Cloud Discovery, one of the Microsoft Cloud App Security (MCAS) features, helps organizations identify applications and user activities, traffic volume, and typical usage hours for each cloud application. In a nutshell, it helps detect "Shadow IT" applications and potentially risky applications.
This blog concentrates on the Microsoft Cloud App Security 'Cloud Discovery' feature and its integration with the Microsoft Defender for Endpoint (MDE) service. If you want to learn more about Microsoft Cloud App Security, I encourage you to start here: the Cloud App Security Overview document.
Cloud Discovery identifies cloud applications that the organization might not otherwise have visibility into, and provides risk assessments, ongoing analytics, and lifecycle management capabilities to control their use. Cloud Discovery analyzes traffic logs and runs them against the cloud app catalog to provide information on the discovered applications and the users accessing them.
Picture and description from the Cloud App Security playbook.
Cloud Discovery analyzes traffic logs against Microsoft Cloud App Security's cloud app catalog of over 16,000 cloud apps. The apps are ranked and scored based on more than 80 risk factors to provide insight and visibility into the applications used in the cloud, and into the risk Shadow IT poses to the organization. At the time of writing, the following options are available for ingesting network traffic data into MCAS:
Snapshot reports provide ad-hoc visibility based on traffic logs manually uploaded from firewalls and proxies.
The following options are available for continuous reports:
Based on my personal experience, Microsoft Defender for Endpoint (MDE) has been the chosen solution in most of the cases I have worked on. The main reason is its easy and smooth integration with Microsoft Cloud App Security.
The Cloud Discovery API offers a way to automate traffic log upload and receive an automated Cloud Discovery report and risk assessment. You can also use the API to generate block scripts and streamline app controls directly on your network appliance.
The following chapters concentrate on the benefits of the MCAS & MDE integration. The policy examples are based on traffic information collected by the MDE service.
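The automated log upload mentioned above, as an added example that is not code from the original post or from Microsoft. It walks the three-step Cloud Discovery API flow (initiate the upload, PUT the file to the returned storage URL, then notify MCAS that the upload is done). The endpoint paths, the `Token` authorization header, the `x-ms-blob-type` header and the JSON field names are taken from the Cloud Discovery API documentation as I recall it at the time of writing and should be treated as assumptions to verify against the current docs; the tenant URL, token placeholder, data-source name and log content are constructed. The HTTP transport is injected so the flow can be exercised offline with the fake transport at the bottom.

```python
"""Automate a Cloud Discovery traffic-log upload (added example, not Microsoft's code).
Endpoint paths and header names are assumed from the documented API flow; verify
them against the current Cloud Discovery API docs before use."""
import json
import urllib.error
import urllib.request
from urllib.parse import quote

TENANT_URL = "https://mytenant.portal.cloudappsecurity.com"  # assumed tenant portal URL
API_TOKEN = "<API token created under Settings > Security extensions > API tokens>"  # placeholder

# Constructed placeholder; a real run uploads an actual firewall/proxy export.
SAMPLE_LOG = b"constructed sample proxy log line 1\nconstructed sample proxy log line 2\n"


class UploadError(RuntimeError):
    pass


def upload_traffic_log(send, base_url, token, filename, data, source, stream_name,
                       as_snapshot=False):
    """Upload one log file. `send(method, url, headers, body)` returns (status, body bytes)."""
    auth = {"Authorization": f"Token {token}"}

    # Step 1: ask MCAS for a storage URL for this file and data-source type (assumed endpoint).
    status, body = send(
        "GET",
        f"{base_url}/api/v1/discovery/upload_file/?filename={quote(filename)}&source={quote(source)}",
        auth, None)
    if status != 200:
        raise UploadError(f"initiate failed: HTTP {status}")
    init = json.loads(body)
    upload_url, provider = init["url"], init["provider"]

    # Step 2: PUT the raw log to the storage URL. That URL is pre-authorized on its own,
    # so the MCAS API token must NOT be sent to the storage host.
    put_headers = {"Content-Type": "application/octet-stream"}
    if provider == "azure":
        put_headers["x-ms-blob-type"] = "BlockBlob"
    status, _ = send("PUT", upload_url, put_headers, data)
    if status not in (200, 201):
        raise UploadError(f"storage upload failed: HTTP {status}")

    # Step 3: tell MCAS the upload is complete so it is parsed into the named data source.
    payload = json.dumps({"uploadUrl": upload_url, "inputStreamName": stream_name,
                          "uploadAsSnapshot": as_snapshot}).encode()
    status, _ = send("POST", f"{base_url}/api/v1/discovery/done_upload/",
                     {**auth, "Content-Type": "application/json"}, payload)
    if status != 200:
        raise UploadError(f"done_upload failed: HTTP {status}")
    return upload_url


def http_send(method, url, headers, body):
    """Real transport on the standard library (no retries; add them for production use)."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=60) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()


class FakeTransport:
    """Offline stand-in that records every request and answers like the API would."""
    STORAGE_URL = "https://storage.example/container/blob?sig=constructed"

    def __init__(self):
        self.calls = []

    def __call__(self, method, url, headers, body):
        self.calls.append((method, url, dict(headers), body))
        if "/discovery/upload_file/" in url:
            return 200, json.dumps({"url": self.STORAGE_URL, "provider": "azure"}).encode()
        if url == self.STORAGE_URL:
            return 201, b""
        if url.endswith("/discovery/done_upload/"):
            return 200, b""
        return 404, b""


if __name__ == "__main__":
    fake = FakeTransport()  # swap in http_send and a real token to upload for real
    upload_traffic_log(fake, TENANT_URL, API_TOKEN, "proxy.log", SAMPLE_LOG,
                       "GENERIC_CEF", "proxy-eu")
    for method, url, headers, _ in fake.calls:
        print(method, url, "auth" if "Authorization" in headers else "no-auth")
```

The check worth keeping from this example is the one on the second step: the storage URL handed back by MCAS carries its own authorization, and the API token must only ever reach the MCAS tenant host.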
Cloud App Security uses the traffic information collected by Microsoft Defender for Endpoint (MDE) about the cloud apps and services being accessed from IT-managed Windows 10 machines. The native integration enables you to run Cloud Discovery on any machine in the corporate network, using public Wi-Fi, while roaming, and over remote access. It also enables machine-based investigation.
Traffic data is analyzed against the Cloud App Catalog to identify more than 16,000 cloud apps and to assess their risk score. Active users and IP addresses are also identified as part of the analysis.
The current traffic detection model:
Here, I will go through some typical Cloud Discovery scenarios requested by customers I have worked with. The selected scenarios for identifying apps from the Cloud Discovery data are:
In both scenarios, App Discovery policies are used. Detection is based on the collected data: MCAS creates an alert when the data matches an App Discovery policy.
The Cloud Discovery dashboard gives a good overview of the collected data, any alerts, and the apps discovered in the network. Inside the marked area, you can find the discovered apps and the alerts created.
When you select an application, you can see its detailed usage. The app page includes overall information (plus an alerts tab) on the application's usage, with the top rankings listed at the bottom of the page.
There are two kinds of Cloud Discovery policies in MCAS:
In the policy configuration, you have a variety of options to configure your Cloud Discovery policy. In my example, I'm using the app "category" and "risk score".
Detect potential data exfiltration by a user to a cloud storage app and mark the app as unsanctioned.
In this example Cloud Discovery policy is configured with the following settings:
During the tests, I used different apps from the cloud storage category: StoreBigFile, Lucky Cloud, and FileDropper. All of them have a risk score of 2 in the Cloud App Security cloud app catalog.
When traffic is received by MCAS, the data is analyzed. If the traffic matches a Cloud Discovery policy, an alert is created in the MCAS instance.
As you can see below, the dashboard contains information about traffic to the 'FileDropper' application. To perform a deeper analysis of the app usage, users, and devices, select the app for details. The best part is the integration between MCAS and MDE, which lets you see device information on the dashboards. The integration also offers a smooth transition to the MDE portal when a deep-dive investigation of network traffic is needed.
As configured, when the app (FileDropper) is found, it's marked as "unsanctioned" (red tag) by the governance action in the example policy.
With this policy, you can detect potential exposure of your organization to cloud apps that do not meet your security standards. The idea is to detect any app whose App Catalog risk score is below 3 and immediately mark it as "unsanctioned".
The policy is configured with the following settings:
I tested a number of webmail and online meeting applications with similar detection policies, but in the example pictures the 'Daum' webmail app is used. When data is received from the MDE service, MCAS parses it and creates an alert.
In the example case, a "High" severity alert was raised for the suspicious application used in my organization.
A governance action is configured in the policy. This means that when the policy detects the app, the app is immediately tagged as "Unsanctioned".
Because of the MCAS and MDE integration and the governance action on the application, the next time a user browses to the 'Daum' webmail app it will be blocked by MDE on Windows 10 devices. How cool is that? :)
Worth mentioning: in general, unsanctioning an app doesn't block use of the app; it makes the app's use easier to monitor with the Cloud Discovery filters. Blocking only works when the app is accessed from a Windows 10 device with MDE configured, and the MCAS & MDE integration has been set up.
An app marked as unsanctioned in MCAS should be found in MDE within a two (2) hour timeframe.
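Both policy scenarios above (exfiltration to a risky cloud storage app, and any app with a risk score below 3) come down to the same mechanism: aggregate the traffic MDE reports per app, match the app's catalog category and risk score (and, for the exfiltration case, the uploaded volume) against each policy's filters, raise an alert, and apply the governance action. The following is an added example that models that evaluation; it is not code from the original post or from Microsoft. The catalog scores for OneDrive for Business, Daum and Outlook, the 50 MiB upload threshold, and all users, devices and byte counts are constructed for illustration; the scores of 2 for StoreBigFile, Lucky Cloud and FileDropper are the ones reported in the post.

```python
"""Model of App Discovery policy evaluation over Cloud Discovery data (added example)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Constructed catalog excerpt: app -> (category, risk score on the 1-10 scale).
# The post reports StoreBigFile, Lucky Cloud and FileDropper at score 2; the other
# scores are assumed for illustration only.
CATALOG: Dict[str, Tuple[str, int]] = {
    "FileDropper": ("Cloud storage", 2),
    "Lucky Cloud": ("Cloud storage", 2),
    "StoreBigFile": ("Cloud storage", 2),
    "OneDrive for Business": ("Cloud storage", 10),  # assumed score
    "Daum": ("Webmail", 2),                          # assumed score
    "Outlook": ("Webmail", 10),                      # assumed score
}

MIB = 1024 * 1024


@dataclass
class TrafficRecord:
    """One traffic row as MDE reports it to MCAS (user, device, app, bytes uploaded)."""
    user: str
    device: str
    app: str
    uploaded_bytes: int


@dataclass
class DiscoveryPolicy:
    """Filters of an App Discovery policy plus its governance action."""
    name: str
    severity: str
    max_risk_score: int                        # alert when score <= this ("below 3" -> 2)
    categories: FrozenSet[str] = frozenset()   # empty = any category
    min_uploaded_bytes: int = 0                # exfiltration threshold; 0 = no threshold
    tag_unsanctioned: bool = True              # governance action


@dataclass
class Alert:
    policy: str
    severity: str
    app: str
    users: List[str]
    devices: List[str]
    uploaded_bytes: int


def evaluate(records, policies, catalog=CATALOG):
    """Aggregate traffic per app, match every policy, return (alerts, unsanctioned apps)."""
    per_app = {}
    for r in records:
        agg = per_app.setdefault(r.app, {"users": set(), "devices": set(), "bytes": 0})
        agg["users"].add(r.user)
        agg["devices"].add(r.device)
        agg["bytes"] += r.uploaded_bytes

    alerts, unsanctioned = [], set()
    for app, agg in per_app.items():
        if app not in catalog:
            continue  # no catalog entry means no score, so no score-based policy can match
        category, score = catalog[app]
        for p in policies:
            if score > p.max_risk_score:
                continue
            if p.categories and category not in p.categories:
                continue
            if agg["bytes"] < p.min_uploaded_bytes:
                continue
            alerts.append(Alert(p.name, p.severity, app, sorted(agg["users"]),
                                sorted(agg["devices"]), agg["bytes"]))
            if p.tag_unsanctioned:
                unsanctioned.add(app)  # governance action: tag the app as unsanctioned
    return alerts, sorted(unsanctioned)


# The two policies from the post; the 50 MiB upload threshold is assumed.
POLICIES = [
    DiscoveryPolicy("Exfiltration to risky cloud storage", "High", max_risk_score=2,
                    categories=frozenset({"Cloud storage"}), min_uploaded_bytes=50 * MIB),
    DiscoveryPolicy("Risky app (score below 3)", "High", max_risk_score=2),
]

# Constructed sample traffic.
SAMPLE_TRAFFIC = [
    TrafficRecord("alice@contoso.example", "LAPTOP-01", "FileDropper", 120 * MIB),
    TrafficRecord("bob@contoso.example", "LAPTOP-02", "FileDropper", 5 * MIB),
    TrafficRecord("alice@contoso.example", "LAPTOP-01", "OneDrive for Business", 900 * MIB),
    TrafficRecord("carol@contoso.example", "LAPTOP-03", "Daum", 1 * MIB),
    TrafficRecord("carol@contoso.example", "LAPTOP-03", "Outlook", 3 * MIB),
    TrafficRecord("dave@contoso.example", "LAPTOP-04", "UnknownApp", 50 * MIB),
]

if __name__ == "__main__":
    found, tagged = evaluate(SAMPLE_TRAFFIC, POLICIES)
    for a in found:
        print(f"[{a.severity}] {a.policy}: {a.app} users={a.users} devices={a.devices} "
              f"uploaded={a.uploaded_bytes // MIB} MiB")
    print("Tagged unsanctioned:", tagged)
```

Two things the sample data is chosen to show: a low-score cloud storage app trips both policies at once, so expect duplicate alerts for one app when policies overlap, and a large upload to a high-score app (the OneDrive for Business row) stays silent because the score filter, not the volume, is what the exfiltration policy keys on.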
Cloud App Security (MCAS) can also help block access to unsanctioned apps using existing on-prem security appliances. Basically, you manage the apps on the MCAS side by tagging them as sanctioned/unsanctioned, create a dedicated block script, and import it into the appliance. This solution doesn't require redirecting all of the organization's web traffic to a proxy. More information, and how to set up the solution, can be found in the Microsoft docs article: "Export a block script to govern discovered apps".
There are a lot of development activities ongoing in the MCAS and MDE services to deepen the integration and strengthen the security posture of the environment. I recommend following MCAS updates on both the M365 Roadmap and the What's new in Cloud App Security pages.
The Microsoft Zero Trust deployment guide for apps also contains a hint of what's coming next in terms of app management (more granular controls).
Sami Lamppu works for Nixu Corporation in Finland. He wrote the contents of this blog, and it was edited by the MCAS team. Nixu is a cybersecurity services company that helps organizations embrace digitalization securely. https://www.nixu.com