As many of our Healthcare customers start using cloud services like Office 365, protecting the user’s identity has become increasingly important. Identities have become the best way for an attacker to breach an organization. All an adversary needs to do is compromise one user’s identity; from there they can move laterally inside the network, or simply use email to gather more information about the organization. In fact, according to the “Verizon Data Breach Investigations Report 2018”, 81% of data breaches involved weak, default or stolen passwords.
The above infographic shows the scope of the problem. All the attacks above have something in common: a stolen identity. What is more concerning is that some of these identities are user accounts that have admin access to the cloud service. Healthcare organizations know that their data is valuable, and bad actors are using stolen administrative identities to get health information. That can result in an incredible amount of damage, because an attacker holding admin rights can cover their tracks a lot faster and exfiltrate the health data.
So, how can you protect your organization from these attacks?
First, require multifactor authentication for your users based on various conditions. We build these controls into Azure Active Directory Conditional Access. More importantly, you can trigger these controls based on the risk of the login session. This reduces “MFA fatigue”, as users are only prompted when they do something outside their normal behavior, such as using a different device than they normally do or signing in from an unusual location. It also considers risk factors such as the user signing in from a Tor browser. If the service detects risk, the user is prompted for the second factor and can then log in as they usually would. In addition, if the user’s credentials are stolen and available for sale on the dark web, our intelligence can force a password reset for the user during the authentication process. This automated response reduces the risk from the breached identity and allows the user to continue with their work, while alerting IT to the incident so they can research the source of the breach.
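To make the two risk-based responses concrete, here is an added example (not Microsoft’s code or the page’s own) that writes both policies in the JSON shape the Microsoft Graph `/identity/conditionalAccess/policies` endpoint accepts and evaluates a few constructed sign-ins against them locally. The evaluator is a simplified illustration of Conditional Access semantics (it ignores exclusions, device and location conditions) and the sign-in records are constructed sample data.

```python
from typing import Dict, List, Set

# Policy 1: step up to MFA only when the sign-in itself looks risky
# (unfamiliar device or location, anonymizing network such as Tor).
# Use state "enabledForReportingButNotEnforced" to pilot in report-only mode first.
SIGNIN_RISK_MFA: Dict = {
    "displayName": "Require MFA for medium/high sign-in risk",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"]},
        "applications": {"includeApplications": ["All"]},
        "signInRiskLevels": ["medium", "high"],
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}

# Policy 2: when the identity itself is flagged as compromised (e.g. leaked
# credentials), require MFA AND a password change before the session continues.
USER_RISK_PASSWORD_RESET: Dict = {
    "displayName": "Force secure password reset for high user risk",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"]},
        "applications": {"includeApplications": ["All"]},
        "userRiskLevels": ["high"],
    },
    "grantControls": {"operator": "AND", "builtInControls": ["mfa", "passwordChange"]},
}


def required_controls(policies: List[Dict], sign_in: Dict) -> Set[str]:
    """Return the union of grant controls demanded by every applicable enabled policy.

    sign_in is a constructed record: {"user": ..., "signInRisk": ..., "userRisk": ...}.
    A missing risk key is treated as "none". Within one policy all conditions are ANDed,
    as in Conditional Access; across policies the required controls accumulate.
    """
    controls: Set[str] = set()
    for policy in policies:
        if policy["state"] != "enabled":
            continue  # report-only or disabled policies never block a sign-in
        cond = policy["conditions"]
        users = cond["users"]["includeUsers"]
        if "All" not in users and sign_in["user"] not in users:
            continue
        sign_in_levels = cond.get("signInRiskLevels")
        if sign_in_levels and sign_in.get("signInRisk", "none") not in sign_in_levels:
            continue
        user_levels = cond.get("userRiskLevels")
        if user_levels and sign_in.get("userRisk", "none") not in user_levels:
            continue
        controls.update(policy["grantControls"]["builtInControls"])
    return controls
```

A normal sign-in returns no controls, a medium-risk sign-in returns only `mfa`, and a high user risk returns both `mfa` and `passwordChange`, matching the behavior described above.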
Second, ensure that users who need administrative rights to the service only hold those rights when necessary. This “Just in Time” access can be delivered via Azure Active Directory Privileged Identity Management (PIM). Users requesting access must check out those rights and are verified with an Azure Multifactor Authentication challenge. This second-factor challenge is in addition to any challenge that was required to log into the service through the Azure Active Directory Conditional Access rule I discussed earlier. The administrative rights are granted only for a set period of time and are then removed. Since users do not have these privileges assigned to their identity at all times, the risk of a privileged account breach is greatly reduced.
Third, review access regularly. While reviewing logs is important, we developed Azure Active Directory Access Reviews to automate that process. Access Reviews gives your organization insight into which resources are being accessed by your employees, guests and business partners. You can audit users’ access to applications and configure automated notifications asking people to review their own access and their guests’ access. This further reduces your exposure, as you can remove access when people no longer need it. Access reviews can also assist with HIPAA compliance, as access reports are part of the audit process.
Finally, use analytics to review user behavior across both on-premises and cloud resources. Azure Advanced Threat Protection (ATP) is a cloud-based security solution that helps you identify, detect and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization. Using machine learning, Azure ATP can identify suspicious behavior and enable your security operations team to investigate issues before they become a major incident.
The plans I laid out above will give your organization a good start at reducing the risk around compromised accounts. Health data is a prime target for hackers to sell and to use in crimes that target insurance reimbursements. In the end, all the tools in the world can’t stop the weakest link in any organization: human error. People will always make a mistake and click on a malicious link or open a malicious attachment in their personal email on their work computer. Educating your users is critical, but automated intelligence will enable your organization to respond quickly before a breach shuts down operations.