Pete explains the core features of Cloud App Security (CAS), the CASB solution from Microsoft.
- [Instructor] I want to start by explaining a bit about how Microsoft's CASB, Cloud App Security, works before I show you. It starts with discovery, where CAS uses traffic log data to discover cloud apps in your organization and to get detailed insights about both the traffic and the users behind it. It also allows us to evaluate the risk of discovered cloud apps based on more than 70 criteria and to take action by sanctioning, tagging, or blocking them.
With Cloud App Security we can also enable alerting on user or file behavior anomalies and control the data stored in our cloud apps, leveraging API connectors to those applications directly. Conditional Access App Control is a reverse-proxy infrastructure, integrated with Azure Active Directory conditional access, that allows us to configure real-time monitoring and control of the conditions under which users are attempting to access our data. The classic Cloud Discovery architecture basically processes the logs from your firewalls and your proxies to identify application usage on your corporate network.
But the obvious next question is, what about the roaming users? What about the users who work from home? In today's world, just discovering apps with traffic flowing through the firewall leaves some pretty big gaps, and most CASB solutions can get visibility down to the user and the IP address, but typically not at the machine or the device level itself. We all know that most users are working from multiple devices today, and with Cloud App Security and Windows Defender Advanced Threat Protection we can actually get detailed discovery data, including activity details, down to the Windows 10 machine level, and we can enable integration between Cloud App Security and Defender ATP by flipping a single switch; I'll show you how a little later.
Let's look at some of the core features of Microsoft Cloud App Security. So first there's the cloud app catalog, which details more than 16,000 cloud apps based on 70 criteria, and it's an agentless deployment model. We simply upload firewall logs through the console. We can use native integration with leading proxies to enforce access control, and we can also establish automated workflows, so security information and event management (SIEM) integration for centralized monitoring of our alerts and custom workflows from our SIEM system.
Now, through specialists that inspect more than 70 attributes of these applications, we're looking at compliance with industry standards, security features and posture, and terms of service, which gives a solid risk assessment that allows us to make sanctioning decisions from an informed perspective. Usage analytics will show us the number of apps, the traffic patterns, and the usage patterns in our environment, so we have a better idea of what we need to enforce, and the dashboards, right out of the gate, give us a visual summary of key usage statistics and custom queries that give us a good starting point for drilling down into those problem areas.
Cloud App Security can help us detect malicious activity across apps, including malware implanted in a cloud app, so threat delivery and persistence, as we call it: malicious OAuth applications, failed logins, suspicious inbox rules, for example. We can also look at indicators of compromised sessions, including activities from suspicious IPs or anonymous IPs, unfamiliar countries, or those impossible travel scenarios between sessions.
Or we can look at malicious use of an end-user account, oftentimes indicated by unusual file share activity, downloads, deletions, or file exfiltration activity, in other words files being copied out of your environment, and malicious use of a privileged user, for example unusual account impersonation or unusual administrative activities such as multiple virtual machines being deleted all at once, or the passwords of many user accounts being reset all at the same time.
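As an added illustration of the impossible-travel indicator just described (example code written for this page, not Cloud App Security's own detection logic), the following flags consecutive sign-ins by one user that would require travelling faster than an assumed 900 km/h threshold. The sign-in events, cities and threshold are all constructed for the example.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample sign-in events (not real CAS data): user, UTC time, location.
SAMPLE_SIGNINS = [
    {"user": "alice", "time": "2024-03-01T09:00:00", "city": "Seattle",  "lat": 47.61, "lon": -122.33},
    {"user": "alice", "time": "2024-03-01T10:30:00", "city": "London",   "lat": 51.51, "lon": -0.13},
    {"user": "bob",   "time": "2024-03-01T09:00:00", "city": "Seattle",  "lat": 47.61, "lon": -122.33},
    {"user": "bob",   "time": "2024-03-01T21:00:00", "city": "New York", "lat": 40.71, "lon": -74.01},
]

# Assumed threshold: roughly airliner speed; anything faster is physically implausible.
MAX_PLAUSIBLE_KMH = 900.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    earth_radius_km = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (user, from_city, to_city, required_kmh) for each pair of consecutive
    sign-ins by the same user that would need travel faster than max_kmh."""
    alerts = []
    last_seen = {}  # user -> most recent event processed
    # Sort by user then time so each user's sessions are walked in order.
    for event in sorted(events, key=lambda e: (e["user"], e["time"])):
        prev = last_seen.get(event["user"])
        if prev is not None:
            elapsed = datetime.fromisoformat(event["time"]) - datetime.fromisoformat(prev["time"])
            hours = elapsed.total_seconds() / 3600.0
            km = haversine_km(prev["lat"], prev["lon"], event["lat"], event["lon"])
            # Two locations at the same instant is treated as infinitely fast travel.
            speed = km / hours if hours > 0 else (float("inf") if km > 0 else 0.0)
            if speed > max_kmh:
                alerts.append((event["user"], prev["city"], event["city"], round(speed)))
        last_seen[event["user"]] = event
    return alerts


if __name__ == "__main__":
    for user, src, dst, kmh in impossible_travel(SAMPLE_SIGNINS):
        print(f"impossible travel: {user} {src} -> {dst} would need {kmh} km/h")
```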
Now, Cloud App Security has a rules engine that includes some smart policies out of the box, but it also allows us to create rules and alerts that are important to our organization based on our specific security and compliance requirements. But Cloud App Security also includes User and Entity Based Behavior Analytics, which is a mouthful, which leverages machine learning to detect anomalous user behavior and sophisticated cyber attacks using behavior-based, cloud-driven advanced attack detection.
This technology, which is based on Microsoft's Intelligent Security Graph, is adaptive, automatic, very smart, always learning, and massively scalable, and the best part, I think, is that no action is required by you. There are also several out-of-the-box user and entity behavioral analytics workflows that institute automatic threat detection, spotting anomalous behavior from, say, an employee with malicious intent, like copying corporate information ahead of a layoff, setting up funky inbox forwarding rules, compromised user accounts, unusual types or amounts of data being exfiltrated from your organization, or even ransomware, and in the case of rogue applications, a malicious application that your user thought was legitimate and maybe gave consent to some plug-ins. That consent info is actually invisible without a solution like Cloud App Security.
Now, through Cloud App Security integration with Microsoft Flow, you can actually create your own custom automated security workflow, whether you want to automatically open a help desk ticket in ServiceNow, or you want to do some automated data collection from the end user, or get an email approval from your SOC operator to automatically remediate an issue, or even apply additional security controls to a potentially compromised user or endpoint. What makes the Microsoft CASB solution different? Well, rather than just building another product like other CASB solutions on the market,
Microsoft has built a CASB solution that's natively integrated with other components in the Microsoft cyber security stack, integrating with Azure Active Directory and conditional access for identity and access management, for example, or with Azure Information Protection for securing corporate information, and native integration with the adaptive capabilities of the Intelligent Security Graph. I do want to talk just a moment about the licensing SKUs of Cloud App Security so you have a good baseline for the functionality that you may already own.
At the lowest tier, Azure AD Premium Plan 1, we get the discovery capabilities of Cloud App Security but without all of the integrations, the alerting, and the enforcement. With Office 365 Cloud App Security, we get a subset of Microsoft CAS capabilities that provide enhanced visibility and control for Office 365 apps. So Office 365 Cloud App Security includes threat detection based on user activity, discovery of shadow IT logs for apps that have similar functionality to Office 365 offerings, and control of app permissions specifically for Office 365, and Microsoft Cloud App Security is the full-stack solution that gives us comprehensive cross-SaaS capabilities for that full catalog of 16,000 apps.
Strong data controls, advanced threat protection: with the full service we get visibility into the whole of shadow IT in our environment by discovering cloud apps that are in use, on-prem through our firewall and proxy logs and anywhere based on that integration with Windows Defender Advanced Threat Protection, and you can control and protect data in the apps once you sanction them to the service. So as you can see, there's a lot of functionality rolled up into Microsoft Cloud App Security.