SC-400 Microsoft Information Protection Administrator – Creating and Configuring Data Loss Prevention Policies Part 3

  1. Understanding Microsoft Cloud App Security (MCAS)

What exactly is Cloud App Security? Well, you might have heard of the term CASB before. That acronym stands for Cloud Access Security Broker. Well, basically, Microsoft Cloud App Security is Microsoft’s version of a CASB. Okay? So the goal here is to allow us to focus on our environment and the traffic that’s flowing within our environment. Whether it’s traffic within our internal environment flowing to different websites, traffic flowing to the cloud environment, or different web-based applications, it’s important for us to have a good feel for all the different things that are going on and also be able to control some of that. So Microsoft’s Cloud App Security is a capability that can allow us to have a measure of control over the flow of traffic and the things that are going on by using a few different means: first off, by importing logs; by utilizing something called API connectors, application programming interface connectors; and then also we can support what’s known as a reverse proxy.

Okay, so this is going to give us some control. This is going to allow us to gather some data analytics and figure out what’s happening in our environment in regards to different applications. Users are using different web apps, and we can also prevent what is called shadow IT. What exactly do I mean when I use that term, shadow IT? Well, shadow IT is when you’ve got users that are using apps that aren’t really approved in order to get things done in their environment. Again, this would be kind of like a situation where we don’t approve of, say, Dropbox. We make everybody use OneDrive, OneDrive for Business, but we’ve got users that want to use Dropbox. Okay, that’s sort of shadow IT. The problem you run into there a lot of times is when users are wanting to do things that they’re used to doing elsewhere; maybe you have an employee that you’ve hired and they were used to doing things a certain way at their previous company.

When they get to your company, they then start utilizing web applications that aren’t really approved for our company and could put a lot of what we’re trying to achieve in our company at risk. So Microsoft’s Cloud App Security framework supports over 16,000 software-as-a-service based apps that it can detect, and there are different risk categories that it supports as well for detecting that, to help you make sure everything is compliant. It also supports analyzing the sensitive information and classifications, things that we learn in Azure Information Protection, data loss prevention, information governance; all that stuff plays a part with Cloud App Security as well. Being able to detect that users are using this stuff and then apply policies to deal with those threats as they happen. Okay.

This is also going to help try to identify things like ransomware. If a system has been compromised, it helps us determine if some of our systems are at high risk and then what to do with those systems if they are rated at a high risk. Okay, another goal here is to try to assess the compliance of your cloud apps and try to determine how compliant things are.

Microsoft’s security team is actually rating the different apps that are out there, including things like Dropbox, which I used as my example, to determine if they are a risk to our environment. Okay, so another thing we have with Cloud App Security is the fact that it integrates visibility with your different clouds by doing the following. First off, you can do what’s called cloud discovery. This is going to help you map and try to identify your environment and the different cloud apps that are being used. It also helps us sanction as well as unsanction apps. So there might be things you want to approve, there might be things you don’t. You might approve Salesforce, for example, for your sales team, but then a third-party old sales app that some users downloaded and use, like the old ACT app or something like that, may not be approved. And we also support app connectors.

App connectors are going to allow us to connect to these other cloud-based apps to determine who’s using those apps, gain some visibility and governance over the apps that they’re using, and basically gain as many analytics as we can to determine who’s using these different apps and how much they’re using those apps. This also works in conjunction with Conditional Access. So Conditional Access gets into the concept of policies where people are allowed to run things or they’re not allowed to run things based on the rules that we’ve put in place. Okay, the other thing that this allows us to do with our policies is fine-tune things.

We can fine-tune different settings and things that are allowed, different rules and restrictions that are allowed on the applications that our users are using. For example, maybe we do allow Dropbox, right? But maybe we only allow files that are underneath a certain classification level to be shared in Dropbox. We don’t allow certain higher levels of classification to be utilized. Or maybe we just don’t allow Dropbox altogether. We can control that. Okay, if you look in this diagram here, this is a little diagram that shows the flow of information. You’ve got your users using tablets, laptops, desktops, even smartphones, and they’re able to access cloud-based apps. But with the help of Cloud App Security, we can have traffic flowing into our Cloud App Security environment, looking at the analytics that we’ve got. We can have our firewalls and our proxies sending information to Cloud App Security, and it keeps us in the loop and shows us the big picture of what people are doing within our environment as far as these different applications and what they’re doing.

This involves connectors and all that as well. So when they say API, application programming interface, we’re able to set connections up between these cloud apps and our environment so that we can gain knowledge directly from them. The other thing you can do that’s really cool is with the help of Windows Defender ATP, the Advanced Threat Protection that’s running on our Windows 10 machines. Those Windows 10 machines report information as well as allow us to implement policies to block what the users are doing. So this gives us policy control. The policy control is going to help us define what users can do inside the cloud, okay? We can detect any kind of risky behavior, violations they’re performing, maybe suspicious data that they’re sharing out there on the cloud based on the classification levels. And of course we can provide remediation for that.

We can put in rules that are going to block things and disallow things from happening and provide a way to mitigate some of the threats of users that are sharing information out there that they shouldn’t. Okay. Another thing this does is provide us with a way of looking at the types of policies that may correlate to the different pieces of information being downloaded from, as well as uploaded to, our environment and the cloud itself, and then provide us with a way to prevent future dealings with that type of technology from happening again. So it gives us a way to basically remediate and prevent things from happening again in the future.

So if we notice something out of the ordinary that maybe we allowed previously, we can add a rule in place now that stops it in the future. Okay? So Cloud App Security is a very powerful feature that Microsoft gives us as a good CASB, a cloud access security broker, for controlling the goings-on in our environment. The other thing too, in closing, I’d like to say is not only does it support our Azure services, but you can gain a lot and work with the AWS side of things as well. So with Amazon Web Services and all that, we can connect to all that and gain insights and analytics from that also. So it’s a really powerful tool that we can put to really good use in helping secure our environment.

  2. Configuring policies in Microsoft Cloud App Security (MCAS)

So to get into Cloud App Security, you’re going to go to portal.cloudappsecurity.com. That is the way you’re going to get into this. That’s going to bring you right into the Cloud App Security portal. You also are going to want to make sure that you have a Cloud App Security license. Now, you can do that through Azure. So if I go to portal.azure.com, to verify you’ve got a license, just click your menu bar and go to Azure Active Directory. This is one of the few ways you can actually do this. Once you get in Azure Active Directory, you’re going to check licenses.

So we’ll come down here and we’ll select Licenses. You can get Cloud App Security licensed by itself, or you can get it as part of your Enterprise Mobility + Security. So if I come over here, Enterprise Mobility + Security, I can click on that and then go over here to where it says Service plan details. And you’re going to notice that Cloud App Security is right here, available for us. And that’s part of our EMS subscription. So your EMS subscription gets it. Or you could get Cloud App Security by itself. Okay, so jumping back over to Cloud App Security, this is called the Cloud App Security dashboard. This gives you kind of a quick look at your alerts, any discovered apps you’ve got, if you’ve started performing any kind of investigations, if you’ve set up any cloud connectors, any of that can be looked at, if you’ve found any malware in your environment.

All of that just sort of gives you a quick glance at it, right here in your dashboard. You click the menu bar here; that’s how you can see your dashboard, which is where I’m at. Okay, now I’ve also got this Discovery drop-down. I can click that and I can click to create a snapshot report. A snapshot report is going to give you a bunch of analytic data based on the stuff you’ve got in your environment. Now, the first thing you have to think about when you do a snapshot like that is what are your data sources? So if I drop this down right here, here are all the data sources that I can support. I’ve got the Barracuda F-Series firewall, web app firewalls, Blue Coat, Check Point. So whatever firewall you’ve got in your environment, you can basically export those log files and upload them in here as your data sources, and you can pull all your analytics based on that. So as you can see, there’s a tremendous amount of options here.

Most of the firewalls that people are going to have in their environment are going to be located right here in this list. So these are a lot of your well-known data sources, but you can also do generic as well. So they’ve got generic firewall-based logs. Even W3C, which is just a basic web server log format, you can import in here if you want and gain analytic data. So you can upload all that here and pull all that information. Now in your tenant, you actually can view a sample of a report if you want. So you can click View sample report here and they give you a good look at what that’s going to be. So they tell you you get 128 apps here.

They’ve listed how many users you’ve got, IP addresses, the traffic flow that they’ve got, throughput; here’s all the different apps that they’ve found, and this is all built by Microsoft’s Graph API. They even show you the apps’ headquarters location down here. So this gives you a good look at what their snapshot report is going to look like based on the information that you pull in. Okay, so from there, another thing I can do is investigate. I can look at the activity log here and I can see any activity out of the ordinary that’s happened.
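As an added example that is not part of the course (and not Microsoft’s code either), here is a small Python pass over constructed W3C extended log lines, the generic web server format mentioned above as a data source. It builds the same kind of per-app view a snapshot report gives (users, client IPs, upload and download bytes) and then lists the app domains missing from an assumed sanctioned list, which is the shadow IT problem described in the first section. The field names, log lines and sanctioned list are all constructed; grouping hosts by their last two labels stands in for the app catalog lookup the real service does.

```python
"""Constructed example (not the course's or Microsoft's code): a minimal
cloud-discovery pass over W3C extended log lines, the kind of proxy or
firewall export that is uploaded as a snapshot-report data source.
It aggregates users, client IPs and bytes per app domain, then lists
the domains that are not on a sanctioned list, which is the shadow-IT
view. The log lines and the sanctioned list are invented for this example."""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed W3C extended log excerpt. The #Fields directive defines the
# column order and '-' marks an empty field, as in real W3C logs.
SAMPLE_LOG = """\
#Software: example-proxy
#Version: 1.0
#Fields: date time c-ip cs-username cs-method cs-uri sc-status sc-bytes cs-bytes
2021-05-04 09:12:01 10.0.0.15 alice GET https://contoso-my.sharepoint.com/personal/alice/q1.xlsx 200 524288 1200
2021-05-04 09:12:40 10.0.0.15 alice POST https://www.dropbox.com/upload 200 310 1048576
2021-05-04 09:13:05 10.0.0.22 bob GET https://login.salesforce.com/ 200 4096 800
2021-05-04 09:13:09 10.0.0.22 bob PUT https://www.dropbox.com/upload 200 310 2097152
2021-05-04 09:14:44 10.0.0.31 - GET https://api.dropbox.com/2/files/list_folder 200 2048 512
2021-05-04 09:15:02 10.0.0.31 carol GET https://WeTransfer.com/ 200 9000 700
"""

# Constructed sanctioned list (what the admin has approved).
SANCTIONED = {"sharepoint.com", "salesforce.com", "office.com"}


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields directive."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # other directives (#Software, #Version, ...) carry no data
        if fields is None:
            raise ValueError("data line before #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # skip a malformed row rather than mis-assign its columns
        yield dict(zip(fields, values))


def app_domain(url):
    """Group hosts by their last two labels (www.dropbox.com -> dropbox.com).
    Simplification: a real catalog maps hosts to apps; this ignores suffixes like co.uk."""
    host = urlsplit(url).hostname
    if not host:
        return None
    return ".".join(host.lower().split(".")[-2:])


def discover(text):
    """Aggregate per app domain: users, clients, bytes_up, bytes_down, sanctioned."""
    apps = defaultdict(lambda: {"users": set(), "clients": set(),
                                "bytes_up": 0, "bytes_down": 0})
    for rec in parse_w3c(text):
        domain = app_domain(rec["cs-uri"])
        if domain is None:
            continue
        entry = apps[domain]
        if rec["cs-username"] != "-":
            entry["users"].add(rec["cs-username"])
        entry["clients"].add(rec["c-ip"])
        entry["bytes_up"] += int(rec["cs-bytes"])    # client -> server (uploads)
        entry["bytes_down"] += int(rec["sc-bytes"])  # server -> client (downloads)
    for domain, entry in apps.items():
        entry["sanctioned"] = domain in SANCTIONED
    return dict(apps)


def shadow_it(text):
    """Unsanctioned app domains, largest upload volume first."""
    apps = discover(text)
    return sorted((d for d, e in apps.items() if not e["sanctioned"]),
                  key=lambda d: apps[d]["bytes_up"], reverse=True)


if __name__ == "__main__":
    for domain, e in discover(SAMPLE_LOG).items():
        tag = "sanctioned" if e["sanctioned"] else "UNSANCTIONED"
        print(f"{domain:20} users={len(e['users'])} clients={len(e['clients'])} "
              f"up={e['bytes_up']} down={e['bytes_down']} {tag}")
    print("shadow IT:", shadow_it(SAMPLE_LOG))
```

Sorting the unsanctioned domains by upload volume is deliberate: the apps that matter most in a shadow IT review are the ones data is leaving through, and the row with no username shows why the client IP is kept alongside the user, since proxy exports often lack authenticated identities.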

As you can see here, the activity that I’ve got in my environment is showing you information about the users who have logged on, and it shows you the IP addresses they’ve logged on from, it tells you the location they’ve logged on from, the devices, the date, and you can even filter this if you want. You can filter it by apps, you can filter it by the user, you can filter it by IP address, the activity type that they were performing, whatever type of activity the user was doing; in this case, most of this is just an app-based system or logging on. But there’s quite a few different activities you could sort by here, which is really nice.

You can also do location if you want, select the location, and then you can even set up different queries, so you can have it look for special queries like security risk, for example, and filter that way. So they have quite a few nice little filtering capabilities that you can go with there. And then I can investigate files that have been discovered in the environment that users have opened. You can filter all those also if you want. You can look at user accounts, users and accounts that have logged on and the dates and time last seen, whether it was an internal affiliation based on the IP address, or whether it was external, somebody hitting from the Internet. You can look at security configuration as well.

So this is involving Azure, and as I was also telling you, you can look at Amazon Web Services also; this will be connected using an API connector. And then they’ve got regulatory compliance. This is tied to all of our Azure Information Protection policies, data loss prevention policies, all of that stuff. It ties to all that as well and can help us determine if there are any compliance issues there. Okay, all right? And then we’ve got policies that we can set. So we’ve got investigations, where we can just kind of research what’s out there. But policies, this is where some of our real control comes in. I can go to Policies and I have a bunch of different pre-built policies that are already available to me.

As you can see, quite a few different policies here. Risky sign-in, data exfiltration, suspicious inbox forwarding, somebody forwarding something through email. Impossible travel, that gets into somebody logging on in different atypical locations. I’m logging on in New York right now and then somebody logs on over in Yugoslavia or something five minutes later. That’s a little impossible, right? So that’s where you get into that. Anonymous IP addresses, people trying to hide their IP address by using Tor. So there’s a lot of different policies here and they give a nice little description under each one. You can create a policy. So you can create policies based on, like, access, somebody trying to connect in; the activities that they’re actually trying to perform, whether it’s like opening an app or forwarding an email; app discovery, which is based on the applications that were discovered out there that users are using, okay, cloud discovery; anomaly detection, something out of the ordinary somebody’s using that they haven’t used before.

File policy: I can stop you from using certain types of files, file extensions. OAuth (open authorization) app policy: that means you’ve got cloud apps authenticating to each other on different sites. Session policies: looking at people connecting in and how long they’re logged on during a particular session and all that. Let’s create a file policy. Now, one thing of note about doing a file policy is you have to go over to Settings right here, click the Settings option, and make sure that you enable file monitoring. When you first come in here for the very first time, this is not turned on. I actually already have turned it on, but by default this is not turned on. You’ve got to make sure that’s turned on for this to be supported. Okay, so then we come back over to Policies. Let’s click to create a policy, we’ll do a file policy, and let’s block any type of file that’s a VBS. So I’m going to say “Block VBS files”. That’s a Visual Basic script. Severity is medium.

That’s going to rate it as a medium severity. And then we’ll set this; this will be an access control thing. Okay, so access control to a file. This is files matching all of the following: the match is going to be based on the extension equal to the VBS extension. And then we don’t need to actually set a date and time on this, so I’m just going to close out of that. Applies to all files, all owners. Content inspection: it’s not actually needing to analyze the data because it’s just going by file extension. But if you wanted, with content inspection you can enable it and actually have it go in there, and that combines this with the Azure Information Protection sensitivity labels, data loss prevention and all of that. So regular expressions, all that stuff. We can also have it create an alert as well. So it’ll actually create an alert; it will limit that to five. And if I wanted to send an email to somebody, I could send an alert message.

I can put in a phone number here and have it send me an alert. Pretty neat stuff you can do there. Down here, Microsoft just says, hey, we’d love to hear from you; you can give them a comment if you want. And then at that point I’m just going to click Create and it’s going to create my little policy. So I’ve now added that as a policy. Okay. And then finally over here we’ve got Alerts, so we can go through here and see if we’ve actually got some alerts, anything out of the ordinary that’s popped up. And as you can see, at the moment I haven’t.

So no news is good news, obviously, when you’re looking at this. But definitely, as you can see, Cloud App Security is a great way for us to see the goings-on that are happening and allows us to apply some policies that are going to lock things down and prevent web-based apps and all that from doing things that we might not want to allow. I can configure all that, not to mention the fact that I have the ability to do app connectors and connect to things like Amazon Web Services, other applications, other web-based applications, Dropbox, all that stuff.

So you have a lot of stuff here; you can even go to the app catalog. If you go to Discover, you can go to the Cloud app catalog. And this is where Microsoft has over 16,000, as you can see, at this time 16,651 apps that you can look at there. And what’s great about it is it kind of ranks these based on their security score. Of course you’ll notice Microsoft’s apps are ranked the highest. Kind of funny how that works out, but you can see all the different applications that are there that are ranked, and you can see if your company is thinking about utilizing a certain web app in their environment.

This is a great way for you to sort of go through and look and see if the app is going to meet your company’s security standards. But it’s definitely fun to go through here and take a look at some of the apps that are available. I definitely encourage you to do that and get a feel for what’s there. And again, the fact that we can connect to those apps using an app connector and provide analytics for that data, that’s really valuable for us. So there’s a lot you can do with Cloud App Security as far as just getting a feel for the things that are going on in your environment and locking everything down.

  3. Implementing Data Loss Prevention Policies in Test Mode

All right? So in data loss prevention, it’s important for us to not only understand how to create and configure policies for it, but also to be able to test things out. Now, just a forewarning: when you create data loss prevention policies in a trial tenant, it can take up to 24 hours before they take effect. So just be aware that you may not be able to test these out right away. Microsoft is, I think, trying to remedy that. They’re trying to get that time period down to less than an hour, even for trial tenants. But I don’t know if they’ve gotten there yet. It just depends. You can try this, but just be aware that it may not take effect immediately. If you’re trying this on a trial tenant, you may have to wait a while. All right? All right, so first let’s go take a look at our policy and we’re going to set it to test mode. All right? So we’re on portal.microsoft.com, we’re going to click the Show all ellipsis symbol, and we’re going to click Compliance.

That’s going to bring us into the compliance center, and then we’re going to go to the data loss prevention area, all right, and then Policies. And we have a policy that we’ve created called US Patriot Act, right? Okay. So what we’re going to do is we’re just going to click on that and edit the policy, okay, and we’re going to go right here where it says test or turn on the policy. So we’ll just go Next, Next, Next. And here it is. We’re just going to say test it out first. So we had turned it on, but we’re going to say test it out. All right. And then show policy tips while in test mode. This feature especially, you have to wait a while before it takes effect. The policy tips don’t show up very quickly; it can take up to 24 hours before they’ll show up. So just kind of a forewarning on that. Just be aware that if you test this out, you may not get the policy tips right out of the gate. All right? So I’m going to say test it out first. I’m going to click Next. I’m going to click Submit, all right? And this will take just a moment to update the policy. But once it’s updated, we can then go and test it out.

All right, we’re going to click Done and we’re going to go and open up a new tab in my web browser. I’m going to go to portal.office.com. We’re going to open up Outlook. So we’ll go over here to Outlook and we’ll fire off an email, okay? So just go to New Message and I’m just going to make up a fake email address. Then I’m going to put “social”.

The subject is going to be “sharing my Social Security number”. Okay? So I’m going to say, here is my Social Security number. I’m just going to make up a number. We’ll say 256-76-8765. All right, so there’s a fake Social Security number, all right? And I’m going to go ahead and hit Send. Immediately, look what happens. Notifications come in, right? And we’ll click on this notification. I didn’t get the policy tip, no policy tip pop-up, but it says delivery has failed. Your message couldn’t be delivered, it reported. It’s not a real email, but look right here. This is the one that matters: your email message conflicts with a policy in your organization. Message is sent to people outside your organization. Message contains the following sensitive information: U.S.

Social Security number. Okay? All right, so as you can see, I can click on the message, and I can see that message right there. So as an admin, I’m getting this message, and I’m able to see what this person sent. So this is a great way for you to do a quick test with this and try to submit it. You could also open up a Word document or spreadsheet.

Try to share that with somebody via Teams. Or if you want to, try posting it to a SharePoint site that’s public, or attach a file to an email and do it that way; you’re going to get the same kind of thing. But remember, you need to wait for all of this stuff to take effect. One of the things that people get into is they get in a hurry and they want to see this happen quickly. It could take up to 24 hours before this takes effect in a trial tenant, okay? In a live tenant, a normal tenant that you pay for, it can take about an hour to take effect, but a trial tenant can take longer, so be advised on that, all right? But all in all, pretty easy to test out DLP.
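To make the test-mode behaviour concrete, here is an added Python example (not the course’s or Microsoft’s code) that evaluates a message like the one sent above against a rule of the form “US Social Security number shared with people outside the organization” and shows how the three modes (test without notifications, test with policy tips, turned on) change the outcome: the match is always recorded, only the policy tip and the block differ. The SSN check is a simplified version of the SSA issuance rules and is an assumption, not Microsoft’s exact sensitive information type; the mode names follow the values of the Set-DlpCompliancePolicy -Mode parameter; the org domain contoso.example, the recipient and the policy object are constructed.

```python
"""Constructed example (not the course's or Microsoft's code): how a DLP
policy like the one tested above decides what to do with an outbound
message, and how the policy mode changes the outcome. The SSN check is a
simplified version of the SSA issuance rules (an assumption, not
Microsoft's exact sensitive information type); the message, the org
domain and the policy object are invented."""
import re
from dataclasses import dataclass

# Formatted US SSN (ddd-dd-dddd or ddd dd dddd), with boundaries so that
# digits inside a longer number do not match.
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ](\d{2})[- ](\d{4})(?!\d)")

# Mode names as used by the Set-DlpCompliancePolicy -Mode parameter.
MODES = ("TestWithoutNotifications", "TestWithNotifications", "Enable")


def find_us_ssn(text):
    """Return formatted SSN candidates that pass basic issuance rules
    (assumed simplification: area not 000/666/9xx, group not 00, serial not 0000)."""
    found = []
    for m in SSN_RE.finditer(text):
        area, group, serial = m.groups()
        if area in ("000", "666") or area.startswith("9"):
            continue
        if group == "00" or serial == "0000":
            continue
        found.append(m.group(0))
    return found


@dataclass
class Message:
    sender: str
    recipients: list
    subject: str
    body: str


@dataclass
class DlpPolicy:
    name: str
    org_domains: tuple   # recipients outside these domains count as external
    mode: str            # one of MODES
    tip: str = "Your email message conflicts with a policy in your organization."


def external_recipients(msg, policy):
    return [r for r in msg.recipients
            if r.rsplit("@", 1)[-1].lower() not in policy.org_domains]


def evaluate(msg, policy):
    """Apply the rule 'US SSN shared with people outside the organization'
    and map the policy mode to an action. Returns a decision dict."""
    if policy.mode not in MODES:
        raise ValueError(f"unknown mode {policy.mode!r}")
    ssns = find_us_ssn(msg.subject + "\n" + msg.body)
    external = external_recipients(msg, policy)
    decision = {"matched": bool(ssns) and bool(external), "ssn": ssns,
                "external": external, "action": "allow",
                "policy_tip": None, "audit": None}
    if not decision["matched"]:
        return decision
    # Every mode records the match; only the notification and the block differ.
    decision["audit"] = f"{policy.name}: US SSN sent to {', '.join(external)}"
    if policy.mode in ("TestWithNotifications", "Enable"):
        decision["policy_tip"] = policy.tip     # shown to the sender in the client
    if policy.mode == "Enable":
        decision["action"] = "block"            # test modes never block
    return decision


# Constructed test message, using the fake number from the walkthrough.
EXAMPLE_MESSAGE = Message(
    sender="admin@contoso.example",
    recipients=["someone@example.net"],
    subject="Sharing my Social Security number",
    body="Here is my Social Security number: 256-76-8765",
)
EXAMPLE_POLICY = DlpPolicy("US Patriot Act", ("contoso.example",), "TestWithNotifications")


if __name__ == "__main__":
    for mode in MODES:
        policy = DlpPolicy(EXAMPLE_POLICY.name, EXAMPLE_POLICY.org_domains, mode)
        d = evaluate(EXAMPLE_MESSAGE, policy)
        tip = "yes" if d["policy_tip"] else "no"
        print(f"{mode:25} action={d['action']:5} tip={tip:3} audit={d['audit']}")
```

The audit entry being written in every mode is the point of testing first: the DLP reports fill up with matches while nothing is blocked, so you can see false positives (an order number that happens to look like an SSN, for instance) before switching the policy to Enable.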
