Maria Puertas Calvo

Senior Data Scientist; Microsoft
Maria Puertas Calvo is a Senior Data Scientist on the Microsoft Identity Security and Protection team. She focuses on improving the intelligence behind Azure AD Identity Protection and all Microsoft Account compromise prevention and detection systems. Her work translates into constant improvements of the Machine Learning algorithms that keep Microsoft users secure and protected. Before Identity, she worked on detecting spam in Outlook.com. Maria has a Master's in Computer Science from the Autonomous University of Madrid, Spain, where she also did academic research in biometrics and Machine Learning.

Maria's Session


Wednesday, June 26
5:35 - 6:00 pm
Ballroom
Behavioral Analytics for Identity Compromise Detection in Real Time
Most compromised identities show a deviation from the user’s normal behavior in their interactions with the Identity Provider. When an attacker accesses an account with newly compromised credentials, chances are they are going to come from a device and location that are uncommon for the user. Even if they can proxy through a location that is nearby to the user’s normal location, the IP address will likely be different. These observations make it seem easy to detect compromised accounts by using simple rules based on past behavior. However, these simple rules generate too many false positives, and the signal gets lost in the noise. In this talk, I will explain how to use behavioral analytics to design a high-quality identity compromise detection algorithm that scores the authentication based on the likelihood that it is compromised. The authentication patterns are used and compared to historical user patterns and statistics around them, such as the frequency and the recency of each access pattern. These observations are combined into an output score, which is calibrated to a probability of compromise based on known attack and legitimate authentication data. Finally, we will go through how this algorithm can be implemented in real time so the compromise risk assessment can be done inline with the authentication.
