Configuring Microsoft Cloud App Security (MCAS) for SaaS Governance
07/01/2024
This technical and educational article aims to guide security analysts, IT administrators and systems engineers in configuring and using Microsoft Cloud App Security (MCAS), now part of Microsoft Defender for Cloud Apps (MDCA), for the governance of SaaS (Software as a Service) applications. MDCA is a comprehensive Cloud Access Security Broker (CASB) solution that provides visibility, data control, and threat protection for your cloud applications, helping to ensure security and compliance in an ever-expanding cloud environment [1].
Introduction
The mass adoption of SaaS applications has brought numerous productivity benefits, but it has also introduced new security challenges. Organizations often lose visibility and control over data that is stored and shared across cloud applications, creating what is known as "Shadow IT." Additionally, protecting against real-time threats and ensuring compliance for these applications is complex. Microsoft Defender for Cloud Apps addresses these challenges by enabling companies to discover and control the use of cloud apps, protect sensitive data, and detect anomalous behavior that could indicate threats [2].
This practical guide will cover setting up MDCA, from discovering Shadow IT and connecting applications to creating access, session, activity, and anomaly detection policies. Step-by-step instructions, configuration examples, and validation methods will be provided so that the reader can implement a robust SaaS governance strategy, protecting their data and users in cloud applications and strengthening their organization's security posture.
Why is Microsoft Cloud App Security crucial?
- Shadow IT Discovery: Identifies all cloud applications in use in your organization, assesses their risks and allows you to control them.
- Data Protection: Prevents the exfiltration of confidential data and ensures compliance with DLP (Data Loss Prevention) policies in cloud applications.
- Access and Session Controls: Allows you to enforce granular access controls and monitor real-time session activities for connected applications.
- Threat Detection: Uses behavioral analysis and machine learning to detect anomalous activities and cyber threats in cloud applications.
- Application Governance: Helps manage application permissions, user activities, and security settings for SaaS applications.
- Integration with Microsoft 365 Defender: Correlates MDCA signals with other Defender solutions for a unified view of incidents.
Prerequisites
To implement Microsoft Cloud App Security, you will need the following items:
- Licensing: A license that includes Microsoft Defender for Cloud Apps (e.g., Microsoft 365 E5, Microsoft 365 E5 Security, Enterprise Mobility + Security E5, or an MDCA standalone license) [3].
- Administrative Access: An account with the Global Administrator, Security Administrator or Cloud App Security Administrator role in the Microsoft 365 Defender portal (https://security.microsoft.com).
- Log Sources (for Shadow IT): Firewall and proxy logs for Shadow IT discovery. For deeper integration, API connectors for specific SaaS applications (e.g. Office 365, Salesforce, Box).
- Microsoft Defender for Endpoint (Optional, but recommended): For deeper Shadow IT discovery and application control on managed devices.
Step by Step: Configuring Microsoft Defender for Cloud Apps
Let's explore setting up MDCA for SaaS governance.
1. Accessing the Microsoft 365 Defender Portal
- Open your browser and navigate to https://security.microsoft.com.
- Log in with an account that has the necessary permissions.
- In the left navigation pane, select Cloud Apps.
2. Application Discovery (Shadow IT)
Application discovery is the first step to gaining visibility into SaaS usage in your organization.
- In the MDCA left navigation pane, select Discovery > Log Snapshots or Log Collectors.
- Log Snapshots: For a quick assessment, you can upload firewall or proxy traffic logs manually.
  - Click Create Log Snapshot and follow the instructions to upload a log file.
- Log Collectors: For continuous, automated discovery, configure a log collector in your environment.
  - Click Add Log Collector and follow the instructions to configure the collector (usually a virtual machine or container that forwards logs to MDCA).
- Defender for Endpoint Integration: If you have Defender for Endpoint, Shadow IT discovery is automatically enabled, providing cloud app usage data directly from endpoints.
- After data collection, go to Discovery > Discovered Applications to see the list of cloud applications, their risk levels, and usage statistics.
3. Connecting Applications (API Connectors)
For deeper governance and protection, connect SaaS applications directly via APIs.
- In the MDCA left navigation pane, select Settings > Application Connectors.
- Click + Connect an application.
- Select the application you want to connect (e.g. Office 365, Salesforce, Box).
- Follow the specific instructions for each application to grant the necessary permissions. This usually involves logging in as the application administrator and authorizing MDCA.
4. Creating Access and Session Policies
Access and session policies allow you to control user access and activities in real time.
- In the MDCA left navigation pane, select Control > Policies.
- Click Create Policy > Access Policy or Session Policy.
Example: Session Policy to Block Download of Sensitive Data
This policy can prevent users from downloading sensitive files from a SaaS application when accessing them from an unmanaged device.
- Policy Type: Session Policy.
- Name: Block Downloading Sensitive Data to Unmanaged Device.
- Severity: High.
- Category: Data loss prevention.
- Activity filters: Configure the conditions:
  - Applications: Select the target SaaS application (e.g. SharePoint Online).
  - Users: Select target users or groups.
  - Device: Select Device Brand = Not Supported or Not Hybrid Azure AD Joined.
  - Activity type: Download.
  - Content inspection: Configure to detect confidential data (e.g. Credit Card Number, CPF).
- Actions: Select Block (for downloads) and Monitor.
- Click Create.
5. Creating Activity Policies
Activity policies let you detect and control specific user actions in connected apps.
- In the MDCA left navigation pane, select Control > Policies.
- Click Create Policy > Activity Policy.
- Name: Mass Deletion of Files Alert on OneDrive.
- Severity: Medium.
- Category: Threat detection.
- Activity filters: Configure the conditions:
  - Applications: OneDrive for Business.
  - Activity type: Delete file.
  - Activity count: Greater than 10 (in a period of 5 minutes).
- Actions: Select Generate alert and Send email alert to administrators.
- Click Create.
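The activity policy above fires when more than 10 Delete file events from one user fall inside a 5-minute period. The following Python is an added example, not MDCA's own code or log schema: it re-creates that threshold logic as a per-user sliding window over a constructed OneDrive activity log, so you can see which event sequences would and would not raise the alert. The comma-separated line format, the field names and the contoso.example users are assumptions made for the example.

```python
from collections import deque
from datetime import datetime, timedelta

FMT = "%Y-%m-%dT%H:%M:%SZ"
THRESHOLD = 10                  # policy: Activity count greater than 10
WINDOW = timedelta(minutes=5)   # policy: in a period of 5 minutes
TARGET_APP = "OneDrive for Business"
TARGET_ACTIVITY = "Delete file"

def _events(user, activity, start, count, step_seconds):
    """Build constructed log lines 'timestamp,user,app,activity' (assumed format)."""
    base = datetime.strptime(start, FMT)
    return [f"{(base + timedelta(seconds=i * step_seconds)).strftime(FMT)},"
            f"{user},{TARGET_APP},{activity}" for i in range(count)]

# Constructed sample: three users, only alice should match the policy.
SAMPLE_LOG = (
    _events("alice@contoso.example", "Delete file", "2024-07-01T09:00:00Z", 12, 10)     # 12 deletes in 110 s
    + _events("bob@contoso.example", "Delete file", "2024-07-01T09:00:00Z", 11, 120)    # 11 deletes over 20 min
    + _events("carol@contoso.example", "Download file", "2024-07-01T09:00:00Z", 15, 5)  # wrong activity type
)

def parse_line(line):
    ts, user, app, activity = line.split(",", 3)
    return datetime.strptime(ts, FMT), user, app, activity

def mass_deletion_alerts(lines, threshold=THRESHOLD, window=WINDOW):
    """Return one Medium-severity alert per user the first time more than
    `threshold` Delete file events fall inside any `window`-long period."""
    recent = {}      # user -> deque of timestamps still inside the window
    alerted = set()
    alerts = []
    for line in sorted(lines):  # ISO-8601 timestamps sort chronologically
        ts, user, app, activity = parse_line(line)
        if app != TARGET_APP or activity != TARGET_ACTIVITY:
            continue              # application / activity type filters
        q = recent.setdefault(user, deque())
        q.append(ts)
        while ts - q[0] > window:  # drop events that aged out of the window
            q.popleft()
        if len(q) > threshold and user not in alerted:
            alerted.add(user)
            alerts.append({"user": user, "count": len(q), "severity": "Medium",
                           "first": q[0].isoformat(), "last": ts.isoformat()})
    return alerts

if __name__ == "__main__":
    for a in mass_deletion_alerts(SAMPLE_LOG):
        print(f"ALERT {a['severity']}: {a['user']} deleted {a['count']} files "
              f"between {a['first']} and {a['last']}")
```

Bob's 11 deletions never produce an alert because no 5-minute window holds more than three of them, which is the effect of the "in a period of 5 minutes" setting; lowering the threshold when tuning the policy changes that, as the second check below shows.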
6. Creating Anomaly Detection Policies
Anomaly detection policies use machine learning to identify unusual behavior that could indicate an attack.
- In the MDCA left navigation pane, select Control > Policies.
- Click Create Policy > Anomaly Detection Policy.
- MDCA offers several pre-defined anomaly policies (e.g. Unusual file download activity, Logon activity from a suspicious IP address, Logon activity from a rarely accessed country/region).
- You can enable and adjust the settings for these policies.
Validation and Testing
Validating MDCA implementation is crucial to ensure policies work as expected.
1. Testing Session and Access Policies
- Simulate the scenario: Try to access a SaaS application (e.g. SharePoint Online) from an unmanaged device or an untrusted location.
- Try to perform the action restricted by the policy (e.g. downloading a confidential file).
- Verify that the session policy blocks the action and displays a notification to the user.
2. Checking Activity Alerts and Anomalies
- Simulate the activity: In a test environment, run the activity you configured to generate an alert (e.g. quickly delete multiple files in OneDrive).
- Wait a few minutes.
- In the Microsoft 365 Defender portal, go to Incidents and alerts > Alerts.
- Filter by Service = Microsoft Defender for Cloud Apps and check whether the alert was generated.
3. Reviewing the Activity Log
The MDCA activity log records all actions detected in connected applications.
- In the MDCA left navigation pane, select Logs > Activity Log.
- Filter by user, application, or activity type to verify that expected actions are being recorded and policies are applied.
Security Tips and Best Practices
- Start with Visibility: Prioritize Shadow IT discovery to understand your organization's cloud application landscape before implementing strict controls.
- Gradual Implementation: Start with policies in Monitor or Audit Only mode to understand the impact and adjust before applying blocking actions.
- Full Integration: Integrate MDCA with Microsoft Defender for Endpoint to enhance Shadow IT discovery and endpoint protection.
- Comprehensive Policies: Create policies that cover access, session, activity, and anomaly detection for multi-layered protection.
- Data Classification: Use Microsoft Information Protection (MIP) to classify and label sensitive data, and use these labels in MDCA DLP policies.
- User Education: Communicate to users about MDCA policies and the importance of using approved and secure applications for corporate data.
- Continuous Review: Review and adjust MDCA policies regularly to adapt to changes in application usage, the threat landscape, and compliance requirements.
Common Troubleshooting
- Apps not appearing in discovery: Verify that firewall/proxy logs are loading correctly or that integration with Defender for Endpoint is active. Make sure relevant traffic is being captured.
- Application connectors fail: Check permissions granted to MDCA on the SaaS application. Check the connection logs in MDCA for error messages. You may need to reauthorize the connector.
- Policies are not applied: Verify that the policy is enabled and that the user and application are in scope of the policy. Check the activity filters to ensure the conditions are being met. For session policies, ensure that traffic is being routed through the MDCA conditional access control proxy.
- False Positives: Adjust the sensitivity of anomaly detection policies or add exclusions for legitimate activity. For activity policies, refine the filters to be more specific.
- Performance Issues: Using the conditional access control proxy may introduce a small amount of latency. Monitor performance and optimize policies if necessary.
Conclusion
Microsoft Defender for Cloud Apps (MDCA) is an indispensable tool for any organization looking to protect their data and users in SaaS application environments. By providing visibility into Shadow IT, granular access and session controls, and advanced threat detection, MDCA enables enterprises to effectively extend their security posture to the cloud. Careful implementation of MDCA policies, combined with SaaS governance best practices and integration with other Microsoft 365 Defender solutions, significantly strengthens your organization's cyber resilience. With this practical guide, security professionals will be able to configure and manage MDCA to ensure their cloud applications are secure, compliant, and in control.
References:
[1] Microsoft Learn. What is Microsoft Defender for Cloud Apps? Available at: https://learn.microsoft.com/pt-br/defender-cloud-apps/what-is-defender-for-cloud-apps
[2] Microsoft Learn. Discovery of Shadow IT. Available at: https://learn.microsoft.com/pt-br/defender-cloud-apps/shadow-it-discovery
[3] Microsoft Learn. Microsoft Defender for Cloud Apps licensing requirements. Available at: https://learn.microsoft.com/pt-br/defender-cloud-apps/what-is-defender-for-cloud-apps#licensing-requirements