I’m Alex Weinert and I get to work on the amazing team responsible for protecting four billion consumer and enterprise accounts from unauthorized access and fraud. Each day, our machine learning and heuristic systems provide risk scores for 18 billion login attempts for over 800 million distinct accounts, 30 million of which are discernibly done by adversaries (i.e., criminal actors, hackers).
At Ignite last year, I spoke about the top 3 attacks on our identity systems. Here is the recent volume of these attacks:
- Breach replay: 4.6BN attacks detected in May 2018
- Password spray: 350k in April 2018
- Phishing: This is hard to quantify exactly, but we saw 23M risk events in March 2018, many of which are phish related
The volume of these current threats shows a significant rise, and new threats are emerging as well centered around IoT (Internet of Things), privacy, and consent. While we fight the good fight to ward off threats in your cloud infrastructure, we’d also like to recommend steps that you can take that could immediately protect your hybrid infrastructure. But before we can even start, ensure all your privileged Azure AD roles are protected with multi-factor authentication. Recently Microsoft released a baseline protection policy providing a one-click experience to protect privileged Azure AD roles.
Now, let’s get started with the five steps to securing your “hybrid” identity infrastructure!
Step 1: Strengthen your credentials
- The top 3 identity attacks are related to passwords. It’s critical to backup passwords with second factor (i.e. multi-factor authentication) or rely on intrinsically secure credentials (like Windows Hello)
- Move away from traditional password policies and adopt the NIST guidance for passwords. Turn off complexity and expiry rule and implement an on-premises banned password filter instead. Read more about password guidance.
- Enable password hash synchronization for leaked credentials and disaster recovery
- Implement Active Directory Federation Services (ADFS) extranet lockout
Step 2: Reduce your attack surface area
- Block legacy authentication flows to prevent password spray
- Block invalid authentication entry points like block access from certain countries/regions, time of the day, apps
- Use Azure AD Privileged Identity Management for just-in-time admin access
- Use Azure Advanced Threat Protection for advanced targeted cyber-attacks and insider threats
Step 3: Automate threat response
- Implement user risk policy to fix compromised accounts in real-time
- Implement sign-in risk policy to prevent suspicious sign-ins in real-time
Step 4: Increase your awareness of auditing and monitoring
- Monitor Azure AD Connect Health for insights into potential issues and visibility of attacks on your ADFS infrastructure
- Monitor Azure AD Identity Protection
Step 5: Enable end-user self-help
- Enable end-users to manage their credentials and their access with self-service password reset and group management
- Ensure the right users have the right access to the right resources over time by turning on Azure AD access reviews
Check out the other posts in this series: