MICROSOFT CLOUD APP SECURITY
Sebastien Molendijk, Senior Program Manager
Enterprise-class technology
Identity & access management: Secure identities to reach zero trust
Threat protection: Help stop damaging attacks with integrated and automated security
Information protection: Locate and classify information anywhere it lives
Security management: Strengthen your security posture with insights and guidance
Infrastructure security
01 CLOUD ACCESS SECURITY BROKERS
Cloud services require a new approach to security
Top CASB use cases (app logos shown: Box, YouTube, Twitter, Office 365, AWS, Facebook, Dropbox, Salesforce, Azure)
02 MICROSOFT CLOUD APP SECURITY
(Logos shown: Office 365, Microsoft Teams)
03 DISCOVERING AND ASSESSING THE RISK OF SHADOW IT
Shadow IT management lifecycle
Cloud App Discovery
Discovery of Shadow IT across SaaS, IaaS and PaaS: Discover cloud usage across all locations (HQ, branches, remote...)
Understand the risk of your SaaS apps: Risk assessment for 16,000+ cloud apps based on 70+ security and compliance risk factors
Analyze usage patterns: Understand the usage patterns and identify high-risk, high-volume users by understanding traffic data, top users and IP addresses, and app categories
Block risky and unsanctioned apps: Using native and programmatic integration with leading SWGs and proxies
Continuous monitoring: Be alerted when new, risky or high-volume apps are discovered
DISCOVERY ARCHITECTURE WITH MICROSOFT DEFENDER ATP
(Architecture diagram; components shown: Shadow IT, Firewall / Proxy, Log collector, User endpoints, IP address, Machine, Microsoft Defender ATP, Microsoft Cloud App Security portal)
Cloud Discovery with Microsoft Defender ATP
Native, endpoint-based Discovery of Shadow IT: Discovery of cloud apps beyond the corporate network from any Windows 10 machine
Single-click enablement
Machine-based Discovery: Deep-dive investigation in Windows Defender ATP
1-click deployment with Microsoft Defender ATP
User education when attempting to access a non-trusted app
Shadow IT Discovery for IaaS and PaaS services
Shadow IT Discovery for IaaS and PaaS services – Drill down
Shadow IT Discovery deployment options

Deployment method | Automatic log upload | Checkbox deployment | Supported platforms | Device-based Discovery | Off-network Discovery | Inline blocking of apps | Deployment complexity
Log file (Snapshot report) | No | No | Any | No | No | No | Medium
Log collector | Yes | No | Any | No | No | No | Medium
Windows Defender ATP | Yes | Yes | Windows (Mac coming in H1 2019) | Yes | Yes | 2019 | Low
Zscaler | Yes | No | Any | No | Yes | Yes | Low
iboss | Yes | No | Any | No | Yes | Yes | Low
DEMO DISCOVERY
02 PROTECTING YOUR INFORMATION
Protect your files and data in the cloud
Data is ubiquitous and you need to make it accessible and collaborative, while safeguarding it.
Understand your data and exposure in the cloud:
• Connect your apps via our API-based App Connectors
• Visibility into sharing level, collaborators and classification labels
• Quantify over-sharing exposure, external and compliance risks
Classify and protect your data no matter where it’s stored:
• Govern data in the cloud with granular DLP policies
• Leverage Microsoft’s IP capabilities for classification
• Extend on-prem DLP solutions
• Automatically protect and encrypt your data using Azure Information Protection
Monitor, investigate and remediate violations:
• Create policies to generate alerts and trigger automatic governance actions
• Identify policy violations
• Investigate incidents and related activities
• Quarantine files, remove permissions and notify users
Detect and remediate overexposed files and anomalies
• Create policies to generate alerts and trigger automatic governance actions
• Be notified to identify and investigate policy violations and related activities
• Automatically remediate with built-in actions incl. notify owner, notify admin, make private, quarantine, etc.
• Automatically label and protect existing sensitive information and new files when they are uploaded
Key differentiators via the Microsoft Information Protection approach
• Unified labelling with Microsoft Information Protection: streamlined experience across O365 DLP, AIP and MCAS
• 90 built-in sensitive information types you can choose from
• Custom sensitive information types using regex, keywords and large dictionaries
• Leverage Microsoft or 3rd-party DLP engines for classification
• Leverage AIP labels
DEMO INFORMATION PROTECTION
03 ENABLING REAL-TIME INFORMATION PROTECTION
Conditional Access App Control
Context-aware session policies: Control access to cloud apps and sensitive data within apps based on user, location, device, and app
SAML, OpenID Connect, & on-prem apps: Support for Microsoft and non-Microsoft web apps, including on-prem apps onboarded via Azure AD App Proxy
Enforce granular monitoring & control for risky user sessions
Data exfiltration:
• Block download, apply AIP label on download
• Block print
• Block copy/cut
• Block custom activities (e.g., IMs with sensitive content)
Data infiltration:
• Block upload
• Block paste
Key differentiators to optimize the admin and end-user experience
• Unique integration with Azure AD Conditional Access: Selective routing to MCAS based on the session risk determined by Conditional Access, to optimize end-user productivity
• Simple deployment: Built-in policies that can be configured directly within the Azure AD portal for an easy deployment
• Control your on-prem apps: With the same powerful real-time controls, by integrating them with Azure AD Application Proxy
• Worldwide Azure datacenter infrastructure: MCAS leverages Azure data centers across the world to optimize performance and user experience
(Diagram: Cloud apps & services)
Exemplary use case: Prevent download of sensitive files from an unmanaged device (Any app; Config: Unmanaged)
DEMO PROTECTING YOUR INFORMATION IN REAL-TIME
04 THREAT PROTECTION IN THE CLOUD
Inbound phishing attacks
Detections across cloud apps and sessions
Malware Detection
The challenge of securing your environment
• Bad actors are using increasingly creative and sophisticated attacks
• The digital estate offers a very broad surface area that is difficult to secure
• Intelligent correlation and action on signals is difficult, time-consuming, and expensive
Identity Security – Covering your environment
• Azure AD Identity Protection: Cloud identity threats (Azure AD & ADFS)
• Azure ATP: On-premises identity threats
• Microsoft Cloud App Security: Application sessions
Cloud activities – via Azure AD IP, Office 365 and MCAS; On-premises activities – via Azure ATP
M365 UEBA - Overview
USER INVESTIGATION PRIORITY | ABNORMAL USER ACTIVITIES | ALERTS | CONTEXT
User Investigation Priority Total user risk for investigation priority – reflecting security alerts, abnormal activities and user impact
User’s investigation priority Suspicious activities Alerts
Identify top users to investigate How abnormal is this user’s behavior?
User Investigation Priority: users / score distribution (chart; x-axis: scores, y-axis: number of users, 0 to 160,000). Example: user investigation priority distribution at a 200k+ employee organization.
Identify abnormal activities by analyzing the behavior of users, peers and the entire organization
• Login to devices
• Access to on-premises resources
• Remote connections to servers
• Access to cloud applications
• Usage of SharePoint Online sites
• User agent, location & ISP analytics
• Mailbox behavior
• Failed logins behavior
Suspicious Activity: how does it work?
• Is the ‘finance server’ accessed by many users in the organization?
• Has this user accessed this server before?
• Does this user have a usual pattern of logons to servers?
• Do the peers of this user log in to this server?
Outcome: Suspicious / Normal
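The four questions on this slide, and the "alerts + abnormal activities + user impact" combination from the User Investigation Priority slide, as an added worked example. This is illustrative code written for this page, not Microsoft's implementation: the logon history, the peer groups, the thresholds and the weights are all constructed assumptions, and the real product's scoring is not published here.

```python
from collections import defaultdict

# Constructed logon history, not real telemetry: (user, peer group, server).
HISTORY = [
    ("alice", "finance", "finance-srv"),
    ("bob", "finance", "finance-srv"),
    ("carol", "finance", "finance-srv"),
    ("alice", "finance", "finance-srv"),
    ("dave", "engineering", "build-srv"),
    ("erin", "engineering", "build-srv"),
    ("dave", "engineering", "build-srv"),
    ("frank", "engineering", "build-srv"),
    ("frank", "engineering", "ci-srv"),
    ("frank", "engineering", "repo-srv"),
]

# Assumed thresholds and weights; the slide names the questions, not the numbers.
POPULAR_FRACTION = 0.5   # a server is "widely used" if >= 50% of all users logged on to it
PEER_FRACTION = 0.5      # peers "use" a server if >= 50% of the peer group logged on to it
MANY_SERVERS = 3         # a user with >= 3 distinct servers has a "usual pattern" of logons
SUSPICIOUS_AT = 3        # number of "no" answers at which the logon is called Suspicious


class LogonBaseline:
    """Learns who normally logs on where, for the user, the peers and the whole org."""

    def __init__(self, history):
        self.users_on_server = defaultdict(set)
        self.servers_of_user = defaultdict(set)
        self.members_of_group = defaultdict(set)
        for user, group, server in history:
            self.users_on_server[server].add(user)
            self.servers_of_user[user].add(server)
            self.members_of_group[group].add(user)
        self.all_users = set()
        for members in self.members_of_group.values():
            self.all_users |= members

    def evaluate(self, user, group, server):
        """Answer the slide's four questions; each 'no' adds one point to the score."""
        reasons = []
        # Q1: is the server accessed by many users in the organization?
        org_fraction = len(self.users_on_server[server]) / max(len(self.all_users), 1)
        if org_fraction < POPULAR_FRACTION:
            reasons.append("server is not widely used in the organization")
        # Q2: has this user accessed this server before?
        if server not in self.servers_of_user[user]:
            reasons.append("user has not accessed this server before")
        # Q3: does this user have a usual pattern of logons to servers?
        if len(self.servers_of_user[user]) < MANY_SERVERS:
            reasons.append("user has no broad pattern of server logons")
        # Q4: do the peers of this user log in to this server?
        peers = self.members_of_group[group] - {user}
        peer_fraction = len(peers & self.users_on_server[server]) / max(len(peers), 1)
        if peer_fraction < PEER_FRACTION:
            reasons.append("peers do not log on to this server")
        score = len(reasons)
        verdict = "Suspicious" if score >= SUSPICIOUS_AT else "Normal"
        return verdict, score, reasons


def investigation_priority(alert_count, abnormal_scores, user_impact):
    """Combine security alerts, abnormal-activity scores and user impact into one
    number for ranking users. The weights are an assumption; the slide only names
    the three inputs."""
    return 10 * alert_count + 3 * sum(abnormal_scores) + user_impact


if __name__ == "__main__":
    baseline = LogonBaseline(HISTORY)
    for who, grp, srv in [("alice", "finance", "finance-srv"),
                          ("dave", "engineering", "finance-srv"),
                          ("frank", "engineering", "finance-srv")]:
        verdict, score, why = baseline.evaluate(who, grp, srv)
        print(f"{who} -> {srv}: {verdict} (score {score}) {why}")
```

Running the block shows alice's logon to the finance server as Normal (she and her peers use it), dave's as Suspicious (new server for him and for his peers, and he has no broad logon pattern), and frank's as Normal with a score of 2, because his established habit of logging on to many servers answers the third question in his favour; that is the peer-and-history reasoning the slide describes, reduced to a checkable rule set.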