Defender for Cloud Apps - Lock Down Your Cloud Apps & Protect Data
Summary
TL;DR: In this video, Jonathan Edwards, known as the '365 Guy,' discusses Microsoft Defender for Cloud Apps, a tool that lets businesses discover, monitor and block cloud applications. He explains how it integrates with Microsoft 365, detailing features like Cloud App Discovery, which uncovers the cloud apps actually in use, and the ability to sanction or block apps for security purposes. Edwards also covers licensing options and the added benefits of security monitoring and automated responses to potential threats, providing a practical guide to using the tool to safeguard business data.
Takeaways
- 🛡️ Microsoft Defender for Cloud Apps helps businesses block and manage cloud applications they don't want employees using.
- 💼 It's part of the Microsoft Defender XDR suite (not Defender for Business, which is the endpoint product bundled with Business Premium) and can also monitor apps for security issues and automate responses.
- 💸 The full version of Defender for Cloud Apps requires a Microsoft 365 E5 license, which costs about £50.30 per user per month; alternatively, the Enterprise Mobility and Security E5 license (about £13.90 per user per month) can be added on top of Business Premium.
- 🔍 One key feature, Cloud App Discovery, identifies all cloud applications being used in a business, even if the owner is unaware.
- 📈 The full version offers continuous, automated reports because discovery data comes from devices onboarded to Microsoft Defender for Endpoint, whereas the Business Premium version only provides point-in-time snapshot reports built from uploaded firewall logs.
- 📊 The Cloud App Catalog evaluates over 30,000 cloud applications, scoring them based on 90 different factors like security and compliance.
- ✅ Businesses can sanction, unsanction, or monitor applications. Monitored apps show a warning that employees can bypass for a configurable period (1 hour in the demo), so they can still be used when necessary.
- 🚫 Unsanctioned apps are blocked outright, with no bypass, on devices onboarded to Microsoft Defender for Endpoint, which enforces the block; devices that are not onboarded are not covered.
- 🔔 Defender for Cloud Apps includes security monitoring and can detect suspicious activities like account compromises or data sharing with personal emails, sending alerts to IT and taking immediate action.
- 📜 Policies can be customized to fit business needs, such as detecting suspicious inbox forwarding or restricting data shared with personal email addresses.
Q & A
What is the main topic of the video?
-The video focuses on Microsoft Defender for Cloud Apps, a tool that helps businesses monitor and control the use of cloud applications, block unwanted apps, and enhance security.
What is Cloud App Discovery and what does it do?
-Cloud App Discovery is a feature of Defender for Cloud Apps that identifies and monitors the cloud applications used in an organization. It helps business owners see which apps are being accessed and offers insights on their usage.
What are the two ways to use Cloud App Discovery?
-The first method, the only one available with Microsoft 365 Business Premium, involves uploading log files from on-premises firewalls or security appliances and produces a point-in-time report. The second, available with the full Defender for Cloud Apps, integrates directly with Microsoft Defender for Endpoint, which reports the cloud apps that onboarded devices connect to, providing continuous and automated reporting.
What licensing options are available to access the full version of Defender for Cloud Apps?
-To access the full version, businesses need either the Microsoft 365 E5 license or the Enterprise Mobility and Security (EMS) E5 license. The E5 licenses provide more comprehensive features compared to the limited version in Microsoft 365 Business Premium.
How does the Cloud App Catalog help businesses manage cloud applications?
-The Cloud App Catalog evaluates over 33,000 cloud apps based on 90 factors, allowing businesses to sanction, unsanction, or monitor applications based on their security and compliance features. This helps companies control app usage effectively.
What happens when an app is unsanctioned in Defender for Cloud Apps?
-When an app is unsanctioned, users are blocked from accessing it. If the business uses Microsoft Defender for Endpoint with 'Enforce app access' enabled, access to unsanctioned apps is blocked automatically on every device onboarded to Defender for Endpoint.
Can users bypass a blocked application, and how does the system handle this?
-Yes, if an app is set to 'monitored,' users see a warning page but can click through it; the bypass lasts for a configurable period (1 hour in the demo), after which the warning appears again. For unsanctioned apps, the system fully blocks access with no option to bypass.
How does Defender for Cloud Apps enhance security by monitoring user behavior?
-Defender for Cloud Apps can detect security risks, like suspicious user behavior (e.g., impossible travel or data sharing with personal email addresses), and automatically take action, such as suspending the user or sending alerts to IT.
What is the 'impossible travel' policy in Defender for Cloud Apps?
-The 'impossible travel' policy detects when a user signs in from two geographically distant locations within a window too short to travel between them, which could indicate a compromised account. The speaker notes it can also fire legitimately, for example when a user connects through a VPN whose exit point is in another country, so alerts need triage. The policy can alert IT, notify the user, suspend the user's account, or confirm the user as compromised so that their risk level rises and Conditional Access policies kick in.
Can Defender for Cloud Apps prevent data from being shared with personal email addresses?
-Yes, businesses can set policies that restrict or monitor data being shared with personal email addresses. For instance, a policy could automatically apply sensitivity labels to files, preventing external access to sensitive data.
Outlines
🔒 Introduction to Blocking Applications with Microsoft 365 Defender
The speaker introduces the topic of using Microsoft Defender for Cloud Apps within Microsoft 365 to block unwanted applications. They explain its significance and broader capabilities beyond just blocking apps, such as monitoring cloud apps and automating security responses. The speaker, Jonathan Edwards, also briefly mentions his background and the value this tool brings to business owners.
💡 Cloud App Discovery and Licensing for Microsoft Defender
The video moves on to describe the first feature of Defender for Cloud Apps, Cloud App Discovery, which helps businesses identify applications in use. Two methods are explained: using firewall logs (available with Business Premium) and integrating with Defender for Endpoint for continuous reports (requires E5). The speaker discusses licensing options, emphasizing the significant differences between Business Premium and the full version in Microsoft 365 E5.
📝 Continuous Monitoring with Microsoft Defender for Cloud Apps
The speaker demonstrates how the full version of Defender for Cloud Apps provides more features, such as continuous monitoring and a comprehensive dashboard. They walk through how Cloud Discovery shows apps, IP addresses, users, and devices. Additionally, the speaker explains how integrating with Defender for Endpoint streamlines cloud app monitoring across devices.
📊 Sanctioning, Unsanctioning, and Monitoring Cloud Apps
Microsoft's Cloud App Catalog, which assesses over 30,000 cloud apps based on security, compliance, and legal factors, is introduced. The speaker explains how businesses can sanction, unsanction, or monitor apps. They demonstrate by showing how to monitor Dropbox and block Box, emphasizing the flexibility of the platform in managing app access and educating users.
🚫 Blocking Unwanted Applications in Real Time
In this section, the speaker shows the practical application of blocking apps. They walk through a real-world example where a user tries to access Dropbox (monitored) and Box (blocked). They demonstrate how monitored apps allow a temporary bypass, while unsanctioned apps like Box remain inaccessible. The importance of setting user notifications and customized messages is also highlighted.
🛡️ Automated Security and User Activity Monitoring
This segment dives into the advanced security features of Defender for Cloud Apps, such as detecting compromised accounts and preventing data sharing with personal email addresses. The speaker explains how policies like 'Impossible Travel' and suspicious inbox forwarding detection can help safeguard the organization, automatically notifying IT and taking governance actions, like suspending accounts or confirming a user as compromised.
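The impossible-travel check described above, written out as an added illustrative example in Python. This is not Microsoft's detection logic and not code from the video; it shows the shape of the computation (great-circle distance between consecutive sign-ins divided by elapsed time, compared with a plausible travel speed) and the VPN false positive the speaker mentions. Everything in it is an assumption for illustration: the sign-in events already carry a resolved latitude/longitude (a real pipeline would look the IP up in a GeoIP database), timestamps are UTC, the corporate VPN egress IP list is known, the speed thresholds are ours, and the users and IP addresses (documentation ranges) are constructed.

```python
"""Impossible-travel detection over sign-in events.

Added illustrative example; not Microsoft's detection logic and not code from
the video. Hypothetical assumptions: each sign-in already carries a resolved
latitude/longitude (a real pipeline would resolve the IP with a GeoIP
database), timestamps are UTC, and the corporate VPN egress IPs are known.
"""
from dataclasses import dataclass
from datetime import datetime
from itertools import groupby
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_SPEED_KMH = 1000.0  # above airliner cruising speed: nobody travels faster
MIN_DISTANCE_KM = 100.0           # ignore GeoIP jitter inside one metro area
SUSPEND_FACTOR = 5.0              # this far beyond plausible: treat as compromise


@dataclass(frozen=True)
class SignIn:
    user: str
    time: datetime
    ip: str
    city: str
    lat: float
    lon: float


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two latitude/longitude points."""
    earth_radius_km = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def governance_actions(speed_kmh: float) -> list:
    """Choose actions of the kind the policy offers; the escalation threshold is ours."""
    actions = ["alert_it_mailbox", "notify_user"]
    if speed_kmh > SUSPEND_FACTOR * MAX_PLAUSIBLE_SPEED_KMH:
        actions += ["confirm_compromised", "suspend_user"]
    return actions


def detect_impossible_travel(events, vpn_egress_ips=frozenset()) -> list:
    """Compare each user's consecutive sign-ins and flag physically impossible hops.

    Sign-ins from known VPN egress IPs are skipped: their location is the VPN
    concentrator's, not the user's, which is the false positive the speaker mentions.
    """
    findings = []
    ordered = sorted(events, key=lambda e: (e.user, e.time))
    for user, user_events in groupby(ordered, key=lambda e: e.user):
        prev = None
        for cur in user_events:
            if cur.ip in vpn_egress_ips:
                continue
            if prev is not None and cur.ip != prev.ip:
                km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
                hours = (cur.time - prev.time).total_seconds() / 3600.0
                speed = km / hours if hours > 0 else float("inf")
                if km >= MIN_DISTANCE_KM and speed > MAX_PLAUSIBLE_SPEED_KMH:
                    findings.append({
                        "user": user,
                        "from": f"{prev.city} ({prev.ip})",
                        "to": f"{cur.city} ({cur.ip})",
                        "distance_km": round(km, 1),
                        "minutes": round(hours * 60, 1),
                        "speed_kmh": round(speed, 1),
                        "actions": governance_actions(speed),
                    })
            prev = cur
    return findings


def _t(iso: str) -> datetime:
    return datetime.fromisoformat(iso)


# Constructed sample sign-ins: invented users, documentation IP ranges.
VPN_EGRESS_IPS = frozenset({"192.0.2.1"})
SAMPLE_EVENTS = [
    SignIn("alice@contoso.example", _t("2024-05-01T09:00:00+00:00"), "203.0.113.10", "London", 51.5074, -0.1278),
    SignIn("alice@contoso.example", _t("2024-05-01T09:10:00+00:00"), "198.51.100.7", "New York", 40.7128, -74.0060),
    SignIn("bob@contoso.example", _t("2024-05-01T09:00:00+00:00"), "203.0.113.20", "London", 51.5074, -0.1278),
    SignIn("bob@contoso.example", _t("2024-05-01T09:05:00+00:00"), "192.0.2.1", "Frankfurt (VPN)", 50.1109, 8.6821),
    SignIn("carol@contoso.example", _t("2024-05-01T09:00:00+00:00"), "203.0.113.30", "Manchester", 53.4808, -2.2426),
    SignIn("carol@contoso.example", _t("2024-05-01T10:00:00+00:00"), "203.0.113.31", "London", 51.5074, -0.1278),
]

if __name__ == "__main__":
    for finding in detect_impossible_travel(SAMPLE_EVENTS, VPN_EGRESS_IPS):
        print(finding)
```

With the VPN allowlist, only alice's London-to-New-York hop (about 5,570 km in 10 minutes) is reported, with the escalated actions; carol's Manchester-to-London move in an hour is well under the speed ceiling. Run without the allowlist, bob's jump to the VPN exit in Frankfurt also fires, which is exactly the legitimate-VPN case the speaker warns about, so an allowlist of corporate egress addresses (or the provider's own known-VPN data) belongs in any production version.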
🔍 Policy Management and Granular Controls
The speaker details how Defender for Cloud Apps includes pre-built and customizable policies that address various security needs, from suspicious forwarding to sharing with personal emails. They showcase how businesses can create granular policies, like applying sensitivity labels to data shared externally, to enforce security in real-time.
🔔 Conclusion: Defender for Cloud Apps as a Security Tool
In the conclusion, the speaker reinforces the value of Defender for Cloud Apps as an essential tool within Microsoft 365 for monitoring, managing, and securing cloud applications. They encourage viewers to explore its features for safeguarding their business data.
Keywords
💡Defender for Cloud Apps
💡Cloud App Discovery
💡Microsoft 365 E5 License
💡Business Premium
💡Enterprise Mobility and Security E5
💡Integration with Defender for Endpoint
💡Sanctioning and Unsanctioning Apps
💡Cloud App Catalog
💡Impossible Travel Detection
💡Data Shared with Personal Email Addresses
Highlights
Introduction to Microsoft Defender for Cloud Apps as a tool for blocking unwanted applications and more.
Defender for Cloud Apps is part of the Microsoft Defender XDR suite (not Defender for Business, which is the endpoint product bundled with Business Premium), offering capabilities beyond just blocking applications.
Discussion on licensing: Full version of Defender for Cloud Apps is only available with Microsoft 365 E5 or Enterprise Mobility and Security E5.
Cloud App Discovery feature allows businesses to discover which cloud applications are being used within the organization.
Comparison of Cloud App Discovery using log files in Business Premium versus full Defender for Cloud Apps with continuous, automated reporting.
Cloud App Catalog assesses over 30,000 cloud applications, scoring them based on 90 different factors such as security, compliance, and risk.
Capability to sanction, unsanction, or monitor applications within the Cloud App Catalog, offering control over app usage in the business.
Integration with Microsoft Defender for Endpoint allows for advanced management and security features, including automated responses.
Demonstration of blocking and monitoring applications like Dropbox and Box using Defender for Cloud Apps.
Introduction to policy management in Defender for Cloud Apps, enabling the creation of custom policies for app usage and security.
Highlight of the 'Impossible Travel' policy, which detects suspicious logins from different locations within an unrealistic timeframe.
Explanation of alerting and governance actions within policy management, including suspending users and sending notifications.
Example of a custom policy for detecting and managing data shared with personal email addresses, with governance actions such as alerting, notifying users, putting the shared file in user quarantine, and applying a sensitivity label.
Emphasis on the practical applications of Defender for Cloud Apps in protecting businesses from security breaches and unauthorized data sharing.
Final thoughts on the overall value of Defender for Cloud Apps as a comprehensive security tool within the Microsoft 365 ecosystem.
Transcripts
Is there a way that you can block certain applications that you don't want people to use? Well, yes, there is. If you're using Microsoft 365, there's a product called Defender for Cloud Apps, and it can do just that, plus much more, and that is the topic for today's video. But before we start, just a quick intro: my name is Jonathan Edwards, also known as the be 365 guy. I help businesses all over the world with their Microsoft 365. You can get more information at the bid 365 guy.com.

Now I always have a really interesting conversation with business owners: is there a way that we can know what cloud applications people are actually using inside of the business? And more than that, is there a way that we can block certain applications if we really don't want to use them? Well, there is a product called Defender for Cloud Apps, and it's part of the Microsoft Defender for Business Suite, and it can do just that. But it can do even more than that: it can also monitor your cloud applications for security problems, and it can automate responses. It's a really great tool, so that is what today's video is all about.

But before I start launching into the product demo, I think it's best to talk about licensing. How much does all this cost? Now, if you're a regular watcher of my channel, you will know that my favourite Microsoft 365 license is Business Premium. Now, unfortunately, with Business Premium you don't get the full version of Defender for Cloud Apps; you get kind of a dumbed-down version, and I'm going to show you in a minute the differences. Now, if you want the full version of Defender for Cloud Apps, you're going to have to buy Microsoft 365 E5, which costs a whopping £50.30 per user per month. Now there's another way around it: you can also buy Enterprise Mobility and Security E5, which costs about £13.90 per user per month, so you could bolt that on to a Microsoft 365 Business Premium. So you'd have Business Premium at £18.10 and then £13.90 for the Enterprise Mobility and Security. Still expensive, but that will give you the full Defender for Cloud Apps suite. Now, enough of my talking about licensing; let's start talking about the product.

So the first feature of Defender for Cloud Apps that I want to talk about is something called Cloud App Discovery. Now, what is this? Well, it's very nifty. As the name implies, what Cloud App Discovery does is discover the cloud apps in your business. Now I know what you're thinking; you're sat there thinking, "I know what applications people are using in my business." I bet you don't. Now, when I initially roll this out for customers, most of the time they're always pretty shocked: "Who's using Dropbox? What's this application here? I didn't know about that." Now, by using Cloud App Discovery, you can change all of that. Now there are two ways that you can use Cloud App Discovery. The first way, and this is the only way that works with Business Premium, is to upload your log files from your local firewall. Yes, and no, I don't like it either. And the second way, which you need full Defender for Cloud Apps for, is that you integrate it with Microsoft Defender for Endpoint. So once all your devices are in Intune and using Defender for Endpoint, it integrates really nicely with Defender for Cloud Apps. This means you can get continuous automated reports. Now what we'll do now is jump over to that PC and I'll show you both ways.

Okay, so this tenancy is one that has Microsoft 365 Business Premium as the base license. I'm in the admin center, I'm logged in as a global admin. If I go down to Admin centers and Security, and down the left-hand side, if I scroll down, you can see that I've got Cloud apps here. So this is where Defender for Cloud Apps lives. Now I've just got these options with the Business Premium, and you'll see in a minute how that differs from the full Defender for Cloud Apps license. But if I click on Cloud discovery, this is all the option I have with my Business Premium. So what I can do here is I can create a new report, which I'll show you now. I'll click on there, I'll click on Next, I'll give the report a name, and then I've got to select a source. So whatever firewall, whatever security appliance that I'm using, I've got to basically upload the log files, whether it's a Barracuda, a Cisco; they've got WatchGuard in here, they've got a load of different options, plus if you scroll down to the bottom you can choose Other or Generic. And then I can click on Next, and what will happen at the end is I will get a report like this, and it'll show me all the apps that have been discovered via the appliance. Now a lot of our customers don't really use appliances like this, and this report is just a point in time, a point in time as to when you upload the log files; there's no continuous reporting going on. But as I said, a lot of our customers, they don't have those kind of appliances anymore; they are remote workers, they don't have an office, so this, in a nutshell, is pretty useless to them. So what does it look like when we've got the full version of Defender for Cloud Apps? Well, let me hop over to a tenant now and I'll show you.

Okay, this is a tenancy which has the Microsoft 365 E5 license. I'm in the security portal again, and you can see under Cloud apps we've got a lot more options. Now if I click into Cloud discovery, what I get here is a nice dashboard, and at the top you can see that this has been integrated with Defender for Endpoint. So I've got 61 apps that have been identified, 107 IP addresses, 56 users, 57 devices. We can scroll down here and we can see all the apps that Defender for Cloud Apps has discovered. We can click into any of these things, so I can drill down into Discovered apps and it gives me a list of all the discovered apps. So you can see already we get a lot more options with the full version of Defender for Cloud Apps. Now in a moment we're going to talk more about all these options here, because we've got quite a lot going on, we've got loads of different options. But before I do that, I mentioned earlier that Defender for Cloud Apps has been integrated with Defender for Endpoint. So what we've done, and what we recommend, is that all your devices are in Intune and they're all running Defender for Endpoint. Once that's in place, there's a few things you need to do. So if I scroll down to here, go into Settings, firstly go into Endpoints here, Advanced features, and if we scroll down we need to make sure that Custom network indicators is switched on. We also need to make sure that Microsoft Defender for Cloud Apps is switched on, and it just points out here that we need an E5 license or an Enterprise Mobility and Security. Once we're happy with that, go back to Settings, go to Cloud apps, and you'll see, if we scroll down here, you will see we've got a Defender for Endpoint option here, and we're going to talk more about these options later in the video.

Now the next feature that I want to talk about is the Cloud app catalog. Now Microsoft have done a pretty good job here: they've assessed over 30,000 different cloud applications and they've scored these cloud applications based on 90 different factors. So what you can do with the Cloud app catalog is you can do one of three things. You can sanction an application for use in your business; this means the application will be allowed. Or you can unsanction. Or there's a bit of a middle ground: you can set an application to be monitored, so you'll monitor that application and people might get a warning before they use it. I think it's time to take a look at the Cloud app catalog.

Okay, so I'm just in my test tenancy that we use for a lot of these videos. If I just head over now to the Cloud app catalog, you can see this is what it's like. As I mentioned earlier, we've got over 33,000 applications that Microsoft have assessed. Now a lot of these, you can see the risk score here, it's green and they score 10 out of 10; a lot of these are obviously Microsoft applications. But what I can do, I can drill into these and it tells you why they've scored it 10 out of 10. So we're talking about the general settings, the headquarters of the company; we're looking at security, whether they allow multi-factor authentication, admin audit trails, lots of different things here; and also compliance, so which accreditations Microsoft are aligned to, you can see they've got a lot of different things going on here; and also some legal things as well, GDPR, data ownership. So Microsoft have scored themselves 10 out of 10, which is pretty good. Now you can see here again we've got lots of different categories as well, so if I go on to one here, maybe, you can see I'm going to have lots of different applications, and a lot of these of course aren't Microsoft ones. If I do the risk score the other way around, so I start with the ones that have scored a low risk score, you can see Microsoft have found lots of different ones. Let's look at this one here, and you can see that this company, I don't know who it is, but they don't score too highly on the Microsoft score. So for example, if you found that this application was being used in your business via Discovery, you could come in here, you could have a look at it and then you could make a decision about it. So what decision could you make about it? Well, this is where we use these options here. So we can click on here and we can sanction this app; that means that this app is allowed to be used in our business. The opposite of that is obviously unsanctioned, so if we unsanction it, we can't use it in the business. And then we've got another option here where we can monitor this application. So when we monitor an application, it can be used in the business, but what we can do is we can educate users on that application.

So how does this all work in the real world? Well, let's have a look. Let's go back to the Cloud discovery application here; we'll go to the Discovered apps. Now Microsoft have discovered that we are using Dropbox. I'm not too happy about this, but people might need to use it, so what I've done, you can see here, this has been monitored; so I went into here and I selected Monitored, okay. What I can also do is I can sanction these applications, because I'm happy with these, happy with all these, happy with that, happy with Cloudflare, I'm happy with all these. So, just to catch up, Dropbox is set to monitored. Now, one app that I don't want to be used in the business, it's not been picked up on Discovered apps yet, but I've heard really bad things about Box, okay; now I'm just making this up, I'm sure Box are a very nice company. But if I search in here and look for Box, you can see Box is here; now it gets 10 out of 10. I don't want people in my business using it, so what I'm going to do here, I'm going to tag this as Unsanctioned, and it's just going to be a heads up here that apps with an Unsanctioned tag will be blocked by Microsoft Defender for Endpoint. I can click on Save. You can do all kind of things with this, so you can block certain groups and things like that. Now the final thing I'm going to do is I'm going to go to Settings here, I'm going to go to Cloud apps, I'm going to go down to Defender for Endpoint, and I would tick this; I've already ticked it, but you can see here, Enforce app access: enabling this will block access to apps that are marked as unsanctioned, and it will deliver the warning message on access and allow bypass to apps marked as monitored. Now I've got some more settings here, look, User notification, so I can direct people to a different URL. So I can say, look, we're blocking Dropbox, and I can direct them to a URL with information as to why we're blocking Dropbox, and there's also a URL for blocked apps as well; so warned apps and blocked apps. So how does this look in the real world? Well, let's hop over to my Fred Finance virtual Windows 11 PC and see what happens.

Okay, I'm on a virtual PC. This is a Windows 11 computer used by our fictitious character Fred Finance. So Fred started work today, and what he's going to do, he's going to go and log into Dropbox because he wants to do some work. Now as you can see, he's now got this message: this website is blocked by your organization. You can see it says up here "Blocked content, contact your administrator for more information", but Fred's also got an option here to click on Allow. Now, if he clicks on Allow, what will happen is it will allow him to go to Dropbox; it'll still say "Blocked content" up there, but it's allowed him to bypass it. So how does that bypass work? Well, if I just minimize this virtual machine, go back to here, the bypass duration is set to 1 hour. So after that, if Fred goes back to Dropbox, he'll get that message again and he'll have to bypass it again. So we're just warning people, we're not disallowing them from using it. So Fred's finished with Dropbox, he comes out of there, but then remembers he's got some data in box.com, and if you remember, we didn't like box.com, did we? So we banned it. So going on to Box, it just says this website's been blocked, but the difference is Fred can't bypass this. So box.com is an unsanctioned application, and unfortunately Fred just cannot access it.

So hopefully you can already see that Defender for Cloud Apps could be a really valuable tool for your business, but there's more to this platform than just sanctioning applications. There's the security monitoring, which I find incredibly useful. Now imagine this scenario: you've got a busy chief executive and she's working really hard, but her Microsoft 365 account gets compromised by a hacker in a different country. Imagine now if Defender for Cloud Apps could automatically spot this, and it could disable the chief executive's account before the hacker does any real damage. But Defender for Cloud Apps goes further: it also sends an email to the IT team so they know about it straight away. We can do that with Defender for Cloud Apps. Or let's imagine a different scenario: you've got a disgruntled employee who starts sharing company data with their personal email address. Defender for Cloud Apps could immediately notify their line manager, plus it could make sure that the data that they're sharing with their personal email address wasn't accessible outside the office. You can do all that with policies in Defender for Cloud Apps. Let's take a look.

So we're back in Cloud discovery. At the bottom of Cloud apps here, you can see there's a Policies section, so if I click on Policy management, now you can see these are all the policies; there's 28 of them that Microsoft have baked into their solution. So at the moment I'm selecting all, but I can minimize it by these categories if I want. If I just scroll down, you can see there's some really interesting ones here. Firstly, let's have a look at Impossible travel. So what I can do then, I can go into here and I can edit the policy, and editing the policy, it'll just give me some more information about it. So you can see this is a built-in detection policy and it gives you a description. I'll tell you what impossible travel is: basically, if I log into my Microsoft 365 in London and then 10 minutes later I log into my Microsoft 365 in New York, that is what is classed as impossible travel. I can't get from London to New York in 10 minutes, so there might be an issue, there might not be an issue, I could be maybe logging into a VPN or something, but there might be an issue. And we can now set within Microsoft 365 what we want to do with that issue. So the first thing, obviously, is the scope: do we want this policy to apply to all users and groups, or specific users and groups? Then we can go on to alerts. So what do we want to do? We can send an alert to an email, so if you're an IT department you could send this to the IT department email so it can get picked up really quickly; if you're an MSP, maybe your services email again, so someone can get hold of it and act on it. Also, we can go further than that, because we've got some governance actions. If I click on the drop-down here, what we can do, we can notify users, so I can notify the end user that this has happened; so if it's a busy executive, we can send them an automatic email to say, "This impossible travel, is this you?" We can go further than that: we can go and suspend the user in Azure AD, so it can stop them from logging on. If that's a busy executive, they might get a little bit annoyed by that, but it's an option. Plus, what we can also do is confirm that the user has been compromised, so in Azure Active Directory, Entra ID, the user's risk level will go to high, so that could kick in some additional Conditional Access policies. And then once I'm happy with all that, I can simply just update it. I'll just come back out of that, because I want to show you something else.

Now we've got so many other policies that are baked into 365 here. Microsoft have also given these a severity, so you might as well go and configure these. Look, we've got Suspicious inbox forwarding; that's what a lot of hackers do when they compromise an email account, they'll set up forwards. Well, wouldn't it be great if you could be alerted to that, as an IT provider, as it's happening? You can then nip that in the bud. You can also, if we just go into that again, the governance actions, click on here, we can do the same things: we could suspend the account, we could confirm the user has been compromised. Lots of great policies here. But there's also more policy templates here. So these are the ones baked into 365; these are the ones that you can create your own. Now there's lots of different ones here. The one that I want to show you, because a lot of our clients ask about this, is Data shared with personal email addresses. I know a lot of business owners that this is a bit of a concern for. So I could go into here, I could create a policy based on that. That's going to give it a name, we can change that if we want; we can give it a severity, and the category is Sharing control. Now we can build filters in here, so what we can do, these are all kind of policy templates, but we can get a blank policy and we can build filters, so it's really granular. But what this policy is saying, and this is a Microsoft-suggested policy, is: any personal email addresses, so it's built all these in, and what we're saying is, if files are shared from OneDrive for Business or SharePoint Online to personal email addresses, we can do lots of different things. So yes, we can send an alert, but we can also do things within Microsoft OneDrive for Business and SharePoint: we can notify specific users, we can put the user into quarantine. This one I like: what we can do is apply a sensitivity label. So what we could do is we could have a sensitivity label which means that data can't be accessed by people outside the organization, and we could apply that sensitivity label when someone tries to share some data to any of these domains. So it would kick in that the person receiving that wouldn't be able to access that data. So that is a really strong policy you can have. So there's the policies built into Defender for Cloud Apps.

So there you have it: Defender for Cloud Apps, an incredibly useful security tool that you can get with Microsoft 365. I hope you enjoyed this video; hope I'll see you again soon.