This post is the third of a three-part series detailing Conditional Access from Microsoft Enterprise Mobility + Security. Today we are re-publishing the third installment with the white paper Protect your data at the front door with conditional access.
Through this blog series, we’ve taken a closer look at conditional access with Enterprise Mobility + Security and the innovations that can help you define and inform your policies with different layers of controls for user/location, applications, and devices. Most of the scenarios we’ve discussed have addressed user-based vulnerabilities, but it’s important to take into consideration the broader threat landscape and its complex risks.
Risk-based conditional access
Although attacks are increasingly sophisticated, each one leaves revealing traces, a calling card. This data can be used to find patterns that will help us protect against attacks. But processing such tremendous volume is no small task—so we got to work. Every month we update more than 1 billion PCs, service more than 450 billion authentications, and analyze more than 200 billion emails for malware and malicious websites. We see just about every kind of attack there is, and we push the data directly into our Microsoft Intelligent Security Graph.
The graph pulls together all of the telemetry and signals that come in from the hundreds of cloud services operated by Microsoft, extensive and ongoing research, and data from partnerships with industry leaders and law enforcement organizations. This graph is unique to Microsoft. We apply our machine learning and data analytics to identify suspicious and anomalous activities that characterize modern sophisticated attacks. The graph makes it possible for us to deliver recommendations and automated actions that protect, detect, and respond across different attack vectors.
You can use the Microsoft Intelligent Security Graph to inform your conditional access policies to protect against risk events by blocking access when risk is detected.
Leaked credentials
Microsoft security researchers search for credentials that have been posted on the dark web, which usually appear in plain text. Machine learning algorithms compare these credentials with Azure Active Directory credentials and report any match as “leaked credentials.”
Impossible travel or atypical locations
Machine intelligence detects when two sign-ins originate from different geographic locations within a window of time too short to accommodate travel from one to the other. This is a pretty good indicator that a bad actor succeeded in logging on.
Machine intelligence also flags sign-ins at atypical locations by comparing them against past sign-ins of every user. Sign-ins from familiar devices or sign-ins from or near familiar locations will pass.
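The two checks just described can be made concrete with a small evaluator over a user's sign-in history. This is an added example, not code from Microsoft or from the product described here; the speed threshold, the "near a familiar location" radius, the city coordinates and the device identifiers are all constructed assumptions, and a real service would also weight signals it learns over time rather than use fixed cut-offs. The sample data includes a case that is plausible travel but still an atypical location (a new device far from every past sign-in), so the two detections are shown firing independently.

```python
"""Impossible-travel and atypical-location checks over sign-in history.

Added example, not Microsoft's code. Thresholds, coordinates and device
identifiers are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class SignIn:
    user: str
    when: datetime
    lat: float
    lon: float
    device: str


EARTH_RADIUS_KM = 6371.0
MAX_SPEED_KMH = 900.0   # assumed: faster than this between sign-ins is not travel
NEAR_KM = 100.0         # assumed: radius that counts as "near" a familiar place


def distance_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points (haversine formula)."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def is_impossible_travel(prev, cur):
    """True when covering the distance between two sign-ins would need an
    implausible speed."""
    km = distance_km(prev.lat, prev.lon, cur.lat, cur.lon)
    hours = (cur.when - prev.when).total_seconds() / 3600.0
    if hours <= 0:
        # Simultaneous (or out-of-order) sign-ins: only distance can decide.
        return km > NEAR_KM
    return km / hours > MAX_SPEED_KMH


def is_atypical_location(history, cur):
    """A sign-in passes if the device is familiar or the location is near
    any earlier sign-in of the same user; otherwise it is atypical."""
    if any(h.device == cur.device for h in history):
        return False
    return all(distance_km(h.lat, h.lon, cur.lat, cur.lon) > NEAR_KM for h in history)


def evaluate(sign_ins):
    """Return (user, ISO timestamp, reason) for every risk event, in time order."""
    alerts = []
    history = {}  # user -> earlier sign-ins, oldest first
    for s in sorted(sign_ins, key=lambda x: (x.when, x.user)):
        past = history.setdefault(s.user, [])
        if past:  # a first sign-in has no baseline to compare against
            if is_impossible_travel(past[-1], s):
                alerts.append((s.user, s.when.isoformat(), "impossible_travel"))
            if is_atypical_location(past, s):
                alerts.append((s.user, s.when.isoformat(), "atypical_location"))
        past.append(s)
    return alerts


# Constructed sample: "alice" appears in Kyiv 30 minutes after a Seattle sign-in;
# bob goes London to New York in nine hours (plausible) but from a new device.
SEATTLE, KYIV = (47.6062, -122.3321), (50.4501, 30.5234)
LONDON, NEW_YORK = (51.5074, -0.1278), (40.7128, -74.0060)


def at(hour, minute):
    return datetime(2024, 5, 1, hour, minute)


SAMPLE_SIGNINS = [
    SignIn("alice", at(9, 0), *SEATTLE, "laptop-1"),
    SignIn("alice", at(10, 0), *SEATTLE, "laptop-1"),
    SignIn("alice", at(10, 30), *KYIV, "unknown-device"),
    SignIn("bob", at(9, 0), *LONDON, "phone-7"),
    SignIn("bob", at(18, 0), *NEW_YORK, "new-tablet"),
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_SIGNINS):
        print(*alert)
```

Running the block reports two events for alice's Kyiv sign-in (impossible travel and atypical location) and one for bob's New York sign-in (atypical location only), which is the distinction the text draws: a plausible trip still fails the familiarity check when neither the device nor the place has been seen before.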
Sign-ins from potentially infected devices
The Microsoft Intelligent Security Graph maintains a list of IP addresses known to have been in contact with a bot server. Devices that attempt to contact resources from these IP addresses are possibly infected with malware and are therefore flagged.
Sign-ins from anonymous IP addresses
People who want to hide their device’s IP address, often with malicious intent, frequently use anonymous proxy IP addresses. A successful sign-in from an anonymous IP address is flagged as a risky event. If the risk score is medium, a risk-based conditional access policy can require MFA as additional proof of identity.
Sign-ins from IP addresses with suspicious activity
Multiple failed sign-in attempts that occur over a short period of time, across multiple user accounts, and that originate from a single IP address also trigger a risk event. Traffic patterns that match those of IP addresses used by attackers are a strong indication that accounts are either already compromised or will be very soon, although the same pattern may also originate from an IP address shared by many devices behind a router or similar device.
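The IP-based signals above, and the policy response described for anonymous IP addresses (MFA at medium risk), can be shown end to end over a few sign-in log lines. This is an added example, not Microsoft's code: the log format, the sliding-window thresholds, the list of shared egress addresses and the stand-in anonymizer feed are all constructed, and the addresses come from documentation ranges so they belong to no one. It also carries through the caveat in the text: the same burst of failures from an address known to be a shared gateway is rated medium rather than high, so the policy asks for MFA instead of blocking.

```python
"""Suspicious-IP detection over sign-in logs, with the conditional access
decision that follows from the resulting risk level.

Added example, not Microsoft's code. Log format, thresholds and IP sets are
constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in log (203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 are
# documentation ranges).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z ip=203.0.113.7 user=alice result=FAIL
2024-05-01T10:00:04Z ip=203.0.113.7 user=bob result=FAIL
2024-05-01T10:00:09Z ip=203.0.113.7 user=carol result=FAIL
2024-05-01T10:00:15Z ip=203.0.113.7 user=dave result=FAIL
2024-05-01T10:00:22Z ip=203.0.113.7 user=erin result=FAIL
2024-05-01T10:00:30Z ip=203.0.113.7 user=erin result=SUCCESS
2024-05-01T10:01:00Z ip=198.51.100.20 user=alice result=FAIL
2024-05-01T10:01:05Z ip=198.51.100.20 user=alice result=FAIL
2024-05-01T10:01:10Z ip=198.51.100.20 user=alice result=SUCCESS
2024-05-01T10:05:00Z ip=198.51.100.99 user=ivan result=SUCCESS
2024-05-01T11:30:00Z ip=198.51.100.20 user=bob result=FAIL
2024-05-01T12:00:00Z ip=192.0.2.50 user=frank result=FAIL
2024-05-01T12:00:20Z ip=192.0.2.50 user=grace result=FAIL
2024-05-01T12:00:40Z ip=192.0.2.50 user=heidi result=FAIL
2024-05-01T12:01:00Z ip=192.0.2.50 user=grace result=SUCCESS
"""

# Hypothetical context an organisation maintains itself.
SHARED_EGRESS_IPS = {"192.0.2.50"}        # a NAT gateway many users sit behind
ANONYMOUS_PROXY_IPS = {"198.51.100.99"}   # stand-in for an anonymizer feed

WINDOW = timedelta(minutes=5)   # assumed "short period of time"
MIN_DISTINCT_ACCOUNTS = 3       # assumed "multiple user accounts"


def parse_log(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append({
            "when": datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": kv["ip"], "user": kv["user"], "ok": kv["result"] == "SUCCESS",
        })
    return events


def suspicious_ips(events):
    """Return {ip: risk_level} for addresses whose failed sign-ins touch at
    least MIN_DISTINCT_ACCOUNTS accounts inside some WINDOW-long span."""
    failures = defaultdict(list)
    for e in events:
        if not e["ok"]:
            failures[e["ip"]].append(e)
    flagged = {}
    for ip, fails in failures.items():
        fails.sort(key=lambda e: e["when"])
        start = 0
        for end, ev in enumerate(fails):
            while ev["when"] - fails[start]["when"] > WINDOW:
                start += 1
            accounts = {f["user"] for f in fails[start:end + 1]}
            if len(accounts) >= MIN_DISTINCT_ACCOUNTS:
                # A shared gateway carries many users' ordinary mistakes, so
                # the same pattern there earns a lower level than a lone host.
                flagged[ip] = "medium" if ip in SHARED_EGRESS_IPS else "high"
                break
    return flagged


def risk_level(event, flagged):
    if event["ip"] in flagged:
        return flagged[event["ip"]]
    if event["ip"] in ANONYMOUS_PROXY_IPS:
        return "medium"
    return "low"


def policy_action(level):
    """Risk-based conditional access: low passes, medium needs MFA, high is blocked."""
    return {"low": "allow", "medium": "require_mfa", "high": "block"}[level]


def evaluate(log_text):
    """Return (user, ip, risk_level, action) for every successful sign-in."""
    events = parse_log(log_text)
    flagged = suspicious_ips(events)
    decisions = []
    for e in events:
        if e["ok"]:
            level = risk_level(e, flagged)
            decisions.append((e["user"], e["ip"], level, policy_action(level)))
    return decisions


if __name__ == "__main__":
    for decision in evaluate(SAMPLE_LOG):
        print(*decision)
```

Only successful sign-ins reach a decision, since that is where access is actually granted; the failures are evidence. Note that 198.51.100.20 is not flagged even though it produced three failures: two hit the same account and the third falls outside the window, so neither the "multiple accounts" nor the "short period" condition is met.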
Beyond access control
Microsoft Enterprise Mobility + Security (EMS) delivers innovative security technologies that provide a holistic, identity-driven approach to mobility, identity, and security in a mobile-first, cloud-first world.
While our risk-based conditional access helps protect your data “at the front door,” EMS also gives you visibility into user, device, and data activity on-premises and in the cloud, and includes solutions that allow you to protect your corporate data from user mistakes with stronger controls and enforcement.