Microsoft Cloud App Security is a powerful reporting and alerting tool that provides deep analytics into your Microsoft 365 tenant. Combined with other agents it can be a central place to bring all your reporting and alerting together and even incorporate information from endpoints, servers and firewalls. Come and learn why Microsoft Cloud App Security provides administrators power beyond their wildest dreams when it comes to managing Microsoft 365.
2. #M365May @M365May M365May.com
HOW TO GET DEEPER ADMINISTRATION INSIGHTS INTO YOUR TENANT
Robert Crane | @directorcia | http://about.me/ciaops
Megan & Loryan Strant | Strant Consulting
3. Microsoft’s approach to information protection
Detect | Protect | Classify | Monitor
Cloud | Devices | On-premises
Comprehensive protection of sensitive data throughout the lifecycle – across devices, apps, cloud services and on-premises
4. Protection across
(Attack-chain diagram, reconstructed as text.)
Attack chain: user browses to a website / phishing mail / opens attachment / clicks on a URL → exploitation & installation → command & control → brute force account or use stolen account credentials → user account is compromised → attacker attempts lateral movement → privileged account compromised → domain compromised → attacker accesses sensitive data → exfiltrate data. Throughout, the attacker collects recon and config data.
Protection mapped onto the chain:
- Office 365 ATP: malware detection, safe links, safe attachments
- Windows Defender ATP: endpoint protection
- Azure AD Identity Protection: identity protection & conditional access
- Azure ATP: identity protection
- Cloud App Security: extends protection & conditional access to other cloud apps
5. (Chart reconstructed as text. Attack types shown: phishing, password spray, breach replay.)
- 1.7B attacker-driven sign-ins detected in October 2019
- 901K high-risk enterprise sign-in attempts flagged in October 2019
- 162K compromised enterprise accounts detected in October 2019
- 81% of hacking breaches leverage stolen or weak passwords (Verizon 2017 Data Breach Investigation Report)
- 300% increase in identity attacks over the past year: 2017: 10M/day, 2018: 100M/day, 2019: 300M/day
- 2.5% definitively password spray; 1.6% definitively breach replay; 95.9% indeterminate
20. Competition week 1
Registered participants: scan the QR code to enter the prize draw.
Competition and prize rules: m365may.com/competition-rules
22. Microsoft Cloud App Security
What is Microsoft CAS?
- A multi-mode Cloud Access Security Broker
- Insights into threats to identity and data
- Raise alerts on user or file behavior anomalies in cloud apps, leveraging their API connectors (in scope for this engagement, with Office 365)
- Ability to respond to detected threats, discover shadow IT usage and configure application monitoring and control (out of scope for this engagement)
Requirements
- Available to organizations with an Azure tenant or an Office 365 commercial subscription and who are in the multi-tenant and Office 365 U.S. Government Community cloud
23. Threat scenarios
- Malicious insider: protect against disgruntled employees before they cause damage
- Ransomware: identify ransomware using sophisticated behavioral analytics technology
- Rogue application: identify rogue applications that access your data
- Compromised accounts: combat advanced attackers that leverage compromised user credentials
- Malware: detect malware in cloud storage as soon as it’s uploaded
- Data exfiltration: detect unusual flow of data outside of your organization
32. Anomaly detections, grouped by category
Malicious use of an end-user account:
- Unusual file share activity
- Unusual file download
- Unusual file deletion activity
- Ransomware activity
- Data exfiltration to unsanctioned apps
- Activity by a terminated employee
Threat delivery and persistence:
- Suspicious inbox rules (delete, forward)
- Malware implanted in cloud apps
- Malicious OAuth application
- Multiple failed login attempts to app
Malicious use of a privileged user:
- Unusual impersonated activity
- Unusual administrative activity
- Unusual multiple delete VM activity
Indicators of a compromised session:
- Activity from suspicious IP addresses
- Activity from anonymous IP addresses
- Activity from an infrequent country
- Impossible travel between sessions
- Logon attempt from a suspicious user agent
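The "impossible travel between sessions" detection listed above, shown as an added illustration that is not part of the deck and not Cloud App Security's own logic: consecutive sign-ins of one user are compared and flagged when the implied ground speed is unrealistic. The sign-in events, the coordinates and the 1000 km/h threshold are constructed assumptions.

```python
import math
from datetime import datetime

# Constructed sign-in events, not real tenant data:
# (user, UTC timestamp, country, latitude, longitude)
SIGNINS = [
    ("alice", "2019-10-03T08:00:00", "AU", -33.87, 151.21),  # Sydney
    ("alice", "2019-10-03T09:30:00", "AU", -37.81, 144.96),  # Melbourne, 1.5 h later
    ("alice", "2019-10-03T10:00:00", "US", 40.71, -74.01),   # New York, 30 min later
    ("bob",   "2019-10-03T08:00:00", "AU", -33.87, 151.21),  # Sydney
    ("bob",   "2019-10-04T08:00:00", "GB", 51.51, -0.13),    # London, 24 h later
]

# Assumed threshold: consecutive sessions implying a faster ground speed than
# this are treated as impossible travel.
MAX_SPEED_KMH = 1000.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two coordinates."""
    earth_radius_km = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(a))


def impossible_travel(events, max_speed_kmh=MAX_SPEED_KMH):
    """Compare each user's consecutive sign-ins and return one alert tuple
    (user, from_country, to_country, implied_speed_kmh) for every pair that
    would require travelling faster than max_speed_kmh."""
    alerts = []
    last_seen = {}  # user -> (time, country, lat, lon) of the previous sign-in
    for user, ts, country, lat, lon in sorted(events, key=lambda e: (e[0], e[1])):
        t = datetime.fromisoformat(ts)
        prev = last_seen.get(user)
        if prev is not None:
            distance = haversine_km(prev[2], prev[3], lat, lon)
            hours = (t - prev[0]).total_seconds() / 3600.0
            # Identical timestamps: a different location is impossible, the same one is fine.
            if hours > 0:
                speed = distance / hours
            else:
                speed = float("inf") if distance > 0 else 0.0
            if speed > max_speed_kmh:
                alerts.append((user, prev[1], country, round(speed)))
        last_seen[user] = (t, country, lat, lon)
    return alerts


if __name__ == "__main__":
    for user, src, dst, speed in impossible_travel(SIGNINS):
        print(f"ALERT {user}: {src} -> {dst} implies {speed} km/h")
```

A production detector would also weight the result by IP reputation and whether the country is infrequent for that user, which are the neighbouring detections on this slide.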