In the past we have blogged about conditional access and how it can help you protect your data from harm. In this blog, we are going to look at the types of threats that conditional access will actually help you protect against.
Every month Microsoft updates more than 1 billion PCs, services more than 450 billion authentications and analyses more than 200 billion emails for malware and malicious websites. All of this telemetry feeds the Microsoft Intelligent Security Graph, which is what lets Microsoft identify where the most serious threats come from. Below, we have outlined the top 5 threats that you need to be aware of.
Leaked credentials
Microsoft security researchers search for credentials that have been posted on the dark Web, which usually appear in plain text. Machine learning algorithms compare these credentials with current Azure Active Directory credentials and report any match as “leaked credentials.”
Impossible travel or atypical locations
Machine intelligence detects when two sign-ins for the same account originate from geographic locations far enough apart that the time between them is too short to have travelled from one to the other. This is a strong indicator that at least one of the two sign-ins was not made by the legitimate user. The usual source of false positives is a VPN or cloud proxy, because the recorded location is then that of the exit node rather than of the user.
Machine intelligence also flags sign-ins at atypical locations by comparing each sign-in against that user's own sign-in history. Sign-ins from familiar devices, or from or near familiar locations, will pass.
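The two location-based checks above, as an added example rather than Microsoft's implementation: a haversine distance between consecutive sign-ins gives the speed the user would have needed, and a per-user baseline of familiar devices and locations drives the atypical-location check. The sign-in records, the 1000 km/h and 100 km thresholds, and the VPN egress range (used to suppress the impossible-travel false positive the text warns about) are all assumptions constructed for this example.

```python
"""Impossible-travel and atypical-location detections over a constructed sign-in log.

Added illustration, not Microsoft's implementation: the records, thresholds and
the VPN egress range below are assumptions chosen to exercise each rule.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 1000.0  # assumption: faster than any commercial flight
NEAR_KM = 100.0                   # assumption: what counts as "near" a familiar location
# Assumption: corporate VPN exit range; sign-ins via it carry the exit's geolocation.
KNOWN_VPN_EGRESS = [ip_network("203.0.113.0/24")]


@dataclass(frozen=True)
class SignIn:
    user: str
    when: datetime
    ip: str
    lat: float
    lon: float
    country: str
    device: str


def ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed sample of successful sign-ins (London, New York, Paris, Berlin coordinates).
SIGNINS = [
    SignIn("alice", ts("2024-03-01T08:00:00Z"), "198.51.100.7", 51.5074, -0.1278, "GB", "dev-a1"),
    SignIn("alice", ts("2024-03-01T09:30:00Z"), "192.0.2.44", 40.7128, -74.0060, "US", "dev-unknown"),
    SignIn("bob", ts("2024-03-01T08:00:00Z"), "198.51.100.9", 51.5074, -0.1278, "GB", "dev-b1"),
    SignIn("bob", ts("2024-03-01T20:00:00Z"), "198.51.100.120", 48.8566, 2.3522, "FR", "dev-b1"),
    SignIn("carol", ts("2024-03-01T07:00:00Z"), "198.51.100.10", 51.5074, -0.1278, "GB", "dev-c1"),
    SignIn("carol", ts("2024-03-03T07:00:00Z"), "192.0.2.80", 52.5200, 13.4050, "DE", "dev-unknown"),
    SignIn("dave", ts("2024-03-01T08:00:00Z"), "198.51.100.11", 51.5074, -0.1278, "GB", "dev-d1"),
    SignIn("dave", ts("2024-03-01T08:20:00Z"), "203.0.113.5", 40.7128, -74.0060, "US", "dev-d1"),
]

# Constructed per-user baseline, as if learned from earlier history: everyone usually
# signs in from London on one known device.
FAMILIAR_LOCATIONS = {u: [(51.5074, -0.1278)] for u in ("alice", "bob", "carol", "dave")}
FAMILIAR_DEVICES = {"alice": {"dev-a1"}, "bob": {"dev-b1"}, "carol": {"dev-c1"}, "dave": {"dev-d1"}}


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlam = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def via_known_vpn(ip):
    return any(ip_address(ip) in net for net in KNOWN_VPN_EGRESS)


def impossible_travel(signins, max_speed_kmh=MAX_PLAUSIBLE_SPEED_KMH):
    """Return (user, earlier, later, km/h) for consecutive sign-ins implying an implausible speed.

    Pairs where either leg came through a known VPN exit are skipped: the geolocation
    is the exit node's, not the user's, so the speed would be meaningless.
    """
    by_user = {}
    for s in sorted(signins, key=lambda s: (s.user, s.when)):
        by_user.setdefault(s.user, []).append(s)
    flagged = []
    for user, seq in by_user.items():
        for prev, cur in zip(seq, seq[1:]):
            if via_known_vpn(prev.ip) or via_known_vpn(cur.ip):
                continue
            hours = (cur.when - prev.when).total_seconds() / 3600
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            speed = km / max(hours, 1 / 3600)  # floor at one second so equal timestamps still evaluate
            if speed > max_speed_kmh:
                flagged.append((user, prev.when, cur.when, round(speed)))
    return flagged


def atypical_locations(signins, familiar_locations=FAMILIAR_LOCATIONS,
                       familiar_devices=FAMILIAR_DEVICES, near_km=NEAR_KM):
    """Return sign-ins that are neither from a familiar device nor near a familiar location."""
    flagged = []
    for s in signins:
        if s.device in familiar_devices.get(s.user, set()):
            continue
        if any(haversine_km(s.lat, s.lon, lat, lon) <= near_km
               for lat, lon in familiar_locations.get(s.user, [])):
            continue
        flagged.append(s)
    return flagged


if __name__ == "__main__":
    for hit in impossible_travel(SIGNINS):
        print("impossible travel:", hit)
    for s in atypical_locations(SIGNINS):
        print("atypical location:", s.user, s.country, s.device)
```

Running it flags alice twice (London to New York in 90 minutes, and an unknown device in an unfamiliar country) and carol once (an unknown device in Berlin, two days after London, so not impossible travel), while bob's Paris sign-in passes because it is from his familiar device and dave's New York sign-in is suppressed because it arrived through the VPN exit range.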
Sign-ins from potentially infected devices
The Microsoft Intelligent Security Graph maintains a list of IP addresses known to have been in contact with a bot server. A sign-in that originates from one of these IP addresses may be coming from a malware-infected device and is therefore flagged.
Sign-ins from anonymous IP addresses
People who want to hide their device’s IP address, often with malicious intent, frequently use anonymous proxy IP addresses. A successful sign-in from an anonymous IP address is flagged as a risk event. If the resulting sign-in risk level is medium or higher, a risk-based conditional access policy can require MFA as additional proof of identity.
Sign-ins from IP addresses with suspicious activity
Multiple failed sign-in attempts that occur over a short period of time, across multiple user accounts and that originate from a single IP address, also trigger a risk event. Traffic patterns that match those of IP addresses used by attackers are a strong indication that accounts are either already compromised or will be very soon, although the same pattern can also come from a legitimate IP address shared by many devices behind a NAT router or proxy, so the source should be checked before acting on it.
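The rule just described, as an added example rather than Microsoft's detection: a sliding window per source IP that fires only when both the failure count and the number of distinct accounts cross a threshold, so a single account being brute-forced does not match, and a hit from a known shared egress is tagged for the analyst instead of being silently trusted or suppressed. The log format, the 10-minute window, the thresholds, the corporate NAT range and every sample line are constructed for this example.

```python
"""Detecting many failed sign-ins across many accounts from one IP in a short window.

Added illustration, not Microsoft's detection: the log format, thresholds, the
corporate NAT range and all sample lines are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

WINDOW = timedelta(minutes=10)   # assumption
MIN_FAILURES = 10                # assumption
MIN_DISTINCT_USERS = 5           # assumption
# Assumption: an office NAT that many devices share; hits from here need a closer look.
KNOWN_SHARED_EGRESS = [ip_network("198.51.100.0/24")]
FAILURE_CODES = {"50126"}        # AADSTS50126: invalid username or password; "0" is success

# Constructed sample log, one event per line: "<ISO-8601 UTC> <source ip> <upn> <result code>".
SAMPLE_LOG = (
    # One source trying 12 different accounts within three minutes (a password spray).
    [f"2024-03-01T08:0{i // 4}:{(i % 4) * 15:02d}Z 192.0.2.10 user{i:02d}@contoso.example 50126"
     for i in range(12)]
    # Fifteen failures against a single account: brute force, but not multi-account.
    + [f"2024-03-01T08:10:{s:02d}Z 203.0.113.9 victim@contoso.example 50126"
       for s in range(0, 60, 4)]
    # A few mistyped passwords behind the office NAT, followed by successes.
    + [
        "2024-03-01T09:00:05Z 198.51.100.20 erin@contoso.example 50126",
        "2024-03-01T09:00:40Z 198.51.100.20 erin@contoso.example 0",
        "2024-03-01T09:03:12Z 198.51.100.20 frank@contoso.example 50126",
        "2024-03-01T09:07:50Z 198.51.100.20 grace@contoso.example 50126",
        "2024-03-01T09:08:01Z 198.51.100.20 grace@contoso.example 0",
    ]
)


def parse_line(line):
    """Split one constructed log line into (datetime, source ip, user, result code)."""
    when, ip, user, code = line.split()
    return datetime.strptime(when, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc), ip, user, code


def spray_sources(lines, window=WINDOW, min_failures=MIN_FAILURES, min_users=MIN_DISTINCT_USERS):
    """Return one finding per source IP whose failures in some `window` cross both thresholds.

    For each IP the failures are sorted and every failure is tried as a window start;
    the densest qualifying window is reported. IPs in the known shared-egress ranges are
    still reported, but tagged so the analyst knows the count may be many users' typos.
    """
    failures = defaultdict(list)
    for line in lines:
        when, ip, user, code = parse_line(line)
        if code in FAILURE_CODES:
            failures[ip].append((when, user))

    findings = []
    for ip, events in failures.items():
        events.sort()
        best = None
        for i, (start, _) in enumerate(events):
            inside = []
            for t, u in events[i:]:
                if t - start > window:
                    break
                inside.append(u)
            if len(inside) >= min_failures and len(set(inside)) >= min_users:
                if best is None or len(inside) > best["failures"]:
                    best = {
                        "ip": ip,
                        "window_start": start,
                        "failures": len(inside),
                        "distinct_users": len(set(inside)),
                        "shared_egress": any(ip_address(ip) in n for n in KNOWN_SHARED_EGRESS),
                    }
        if best is not None:
            findings.append(best)
    return findings


if __name__ == "__main__":
    for f in spray_sources(SAMPLE_LOG):
        print(f)
```

With the default thresholds only 192.0.2.10 is reported (12 failures, 12 accounts, 3 minutes). The single-account brute force from 203.0.113.9 never matches, however low the thresholds go, because it fails the distinct-user test; lowering both thresholds to 3 makes the office NAT appear as well, tagged `shared_egress`, which is exactly the case the paragraph above says needs a second look.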
To find out more about how conditional access can help your organisation protect its critical data, or to discuss identity management, please contact us.