Azure Active Directory security insights with Conditional Access Identity Protection – BRK3401

September 11, 2019 posted by


>>YES. >>GOOD AFTERNOON. WAKE UP, EVERYONE. HOW’S IGNITE GOING FOR YOU? NICE? WELL, IT IS AFTERNOON, AND IT IS THE MIDDLE DAY OF IGNITE, SO WE THOUGHT COFFEE THEME IS APPROPRIATE. NOW, IF YOU ATTENDED ALL OF THE IDENTITY SESSIONS AT IGNITE, YOU’VE SEEN THE SLIDE OR A VARIANT OF THE SLIDE A DOZEN TIMES BY NOW. ON MONDAY, EVERYBODY TALKED ABOUT IT YESTERDAY. SO BY NOW, WE ALL KNOW THAT PROTECTING IDENTITIES IS ONE OF THE MOST IMPORTANT THINGS WE CAN DO FOR OUR ORGANIZATION. COMPROMISED IDENTITIES HAVE LED TO HUGE LOSSES OF TRUST, EARNINGS, DATA, AND SOMETIMES LIVES. HOW CAN WE ALL STOP THIS? MY NAME IS RAJAT LUTHRA. I’M A SENIOR PROGRAM MANAGER AT THE MICROSOFT IDENTITY SECURITY PROTECTION TEAM. AND BY THE END OF THE SESSION, I’D LIKE FOR YOU TO BE ABLE TO USE ALL OF THE AMAZING SECURITY FEATURES OF AZURE TO BETTER PROTECT THE IDENTITIES OF YOUR EMPLOYEES SO THEY CAN FOCUS ON THEIR WORK. NOW, THIS SESSION IS IN A SLIGHTLY DIFFERENT FORMAT GIVEN THE TIME, WE CHANGED THE FORMAT OF THE SESSION. IT’S ABOUT A STORY OF AN IDENTITY SECURITY PROFESSIONAL JUST LIKE ALL OF US. NOW, QUICK DISCLOSURE, NO ADMINISTRATORS WERE HARMED IN THE MAKING OF THE STORY. LEGAL WANTED US TO DO THAT. LET’S MEET WES. WES IS AN ARIZONA-BASED IT COMPANY CALLED THE FORT COFFEE INC. THERE’S THE COFFEE THEME. JUST LIKE ALL OF YOU, WES IS AN EXPERT IN AZURE SECURITY FEATURES. COFFEE INC. IS AN ARTISAN COFFEE RETAILER BECAUSE WHY NOT? THEY’RE IN THREE COUNTRIES, THE U.S., JAPAN, AND BRAZIL. THE QUICK THING THE WAY THEY SET UP THE IDENTITIES IS THE U.S. AND JAPAN EMPLOYEES ARE ALL CLOUD SYNCED WHEREAS BRAZIL EMPLOYEES ARE COMPLETELY ON PREM. NOW, LET’S STEP INTO WES’S LIFE. THIS IS LAST WEDNESDAY, SEPTEMBER 19, JUST LAST WEEK. WES COMES INTO WORK AND DOES HIS MONTHLY SECURITY REVIEW, JUST LIKE ALL OF US, WE ALL DO THAT, RIGHT? YES. HE FIRST GOES IN. HE FINDS 100 OF HIS EMPLOYEES ARE ALL AZURE REGISTERED. AMAZING. I KNOW.
HE GOES INTO THE GROUPS. THE GROUPS ARE ALL LIT OUT. THIS WAS NOT SUPPOSED TO BE THE HUMOROUS PART OF THIS PRESENTATION. BUT STILL. SO HE ENABLED THE PASSWORD RESET FOR ALL OF HIS EMPLOYEES BECAUSE HE UNDERSTANDS THE IMPORTANCE BECAUSE NOW HIS EMPLOYEES CAN AUTOMATICALLY REMEDIATE THEMSELVES 24-BY-7 WITHOUT USING ANY HELP THIS TIME, BRINGING DOWN THE COST AND THE TIME TO REACT. THEN, HE LOOKS AT THE CONDITIONAL ACCESS, EVERYBODY’S FAVORITE. HE HAS THE BASIC POLICIES ALREADY IN PLACE. NOW, BY THE WAY, HE GOT ALL OF THESE FROM THE SECURE SCORE, SO HE’S GOT A POLICY THAT SAYS WHENEVER MY U.S. EMPLOYEES TRAVEL OUTSIDE OF THE U.S., I WANT THEM TO BE — SAME GOES FOR THE JAPANESE EMPLOYEES. HE’S GOT THE BASELINE PROTECTION IN PLACE. ALL I.T. ADMINISTRATORS ARE ALWAYS CHALLENGED. AND LOOK — HE’S ALSO USING THIS NEW FEATURE TO BLOCK LEGACY AUTHENTICATION IN THE ORGANIZATION. FOR ALL CLOUD EMPLOYEES BECAUSE WE KNOW THE LEGACY AUTHENTICATION IS NOT ONE OF THE MOST SECURE AUTHENTICATIONS BECAUSE YOU CANNOT CHALLENGE THEM IN REALTIME. ALL GOOD, NOW BECAUSE WES IS AN EXPERT, HE USES THE TOOL WITH CONDITIONAL ACCESS TO UNDERSTAND THE IMPACT OF EACH AND EVERY POLICY HE HAS ON A SINGLE ORGAN. HE TRIES ON HIMSELF AND HE FINDS HE WILL ALWAYS HIT THE BASELINE PROTECTION POLICY BECAUSE HE’S AN IDEAL ADMINISTRATOR. AMAZING. LET’S TALK ABOUT IDENTITY PROTECTION. THAT’S MY FAVORITE. WES HAS THE POLICY IN PLACE. WHAT IT MEANS IS, REMEMBER, ANY CLOUD EMPLOYEES AGAIN WITH HIGH RISK THAT WOULD AUTOMATICALLY BE REMEDIATED WITH A SECURE PASSWORD CHANGE. THIS HELPS TREMENDOUSLY. THIS HELPS TO KEEP THE HIGH-RISK USERS COUNT TO ZERO IN HIS ORGANIZATION. HE ALSO HAS THE POLICY IN PLACE. REMEMBER, HE GETS MEDIUM OR HIGHER-RISK SIGN-IN, THEY ARE AUTOMATICALLY MFA CHALLENGED AND STRIKING THE BALANCE BETWEEN SECURITY AND USABILITY. THE EMPLOYEES ARE NOT MFA CHALLENGED ALL THE TIME, BUT WHEN THEY HAVE RISK, THEY ARE MFA CHALLENGED. AMAZING. WES ALSO HAD AN ALERT SET UP.
EVERY TIME A USER MOVES TO HIGH-RISK IN HIS ORGANIZATION, ALL OF THE I.T. ADMINISTRATORS GET A NOTIFICATION. NOW, THERE’S A GAP HERE. THE ALERTS ARE ONLY GOING TO THE WHAT IF THE WES WANTED THESE ALERTS TO GO TO THE DISTRIBUTION LIST WHICH IS NOT AN IT ADMINISTRATOR, HOPEFULLY. NOW STARTING THIS WEEK, YOU HAD THE ABILITY TO ADD DISTRIBUTION LISTS AND CUSTOM I.D.s IN THE DEVELOPMENT. THESE ARE IN THE PREVIEW, PLEASE GO AHEAD AND SET IT UP. WEEKLY NOTICE E-MAILS ARE ALSO ENABLED. EVERYTHING IS GOING GOOD SO FAR. SEEMS LIKE A HAPPY STORY, RIGHT? WELL, WES IS AN ADMINISTRATOR, SO YOU KNOW IT CANNOT BE ALL A HAPPY STORY. NOW, WES UNDERSTANDS THE IMPORTANCE OF TRUSTED IPs. HE’S MINIMIZING THE SIGNAL NOISE BY PINNING AZURE ACTIVE THE IDENTITY TOOL HE TRUSTS WHICH ARE PART OF HIS INFRASTRUCTURE. HE’S GOING BACK ALONG WITH THE IP RANGES FOR COUNTRIES, JAPAN AND THE U.S. EVERYTHING LOOKS GOOD. LET’S SEE WHAT HAPPENS. NOW, WHILE WES WAS REVIEWING THE SECURITY BROCHURE, GOING ON RIGHT NEXT DOOR. IN THAT MEETING, IT WAS DECIDED THAT ON PREM ONLY BRAZIL EMPLOYEES WILL FINALLY MOVE TO THE CLOUD. THE GOOD NEWS. THE SAD NEWS IS, WES WASN’T THERE IN THAT MEETING. WES’S COLLEAGUE CALVIN WAS THERE. NOW, CALVIN WAS ENTRUSTED WITH THE SCHEDULING OF THIS JOB TO MOVE ALL OF THESE EMPLOYEES TO THE CLOUD AND ANY LINKED ACTIVITIES AROUND IT. NOW, SPEAKING OF BEING ENTRUSTED, A LITTLE BIT ABOUT CALVIN. CALVIN IS THAT COLLEAGUE WHO DOES NOT FOLLOW A CHANGE CONTROL PROCESS. WE ALL HAVE A CALVIN IN OUR TEAM, RIGHT? AND IF YOU DON’T THINK YOU HAVE A CALVIN, YOU MIGHT BE THE CALVIN. [ APPLAUSE ] [LAUGHTER] WELCOME, WEEKEND, SUNDAY STARTS, WES PICKS UP HIS CAR KEYS AND GOES TO THE BEAUTIFUL ARIZONA HORSESHOE BEND TO HAVE A WEEKEND OF HIKING AND PHOTOGRAPHY. TRUSTWORTHY CALVIN IS ONLY AT THE AIRPORT ON THE WAY TO EUROPE FOR HIS VACATION. WHAT COULD GO WRONG? IT’S SATURDAY EVENING. 7:00 P.M., WES IS OUTSIDE HAVING FUN. 
BUT AT THE SAME TIME, CALVIN’S SCHEDULED PROCESS TO MOVE ALL OF THE BRAZIL EMPLOYEES TO THE CLOUD HAS KICKED IN. ALL BRAZIL EMPLOYEES ARE GETTING SYNCED TO THE CLOUD. WES IS LITERALLY IN THE DARK RIGHT NOW. WHAT COULD GO WRONG? SUNDAY NIGHT. WES COMES BACK HOME AFTER A LOT OF HIKING. HE’S TIRED. HE IMMEDIATELY GOES TO BED. 2:00 A.M. AT NIGHT, MONDAY EARLY MORNING, HE GETS A NOTIFICATION ON HIS PHONE, YES, HE LOVES HIS PHONE. HE’S AWAKENED BY THIS NOTIFICATION WITH THE SUBJECT, “USER AT RISK DETECTED.” WES WAKES UP IN PANIC. NOW, THE FIRST QUESTION WES HAS IS, HOW BAD IS THIS? NOW BEING THE TRUSTWORTHY EXPERT IN THE SECURITY HE DID GO TO THE AZURE PORTAL AND UNDERSTAND WHAT’S GOING ON. HE FIRES UP THE AZURE PORTAL, AND CLICKS ON SECURITY. NOW, THIS IS LIVE DEMO, BY THE WAY. THIS IS NOT SCREEN SHOTS. HE SEES THIS BEAUTIFUL OVERVIEW WHICH NONE OF YOU HAVE SEEN THIS BEFORE. THIS IS SOMETHING BRAND NEW WHICH COMES WITH THE REFRESH IDENTITY PROTECTION. WES LOOKS INTO THE NEW RISK USERS DETECTED. HE SEES THAT OVER THE WEEKEND, SEPTEMBER 23 AND SEPTEMBER 24, MORE AND MORE HIGH RISKS WERE DETECTED. EIGHT HIGH RISKS ARE DETECTED OVER THE WEEKEND. THAT SEEMS SCARY. THE CURRENT HIGH RISK USER COUNT IS HIGH, THERE ARE SIX USERS. IN THE NEW RISK ASSIGNMENTS TREND LINE, WES SEES THAT THE NUMBER OF RISKY SIGN-INS HAS DROPPED. NOW, THE BARS YOU SEE AT THE BOTTOM ARE THE SIGN-INS WHICH WERE SUCCESSFUL, RISKY, AND MFA CHALLENGED, THESE ARE THE SIGN-INS THAT YOU LIKE. BUT THE BLUE ONES ARE THE SIGN-INS THAT WERE RISKY, SUCCESSFUL, BUT NOT MFA CHALLENGED. SO OVER THE WEEKEND, MORE BLUES HAVE POPPED UP, ADDING BLUES TO WES’S LIFE. NOT JUST THAT, THE UNPROTECTED RISKY SIGN-INS IN THE LAST ONE WEEK IS NOW 673 OUT OF 5,500. THE LATEST COUNT IS 359 IN THE LAST ONE WEEK. HOW COULD THIS BE POSSIBLE? THAT’S WHAT WES IS WONDERING, BECAUSE HE HAS THE POLICIES TO BLOCK LEGACY AUTHENTICATIONS ALREADY. WHAT HAPPENED IN THE LAST TWO, THREE DAYS? WELL, NOW LET’S GO BACK TO THE SLIDES.
WES GOT HIS ANSWER. IT’S PRETTY BAD. NOW, THE NEXT QUESTION IS, OKAY, HOW MANY USERS, WHICH USERS WERE AFFECTED? WHAT’S GOING ON IN MY ENVIRONMENT? I WANT TO DIG IN MORE. HE CLICKS ON THE NEW RISK USERS TREND LINE OR LETS US CLICK ON THE HIGHEST USERS COUNT. HE’S TAKEN OUT, TAKEN TO THE NEW RISKY USERS REPORT WHICH COMES WITH THE REFRESH AND PROTECTION, WHICH LISTS THEM ALL OF THE HIGH-RISK USERS. SO THIS IS CURIOUS. HE CLICKS ON LENA. BRAZIL. AND SHE WORKS IN OPERATIONS. YOU WANT ME TO ZOOM IN A BIT? OKAY. THANK YOU. OKAY. SO HE CLICKS ON LENA. AND HER RECENT RISKY SIGN-INS ARE SEPTEMBER 23, 329, 325. NOW, WHAT MOVED LENA TO HIGH RISK? WOW, LENA ALSO HAD LEAKED CREDENTIAL PROTECTION. NOW WES IS CURIOUS, WHY IS LENA NOT COVERED IN THIS POLICY ALREADY? HE CLICKS ON LENA. HE GETS TAKEN TO THE USER’S VIEW OF LENA, AND HE CLICKS ON THE GROUPS. LOOKS LIKE LENA BELONGS TO A GROUP CALLED BRAZIL EMPLOYEES SYNCED FROM ON PREM, 9:23, THANK YOU, CALVIN. WES GOES BACK. HE THEN LOOKS UP ANOTHER HIGH-RISK USER, CLARA. NOW, CLARA, AGAIN, WORKS AT THE HUMAN RESOURCES DEPARTMENT IN CLARA IS ALSO IN THE SAME GROUP. OKAY. THAT’S INTERESTING. NOW, IF YOU CAN LOOK AT THIS VIEW, THIS IS A COMPLETELY REFRESHED RISKY USERS’ VIEW WHERE YOU CAN HAVE SEARCHING AND SORTING SO YOU CAN LOOK INTO YOUR USERS WITH RISK LEVEL HIGH, RISK STATE, AT RISK, WHICH ARE MEMBERS OR GUESTS IN YOUR ORGANIZATION. THEN YOU CAN SORT THEM BASED ON THE RISK LEVEL BECAUSE LUCKILY FOR US, THERE ARE ONLY SIX USERS AT HIGH RISK, BUT FOR YOU, IT COULD BE MORE. SO YOU HAVE THE ABILITY TO SEARCH AND SORT WITHIN THE SUPPORT. BUT LET’S GO RIGHT TO THE SLIDES. OH WES UNDERSTOOD THERE IS SOMETHING GOING WRONG WITH THE USERS IN BRAZIL. THE USER GROUP HAS POPPED UP. NOW, HE LOOKS — HE THINKS A BIT MORE AND UNDERSTANDS, OKAY, THE ROOT CAUSE IS THAT THE EMPLOYEES HAVE BEEN SYNCED TO THE CLOUD. NOT REALLY.
THE ROOT CAUSE IS NOT BECAUSE BRAZIL EMPLOYEES SYNCED TO THE CLOUD, BUT BECAUSE THE CLOUD IS MAKING THE VISIBLE WHICH IS ALREADY LYING IN THIS ENVIRONMENT. SO, THE COLLECTIVE CLOUD INTELLIGENCE IS AT WES’S RISK NOW BECAUSE HE CAN SEE THE BADNESS GOING ON WITH THE BRAZIL EMPLOYEES BECAUSE THEY SYNCED TO THE CLOUD. NOW, MY BOSS, ALEX, HAS AN ANALOGY HERE. HE SAYS THIS IS LIKE YOUR KITCHEN, ROACHES, AND LIGHT. IF YOU TURN ON THE LIGHT AND YOU SEE THE ROACHES, THE LIGHT DID NOT BRING THE ROACHES. THE LIGHT IS OFF, THERE ARE NO ROACHES, BUT THE LIGHT IS ON, THERE ARE ROACHES. THE CLOUD TURNED ON THE LIGHT. I TRIED TO GET THE ROACHES, BUT WE DID NOT HAVE ANY. I GOT A CALL FROM THE HR DEPARTMENT WHAT’S GOING ON? WHY ARE YOU LOOKING FOR ROACHES? THEY GAVE ME THE EMPLOYEE ASSISTANCE PROGRAM PHONE NUMBER. YOU MIGHT NEED HELP. SO, NOW WE KNOW THAT IDENTITY PROTECTION HAS MADE ALL OF THESE THINGS VISIBLE AND POSSIBLE. WE COULD FIGURE OUT THAT LENA AND CLARA HAD RISKY SIGN-INS, WHICH WAS SUCCESSFUL AND WHAT WAS GOING ON WITH THESE SIGN-INS? THEY WERE COMING IN FROM THE MALWARE LINKED IP ADDRESSES, OR THIS SIGN-IN CAME IN FROM A — LET’S SEE, AN ANONYMOUS IP ADDRESS. NOW, BECAUSE WES HAD THIS ENABLED, WHENEVER THE USERS MOVED TO THE CLOUD, EVEN THE LEAKED CREDENTIAL PROTECTION WAS MADE POSSIBLE FOR CLARA. SO THE PROTECTED CREDENTIALS BECAUSE THE CREDENTIALS WERE ALREADY ALL THERE. OKAY. OKAY, WES, IT’S NOW 2:20 A.M., 20 MINUTES SINCE THE LAST E-MAIL LANDED AND WES NOW SEES THE PROBLEM, BUT THE RESIDENT EMPLOYEES ARE NOT MFA REGISTERED. SO WHAT DOES WES DO NOW? HE GOES TO THE INTERFERENCE ADMINISTRATION POLICY WITHIN THE SECURITY VIEW OF AZURE AND ADDS THE EMPLOYEE’S GROUP HERE. DONE. WHAT THIS MEANS IS EVERY TIME A NEW BRAZIL EMPLOYEE WOULD LOG IN WITH NO RISK ON THE SIGN-IN, THEY WILL BE ASKED TO DO AN MFA REGISTRATION. WHILE WES IS SLEEPING.
NOW, THE USERS WHO ARE ALREADY REGISTERED IN BRAZIL, FOR THOSE GOING INTO THE USER’S POLICIES AND ADDS THOSE USERS INTO THE USERS POLICY HERE, THAT WAY EVERY TIME LENA OR CLARA LOG IN NEXT, THEY WILL BE ASKED TO DO A SECURED PASSWORD CHANGE, AS FOR THIS POLICY. AS SOON AS THEY DO A SECURED PASSWORD CHANGE, WE KNOW THE IDENTITY IS BACK IN THE HANDS OF THE GOOD EMPLOYEE BECAUSE THEY DID THE MFA AND WE WILL IMMEDIATELY REDUCE THE RISK BACK TO ZERO FOR THESE EMPLOYEES. THEREBY LETTING YOU AUTOMATICALLY REMEDIATE YOUR USERS. WES HAS ANOTHER QUESTION. I PROTECTED MY EMPLOYEES, MADE THEM DO THE MFA REGISTRATION BY NOW, WHAT ABOUT THE SIGN-INS? CAN I LOOK UP RISKY SIGN-INS THAT CAME IN OVER THE WEEKEND? WES GOES BACK TO THE SECURITY OVERVIEW. CLICKS ON THE NEW RISKY SIGN-INS DETECTED TRENDLINE. AND HE’S TAKEN TO THE NEW SIGN-INS REPORT. BEAR IN MIND, THE SIGN-INS REPORT WAS NEVER AVAILABLE TO YOU BEFORE WITH THE RISK INFORMATION IN THERE. YOU HAD RISKY USERS AND RISKY EVENTS. BUT NOW WITH THE REFRESH OF IDENTITY PROTECTION, WHICH IS IN PRIVATE PREVIEW TODAY, YOU CAN LOOK AT ALL OF THE RISKY SIGN-INS. NOW, WES SAYS, OKAY, LET ME LOOK AT THE SIGN-INS WHICH WERE MEDIUM OR HIGH. REALTIME RISK. I HAVE SOMETHING NEW HERE. I HAVE REALTIME RISK AGGREGATE. HAVE YOU SEEN THIS BEFORE? THIS IS SOMETHING NEW AS WELL. WHAT THIS DOES IS MACHINE LEARNING LOOKS INTO ALL FOR A SIGN-IN, NOT JUST THE REALTIME ONES, BUT ALSO THE NONREALTIME DETECTIONS AND OTHER FEATURES OF THE SIGN-IN TO COME UP WITH THE NEW RISK LEVEL, SO YOU CAN DO PRIORITIZING INVESTIGATION BASED ON THIS RISK LEVEL WHICH ENCOMPASSES EVERYTHING WE KNOW ABOUT THAT SIGN-IN. AND HE SAYS, OKAY, I WON’T DO IT IN THE LAST SEVEN DAYS, AND THEN SORTS IT BY THE DATE. NOW ALL THESE RISKY SIGN-INS WERE SADLY NOT REQUIRING MFA. BECAUSE THESE USERS WERE NOT MFA REGISTERED. THAT MEANS BAD ACTORS, POTENTIALLY BAD ACTORS HAVE ALREADY GONE INTO THIS ENVIRONMENT. NOW, WES DOES A QUICK CHECK ON THE SIGN-INS, HE GOES INTO LET’S SAY LENA.
AND HE CAN SEE ALL OF THE SIGN-IN INFORMATION HERE. HE CAN SEE THE BASIC SIGN-IN INFORMATION STARTING WITH THE — TO CORRELATION I.D., TO THE LOCATION TIME STAMP OR THE APPLICATION HE WAS TRYING TO ACCESS. HE CAN LOOK INTO THE DEVICE INFORMATION. HE CAN FIGURE OUT WHY THE SIGN-IN IS RISKY, OR THE SIGN-INS. HE CAN LOOK INTO THE MFA SIGN-INS, SADLY, NO MFA HERE. AND THEN FIND THE SIGN-IN. THIS GIVES HIM A COMPLETE PICTURE ON FIGURING OUT WHETHER THE SIGN-IN WAS ACTUALLY COMPROMISED OR COMING IN FROM THE RIGHT USER OR NOT. NOW, WES HAS FOUND OUT THAT THESE SIGN-INS WERE ACTUALLY COMPROMISED BUT PRETTY EVIDENT. NOW WES SAYS, OKAY, HOW CAN I PROTECT THESE SIGN-INS? THAT’S WHERE THE FANTASY COMES IN, JUST LIKE WHAT HE DID FOR THE USERS’ POLICY AND THE MFA ADMINISTRATION POLICY. HE ADDS THE USERS IN THE SIGN-IN RISK POLICY BY ADDING THE BRAZIL GROUP HERE. IT’S 2:45 A.M. WES IS DONE WITH THE USER’S POLICY SETUP. SETUP AND MFA SETUP FOR THE BRAZIL EMPLOYEES. HE DID THE ROOT CAUSE ANALYSIS. SO, IN THE LAST 45 MINUTES, WES TURNED THE LIGHTS ON TO THE BADNESS THAT WAS ALREADY THERE IN THE ENVIRONMENT, INCLUDING THE IDENTITY PROTECTION. HE USED THE SECURITY OVERVIEW. HE REVIEWED THE EFFECTIVENESS OF HIS POLICIES AND FIGURED OUT THAT THERE WERE MORE AND MORE BLUES COMING UP BECAUSE THE SIGN-INS WERE UNPROTECTED. HE WENT TO THE RISKY USERS AND RISKY SIGN-INS REPORT TO GET DEEPER IN TO FIND WHAT’S GOING ON IN THE ENVIRONMENT. HE COULD GO TO THE USER TO USERS’ GROUP, THE USER’S MEMBERSHIP, THE PROFILE, AND HE COULD GO FROM THE RISKY SIGN-INS REPORT, THE MFA INFORMATION, DEVICE INFORMATION, RISK INFORMATION, AND THE BASIC SIGN-IN INFORMATION. HE STARTED THE AUTOMATED USER AND THE AUTOMATED SIGN-IN RISK USING THE SIGN-IN RISK POLICY. BUT THERE’S A PROBLEM STILL. ANY GUESSES? >>[INAUDIBLE]. >>I’M SORRY? >>[INAUDIBLE]. >>YOU’RE RIGHT, LEGACY AUTHENTICATION. WE MAY COME TO THAT AS WELL. WHAT ABOUT THE SIGN-INS, WHICH WERE SUCCESSFUL BUT WERE COMPROMISED.
CAN WES DO ANYTHING ABOUT IT? ALL OF THESE ARE FUTURE FOCUSED, WHICH IS GREAT. BUT WHAT ABOUT THE COMPROMISES THAT ALREADY HAPPENED? HAVE YOU EVER WISHED TO BE ABLE TO KICK BAD GUYS OUT BECAUSE YOU KNOW THEY’RE IN, THEY LOGGED IN. YOU HAD A COMPROMISED SIGN-IN. WITH THE RESOURCE IDENTITY PROTECTION, YOU CAN DO IT. SO NOW, LET ME GIVE YOU A DEMO. WES GOES BACK TO THE — IS THIS CLEAR ENOUGH TO THE BACK? SO HE’S BACK TO THE RISKY SIGN-INS REPORT. HE LOOKS INTO RISK, RISK HIGH OR MEDIUM FOR AGGREGATE AND REALTIME. AND HITS APPLY. HE GETS ALL OF THESE SIGN-INS, AND SEES THEM ALL COMING IN FROM BRAZIL EMPLOYEES. HE SELECTS ALL OF THEM. AND CONFIRMS THESE AS COMPROMISED. DONE. WHAT HE’S DONE JUST NOW IS HE’S STOLEN IDENTITY PROTECTION — REFRESHED THE IDENTITY PROTECTION THAT ALL OF THE SIGN-INS ARE COMPROMISED. WHEN YOU GET THIS FEEDBACK, THE OVE THE USERS TO HIGH-RISK, THEREBY, THESE EMPLOYEES WILL BE CAUGHT IN THE USER RISK POLICY THAT HE SET UP. NOT JUST THAT, HE WOULD GO FOR THESE EMPLOYEES AND PAD THEM WITH CONFIRMED COMPROMISE. THE SIGN-INS WILL BE TAGGED CONFIRM COMPROMISE SO YOU CAN FIGURE THEM OUT OR FIGURE THEM IN. AND YOU CAN LOOK AT THESE — THE PROTECTIONS WILL ALL BE FROM COMPROMISED. YOU DON’T STOP THERE. THESE ARE ALL IMMEDIATE PROTECTION MECHANISMS FOR YOU. BUT WE ALSO TAKE THAT FEEDBACK, WHICH IS PRECIOUS DATA FOR US AND APPLY IT TO THE SUPERVISED MACHINE LEARNING BEHIND THE SIGN-IN RISK AGGREGATE AND THE USER RISK CALCULATION. SO YOUR CALCULATION RISK ASSESSMENT WILL GET MORE AND MORE ACCURATE. IT’S NOT JUST YOURS BUT THE ENTIRE CUSTOMER BASE OF AZURE ACTIVE IS NOW GIVING YOU FEEDBACK THAT IS HELPING YOUR RISK ASSESSMENT. SO, THAT’S THE IMMEDIATE AND INDIRECT PROTECTION THAT YOU CAN DO FOR YOUR EMPLOYEES BY USING THESE CONFIRMED COMPROMISE AND CONFIRM SAFE. YOU CAN DO THE EXACT SAME THING FOR CONFIRMED SAFE SIGN-INS. WAS THAT SOMETHING THAT YOU WERE LOOKING FORWARD TO?
BECAUSE NOW YOU CAN INCREASE YOUR USER RISK, USER RISK YOURSELF BASED ON WHATEVER SITE YOU GET TO KNOW BASED ON THE ORGANIZATION AND TAG THEM TO BE MARKED AT HIGH RISK TO BE MARKED THE NEXT TIME THE USERS WILL LOG IN. WHAT ABOUT THE SIGN-INS, LOG IN THOSE WERE BAD. WE COVERED THIS PIECE. NOW, THE FLIP SIDE IS, SOMETIMES YOU LOG IN AND YOU SEE THAT, HEY, I HAVE 100,000 USERS AT RISK. I CANNOT RECALL EACH ONE OF THEM AND CLEAR THEM OUT. ANYBODY THAT’S FACED THIS PROBLEM BEFORE? THAT’S LOW. WE GET SO MUCH FEEDBACK. ALL RIGHT, SO — NOW, YOU CAN GO INTO YOUR RISKY USERS. FOR EXAMPLE, HERE, WES LOOKS AND GOES TO THE RISK USERS REPORT. AND LOOKS INTO THE HIGH — LOW-RISK USERS. HE SAID NICK IS ALREADY THERE. NICK IS A PART OF THE IT SECURITY TEAM WHICH WORKS WITH WES. AND WES KNOWS THAT NICK WERE TESTING — LAST WEEK. SO NICK’S SIGN-IN, WHICH WAS RISKY BECAUSE OF MALWARE LINKED IP ADDRESS MAY MAKE IT GO TO LOW RISK. WHAT WES WILL DO IS GO BACK TO TINA AND NICK’S PROFILE. THIS IS A RISK FOR ALL OF THEM. HE CAN DO IT FOR ALL USERS HERE, BUT LET’S JUST DO IT FOR TWO. HE TAKES THIS BACK. CLOSES IT, SO YOU DON’T HAVE TO DEAL WITH THE NOISE ANYMORE. WHAT ABOUT THE SIGN-INS ARE GOOD? YOU CAN CONFIRM SAFE THE SIGN-INS USING THE REFRESH IDENTITY PROTECTION. NOW, IT’S 2:55 A.M., AND THIS IS DONE WITH NOT JUST SPOTTING AN ATTACK, BUT ALSO FIXING IT, NOT JUST FOR FUTURE, BUT ALSO FOR PAST. WITHIN 55 MINUTES OF GETTING THAT DREADFUL E-MAIL. THAT’S THE VALUE OF THE NEW IDENTITY PROTECTION WHICH IS THE PRIVATE PREVIEW. BUT HERE’S THE QUICK RECAP OF THE FEATURES THAT WE TOUCHED ON. FIRST OF ALL, EVERYBODY’S FAVORITE CONDITIONAL ACCESS. IT GIVES YOU TO DEFINE YOUR USER EXPERIENCE BASED ON THE CLIENT, APP, PLATFORM, LOCATION, TIME, AND SO MANY OTHER CHARACTERISTICS SO THAT YOUR EMPLOYEE — YOU CAN CHOOSE WHAT KIND OF EXPERIENCE YOU WANT TO DELIVER TO YOUR EMPLOYEES.
WITHIN CONDITIONAL ACCESS, YOU CAN USE CUSTOM CONTROLS TO USE FOREIGN BODIES FOR VALIDATION AND ASSESS THE IMPACT OF EACH POLICY THAT YOU CREATED. THE LOCATIONS LETS YOU SET UP CUSTOM OR IP RANGES THAT YOU CAN SAVE WHEN A LOG-IN COMES FROM COUNTRIES THAT YOU HAVE NO BUSINESS IN, YOU CAN BLOCK THEM OR MFA CHALLENGE THEM. YOU CAN EVEN HAVE TRUSTED IP RANGES TO MINIMIZE THE NOISE OF SIGNALS BECAUSE YOU TELL US THAT WHAT SIGN-INS, WHAT IPs YOU TRUST ALREADY. THE NEXT ONE IS PASSWORD. IT ENABLES RISKS TO FIGURE OUT LENA AND CLARA HAD LEAKED CREDENTIALS BECAUSE THEY MOVED TO THE CLOUD. THAT’S THE VALUE OF THAT AND THERE’S A HIGH ACCURACY PROTECTION BECAUSE WE KNOW THEY’RE OUT THERE IN NO TIME WHAT WE JUST SAW THE LOG-IN COMING IN FOR THESE EMPLOYEES. THE PASSWORD RESET HELPS YOU DO AUTOMATIC USER RISK REMEDIATION BY 24/7 WITHOUT AFFECTING YOUR HELP DESK. YOU NEED PASSWORD WRITE BACK ENABLED. MAKE SURE IT’S ENABLED AND YOU CAN CONTINUE WITH THE RESET JUST LIKE WHAT WES WAS DOING. THE SIGN-INS REPORT GIVES YOU INFORMATION ABOUT THE SIGN-IN, NOT JUST THE BASICS, BUT ALSO THE DEVICE INFORMATION, RISK INFORMATION, MFA INFORMATION, AND ACCESS POLICIES FOR THAT SIGN-IN. BUT IT DOESN’T STOP THERE. THERE’S IDENTITY PROTECTION TO HELP YOU OUT AS WELL. RISKY USERS REPORT JUST SHOWED US ALL OF THE USERS THAT HAVE ADDRESS IN YOUR ENVIRONMENT. YOU CAN DO SEARCHING, SORTING, FIGURING THE ACTIONS ON THEM AND GIVE US FEEDBACK BY PROTECTING YOUR USERS. RISKY EVENTS REPORT, YOU ALREADY HAVE IT. YOU CAN KNOW ALL OF THE PROTECTION THAT ARE COMING IN FOR YOUR ORGANIZATION. USERS LETS YOU AUTOMATICALLY REMEDIATE USERS. SIGN-IN POLICIES LETS YOU AUTOMATIC ELIMINATE RISKY SIGN-INS AND THE ADMINISTRATION POLICY LETS YOU ENABLE OR REGISTER USERS FOR MFA. THAT GIVES YOU THE HAPPY NEWS ON MONDAY MORNING SAYING HOW MUCH RISK WAS PROTECTED IN THE LAST WEEK. ALERTS LET YOU GET ALERTED WHENEVER USERS MOVE TO YOUR CHOSEN RISK LEVEL, JUST LIKE WES CAUGHT THE ALERT AT 3:00 A.M.
WITH THE RISK IDENTITY PROTECTION, YOU CAN GET THE CUSTOMIZED ALERTS, SO THAT MEANS YOU CAN SET UP THE AUDIENCE YOURSELF AND MAKE THEM GO TO THE DISTRIBUTION LIST. SECURITY OVERVIEW WITH SPOT AN ONGOING ATTACK OR AN UPCOMING ATTACK BY LOOKING AT THE NEW RISKY USER OR THE NEW RISKY SIGN-INS DETECTED TREND LINE. REVIEW LETS YOU REVIEW THE EFFECTIVENESS OF YOUR RISK POLICIES. RISKY SIGN-INS REPORT GIVE YOU EVERYTHING THAT YOU WANTED TO KNOW ABOUT THE RISKY SIGN-IN, RANGING FROM ALL OF THAT INFORMATION. SMART FEEDBACK LETS YOU IMMEDIATELY PROTECT YOUR USERS BY CONFIRMING THEM AS COMPROMISED OR SAFE. THEREBY IMPROVING YOUR DETECTIONS EVEN FOR THE FUTURE. AND THE NEW SIGN AND AGGREGATE LIST LETS YOU DO PRIORITIZED INVESTIGATIONS IN YOUR ORGANIZATION. THE IMPROVED USER RISK WHICH IS A HUGE — WE MADE HUGE IMPROVEMENT IN OUR USER RISK ASSESSMENT USING ALL OF THE MACHINE LEARNING BEHIND THE SCENES. SO YOUR USER RISK POLICY BECOMES MORE AND MORE ACCURATE AS WE GET MORE AND MORE FEEDBACK USING THESE SMART FEEDBACK HUBS. FINALLY, GIVE YOU THE BULK ACTIONS, SEARCHING, SORTING, FIGURING, AND SMART DOWNLOADS WITH AN IDENTITY PROTECTION. SMART DOWNLOADS, WHAT IT DOES IS WHENEVER YOU DOWNLOAD A REPORT, WHAT YOU GET IS WHAT YOU’VE SEEN IN THE SCREEN SO THE PRINTERS AND SORTS ARE RESPECTED WHEN YOU DOWNLOAD THE DATA. JUST A SMALL THING, BUT IT’S AN EXPERIENCE, YOU DON’T HAVE TO CLEAN UP THE DATA AFTER YOU FILE. NOW, LET’S TIME TRAVEL TO NEXT WEEK. AND LOOK AT THE RESULTS OF WHAT WES DID. THIS IS OPTIMAL FIRST, NEXT MONDAY. THE RISKY USERS TREND LINE SHOWS THAT THE HIGH RISK USERS ARE BACK IN CONTROL, NORMAL USERS ARE GOING TO HIGH RISK. THE RISKY SIGN-IN STREAMLINE AND THE UNPROTECTED SIGN-INS COUNT IS BACK TO ZERO. THE POLICIES THAT WES SET UP ARE ALREADY HELPING TO MAKE ALL OF THOSE BARS COMPLETE. THERE ARE NO BLUES THERE. HIGH RISK USER TO ZERO BECAUSE EVERY TIME A USER MOVES TO HIGH RISK WHICH WILL HAPPEN, THEY WILL BE AUTOMATICALLY REMEDIATED BECAUSE OF THE USER’S POLICY YOU SET UP.
LEGACY AUTHENTICATION IS BACK IN PLACE BECAUSE WHAT WES DOES IS HE ALWAYS ADDS THE USER GROUP IN THE CONDITIONAL ACCESS POLICY TO BLOCK LEGACY AUTHENTICATION. THAT’S WHAT WES DOES AND THAT BROUGHT THE LEGACY AUTHENTICATION BACK TO ZERO. SO THESE ARE SOME OF THE COOL FEATURES THAT ARE COMING WITH THE REFRESHED. WE’RE IN PRIVATE PREVIEW RIGHT NOW. AND WE HAVE COVERED ALL OF THESE FEATURES ALREADY, I’LL SKIP THROUGH THIS. WE ALSO ALIGNED THE ENTITIES THAT ARE MOST RELEVANT TO YOU, RISKY USERS AND RISKY SIGN-INS ACROSS THE PRODUCT. YOU HAVE RISK POLICY FOR YOUR RISKY USERS AND SIGN-INS, SECURITY REPORT FOR RISKY USERS AND SIGN-INS, YOU HAVE CUSTOMER-FACING APIs AND CERTAIN LEARNING ML BEHIND THE TWO ENTITIES. SO WE’VE TAKEN THE FOCUS AWAY FROM RISK EVENTS AND MOVED THE FOCUS TO RISKY SIGN-INS BECAUSE THAT’S WHERE THE COMPROMISE IS HAPPENING. QUICK IS WE WANT YOU TO USE ALL OF THE FEATURES WITHIN THE AZURE ACTIVITY. PLEASE FOLLOW TO HAVE MORE ANNOUNCEMENTS ABOUT THE REFRESHED IDENTITY PROTECTION. AND THEN FINALLY ATTEND THESE TWO SESSIONS WHICH WILL GIVE YOU MORE INSIGHT ON THE FEATURE THAT WE JUST DISCUSSED AND HOW YOU CAN PROTECT THE IDENTITIES OF YOUR EMPLOYEES. THANK YOU SO MUCH. YOU’VE BEEN AN AMAZING AUDIENCE. WE LOOK FORWARD TO SEEING YOU USING ALL OF THESE FEATURES.
