Over the next few weeks we will look at different cloud solutions to increase cyber security and hopefully provide insight into what’s going on with your end-point.

The key to effective security is simply knowledge: knowing what your employees and organization are doing is essential to securing your environment. Regardless of the controls you put in place, there will almost always be a workaround, and while most are not intentionally malicious, they still create risk for the organization, whether that is a compliance failure, a data leak, or simply a lack of control over corporate information.

Today, we’re going to look at Microsoft’s Cloud App Security.

Microsoft Cloud App Security is available as a standalone offering at $5.00 per user per month, or included with Microsoft Enterprise Mobility + Security (EMS) E5 or Azure Active Directory Premium P2. These packages, which we will discuss in more detail in a later post, offer a host of security services to help strengthen a corporate network. I would suggest looking at all the benefits of Azure Active Directory Premium P2, as it offers a comprehensive security solution for less than $10.00 per user per month.

Cloud App Security is designed to identify the applications and services being used by all devices on your network. The data can be collected agentlessly from your firewall or network device logs, or by installing an agent on the endpoints. This is the discovery phase, and it provides complete visibility and context for usage: you now have the ability to know what users are doing on your network. Think about this: if a user were transferring 100GB of data to Box storage, or worse yet, transferring it over unencrypted HTTP, that may not be suspicious in and of itself, but in the past you probably did not have that level of detail until it was too late. With appropriate security in place, you now have the ability to investigate early and prevent a potential breach that could otherwise go unnoticed for months at a time.

Once you have identified sanctioned cloud apps, you can set granular controls and policies to apply data leak protection in your cloud environment. Preventing the use of non-sanctioned cloud-based apps is key to protecting your organization’s assets.

Once your policies are configured, the real power of Cloud App Discovery can be utilized. Threat protection not only identifies policy violations (and locks them down), but also uses Microsoft threat intelligence and research to identify high-risk usage and security incidents and to detect abnormal user behavior. When a policy violation or threat is identified, it provides real-time feedback via the Microsoft Azure Portal and/or email notifications.

Cloud App Discovery can be used not only in a proactive security model, to understand user behavior and provide insight into what’s leaving your network, but also as a real-time reactive tool that prevents data loss that might otherwise have gone unnoticed.

Configuring this service isn’t that difficult with a bit of experience and practice. The first question that needs to be asked is: agent or agentless? Agentless means collecting data from the firewall and then analyzing it with Cloud App Security; this is a good option in a mixed network environment (e.g., Macs, Windows, Linux), with a few caveats:

  1. Your firewall must be supported (in most cases enterprise and SMB firewalls such as Cisco, SonicWall, Sophos, Palo Alto, etc. will work).
  2. You can only analyze what you collect, meaning if you’re not collecting the target URL, it will not be available within the report.
  3. Continuous report data is analyzed twice per day.

At a high level, you need to deploy a log collector (syslog or FTP) and then upload the logs to Azure; for additional details see: http://bit.ly/2gFauH6
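To make the agentless discovery phase concrete, here is an added example (my own illustration, not Microsoft’s code and not Cloud App Security’s actual parser) of the kind of analysis the service performs on firewall logs once they are collected. The log lines, their key=value layout, the user names, hosts and byte counts are all constructed; real vendor logs use different fields. It aggregates outbound bytes per user and destination app, flags a user whose uploads to one app exceed a 100GB threshold (a policy value I chose for the example) and anyone uploading over plain HTTP, and shows the effect of caveat 2 above: a line without a target URL is counted but cannot be attributed to any app.

```python
"""Toy discovery pass over firewall logs: who is sending how much to which cloud app."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed syslog-style firewall lines in a hypothetical key=value format.
# Real vendor logs differ; the point is which fields the analysis needs.
SAMPLE_LOGS = """\
<134>Jan 10 09:12:01 fw01 traffic: user=alice src=10.0.1.5 dst=1.2.3.4 proto=https url=https://app.box.com/upload bytes_sent=60000000000 bytes_recv=4096
<134>Jan 10 09:15:22 fw01 traffic: user=alice src=10.0.1.5 dst=1.2.3.4 proto=https url=https://app.box.com/upload bytes_sent=50000000000 bytes_recv=4096
<134>Jan 10 09:20:45 fw01 traffic: user=bob src=10.0.1.9 dst=5.6.7.8 proto=http url=http://share.example.net/put bytes_sent=734003200 bytes_recv=1024
<134>Jan 10 09:31:10 fw01 traffic: user=carol src=10.0.1.12 dst=9.9.9.9 proto=https bytes_sent=1048576 bytes_recv=2048
<134>Jan 10 09:40:03 fw01 traffic: user=dave src=10.0.1.20 dst=13.107.42.12 proto=https url=https://outlook.office365.com/mail bytes_sent=20480 bytes_recv=3145728
"""

KV_RE = re.compile(r"(\w+)=(\S+)")
UPLOAD_THRESHOLD = 100 * 10**9  # 100 GB outbound per user per app (constructed policy value)


def parse_line(line):
    """Return the key=value fields of one traffic line as a dict, or None for other lines."""
    if "traffic:" not in line:
        return None
    fields = dict(KV_RE.findall(line.split("traffic:", 1)[1]))
    if "user" not in fields or "bytes_sent" not in fields:
        return None
    url = fields.get("url")
    # Caveat 2 from the post: without the target URL the traffic cannot be tied to an app.
    fields["app"] = urlsplit(url).hostname if url else "(unknown)"
    fields["bytes_sent"] = int(fields["bytes_sent"])
    return fields


def summarize(log_text):
    """Aggregate outbound bytes per (user, app) and note whether any of it went over plain HTTP."""
    totals = defaultdict(lambda: {"bytes_sent": 0, "plaintext": False, "sessions": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        entry = totals[(rec["user"], rec["app"])]
        entry["bytes_sent"] += rec["bytes_sent"]
        entry["sessions"] += 1
        if rec.get("proto") == "http" or (rec.get("url") or "").startswith("http://"):
            entry["plaintext"] = True
    return dict(totals)


def find_findings(totals, threshold=UPLOAD_THRESHOLD):
    """Turn the aggregate into a sorted list of (user, app, reason) worth an analyst's attention."""
    findings = []
    for (user, app), entry in sorted(totals.items()):
        if entry["bytes_sent"] >= threshold:
            findings.append((user, app, "large_upload"))
        if entry["plaintext"] and entry["bytes_sent"] > 0:
            findings.append((user, app, "plaintext_upload"))
    return findings


def unattributed_bytes(totals):
    """Outbound volume that could not be tied to an app because no URL was logged."""
    return sum(e["bytes_sent"] for (_, app), e in totals.items() if app == "(unknown)")


if __name__ == "__main__":
    t = summarize(SAMPLE_LOGS)
    for user, app, reason in find_findings(t):
        print(f"{reason:17} user={user} app={app} bytes_sent={t[(user, app)]['bytes_sent']}")
    print(f"unattributed bytes (no URL logged): {unattributed_bytes(t)}")
```

Run as-is and the script reports alice’s 110GB to app.box.com and bob’s plaintext upload, while carol’s traffic only shows up in the unattributed total, which is exactly the blind spot you get when the firewall is not configured to log the target URL.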

Agent deployments are very simple. You download an agent that is unique to your Azure deployment and push it out via GPO or similar tooling. I personally prefer the agent deployment, as it collects data for users who are off the network. For additional information: http://bit.ly/2gEu468. Ideally, running both the agent and the agentless configuration gives the greatest insight into the endpoints.

The bullet points:

  • Cloud App Discovery/Security, a cloud service provided by Microsoft
  • Standalone at $5.00 per user per month
  • Included with Azure AD P2 (recommended)
  • Included with EMS + Security E5
  • Provides insight into what apps are being used by devices on your network
  • Proactive lockdown of the endpoint when a policy violation or threat has been identified
  • Two deployment models:
      ◦ Firewall data collection (agentless): requires a data collector
      ◦ Agent deployment: an agent is installed on each computer
  • Reports and notifications


Follow me on Twitter @JSLauria for real-time security notification.