An explanation of the Cloud App Security products, demonstrating the features of Microsoft Cloud App Security and some of the current caveats, and summarising the steps required to set up MCAS to pull meaningful data from your hybrid environment.
Securing the hybrid environment with Microsoft Cloud App Security
1. Our Gold Sponsors:
Securing the hybrid environment with Microsoft Cloud App Security
Matt Fooks
IT Infrastructure & Cloud Tech Manager
matt.c.fooks@gmail.com
2. Speaker Introduction
• Matt Fooks
• Infrastructure Team Leader / Cloud Enthusiast
• https://blog.cloudsinreach.com / @MattFooks
• Email matt.c.fooks@gmail.com
• Co-host Microsoft 365 User Group @M365User
https://m365usergroup.com
4. Benefits of Cloud App Security
• Discover and assess risks
• Control access
• Protect your information
• Detect and protect
5. A tale of two products
MCAS - Microsoft Cloud App Security
• Discovered apps: 16,000
• Auto log upload
• Log anonymisation, cloud app risk assessments, App/IP/User analytics
• DLP support with AIP and third parties
• Connect to third-party SIEM products
OCAS - Office 365 Cloud App Security
• Discovered apps: 750+
• Manual log uploads / snapshots
• Office 365 DLP support only
• Connects Office 365 alerts only
7. CAS role based access
• Office 365 Global Admins and Security Administrators have full access
• Compliance Administrator – Read-only, but can change/add some data controls
• Security Reader – Read-only
• App/Instance Admin – View and control for a specific app or instance of an app
• Group Admin – View and control access for CAS for a specific group
• MSSPs – Can be granted any role, and MSSPs can manage CAS for multiple client tenants
12. Investigate
To aid investigation CAS has a few dashboard tools:
• Activity Log
• Files
• Users and Accounts
• Security Configuration
• App permissions
13. Control over Cloud Apps
• Access control
• Compliance
• Configuration control
• Cloud discovery
• DLP Control
• Privileged accounts
• Sharing control
• Threat detection
21. Steps to continuous log collection
• Create your Ubuntu/Red Hat machine (on-premise or Azure)
• Create a data source in MCAS
• Create log collector from MCAS selecting your data source(s)
• Add networking ports for the receiver type you are using to Azure/Firewall
• Install Docker
• Deploy log collector
• Configure exports from your device to the log collector
25. Add networking ports
• Add rule(s) to allow logs from your devices – In the example below we have opened up TCP ports 601-700 inbound from our Firewall (10.0.0.56).
• Add rule to manage your server – SSH (port 22) inbound from your known locations
26. Install Docker and configure it
Log on to your log collector and install Docker:
Next deploy the log collector:
Good afternoon, thank you for attending my talk on Microsoft Cloud App Security.
I’ll run through the topic of Cloud App Security, then demonstrate some of the features
Firstly can I see a show of hands of anyone using Cloud App Security?
Anyone thinking of using it?
Anyone just came here to sleep off lunch?
A little bit about myself and what I do.
I work for Plexus, a UK law firm headquartered in Leeds. I run their infrastructure, network, telephony and cloud team.
Outside of the day job I also co-host the Microsoft 365 User Group with a couple of MVP friends.
These are held every two months in Leeds and aim to be a forum to share knowledge on Microsoft 365 services/features, adoption, implementation and experiences.
Our next session is on 24th October 2018 in Leeds, so please get in touch if you're interested in attending or speaking at this event or future events.
Microsoft Cloud App Security is a Cloud Access Security Broker (CASB)
It was developed by a company called Adallom which Microsoft acquired in July 2015.
For a rumoured $250 million!
My involvement in MCAS – Running it in production since June, running with OCAS a few months before that. Helped another company get going with MCAS.
Why – I think it’s a worthy addition to accompany your security toolset.
Helped discover pockets of cloud storage / webmail being used by areas of the business
We then gained control of these through blocking on our endpoint devices.
My interest in security has increased over recent years after being close to a number of security incidents and seeing their effects. I saw a friend lose his job after his company was hit by Petya ransomware. DLA Piper, a large international law firm, was also hit severely.
CAS is part of Microsoft 365’s security tools; it’s not a silver bullet. You should implement this alongside MFA, AIP, DLP, Intune, Secure Score, Privileged Identity Management and other services.
CAS has four aims
With CAS you gain visibility into your Office 365 environment usage and the use of shadow IT. It also provides an assessment of risks.
Real-time control over your Office 365 environment: apply sanctioned and unsanctioned labels to apps, revoking access to risky applications.
It’s also about protecting your information – providing monitoring and control of your data in the cloud, enforcing DLP policies and alerting on them. It can give you control of third-party apps such as Dropbox and Box.
Last but not least it has threat detection and protection – helping you by identifying risks, abnormal behaviour and security incidents. It can protect you by applying actions like blocking an account from a cloud app, Azure AD or Office 365.
There are two Cloud App Security products with some big differences.
Microsoft Cloud App Security has – 16,000 discovered apps, ability to auto-upload logs from your on-prem/datacentre proxies and firewalls, Log anonymisation for privacy (important in this GDPR era), comprehensive risk assessments and analytics on Apps, IP addresses and users, DLP support, AIP and third party SIEM products
Office 365 Cloud App Security has – Only 750+ cloud apps, manual log uploads/snapshots, only supports Office 365 DLP and doesn’t provide the ability to revoke access (which is a good feature of MCAS). This is the power of MCAS alerts – having them not only detect but protect.
It’s the same dashboard experience, but MCAS is more feature rich than OCAS. Both have a place and depend very much on your environment. If you manage an environment which exists mainly in the cloud space, OCAS is right for you. However, if you utilise both Office 365 and on-prem and have existing security products (firewalls, proxies, DLP, SIEM solutions), then MCAS will allow some integration and insight into cloud and on-prem.
https://docs.microsoft.com/en-us/cloud-app-security/editions-cloud-app-security-o365
To get your hands on OCAS you need: part of EMS E5 or standalone.
EMS E5 is not as expensive as Office 365 E5 so it could be affordable to your business.
CAS uses RBAC
O365 Global admins/security admins – FULL ACCESS
Compliance Admins – Read-only, create/modify file policies, allow file governance actions, view all built in reports in data management
Security Reader – Is pretty much a read-only role
App/Instance Admin – View and control for a specific app or instance of an app
Group Admin - Has permissions to all of the data in Microsoft Cloud App Security that deals exclusively with the specific group selected here. For example, if you give a user admin permission to the group “Birmingham - all users”
App Admin and Group Admin have some further restrictions:
No App permissions, Files page permissions, Conditional Access App Control permissions, or Cloud Discovery activity permissions
Microsoft Cloud App Security enables you to invite external Managed Security Service Providers (MSSPs) as administrators of your Microsoft Cloud App Security portal. External users can now be configured as administrators and assigned any of the roles currently available in Microsoft Cloud App Security
MCAS helps you Discover, Investigate and Control security/compliance. Helping you prevent and effectively deal with incidents.
Now we will take a look at the features of MCAS
After logging into CAS you will land at the General Dashboard.
This gives you an overview of what’s going on in a friendly manner.
You can see traffic lights for your various apps as well as files monitored, risks, alerts and trends.
Scroll down and you can see activity, trends and location maps of cloud apps or users.
You then have a further dashboard
which gives you more insights into discovered Apps, IPs and users
Worth mentioning is the Cloud App Catalog.
This is where you can review a detailed assessment on the apps your business or clients use.
It rates these apps according to various security and compliance standards and vulnerabilities
You can tailor this to what matters to your business. We will take a look at this a little later.
To aid investigation CAS has a few dashboard tools
Each of these gives you more insights to help aid an investigation
I’ll show a couple of these areas a little later in the demo.
CAS’s power comes from its control over apps – not just insights – I’ll explain a little about what benefits each of these bring.
Access control: Who accesses what from where? CAS continuously monitors behaviour and detects anomalous activities, including high-risk insider and external attacks. It can then apply policies to alert, block, or require identity verification for any app or specific action within an app. It detects suspicious login events, including MFA failures, disabled account login failures, and impersonation.
Compliance: Are you in breach of your compliance standards? CAS Catalogues and identifies sensitive or regulated data, including sharing permissions for each file, ensuring compliance with regulations such as PCI, SOX, and importantly GDPR!
Configuration control: Are unauthorized changes being made to your configuration? CAS detects them.
Cloud Discovery: Investigate what shadow IT you have and usage information. Clearly see and demonstrate the risk, suggest alternatives, block risky apps – Basically get control back!
DLP: Are your files being shared publicly? Do you need to quarantine files? CAS can fit into your existing on-prem DLP solutions to achieve this.
Privileged accounts: Everyone should monitor their admin accounts. CAS provides real-time activity monitoring of privileged users and admins.
Sharing control: How is data being shared in your cloud environment? Inspect the content of files and content in the cloud, and enforce sharing policies. Blocking files from being shared outside your organization.
Threat detection: Are there suspicious activities threatening your cloud environment?
Alerts to threats by policies you set. By applying machine learning algorithms Cloud App Security enables you to detect behaviour that could indicate that a user is misusing data.
Using Cloud App APIs CAS can give you more visibility and control for connected Apps.
Account information: Visibility into users, accounts, profile information, status (suspended, active, disabled) groups, and privileges.
Audit trail: Visibility into user activities, admin activities, log on activity.
Data scan: Scanning of unstructured data using two processes – periodically (every 12 hours) and in real time (triggered each time a change is detected).
App permissions: Visibility into issued tokens and their permissions.
Account governance: Ability to suspend users, revoke passwords, etc.
Data Governance: Ability to quarantine files, including files in trash, and overwrite files.
App permission governance: Ability to remove tokens.
The unsanctioned app report can generate a script to run on your device to block access to these apps:
Discovered Apps > … at the top/title > Block apps > Generate Block Script > apply to your device
MCAS is a security service that can protect the cloud but also go further and protect your datacentre environment.
Microsoft recognise that many businesses will never completely move to the cloud, and so a tool that protects just the cloud wouldn’t fit many environments.
Let’s take a look at how it can do that and to what extent.
The diagram shows the architecture for Cloud App Security
It shows how it fits in with your existing environment.
Pulling information from your existing security endpoints.
There is a growing list of security products that CAS can pull logs from; these include the following:
Barracuda - Web App Firewall (W3C)
Blue Coat Proxy SG - Access log (W3C)
Check Point
Cisco ASA Firewall (For Cisco ASA firewalls, it is necessary to set the information level to 6)
Cisco ASA with FirePOWER
Cisco IronPort WSA
Cisco ScanSafe
Cisco Meraki – URLs log
Clavister NGFW (Syslog)
Dell Sonicwall
Digital Arts i-FILTER
Fortinet Fortigate
iboss Secure Cloud Gateway
Juniper SRX
Juniper SSG
McAfee Secure Web Gateway
Microsoft Forefront Threat Management Gateway (W3C)
Palo Alto series Firewall
Sophos SG
Sophos XG
Sophos Cyberoam
Squid (Common)
Squid (Native)
Websense - Web Security Solutions - Investigative detail report (CSV)
Websense - Web Security Solutions - Internet activity log (CEF)
Zscaler
This table is key to understanding what you will get from your on-premise or Azure devices.
This matrix will allow you to understand exactly which devices by which vendors are supported, and what information can be populated from these devices through your log collector to MCAS.
You may be employing several of these devices depending on your environment’s needs and size. You may have several different perimeter firewalls in use, a proxy solution, as well as security devices that protect your Wi-Fi. Understanding what you can get from these devices against what your requirements are from MCAS will help you decide what logs to collect and inject into Cloud App Security.
This also applies to OCAS, because if you export logs from your security device or appliance you can upload them as a snapshot; I will show that process during the demo in a bit.
https://docs.microsoft.com/en-us/cloud-app-security/set-up-cloud-discovery
As discussed with both MCAS and OCAS you can upload logs manually.
These are called a snapshot – “An exported log from your device for a set period of time or file size.”
You can anonymise the data simply by checking a box
You are limited to 20 log files of 1 GB max per log file, so 20 GB in total at a time.
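The snapshot limits above are easy to trip over when exporting a month of proxy logs, so here is an added pre-flight check (my own example, not Microsoft's code) that applies the 20-file and 1 GB-per-file limits and guesses which of the supported formats each export is, so the matching data source type is chosen in the portal. The format fingerprints for W3C, CEF and Squid are my assumptions from the public format specs; the sample files and sizes are constructed.

```python
"""Pre-flight checks for a Cloud App Security manual snapshot upload.
Constructed example for this talk, not Microsoft's code. It encodes the limits
stated above (20 log files per snapshot, 1 GB per file) and guesses which of the
listed formats (W3C, CEF, Squid native/common) an export is, so the matching
data source type can be picked. Fingerprints are my assumptions from the specs.
"""
import re

MAX_FILES = 20
MAX_FILE_BYTES = 1024 ** 3  # 1 GB per file, so 20 GB per snapshot
# Minimal fingerprints for formats named in the supported-device list.
W3C_HEADER = re.compile(r"^#(Software|Version|Fields|Date):")
CEF_PREFIX = re.compile(r"\bCEF:0\|")  # CEF:0|Vendor|Product|Ver|ID|Name|Sev|ext
SQUID_NATIVE = re.compile(r"^\d{9,10}\.\d{3}\s+\d+\s+\S+\s+\w+/\d{3}\s+\d+\s+[A-Z]+\s+\S+")
SQUID_COMMON = re.compile(r'^\S+ \S+ \S+ \[[^\]]+\] "[A-Z]+ \S+ [^"]*" \d{3} (\d+|-)')

def detect_format(lines):
    """Label the first recognisable line of an exported log, or 'unknown'."""
    for line in lines:
        line = line.rstrip("\r\n")
        if not line:
            continue
        if W3C_HEADER.match(line):
            return "w3c"
        if CEF_PREFIX.search(line):
            return "cef"
        if SQUID_NATIVE.match(line):
            return "squid-native"
        if SQUID_COMMON.match(line):
            return "squid-common"
    return "unknown"

def check_snapshot(files):
    """files: list of (name, size_bytes, sample_lines) -> (ok, problems, formats)."""
    problems = []
    if len(files) > MAX_FILES:
        problems.append(f"{len(files)} files exceeds the {MAX_FILES}-file snapshot limit")
    formats = {}
    for name, size, sample in files:
        if size > MAX_FILE_BYTES:
            problems.append(f"{name}: {size} bytes exceeds the 1 GB per-file limit")
        formats[name] = detect_format(sample)
        if formats[name] == "unknown":
            problems.append(f"{name}: format not recognised, check the data source type")
    return (not problems, problems, formats)

# Constructed sample exports (sizes made up) standing in for real device logs.
SAMPLE_FILES = [
    ("proxy-w3c.log", 50_000, ["#Software: SGOS", "#Fields: date time c-ip cs-uri"]),
    ("websense.cef", 1_000, ["Aug 18 10:00:00 wsg CEF:0|Websense|Security|8.5|100|Transaction|3|src=10.0.0.5"]),
    ("squid-native.log", 2_000, ["1534567890.123    120 10.0.0.5 TCP_MISS/200 1234 GET http://example.com/ - HIER_DIRECT/93.184.216.34 text/html"]),
    ("squid-common.log", 2_000, ['10.0.0.5 - - [18/Aug/2018:10:00:00 +0100] "GET http://example.com/ HTTP/1.1" 200 1234 TCP_MISS:HIER_DIRECT']),
    ("huge.log", 2 * 1024 ** 3, ["#Fields: date time c-ip"]),
    ("mystery.txt", 10, ["hello world"]),
]
```

Run check_snapshot(SAMPLE_FILES) and it flags the oversized file and the unrecognised one while labelling the other four, which is the point where you would fix the export before hitting the upload limits in the portal.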
Look at the dashboard, app controls and risk assessments, File tracking, templates and policies, alerts, creating a snapshot and setting up your log collector.
Look at the dashboard
Apps and the risk assessments | Show the Cog, Cloud Discovery settings – Customise metrics that your business or clients is interested in – change GDPR right to erasure.
Look at other settings that you can configure (email, custom logging, ...)
File Tracking – Show tracking files, click on file
Templates and policies – Show the policies, create a discovered cloud app policy
Alerts and suspending accounts
Creating a snapshot from an exported device log
The unsanctioned app report can generate a script to run on your device to block access to these apps:
Discovered Apps > … at the top/title > Block apps > Generate Block Script > apply to your device
9. Steps to creating a log collector
Ubuntu/Docker on-premise or Azure? Or RHEL if on-prem. If the only device you want to connect up is a Zscaler this is different and doesn’t require a log collector.
You could previously create a Windows machine, however that option was pulled. In most environments the sysloggers for your network are usually Linux anyway.
Create a data source – Based on the device you want to export logs from and ingest to MCAS
Create log collector from MCAS selecting your data source(s)
Install Docker (MCAS gives you the command to run)
Deploy the log collector (MCAS will give you the command to run)
Verify the log collector is running properly (MCAS will give you the command to run) – docker logs LogCollect01
Configure exports from your device to the log collector – In many devices this could be as easy as adding the IP of your log collector and a schedule into the device’s syslog settings
https://docs.microsoft.com/en-us/cloud-app-security/discovery-docker-ubuntu-azure
On-premises is similar; you will just need the Ubuntu machine to bypass the proxy.
In the production environment I look after we have this running in our Data Centre, the procedure is very similar.
TECH SPECS:
OS: Ubuntu 14.04 and 16.04 (for newer versions, contact support)
Disk space: 250 GB
CPU: 2
RAM: 4 GB
Set your firewall as described in Network requirements
Add virtual machine > Choose Ubuntu (in this case as it’s in Azure) > Complete the basics > choose the size of the VM (disk size), scaled for how many Data Sources you will use.
https://docs.microsoft.com/en-gb/cloud-app-security/discovery-docker-ubuntu-azure
Create a Data Source – Telling it what device and what receiver type to pull logs from
You can create a data source for each device you want data from, depending on your requirements
Create your log collector
Giving it your Ubuntu/Red Hat machine’s IP address
And pointing it to the Data Source we created in the previous step
In your VM’s Networking settings (NSG)
Add rule(s) to allow logs from your devices – In the example below we have opened up TCP ports 601-700 inbound from our Firewall (10.0.0.56).
Add rule to manage your server – SSH (port 22) inbound from your known locations
Install Docker (MCAS gives you the command to run)
Deploy the log collector (MCAS will give you the command to run)
Verify the log collector is running properly (MCAS will give you the command to run) – docker logs LogCollect01
Then configure your on-prem / Azure device to export logs to syslog port
Go to Settings > Automatic log upload
Check that it is connected to the log collector
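Before the firewall or proxy is reconfigured to export, it is worth proving that the NSG rule and the collector container actually accept a TCP syslog line on the receiver port (601-700 in the slides). This added Python check is my own example, not part of the talk or of Microsoft's tooling; the host, port and the Cisco ASA-style level-6 message are constructed, and the listener only stands in for the collector so the probe can be exercised offline.

```python
"""Connectivity check from a log source to the MCAS log collector receiver port.
Added example, not from the talk or Microsoft's tooling. Before pointing a
firewall at the collector, confirm the NSG rule and the container are accepting
syslog on the chosen TCP port (the talk opens 601-700). Host, port and the
sample message are constructed; the listener stands in for the collector.
"""
import socket
import threading
import time

# Constructed Cisco ASA-style level-6 (informational) message, the logging
# level the talk says ASA must be set to for MCAS to receive connection records.
SAMPLE_SYSLOG = ("<134>Aug 18 10:00:00 fw01 %ASA-6-302013: Built outbound TCP connection "
                 "12345 for outside:93.184.216.34/443 to inside:10.0.0.5/51234")

def send_syslog_tcp(host, port, message, timeout=3.0):
    """Send one newline-framed syslog line over TCP; True if connect+send worked."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(message.encode("utf-8") + b"\n")
        return True
    except OSError:  # refused, filtered by the NSG, or timed out
        return False

def start_capture_listener(host="127.0.0.1", port=0):
    """Collector stand-in: accept one connection and capture its first line.
    Returns (bound_port, holder); holder["line"] is filled in on receipt."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, port))
    srv.listen(1)
    holder = {"line": None}

    def run():
        conn, _ = srv.accept()
        srv.close()  # one-shot: stop listening so a later probe is refused
        with conn:
            data = b""
            while b"\n" not in data:
                chunk = conn.recv(4096)
                if not chunk:
                    break
                data += chunk
        holder["line"] = data.split(b"\n")[0].decode("utf-8", "replace")

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1], holder

def wait_for_line(holder, timeout=2.0):
    """Poll the holder until a line arrives or the timeout expires."""
    deadline = time.time() + timeout
    while holder["line"] is None and time.time() < deadline:
        time.sleep(0.02)
    return holder["line"]

if __name__ == "__main__":
    port, holder = start_capture_listener()
    print("sent:", send_syslog_tcp("127.0.0.1", port, SAMPLE_SYSLOG))
    print("collector saw:", wait_for_line(holder))
```

Against a real collector, call send_syslog_tcp with the collector's IP and receiver port from the device's network and then confirm the line appears in docker logs; a False return means the port rule or the container, not the device export, needs fixing first.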
How does it compare to other security products? It all depends on your requirements and your environment.
It doesn’t sniff packets on the network like some solutions so will not give you deep insights into your network devices. It is only as good as the logs you ingest to it.
I find it is a great tool for shadow IT and understanding the compliance risks. In my production environment it really complements our other security tools.
If you have other questions at a later date feel free to get me on twitter or drop me an email.
Thank you for attending I hope you found this useful and thanks to our sponsors for making this event possible.