Use Microsoft Defender for Cloud Apps to Protect your M365 Tenant

That the world of IT is changing is an understatement, and that it’s changing quicker than it used to is common knowledge, but the ramification of those changes can be hard to perceive when we’re in the middle of the shifting sands. Only a few years ago, having good firewall systems with content filtering and malware inspection was considered state of the art. Today, you have two problems, first, most of your users aren’t in the office so they’re not behind that big “blinky light” protector and second, most of the applications and services your users are accessing aren’t on-premises anymore, they’re cloud services that they access from any device with an internet connection.

No problem says the older, “pry my servers from my cold, dead hands” IT Pro, we’ll just force everyone’s traffic back to on-premises via VPN and then we can inspect all the traffic. Sounds good? Quick question, when your VPN went from 10% of the workforce using it to 100% at the start of 2020 – how was the user experience? And even if that was mitigated, how’s their experience when they’re using Teams / Zoom? Not quite so “modern” anymore?

The point is that security and firewall and filtering need to move with the times and in this article, we’re going to discuss Cloud Access Security Brokers (CASBs) and specifically, Microsoft’s Defender for Cloud Apps (MDCA), up until recently known as Microsoft Cloud App Security (MCAS). We’ll also look at how you can use MDCA specifically with Microsoft 365.

A CASB is an on-premises or cloud-based software firewall that sits between cloud services and users, enforcing policies and monitoring activity.

Deploy Microsoft Defender for Cloud Apps

While the new name makes perfect sense, I know that I’ll have to deal with numerous questions about the difference between it and Microsoft Defender for Cloud, the new name for Azure Security Center and Azure Defender. Defender for Cloud is all about protecting workloads in Azure (and AWS & GCP, hence the name change from Azure Defender to Defender for Cloud), whereas Defender for Cloud Apps is all about spotting shadow IT, managing SaaS service access by your end-users, and applying policy.

Let’s start with how it works – MDCA needs to have data on what apps your users are browsing on the internet. You can continuously upload logs from your on-premises firewalls and proxy servers, you can integrate directly with a set of cloud services that have API connections and you can use Microsoft Defender for Endpoint as an agent for MDCA. The number of cloud services that can be integrated into MDCA are increasing, at the time of writing they are:

• • Atlassian (Preview)

• • AWS

• • Azure

• • Box

• • Dropbox

• • Egnyte

• • GCP

• • GitHub Enterprise Cloud

• • Google Workspace

• • NetDocuments

• • Office 365

• • Okta

• • OneLogin

• • Salesforce

• • ServiceNow

• • Slack

• • Smartsheet

• • Webex

• • Workday

• • Zendesk

The list of supported firewalls and proxies is too long to list, but you can find it here. It includes all the usual suspects plus cloud-based “firewalls” such as Zscaler and iboss. You can also use Syslog or FTP with “container appliances” to upload custom logs to MDCA and you can customize the log parser if you need to.

As mentioned, if you’re using Defender for Endpoint (MDE) Plan 2 on Windows 10/11, it’s an excellent way to gather data for MDCA. Note that while MDE also supports Android, iOS, Linux and MacOS, they’re not supported as agents for MDCA today, and Defender for Business (in public preview) and Defender for Endpoint Plan 1 (included in Microsoft 365 E3) also aren’t supported. Since both MDCA and Endpoint Plan 2 are part of Microsoft 365 E5 licensing, this is less of a hurdle than you might think (see flavors below). The steps to integrate them are really simple, a single slider in each portal needs to be enabled.

The power this brings is not to be underestimated, you get a full 360 view of all services accessed by your users, no matter where they’re working and how they’re connecting, and you can apply policies to them.

Shadow IT Discovery

OK, once you have data flowing into Defender for Cloud Apps through any of the methods above, you’ll start getting Cloud Discovery reports. This will tell you what service categories are most used, which apps are most used by your users and if there’s the usage of high/medium and low-risk apps. Commonly known as shadow IT, this is the usage of apps that the business isn’t aware of, including potential storage of sensitive data in these locations. It’s vital that this is discovered and managed and Defender for Cloud Apps helps you a lot with this task.

Defender for Cloud Apps Cloud Discovery dashboard

Based on this data you can start digging into the riskiest apps with high usage and identify why they’re being used and what the risks are. There’s a built-in catalog of 30,036 apps (and growing, last time I looked it was just over 27,000). Each app/cloud service in the catalog has an overall score from 1-10, based on four categories, General, Security, Compliance and Legal.

Defender for Cloud Apps catalog listing

The point of the catalog is to give you instant visibility into the security stance (perhaps of a service you’ve just found out is used by the entire finance department) and regulatory compliance of an app, without having to spend hours digging through their website or requesting more information from them. For instance, if your organization requires suppliers to adhere to a specific compliance regulation you can filter the catalog to identify any application in use that doesn’t.

The next step is to sanction or unsanction an app. The latter will block access if you’re using Defender for Endpoint, Zscaler or iboss and there are options to download a script to add the block to on-premises firewalls. But even if you’re not outright blocking the use of these apps, it does allow you to track down the users and suggest an alternative app with a better security track record.

Another way that I find this discovery useful is by letting me find popular apps that I can publish through Azure Active Directory for users to add governance around their usage.

Using Defender for Cloud Apps

There are several types of policies you can use to detect risky behavior, and suspicious activity and in some cases, automatically remediate the issue. Activity policies use the APIs of integrated applications and let you build custom alerts for multiple failed sign-ins, large amounts of file downloads or logins from unusual countries or regions. Anomaly detection uses User and Entity Behavioral Analytics (UEBA) and Machine Learning and for most detections, it takes seven days to establish a baseline so it can identify what’s unusual. Signals used in these policies include risky IP addresses, inactive accounts, location, device, user agent etc. Malware detection across Box, Dropbox, Google Workspace and Office 365 (when used with Defender for Office 365) are one of these policies.

Defender for Cloud Apps activity policy to catch ransomware

OAuth app policies keep an eye on apps that are granted permissions in Azure AD, either by end-users (if you allow this) or by administrators, we covered the risks and mitigations in-depth in an article and webinar.

File policies bring a built-in DLP engine to inspect content across 100+ file types and allow you to take automated action when the content matches your criteria. You can create policies for publicly shared files, files shared with a specific domain or with a specific set of unauthorized users, and even for specific high-risk file extensions.

Access policies is a very cool concept, essentially combining the best of Azure AD Conditional Access policies with the app control of MDAC. You deploy the apps using Conditional Access App Control and this lets you not only block access to applications based on the device the user is using for instance, but it also allows you to use session policies to control what a user can do in the app. You can monitor all activity, block all downloads, block specific activities, require step-up authentication for sensitive tasks, protect files on download or upload, block malware and educate users on protecting sensitive files.

Defender for Cloud Apps cloud discovery anomaly detection policy

Finally, App discovery policies alert you to new cloud services that are being used (to continue the fight against Shadow IT) and cloud discovery anomaly detection policies alert you to unusual activity in cloud apps.

Unlike many other security applications, what I like about Defender for Cloud Apps is that it creates many default policies for you “out of the box” so you’re getting good protection, even before you create your own policies.

Alerts from these policies can be sent as emails, or text messages or you can use a Power Automate playbook to notify the right people. You can also automatically disable a user account, require the user to sign in again or confirm them as compromised to automatically contain a potential attack.

As you can see, you can provide granular control over what your users can and can’t do in cloud applications and if they’re working from home (on Windows 10/11 devices) they’re still under your purview. Note that it’s not only end-user SaaS services that are protected with Defender for Cloud Apps: AWS, GCP and Azure admin access and usage can also be monitored and controlled.

The integration with the rest of the Microsoft 365 Defender stack is also strong, here’s an example of a Data Loss Prevention policy being used to control sensitive data in third-party apps.

Microsoft 365 Data Loss Prevention Policy integration

Flavors of Defender for Cloud Apps

There are three flavors of Defender for Cloud Apps, the full version that we’ve described so far, which is part of Microsoft 365 E5 licensing (or a stand-alone license). With Office 365 E5 you get Office 365 Cloud App Security which only has a catalog of about 750 cloud apps (that are similar in functionality to Office 365), only manual upload of firewall logs for analysis, app control and threat detections for office type apps only and Conditional Access App Control for Office 365 apps only.

Cloud App Discovery on the other hand is part of Azure Active Directory Premium P1 and brings the full catalog of cloud apps, and both manual and automatic log upload but no information protection / DLP or threat detections at all (hence the name “discovery”).

Here’s a deep dive on licensing if you really have trouble going to sleep. 🥱 Alternatively, I appeared on an episode of the Sysadmin DOJO Podcast discussing this exact topic:

Defender for Cloud Apps for Microsoft 365

There’s quite a steep price jump from Microsoft 365 E3 to E5 and this could have been a hard sell a few years ago, before the pandemic. Today, however, if your business collaboration is built on Office 365, digital transformation is the aim of the business and people are working from anywhere, the power of Defender for Cloud Apps, with Defender for Endpoint as the agent, makes it a lot easier to convince the bean counters.

If you’re an MSP and you have clients with strong security and compliance needs (financial industry, lawyers, medical facilities etc.), even if they’re an SMB, definitely consider the upgrade to E5. This doesn’t just give you Defender for Cloud Apps; it also offers Defender for Identity along with a whole heap of other security features.

To properly protect your Hyper-V virtual machines, use Altaro VM Backup to securely backup and replicate your virtual machines. We work hard perpetually to give our customers confidence in their Hyper-V backup strategy.

To keep up to date with the latest Hyper-V best practices, become a member of the Hyper-V DOJO now (it’s free).

Conclusion

As you can tell, Defender for Cloud Apps is a powerful tool with numerous uses. To learn more, visit the Ninja training page (each Microsoft security product has one) which is a set of links to webinars, docs pages, blog articles, interactive guides, product videos and GitHub repositories.