Threat Response Strategy
Cloud Access Security Broker
Cloud App Security
This course will explore best practices and fundamentals using Microsoft 365’s Secure Score as a primary barometer to measure protection and readiness as well as timely and effective responses to threat incidents. After completing lessons and watching video demos, students should be equipped with the knowledge and skills to protect themselves and their organizations.
- Evaluate and manage Microsoft Office 365 tenant security using Secure Score
- Manage incident investigation
- Review and manage Microsoft 365 security alerts
- General cybersecurity enthusiasts who want to stay current with best practices
- People studying for the Microsoft MS-101 exam
- Cyber security professionals/administrators responsible for the safety of an organization
- Basic understanding of Office/Microsoft 365
- Basic understanding of computer networking
- General knowledge of different threat types
In this video, we'll be doing a demo of Microsoft Cloud App security. You can reach the main dashboard by coming to portal.cloudappsecurity.com as I have highlighted over here. The first thing you're going to want to do is hit 'Discover'. Now, as you can see here, currently, we don't have any Cloud Discovery reports created. And this is a completely clean, brand new environment, which again is not very useful for a demo. So, as we've done previously with the attack simulation training, I'll be using screenshots for the remainder of the demo.
Now, here we can see what cloud discovery looks like when it's up and running and has already detected some apps. In this case, we have 302 of them. You can see they're sorted by app categories and they have associated risk levels with them. On the bottom right, you can also see users associated with these apps. Obviously, in this case for security purposes, their email addresses have been redacted. And down here on the lower left, you can see the list of the discovered apps.
Okay, and now, let's zoom back out and head on over to the Discovered Apps tab. By default, we have a list of apps and they're typically sorted by risk score. A score of 10 showing green is typically a sanctioned app with very, very low risk. So, it receives a score of 10 out of 10. Now, if we filter for riskier apps, we can lower the risk score and we see some apps that are slightly riskier. In the Apps field, we can also search for individual apps directly. So, in this case, we can search for a popular cloud storage provider called MEGA. And we see that this app received a score of five. We also see that it's associated with 16 different users and 13 different IP addresses. And we do have some details on the bottom, some general information about the company and the app. And if we scroll down a little bit, we see some information about their security posture and, perhaps most importantly, their compliance.
So, seeing this data right here gives us a clue as to why it received a score of just five. And if, for example, your organization has to follow HIPAA guidelines, this area right here can help you make an informed decision about whether this app is appropriate for your company. Now, scrolling back up, we see that the number of users is also a clickable link. Clicking this link shows us the 16 users associated with this app. From here, you can also hit the 'IP addresses' tab to see the IP addresses associated with MEGA.
Now, from here, let's do a deeper dive into this particular IP address, ending in 92. And here we can see that there are actually three apps associated with this IP. We can see what they are by hitting 'Discovered apps.' And, of course, we see there's Box, Facebook, and MEGA. Box received a risk score of nine and it's green, indicating that it's rather safe. Whereas MEGA, despite being a cloud storage provider just like Box, receives only a score of five. And if we head on over to the User History tab, we can see the dates on which our users engaged MEGA.
Now, let's say that, based on all of that information, we feel comfortable blocking this app in our organization. We can click the three dots on the upper right-hand side and click 'Generate Block Script' to automatically set a policy to block this app. Clicking Generate Block Script creates this pop-up where we can select a firewall policy from a pull-down menu. This will generate a block script for 43 unsanctioned apps across all reports. There are quite a few templates here, so the block script best suited for your environment may vary.
Once that's completed, we can test it from the user's end. If we actually attempt to navigate to MEGA, we should be met with this web page saying that "This website is blocked by your organization. Contact your administrator for more information." This is generated by Windows Defender, and this is a successful block. Now, what if we want to block other apps like MEGA that are similar in risk factor? Well, we can automate that by creating a policy. So, here I am back at Cloud App Security under 'Policies,' and I can click 'Create policy' and select 'App Discovery Policy.'
On the next screen, the first thing to do is to select a template and there are many to choose from. In this case, we will be selecting 'New Risky App' similar to MEGA. Make sure you give it a policy name and an appropriate description and then we can set the criteria for the risk. If you recall, we use the Compliance risk factor, specifically HIPAA, to determine whether this app was appropriate or not. So, here we have set the compliance risk factor to HIPAA being false, and the risk score equaling five. And in the next section, you can set a threshold. By default, number of users is set to greater than 50 and, if you recall, we had 16 users match our query before.
So, if we left this as is, the policy wouldn't have caught MEGA. So, here you can see that we've removed that criteria and we only care about the traffic. We check this box off to create an alert for each matching event, so that we're notified when there's a matching app detected. And lastly, our governance action, we're automatically tagging this app as unsanctioned and automatically blocking it from our organization. Then hit 'Create' to finalize the policy. That about does it for Cloud App Security. We've gone over how to detect unsanctioned apps, block them manually, and also create a policy to automatically block similar apps in the future. Hope you found this helpful. Thanks for watching.
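The demo shows two steps in the portal: generating a block script for an app tagged as unsanctioned, and creating an App Discovery Policy whose criteria (HIPAA compliance false, risk score of five, the default user-count threshold removed, a traffic threshold kept) match MEGA-like apps and tag them automatically. The following is an added example, not code from Cloud Academy or from Microsoft's product, that models that policy logic in Python over constructed sample data. The app names, scores, user counts, traffic figures and `.example` domains are all made up for illustration, and the two block-script "templates" (`denylist` and `hosts`) are assumed generic formats, not the firewall templates offered in the portal.

```python
"""Added example: a model of the Cloud Discovery policy and block-script flow.

Not Microsoft Cloud App Security code. All sample apps below are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class DiscoveredApp:
    name: str
    category: str
    risk_score: int          # 1 (riskiest) .. 10 (safest), as on the Discovered Apps tab
    hipaa: bool              # compliance risk factor: does the vendor claim HIPAA support?
    users: int               # distinct users seen using the app
    ip_addresses: int        # distinct client IPs seen
    traffic_bytes: int       # total upload + download volume in the report
    domains: List[str]       # hostnames the block script will cover (constructed)
    tags: Set[str] = field(default_factory=set)


def build_sample_apps() -> List[DiscoveredApp]:
    """Constructed Cloud Discovery report; values are illustrative only."""
    return [
        DiscoveredApp("MEGA", "Cloud storage", 5, False, 16, 13, 2_400_000_000, ["mega.example"]),
        DiscoveredApp("Box", "Cloud storage", 9, True, 40, 25, 1_100_000_000, ["box.example"]),
        DiscoveredApp("Facebook", "Social network", 7, False, 120, 60, 800_000_000, ["facebook.example"]),
        DiscoveredApp("FileDrop", "Cloud storage", 5, False, 3, 2, 10_000, ["filedrop.example"]),
        DiscoveredApp("SharePoint Online", "Collaboration", 10, True, 300, 90, 9_000_000_000, ["sharepoint.example"]),
    ]


@dataclass
class AppDiscoveryPolicy:
    name: str
    risk_score: int                       # "risk score equals N"
    hipaa: bool                           # "compliance risk factor HIPAA is ..."
    min_users: Optional[int] = 50         # portal default threshold; None removes the criterion
    min_traffic_bytes: Optional[int] = None
    alert_per_event: bool = True          # "create an alert for each matching event"
    tag_unsanctioned: bool = True         # governance action

    def matches(self, app: DiscoveredApp) -> bool:
        if app.risk_score != self.risk_score or app.hipaa != self.hipaa:
            return False
        if self.min_users is not None and app.users <= self.min_users:
            return False
        if self.min_traffic_bytes is not None and app.traffic_bytes <= self.min_traffic_bytes:
            return False
        return True


def evaluate_policy(policy: AppDiscoveryPolicy,
                    apps: List[DiscoveredApp]) -> Tuple[List[str], List[DiscoveredApp]]:
    """Run the policy over a report; returns (alert lines, matched apps).

    Matched apps receive the 'unsanctioned' tag when the governance action is on.
    """
    alerts: List[str] = []
    matched: List[DiscoveredApp] = []
    for app in apps:
        if not policy.matches(app):
            continue
        matched.append(app)
        if policy.tag_unsanctioned:
            app.tags.add("unsanctioned")
        if policy.alert_per_event:
            alerts.append(f"[{policy.name}] {app.name}: risk {app.risk_score}, "
                          f"HIPAA={app.hipaa}, users={app.users}, traffic={app.traffic_bytes}")
    return alerts, matched


def generate_block_script(apps: List[DiscoveredApp], template: str = "denylist") -> List[str]:
    """Render block rules for every app tagged 'unsanctioned'.

    'denylist' emits one 'deny <host>' line per domain; 'hosts' emits a
    hosts-file style sinkhole line. Both formats are assumed, not the portal's.
    """
    renderers = {
        "denylist": lambda host: f"deny {host}",
        "hosts": lambda host: f"0.0.0.0 {host}",
    }
    if template not in renderers:
        raise ValueError(f"unknown block-script template: {template}")
    return [renderers[template](host)
            for app in apps if "unsanctioned" in app.tags
            for host in app.domains]


if __name__ == "__main__":
    report = build_sample_apps()
    # The portal default (more than 50 users) would not have caught MEGA's 16 users.
    default_policy = AppDiscoveryPolicy("Default threshold", risk_score=5, hipaa=False)
    print("default policy matches:", [a.name for a in evaluate_policy(default_policy, report)[1]])
    # Drop the user threshold and key on traffic instead, as in the demo.
    tuned = AppDiscoveryPolicy("New risky app similar to MEGA", risk_score=5, hipaa=False,
                               min_users=None, min_traffic_bytes=1_000_000)
    for line in evaluate_policy(tuned, report)[0]:
        print("ALERT", line)
    print("\n".join(generate_block_script(report)))
```

Running the block shows why the demo removed the user threshold: with the default of more than 50 users nothing matches, while the traffic-based policy flags only MEGA (the low-traffic `FileDrop` entry shares its score and compliance flag but stays below the traffic threshold), and the block script then covers exactly the apps the governance action tagged.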
Aaron has been in the IT industry for 10 years, servicing a variety of industries, from small retail businesses to multi-billion dollar hedge funds. Specializing in workflow optimization, he has helped users at all levels increase their productivity and efficiency, with tasks ranging from taking medical offices paperless to administering patch management, JIRA, Confluence, and other project management platforms.
Prior to starting his IT career, Aaron was a test prep teacher, helping high school students improve their standardized test scores for college admissions. He joins Cloud Academy to combine his two passions, technology and teaching.