Microsoft Defender for Cloud Apps: combating cyber threats across Microsoft and third-party cloud services



IT teams are tasked with balancing easy access to applications against the control they need to keep over critical company data. In this context the Microsoft Defender for Cloud Apps security platform (formerly Microsoft Cloud App Security, MCAS) has taken on a central role as a Cloud Access Security Broker (CASB): it sits between users and cloud applications and provides log collection, API connectors, proxy services for both inbound and outbound connections, visibility of data in transit and, above all, the analytical capabilities needed to identify and combat the cyber threats aimed at companies' services.

With the arrival of the Microsoft 365 Defender central platform, Microsoft Defender for Cloud Apps integrates natively with Microsoft Defender for Endpoint and Microsoft Defender for Identity. It was developed around the needs of security professionals and offers simplified deployment, centralized administration and advanced capabilities for automating many routine activities.

According to Gartner, CASB platforms are the main security policy enforcement points placed between cloud service consumers and the applications offered by cloud providers. Their purpose is to implement and enforce the company's security policies as users access cloud-based resources, and to help monitor the security of users and data; in practice they are the equivalent of the classic firewall in traditional infrastructures.

In its CASB role, Microsoft Defender for Cloud Apps helps IT professionals identify and combat cyber threats to cloud services and beyond, integrating easily with other Microsoft products. The figure below shows schematically how an organization's data flows to the cloud and where the CASB sits in that flow.

Figure: the organization's cloud data flows and the position of the CASB. Source: Microsoft Learn

The main functionalities offered by Microsoft Defender for Cloud Apps:

  • Discovery and control of Shadow IT (services used outside the IT department): identifies the cloud applications and the IaaS and PaaS services in use in the organization so that their risk can be controlled.
  • Protection of sensitive information anywhere in the cloud: identification, classification and protection of stored sensitive information, with data loss prevention (DLP) capabilities applied at the various points where data can leak from the organization.
  • Protection against cyber threats and anomalies: detection of unusual behaviour across apps and users, and of potential ransomware, by combining several detection methods including user and entity behaviour analytics (UEBA), rule-based detection and quick visualization of how apps are being used.
  • Compliance assessment of cloud applications: evaluating whether they meet the regulations and industry standards relevant to the organization.

The administration portal was available at portal.cloudappsecurity.com; its functionality has since been consolidated into the Microsoft 365 Defender portal at security.microsoft.com.

The first administrative section of the Microsoft Defender for Cloud Apps portal is Discovery, where you can see both known and previously unseen cloud apps, the signs of Shadow IT, and unauthorized applications that may violate the company's security policies and compliance standards.

Traffic logs are analyzed and compared against a vendor catalog of over 15,000 cloud apps; the platform categorizes each identified application and scores it against more than 80 risk factors, giving visibility into risk, Shadow IT, and how cloud applications and data are actually being used.

The Discovery dashboard gives a quick overview of the types of apps in use, open alerts and the risk levels of the apps in your organization; with filters on the collected data you can also see who the top users of each app are and where its traffic originates.
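The discovery step described above, reduced to a runnable miniature. This is an added example, not Microsoft's code: the app catalog, risk scores, sanctioned list and proxy log lines below are all constructed for illustration, and the "eTLD+1" matching is deliberately crude. What it shows is the mechanics the product applies at scale: map each outbound request to a catalog app, attach the catalog's risk score, aggregate who uses what and how much they upload, and surface the unsanctioned, low-scoring apps and the hosts the catalog does not know.

```python
"""Added example (not Microsoft's code): Shadow IT discovery in miniature.

Microsoft Defender for Cloud Apps does this against a catalog of thousands of
apps and dozens of risk factors; here the same idea is reduced to a handful of
constructed catalog entries and proxy log lines so the mechanics are visible.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed miniature catalog: registrable domain -> (app name, risk score).
# Risk scores follow the product's convention: 0 is riskiest, 10 is safest.
APP_CATALOG = {
    "sharepoint.com": ("Microsoft SharePoint Online", 9),
    "dropbox.com": ("Dropbox", 6),
    "wetransfer.com": ("WeTransfer", 3),
    "pastebin.com": ("Pastebin", 2),
}
SANCTIONED = {"Microsoft SharePoint Online"}   # constructed: apps IT has approved

# Constructed proxy log lines: "<timestamp> <user> <method> <url> <bytes>"
SAMPLE_LOG = """\
2024-03-01T08:01:12Z alice GET https://contoso.sharepoint.com/sites/hr 1024
2024-03-01T08:03:40Z alice POST https://www.dropbox.com/upload 5242880
2024-03-01T08:05:02Z bob POST https://wetransfer.com/api/v4/transfers 104857600
2024-03-01T08:07:55Z bob GET https://contoso.sharepoint.com/sites/finance 2048
2024-03-01T08:09:13Z carol POST https://pastebin.com/api/api_post.php 4096
2024-03-01T08:11:30Z dave GET https://unknown-saas.example/login 512
"""


@dataclass
class AppUsage:
    name: str
    risk_score: int
    sanctioned: bool
    users: set = field(default_factory=set)
    requests: int = 0
    bytes_uploaded: int = 0


def registrable_domain(host):
    """Crude eTLD+1 (last two labels); enough for the catalog above."""
    return ".".join(host.lower().split(".")[-2:])


def parse_line(line):
    ts, user, method, url, nbytes = line.split()
    host = url.split("://", 1)[1].split("/", 1)[0]
    return ts, user, method, host, int(nbytes)


def discover(log_text):
    """Return ({app name: AppUsage}, {unmatched host: request count})."""
    usage = {}
    unknown_hosts = defaultdict(int)
    for line in log_text.strip().splitlines():
        _, user, method, host, nbytes = parse_line(line)
        entry = APP_CATALOG.get(registrable_domain(host))
        if entry is None:
            unknown_hosts[host] += 1          # not in catalog: candidate for review
            continue
        name, risk = entry
        app = usage.setdefault(name, AppUsage(name, risk, name in SANCTIONED))
        app.users.add(user)
        app.requests += 1
        if method in ("POST", "PUT"):         # uploads are what matters for leakage
            app.bytes_uploaded += nbytes
    return usage, dict(unknown_hosts)


def risky_unsanctioned(usage, min_acceptable_score=5):
    """Unsanctioned apps scoring below the acceptable risk score, largest upload volume first."""
    hits = [a for a in usage.values()
            if not a.sanctioned and a.risk_score < min_acceptable_score]
    return sorted(hits, key=lambda a: a.bytes_uploaded, reverse=True)


if __name__ == "__main__":
    usage, unknown = discover(SAMPLE_LOG)
    for app in risky_unsanctioned(usage):
        print(f"{app.name}: risk {app.risk_score}, users {sorted(app.users)}, "
              f"uploaded {app.bytes_uploaded} bytes")
    print("unmatched hosts:", unknown)
```

Two things worth noticing: Dropbox is unsanctioned but scores above the threshold, so it does not appear in the risky list (sanctioning and risk are separate decisions), and the unknown host is reported rather than silently dropped, because an app the catalog cannot identify is itself a Shadow IT signal.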

To understand what is happening in the organization's cloud environment, prevent violations of security standards in real time, and let users bring their own devices while protecting the organization against data leakage and theft, Microsoft Defender for Cloud Apps integrates with identity providers through Conditional Access App Control.

Access and session policies can be defined in the Microsoft Defender for Cloud Apps portal to refine the filters further and set the actions taken on a user's session, so that you can:

  • Prevent data exfiltration: block the download, cut, copy and print of sensitive documents.
  • Require protection on download: instead of blocking the download of sensitive documents, require them to be labeled and protected with Azure Information Protection, so the document stays protected and access to it remains restricted even in a potentially risky session.
  • Prevent the upload of unlabeled files: before a sensitive file is uploaded, shared and used by others it must carry the right label and protection; the policy can block the upload until the content has been classified.
  • Monitor user sessions for compliance: risky users are monitored when they sign in to apps and their session actions are recorded; this activity can then be investigated to understand where and under what conditions session policies should be applied in the future.
  • Block access: for specific applications and users, depending on several risk factors.
  • Block custom activities: for example sending messages with sensitive content in applications such as Microsoft Teams, where messages are inspected for sensitive content and blocked in real time.

Last but not least, one of the important functions of Microsoft Defender for Cloud Apps is the classification and protection of information deemed sensitive, which is very useful for preventing users from accidentally exposing critical files or information vital to the organization, with potentially serious legal consequences.

For this purpose Microsoft integrated the product natively with Azure Information Protection, a cloud-based platform specialized in classifying and protecting the organization's files and messages. This is the foundation for implementing information protection through the following steps:

  • Discovery of organizational data
  • Classification of sensitive information and labeling it, for example as personal, public, general, confidential or highly confidential
  • Enabling the Azure Information Protection integration in the Microsoft Defender for Cloud Apps settings
  • Active data protection by creating file policies that detect sensitive information and act according to its sensitivity, for example to:
    • trigger alerts and email notifications
    • change file sharing permissions
    • send files to quarantine for later analysis
    • remove inappropriate file or folder permissions
    • delete files
  • The final stage is monitoring and reporting, where alerts are investigated to better understand the reported issues and decide whether they are real or false positives.
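The detect-then-act logic of a file policy, as an added example rather than anything from Microsoft or from the original article (in the product the policy is configured in the portal, not written as code). The file records, sharing scopes and content snippets are constructed. The sensitive information type chosen is a payment card number validated with the Luhn checksum, so a random run of 16 digits such as an order ID is not flagged; that is exactly the kind of real-versus-false-positive distinction the monitoring stage above has to make. The governance action is chosen by how far the file is shared.

```python
"""Added example (not Microsoft's code): a miniature file policy run over
constructed file records. Detect a sensitive information type (Luhn-validated
payment card numbers), then choose a governance action by sharing scope.
"""
import re

# 13 to 19 digits with optional single space/hyphen separators, ending on a digit
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

# Constructed file records: name, owner, sharing scope, content snippet
FILES = [
    {"name": "customers-2023.xlsx", "owner": "alice",
     "shared_with": ["external:partner@example.net"],
     "content": "Card on file: 4111 1111 1111 1111 exp 12/26"},
    {"name": "order-ids.txt", "owner": "bob", "shared_with": [],
     "content": "order 1234 5678 9012 3456 shipped"},      # 16 digits, fails Luhn
    {"name": "internal-notes.docx", "owner": "carol",
     "shared_with": ["internal:dave"],
     "content": "Refund to 5500 0000 0000 0004 approved"},
    {"name": "public-brochure.pdf", "owner": "dave", "shared_with": ["public"],
     "content": "Call us today"},
]


def luhn_ok(digits):
    """Luhn checksum over a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return the card numbers (digits only) in text that pass Luhn."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def mask(pan):
    """Keep only the last four digits for alerting; never log the full number."""
    return "*" * (len(pan) - 4) + pan[-4:]


def evaluate(file):
    """Apply the policy to one file; None means no match."""
    pans = find_pans(file["content"])
    if not pans:
        return None
    sharing = file["shared_with"]
    if "public" in sharing or any(s.startswith("external:") for s in sharing):
        action = "quarantine"        # exposed outside the organization: pull it out of reach
    elif sharing:
        action = "remove_sharing"    # shared internally: keep the file, drop the sharing
    else:
        action = "alert"             # private: alert the admin and notify the owner
    return {"file": file["name"], "owner": file["owner"], "matches": len(pans),
            "sample": mask(pans[0]), "action": action}


def run_policy(files):
    return [r for r in (evaluate(f) for f in files) if r is not None]


if __name__ == "__main__":
    for result in run_policy(FILES):
        print(result)
```

The order-ID file is the false positive a naive digit-count rule would raise; the Luhn check removes it before an analyst ever sees it. The alert record carries a masked sample on purpose: an alert that reproduces the full card number would itself be a data leak.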

Microsoft Defender for Cloud Apps also lets you define anomaly detection policies for a wide variety of security issues, including:

  • Impossible travel: activities by the same user from two different locations within a period shorter than the time it would take to travel between them.
  • Activity from an infrequent country: activity from a location that users in the organization have not visited recently, or ever.
  • Malware detection: files in the organization's cloud apps are scanned and suspicious files are run through Microsoft's threat intelligence engine to determine whether they are associated with known malware.
  • Ransomware activity: detection of uploads to the cloud of files that may be infected with ransomware.
  • Activity from suspicious IP addresses: activity from IP addresses that Microsoft Threat Intelligence has identified as risky.
  • Suspicious inbox forwarding: detects suspicious forwarding rules set in a user's mailbox, a common way of exfiltrating mail after an account compromise.
  • Unusual multiple file download activities: a number of downloads in a single session far above the user's learned baseline, which may indicate an attempted breach.
  • Unusual administrative activities: administrative actions in a single session that deviate from the learned baseline, which may indicate an attempted breach.
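Two of the detections listed above, implemented over constructed data, as an added example and not Microsoft's code. The product's own models are not public, so the thresholds below (a 1,000 km/h plausibility limit, a 50 km minimum distance, mean plus three standard deviations, five sessions of history) are illustrative assumptions. The sign-in coordinates and session download counts are constructed. Beyond the two detections themselves, the block shows two practical points the bullets do not: a flagged session must be kept out of the baseline, or one bulk download teaches the model that bulk downloads are normal, and a user with too little history cannot be scored at all.

```python
"""Added example (not Microsoft's code): impossible travel and unusual file
download detection over constructed sign-in and session records. All
thresholds are illustrative assumptions.
"""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt
from statistics import mean, pstdev

MAX_PLAUSIBLE_KMH = 1000.0   # assumption: faster than a commercial flight
MIN_DISTANCE_KM = 50.0       # assumption: ignore same-city / VPN egress jitter

# Constructed sign-ins: (user, UTC timestamp, latitude, longitude of source IP)
SAMPLE_SIGNINS = [
    ("alice", "2024-03-01T09:00:00Z", 44.43, 26.10),    # Bucharest
    ("alice", "2024-03-01T10:30:00Z", -23.55, -46.63),  # Sao Paulo, 90 minutes later
    ("bob",   "2024-03-01T09:00:00Z", 51.51, -0.13),    # London
    ("bob",   "2024-03-01T12:00:00Z", 48.86, 2.35),     # Paris, 3 hours later
    ("carol", "2024-03-01T09:00:00Z", 52.52, 13.40),    # Berlin
    ("carol", "2024-03-01T09:05:00Z", 52.52, 13.40),    # same egress IP
]

# Constructed sessions in chronological order: (user, session id, files downloaded)
SAMPLE_SESSIONS = [
    ("alice", "s1", 3), ("alice", "s2", 5), ("alice", "s3", 4),
    ("alice", "s4", 6), ("alice", "s5", 5),
    ("alice", "s6", 120),   # bulk download
    ("alice", "s7", 6),     # back to normal
    ("bob", "s8", 2), ("bob", "s9", 1), ("bob", "s10", 50),  # too little history for bob
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two points given in degrees."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(signins, max_kmh=MAX_PLAUSIBLE_KMH):
    """(user, first time, second time, implied km/h) for consecutive sign-ins that are too fast."""
    by_user = {}
    for user, ts, lat, lon in signins:
        t = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        by_user.setdefault(user, []).append((t, lat, lon))
    alerts = []
    for user, events in by_user.items():
        events.sort()
        for (t1, la1, lo1), (t2, la2, lo2) in zip(events, events[1:]):
            dist = haversine_km(la1, lo1, la2, lo2)
            if dist < MIN_DISTANCE_KM:
                continue
            hours = (t2 - t1).total_seconds() / 3600
            speed = dist / hours if hours > 0 else float("inf")
            if speed > max_kmh:
                alerts.append((user, t1.isoformat(), t2.isoformat(), round(speed)))
    return alerts


def unusual_downloads(sessions, k=3.0, min_history=5):
    """Flag sessions whose download count exceeds mean + k*stdev of the user's prior sessions.

    Flagged sessions are kept out of the baseline; users with fewer than
    min_history sessions are not scored (cold start).
    """
    history, alerts = {}, []
    for user, sid, count in sessions:
        prior = history.setdefault(user, [])
        if len(prior) >= min_history:
            threshold = mean(prior) + k * max(pstdev(prior), 1.0)  # floor so flat baselines still work
            if count > threshold:
                alerts.append((user, sid, count, round(threshold, 1)))
                continue
        prior.append(count)
    return alerts


if __name__ == "__main__":
    for a in impossible_travel(SAMPLE_SIGNINS):
        print("impossible travel:", a)
    for a in unusual_downloads(SAMPLE_SESSIONS):
        print("unusual downloads:", a)
```

With the defaults only alice is flagged in both detections: Bucharest to Sao Paulo in 90 minutes implies roughly 7,000 km/h, while bob's London to Paris in three hours is about 115 km/h and carol never moves. Lowering the speed limit to 100 km/h would also flag bob, which is the usual tuning trade-off with this detection. Bob's 50-file session is not scored because three sessions are too little history, a gap the product covers with its learning period and an analyst covers by pairing this rule with the other detections above.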

To deepen your knowledge, I recommend the official Microsoft course SC-200 Microsoft Security Operations Analyst, associated with the role-based certification Microsoft Certified: Security Operations Analyst Associate.

  • To see the full range of Microsoft courses delivered by Bittnet Training, click here.
  • To see the full range of cyber security courses delivered by Bittnet Training, click here.
  • To see the full range of cloud technology courses delivered by Bittnet Training, click here.