What is Microsoft Defender for Cloud Apps?
Microsoft Defender for Cloud Apps is a cloud access security broker (CASB) that helps customers in four key areas:
- Visibility: Detect all cloud services; assign each a risk ranking; identify all users and third-party apps able to log in.
- Data security: Identify and control sensitive information (DLP); respond to sensitivity labels on content.
- Threat protection: Offer adaptive access control (AAC); provide user and entity behavior analysis (UEBA); mitigate malware.
- Compliance: Supply reports and dashboards to demonstrate cloud governance; assist efforts to conform to data residency and regulatory compliance requirements.
Customers accomplish these use cases with three different technologies:
- Reverse proxy configuration: Customers can set up Defender for Cloud Apps as a reverse proxy, so that it sits between users and the cloud apps they sign in to. By proxying users' sessions, security teams can enforce conditional access app control, dictating who can access which apps, from where, and what they can do inside the session (for example, blocking downloads). This configuration takes careful tuning, and a reverse proxy can add latency or break functionality in some apps, but it is a powerful security control.
- Monitoring third-party proxy and firewall logs: Defender for Cloud Apps integrates with many popular proxies and firewalls. Once a log integration is set up, Microsoft discovers cloud app usage from that network data, helping uncover shadow IT and giving customers visibility into where users are browsing and how risky those services are, based on criteria and intelligence Microsoft maintains for each app.
- Direct integrations into SaaS applications: Microsoft publishes API-based app connectors for dozens of applications. These let Defender for Cloud Apps see what is happening to data inside those SaaS apps and monitor user and admin activity.
Once configured, Defender for Cloud Apps produces a volume of alerts that can easily overwhelm customers. That's where Red Canary comes in. In the following example, we looked at a low-severity Defender for Cloud Apps alert. On review, we saw that there were over 100 failed logon attempts to Teams in a single session:
Microsoft considered this alert to be low severity. However, after review by Red Canary, we wanted the customer to take another look, so we put it back in front of them as "Highly suspicious" based on the logon activity shown here.
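The re-triage described above, as an added example that is not Red Canary's or Microsoft's code: logon events are grouped by user, app and session, failed attempts are counted, and any session that crosses a threshold is re-rated regardless of the vendor's severity. The event records are constructed for this example and only resemble Defender for Cloud Apps activity records; the field names (`session_id`, `result`, and so on) and the threshold of 100 failures are assumptions. It goes slightly beyond the post by also calling out a successful logon that follows a burst of failures, since that is the case a responder most wants to know about.

```python
"""Re-triage a 'failed logon' alert by counting failures per session.

Added example for this post (not Red Canary's or Microsoft's code). The
events below are constructed and only resemble Defender for Cloud Apps
activity records; field names and the threshold are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed threshold (not from the post or from Microsoft): a session with at
# least this many failed logons is escalated regardless of vendor severity.
FAILED_LOGON_THRESHOLD = 100


def _event(ts, user, session_id, result, app="Microsoft Teams"):
    """Build one constructed logon record (assumed field names)."""
    return {"timestamp": ts, "user": user, "app": app,
            "session_id": session_id, "action": "Log on", "result": result}


def make_sample_events():
    """Constructed sample telemetry: one noisy session and one benign one."""
    base = datetime(2023, 3, 1, 9, 0, 0)
    events = []
    # Session A: 120 failed logons to Teams over ~20 minutes, then a success.
    for i in range(120):
        events.append(_event(base + timedelta(seconds=10 * i),
                             "jdoe@example.com", "sess-a1", "Failed"))
    events.append(_event(base + timedelta(minutes=21),
                         "jdoe@example.com", "sess-a1", "Success"))
    # Session B: a single mistyped password followed by a success (benign).
    events.append(_event(base, "asmith@example.com", "sess-b7", "Failed"))
    events.append(_event(base + timedelta(seconds=30),
                         "asmith@example.com", "sess-b7", "Success"))
    return events


def summarize_sessions(events):
    """Group logon events by (user, app, session) and count outcomes."""
    sessions = defaultdict(lambda: {"failed": 0, "success_after_failures": False,
                                    "first": None, "last": None})
    for ev in sorted(events, key=lambda e: e["timestamp"]):
        if ev["action"] != "Log on":
            continue
        s = sessions[(ev["user"], ev["app"], ev["session_id"])]
        if ev["result"] == "Failed":
            s["failed"] += 1
            s["first"] = s["first"] or ev["timestamp"]
            s["last"] = ev["timestamp"]
        elif ev["result"] == "Success" and s["failed"] > 0:
            # A success after prior failures in the same session is the case
            # an analyst most wants surfaced: the attempts may have worked.
            s["success_after_failures"] = True
    return sessions


def triage(events, vendor_severity="Low", threshold=FAILED_LOGON_THRESHOLD):
    """Return (user, app, session_id, failed, span_minutes, verdict) tuples.

    Sessions at or above the threshold are re-rated 'Highly suspicious'
    regardless of vendor_severity; everything else keeps the vendor rating.
    """
    findings = []
    for (user, app, sid), s in summarize_sessions(events).items():
        if s["failed"] == 0:
            continue
        span = (s["last"] - s["first"]).total_seconds() / 60
        if s["failed"] >= threshold:
            verdict = "Highly suspicious"
            if s["success_after_failures"]:
                verdict += " (success after burst)"
        else:
            verdict = vendor_severity
        findings.append((user, app, sid, s["failed"], round(span, 1), verdict))
    return findings


if __name__ == "__main__":
    for finding in triage(make_sample_events()):
        print(finding)
```

Running the block prints one line per session with failures; session A comes out as "Highly suspicious (success after burst)" with 120 failures in about 20 minutes, while session B keeps the vendor's "Low" rating. Against real data, the grouping key and threshold should be tuned to the tenant, and the time span matters as much as the count: 100 failures in 20 minutes is a different story from 100 failures spread over a month.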
Integrate Microsoft Defender for Cloud Apps with Red Canary
To configure Microsoft Defender for Cloud Apps (formerly known as Microsoft Cloud App Security, or MCAS), you need to integrate Microsoft Graph v2 with Red Canary. Click here for instructions to set up Microsoft Graph v2.