Security, Compliance, and Identity Blog

Protect your Box environment and Data using Microsoft Cloud App Security

Yoann_David_Mallet
Jan 20, 2021

 

One of the most widely used non-Microsoft apps that Microsoft Cloud App Security can help protect is Box.

You may ask: "Why would I connect Box to MCAS? What benefits will I gain?"

Continuing our series on how to use MCAS to protect your non-Microsoft apps, we'll discuss leveraging MCAS to detect threats impacting your Box environment and to protect your data in the cloud.

 

Why connect Box?

In short: for the exact same reasons you would want to connect Office 365 and more, as described here:

 

Benefit: Compromised account or insider threat
Description: The built-in Threat Detection policies in Microsoft Cloud App Security apply to Box as soon as you have connected it. No additional configuration is necessary: simply connecting the app means you start seeing new alerts when applicable.
Policy or template: "Potential Ransomware Activity", or any of the built-in detections.

Benefit: Enforce Data Compliance
Description: By enabling content inspection, you can control the type of data stored in Box, just as you can in Office 365. You are then able to take actions, such as quarantining or removing a file, or simply notify users of their non-compliant files.
Policy or template: "File containing PII detected in the cloud (built-in DLP engine)", or simple generic file policies.

Benefit: Prevent data leakage
Description: Content inspection, in conjunction with restricting file sharing, helps prevent data from leaking to unwanted parties.
Policy or template: "File shared with unauthorized domain", "Stale externally shared files".

Benefit: Azure Information Protection integration
Description: Leverage the AIP integration with MCAS to add automatic AIP labeling to your files stored in Box.
Policy or template: No template available; use generic file policies.


How to connect Box?

First thing first, let's discuss how to connect Box to Cloud App Security.

 

The process is as straightforward as can be, and is fully described in our Official documentation.

If you would rather see it in action, check out the video below:

 

 

Configure MCAS for Box

Simply connecting Box already gains you value: not only do the default threat detection policies apply automatically, but any File Policy you have created to support another app, such as Office 365, also applies by default to Box (only governance actions require editing existing policies).

Therefore, you would be able to start enforcing compliance requirements right after the connection is established.

 

Of course, each app being unique, there are a number of Box specific configurations and policies that can be leveraged. Let's start here with best practices that apply to most customers.

 

Quick config – Quick value!

Enabling Box policy templates

With regard to Box specifically, we created the following templates to help you handle the specificities of the app, and we recommend that most customers enable them as soon as Box is connected to your MCAS environment.

 

Template: Identify Box shared links without a password
Description: Box can make it very easy to share files with internal or external parties. Sometimes even too easy, and we have seen a number of our customers accidentally leaking data. To help limit this risk, we created this File Policy template in MCAS that allows you to identify shared links that are not password protected. If this policy triggers too many results, it can be edited to add additional matching criteria, or content inspection.

Template: Detecting unauthorized Watermark Label changes
Description: Box allows watermarking documents to indicate a level of confidentiality to the reader. One may want to control when these are modified, and for that purpose we created this activity policy template. It can be tweaked to filter results per user, group, file type and more.

Template: Unauthorized account updating shared link expiration dates
Description: Box allows placing expiration dates on shared links. Thanks to this Activity policy template, MCAS can alert when an expiration date is extended or changed, helping avoid potential policy violations. As with the other templates, it can be tweaked to better fit your needs.


The video below illustrates how to use these templates in your environment:
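To make the first and third Box templates concrete, here is an added example (not code from the post or from Microsoft) that evaluates the same two conditions over constructed Box data: shared links that lack a password, narrowed to links anyone can open, and expiry-date changes that push a link's expiration later and were made by an account outside an authorized list. The record field names, the account names and the timestamps are assumptions made for this example, not the Box API schema or real audit output.

```python
from datetime import datetime

# Constructed sample Box shared-link records. The field names are an assumption
# for this example and are not the Box API's shared_link schema.
SHARED_LINKS = [
    {"file": "Q4-forecast.xlsx", "access": "open", "password_protected": False},
    {"file": "board-deck.pptx", "access": "company", "password_protected": False},
    {"file": "vendor-contract.docx", "access": "open", "password_protected": True},
    {"file": "notes.txt", "access": "collaborators", "password_protected": False},
]

# Constructed "shared link expiration changed" activity events (not real Box audit output).
EXPIRATION_EVENTS = [
    {"actor": "alice@contoso.example", "file": "Q4-forecast.xlsx",
     "old_expiry": "2021-02-01T00:00:00+00:00", "new_expiry": "2021-06-01T00:00:00+00:00"},
    {"actor": "secadmin@contoso.example", "file": "board-deck.pptx",
     "old_expiry": "2021-02-01T00:00:00+00:00", "new_expiry": "2021-03-01T00:00:00+00:00"},
    {"actor": "bob@contoso.example", "file": "board-deck.pptx",
     "old_expiry": "2021-03-01T00:00:00+00:00", "new_expiry": "2021-02-15T00:00:00+00:00"},
]


def links_without_password(links, public_only=True):
    """Return the files whose shared link has no password.

    With public_only=True only links anyone can open ("open" access) are
    reported; this is the kind of extra matching criterion the post suggests
    adding when the template fires too often.
    """
    flagged = []
    for link in links:
        if link["password_protected"]:
            continue
        if public_only and link["access"] != "open":
            continue
        flagged.append(link["file"])
    return flagged


def unauthorized_expiration_extensions(events, authorized_accounts):
    """Return (actor, file, days_added) for expiry changes that push the date
    later and were not made by an account on the authorized list.
    A change that shortens the expiry is not reported."""
    alerts = []
    for ev in events:
        if ev["actor"] in authorized_accounts:
            continue
        old = datetime.fromisoformat(ev["old_expiry"])
        new = datetime.fromisoformat(ev["new_expiry"])
        if new > old:
            alerts.append((ev["actor"], ev["file"], (new - old).days))
    return alerts


if __name__ == "__main__":
    print(links_without_password(SHARED_LINKS))
    print(unauthorized_expiration_extensions(EXPIRATION_EVENTS, {"secadmin@contoso.example"}))
```

Shortening an expiry is deliberately ignored: the risk the template targets is a link living longer than policy allows, so only extensions by non-authorized accounts are reported.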

 

Generic templates 

On top of these specific Box use cases, you can use all the generic features and policy templates offered in MCAS. Here are a few easy examples to deploy.

Template: Mass Download by a single user
Description: Alerts when a single user performs more than 50 downloads within 1 minute (these thresholds can be changed).

Template: Potential Ransomware Activity
Description: Alerts when a user uploads files to the cloud that might be infected with ransomware.

Template: Logon from a Risky IP address
Description: Alerts when a user logs on to your sanctioned services from a risky IP address. The 'Risky' IP category contains anonymous proxies and TOR exit points by default. You can add more IP addresses to this category through the 'IP address ranges' settings page.

Template: File Shared with Unauthorized domain
Description: This policy can help you detect file sharing with domains that may represent a certain risk, such as personal email domains (outlook.com, gmail.com) or competitors' organizations.
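The two generic templates that are easiest to reason about are the threshold ones, so here is an added example (not code from the post or from Microsoft) that runs both over a constructed Box activity log: a rolling one-minute window counting downloads per user with the template's default of "more than 50", and a check of each share's collaborator e-mail domain against a list of unauthorized domains. The event shape, user names and domains are assumptions for this example, not Box audit output.

```python
from collections import defaultdict, deque
from datetime import datetime


def _event(ts, user, action, **extra):
    return {"time": datetime.fromisoformat(ts), "user": user, "action": action, **extra}


# Constructed Box activity log (not real Box audit output): one user pulls 51
# files in under a minute, another user shares a file with a personal mailbox.
ACTIVITY = (
    [_event(f"2021-01-20T09:00:{s:02d}", "mallory@contoso.example", "download", file=f"doc{s}.pdf")
     for s in range(51)]
    + [_event("2021-01-20T09:05:00", "alice@contoso.example", "download", file="plan.docx"),
       _event("2021-01-20T09:06:00", "alice@contoso.example", "share",
              file="plan.docx", collaborator="friend@gmail.com"),
       _event("2021-01-20T09:07:00", "bob@contoso.example", "share",
              file="roadmap.pptx", collaborator="partner@fabrikam.example")]
)


def mass_download_alerts(events, threshold=50, window_seconds=60):
    """Users who performed more than `threshold` downloads inside any rolling
    window of `window_seconds`; the template's default is 50 in 1 minute."""
    recent = defaultdict(deque)  # per-user download timestamps still inside the window
    alerted = set()
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["action"] != "download":
            continue
        window = recent[ev["user"]]
        window.append(ev["time"])
        # Drop timestamps that have fallen out of the window; the current
        # event is always kept, so the deque is never empty here.
        while (ev["time"] - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) > threshold:
            alerted.add(ev["user"])
    return sorted(alerted)


def unauthorized_domain_shares(events, unauthorized_domains):
    """(user, file, domain) for each share whose collaborator is in a domain on
    the list, e.g. personal e-mail providers or competitors."""
    blocked = {d.lower() for d in unauthorized_domains}
    hits = []
    for ev in events:
        if ev["action"] != "share":
            continue
        domain = ev["collaborator"].rsplit("@", 1)[-1].lower()
        if domain in blocked:
            hits.append((ev["user"], ev["file"], domain))
    return hits


if __name__ == "__main__":
    print(mass_download_alerts(ACTIVITY))
    print(unauthorized_domain_shares(ACTIVITY, ["gmail.com", "outlook.com"]))
```

The window is evaluated per download rather than per fixed minute, so a burst that straddles a clock boundary is still caught; tightening `window_seconds` or raising `threshold` mirrors editing the template's thresholds in the portal.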

 

Configure your own policy

Of course, these pre-canned templates are only the tip of the iceberg of what can be done to protect your Box environment.

 

Two main types of policies apply to your Box deployment.

First, Activity Policies can be configured to detect virtually any activity that you deem suspicious for your environment. These are particularly useful if you are concerned about a specific threat in your environment.

 

One of the most common use cases we see for Box users is the ability to apply Data Loss Prevention (DLP) policies.

For that, one can use MCAS File Policies. They allow the admin to detect files with specific properties, sharing level, and even do content inspection to detect sensitive data.

 

One of the key benefits of these File Policies is that they can apply equally to all apps. For instance, if you are using Office 365 and Box, a single policy can be applied to detect your sensitive data shared in the cloud (should you prefer separate policies for each of your apps, that is also possible using the "App" filter). See the capture below for an example of a policy detecting Credit Card Numbers in DOC files stored in OneDrive, SharePoint or Box:

 

 

Governance Actions

The last part of the File policy creation page is dedicated to Governance actions. These allow you to define actions that will be executed automatically when a policy is triggered. These can be different for each app. For Box the list is quite extensive as displayed here:

 

 

Let's discuss a few of these.

Box Governance action: Remove External User
Description: This removes permissions from all matching files for any user who is not part of the organization. Users are recognized as being part of the org based on their email address domain name.

Box Governance action: Remove Direct Shared link
Description: Completely unshare any file that matches the policy.

Box Governance action: Set an expiration date on a shared link
Description: Forces a shared link to expire at a specific date. This can be very valuable to limit cases where files are shared and then forgotten, even when no longer used.

Box Governance action: Admin Quarantine
Description: After defining a target folder, this action moves any file that matches the policy to that folder. There, the file can be reviewed, and the admin can decide whether it should be authorized or removed.

Box Governance action: Trash
Description: As clear as can be. This action can be useful when some data must never be found in cloud storage.

Box Governance action: Notify the last file editor
Description: Rather than the policy digest, which notifies the owner of the file, this action notifies the last editor. If a file is shared and multiple users can edit it, the last editor may be the one who added the non-compliant data.

Box Governance action: Apply Classification label
Description: This action automatically applies an AIP label to a file. It extends Box capabilities by adding automatic classification of supported documents. More info here.

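The File Policy in the capture above (credit card numbers in DOC files across OneDrive, SharePoint and Box) and the governance actions just listed fit together in one added example (not code from the post or from Microsoft). It runs a small content-inspection step, a digit-group regex followed by a Luhn check so that random 16-digit strings are not reported, over constructed file records from three apps, applies the "App" and file-type filters, and then picks governance actions per match: notify the last editor everywhere, and, for Box only, remove collaborators whose e-mail domain is outside the organization. The record layout, the org domain `contoso.example`, the action names and the sample card numbers (standard test numbers) are assumptions for this example, not MCAS or Box API output.

```python
import re

# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Hypothetical organization domain and policy scope for this example.
ORG_DOMAIN = "contoso.example"
DOC_EXTENSIONS = (".doc", ".docx")
ALL_APPS = {"Box", "SharePoint", "OneDrive"}

# Constructed file records as a connector might expose them (field names are
# an assumption for this example, not MCAS or Box API output). The card
# numbers are widely published test numbers, not real accounts.
FILES = [
    {"app": "Box", "name": "customers.doc",
     "collaborators": ["alice@contoso.example", "ext@partner.example"],
     "content": "Card on file: 4111 1111 1111 1111, exp 12/23"},
    {"app": "SharePoint", "name": "orders.docx",
     "collaborators": ["bob@contoso.example"],
     "content": "PO 1234 5678 9012 3456 is not a card number"},
    {"app": "Box", "name": "readme.txt",
     "collaborators": ["carol@contoso.example"],
     "content": "4111 1111 1111 1111"},
    {"app": "OneDrive", "name": "invoice.doc",
     "collaborators": ["dave@contoso.example", "x@gmail.com"],
     "content": "Pay with 5500 0000 0000 0004"},
]


def luhn_ok(digits):
    """Luhn checksum: doubles every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Digit groups that look like card numbers and pass the Luhn check."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def evaluate_file_policy(files, apps=ALL_APPS):
    """Apply the 'credit card numbers in DOC files' policy to `files` limited
    to `apps` (the App filter) and return (app, file, actions) per match."""
    matches = []
    for f in files:
        if f["app"] not in apps:
            continue
        if not f["name"].lower().endswith(DOC_EXTENSIONS):
            continue
        if not find_card_numbers(f["content"]):
            continue
        actions = ["notify_last_editor"]
        external = [c for c in f["collaborators"]
                    if c.rsplit("@", 1)[-1].lower() != ORG_DOMAIN]
        # Governance actions differ per app; "Remove External User" is the
        # Box action described above, so it is only chosen for Box files.
        if external and f["app"] == "Box":
            actions.append("remove_external_users:" + ",".join(external))
        matches.append((f["app"], f["name"], actions))
    return matches


if __name__ == "__main__":
    for match in evaluate_file_policy(FILES):
        print(match)
```

Passing `apps={"Box"}` reproduces the per-app variant the post mentions; the Luhn step is what keeps the purchase-order number in `orders.docx` from producing a false positive.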

Real time control

The policies and controls we have discussed above all rely on Box's APIs to query activities and data. While this allows monitoring of activities very specific to Box and of data already stored, it is an out-of-band connection (cloud to cloud; users are never aware of it), so MCAS receives data in near real time rather than in real time.

 

For use-cases where real time controls are required, we can leverage another component of MCAS: Conditional Access App Control.

This feature allows MCAS to act as a reverse proxy in the cloud, and allows for a real time control of several activities, for Box or any other Cloud App:

  • Control file downloads
  • Control file Uploads (including malware detection)
  • Control or prevent Cut/Copy/Paste/Print

 

Some of the most common scenarios used with Conditional Access App Control for Box are:

  • Block download of sensitive data to unmanaged devices
  • Prevent upload of malware.
  • Prevent copying or printing data from an unmanaged device.
  • Prevent file sharing: clicking on the share button would be blocked.
  • Read-only mode: prevent file editing or file creation/upload

 

 

More info on how to use Conditional Access App control is available here:

 

You can also learn about how to deploy Conditional Access App Control in the videos here:

 

Share your thoughts!

We hope this will help you get the best value out of MCAS and secure your environment.

Have you found a scenario that we haven't covered here? Please share with our community and let us know in the comments below.

 

(By Idan Basre and Yoann_David_Mallet)  

 

Updated Nov 02, 2021
Version 5.0
  • Jroth (Copper Contributor)

    I can't seem to find any documentation on how to make this play nice with Box Drive and Box Tools. Works great for the browser, but totally breaks the ability to sign into Box Drive.  It appears the agent string for the Box Drive appears as follows  "Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko BoxDrive/2.24.198"  which is interpreted by the conditional access policy as "browser", so there's no way for me to say bypass it for Box Drive based on client type.  Any ideas?

    • smartin1000 (Copper Contributor)

      Following up on Jroth's post....Can Microsoft confirm that the MCAS for Box conditional access policy allows logins for Box Drive? 

      • Yoann_David_Mallet (Microsoft)

        Currently, Defender for Cloud Apps does not support apps and thick clients. In that case, you filter out the boxdrive client by having a filter saying "user agent string" "Does not Contain" "BoxDrive". Let me know if that helps!