Examine the Defender for Cloud Apps


Apps in Microsoft Teams allow you to leverage additional capabilities, enhance your experience, and make Teams work for you by adding your favorite Microsoft and third-party services.

In the modern business environment, users often want to use their own devices to access your systems. They might download and use apps from app stores and other locations that you can't control directly. You need to ensure that such practices don't put your sensitive and business-critical data at risk. Defender for Cloud Apps can assist with this task.

What is Defender for Cloud Apps?

Microsoft Defender for Cloud Apps is a Cloud Access Security Broker. It's a layer between cloud applications and cloud application users. Microsoft Defender for Cloud Apps is designed for security professionals who need to monitor activity centrally and enforce security policies.

Microsoft Defender for Cloud Apps natively integrates with leading Microsoft solutions. It provides visibility into the apps being used, control over data travel, and analytics to identify and combat cyber threats.

Screenshot of Defender for Cloud Apps dashboard.

The Defender for Cloud Apps framework

Defender for Cloud Apps uses a four-stage framework:

  • Discover and control the use of Shadow IT: Identify the cloud apps, IaaS, and PaaS services used by your organization. Investigate usage patterns, and assess the risk levels and business readiness of more than 25,000 SaaS apps against more than 80 risks. Start managing them to ensure security and compliance.

  • Protect your sensitive information anywhere in the cloud: Understand, classify, and protect the exposure of sensitive information at rest. Leverage out-of-the-box policies and automated processes to apply controls in real time across all your cloud apps.

  • Protect against cyberthreats and anomalies: Detect unusual behavior across cloud apps to identify ransomware, compromised users, or rogue applications; analyze high-risk usage; and remediate automatically to limit the risk to your organization.

  • Assess the compliance of your cloud apps: Assess if your cloud apps meet relevant compliance requirements including regulatory compliance and industry standards. Prevent data leaks to non-compliant apps, and limit access to regulated data.

Architecture

Defender for Cloud Apps provides:

  • Cloud Discovery: Using Cloud Discovery to map and identify your cloud environment and the cloud apps your organization is using.

  • Sanction or unsanction apps: After you've reviewed the list of discovered apps in your environment, mark each app as sanctioned or unsanctioned. Secure your environment by approving (sanctioning) safe apps and prohibiting (unsanctioning) unwanted apps.

  • App connectors: Deploy app connectors that use the app providers' APIs to give Defender for Cloud Apps visibility and control over the apps you connect.

  • Conditional Access App Control: Provides real-time protection, visibility, and control over access and activities within your cloud apps. Session controls in Defender for Cloud Apps work with the featured apps.

  • Policies: Enable you to define the way you want users to behave in the cloud. Policies detect risky behavior, violations, or suspicious data points and activities in your cloud environment. If necessary, you can integrate remediation workflows to achieve complete risk mitigation.

Diagram showing the Defender for Cloud Apps being used in an organization.

Conditional Access App Control

To allow featured apps to be controlled by Microsoft Defender for Cloud Apps Conditional Access App Control, there are four steps:

  1. Configure your identity provider (IdP) to work with Defender for Cloud Apps.

  2. Sign into each app with a user scoped to the policy.

  3. Verify the apps are configured to use access and session controls.

  4. Test the deployment.

You must also have Microsoft Entra ID P1 or higher, or the license required by your identity provider (IdP) solution, and licenses for Microsoft App Security.

Policy control

You use policies to define the way you want users to behave in the cloud. Policies enable you to detect risky behavior, violations, or suspicious data points and activities in your cloud environment. You can integrate remediation workflows to mitigate risks. There are multiple types of policies that correlate to the different types of information you want to gather about your cloud environment, and the types of remediation actions you might take. Examples include:

  • Quarantine a data violation threat.

  • Block a risky cloud app from being used by your organization.

For more information, see:

Plan and configure threat policies in Microsoft Defender XDR

Technical adoption for implementing threat protection and XDR involves:

  • Setting up the suite of XDR tools provided by Microsoft to:

    • Perform incident response to detect and thwart attacks.

    • Proactively hunt for threats.

    • Automatically detect and respond to known attacks.

  • Integrating Microsoft Defender XDR and Microsoft Sentinel.

  • Defining SecOps processes and procedures for incident response and recovery.

Implementing threat protection and XDR also involves a few related activities, including:

  • Using the XDR tools to monitor both your business critical and honeypot resources, which you implemented in the security breach prevention and recovery article to lure attackers into showing their presence before they can attack your real resources.

  • Evolving your SecOps team to be aware of the latest attacks and their methods.

Many organizations can take a four-staged approach to these deployment objectives, summarized in the following four stages.

Stage 1:

  • Turn on XDR tools:
    - Defender for Endpoint
    - Defender for Office 365
    - Microsoft Entra ID Protection
    - Defender for Identity
    - Defender for Cloud Apps

  • Investigate and respond to threats using Microsoft Defender XDR

Stage 2:

  • Turn on Defender for Cloud

  • Define internal process for SecOps

  • Monitor business critical and honeypot resources with XDR tools

Stage 3:

  • Turn on Defender for IoT

  • Design a Microsoft Sentinel workspace and ingest XDR signals

  • Proactively hunt for threats

Stage 4:

  • Evolve SecOps as a discipline in your organization

  • Leverage automation to reduce load on your SecOps analysts

After Stage 4, the next phases are Ready, Adopt, and Govern and manage.

For more information, see: Implement threat protection and XDR