Defender for Cloud Apps - Lock Down Your Cloud Apps & Protect Data

00:00

is there a way that you can block

00:01

certain applications that you don't want

00:03

people to use well yes there is if

00:06

you're using Microsoft 365 there's a

00:08

product called Defender for cloud apps

00:11

and it can do just that plus much more

00:15

and that is the topic for today's video

00:18

but before we start just a quick intro

00:20

my name is jonath Edwards also known as

00:23

the be 365 guy I help businesses all

00:27

over the world with their Microsoft 365

00:30

5 you can get more information at the

00:32

bid 365 guy.com now I always have a

00:36

really interesting conversation with

00:38

business owners is there a way that we

00:41

can know what cloud applications people

00:44

are actually using inside of the

00:46

business and more than that is there a

00:48

way that we can block certain

00:49

applications if we really don't want to

00:52

use them well there is a product called

00:54

Defender for cloud apps and it's part of

00:57

the Microsoft Defender for business

00:59

Suite and it can do just that but it can

01:02

do even more than that it can also

01:05

monitor your Cloud applications for

01:08

security problems and it can automate

01:11

responses it's a really great tool so

01:15

that is what today's video is all about

01:17

but before I start launching into the

01:19

product demo I think it's best to talk

01:22

about licensing how much does all this

01:25

cost now if you're a regular Watcher of

01:27

my channel you will know that that my

01:30

favorite Microsoft 365 license is

01:33

business premium now unfortunately with

01:36

business premium you don't get the full

01:39

version of Defender for cloud apps you

01:41

get kind of a dumb down version and I'm

01:44

going to show you in a minute the

01:45

differences now if you want the full

01:47

version of Defender for cloud apps

01:49

you're going to have to buy Microsoft

01:51

365 E5 which costs a whopping

01:56

5030 per user per month now there's

01:59

another way around it you can also buy

02:02

Enterprise mobility and security E5

02:05

which costs about £

02:07

1390 per user per month so you could

02:10

bolt that on to a Microsoft 365 business

02:13

premium so you'd have business premium1

02:15

1810 and then £ 1390 for the Enterprise

02:19

mobility and security still expensive

02:22

but that will give you the full Defender

02:24

for cloud App Suite now enough of my

02:28

talking about licensing let's start

02:30

talking about the product so the first

02:32

feature of Defender for cloud apps that

02:34

I want to talk about is something called

02:37

Cloud app Discovery now what is this

02:40

well it's very Nifty as the name implies

02:44

what Cloud app Discovery does is

02:46

discover the cloud apps in your business

02:50

now I know what you're thinking you're

02:52

sat there thinking I know what

02:54

applications people are using in my

02:56

business I bet you don't now when I

02:59

initially roll this out for customers

03:01

most of the time they're always pretty

03:03

shocked who's using Dropbox what's this

03:06

application here I didn't know about

03:08

that now by using Cloud app Discovery

03:11

you can change all of that now there are

03:13

two ways that you can use Cloud app

03:16

Discovery the first way and this is the

03:19

only way that works with business

03:21

premium is to upload your log files from

03:24

your local firewall yes and no I don't

03:28

like it either and the second way which

03:30

you need full Defender for cloud apps

03:32

for is that you integrate it with

03:34

Microsoft Defender for endpoint so once

03:37

all your devices are an InTune and using

03:39

Defender for endpoint it integrates

03:42

really nicely with Defender for cloud

03:44

apps this means you can get continuous

03:48

automated reports now what we'll do now

03:51

is jump over to that PC and I'll show

03:53

you both ways okay so this tency is one

03:56

that has Microsoft 365 business premium

04:00

as the base license I'm in the admin

04:03

Center I'm logged in as a global admin

04:05

if I go down to admin centers and

04:07

security and down the left hand side if

04:10

I scroll down you can see that I've got

04:12

Cloud apps here so this is where the

04:14

defender for cloud apps lives now I've

04:17

just got these options with the business

04:18

premium and you'll see in a minute how

04:20

that differs from the full Defender for

04:23

cloud apps license but if I click on

04:26

cloud Discovery this is all the option I

04:28

have with my business business premium

04:30

so what I can do here is I can create a

04:32

new report which I'll show you now I'll

04:35

click on there I'll click on next I'll

04:37

give the report a name and then I've got

04:40

to select a source so whatever firewall

04:42

whatever security appliance that I'm

04:44

using I've got to basically upload the

04:46

log files whether it's a barracuda a

04:48

Cisco they've got watch guard in here

04:51

they've got a load of different options

04:52

plus if you scroll down to the bottom

04:54

you can choose other or generic and then

04:57

I can click on next and what will happen

04:59

at the end is I will get a report like

05:01

this and it'll show me all the apps that

05:04

has been discovered via the appliance

05:07

now a lot of our customers don't really

05:09

use appliances like this and this report

05:12

is just a point of time it's a point in

05:14

time as to when you upload the log files

05:16

it's not any continuous reporting going

05:18

on but as I said a lot of our customers

05:21

they don't have those kind of appliances

05:23

anymore they are remote workers they

05:25

don't have an office so this in a

05:28

nutshell is pretty useless to them so

05:31

what does it look like when we've got

05:33

the full version of Defender for cloud

05:35

apps well let me hop over to a tenant

05:38

now and I'll show

05:39

you okay this is a tency which has the

05:43

Microsoft 365 E5 license I'm in the

05:46

security portal again and you can see

05:48

under Cloud apps we've got a lot more

05:51

options now if I click into Cloud

05:53

Discovery what I get here is a nice

05:56

dashboard and at the top you can see

05:58

that this has been in integrated with

06:00

Defender for endpoint so I've got 61

06:03

apps that have been identified 107 IP

06:06

addresses 56 users 57 devices we can

06:10

scroll down here and we can see all the

06:13

apps that Defender for cloud apps has

06:15

discovered we can click into any of

06:17

these things so I can drill down into

06:19

discovered apps and it gives me a list

06:21

of all the discovered apps so you can

06:24

see already we get a lot more options

06:27

with the full version of Defender for

06:29

cloud apps now in a moment we're going

06:31

to talk more about all these options

06:33

here cuz we've got quite a lot going on

06:35

we've got loads of different options but

06:37

before I do that I mentioned earlier

06:39

that Defender for cloud apps has been

06:42

integrated with Defender for endpoint so

06:44

what we've done and what we recommend is

06:46

that all your devices are in in tune and

06:49

they're all running Defender for

06:51

endpoint once that's in place there's a

06:53

few things you need to do so if I scroll

06:55

down to here go into settings firstly go

06:58

into end points here Advanced

07:01

features and if we scroll down we need

07:04

to make sure that custom Network

07:06

indicators is switched on we also need

07:08

to make sure that Microsoft Defender for

07:10

cloud apps is switched on and it just

07:13

point out here that we need an E5

07:14

license or an Enterprise mobility and

07:17

security once we're happy with that go

07:19

back to settings go to Cloud apps and

07:23

you'll see if we scroll down here you

07:25

will see we've got a Defender for

07:27

endpoint option here and we're we're

07:29

going to talk more about these options

07:31

later in the video now the next feature

07:33

that I want to talk about is the Cloud

07:35

app catalog now Micosoft have done a

07:38

pretty good job here they've assessed

07:41

over

07:42

30,000 different Cloud applications and

07:46

they've scored these Cloud applications

07:48

based on 90 different factors so what

07:51

you can do with the Cloud app catalog is

07:53

you can do one of three things you can

07:56

sanction an application for use in your

07:59

business this means the application will

08:02

be allowed or you can

08:10

unsanctioned or there's a bit of a

08:12

middle ground you can set an application

08:15

to be monitored so you'll monitor that

08:17

application and people might get a

08:19

warning before they use it I think it's

08:22

time to take a look at the Cloud app

08:25

catalog okay so I'm just in my test

08:27

tency that we use for a of these videos

08:30

if I just head over now to the Cloud app

08:33

catalog you can see this is what it's

08:35

like as I mentioned earlier we've got

08:37

over

08:38

33,000 applications that Microsoft have

08:41

assessed now a lot of these you can see

08:43

the RIS score here it's green and they

08:46

score 10 out of 10 lot of these are

08:48

obviously Microsoft applications but

08:51

what I can do I can drill into these and

08:53

it tells you why they've scored it 10

08:55

out of 10 so we're talking about the

08:57

general settings the headquarters of the

08:59

company we're looking at security

09:01

whether they allow multiactor

09:03

authentication admin audit trials lots

09:06

of different things here and also

09:09

compliance so which accreditations and

09:11

Microsoft aligned to you can see they've

09:13

got a lot of different things going on

09:15

here and also some legal things as well

09:17

gdpr data ownership so Microsoft have

09:20

scored themselves 10 out of 10 which is

09:23

pretty good now you can see here again

09:25

we've got lots of different categories

09:27

as well so if I go on to he maybe you

09:30

can see I'm going to have lots of

09:31

different

09:32

applications and a lot of these of

09:34

course aren't Microsoft ones if I do the

09:37

risk score the other way around so I I

09:39

start with the the ones that I've scored

09:40

a low risk score you can see Microsoft

09:43

have found lots of different ones let's

09:44

look at this one here and you can see

09:47

that this company I don't know who it is

09:49

but they don't score too highly on the

09:51

Microsoft score so for example if you

09:54

found that this application was being

09:57

used in your business via

09:59

Discovery you could come in here you

10:01

could have a look at it and then you

10:03

could make a decision about it so what

10:05

decision could you make about it well

10:08

this is where we use these options here

10:10

so we can click on here and we can

10:12

sanction this app that means that this

10:14

app is allowed to be us in our business

10:17

the opposite of that is obviously

10:19

unsanctioned so if we

10:21

unsanctioned and we can't use it in the

10:23

business and then we've got another

10:25

option here where we can monitor this

10:27

application so when we we monitor an

10:29

application it can be used in the

10:32

business but what we can do is we can

10:34

educate users on that application so how

10:37

does this all work in the real world

10:39

well let's have a look let's go back to

10:41

the cloud Discovery application here

10:43

we'll go to the discovered apps now

10:46

Microsoft have discovered that we are

10:48

using Dropbox I'm not too happy about

10:51

this but people might need to use it so

10:54

what I've done you can see here this is

10:56

been monitored so I went into here and

10:59

are selected monitored okay what I can

11:02

also do is I can sanction these

11:05

applications because I'm happy with

11:06

these happy with all these happy with

11:09

that happy with Cloud flare I'm happy

11:12

with all these so that just those catch

11:14

up Dropbox is set to monitored now one

11:18

app that I don't want to be use in the

11:20

business it's not been picked up on

11:22

discovered apps yet but I've heard

11:24

really bad things about box okay now I'm

11:27

just making this up I'm sure box are a

11:29

very nice company but if I search in

11:31

here and look for box you can see boxes

11:34

here now it guesss 10 out of 10 I don't

11:36

want people in my business using it so

11:38

what I'm going to do here I'm going to

11:39

tag this as unsanctioned and it's just

11:42

going to be heads up here that apps with

11:44

an unsanctioned tagged will be blocked

11:46

by Microsoft Defender for endpoint I can

11:49

click on

11:50

save you can do all kind of things with

11:52

this so you can block certain groups and

11:54

things like that now the final thing I'm

11:57

going to do is I'm going to go to

11:59

settings here I'm going to go to Cloud

12:02

apps I'm going to go down to Defender

12:05

for

12:06

endpoint and I would take this I've

12:09

already ticked it but you can see here

12:11

enforce app access enabling this will

12:14

block access to apps that marked as

12:17

unsanctioned and it will deliver the

12:19

warning message on access and allow

12:22

bypass to apps marked as monitored now

12:26

I've got some more settings here look

12:27

user notification

12:30

so I can direct people to a different

12:32

URL so I can say look we're blocking

12:34

Dropbox and I can direct them to a URL

12:37

with information as to why we're

12:39

blocking Dropbox and there's also a URL

12:41

for Block Taps as well so war war apps

12:44

and block Taps so how does this look in

12:47

the real world well let's hop over to my

12:50

Fred Finance virtual Windows 11 PC and

12:53

see what

12:54

happens okay I'm on a virtual PC this is

12:57

a Windows 11 comp computer used by our

13:00

fictitious character Fred Finance so

13:04

Fred started work today and what he's

13:05

going to do he going to go log into

13:07

Dropbox because he wants to do some work

13:10

now as you can see he's now got this

13:12

message this website is blocked by your

13:14

organization you can see it says up here

13:16

block content contact your administrator

13:19

for more information but Fred's also got

13:22

an option here to click on allow now if

13:25

he clicks on allow what will happen is

13:28

it will allow him to go to Dropbox it'll

13:31

still say block content up there but

13:34

it's allowed him to bypass it so how

13:37

does that bypass work well if I just

13:39

minimize this virtual machine go back to

13:41

here the bypass duration is set to 1

13:44

hour so after that if Fred goes back to

13:46

Dropbox he'll get that message again and

13:49

he'll have to bypass it again so we're

13:51

just warning people we're not

13:53

disallowing them from using it so Fred's

13:56

finished with Dropbox he comes out of

13:58

there but then remembers is got some

14:00

data in box.com and if you remember we

14:03

didn't like box.com did we so we banned

14:05

it so going on to box it just says this

14:09

website's been blocked but the

14:11

difference is Fred can't bypass this so

14:14

box.com is in an unsanctioned

14:16

application and unfortunately Fred just

14:19

cannot access it so hopefully you can

14:22

already see that Defender for cloud apps

14:24

could be a really valuable tool for your

14:27

business but there's more to this

14:29

platform than just sanctioning

14:31

applications there's the security

14:34

monitoring which I find incredibly

14:36

useful now imagine this scenario you've

14:39

got a busy chief executive and she's

14:41

working really hard but at Microsoft 365

14:45

account gets compromised by a hacker in

14:48

a different country imagine now if

14:52

Defender for cloud apps could

14:54

automatically spot this and it could

14:56

disable the chief Executives account

14:59

before the hacker does any real damage

15:02

but Defender for cloud apps goes further

15:05

it also sends an email to the IT team so

15:08

they know about it straight away we can

15:11

do that with Defender for cloud apps or

15:14

let's imagine a different scenario

15:16

you've got a disgruntled employee who

15:19

starts sharing company data with their

15:21

personal email address Defender for

15:24

cloud apps could immediately notify

15:26

their line manager Plus it could make

15:29

sure that the data that they're sharing

15:31

with their personal email address wasn't

15:33

accessible outside the office you can do

15:37

all that with policies in Defender for

15:39

cloud apps let's take a off so we're

15:41

back in at Cloud Discovery at the bottom

15:44

of cloud apps here you can see there's a

15:46

policies section so if I click on policy

15:49

management now you can see these are all

15:52

the policies there's 28 of them that

15:54

Microsoft have baked into their solution

15:57

so at the moment I'm selecting all es

15:59

but I can minimize it by these

16:01

categories if I want if I just scroll

16:04

down you can see there's some really

16:05

interesting ones here firstly let's have

16:08

a look at impossible travel so what I

16:10

can do then I can go into here and I can

16:13

edit the policy and editing the policy

16:15

it'll just give me some more information

16:17

about it so you can see this is a

16:19

built-in detection policy and it gives

16:22

you a description so this profile I'll

16:25

tell you what impossible trouble is

16:26

basically if I log into my Microsoft 365

16:29

in London and then 10 minutes later I

16:32

log into my Microsoft 365 in New York

16:36

that is what is class as impossible

16:38

travel I can't get from London to New

16:40

York in 10 minutes so there might be an

16:42

issue there might not be an issue I

16:45

could be maybe logging into a VPN or

16:47

something but there might be an issue

16:49

and we can now set within Microsoft 365

16:52

what we want to do with that issue so

16:54

the first thing obviously is the scope

16:56

do we want this policy to apply to all

16:58

you users and groups or specific users

17:01

and groups then we can go on to alerts

17:03

so what do we want to do we can send an

17:05

alert to an email so if you're an IT

17:08

department you could send this to the IT

17:10

department email so it can get picked up

17:11

really quickly if you're an MSP maybe

17:14

your services email again so someone can

17:17

get hold of it and act on it also we can

17:20

go further than that because we've got

17:22

some governance actions if I click on

17:24

the drop down here what we can do we can

17:27

notify users so I can notify the end

17:31

user that this has happened so if it's a

17:33

busy executive we can send them an

17:35

automatic email to say The Impossible

17:37

travel is this you we can go further

17:40

than that we can go and suspend the user

17:43

in Azure ad so it can stop them from

17:46

logging on if that's a busy executive

17:49

they might get a little bit annoyed by

17:50

that but it's an option plus what we can

17:53

also do is confirm that the user has

17:55

been compromised so in Azure active

17:57

directory entry ID

17:59

the users risk level will go to high so

18:02

that could kick in some additional

18:04

conditional access policies and then

18:06

once I'm happy with all that I can

18:08

simply just update it all I'll just come

18:10

back out of that cuz I want to show you

18:12

something else now we've got so many

18:14

other policies that are baked into 365

18:17

here Microsoft have also given these a

18:19

severity so you might as well go and

18:21

configure these look we've got

18:22

suspicious inex forwarding that's what a

18:25

lot of hackers do when they compromise

18:27

an email account they'll set up forwards

18:29

well wouldn't it be great if you could

18:30

be alerted to that as an IT provider as

18:33

it's happening you can then nip that in

18:36

the bud you can also if we just go into

18:38

that again the governance actions click

18:40

on here we can do the same things we

18:42

could suspend the account we could

18:44

confirm the user has been compromised

18:47

lots of great policies here but there's

18:50

also more policy templates here so these

18:53

are the ones baked into 365 these are

18:55

the ones that you can create your own

18:58

now there's lots of different ones here

18:59

the one that I want to show you because

19:01

a lot of our clients ask about this is

19:04

data shared with personal email

19:06

addresses I know a lot of business

19:08

owners that this is a bit of a concern

19:10

for so I could go into here I could

19:12

create a policy based on that that's

19:14

going to give it a a name we can change

19:16

that if we want we can give it a

19:18

severity and the category is sharing

19:21

control now we can build filters in here

19:24

so what we can do these are all kind of

19:26

policy templates but we can get a blank

19:29

policy and we can build filters so it's

19:32

really granular but what this policy is

19:36

saying this is a Microsoft suggested

19:37

policy is anything personal email

19:40

addresses so it's built all these in and

19:42

what we're saying is if files are shared

19:45

from one drive for business SharePoint

19:47

online to personal email addresses we

19:50

can do lots of different things so yes

19:53

we can send an alert but we can also do

19:55

things within Microsoft W drive for

19:58

business and

19:59

SharePoint we can notify specific users

20:03

we can put the user into quarantine this

20:05

one I like what we can do is apply a

20:08

sensitivity label so what we could do is

20:11

we could have a sensitivity label which

20:13

means that data can't be as access by

20:16

people outside the organization and we

20:18

could apply that sensitivity label when

20:21

someone tries to share some data to any

20:25

of these domains so it would kick in

20:27

that the person receiving that wouldn't

20:29

be able to access that data so that is a

20:32

really strong policy you can have so

20:35

there's the policies built into Defender

20:37

for cloud apps so there you have it

20:38

Defender for cloud apps an incredibly

20:41

useful security tool that you can get

20:44

with Microsoft 365 I hope you enjoyed

20:47

this video hope I'll see you again soon