
Security, Compliance, and Identity Blog

Microsoft Cloud App Security and Windows Defender ATP - better together

kimkischel (Microsoft)
Sep 27, 2018

Based on our findings, enterprises today have an average of 1,100 cloud applications in their organization, with IT unaware of 61% of the cloud services that users access.


Discovery in Microsoft Cloud App Security (MCAS), Microsoft's Cloud Access Security Broker (CASB) solution, draws on a cloud app catalog of more than 16,000 applications to identify the cloud apps in use in your organization, provide risk assessments and ongoing analytics, and offer lifecycle management capabilities to control their use.


Microsoft Cloud App Security now uniquely integrates with Windows Defender Advanced Threat Protection (ATP) to enhance the Discovery of Shadow IT in your organization and extend it beyond your corporate network. Our CASB can now leverage the traffic information collected by Windows Defender ATP, no matter which network users access cloud apps from. This seamless integration does not require any additional deployment and gives admins a more complete view of cloud app and service usage in their organization.


Integration Highlights

  • Discovery of cloud apps beyond the corporate network from any Windows 10 machine
  • Single-click enablement
  • Machine-based Discovery
  • Deep dive investigation in Windows Defender ATP


How it works

Windows Defender ATP is an integrated part of Windows 10 Enterprise E5. To leverage the existing sensors and send traffic information to Microsoft Cloud App Security, you need to enable this integration via a simple toggle in the Windows Defender Security Center. Windows Defender ATP will then continuously log resource usage from all Windows 10 machines that are onboarded to the service, and report it back to Microsoft Cloud App Security, with signals shared via the Microsoft Intelligent Security Graph.

To get started, admins can go to the Advanced settings page in the Windows Defender Security Center. All you need to do is activate a single button to enable the connection, and MCAS will start pulling the information immediately.


Image 1: Activate Microsoft Cloud App Security in the Windows Defender Security Center


Microsoft Cloud App Security will then leverage the traffic information from Windows Defender ATP’s log store to surface all relevant details in the Discovery Dashboard and provide relevant insights for discovered apps, users, IP addresses and a new, machine-centric view.

Admins now have visibility into the cloud apps that are being accessed, no matter which network the devices are logged into. Furthermore, admins will be able to see how many and which devices are accessing each one of the apps that are discovered.

Image 2: The data source is Windows 10 endpoints, and the new tab provides a machine-centric view of cloud app Discovery


Given the native integration of these products, admins can easily pivot between the two portals. In Image 3 the admin is investigating the usage details of a cloud storage app. To investigate an individual machine with particularly high traffic for this app in more detail, admins can leverage the Windows Defender ATP deep-link within MCAS to navigate directly to the machine investigation in Windows Defender ATP and continue there. 
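As an added illustration (not Microsoft's code and not part of the original post), the following Python sketch shows the kind of machine-centric roll-up the Discovery view described above produces: endpoint traffic events are grouped per discovered app, each app is looked up in a catalog for a risk score, and the device generating the most traffic for a given app is surfaced as the pivot point for an endpoint investigation. The event fields, the catalog entries, the risk scores and the sample events are all constructed assumptions; the real integration's log format and the Intelligent Security Graph transport are not modelled.

```python
"""Machine-centric cloud app discovery roll-up (added example, not Microsoft's code).

Everything below is a constructed approximation: the event schema, the app
catalog and the sample events are assumptions made for illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed catalog: destination host -> (app name, risk score 0-10).
APP_CATALOG = {
    "www.dropbox.com": ("Dropbox", 7),
    "github.com": ("GitHub", 6),
    "api.example-saas.net": ("ExampleSaaS", 3),
}


@dataclass(frozen=True)
class TrafficEvent:
    """One outbound connection summary as an endpoint sensor might report it (assumed schema)."""
    machine: str
    user: str
    host: str
    bytes_out: int


# Constructed sample events from several Windows 10 machines on arbitrary networks.
SAMPLE_EVENTS = [
    TrafficEvent("LAPTOP-01", "alice", "www.dropbox.com", 120_000),
    TrafficEvent("LAPTOP-01", "alice", "github.com", 30_000),
    TrafficEvent("LAPTOP-02", "bob", "www.dropbox.com", 950_000),
    TrafficEvent("DESKTOP-07", "carol", "api.example-saas.net", 5_000),
    TrafficEvent("LAPTOP-02", "bob", "unknown-host.invalid", 1_000),
]


def discover_apps(events):
    """Group events per discovered app: bytes per machine, distinct users, catalog risk.

    Hosts missing from the catalog are collected under 'Unknown' with no risk score,
    so uncatalogued traffic is still visible rather than silently dropped.
    """
    apps = defaultdict(lambda: {"risk": None, "machines": defaultdict(int), "users": set()})
    for ev in events:
        name, risk = APP_CATALOG.get(ev.host, ("Unknown", None))
        entry = apps[name]
        entry["risk"] = risk
        entry["machines"][ev.machine] += ev.bytes_out
        entry["users"].add(ev.user)
    return apps


def machine_view(apps, app_name):
    """Machine-centric view for one app: device/user counts and the top-traffic device.

    The top-traffic machine is the natural pivot for a deeper endpoint investigation.
    """
    entry = apps[app_name]
    top_machine, top_bytes = max(entry["machines"].items(), key=lambda kv: kv[1])
    return {
        "app": app_name,
        "risk": entry["risk"],
        "device_count": len(entry["machines"]),
        "user_count": len(entry["users"]),
        "top_machine": top_machine,
        "top_bytes": top_bytes,
    }


def risky_apps(apps, min_risk):
    """Names of discovered apps whose catalog risk is at least min_risk, riskiest first."""
    scored = [(name, e["risk"]) for name, e in apps.items() if e["risk"] is not None]
    return [name for name, risk in sorted(scored, key=lambda nr: (-nr[1], nr[0])) if risk >= min_risk]


if __name__ == "__main__":
    discovered = discover_apps(SAMPLE_EVENTS)
    for app in risky_apps(discovered, 6):
        print(machine_view(discovered, app))
```

Running the script prints one summary per app with a risk score of 6 or more; in the constructed data, Dropbox is seen from two devices and LAPTOP-02 accounts for almost all of its traffic, which is exactly the machine an admin would pivot into for a closer look.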


Image 3: Machine-centric deep dive into the usage for an individual cloud app and portal integration with WDATP


Enabling this seamless Cloud App Discovery experience in Microsoft Cloud App Security is the first step in creating a sophisticated lifecycle management approach to help ensure that your organization securely accesses cloud apps and services. Leverage the breadth of capabilities to identify which apps are being used in your organization, assess their potential risk and enable continuous monitoring to take immediate action when new cloud apps are discovered.

In the near future we will be adding more capabilities to this powerful and unique CASB integration that will allow admins to manage and block unsanctioned applications.


More info and feedback

Learn how to get started with Microsoft Cloud App Security with our detailed technical documentation. Don’t have Microsoft Cloud App Security? Start a free trial today!

New to Windows Defender Advanced Threat Protection? Learn more.

As always, we want to hear from you! If you have any suggestions, questions, or comments, please visit us on our Tech Community page.


Updated Nov 02, 2021
Version 8.0
  • kimkischel That's a nice addition to the Discovery capabilities. Good to give admins the ability to leverage the intelligence you have and share it for enhanced security.

  • Hello Kim, 

    First, this is an awesome feature. I have a question w.r.t. data processing. How long will it take on average until the data is visible in CAS? In Windows Defender ATP the data shows up pretty fast within the console; however, I assume that in CAS the data needs to be assessed etc. So let's assume a user accesses Dropbox or GitHub: after how many minutes/hours/days should the data become visible in the CAS App Discovery console? I have run a few tests myself, but I don't seem to find a pattern.

    Regards

    Alex

  • kimkischel With the integration to MCAS being via the Intelligent Security Graph, and with MCAS being fed that information with personally identifiable information (machine + person / user), how are you protecting the personal information when the Intelligent Security Graph information is used for purposes other than discovery in MCAS (e.g., the "6.5 trillion signals" number)? All of those signals, with personal information associated, would give a pretty complete picture of someone's behaviour if compromised.

  • dustintadam

    kimkischel: We enabled this, but so far we are only getting telemetry in CAS from Win 10 machines that have upgraded to 1809. Is this normal?

  • Alex Verboon It takes up to 2 hours for data to arrive into MCAS. For large tenants with large amounts of data it will take much less. You can also find those details in our technical documentation.


    Additionally, our Cloud Discovery dashboard shows aggregated data across overall apps, categories etc., the data in it is analyzed every 4-6 hours.

  • osalem1977

    @Kim Kischel

    Hi Kim, everything is adding up in the right direction with this integration. Can one expect more preventive controls on the endpoints from a DLP perspective?

    I.e. rule-based policy from MCAS to (monitor/block) exfiltration of data via web-based/storage cloud app, based on unified label or dynamically detected by MDATP? O365 DLP is taking good care of that within O365 apps, but through a web proxy with HTTPS with a malicious insider - any mitigation for this scenario?

    Fully aware that MSDATP is EDR at its core, just hoping that this integration with MCAS can be unleashed; I see a possibility.


    regards,

    //Osama