As a CISO, a security architect or a security analyst, you can’t use the same defense strategy for an on-premises Active Directory (AD) as for one in the cloud. This is especially true with Microsoft Azure cloud services, because Microsoft has created a completely new identity and access management ecosystem. As an introduction, this presentation will go through some of the core changes in Azure AD, followed by a threat assessment against those changes. We will also talk about some of the security measures Microsoft provides to mitigate those threats.
The above topics are fairly old and have been explored in past years, but this presentation aims to focus on the detection side of Azure AD. Just as with Windows AD, Microsoft provides Azure users with logging capabilities, called “Azure AD Reports”. These reports are rich in information and can be used as data sources for threat hunting research and detection development. This presentation will unravel the different types of logs and how you can use them to “elevate” your detection game against cloud threats. Some practical detection mechanisms will be shared with attendees that can be applied to their organizations right away.
Lastly, the viewer will get a chance to see a new in-house tool called “Azula”. Azula is an acronym for “AZure (AD) Unified Lightweight Automated”. The tool can automatically enrich and contextualize data to help security analysts and threat hunters investigate Azure AD events faster and more efficiently. We hope that with these resources, attendees will be able to improve their Azure security posture.