Stefan van der Wiele | Protect users identities and control access to valuable resources based on risk level
1 like245 views
This document summarizes a presentation on machine learning-based identity protection in Azure Active Directory. The key points are: 1. Azure AD uses machine learning to analyze over 10TB of logs and data from various sources to classify users as "seems good" or "seems bad" in real time. 2. The machine learning classifier is continually improved by analyzing outcomes when users are later determined to be malicious or legitimate. Code updates are deployed to improve classification accuracy. 3. A case study example describes how Azure AD detected an education sector attack through anomalous password lockout activity and suspicious IP patterns that differed from normal in-country traffic.
Stefan van der Wiele | Protect users identities and control access to valuable resources based on risk level
- 8. Hello, I would like to read this document. First, tell me who you are Let me check if I can trust you
- 9. Azure AD MFA Require MFA Allow access Deny access Force password reset****** Limit access Controls Users Devices Location Apps Conditions Machine learning Policies Real time Evaluation Engine Session Risk 3 10TB Effective policy
- 10. Identity Protection at its best Risk severity calculation Remediation recommendations Risk-based conditional access automatically protects against suspicious logins and compromised credentials Gain insights from a consolidated view of machine learning based threat detection Leaked credentials Infected devices Configuration vulnerabilities Risk-based policies MFA Challenge Risky Logins Block attacks Change bad credentials Machine-Learning Engine Suspicious sign- in activities Brute force attacks
- 12. Every day we:
- 19. Azure Active Directory Analysis Seems Good Seems Bad Classifier Schroedinger's User ? Credentials Self-reporting Threat dataRelying parties Behavior10+ TB Logs
- 20. Azure Active Directory Analysis Seems Good Seems Bad Classifier Self-reporting Threat dataRelying parties Behavior10+ TB Logs Schroedinger's User ? Credentials
- 21. Azure Active Directory Analysis Seems Good Seems Bad Classifier Self-reporting Threat dataRelying parties Behavior Schroedinger's User ? Label Data We were right! Credentials 10+ TB Logs
- 22. Azure Active Directory Analysis Seems Good Seems Bad Classifier Self-reporting Threat dataRelying parties Behavior Schroedinger's User ? Label Data We were wrong! Credentials 10+ TB Logs We were right!
- 23. Azure Active Directory Analysis Seems Good Seems Bad Classifier Self-reporting Threat dataRelying parties Behavior Schroedinger's User ? Security Analyst Label Data We were wrong! Credentials 10+ TB Logs We were right!
- 24. Azure Active Directory Analysis Seems Good Seems Bad Classifier Self-reporting Threat dataRelying parties Behavior Schroedinger's User ? Security Analyst Label Data Code updates to Classifier We were wrong! Credentials 10+ TB Logs We were right!
- 25. Credentials Azure Active Directory Analysis Seems Good Seems Bad Classifier Self-reporting Threat dataRelying parties Behavior Schroedinger's User ? Security Analyst Label Data Deploy new Classifier Code updates to Classifier We were wrong! 10+ TB Logs We were right!
- 26. Credentials Azure Active Directory Analysis Seems Good Seems Bad Classifier Self-reporting Threat dataRelying parties Behavior Schroedinger's User ? We were wrong! Analyze Label Data Update Deploy 10+ TB Logs We were right!
- 27. Learner Credentials Azure Active Directory Analysis Seems Good Seems Bad Classifier Self-reporting Threat dataRelying parties Behavior Schroedinger's User ? Label Data We were right! We were wrong! Analyze Update Deploy 10+ TB Logs
- 28. Identity Protection in Action: EDU Attack
- 29. We noticed a sharp increase in password lockouts Large elevation in user lockouts. Inspection show lockout increase from single org. Users Locked Out Per Day
- 30. Suspicious IP activity very different from in-country IPs Generally lower user volume Generally successful In- Country Traffic Suspect IP Mostly failure traffic Single UserAgent
- 31. Detailed suspicious IP view showed automated attacks Initial bad guy test run Large scale account failures/minuteAccounts Accessed Per-Minute, Suspect IP
- 33. Microsoft Security Days 18.Oktober 2017 Axel Ciml Oxford Computer Group GmbH 10.2017
- 34. Unternehmen • Fokussiert auf Identity and Security Management inkl. organisatorischer Unterstützung seit 1999 • 8 Niederlassungen weltweit, ca. 180 Consultants • Büro am MS Campus in Redmond • Erstellen Webcast für MS und OCG (eigener Youtube Kanal) • Erstellen offizielle Microsoft Trainingsunterlagen (ADFS, PKI, IdM etc)
- 35. User Story Herausforderung Wirtschaftsprüfer Hinweise: Probleme bei MA Austritt Probleme bei Verwaltung externe Mitarbeiter Mangelhaftes Reporting Einführung Azure Dienste Office 365 Azure RMS(AIP) Azure MFA Rechtekonzept in Azure Hybridszenario und Anbindung weiterer SAS Dienste (z.B. Salesforce) Lösung • Anbindung HR, externe MA Verwaltung • Userselfservice, Zutrittskontrolle, • Rollenmanagement, Smartcardverwaltung • Zentrales Reporting über “alle” Systeme • Synchronisation OrgDaten mit Azure • Implementierung von Azure RMS • inkl. Datenklassifizierung • Automatische Lizenzzuweisung (intern/extern) • Rechtevergabe auf Zeit (PIM) • Integration Salesforce in bestehende Umgebung • Hybrid da Vorgabe durch Kunden Mehrwert Kostenersparnis, Servicelevel wurde erhöht Hohe Dezentralisierung der administrativen Tätigkeiten Sicherheitsvorgaben des Kunden erfüllen Schutz des geistigen Eigentums Flexibilität bei Produktauswahl (Cloud – on Prem) Erhöhung der Sicherheit durch gezielte Lizenzvergabe Vereinfachung der Benutzerverwaltung Rasche Erweiterung ohne Änderung bestehender Infrastruktur Nutzung unserer Expertise
- 36. • ½ tägiger Workshop: Einführung in ein IdM Projekt • Zugriff auf fast 20 Jahre Expertise in der Umsetzung von IdM Projekten • Wie bereit ist Ihr Unternehmen? • Worauf ist zu achten? • Wen benötigt man in einem IdM Projektteam? • Welche sind die nächsten Schritte? • Beantwortung Ihrer Fragen zu diesem Thema • Ziel: • Persönlicher Fahrplan wie Sie in ein IdM Projekt starten können Offering