Transcript of Defending Your CIAM from Current Threats (slide deck)
Defending Your CIAM from Current Threats
Alex Weinert, Group Program Manager
Microsoft Identity’s Security & Protection Team
@alex_t_weinert
If we could just get security out of the way . . .
Customers would love us!
But they aren’t all customers . . .
Or even humans . . .
Some aren’t feeling like themselves . . .
And success attracts attention.
Types of Badness
Compromise – dual ownership, bad actor has access to someone else's account
Abuse – account created to violate Microsoft TOU (example: a spammer)
Azure Active Directory B2C
(Architecture diagram with the labels: Customers; Social IDs; Business & Government IDs; Azure Active Directory B2C; contoso; Apps; Analytics; Business; CRM and Marketing Automation.)
• Provide branded (white-label) registration and login experiences
• Securely authenticate your customers using their preferred identity provider
• Capture login, preference, and conversion data for customers
Microsoft Account (MSA) at a Glance
• ML protection systems process >20TB of data daily
• ~9B authentications
• ~7.5B MSA
• Automatically deflect 20M attacks per day
Replay Defenses
Password Spray (aka Brute Force, Hammering)
• Iterate through known account names with most common passwords
• Probability of account compromise by password spray: 1%
Most common passwords:
1. 123456
2. 123456789
3. qwerty
4. 111111
5. 12345678
6. 123123
7. password
8. 1234567
9. 12345
10. 1234567890
11. abc123
12. 123
13. 123321
14. password1
15. qwertyuiop
16. 666666
17. a123456
18. 1234
19. 654321
20. 5201314
21. 123456a
22. iloveyou
23. 11111111
24. 159753
25. 123123123
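A defender-side check for the spray pattern this slide describes, as an added example that is not from the deck: it groups failed sign-ins per source and flags a source that fails across many distinct accounts with only one or two attempts each, which is exactly the shape per-account lockout misses. The events, the RFC 5737 test IP addresses and the contoso.example accounts are constructed; the window and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth events: (timestamp, source_ip, account, outcome).
# 203.0.113.7 tries 40 different accounts once each (a spray) and gets into one;
# 198.51.100.9 is a real user who mistypes twice and then succeeds.
SAMPLE_EVENTS = [
    ("2017-09-01T10:00:00", "203.0.113.7", f"user{i}@contoso.example", "fail")
    for i in range(40)
] + [
    ("2017-09-01T10:00:30", "203.0.113.7", "user3@contoso.example", "success"),
    ("2017-09-01T10:01:00", "198.51.100.9", "alice@contoso.example", "fail"),
    ("2017-09-01T10:01:10", "198.51.100.9", "alice@contoso.example", "fail"),
    ("2017-09-01T10:01:20", "198.51.100.9", "alice@contoso.example", "success"),
]


def detect_spray(events, window=timedelta(minutes=10),
                 min_accounts=20, max_per_account=2):
    """Flag sources whose failures, within `window` of their first event, are
    spread over >= min_accounts accounts with <= max_per_account tries each.
    Per-account lockout never fires on that pattern; per-source counting does.
    Returns {source_ip: {"accounts": n, "possible_compromises": [...]}}."""
    by_source = defaultdict(list)
    for ts, ip, account, outcome in events:
        by_source[ip].append((datetime.fromisoformat(ts), account, outcome))
    findings = {}
    for ip, evs in by_source.items():
        evs.sort()
        start = evs[0][0]
        fails = defaultdict(int)  # account -> failed attempts from this source
        hits = set()              # accounts that succeeded after a failure
        for ts, account, outcome in evs:
            if ts - start > window:
                break
            if outcome == "fail":
                fails[account] += 1
            elif account in fails:
                hits.add(account)
        if len(fails) >= min_accounts and max(fails.values()) <= max_per_account:
            findings[ip] = {"accounts": len(fails),
                            "possible_compromises": sorted(hits)}
    return findings


if __name__ == "__main__":
    for ip, info in detect_spray(SAMPLE_EVENTS).items():
        print(f"{ip}: spray over {info['accounts']} accounts, "
              f"successes after failures: {info['possible_compromises']}")
```

A success that follows a failure from a flagged source is the account to treat as compromised and push into recovery, not just the source to block.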
We Hate (Bad) Rulez.
• BAD GUIDANCE
  • Complexity Rules: Upper, lower, number and special? Password123!
  • Add expiration Rules: Monthly? Sep2017! Quarterly? Fall2017!
• GOOD GUIDANCE
  • http://aka.ms/passwordguidance
  • Minimum Length Requirements (to defeat brute force hash attacks)
  • Don’t use commonly attacked passwords
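The good guidance above as a working check, added here and not taken from the deck: a minimum length and a ban list instead of complexity rules, using the 25 passwords from the spray slide as the ban list. MIN_LENGTH = 12 and the month/season-plus-year pattern are my assumptions; the normalisation step is what makes Password123! fail even though it satisfies every complexity rule.

```python
import re

# The 25 commonly attacked passwords listed on the password-spray slide.
COMMON_PASSWORDS = {
    "123456", "123456789", "qwerty", "111111", "12345678", "123123",
    "password", "1234567", "12345", "1234567890", "abc123", "123",
    "123321", "password1", "qwertyuiop", "666666", "a123456", "1234",
    "654321", "5201314", "123456a", "iloveyou", "11111111", "159753",
    "123123123",
}
MIN_LENGTH = 12  # assumed value; the slide asks for a minimum but gives no number
# Month or season followed by a year: the pattern that expiry rules produce.
DATE_PATTERN = re.compile(
    r"(jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec|"
    r"spring|summer|fall|autumn|winter)[a-z]*\d{2,4}[^a-z0-9]*")


def normalize(password):
    """Lower-case and strip the digits/symbols bolted on to satisfy complexity
    rules, so "Password123!" is compared as "password"."""
    lowered = password.lower()
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered) or lowered


def check_password(password):
    """Return the reasons a password is rejected; an empty list means accepted.
    Deliberately no upper/lower/digit/symbol rule: length and a ban list only."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS or normalize(password) in COMMON_PASSWORDS:
        reasons.append("commonly attacked password")
    if DATE_PATTERN.fullmatch(password.lower()):
        reasons.append("month or season plus year")
    return reasons


if __name__ == "__main__":
    for pw in ("Password123!", "Sep2017!", "correct horse battery staple"):
        verdict = check_password(pw)
        print(f"{pw!r}: {'accepted' if not verdict else ', '.join(verdict)}")
```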
If your customers see value, so will attackers.
Old time bank robbers
How to get account? (flowchart)
• Make It: Create a Sign Up Script
• Steal It: Phish, Password Spray, Breach Replay
Payment Instrument?
• Yes: Buy Stuff
• Not Yet: Add stolen payment instrument
Support value transfer?
• Yes: Transfer Value $$$
• No
If your customers find value – so will criminals
• Direct asset extraction
  • online shopping
  • wire transfer
• Indirect asset extraction
  • credit instrument fraud
  • points/discount/rewards
• Service abuse
  • Storage, compute, messages to traffic illicit content
• Audience exploitation
  • SPIM, SPAM, product placement, traffic boosting
Identifying Threats
1. Protect against fraudulent sign ups
2. Protect against account takeover
3. Protect sensitive operations
(The "How to get account?" flowchart from the previous slide is repeated here with its nodes annotated 1, 2, 3, 3, 3 to show which of the three protections applies at each step.)
“Screened” Account Signups (GOOD / BAD / UNKNOWN)
Signups are labeled for training using high precision automatic detections.
• MSA and Microsoft internal partners submit verdicts based on account behavior.
• Accounts are labeled as good, bad or unknown.
• Manual analysis is used to constantly track accuracy of labels.
• Abandoned challenged signups are considered bad.
<4% of daily signup requests are valid
Model, measure, and improve.
Measurements
LABEL QUALITY
• All accounts are labeled as good, bad or unknown.
• Concentrate on quality of offline detections
• Use manual analysis of accounts.
• Remove errors from labels
MODEL QUALITY
• Evaluate model before deployment
• Compute precision, recall, FPR.
• Model acceptance criteria.
MEASURE PERFORMANCE
• Measure model performance in production.
• Track account creation volume, challenge volume, challenge abandonment rate…
• Measure precision, recall based on labeled accounts after creation.
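The model-quality step above carried through as an added example (not the MSA team's code): precision, recall and FPR computed from good/bad/unknown labels with the unknowns excluded, and an acceptance gate applied before deployment. The sample labels, the model's verdicts and the threshold values are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class Metrics:
    precision: float
    recall: float
    fpr: float      # false positive rate: good accounts wrongly flagged
    scored: int     # labeled accounts used (unknowns excluded)


def score(labels, flagged):
    """labels: {account: "good" | "bad" | "unknown"} from MSA and partner
    verdicts; flagged: set of accounts the model calls bad.
    "unknown" accounts carry no ground truth and are left out."""
    tp = fp = fn = tn = 0
    for account, label in labels.items():
        if label == "unknown":
            continue
        hit = account in flagged
        if label == "bad":
            tp, fn = tp + hit, fn + (not hit)
        else:
            fp, tn = fp + hit, tn + (not hit)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    fpr = fp / (fp + tn) if fp + tn else 0.0
    return Metrics(precision, recall, fpr, tp + fp + fn + tn)


def accept(m, min_precision=0.95, min_recall=0.80, max_fpr=0.01):
    """Acceptance gate before deployment. Thresholds are assumed; the slide
    names the criteria but not the numbers."""
    return m.precision >= min_precision and m.recall >= min_recall and m.fpr <= max_fpr


# Constructed sample: 5 bad, 5 good and 1 unknown signup, plus a model's verdicts.
SAMPLE_LABELS = {f"acct{i}": ("bad" if i < 5 else "good") for i in range(10)}
SAMPLE_LABELS["acct10"] = "unknown"
SAMPLE_FLAGGED = {"acct0", "acct1", "acct2", "acct3", "acct7", "acct10"}

if __name__ == "__main__":
    m = score(SAMPLE_LABELS, SAMPLE_FLAGGED)
    print(m, "accepted" if accept(m) else "rejected")
```

Running the same `score` over accounts labeled after creation gives the production numbers the MEASURE PERFORMANCE step asks for.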
Layers of Protection
PREVENTION: Heuristics; Machine Learning
DETECTION: Offline Analysis; 1st & 3rd Party Intelligence; Credentials in the wild
MITIGATION: Challenges; Lockdowns
RECOVERY: Compromise Recovery; Password Reset; Lost Security Info
Maintain Altitude
Customers that have verified recovery options
• Password reset success jumped
• User retention rate improves
• Compromise recovery improves
• Allows more aggressive security posture
• Overall healthier user base!
Invest in Automation
(Diagram of the learning loop, labels as shown: Learner; Credentials → MSA; Analysis; Classifier → Seems Good / Seems Bad; inputs: Self-reporting, Threat data, Relying parties, Behavior; Schroedinger's User (?); Label Data → We were right! / We were wrong!; Analyze → Update → Deploy; 20+ TB Logs.)
APSA Overview
TRAINING: Signup and Challenge Telemetry; MSA + Partner Labels
EVALUATE: Pass → Provision Account; Fail → CHALLENGE
CHALLENGE: Pass → Provision Account; Fail
Helpdesk: The trouble is in the title
MSA Account Recovery Funnel (5.34M)
(Chart labels as shown: Auto Approve; Self Help Options 87.85%; Auto Reject 9.97%; .86%; 89.66%)