Chances are you’ve heard the phrase “attackers don’t break in, they log in.” Identities have evolved to be the most targeted asset, because they enable cyber criminals to move and operate across environments to achieve their goals. In 2023, identity-based attacks reached a record-high with 30 billion attempted password attacks each month, as cyber-criminals capitalize on the smallest misconfigurations and gaps in your identity protection.  

As customers have applied MFA, device compliance, and other Zero Trust core principles to their identity environments, attackers have shifted to attacking the identity infrastructure itself. While it is critical to protect all identities – identifying, preventing, detecting and responding to attacks on the Identity admins, apps, and services that provide the foundation of your Zero Trust platform is more critical than ever. That’s why it’s critical for organizations to build a holistic approach to defend their identity estate across both – on-prem infrastructure and cloud identities – by making Identity Threat Detection and Response (ITDR) a cornerstone of their defense strategy. KuppingerCole defines ITDR as a class of security solutions designed to proactively detect, investigate, and respond to identity-related threats and vulnerabilities in an organization’s IT environment. 

Today we are thrilled to announce that Microsoft has been recognized as an overall leader in the KuppingerCole Leadership Compass Identity Threat Detection and Response: IAM Meets the SOC. The report calls out our strengths across key capabilities ranging from identity posture to remediation, while further highlighting Microsoft’s commitment to protecting all organizations. VP KuppingerCole US and Global Head of Research Strategy Mike Neuenschwander states that “Microsoft’s approach to ITDR is refreshingly open, including integration with other cloud identity platforms such as AWS, Google Cloud, and Okta.”.  

Figure 1: ITDR Leadership compass with Microsoft as a leader

Streamline your identity protection with ITDR and generative AI  

At Microsoft, we look at ITDR as a set of capabilities at the intersection of Identity and Access Management (IAM) and Extended Detection and Response (XDR). Designed to break down organizational silos and optimize collaboration and effectiveness of identity and SOC teams, we built a seamless integration between Microsoft Entra ID and Microsoft Defender XDR that empowers organizations to reinforce their security boundary with complete protection across their hybrid identity landscape.  Further, generative AI in the form of Microsoft Copilot for Security is embedded across all touchpoints, helping security and IT professionals respond to cyber threats, process signals, and assess risk exposure at the speed and scale of AI. 

As organizations begin to implement their ITDR strategies, they should consider 4 key areas: 

• Enforce secure, adaptive access: Adopting a comprehensive, defense-in-depth strategy that spans identities, endpoints, and networks is the starting point of any ITDR initiative. Implementing consistent identity and network access policies from a single unified engine across public and private networks is critical to protecting identities and securing access to resources. The Zero Trust Network Access model of Microsoft Entra Private Access enables secure connectivity to private resources from Windows, iOS, Mac, and Android operating systems and across any port and protocol, including SMB, RDP, FTP, SSH, SAP, printing, and all other TCP/UDP based protocols to significantly reduce the risk of potential breaches. Using advanced user and entity behavioral analytics (UEBA) in Microsoft Entra ID Protection, Conditional Access policies make real-time access decisions based on contextual factors such as user, device, location, network, and real-time risk information to control what a specific user can access and how and when they have access seamlessly across on-premises and cloud environments. Analyze risk signals in real time and automatically block access or prompt re-authentication, like MFA, to stop suspicious activity in real time and before a breach occurs.  
• Proactively protect your on-premises resources and harden your identity posture: Misconfigurations in identity infrastructure, permissions, or access controls are the Achillies’ heel of identity security. All it takes is one compromised user account, infected device, or an open port for an attacker to access and laterally move anywhere inside your network. These breaches-waiting-to-happen can have far-reaching consequences as Identities have become an integral part of almost every element of modern security practices. Microsoft provides detailed, identity-specific posture recommendations spanning on-premises Active Directory environments, Microsoft Entra ID deployments and even other common identity solutions all within the context of a broader security posture score. 
• Disrupt and remediate identity threats at machine speed: Automatic attack disruption is an out-of-the-box capability in Defender XDR that stops the progression and limits the impact of some of the most sophisticated attacks that involve identity compromise. Using the significant breadth of our signals, it not only disrupts ongoing attacks but accurately predicts the attacker’s next move and proactively blocks it with 99% confidence. Ransomware campaigns are now disrupted within an average of 3 minutes. Our powerful capabilities support identity-involved attacks like business email compromise, adversary-in-the-middle, and can even disrupt Ransomware campaigns within an average of 3 minutes. 
• Augment your security teams with generative AI: Microsoft Copilot for Security is the first generative AI security product to help protect organizations at machine speed and scale. Copilot for Security is an AI assistant for security teams that builds on the latest in large language models. Copilot is native within the existing Entra and Defender experiences, helping identity and SOC teams prioritize, understand and act upon identity risks and security incidents with step-by-step recommendations in seconds.  

As the sophistication and prevalence of identity-based attacks continue to grow, ITDR is becoming increasingly critical to modern cybersecurity and we are excited to see KuppingerCole highlight this in their latest report. Looking forward, we will continue to integrate our industry-leading solution and AI capabilities to help our customers future-proof their defenses and stay resilient against evolving cyberthreats in the workforce identity space. 

​​To learn more about Microsoft’s ITDR solution visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity. 

The post Microsoft named an overall leader in KuppingerCole Leadership Compass for ITDR appeared first on Microsoft Security Blog.

We’ve designed these policies based on our deep knowledge of the current cyberthreat landscape to help our customers strengthen their security baseline, and we’ll adapt them over time to keep the security bar high. These policies are part of a broader initiative to strengthen security, which includes key engineering advances.

This blog post explains why we decided to create these policies, how they work, how they differ from security defaults, and what Microsoft Entra customers can expect as we roll them out.

Microsoft Entra Conditional Access

Increase protection without compromising productivity.

Try for free

Buckle up, we’re going for a ride. I have a great security story to share—about multifactor authentication, seat belts, radical ideas, and the pit of success.

Ten years ago, in 2013, we had just started the identity security team and had a radical idea: We changed the policy in our Microsoft account ecosystem (the consumer identity system behind things like Outlook.com, Skype, Xbox, and OneDrive) to require multifactor authentication factors for every single account. Today, 100 percent of consumer Microsoft accounts older than 60 days have multifactor authentication—and it’s been this way for 10 years. We give accounts 60 days to meet this policy requirement, then we block sign-ins until the user adds a strong authentication factor.

This move caused a huge stir. Many of the teams within Microsoft that relied on consumer identity were convinced multifactor authentication would add too much friction. They feared users would hate it. Pundits predicted catastrophe, but by virtually all metrics, the multifactor authentication requirement was a smashing success. Because we could safely challenge suspicious sign-ins, Microsoft account hacking plummeted by more than 80 percent, and good user recovery increased from 57 percent to 81 percent when accounts were hacked.

Securing an email or phone number to use as a multifactor authentication factor raised costs for fraudsters enough that synthetic account creation plummeted by 99 percent. Before we enacted this policy, users who forgot their passwords recovered their accounts at a rate of only 16 percent. Under the new policy, unaided password recovery jumped to more than 90 percent. And the policy didn’t drive customers away. In fact, the multifactor authentication policy had such a positive effect on integrity, security, and recoverability that customer retention improved by more than 5 percent. Good security reduces friction.

When Microsoft account joined forces with the team responsible for Microsoft Entra ID (formerly Azure Active Directory) late in 2014, we sought to replicate the success of this consumer-focused program. But we found the going much harder in the commercial space because we weren’t in control of account policies—customers were. Not only did identity admins fear user friction the way we had, but they were also grappling with budget constraints and talent shortages, as well as security and technical backlogs (none of this has gotten easier!). If we wanted to help our enterprise customers adopt multifactor authentication, we’d need to do more.

We tried all kinds of promotional campaigns. We offered the same kind of risk-based multifactor authentication challenges we used to protect our consumer users in a commercial product, Microsoft Entra ID Protection (formerly Azure AD Identity Protection). Disappointingly, these efforts barely moved the needle. When Nitika Gupta (Principal Group Product Manager, Microsoft) and I presented monthly multifactor authentication usage rates at Microsoft Ignite in 2017, it was just 0.7 percent of monthly active users. And we calculated this metric with lenience, counting users who carry a multifactor authentication claim from any source—on-premises federation, third-party providers, or Microsoft Entra multifactor authentication.

To make progress, we needed another radical idea, so in 2018, we made multifactor authentication available at no additional cost for all customers at all license levels. Even trial accounts included multifactor authentication. Over the next year—now that price wasn’t a barrier—multifactor authentication adoption rates only increased to 1.8 percent. At this rate, unless something changed, we wouldn’t reach 100 percent adoption for another 50 years. It was time to get even more radical.

So, in 2019, we came up with “security defaults,” which provides on-by-default multifactor authentication, and applied it to all new tenants. More than 80 percent of new tenants leave security defaults turned on, protecting tens of millions of users. Combining this uptick with pandemic-driven changes in work increased our multifactor authentication utilization to more than 25 percent. We were getting somewhere.

Our next move, starting in 2022, was to extend security defaults to existing tenants, often simpler, smaller customers, who haven’t touched their security settings. We’ve approached this carefully to minimize customer disruption. We’re still rolling out the program, but it has already protected tens of millions more users. More than 94 percent of existing tenants we’ve rolled security defaults out to have kept them enabled.

In just the past year, we’ve turned on security defaults for almost seven million new and existing tenants. These tenants experience 80 percent fewer compromises than tenants without security defaults. Today, security defaults drive more than half of today’s multifactor authentication usage in Microsoft Entra ID, and we’ve driven overall multifactor authentication utilization up to just over 37 percent.

But our goal is 100 percent multifactor authentication. Given that formal studies show multifactor authentication reduces the risk of account takeover by over 99 percent, every user who authenticates should do so with modern strong authentication.¹ In a world where digital identity protects virtually every digital and physical assets and makes virtually all online experiences possible—and in a year when we’ve blocked more than 4,000 password attacks per second—we need to do more to drive multifactor authentication adoption. And so now, we’re kicking off the next radical idea.

Auto-rollout of Conditional Access policies

In the early 1960’s, if you wanted seat belts in your car, you could certainly have them. You just had to go to the store, buy some webbing and a buckle, figure out where to drill holes, and install the backing plates. Unsurprisingly, virtually no one did that. After 1965, when all manufacturers were required to install seat belts in all models, traffic injuries plummeted. And now, your car owes its safety rating in part to the annoying ding-ding-ding of the dashboard should you forget to buckle up. This approach—of making a secure posture easy to get into and hard to get out of—is sometimes called the “pit of success.”

Similarly, in the early days of cloud identity, if you wanted multifactor authentication for your accounts, you could certainly have it. You just had to pick a vendor, deploy the multifactor authentication service, configure it, and convince all your users to use it. Unsurprisingly, virtually no one did that. But when we applied the “pit of success” philosophy for consumer accounts in 2013 with multifactor authentication on by default, and for enterprise accounts in 2019 with security defaults, account compromise plummeted as multifactor authentication usage went up. And we’re incredibly excited about the next step in the journey: the automatic roll-out of Microsoft-managed Conditional Access policies.

Today, many customers use security defaults, but many others need more granular control than security defaults offer. Customers may not be in a position to disable legacy authentication for certain accounts (a requirement for security defaults), or they may need to make exceptions for certain automation cases. Conditional Access does a great job here, but often customers aren’t sure where to start. They’ve told us they want a clear policy recommendation that’s easy to deploy but still customizable to their specific needs. And that’s exactly what we’re providing with Microsoft-managed Conditional Access policies.

Microsoft-managed Conditional Access policies provide clear, self-deploying guidance. Customers can tune the policies (or disable them altogether), so even the largest, most sophisticated organizations can benefit from them. Over time, we’ll offer policies tailored to specific organizations, but we’re starting simple.

Because enabling multifactor authentication remains our top recommendation for improving your identity secure posture, our first three policies are multifactor authentication-related, as summarized in the table below:

Pay lots of attention to the first policy. It’s our strong recommendation—and a policy we’ll deploy your behalf—that multifactor authentication protect all user access to admin portals such as https://portal.azure.com, Microsoft 365 admin center, and Exchange admin center. Please note that while you can opt out of these policies, teams at Microsoft will increasingly require multifactor authentication for specific interactions, as they already do for certain Azure subscription management scenarios, Partner Center, and Microsoft Intune device enrollment.

You can view the policies and their impact using the new policy view user experience, which includes a policy summary, alerts, recommended actions, and a policy impact summary. You can also monitor them using sign-in and audit logs. You can customize the policies by excluding users, groups, or roles that you want to be exceptions, such as emergency and break glass accounts. If you require more extensive customizations, you can clone a policy and then make as many changes as you want.

We’ll begin a gradual rollout of these policies to all eligible tenants starting next week. We’ll notify you in advance, of course. Once the policies are visible in your tenant, you’ll have 90 days to review and customize (or disable) them before we turn them on. For those 90 days, the policies will be in report-only mode, which means Conditional Access will log the policy results without enforcing them.

The Conditional Access policies you need, based on the latest cyberthreat information

As with security defaults, we’ve carefully considered the managed policies we’re rolling out automatically. We want the experience to feel like consulting directly with Microsoft’s identity security team, as though we examined your environment and said, based on everything we’ve learned from securing thousands of customers, “These are the policies you need.”

What’s more, we’ll keep improving the policies over time. Our eventual goal is to combine machine learning-based policy insights and recommendations with automated policy rollout to strengthen your security posture on your behalf with the right controls. In other words, as the cyberthreat landscape evolves, we’d not only recommend policy changes based on the trillions of signals we process every day, but we’d also safely apply them for you ahead of bad actors.

Not only will the seat belts already be in your car, but we’ll also help you fasten them to keep everyone safer. That way, you can keep your eyes on the road ahead.

Learn more

Learn more about Microsoft Entra Conditional Access.

The auto-rollout of Conditional Access policies is just one initiative we’re taking to strengthen your security. Learn about engineering advances we’re making in a recent memo to all Microsoft engineers from Charlie Bell, Executive Vice President, Microsoft Security.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and  X (formerly known as “Twitter”) (@MSFTSecurity) for the latest news and updates on cybersecurity.

All statistics listed throughout this blog are based on Microsoft internal data.

¹How effective is multifactor authentication at deterring cyberattacks? Microsoft.

The post Automatic Conditional Access policies in Microsoft Entra streamline identity protection appeared first on Microsoft Security Blog.

As you might imagine, the more identities become integral to how we work, the more they become a target. With just a single compromised account, attackers can quickly bypass existing security protocols and move laterally to increasingly sensitive accounts or resources. Privilege misuse and credential compromise have been two of the most common and damaging attack vectors organizations face, but identity threats are becoming increasingly sophisticated. Cybercriminals have evolved from brute force and password spray tactics to targeting the underlying identity infrastructure in an effort to slip through even the smallest gaps in protection.

Beyond the complexity of these attacks is their sheer volume. It’s estimated that more than 80 percent of breaches can be attributed to identity-based attacks, and as more and more cybercrime groups join nation-state actors in executing these types of attacks, that number is only going to grow.² To counter these ever-growing identity threats, a new security category has emerged: identity threat detection and response (ITDR).

What is ITDR?

At Microsoft, we see ITDR as an integrated partnership between two historically separate, but critically important, disciplines: identity and access management (IAM) and extended detection and response (XDR).

IAM is a foundational element of any organization’s security strategy, providing a baseline for identity security and helping IT departments control what company resources users can and cannot access. By using IAM best practices such as strong authentication, Conditional Access, and identity governance, organizations can reduce their overall attack surface area while also providing the information and context needed to detect breaches.

XDR solutions are designed to deliver a holistic, simplified, and efficient approach to protect organizations against advanced attacks. These solutions correlate identity signals with telemetry from other domains like endpoints, cloud applications, and collaboration tools, giving security operations center (SOC) teams a more complete view of the cyberattack kill chain. With this enhanced visibility, they can more effectively investigate threats and provide automated remediation across multiple domains using vast sets of intelligence and built-in AI.

IAM and XDR each provide immense benefits to organizations, but when working together in concert, they provide a robust and comprehensive ITDR solution.

Whether you are just starting on your ITDR journey or are already well on your way, Microsoft can help. In this blog post, we’ll talk through the critical areas of ITDR and bring insights from our leadership in both identity and security.

Microsoft Identity Threat Detection and Response

See how identity and access management and extended detection and response work together to improve your security strategy.

Learn more

Prevent identity attacks before they happen with secure adaptive access

The best-case scenario in any attack is that the bad actors are stopped before they can breach your security. When working with customers, we recommend they implement granular Conditional Access policies as a powerful first step in thwarting cybercriminals and keeping their organization safe.

Multifactor authentication, for instance, has been shown to reduce the risk of compromise from identity attacks by 99.9 percent. This is one of the most important steps and organization can take. Attackers are constantly evolving their tactics, looking for the smallest crack they can exploit, whether that be a human or workload identity they can compromise or misconfigured policies and identity infrastructure that let them gain even more control. That’s why we recommend you also use Conditional Access policies to protect non-human identities, whether applications, services, or containers. It’s critical to create more secure access policies and manage the lifecycles of different workload identities to prevent an attack.  

IT and identity practitioners need to analyze relevant risk signals from across their unique landscape and enforce universal Conditional Access policies in real time. The deep integration of our IAM and XDR platforms helps organizations do just that. Leveraging insights from the more than 65 trillion signals daily across Microsoft’s ecosystem, our identity protection capabilities detect things like atypical travel, unfamiliar sign-in properties, and leaked credentials. These capabilities then assign each sign-in attempt a risk score, which in turn can trigger pre-defined remediation efforts or block access entirely until an administrator can review. 

Detect advanced attacks with threat-level intelligence.

A robust identity posture is the first step toward identity security, helping to thwart the majority of attacks. Effective breach detection and response completes the story. Ever-evolving attack strategies and the impact of human error from multifactor authentication fatigue or social engineering attacks mean we must always “assume breach.” A recent survey found that 76 percent of businesses expect a successful attack to be executed within the next 12 months, highlighting why it is imperative to detect a breach quickly and accurately.³ To do this, you need powerful detections both at the identity level and across the entire cyber kill chain.

Our customers benefit from robust identity detections out of the box, each prioritized by potential impact and augmented with additional signals and insights into the latest attack strategies. By ingesting signals from on-premises Active Directory, Microsoft Azure Active Directory, and other third-party identity providers as well as the underlying identity infrastructure, like Active Directory Federation Services and Active Directory Certificate Services, SOC teams gain a comprehensive view of their identity landscape, user activities, and risk.

We help you harness the power of our best-of-breed identity detections by integrating our identity security capabilities directly into our XDR platform so SOC teams can see identity alerts and data within the context of broader security incidents. By correlating identity data with signals from across other security domains, not only is each individual alert increasingly more accurate but analysts also gain unprecedented insight into the entirety of an attack and its progression. 

Learn more about how to empower your SOC team to spot even the most advanced identity attacks.

Respond and remediate attacks faster with automatic attack disruption

Detecting a breach and remediating an attack are two very different things. The final piece of a successful ITDR strategy is the ability to stop in-progress attacks and limit lateral movement. At Microsoft, we have infused AI and machine learning into our security capabilities to help empower the SOC with intelligent automation that can disrupt attacks at machine speed.  

Analysts can confidently automate workflows and remediation tactics thanks to the high level of accuracy our correlated incidents provide. This effectively shifts the response time from hours or days to minutes or seconds. When a breach occurs, every second matters, and costs can soar to 80 percent higher when security AI and automation aren’t fully deployed.⁴

Human efficiency is also critical, so we have designed our portals with the needs of each unique persona in mind while enabling a seamless flow of information and workflow processes. By prioritizing everything from alerts to configurations and posture management, users can focus better on what is most important to them.

Find out how to stop advanced attacks at machine speed.  

Get started today

As the sophistication and prevalence of identity-based attacks continue to grow, identity protection and ITDR are becoming increasingly critical to modern cybersecurity. Partner with a proven leader in both identity and security to streamline your identity protection and deploy a successful ITDR strategy.

Learn more about Microsoft’s Identity Threat Detection and Response solution.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.

¹2023 State of SaaSOps study, BetterCloud. 2023.

²Verizon Data Breach Investigation Report, Verizon. 2022.

³Cyber Risk Index (CRI), Trend Micro. 2023.

⁴Cost of a Data Breach Report, Ponemon Institute. 2021.

The post XDR meets IAM: Comprehensive identity threat detection and response with Microsoft appeared first on Microsoft Security Blog.

In 2022, Microsoft tracked 1,287 password attacks every second (more than 111 million per day).³ Phishing is an increasingly favored attack method, up 61 percent from 2021 to 2022.⁴ And our data for 2023 shows that this trend is continuing. Passwords should play no part in a future-looking credential strategy. That’s why you don’t need a password for Microsoft Accounts—hundreds of thousands of people have deleted their passwords completely.⁵

For stronger, streamlined security, Microsoft passwordless authentication can help your organization eliminate password vulnerabilities while providing simplified access across your entire enterprise. In honor of World Password Day, this blog will help you make the case to your organization that when it’s time to “verify explicitly” as part of a Zero Trust strategy, modern strong authentication using phishing-resistant passwordless credentials provide the best security and an excellent return on investment (ROI).

Go passwordless for simplicity, security, and savings

If you’ve read my blog on why no passwords are good passwords, you know my feelings on this subject. To quote myself: “Your password isn’t terrible. It’s definitely terrible, given the likelihood that it gets guessed, intercepted, phished, or reused.” As Microsoft Chief Information Security Officer Bret Arsenault likes to say, “Hackers don’t break in—they log in.”

Passwords alone are simply not sufficient protection. Old-fashioned multifactor authentication bolts a second factor onto a password to add a layer of protection, but the most popular of these—telephony—is also the most problematic (see my blog about hanging up on phone transports to understand why telephony is a poor option for multifactor authentication). Even with strong methods, like using Microsoft Authenticator to augment a password, you still have the vulnerability of the password itself. The best password is no password—and you can get there today with Windows Hello, security keys, or, my favorite, Microsoft Authenticator.

Figure 1. Identity protection methods are not made equal; certain protections are far more secure than others.

In 2022, Microsoft committed to the next step of making passwords a thing of the past by joining with the FIDO Alliance and other major platforms in supporting passkeys as a common passwordless sign-in method. Passkeys aim to not only replace passwords with something more cryptographically sound, but that’s also as easy and intuitive to use as a password. Passwordless technology, such as Windows Hello, that’s based on the Fast Identity Online (FIDO) standards, strengthens security by doing the verification on the device, rather than passing user credentials through an (often vulnerable) online connection. It also provides a simplified user experience, which can help boost productivity as well.

That was the goal when longtime Microsoft collaborator Accenture decided to simplify their user experience by removing the requirement for password authentication. With 738,000 employees spread across 49 countries, the company decided it was in its best interest to make their identity and access management (IAM) automated and easy. Accenture chose the Microsoft Authenticator app, Windows Hello for Business, and FIDO2 security keys as its passwordless authentication solutions. As described in their case study, the results are already being felt: “The adoption of passwordless has led to faster login times, more reliable experience, fewer failed authentications, and improved overall security posture.”⁶

Whether you’re part of a global organization like Accenture or a small startup, the authentication methods policy in Microsoft Azure Active Directory (Azure AD)—now part of Microsoft Entra—allows your IAM team to easily manage passwordless authentication for all users from a single pane of glass. Even better, a recent Forrester Consulting study found that a composite organization based on interviewed customers securing its business apps with Azure AD benefited from a three-year 240 percent ROI (a net present value of USD8.5 million over three years) while reducing the number of password reset requests to its help desk by a significant 75 percent annually.⁷

Multifactor authentication can’t do it all

A 2021 report by the Ponemon Institute found that phishing attacks were costing large United States-based companies an average of USD14.8 million annually.⁸ That’s way up from 2015’s figure of USD3.8 million. Microsoft alone blocked 70 billion email and identity attacks in 2022. But on the positive side, multifactor authentication has been shown to reduce the risk of compromise by 99.9 percent for identity attacks.⁹ That’s a pretty stellar statistic, but it’s not bulletproof; especially when considering that SMS is 40 percent less effective than stronger authentication methods.¹⁰ Attackers are always learning and improvising, as shown in the rise of multifactor authentication fatigue attacks. In this type of cyberattack:

1. The threat actor uses compromised credentials (often obtained through a phishing attack) to initiate an access attempt to a user’s account.
2. The attempt triggers a multifactor authentication push notification to the user’s device, such as “Did you just try to sign in? Yes or no.”
3. If the targeted person doesn’t accept, the attacker keeps at it—flooding the target with repeated prompts.
4. The victim becomes so overwhelmed or distracted, they finally click “yes.” Sometimes the attacker will also use social engineering, contacting the target through email, messaging, or phone pretending to be a member of the IT team.

One widely publicized multifactor authentication fatigue attack happened in September 2022, when an 18-year-old hacker used the compromised credentials of a contractor to gain access to a major rideshare company’s internal networks. Once inside, he was able to access tokens for the company’s cloud infrastructure and critical IAM service. Our research was ahead of this type of attack back in 2021 when we built multifactor authentication defenses into the Authenticator app, including number matching and additional context. To learn more, be sure to read my blog post: Defend your users from multifactor authentication fatigue attacks.

All identity protection rests on Zero Trust

Zero Trust is just another way of describing proactive security. Meaning, it’s the measures you should take before bad things happen, and it’s based on one simple principle: “Never trust; always verify.” In today’s decentralized, bring-your-own-device (BYOD), hybrid and remote workplace, Zero Trust provides a strong foundation for security based on three pillars:

• Verify explicitly: Authenticate every user based on all available data points—identity, location, device health, service or workload, data classification, and anomalies.
• Use least-privilege access: This means limiting access according to the user’s specific role and task. You should also apply risk-based policies and adaptive protection to help secure your data without hindering productivity.
• Assume breach: This allows your security team to minimize the blast radius and prevent lateral movement if a breach occurs. Maintaining end-to-end encryption and using analytics will also strengthen threat detection and improve your defenses.

And when it comes to “verify explicitly” as part of Zero Trust, no investment in the field of credentials is better than a passwordless journey; it literally moves the goalposts on the attackers.

May the Fourth be with you all!

Security year round

At Microsoft Security, we believe security is about people. Empowering users with strong, streamlined access from anywhere, anytime, on any device is part of that mission. Learn more about Microsoft passwordless authentication and how it can help your organization eliminate vulnerabilities while providing fast, safe access across your entire enterprise.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.

¹World Password Day, National Day Calendar.

²Most common passwords: latest 2023 statistics, Paulius Masiliauskas. April 20, 2023.

³Microsoft Entra: 5 identity priorities for 2023, Joy Chik. January 9, 2023.

⁴Over 255m phishing attacks in 2022 so far, Security Magazine. October 26, 2022.

⁵The passwordless future is here for your Microsoft account, Vasu Jakkal. September 15, 2021.

⁶A passwordless enterprise journey, Accenture.

⁷The Total Economic Impact™ of Microsoft Entra, a commissioned study conducted by Forrester Consulting. March 2023.

⁸New Ponemon Institute Study Reveals Average Phishing Costs Soar to $14.8M Annually, Nearly Quadrupling Since 2015, GlobeNewswire. August 17, 2021.

⁹17 Essential multi-factor authentication (mfa) statistics [2023], Jack Flynn. February 6, 2023.

¹⁰How effective is multifactor authentication at deterring cyberattacks? Lucas Meyer, et al. May 1, 2023.

The post How Microsoft can help you go passwordless this World Password Day appeared first on Microsoft Security Blog.

Zero Trust is a proactive, integrated approach to security across the digital estate that explicitly and continuously verifies every transaction, asserts least privilege access, and relies on intelligence, advanced detection, and real-time response in the face of threats.

Adopting an end-to-end Zero Trust security strategy, and implementing Zero Trust security pillars, promotes the most secure and optimized access for users in the modern hybrid workforce. Organizations need to adapt to stay competitive, and cybersecurity remains a top concern as work environments continue to shift toward hybrid and remote settings.

Enable a more productive hybrid or remote workplace

Hybrid work introduces significant challenges for security teams as employees spend more time outside the traditional network perimeter where visibility, control, and consistency are harder to enforce. This impacts security teams who work to secure sensitive data and devices.

Figure 1. Hybrid and remote workers can enable more productive, secure workflows in both global and local locations with a comprehensive Zero Trust strategy in place.

Embracing a Zero Trust security model provides your organization with the necessary tools and framework to more effectively secure hybrid work environments. Adopting an end-to-end Zero Trust strategy also comes with several other business benefits in this new world of work, including:

• Improved employee experience and productivity.
• Increased organizational agility and adaptability.
• Strengthened talent retention.

One of the first steps organizations must take to modernize and equip themselves with proper data security measures is to determine if they:

• Know the types of sensitive information they have and where it lives.
• Protect and prevent loss of sensitive data across environments.
• Have a method for managing insider risks to understand user intent.

Answering these questions can help organizations discern how well they match up to today’s evolving security risks and how they could improve their security posture by implementing a Zero Trust architecture.

A Zero Trust framework helps organizations strengthen their defenses, giving employees the flexibility to work from anywhere and use applications that live outside of traditional corporate network protections. Zero Trust makes securing data across multiple channels, such as emails, messages, shared storage, cloud apps, and devices much easier. And, with hybrid workforces, data security incidents can happen anytime, anywhere.

A simplified security architecture through Zero Trust improves business agility across many types of workplaces, including hybrid. Through efficient system management and user access, organizations can move quickly to pursue business opportunities and support remote work while assessing and managing risk. This is particularly important since collaborating across multiple environments and devices due to remote and hybrid work can result in severe data security incidents, especially if your organization does not have visibility into its data or if a user has malicious intent to exfiltrate the data or share sensitive information and make it visible. Instituting Zero Trust architecture also improves security posture and reduces the risk of data breaches, even for people, resources, and data outside the corporate network perimeter.

Figure 2. Teams must collaborate with each other to implement a comprehensive, cross-cloud Zero Trust framework into their security practices.

Innovate and rapidly modernize your organization’s security posture

Zero Trust is designed to modernize your security posture and ensure comprehensive security across all identities. A comprehensive Zero Trust approach also helps break down siloes between IT teams and systems, enabling better visibility and protection across your entire IT stack. Using tools like Microsoft Purview Compliance Manager, your security team can also measure the security posture of your assets against industry benchmarks and best practices. Analyzing productivity and security signals helps your team better evaluate your security culture, identifying areas for improvement or best practices for compliance.

Today’s security leaders must balance the challenges of hybrid or remote access, protecting sensitive data, and compliance requirements with the business need to collaborate, innovate, and grow. Rapidly modernizing your security posture by implementing a Zero Trust framework will not only help your organization to meet and exceed regulatory and compliance requirements, but it will also help enable your organization to protect against a fast-changing threat landscape. As your organization begins this journey, remember that teams must:

• Collaborate on how to address the most critical threats they face.
  • This involves continuous improvement and evaluation across the entire digital estate to increase visibility. Teams can automate tasks that slow down team efforts, such as implementing IT help desk support, which saves teams time and money to use for proactively addressing serious security problems.
• Simultaneously defend their organizations against attacks and other security threats.
  • As a part of defending against security attacks and threats, security teams should ask themselves how they protect data and identities, while also evaluating and managing endpoint device health. This can help teams evaluate attacks that may occur while determining insider risk alongside user behavior analysis.
• Strive for continuous security improvement.
  • Because of the ever-evolving threat landscape, security teams must also continuously improve and check in on their security status, including continuous monitoring for threats that otherwise would not or could not be detected proactively. Zero Trust allows teams to protect against bad actors and potential security threats automatically and proactively through multistep defense across identities and endpoints.
• Prioritize their need for end-to-end visibility.
  • Another component of defending against security attacks and threats is increasing the security team’s visibility throughout the entire digital estate. Organizations should adopt specific policies to ensure data and identities are protected and meet compliance requirements, as necessary, and set alerts for attacks to enable quick remediation.

Consider the Rapid Modernization Plan guidance Microsoft uses to implement Zero Trust, which allows teams to use a set of specified initiatives for successful and quick deployment. The process goes as follows:

1. Validate trust for all access requests from identities, endpoints, apps, and networks.
2. Prepare and enable ransomware recovery.
3. Protect on-premises and cloud data from malicious access.
4. Streamline threat response.
5. Unify visibility across all security pillars.
6. Reduce manual effort on security teams.

Adopting a Zero Trust model enables end-to-end visibility across the security estate. The automated response that the Zero Trust approach takes protects assets, remediates threats, and supports investigations, ultimately empowering security teams to respond more quickly to threats across all pillars.

Secure your organization’s digital estate through a comprehensive Zero Trust approach

Adopting an end-to-end Zero Trust strategy is a critical step that organizations can take to increase productivity in, innovate, and modernize their hybrid work environments. We look forward to diving into additional scenarios in our next Zero Trust blog.

To learn more about protecting your business:

• Get started with our Zero Trust assessment tool.
• 5 reasons to adopt a Zero Trust security strategy for your business.
• Securely work from anywhere.
• Safeguard your most critical assets.
• Meet regulatory and compliance requirements.
• Minimize the impact of internal or external bad actors.
• Rapidly modernize your security posture.

And, to dive deeper into Microsoft Security solutions, join us on April 13, 2023, for Microsoft Secure Technical Accelerator. During this event, you can engage with our product and engineering teams through a live Q&A during each session, learn best practices, build community with your security peers, and get prescriptive technical guidance that will help you and your organization implement our comprehensive security solutions. 

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.

The post Secure hybrid and remote workplaces with a Zero Trust approach appeared first on Microsoft Security Blog.

Attackers will innovate—our response in the defender community needs to be thoughtful and strategic. But we don’t need to panic. We can take as an example ransomware attacks. These are scary and grab headlines because of crippling work stoppages or huge ransoms. But recent studies by Expert Insights confirm what we’ve known for ages—more often than not, attacks like ransomware are the second stage, predicated by an identity compromise. In fact, if you read all the attention-grabbing headlines, you’ll find that most novel techniques rely on compromising identity first. This shows the importance of getting our identity basics right and keeping our eyes on the ball.

Pamela Dingle gave a keynote at Authenticate 2022 in which she discussed identity attacks in terms of waves (and has recapped on LinkedIn—if you haven’t read it, you should). She was kind enough to let me weigh in, and I’m going to borrow the paradigm to frame our guidance. Pam likened escalating identity attacks to threats in a voyage in her talk. These threats decrease in volume as they increase in sophistication and novelty: 

This is an awesome frame for thinking through the attacks, so we’ll use it here to complement her blog with concrete features and guidance. I am adding one more threat to her framework—the critical importance of posture agility that helps us deal with the next “rogue wave.” Hopefully, this framing will help you build out a strategic approach that addresses the critical issues you are facing now, help you invest thoughtfully for emerging threats, and set you up for defensive agility in the year ahead. Let’s dive in.

Password attacks

Simple password attacks are pervasive. They are the water we swim in. I detail these extensively in “Your Password Doesn’t Matter.” The dominant three attacks are:

• Password spray: Guessing common passwords against many accounts.
• Phishing: Convincing someone to type in their credentials at a fake website or in response to a text or email.
• Breach replay: Relying on pervasive password reuse to take passwords compromised on one site and try them against others.

These attacks are effectively free to execute on a massive scale. As a result, Microsoft deflects more than 1,000 password attacks per second in our systems, and more than 99.9 percent of accounts that are compromised don’t have multifactor authentication enabled. Multifactor authentication is one of the most basic defenses against identity attacks today, and despite relentlessly advocating multifactor authentication usage for the past six years, including it in every flavor of Microsoft Azure Active Directory (Azure AD), and innovating in mechanisms from Microsoft Authenticator to FIDO, only 28 percent of users last month had any multifactor authentication session. With such low coverage, attackers increase their attack rate to get what they want. The adoption rate is a demonstration of a critical issue I will return to in this blog—in most organizations, budgets and resources are tight, security staff is overwhelmed, and shiny object syndrome pulls us in many directions, preventing the closure of issues.

Driving more multifactor authentication usage is the most important thing we can do for the ecosystem, and if you aren’t yet requiring multifactor authentication for all users, enable it. Old-fashioned, bolt-on multifactor authentication was clunky, requiring copying codes from phone to computer and getting multiple prompts. Modern multifactor authentication using apps, tokens, or the device itself is very low friction or even invisible to the users. Old-fashioned multifactor authentication had to be bought and deployed separately and at additional cost. Modern multifactor authentication is included in all SKUs, deeply integrated into Azure AD, and requires no additional management.

Our strong position is that all user sessions should be multifactor authentication protected, and we are doing all we can to get there. This is why all new tenants created since 2019 have multifactor authentication enabled by default, and why we are now turning on multifactor authentication on behalf of tenants who have not demonstrated interest in their security settings.

Multifactor authentication attacks

If you have enabled multifactor authentication, you can pat yourself on the back and be happy that you’ve effectively deflected the dominant identity attacks. While still far less than the 100 percent we are striving for, the 28 percent of users who are now protected with multifactor authentication include some who are targets for attackers. To get to these targets, attackers have to attack multifactor authentication itself.

Examples here include:

• SIM-jacking and other telephony vulnerability attacks (why we’re asking you to hang up on telephony multifactor authentication).
• Multifactor authentication hammering or griefing attacks, which is why we’re asking you to move away from simple approvals.
• Adversary-in-the-middle attacks, which trick users into doing the multifactor authentication interaction. This is why phishing-resistant authentication is critical, especially for key assets.

Note these attacks require more effort and attacker investment, and as a result are detected in the tens of thousands per month—not thousands per second. But all the attacks mentioned are on the rise, and we expect to see that continue as basic multifactor authentication coverage increases.

To defeat these attacks, it is critical not just to use multifactor authentication, but to use the right multifactor authentication. We recommend Authenticator, Windows Hello, and FIDO. For organizations with existing personal identity verification card and common access card (PIV and CAC) infrastructure, certificate-based authentication (CBA) is a good phishing-resistant (and executive order-compliant) solution. Bonus: All of these methods are considerably easier to use than passwords or telephony-based multifactor authentication.

Post-authentication attacks

Determined attackers are using malware to steal tokens from devices—allowing a valid user to perform valid multifactor authentication on a valid machine, but then using credential stealers to take the cookies and tokens and use them elsewhere. This method is on the rise and has been used in recent high-profile attacks. Tokens can also be stolen if incorrectly logged or if intercepted by compromised routing infrastructure, but the most common mechanism by far is malware on a machine. If a user is running as admin on a machine, then they are just one click away from token theft. Core Zero Trust principles like running effective endpoint protection, managing devices, and, critically, using least privileged access (meaning, run as a user, not an admin, on your machines) are great defenses. Pay attention to signals that indicate that token theft is occurring, and require re-authentication for critical scenarios like machine enrollment.

Another bypass attack is OAuth consent phishing. This is where someone tricks an existing user into giving an application permission to access on their behalf. Attackers send a link asking for consent (“consent phishing”) and if the user falls for the attack, then the app can access the user’s data even when the user is not present. Like other attacks in this category, they are rare but increasing. We strongly recommend inspecting what apps your users are consenting to and limiting consent to applications from verified publishers.

Infrastructure compromise

As you get more effective at using identity to secure your organizations and build your Zero Trust policies, advanced attackers are attacking identity infrastructure itself—predominantly taking advantage of outdated, unpatched, or otherwise insecure on-premises network vulnerabilities to steal secrets, compromise federation servers, or otherwise subvert the infrastructure we rely on. This mechanism is insidious, because the attackers often take advantage of access to hide their tracks, and once the access control plane is lost, it can be incredibly difficult to effectively evict an actor.

We are working hard to strengthen hybrid and multicloud detections and build automated protection for specific indicators that attackers are moving against identity infrastructure. Critically, because of the incredible difficulty of protecting on-premises deployments from malware, lateral movement, and emerging threats, you should reduce your dependencies on on-premises infrastructure, shifting authority to the cloud where possible. You should specifically isolate your cloud infrastructure from your on-premises environment. Finally, it is critical to partner closely with your security operations center (SOC) to make sure that privileged identity administrators and on-premises servers win special scrutiny. And because today’s sophisticated adversaries will look for any gap in your security, securing user identities also means protecting non-human identities and the infrastructure that stores and manages identities as well.

The rogue wave: Attack velocity and intensity

Our team assists with hundreds of significant cases every year, and one of the most critical issues we see is the difficulty of keeping up with increasing volumes and intensity of attacks. Whether it is assisting customers who are running Windows Server 2008 Domain Controllers or the customers still struggling with multifactor authentication rollout, the rapid pace of attacker innovation is hard to meet for organizations with the tremendous budget, resources, hiring, and political pressure facing them—and that only addresses those organizations that think about security. Our consumer accounts (like those used to access Outlook.com or Xbox) are 50 times less likely to be hacked than enterprise accounts—because, for these consumer accounts, we can manage the multifactor authentication policy, risk mitigations, and other key security aspects. All these capabilities (and more) are available to organizations—but the cost of posture management proves too much for many customers.

Our team is committed not just to reducing costs associated with identity attacks, but to massively reducing the investments required to get and stay secure. This is the common thread that runs through our many investments—whether it is Conditional Access gap analysis, adapting Authenticator to address evolving multifactor authentication fatigue attacks, continuously evolving and expanding our threat detections, or our security defaults program, we are committed to protecting the users, organizations, and systems that depend on identity from unauthorized access and fraud—it is very clear that this must include helping organizations start secure (or get secure) and stay secure, to do more with less.

As you invest in identity security, we encourage you to invest in mechanisms that allow your organization to be agile—automating responses to common threats (for example, auto-blocking or requiring password change), using mechanisms like Authenticator that can evolve and adapt to new threats, shifting authority to the cloud (where detections and mitigations are agile), and being attentive to indications of risk derived from our machine learning systems.  

Fair winds and following seas in 2023

Whether you’re an admin at a major company or launching a startup from your garage, protecting user identities is crucial. Knowing who is accessing your resources and for what purpose provides a foundation of security upon which all else rests. For that reason, it’s imperative to do everything possible to strengthen your identity posture today. The challenges are significant, but defensive strategies and technology are there to help.

If I may be so bold as to propose some New Year’s resolutions for your identity security efforts:

1. Protect all your users with multifactor authentication, always, using Authenticator, Fast Identity Online (FIDO), Windows Hello, or CBA.
2. Apply Conditional Access rules to your applications to defend against application attacks.
3. Use mobile device management and endpoint protection policies—especially prohibiting running as admin on devices—to inhibit token theft attacks.
4. Limit on-premises exposure and integrate your SOC and identity efforts to ensure you are defending your identity infrastructure.
5. Bet hard on agility with a cloud-first approach, adaptable authentication, and deep commitments to automated responses to common problems to save your critical resources for true crises.

Each of these recommendations has value in and of itself, but taken together, they represent an approach to defense-in-depth. Defense-in-depth encourages us to assume that any single control might be overcome by an attacker, so we have multiple layers of defense. In the recommendations listed in this blog, a user with perfect authentication should never be compromised, but we layer in endpoint protection, SOC monitoring, automated responses, and posture agility assuming that no one control is adequate.

To learn more about how you can protect your organization, be sure to read Joy Chik’s blog, Microsoft Entra: 5 identity priorities for 2023. If you’re interested in a comprehensive security solution that includes identity and access management, extended detection and response, and security information and event management, visit the Microsoft Entra page, along with Microsoft Defender for Identity and Microsoft Sentinel, to learn how this family of multicloud identity and security products can protect your organization.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post 2023 identity security trends and solutions from Microsoft appeared first on Microsoft Security Blog.

In that spirit of discovery, we’re looking forward to joining the IAM community at the Gartner Identity & Access Management Summit, August 22 to 24, 2022, in Las Vegas, Nevada. We’ll be sharing some of Microsoft’s recent insights about strengthening lifecycle and permissions management, stopping attacks on identity infrastructure, and moving to a cloud-based identity platform. With the recently announced Microsoft Entra, identity threat detection and response (ITDR), and our security information and event management (SIEM) and extended detection and response (XDR) solutions, we’re committed to providing end-to-end protection for your organization. Be sure to visit Microsoft Booth #304 and connect with our frontline defenders.

Gartner IAM Summit—Microsoft sessions

We’re excited to meet with our customers, colleagues, and peers at the 2022 Gartner Identity & Access Management Summit. Microsoft will present three research-backed sessions led by senior product managers, including a special look at ITDR led by Alex Weinert, Director of Identity Security at Microsoft.

Title: Manage, Secure, and Govern Identities Across Multicloud Infrastructures
Speaker: Balaji Parimi, Partner General Manager
Date/Time: Monday, August 22, 2022 | 11:45 AM to 12:15 PM PT
Synopsis: Going multicloud makes you more agile and resilient. But it also creates more complexity and blind spots for your security and identity teams. It’s time to reimagine how we manage, secure, and govern identities, and enforce least-privileged access consistently across cloud platforms. In this session, we’ll explore how cloud infrastructure entitlement management (CIEM) can strengthen your Zero Trust security in a multicloud world.

Title: Beyond the Firewall: Upgrading from On-Premises to the Microsoft Cloud Identity
Speaker: Brjann Brekkan, Group Program Manager, Identity and Network Access
Date/Time: Monday, August 22, 2022 | 1:15 PM to 1:35 PM PT
Synopsis: Today’s new normal of “work from anywhere” and “on any device” has exposed the challenges of using on-premises authentication technologies and platforms as the control plane for enterprise applications and collaboration. You’re invited to join the Microsoft Identity product group for this interactive session. We’ll discuss the latest trends and platform capabilities to accelerate and simplify the journey of adopting a modern cloud-based identity platform.

Title: Identity Threat Prevention, Detection, and Response—Essential Defenses for a New Generation of Attacks
Speaker: Alex Weinert, Director of Identity Security
Date/Time: Tuesday, August 23, 2022 | 11:15 AM to 11:45 AM PT
Synopsis: Attacks against identity infrastructure are accelerating. Instead of trying to compromise individual accounts, today’s attackers seek to gain unrestricted access to multicloud environments and workloads wherever they’re deployed. For that reason, protecting accounts is not enough—organizations need robust protections for the identity infrastructure itself. In this session, we’ll share how Microsoft envisions the future of ITDR, including what an effective identity and security collaboration should look like to help your organization grow fearlessly.

Bridging the IAM and SOC divide

Even as we approach another IAM summit, many organizations are still shocked to learn the reality of how most identity breaches occur. According to the 2022 Verizon Data Breach Investigations Report, 65 percent of breaches are caused by credential misuse, while only 4 percent caused are by system vulnerabilities.¹ A full 82 percent of breaches involve the human element, including social engineering attacks, user errors, and data misuse.

As I will discuss in my Tuesday session, ITDR offers a way of reimagining the scope and collaboration between the SOC and identity admins that can help stop more of these credential-based attacks. IAM requires a lot of the same telemetry and inventory that SOC teams have, but the two groups rarely share tools. That’s because each team buys tools for different reasons. Operations and identity admins want stable, predictable operations and high uptime. Security analysts aren’t concerned with uptime; they care about identifying threats. In other words, IAM is mostly focused on letting only the good guys in, but it also needs an equal capability for keeping the bad guys out.

So, how do we reduce that staggering 65 percent of breaches that result from account-takeover attacks? And how do we know if and when the architecture itself is faulty? The solution lies in unifying more signals and more controls into a holistic solution. Microsoft is positioned to bridge the chasm between SOC and IAM because Microsoft Azure Active Directory (Azure AD) is already the foundation identity that so many organizations rely on. In addition, Microsoft Sentinel provides a cloud-native SIEM and SOAR solution with built-in user entity and behavior analytics (UEBA), while Microsoft Defender provides XDR capabilities for user environments, and Microsoft Defender for Cloud provides XDR for infrastructure and multicloud platforms.

Microsoft Entra: The way in is the way forward

Along with bridging the SOC and IAM relationship, Microsoft Entra is a vital component of Microsoft’s approach to ITDR. The products in the Entra family help provide secure access by providing IAM, CIEM, and identity verification in one solution.

Entra encompasses all of Microsoft’s existing IAM capabilities and integrates two new product categories: Microsoft Entra Permissions Management is a CIEM solution that empowers customers to discover, remediate, and monitor permission risks across all major public cloud platforms (such as Amazon Web Services, Azure, and Google Cloud Platform) from a unified interface. Microsoft Entra Verified ID provides a decentralized identity service based on open standards, safeguarding your organization by allowing admins to seamlessly customize and issue verifiable credentials in all your apps and services. 

Microsoft is working with our customers to reimagine IAM for our new decentralized workplace, and we’re committed to providing end-to-end protection for your organization with Microsoft Entra and SIEM and XDR. We look forward to meeting with you at Gartner Identity & Access Management Summit, August 22 to 24, 2022, in Las Vegas, Nevada. Be sure to stop and chat with us at Microsoft Booth #304.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

¹2022 Data Breach Investigations Report, Verizon. 2022.

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved. 

The post Connect with Microsoft Security experts at the 2022 Gartner Identity & Access Management Summit appeared first on Microsoft Security Blog.

In this environment, security transformation has become key to survival. The mandate to explicitly verify every access request, focus on least privilege access overall, and constantly assume breach to maintain vigilance was made clear, as exemplified by calls from governments and businesses worldwide to accelerate the adoption of Zero Trust strategies.

Sidebar: Zero Trust is a proactive, integrated approach to security across all layers of the digital estate that explicitly and continuously verifies every transaction, asserts least privilege, and relies on intelligence, advanced detection, and real-time response to threats.

The evolution of Zero Trust

Microsoft has embraced Zero Trust to defend our own estate and as a guiding principle for the development of our products. We have also helped thousands of our customers—including Siemens— deploy Zero Trust strategies, accelerate their digital transformation, and increase frequency of advanced attacks using our Zero Trust architecture.

Figure 1: Learnings across thousands of Zero Trust deployments have informed our Zero Trust architecture, which emphasizes the critical importance of integrating policy enforcement and automation, threat intelligence, and threat protection across security pillars.

Lessons learned and emerging trends

Today, we’re publishing the new whitepaper, Evolving Zero Trust, to share the key lessons we’ve learned by embracing Zero Trust at Microsoft and supporting thousands of organizations in their Zero Trust deployments. This informs our beliefs on Zero Trust implementations needed to evolve to adapt and keep organizations protected. We’re also sharing the evolution of our recommended Zero Trust architecture and maturity model that has been informed by these insights.

Highlights from the paper include:

• Lessons from the most successful organizations: The last couple of years have reinforced the importance of applying Zero Trust comprehensively across the digital estate. Organizations that were furthest along in their journeys were more resilient against sophisticated attacks, improved user experiences, and reduced implementation and management costs. We also saw that successful organizations doubled down on automation and a robust Zero Trust governance strategy—both of which can improve security posture and time to remediation while reducing the workload on scarce security personnel.
• Emerging industry trends: Zero Trust is a dynamic security model that continues to evolve to meet current threats and business realities. Going forward, we will see deeper integration of Zero Trust across pillars—leading to simplified policy automation, more advanced and intelligent threat detection, and more comprehensive attack mitigation. We also predict a wider adoption of the principles behind Zero Trust—verify explicitly, enforce least privilege access, and assume breach—to include the tools and processes used to develop applications, the hybrid and multi-cloud environments in which they run, as well as the application themselves.
• A more connected Zero Trust architecture: The learnings highlighted above led us to refine our Zero Trust architecture to more emphasize the critical importance of capturing telemetry from across the environment to inform policy decisions, provide better threat intelligence, measure the user experience, and more. The updated architecture showcases the importance of integrating policy enforcement and automation, threat intelligence, and threat protection across security pillars.

This document showcases the incredible evolution and acceleration in the adoption of Zero Trust security strategies. Just a few years ago, Zero Trust was merely a new buzzword for many organizations. Today, 76 percent of large organizations have adopted a Zero Trust approach. We hope that the lessons, trends, and positions we shared in this document are helpful in the planning and application of your own Zero Trust strategy.

The insights and actionable learnings in this document have been provided by a diverse group of customers, partners, and security-focused individuals working across applications, data, endpoint management, identity, infrastructure, networking, threat protection, and our own internal security organization. I’d like to thank our customers and partners for their expertise and insights, as well as my colleagues for their contributions to this whitepaper, architecture, and maturity model guidance.

Learn More

Get the complete  Zero Trust whitepaper for key insights, Zero Trust architecture, and a maturity model to help accelerate your adoption.

For a repository of technical resources to help accelerate the deployment and integration of Zero Trust across all security pillars, visit the Zero Trust Guidance Center.

Use the Zero Trust Assessment tool to evaluate your Zero Trust security posture, maturity, and receive practical recommendations to help reach key milestones.

Read the 2021 Microsoft Digital Defense Report (MDDR) for in-depth findings about Microsoft’s tracking of nation-state threat groups, specific threat actors, attack methods, and more.

To learn more about Zero Trust, visit Microsoft Security’s Zero Trust website.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

¹Microsoft Digital Defense Report shares new insights on nation-state attacks, John Lambert, Microsoft. 25 October 2021.

The post Evolving Zero Trust—Lessons learned and emerging trends appeared first on Microsoft Security Blog.

Companies operating with a Zero Trust mentality across their entire environment are more resilient, consistent, and responsive to new attacks—Solorigate is no different. As threats increase in sophistication, Zero Trust matters more than ever, but gaps in the application of the principles—such as unprotected devices, weak passwords, and gaps in multi-factor authentication (MFA) coverage can be exploited by actors.

Applying Zero Trust

Zero Trust in practical terms is a transition from implicit trust—assuming that everything inside a corporate network is safe—to the model that assumes breach and explicitly verifies the security status of identity, endpoint, network, and other resources based on all available signals and data. It relies on contextual real-time policy enforcement to achieve least privileged access and minimize risks. Automation and Machine Learning are used to enable rapid detection, prevention, and remediation of attacks using behavior analytics and large datasets.

Verify explicitly

To verify explicitly means we should examine all pertinent aspects of access requests instead of assuming trust based on a weak assurance like network location. Examine the identity, endpoint, network, and resource then apply threat intelligence and analytics to assess the context of each access request.

When we look at how attackers compromised identity environments with Solorigate, there were three major vectors: compromised user accounts, compromised vendor accounts, and compromised vendor software. In each of these cases, we can clearly see where the attacker exploited gaps in explicit verification.

• Where user accounts were compromised, known techniques like password spray, phishing, or malware were used to compromise user credentials and gave the attacker critical access to the customer network. On-premises identity systems are more vulnerable to these common attacks because they lack cloud-powered protections like password protection, recent advances in password spray detection, or enhanced AI for account compromise prevention.
• Again, in cases where the actor succeeded, highly privileged vendor accounts lacked protections such as MFA, IP range restrictions, device compliance, or access reviews. In other cases, user accounts designated for use with vendor software were configured without MFA or policy restrictions. Vendor accounts should be configured and managed with the same rigor as used for the accounts which belong to the organization.
• Even in the worst case of SAML token forgery, excessive user permissions and missing device and network policy restrictions allowed the attacks to progress. The first principle of Zero Trust is to verify explicitly—be sure you extend this verification to all access requests, even those from vendors and especially those from on-premises environments.

Cloud identity, like Azure Active Directory (Azure AD), is simpler and safer than federating with on-premises identity. Not only is it easier to maintain (fewer moving parts for attackers to exploit), your Zero Trust policy should be informed by cloud intelligence. Our ability to reason over more than eight trillion signals a day across the Microsoft estate coupled with advanced analytics allows for the detection of anomalies that are very subtle and only detectable in very large data sets. User history, organization history, threat intelligence, and real-time observations are an essential mechanism in a modern defense strategy. Enhance this signal with endpoint health and compliance, device compliance policies, app protection policies, session monitoring, and control, and resource sensitivity to get to a Zero Trust verification posture.

For customers that use federation services today, we continue to develop tools to simplify migration to Azure AD. Start by discovering the apps that you have and analyzing migration work using Azure AD Connect health and activity reports.

Least privileged access

Least privileged access helps ensure that permissions are only granted to meet specific business goals from the appropriate environment and on appropriate devices. This minimizes the attacker’s opportunities for lateral movement by granting access in the appropriate security context and after applying the correct controls—including strong authentication, session limitations, or human approvals and processes. The goal is to compartmentalize attacks by limiting how much any compromised resource (user, device, or network) can access others in the environment.

With Solorigate, the attackers took advantage of broad role assignments, permissions that exceeded role requirements, and in some cases abandoned accounts and applications which should have had no permissions at all. Conversely, customers with good least-privileged access policies such as using Privileged Access Workstations (PAW) devices were able to protect key resources even in the face of initial network access by the attackers.

Assume breach

Our final principle is to Assume Breach, building our processes and systems assuming that a breach has already happened or soon will. This means using redundant security mechanisms, collecting system telemetry, using it to detect anomalies, and wherever possible, connecting that insight to automation to allow you to prevent, respond and remediate in near-real-time.

Sophisticated analysis of anomalies in customer environments was key to detecting this complex attack. Customers that used rich cloud analytics and automation capabilities, such as those provided in Microsoft 365 Defender, were able to rapidly assess attacker behavior and begin their eviction and remediation procedures.

Importantly, organizations such as Microsoft who do not model “security through obscurity” but instead model as though the attacker is already observing them are able to have more confidence that mitigations are already in place because threat models assume attacker intrusions.

Summary and recommendations

It bears repeating that Solorigate is a truly significant and advanced attack. However ultimately, the attacker techniques observed in this incident can be significantly reduced in risk or mitigated by the application of known security best practices. For organizations—including Microsoft—thorough application of a Zero Trust security model provided meaningful protection against even this advanced attacker.

To apply the lessons from the Solorigate attack and the principles of Zero Trust that can help protect and defend, get started with these recommendations:

1. More than any other single step, enable MFA to reduce account compromise probability by more than 99.9 percent. This is so important, we made Azure AD MFA free for any Microsoft customer using a subscription of a commercial online service.
2. Configure for Zero Trust using our Zero Trust Deployment Guides.
3. Look at our Identity workbook for Solorigate.

Stay safe out there.

— Alex Weinert

For more information about Microsoft Zero Trust please visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Using Zero Trust principles to protect against sophisticated attacks like Solorigate appeared first on Microsoft Security Blog.