One-click integration of Microsoft Cloud App Security with Microsoft Defender ATP
At RSA, the world’s largest cybersecurity conference, we announced the general availability of Microsoft Defender ATP’s integration with Microsoft Cloud App Security, delivering a native integration that discovers the cloud apps used in your organization. This is the first step towards a seamless, zero-deployment, native cloud app security solution that works anytime, anywhere. Read below to learn why we built it, how to enable it with a single click, what the new value and experience are, and how we are going to continue to enhance these capabilities in the future.
Even if you are already using Microsoft Cloud App Security to monitor Shadow IT, the new integration provides additional value to the Discovery data.
The short answer is “you get more for less”. There are four main advantages:
Agent-less cloud app discovery
Discovery beyond the corporate network
As a native OS component, we strive to continuously add value for customers via the
Supported operating systems
Windows 10 1903 or later; 1809 (KB 4482887); 1803 (KB 4489894); 1709 (KB 4489890)
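The version and KB list above is easy to check from the endpoint itself. The following PowerShell snippet is an added example, not code from the original post or from Microsoft; it maps the Windows 10 versions named above to their build numbers (a standard fact about Windows 10 builds, assumed here) and verifies that an older build has the cumulative update the post requires. The KB numbers are the ones listed above.

```powershell
# Added example (not from the original post): checks whether this Windows 10 endpoint
# meets the OS prerequisites listed above for the Defender ATP / Cloud App Security integration.
# Version-to-build mapping is assumed from public Windows 10 build numbers; KB numbers come from the post.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$build = [int]$os.BuildNumber

# Builds that need a specific cumulative update before the integration is supported.
$requiredKb = @{
    17763 = 'KB4482887'   # Windows 10 1809
    17134 = 'KB4489894'   # Windows 10 1803
    16299 = 'KB4489890'   # Windows 10 1709
}

if ($build -ge 18362) {
    # 1903 (build 18362) or later: supported without an additional update
    Write-Output "Build $build (1903 or later): supported."
}
elseif ($requiredKb.ContainsKey($build)) {
    $kb = $requiredKb[$build]
    # Get-HotFix reports installed updates with IDs of the form 'KBnnnnnnn'
    $installed = Get-HotFix | Where-Object { $_.HotFixID -eq $kb }
    if ($installed) {
        Write-Output "Build $build with $kb installed: supported."
    }
    else {
        Write-Output "Build $build requires $kb before the integration is supported."
    }
}
else {
    Write-Output "Build $build is not in the supported list; update the client."
}
```

Run it in an elevated or standard PowerShell session on the endpoint; it only reads OS and update inventory, so it is safe to include in an endpoint readiness check before enabling the integration.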
Enabling the new integration
If you have Microsoft Cloud App Security up and running in the same tenant as MDATP it’s down to a single click:
Go to the Advanced Settings in the Windows Defender Security Center and enable the Microsoft Cloud App Security integration
And you’re done. Microsoft Defender ATP will start sending the relevant log data to Microsoft Cloud App Security.
If you’re not using Microsoft Cloud App Security yet, start a trial to test this integration.
Image 1: 1-click enablement
Note! After enabling the integration, it takes some time for data collection to kick off and for data transit and processing to start. It will take a few minutes for the connected endpoints to start collecting and sending the desired telemetry, and then up to 4 hours to process the first batches and build the report.
Deep insights into your organization’s cloud app usage
Once you’ve enabled the integration, navigate to the Cloud Discovery dashboard from the navigation pane in the Microsoft Cloud App Security portal. Once you select the Win10 endpoint users report from the list of continuous reports, a new “Machines” tab is added to the dashboard.
Image 2: Cloud Discovery – Discovered apps view
Typical use cases
With the Discovery capabilities in Microsoft Cloud App Security you get new insights into the existing cloud use in your organization and tools to evaluate risks and start governing existing Shadow IT. Image 1 depicts the typical lifecycle of managing the discovered apps in your organization.
Image 3: Shadow IT management lifecycle
The new machine view
By integrating with Microsoft Defender ATP, an additional Machines tab is added to the dashboard. It presents all the information on a per-machine basis rather than a per-user basis, so you can analyze the findings per machine and get granular insights into the apps accessed from specific machines. In addition, all the data now also includes cloud apps that were accessed outside of the corporate network.
Image 4: Machine-based investigation in MCAS portal
Continue your investigation in Microsoft Defender ATP
If you find anything suspicious, such as a user having uploaded unusually high amounts of data to a risky app, you may want to continue your investigation in Microsoft Defender ATP and ensure that the machine is not compromised. A single click on the Microsoft Defender ATP link in the upper right takes you to the detailed machine page in MDATP. There, in the machine timeline, you can investigate the root cause down to the process level and, if needed, even to the ancestor processes, download origins, etc.
This native integration is another step towards creating a set of comprehensive, natively integrated security solutions across Microsoft 365. Building this endpoint-based CASB scenario to play together in a seamless experience is a strategic decision to simplify your security and compliance processes.
Based on your feedback during our public preview, we backported this capability set to Windows 10 1709 to make it more broadly applicable. Update your clients to get it. The updated clients will then also be able to feed telemetry to Microsoft Cloud App Security.
In addition, we will continue to enhance the existing integration with additional capabilities:
Seamless enforcement of Microsoft Cloud App Security policies, such as the blocking of unsanctioned cloud apps
Enforcement statistics of policies sent from Microsoft Cloud App Security to the Microsoft Defender ATP agent