IT security is very much in the news again…but for all the wrong reasons. How can Microsoft technologies deter, prevent and detect attacks on our IT infrastructures, information systems and digital assets?
The last few weeks have brought another stream of bad security news: the hacking of a French television network; emails stolen from political sources; athletes’ health details tampered with and stolen; and another Snowden-like insider job at a US federal agency. In addition, the fallout from previous attacks continues, in particular the record £400,000 fine handed down to the UK mobile operator TalkTalk for their security failings.
It needs hardly to be said that this is not good! But it is particularly not good because in several of these cases, policies existed which would have at least increased the difficulty of the attack, and perhaps would have prevented some – but these were ignored or incompletely implemented.
Similarly, technologies exist to prevent or inhibit other attacks. It is these existing mechanisms that are worth mentioning repeatedly – organizations can, and, if they are to avoid fines and reputational damage, must, implement the existing policies and technologies.
Finally, it was vigilance, and a dose of good fortune, which saved the French television network. They were attacked on the day they went live with a new service, and therefore they had technicians on site who were able to disconnect the compromised system which was used to orchestrate the attack on the private network before the attack could be completed.
It is often remarked that the good guys need to win 100% of their games, while the attackers can lose 99% and still have overall success with a single win. This last point leads to a degree of fatalism – the attackers somehow have the upper hand, and those seeking to defend against them are somehow destined to lose. However, by no means all attacks are performed by state-sponsored attackers, where, as they pursue strategic goals, cost is not an issue. Attacks on commercial organizations are increasingly performed on commercial terms – zero-day vulnerabilities, stolen credentials, compromised entry points, and whole compromised networks are traded on the dark web for money, and therefore perfect security is not necessarily required to prevent an attack. Increasing the costs of the attack to make it commercially non-viable is sufficient to deter the attackers, who are likely to seek easier, more lucrative targets.
Therefore, we must seek to use the tools we have to deter, prevent and detect attacks.
Microsoft security and identity
So what do we have? In the remainder of this article I will focus on the tools which we in the Microsoft-focused world have at our disposal – considering in turn the methods we have to manage the key components of the security infrastructure: identity and information, and attack detection.
Identity underpins security. Without a reliable and robust identity platform, incorporating both sound policies and well-implemented and flexible technology solutions, the question “who is doing what in my network” cannot reliably be answered. Defining the types of identity which will be used in your environment, including the processes by which they get created, managed and removed, is fundamental to success. Once defined, the processes can be automated (at least to some extent) and this provides a reliable foundation on which the various access management and content protection services can be built.
Microsoft’s platform for Identity Management encompasses both cloud and on-premises systems, leveraging Azure Active Directory and Microsoft Identity Manager respectively. An environment where these components play well together will avoid having out-of-date accounts (which represent a security threat) and will provide timely and user-friendly creation of new accounts so that a user can be productive on their first day on the job.
Compound Identity and Identity Protection
Traditional on-premises network security tends to be insular and binary – are you inside the network or outside? Are you authenticated or not? The possibility of credential theft means that we know that presenting a valid network credential is not enough, so we have to consider additional factors in deciding whether to grant access or not. Therefore, Identity is no longer seen as binary (authenticated or not) but rather as shades of grey from thoroughly trustworthy to very suspicious.
In modern security systems, in particular those moderated by Microsoft’s Azure Cloud, security becomes (appropriately) cloudier – how trustworthy are you overall, taking into account your current and previous locations, your device, your identity, your behavior? How risky would it be to give you access?
I will not dwell on device management here – suffice it to say that the security of a user’s device is paramount, and signals concerning the status of the device are used in the compound identity. If a user’s device is insufficiently secure for a particular access request, remediation action can be proactively recommended, so that the user can, in many cases, resolve their issues without resorting to the helpdesk. Microsoft’s Intune device management services are described here.
Azure Active Directory’s Identity Protection collects signals and signatures from these various components, and provides us with a Compound Identity – not just “who you say you are”, but the collection of factors that allows us to judge the extent to which we can trust you. Based on this level of trust, you can be granted access, or not, depending on the sensitivity of the data you have requested. In addition, if your previously trustworthy account now looks untrustworthy, remediation actions can be triggered, such as a password reset or a multi-factor authentication, so that identity theft can be ruled out.
Privileged Access Management
Microsoft’s Privileged Access Management (PAM) specifically prevents the theft of Kerberos tokens for Active Directory-based administrative accounts, by segregating such accounts into a small, tightly managed environment and using a trust to reach back into the production environment to perform administration. Thus, kerberos tokens are not exposed to malware-infected workstations which might try to steal them. (If you would like to find our more about PAM have a look at my whitepaper. And OCG Learning runs an excellent one-day course on PAM.) Microsoft Privileged Identity Management (PIM) does a somewhat similar job for the privileged roles in Azure Active Directory.
The idea that not everyone should have access to everything is pretty basic (although it continues to surprise me how many organizations still have extremely open access to many resources). So the foundation of conditional access is that you know who is trying to gain access, the identity. As discussed above, this is much more powerful if the identity contains information about how trustworthy it is, so – coupled with the other factors such as device, location and behavior – a decision can be made to allow or deny access based on real-time factors.
Azure AD Conditional Access, in particular, makes use of this compound identity to control access to Exchange and SharePoint online as well as any AAD-integrated application. In addition, the recently announced cooperation between Microsoft and Ping identity allows the cloud-derived compound identity to be used with PingIdentity on-premises, so that the publication of on-premises web applications and APIs can also be controlled in the same way.
Organizations have detailed inventory of their hardware; and they know who works for them. We make use of this information when we talk about compound identity, as above – we trust “our” people and “our” hardware more than others. This helps us protect ourselves from attackers outside the organization.
Many organizations, however, do not know in detail what information they have. They are aware of classes of information – customer data, design blueprints, accounts, project plans and documents, marketing information – but they often do not keep track of individual documents. This leads to the sorts of problems we saw with Snowden and his colleague at Booz Allen Hamilton who was caught more recently – and these are attackers from within the organization, who were able simply to copy documents from central storage locations. Had the affected organization known what they had (in detail), they could have protected the document specifically for its purpose – the document is then encrypted in place, and even if it is copied to a USB stick, an unauthorized user cannot decrypt it. Access to central storage as an administrator is no longer enough to open the document – the user must specifically be on the list of recipients.
Azure Information Protection
Those organizations that have not yet inventoried their information will often start with a classification process. This involves using content rules, which might recognize an organization’s own security taxonomy like “Internal Only”, “Public”, and “Confidential”, or credit card numbers and social security numbers. Each of these rules would apply a classification to the document – and the inventory starts to be built.
Users can also classify their own documents – either overriding the rules-based classification, or in the absence of rules. The general approach is a mixture of user and rules-based classification, because certain users working with certain types of information can be relied upon to use their judgement to apply the appropriate classification. Others, experience suggests, can’t, and therefore rules support those sorts of users to help them avoid mistakes with information which should be protected.
Microsoft’s acquisition of Secure Islands has given them excellent tools for classification, which put minimum burden on users while giving maximum flexibility – these tools are fully integrated into the Azure Information Protection (Azure IP) functionality. You can find an FAQ on classification here.
Once classification is underway, the organization begins to gain trust in the rules that they have laid down. They gain visibility into the volume and location of information which requires protection, and then the process of Protection can begin.
The protection of information according to the classification of the content involves the encryption of the document, with the encryption keys then being further encrypted specifically for each authorized recipient. The recipient, after appropriate authentication, can request these keys and open the document. As with all encryption systems, the challenge is the seamless distribution of the keys to the recipients – and this task is elegantly performed by the Azure IP services in the cloud.
It is important to note that the cloud component is only required for the distribution of the keys – the content does not have to be in the cloud to be able to be protected by Azure IP. If your organization has specific needs for the protection of the cryptographic keys used to generate the individual document encryption keys, you can either generate the keys yourself and upload them into the Azure cloud (known as “Bring Your Own Keys”, BYOK), or, in extreme cases, you can maintain the key generation in your own private network (known as “Hold Your Own Keys”, HYOK). You can even manage a hybrid scenario where a mixture of these approaches is implemented. In this case, the user does not have to choose between them, they simply choose a classification and the system takes care of the appropriate key generation.
For more information on Azure Information Protection, see here.
Vigilance – Advanced Threat Analytics
I noted in the opening paragraphs that the attack on the French TV station was prevented by the quick response of vigilant technicians who happened to be on site. They were both vigilant and lucky – can we be vigilant, and defend the network without having to rely on luck?
It is an axiom of defence (both military and IT) that the enemy is easiest to detect (and kill) when they are in motion. The initial phase of most attacks against IT infrastructure involves reconnaissance, because the attackers need to understand the nature of the network, the names of servers and users, and they need to get their first foothold by stealing a credential or accessing one workstation from another. It is in this phase that detection is all-important, and these activities do leave tell-tale traces in the network.
Microsoft’s Advanced Threat Analytics (more here) tracks the use of directory access, including authentication and authorization requests. An attacker might use an anonymous LDAP query to enumerate network or user resources – ATA will detect this and raise an event. An attacker might steal a credential from a workstation and resubmit it to another, attempting to move laterally through the network – ATA will detect the resubmission and raise an event. An attacker might use a credential to access a network resource that the user has never accessed before, perhaps at a time of day which is untypical for the user. ATA learns the patterns of user behavior, both as individuals and as groups of similar users, and will detect abnormal behavior and raise an event.
While the stream of reports of successful attacks seems unrelenting, there are approaches to protecting the sensitive data held by an organization from attacks, both from outside and inside the organization. When Microsoft security and identity technologies and new approaches are used together, attacks can be made significantly more difficult, more expensive and less fruitful.
There are, of course, many facets to security which are not specifically addressed by the Microsoft technologies which I have mentioned here – but they are necessary components of overall security for organizations who make use of Microsoft’s products.
Finally, the cloud-mediated world is moving very fast. There are numerous upcoming fascinating features in Microsoft’s security offerings (which I do not have space to talk about here) and particularly in the security space, it is the ability of cloud-mediated offerings to respond quickly to emerging threats that makes them so compelling.
Oxford Computer Group is an award-winning, broad-based consultancy which specializes in securing enterprise environments, providing expertise in the policies and infrastructure underpinning security. We help our customers to increase security while maximizing operational efficiency and user productivity.