Today’s Identity Security Challenge
The identities of your users are under constant risk of attack. The threats are continually evolving and are becoming more sophisticated every day. Most security breaches occur when attackers gain access to a network by stealing a user’s identity. Attackers have become increasingly skilled at leveraging third-party breaches using sophisticated phishing attacks.
Once an attacker gains access to a user account (even a relatively unprivileged one), it is relatively easy for them to gain access to important data through lateral movement. From there, loss of data security is virtually assured. It is therefore essential to protect all of your identities, not just the highly privileged ones that most organizations concentrate their efforts on. When an identity is detected as being compromised, you must both actively prevent the compromised identity from being abused and remediate the affected account.
Real-Time Identity Security
Azure AD Identity Protection service can identify threats (such as brute force attacks, anonymized and known hostile IP ranges, etc.) in real time by assigning each user and authentication a ‘risk score.’ At defined levels of risk, you can block access, prompt for multi-factor authentication, force password changes, etc. – providing advanced threat security for your identities. These capabilities are in addition to other conditional access controls provided by Azure Active Directory.
The determination of risk is based on several factors, including:
- Use of known leaked credentials
- Sign-ins from infected machines
- Improbable travel/relocation activities
- Sign-ins from anonymous IP addresses
- Sign-ins from IP addresses with suspicious activity
- Sign-ins from unfamiliar locations
Further details of what these risks entail, and how they are applied to determine overall risk, is detailed here.
In addition to actively defending your users, Azure AD Identity Protection also provides a consolidated view into risk events and potential vulnerabilities affecting your entire organization’s identities.
Advanced Threat Security
Microsoft has been securing cloud-based identities in their consumer identity offerings (Windows Live ID / Microsoft Account) with this technology for over a decade, and now, Microsoft is bringing these same protection capabilities to enterprise customers. Azure AD previously made threat information available through various on-demand reports. Identity Protection leverages these existing Azure AD anomaly detection capabilities and adds new risk event types that detect anomalies in real-time. The real-time aspect of Azure Identity protection provides the ability to act on threat detection to provide a level of active advanced threat security to repel attempts to compromise user identities.
This capability was announced and made available in a public preview release in March 2016. Even in its initial release, the service capabilities are comprehensive and feature-rich. This blog doesn’t cover every detail on the offering or its implementation and configuration, but endeavors to inform the reader of the basic concepts of the Azure AD Identity protection service and encourage the reader to apply this advanced capability to their Azure AD tenant.
For more information on configuration and operation of this service, start with the Azure documentation site.
Frank Drewes is a Senior Architect at Oxford Computer Group. He’s being doing Microsoft Identity as long as Microsoft has had identity products. Frank’s on Twitter @frankdrewes.