Your ability to properly assess your risk is directly correlated to the breadth and depth of your intelligence.
Security teams seeking to protect against identity-based threats need to be able to answer basic questions like:
- How many sources of data can you draw from?
- Can you break out of your current silos to gain greater visibility?
- How well do you understand the potential impact from risks?
- How likely are your identities to be compromised?
- Do you have the context to make smart decisions?
- Can you respond effectively to risks and threats as they arise?
The good news is that for users of Azure Active Directory Identity Protection, answering these questions and reaching better security outcomes just got a lot easier.
Authomize, the Identity Threat Detection and Response (ITDR) Platform, will begin enriching AAD Identity Protection with contextual identity and access data from across all environments, improving the overall quality of the Risky Users scoring.
For those new to the term, ITDR is the new category of identity and access security tools used for protecting against identity-based attacks, providing a critical layer of security for identity and access.
Authomize’s ITDR Platform connects to cloud services, applications, and IAM infrastructure to collect and analyze data on identities, access privileges, assets, and privilege usage to produce actionable insights to eliminate identity risks and mitigate active threats.
The benefit for Azure customers from the addition of Authomize’s data to Identity Protection is the extension of visibility over not just their Microsoft products, but all of their applications and services across all their environments.
This is a big boon for multi-cloud organizations that utilize a mixture of Azure, AWS, GCP, Azure AD, Okta, a variety of HR tools, and of course all of their SaaS applications like GitHub, Salesforce, Dropbox, and G Suite, just to name a few drops in the ocean of possibilities.
So how does Authomize’s extensive yet granular visibility help us to better understand our risk?
Assessing and Operationalizing Risk
At a high level, there are three points at which Authomize takes risk into account:
- Using a Risk Score as a basis for determining access (i.e. least privilege access)
- Understanding the blast radius in relation to that Risk
- Using this data to provide context to your security platforms such as SIEMs
Diving a bit deeper, we can see a couple of examples of how risk is used in practice.
Developing an actionable risk score depends on your ability to confidently know how likely a threat is to happen, and what the extent of the damage can be if the situation turns south.
Azure AD Identity Protection customers currently have valuable visibility on data such as login attempts, device information, and location data that can help them to determine if there are reasons to trigger additional conditional access measures.
If there are indications that the account has been compromised like:
- Users with leaked credentials
- Sign-ins from anonymous IP addresses
- Impossible travel to atypical locations
- Sign-ins from infected devices
- Sign-ins from IP addresses with suspicious activity
Then Azure AD Identity Protection policies can automatically block a sign-in attempt or require additional action, such as requiring a password change or prompting for Azure AD Multi-Factor Authentication.
This decision to trigger one of these responses is based on the assessment of risk.
By incorporating Authomize’s in-depth insights on who has access to which assets, and what those identities can do with their privileges, Azure AD Identity Protection users immediately gain a clearer, more comprehensive picture of their risk level.
This scoring is based on two components:
Account Takeover Risk
How likely is it that a malicious actor could gain control of the account? Some of the factors in this equation include:
- No MFA enabled
- Leaked credentials
- Stale Password
- Stale access keys
- User impersonation detected
- Unused permissions
- Partially offboarded
</gml_replace>
<gr_replace lines="46" cat="reformat" orig="In the event">
Blast Radius
In the event that the account is taken over by a bad actor, what will they be able to impact?
- Local account that is not managed in the IdP
- External users
The more risk factors, the higher this score climbs.
In the event that the account is taken over by a bad actor, what will they be able to impact?
For example, if Sue’s account is compromised, we need to consider:
- Is she an administrator (or a shadow admin)?
- What services and applications does she have access to?
If Sue has high-level and far-reaching access privileges, then she puts the organization at significant risk.
Authomize can track access privileges across all environments, including through nested groups, to understand all of the access paths that an identity has to an asset. This includes detecting access privileges for identities external to your Azure AD like 3rd parties, contractors, and those in other IdPs like Okta.
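To make the two components concrete, here is an added example (not Authomize's or Microsoft's code; the weights, the nested-group data, the "shadow admin" test and the rule for combining likelihood with impact are all hypothetical) that scores a constructed identity the way the text describes: a takeover-likelihood score that climbs with each observed risk factor, a blast-radius score derived from every asset reachable through direct and nested group membership, and an overall score that combines the two. The group walk keeps a visited set so that cyclic group nesting cannot loop.

```python
"""Hypothetical identity risk scorer: Account Takeover Risk (likelihood) and
blast radius (impact). All weights, group data and the combination rule are
constructed for this example."""
from __future__ import annotations
from dataclasses import dataclass, field

# Hypothetical weights for the takeover risk factors listed above.
TAKEOVER_WEIGHTS = {
    "no_mfa": 25,
    "leaked_credentials": 40,
    "stale_password": 10,
    "stale_access_keys": 10,
    "impersonation_detected": 30,
    "unused_permissions": 5,
    "partially_offboarded": 20,
    "local_account_not_in_idp": 15,
    "external_user": 10,
}

@dataclass
class Identity:
    name: str
    groups: set[str] = field(default_factory=set)   # direct group memberships
    is_admin: bool = False                           # directly assigned admin role
    factors: set[str] = field(default_factory=set)   # observed takeover risk factors

# Constructed nested group graph: group -> member groups. "cloud-admins" nests
# "devops" back again to show that cycles are handled.
NESTED_GROUPS = {
    "finance-users": {"finance-readers"},
    "finance-readers": set(),
    "devops": {"cloud-admins"},
    "cloud-admins": {"devops"},
}
# Constructed grants: group -> set of (asset, privilege).
GROUP_GRANTS = {
    "finance-users": {("salesforce", "edit")},
    "finance-readers": {("dropbox-finance", "read")},
    "devops": {("github-org", "write")},
    "cloud-admins": {("azure-subscription", "owner")},
}
ADMIN_PRIVILEGES = {"owner", "admin"}  # privileges that make a "shadow admin"

def takeover_score(identity: Identity) -> int:
    """Likelihood component: every factor adds its weight, capped at 100."""
    unknown = identity.factors - set(TAKEOVER_WEIGHTS)
    if unknown:
        raise ValueError(f"unknown risk factors: {sorted(unknown)}")
    return min(100, sum(TAKEOVER_WEIGHTS[f] for f in identity.factors))

def access_paths(identity: Identity) -> list[tuple[str, str, tuple[str, ...]]]:
    """Resolve nested groups into every (asset, privilege, group path) the
    identity can reach. Depth-first walk with a visited set, so a cycle in the
    group graph is visited once and then ignored."""
    paths, seen = [], set()
    stack = [(g, [g]) for g in sorted(identity.groups)]
    while stack:
        group, path = stack.pop()
        if group in seen:
            continue
        seen.add(group)
        for asset, priv in sorted(GROUP_GRANTS.get(group, ())):
            paths.append((asset, priv, tuple(path)))
        for child in sorted(NESTED_GROUPS.get(group, ())):
            stack.append((child, path + [child]))
    return sorted(paths)

def is_shadow_admin(identity: Identity) -> bool:
    """Admin-level privilege reached only through (possibly nested) groups."""
    return not identity.is_admin and any(
        priv in ADMIN_PRIVILEGES for _, priv, _ in access_paths(identity))

def blast_radius_score(identity: Identity) -> int:
    """Impact component: 15 per reachable asset, +40 if the identity is an
    admin or a shadow admin, capped at 100 (hypothetical weights)."""
    assets = {asset for asset, _, _ in access_paths(identity)}
    score = 15 * len(assets)
    if identity.is_admin or is_shadow_admin(identity):
        score += 40
    return min(100, score)

def overall_risk(identity: Identity) -> int:
    """Combine likelihood and impact into one 0-100 score (hypothetical rule:
    the product of the two components, rescaled to 0-100)."""
    return round(takeover_score(identity) * blast_radius_score(identity) / 100)

# Constructed identities: Sue is a regular user whose nested groups make her a
# shadow admin; Bob is a contractor with leaked credentials but narrow access.
SUE = Identity("sue", groups={"finance-users", "devops"},
               factors={"no_mfa", "stale_password"})
BOB = Identity("bob", groups={"finance-readers"},
               factors={"leaked_credentials", "external_user"})

if __name__ == "__main__":
    for who in (SUE, BOB):
        print(who.name, takeover_score(who), blast_radius_score(who), overall_risk(who))
        for asset, priv, path in access_paths(who):
            print("  ", asset, priv, "via", " -> ".join(path))
```

Sue has only two moderate takeover factors, yet her blast radius is maximal because the "devops" group nests "cloud-admins", which owns the subscription; Bob's leaked credentials make takeover more likely, but he reaches a single read-only asset. Reporting the path (`devops -> cloud-admins`) alongside each asset is what makes the blast-radius number actionable: it tells the responder which nested membership to cut.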
Creating Actionable Analysis and Response
These two risk components taken together help Authomize produce the overall risk score that is then sent on to Azure AD Identity Protection over the open API for use on the dashboard to aid in making smarter, data-driven decisions.
While this integration adds additional dimensions to Azure AD Identity Protection, the benefits actually flow both ways.
Risky user and login data collected by Azure AD Identity Protection is used by Authomize to enrich our analysis. Our ITDR Platform can then utilize our automated response workflows to take actions like refactoring risky policies, sending contextual identity data alerts to SecOps tools like SIEMs, and much, much more.