Defending Your CIAM from Current Threats Alex Weinert, Group Program Manager Microsoft Identity’s Security & Protection Team @alex_t_weinert

Post on 14-Jul-2020


TRANSCRIPT

Page 1: Defending Your CIAM from Current Threats… · Azure Active Directory B2C Provide branded (white-label) registration and login experiences Securely authenticate your customers using

Defending Your CIAM from Current Threats
Alex Weinert, Group Program Manager

Microsoft Identity’s Security & Protection Team

@alex_t_weinert

Page 2:

If we could just get security out of the way . . .

Page 3:

Customers would love us!

Page 4:

But they aren’t all customers . . .

Page 5:

Or even humans . . .

Page 6:

Some aren’t feeling like themselves . . .

Page 7:

And success attracts attention.

Page 8:

Types of Badness

• Compromise – dual ownership: a bad actor has access to someone else's account
• Abuse – an account created to violate the Microsoft Terms of Use (for example, a spammer)

Page 9:

Page 10:

(Diagram labels: Apps · Analytics · CRM and Marketing Automation · Business · Social IDs · Business & Government IDs · contoso · Customers)

Azure Active Directory B2C

• Provide branded (white-label) registration and login experiences
• Securely authenticate your customers using their preferred identity provider
• Capture login, preference, and conversion data for customers

Page 11:

Microsoft Account (MSA) at a Glance

• ML protection systems process >20TB of data daily
• ~9B authentications, ~7.5B MSA
• Automatically deflect 20M attacks per day

Page 12:

Replay Defenses

Page 13:

Password Spray (aka Brute Force, Hammering)

• Iterate through known account names with the most common passwords
• Probability of account compromise by password spray: 1%

1. 123456
2. 123456789
3. qwerty
4. 111111
5. 12345678
6. 123123
7. password
8. 1234567
9. 12345
10. 1234567890
11. abc123
12. 123
13. 123321
14. password1
15. qwertyuiop
16. 666666
17. a123456
18. 1234
19. 654321
20. 5201314
21. 123456a
22. iloveyou
23. 11111111
24. 159753
25. 123123123
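As an added example (not from the deck), the shape the slide describes, many account names each tried with one or two of the most common passwords, is what a detector has to key on: per-account failure counts stay below any lockout threshold, so the signal is at the source, not the account. The script below runs over a few constructed sign-in log lines (the field layout is hypothetical) and separates a spraying source from a single-account brute force and from ordinary failures, then lists the accounts the spray actually got into. Thresholds are illustrative.

```python
from collections import defaultdict

# Constructed sign-in telemetry for this example (not real MSA logs).
# Field layout is hypothetical: timestamp source_ip account result
SAMPLE_LOG = """\
2020-07-14T09:00:01Z 203.0.113.7 alice FAIL
2020-07-14T09:00:02Z 203.0.113.7 bob FAIL
2020-07-14T09:00:03Z 203.0.113.7 carol FAIL
2020-07-14T09:00:04Z 203.0.113.7 dave FAIL
2020-07-14T09:00:05Z 203.0.113.7 erin FAIL
2020-07-14T09:00:06Z 203.0.113.7 frank SUCCESS
2020-07-14T09:00:07Z 203.0.113.7 grace FAIL
2020-07-14T09:00:08Z 203.0.113.7 heidi FAIL
2020-07-14T09:00:09Z 203.0.113.7 ivan FAIL
2020-07-14T09:00:10Z 203.0.113.7 judy FAIL
2020-07-14T09:05:00Z 198.51.100.9 alice FAIL
2020-07-14T09:05:03Z 198.51.100.9 alice FAIL
2020-07-14T09:05:06Z 198.51.100.9 alice FAIL
2020-07-14T09:05:09Z 198.51.100.9 alice FAIL
2020-07-14T09:05:12Z 198.51.100.9 alice FAIL
2020-07-14T09:05:15Z 198.51.100.9 alice FAIL
2020-07-14T09:10:00Z 192.0.2.44 bob FAIL
2020-07-14T09:10:05Z 192.0.2.44 bob SUCCESS
"""

# Illustrative thresholds; tune them against your own traffic and bucket by time window.
SPRAY_MIN_ACCOUNTS = 8           # one source touching this many distinct accounts...
SPRAY_MAX_FAILS_PER_ACCOUNT = 2  # ...with so few failures each that lockout never fires
BRUTE_FORCE_MIN_FAILS = 5        # classic hammering: many failures on a single account


def parse_log(text):
    """Turn the whitespace-separated log into (ip, account, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, ip, account, result = line.split()
        events.append((ip, account, result))
    return events


def source_profiles(events):
    """Per source IP: failure count per account, and the accounts it signed in to."""
    fails = defaultdict(lambda: defaultdict(int))
    successes = defaultdict(set)
    for ip, account, result in events:
        if result == "FAIL":
            fails[ip][account] += 1
        elif result == "SUCCESS":
            successes[ip].add(account)
    return fails, successes


def classify_sources(events):
    """Map each source IP with failures to 'spray', 'brute_force' or 'benign'."""
    fails, _ = source_profiles(events)
    verdicts = {}
    for ip, per_account in fails.items():
        accounts = len(per_account)
        total = sum(per_account.values())
        if accounts >= SPRAY_MIN_ACCOUNTS and total / accounts <= SPRAY_MAX_FAILS_PER_ACCOUNT:
            verdicts[ip] = "spray"          # wide and shallow: the spray signature
        elif accounts == 1 and total >= BRUTE_FORCE_MIN_FAILS:
            verdicts[ip] = "brute_force"    # narrow and deep: per-account lockout catches this
        else:
            verdicts[ip] = "benign"
    return verdicts


def accounts_to_review(events):
    """Accounts a spraying source successfully signed in to: treat as likely compromised."""
    _fails, successes = source_profiles(events)
    hit = set()
    for ip, verdict in classify_sources(events).items():
        if verdict == "spray":
            hit |= successes[ip]
    return hit


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print(classify_sources(ev))
    print("review:", accounts_to_review(ev))
```

The point of the source-centric view is that the spraying source above never fails more than once per account, so a per-account lockout rule would stay silent while one account (frank) is taken over.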

Page 14:

We Hate (Bad) Rulez.

BAD GUIDANCE
• Complexity rules: upper, lower, number and special? Password123!
• Expiration rules: Monthly? Sep2017! Quarterly? Fall2017!

GOOD GUIDANCE (http://aka.ms/passwordguidance)
• Minimum length requirements (to defeat brute-force hash attacks)
• Don’t use commonly attacked passwords
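An added example, not code from the deck, of a password-acceptance check built on the good guidance above: a minimum length (the slide asks for one but gives no number; 8 is assumed here) and a ban on commonly attacked passwords, with the normalization needed to catch what complexity and expiration rules produce (Password123!, P@ssw0rd1, Sep2017!, Fall2017!). The banned list is the 25 passwords from the earlier slide; the leet map and the month/season-plus-year pattern are this example's own.

```python
import re

# The 25 most-attacked passwords listed on the preceding slide.
COMMONLY_ATTACKED = {
    "123456", "123456789", "qwerty", "111111", "12345678", "123123", "password",
    "1234567", "12345", "1234567890", "abc123", "123", "123321", "password1",
    "qwertyuiop", "666666", "a123456", "1234", "654321", "5201314", "123456a",
    "iloveyou", "11111111", "159753", "123123123",
}

MIN_LENGTH = 8  # assumption: the slide calls for a minimum length but does not state one

# Substitutions that complexity rules push users toward; folded back before the ban check.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})

# Month or season followed by a year: the shape expiration rules produce (Sep2017!, Fall2017!).
DATE_PATTERN = re.compile(
    r"(jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec|spring|summer|fall|autumn|winter)"
    r"[a-z]*\d{2,4}[\W_]*"
)


def normalize(password):
    """Lower-case, strip leading/trailing digits and symbols, undo leet substitutions."""
    core = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", password.lower())
    return core.translate(LEET)


def check_password(password):
    """Return the list of policy failures; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    lowered = password.lower()
    # Check both the raw value and the normalized core: "Password123!" is "password" in disguise.
    if lowered in COMMONLY_ATTACKED or normalize(password) in COMMONLY_ATTACKED:
        problems.append("common_password")
    if DATE_PATTERN.fullmatch(lowered):
        problems.append("date_pattern")
    return problems


if __name__ == "__main__":
    for candidate in ["Password123!", "P@ssw0rd1", "Sep2017!", "Fall2017!", "qwerty",
                      "correct horse battery staple"]:
        print(f"{candidate!r}: {check_password(candidate) or 'ok'}")
```

Note that every one of the slide's "bad guidance" examples passes a classic upper/lower/digit/special rule and fails here, while a long passphrase with no digits or symbols passes.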

Page 15:

If your customers see value, so will attackers.

Old time bank robbers

Page 16:

How to get an account?
• Steal it – phish, password spray, breach → replay
• Make it – create a sign-up script

Payment instrument?
• Yes – buy stuff
• Not yet – add a stolen payment instrument

Support value transfer?
• Yes – transfer value $$$
• No

If your customers find value – so will criminals

• Direct asset extraction: online shopping, wire transfer
• Indirect asset extraction: credit instrument fraud, points/discount/rewards
• Service abuse: storage, compute, messages to traffic illicit content
• Audience exploitation: SPIM, SPAM, product placement, traffic boosting

Page 17:

Identifying Threats

1. Protect against fraudulent sign ups
2. Protect against account takeover
3. Protect sensitive operations

The same account-acquisition flow, with each step tagged by the threat it maps to:

How to get an account?
• Make it – create a sign-up script (1)
• Steal it – phish, password spray, breach → replay (2)

Payment instrument?
• Yes – buy stuff (3)
• Not yet – add a stolen payment instrument (3)

Support value transfer?
• Yes – transfer value $$$ (3)
• No

Page 18:

“Screened” Account Signups

(Chart: signups bucketed as GOOD / BAD / UNKNOWN)

Signups are labeled for training using high precision automatic detections.

• MSA and Microsoft internal partners submit verdicts based on account behavior.
• Accounts are labeled as good, bad or unknown.
• Manual analysis is used to constantly track accuracy of labels.
• Abandoned challenged signups are considered bad.

<4% of daily signup requests are valid

Page 19:

Model, measure, and improve.

Page 20:

Measurements

LABEL QUALITY
• All accounts are labeled as good, bad or unknown.
• Concentrate on quality of offline detections.
• Use manual analysis of accounts.
• Remove errors from labels.

MODEL QUALITY
• Evaluate model before deployment.
• Compute precision, recall, FPR.
• Model acceptance criteria.

MEASURE PERFORMANCE
• Measure model performance in production.
• Track account creation volume, challenge volume, challenge abandonment rate…
• Measure precision, recall based on labeled accounts after creation.
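An added example, not the deck's own code, of the measurement loop described on this slide and the signup-screening slide before it: accounts carry good/bad/unknown labels, an abandoned challenge is counted as bad, unknowns are excluded from the metrics rather than guessed, precision/recall/FPR are computed against the model's decision at creation time and gated by acceptance criteria, and the production funnel numbers (creation volume, challenge volume, abandonment rate) are tracked alongside. The records and the acceptance thresholds are constructed for the illustration.

```python
from collections import Counter

# Constructed post-creation records for this example (not MSA data).
# verdict:   what the signup model decided at creation ("allow", "challenge", "block")
# challenge: outcome if a challenge was issued ("pass", "fail", "abandoned"), else None
# label:     verdict later submitted from account behaviour ("good", "bad", "unknown")
SIGNUPS = [
    {"id": "A1", "verdict": "allow",     "challenge": None,        "label": "good"},
    {"id": "A2", "verdict": "allow",     "challenge": None,        "label": "good"},
    {"id": "A3", "verdict": "allow",     "challenge": None,        "label": "good"},
    {"id": "A4", "verdict": "allow",     "challenge": None,        "label": "bad"},
    {"id": "A5", "verdict": "allow",     "challenge": None,        "label": "unknown"},
    {"id": "C1", "verdict": "challenge", "challenge": "pass",      "label": "good"},
    {"id": "C2", "verdict": "challenge", "challenge": "pass",      "label": "good"},
    {"id": "C3", "verdict": "challenge", "challenge": "abandoned", "label": "unknown"},
    {"id": "C4", "verdict": "challenge", "challenge": "abandoned", "label": "unknown"},
    {"id": "C5", "verdict": "challenge", "challenge": "fail",      "label": "bad"},
    {"id": "C6", "verdict": "challenge", "challenge": "pass",      "label": "bad"},
    {"id": "B1", "verdict": "block",     "challenge": None,        "label": "bad"},
    {"id": "B2", "verdict": "block",     "challenge": None,        "label": "bad"},
    {"id": "B3", "verdict": "block",     "challenge": None,        "label": "bad"},
    {"id": "B4", "verdict": "block",     "challenge": None,        "label": "good"},
]

FLAGGED = {"challenge", "block"}   # the model's "positive" (suspected fraud) decisions

# Hypothetical acceptance thresholds; the slide names the criteria, not the numbers.
ACCEPTANCE = {"precision": 0.95, "recall": 0.80, "fpr": 0.02}


def effective_label(rec):
    """Abandoned challenged signups count as bad; everything else keeps its submitted label."""
    if rec["challenge"] == "abandoned":
        return "bad"
    return rec["label"]


def _ratio(num, den):
    return num / den if den else 0.0


def confusion(records):
    """Count tp/fp/fn/tn over labeled accounts; 'unknown' is excluded, not guessed."""
    c = Counter()
    for rec in records:
        truth = effective_label(rec)
        if truth == "unknown":
            c["excluded"] += 1
            continue
        if rec["verdict"] in FLAGGED:
            c["tp" if truth == "bad" else "fp"] += 1
        else:
            c["fn" if truth == "bad" else "tn"] += 1
    return c


def metrics(records):
    c = confusion(records)
    return {
        "precision": _ratio(c["tp"], c["tp"] + c["fp"]),
        "recall":    _ratio(c["tp"], c["tp"] + c["fn"]),
        "fpr":       _ratio(c["fp"], c["fp"] + c["tn"]),
        "labeled":   c["tp"] + c["fp"] + c["fn"] + c["tn"],
        "excluded":  c["excluded"],
    }


def accept_model(m, criteria=ACCEPTANCE):
    """Pre-deployment gate: every acceptance criterion must hold."""
    return (m["precision"] >= criteria["precision"]
            and m["recall"] >= criteria["recall"]
            and m["fpr"] <= criteria["fpr"])


def funnel(records):
    """Production health numbers: creation volume, challenge volume, abandonment rate."""
    challenged = [r for r in records if r["verdict"] == "challenge"]
    abandoned = [r for r in challenged if r["challenge"] == "abandoned"]
    return {
        "creation_volume": len(records),
        "challenge_volume": len(challenged),
        "abandonment_rate": _ratio(len(abandoned), len(challenged)),
    }


if __name__ == "__main__":
    m = metrics(SIGNUPS)
    print(m, "accept:", accept_model(m))
    print(funnel(SIGNUPS))
```

With these records the model catches 7 of 8 bad accounts but flags 3 good ones, so it fails the precision and FPR gates; the one unknown account is reported separately rather than silently counted on either side.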

Page 21:

Layers of Protection

PREVENTION: Heuristics · Machine Learning
DETECTION: Offline Analysis · 1st & 3rd Party Intelligence · Credentials in the wild
MITIGATION: Challenges · Lockdowns
RECOVERY: Compromise Recovery · Password Reset · Lost Security Info

Page 22:

Maintain Altitude

Page 23:

Customers that have verified recovery options

(Chart: password reset success, user retention, compromise recovery)

• Password reset success jumped
• User retention rate improves
• Compromise recovery improves
• Allows more aggressive security posture

Overall healthier user base!

Page 24:

Invest in Automation

Page 25:

Learner (feedback-loop diagram; labels as read from the slide)

Credentials → MSA → Analysis → Classifier → Seems Good / Seems Bad

Inputs: Self-reporting, Threat data, Relying parties, Behavior

Schroedinger's User (?)

Label Data: We were right! / We were wrong! → Analyze → Update → Deploy

20+ TB Logs

Page 26:

APSA Overview (flow as read from the slide)

TRAINING: Signup and Challenge Telemetry + MSA+Partner Labels

Signup → EVALUATE → Pass: Provision Account / Fail → CHALLENGE → Pass: Provision Account / Fail

Page 27:

Helpdesk: The trouble is in the title

Page 28:

MSA Account Recovery Funnel (5.34M)

(Chart residue; labels recoverable from the slide: Auto Approve, Self Help Options, Auto Reject; values shown: 87.85%, 9.97%, .86%, 89.66%)

Page 29:

Thanks! @alex_t_weinert

[email protected]