Welcome to Microsoft Mechanics. Coming up on the show, we take a look at the latest advances in how you can directly apply Microsoft security intelligence to protect your organization with Azure AD Identity Protection, for continuous real-time assessment of logins and users to protect against threats at the point of authentication. And, how you can reduce your attack surface by managing or restricting the exposure of privileged identities with Privileged Identity Management.
Microsoft Mechanics
I'm joined by Alex Weinert, group program manager on the Azure AD identity team. Welcome to the studio.

Great to be here.

So we've had Azure AD for a while now, and it's a fundamental technology that manages user identity for access to corporate resources, and it's central to our user authentication across Microsoft services. How has Azure AD evolved to help protect users?
I think there are three major innovations that we've done to help protect users in the last little bit. One is conditional access, which allows us to really frame how resources are accessed under the conditions that they come in. So things like, if you come in from off the corporate network, you can challenge with multi-factor auth, that sort of thing. Identity Protection, which really uses the Intelligent Security Graph to look at all the kinds of signals we have from across the industry and across Microsoft's researchers, to look at threats in the environment and then interrupt those threats before they can get into your environment. And then finally, Privileged Identity Management, which ensures that if there is any kind of an account takeover, there's a much lower chance that that's an admin that's being taken over.
Very good, so we've already seen a lot of conditional access on this show in the past. Can you show some of this with Identity Protection?
Sure, I'd be happy to walk you through some Identity Protection. To start off, I'll just point out that to get to Identity Protection you would just go to the marketplace, and within the marketplace, if you search the word identity or protection or any part of it, that would come right up. And there's Azure AD Identity Protection. Just select that and that will enable it in your tenant. Once you've done that, then you would see Azure AD Identity Protection. And as we get into it we see that there are three major areas we're dealing with. The first is around users who are at risk in the environment. And it looks like we believe the credentials for that user have been leaked onto the internet, or other ways need to be addressed. Second is risk events, which is where we look at things like sessions that are anomalous, that maybe are coming in from an environment we don't like. We can use the DCU's data to tell us that it's coming in from a botnet. We can look at Tor signal; we have a very good track of which machines are Tor involved. And all those things allow us to give a very good picture of what's a risky session. And then finally is configuration vulnerabilities in the environment, places where you can improve your security posture by addressing configuration issues.
And just to pause for a second, this is a big change from when we had to wade through lots and lots of reports to get to this kind of information.
Yeah, that's right. What we're trying to do now is, for the identity security professional, make sure they have a one-stop shop where they go and manage all that from one place and really understand what's going on in their environment. You can see here in the environment that we have, for example, users flagged for risk, and as we drill into that we can see that we have some number of users here that have risk scores. That just indicates that there's a possibility that their credentials have been compromised. And if we drilled into any one of these, we can see that in some cases we have users with a high risk level. We really want to be extra concerned about that. And so for example, picking on Mike Lee here, we can drill in and see that Mike, among other things, has had a leaked credential. And so how do we know that his credentials have actually been leaked? We have a couple of different sources to look at. One very common source for us is that we run the consumer identity system in Microsoft account, as well as running the enterprise identity system in Azure Active Directory. Between the two we see over 14 billion logins a day. We score all those logins and we're looking at attack patterns. There are certain attack patterns that show up where we can tell that, for example, a given IP address has gone bad, that it is only being used by an attacker. And so in those kinds of cases we can say that any traffic that comes in from that IP is bad traffic. We also work with the industry, with security researchers, with our own researchers inside, with law enforcement when appropriate, to get signals. For example, every time you see the news, you know, x million, x hundred million accounts were leaked by some company. So those various third-party IdPs that have maybe not as good a security posture or have had a leak, those are places where we can source that data and then make sure that if your employee has reused their username and password at another site and that site is breached, then we can protect you from that eventuality.
Excellent, it seems like you've got a lot of protection built in there.
Yeah, there's a lot going on here that is driven by that, plus machine learning systems. A lot of really, really cool stuff. In this case, leaked credentials here, this is a pretty strong signal. This basically means we've seen the credential in the wild. We know that username and password has been compromised. To get that user back to his posture of safety, we want to get that password changed. So if we wanted to, in Mike's case, we can see that with that leaked credential we could ask to reset the password right here in flow and just do a manual password reset.
It seems like having to manually reset them for lots of users at your organization could be a problem.
Right, it's a problem from two perspectives. One is, if you have a large organization, that's a lot of manual work to do. The more significant problem is that the time between when the compromise is detected and the time you can remediate it is the time that the bad guy gets to play. And we really want to minimize that window of time, right? And the only real way to do that is to set up a policy and let the system act on your behalf, so that the second we see a problem, we can react to that problem with policy and the machine auto-remediates the account.
In this case, you could set up a policy?
So we see the user risk policy for automatic mitigation. And if we drill in here we have a variety of things we can do. But one thing we could do is we can just say, look, if we have an account that we know is compromised, let's go ahead and block access. We could choose, if we wanted to, to have them change their password. That's another thing we can ask to do. So there's a variety of things that we can do here.
So how does user risk differ from the different risk events that we saw already inside the console?
Well, user risk again is that indication that you have a problem, that indicates that a user's password has actually gotten into the hands of bad guys. And one way that we see that evolving is that, for example, if the user has logins that are coming from a Tor network. I'm a big privacy advocate and there are valid uses for Tor browsers. But the fact is that ninety-four percent of the traffic that comes from Tor browsers is malicious. That's what both we and the industry have seen. So we have to realize that is a strong signal. If something's botnet, in fact we know that's a strong signal. One or two of those things, we might be making a mistake. Every algorithm has some amount of false positive. A set of those together and you start to say, okay, we're pretty sure this is a compromised account. This is no accident, right? So, a series of those together creates a user risk. An individual event is a session risk, which means that something with that session was wrong. A set of session risks obviously can roll up to a higher user risk, and everything kind of rolls together. We use a machine learning algorithm to calculate the probability that the user is compromised. So over time we adapt that and the systems auto-adapt to that.
Very good, so it actually really does start to learn around what's happening and what behaviors really look like?
That's right, the system is a learning system, which is a cool part about it. So as our bad actors evolve their tactics, the system automatically evolves itself. So, in this particular case we can go down and we see there's a sign-in risk policy you can set up. The sign-in risk policy allows us to look at a few things. We can apply it to a certain set of users who are going to do a roll-out in the environment. Then we can set it for different risk levels. So, if we drill into the conditions here we see that we have it set for a sign-in risk of medium and above. And then in this case we have different controls we can apply. We can say we just want to do a multi-factor auth challenge in this case. Or, for this experiment we'll say let's just block access outright. So, if you have something coming in from, let's say, a Tor network, let's not have them log in at all. That's all going to be informed by your company's policy and what's appropriate for your environment. The last thing we give you is the ability to actually estimate what's happening. In terms of, what's the impact? How many challenges can you expect? What's the help desk impact? That sort of thing. So we know that policy is turned on. And, it's all ready to go.
Cool, so I actually just happen to have Tor Browser installed on this machine here. And I already have Edge open as well. So I've typed in my username and password. So if I just hit sign in, this is what should happen with a regular sign-on, which is doing the right thing, I guess. So I hit sign in. And that's taking me into Office, in fact, in this case. I'm just going to change over into Tor Browser. And from within Tor, you can see that really is inside of Tor. And type in exactly the same thing, again.

You can see the sign-in was blocked, so that is the policy applying successfully. That's exactly what we just turned on just a few seconds ago. And the cool thing about this is that your good user under good circumstances is experiencing no friction. There's no MFA challenge and there's nothing in their way. But, as soon as there's a risk factor present we're able to shut down that risk.

So here Identity Protection is actually securing the logins as the authentications happen. Are we doing anything that's going to harness the signals from other services and devices?
Yeah, absolutely. If we go back to the risk events section we can see that there are multiple different types of risks that we detect. Many of those, as we talked about, are sourced from outside and from our own researchers. And we talked about other Tor network stuff. Another interesting signal is sign-ins from infected devices. And what that's looking at is botnet infections. Microsoft's Digital Crimes Unit does a lot of work to track and take down botnets. And as part of that work they have to identify nodes that are botnet infected. And they share that information with us as they collect it. And this is actually a very powerful way for you to know that a login is coming from an infected device. So here as we drill in on sign-ins from infected devices we can see that various folks have been infected with ZEROACCESS and Dorkbot. And we can see our old friend Mike Lee again showing up with a CONFICKER infection. So we can investigate that a bit and see what else we can learn about Mike. We see that he's had quite a few events and that's why his user risk is higher. One of the things that we can also look at is what's his role in the organization. And right here we see something that should make us pause: he's a global administrator.
Yeah, global admin in Azure AD essentially means you've got the keys to the kingdom.
That's right, and that's a serious concern. This is a place where maybe, what we really wish is that we didn't have global administrators that didn't need to be global administrators. If some number of people are going to have an account takeover or an infection in the environment, you'd like the number of people in your environment who are global admins as well to be as small as possible.
Yeah, absolutely.
So we talked about the users flagged for risk and risk events, and then we have the vulnerabilities. One of the places where we see the vulnerability is that Privileged Identity Management is telling us that we have too many global administrators.
How does it know that we have too many global admins? Is it just like if you've got more than four?
Well no, it's a little more clever than that. It's looking at the size of your organization, the segment of the industry you're in, and what's normal in that industry. So we're using a lot of intelligence around what we know about how tenants behave and what's the right number for somebody of your size. So it's not quite as simple as five is bad, although, you know, fewer is kind of always better. Let's go and look actually at Privileged Identity Management, where we can see all of its glory. Privileged Identity Management lets me do several different things. One of the most important things that it allows us is what we call Just-in-time access. The idea here is that I don't need to be an admin all the time, right? I probably need to be an admin for some very small amount of my work. When I go to get that admin privilege, I might want to have something like additional auditing to say when I did it. Or, to talk about who the approver is for that role. Or we're just doing something simple like multi-factor auth. And so the idea is that if the bad guy does get my credentials, the likelihood that I'm going to be admin in that moment is extremely small. That's really what we're after. So Privileged Identity Management here is going to give me a kind of a one-stop shop of a view of what is the state of my admin rights in the organization. I have admins who aren't using their privileged roles, and I have too many global admins. What I can do in any one of those cases is I can take an admin who maybe is in a permanent role and I can actually say, let's go and change this. Make them a temporary administrator instead of a full-time administrator. So here's global admin and I can look and I can actually change that. And I can say, okay, let's make this permanent or make it temporary, and actually set up the rules under which admin access is granted in the environment.
So we actually have technology built into Azure AD that helps to intelligently analyze and surface these kinds of threats. And it even helps IT admins to be able to remediate these things, and tells them if they've got too many global admins inside of their environments. What will I see next?
Well, we're continuously adding signals for detection and prevention, and part of this is bringing in signals from things like Advanced Threat Analytics and Cloud App Security. We're also extending the reach of our enforcement mechanisms to better embrace on-prem and hybrid scenarios. And then finally we're extending conditional access's capabilities to embrace more scenarios so they can react and give you a richer canvas to work with. These are really exciting times for identity.
Whereabouts can these folks go to learn more?
Well, if you're managing your directory services on-premises, I encourage you to look at Windows Server 2016, which also brings the Just-in-time and just-enough-access principles to on-prem AD. If you don't already have Azure Active Directory set up in your environment, you can sign up for an Azure Active Directory Premium trial, which I would recommend you do, so you can try out these features that we've shown. You can go to portal.Azure.com and sign up for a preview of Azure Active Directory, Identity Protection, and Privileged Identity Management. And, you can learn more at the link below.
Alex, this is great stuff, thank you very much for joining us on Microsoft Mechanics. And thank you very much for watching Microsoft Mechanics for the latest in tech updates. We'll see you later.