(uptempo music plays)
- Hello, and welcome back to Microsoft Mechanics Live. Coming up we're gonna take a look at how you can build a Zero Trust network, and our work till now in Microsoft 365. We're gonna break this down to the core concepts of what is Zero Trust, how Microsoft has been delivering against that concept with Microsoft 365 and conditional access, and how built-in intelligence from the cloud actually improves your ability to detect and respond to risks. And finally, how you can get on board fast with security baselines, something new, as well as Secure Score, and much, much more. And for that I'm joined by Alex Weinert, a lead engineer on the Identity team at Microsoft.
- Happy to be here.
- And you also cover things like Xbox logins, consumer, commercial, all of it, right?
- Yeah, the Identity Security and Protection team protects all accounts hosted by Microsoft; whether you're in a business, enterprise, or, you know, anything from Xbox, Outlook, Skype, if you log into it we protect it.
- Alright, so we're hearing this term a lot: Zero Trust Networks. For the folks that are new to that term, what does that actually mean?
- I think the easiest way to think about it is if we can go back twenty-five years to the Walled Garden approach, right?
- [Jeremy] Right.
- Where we thought, you know, if there is somebody on my network they must be in the building, they must be on a device that I issued; it made you feel pretty good about that. And as you look at the attacks that we have, where attackers are able to get into networks within twenty-four hours, get domain admin within forty-eight hours, stay resident in networks for 100 days, you know, we see that that Walled Garden approach has some pretty serious flaws.
- And it kind of extended out to the concept of VPN as well, right?
- Right, well that's the issue. You start from a place where, even if your network was sacred at one time, as soon as you punch a VPN into that you have connectivity to the outside world, right?
- [Jeremy] Right.
- And so we see cases where either new vulnerabilities emerge, and those VPNs can be attacked in that way, or just where, you know, there are exceptions made.
- Right, and some of the things that we've seen in terms of VPN vulnerabilities, what have you observed, I guess, in your years doing all the identity work at Microsoft, in terms of some issues we've encountered over the years?
- I mean, I will give you an example based on one attack that we dealt with that was pretty severe, and the way it started was that the VPN was set up in a pretty good way. The security team, and CISOs specifically, were very convinced they had a good thing going. They had an exec who traveled to do some business meetings, and that person lost their phone and had to get a new one, and that new device in a new country was out there, where that person couldn't get their phone set up for that VPN from where they were, and they were insistent that they would be allowed to get onto the network.
- [Jeremy] Okay.
- So they called, they yelled, right, people got scared, and what happened was the exception was made, right?
- [Jeremy] Right.
- And so at that point the exec was happy, and the IT team was busy, and they kind of forgot about what they had done. And this all came out in the course of the investigation that we did, that this was the history. Unfortunately for this company the next step was, you know, the bad guys kind of figured out that this had happened, and that this rule set had been allowed. And once they did that they were able to exploit that same hole through the VPN by coming in from a botnet node, on that kind of device in that country, and then it was game over, right?
- [Jeremy] Right.
- And we talk about it as the crunchy shell around the soft chewy center, and, like, the bad guys like to get into that soft chewy center. When we think about Zero Trust, you know, it's more like Zero Trust in the network.
- [Jeremy] Right.
- Right, you wanna think about it as though every asset you have is available on the open internet, because they are.
- Yeah.
- Right.
- Right, and even classically, anything about networks, you're gonna have different services, different ports that are open; for example, if you need to SSH into a resource, or RDP, these are some of the most common things. The kind of ironic thing is when you do move to the cloud a lot of the attackers follow you. It's kind of like the type of organism that kind of attaches to other fish and stuff up in the sea; they go back up with you into the cloud, they're looking for the same types of ports that are open.
- Right, and again part of your problem here is if you make this assumption that once I have it on my network it's fine, or I put up a firewall around it then it's okay.
- [Jeremy] Yep.
- But the assumptions have been proven over and over again to be false, and so whether it's through port scans of the type you're talking about, or it's through exceptions of the type we talked about before, you know, that's a fundamental flaw in your thinking; so, you know, be explicit about it: not "well, it must be okay to have this port open because it's on my network," but what is the resource, who should have access to it, when should they have access; you know, building policy is the way to go.
- And the scary thing is once they do actually find that open port, and do a brute force against it, then they can actually start to do things like move laterally through a network. So for example, on 1433, an old classic chestnut of a SQL port kind of issue, where a lot of times the admin creds aren't set up correctly for some of the critical accounts there; once you gain access to that server, and you can actually open up a command shell, you've got basically admin privs, and you can start moving laterally through the network.
- Right, and it's pretty amazing how effective people are at doing that, and again, you know, expect that your attacker, once they're in your network, is a domain admin inside of forty-eight hours.
- Right, right, right, so we've had a long history then at Microsoft in terms of putting controls into place to start to prevent these types of vulnerabilities, effectively by applying the controls more internally, right?
- Right, well, so we sort of, you know, years ago started the idea of assume breach.
- So right away you're kind of, okay, somebody's already in the network, how do I set up policies and controls? But the other thing we talked about is that it's a new world, right? Like, if I look out here most of the people in the audience have smartphones in their pockets and laptops in their bags, right, and you're using the conference WiFi, so how many networks have you been on today, how many devices have you been on today, how many apps have you used today? Right, the only thing we can really pin that policy around is the user. So that's the other thing we've been saying for a while: Identity is the control point, and within Identity, conditional access is the policy language, right? So that's where we say that's really where it comes back down to conditional access. I think that as we get more focused on Zero Trust, which is great, the advantage we have at some level is that we have this great group of people that are using it, they're on this journey with us, and we learn from them, right?
- Yeah.
- So we have right now daily, we have twenty-seven thousand users under protection of conditional access per day.
- And we're seeing something like a 300% year-over-year growth in the adoption of it.
- Right.
- All those customers, all those tenants are teaching us, right, what do they need, what are the things that we need to do? The other thing that's really significant is that we have all that signal, right?
- [Jeremy] Right.
- We understand what the threats are, what the attacks are, and we can see the policies that are effective, and then help people use those policies.
- Right, so the real crux of this is there's no standing trust, there's no inherited trust; Zero Trust is about really making sure every time a resource is accessed we can assess how trustworthy that access is, or request is.
- [Alex] Right.
- So if you're new to CA, and I think a lot of people, it sounds like here, are using it, what's an example of how you'd maybe start using it? How would we protect a risky login, for example?
- Yeah, so we want to be thinking in terms of continuous verification, and reverification of the elements of access, and really in terms of what makes sense for the business. So I'm gonna give us some simple examples as we're kind of, we have a quick timeline. I'm just in the Azure portal. I went to Azure Active Directory, and if you go down to Security you'll see Conditional Access there. And we set up a few policies for this demo. For this example I just want to do something real simple, which is we're gonna MFA every access to SharePoint. So we'll say the friction is low, you know, you can go get to other resources, but we wanna make sure there is a challenge on every access to SharePoint. And for those of you who aren't yet using conditional access, I understand many of you are, but basically you have two elements. It's very easy to think about. You have what's under these assignments, what we call conditions, and conditions are the selectors for the policy. If these conditions are met we're gonna fire the policy, right?
- [Jeremy] Right.
- [Alex] So which user do you want? The cool thing that we've added that I want to show off real quick is that we now allow you to assign conditional access policies by roles, so if you wanna look at, my Exchange admin needs to be under a specific policy, that's much, much easier to do. And the other thing that's cool and new is, you know, the full support for B2B, and making it really easy to set up your business partners if you set policies for them as well.
- [Jeremy] Okay.
- [Alex] Okay, so now here we've just selected my user as an example, and then for cloud apps it's really important we think about Zero Trust: if you imagine your network is on the open internet, that means the apps in your network, you want to model them in the same way. Which means that every internal and external app is under the management of conditional access.
- [Jeremy] Right.
- [Alex] So here we have it set to the example applications, and for SaaS apps I think there are three thousand now.
- [Jeremy] So now Microsoft, and also non-Microsoft apps.
- [Alex] But yeah, no, definitely third-party SaaS as well as Microsoft SaaS, as well as your on-prem apps using the app proxy. So you can actually get all of your apps in that model.
- [Jeremy] Very cool.
- [Alex] And what that allows you to do is have a consistent policy language, and consistent auditing, you know, consistent security model for it all. So then we can finally look at things like, what do we do when that policy matches?
- [Jeremy] Mmkay.
- So here typically our model is, in Azure Active Directory you're gonna say a user can access an app based on who they are, but what conditional access does, it says if these conditions apply let's make them do some extra stuff, right?
- Right.
- So the extra stuff we're gonna use for this example is multi-factor auth. We could instead use a TOU, we could challenge them, block them; there's new stuff we're doing all the time.
- One of the cool side benefits here in terms of MFA, it gives you basically that step up into a second factor of authentication if we detect something looks risky, for example, but it also will eliminate some problems if we can say that something looks like it's not risky. So for example, if they're within an IP range that we know, we trust, it's our own set of IPs, in a location that Alex is always logging in from, maybe your home, maybe the same device all the time, then we can actually start to reduce some of those second factor problems, but still have the same security level, right?
- Right, and just to give you a sense, there are a ton of other conditions that we would let you signal on, and sign-in risk is one of them, so it's super easy to set up. You just go in here, click on sign-in risk, and then pick the levels that you wanna fire that policy on. The other thing I wanna show just briefly is that we don't stop right when you get access; there's also the ability to instruct the system to do downstream things. So in this example that we're about to show we're gonna talk about SharePoint actually taking additional decisions based on the conditions of the login, and the way that we do that is send a signal downstream that says, hey look, I wanna do some additional app-enforced restrictions, or what we call limited access mode.
- [Jeremy] Okay.
- [Alex] And then conditional access app control lets us invoke Microsoft product security, so you can get some really rich, you know, front signal, and auditing, and that sort of thing there. So let's say you have a user who's at risk, they get a sketchy login, right, and maybe you wanna in this case say, well, it's a low value resource, I wanna see what that attacker is doing; let's follow them.
- [Both] Right.
- So this gives you some really incredible power in terms of thinking about how you model this. Again, you're verifying everything, you're controlling everything.
- What does it look like then to go to the user experience?
- Absolutely. We see in here that we've set up a policy that says we don't need MFA until we go to SharePoint.
- [Jeremy] Yep.
- [Alex] So this is why, by example, if I go over here to Outlook, and the demo gods are smiling, here I am, right, and I have my mail, no problem.
- [Jeremy] Okay.
- [Alex] If I go back, and I go to SharePoint now, Conditional Access is going to be invoked at the point we try to get that access, and we see that we get an interstitial here which is, I need to approve a sign-in request. Now a super cool thing we've been doing is the Authenticator app is the way to go, and we've just done an integration with the Apple Watch. So here I've just touched my wrist, I feel like Dick Tracy, right, and I've approved the sign-in request. Super, super easy. So increasingly these authentication gestures are getting really, really easy to get very, very strong auth. If you're running Windows Hello, it's literally like look at your screen. And so that's a really good way to go, and so now we're into SharePoint, and I can see here that I got some fun stuff, and maybe scheduling a team lunch.
- [Jeremy] Okay.
- [Alex] Okay, and if I zoom in on this to try and make it a little bit easier to see, you can see that this is classified General.
- [Jeremy] Right.
- [Alex] Okay, and now these labels, these classifications, are available to the tenant to decide, to the customer to decide how these are set up, but because this is General I just got right in, no problem, no restrictions, I can do whatever I want to do. If I were to go back to SharePoint, now this is some super cool work that we've done in conjunction with the SharePoint team. When we go to this financial site we can see that it's classified differently, and this is something customers have been asking us for a while. So this is classified Confidential.
- [Jeremy] Yep.
- [Alex] Right, because of the classification, therefore, and the fact that we put it in limited access mode, we can now see that this yellow bar is showing up, and it's basically saying that your organization isn't gonna let you download, print, or sync.
- [Jeremy] Yup.
- [Alex] Right, so we've been able to put a restriction that said this content is too special to get on a computer that isn't being managed.
- So it's really cool to just step back for a second. So even within the same browser session you didn't need to reboot. Even while you're running you could do something to even disable a session, for example, but here we saw we had a step-up auth even though we were logged in to mail, then when we were actually moving laterally through SharePoint some of the sites are labeled and classified such that you have a different experience from site to site.
- Right, and by putting these restrictions in place, you know, this capability lets you actually extend your horizon of productivity. Right, you're able to sort of think, alright, instead of nobody can do this, it's just nobody can download here. For them it means if somebody has to work late, you know, you go home, you need to review a document, make some notes on, say, a PowerPoint presentation, right?
- Yep.
- Then you can do that; it's just that you can't save it to your local drive. So that document remains protected, but the employee can still be productive. Right, and that's what we're looking for. Constantly using good security to push out that horizon of productivity.
- True, true, very cool, very cool.
- Alright, one more thing I would love to show you is there are other ways to think about this, and I wanna talk briefly to blocking legacy auth.
- [Jeremy] Yes.
- [Alex] So this is another thing that we've added recently, and just to show you where to find it, under the cloud apps that you're using here you can look into these conditions, and what we've done is said we want to look at what client apps we're using, and in this case we're saying we don't let in any apps that are in the Other category. Which is to say legacy auth, POP, IMAP, Examol auth, header-based auth, these things that are not gonna allow us to do MFA challenges, or to have a good session.
- Modern authentication.
- Right, most of our attacks are using tools built on these legacy auth protocols.
- Right, right.
- So what we've found statistically is that if you turn on this policy you will stop 66% of the compromises in your work.
- [Jeremy] Wow.
- It's crazy, like, I was surprised it was that strong.
- A couple of big percentages to kind of back up: 66% blocked through not using those old legacy auth platforms, also 99.9% effectiveness for MFA, as we've heard, in blocking identity-based attacks, so really, really big numbers.
- And it's all available to you now. It's not hard to do.
- Alright, so this is a beautiful looking app here, is it Pegasus Mail?
- Yeah, this is the latest, hottest Pegasus client.
- [Jeremy] And the Luna theme we rolled out with Windows XP, I think.
- [Alex] Right.
- [Jeremy] It looks real good.
- [Alex] And so what we do, we set this up earlier, and we've turned on this legacy auth protocol, and what you'll see is that it's very simple, that when conditional access sees that policy, and applying it to me as a user, it's gonna say sorry, you don't get to log in. Right, and so we've just stopped the use of that client altogether, so we've stopped all the vulnerabilities that come along with that protocol, right?
- [Jeremy] Very cool, very cool. So at the protocol level you can stop things, at the site-to-site level you can also do things in terms of making sure that users are authenticating in a secure way. So we've shown a lot of stuff today, but what's actually available now? And how should people get started?
- Well, almost, I mean, everything I've shown you, you can use either in preview or in GA. Most of the stuff has been generally available for a while. Like I say, we have millions of customers around the world using it every day. And we're seeing real results in terms of security improvements. In fact we're moving more and more towards codifying, here's some policies we're seeing be super effective. We take all that intelligence my team gets from, it's like six and a half billion signals a day, forty terabytes of data a day go through our machine learning system alone.
- [Jeremy] Yup.
- The nut of that is that we can do a lot to say these are the behaviors, resulting compromises, these are the policies that can help you out.
- Right.
- So there's another thing I'd love to show you just real quick about something we've been doing in that regard. Under the policies there's another kind of policy that we've been working on, and kind of creating, so as we look at, you know, again the usage of this, what makes people more secure, there's a set of pieces of guidance we're trying to get out.
- [Jeremy] Right.
- [Alex] One of them is please MFA your admins.
- [Jeremy] Yup.
- [Alex] This is crazy.
- [Jeremy] Totally.
- [Alex] I have all my team, I have a group of investigators that do first response on these major breaches.
- [Jeremy] Yeah.
- And it's almost always like, yeah, your admin had password 123 and no MFA, and or they got a keystroke logger, or they got phished, right?
- [Jeremy] Right.
- Or they got no MFA, and I mean that means the bad guy gets right in there, they own you at that point, right?
- [Jeremy] Yup, yup.
- So this is a policy that, you know, as much as everything else is very rich, we're creating a set of kind of canned policies, like best practice policies, and literally all you have to do is go turn it on. Set use policy now, you're done.
- [Jeremy] Very cool.
- Right, so that's a thing that we're really happy about, and then we're extending a little bit farther in terms of that guidance and those best practices, and in terms of how to create a very secure environment in the Zero Trust mindset, and that is something called Secure Score.
- [Jeremy] Okay.
- [Alex] And Secure Score has been around for a while in Office; we made a massive investment in it in Microsoft 365, and one of the things that's happened is that there's an identity-specific place for the identity admin, there's a network-specific place for the network admin, the infrastructure admin, and so forth, so the Identity Secure Score is where you as identity folks can go and say, what are the things I can do that have the biggest impact on improving my security posture, and then build a plan around that. If you look at the top one on here it says enable MFA for Azure AD privileged users, and it will just loop us straight back. We see the quick explanation of what to do, and then we can go down here and say let's get started, and when you get started it will take you right back to that baseline policy and turn it on.
- [Jeremy] Yep. It goes straight in, so there's a whole new kind of update that we're doing across the board for Secure Score that actually applies to all the other workloads as well as identity like you see here, so very, very cool stuff. So where would you tell people to go in terms of getting started, maybe a website or maybe more information, what's the best place there?
- Yeah, so go to aka.ms/ZeroTrust, and there's a lot of content there about conditional access, and we'll continuously extend that, and have more content there for the Zero Trust framework and conditional access as well.
- Good stuff. Thank you for today, Alex, and thank you for watching today, and joining us in the audience. That's all the time we have for this show. Follow us on Twitter, and subscribe to our YouTube. Goodbye for now.
(applause) (uptempo music plays)