NIC 2017 Azure AD Identity Protection and Conditional Access: Using the Microsoft cloud to protect your corporate identities and applications

58 pages

Upload: morgan-simonsen

Post on 11-Apr-2017

Category: Technology

TRANSCRIPT

Page 1: NIC 2017 Azure AD Identity Protection and Conditional Access: Using the Microsoft cloud to protect your corporate identities and applications

Page 2: Title slide

Azure AD Identity Protection and Conditional Access
Using the Microsoft cloud to protect your corporate identities and applications

Page 3: About Your Speaker

About Your Speaker: Morgan Simonsen
• Cloud Evangelist @ Lumagate
• P-TSP @ Microsoft
• MCSE, MCSA, MCT
• MVP
• Twitter: @msimonsen
• Email: [email protected]
• Blog: morgansimonsen.com

Page 4: Agenda

Agenda
• Why are we in this room? - We are all going to the cloud and becoming mobile
• The Story so far - Cloud Identity with Azure Active Directory 101
• But I’m worried… - How to protect ourselves in this brave new world
• Skynet to the rescue - Azure AD Identity Protection
• IFTTTATAT - Azure AD Conditional Access

Page 5: Why are we in this room?

Why are we in this room?
We are all going to the cloud and becoming mobile

Page 6: The Cloud & Mobile Promise

The Cloud & Mobile Promise
• Easy access
• 24x7 connectivity
• Flexibility
• Global reach
• Seamless collaboration
• Agility
• Reduced friction

23% greater productivity, 100% higher employee satisfaction
Source: Is mobility the answer to better employee productivity?, Forbes Magazine, 29.3.2016

But what about Auditing? Security? Compliance & Assurance?

Page 7: Enterprise Mobility + Security: The Microsoft vision

Enterprise Mobility + Security: The Microsoft vision
• Identity Driven Security
• Managed Mobile Productivity
• Comprehensive Solution
Covering Users, Devices, Apps and Data

Page 8: Enterprise Mobility + Security: The Microsoft solution

Enterprise Mobility + Security: The Microsoft solution
• Azure Information Protection: Protect your data, everywhere
• Microsoft Cloud App Security: Extend enterprise-grade security to your cloud and SaaS apps
• Advanced Threat Analytics: Detect threats early with visibility and threat analytics
• Intune: Protect your users, devices, and apps
• Azure Active Directory: Manage identity with hybrid integration to protect application access from identity attacks
  • Privileged Identity Management
  • Identity Protection
  • Conditional Access: ENFORCE MFA / ALLOW / BLOCK
• Windows 10: Azure AD Join, Health Attestation, Windows Hello, BitLocker

Page 9: The Story so far

The Story so far
Cloud Identity with Azure Active Directory 101

Page 10: Azure Active Directory

Azure Active Directory
• Microsoft “Identity Management as a Service (IDaaS)” for organizations.
• Millions of independent identity systems controlled by enterprise and government “tenants.”
• Information is owned and used by the controlling organization, not by Microsoft.
• Born-as-a-cloud directory for Office 365. Extended to manage across many clouds.
• Evolved to manage an organization’s relationships with its customers/citizens and partners (B2C and B2B).

By the numbers:
• 33,000 Enterprise Mobility + Security | Azure AD Premium enterprise customers
• >110k third-party applications used with Azure AD each month
• >1.3 billion authentications every day on Azure AD
• More than 750 M user accounts on Azure AD
• >10 M Azure AD directories
• 90% of Fortune 500 companies use Microsoft Cloud (Azure, O365, CRM Online, and PowerBI)
• Every Office 365 and Microsoft Azure customer uses Azure Active Directory

Page 11: Azure AD Trust Fabric

Azure AD Trust Fabric
• Contoso AD (on-premises Active Directory) ↔ Contoso Azure AD
• Fabrikam AD ↔ Fabrikam Azure AD
• …and trust extends to all Azure AD enabled organizations
• Business-2-Business (B2B) lets all identities in Azure AD collaborate
We are all in the same boat forest

Page 12: Hybrid identity components

Hybrid identity components
• On-premises: AD DS, FIM/MIM Sync
• Azure AD Connect (the identity bridge):
  • Sync engine
  • Password Sync
  • Health (Sync, ADFS, ADDS)
  • AD FS (optional)
  • Pass-Through AuthN
• Azure AD
• Your apps: Office 365, Salesforce, Box, DropBox, Google, …

Page 13: But I’m worried…

But I’m worried…
How to protect ourselves in this brave new world

Page 14: Sobering statistics

Sobering statistics
The frequency and sophistication of cybersecurity attacks are escalating
• $500B total potential cost of cybercrime to the global economy
• $3.5M average cost of a data breach to a company
• 200+ median # days attackers reside within a victim’s network before detection
• 75%+ network intrusions due to compromised user credentials

Page 15: Industrialized Digital Crime

Industrialized Digital Crime: Cybercrime Supply Chain
• SDKs & Toolkits
• SaaS (social graph!)
• IaaS (botnets!)
• Phone support!

Page 16: Azure Active Directory Identity Protection & Conditional Access

Azure Active Directory Identity Protection & Conditional Access
Cloud-powered protection

Page 17: Adopt Cloud for Better Security

WE DRIVE BUSINESS EVOLUTION FORWARD

Adopt Cloud for Better Security
• Past: Cloud was security concern
• Now: Cloud is security peace of mind
• Economies of Scale → Security of Scale
• Division of responsibilities
• Compliance and Certifications
  • PCI, HIPAA etc.
• Security Talent

Page 18: Why use Azure AD to protect our users and apps?

Why use Azure AD to protect our users and apps?
• Cloud Cadence release schedule for new features
• Insights of scale
• World Class Protection
• Price
• Frankly; what are your other options…?

Page 19: Mission: Protect our users

Mission: Protect our users
• World class signal due to massive amount of relevant data
  • One of the world’s largest consumer identity services (the Microsoft Account service)
  • One of the world’s large enterprise identity services (the Azure AD service)
  • One of the world’s largest consumer email services (Outlook.com)
  • One of the world’s largest enterprise email services (Office 365)
  • One of the world’s largest online gaming services (Xbox Live)
• Signals from services like SharePoint Online, Skype and OneDrive to strengthen our analysis
• Feeds from Microsoft Digital Crime Unit and Microsoft Security Response Center
• Partnering with Law Enforcement, Security Researchers, Industry further enhances signal

Microsoft Daily Statistics
• Analyze > 10 terabytes of data
• Deflect 1.5 million attacks
• Process > 14B sign-ins
Source: https://www.microsoft.com/sir

Page 20: Machine Learning for security

Machine Learning for security

Pages 21 to 32: Machine learning for security (one diagram, built up one element per slide)

• Page 21: Credentials are presented to Azure Active Directory.
• Page 22: The user presenting them is “Schrödinger’s User”: good or bad, unknown until observed (?).
• Page 23: A Coder writes Rules; a Classifier sorts the sign-in into Seems Good or Seems Bad.
• Pages 24 and 25: The Classifier’s Analysis draws on Self-reporting, Threat data, Relying parties, Behavior and 10+ TB of Logs.
• Page 26: Labeled Data confirms the verdicts: True Negative (Seems Good and was good) and True Positive (Seems Bad and was bad). “We were right!”
• Page 27: Labeled Data also exposes False Negative (Seems Good but was bad) and False Positive (Seems Bad but was good). “We were wrong!”
• Page 28: A Security Analyst produces the Labels for the Data.
• Page 29: The labels drive Code updates to the Classifier.
• Page 30: Deploy the new Classifier.
• Page 31: The loop: Analyze → Label Data → Update → Deploy.
• Page 32: The whole loop is the Learner.

Page 33: How Identity Protection detects and mitigates cyber attacks

How Identity Protection detects and mitigates cyber attacks
• Sign-in Risk
  • Invoked on each login, evaluating that particular login
  • 100 data points (signals)
  • Result sent as input to Conditional Access
• User Risk
  • Invoked on each login, evaluating accumulated data
  • Background process
  • Collects data over time

Page 34: Identity Protection in Action: EDU Attack

Identity Protection in Action: EDU Attack
1,750 of 8,000 accounts compromised

Page 35: We noticed a sharp increase in password lockouts

We noticed a sharp increase in password lockouts
Large elevation in user lockouts. Inspection showed the lockout increase came from a single org.
[Chart: Users Locked Out Per Day]

Page 36: Suspicious IP activity very different from in-country IPs

Suspicious IP activity very different from in-country IPs
• In-Country Traffic: generally lower user volume, generally successful
• Suspect IP: mostly failure traffic, single UserAgent

Page 37: Detailed suspicious IP view showed automated attacks

Detailed suspicious IP view showed automated attacks
• Initial bad guy test run
• Large scale account failures/minute
[Chart: Accounts Accessed Per Minute, Suspect IP]
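The three signals the EDU walkthrough on pages 35 to 37 relies on (a lockout spike, a source IP that is mostly failures with a single user agent, and many distinct accounts hit per minute) can be computed from ordinary sign-in logs. The following is an added example, not code from the talk or from Microsoft; the sign-in events and lockout counts are constructed, and the thresholds are illustrative starting points rather than Identity Protection's.

```python
from collections import defaultdict

# Constructed sample sign-in events (not real telemetry):
# (minute, user, source IP, country, user agent, success)
SIGNINS = [
    ("09:00", "alice", "203.0.113.10", "NO", "Outlook/16.0", True),
    ("09:01", "bob", "203.0.113.11", "NO", "Mozilla/5.0 Edge", True),
    ("09:02", "carol", "203.0.113.12", "NO", "Mozilla/5.0 Chrome", False),
    ("09:03", "alice", "203.0.113.10", "NO", "Outlook/16.0", True),
    ("09:10", "dave", "198.51.100.7", "XX", "python-requests/2.9", False),  # test run
    ("09:30", "erin", "198.51.100.7", "XX", "python-requests/2.9", False),
    ("09:30", "frank", "198.51.100.7", "XX", "python-requests/2.9", False),
    ("09:30", "grace", "198.51.100.7", "XX", "python-requests/2.9", False),
    ("09:30", "heidi", "198.51.100.7", "XX", "python-requests/2.9", True),
    ("09:31", "ivan", "198.51.100.7", "XX", "python-requests/2.9", False),
    ("09:31", "judy", "198.51.100.7", "XX", "python-requests/2.9", False),
]

def profile_by_ip(events):
    """Per-IP signals the slides compare: volume, failure share, user-agent
    diversity, countries seen and the peak number of distinct accounts
    tried within one minute."""
    raw = defaultdict(lambda: {"total": 0, "fail": 0, "agents": set(), "countries": set(),
                               "accounts": set(), "per_minute": defaultdict(set)})
    for minute, user, ip, country, agent, ok in events:
        s = raw[ip]
        s["total"] += 1
        s["fail"] += 0 if ok else 1
        s["agents"].add(agent)
        s["countries"].add(country)
        s["accounts"].add(user)
        s["per_minute"][minute].add(user)
    return {ip: {
        "total": s["total"],
        "failure_ratio": s["fail"] / s["total"],
        "distinct_agents": len(s["agents"]),
        "countries": sorted(s["countries"]),
        "distinct_accounts": len(s["accounts"]),
        "peak_accounts_per_minute": max(len(v) for v in s["per_minute"].values()),
    } for ip, s in raw.items()}

def suspect_ips(events, min_failure_ratio=0.7, min_accounts=5):
    """IPs that look like the suspect IP on pages 36 and 37: mostly failures,
    a single user agent, many distinct accounts. Thresholds are illustrative."""
    profiles = profile_by_ip(events)
    return sorted(ip for ip, p in profiles.items()
                  if p["failure_ratio"] >= min_failure_ratio
                  and p["distinct_agents"] == 1
                  and p["distinct_accounts"] >= min_accounts)

def lockout_spike_days(daily_lockouts, window=7, factor=3.0):
    """Indexes of days whose lockout count exceeds `factor` times the mean of
    the preceding `window` days (the 'sharp increase' chart on page 35)."""
    spikes = []
    for i in range(window, len(daily_lockouts)):
        baseline = sum(daily_lockouts[i - window:i]) / window
        if baseline > 0 and daily_lockouts[i] > factor * baseline:
            spikes.append(i)
    return spikes
```

A real tenant would group the lockout series per organisation before looking for the spike, which is how the single affected org on page 35 stood out.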

Page 38: The Bad Guys are getting smarter too

The Bad Guys are getting smarter too
• Botnets are bigger, cheaper and more available
• Bad guys are effectively defeating 2nd factor authentication
• Bad guys are feeding our machine learning systems bad data
• The bad guys have machine learning too

Page 39: Risks Identified by AAD Identity Protection

Risks Identified by AAD Identity Protection
• Leaked credentials (High)
• Impossible travel to atypical locations (Medium)
• Sign-ins from infected devices (Low)
• Sign-ins from anonymous IP addresses (Medium)
• Sign-ins from IP addresses with suspicious activity (Medium)
• Sign-ins from unfamiliar locations (Medium)
• Lockout events

Page 40: Identity Protection APIs

Identity Protection APIs
• Microsoft Graph API
  • https://graph.microsoft.io
• IdentityRiskEvents
  • Sign-ins and other events that have been analyzed and found to be “risky” by Identity Protection’s machine learning and algorithms

Page 41: Enable AAD Identity Protection

Enable AAD Identity Protection
• EMS E5/AAD P2 required
• Identity Protection works for any sign-in to Azure AD

Page 42: Demo

Demo: Identity Protection in the Azure Portal

Page 43: Multi-Factor Authentication (MFA) Registration Policy

Multi-Factor Authentication (MFA) Registration Policy
• Pre-Canned Conditional Access Policy
• Edit: Users
• Access: Allow
• Access Controls: MFA registration
• Monitor Current Registration Status
• You should enforce this!

Page 44: Sign-in risk remediation policy

Sign-in risk remediation policy
• Pre-Canned Conditional Access Policy
• Edit: Users and Conditions
• Access: Allow or Block
• Access Controls: MFA Authentication
• Monitor Number of Sign-ins impacted
• Do not enforce this unless you have a high number of users registered with MFA!

Page 45: User risk remediation policy

User risk remediation policy
• Pre-Canned Conditional Access Policy
• Edit: Users and Conditions
• Access: Allow or Block
• Access Controls: Require Password Change
• Monitor Number of users impacted
• Should probably be enabled for High immediately
• AADP SSPR is a nice add-on feature to have enabled

Page 46: User Experience – Suspicious Sign-In

User Experience – Suspicious Sign-In
• Sign-in Risk Policy enforced

Page 47: User Experience – User at Risk

User Experience – User at Risk
• User Risk Policy enforced

Page 48: Licensing

Licensing
• Azure Active Directory Premium P2 required
• Enterprise Mobility+Security E5
• If users don’t have it they cannot self-remediate!

Plan features (Identity and access management):
• Enterprise Mobility + Security E3: Microsoft Azure Active Directory Premium P1
  • Secure single sign-on to cloud and on-premises apps
  • Multi-factor authentication
  • Conditional access
  • Advanced security reporting
• Enterprise Mobility + Security E5: Azure Active Directory Premium P2
  • Risk-based conditional access
  • Privileged identity management
  • Includes all P1 capabilities

Page 49: Using Identity Protection with Conditional Access for Applications

Using Identity Protection with Conditional Access for Applications

Page 50: Wide range of Enterprise Mobility Scenarios

Wide range of Enterprise Mobility Scenarios
• Locked Down Device
  • Example: Point-of-sale or maintenance tablet or PC
  • Type of user: Task Worker
  • MDM Enabled
• Managed Device
  • Example: Company provided phone, tablet or PC
  • Type of user: Information Worker
  • MDM Enabled
• Personal Device
  • Example: Personal phone, tablet or PC
  • Type of user: Information Worker
  • ꭕ Won’t Enable MDM
• Unknown Device
  • Example: Kiosk at a hotel
  • Type of user: Information Worker
  • ꭕ Can’t Enable MDM
Level of Access Desired by Organization varies across the spectrum

Page 51: Conditional Access Building Blocks

Conditional Access Building Blocks
• "When this happens" is called the condition statement
• "Then do this" is called the controls
• The combination of a condition statement with your controls represents a conditional access policy

Page 52: Conditional Access

Conditional Access
Conditions:
• Application: per app policy; cloud and on-premises applications
• Type of client: Web, Rich, mobile
• User attributes: group membership
• Devices: domain joined, compliant, platform type (Windows, iOS, Android)
• Location: IP range
• Risk: session risk, user risk
Controls (evaluated in Microsoft Azure): ENFORCE MFA / ALLOW / BLOCK
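To make the building blocks on pages 51 and 52 concrete, and to show why page 44 warns against enforcing the sign-in risk policy before most users are registered for MFA, here is a small policy engine that models condition statements, controls and the two pre-canned Identity Protection policies from pages 44 and 45. It is an added example, not Azure AD's engine or any code from the talk: the `SignIn` and `Policy` shapes, the risk ordering and the rule that an unregistered user cannot complete an MFA challenge or a secure password change (and is therefore reported as blocked) are modelling assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

RISK_LEVEL = {"none": 0, "low": 1, "medium": 2, "high": 3}
SEVERITY = ["allow", "mfa", "password_change", "block"]   # strictest last

@dataclass
class SignIn:  # one login as the engine sees it (constructed, benign defaults)
    user: str = "alice"
    groups: frozenset = frozenset()
    app: str = "mail"
    ip: str = "198.51.100.5"
    device_compliant: bool = False     # Intune/SCCM compliance
    domain_joined: bool = False        # registered via DRS
    sign_in_risk: str = "none"         # Identity Protection, this login only
    user_risk: str = "none"            # Identity Protection, accumulated
    mfa_registered: bool = True

@dataclass
class Policy:
    name: str
    control: str                       # one of SEVERITY
    apps: frozenset = frozenset()      # empty = any application
    groups: frozenset = frozenset()    # empty = any user
    exclude_networks: tuple = ()       # IP ranges where the policy is skipped
    min_sign_in_risk: str = "none"
    min_user_risk: str = "none"
    require_trusted_device: bool = False   # compliant or domain joined

    def condition_matches(self, s: SignIn) -> bool:
        """The 'when this happens' statement."""
        if self.apps and s.app not in self.apps:
            return False
        if self.groups and not (self.groups & s.groups):
            return False
        if any(ip_address(s.ip) in ip_network(n) for n in self.exclude_networks):
            return False
        if RISK_LEVEL[s.sign_in_risk] < RISK_LEVEL[self.min_sign_in_risk]:
            return False
        return RISK_LEVEL[s.user_risk] >= RISK_LEVEL[self.min_user_risk]

# The two pre-canned Identity Protection policies from pages 44 and 45.
PRECANNED = [
    Policy("Sign-in risk remediation", "mfa", min_sign_in_risk="medium"),
    Policy("User risk remediation", "password_change", min_user_risk="high"),
]

def evaluate(policies, s: SignIn) -> str:
    """Apply every matching policy; the strictest control wins. An unmet device
    requirement becomes a block, and MFA or a secure password change cannot be
    completed by a user who never registered for MFA, so that is a block too."""
    controls = ["allow"]
    for p in policies:
        if not p.condition_matches(s):
            continue
        if p.require_trusted_device and not (s.device_compliant or s.domain_joined):
            controls.append("block")
        controls.append(p.control)
    result = max(controls, key=SEVERITY.index)
    if result in ("mfa", "password_change") and not s.mfa_registered:
        return "block"
    return result

def impact_report(policies, signins) -> dict:
    """Outcome counts for a batch of logins (the 'monitor number impacted' step)."""
    counts = {c: 0 for c in SEVERITY}
    for s in signins:
        counts[evaluate(policies, s)] += 1
    return counts
```

Running `impact_report` over a day of sign-ins before switching a policy from monitoring to enforcement shows how many of the "mfa" outcomes would really be blocks because of the MFA registration gap.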

Page 53: Demo

Demo: Conditional Access for Applications in the Azure Portal

Page 54: Device Controls in Conditional Access

Device Controls in Conditional Access
• Compliant Device:
  • Intune Compliance Policy
  • SCCM
• Domain Joined Device:
  • Azure AD Registered Device (DRS)
  • Windows 10 Domain Joined: creates an object in AD which is synced to the cloud by AAD Connect
  • (Windows 10 Azure AD Joined: registers at join)
  • Windows 7, 8, 8.1 domain joined: ADFS claims configured for DRS
  • Windows 8.1 could potentially also enroll in MDM manually and become compliant that way

Page 55: Azure AD Device Registration Prerequisites

Azure AD Device Registration Prerequisites
• Device Registration Allowed
  • USERS MAY WORKPLACE JOIN DEVICES: ALL
• DNS Records:
  Entry                                       Type   Address
  enterpriseregistration.contoso.com          CNAME  enterpriseregistration.windows.net
  enterpriseregistration.region.contoso.com   CNAME  enterpriseregistration.windows.net
• Internet Explorer Settings (these are defaults)
  • Don’t prompt for client certificate selection when only one certificate exists: Enable
  • Allow scripting: Enable
  • Automatic logon only in Intranet zone: Checked
• Group Policy to enforce registration

Page 56: ADFS Claims for DRS

ADFS Claims for DRS
• Additional Claims:
  • http://schemas.microsoft.com/ws/2012/01/accounttype
  • http://schemas.microsoft.com/identity/claims/onpremobjectguid
  • http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid
  • http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid

Page 57: Questions?

Questions?

Page 58: Session evaluation

Please evaluate the session on your way out…
Hated It! / Meh… / Best session ever!