Detecting Risky Behavior with Microsoft and Valence

Adrian Sanabria
April 25, 2023
Time icon
min read
Detecting Risky Behavior with Microsoft and Valence

Valence leverages of Microsoft’s new risk signals for human and non-human users

The Microsoft Azure AD team has been busy building identity protection features and making them available via the Microsoft Graph REST API. Valence has been collaborating with the Azure AD team – helping to bring new capabilities to detect Risky Users and Risky Service Principals into our SaaS security platform.

Detecting Risky Business

Microsoft’s Identity Protection feature automates the process of detecting identity-based risks for both human users and non-human service accounts and makes it possible to export these detections to other tools. What kinds of risks are we talking about here? A few examples:

  • Impossible travel
  • Anonymous IP use (TOR, VPN, etc)
  • IPs associated with malware and botnets
  • Leaked passwords
  • Brute-force login attacks

As you might suspect from the examples above, Microsoft uses both internal and external threat intelligence sources to inform these detections. Others use basic tried-and-true heuristic techniques to detect risky activity.

Risky Users

The Microsoft Graph riskyUsers API endpoint tells us the risk state (at risk or not), the risk level (high, medium, low) and any specific risks detected. Every user with detected risks in the Azure AD tenant is listed by this API call. This endpoint also makes it possible to retrieve results for specific users and to filter on properties, like the risk level. Finally, the riskyUsers endpoint can provide the history for any user as well, a feature useful for SOC analysts and incident response teams.

Remediating identity-based breaches has become critical over the past few years. As an example, in the Uber breach that occurred last September, the attackers were able to abuse and bypass MFA without triggering any alerts seen by IT or security. They used stolen credentials to get into Uber systems and pivot to a large, centralized password database used by IT and security, including high-privilege admin credentials. These attackers went from one set of credentials belonging to a contractor, to all the company's credentials and data without being noticed. Uber only discovered the incident when the attacker posted to their internal Slack to taunt them.

Risky Service Principals

Experienced penetration testers know that service accounts are excellent targets for credential theft and lateral movement. Service accounts often need high levels of access to sensitive workloads, but can’t have security features like multi-factor authentication enabled, since they’re ‘machine-to-machine’ accounts – used by scripts, applications and third-party software without human intervention. The Microsoft Graph riskyServicePrincipal API endpoint provides insights into risky non-human identities.

The problem with service accounts is that they have to be able to authenticate without human intervention. That means the passwords or auth tokens must be stored somewhere. In 2022’s Heroku, Travis-CI, Github incident, attackers discovered Github and Travis-CI auth tokens in Heroku’s systems and used them to access and explore private files and repositories.

Risk Detection and Valence

The benefit of bringing Microsoft risk signals into the Valence platform isn’t just convenience. Valence correlates risk signals from all supported SaaS platforms into one place, giving security teams the big picture. A single case of abnormal travel could be a false positive, so it’s difficult to draw a conclusion without more information.

In contrast, what if that abnormal travel detection was accompanied by compromised credentials and three new Salesforce integrations - all in the same hour, from the same user? That’s a much stronger signal that is probably a better use of someone’s time than chasing down isolated detections. It’s also a pattern that would have been tough to spot without a platform like Valence which correlates all these events, attributing them to a single employee.

There are other benefits to having a more complete picture of SaaS use. Investigators can more clearly and quickly see the breadth of an incident. Business users can get a better understanding of how SaaS applications are being used, and can perhaps spot inconsistencies. Those inconsistencies could go two ways - reducing SaaS use where it’s not needed, or increasing it where there is a clear productivity gain.

The benefit of bringing Microsoft risk signals into the Valence platform

This is all made possible through the visibility and correlation of the SaaS data, combined with the ability to directly engage SaaS users to understand their use cases and business justifications.

Valence will continue taking opportunities to ingest risk detections from various platforms. This data, combined with inputs from business users will help security teams and SaaS application owners better understand how to optimize and secure their SaaS use.

Looking forward, Valence will continue to work with the Microsoft Azure AD team to feed and manage the risky signals based on risk indications from other platforms and inputs from other SaaS applications and from the business users (using our collaborative business user engagement platform) to “close the loop” and enrich the data in the Microsoft platform.

Read the Microsoft Blog Post

Latest Blogs

SaaS to SaaS Supply chain security  | Valence security-Close
Free SaaS Security Risk Assessment

Our SaaS Security experts will help you identify risks and recommend actions to secure your SaaS now.

Request Assessment