Our Gold Sponsors:
Securing the hybrid environment with Microsoft Cloud App Security
Matt Fooks
IT Infrastructure & Cloud Tech Manager
matt.c.fooks@gmail.com
Speaker Introduction
• Matt Fooks
• Infrastructure Team Leader / Cloud Enthusiast
• https://blog.cloudsinreach.com / @MattFooks
• Email matt.c.fooks@gmail.com
• Co-host Microsoft 365 User Group @M365User
https://m365usergroup.com
What is Microsoft Cloud App Security?
CASB – Cloud Access Security Broker
Benefits of Cloud App Security
• Discover and assess risks
• Control access
• Protect your information
• Detect and protect
A tale of two products
MCAS - Microsoft Cloud App Security
• Discovered Apps: 16,000
• Auto log upload
• Log anonymisation, cloud app risk assessments, App/IP/User analytics
• DLP support with AIP and third parties
• Connect to third party SIEM products
OCAS - Office 365 Cloud App Security
• Discovered Apps: 750+
• Manual log uploads / Snapshots
• Office 365 DLP support only
• Connects Office 365 alerts only
Licensing
MCAS - Microsoft Cloud App Security
OCAS - Office 365 Cloud App Security
CAS role based access
• Office 365 Global Admins and Security Administrators have full access
• Compliance Administrator – Read-only, but can change/add some data controls
• Security Reader – Read-only
• App/Instance Admin – View and control for a specific app or instance of an app
• Group Admin – View and control access for CAS for a specific group
• MSSPs – Can be granted any role; an MSSP can manage CAS for multiple client tenants
Cloud App Security Features
Discover – Investigate - Control
General Dashboard
Cloud Discovery Dashboard
Cloud App Catalog
Investigate
To aid investigation CAS has a few dashboard tools:
• Activity Log
• Files
• Users and Accounts
• Security Configuration
• App permissions
Control over Cloud Apps
• Access control
• Compliance
• Configuration control
• Cloud discovery
• DLP Control
• Privileged accounts
• Sharing control
• Threat detection
Connected Apps
Protect the hybrid environment
Collecting logs from existing devices
Cloud App Security Integration
Supported devices
Vendor data attributes

| Data source | Target App URL | Target App IP | Username | Origin IP | Total traffic | Uploaded bytes |
|---|---|---|---|---|---|---|
| Barracuda | Yes | Yes | Yes | Yes | No | No |
| Blue Coat | Yes | No | Yes | Yes | Yes | Yes |
| Checkpoint | No | Yes | No | Yes | No | No |
| Cisco ASA (Syslog) | No | Yes | No | Yes | Yes | No |
| Cisco ASA with FirePOWER | Yes | Yes | Yes | Yes | Yes | Yes |
| Cisco FWSM | No | Yes | No | Yes | Yes | No |
| Cisco Ironport WSA | Yes | Yes | Yes | Yes | Yes | Yes |
| Cisco Meraki | Yes | Yes | No | Yes | No | No |
| Clavister NGFW (Syslog) | Yes | Yes | Yes | Yes | Yes | Yes |
| Dell SonicWall | Yes | Yes | No | Yes | Yes | Yes |
| Digital Arts i-FILTER | Yes | Yes | Yes | Yes | Yes | Yes |
| Fortigate | No | Yes | No | Yes | Yes | Yes |
| Juniper SRX | No | Yes | No | Yes | Yes | Yes |
| Juniper SSG | No | Yes | Yes | Yes | Yes | Yes |
| McAfee SWG | Yes | No | No | Yes | Yes | Yes |
| MS TMG | Yes | No | Yes | Yes | Yes | Yes |
| Palo Alto Networks | No | Yes | Yes | Yes | Yes | Yes |
| Sophos | Yes | Yes | Yes | Yes | Yes | No |
| Squid (Common) | Yes | No | Yes | Yes | No | Yes |
| Squid (Native) | Yes | No | Yes | Yes | No | Yes |
| Websense - Investigative detail report (CSV) | Yes | Yes | Yes | Yes | Yes | Yes |
| Websense - Internet activity log (CEF) | Yes | Yes | Yes | Yes | Yes | Yes |
| Zscaler | Yes | Yes | Yes | Yes | Yes | Yes |
Creating a snapshot
Microsoft Cloud App Security
Demo
Steps to continuous log collection
• Create your Ubuntu/Red Hat machine (on-premises or in Azure)
• Create a data source in MCAS
• Create log collector from MCAS selecting your data source(s)
• Add networking ports for the receiver type you are using to Azure/Firewall
• Install Docker
• Deploy log collector
• Configure exports from your device to the log collector
Create an Ubuntu machine
Create Data Source
Create Log Collector
Add networking ports
• Add rule(s) to allow logs from your devices – in the example below we have opened TCP ports 601-700 inbound from our firewall (10.0.0.56) only.
• Add a rule to manage your server – SSH (port 22) inbound from your known locations only.
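A pre-deployment check for that slide's rules, added here as an example and not part of the original deck or of Microsoft's tooling: it reads a constructed list of NSG-style inbound rules and flags any that expose the collector's receiver ports (601-700) or SSH to more than the intended sources. The firewall address 10.0.0.56 is the one on the slide; the admin range 203.0.113.0/24 and the rule field layout are assumptions.

```python
"""Check the inbound rules on a Cloud App Security log-collector host.

Added example, not from the slides or from Microsoft: it reads a list of
firewall/NSG-style rules and flags any that open the collector's syslog
receiver ports or SSH to more than the intended sources.  The rule records
below are constructed to resemble Azure NSG rule fields; the admin range
203.0.113.0/24 is an assumed placeholder for "your known locations".
"""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass
class Rule:
    name: str
    priority: int
    direction: str   # "Inbound" or "Outbound"
    access: str      # "Allow" or "Deny"
    protocol: str    # "Tcp", "Udp" or "*"
    source: str      # single IP, CIDR, or "*" / "Internet"
    dest_ports: str  # "22", "601-700" or "*"


# Constructed sample: the two rules from the slide (syslog 601-700 from the
# firewall 10.0.0.56, SSH 22 from a known admin range) plus two weak rules
# that a hurried deployment often leaves behind.
SAMPLE_RULES = [
    Rule("allow-syslog-from-fw", 100, "Inbound", "Allow", "Tcp", "10.0.0.56", "601-700"),
    Rule("allow-ssh-admin", 110, "Inbound", "Allow", "Tcp", "203.0.113.0/24", "22"),
    Rule("allow-ssh-anywhere", 120, "Inbound", "Allow", "Tcp", "*", "22"),
    Rule("allow-syslog-lan", 130, "Inbound", "Allow", "Tcp", "10.0.0.0/8", "514-700"),
    Rule("allow-all-out", 200, "Outbound", "Allow", "*", "*", "*"),
    Rule("deny-all-in", 4096, "Inbound", "Deny", "*", "*", "*"),
]


def port_range(spec):
    """Turn "22", "601-700" or "*" into an inclusive (low, high) tuple."""
    if spec == "*":
        return 0, 65535
    low, _, high = spec.partition("-")
    return int(low), int(high or low)


def overlaps(spec, low, high):
    """True if the port spec touches any port in [low, high]."""
    a, b = port_range(spec)
    return a <= high and low <= b


def source_within(source, allowed):
    """True only if every address matched by `source` lies inside one of the
    `allowed` prefixes.  Wildcards, service tags and unparsable values are
    treated as not proven safe."""
    if source in ("*", "Internet", "Any"):
        return False
    try:
        net = ip_network(source, strict=False)
    except ValueError:
        return False
    for prefix in allowed:
        ok = ip_network(prefix, strict=False)
        if net.version == ok.version and net.subnet_of(ok):
            return True
    return False


def check_rules(rules, log_ports=(601, 700), syslog_sources=("10.0.0.56",),
                admin_sources=("203.0.113.0/24",)):
    """Return [(rule name, finding)] for inbound Allow rules that expose the
    collector ports or SSH beyond the intended sources.  The check is
    deliberately conservative: it ignores higher-priority Deny rules that
    might shadow an over-broad Allow, so a finding means "review this rule"."""
    findings = []
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.direction != "Inbound" or rule.access != "Allow":
            continue
        if overlaps(rule.dest_ports, 22, 22) and not source_within(rule.source, admin_sources):
            findings.append((rule.name,
                             f"SSH reachable from {rule.source}, expected {admin_sources}"))
        if overlaps(rule.dest_ports, *log_ports) and not source_within(rule.source, syslog_sources):
            findings.append((rule.name,
                             f"collector ports {log_ports[0]}-{log_ports[1]} reachable from "
                             f"{rule.source}, expected {syslog_sources}"))
    return findings


if __name__ == "__main__":
    for name, finding in check_rules(SAMPLE_RULES):
        print(f"{name}: {finding}")
```

Run it against an export of the real rule set before the collector goes live; an empty result means only the firewall can reach the receiver ports and only the admin range can reach SSH.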
Install Docker and configure it
Log on to your log collector and install Docker:
Next deploy the log collector:
Verify success in CAS
Any questions?
• Email matt.c.fooks@gmail.com
• Twitter @MattFooks
• Microsoft 365 User Group - @M365User – HTTPS://M365UserGroup.com
Gold Sponsors
Silver Sponsors
Bronze Sponsors

More Related Content

What's hot

Shared Security Responsibility for the Azure Cloud
Shared Security Responsibility for the Azure CloudShared Security Responsibility for the Azure Cloud
Shared Security Responsibility for the Azure CloudAlert Logic
 
Get On Top of Azure Resource Security Using Secure DevOps Kit for Azure
Get On Top of Azure Resource Security Using Secure DevOps Kit for AzureGet On Top of Azure Resource Security Using Secure DevOps Kit for Azure
Get On Top of Azure Resource Security Using Secure DevOps Kit for AzureKasun Kodagoda
 
Careers in Security
Careers in SecurityCareers in Security
Careers in SecurityJason Chan
 
CSS17: Atlanta - The AWS Shared Responsibility Model in Practice
CSS17: Atlanta - The AWS Shared Responsibility Model in Practice CSS17: Atlanta - The AWS Shared Responsibility Model in Practice
CSS17: Atlanta - The AWS Shared Responsibility Model in Practice Alert Logic
 
Techorama Belgium 2019 - Building an Azure Governance model for the Enterprise
Techorama Belgium 2019 - Building an Azure Governance model for the EnterpriseTechorama Belgium 2019 - Building an Azure Governance model for the Enterprise
Techorama Belgium 2019 - Building an Azure Governance model for the EnterpriseKarl Ots
 
Pragmatic Cloud Security Automation
Pragmatic Cloud Security AutomationPragmatic Cloud Security Automation
Pragmatic Cloud Security AutomationCloudVillage
 
FAUG Jyväskylä 28.5.2019 - Azure Monitoring
FAUG Jyväskylä 28.5.2019 - Azure MonitoringFAUG Jyväskylä 28.5.2019 - Azure Monitoring
FAUG Jyväskylä 28.5.2019 - Azure MonitoringKarl Ots
 
The AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in PracticeThe AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in PracticeAlert Logic
 
ISC2 Secure Summit EMEA - Top Microsoft Azure security fails and how to avoid...
ISC2 Secure Summit EMEA - Top Microsoft Azure security fails and how to avoid...ISC2 Secure Summit EMEA - Top Microsoft Azure security fails and how to avoid...
ISC2 Secure Summit EMEA - Top Microsoft Azure security fails and how to avoid...Karl Ots
 
Securing Systems at Cloud Scale with DevSecOps
Securing Systems at Cloud Scale with DevSecOpsSecuring Systems at Cloud Scale with DevSecOps
Securing Systems at Cloud Scale with DevSecOpsAmazon Web Services
 
CSS17: DC - The AWS Shared Responsibility Model in Practice
CSS17: DC - The AWS Shared Responsibility Model in PracticeCSS17: DC - The AWS Shared Responsibility Model in Practice
CSS17: DC - The AWS Shared Responsibility Model in PracticeAlert Logic
 
Azure DDoS Protection Standard
Azure DDoS Protection StandardAzure DDoS Protection Standard
Azure DDoS Protection Standardarnaudlh
 
From Zero to ATO: A Step-by-Step Guide on the DoD Compliance Framework
From Zero to ATO: A Step-by-Step Guide on the DoD Compliance FrameworkFrom Zero to ATO: A Step-by-Step Guide on the DoD Compliance Framework
From Zero to ATO: A Step-by-Step Guide on the DoD Compliance FrameworkAmazon Web Services
 
AWS Security for Financial Services
AWS Security for Financial ServicesAWS Security for Financial Services
AWS Security for Financial ServicesAmazon Web Services
 
Austin CSS Slalom Presentation
Austin CSS Slalom PresentationAustin CSS Slalom Presentation
Austin CSS Slalom PresentationAlert Logic
 
AWS Security Strategy
AWS Security StrategyAWS Security Strategy
AWS Security StrategyTeri Radichel
 
Cloud Application Security: Lessons Learned
Cloud Application Security: Lessons LearnedCloud Application Security: Lessons Learned
Cloud Application Security: Lessons LearnedJason Chan
 

What's hot (20)

Shared Security Responsibility for the Azure Cloud
Shared Security Responsibility for the Azure CloudShared Security Responsibility for the Azure Cloud
Shared Security Responsibility for the Azure Cloud
 
Get On Top of Azure Resource Security Using Secure DevOps Kit for Azure
Get On Top of Azure Resource Security Using Secure DevOps Kit for AzureGet On Top of Azure Resource Security Using Secure DevOps Kit for Azure
Get On Top of Azure Resource Security Using Secure DevOps Kit for Azure
 
Careers in Security
Careers in SecurityCareers in Security
Careers in Security
 
CSS17: Atlanta - The AWS Shared Responsibility Model in Practice
CSS17: Atlanta - The AWS Shared Responsibility Model in Practice CSS17: Atlanta - The AWS Shared Responsibility Model in Practice
CSS17: Atlanta - The AWS Shared Responsibility Model in Practice
 
Vault 1.4 launch webinar
Vault 1.4  launch webinar Vault 1.4  launch webinar
Vault 1.4 launch webinar
 
Techorama Belgium 2019 - Building an Azure Governance model for the Enterprise
Techorama Belgium 2019 - Building an Azure Governance model for the EnterpriseTechorama Belgium 2019 - Building an Azure Governance model for the Enterprise
Techorama Belgium 2019 - Building an Azure Governance model for the Enterprise
 
Pragmatic Cloud Security Automation
Pragmatic Cloud Security AutomationPragmatic Cloud Security Automation
Pragmatic Cloud Security Automation
 
FAUG Jyväskylä 28.5.2019 - Azure Monitoring
FAUG Jyväskylä 28.5.2019 - Azure MonitoringFAUG Jyväskylä 28.5.2019 - Azure Monitoring
FAUG Jyväskylä 28.5.2019 - Azure Monitoring
 
The AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in PracticeThe AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in Practice
 
ISC2 Secure Summit EMEA - Top Microsoft Azure security fails and how to avoid...
ISC2 Secure Summit EMEA - Top Microsoft Azure security fails and how to avoid...ISC2 Secure Summit EMEA - Top Microsoft Azure security fails and how to avoid...
ISC2 Secure Summit EMEA - Top Microsoft Azure security fails and how to avoid...
 
Securing Systems at Cloud Scale with DevSecOps
Securing Systems at Cloud Scale with DevSecOpsSecuring Systems at Cloud Scale with DevSecOps
Securing Systems at Cloud Scale with DevSecOps
 
CSS17: DC - The AWS Shared Responsibility Model in Practice
CSS17: DC - The AWS Shared Responsibility Model in PracticeCSS17: DC - The AWS Shared Responsibility Model in Practice
CSS17: DC - The AWS Shared Responsibility Model in Practice
 
Azure DDoS Protection Standard
Azure DDoS Protection StandardAzure DDoS Protection Standard
Azure DDoS Protection Standard
 
Become a Cloud Security Ninja
Become a Cloud Security NinjaBecome a Cloud Security Ninja
Become a Cloud Security Ninja
 
From Zero to ATO: A Step-by-Step Guide on the DoD Compliance Framework
From Zero to ATO: A Step-by-Step Guide on the DoD Compliance FrameworkFrom Zero to ATO: A Step-by-Step Guide on the DoD Compliance Framework
From Zero to ATO: A Step-by-Step Guide on the DoD Compliance Framework
 
AWS Security for Financial Services
AWS Security for Financial ServicesAWS Security for Financial Services
AWS Security for Financial Services
 
Austin CSS Slalom Presentation
Austin CSS Slalom PresentationAustin CSS Slalom Presentation
Austin CSS Slalom Presentation
 
AWS Security Strategy
AWS Security StrategyAWS Security Strategy
AWS Security Strategy
 
Cloud Application Security: Lessons Learned
Cloud Application Security: Lessons LearnedCloud Application Security: Lessons Learned
Cloud Application Security: Lessons Learned
 
Federation
FederationFederation
Federation
 

Similar to Securing the hybrid environment with Microsoft Cloud App Security

Power of the cloud - Introduction to azure security
Power of the cloud - Introduction to azure securityPower of the cloud - Introduction to azure security
Power of the cloud - Introduction to azure securityBruno Capuano
 
(SEC310) Keeping Developers and Auditors Happy in the Cloud
(SEC310) Keeping Developers and Auditors Happy in the Cloud(SEC310) Keeping Developers and Auditors Happy in the Cloud
(SEC310) Keeping Developers and Auditors Happy in the CloudAmazon Web Services
 
AWS November meetup Slides
AWS November meetup SlidesAWS November meetup Slides
AWS November meetup SlidesJacksonMorgan9
 
TechTalksUtah-Sentinel-20191108.pptx
TechTalksUtah-Sentinel-20191108.pptxTechTalksUtah-Sentinel-20191108.pptx
TechTalksUtah-Sentinel-20191108.pptxJustineGarcia32
 
Enterprise Cloud Security
Enterprise Cloud SecurityEnterprise Cloud Security
Enterprise Cloud SecurityMongoDB
 
NVS_Sentinel
NVS_SentinelNVS_Sentinel
NVS_SentinelMike Mihm
 
Security in the cloud Workshop HSTC 2014
Security in the cloud Workshop HSTC 2014Security in the cloud Workshop HSTC 2014
Security in the cloud Workshop HSTC 2014Akash Mahajan
 
Outpost24 webinar: cloud providers ate hosting companies' lunch, what's next?...
Outpost24 webinar: cloud providers ate hosting companies' lunch, what's next?...Outpost24 webinar: cloud providers ate hosting companies' lunch, what's next?...
Outpost24 webinar: cloud providers ate hosting companies' lunch, what's next?...Outpost24
 
Securing Servers in Public and Hybrid Clouds
Securing Servers in Public and Hybrid CloudsSecuring Servers in Public and Hybrid Clouds
Securing Servers in Public and Hybrid CloudsRightScale
 
AWS Webcast - Understanding the AWS Security Model
AWS Webcast - Understanding the AWS Security ModelAWS Webcast - Understanding the AWS Security Model
AWS Webcast - Understanding the AWS Security ModelAmazon Web Services
 
Implementing Fast IT Deploying Applications at the Pace of Innovation
Implementing Fast IT Deploying Applications at the Pace of Innovation Implementing Fast IT Deploying Applications at the Pace of Innovation
Implementing Fast IT Deploying Applications at the Pace of Innovation Cisco DevNet
 
Secure Your Code Implement DevSecOps in Azure
Secure Your Code Implement DevSecOps in AzureSecure Your Code Implement DevSecOps in Azure
Secure Your Code Implement DevSecOps in Azurekloia
 
CSC AWS re:Invent Enterprise DevOps session
CSC AWS re:Invent Enterprise DevOps sessionCSC AWS re:Invent Enterprise DevOps session
CSC AWS re:Invent Enterprise DevOps sessionTom Laszewski
 
Multi cloud governance best practices - AWS, Azure, GCP
Multi cloud governance best practices - AWS, Azure, GCPMulti cloud governance best practices - AWS, Azure, GCP
Multi cloud governance best practices - AWS, Azure, GCPFaiza Mehar
 
AWS Summit Auckland 2014 | Understanding AWS Security
AWS Summit Auckland 2014 | Understanding AWS Security AWS Summit Auckland 2014 | Understanding AWS Security
AWS Summit Auckland 2014 | Understanding AWS Security Amazon Web Services
 
MongoDB World 2018: Enterprise Security in the Cloud
MongoDB World 2018: Enterprise Security in the CloudMongoDB World 2018: Enterprise Security in the Cloud
MongoDB World 2018: Enterprise Security in the CloudMongoDB
 
MongoDB World 2018: Enterprise Cloud Security
MongoDB World 2018: Enterprise Cloud SecurityMongoDB World 2018: Enterprise Cloud Security
MongoDB World 2018: Enterprise Cloud SecurityMongoDB
 
Winning Governance Strategies for the Technology Disruptions of our Time
Winning Governance Strategies for the Technology Disruptions of our TimeWinning Governance Strategies for the Technology Disruptions of our Time
Winning Governance Strategies for the Technology Disruptions of our TimeCloudHesive
 

Similar to Securing the hybrid environment with Microsoft Cloud App Security (20)

Power of the cloud - Introduction to azure security
Power of the cloud - Introduction to azure securityPower of the cloud - Introduction to azure security
Power of the cloud - Introduction to azure security
 
(SEC310) Keeping Developers and Auditors Happy in the Cloud
(SEC310) Keeping Developers and Auditors Happy in the Cloud(SEC310) Keeping Developers and Auditors Happy in the Cloud
(SEC310) Keeping Developers and Auditors Happy in the Cloud
 
AWS November meetup Slides
AWS November meetup SlidesAWS November meetup Slides
AWS November meetup Slides
 
AWS User Group November
AWS User Group NovemberAWS User Group November
AWS User Group November
 
TechTalksUtah-Sentinel-20191108.pptx
TechTalksUtah-Sentinel-20191108.pptxTechTalksUtah-Sentinel-20191108.pptx
TechTalksUtah-Sentinel-20191108.pptx
 
Enterprise Cloud Security
Enterprise Cloud SecurityEnterprise Cloud Security
Enterprise Cloud Security
 
NVS_Sentinel
NVS_SentinelNVS_Sentinel
NVS_Sentinel
 
Security in the cloud Workshop HSTC 2014
Security in the cloud Workshop HSTC 2014Security in the cloud Workshop HSTC 2014
Security in the cloud Workshop HSTC 2014
 
Outpost24 webinar: cloud providers ate hosting companies' lunch, what's next?...
Outpost24 webinar: cloud providers ate hosting companies' lunch, what's next?...Outpost24 webinar: cloud providers ate hosting companies' lunch, what's next?...
Outpost24 webinar: cloud providers ate hosting companies' lunch, what's next?...
 
Securing Servers in Public and Hybrid Clouds
Securing Servers in Public and Hybrid CloudsSecuring Servers in Public and Hybrid Clouds
Securing Servers in Public and Hybrid Clouds
 
AWS Webcast - Understanding the AWS Security Model
AWS Webcast - Understanding the AWS Security ModelAWS Webcast - Understanding the AWS Security Model
AWS Webcast - Understanding the AWS Security Model
 
Implementing Fast IT Deploying Applications at the Pace of Innovation
Implementing Fast IT Deploying Applications at the Pace of Innovation Implementing Fast IT Deploying Applications at the Pace of Innovation
Implementing Fast IT Deploying Applications at the Pace of Innovation
 
Secure Your Code Implement DevSecOps in Azure
Secure Your Code Implement DevSecOps in AzureSecure Your Code Implement DevSecOps in Azure
Secure Your Code Implement DevSecOps in Azure
 
CSC AWS re:Invent Enterprise DevOps session
CSC AWS re:Invent Enterprise DevOps sessionCSC AWS re:Invent Enterprise DevOps session
CSC AWS re:Invent Enterprise DevOps session
 
Multi cloud governance best practices - AWS, Azure, GCP
Multi cloud governance best practices - AWS, Azure, GCPMulti cloud governance best practices - AWS, Azure, GCP
Multi cloud governance best practices - AWS, Azure, GCP
 
Understanding AWS Security
Understanding AWS SecurityUnderstanding AWS Security
Understanding AWS Security
 
AWS Summit Auckland 2014 | Understanding AWS Security
AWS Summit Auckland 2014 | Understanding AWS Security AWS Summit Auckland 2014 | Understanding AWS Security
AWS Summit Auckland 2014 | Understanding AWS Security
 
MongoDB World 2018: Enterprise Security in the Cloud
MongoDB World 2018: Enterprise Security in the CloudMongoDB World 2018: Enterprise Security in the Cloud
MongoDB World 2018: Enterprise Security in the Cloud
 
MongoDB World 2018: Enterprise Cloud Security
MongoDB World 2018: Enterprise Cloud SecurityMongoDB World 2018: Enterprise Cloud Security
MongoDB World 2018: Enterprise Cloud Security
 
Winning Governance Strategies for the Technology Disruptions of our Time
Winning Governance Strategies for the Technology Disruptions of our TimeWinning Governance Strategies for the Technology Disruptions of our Time
Winning Governance Strategies for the Technology Disruptions of our Time
 

Recently uploaded

Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxnull - The Open Security Community
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAndikSusilo4
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsHyundai Motor Group
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetHyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetEnjoy Anytime
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 

Recently uploaded (20)

Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetHyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 

Securing the hybrid environment with Microsoft Cloud App Security

  • 1. Our Gold Sponsors: Securing the hybrid environment with Microsoft Cloud App Security Matt Fooks IT Infrastructure & Cloud Tech Manager matt.c.fooks@gmail.com
  • 2. Our Gold Sponsors: Speaker Introduction • Matt Fooks • Infrastructure Team Leader / Cloud Enthusiast • https://blog.cloudsinreach.com / @MattFooks • Email matt.c.fooks@gmail.com • Co-host Microsoft 365 User Group @M365User https://m365usergroup.com
  • 3. Our Gold Sponsors: What is Microsoft Cloud App Security? CASB – Cloud Access Security Broker
  • 4. Our Gold Sponsors: Benefits of Cloud App Security Discover and assess risks Control Access Protect your information Detect and protect
  • 5. Our Gold Sponsors: MCAS - Microsoft Cloud App Security • Discovered Apps 16,000 • Auto log upload • Log anonymisation, Cloud app risk assessments, App/IP/User analytics • DLP Support with AIP and third parties • Connect to third party SIEM products OCAS - Office 365 Cloud App Security • Discovered Apps 750+ • Manual log uploads / Snapshots • Office 365 DLP support only • Connects Office 365 alerts only A tale of two products
  • 6. Our Gold Sponsors: MCAS - Microsoft Cloud App Security OCAS - Office 365 Cloud App Security Licensing
  • 7. Our Gold Sponsors: CAS role based access • Office 365 Global Admins and Security Administrators have full access • Compliance Administrator – Read-only can change/add some data controls • Security Reader – Read-only • App/Instance Admin – View and control for a specific app or instance of an app • Group Admin – View and control access for CAS for a specific group • MSSPs – Can be granted any role and MSSPs can manage CAS for multiple client tenants
  • 8. Our Gold Sponsors: Cloud App Security Features Discover – Investigate - Control
  • 10. Our Gold Sponsors: Cloud Discovery Dashboard
  • 12. Our Gold Sponsors: Investigate To aid investigation CAS has a few dashboard tools: • Activity Log • Files • Users and Accounts • Security Configuration • App permissions
  • 13. Our Gold Sponsors: Control over Cloud Apps • Access control • Compliance • Configuration control • Cloud discovery • DLP Control • Privileged accounts • Sharing control • Threat detection
  • 15. Our Gold Sponsors: Protect the hybrid environment Collecting logs from existing devices
  • 16. Our Gold Sponsors: Cloud App Security Integration
  • 18. Our Gold Sponsors: Vendor data attributes Data source Target App URL Target App IP Username Origin IP Total traffic Uploaded bytes Barracuda Yes Yes Yes Yes No No Blue Coat Yes No Yes Yes Yes Yes Checkpoint No Yes No Yes No No Cisco ASA (Syslog) No Yes No Yes Yes No Cisco ASA with FirePOWER Yes Yes Yes Yes Yes Yes Cisco FWSM No Yes No Yes Yes No Cisco Ironport WSA Yes Yes Yes Yes Yes Yes Cisco Meraki Yes Yes No Yes No No Clavister NGFW (Syslog) Yes Yes Yes Yes Yes Yes Dell SonicWall Yes Yes No Yes Yes Yes Digital Arts i-FILTER Yes Yes Yes Yes Yes Yes Fortigate No Yes No Yes Yes Yes Juniper SRX No Yes No Yes Yes Yes Juniper SSG No Yes Yes Yes Yes Yes McAfee SWG Yes No No Yes Yes Yes MS TMG Yes No Yes Yes Yes Yes Palo Alto Networks No Yes Yes Yes Yes Yes Sophos Yes Yes Yes Yes Yes No Squid (Common) Yes No Yes Yes No Yes Squid (Native) Yes No Yes Yes No Yes Websense - Investigative detail report (CSV) Yes Yes Yes Yes Yes Yes Websense - Internet activity log (CEF) Yes Yes Yes Yes Yes Yes Zscaler Yes Yes Yes Yes Yes Yes
  • 20. Microsoft Cloud App Security Demo
  • 21. Steps to continuous log collection
    • Create your Ubuntu/Red Hat machine (on-premises or Azure)
    • Create a data source in MCAS
    • Create a log collector in MCAS, selecting your data source(s)
    • Add networking ports for the receiver type you are using to Azure/your firewall
    • Install Docker
    • Deploy the log collector
    • Configure exports from your device to the log collector
  • 22. Create an Ubuntu machine
  • 24. Create Log Collector
  • 25. Add networking ports
    • Add rule(s) to allow logs from your devices – in the example below we have opened TCP ports 601-700 inbound from our firewall (10.0.0.56).
    • Add a rule to manage your server – SSH (port 22) inbound from your known locations.
  • 26. Install Docker and configure it. Log on to your log collector and install Docker; next, deploy the log collector.
  • 27. Verify success in CAS
  • 28. Any questions?
    • Email matt.c.fooks@gmail.com
    • Twitter @MattFooks
    • Microsoft 365 User Group – @M365User – HTTPS://M365UserGroup.com
  • 29. Gold Sponsors, Silver Sponsors, Bronze Sponsors

Editor's Notes

  1. Good afternoon, thank you for attending my talk on Microsoft Cloud App Security. I’ll run through the topic of Cloud App Security, then demonstrate some of the features. Firstly, can I see a show of hands of anyone using Cloud App Security? Anyone thinking of using it? Anyone who just came here to sleep off lunch?
  2. A little bit about myself and what I do. I work for Plexus, a UK law firm headquartered in Leeds. I run their infrastructure, network, telephony and cloud team. Outside of the day job I also co-host the Microsoft 365 User Group with a couple of MVP friends. These are held every two months in Leeds and aim to be a forum to share knowledge on Microsoft 365 services/features, adoption, implementation and experiences. Our next session is on 24th October 2018 in Leeds, so please get in touch if you’re interested in attending/speaking at this event or future events.
  3. Microsoft Cloud App Security is a Cloud Access Security Broker (CASB). It was developed by a company called Adallom, which Microsoft acquired in July 2015, for a rumoured $250 million! My involvement in MCAS – running it in production since June, and running OCAS a few months before that. Helped another company get going with MCAS. Why? I think it’s a worthy addition to accompany your security toolset. It helped discover pockets of cloud storage / webmail being used by areas of the business; we then gained control of these through blocking on our endpoint devices. My interest in security has increased over recent years after being close to a number of security incidents and seeing their effects. I saw a friend lose his job after his company was hit by Petya ransomware. Also DLA Piper, a large international law firm, were hit severely. CAS is part of Microsoft 365’s security tools; it’s not a silver bullet. You should implement this alongside MFA, AIP, DLP, Intune, Secure Score, Privileged Identity Management and other services.
  4. CAS has four aims. With CAS you gain visibility into your Office 365 environment usage and the use of shadow IT. It also provides an assessment of risks. Real-time control over your Office 365 environment: apply a sanctioned or unsanctioned label to apps, revoking access to risky applications. It’s also about protecting your information – providing monitoring and control of your data in the cloud, enforcing DLP policies and alerting on them. It can give you control of third-party apps such as Dropbox and Box. Last but not least it has threat detection and protection – helping you by identifying risks, abnormal behaviour and security incidents. It can protect you by applying actions like blocking an account from a cloud app, Azure AD or Office 365.
  5. There are two Cloud App Security products with some big differences. Microsoft Cloud App Security has 16,000 discovered apps, the ability to auto-upload logs from your on-prem/datacentre proxies and firewalls, log anonymisation for privacy (important in this GDPR era), comprehensive risk assessments and analytics on apps, IP addresses and users, DLP support, AIP and third-party SIEM products. Office 365 Cloud App Security has only 750+ cloud apps, manual log uploads/snapshots, only supports Office 365 DLP and doesn’t provide the ability to revoke access (which is a good feature of MCAS). This is the power of MCAS alerts – having them not only detect but protect. It’s the same dashboard experience, but MCAS is more feature-rich than OCAS. Both have a place and depend very much on your environment. If you manage an environment which exists mainly in the cloud space, OCAS is right for you. However, if you utilise both Office 365 and on-prem and have existing security products (firewalls, proxies, DLP, SIEM solutions) then MCAS will allow some integration and insight into cloud and on-prem. https://docs.microsoft.com/en-us/cloud-app-security/editions-cloud-app-security-o365
  6. To get your hands on OCAS you need it as part of EMS E5 or as a standalone licence. EMS E5 is not as expensive as Office 365 E5, so it could be affordable for your business.
  7. CAS uses RBAC.
     O365 Global admins/security admins – FULL ACCESS.
     Compliance Admins – read-only; create/modify file policies, allow file governance actions, view all built-in reports in data management.
     Security Reader – is pretty much a read-only role.
     App/Instance Admin – view and control for a specific app or instance of an app.
     Group Admin – has permissions to all of the data in Microsoft Cloud App Security that deals exclusively with the specific group selected here. For example, if you give a user admin permission to the group “Birmingham - all users“
     App Admin and Group Admin have some further restrictions: no App permissions, Files page permissions, Conditional Access App Control permissions, or Cloud Discovery activity permissions.
     Microsoft Cloud App Security enables you to invite external Managed Security Service Providers (MSSPs) as administrators of your Microsoft Cloud App Security portal. External users can now be configured as administrators and assigned any of the roles currently available in Microsoft Cloud App Security.
  8. MCAS helps you discover, investigate and control security and compliance, helping you prevent and effectively deal with incidents. Now we will take a look at the features of MCAS.
  9. After logging into CAS you will land at the General Dashboard. This gives you an overview of what’s going on in a friendly manner. You can see traffic lights for your various apps as well as files monitored, risks, alerts and trends. Scroll down and you can see activity, trends and location maps of cloud apps or users.
  10. You then have a further dashboard which gives you more insight into discovered apps, IPs and users.
  11. Worth mentioning is the Cloud App Catalog. This is where you can review a detailed assessment of the apps your business or clients use. It rates these apps according to various security and compliance standards and vulnerabilities. You can tailor this to what matters to your business. We will take a look at this a little later.
  12. To aid investigation CAS has a few dashboard tools. Each of these gives you more insight to help aid an investigation. I’ll show a couple of these areas a little later in the demo.
  13. CAS’s power comes from its control over apps – not just insights. I’ll explain a little about what benefits each of these brings.
     Access control: Who accesses what from where? CAS continuously monitors behaviour and detects anomalous activities, including high-risk insider and external attacks. It can then apply policies to alert, block, or require identity verification for any app or specific action within an app. It detects suspicious login events, including MFA failures, disabled account login failures, and impersonation.
     Compliance: Are you in breach of your compliance standards? CAS catalogues and identifies sensitive or regulated data, including sharing permissions for each file, ensuring compliance with regulations such as PCI, SOX and, importantly, GDPR!
     Configuration control: CAS detects whether unauthorized changes are being made to your configuration.
     Cloud discovery: Investigate what shadow IT you have and its usage. Clearly see and demonstrate the risk, suggest alternatives, block risky apps – basically get control back!
     DLP: Are your files being shared publicly? Do you need to quarantine files? CAS can fit into your existing on-prem DLP solutions to achieve this.
     Privileged accounts: Everyone should monitor their admin accounts. CAS provides real-time activity monitoring of privileged users and admins.
     Sharing control: How is data being shared in your cloud environment? Inspect the content of files and content in the cloud, and enforce sharing policies, blocking files from being shared outside your organization.
     Threat detection: Are there suspicious activities threatening your cloud environment? CAS alerts on threats according to the policies you set. By applying machine learning algorithms, Cloud App Security enables you to detect behaviour that could indicate that a user is misusing data.
  14. Using cloud app APIs, CAS can give you more visibility and control for connected apps.
     Account information: visibility into users, accounts, profile information, status (suspended, active, disabled), groups, and privileges.
     Audit trail: visibility into user activities, admin activities and log-on activity.
     Data scan: scanning of unstructured data using two processes – periodically (every 12 hours) and in real time (triggered each time a change is detected).
     App permissions: visibility into issued tokens and their permissions.
     Account governance: ability to suspend users, revoke passwords, etc.
     Data governance: ability to quarantine files, including files in trash, and overwrite files.
     App permission governance: ability to remove tokens.
     The unsanctioned app report can generate a script to run on your device to block access to these apps: Discovered Apps > … at the top/title > Block apps > Generate Block Script > apply to your device.
  15. MCAS is a security service that can protect the cloud but also go further and protect your datacentre environment. Microsoft recognise that many businesses will never completely move to the cloud, and so a tool that protects just the cloud wouldn’t fit many environments. Let’s take a look at how it can do that and to what extent.
  16. The diagram shows the architecture for Cloud App Security and how it fits in with your existing environment, pulling information from your existing security endpoints.
  17. There is a growing list of security products that CAS can pull logs from; these include the following:
     Barracuda - Web App Firewall (W3C)
     Blue Coat Proxy SG - Access log (W3C)
     Check Point
     Cisco ASA Firewall (for Cisco ASA firewalls, it is necessary to set the information level to 6)
     Cisco ASA with FirePOWER
     Cisco IronPort WSA
     Cisco ScanSafe
     Cisco Meraki – URLs log
     Clavister NGFW (Syslog)
     Dell Sonicwall
     Digital Arts i-FILTER
     Fortinet Fortigate
     iboss Secure Cloud Gateway
     Juniper SRX
     Juniper SSG
     McAfee Secure Web Gateway
     Microsoft Forefront Threat Management Gateway (W3C)
     Palo Alto series Firewall
     Sophos SG
     Sophos XG
     Sophos Cyberoam
     Squid (Common)
     Squid (Native)
     Websense - Web Security Solutions - Investigative detail report (CSV)
     Websense - Web Security Solutions - Internet activity log (CEF)
     Zscaler
  18. This table is key to understanding what you will get from your on-premises or Azure devices. The matrix shows exactly which devices by which vendors are supported and what information can be populated from those devices, through your log collector, into MCAS. You may be employing several of these devices depending on your environment’s needs and size: several different perimeter firewalls, a proxy solution, as well as security devices that protect your Wi-Fi. Understanding what you can get from these devices against what you require from MCAS will help you decide which logs to collect and ingest into Cloud App Security. This also applies to OCAS, because if you export logs from your security device or appliance you can upload them as a snapshot; I will show that process during the demo in a bit. https://docs.microsoft.com/en-us/cloud-app-security/set-up-cloud-discovery
  19. As discussed, with both MCAS and OCAS you can upload logs manually. These are called a snapshot – “an exported log from your device for a set period of time or file size.” You can anonymise the data simply by checking a box. You are limited to 20 log files of 1 GB max per log file, so 20 GB in total at a time.
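The snapshot limits just quoted (20 files, 1 GB each) are easy to trip over when you batch up a month of proxy exports. The following is an added example, not from the slides or from Microsoft: a small POSIX shell check you run over a directory of exported device logs before uploading them, so the upload is rejected locally rather than in the portal. The directory path is whatever you pass in; the sample files created in the usage section are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-flight check for a Cloud App Security snapshot upload.
# Limits come from the talk: at most 20 log files, each at most 1 GB.

MAX_FILES=20
MAX_BYTES=$((1024 * 1024 * 1024))   # 1 GB per log file

# Size of one file in bytes, portable across GNU and BSD userland.
file_size() {
  wc -c < "$1" | tr -d ' '
}

# Walk one directory of exported logs. Returns 0 when the batch fits the
# limits, 1 otherwise; every violation is explained on stderr and a one-line
# summary (file count and total bytes) is printed on stdout either way.
check_snapshot_batch() {
  dir="$1"
  count=0
  total=0
  rc=0
  for f in "$dir"/*; do
    [ -f "$f" ] || continue          # skip subdirectories and an empty glob
    count=$((count + 1))
    size=$(file_size "$f")
    total=$((total + size))
    if [ "$size" -gt "$MAX_BYTES" ]; then
      echo "too large (over 1 GB): $f ($size bytes)" >&2
      rc=1
    fi
  done
  if [ "$count" -eq 0 ]; then
    echo "no log files found in $dir" >&2
    rc=1
  elif [ "$count" -gt "$MAX_FILES" ]; then
    echo "too many files: $count (maximum $MAX_FILES per snapshot)" >&2
    rc=1
  fi
  echo "$count files, $total bytes"
  return $rc
}

# Usage: sh snapshot_check.sh /path/to/exported/logs
# (run with no argument the script only defines the functions above)
if [ -n "${1:-}" ]; then
  check_snapshot_batch "$1"
fi
```

Splitting an oversized export into several files under 1 GB keeps you within the per-file limit, but remember the total of 20 files still applies to the batch as a whole.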
  20. Demo plan: look at the dashboard, app controls and risk assessments, file tracking, templates and policies, alerts, creating a snapshot and setting up your log collector.
     Look at the dashboard, apps and the risk assessments. Show the cog, Cloud Discovery settings – customise the metrics that your business or clients are interested in – change GDPR right to erasure. Look at other settings that you can configure (email, custom logging).
     File tracking – show tracking files, click on a file.
     Templates and policies – show the policies, create a discovered cloud app policy.
     Alerts and suspending accounts.
     Creating a snapshot from an exported device log.
     Show the unsanctioned app report, which can generate a script to run on your device to block access to these apps: Discovered Apps > … at the top/title > Block apps > Generate Block Script > apply to your device.
     Steps to creating a log collector.
  21. Ubuntu/Docker on-premises or Azure? Or RHEL if on-prem. If the only device you want to connect up is a Zscaler this is different and doesn’t require a log collector. You could create a Windows machine, however this was pulled. In most environments your syslog servers for your network are usually Linux.
     Create a data source – based on the device you want to export logs from and ingest into MCAS.
     Create a log collector from MCAS, selecting your data source(s).
     Install Docker (MCAS gives you the command to run).
     Deploy the log collector (MCAS will give you the command to run).
     Verify the log collector is running properly (MCAS will give you the command to run) – docker logs LogCollect01
     Configure exports from your device to the log collector – in many devices this could be as easy as adding the IP of your log collector and a schedule into the device’s syslog settings.
     https://docs.microsoft.com/en-us/cloud-app-security/discovery-docker-ubuntu-azure
     On-premises is similar; you will just need the Ubuntu machine to bypass the proxy. In the production environment I look after we have this running in our data centre, and the procedure is very similar.
  22. Tech specs – OS: Ubuntu 14.04 and 16.04 (for newer versions, contact support); disk space: 250 GB; CPU: 2; RAM: 4 GB. Set your firewall as described in Network requirements. Add virtual machine > choose Ubuntu (in this case as it’s in Azure) > complete the basics > choose the size of VM (disk size), scaled for how many data sources you will use. https://docs.microsoft.com/en-gb/cloud-app-security/discovery-docker-ubuntu-azure
  23. Create a data source – telling it what device and what receiver type to pull logs from. You can create a data source for each device you want data from, depending on your requirements.
  24. Create your log collector, giving it your Ubuntu/Red Hat machine’s IP address and pointing it to the data source we created in the previous step.
  25. In your VM’s networking settings (NSG), add rule(s) to allow logs from your devices – in the example below we have opened TCP ports 601-700 inbound from our firewall (10.0.0.56). Add a rule to manage your server – SSH (port 22) inbound from your known locations.
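The two NSG rules described here are the whole network exposure of the collector, so it is worth scripting them rather than clicking them in, and worth refusing the tempting shortcut of opening SSH to "Any". The following is an added example written for this page, not the talk’s own commands and not from Microsoft’s documentation: a POSIX shell wrapper around `az network nsg rule create` that emits (or, with `DRY_RUN=0`, runs) the syslog rule from the firewall and the SSH rule from your admin prefix, and rejects a wildcard SSH source. The firewall address 10.0.0.56 and the receiver range 601-700 come from the slide; the resource group, NSG name, rule names, priorities and the admin prefix 203.0.113.0/24 are assumed placeholders.

```shell
#!/bin/sh
# Added example: create the collector's inbound NSG rules with the Azure CLI.
# Defaults below are assumed names, override them in the environment.
RESOURCE_GROUP="${RESOURCE_GROUP:-rg-mcas-logcollector}"   # assumed
NSG_NAME="${NSG_NAME:-nsg-logcollector01}"                   # assumed
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the az commands, 0 = execute them

# Accept a source prefix for the SSH rule only when it is not a wildcard.
# Returns 0 for an acceptable prefix, 1 for one that exposes port 22 to all.
check_ssh_source() {
  case "$1" in
    ""|"*"|Internet|0.0.0.0/0|0.0.0.0) return 1 ;;
    *) return 0 ;;
  esac
}

# Build one inbound Allow rule: <rule name> <priority> <source prefix> <dst ports>
nsg_rule_cmd() {
  printf 'az network nsg rule create -g %s --nsg-name %s -n %s --priority %s --direction Inbound --access Allow --protocol Tcp --source-address-prefixes %s --source-port-ranges "*" --destination-address-prefixes "*" --destination-port-ranges %s' \
    "$RESOURCE_GROUP" "$NSG_NAME" "$1" "$2" "$3" "$4"
}

# Syslog receivers: TCP 601-700, from the firewall only (slide defaults).
syslog_rule_cmd() {
  nsg_rule_cmd AllowSyslogFromFirewall 100 "${1:-10.0.0.56}" "${2:-601-700}"
}

# Management: SSH from your known admin prefix only, never from everywhere.
ssh_rule_cmd() {
  if ! check_ssh_source "$1"; then
    echo "refusing to open SSH (22) to source '$1'; give a known admin prefix" >&2
    return 1
  fi
  nsg_rule_cmd AllowSshFromAdmins 110 "$1" 22
}

# Print or run both rules. Usage: apply_rules <firewall-ip> <admin-prefix>
# Returns 1 without running anything if the SSH source is rejected.
apply_rules() {
  syslog=$(syslog_rule_cmd "$1") || return 1
  ssh=$(ssh_rule_cmd "$2") || return 1
  for cmd in "$syslog" "$ssh"; do
    if [ "$DRY_RUN" = "1" ]; then
      printf '%s\n' "$cmd"
    else
      eval "$cmd"
    fi
  done
}

# Usage: DRY_RUN=1 sh nsg_rules.sh --demo   (prints the two commands)
if [ "${1:-}" = "--demo" ]; then
  apply_rules 10.0.0.56 203.0.113.0/24   # 203.0.113.0/24 is an assumed admin range
fi
```

Priorities 100 and 110 leave room for a deny rule in between if you later need to carve exceptions out of the syslog range, and keeping the firewall as the only permitted syslog source means a stray host on the VNet cannot inject fake traffic records into your Cloud Discovery data.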
  26. Install Docker (MCAS gives you the command to run). Deploy the log collector (MCAS will give you the command to run). Verify the log collector is running properly (MCAS will give you the command to run) – docker logs LogCollect01. Then configure your on-prem / Azure device to export logs to the syslog port.
  27. Go to Settings > Automatic log upload and check that it is connected to the log collector.
  28. How does it compare to other security products? It all depends on your requirements and your environment. It doesn’t sniff packets on the network like some solutions, so it will not give you deep insights into your network devices. It is only as good as the logs you ingest into it. I find it is a great tool for shadow IT and understanding the compliance risks. In my production environment it really complements our other security tools. If you have other questions at a later date feel free to get me on Twitter or drop me an email.
  29. Thank you for attending. I hope you found this useful, and thanks to our sponsors for making this event possible.