This document provides an overview of Microsoft Cloud App Security. It discusses how the platform provides enterprise-class security for identities and access management, threat protection, information protection, and infrastructure security across cloud apps and services. Key capabilities include discovering shadow IT, assessing app risks, blocking unsanctioned apps, detecting threats, classifying and protecting data, and integrating with other Microsoft security solutions. The document also presents demos of the discovery, protection, and threat detection capabilities and discusses how Cloud App Security can integrate with other security tools and automate security workflows. It concludes with next steps around signing up for a trial and exploring use cases.

1. MICROSOFT
CLOUD APP SECURITY
Sebastien Molendijk
Senior Program Manager

2. https://www.polleverywhere.com/multiple_choice_polls/BjnYY9hZKbBPAVfjvFhgc?preview=true&controls=none

3. Enterprise-class technology
Secure identities to
reach zero trust
Identity & access
management
Security
management
Strengthen your security
posture with insights
and guidance
Threat
protection
Help stop damaging
attacks with integrated and
automated security
Locate and classify
information anywhere
it lives
Information
protection
Infrastructure
security

4. https://www.polleverywhere.com/multiple_choice_polls/
12sqtYRadhdO4r6L1IJM5?preview=true&controls=none

5. https://www.polleverywhere.com/multiple_choice_polls/
Hv68q7qjXJitDquT6sK5P?preview=true&controls=none

6. CLOUD ACCESS SECURITY BROKERS
01

7. Cloud services require a new approach to security

8. Top CASB use cases
Office 365
Salesforce Azure
Box
AWS
Dropbox
Facebook
Twitter
YouTube

9. MICROSOFT CLOUD APP SECURITY
02

11. Office 365
Microsoft Teams

12. DISCOVERING AND ASSESSING THE
RISK OF SHADOW IT
03

13. Shadow IT management lifecycle

14. Discovery of Shadow IT across
SaaS, IaaS and PaaS
Discover cloud usage across all
locations (HQ, Branches, Remote..)
Understand the risk of your SaaS
apps
Risk assessment for 16,000+
cloud apps based on 70+ security
and compliance risk factors
Analyze usage patterns
Understand the usage patterns
and identify high risk volume users by
understanding traffic data, top users
and IP addresses, app categories
Block risky and unsanctioned apps
Using native and programmatic
integration with leading SWG and
Proxies
Continuous monitoring
Be alerted when new, risky or high-
volume apps are discovered
CloudAppDiscovery

15. DISCOVERY ARCHITECTURE WITH MICROSOFT DEFENDER ATP
Firewall / Proxy Log collector
User
IP address
Machine
Microsoft
Cloud App
Security portal
Endpoints
Shadow IT
Microsoft
Defender ATP

16. CloudDiscoverywith
Microsoft DefenderATP
Native, endpoint-based
Discovery of Shadow IT
Discovery of cloud apps
beyond the corporate
network from any Windows
10 machine
Single-click enablement
Machine-based Discovery
Deep dive investigation in
Windows Defender ATP

17. 1-click deployment with Microsoft Defender ATP

18. User education when attempting to access a non-trusted app

19. User education when attempting to access a non-trusted app

20. User education when attempting to access a non-trusted app

21. Shadow IT Discovery for IaaS and PaaS services

22. Shadow IT Discovery for IaaS and PaaS services – Drill down

23. Deployment method
Automatic
log upload
Checkbox
deployment
Supported
platforms
Device-based
Discovery
Off-network
Discovery
Inline blocking
of apps
Deployment
Complexity
Log file (Snapshot report) No No Any No No No Medium
Log collector Yes No Any No No No Medium
Windows Defender ATP Yes Yes
Windows,
Mac coming in
2019
Yes Yes H1 2019 Low
Zscaler Yes No Any No Yes Yes Low
iboss Yes No Any No Yes Yes Low
Shadow IT Discovery deployment options

24. DISCOVERY
DEMO

25. PROTECTING YOUR INFORMATION
02

27. Protect your files and data in the cloud
Data is ubiquitous and you need to make it accessible and collaborative, while safeguarding it
Understand your data and
exposure in the cloud
Classify and protect your data no
matter where it’s stored
Monitor, investigate and
remediate violations
• Connect your apps via our API-based
App Connectors
• Visibility into sharing level,
collaborators and classification labels
• Quantify over-sharing exposure,
external- and compliance risks
• Govern data in the cloud with
granular DLP policies
• Leverage Microsoft’s IP
capabilities for classification
• Extend on-prem DLP solutions
• Automatically protect and
encrypt your data using Azure
Information Protection
• Create policies to generate
alerts and trigger automatic
governance actions
• Identify policy violations
• Investigate incidents
and related activities
• Quarantine files, remove
permissions and notify users

28. Create policies to generate
alerts and trigger automatic
governance actions
Be notified to identify and
investigate policy violations
and related activities
Automatically remediate with
built-in actions incl.
notify owner, notify admin,
make private, quarantine, etc.
Automatically label and
protect existing sensitive
information and when new
files are uploaded
Detectandremediate
overexposed filesand
anomalies

29. Unified labelling with Microsoft
Information Protection -
streamlined experience across
O365 DLP, AIP and MCAS
90 built-in, sensitive information
types you can choose from
Custom sensitive information
types using Regex, keywords and
large dictionary
Leverage Microsoft or 3rd party
DLP engines for classification
Leverage AIP labels
KeyDifferentiators via
MicrosoftInformation
Protection approach

30. INFORMATION PROTECTION
DEMO

31. ENABLING REAL-TIME INFORMATION
PROTECTION
03

32. Context-aware session policies
Control access to cloud apps and
sensitive data within apps based on
user, location, device, and app
SAML, Open ID Connect, & on-
prem apps
Support for Microsoft and non-
Microsoft web apps, including on-
prem apps onboarded via Azure AD
App proxy
Enforce granular monitoring &
control for risky user sessions
Data Exfiltration:
• Block download, Apply AIP
label on download
• Block print
• Block copy/cut
• Block custom activities: (e.g.,
IMs with sensitive content)
Data Infiltration:
• Block upload
• Block paste
ConditionalAccessAppControl

33. Unique integration with Azure AD
Conditional Access
Selective routing to MCAS based on the
session risk determined by Conditional Access
to optimize end user productivity
Simple deployment
Built-in policies that can be configured directly
within the Azure AD portal for an easy
deployment.
Control your on-prem apps
With the same powerful real-time controls by
integrating them with Azure AD Application
Proxy
Worldwide Azure datacenters
infrastructure
MCAS leverages Azure data centers across
the world to optimize performance and user
experience
Keydifferentiators tooptimize
theadminandenduser
experience

34. Cloud apps & services

35. Exemplary use case
Prevent download of sensitive files from unmanaged device
Config:Unmanaged
Any app

36. https://www.polleverywhere.com/multiple_choice_polls/
0AU0d7HMIbntk8IOf5isF?preview=true&controls=none

37. PROTECTING YOUR INFORMATION IN
REAL-TIME
DEMO

38. THREAT PROTECTION IN THE CLOUD
04

39. inbound phishing attacks

40. Detections across cloud apps and sessions
!
!
!

42. Malware
Detection

47. The challenge of securing your environment
The digital estate offers
a very broad surface
area that is difficult to
secure
Bad actors are using
increasingly creative
and sophisticated
attacks
Intelligent correlation
and action on signals is
difficult, time-consuming,
and expensive

48. Identity Security – Covering your environment
Cloud identity threats
Azure AD Identity Protection
On-premises identity threats
Azure ATP
Application sessions
Microsoft Cloud App Security
Azure AD & ADFS

49. On Premises Activities – via Azure ATP
Cloud Activities – via Azure AD IP,
Office 365 and MCAS

50. https://www.polleverywhere.com/multiple_choice_polls/
9gRK9AEY6UcZRqVkd8OJ3?preview=true&controls=none

51. https://www.polleverywhere.com/discourses/qcKw1b76P
E2fNeHvad8RH?preview=true&controls=none

52. M365 UEBA - Overview

54. USER INVESTIGATION PRIORITY
ALERTS
ABNORMAL
ACTIVITIES
USER
CONTEXT

55. Total user risk for
investigation priority –
reflecting security alerts,
abnormal activities and
user impact
User Investigation
Priority

56. Suspicious activities
Alerts
User’s investigation priority

57. Identify top users
to investigate
How abnormal is this
user’s behavior?

58. User Investigation
Priority
Example: User investigation
priority distribution at a
200k+ employee organization
0
20000
40000
60000
80000
100000
120000
140000
160000
Number
of
Users
Scores
Users / Score Distribution

59. Identify abnormal activities by analyzing the behavior of users,
peers and the entire organization
• Login to devices
• Access to on-premises resources
• Remote connections to servers
• Access to cloud applications
• Usage of Share Point Online sites
• User agent, location & ISP analytics
• Mailbox behavior
• Failed logins behavior

60. Suspicious Activity: how does it work?
Suspicious
Has this user accessed
this server before?
Is the ‘finance server’ accessed by
many users in the organization?
Do the peers of this user
login to this server ?
Normal
Does this user have a usual
pattern of logons to servers?

61. Investigation
Priority
Feedback
True positives discovered:
• compromised service account exposed
resources, this was not detected by
ATP products. filtering by activities
with investigation priority helped sort
and find compromised resources.
• User was found to be compromised
(custom policy inbox FW rule). When
reviewed the case we noticed that the
first activities by the adversary would
have been flagged (by User agent+ISP)

62. THREAT PROTECTION
DEMO

64. https://www.polleverywhere.com/multiple_choice_polls/
TH0DTL57l2zAIwcYgqKnw?preview=true&controls=none

65. https://www.polleverywhere.com/multiple_choice_polls/
ajznvQR4A9iqZR2ajAhB6?preview=true&controls=none

66. https://www.polleverywhere.com/multiple_choice_polls/
ZpWYvHObYJU5bcrRaVvcx?preview=true&controls=none

67. https://www.polleverywhere.com/multiple_choice_polls/
HVCvuMK7GFYO3n17eDy5C?preview=true&controls=non
e

68. Enterprise integration
06

69. Export alerts and activities to your SIEM
Better protect your cloud applications while maintaining your usual security workflow, automating
security procedures and correlating between cloud-based and on-premises events​
Automate processes via API or PowerShell​
Create your own applications using programmatic access to Cloud App Security data and actions
through REST API endpoints
External DLP solution
Integrate with existing DLP solutions to extend these controls to the cloud while preserving a
consistent and unified policy across on-premises and cloud activities​
Security Workflow automation with Microsoft Flow
Centralized alert automation and orchestration of custom workflows using the ecosystem of
connectors in Microsoft Flow. Enables routing alerts to ticketing systems (e.g. ServiceNow), gather
end user input for alert investigation, get approval from SOC operator to execute action or apply
additional security controls
Enterprise Integrations

70. Centralized alert automation
and orchestration of custom
workflows
Automate the triage of alerts
Enables an ecosystem of
connectors in Microsoft Flow
incl. >100 3rd party
connectors such as Jira,
ServiceNow, and DocuSign
Out-of-the-box and custom
workflow playbooks that work
with the systems of your
choice
Predefined governance
options when creating
policies
Automating Security
WorkflowswithMSFlow

71. Open incident in ticketing
system & populate with
alert attributes
Request user input to
provide context during
alert investigation
Get admin approval to
execute remediation
action

72. Configuration

73. Configuration steps
• Create an API token in Microsoft Cloud App Security
• Create a MCAS connection in Flow
• Create a Flow starting with the Microsoft Cloud App Security Trigger
• In the MCAS console, assign the Flow to a policy

74. 1. Route alerts to ticketing systems such as Jira or ServiceNow
2. Route alerts to different SOC teams based on geography of the user
3. Request input from a user's manager to triage alert
4. Request user input to decide how to triage an alert
5. Block unsanctioned apps on the firewall using CAS discovery alerts
6. Get admin approval to execute remediation action
7. Disable user in AAD and in on-prem Active Directory based on suspicious alerts
8. Remove malicious forwarding inbox rule in Exchange Online
9. Automatically dismiss “unusual location” alerts when a user has OOF message set to “On”
10. MCAS alert triggers antivirus scan in Microsoft Defender ATP
Sample automation scenarios

75. Reach on-premises systems with Azure Automation

76. Reach on-premises systems with Hybrid Runbook Workers
https://docs.microsoft.com/en-us/azure/automation/automation-hybrid-runbook-worker

77. SIEM integration and Automating
Security Workflows
DEMO

78. External Admins
• MCAS is enabled for externally Managed Security
Service Providers (MSSPs) to act as
administrators
• MSSPs can be assigned any of the available
admin roles
For MSSPs
• Ability to provide services across multiple
customer tenants
• Ability to easily switch between tenants within
the portal for MSSPs (See image)
Managed Security Service Provider (MSSP)

79. SUMMARY & NEXT STEPS
07

80. https://www.polleverywhere.com/discourses/jLyE4YUwLZ
7mZUnsfWfyH?preview=true&controls=none

81. https://www.polleverywhere.com/discourses/HWuN6tbi7
pj9mzAFxr12n?preview=true&controls=none

82. Top 10 CASB use cases you should think about
1. Discover the cloud apps and services used in your
organization
2. Assess the risk and compliance of all cloud apps
3. Govern access to discovered cloud apps and
explore enterprise-ready alternatives
4. Discover OAuth apps with access to your
environment
5. Gain visibility into all corporate data stored in the
cloud apps and understand your exposure
6. Enforce DLP and compliance policies for sensitive
data stored in your cloud apps
7. Protect data downloaded to unmanaged devices
8. Detect compromised user and admin accounts, and
identify insider threats
9. Detect and remediate malware in your cloud apps
10. Audit the configuration of your IaaS environments

83. Next steps
Sign up for a Microsoft Cloud App Security Trial.
Upload a log file from your network firewall or
enable logging via Microsoft Defender ATP to
discover Shadow IT in your network and assess the
risks of detected cloud apps.
Connect your Cloud Apps to Microsoft Cloud App
Security to detect suspicious user activity and
exposed sensitive data.
Enable out-of-the-box anomaly detection policies
and start detecting cloud threats in your
environment.
Continue with more advanced use cases across
Information Protection, Compliance and more.

84. RESOURCES
aka.ms/mcas​
aka.ms/mcascommunity
aka.ms/mcasblog
aka.ms/mcastech
aka.ms/mcastrial
aka.ms/mcaslicensing

85. THANK YOU