Microsoft Defender for Cloud Apps

Security tools are continuing to become smarter and some might say that Microsoft’s responsibility to help end users and businesses is becoming more and more vital. The attack or threat vectors (how hackers can get to your systems and data) are becoming wider and to counter this, the Microsoft cloud app security has been tightened through the use of a suite of tools that have been aligned into specific groups.

Let’s remind ourselves of these groups, and highlight the group this guide addresses:

Microsoft Defender for End Point
  • Protection at the endpoint level.  
  • Delivered via a unified platform for both preventative protection, detection as well as automated investigated and response.  
Microsoft Defender for Office 365
  • Protection at the email level and collaboration tools.
  • Safeguarding measures against malicious threats via email messages, links and other collaboration tools.   
Microsoft Defender for Identity
  • Protection at the identity level via Azure Active Directory Domain Services (Azure AD DS). 
  • Identify / Detect / Investigate compromised identities and insider actions. 
  • Previously known as Microsoft Advanced Threat Protection (ATP) 
Microsoft Defender for Cloud Apps
  •  Protection at the Application level. 
  • Cross SaaS based solution allowing deep visibility, data controls and threat protection across business aps.  

Microsoft Defender for Cloud Apps was formerly known as Microsoft Cloud App Security. It excels at protecting an organisation and it’s users from cyber threats, without them having to consider how or where they are accessing an application from. This is done by using the Conditional Access Control Feature of Azure AD.

Many users are working within a corporate environment using BYOD’s (Bring Your Own Device) and are unaware of where an application is running – whether it be on premise or cloud-based.  Microsoft Defender for Cloud Apps integrates with any identity provider (IdP) to protect users at the data access and session control level. By using Microsoft’s IdP, (Azure AD) the integration and deployment methods are further streamlined because of the close integration with Azure AD.

Conditional Access App Control is enabled by setting the conditions on which users can access corporate systems. The three key controls are:

Who has access?  Which users or user groups (departments) have access to particular systems

What Cloud Apps can be accessed?  Define the applications that are available to users.

Where access is granted? Which locations and networks are open to access by authorised users.

Once these conditions are established, Microsoft Defender for Cloud Apps can be employed to manage access using access rights and session controls defined in Azure AD. Setting up Microsoft Defender For Cloud Apps requires someone with security experience that Is capable of establishing the right conditions of access and ensure the correct levels of protection are achieved. Vissensa has a security team that work with organisations who can implement and manage the Microsoft Defender suite of products, enhancing your Microsoft cloud app security.

Features of Microsoft Defender For Cloud Apps

The main features of Microsoft Defender for Cloud Apps is that it guards against the main attack vectors seen in the access and use of cloud apps which include:

Stealing Sensitive Data

This is also known as data exfiltration. Attacks by unknown and unregistered devices gaining access to a network can be blocked from downloading files or data. The function also interrupts and prevents the extraction of information by simple cut, copy, and print commands that could be actions from the unmanaged device.

Additional Multifactor Authentication

When a request to access sensitive data is detected, Conditional Access Control in Azure AD will force additional multifactor authentication to the requesters registered MFA (Multi Factor Authentication) device, preventing unauthorised access to the data.

Protect On Download

Instead of blocking the download of sensitive documents, you can require documents to be labelled and encrypted when you integrate with Microsoft Information Protection (MIP). This action ensures the document is protected and user access is restricted in a potentially risky session.

Labelling Of Files

Microsoft Cloud App security solutions require any sensitive files uploaded to the network to be classified with a definition defined by the organisation for the type of file content ( financial, HR, personal, competitive etc.) prior to its acceptance for upload. This prevents the upload and distribution of sensitive information to unrestricted areas of the network, or for them to be shared inadvertently with other non authorised users.

Malware Scanning

Microsoft Defender has many features where malware can be detected within the system or at its boundaries (such as email attachments). This feature completes the circle by using Microsoft’s Threat intelligence algorithms and processes to scan instantaneously on upload or download its contents and identify suspicious payloads within the file.

High Risk User Monitoring

Identified high risk users of systems are subject to more rigorous monitoring of user sessions at logon for compliance. The monitoring includes the logging of the user’s actions during sessions so that the Security team can investigate and analyse the user behaviour to understand where, and under what conditions, session policies should be applied in the future.

Block Access And Custom App Activities

There are a number of scenarios in the Microsoft Defender for Cloud Apps where it is possible to grade the access to specific applications and block users if the risk profile exceeds a predetermined condition. Examples of these conditions could be using a certificate to try and gain access, rather than the authorised MFA route, where content is attempted to be shared or transferred in Teams, Slack or other collaborative platforms. These scans and interventions are carried out in real time.

Supported Apps And Clients

Session and access controls can be applied to any interactive single sign-on (SSO), using the SAML 2.0 authentication protocol or, if you are using Azure AD, the Open ID Connect authentication protocol as well. Furthermore, if your apps are configured with Azure AD, you can also apply these controls to apps hosted on-premises configured with the Azure AD App Proxy. In addition, access controls can be applied to native mobile and desktop client apps. It is recommended that you seek assistance from a security expert familiar with the Microsoft Defender suite of products to install and configure such security policies. Many of these features require integration and collaboration with other parts of the product set to provide a complete security umbrella. Vissensa have a security team who have assisted many organisations in their cloud and on-premise security journeys.

More from the Microsoft Defender Series: