Want to improve protection for your cloud applications?
Then you’re in the right place.
Because today I’m going to show you the exact techniques that I use to maintain the visibility of my cloud apps.
What is Microsoft Cloud App Security?
- Microsoft Cloud App Security is Microsoft CASB (Cloud Access Security Broker) and is a critical component of the Microsoft Cloud Security stack. It’s a comprehensive solution that can help your organization as you move to take full advantage of the promise of cloud applications but keeps you in control through improved visibility into activity.
- It also helps increase the protection of critical data across cloud applications (Microsoft and 3rd parties).
- With tools that help uncover shadow IT, assess risk, enforce policies, investigate activities, and stop threats, your organization can more safely move to the cloud while maintaining control of critical data.
How Does Microsoft Cloud App Security Works?
Cloud discovery uses your traffic logs to discover and analyze which cloud apps are in use. You can manually upload log files for analysis from your firewalls and proxies, or you can choose automatic upload.
Sanctioning and un-sanctioning
- MS Cloud App Security enables you to sanction/block apps in your organization, using the Cloud app catalog.
- The Cloud app catalog rates risk for your cloud apps based on regulatory certifications, industry standards, and best practices.
- You can then customize the scores and the weights of various parameters to your organization’s needs.
- Based on these scores, Microsoft Cloud App Security lets you know on how risky the app is, according to over 50 risk factors that might affect your environment.
- App connectors leverage APIs provided by various cloud app providers to enable the Microsoft Cloud App Security cloud to integrate with other cloud apps and extend control and protection. This enables Microsoft 365 Cloud App Security to pull information directly out of cloud apps for analysis.
- In order to connect an app and extend protection, the app administrator authorizes MS Cloud App Security to access the app, and then Cloud App Security queries the app for activity logs and scans data, accounts, and cloud content.
- Microsoft 365 Cloud App Security can then enforce policies, detect threats, and provide governance actions for resolving issues.
- Policies allow you to define the way you want your users to behave in the cloud. They enable you to detect risky behavior, violations or suspicious data points, and activities in your cloud environment, and, if required, to integrate remediation processes to achieve complete risk mitigation.
- There are multiple types of policies that correlate to the different types of information you want to gather about your cloud environment and the types of remediation actions you may want to take.
What does Microsoft Cloud App Security Provide?
Discovering which applications are in use across an organization is just the first step in making sure sensitive corporate data is protected. Understanding use cases, identifying top users, and determining the risk associated with each application are all important components to understanding an organization’s overall risk posture. Microsoft Cloud App Security provides ongoing risk detection, analytics, and powerful reporting on users, usage patterns, upload/download traffic, and transactions so that you can identify anomalies right away.
How to create a new discovery report?
- Access “Microsoft Defender for Cloud Apps” portal
- On the left, select Discover and Cloud Discovery dashboard.
- Next, select “Create a new report“
Next, enter details that you wish and select “Create“
Note: Report creation analysis takes up to 24 hours to process
Create cloud app discovery policies to give you the ability to get alerted when new apps are discovered that are either risky, non-compliant or trending. Start by using the built-in templates to create app discovery policies for risky and high volume apps. The configuration can be adjusted if needed.
- New high-volume app – alerts when new apps are discovered that have total daily traffic of more than 500 MB
- Risky app – alerts when new apps are discovered with risk score lower than 6 and that is used by more than 50 users with total daily use of more than 50 MB
Once the policy is created, you will get notified when an application with high volume and high risk is discovered. This will allow you to efficiently and continuously monitor applications in your network.
Creating an App Discovery Policy
- Go to the “Cloud App Security Portal“
- Click on “Control” and then “Policies“
- Create “Policy” and pick “App Discovery policy“
- Select the template for a New high-volume app
- Scroll down and click “Create“
Create File Policies
- File policies are a great tool for finding threats to your information protection policies, for instance finding locations where users store sensitive information, credit card numbers and third-party ICAP files in your cloud.
- With Cloud App Security, not only can you detect these unwanted files stored in your cloud that leave you vulnerable, but you can take immediate action to stop them in their tracks and lock down the files that pose a threat.
- Using Admin quarantine, you can protect your files in the cloud and remediate problems, as well as prevent future leaks from occurring.
- Use file policies to detect information sharing and scan for confidential information in your cloud applications.
Create the following file policies to get visibility on how information is being used within your organization.
- A file containing PII detected in the cloud (built-in DLP engine) – alert when a file containing personally identifiable information (PII) is detected by our built-in data loss prevention (DLP) engine in a sanctioned cloud app.
- Files shared with unauthorized domains – alert when the file is shared with an unauthorized domain (such as your competitor).
- File shared with personal email addresses – alert when a file is shared with a user’s personal email address.
Use preset templates to start, review files in matched policies tab. Scope policies to a single SharePoint/OneDrive site to understand on how the policies are working before adding additional applications or sites.
How to Create a File Policy?
- Go to the “Microsoft Cloud App Security Portal“
- Click on “Control and then “Policies“
- Create “Policy and pick “File Policy“
- Select the template for a File containing PII detected in the cloud (built-in DLP engine)
- Scope it to down to SharePoint and OneDrive & Folder
- Click create
Follow the same steps and use the templates mentioned above.
For additional information about file policies, follow this link.
Permissions: Global Admin, Security Admin or User Group Admin
Creating an activity policy can help you detect malicious use of an end-user or privileged account or an indication of a possible compromised session.
Creating Activity Policies
Follow this link to learn more about activity policies.
- Mass download by a single user – this policy will give you visibility into possible data exfiltration. By default, this policy will also alert on OneDrive client syncs
- Multiple failed user logon attempts to an app – possible brute force attack or compromised account.
- Login from a risky IP Address – possible compromised account.
- Potential ransomware activity – alert when a user uploads files to the cloud that might be infected with ransomware.
- This detection identifies malicious files in your cloud storage, whether they’re from your Microsoft apps or third-party apps.
- Microsoft Cloud App Security uses Microsoft’s threat intelligence to recognize whether certain files are associated with known malware attacks and are potentially malicious.
- This built-in policy is disabled by default.
- Not every file is scanned, but heuristics are used to look for files that are potentially risky. After files are detected, you can then see a list of Infected files.
- Click on the malware file name in the file drawer to open a malware report that provides you with information about that type of malware the file is infected with.
Note: Malware detection is disabled by default. Make sure to enable it to get alerted on possible infected files.
Investigating and Remediating Alerts
Investigate and determine the nature of the violation associated with the alert. Try to understand if it’s a serious, questionable violation or anomalous behavior for the user. Investigate further by looking at the description of the alert and what triggered as well as looking at similar activities.
If you dismiss alerts, it’s important to understand why they are of no importance or if it’s a false positive. If there is too much noise coming in, be sure to review and tune the policy triggering the alert.
- In the “Microsoft Cloud App Security Portal” – Go to “Alerts“
- Click on an Alert you’d like to investigate. In this example, we’re investigating a single user who had multiple failed login attempts which could be a sign of brute force and a compromised identity.
- Read the description of the alert and look at the details provided to see if anything looks suspicious.
- We see that this user is an admin and has had over 12 failed logins. There is a chance that an attacker is trying to compromise this account.
- Click to on ‘View all user activity’ to view activities by this user for additional information for your investigation process.
- If we look at the captured images, we can see that he’s an admin whose account has been compromised. We’re able to make that conclusion by seeing that he had multiple failed logins from a TOR IP address and tried to exfiltrate data by his mass download alert.
- Now that we have enough information to infer that the alert is true. We can resolve the alert by the options available to us. In this case, the best approach would be to suspend the user since his account is compromised.
- Click on Resolve and write on how you resolved the alert
Reducing False Positives
Anomaly detection policies are triggered when they are unusual behaviors performed by the users in your environment. Microsoft Cloud App Security has a learning period where it uses entity behavioral analytics as well as machine learning to understand the “normal” behavior of your users. Use the sensitivity slider to decide the sensitivity of that policy in addition to scoping specific policies for a given group only.
As an example, to reduce the number of false positives within the impossible travel alert you can set the sensitivity slider to low. If you have users in your organization that are frequent corporate travelers, you can add them to a user group and select that group in the scope of the policy.
Add your corporate IP Address and VPN ranges, you will see fewer alerts in relation to impossible travel and infrequent country.
Click on Settings followed by IP Address ranges
Name the range
Enter the IP address range
Select a Category
Add a tag to tag specific activities from this range
These are the applications that installed by business users in your organization request permission to access user information and data and sign in on behalf of the user in other cloud apps, such as Microsoft 365, G Suite and Salesforce. When users install these apps, they often click accept without closely reviewing the details in the prompt, including granting permissions to the app.
You’ll have the capability to ban and revoke access to these apps.
Many users grant access to their Microsoft 365, G-Suite and Salesforce corporate accounts when trying to access an OAuth application. The issue arises is that IT has usually had no visibility into these applications or what the risk level associated is. Cloud App Security gives you the capability to discover the OAuth applications your users have installed and which corporate account they’re using to login. Once you discover which OAuth apps are being used by which account, you can allow or ban access right in the portal.
Manage OAuth Apps
The OAuth page contains information regarding which applications your users are granting access to using their corporate Microsoft 365, Salesforce and G-Suite credentials.
Ban or approve and app:
- Go to the “Microsoft Cloud App Security Portal” -> Click on “Investigate” -> Click on “OAuth Apps“
- Click on the “App Drawer” to view additional information on each application and the permission that was granted
- You can ban or approve the app by clicking either the approve or ban icon
Note: If you decide to ban an app, you can notify the user that the app they installed and provided permissions to is banned and can add a custom notification message.
This functionality is only available for G-Suite and Salesforce connected applications.
- On the OAuth apps page -> click on the three dots to the very right of the app row
- Click on Revoke app
OAuth policies notify you when an OAuth app is discovered that meets the specific criteria.
Follow this link on directions to create OAuth app policies.
CASB for Cloud Platforms
Permissions: Global Admin
Note: The Azure AD Global role doesn’t automatically provide privileged users with access to Azure subscriptions.
Elevate permissions to privileged users to add your Azure subscriptions – after you add the subscriptions make sure to disable the elevation.
To improve your cloud security posture, add your azure subscriptions into Cloud App Security; the integration with Azure Security Center will notify you when there are missing configurations and security controls. You’ll be able to identify anomalies in your environment and pivot to the Azure Security portal to apply these recommendations and solve for vulnerabilities.
To learn more about the integration with Azure Security Center click here.
Real-Time Monitoring and Control
Permissions: Security Admin or Global Admin
- Conditional access app control utilizes a reverse proxy architecture and is uniquely integrated with Azure AD’s Conditional Access (CA).
- Azure AD Conditional Access allows you to enforce access controls on your organization’s apps based on certain conditions.
- The conditions define the ‘who’ (for example a user, or group of users), the ‘what’ (which cloud apps) and the ‘where’ (which locations and networks) a conditional access policy is applied to.
- After you’ve determined the conditions, you can route users to the MS Cloud App Security where you can protect data with Conditional Access App Control by applying access and session controls.
- Conditional access app control enables user app access and sessions to be monitored and controlled in real time based on access and session policies.
- Access policies are used for PC and mobile devices and session policies are used for browser sessions.
Access and Session policies give you the following capabilities:
- Block on download
- Protect on download
- Prevent documents copy/print
- Monitor low-trust sessions
- Block Access
- Create read-only mode
- Restrict user sessions from non-corporate network
- Block upload
Azure Portal – Azure Active Directory
- Go to “Azure Active Directory” (AAD) under “Protect”, click on “Conditional Access“
- Create a Policy within AAD to enable Conditional Apps
- Assign a test user group and assign one Cloud App (SharePoint or 3rd party app that’s SSO configured) to get started during testing
- Click on Session and click on “Use Conditional Access App Control”
- Select “Use custom policy” which will route the session through the Microsoft Cloud App Security Portal
- Once you created the policy, make sure to log out of each configured app and log back in.
- Log back into the CAS portal, go into Settings and click on Conditional Access App Control
- The configured applications should show up in the portal as Conditional Access App Control apps.
Creating a Session Policy
We’ll be creating a session policy using a template to monitor all activities to get started.
Create additional policies using the preset templates to test the different controls available.
- Go to the “Cloud App Security Portal“
- Click on “Control” and then “Policies“
- Create “Policy” and pick “Session Policy“
- Select the template to Monitor all activities
- Click Create
Microsoft Cloud App Security License
The price for commercial licenses for Microsoft Cloud App Security varies by program, region and agreement type. In the Direct channel, there are ERP standalone list prices. Please see details on the pricing configurations here. Additionally, if customers want to use the Conditional Access App Control feature of Microsoft Cloud App Security, they must also have at least an Azure Active Directory Premium P1 (AAD P1) license for all users they intend to enable for this feature.
Licensing plans available to US government customers that include Microsoft Cloud App Security are described in the licensing tables below. Additional details can be found in our licensing and pricing descriptions:
At the end of this, you should have an understanding about information protection, real-time monitoring and threat protection capabilities of Microsoft 365 Cloud App Security.
Now I’d like to hear from you:
Which strategy from today’s post are you going to try first? Or maybe I didn’t mention one of your favorite cloud app security tips.
Either way, let me know by leaving a comment below right now.
Want to improve your Exchange Online experience for better productivity? Check out the tips and tricks mentioned here.