Sam Broughton - Microsoft Security Consultant, Satisnet
Microsoft Cloud App Security (MCAS) is Microsoft's CASB solution that acts as a universal tool that manages Software as a Service (SaaS) applications, specifically 3rd party cloud applications. This capability allows you monitor cloud apps that are approved for use but also unsanctioned cloud apps, which are being utilised by your end-users within the organisation, however, are not permitted or are no longer required from previous projects, also known as Shadow IT.
However, MCAS can also natively integrate across the broader Microsoft product stack as well as take advantage of your on-premise security appliance to provide a more holistic view of events and deliver further unique management and control capabilities.
Below is a list, but not limited to, of native and on-prem integrations with MCAS that can aid with monitoring, detecting, remediating cloud and on-prem threat vectors:
MICROSOFT DEFENDER FOR ENDPOINT
Provides data about the cloud apps and services being accessed from managed endpoints
Enables Cloud Discovery within MCAS on any machine in the corporate network and via remote access
MCAS integrates with Microsoft Defender for Endpoint natively and extends Cloud Discovery capabilities by ultimately providing machine-based investigation. MCAS uses the traffic information collected by Microsoft Defender for Endpoint about the cloud apps and services being accessed from the devices within the organisation's environment.
The endpoint logs collected by Microsoft Defender for Endpoint are sent to MCAS to provide user information based on endpoint and network traffic activities. This provides device context and pairs this with usernames to determine the users, activities and the machines involved to detect additional potential risks.
By enabling the integration with Microsoft Defender for Endpoint, access to unsanctioned apps can be quickly blocked within the MCAS portal. Once a cloud app has been tagged as unsanctioned within MCAS, the unsanctioned app's domain indicator is automatically synced to Microsoft Defender for Endpoint. Defender for Endpoint then enforces the restrictions to the endpoints to block access to the cloud apps based the domain names provided by MCAS.
AZURE ACTIVE DIRECTORY (AD) IDENTITY PROTECTION
Create anomaly detection policies to start the process of detecting and collating UEBA events
Target numerous behavioural anomalies across the users, machines and mobile devices connected to the environment
Automate the detection and remediation of identity-based risk
MCAS integrates with Azure AD Identity Protection's policies to provide user entity behavioural analytics (UEBA) across an organisation's environment. It provides MCAS with generating a holistic overview of the investigation Priority Score for each user within the organisation.
The score is based on the security alerts, abnormal activities and potential business and asset impact related to each user discovered by Azure AD Identity Protection AI engine and machine learning algorithms. This will assist with assessing how urgent the incident is and the priority of investigation for a specific machine or user based on various indicators such as employee job title, permissions, previous user behaviour and asset type.
Policies provided by Azure AD Identity Protection can be fine-tuned to preference using a severity slider of Low, Medium or High. The sensitivity slider allows you to control which alerts are ingested within MCAS to reduce or increase the event detection based on severity.
Azure AD Identity Protection also provides automated protection controls specified within its policies. Suppose an account was identified as a risk. In that case, a policy can enforce the user to verify their identity and request that they change their password, thus, providing proactive security controls to be enforced. At the same time, an incident response investigation can be carried out within MCAS.
AZURE INFORMATION PROTECTION (AIP)
Apply classification labels as a governance action to files that match specific policies
View all classified files in a central location
Investigation according to classification level, and quantify the exposure of sensitive data over your cloud applications
Create policies to make sure classified files are being handled properly
With the integration and use of Azure Information Protection, MCAS can specify policies to apply classification labels automatically, with or without protection and enforce how sensitive files can be used. Files can be investigated by filtering for the applied classification label within the MCAS portal and enables greater visibility and control of sensitive data in the cloud.
AIP labels must first be published as part of the policy via the Azure Information Protection portal within Azure AD before they can be used within MCAS. If labels are migrated to unified labels, labels must be published via Office 365 Security and Compliance Centre.
DEFENDER FOR IDENTITY
Provides security alerts divided into categories seen in a typical cyber-attack kill chain
Alerts on suspicious user behaviours and activities
After enabling Microsoft Defender for Identity integration, on-premise user activities will be forwarded to MCAS for all the users in the organisation's environment. Advanced insights on your users that combine alerts and suspicious activities are provided across cloud, on-prem and hybrid environments. Microsoft Defender for Identity policies will also be populated within MCAS's policies tab providing readily available detection capabilities based on the data being integrated within MCAS.
Microsoft Defender for Identity security alerts provides MCAS with the ability to distinguish the suspicious activities detected by Microsoft Defender for Identity sensors on the network. The threat actors and endpoints involved in each threat. Security alerts raised within Microsoft Defender for Identity contain direct links to the involved users and endpoints, allowing investigations easy and direct to investigate within the MCAS investigation tab.
The security alerts are divided into categories seen in a typical cyber-attack kill chain such as the following:
Reconnaissance phase alerts
Compromised credential phase alerts
Lateral movement phase alerts
Domain dominance phase alerts
Exfiltration phase alerts
CONDITIONAL ACCESS APP CONTROL
Conditional Access App Control utilises a reverse proxy once integrated with a cloud identity provider (IdP) such as Azure conditional access, AWS or Google Cloud Platform. With the integration of Azure Conditional Access, apps can be quickly and easily be configured to work with Conditional Access App Control to provide session control for your organisation's cloud apps-based conditions defined within an MCAS policy such as the following:
Block download, cut, copy and print sensitive documents
Blocks the upload or download of potentially malicious files scanned against MS Threat Intel
Monitor risky users signing into apps and their actions within the session to ensure compliance with regulatory standards
Can block for specific app and users to enforce company compliance and policies
It's essential to enable users in your organisation to make the most of the services and tools available to them in cloud apps and mobile devices. However, it's just as crucial of ensuring that confidentiality, integrity and availability are still being provided.
To achieve this, Conditional Access App Control provides real-time control of a user's cloud application session or an on-premises app that uses the Azure AD Application Proxy. By implementing a session control, you can monitor and stop potential breaches and data leaks in real-time, before employees intentionally or inadvertently put your data and organisation at risk.
You may want to connect MCAS to your existing Security Information and Event Management (SIEM) solution to enable alerting from across your cloud environment and to contain a centralised way of monitoring of all alerts and activities from connected cloud apps. Integrating your SIEM with MCAS allows you to protect your cloud applications better while maintaining your usual security workflow, automating security procedure, and correlating between cloud-based and on-premise events.
Once your SIEM solutions are integrated with MCAS, all alerts and activities will be forwarded from MCAS to the SIEM form the last two days. The below diagram demonstrates the basic architecture of the telemetry data being taken from MCAS over an encrypted HTTPS channel on port 443, and then be forwarded to the internal log server that's running the MCAS SIEM agent and then being received by the SIEM.
The integration can be easily achieved by configuring the MCAS RESTful API and specifying the log server configurations settings, e.g. remote IP and Syslog port. You can also filter the alerts and activities that have occurred within your cloud environment to be forwarded to the SIEM agent. Upon completion, MCAS will generate a SIEM token which is required for the installation of the MCAS SIEM agent to complete the integration and begin streaming the alerts and activities into the SIEM solution.
Secure Web Gateway (SWG) Secure Web Gateway monitors your organisation's traffic allowing the capability of setting policies to block user web sessions. Together, with the integration of MCAS and your SWG, they will enhance the Cloud Discovery security experience.
The integration will provide seamless deployment of Cloud Discovery by using the SWG to proxy traffic and sent it to MCAS. This eliminates the requirement of installing log collectors on security network appliances within your organisation to enable Cloud Discovery. With the block capabilities of an SWG, the process of blocking unsanctioned apps within MCAS can be automated. This work with any app that you set as unsanctioned in MCAS which will be pinged by the SWG every two hours, and then automatically blocked by the SWG.
MCAS will also enhance your SWG with its risk assessment for 200 currently leading cloud apps and a risk assessment on the 200 leading cloud apps, which can be viewed directly from one the one following supported SWG products:
Established in 2004, Satisnet Limited are a leading Security Integrator, Managed Security Services Provider (MSSP) and Cyber Training Innovator, with operations throughout the UK and EMEA. Boasting 60+ staff spread across three 24x7x365 UK-based, Security Operations Centres (SOCs) Satisnet are an industry-leader in the security/infrastructure space. A fledgeling Satisnet entered the cyber security space in 2002 focusing on a problem that few at the time recognised, namely vulnerability and patch management. Quickly establishing themselves as the EMEA leaders in this field, and partnering as Platinum Partners with key vendors in this space, Satisnet are excited to be partnering with another ‘Patch Powerhouse’ who are bringing a fresh approach to the space.