing? Security? Compliance & Assurance?
Enterprise Mobility + Security: The Microsoft vision
• Identity Driven Security
• Managed Mobile Productivity
• Comprehensive Solution (Users, Devices, Apps, Data)

Enterprise Mobility + Security: The Microsoft solution
• Azure Active Directory: Manage identity with hybrid integration to protect application access from identity attacks (Privileged Identity Management, Identity Protection, Conditional Access with ENFORCE MFA / ALLOW / BLOCK decisions)
• Azure Information Protection: Protect your data, everywhere
• Microsoft Cloud App Security: Extend enterprise-grade security to your cloud and SaaS apps
• Advanced Threat Analytics: Detect threats early with visibility and threat analytics
• Intune: Protect your users, devices, and apps
• Windows 10: Azure AD Join, Health Attestation, Windows Hello, BitLocker
The Story so far: Cloud Identity with Azure Active Directory 101
• Microsoft “Identity Management as a Service (IDaaS)” for organizations.
• Millions of independent identity systems controlled by enterprise and government “tenants.”
• Information is owned and used by the controlling organization—not by Microsoft.
• Born-as-a-cloud directory for Office 365. Extended to manage across many clouds.
• Evolved to manage an organization’s relationships with its customers/citizens and partners (B2C and B2B).
Azure Active Directory
• 33,000 Enterprise Mobility + Security / Azure AD Premium enterprise customers
• >110k third-party applications used with Azure AD each month
• >1.3 billion authentications every day on Azure AD
• More than 750 M user accounts on Azure AD
• >10 M Azure AD directories
• 90% of Fortune 500 companies use Microsoft Cloud (Azure, O365, CRM Online, and PowerBI)
• Every Office 365 and Microsoft Azure customer uses Azure Active Directory
Azure AD Trust Fabric
• Contoso AD (on-premises Active Directory) ↔ Contoso Azure AD
• Fabrikam AD ↔ Fabrikam Azure AD
• …and trust extends to all Azure AD enabled organizations
• Business-2-Business (B2B) lets all identities in Azure AD collaborate
• We are all in the same boat (forest)
Hybrid identity components
• On-premises: AD DS, FIM/MIM Sync
• Azure AD Connect (the identity bridge): sync engine, password sync, health (Sync, ADFS, ADDS), AD FS (optional), Pass-Through AuthN
• Azure AD
• Your apps: Office 365, Salesforce, Box, DropBox, Google, …
But I’m worried… How to protect ourselves in this brave new world
Sobering statistics: the frequency and sophistication of cybersecurity attacks are escalating
• $500B total potential cost of cybercrime to the global economy
• $3.5M average cost of a data breach to a company
• 200+ median # days attackers reside within a victim’s network before detection
• 75%+ network intrusions due to compromised user credentials
Industrialized Digital Crime: Cybercrime Supply Chain
• SDKs & Toolkits
• SaaS (social graph!)
• IaaS (botnets!)
• Phone support!
Azure Active Directory Identity Protection & Conditional Access: Cloud-powered protection
Adopt Cloud for Better Security
• Past: Cloud was security concern
• Now: Cloud is security peace of mind
• Economies of Scale → Security of Scale
• Division of responsibilities
• Compliance and Certifications (PCI, HIPAA etc.)
• Security Talent
Why use Azure AD to protect our users and apps?
• Cloud Cadence release schedule for new features
• Insights of scale
• World Class Protection
• Price
• Frankly; what are your other options…?
Mission: Protect our users
• World class signal due to massive amount of relevant data
• One of the world’s largest consumer identity services (the Microsoft Account service)
• One of the world’s large enterprise identity services (the Azure AD service)
• One of the world’s largest consumer email services (Outlook.com)
• One of the world’s largest enterprise email services (Office 365)
• One of the world’s largest online gaming services (Xbox Live)
• Signals from services like SharePoint Online, Skype and OneDrive to strengthen our analysis
• Feeds from Microsoft Digital Crime Unit and Microsoft Security Response Center
• Partnering with Law Enforcement, Security Researchers, Industry further enhances signal
Microsoft Daily Statistics: analyze >10 terabytes of data, deflect 1.5 million attacks, process >14B sign-ins (Source: https://www.microsoft.com/sir)
Machine Learning for security (animated diagram, built up over several slides; recovered content follows)
• A user presenting credentials to Azure AD is "Schrödinger’s User": until analysed, the sign-in both seems good and seems bad.
• A coder writes rules; the rules form a classifier that performs the analysis and outputs Seems Good or Seems Bad.
• Inputs to the analysis: self-reporting, threat data, relying parties, behavior, 10+ TB of logs.
• Label data records the outcome of each verdict: True Negative / True Positive ("We were right!") or False Negative / False Positive ("We were wrong!").
• A security analyst reviews the label data and makes code updates to the classifier, and the new classifier is deployed.
• A learner automates the loop: Analyze → Update → Deploy.
How Identity Protection detects and mitigates cyber attacks
• Sign-in Risk
  • Invoked on each login, evaluating that particular login
  • 100 data points (signals)
  • Result sent as input to Conditional Access
• User Risk
  • Invoked on each login, evaluating accumulated data
  • Background process
  • Collects data over time
Identity Protection in Action: EDU Attack
• 1,750 of 8,000 accounts compromised
• We noticed a sharp increase in password lockouts: a large elevation in user lockouts, and inspection showed the increase came from a single org (chart: users locked out per day)
• Suspicious IP activity very different from in-country IPs: in-country traffic has generally lower user volume and is generally successful, while the suspect IP shows mostly failure traffic and a single UserAgent
• A detailed suspicious IP view showed automated attacks: an initial bad guy test run, then large-scale account failures per minute (chart: accounts accessed per minute from the suspect IP)
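The two signals in the EDU story (a spike in lockouts, then one source IP producing mostly failures across many accounts per minute from a single user agent) written as detection logic over constructed sign-in records; this is an added example, not material from the talk, and the record format, thresholds and IP addresses are assumptions made for it.

```python
from collections import defaultdict

# Constructed sample sign-in records, not real telemetry:
# (timestamp, user, source IP, user agent, succeeded)
SIGNINS = [
    ("2017-02-01T09:00:05", "alice@contoso.com", "203.0.113.10", "Mozilla/5.0 (Windows NT 10.0)", True),
    ("2017-02-01T09:00:40", "bob@contoso.com",   "203.0.113.11", "Mozilla/5.0 (iPhone)",          True),
    ("2017-02-01T09:01:10", "carol@contoso.com", "203.0.113.12", "Mozilla/5.0 (Windows NT 10.0)", False),
    ("2017-02-01T09:01:15", "dave@contoso.com",  "203.0.113.12", "Mozilla/5.0 (Windows NT 10.0)", True),
    ("2017-02-01T09:02:00", "alice@contoso.com", "198.51.100.7", "python-requests/2.12",          False),
    ("2017-02-01T09:02:01", "bob@contoso.com",   "198.51.100.7", "python-requests/2.12",          False),
    ("2017-02-01T09:02:02", "carol@contoso.com", "198.51.100.7", "python-requests/2.12",          False),
    ("2017-02-01T09:02:03", "dave@contoso.com",  "198.51.100.7", "python-requests/2.12",          False),
    ("2017-02-01T09:02:04", "erin@contoso.com",  "198.51.100.7", "python-requests/2.12",          True),
    ("2017-02-01T09:02:05", "frank@contoso.com", "198.51.100.7", "python-requests/2.12",          False),
]

def lockout_spike(daily_lockouts, factor=3.0):
    """First signal from the talk: a sharp rise in lockouts. Flags the last day
    when it exceeds `factor` times the mean of the preceding days."""
    *history, today = daily_lockouts
    return today > factor * (sum(history) / len(history))

def profile_ips(signins):
    """Per source IP: attempts, failures, distinct user agents and the set of
    accounts touched in each minute (the per-minute chart from the slides)."""
    stats = {}
    for ts, user, ip, agent, ok in signins:
        s = stats.setdefault(ip, {"attempts": 0, "failures": 0, "agents": set(),
                                  "per_minute": defaultdict(set)})
        s["attempts"] += 1
        s["failures"] += 0 if ok else 1
        s["agents"].add(agent)
        s["per_minute"][ts[:16]].add(user)   # key = YYYY-MM-DDTHH:MM
    return stats

def suspect_ips(signins, min_accounts=5, min_failure_rate=0.6):
    """Second signal: an IP that hits many distinct accounts per minute, mostly
    failing, from a single user agent. Returns (ip, peak accounts/min, failure rate)."""
    flagged = []
    for ip, s in profile_ips(signins).items():
        peak = max(len(users) for users in s["per_minute"].values())
        failure_rate = s["failures"] / s["attempts"]
        if (peak >= min_accounts and failure_rate >= min_failure_rate
                and len(s["agents"]) == 1):
            flagged.append((ip, peak, round(failure_rate, 2)))
    return flagged
```

The thresholds are deliberately loose for the small sample; against real sign-in logs they should be tuned against a per-tenant baseline, as the talk's "single org" observation suggests.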
The Bad Guys are getting smarter too
• Botnets are bigger, cheaper and more available
• Bad guys are effectively defeating 2nd factor authentication
• Bad guys are feeding our machine learning systems bad data
• The bad guys have machine learning too
Risks Identified by AAD Identity Protection
• Leaked credentials (High)
• Impossible travel to atypical locations (Medium)
• Sign-ins from infected devices (Low)
• Sign-ins from anonymous IP addresses (Medium)
• Sign-ins from IP addresses with suspicious activity (Medium)
• Sign-ins from unfamiliar locations (Medium)
• Lockout events
Identity Protection APIs
• Microsoft Graph API: https://graph.microsoft.io
• IdentityRiskEvents: sign-ins and other events that have been analyzed and found to be “risky” by Identity Protection’s machine learning and algorithms
Enable AAD Identity Protection
• EMS E5/AAD P2 required
• Identity Protection works for any sign-in to Azure AD
Demo: Identity Protection in the Azure Portal
Multi-Factor Authentication (MFA) Registration Policy
• Pre-Canned Conditional Access Policy
• Edit: Users
• Access: Allow
• Access Controls: MFA registration
• Monitor Current Registration Status
• You should enforce this!
Sign-in risk remediation policy
• Pre-Canned Conditional Access Policy
• Edit: Users and Conditions
• Access: Allow or Block
• Access Controls: MFA Authentication
• Monitor Number of Sign-ins impacted
• Do not enforce this unless you have a high number of users registered with MFA!
User risk remediation policy
• Pre-Canned Conditional Access Policy
• Edit: Users and Conditions
• Access: Allow or Block
• Access Controls: Require Password Change
• Monitor Number of users impacted
• Should probably be enabled for High immediately
• AADP SSPR is a nice add-on feature to have enabled
User Experience – Suspicious Sign-In
• Sign-in Risk Policy enforced
User Experience – User at Risk
• User Risk Policy enforced
Licensing
• Azure Active Directory Premium P2 required
• Enterprise Mobility+Security E5
• If users don’t have it they cannot self-remediate!
Plan features: Identity and access management
• Enterprise Mobility + Security E3: Microsoft Azure Active Directory Premium P1
  • Secure single sign-on to cloud and on-premises apps
  • Multi-factor authentication
  • Conditional access
  • Advanced security reporting
• Enterprise Mobility + Security E5: Azure Active Directory Premium P2
  • Risk-based conditional access
  • Privileged identity management
  • Includes all P1 capabilities
Using Identity Protection with Conditional Access for Applications
Wide range of Enterprise Mobility Scenarios (level of access desired by the organization varies across the spectrum)
• Locked Down Device: example point-of-sale or maintenance tablet or PC; type of user: Task Worker; MDM enabled
• Managed Device: company provided phone, tablet or PC; type of user: Information Worker; MDM enabled
• Personal Device: personal phone, tablet or PC; type of user: Information Worker; ꭕ won’t enable MDM
• Unknown Device: kiosk at a hotel; type of user: Information Worker; ꭕ can’t enable MDM
Conditional Access Building Blocks
• "When this happens" is called the condition statement
• "Then do this" is called the controls
• The combination of a condition statement with your controls represents a conditional access policy
Conditional Access conditions and controls
• Application: per app policy; type of client (Web, Rich, mobile); cloud and on-premises applications
• User attributes: group membership
• Devices: domain joined, compliant, platform type (Windows, iOS, Android)
• Location: IP range
• Risk: session risk, user risk
• Controls (Microsoft Azure): ENFORCE MFA, ALLOW, BLOCK
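The building blocks above as a small policy evaluator, an added example that is not from the talk or from Azure AD itself: the policy shape, context fields, control names and IP ranges are assumptions. It models the three pre-canned policies from the earlier slides (MFA registration; sign-in risk at medium or above requires MFA; high user risk requires a password change) plus a per-app requirement for a compliant or domain-joined device that is waived inside a trusted IP range.

```python
import ipaddress

RISK_ORDER = {"none": 0, "low": 1, "medium": 2, "high": 3}

# Constructed policies in the talk's "when this happens / then do this" shape (not Azure AD's own schema).
POLICIES = [
    {"name": "MFA registration", "controls": {"mfa_registration"}},
    {"name": "Sign-in risk remediation", "sign_in_risk": "medium", "controls": {"mfa"}},
    {"name": "User risk remediation", "user_risk": "high", "controls": {"password_change"}},
    {"name": "Finance app from managed devices", "apps": {"finance"}, "groups": {"finance"},
     "trusted_ips": ["203.0.113.0/24"], "controls": {"compliant_or_domain_joined"}},
]

def context(**overrides):
    """Sign-in context (constructed for the example); keyword arguments override the defaults."""
    ctx = {"app": "mail", "groups": {"staff"}, "sign_in_risk": "none", "user_risk": "none", "ip": "198.51.100.9",
           "mfa_registered": True, "device_compliant": False, "domain_joined": False}
    ctx.update(overrides)
    return ctx

def policy_applies(policy, ctx):
    """Every condition the policy states must match; unspecified conditions match anything."""
    if "apps" in policy and ctx["app"] not in policy["apps"]:
        return False
    if "groups" in policy and not (policy["groups"] & ctx["groups"]):
        return False
    for level in ("sign_in_risk", "user_risk"):
        if level in policy and RISK_ORDER[ctx[level]] < RISK_ORDER[policy[level]]:
            return False
    if "trusted_ips" in policy:
        ip = ipaddress.ip_address(ctx["ip"])
        if any(ip in ipaddress.ip_network(net) for net in policy["trusted_ips"]):
            return False   # inside the trusted IP range the policy does not fire
    return True

def evaluate(ctx):
    """Union the controls of every matching policy, drop those the session already satisfies, decide."""
    required = set()
    for policy in POLICIES:
        if policy_applies(policy, ctx):
            required |= policy["controls"]
    if ctx["mfa_registered"]:
        required.discard("mfa_registration")
    if ctx["device_compliant"] or ctx["domain_joined"]:
        required.discard("compliant_or_domain_joined")
    # The talk's caveat: requiring MFA of users who never registered locks them out, and a
    # managed-device requirement cannot be met by a personal device, so both end in BLOCK.
    if "compliant_or_domain_joined" in required or ("mfa" in required and not ctx["mfa_registered"]):
        return "BLOCK", sorted(required)
    return ("ENFORCE" if required else "ALLOW"), sorted(required)
```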
Demo: Conditional Access for Applications in the Azure Portal
Devices Controls in Conditional Access
• Compliant Device:
  • Intune Compliance Policy
  • SCCM
• Domain Joined Device: Azure AD Registered Device (DRS)
  • Windows 10 Domain Joined: creates an object in AD which is synced to the cloud by AAD Connect
  • (Windows 10 Azure AD Joined: registers at join)
  • Windows 7, 8, 8.1 domain joined: ADFS claims configured for DRS
  • Windows 8.1 could potentially also enroll in MDM manually and become compliant that way
Azure AD Device Registration Prerequisites
• Device Registration Allowed: USERS MAY WORKPLACE JOIN DEVICES: ALL
• DNS Records:
  Entry: enterpriseregistration.contoso.com, Type: CNAME, Address: enterpriseregistration.windows.net
  Entry: enterpriseregistration.region.contoso.com, Type: CNAME, Address: enterpriseregistration.windows.net
• Internet Explorer Settings (these are defaults):
  • Don’t prompt for client certificate selection when only one certificate exists: Enable
  • Allow scripting: Enable
  • Automatic logon only in Intranet zone: Checked
• Group Policy to enforce registration
ADFS Claims for DRS
• Additional Claims:
  • http://schemas.microsoft.com/ws/2012/01/accounttype
  • http://schemas.microsoft.com/identity/claims/onpremobjectguid
  • http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid
  • http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid
Questions?
Please evaluate the session on your way out…
Hated It! Meh… Best session ever!