Webinar: Beyond Two-Factor: Secure Access Control for Office 365

Upload: secureauth

Post on 12-Apr-2017


TRANSCRIPT

Page 1: Webinar: Beyond Two-Factor: Secure Access Control for Office 365

Prevent the Misuse of Stolen Credentials James Romer – Chief Security Architect EMEA

Beyond Two-Factor: Secure Access Control for O365

Page 2

Webinar Housekeeping

• All attendee audio lines are muted

• Submit questions via Q&A panel at any time

• Questions will be answered during Q&A at the end of the presentation

• Slides and recording will be sent later this week

• Contact us at [email protected]

Page 3

Security Professional

Page 4

Third-Party Research

• Verizon Data Breach Investigations Report
  • Dedicated a section to credentials

• M-Trends 2016 Report
  • Observation #1 -- Credentials, in general

• Password Complexity enforcement

• Single Factor Authentication to publicly exposed applications

1. The Trouble with Tor – Mathew Prince https://blog.cloudflare.com/the-trouble-with-tor
2. 2016 Data Breach Investigations Report by Verizon http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/
3. Mandiant M-Trends 2016 https://www2.fireeye.com/rs/848-DID-242/images/Mtrends2016.pdf

Page 5

Standard 2-Factor

Page 6

2 Factor #FAIL – Disclaimer

• The following 2 Factor Fail slides are examples of where and how that second factor has failed or been compromised. This is not meant to argue for removing second-factor authentication methods. We recommend evaluating the security need of the identity being protected by the second-factor authentication method.

• We are in danger of running towards a broken methodology

Page 7

2 Factor #FAIL – Hard Tokens

• Hard Tokens Anyone?

• Provisioning and management nightmare

• User experience

• How about crafty users?

Page 8

2 Factor #FAIL – SMS

• SS7 – Thank You Karsten Nohl

• Social Engineering

• Mobile Phone Providers are a weak link

• DRAFT NIST Special Publication 800-63B
  • Must not send to VOIP based numbers
  • Deprecated SMS as an Out-of-Band Authentication

Page 9

2 Factor #FAIL – KBQ-KBA

• Social Engineering

• Some are based on Public Record

• Users tend to forget answers

• Security Practices guide users to leverage incorrect answers

Page 10

2 Factor #FAIL – Simple Push-to-Accept

• Human Behavior --- Implementation

• Wrongly accept authentication requests

Dave Kennedy DEFCON 22 -- Destroying Education and Awareness https://www.youtube.com/watch?v=vcA6dLl5Sa4&feature=youtu.be&t=30m38s

Page 11

User Experience / Security

Not all users are created equal, but everyone hates additional auth. steps

Getting beyond the old school, multi-step/interruption processes

Clean authentication experience enhances user adoption

Balancing security needs with user preferences – don’t have to compromise

Users choose how they want to authenticate

Flexible authentication workflows for different user groups

Best Possible User Experience: SECURITY + HAPPY USERS

MFA Step | Deny | Redirect | Allow

Go PASSWORDLESS – Even less disruption for users

Multi-Layered Risk Analysis – Only require an MFA step if risk present

Single Sign-On – Convenience of removing log-in across multiple systems

User Self-Service – Allow user to help themselves without a Help Desk call

On-Prem Apps, Homegrown Apps, SaaS Apps, VPN, Data Stores

• Password Resets

• Account Unlocking

• Enrollment

• User Personal Info

• Library of over 8000+ apps

• All Federation protocols supported

• Support custom branding

Page 12

• Enough Doom and Gloom! – The Solution?

• Recognizes people

• Makes it easy

• Is part of a community

• Adjusts over time

Page 13

Pre-Authentication Risk Analysis – Adaptive Authentication

• Layered Risk Analysis = Stronger Security

• No User Experience Impact

• Only present MFA when needed

• No other vendor has as many “layers”

Device Recognition

Threat Service

Directory Lookup

Geo-Location

Geo-Velocity

Geo-Fencing

Fraud Detection

Identity Governance

Behavior Analytics

Behavioral Biometrics

Page 14

Pre-Authentication Risk Analysis – Adaptive Authentication

Device Recognition – Do we recognize this device? Is it associated with a user we know?

Threat Service – Real-time threat intelligence; IP address interrogation

Directory Lookup – Group membership and attribute checking

Geo-Location – Is the request coming from a known location? Do we have employees, partners or customers here?

Geo-Velocity – Has an improbable travel event taken place?

Geo-Fencing – Is the access request coming from within or outside a geographic barrier?

Fraud Prevention – Reduce # of OTPs, block device class, identify “porting” status, block by carrier

Identity Governance – Who should/does have access rights? High access rights = greater risk/vulnerability

Behavior Analytics – Track normal behavior, looking for anomalies

Behavioral Biometrics – Typing sequences & mouse movements, unique to each user on each device

Page 15

Phone Number Fraud Prevention – Secure Phone-based Authentications & Comply with NIST Standards

OTP Spam Prevention – Regulate the number of OTPs allowed

Block Recently Ported Numbers – Has the number been ported without consent?

Block By Carrier Network – Block by global carrier networks

Block by Number Class – Block by phone number class

A component of SecureAuth Adaptive Authentication
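The following is an added example and not SecureAuth code or any product's logic: a small Python risk engine that implements the layers described on page 14 (device recognition, threat-service IP check, directory group lookup, geo-fencing, geo-velocity) and the phone-number fraud checks from page 15 (VOIP number class, recently ported numbers, OTP rate limiting), ending in the allow / MFA step / deny outcomes shown on page 11. Every user, device, IP, coordinate, timestamp and threshold is a constructed sample value; the 50 km fence, the 1000 km/h plausibility limit and the 3 OTPs per hour are assumptions, not vendor settings.

```python
# Added example (not SecureAuth's code): a toy pre-authentication risk engine
# exercising several of the layers on the slides, plus the phone-number fraud
# checks that gate an SMS/voice OTP. All data below is constructed sample data.
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List, Optional, Tuple

# --- constructed reference data (hypothetical directory, feed and settings) --
KNOWN_DEVICES = {"alice": {"dev-laptop-01"}}        # device recognition
THREAT_FEED_IPS = {"203.0.113.77"}                  # threat service (RFC 5737 test address)
HIGH_PRIVILEGE_GROUPS = {"O365 Global Admins"}      # identity governance
USER_GROUPS = {"alice": {"Staff"}, "bob": {"Staff", "O365 Global Admins"}}
OFFICE_FENCE = (51.5074, -0.1278, 50.0)             # geo-fence: lat, lon, radius km ("London office")
MAX_PLAUSIBLE_KMH = 1000.0                          # geo-velocity: faster than this is improbable travel
VOIP_NUMBERS = {"+15550000001"}                     # number class to block (per the NIST 800-63B draft)
RECENTLY_PORTED = {"+15550000002"}                  # porting status
MAX_OTP_PER_HOUR = 3                                # OTP spam prevention
NOW = datetime(2017, 4, 12, 9, 0)                   # constructed reference time


@dataclass
class Request:
    user: str
    device_id: str
    ip: str
    lat: float
    lon: float
    at: datetime


@dataclass
class LastLogin:
    lat: float
    lon: float
    at: datetime


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in km between two lat/lon points."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin(radians(lat2 - lat1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def risk_factors(req: Request, last: Optional[LastLogin]) -> List[str]:
    """Run the layered checks; return the name of every layer that flagged risk."""
    factors = []
    if req.device_id not in KNOWN_DEVICES.get(req.user, set()):
        factors.append("unknown-device")
    if req.ip in THREAT_FEED_IPS:
        factors.append("threat-ip")
    if USER_GROUPS.get(req.user, set()) & HIGH_PRIVILEGE_GROUPS:
        factors.append("high-privilege")          # high access rights = greater risk
    f_lat, f_lon, radius = OFFICE_FENCE
    if haversine_km(req.lat, req.lon, f_lat, f_lon) > radius:
        factors.append("outside-geofence")
    if last is not None:
        dist = haversine_km(req.lat, req.lon, last.lat, last.lon)
        hours = (req.at - last.at).total_seconds() / 3600.0
        # Two logins too far apart for the elapsed time: an improbable travel event.
        improbable = dist / hours > MAX_PLAUSIBLE_KMH if hours > 0 else dist > 0
        if improbable:
            factors.append("improbable-travel")
    return factors


def decide(factors: List[str]) -> str:
    """Map flagged layers to the slide outcomes: allow, mfa (step up) or deny."""
    if "threat-ip" in factors:
        return "deny"      # known-bad source: do not even offer a second factor
    if factors:
        return "mfa"       # some risk present: require a second factor
    return "allow"         # nothing flagged: no MFA interruption for the user


def otp_allowed(number: str, sent_at: List[datetime], now: datetime) -> Tuple[bool, str]:
    """Phone-number fraud checks run before an SMS/voice OTP is sent."""
    if number in VOIP_NUMBERS:
        return False, "voip-number-class"
    if number in RECENTLY_PORTED:
        return False, "recently-ported"
    recent = [t for t in sent_at if now - t < timedelta(hours=1)]
    if len(recent) >= MAX_OTP_PER_HOUR:
        return False, "otp-rate-limit"
    return True, "ok"


def run_scenarios() -> Dict[str, Tuple[List[str], str]]:
    """Constructed login attempts, one per layer; returns {name: (factors, decision)}."""
    london, paris = (51.51, -0.13), (48.8566, 2.3522)
    new_york_1h_ago = LastLogin(40.7128, -74.0060, NOW - timedelta(hours=1))
    cases = {
        "known device, in fence": (Request("alice", "dev-laptop-01", "198.51.100.10", *london, NOW), None),
        "unknown device": (Request("alice", "dev-unknown", "198.51.100.10", *london, NOW), None),
        "admin from Paris": (Request("bob", "dev-bob-01", "198.51.100.10", *paris, NOW), None),
        "NY an hour ago": (Request("alice", "dev-laptop-01", "198.51.100.10", *london, NOW), new_york_1h_ago),
        "threat-feed IP": (Request("alice", "dev-laptop-01", "203.0.113.77", *london, NOW), None),
    }
    return {name: (risk_factors(r, last), decide(risk_factors(r, last))) for name, (r, last) in cases.items()}


def run_otp_scenarios() -> Dict[str, Tuple[bool, str]]:
    """Constructed OTP requests exercising each phone-number check."""
    three_recent = [NOW - timedelta(minutes=m) for m in (5, 20, 40)]
    return {
        "fresh number": otp_allowed("+15550000003", [], NOW),
        "voip": otp_allowed("+15550000001", [], NOW),
        "ported": otp_allowed("+15550000002", [], NOW),
        "rate limited": otp_allowed("+15550000003", three_recent, NOW),
        "old sends expired": otp_allowed("+15550000003", [NOW - timedelta(hours=2)] * 5, NOW),
    }


if __name__ == "__main__":
    for name, result in {**run_scenarios(), **run_otp_scenarios()}.items():
        print(f"{name:24s} -> {result}")
```

The design point is that the layers only decide whether a second factor is needed at all: a request from a threat-feed address is denied before any OTP is sent, a clean request from a recognised device inside the fence gets no MFA interruption, and the OTP gate runs separately so a VOIP, recently ported or over-quota number never receives a code regardless of what the risk layers said.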

Page 16

Protecting the Identity and the 2FA Method

Threat Service, Geo-Location, Geo-Velocity, Device Recognition, Behavior Biometrics, Directory or Attribute Checking, UBA, Geo-Fencing, Second Factor Method

Page 17

O365 Support

• SecureAuth and O365

• Certified Microsoft Integrator: https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect-federation-compatibility/#secureauth-idp-720

• Rich/Thick Client support for Outlook, Lync, Skype for Business, Web based access and Mobile app access for the office suite

• Intelligent and Adaptive access control for the organization

Page 18

Demo

• SecureAuth and O365

• Browser access from an untrusted device

• Browser access from a trusted device

• Browser access from an anonymous source

Page 19

Become Proactive!

• Now that we have all this information on our Identities, what else can we do with it?

• Take automated actions
  • Provide the most appropriate 2FA option
  • Apply continuous authentication measures
  • Lock the User account / Reset Password
  • Report Automated Action to SIEM
  • Send Notification to Administrators
  • Send Notification to User
  • Allow the valid Identity to self remediate with Self-Service tools

Page 20

In Summary – 2FA Is Not Enough

Profound difference between being “compliant” & actually being “secure”

Antiquated 2FA doesn’t provide adequate access controls:

• KBAs - socially engineered

• Tokens & devices can be compromised

• OTPs via SMS/Text can be intercepted

• Push-to-accept known to routinely be falsely accepted

Old school approaches & methods carry an increasing IT burden and cost to manage

Compliance/2FA – NOT Enough

30+ MFA Methods – Choice and Flexibility

• Fingerprint Biometric

• Symbol-to-Accept

• SecureAuth App (w/ Fraud Detection)

• 25+ more methods…

Multi-Layered Risk Analysis – Strengthen security with minimal disruption to users

Infinite Workflows – Different auth workflows for groups, individuals, and/or apps

SIEM – Security Info & Event Mgmt

UBA – User Behavior Analytics

Dashboard – Visualize Access Control Data

Data Sharing – Correlate Access Control Data with Your Security Operations Center (SOC)

Page 21

We use ADFS – Do we need to replace it?

• SecureAuth as a claims provider trust
  • Take advantage of best of breed 20+ authentication techniques
  • Utilise 10 layers of pre-authentication risk checking – bring authentication intelligence into ADFS
  • Complement ADFS with all common SSO standards
  • Deploy adaptive authentication without impacting the users

• SecureAuth authentication adapter
  • Installs into ADFS to provide adaptive authentication
  • Take advantage of best of breed authentication techniques

Page 22

Question & Answer

Page 23

THANK YOU

Copyright SecureAuth Corporation 2017