Defending Your CIAM from Current Threats
Alex Weinert, Group Program Manager
Microsoft Identity’s Security & Protection Team
@alex_t_weinert
If we could just get security out of the way . . .
Customers would love us!
But they aren’t all customers . . .
Or even humans . . .
Some aren’t feeling like themselves . . .
And success attracts attention.
Types of Badness
Compromise – dual ownership, bad actor has access to someone else's account
Abuse – account created to violate the Microsoft Terms of Use (TOU), e.g. a spammer's account
[Slide diagram: Azure Active Directory B2C connecting contoso's Apps, Analytics, CRM and Marketing Automation and Business systems with Customers who sign in with Social IDs and Business & Government IDs]
Azure Active Directory B2C
• Provide branded (white-label) registration and login experiences
• Securely authenticate your customers using their preferred identity provider
• Capture login, preference, and conversion data for customers
Microsoft Account (MSA) at a Glance
• ML protection systems process >20TB of data daily
• ~9B authentications
• ~7.5B MSA
• Automatically deflect 20M attacks per day
Replay Defenses
Password Spray (aka Brute Force, Hammering)
• Iterate through known account names with the most common passwords
• Probability of account compromise by password spray: 1%
Most common passwords:
1. 123456
2. 123456789
3. qwerty
4. 111111
5. 12345678
6. 123123
7. password
8. 1234567
9. 12345
10. 1234567890
11. abc123
12. 123
13. 123321
14. password1
15. qwertyuiop
16. 666666
17. a123456
18. 1234
19. 654321
20. 5201314
21. 123456a
22. iloveyou
23. 11111111
24. 159753
25. 123123123
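A spray is the inverse of brute force: one or two of the passwords above against every known account name, so no single account sees enough failures to trip a lockout. The detector has to aggregate by source instead. The following is an added example (not code from the deck); the log lines, IP addresses, window and thresholds are constructed for illustration.

```python
"""Password-spray detection over sign-in logs.

Added example, not code from the deck: a spray tries a handful of the
most common passwords against many account names, so each account sees
one or two failures and a per-account lockout never fires. The signal
is therefore aggregated per source: many distinct accounts failing from
one source inside a short window, with few failures per account. Log
lines, IPs and thresholds below are constructed for illustration.
"""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log: "<ISO timestamp> <source IP> <account> <FAIL|SUCCESS>".
_SPRAY_TARGETS = ["alice", "bob", "carol", "dave", "erin", "frank",
                  "grace", "heidi", "ivan", "judy", "mike", "niaj"]
SAMPLE_LOG = (
    # 203.0.113.7 sprays one guess per account, then hits frank's weak password
    [f"2017-09-01T10:00:{i + 1:02d}Z 203.0.113.7 {u}@contoso.com FAIL"
     for i, u in enumerate(_SPRAY_TARGETS)]
    + ["2017-09-01T10:00:13Z 203.0.113.7 frank@contoso.com SUCCESS"]
    # 198.51.100.5 is alice mistyping her password, then logging in: not a spray
    + [f"2017-09-01T10:05:{i:02d}Z 198.51.100.5 alice@contoso.com FAIL" for i in range(3)]
    + ["2017-09-01T10:05:03Z 198.51.100.5 alice@contoso.com SUCCESS"]
    # 192.0.2.9 hammers a single account: brute force, which per-account lockout handles
    + [f"2017-09-01T10:07:{i:02d}Z 192.0.2.9 bob@contoso.com FAIL" for i in range(15)]
)


def parse_line(line):
    ts, src, account, result = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, src, account.lower(), result


def detect_spray(lines, window=timedelta(minutes=10), min_accounts=10, max_per_account=2):
    """Return {source: {"accounts_targeted": [...], "suspect_logins": [...]}} for
    sources whose failures inside `window` span at least `min_accounts` distinct
    accounts with no more than `max_per_account` failures on any one of them."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e[0])
    recent = defaultdict(deque)      # source -> (time, account) failures still inside the window
    flagged = {}                     # source -> set of accounts seen in a spraying window
    for when, src, account, result in events:
        if result != "FAIL":
            continue
        q = recent[src]
        q.append((when, account))
        while q and when - q[0][0] > window:
            q.popleft()
        per_account = Counter(a for _, a in q)
        if len(per_account) >= min_accounts and max(per_account.values()) <= max_per_account:
            flagged.setdefault(src, set()).update(per_account)
    # Any successful sign-in from a spraying source is a likely compromise:
    # the spray's guess is the common password the victim actually uses.
    alerts = {}
    for src, accounts in flagged.items():
        successes = sorted({a for _, s, a, r in events if s == src and r == "SUCCESS"})
        alerts[src] = {"accounts_targeted": sorted(accounts), "suspect_logins": successes}
    return alerts


if __name__ == "__main__":
    for src, info in detect_spray(SAMPLE_LOG).items():
        print(f"{src}: {len(info['accounts_targeted'])} accounts sprayed, "
              f"suspect logins {info['suspect_logins']}")
```

On the constructed log only 203.0.113.7 is flagged: twelve accounts, one failure each, then one success on frank's account. The user who mistyped three times and the single-account brute force are left to per-account controls, which is the point of keeping the two detections separate.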
We Hate (Bad) Rulez.
• BAD GUIDANCE
  • Complexity rules: upper, lower, number and special? Password123!
  • Add expiration rules: monthly? Sep2017! Quarterly? Fall2017!
• GOOD GUIDANCE (http://aka.ms/passwordguidance)
  • Minimum length requirements (to defeat brute-force hash attacks)
  • Don't use commonly attacked passwords
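Complexity and expiration rules are satisfied by exactly the passwords the slide mocks, because users append a digit, a symbol or the current month to a banned word. The check below, an added example rather than code from the deck or from aka.ms/passwordguidance, applies the good guidance instead: a minimum length and a banned-list match that survives the usual substitutions. The minimum length, the leet map and the month/season pattern are assumptions chosen to catch the deck's own counterexamples.

```python
"""Password acceptance check built on the deck's good guidance: a minimum
length plus a ban on commonly attacked passwords, instead of complexity and
expiration rules. Added example, not code from the deck or from
aka.ms/passwordguidance. The banned list is the 25 passwords on the
previous slide; the minimum length, the leet map and the month/season
pattern are assumptions chosen to catch the deck's own counterexamples
(Password123!, Sep2017!, Fall2017!).
"""
import re

BANNED = {
    "123456", "123456789", "qwerty", "111111", "12345678", "123123", "password",
    "1234567", "12345", "1234567890", "abc123", "123", "123321", "password1",
    "qwertyuiop", "666666", "a123456", "1234", "654321", "5201314", "123456a",
    "iloveyou", "11111111", "159753", "123123123",
}
MIN_LENGTH = 8  # assumption: the deck asks for a minimum length but gives no number

# Undo the substitutions people make to satisfy complexity rules: p@ssw0rd -> password
_LEET = str.maketrans("@$013457", "asoieast")
_MONTHS = {"jan", "feb", "mar", "apr", "may", "jun", "jul", "aug", "sep", "oct", "nov", "dec",
           "january", "february", "march", "april", "june", "july", "august", "september",
           "october", "november", "december"}
_SEASONS = {"spring", "summer", "fall", "autumn", "winter"}
_YEAR_TAIL = re.compile(r"(19|20)?\d{2}[\W_]*$")


def meets_complexity_rules(pw):
    """The rule the deck calls bad guidance: upper, lower, digit and special."""
    return (any(c.isupper() for c in pw) and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw) and any(not c.isalnum() for c in pw))


def weak_reason(pw):
    """Return why `pw` is rejected, or None when it is acceptable."""
    if len(pw) < MIN_LENGTH:
        return "too short"
    lower = pw.lower()
    base = re.sub(r"[\d\W_]+$", "", lower)        # "password123!" -> "password", "sep2017!" -> "sep"
    forms = {lower, base, base.translate(_LEET)}   # "p@ssw0rd" -> "password"
    if forms & BANNED:
        return "commonly attacked password"
    if base in _MONTHS | _SEASONS and _YEAR_TAIL.search(lower):
        return "month or season plus year"
    return None


if __name__ == "__main__":
    for pw in ["Password123!", "Sep2017!", "Fall2017!", "P@ssw0rd", "correct horse battery staple"]:
        print(f"{pw!r:32} complexity={meets_complexity_rules(pw)} reject={weak_reason(pw)}")
```

Password123! passes every complexity rule and is still rejected, while a long passphrase with no uppercase, digit or symbol passes. In production the banned list would be a much larger set of breached and commonly sprayed passwords, not only the 25 shown here.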
If your customers see value, so will attackers.
[Slide image: old-time bank robbers]
[Slide flowchart: the attacker's path to value]
How to get an account?
• Make it: create a sign-up script
• Steal it: phish, password spray, breach replay
Payment instrument?
• Not yet: add a stolen payment instrument
• Yes: buy stuff
Support value transfer?
• Yes: transfer value $$$
• No
If your customers find value –so will criminals
• Direct asset extraction
  • online shopping
  • wire transfer
• Indirect asset extraction
  • credit instrument fraud
  • points/discount/rewards
• Service abuse
  • storage, compute, messages to traffic illicit content
• Audience exploitation
  • SPIM, SPAM, product placement, traffic boosting
Identifying Threats
1. Protect against fraudulent sign ups
2. Protect against account takeover
3. Protect sensitive operations
[Slide flowchart: the same attacker path, annotated with the three threat categories above]
How to get an account?
• (1) Make it: create a sign-up script
• (2) Steal it: phish, password spray, breach replay
Payment instrument?
• (3) Not yet: add a stolen payment instrument
• (3) Yes: buy stuff
Support value transfer?
• (3) Yes: transfer value $$$
• No
“Screened” Account Signups
[Slide diagram: signups sorted into GOOD, BAD and UNKNOWN]
Signups are labeled for training using high-precision automatic detections.
• MSA and Microsoft internal partners submit verdicts based on account behavior.
• Accounts are labeled as good, bad or unknown.
• Manual analysis is used to constantly track accuracy of labels.
• Abandoned challenged signups are considered bad.
<4% of daily signup requests are valid
Model, measure, and improve.
Measurements
LABEL QUALITY
• All accounts are labeled as good, bad or unknown.
• Concentrate on quality of offline detections.
• Use manual analysis of accounts.
• Remove errors from labels.
MODEL QUALITY
• Evaluate model before deployment.
• Compute precision, recall, FPR.
• Model acceptance criteria.
MEASURE PERFORMANCE
• Measure model performance in production.
• Track account creation volume, challenge volume, challenge abandonment rate…
• Measure precision, recall based on labeled accounts after creation.
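The labeling rules from the "Screened" Account Signups slide and the measurements above fit together as one evaluation loop. The code below is an added example, not the deck's code: it applies those rules (MSA/partner verdicts of good, bad or unknown; an abandoned challenge counts as bad; unknowns are excluded from precision and recall) to a constructed batch of sign-ups, computes precision, recall and FPR for the model's "bad" verdicts, gates deployment on acceptance criteria, and tracks the production funnel counters the slide lists. The sign-ups, scores and acceptance thresholds are assumptions.

```python
"""Label bookkeeping and model evaluation for screened sign-ups.

Added example, not code from the deck. It applies the labeling rules the
slides state (MSA/partner verdicts of good, bad or unknown; an abandoned
challenge counts as bad; unknowns stay out of precision and recall) to a
constructed batch of sign-ups, computes precision, recall and FPR for the
model's "bad" verdicts, gates deployment on acceptance criteria, and tracks
the production funnel counters the deck lists. The sign-ups, scores and the
acceptance thresholds are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Signup:
    id: str
    score: float            # model's estimated probability that the sign-up is bad
    challenged: bool        # did the evaluator send it to a challenge?
    outcome: str            # "passed", "failed", "abandoned", or "" when not challenged
    verdict: str            # later MSA/partner verdict: "good", "bad" or "unknown"


# Constructed batch: scores from a hypothetical model, outcomes and verdicts made up.
SAMPLE = [
    Signup("s01", 0.95, True, "abandoned", "unknown"),   # walked away from the challenge -> bad
    Signup("s02", 0.90, True, "failed", "bad"),
    Signup("s03", 0.80, True, "passed", "good"),         # a real customer the model flagged
    Signup("s04", 0.70, True, "abandoned", "unknown"),
    Signup("s05", 0.60, True, "passed", "unknown"),      # Schroedinger's user: no verdict yet
    Signup("s06", 0.30, False, "", "good"),
    Signup("s07", 0.20, False, "", "good"),
    Signup("s08", 0.10, False, "", "good"),
    Signup("s09", 0.40, False, "", "bad"),               # slipped through, later spammed
    Signup("s10", 0.05, False, "", "unknown"),
    Signup("s11", 0.85, True, "failed", "bad"),
    Signup("s12", 0.15, False, "", "good"),
]


def label(s):
    """Training label: the partner verdict, except that an abandoned challenge is bad."""
    if s.challenged and s.outcome == "abandoned":
        return "bad"
    return s.verdict


def evaluate(signups, threshold=0.5):
    """Precision, recall and FPR of 'score >= threshold' against the labels."""
    tp = fp = fn = tn = unknown = 0
    for s in signups:
        lab = label(s)
        if lab == "unknown":
            unknown += 1          # no ground truth yet; neither a hit nor a miss
            continue
        predicted_bad = s.score >= threshold
        if predicted_bad and lab == "bad":
            tp += 1
        elif predicted_bad:
            fp += 1
        elif lab == "bad":
            fn += 1
        else:
            tn += 1
    return {
        "precision": tp / (tp + fp) if tp + fp else 0.0,
        "recall": tp / (tp + fn) if tp + fn else 0.0,
        "fpr": fp / (fp + tn) if fp + tn else 0.0,
        "labeled": tp + fp + fn + tn,
        "unknown": unknown,
    }


def accept_model(metrics, min_precision=0.95, min_recall=0.80, max_fpr=0.02):
    """Deployment gate; the thresholds are assumptions, the deck states none."""
    return (metrics["precision"] >= min_precision
            and metrics["recall"] >= min_recall
            and metrics["fpr"] <= max_fpr)


def funnel(signups):
    """Production counters the deck tracks: creation and challenge volume, abandonment rate."""
    created = sum(1 for s in signups if not s.challenged or s.outcome == "passed")
    challenged = sum(1 for s in signups if s.challenged)
    abandoned = sum(1 for s in signups if s.outcome == "abandoned")
    return {"created": created, "challenged": challenged,
            "abandonment_rate": abandoned / challenged if challenged else 0.0}


if __name__ == "__main__":
    m = evaluate(SAMPLE)
    print(m, "accept:", accept_model(m))
    print(funnel(SAMPLE))
```

On the sample batch the model scores 0.8 precision, 0.8 recall and 0.2 FPR over the ten labeled sign-ups, with two unknowns held back until a verdict arrives; it fails the default gate on precision and FPR. Note that the two abandoned challenges become true positives only because of the "abandoned means bad" rule; dropping that rule would leave them unknown and change both precision and recall, which is why label policy has to be fixed before model metrics are compared across runs.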
Layers of Protection
PREVENTION
Heuristics
Machine Learning
DETECTION
Offline Analysis
1st & 3rd Party Intelligence
Credentials in the wild
MITIGATION
Challenges
Lockdowns
RECOVERY
Compromise Recovery
Password Reset
Lost Security Info
Maintain Altitude
Customers that have verified recovery options:
• Password reset success jumped
• User retention rate improves
• Compromise recovery improves
• Allows a more aggressive security posture
• Overall healthier user base!
Invest in Automation
[Slide diagram: the training loop. Credentials → MSA Classifier → Seems Good / Seems Bad; each account is Schroedinger's User (?) until self-reporting, threat data, relying parties and behavior reach Analysis and yield label data: "We were right!" or "We were wrong!". The Learner then runs Analyze → Update → Deploy. TRAINING: 20+ TB logs]
APSA Overview
[Slide diagram: Signup → EVALUATE; pass → Provision Account; fail → CHALLENGE; challenge pass → Provision Account; challenge fail ends the flow. Signup and challenge telemetry together with MSA + partner labels feed the evaluator.]
Helpdesk: The trouble is in the title
[Slide chart: MSA Account Recovery Funnel, 5.34M. Branches labeled Auto Approve, Self Help Options and Auto Reject; figures shown: 87.85%, 9.97%, .86%, 89.66%]
Thanks! @alex_t_weinert