This document provides an overview of Microsoft Cloud App Security. It discusses how the platform provides enterprise-class security for identities and access management, threat protection, information protection, and infrastructure security across cloud apps and services. Key capabilities include discovering shadow IT, assessing app risks, blocking unsanctioned apps, detecting threats, classifying and protecting data, and integrating with other Microsoft security solutions. The document also presents demos of the discovery, protection, and threat detection capabilities and discusses how Cloud App Security can integrate with other security tools and automate security workflows. It concludes with next steps around signing up for a trial and exploring use cases.
Microsoft 365 provides holistic security across these four aspects of security.
By helping enterprise businesses secure corporate data and manage risk in today’s mobile-first, cloud-first world, Microsoft 365 enables customers to digitally transform by unifying user productivity and enterprise security tools into a single suite that enables the modern workplace.
Identity & Access Mgmt
Secure identities to reach zero trust
Threat Protection
Help stop damaging attacks with integrated and automated security
Information Protection
Protect sensitive information anywhere it lives
Security Management
Strengthen your security posture with insights and guidance
Here's the slide deck from my session titled "Secure your Access to Cloud Apps using Microsoft Defender for Cloud Apps", which was presented at the Modern Workplace Conference Paris 2022 Virtual event.
Overview of Data Loss Prevention Policies in Office 365 (Dock 365)
Presentation about identifying, monitoring, and automatically protecting sensitive information across Office 365.
With a DLP Policy, you can:
- Identify sensitive information across many locations, such as SharePoint Online and OneDrive for Business.
- Prevent the accidental sharing of sensitive information.
- Monitor and protect sensitive information in the desktop versions of Excel 2016, PowerPoint 2016, and Word 2016.
- Help users learn how to stay compliant without interrupting their workflow.
- View DLP reports showing content that matches your organization's DLP policies.
Visit www.mydock365.com to learn more about SharePoint with Dock.
Get comprehensive protection across all your platforms and clouds
Protect your organization from threats across devices, identities, apps, data and clouds. Get unmatched visibility into your multiplatform environment that unifies Security Information and Event Management (SIEM) and Extended Detection and Response (XDR). Simplify your security stack with Azure Sentinel and Microsoft Defender.
Patch management is critical to reducing your attack surface and keeping your endpoints and business running smoothly. Unfortunately, it's also a process that must be repeated weekly, monthly, quarterly, and whenever critical fixes have been identified for your environment. The good news is: with the right tools and some advance planning, this process can run smoothly and leave your IT team with more time to support core business goals.
Join us to learn about trends in patch management, including the latest ways Ivanti is helping Security and IT teams work together like a well-oiled machine.
Microsoft Information Protection demystified (Albert Hoitingh)
This session was presented at the North American Collaboration Summit 2022. It covers the many technical aspects of Microsoft Purview Information Protection.
Microsoft Office 365 Advanced Threat Protection leverages our approach and our strengths to help customers be secure against advanced threats and recover quickly in the event they are attacked.
Protect their data
Detect compromised users
And gain the required visibility to respond to threats
Here's where Microsoft has invested, across these areas: identity and access management, apps and data security, network security, threat protection, and security management.
We’ve put a tremendous amount of investment into these areas, and it shows up across a pretty broad array of product areas and features.
Our Identity and Access Management tools enable you to take an identity-based approach to security and establish truly conditional access policies.
Our App and Data Security tools help you protect your apps and your data as it moves around, both inside and outside your organization.
Azure includes a robust networking infrastructure with built-in security controls for your application and service connectivity.
Our Threat Protection capabilities are built in and fully integrated, so you can strengthen both pre-breach protection, with deep capabilities across e-mail, collaboration services, and endpoints including hardware-based protection, and post-breach detection, which includes memory- and kernel-based protection and automated response.
And our Security Management tools give you the visibility and, more importantly, the guidance to manage policy centrally.
Community IT CTO Matthew Eshleman reviews security fundamentals in Office 365. Small and medium sized nonprofits are in a great position to take advantage of the native security tools offered in Office 365.
Platform + Intelligence + Partners
This new understanding has led us to build new solutions for our customers. It informs our entire approach across three critical elements:
Building a platform that looks holistically across all the critical end-points we talked about – building security into our platform as well as providing security tools and technologies to you
Acting on the Intelligence that comes from our security-related signals and insights – helps you and us to detect threats more quickly
Fostering a vibrant ecosystem of partners who help us raise the bar across the industry – we know we’re not your only security vendor, and we want to work with the industry and take a holistic approach to technology
Microsoft 365 provides holistic security that is aligned to these four pillars of security.
By helping enterprise businesses secure corporate data and manage risk in today’s mobile-first, cloud-first world, Microsoft 365 E5 enables customers to digitally transform by unifying user productivity and enterprise security tools into a single suite that enables the modern workplace.
Identity & Access Mgmt
Protect users’ identities and control access to valuable resources based on user risk level
Information Protection
Ensure documents and emails are seen only by authorized people
Threat Protection
Protect against advanced threats and recover quickly when attacked
Security Management
Gain visibility and control over security tools
Introduction to Microsoft Enterprise Mobility + Security (AntonioMaio2)
Microsoft has given us some amazing capabilities with the Microsoft Enterprise Mobility + Security (EM+S) suite to help protect both our information and our investments in Office 365. This collection of features gives you just about everything you need in the Microsoft Cloud for security, compliance and Information Protection. With such a vast array of services, tools and features, it's often challenging to understand everything this product provides or how it's layered on top of existing Office 365 security controls. In this session we’ll review the capabilities available to you in Microsoft EM+S, and you'll discover which ones may best fit your security and compliance needs. Come and join us as we also dive deep into some of the most useful Microsoft EM+S tools.
Cyberspace is the new battlefield:
We’re seeing attacks on civilians and organizations from nation states. Attacks are no longer just against governments or enterprise systems directly. We’re seeing attacks against private property—the mobile devices we carry around everyday, the laptop on our desks—and public infrastructure. What started a decade-and-a-half ago as a sense that there were some teenagers in the basement hacking their way has moved far beyond that. It has morphed into sophisticated international organized crime and, worse, sophisticated nation state attacks.
Personnel and resources are limited:
According to an annual survey of 620 IT professionals across North America and Western Europe from ESG, 51% of respondents claim their organization had a shortage of cybersecurity skills, up from 23% in 2014 [1]. The security landscape is getting more complicated and the stakes are rising, but many enterprises don’t have the resources they need to meet their security needs.
Virtually anything can be corrupted:
The number of connected devices in 2018 is predicted to top 11 billion, not including computers and phones. As we connect virtually everything, anything can be disrupted. Everything from the cloud to the edge needs to be considered and protected [2].
Xylos Clients Day - Public cloud and security go hand in hand, if you approac... (Karim Vaes)
https://www.xylos.com/en/corporate/events/explore-new-digital-ways
Public cloud and security go hand in hand, if you approach it properly
The cloud is already being well used, but lots of organisations still have questions about its security. Is data protection in the cloud really optimal, or is this uncertainty justified? In this breakout session we look at the main concerns we hear from our customers. Can we build a perimeter around cloud applications? Which sectors or scenarios are not suitable for the cloud, and where in particular is it recommended? How do I get to grips with ‘shadow IT’? Do I have to manage things myself in the cloud? Does the public cloud satisfy the strictest security requirements? And what's the most secure authentication? Data protection isn't just limited to firewalls or intrusion systems, after all. The key lies in having a comprehensive security policy, and in this session we zoom in on the major components and challenges.
Speaker: Karim Vaes, Solution Architect, Xylos
BATbern48_How Zero Trust can help your organisation keep safe.pdf (BATbern)
This presentation will bring insights into how the Zero Trust framework can help organizations improve their cybersecurity posture and resilience and what the organizational challenges are.
Organizations are increasingly looking to their Internal Auditors to provide independent assurance about cyber risks and the organization's ability to defend against cyber attacks. With information technology becoming an inherent critical success factor for every business and the emerging cyber threat landscape, every internal auditor needs to equip themselves on IT audit essentials and cyber issues.
In part 12 of our Cyber Security Series you will learn about the current cyber risks and attack methods from Richard Cascarino, including:
Where are we now and Where are we going?
Current cyber risks
• Data breaches and cloud misconfigurations
• Insecure Application Programming Interfaces (APIs)
• The growing impact of AI and ML
• Malware Attack
• Single factor passwords
• Insider Threat
• Shadow IT Systems
• Crime, espionage and sabotage by rogue nation-states
• IoT
• CCPA and GDPR
• Cyber attacks on utilities and public infrastructure
• Shift in attack vectors
Get Ahead of Cyber Attacks with Microsoft Enterprise Mobility + Security (David J Rosenthal)
Digital transformation with freedom and peace of mind
Holistic, identity-driven protection
Help guard your data from attacks on multiple levels using innovative, identity-driven security techniques.
Productivity without compromise
Preserve the mobile and desktop experiences your workers need to stay working with familiar apps and tools.
Flexible, comprehensive solutions
Do more with less—protect users, devices, apps, and data with intuitive mobile management on a future-ready platform.
microsoft@atidan.com
Embracing secure, scalable BYOD with Sencha and Centrify (Sumana Mehta)
Scalable enterprise mobility solutions: How to give your employees tools they need without sacrificing user experience and security.
Consumerization of IT and BYOD are here, and it’s a GOOD thing. Today's dynamic workplaces and hyper-competitive markets drive demand for more mobile productivity solutions. Nearly 70% of enterprise employees report making better decisions, being more productive and being happier if they are allowed to use mobile devices and cloud-based tools. Yet IT organizations often resist these trends because of the cost and risk associated with a multi-platform, multi-device ecosystem having access to corporate data and resources.
In this webinar, product experts from Sencha and Centrify will help your organization embrace BYOD and SaaS in a cost-effective, scalable way. Sencha Space is an advanced platform for securely deploying mobile apps and delivering a consistent, elegant, mobile user experience to end-users. Users can launch any mobile web app, or HTML5 app in a secure, managed environment. Combining Space with secure, Active Directory- or Cloud-Based Identity and Access Management (IAM) from Centrify gives IT visibility and control over mobile platforms and SaaS / in-house apps while improving user experience and reducing security risk.
Modern enterprises are becoming increasingly mobile, as employees are more and more able to do their work without coming into the office. How can an organisation keep control of its data in this new situation and ensure the security of its users and devices?
Speaker: Tõnis Tikerpäe
IT organizations are looking to cloud automation for its opportunities for their infrastructures and are finding a solution to the madness. Cloud management services allow for predictability and adaptability — both valuable properties of infrastructure agility. Cloud computing shoulders some of the burden for IT professionals in offering scalability and adjustability, all while being cost effective. In doing so, cloud services have the capabilities for you to fight planned obsolescence.
Fragments - Plug the vulnerabilities in your App (Appsecco)
Appsecco presented on the common mistakes that developers make when building mobile apps.
This session covered how these mistakes make your app vulnerable to attack and abuse, and how an attacker perceives the security of a mobile app.
https://youtu.be/EzC86gWVPZk
Maximize your cloud app control with Microsoft MCAS and Zscaler (Zscaler)
Are you using or ready to deploy Microsoft Cloud App Security (MCAS)? While having CASB visibility and control is key to a good cloud app strategy, it is only as good as the traffic it can see. Zscaler and Microsoft have partnered to deliver key MCAS integrations that help you confidently embrace cloud apps and minimize the risks associated with unsanctioned apps.
Maximize your cloud app control with Microsoft MCAS and Zscaler (Ankit Dua)
Are you using or ready to deploy Microsoft Cloud App Security (MCAS)? While having CASB visibility and control is key to a good cloud app strategy, it is only as good as the traffic it can see. Zscaler and Microsoft have partnered to deliver key MCAS integrations that help you confidently embrace cloud apps and minimize the risks associated with unsanctioned apps.
Eric Golpe. Security, privacy, and compliance concerns can be significant hurdles to cloud adoption. Azure can help customers move to the cloud with confidence by providing a trusted foundation, demonstrating compliance with security standards, and making strong commitments to safeguard the privacy of customer data. This presentation will educate you in the fundamentals of Azure security as they pertain to the Cortana Analytics Suite, including capabilities in place for threat defense, network security, access control, and data protection as well as data privacy and compliance. Go to https://channel9.msdn.com/ to find the recording of this session.
SaaS and Cloud applications have been a huge help to businesses across the world, enabling organisations to be more productive and reducing the workload for IT departments providing complex systems – however, there is a hitch. Even though they can help individuals and departments, these systems, if they are not known about or managed, can cause serious problems for compliance, security, and bring unexpected costs.
These types of applications which are unknown to the IT department are often referred to as Shadow IT. Finding what SaaS / Cloud apps are in play is not an easy task as there are over 14,000 of them. Understanding more about what they do, how much they cost and who is using them is something every IT manager needs to get to grips with.
Build a complete security operations and compliance program using a graph dat... (Erkang Zheng)
Attackers think in graphs; defenders operate with lists. That’s why attackers win.
What if we could have a graph-based, data-driven security and compliance platform that can:
· intelligently analyze my environment,
· automatically keep up with the constant changes,
· help us understand and navigate that complexity, and
· manage compliance in a data-driven, continuous way.
This presentation describes how my security team built our security operations and automated compliance evidence collection using a graph database. There are also actual screenshots from the JupiterOne platform showing the discovery of thousands of assets from connected AWS accounts and other cloud providers; the configuration analysis of these resources; the query and search with graphs to visualize the relevant relationships; as well as the alerts, findings, and compliance mapping. All without the need for additional 3rd-party solutions.
3. Enterprise-class technology
Identity & access management: secure identities to reach zero trust
Security management: strengthen your security posture with insights and guidance
Threat protection: help stop damaging attacks with integrated and automated security
Information protection: locate and classify information anywhere it lives
Infrastructure security
14. Discovery of Shadow IT across SaaS, IaaS and PaaS (Cloud App Discovery)
Discover cloud usage across all locations (HQ, branches, remote, ...)
Understand the risk of your SaaS apps: risk assessment for 16,000+ cloud apps based on 70+ security and compliance risk factors
Analyze usage patterns: understand the usage patterns and identify high-risk, high-volume users by examining traffic data, top users and IP addresses, and app categories
Block risky and unsanctioned apps: using native and programmatic integration with leading SWGs and proxies
Continuous monitoring: be alerted when new, risky or high-volume apps are discovered
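A worked illustration of the discovery pipeline this slide describes, added here as an example (it is not Microsoft's code and not part of the deck): it parses a few constructed proxy log lines, maps each destination to a constructed app catalogue carrying a risk score and a sanctioned flag, aggregates traffic per app, user and IP, and raises the three alert kinds the slide names (risky unsanctioned apps, high-volume users on them, and apps not seen in the previous snapshot). The log format, catalogue, hostnames and thresholds are all assumptions made for the example.

```python
"""Toy Shadow IT discovery over proxy logs (added example, not Microsoft's code).

Pipeline mirrored from the slide: collect firewall/proxy logs, map destinations
to catalogued apps with a risk score, aggregate usage by app/user/IP, and alert
on unsanctioned or newly seen high-volume apps. Everything below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

# Constructed proxy log lines: timestamp user src_ip dest_host bytes_sent bytes_received
SAMPLE_LOGS = """\
2024-03-01T09:00:01Z alice 10.1.1.5 sharepoint.contoso.example 20480 512000
2024-03-01T09:02:10Z bob 10.1.1.9 files.quickshare.example 734003200 2048
2024-03-01T09:03:44Z carol 10.2.0.7 files.quickshare.example 10240 4096
2024-03-01T09:05:00Z alice 10.1.1.5 chat.anonpaste.example 5242880 1024
2024-03-01T09:06:30Z dave 10.3.0.2 sharepoint.contoso.example 4096 102400
2024-03-01T09:07:12Z bob 10.1.1.9 unknown-cdn.example 1024 8192
"""

# Constructed app catalogue: the real service scores 16,000+ apps on 70+ factors;
# here each entry is (display name, 0-10 risk score, sanctioned flag).
APP_CATALOG = {
    "sharepoint.contoso.example": ("SharePoint Online", 9, True),
    "files.quickshare.example": ("QuickShare", 3, False),
    "chat.anonpaste.example": ("AnonPaste", 1, False),
}


@dataclass
class AppUsage:
    name: str
    risk: Optional[int]          # None for hosts the catalogue does not know
    sanctioned: bool
    users: set = field(default_factory=set)
    ips: set = field(default_factory=set)
    bytes_sent: int = 0
    sent_by_user: dict = field(default_factory=lambda: defaultdict(int))


def parse_log(text):
    """Yield (user, ip, host, bytes_sent); malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        _ts, user, ip, host, sent, _recv = parts
        try:
            yield user, ip, host, int(sent)
        except ValueError:
            continue


def discover(text, catalog=APP_CATALOG):
    """Aggregate usage per app; unknown hosts become 'Uncategorized (<host>)'."""
    usage = {}
    for user, ip, host, sent in parse_log(text):
        name, risk, sanctioned = catalog.get(host, (f"Uncategorized ({host})", None, False))
        app = usage.setdefault(name, AppUsage(name, risk, sanctioned))
        app.users.add(user)
        app.ips.add(ip)
        app.bytes_sent += sent
        app.sent_by_user[user] += sent
    return usage


def alerts(usage, known_apps, max_risk=5, volume_mb=100):
    """Three policies from the slide: risky unsanctioned apps, high-volume users
    uploading to unsanctioned apps, and apps absent from the previous snapshot."""
    found = []
    for app in usage.values():
        if not app.sanctioned and app.risk is not None and app.risk <= max_risk:
            found.append(("risky_unsanctioned_app", app.name))
        if app.name not in known_apps:
            found.append(("new_app_discovered", app.name))
        for user, sent in app.sent_by_user.items():
            if not app.sanctioned and sent >= volume_mb * 1024 * 1024:
                found.append(("high_volume_user", f"{user}->{app.name}"))
    return sorted(found)


if __name__ == "__main__":
    usage = discover(SAMPLE_LOGS)
    for app in usage.values():
        print(f"{app.name:38} risk={app.risk} sanctioned={app.sanctioned} "
              f"users={len(app.users)} MB_sent={app.bytes_sent / 2**20:.1f}")
    for kind, subject in alerts(usage, known_apps={"SharePoint Online", "QuickShare"}):
        print(f"ALERT {kind}: {subject}")
```

Unknown hosts are deliberately not scored as risky: with no catalogue data the honest output is "uncategorized, newly seen", which is a triage queue rather than a verdict.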
15. Discovery architecture with Microsoft Defender ATP
[Diagram labels: Firewall / Proxy; Log collector; User, IP address, Machine; Microsoft Cloud App Security portal; Endpoints; Shadow IT; Microsoft Defender ATP]
27. Protect your files and data in the cloud
Data is ubiquitous and you need to make it accessible and collaborative, while safeguarding it.
Understand your data and exposure in the cloud
• Connect your apps via our API-based App Connectors
• Visibility into sharing level, collaborators and classification labels
• Quantify over-sharing exposure, external and compliance risks
Classify and protect your data no matter where it’s stored
• Govern data in the cloud with granular DLP policies
• Leverage Microsoft’s IP capabilities for classification
• Extend on-prem DLP solutions
• Automatically protect and encrypt your data using Azure Information Protection
Monitor, investigate and remediate violations
• Create policies to generate alerts and trigger automatic governance actions
• Identify policy violations
• Investigate incidents and related activities
• Quarantine files, remove permissions and notify users
28. Detect and remediate overexposed files and anomalies
Create policies to generate alerts and trigger automatic governance actions
Be notified to identify and investigate policy violations and related activities
Automatically remediate with built-in actions incl. notify owner, notify admin, make private, quarantine, etc.
Automatically label and protect existing sensitive information and when new files are uploaded
29. Key differentiators via the Microsoft Information Protection approach
Unified labelling with Microsoft Information Protection: streamlined experience across O365 DLP, AIP and MCAS
90 built-in sensitive information types you can choose from
Custom sensitive information types using regex, keywords and large dictionaries
Leverage Microsoft or 3rd-party DLP engines for classification
Leverage AIP labels
32. Context-aware session policies (Conditional Access App Control)
Control access to cloud apps and sensitive data within apps based on user, location, device, and app
SAML, OpenID Connect and on-prem apps: support for Microsoft and non-Microsoft web apps, including on-prem apps onboarded via Azure AD App Proxy
Enforce granular monitoring & control for risky user sessions
Data exfiltration:
• Block download, apply AIP label on download
• Block print
• Block copy/cut
• Block custom activities (e.g., IMs with sensitive content)
Data infiltration:
• Block upload
• Block paste
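To make the decision inputs and controls on this slide concrete, here is a small session-policy evaluator, added as an example (it is not Microsoft's code and does not model the real policy engine). Each rule names the conditions it matches on (app, group, unmanaged device, untrusted location, minimum session risk) and the controls it adds; all matching rules are combined by union, so adding a rule can only tighten a session, and a download block takes precedence over labelling on download since nothing is downloaded. The rule fields, group names, app names and risk levels are constructed for the example.

```python
"""Toy evaluator for context-aware session policies (added example; not
Microsoft's code or its real policy engine). Rule fields and sample data
are constructed for illustration."""
from dataclasses import dataclass

# Session risk as handed over by Conditional Access (constructed scale).
RISK = {"low": 0, "medium": 1, "high": 2}


@dataclass(frozen=True)
class Session:
    user: str
    groups: frozenset
    app: str
    device_managed: bool
    trusted_location: bool
    risk: str = "low"


@dataclass(frozen=True)
class Rule:
    name: str
    controls: frozenset
    apps: frozenset = frozenset()       # empty = any app
    groups: frozenset = frozenset()     # empty = any group
    unmanaged_device_only: bool = False
    untrusted_location_only: bool = False
    min_risk: str = "low"

    def matches(self, s):
        if self.apps and s.app not in self.apps:
            return False
        if self.groups and not (self.groups & s.groups):
            return False
        if self.unmanaged_device_only and s.device_managed:
            return False
        if self.untrusted_location_only and s.trusted_location:
            return False
        return RISK[s.risk] >= RISK[self.min_risk]


def evaluate(rules, session):
    """Return (controls, names of matched rules). Controls are the union of all
    matching rules; 'apply_label_on_download' is dropped when downloads are blocked."""
    controls, hits = set(), []
    for r in rules:
        if r.matches(session):
            controls |= r.controls
            hits.append(r.name)
    if "block_download" in controls:
        controls.discard("apply_label_on_download")
    return frozenset(controls), hits


ALL_BLOCKS = frozenset({"block_download", "block_print", "block_copy",
                        "block_upload", "block_paste"})

# Constructed policy set covering both the exfiltration and infiltration controls.
POLICIES = [
    Rule("unmanaged-no-exfiltration",
         frozenset({"block_download", "block_print", "block_copy"}),
         unmanaged_device_only=True),
    Rule("unmanaged-no-infiltration",
         frozenset({"block_upload", "block_paste"}),
         unmanaged_device_only=True),
    Rule("finance-label-downloads",
         frozenset({"apply_label_on_download"}),
         groups=frozenset({"finance"}), apps=frozenset({"SharePoint Online"})),
    Rule("untrusted-location-no-upload",
         frozenset({"block_upload"}),
         untrusted_location_only=True),
    Rule("high-risk-read-only", ALL_BLOCKS, min_risk="high"),
]


if __name__ == "__main__":
    for s in [
        Session("alice", frozenset({"finance"}), "SharePoint Online", True, True),
        Session("bob", frozenset({"finance"}), "SharePoint Online", False, True),
        Session("carol", frozenset({"eng"}), "Salesforce", True, False),
        Session("carol", frozenset({"eng"}), "Salesforce", True, True, "high"),
    ]:
        controls, hits = evaluate(POLICIES, s)
        print(f"{s.user:6} {s.app:18} managed={s.device_managed} "
              f"trusted={s.trusted_location} risk={s.risk}: {sorted(controls)} via {hits}")
```

The union rule is the design point worth taking away: a policy engine that lets a later, more permissive rule override an earlier block would turn every new rule into a potential hole, whereas union-of-controls keeps the set of rules monotonic and easy to audit.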
33. Key differentiators to optimize the admin and end-user experience
Unique integration with Azure AD Conditional Access: selective routing to MCAS based on the session risk determined by Conditional Access, to optimize end-user productivity
Simple deployment: built-in policies that can be configured directly within the Azure AD portal for an easy deployment
Control your on-prem apps: with the same powerful real-time controls, by integrating them with Azure AD Application Proxy
Worldwide Azure datacenter infrastructure: MCAS leverages Azure data centers across the world to optimize performance and user experience
47. The challenge of securing your environment
The digital estate offers a very broad surface area that is difficult to secure
Bad actors are using increasingly creative and sophisticated attacks
Intelligent correlation and action on signals is difficult, time-consuming, and expensive
48. Identity Security – Covering your environment
Cloud identity threats: Azure AD Identity Protection
On-premises identity threats: Azure ATP
Application sessions: Microsoft Cloud App Security
Azure AD & ADFS
49. On-premises activities – via Azure ATP
Cloud activities – via Azure AD IP, Office 365 and MCAS
58. User Investigation Priority
Example: user investigation priority distribution at a 200k+ employee organization
[Chart: "Users / Score Distribution"; x-axis: scores; y-axis: number of users, 0 to 160,000]
59. Identify abnormal activities by analyzing the behavior of users, peers and the entire organization
• Login to devices
• Access to on-premises resources
• Remote connections to servers
• Access to cloud applications
• Usage of SharePoint Online sites
• User agent, location & ISP analytics
• Mailbox behavior
• Failed logins behavior
60. Suspicious Activity: how does it work?
Suspicious
Has this user accessed this server before?
Is the ‘finance server’ accessed by many users in the organization?
Do the peers of this user log in to this server?
Normal
Does this user have a usual pattern of logons to servers?
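The four questions on this slide can be turned into a small scoring routine. The following is an added example written for this page, not Microsoft's detection logic: it builds a baseline from a constructed logon history and constructed peer groups, answers each question for a new logon, and sums the answers into a score with a threshold. The weights, the 50% "used by many" cut-off and the threshold of 6 are assumptions chosen to make the sample cases readable.

```python
"""Peer- and organization-baseline scoring for server logons.

Added example for the questions on the slide above; this is not Microsoft's
detection logic. The logon history and peer groups below are constructed.
"""
from collections import defaultdict

# Constructed history of successful logons as (user, server) pairs.
HISTORY = [
    ("alice", "file-srv-01"), ("alice", "file-srv-01"), ("alice", "print-srv"),
    ("bob", "file-srv-01"), ("bob", "finance-srv"), ("bob", "finance-srv"),
    ("carol", "finance-srv"), ("carol", "file-srv-01"),
    ("dave", "dev-srv"), ("dave", "dev-srv"), ("dave", "build-srv"),
    ("erin", "file-srv-01"),
]

# Constructed peer groups (in practice derived from the org chart or shared
# group membership); peers are assumed to be symmetric here.
PEERS = {
    "alice": {"erin"},
    "bob": {"carol"},
    "carol": {"bob"},
    "dave": set(),
    "erin": {"alice"},
}


def build_baseline(history):
    """Index the history both ways: which servers each user touches and
    which users touch each server."""
    user_servers = defaultdict(set)
    server_users = defaultdict(set)
    for user, server in history:
        user_servers[user].add(server)
        server_users[server].add(user)
    return user_servers, server_users


def score_logon(user, server, user_servers, server_users, peers, org_size):
    """Answer the four questions from the slide for one new logon and turn
    the answers into a score (higher = more suspicious) plus the reasons."""
    reasons = []
    score = 0
    users_of_server = server_users.get(server, set())
    servers_of_user = user_servers.get(user, set())

    # Has this user accessed this server before?
    if server not in servers_of_user:
        score += 3
        reasons.append("first access to this server by this user")

    # Is the server accessed by many users in the organization?
    share = len(users_of_server) / org_size
    if share < 0.5:
        score += 2
        reasons.append(f"server is used by only {share:.0%} of the organization")

    # Do the peers of this user log in to this server?
    if not (peers.get(user, set()) & users_of_server):
        score += 2
        reasons.append("none of the user's peers use this server")

    # Does this user have a usual pattern of logons to many servers?
    # (administrators and support staff normally do, which lowers the score)
    if len(servers_of_user) >= 3:
        score -= 1
        reasons.append("user routinely logs on to many servers")

    return score, reasons


def classify(score, threshold=6):
    """Map a score to the slide's two labels."""
    return "suspicious" if score >= threshold else "normal"


if __name__ == "__main__":
    user_servers, server_users = build_baseline(HISTORY)
    org_size = len(user_servers)
    for user, server in [("alice", "finance-srv"), ("carol", "finance-srv"),
                         ("dave", "file-srv-01")]:
        score, reasons = score_logon(user, server, user_servers, server_users,
                                     PEERS, org_size)
        print(f"{user} -> {server}: {classify(score)} (score {score}); "
              + "; ".join(reasons))
```

With this data, alice reaching the finance server scores 7 (first access, rarely used server, no peer uses it) and is flagged, while carol reaching the same server scores 2 because she has used it before and her peer bob does too; dave's first logon to the file server everyone uses scores 5 and stays below the threshold, which is the point of the "accessed by many users" question.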
61. Investigation Priority Feedback
True positives discovered:
• Compromised service account exposed resources; this was not detected by ATP products. Filtering by activities with investigation priority helped sort and find compromised resources.
• User was found to be compromised (custom policy inbox FW rule). When we reviewed the case we noticed that the first activities by the adversary would have been flagged (by User agent + ISP).
69. Enterprise Integrations
Export alerts and activities to your SIEM
Better protect your cloud applications while maintaining your usual security workflow, automating security procedures and correlating between cloud-based and on-premises events.
Automate processes via API or PowerShell
Create your own applications using programmatic access to Cloud App Security data and actions through REST API endpoints.
External DLP solution
Integrate with existing DLP solutions to extend these controls to the cloud while preserving a consistent and unified policy across on-premises and cloud activities.
Security workflow automation with Microsoft Flow
Centralized alert automation and orchestration of custom workflows using the ecosystem of connectors in Microsoft Flow. Enables routing alerts to ticketing systems (e.g. ServiceNow), gathering end user input for alert investigation, and getting approval from a SOC operator to execute an action or apply additional security controls.
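The SIEM point above, correlating cloud alerts with on-premises events, is illustrated by the following added example. It is not the MCAS SIEM agent or its output format: the alert and event records are constructed, the vendor and product strings in the CEF header are placeholders, and the code assumes the UPN's local part matches the on-premises account name so that the two sources can be joined.

```python
"""Correlate cloud alerts with on-premises events and emit them as CEF lines
for a SIEM.

Added example; it is not the MCAS SIEM agent or its output format. The alert
and event records are constructed, and the vendor/product strings in the CEF
header are placeholders.
"""
from datetime import datetime, timedelta, timezone

# Constructed cloud alerts (record shape chosen for this example).
CLOUD_ALERTS = [
    {"id": "A-1", "title": "Impossible travel activity", "severity": "Medium",
     "user": "bob@contoso.example", "ip": "203.0.113.10",
     "timestamp": "2022-03-01T09:15:00Z"},
    {"id": "A-2", "title": "Suspicious inbox forwarding", "severity": "High",
     "user": "carol@contoso.example", "ip": "198.51.100.7",
     "timestamp": "2022-03-01T11:40:00Z"},
]

# Constructed on-premises security events (Windows event IDs: 4625 = failed
# logon, 4624 = successful logon).
ONPREM_EVENTS = [
    {"timestamp": "2022-03-01T09:05:00Z", "user": "bob", "event_id": 4625, "host": "dc01"},
    {"timestamp": "2022-03-01T09:07:00Z", "user": "bob", "event_id": 4625, "host": "dc01"},
    {"timestamp": "2022-03-01T08:00:00Z", "user": "carol", "event_id": 4624, "host": "ws-17"},
]

SEVERITY_TO_CEF = {"Low": 3, "Medium": 6, "High": 9}


def parse_ts(value):
    """Parse the ISO 8601 UTC timestamps used in the constructed records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def correlate(alert, events, window=timedelta(minutes=30)):
    """On-prem events for the same account within +/- window of the alert.
    Assumes the UPN's local part equals the on-prem account name."""
    account = alert["user"].split("@", 1)[0]
    when = parse_ts(alert["timestamp"])
    return [e for e in events
            if e["user"] == account
            and abs(parse_ts(e["timestamp"]) - when) <= window]


def cef_escape_header(text):
    """CEF header fields escape backslash and pipe."""
    return text.replace("\\", "\\\\").replace("|", "\\|")


def cef_escape_ext(text):
    """CEF extension values escape backslash and equals sign."""
    return text.replace("\\", "\\\\").replace("=", "\\=")


def to_cef(alert, related):
    """Build one CEF line:
    CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension"""
    sev = SEVERITY_TO_CEF[alert["severity"]]
    hosts = ",".join(sorted({e["host"] for e in related}))
    # rt is the receipt time in milliseconds since the epoch.
    rt_ms = int(parse_ts(alert["timestamp"]).timestamp() * 1000)
    extension = " ".join([
        f"rt={rt_ms}",
        f"suser={cef_escape_ext(alert['user'])}",
        f"src={alert['ip']}",
        f"cs1Label=relatedOnPremEvents cs1={len(related)}",
        f"cs2Label=relatedHosts cs2={cef_escape_ext(hosts)}",
    ])
    header = "|".join([
        "CEF:0", "ExampleVendor", "CloudAlertForwarder", "1.0",
        cef_escape_header(alert["id"]), cef_escape_header(alert["title"]), str(sev),
    ])
    return header + "|" + extension


def forward_all(alerts=CLOUD_ALERTS, events=ONPREM_EVENTS):
    """Return the CEF lines a forwarder would hand to its SIEM transport."""
    return [to_cef(a, correlate(a, events)) for a in alerts]


if __name__ == "__main__":
    for line in forward_all():
        print(line)
```

The value of the join shows in the first alert: the impossible-travel sign-in is preceded by two failed domain logons for the same account within the 30-minute window, so the SIEM receives a line with `cs1=2` and the domain controller's name, which an analyst can pivot on directly instead of querying two consoles.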
70. Automating Security Workflows with MS Flow
Centralized alert automation and orchestration of custom workflows
Automate the triage of alerts
Enables an ecosystem of connectors in Microsoft Flow, incl. >100 3rd party connectors such as Jira, ServiceNow, and DocuSign
Out-of-the-box and custom workflow playbooks that work with the systems of your choice
Predefined governance options when creating policies
71. Open incident in ticketing system & populate with alert attributes
Request user input to provide context during alert investigation
Get admin approval to execute remediation action
73. Configuration steps
• Create an API token in Microsoft Cloud App Security
• Create an MCAS connection in Flow
• Create a Flow starting with the Microsoft Cloud App Security Trigger
• In the MCAS console, assign the Flow to a policy
74. Sample automation scenarios
1. Route alerts to ticketing systems such as Jira or ServiceNow
2. Route alerts to different SOC teams based on the geography of the user
3. Request input from a user's manager to triage an alert
4. Request user input to decide how to triage an alert
5. Block unsanctioned apps on the firewall using CAS discovery alerts
6. Get admin approval to execute a remediation action
7. Disable the user in AAD and in on-prem Active Directory based on suspicious alerts
8. Remove a malicious forwarding inbox rule in Exchange Online
9. Automatically dismiss “unusual location” alerts when a user has the OOF message set to “On”
10. MCAS alert triggers an antivirus scan in Microsoft Defender ATP
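Several of these scenarios are decisions that a flow makes from the alert plus directory data, and the following added example expresses them as plain triage logic: route by the user's geography (scenario 2), auto-dismiss "unusual location" alerts when the user's out-of-office message is on (scenario 9), open a ticket populated with alert attributes (scenario 1) and hold the inbox-rule remediation for admin approval (scenarios 6 and 8). It is not Microsoft Flow or MCAS code; the directory, the SOC team map and the alert shape are constructed, and in a real flow the country and OOF state would come from the Azure AD and Exchange Online connectors.

```python
"""Alert triage logic for some of the sample automation scenarios.

Added example, not Microsoft Flow or MCAS code. The directory, team map and
alerts below are constructed; the alert record shape is an assumption.
"""

# Constructed directory data (country and out-of-office state per user).
DIRECTORY = {
    "bob@contoso.example":   {"country": "DE", "oof": True},
    "carol@contoso.example": {"country": "US", "oof": False},
}

# Constructed mapping from country to SOC team (scenario 2).
SOC_TEAMS = {"US": "soc-americas", "CA": "soc-americas",
             "DE": "soc-emea", "FR": "soc-emea", "JP": "soc-apac"}
DEFAULT_TEAM = "soc-global"

# Alert types whose remediation a SOC admin must approve first (scenario 6),
# with the remediation step that would be executed after approval.
NEEDS_APPROVAL = {
    "Suspicious inbox forwarding": "remove forwarding inbox rule in Exchange Online",
}

# Constructed alerts used by the demo run at the bottom.
SAMPLE_ALERTS = [
    {"id": "A-10", "title": "Unusual location", "severity": "Low",
     "user": "bob@contoso.example", "ip": "203.0.113.10",
     "timestamp": "2022-03-01T09:15:00Z"},
    {"id": "A-11", "title": "Suspicious inbox forwarding", "severity": "High",
     "user": "carol@contoso.example", "ip": "198.51.100.7",
     "timestamp": "2022-03-01T11:40:00Z"},
    {"id": "A-12", "title": "Unusual location", "severity": "Low",
     "user": "carol@contoso.example", "ip": "192.0.2.44",
     "timestamp": "2022-03-01T12:05:00Z"},
]


def route_by_geography(user_info):
    """Scenario 2: pick the SOC team from the user's country."""
    return SOC_TEAMS.get(user_info.get("country"), DEFAULT_TEAM)


def should_auto_dismiss(alert, user_info):
    """Scenario 9: an "unusual location" alert for a user whose
    out-of-office message is on is treated as expected travel."""
    return (alert["title"].lower().startswith("unusual location")
            and bool(user_info.get("oof", False)))


def ticket_payload(alert, team):
    """Scenario 1: the fields a ticketing connector would be given."""
    return {
        "summary": f"[{alert['severity']}] {alert['title']} - {alert['user']}",
        "assignment_group": team,
        "alert_id": alert["id"],
        "source_ip": alert.get("ip"),
        "occurred_at": alert["timestamp"],
        "labels": ["cloud-app-security", alert["severity"].lower()],
    }


def triage(alert, directory=DIRECTORY):
    """Decide what the flow does with one alert and return that decision."""
    info = directory.get(alert["user"], {})
    if should_auto_dismiss(alert, info):
        return {"action": "dismiss",
                "reason": "user is out of office; unusual location expected"}
    team = route_by_geography(info)
    decision = {"action": "open_ticket", "team": team,
                "ticket": ticket_payload(alert, team)}
    if alert["title"] in NEEDS_APPROVAL:
        decision["remediation"] = {"step": NEEDS_APPROVAL[alert["title"]],
                                   "status": "awaiting admin approval"}
    return decision


if __name__ == "__main__":
    for alert in SAMPLE_ALERTS:
        print(alert["id"], triage(alert))
```

Keeping the decision as data (the returned dictionary) rather than performing the side effects inside the function is what makes the playbook testable and lets the same logic drive different connectors, which is the "work with the systems of your choice" point from slide 70.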
78. External Admins – Managed Security Service Provider (MSSP)
• MCAS is enabled for external Managed Security Service Providers (MSSPs) to act as administrators
• MSSPs can be assigned any of the available admin roles
For MSSPs
• Ability to provide services across multiple customer tenants
• Ability to easily switch between tenants within the portal (see image)
82. Top 10 CASB use cases you should think about
1. Discover the cloud apps and services used in your organization
2. Assess the risk and compliance of all cloud apps
3. Govern access to discovered cloud apps and explore enterprise-ready alternatives
4. Discover OAuth apps with access to your environment
5. Gain visibility into all corporate data stored in the cloud apps and understand your exposure
6. Enforce DLP and compliance policies for sensitive data stored in your cloud apps
7. Protect data downloaded to unmanaged devices
8. Detect compromised user and admin accounts, and identify insider threats
9. Detect and remediate malware in your cloud apps
10. Audit the configuration of your IaaS environments
83. Next steps
Sign up for a Microsoft Cloud App Security trial.
Upload a log file from your network firewall or enable logging via Microsoft Defender ATP to discover Shadow IT in your network and assess the risks of detected cloud apps.
Connect your cloud apps to Microsoft Cloud App Security to detect suspicious user activity and exposed sensitive data.
Enable out-of-the-box anomaly detection policies and start detecting cloud threats in your environment.
Continue with more advanced use cases across Information Protection, Compliance and more.