Apr 20 2017
- last edited on
Feb 19 2021
Over the past 30 days we have been trying out Microsofts Cloud App Security service they recently aquired from Adallom. We had a breach incedent recently where rogue actors were able to gain access to one of our executives Office 365 Accounts. They used this account to send a Phishing message to one of our corporate controllers whom noticed weird dialouge this person would never use in the body of the message to alert IT Security to the breach. We quickly remediated by changing the password and temporarily removing access to the tenant for the user. During our research for the post incedent report we found multiple discrepancies between the information being shown in the CAS portal VS. the information shown from Azure AD. For example, the CAS shows the rogue actors accessing the tenant through an Azure DataCenter in the Netherlands. Azure AD shows the same actions coming from a different IP in Lagos Lagos NG. CAS failed to capture several logons prior to the 1st failed logon attempt from the IPs. Azure AD shows extensive logging of each app accessed by the rogue actors. CAS failed to alert us to Unordinary usage coming from this account even though we had set up the General Anomoly Protection policy to alert us of any anomolous logins. Over all we are pretty unsatisfied with the product. We do have an open support ticket with MS to look at the descrepancies and explain them, but so far I dont have much confidence anything will be resolved based on the interactions I am having with the front line agents. Pretty dissapointing in my opinion. Is anyone else running this service that could report anything positive around their experiences?
Jul 21 2017 07:00 AM
We got this response on the 6th of this month. "Engineering investigated the log entries provided in the April timeframe. There was a performance issue that was since remediated that may have contributed to this inconsistency in the logging. This has since been corrected and you should see consistent behavior since June 15th and going forward. If you do not see consistent logging, can you provide me with data to show this."
We did not continue with the service after the trial.