First published to the Microsoft 365 Blog on June 27, 2018
If you are like me, you are pretty amazed at the number of systems and services available today that claim to help you improve your enterprise security. And you are also a bit chagrined by how few sources there are with helpful information on what will actually make you more secure.
In our blog post today, the third in our hybrid blog series, we’re doing our best to help fix that. This post is guest authored by Alex Weinert who leads our Identity Security and Protection team. Alex & his team are a pretty elite group – on an average day they detect and stop 100M+ attacks on our identity systems. And a lot of the time that’s just what they do before lunch.
So Alex has a lot of data and a pretty unique view into what really works when it comes to securing your digital identities.
I hope you’ll find his blog useful! As always, we’d love to hear any feedback or suggestions you have.
I’m Alex Weinert and I get to work on the amazing team responsible for protecting four billion consumer and enterprise accounts from unauthorized access and fraud. Each day, our machine learning and heuristic systems provide risk scores for 18 billion login attempts for over 800 million distinct accounts, 300 million of which are discernibly done by adversaries (i.e., criminal actors, hackers).
Phishing: This is hard to quantify exactly, but we saw 23M risk events in March 2018, many of which were phishing related.
The volume of these threats is rising significantly, and new threats are emerging around IoT (Internet of Things), privacy, and consent. While we fight the good fight to ward off threats in your cloud infrastructure, we also want to recommend steps you can take to protect your hybrid infrastructure right away. But before anything else, ensure all your privileged Azure AD roles are protected with multi-factor authentication. Microsoft recently released a baseline protection policy that provides a one-click experience for protecting privileged Azure AD roles.
Now, let’s get started with the five steps to securing your “hybrid” identity infrastructure!
Step 1: Strengthen your credentials
The top three identity attacks all target passwords. It’s critical to back up passwords with a second factor (multi-factor authentication) or to rely on intrinsically secure credentials (like Windows Hello).
Move away from traditional password policies and adopt the NIST guidance for passwords. Turn off complexity and expiry rules and implement an on-premises banned password filter instead. Read more about password guidance.
Enable password hash synchronization so that Azure AD can detect leaked credentials for your users and so that you have a fallback authentication path if your on-premises federation infrastructure is unavailable (disaster recovery)
Implement Active Directory Federation Services (ADFS) extranet lockout so that password guessing from the internet is stopped at the federation endpoint instead of locking the user’s Active Directory account
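To make the Step 1 guidance concrete, here is an added illustration of what a NIST-style check backed by a banned password filter looks like. It is not code from the blog post and it is not the algorithm Azure AD Password Protection itself uses: length bounds replace complexity classes, normalization keeps leetspeak and case changes from evading the list, close variants and substrings of banned words are caught, and a password built mostly from banned words is rejected even if it is long. The banned list, the substitution table and the thresholds are constructed for the example.

```python
"""NIST SP 800-63B style password check backed by a banned password filter.

Added illustration, not the blog post's code and not Azure AD Password
Protection's real algorithm. BANNED, SUBSTITUTIONS and the thresholds are
constructed for the example; a real filter uses a list of thousands of terms.
"""
import unicodedata

MIN_LENGTH = 8      # NIST 800-63B: at least 8 characters for user-chosen secrets
MAX_LENGTH = 64     # ...and permit at least 64, so passphrases work
MIN_SCORE = 5       # characters that must remain once each banned word collapses to one

# Constructed sample banned list: common passwords plus organisation-specific terms.
BANNED = ["password", "contoso", "welcome", "summer", "qwerty", "letmein", "seattle"]

# Substitutions users apply to satisfy complexity rules without changing the word.
SUBSTITUTIONS = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "l", "!": "i",
                               "$": "s", "5": "s", "3": "e"})


def normalize(password):
    """Fold Unicode compatibility forms and case, then undo leetspeak substitutions."""
    return unicodedata.normalize("NFKC", password).lower().translate(SUBSTITUTIONS)


def within_one_edit(a, b):
    """True if a and b differ by at most one insertion, deletion or substitution."""
    if abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i += 1
            j += 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) > len(b):
            i += 1          # a has an extra character
        elif len(b) > len(a):
            j += 1          # a is missing a character
        else:
            i += 1          # substitution
            j += 1
    return edits + (len(a) - i) + (len(b) - j) <= 1


def score(normalized):
    """Collapse each banned word found in the password to a single placeholder,
    longest words first, then count what is left: 'contosoli' -> '*li' -> 3."""
    remaining = normalized
    for token in sorted(BANNED, key=len, reverse=True):
        while token in remaining:
            remaining = remaining.replace(token, "*", 1)
    return len(remaining)


def check_password(password):
    """Return (accepted, reason). No complexity classes and no expiry: length and
    closeness to banned words are what decide."""
    if len(password) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    if len(password) > MAX_LENGTH:
        return False, f"longer than {MAX_LENGTH} characters"
    normalized = normalize(password)
    for token in BANNED:
        if within_one_edit(normalized, token):
            return False, f"is a variant of banned word '{token}'"
    s = score(normalized)
    if s < MIN_SCORE:
        return False, f"built from banned words (score {s} < {MIN_SCORE})"
    return True, "accepted"


if __name__ == "__main__":
    for pw in ["P@ssw0rd!", "Contoso1!", "SummerWelcome1", "correct horse battery staple"]:
        print(f"{pw!r}: {check_password(pw)}")
```

Note that "P@ssw0rd!" satisfies every classic complexity rule (upper, lower, digit, symbol) and is still rejected, because after normalization it is one edit away from "password", while a plain lower-case passphrase with spaces is accepted.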
Step 2: Reduce your attack surface area
Block legacy authentication flows (POP, IMAP, SMTP, Exchange ActiveSync and older Office clients), which cannot perform MFA and are the entry point password spray attacks rely on
Block invalid authentication entry points, for example by restricting access by country/region, time of day, or application
Use Azure AD Privileged Identity Management for just-in-time admin access
Use Azure Advanced Threat Protection to detect advanced targeted cyber-attacks and insider threats in your on-premises Active Directory
Step 3: Automate threat response
Implement a user risk policy to remediate compromised accounts in real time, for example by forcing a password change
Implement a sign-in risk policy to block or challenge suspicious sign-ins in real time, for example by requiring MFA
Step 4: Increase your awareness of auditing and monitoring
Monitor Azure AD Connect Health for insights into potential issues and for visibility into attacks on your ADFS infrastructure
Monitor Azure AD Identity Protection
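The Step 2 advice to block legacy authentication and the Step 4 advice to monitor belong together: a password spray shows up in the sign-in logs as many different accounts failing once or twice each from one source within a short window, very often over protocols that cannot perform MFA. As an added example (not code from the blog post or from Microsoft), here is that detection run over a handful of constructed records shaped like Azure AD sign-in log entries. The field names follow the sign-in log schema and the error codes are Azure AD's (50126 invalid username or password, 50076 password accepted but MFA required, 0 success); the thresholds and the list of legacy client apps are illustrative assumptions.

```python
"""Password spray detection over Azure AD sign-in log records.

Added example, not the blog post's code or Microsoft's. SAMPLE_LOG is
constructed to mimic the sign-in log schema (createdDateTime,
userPrincipalName, ipAddress, clientAppUsed, status.errorCode); the
thresholds and LEGACY_CLIENTS are illustrative assumptions.
"""
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# clientAppUsed values that cannot perform MFA (legacy authentication).
LEGACY_CLIENTS = {"Exchange ActiveSync", "IMAP4", "POP3", "SMTP", "Authenticated SMTP",
                  "MAPI Over HTTP", "Exchange Web Services", "Other clients"}
BAD_PASSWORD = 50126          # AADSTS50126: invalid username or password
SUCCESS_CODES = {0, 50076}    # 0 = signed in; 50076 = password accepted, MFA now required

WINDOW = timedelta(minutes=30)   # spray bursts are short...
MIN_DISTINCT_USERS = 5           # ...hit many accounts...
MAX_TRIES_PER_USER = 2           # ...but try few passwords per account, to stay under lockout

# Constructed sample: a sprayer (203.0.113.7) hits six users over legacy protocols and lands on
# frank's password; grace mistypes her own password; 192.0.2.33 is too small to flag.
SAMPLE_LOG = """\
{"createdDateTime":"2018-06-27T08:00:00Z","userPrincipalName":"alice@contoso.com","ipAddress":"203.0.113.7","clientAppUsed":"Exchange ActiveSync","status":{"errorCode":50126}}
{"createdDateTime":"2018-06-27T08:01:00Z","userPrincipalName":"bob@contoso.com","ipAddress":"203.0.113.7","clientAppUsed":"Exchange ActiveSync","status":{"errorCode":50126}}
{"createdDateTime":"2018-06-27T08:02:00Z","userPrincipalName":"carol@contoso.com","ipAddress":"203.0.113.7","clientAppUsed":"IMAP4","status":{"errorCode":50126}}
{"createdDateTime":"2018-06-27T08:03:00Z","userPrincipalName":"dave@contoso.com","ipAddress":"203.0.113.7","clientAppUsed":"Other clients","status":{"errorCode":50126}}
{"createdDateTime":"2018-06-27T08:04:00Z","userPrincipalName":"erin@contoso.com","ipAddress":"203.0.113.7","clientAppUsed":"Other clients","status":{"errorCode":50126}}
{"createdDateTime":"2018-06-27T08:05:00Z","userPrincipalName":"frank@contoso.com","ipAddress":"203.0.113.7","clientAppUsed":"Exchange ActiveSync","status":{"errorCode":50126}}
{"createdDateTime":"2018-06-27T08:07:00Z","userPrincipalName":"frank@contoso.com","ipAddress":"203.0.113.7","clientAppUsed":"Exchange ActiveSync","status":{"errorCode":0}}
{"createdDateTime":"2018-06-27T08:10:00Z","userPrincipalName":"grace@contoso.com","ipAddress":"198.51.100.20","clientAppUsed":"Browser","status":{"errorCode":50126}}
{"createdDateTime":"2018-06-27T08:11:00Z","userPrincipalName":"grace@contoso.com","ipAddress":"198.51.100.20","clientAppUsed":"Browser","status":{"errorCode":50126}}
{"createdDateTime":"2018-06-27T08:12:00Z","userPrincipalName":"grace@contoso.com","ipAddress":"198.51.100.20","clientAppUsed":"Browser","status":{"errorCode":50076}}
{"createdDateTime":"2018-06-27T08:15:00Z","userPrincipalName":"heidi@contoso.com","ipAddress":"192.0.2.33","clientAppUsed":"Browser","status":{"errorCode":50126}}
{"createdDateTime":"2018-06-27T08:16:00Z","userPrincipalName":"ivan@contoso.com","ipAddress":"192.0.2.33","clientAppUsed":"Browser","status":{"errorCode":50126}}
"""


def parse(text):
    """Parse JSON-lines sign-in records and turn createdDateTime into a datetime."""
    records = []
    for line in text.splitlines():
        if line.strip():
            r = json.loads(line)
            r["createdDateTime"] = datetime.fromisoformat(r["createdDateTime"].replace("Z", "+00:00"))
            records.append(r)
    return records


def looks_like_spray(fails):
    """True if some WINDOW-long span of one source's failures covers at least
    MIN_DISTINCT_USERS accounts with none tried more than MAX_TRIES_PER_USER times."""
    start = 0
    for end in range(len(fails)):
        while fails[end]["createdDateTime"] - fails[start]["createdDateTime"] > WINDOW:
            start += 1
        per_user = Counter(r["userPrincipalName"] for r in fails[start:end + 1])
        if len(per_user) >= MIN_DISTINCT_USERS and max(per_user.values()) <= MAX_TRIES_PER_USER:
            return True
    return False


def detect_spray(records):
    """Return {ipAddress: summary} for sources whose bad-password failures look like a spray."""
    fails_by_ip = defaultdict(list)
    for r in records:
        if r["status"]["errorCode"] == BAD_PASSWORD:
            fails_by_ip[r["ipAddress"]].append(r)
    findings = {}
    for ip, fails in fails_by_ip.items():
        fails.sort(key=lambda r: r["createdDateTime"])
        if looks_like_spray(fails):
            findings[ip] = {
                "users": sorted({r["userPrincipalName"] for r in fails}),
                "attempts": len(fails),
                # attempts over protocols that cannot enforce MFA: what blocking legacy auth removes
                "legacy_attempts": sum(r["clientAppUsed"] in LEGACY_CLIENTS for r in fails),
            }
    return findings


def compromised_candidates(records, spray_ips):
    """Accounts that authenticated successfully from a spraying source: the password was guessed."""
    return sorted({r["userPrincipalName"] for r in records
                   if r["ipAddress"] in spray_ips and r["status"]["errorCode"] in SUCCESS_CODES})


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    hits = detect_spray(recs)
    for ip, summary in hits.items():
        print(f"spray from {ip}: {summary}")
    print("reset password and re-register MFA for:", compromised_candidates(recs, set(hits)))
```

In the sample, every one of the sprayer's attempts arrives over Exchange ActiveSync, IMAP4 or "Other clients", and the one hit signs frank in with error code 0 rather than 50076, because a legacy client never reaches the MFA challenge; with legacy authentication blocked the same guesses would have been refused before reaching the password check. Grace's repeated failures from one account do not trip the detector, which is the difference between a user mistyping and a spray.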
Step 5: Enable end-user self-help
Enable end-users to manage their credentials and their access with self-service password reset and group management
Ensure the right users have the right access to the right resources over time by turning on Azure AD access reviews