Ensure comprehensive identity protection with Microsoft 365 – BRK2157

October 10, 2019


Good morning. My name's Alex Weinert. I am the Group Program Manager for the Microsoft Identity and Security Protection team, so we're the team that's charged with basically keeping bad guys out of your account. So if you're in Active Directory, Azure Active Directory, Office 365, Skype, Hotmail, our team is on point to try to make sure that when you log in it's actually you and not somebody who really wants to be you. I'm joined by my friend Yinon.

>> Hi, guys, I'm Yinon Costica, the Director of Program Management for Cloud Security. We have Azure ATP and Cloud App Security, which will be discussed in this session, and Azure Security Center, which is discussed in the other room. And these other three products.

>> Right, so on my team, the things you might use, and I'd love to kind of get a poll here so we know who we're talking to and we can level set. My team is responsible for Conditional Access. Anybody using Azure... multifactor authentication in Azure AD? And then Identity Protection, so the threat signals. Cool, so lots of people with some familiarity. All right, and then...

>> Cloud App Security. Who's using it? Azure ATP. And ATA? Okay.

>> All right, cool. All right, so now here's a great question: who is using both Azure Active Directory Identity Protection and, say, ATP or ATA together? All right, good. I think you will particularly like this. Okay, so by way of history, we've been really focused on trying to get value to market, and Yinon's team has done a bunch of great work. Our team has been working hard too. Unfortunately the bad guys don't respect which products you're looking at, and they travel back and forth, so we've done some work to try to make this more comprehensive, and we'd like to introduce you to that now and, importantly I think, frame the problem a little bit. This is the mandatory marketing slide that says it's scary out there. Do you believe it? It's scary, right?
Okay, so we can kind of go over that, but it is the case that we're seeing about a 300% increase year over year right now over the attack volumes from last year. So things are ramping up. Our friends in nation state attack type things are making it more entertaining, so there is reason to stay on your toes, but I don't think anyone in this room needs a ton of convincing on that. The thing I want to talk to you about first is kind of the framework we're thinking about. So as we go back and we think about how in Microsoft 365 we want to structure the product, structure the conversation, and all the demos you saw in the keynotes, the security keynotes, all kind of drive from this: there are a set of assets that are important to think about securing in your environment. And of course as identity people we tend to be biased, saying of course identity is one of the first and foremost assets you'll focus on, and we'll talk mostly about that, but there are other key assets. What are the devices those users are using? Are there any Intune users in the room? Awesome. The other thing to think about is what apps and data are these people getting to? If we think about data classification and encryption, how does that data stay secure once it's in transit and getting mailed around? The applications themselves have to be secured, so in a lot of organizations the person who, for example, administers Exchange and sets those settings is not the same person that worries about provisioning of apps. And then of course infrastructure: when we think about either running VMs in Azure or deploying infrastructure on-prem or working on network configuration, that's another kind of job. Across each of these things there are specialists. There's specialists in your organization, specialists in our organization.
We have people very, very focused on detecting threats, actually this gentleman right here, detecting threats in the Azure environment and making those visible to you in a way you can take action on as the administrator for that infrastructure. In the identity space, AADIP was born out of the same models. For the identity administrators we need to detect threats and need to make sure they're available to you to work through. When we look at this kind of model of these five pillar resources that we're worried about, while each of those resources is very different, is administered in a different way, and you want different expertise on that, as an administrator you have common tasks across them. So you think about it: every one of these people has to figure out, how do I configure this thing in a secure way? There was a brief discussion which was, there will be security administrators and they'll take care of the security for Exchange. I would posit that, for whichever one, infrastructure or identity issues, if you're an identity administrator and you're deploying without thinking about security, you're not long lived in your job. Every one of these administrators, every one of these people, is focused on doing their job in the right way, which includes deploying in a secure way, so there is verticalness in these stacks, but the tasks are similar. So monitoring, understanding how you're hitting the user base, providing insights to your management about what needs to happen, understanding how the impact on the business goes, all that is common across each of these resource types.
And then there's another thing that's common, which is occasionally you'll be the one who notices trouble, and that's when we shift from sort of this vertical model to more of a horizontal model, because once you hand off to SecOps, again we have to realize bad guys don't respect the boundaries, so we better listen to Yinon.

>> Exactly. So when we're looking at these silos we talked about, so we have dedicated teams to manage identity, manage apps; attackers obviously are using everything end to end. They will use whatever they can to achieve their targets. As SecOps, when you're going to investigate, you want to have full visibility end to end across these resources. This is where these silos need to break, and this is where you want to have a single pane of glass to see all the different forensics that are there, as much as possible, in order to understand the breadth and depth of the attack. And you want to provision all of them to the same security tooling you're using, so you're seeing the response mechanisms, et cetera, and you want to have one layer in order to understand what are the recommendations you will be making to these teams that administer your resources, in order to improve the security posture and mitigate the specific threat or attack that you have identified. So as SecOps, you completely look at it in an inverse matrix: you're looking at the attack level and you want to see an end to end view across all these resources, and this is again when you go back to the administrative teams and you want to hand over recommendations. This is where it all fits together. Alex?

>> So again we have an administrator-centric lens on this problem, and as an administrator in identity you'll be thinking a lot about sort of health policy. Especially when you get to the scale of a very large organization, for example Microsoft, it's really not a question of nobody will ever get phished.
We have to think how to minimize the problem, how do we minimize the exposure at a configuration level, and how do we enhance the way we do the investigation. That's how these play together. I would love to hear from you as we sort of charge down this path: does this sort of make sense in terms of what we're saying, that we want to be able to do a clean handoff into SecOps, but that's not necessarily the same role; the person, for example the identity administrator, is not the same person doing the investigation in all cases. Does that make sense, what we're talking about? So as we go forward from here, and we can have a little bit of fun now, in that framework, Yinon and I essentially look through sort of different lenses, right, in terms of what we see, because Yinon's team does a lot of things around monitoring the application session, and we'll talk to this model a little bit more later, and monitoring on-premises, what's happening around the domain controllers, whereas my team is primarily looking at logins in the cloud. So it's useful at some level to understand the kinds of attacks you're seeing and the M.O. of the attackers as we go into this model, so we'll have a little fun talking about some scary stories.

>> Okay, so this is where we are looking at the news, and every other week we hear about another company that was compromised by an attacker, sensitive data was leaked, and then of course it has a large impact on the business. We won't get into the numbers and the millions of dollars we actually lose to that, but it's obvious that we want to avoid that as much as possible, and this is where Microsoft in many cases is being called in as part of the incident response team to the customers, in order to learn what happened, how to recover, how to respond, and then next how to better set up the environment in order to avoid this case in the future.
So I want to start with giving you, like, the typical, really the typical advanced attack that we're seeing, the timeline that we're seeing, and there are some key observations I wanted to share before we deep dive and take the attacker perspective for a second. So first, and this is what Alex will show you, and every time again it surprised me. It surprises me how easy it is to get the first hold of the network, or in the network. So the first hold, the first account that is compromised, and this is done by a very shallow research that you can do. You can do it on every company yourselves: just go and figure out a few email accounts that are out there, the email accounts that are on your domains. Everything is out there. These are actually the first accounts that you can target as an attacker. Once you get, and Alex will show you how it's actually done by attackers, once you get one account like that, the statistics say that it takes 1 to 2 days to achieve domain dominance over your network. This is — if you understand what this means, obviously this is insane. It means that from any account out there, on average, it takes 2 days to gain domain dominance. The attacker can access any resource, and the other number that is insane is that on average it takes a little bit more than 100 days before we actually discover these types of attacks once they happen. So this is the attack timeline. Some observations on this that are common misconceptions: attackers are super sophisticated not because they're super smart, just because tools are available for them out there. So there are many tools that are available. You can download them. You can use them for attacking, and you can get the best techniques out there very quickly and actually employ them in your attack campaign. This is one thing that is important to understand.
The second thing is that although in most cases what we see is the data that is being stolen and leaked, the targets in most cases, I mean, the route there, is going through Active Directory and identities. So you're taking creds and using them in order to move from one place to the other until you get to the data you need, and this is super important to understand when protecting against these types of attacks. Third, assume breach; you probably, from the attack timeline, understand why. Even if it was compromised, you still have a long period of time where the attacker is active, and you want to have defense techniques that will identify as soon as the attacker does something that you can identify. And we'll see a bunch of examples for how we actually do that and provide you tools to identify that after the account was compromised, to identify as early on in the attack stage as possible. And lastly, the response and recovery. This is a complex part. It takes a lot of resources to understand exactly who was impacted by the attack and how to recover from it. And we'll see how we can help with that as well. So taking the attacker's head for a second, just to give you how it looks from an attacker perspective. We all know that many campaigns are coming, starting with actually phishing, with email. That's the primary way to actually start the campaign, but Alex will show you how you can actually start with brute forcing and trying to access an account without any email, without any engagement with the users themselves. So that's the first phase in order to get a compromised account. Whatever; once I have a compromised account, I will try to establish persistence on that specific account, and then I will do two things.
First, I will use whatever is accessible to me as that user in order to collect information, reconnaissance and configuration data, so I can then proceed with the attack. And then what I will do, I will try to move laterally in the organization, so to other users, to other locations, to other servers, and I will get any other identity I can use in order to get in the end to higher privileges that will allow me to get to the target of my attack, so to the sensitive data, and then leak it, exfiltrate it and achieve my goals. But before I leak this sensitive data, one thing we see attackers do, and it is very important to understand, they go and establish — they compromise a domain as a whole. They establish domain dominance so they can persist in your network even if they lost this account, this account that was compromised; by compromising the domain, they can continue and prevail in your network, accessing any resource. They can persist and regain access again and again, even if you remediate only the one account that they hacked. So this is very important to understand. We have three products that we'll cover in this session that help you counter these attacks: Azure AD Identity Protection, Azure ATP and Cloud App Security.

>> All right, I wanted to spend a moment talking about those three products and the lens we have on this. If you're using more than one of these, we — I expect your hand would go up if you use more than one of these and you said, gee, I wish I understood why things will trigger in one but not in the other, and why risk shows up in one place and not the other. This session is about the work we've been doing to share the signals and make sure they show up, but I want you to understand the unique value of these things. The key thing here is that you can think of this like a home security system: where you have motion sensors is what you can see. The more sensors you have, the more threats you can detect and react to. All right?
So in the case of Azure Active Directory, where that code is running, where things are happening, is in our login server. Primarily we do risk assessments either in the login server or based on the logs generated from it. There's a ton we can learn from that. We can say that a user is coming from a place we've never seen them before, or we can say they're coming in as part of an attack. I'll show you in a minute how we can see, because of the scale we operate at, attacks that are not detectable from an individual organization's viewpoint, but we can see them globally. But that is the information we're looking at. We're looking at the login information, almost exclusively. That's the key thing. When we look at Azure ATP, we're now into your network, your on-prem network, and we're looking at the traffic around the domain. What's the user's behavior on the network? What machines are they going to? What's the login pattern? Are we seeing users pop up in places they never popped up before in the network? In both cases there's a bunch of machine learning going on to try to help understand what's normal in the environment and to signal on anomalies, because at the end of the day, because attackers' M.O.s change fast, anomalies are the thing. We're looking for anything strange, but it's a very different signal source. So if you have Azure Active Directory and you're seeing signal over here and you don't have ATP, there's signal you're missing in your on-premises environment, because if an attacker penetrates your VPN or gets residence on your network, it's party time. They get to have a good time. I'm going to insert a thing: that 24 to 48 hours to domain dominance, right, the other thing that's an interesting stat is that on average it's about 15 minutes from account compromise to utilization. So what you're looking at is, from the time that your user's account has been broken to the time your domain is compromised is essentially 48 hours plus 15 minutes.
The reason I'm going to point that out is I'll talk about passwords and why they're so easy to break. Part of the reason is expiration rules, and I want to encourage you to rethink the value of an expiration rule, because they create a very predictable password pattern but they have zero value in terms of security, unless you're expiring passwords every 5 minutes, in which case good luck with the usability on that. So in general, expiration rules have no value. I'd be happy, seriously, to talk to anyone who is a skeptic on this one, and we have research papers to point you to and such. So the third thing, if you look at the basics of how the pattern works, how basically the authentication patterns work, is that, as Pam actually talked about in her talk on standards yesterday, we want to get to a place where we're not passing the credentials to every single app, that we're passing a ticket from somebody who handles the credentials for you. That's our job as Azure Active Directory. What we pass, that ticket to the client to then hand to the service, is like a carnival ticket. You can walk up to the ride and you say, I have this thing. You don't go back to the IdP on every visit. You go from the client to the service carrying a ticket. That's important here, because that means that the threat signaling that we have goes away, right, on the Azure Active Directory side after we've issued that ticket. The next hour it's entirely between whatever service you're going to and your client. And that traffic is passing back and forth. There are cases where you want to have a level of security that's high enough that you can actually see what's happening in that session, so for example somebody starts downloading a ton of data they've never done before, or they start passing user PII around. These are things you want to be able to get in the way of and think about, is this actually a safe pattern. The other thing that happens is there are threat types that show up in that behavior.
One thing attackers love to do is they'll get into Exchange, and the first thing they do, it's part of establishing permanence, is they set a forwarding rule. If I'm trying to get your data, one of the cool things I can do is set a forwarding rule in your account. You change your password, fine, I'm still getting your mail. So that's the kind of attack signal we can pick up if we're in the session. That's the third thing, which is Microsoft Cloud App Security allows you to get into that pipe. You have three signal sources: the login traffic, the traffic around the attackers on-prem, and you have the actual session pipe, so those are the three signal sources we're talking about today. So moving on to sort of the first one, right, we can look at what are our top attacks against Azure Active Directory. There's a commonality in all three of these attacks. What's common in all of the hacks? [ OFF MICROPHONE ] Passwords. Somebody was brave enough to whisper it at me. So the password is the common vein here, and we are doing a ton of work, as you've hopefully heard about at this conference, to eliminate the need for passwords as a primary gesture for sign-in, and the reason here is because of this: it's the fact that the password is just the vector that we've been practicing our attacks against for 20 years, 30 years. I was, quite seriously, when I was 8 years old, breaking passwords for fun, you know, so I started on the other side of this equation. [ LAUGHTER ] Sort of switched teams. But the thing is that they were easy to break then, and they're easier to break now because patterns are evolving. Our adversaries, they're data scientists too. They're building histograms; when somebody breaks the Yahoo! database from the breach, they'll look at what are the statistically most common passwords. A good example: if I were to say in this room right now, everybody think of a word, I'd get a pretty good diverse set of words. If I say think of a sports team, it's less diverse.
A sports team that was a championship team in 2016, it gets less diverse. I will still get some diversity of passwords, but it gets easier to guess. The more rules you apply, the easier to break it. Another way they're predictable is they like to reuse passwords. The volumes are significant, right? We do 18 billion logins a day, and so when I say that we see sometimes 300 to 400 million attacks in a day, which is not uncommon for us, that's a pretty average number, then it's not a huge percentage of the traffic, but it's a significant amount. And so we see a lot of movement in the black market on these things, so I'll go into each of these attacks in turn. But passwords are a problem, right? We're going to go see other sessions about how we're getting rid of them. All right, so let's talk about breach replay for a minute. Breach replay bases itself on this: passwords are hard to remember, so most users have 3 or 4 and use them across 30 or 40 sites. And so — by the way, that's true for people in the room too, I'm quite sure, right? And so it's just the nature of these things, so it doesn't matter how good your password is, it doesn't matter how entropic or how big your key space is, if you use it on a site that has bad data-at-rest policies. There's lots of examples. If you have a small business using MySQL to store passwords in plain text, the fact that we're doing salt and 1,000 iterations doesn't help you anymore, because you've put that password in storage in a way that anybody can read it. What happens next is people come along and scrape up those sites, because, using LAMP as an example, it's a well known stack, so there are well known attacks. If I'm using a hosted environment or setting up something like any one of, I don't want to name any brands, but any one of the website hosting brands, they have known attacks and it's pretty easy to get in, so I can scrape up these credentials or wait for a Yahoo!
breach or an Anthem breach or a, pick the breach of the day, and these come out in tens of millions, hundreds of millions of accounts at a time, so the volumes are super high. As an attacker I don't have to be very smart, because as an attacker I can go through and say, look, get a tool off the web, and Yinon mentioned this. Our adversaries are using advanced techniques not because they're advanced people but because they are people who have 50 dollars in Bitcoin to spend, and these tools, it's hilarious. We do research on this stuff. And you'll get phone support on some of these tools. They have VoIP numbers to call to say, how can I configure this? It's pretty remarkable. So it's an industry. And the volumes these kinds of things generate are significant, and they generate them not necessarily from one IP, although IP signal is valuable to us, because they're pushed into botnets and a single attack might come from 10,000 IPs, and we'll typically shut down 10,000 IPs a day for a couple of hours. People often ask us, can I have the list? The answer is generally no, and the reason is the attackers move on to a good person's IP address, do the attack and move off. By the time we signal you, it's not a bad IP anymore for the most part. There are some persistently bad IPs and we share those. Now I have breach. Breach is good at getting me luck of the draw stuff, and it's easy to run the attacks. Another thing we can do is password spray. This is actually a customer that had this exact pattern happen. They had a user show up on a breach list, then that user was used — they attached Outlook 2016, got the entire address book for the organization and threw that into a list. So these lists of user names by themselves are valuable. If you have a company directory it's super valuable. If I can get one person's email address I can see who they send email to. By the way, it's often you get a spam mail that says opt out, just validating your email.
So sometimes you have to be thoughtful about this: any response is a bad response, right? So you get the email address, which acts as a sign-in address, and pick something super common, so if you were in Boston and you're a baseball company, right, we can pick something like this. That's a very targeted view. The things that we actually see in terms of attacks, that the bad guys are actually doing at scale, are on the right. In an attack like this one on the right, they iterate through 15, 20 passwords, and they know what our rules are up to a point, so they won't do super simple ones, but you get 1%, so if you have 100 people in your organization you're looking at a 1% penetration rate. If somebody is doing something targeted and thoughtful, they know you make widgets, they might put Widgets 2018; they know you expire your passwords every quarter, they'll say Widget Spring 2018. You're giving them the rules they need to follow, so you reduce entropy by adding rules. There's a paper we have live, I encourage you to read it, it just says Password Guidance, and I'd say just take the rules off. You need a checker that says — by the way, anybody who's using Azure Active Directory, you've already got it. We look at the incoming attacks and we put these on a banned list, and then any permutation of that word is also banned, and we can talk about algorithms later. There's been talks already at this conference. All right, so password spray looks like this. This is a fun graphic. This is what it looks like on our end.
If this password spray were involving your organization, this is only about 6,000 requests an hour, so it's not a huge volume on this attack, and your organization might have one account in there, so we're looking at this across many organizations. But the password, the blue hill, the first mound, that's one single password, and that's failed passwords. So what we're logging here is individual passwords that are failing, right, and when it spikes up like that; normally this thing would look flat. There's a huge diversity of them, so there's no big mountains. So the mountains like this are an attack in progress, a password spray attack in progress, and you're seeing the attacker go through password 13 and capital-P Password 123 and then iloveyou and qwerty, and they're going through these things. Again, using 8 or 10 passwords you can get 1% of the accounts. All right, so let me go into phishing. And we all know, this is awesome, that it doesn't really matter what URL it comes from or what the mail says; as long as it says there's something interesting if you log in, your user will pretty reliably log in. This is a fun and stupid phishing attack, right? It doesn't come from our domain. The whole thing is obviously phish. And with one like this you'll still see something like 15% penetration. People are super curious. They go to a page, this follows them to a page like this, and it doesn't look really anything like the current login screen. That's okay. I'm still curious, I'm going to log in and I'm going to give you the password. We should be clear that the only time password rules matter is on password spray. Your user is giving away the password, so it doesn't matter how complex it is. And then behind that page is something like this. It's a PHP file, and again the thing to notice on this is about halfway down the screen it says: change your email here. That's another tool that was downloaded off the web.
There's no genius in the attackers, it's just a job. And for phish, really our best tool is our anomaly detection, so you can see the risky sign-ins here in May running around 300,000 a day. And that's basically things where there's enough of a difference between the way the user normally behaves and what they're doing here that we can worry that it might be phish. Now, so hopefully that convinced you that it's going to happen; it's trivially easy for users' passwords to get out in your organization. If you have more than 100 people in your organization you have a breach somewhere, at least credentials. If you're using Azure Active Directory there's a report called Leaked Credentials. If you're EMS, P2 or P1, and a lot of people said they were using Conditional Access, so that's all of you, please look at the reports, super important. Now, now I have your credentials, what do I do next?

>> Okay, thank you, Alex. We talked about Cloud App Security that can see through the session. It's also exactly this: once I compromised an account, I have certain privileges and I'm going to use them in order to pursue my targets, and this is where we stay in the cloud. I want to have a deep dive, and many of you, from the hands earlier I saw, are not familiar with Cloud App Security, so I'll take a deeper dive. Cloud App Security is a product that allows you to monitor sessions of cloud applications by connecting it either through a proxy or through API connectivity, so it's a very simple deployment that allows you to have full visibility into what's happening after that login that we talked about. If it's a compromised one, it's super valuable data, and this is the type of customer investigation we keep seeing: so this user was compromised. What happened? Well, you've got Cloud App Security to give you exactly the details of what the attacker did. Now, let's separate the types of detections that we can give you in Cloud App Security for an attack.
The first one is continuing the same indicators that Alex mentioned that we perform on the risky logins, across the session, so on every transaction you can still see that. A very important thing to remember: Cloud App Security does it cross-application, so if you have a session, let's say in SharePoint, that is benign, but in parallel you have an AWS account that was compromised and was used by an attacker, we can use this cross-correlation between the apps in order to baseline the user, because we know the user is a person. We know how to baseline, and we can cross-correlate these transactions, so it's not only the login. We can see the entire session and cross-correlate it across the apps. We take things like suspicious IP addresses and anonymous ones, with user agents that are not typical, and this is on the meta level of the session. The next thing that we do, we're looking into specific activities within the session for which we developed indicators of compromise. So while looking at the spectrum of the Microsoft customers, we developed some very good instincts and detections to tell you when a certain action that is usually benign doesn't look so normal now and is probably an indication of a compromise. This is where you get different detections, for instance on threat delivery, so we can identify malware that is being planted in different storage accounts and alert you about that. We can identify a malicious OAuth application installed by the attacker on the account that was compromised, in order to persist with access. In addition, as Alex mentioned, we have done a detection to identify suspicious inbox rules, which is a very common technique we see attackers doing on compromised mailboxes. No malware whatsoever; they can just get hold of an account mailbox, use it in order to move laterally, and install inbox rules that allow them to remain undetected. We'll get a deep dive on this in a second.
The next type of detections is on malicious use of an end user's privileges. I'm an end user, I upload and delete and edit files; these are benign actions, but if it's coming en masse, if it's unusual, we know to identify these indicators and alert you that something fishy happened. So the next download becomes exfiltration of data. It might be sharing with an unwanted party, and ransomware, it's just edit and upload files, but we know there are some indicators we trigger on and we say this is ransomware, not a user activity. The last phase is where we have a special place in our heart for privileged users. If they were compromised, then we monitor every single admin activity that was done on their behalf, and we baseline on a per user basis: so is this user typically doing these administrative actions? Are these impersonation activities benign? Is it normal for this admin to impersonate one user? Well, maybe. Is it normal to impersonate 100 users? This looks suspicious and we trigger an alert. One detection we did mention is a suspicious mailbox rule. This is where we can identify that a forwarding rule was established to a not so valid account, not really an account that we think belongs to the same user. So out of all the mailbox rules we actually developed these indicators that allow us to distinguish suspicious rules, where we want to tell you, hey, this looks like a good indicator of compromise. You should look at that account; even if it was compromised, this is a very early stage of the campaign, which allows you to remediate it quite early on and not to wait until they send phishing emails across the network. And the original user cannot see that, because there is a forwarding rule that is also deleting the emails that were sent, the "why are you sending me these emails". The original user will not see it because the attacker deleted it using the rules.
Another detection that is kind of unique, and I think I'd like to present it because it has two morals: one, what we're doing here, and you can see that this is an activity by a terminated employee. So we all have Azure AD and we provision users, and an employee leaves the organization and we deprovision it, so everything is benign. They cannot log in. However, in cloud applications, what we're seeing many times is that not all applications are managed with the same user identity solution. We have all these shadow accounts of users that have left the company, but the accounts are still there. So this chart has an account on Azure AD that is deprovisioned, and an account on AWS that is still provisioned and active. We cross-correlate it. We said Cloud App Security can cross-correlate the signal from the applications. As soon as there is activity on AWS, we're saying this is wrong and we alert you to take action on this account, even if it is not managed in Azure AD because it was deprovisioned. Two morals here: one, onboard all the applications you can to Cloud App Security. Two, onboard all of the applications you can into Azure AD, so you can have one single identity management solution across all of your applications, first and third party, so not only every application you actually use. Now switching, and we said again attackers don't differentiate between the cloud and the on-premises. Many times they want to go into on-premises to go to the crown jewels, to get domain dominance. This is a happy land for attackers, so we have Azure ATP. It's a very simple sensor that you actually can deploy on your Active Directory, and then we get the visibility into the different steps of the attacks that we talked about earlier, starting with reconnaissance. It's how an attacker can really easily get a lot of data just by being in your network, and just by having one identity in your network, and have full visibility into what your network looks like. So it is done by two primary methods.
One, really doing, like, queries against your Active Directory and gathering lists of users, groups, group membership details and so on, and the other way is actually creating a network map by harvesting your DNS. So these are two very common detections we have that help you see an attack as it is actually being formed, before it has taken an action, so this is a really interesting way to have early indicators for an attack. Compromised credentials: on-premises, attackers are using brute force, and we can obviously detect that, and two new alerts we added recently that allow us to understand that an account might be compromised as well use Azure Information Protection. How many of you are using Azure Information Protection? Great, so by using Azure Information Protection, one of the big benefits you get is an audit trail on who accessed which file and so on. You have authentication. So once you have data that is protected by Azure Information Protection, in Azure ATP we can baseline the behavior of the users on accessing the protected data, the sensitive data, and we can alert you when there is a new, unusual behavior in accessing this sensitive data, and this is a very good way to know if there is an attacker poking at sensitive data, trying to access it. Next we have suspicious VPN connection; we'll get to that later. And then lateral movement. Lateral movement: very common techniques, pass the ticket and pass the hash. How many of you are familiar with pass the ticket? We'll have a quick overview for those of you who do not. This is a very easy way to get the token that Alex mentioned earlier, the Kerberos ticket, and you can go anywhere. And lastly domain dominance, a bunch of techniques that allow attackers to gain dominance. These are the alerts that should trigger you the most quickly. This means the attackers are already owning you. This is where you want to get this, and this is the worst-case scenario, and this is where you obviously want to take an action.
So VPN activity: it is achieved by integrating your VPN activity into Azure ATP, and this shows you the very unique way of moving from the cloud into the on-premises using the VPN, so this is a very unique place you really do want to monitor for detections, and this you can achieve now with Azure ATP. Pass the ticket, I will skip this, but I want to say this is a very common way to take a ticket that was granted to a user, if you have hold of a machine, and then use it to impersonate to other resources. I really encourage you to learn more about the how, because it's interesting to understand how mechanisms that we build to make our users more productive are actually being abused by the users, by the attackers, and this is why you need more mechanisms to detect where there is such benign, not benign, malicious abuse of that. And I'll just show you the alert that you get with pass the ticket. You can see a user on a server like SharePoint, and we can identify using Azure ATP that the same ticket that was issued to SharePoint was actually moved into another machine in order to access a resource by impersonating the original user, so these are the types of identity theft, of lateral movement, that you want detections for and that you want to respond to. Now, all of this goodness we've shown you in three different products, right? One was Azure ATP. The other was Microsoft Cloud App Security, and the third one is Azure AD. In the end we were talking about the same person, so if it was my user, it is me that's creating three alerts across these three products, and in security operations you would need to go to each one of these portals in order to understand that someone compromised my account: my log-in did something suspicious in my mailbox and then did something bad in the internal network by connecting through the VPN. Three portals. What we did together with Alex's team is we worked on unifying this.
What we are very happy to show you today is how the new experience will be. This is an experience that will combine all of this signal into a single SecOps experience and will be built in the process that we talked about between the administrative team and the SecOps team, in order to hand off the investigation back and forth, and remediate. So this is exactly what we are really happy to demo to you today. This will be in public preview in the upcoming months. And I will let Alex kick off the demo.

>>Switching technology. Let's see if we get it. Hey, look at that. All right, so it's funny, this is what we decided we would do. Here's what we did. We said: hey, we should get together and talk at Ignite and show off how cool our integration stuff is, so, hey, Dana and Ayal, would you guys go build that? The guys, the teams who put in the hard work, really are in the room and we get the privilege of kind of showing off their great work. This is imminent, so if you're using Azure Active Directory Identity Protection or AD, what you're seeing here is about to be available to you in public preview. The things I would like to show you just quickly is that on the AAD IP side, we really look at this as, if we go back to the framework I was establishing in the beginning of the talk, you have an administrator's view, which is really about health policy. It's about how do you create and maintain a safe infrastructure for your organization to do work in? And then we have an investigator's view, which is how do I get down to the details of where did this attack hit, what were all the resources impacted and all the users, and loop that back into a recommendation. So the view we're taking in Azure Active Directory is one of that health policy: how do we support that? How do we help you understand statistically what's happening in your organization?
And from that pattern, help you understand what are the things we would say are best practices you want to use Conditional Access for, and that sort of thing. For now I'm going to show you just a couple of things and then we're going to dive into the shared investigation view. So on the high-risk user side, we can see we have unprotected sign-ins, medium and high risk users. As an admin you want to understand what's happening in the organization and maybe test for is that a false or true positive, that sort of thing. We have a set of users here that are showing up as at risk, and what that means is we believe there's a significant indicator that their credentials have been compromised, so generally that means their password has been used in a way that gives us a strong indication, based on what I was saying before, that they're in the hands of an attacker. So here we have a view of Jeff Leatherman, which is the drawer view, and the things you can see here are risk history, risky sign-ins, and non-session-linked risk events. What that means is something happened outside of a log-in that indicated to us that user was compromised, so this non-session-linked risk event says the credentials were leaked. This is that view. This person was reusing their credentials on another site and that site was breached, and now those credentials have been retried against us. Most folks here are in a hybrid deployment with Active Directory, just statistically. That's true. If you're doing pure Active Directory, pure managed, raise your hand. Oh, yeah, all right. That's good. That's awesome. All right, everybody go that way. But in the meantime, if you're doing a hybrid deployment, then one of the things you can do is use password hash sync. I would be happy to spend however much time we need to after the talk to convince you to. That's what allows us to do things like know during a password spray attack or during a replay attack that the passwords match.
I can explain why it's not putting you in danger to do it, but it gives you a huge safety benefit in terms of understanding which users were leaked. As you saw from the stats, from the breach replay stats, it's happening, and I've never had someone turn it on over about 10,000 users and not see hits, right, where they find out they have users who have been having their passwords traded on the black market. So if we dig in here, we can do your basic mitigations here. We could reset this password, which I'm not doing because this is a shared environment; we're trying to do non-destructive demos. It matters when there are 20 people here using the same environment. But one of the things we're going to look at is this magic link, which is Investigate with Azure ATP. For those of you who have been using the two products together, you've known it's impossible to get signal back and forth, and we're trying to make that super easy, and we'll talk about what's coming in a minute. I'll let Yinon, blame the WiFi, blame the WiFi, Yinon sort of show off some of the work we've done here.

>>Thank you. So what we actually did is we said, we moved from Jeff Leatherman, who is the user; just give me a second. So if you remember, Alex talked about Jeff Leatherman, linked from the, actually linked you into the Azure ATP, and what we get now is the Azure ATP new page for Jeff Leatherman the user. This page, the thing that is so cool, is not only Azure ATP signal. It actually includes all of the signal from the three products we mentioned and gives you a view as SecOps on everything you need to know related to security incidents related to that specific user. So let's start actually with a new concept we're introducing here: investigation priority. Investigation priority tells you how important it is for SecOps to start investigating this user now as a person. Something is not benign with their account, with their behavior in total across the three products.
What do we put into the investigation priority? Three things. One, information about the user, so who is the user? Is it a C-level exec? Is it an IT admin? Is it someone without any privileges, where nothing will happen if it was compromised? We know it's never true, but giving you an example. So this is the first thing we want to know: how important, what's the impact of this user actually being compromised. The second input that we put into the investigation priority, obviously, is all the alerts that we collect, and you can see here in the example that we have 6 alerts; we'll in a second go into a deep dive on them, but the alerts are coming from the different sources, so 2 from each product, and this is what allows you actually to see one holistic priority across all of these, to investigate the identities that are most compromised. The third thing that we actually put into this investigation score is the activities. So activities that are suspicious, but not suspicious enough in order to trigger an alert; they just didn't look quite right to us, so this is what we call low-fidelity alerts. Low-fidelity alerts that we never knew how to surface to our users, and what we did, we actually put them also as another input into this investigation score, so it all aggregates to one investigation priority that allows you to know where to start from. We give you a summary of the most recent and common resources, devices and locations for that specific user. Looking at the alerts, we start by seeing the first two alerts here. The first two alerts are the risky sign-in and leaked credentials. These are the same ones Alex just showed you from Azure AD. The next two alerts, let's look into one alert to give you the overview. So you can see that in the alert itself, you get everything that you need in order to investigate. So first, we invested a lot into telling you exactly what happened. So what happened? Why do we think this is suspicious?
And second, what do we recommend you to do next? In addition, in the activity log, for those of you who are familiar with the products already, we also give you an activity log that is more intended for the security operations: so what is risky exactly? What did we see? And the ability to pivot on the different entities. So beyond this, we also see on the right the insights on that specific user, IP address and device that allow you to do all of these pivots and understand what is the baseline, what is normal. Why do we think the activity is not normal? This is what you get on every single alert in this dashboard. Now, the next, sorry. The next alert that we see in the list is a suspicious inbox forwarding rule. We talked about it, so I won't go into this, but the next alert I do want to show you is an alert that we actually built on the Azure Information Protection signal, and this is a very cool alert. The alert shows you that there is an anomalous access to protected data, to sensitive data, to your crown jewels. We see here there are 50 protected items while the usual is less than 4. This is suspicious, and we give you additional info that is important to know, like how many were successfully accessed out of these 55? And where from? So this is from Manila; that is not typical, because the user is usually from the U.K., and so this is the alert that you get, again with the recommendations and the insights. The next alert that we're seeing is a suspicious VPN connection. This is where the attacker actually moved from the cloud to the on-premises. So you're seeing here in the attack timeline a hybrid incident that crosses the cloud and on-prem. Finally no barriers: you can have one pane of glass in order to investigate both. It doesn't matter for the attacker. It shouldn't matter as SecOps, and this is what we went ahead and did. The next alert we're seeing is actually the reconnaissance. Just give me a second.
The next alert that we are seeing is actually the reconnaissance. As I mentioned to you, the two most common reconnaissance actions are using directory services and DNS. In this case it is a directory services alert, and what I want to show you here, very quickly, is how this alert looks. So what we are seeing in the details is that the user, once compromised, Jeff Leatherman, and connected through the VPN to our DPS server, we're seeing that actually the user was used in order to query the domain for Ron Harper and the help desk team. This is intriguing us, because why would suddenly Jeff Leatherman start inquiring about Ron Harper? We can easily pivot into the Ron Harper page. Under Ron Harper we see again the same investigation panel, but now it has another set of alerts. In this case it is identity theft using a pass-the-ticket attack, and those of you who followed the attack pattern can know what to expect now. When we go into this specific alert, we can easily see that Ron Harper's identity, the ticket, was actually used to impersonate from our DPS server and Finance server, and moved from the DPS server to the Finance server in order to access two new resources. So this is exactly the type of attack we talked about: starting from any account, connecting through the VPN into the on-premises, we have plenty of tools in order to exploit other identities, pass-the-ticket attack on Ron Harper, which is a help desk account that probably has access to many, many, many other devices. This is why it was targeted, and then we continue with the lateral movement. With that, we go back into Jeff Leatherman. Now we want to move into the response. We understood what happened, we understood the scope of the attack, and now we want to respond to it.

>>All right, so there's a bunch of cool and crazy stuff that just happened there, right? If you think about it from the perspective of you're an AAD IP user, you've been able to see the credentials were leaked and there were suspicious sign-ins.
Those two things were available to you before. If you look at it from that authentication ticket lens, that's as much as you get to know, and I think it's valuable, but this is a view where suddenly we've been able to go from okay, I can tell the whole story. This guy, his credentials were leaked. He signed in from an anomalous location. They set up some forwarding rules. They punched through the VPN, and then they did a pass the ticket and stole another user. That second part is super interesting. That says we have a signal that says a user has been compromised that is simply unavailable in the cloud. And by passing that information back up, we can then mark that user as risky, so it's a very valuable kind of round-trip thing we're doing here. The second thing we like to do in a way that's round trip is passing information back and forth from the SecOps team into the administration team, so as we go up here we can navigate back into Jeff, and over time we'll be doing more work in terms of ticketing integration. All of this stuff is supporting APIs already, so if you have a ticketing system or a SIEM system, this is data you can import. If we wanted to, we can look at Jeff and just go ahead and reset his password now. Or do more investigation on that end. The thing I'd like to show you now is actually something a little bit different, which is we go back to that security overview page, again from the perspective of health policy. If you think about the zero trust networks or identity as the control plane or any other stuff we're doing, Conditional Access is our toolkit, our policy toolkit, for helping you secure your organization, to set up the rules that make it harder for attackers to penetrate. If you are not yet using MFA for admins in your organization or privileged users, please start.
These are the sorts of things, we have an investigations team on my team that handles incidents for our customers, and it's amazing that in almost every single incident we deal with, if people had followed guidance, we actually would have been able to see that attack not get through. There will be attackers who are super sophisticated and will be very determined, and advanced persistent threats exist, but for the most part these are attacks of opportunity. They're scanning large amounts of accounts and seeing what they can get into, so there are easy ways to defeat that. This is the oldest joke: you don't have to be the fastest person, you just have to be faster than the slowest person. Some of this basic hygiene stuff will really help you out, so with that I want to show you some work we've been doing to try to make that a lot easier. So as we look at sort of the health policy view, the main thing that we're trying to bring, this graphic is entertaining. It looks a little bit less insane if you bring it out to a longer window. If you look at things we can do, one of the big things we've been trying to do is look at statistically what are the policies that work? If we think about the attacks that get through, what policy would have blocked that attack and still has low user friction? And then how can we help you get to a place where it's super easy to do that? Those policies are lots of different configuration elements. If you're in identity and configuration, Secure Score has been around for a while and we've had identity things in Secure Score for a while, but with Microsoft 365, with the security lens we're doing, we're breaking it up again by infrastructure pillars, so your identity administrator can say, what's my to-do list in my Azure Active Directory or directory environment? So Secure Score is how we're trying to help move people to this more secure posture. In the security keynote, Rob said take the top thing off the list and do it, right?
The top thing off the list is protecting your privileged roles with multifactor authentication. There was a presentation on Secure Score yesterday, and it was saying, guess what the rate is at which administrators and privileged roles are protected by MFA in our user base today, across the tenants. What percentage of tenants have their user roles in MFA? Whatever number you're guessing right now, guess lower, and then guess lower again, and then again. And I will say it's so abysmal we don't like to talk about it. But that's not like we're begging you, right, please. One of the things we're going to be doing going forward for new tenants: when you get Azure Active Directory, it's just on. We won't let you have administrators without MFA. So many bad attacks are starting that way. Once I have your Exchange admin or I have your AD admin role or your whole Azure global admin, right, I kind of own you. I can create rules. I can create users. I can do all kinds of crazy stuff, so turning on MFA is a key thing. So Identity Secure Score is essentially a scorecard of how are you doing versus what we're seeing as the best possible security posture? And it gives you a to-do list that's prioritized and is hopefully easy to execute. So an example of doing that is, from the Identity Secure Score view, the top thing is: oh, look, enable MFA for Azure AD privileged roles. So if I click on that, I get a quick description. People love the scores. What's really weird to me is people will cheat the scores. No, they'll say, oh, I did this, and they haven't done it. And it's like, I mean, it's just a number, dude. [ Laughter ] You know? So don't cheat. Right? This is supposed to help you get more secure, not just get a bigger number on the screen. But what this does is, it gives you a description of what you should do. Right? And then again privileged roles are a serious issue. User impact is low. We expect admins know how to do MFA. Implementation cost is essentially zero.
It tells you what you're enabling and then how it will affect your users, so all the Secure Score elements have this basic taxonomy to them where they try to give you a very easy playbook to say, what do I need to do to get more secure so I'm not one of those statistics that I'll show again next year? Don't be my story for next year, you know? So by the way, the story that I told around that sequence of password spray and phish, that was my 4th of July two years ago, sitting on the phone with those guys helping them get back under control. So the other thing I would say is follow these rules and give my team some rest. [ Laughter ] So getting started here, whatever you need to do to go do the thing. So the third thing we'd like to talk about real quick is, blame the WiFi, blame the WiFi, blame the WiFi, is baseline policies. And so the second piece of work that goes right hand in hand with Secure Score is, can we get this down to one click? Since Conditional Access is our toolkit, we're creating policies that don't look like normal Conditional Access policies. They're designed to be very, very locked in and very easy to implement, and so if we were to zoom in on this, right, again it just repeats what you saw in the Secure Score. But all you get is: turn it on, set a time to turn it on, and you can exempt some users. And it's super simple. So if you turn this on, please do, it will just automatically enroll all your privileged users into MFA, and as new privileged users come in or go out, whatever, the rules follow them around. So that's another important piece of work. We're working together both within the threats that we see inside of Azure AD, and then with Yinon's team as we're integrating signal across. Some of the stuff he didn't show you is it also includes things like Defender signal from devices; we're bringing in signal from AIP for anomalous document uploads, or sorry, opens.
There's a set of things that we can bring in, and this canvas will get richer over time, and then all that will go back, and again, statistically, we can say we know what attacks are working, we know what policies defeat those attacks, and bring those back to you in this way. So this is designed to be super easy. Switching back to the presentation, yeah, so this is the Secure Score pitch. Essentially most of our user compromises are preventable. It's just a matter of turning on the rules. Baseline protection is designed to do that. We'll bring out soon a baseline protection for users which will allow you to do MFA registration and some of the best practices for users, as well as turning off legacy auth, which is a problem set of protocols like XML auth and POP and basic that are associated heavily with attacks. And then we talked about Secure Score, so just summing up the things we saw. And so let me talk about the third pillar here. So we're giving it to you in terms of Secure Score. We're giving it to you in terms of baseline policies, and then the last piece in terms of making this much, much easier for you is just documentation. So we did a bunch of studies, and again this is what feeds the Secure Score: if you turn on MFA, you'll defeat 99.99% of the attacks that people hit. I mean, and by the way, Maria is the data scientist who pulled this number, and I went back and I was like, is that really the number? It's actually really the number. So sometimes it's just convenient and it lines up. This was 99.99%. So one one-thousandth of the compromises, if you just turn on MFA for the user base. Everybody is doing MFA for Twitter and Google and Xbox. They're used to it, so I think this is one of those things where we just have to accept that passwords aren't good enough and the friction is acceptable for MFA. Turning off basic auth, turning off legacy auth, I'm sorry, reduces compromise by 66%.
People who use Azure Active Directory Identity Protection, those policies reduce compromise by 96%, so really significant improvements. If you want to see the number of 101 come down shorter and shorter, as I do, then please look at the reports. So often we get the thing from the customer that's like, why didn't you tell us? We go back and show them the logs. It's like, we told you on this date and this date and this date, and then we called you. And so it's important that you're paying attention to the signals you're getting. And then finally, I would encourage you to use self-help wherever available. A good example is self-service password reset. I'll tell you a tales-from-the-crypt story. When I was doing security for Xbox, we tracked 60% of our user compromises to our tier 1 support, 60%. And the reason was that you take a group of people and you pay them and incent them based on customer satisfaction and speed of resolution, and watch what happens. The hackers call in, they act dissatisfied and impatient, and then people will suddenly do whatever they have to do to keep their numbers up, so if your job is customer satisfaction and your customer is the hacker, right, then it's easy to do a little crying, a little screaming, you get your way. And there are really good playbooks for how to break support centers, so what we encourage you to do is, wherever possible, codify your policies, especially for things like password reset, into self-help tools and eliminate that tier one. That's exactly what we did. We took all that power away from tier 1. And the results were staggering in terms of both cost reduction, but also increased security and actually happier users. So things like just register for MFA, and then if you forget your password you use your MFA to recover, or whatever. I would be remiss if I didn't mention, we're working really hard to get away from passwords altogether, and please join us on the journey. All this is codified in a paper called Security Steps.
We'll keep this paper updated along with the Secure Score and the policies, so those three things will work together. Those will be the three legs of the stool, so any one of those tools should help you move your identity posture to a more secure place and reduce the volume of attacks you're getting. If you do get an attack, nobody's perfect, so there will be attacks that get through, then that's when your investigations and forensics tools will kick in, and we'll continue to make that environment richer as well. There will be a lot of exciting stuff coming out over the next year. I will pass it back to Yinon one more time for a little bit more advice.

>>Yeah, so we talked about the Azure AD Identity Protection and the policies. Next step, to gain all the visibility you need for the Active Directory and the Cloud App Security sessions: then please go deploy Azure ATP, deploy Cloud App Security. Very simple steps: sign into each of these portals, do the steps. Deploy the AD sensor for Azure ATP, and connect your cloud applications to Cloud App Security. These are literally 10-minute steps you need to take in order to monitor the out-of-the-box alerts that these products actually produce for you. More advanced steps: you can extend your visibility by integrating VPN logs into Azure ATP, performing shadow IT discovery in Cloud App Security, and I encourage you to see the other sessions on these topics in order to get a deeper dive on these two products, but again the basic deployment is so easy that you should just go and do that and enjoy the signal and have a uniform view, a complete view, end to end, of what attackers actually do when they get a compromised account. This is super valuable data that you need if you actually got compromised.

>>All right, so summing up. We've got 5 minutes, so we'll go ahead and move to questions, but before we do, just real quick, there's a bunch of other really good sessions going on here.
Kayla Baker will be doing a session on Conditional Access, which I'd recommend hitting at noon. There are other sessions that Dana will be doing, and other folks, so just keep an eye out for anything that says identity or ATP or MCAS in it. And then finally, thank you very much, and we have about 4 minutes for questions, but thank you guys very much for your time and attention today. [ Applause ]

>>You want to take questions from here?

>>If you have questions, please come to the mics, and we'll just go, I think. [ Off microphone ] Sure.

>>Hello, hello. How about ATA, Advanced Threat Analytics, is there any hope with that?

>>There is hope, of course. This is a product that we continue to support. The main difference is that with ATA, the signal doesn't get to our cloud, so we cannot do this cross-correlation. So one of the biggest benefits of Azure ATP, moving to Azure [ Inaudible ] as a service, so you don't need to do anything besides deploying the sensor, and the other thing is the cross-correlations we've just seen. But ATA continues to deliver this security value, but on your on-premises, as a silo.

>>Got it. Thanks.

>>Hey, on the custom control, sorry, on MFA for the Secure Score for admins, privileged roles: will that honor custom controls that are used for MFA, like Duo, where you're using the JSON command?

>>We're not yet doing that in the Secure Score, so the way that you, in Secure Score there's a way to say I'm doing this another way. That's the non-cheating way to get your score up without using the actual thing. Some people say I'm doing it another way without actually doing it, but if you're using Duo you can say I'm doing it another way and it would come off the list.

>>This goes back to what you said about using password hash sync. Why that over pass-through authentication with seamless single sign-on?

>>Just because statistically more people are doing ADFS, but if you're using PTA, that's groovy, pass-through authentication. Yeah, that's great.
BUT WE STILL NEED — WE STILL WANT TO SEE THAT SYNCHRONIZATION COMING UP FOR THE CLOUD CHECK BECAUSE WE’RE NOT CHECKING DIRECTLY AGAINST YOUR AD SERVER.>>SO YOU RECOMMEND DOING THAT WITH PASSWORD SYNC?>>YEAH, YOU DON’T WANT TO — [ SIMULTANEOUS SPEAKERS ] GIVEN THE VOLUMES WE’RE DOING YOU DON’T WANT US DOING THE TEST AGAINST YOUR DOMAIN CONTROL SO YEAH YOU STILL NEED IT IN THAT CASE BECAUSE IF YOU DO THE TEST WE HAVE TO DO IT IN THE CLOUD.>>ALL RIGHT, COOL.>>WE’RE GOING TO JUST ROUND ROBIN HERE.>>MY QUESTION IS ABOUT LOGGING FOR POWERSHELL LOG-IN, SUCCESSFUL LOG INS FOR POWERSHELL. IS THAT LOGGED SOMEWHERE?>>SO IF YOU HAVE A POWERSHELL LOG-IN AS A –>>AS A USER, YOU CAN LOG IN TO YOUR MAILBOX USING POWERSHELL, RIGHT?>>RIGHT, THE LOG-IN WOULD SHOW UP AND POWERSHELL WOULD BE THE AGENT IN THAT CASE. THAT’S IN THE LOGS. YOU’RE ASKING WHETHER WE HAVE A RISK SIGNAL SPECIFICALLY FOR THAT?>>WELL, MY QUESTION ACTUALLY WE HAVEN’T SEEN THOSE LOGS. WE HAVEN’T SEEN SUCCESSFUL OR FAILED LOG-ONS IF SOMEONE USES POWERSHELL. I’M JUST ASKING IS THAT BEING LOGGED?>>WHY DON’T WE — I WANT TO UNDERSTAND THE CASE MORE CAREFULLY SO I’LL GIVE YOU A CARD HERE AND WE’LL — JUST COME UP AND WE’LL FOLLOW UP ON THAT ONE. I LIKE TO UNDERSTAND WHAT’S MISSING IN THE LOG IN THAT CASE. I’M NOT FAMILIAR WITH AN ISSUE THERE SO I’D LIKE TO FOLLOW UP.>>REGARDING ATP AND EVERYTHING YOU’RE DOING HERE WITHIN THE CONSOLE, I’M WONDERING THOUGH WHAT THE LICENSE LEVEL REQUIRED IS, LIKE FOR EMS OR OFFICE 365, IS IT E3 OR E5?>>YEAH, SO AZURE ATP IS IN THE EMSC5 ALONG WITH AZURE DEPARTMENTTY PROTECTION AND CLOUD-UP SECURITY, SO IT’S EMSC5 BUT IT’S [ INAUDIBLE ] AZURE ATP SPECIFICALLY.>>ALL RIGHT. OVER HERE? OR I DON’T KNOW WHY WE’RE DOING IT ON ROUND ROBIN.>>YEAH, HI, SO A LOT OF NEW FEATURES AND EXCITING THINGS COMING UP. HOW DO THESE APPLY TO GOV CLOUD? I KNOW THAT’S USUALLY LIKE ONE STEP BEHIND.>>SO GOV CLOUD. 
YOU’RE IN GOV CLOUD, RIGHT?>>YEAH.>>SO WHERE I THINK, I DON’T KNOW OF ANYTHING THAT’S DELAYED IN THIS SET FOR GOV CLOUD. SOMETIMES YOU’RE RIGHT THERE HAVE BEEN SOMETIMES THINGS ARE LAGGING. I DON’T THINK WE HAVE ANY DELAYS IN THIS IN GOV CLOUD AND ATP AND MCAS ARE BOTH DEPLOYED IN A DIFFERENT WAY.>>AZURE ATP AND MCAS ARE ON THE WAY TO GOV CLOUD. I DON’T HAVE AN EXACT ETA BUT I CAN TELL YOU THAT THIS IS IN PROGRESS.>>OKAY.>>I HAVE A LOT OF CLIENTS WHO WANT TO EXCLUDE TRUSTED LOCATIONS FOR MFA. DO YOU ADVISE AGAINST THAT?>>EXCLUDE TRUSTED LOCATIONS FOR MFA? I THINK WHAT I — I DON’T THINK IT’S TERRIBLE. THE THING WE HAVE TO REALIZE IS THAT MFA IS OFTEN — YOU’RE JUST DOING IT ONCE PER DEVICE, RIGHT? IN PRACTICE. SO IT’S NOT NECESSARILY THE CASE THAT IT’S BAD TO HAVE IT HAPPEN ON A TRUSTED LOCATION TOO, SO GENERALLY A WIDER UMBRELLA CAN BE BETTER BUT THE THING THAT AS LONG AS YOU HAVE A RISK POLICY THAT’S SITTING UNDERNEATH THAT, BECAUSE SOMETIMES PEOPLE CAN BE ON YOUR TRUSTED NETWORK BUT STILL HAVE ANOMALIES, THINGS CAN STILL BE WRONG, SO WE’D LIKE YOU TO HAVE AN UMBRELLA OF A RISK POLICY UNDERNEATH THAT. IF YOU DO AN EXCLUSION THEN HAVE A RISK POLICY THAT CATCHES IN AND ALL ANOMALIES THAT HAPPEN.>>ON THE SECURE SCORE RECOMMENDATIONS, CAN IT BE CHANGED SO THAT YOU CAN SEE WHICH RECOMMENDATIONS REQUIRE A SUBSCRIPTION UPGRADE?>>I THINK — SO THERE’S SOME — LOTS OF STUFF IS IN, LIKE WITH SECURE SCORE, WE’RE STILL ITERATING AS WE GET CUSTOMER FEEDBACK. ONE OF THE THINGS WE’RE TRYING NOT TO DO IS TO TRY TO USE IT AS A SALES DEVICE. AND SO THE IDEA IS THAT YOUR SECURE SCORE YOUR CAP IS BASED ON YOUR CURRENT LICENSURE, AND THEN THERE WILL BE ANOTHER VIEW ABOVE THAT WHICH SAYS YOU CAN GO HIGHER BUT THESE ARE THE THINGS YOU’D HAVE TO CHANGE LICENSE WISE. WE’RE TRYING TO MAKE THAT TRANSPARENT.>>AT THE MOMENT IT’S GIVING ME RECOMMENDATIONS FOR STUFF THAT REQUIRES SEVERAL SUBSCRIPTION UPGRADES. 
THAT’S WHY I’M ASKING.>>YEAH, WE HAVEN’T — THAT WHOLE CRANK HASN’T TURNED COMPLETELY YET BUT THE PLAN IS TO TRY TO KEEP IT SO WE’RE VERY CLEAR ABOUT WHAT’S IN AND WHAT YOU CAN DO RIGHT NOW VERSUS WHAT YOU WOULD NEED TO INCREASE YOUR LICENSE FOR.>>THANKS.>>ALL RIGHT, TRUST YOU GUYS TO KNOW WHO’S NEXT. I THINK YOU’RE THE ONE AT THE MIC, SO –>>OKAY, WE HAVE A G3, AND IT HAS ATP ATTACHED TO IT CURRENTLY. WE HAVE PURCHASED EMS. WHAT ARE WE MISSING TO GET THE FULL FEATURES?>>YOU HAVE EM E5?>>NO LIT BE E3.>>AND ATP?>>SO YOU’RE MISSING AZURE AD IDENTITY PROTECTION AND CLOUD-UP SECURITY. THESE ARE BOTH IN THE EMS E5 BUNDLE.>>IS THAT INCLUDED IN THE THREAT INTELLIGENCE?>>YOU’RE GOING TO SEE SIGNAL FROM AZURE AD IP ON YOUR E3 LICENSE. THE FULL SIGNAL, THE FULL FIDELITY OF THAT SIGNAL IS RESERVED FOR E5 SO WE WON’T NOT TELL YOU THAT THE SIGN IN WAS RISKY. WE’LL TELL YOU THE SIGN IN WAS RISKY OR THE USER WAS AT RISK. IF YOU WANT TO KNOW ALL THE DETAILS OF WHY THAT’S E5.>>AND THE RISK POLICIES.>>AND THE RISK BASED POLICIES ARE ALSO E5. SO WE’RE OUT OF TIME SO WE NEED TO CLEAR THE STAGE BUT I’LL BE