In today’s hybrid work environments, protecting SaaS applications and the critical data they store is more challenging than ever. This means that understanding and leveraging tools like Microsoft Defender for Cloud Apps is essential for business environments in Australia. In this comprehensive guide, Anthony Porter provides the necessary tools and best practice methods to guide you through using Defender for Cloud Apps.
What is Microsoft Defender for Cloud Apps?
Microsoft Defender for Cloud Apps is a comprehensive solution designed to provide full protection for SaaS applications. It helps monitor and protect cloud app data, offering visibility into risks and control over app usage. By integrating with Microsoft Defender XDR, it provides incident-level detection, investigation, and response capabilities, ensuring full kill chain visibility.
Key features of Defender for Cloud Apps
Adaptive Access Control (AAC): This feature provides dynamic access control based on user behavior and risk levels, helping to mitigate potential threats. AAC leverages machine learning algorithms to continuously assess user risk and adjust access permissions in real-time.
User and Entity Behavior Analysis (UEBA): UEBA helps identify unusual activities by analysing user behavior patterns, enabling proactive threat detection. It uses advanced analytics to detect anomalies such as unusual login locations, atypical data access patterns, and abnormal file sharing activities.
Data Loss Protection (DLP): DLP features help control sensitive information by detecting and responding to sensitivity labels on content. It includes capabilities like content inspection, contextual analysis, and automated enforcement actions to prevent data breaches.
Integration with Microsoft Purview: Leveraging out-of-the-box data classification types, this integration enhances information protection policies. Microsoft Purview provides a unified data governance solution, enabling comprehensive data discovery, classification, and labeling across your cloud environment.
SaaS Security Posture Management (SSPM): SSPM features enable security teams to continuously assess and improve the security posture of SaaS applications. This includes automated compliance checks, configuration assessments, and security recommendations to mitigate risks.
App-to-App Protection: Extends threat protection to OAuth-enabled apps that have permissions and privileges to critical data and resources. This ensures that third-party applications accessing your data are also monitored and secured.
Integration with Defender for Endpoint: Defender for Cloud Apps integrates seamlessly with Defender for Endpoint, enabling the ingestion of data for the Cloud Discovery component to provide comprehensive visibility into cloud app usage. This integration also allows for the blocking of unsanctioned apps through the use of Indicators.
Why use tools like Microsoft Defender to secure SaaS applications?
Data protection: SaaS applications often store critical business data. Securing them ensures that sensitive information is protected from unauthorised access and breaches.
Compliance: Many industries have strict regulatory requirements. Using tools like Microsoft Defender for Cloud Apps helps organisations meet these compliance standards.
Visibility and control: Defender for Cloud Apps provides comprehensive visibility into app usage and potential risks, allowing for better control and management of cloud environments.
Threat detection: Advanced threat detection capabilities help identify and mitigate cyber threats, ensuring the security of SaaS applications and the data they hold.
Understanding policy types in Defender for Cloud Apps
Breaking down the policies
Threat detection
Policies can identify and mitigate cyberthreats across Microsoft and third-party cloud services. They can be created from templates or during investigations. These policies leverage machine learning and threat intelligence to detect and respond to advanced threats such as malware, ransomware, and phishing attacks.
1. Activity policy
Activity policies allow you to enforce a wide range of automated processes using the app provider's APIs. These policies enable you to monitor specific activities carried out by various users, or follow unexpectedly high rates of a certain type of activity.
Example use cases
- Monitoring user activities: Track user activities such as file downloads, sharing, deletions, and access to sensitive data. This helps in identifying potential data exfiltration or misuse.
- Compliance enforcement: Ensure users comply with organisational policies by monitoring specific actions, such as accessing restricted files or using unauthorised applications. This is crucial for maintaining regulatory compliance and internal security standards.
Prerequisites
- Integration with cloud services and applications: Ensure seamless integration with various cloud platforms (e.g., Microsoft 365, Google Workspace) to collect comprehensive activity logs.
- User activity logging enabled: Enable detailed logging of user activities across all integrated services to provide a complete audit trail.
Requirements
- Define specific activities to monitor: Identify and document the critical activities that need monitoring, such as file access, sharing, and deletion.
- Set thresholds for alerts and actions: Establish thresholds for generating alerts and automated actions, such as notifying administrators or blocking suspicious activities.
2. Anomaly detection policy
Anomaly detection policies enable you to look for unusual activities on your cloud. Detection is based on the risk factors you set to alert you when something happens that is different from the baseline of your organisation or from the user's regular activity.
Example use cases
- Fraud detection: Identify unusual transactions or behaviors that may indicate fraudulent activity, such as multiple failed login attempts or unusual access patterns.
- Security breach detection: Detect abnormal login patterns, such as logins from unusual locations or devices, which could signify a compromised account.
Prerequisites
- Historical data for establishing normal behavior patterns: Collect and analyse historical data to establish baselines for normal user behavior.
- Machine learning models for anomaly detection: Implement machine learning models to analyse data and detect anomalies in real-time.
Requirements
- Continuous data collection and analysis: Ensure continuous collection and analysis of user activity data to detect anomalies promptly.
- Configuration of anomaly detection algorithms: Configure and fine-tune anomaly detection algorithms to minimise false positives and accurately identify suspicious activities.
3. OAuth app policy
OAuth app policies enable you to investigate which permissions each OAuth app requested and automatically approve or revoke it. These are built-in policies that come with Defender for Cloud Apps and can't be created.
Example use cases
- App authorisation control: Monitor and control OAuth app permissions to prevent unauthorised access to sensitive data and resources.
- Risk assessment: Identify and block risky OAuth apps that may pose security threats, such as those requesting excessive permissions.
Prerequisites
- Integration with OAuth providers: Integrate with OAuth providers (e.g., Google Workspace, Microsoft 365) to monitor app permissions and user consents.
- User consent tracking: Track user consents to ensure that only authorised apps have access to organisational data.
Requirements
- Define criteria for app permissions and risk levels: Establish criteria for evaluating app permissions and determining risk levels.
- Set up automated alerts for high-risk apps: Configure automated alerts to notify administrators of high-risk apps and take appropriate actions.
4. Malware detection policy
Malware detection policies enable you to identify malicious files in your cloud storage and act on them automatically. This is a built-in policy that comes with Defender for Cloud Apps and can't be created.
Example use cases
- Threat detection: Identify and block files containing malware before they can cause harm to the organisation’s systems.
- Incident response: Automate responses to detected malware incidents, such as isolating affected systems and notifying security teams.
Prerequisites
- Integration with threat intelligence services: Integrate with threat intelligence services to stay updated on the latest malware threats and indicators of compromise.
- Endpoint protection solutions: Deploy endpoint protection solutions to detect and block malware on user devices.
Requirements
- Regular updates to malware definitions: Ensure malware definitions are regularly updated to detect the latest threats.
- Configuration of automated response actions: Configure automated response actions to quickly mitigate the impact of detected malware.
Information protection
Policies ensure data security by detecting and responding to data violations, such as quarantining threats or blocking risky apps. They include automated actions like encryption, access revocation, and alerting to ensure sensitive data remains secure.
1. File policy
File policies enable you to scan your cloud apps for specified files or file types (for example, files that are shared, or shared with external domains), for specified data (proprietary information, personal data, credit card information, and other data types), and to apply governance actions to the matching files (the available governance actions are cloud-app specific).
Example use cases
- Data loss prevention: Monitor and control the sharing of sensitive files to prevent data leaks and unauthorised access.
- Compliance monitoring: Ensure files comply with regulatory requirements and internal policies by monitoring their content and usage.
Prerequisites
- Integration with file storage and sharing services: Integrate with services like OneDrive, SharePoint, and Google Drive to monitor file activities.
- Data classification and labeling: Implement data classification and labeling to identify and protect sensitive information.
Requirements
- Define file types and actions to monitor: Specify the types of files and actions (e.g., sharing, downloading) that need monitoring.
- Set up alerts and automated actions for policy violations: Configure alerts and automated actions to respond to policy violations, such as blocking file sharing or notifying administrators.
Conditional access
Policies enforce access controls based on user conditions, ensuring only authorised users can access sensitive data. These policies integrate with Entra ID to provide granular access controls based on user roles, device compliance, and real-time risk assessments.
1. Access policy
Access policies provide you with real-time monitoring and control over user logins to your cloud apps.
Example use cases
- Conditional access: Control access to applications based on user location, device, and risk level to enhance security.
- Zero trust security: Implement access controls to enforce least privilege access, ensuring users only have access to the resources they need.
Prerequisites
- Integration with identity providers: Integrate with identity providers (e.g., Microsoft Entra ID) to manage user identities and access controls.
- Conditional access configurations: Set up conditional access policies to enforce security requirements based on various conditions.
Requirements
- Define access conditions and criteria: Establish the conditions and criteria for granting or denying access, such as location, device compliance, and user risk level.
- Set up policies for different user groups and scenarios: Create tailored access policies for different user groups and scenarios to ensure appropriate access controls.
2. Session policy
Session policies provide you with real-time monitoring and control over user activity in your cloud apps.
Example use cases
- Session monitoring: Monitor user sessions in real-time to detect and respond to suspicious activities, such as unusual session durations or multiple concurrent sessions.
- Activity restrictions: Limit specific actions during a session, such as downloading sensitive files or accessing restricted areas, to enhance security.
Prerequisites
- Integration with cloud applications: Ensure integration with cloud applications to monitor and control user sessions.
- Real-time session monitoring capabilities: Implement real-time session monitoring to detect and respond to suspicious activities promptly.
Requirements
- Define session activities to monitor and restrict: Identify the session activities that need monitoring and restriction, such as file downloads and access to sensitive data.
- Configure alerts and automated responses: Set up alerts and automated responses to handle suspicious session activities, such as terminating sessions or notifying administrators.
Shadow IT
Policies monitor and control unauthorised cloud app usage, helping to secure the organisation’s cloud environment. They provide visibility into unsanctioned apps, assess their risk levels, and enforce governance actions such as blocking or restricting access to high-risk applications.
1. App discovery policy
App discovery policies enable you to set alerts that notify you when new apps are detected within your organisation.
Example use cases
- Shadow IT detection: Identify unauthorised cloud applications used within the organisation to mitigate security risks.
- Risk assessment: Evaluate the risk level of discovered applications to determine their impact on the organisation’s security posture.
Prerequisites
- Continuous log upload and analysis: Ensure continuous upload and analysis of logs from various sources to detect unauthorised applications.
- Integration with endpoint protection solutions: Integrate with endpoint protection solutions to monitor and control application usage on user devices.
Requirements
- Define criteria for app discovery and risk assessment: Establish criteria for discovering and assessing the risk of unauthorised applications.
- Set up alerts for new or risky applications: Configure alerts to notify administrators of new or risky applications and take appropriate actions.
2. Cloud discovery anomaly detection policy
Cloud Discovery anomaly detection policies look at the logs you use for discovering cloud apps and search for unusual occurrences. For example, a user who has never used Dropbox before suddenly uploads 600 GB to it, or a particular app sees far more transactions than usual.
Example use cases
- Usage anomalies: Detect unusual increases in cloud application usage, such as large data uploads, unexpected spikes in API calls, or sudden changes in user activity patterns.
- Security threats: Identify potential security threats based on anomalous behavior, such as unusual login times, access from unexpected geographic locations, or abnormal usage of privileged accounts.
Prerequisites
- Historical usage data for establishing baselines: Collect and analyse historical usage data to establish normal behavior patterns for cloud application usage.
- Integration with cloud discovery tools: Ensure integration with cloud discovery tools that can monitor and analyse cloud application usage across the organisation.
Requirements
- Define anomaly detection criteria and sensitivity levels: Establish specific criteria for what constitutes an anomaly, such as thresholds for data uploads, login times, or geographic access.
- Configure alerts for detected anomalies: Set up automated alerts to notify security teams of detected anomalies.
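To make the baseline-versus-anomaly idea concrete, here is an added Python example (not Defender for Cloud Apps code, which is configured in the portal rather than scripted): it replays constructed discovery records, builds a per-user, per-app baseline from earlier days, and flags the two cases described above (first-time use of an app with a very large upload, and a transaction count far above the user's usual rate), which is also the threshold-style alerting that activity policies apply to unexpectedly high rates of an activity. The record layout, the thresholds, and the `first_use_bytes`, `spike_factor` and `min_tx` names are assumptions for this illustration.

```python
from collections import defaultdict
from statistics import mean

GB = 1024 ** 3

# Constructed sample discovery records: (day, user, app, upload_bytes, transactions).
# Made up for this example; not output from Defender for Cloud Apps.
SAMPLE_LOG = [
    ("2024-05-01", "alice", "Box", 2 * GB, 120),
    ("2024-05-02", "alice", "Box", 1 * GB, 110),
    ("2024-05-03", "alice", "Box", 3 * GB, 130),
    ("2024-05-01", "carol", "Box", 1 * GB, 100),
    ("2024-05-04", "alice", "Box", 2 * GB, 900),     # far above her usual ~120/day
    ("2024-05-04", "bob", "Dropbox", 600 * GB, 40),  # never used Dropbox, uploads 600 GB
    ("2024-05-04", "carol", "Box", 1 * GB, 110),     # normal for carol
    ("2024-05-04", "dave", "Dropbox", 1 * GB, 3),    # first use, but a small upload
]


def build_baseline(records, day):
    """Per (user, app): daily transaction counts observed strictly before `day`.
    ISO dates compare correctly as strings."""
    history = defaultdict(list)
    for d, user, app, _upload, tx in records:
        if d < day:
            history[(user, app)].append(tx)
    return history


def detect_anomalies(records, day, first_use_bytes=100 * GB, spike_factor=5, min_tx=50):
    """Return (user, app, reason, measure) alerts for `day`.

    first_use_bytes: upload size that makes a first-ever use of an app suspicious.
    spike_factor:    how many times the user's mean daily transactions counts as a spike.
    min_tx:          floor so that tiny baselines (e.g. mean of 1) do not fire on noise.
    """
    baseline = build_baseline(records, day)
    alerts = []
    for d, user, app, upload, tx in records:
        if d != day:
            continue
        prior = baseline.get((user, app))
        if not prior:  # no history for this user on this app
            if upload >= first_use_bytes:
                alerts.append((user, app, "first_use_large_upload", upload / GB))
        elif tx >= min_tx and tx > spike_factor * mean(prior):
            alerts.append((user, app, "transaction_spike", tx / mean(prior)))
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(SAMPLE_LOG, "2024-05-04"):
        print(alert)
```

In a real deployment the baseline window would span weeks rather than three days, and the thresholds would be tuned against your own false-positive rate, which is exactly the "sensitivity level" the Requirements list refers to.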
Conclusion
Self-learning and staying updated with tools like Microsoft Defender for Cloud Apps is crucial for any security professional. By understanding its features and policy types, you can better protect your organisation’s data and ensure a robust security posture. Keep exploring, keep learning, and try to stay one step ahead.
For more information on what CBS can offer to boost your security posture, contact us today.