As stated in an earlier blog, Zero Trust Architecture resets the security posture of the organization to act as if hostile adversaries have both internal and external access to the network. You must assume that a breach has occurred or is imminent in a Zero Trust approach to cybersecurity. The traditional Defense in Depth strategy of protecting the perimeter of the digital estate and trusting everyone inside is no longer a sound cybersecurity premise. Identity is the new perimeter for Zero Trust Architecture and Azure Active Directory is at the core.
In the 1979 film, “When a Stranger Calls” the police are doing forensics on a series of threatening phone calls that Jill, the babysitter, keeps receiving. Finally, in the plot twist, Sergeant Sacker calls Jill back to inform her that they have traced the calls to their origin, “We’ve traced the call. It’s coming from inside the house.” Unlike Jill’s unfortunate circumstances our organizations must presume external actors have infiltrated our digital estate with a run of the house—including compromised identity and credentials.
Compromised Credentials Are a Hacker’s Favorite Things
In Verizon’s 2021 Data Breach Investigations Report, External Actors continually execute successful breaches by leveraging compromised credentials. The attacks tend to look like internal actors until forensic investigations reveal that actor is indeed an external threat that has infiltrated the digital estate. This is why one of the most foundational practices within the Identification and Authentication (IA) Domain, and arguably all of the Cybersecurity Maturity Model Certification (CMMC) framework, is IA.3.083 “Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.” After surpassing weak authentication through credential hijacking, the first stage of the breach can remain undetected for months or years while adversaries move laterally through your network.
Since the beginning of 2021, there have been more than two dozen 'headliner' cyber breaches—ranging from the top social networks to mobile carriers to local retailers in our communities. The principal interests of these attacks have been primarily stolen credentials and identity—email addresses, phone numbers, hashed passwords, and other Personally Identifiable Information (PII). Most often, an email address or phone number is 50% of the information needed to compromise login credentials. Combined with phishing attacks—the most prevalent attack type—adversaries have a treasure trove of identity credentials to be leveraged across a multitude of organizations.
As Alex Simons, CVP, Identity Program Management at Microsoft stated, “The only people in the world who love passwords are hackers!” Compromised credentials remain the number one method that bad actors use to gain access to your organization. In fact, Microsoft Security Research found that the risk of credential compromise could be reduced up to 99% by simply enabling Multifactor Authentication (MFA) across your enterprise.
Fortifying the New Identity-Centric Perimeter
This brings us back to adopting a Zero Trust mindset for your digital culture and estate. And yes, it is a cultural shift for everyone. By moving the digital perimeter from the network edge to identity, you no longer need to focus on whether bad actors are internal or external threats. No one accessing the network is implicitly trusted nor granted privileges beyond what is necessary for task completion. Even if an organization follows CMMC IA.3.083 mentioned above, it is imperative to control and track sessions and activities attached to a single identity.
Large, highly resourced companies are still challenged to perform this level of identity management and monitoring across their digital estate. With over 75% of the Defense Industrial Base (DIB) being small businesses, the challenge to effectively resource and standup a proactive Security Operations Center (SOC) remains a daunting task to meet the compliance requirements for CMMC Level 3 and beyond. Almost two entire CMMC domains – Audit and Accountability (AU) and Incident Response (IR) – could require one FTE for a 200-person company as an example. The only financial mitigation or offset comes through the use of technology or the use of a Managed Security Services Provider (MSSP).
Introducing Microsoft Defender for Identity
Microsoft Defender for Identity (MDI), previously known as Azure Advanced Threat Protection or Azure ATP, is one of those technologies that can help organizations protect and monitor user identities at scale. Organizations deployed on Microsoft 365 GCC or GCC High can take an identity-centric approach and evaluate user sign-in behaviors in real-time, along with device and application risk profiles. Not only can MDI ingest and analyze user activities (i.e. multiple data points around each authentication attempt and session) Microsoft will correlate suspicious user behavior with other verified malicious attacks happening across millions of other cloud environments to generate possible intelligence.
For example, if a user is attempting to login to an application from Birmingham, AL and then five minutes later the same account is attempting a second login from Lubbock, Texas on a non-standard device, this behavior needs to be flagged. Firstly, unless the user has broken the space-time barrier—and teleported 1000 miles in under five minutes—it’s unlikely that this impossible travel is authentic. Second, the device profile has changed and doesn’t represent what’s known or common for that individual. Thirdly, Microsoft Defender for Identity is using machine learning to analyze new threat patterns to determine if your organizational risk has increased or if your organization is being attacked.
The above example and capabilities align to System & Communications Protection SC.3.190 “Protect the authenticity of communications” and System & Information Integrity SI.2.216 “Monitor organizational systems… to detect attacks and indicators of potential attacks.”
Microsoft Defender for Identity gets a superset of capabilities when paired with other components of Microsoft 365 Defender, a fully functioning Extended Detection and Response (XDR) suite. By correlating data from apps, email, and endpoints, your organization gains a comprehensive view of your threat landscape and procedures to mitigate and remediate attacks. More importantly, by analyzing suspicious behaviors in real-time, your security operations team can proactively hunt for threats versus waiting for a breach to occur.
Identity Monitoring and Defense Built for Microsoft US Sovereign Cloud
In a previous article, we laid out the differences and benefits between Microsoft’s Commercial and Government Cloud offerings. Defender for Identity is built on the FedRAMP High accredited Microsoft Azure Government Cloud and includes interoperability with Microsoft 365 GCC, GCC High, and DoD. This MDI can be licensed for users through the F5 and E5 license or standalone.
Microsoft Defender for Identity for GCC, GCC High, and DoD leverage the same underlying technologies and provides same capabilities as the commercial instance of Defender for Identity with a few exceptions:
- Integration with Microsoft Defender for Endpoint (On Roadmap)
- VPN integration (On Roadmap)
Not only will MDI integrate with Azure Active Directory and your organization’s Microsoft 365 environment, MDI will also analyze on premises Active Directory and provide insights on where improvements can be made across a company’s entire identity estate.
Identity is the First Step to a Zero Trust Architecture
Already underway, the DIB is undertaking its most significant digital transformation with CMMC, and the Department of Homeland Security is now taking a deeper look at the program. Moreover, achieving Zero Trust Architecture is not a mutually exclusive endeavor for DIB companies. Nor is Zero Trust the latest bandwagon or industry buzzword that everyone is incorporating into their marketing. Zero Trust is a fundamental shift in our culture to not only protect our digital estate more effectively, but to also enable a higher degree of secure collaboration between organizations without boundaries.
Identity is the first step on our Zero Trust Journey. Once the Identity is fortified, we can shift to the security and protection of new devices, apps, IoT, and more. Bad actors and the threat landscape are evolving at cloud speed. These bad actors will continually attack the DIB supply chain through social engineering and pretexting to get your identity credentials—the keys to your digital estate.
In this article, there were some questions that were presented and left unanswered. However, this conversation is not done. We want you to pose questions of your own about your identity perimeter, Zero Trust Architecture, CMMC, and other security and compliance topics. The best way to get those questions asked and answered real-time is one of our upcoming events and webinars. We are expanding this conversation in the DIB community to accelerate the transformation. Let’s work together to secure our national supply chain and innovate like never before.