Boost Secure Score & Manage Third-Party Apps in Microsoft Defender for Cloud Apps

On Day 13 of Cybersecurity Awareness Month, we’re excited to share 5 Defender for Cloud Apps recommended actions that can boost your Microsoft Secure Score by around 10 points! Stay tuned for the upcoming blogs in our M365 Cybersecurity blog series.

The thing is: We all love the convenience of cloud apps, but not everyone sticks to the IT-approved apps or checks their security! Employees often grab whatever seems useful, even if it’s not secure. This can be risky, as unapproved apps can expose confidential data and more.

To prevent such incidents and regain control over cloud app usage, Microsoft has ‘Defender for Cloud Apps (MDCA), a robust Cloud Access Security Broker (CASB) solution. Securing with Cloud App Security is essential, but it gets even better when you act on Secure Score recommendations given for MDCA.

And that’s exactly what we’re here to explain in this blog.

Defender for Cloud Apps (DCA) is part of the Microsoft Defender suite, that lets you identify users using cloud applications, control how they’re used and protect your company data. Connecting Microsoft 365 to Defender for Cloud Apps, lets you stream all events to DCA and monitor user activity.

Benefits of Microsoft Defender for Cloud Apps:

• Defender for Cloud Apps integrates smoothly with Microsoft 365 and over 25,000 other cloud applications, giving you visibility and control across different cloud environments.

• Detects Shadow IT and provides real-time session monitoring using advanced techniques like anomaly detection, behavioral analytics, and machine learning.

Defender for Cloud Apps is part of the Microsoft 365 E5 tier, but it’s also bundled with other licenses – check the image for details. But I must say that organizations heavily reliant on cloud applications, MDCA is a valuable investment!

Now that we’ve covered what Defender for Cloud Apps is, let’s dive into the major part: Microsoft Secure Score! This is a security analytics tool from Microsoft that assesses your organization’s overall security posture. It calculates a percentage score based on your configurations and settings and suggests ways to improve security.

In this section, we’ll focus specifically on the Secure Score recommendations that protect your cloud apps.

NOTE: You’ll need to connect Microsoft 365 to Defender for Cloud Apps to access these new recommendations.

Here are the recommendations given by Secure Score for Microsoft Defender for Cloud Apps.

• Ensure Microsoft Defender for Cloud Apps is enabled
• Create an OAuth app policy to notify you about new OAuth applications
• Create an app discovery policy to identify new and trending cloud apps in your org
• Create a custom activity policy to get alerts about suspicious usage patterns
• Deploy a log collector to discover shadow IT activity

Now, let’s walk through how to set these up one by one to better monitor your cloud app activity and boost your Secure Score.

First, ensure you are a Security Admin in Microsoft 365 so that you can set up & manage Defender for Cloud Apps.

READ ME! To monitor and protect each user, you must have a Defender for Cloud Apps license for everyone you want to secure.

Once licenses are sorted, check that Cloud Apps in Defender is enabled. Then, connect your apps in the app connector settings and then start monitoring user activity across all your cloud apps.

Now that Defender for Cloud Apps is up, the next secure score recommendations list step revolves around a different context! All the recommended actions suggest deploying Defender for Cloud Apps alerts to notify admins about user activities. For this, there are six different Defender for Cloud App policy types available:

• Activity policy
• File policy
• App discovery policy
• Access policy
• Session policy
• OAuth app policy

Based on Secure Score recommendations, we’ll go over how to create and control cloud apps with these policies.

Since OAuth apps request access to sensitive data or act on behalf of users, it’s crucial to ensure you’re aware of these new OAuth app connections.

For this, creating an OAuth app policy can help you manage app permissions and get notified when a new OAuth app is authorized. This lets you investigate the app’s permissions and who authorized it.

While Microsoft Defender for Cloud Apps comes with several default policy templates (we can explore that on another day), there isn’t one specifically for OAuth app alerts. So, let’s create one.

1. Login to the Microsoft Defender portal and open the ‘Cloud Apps’ dropdown.
2. Under the ‘Policies’ dropdown, select ‘Policy Management’.
3. Click ‘Create Policy’ and choose ‘OAuth app policy’.

Note: By default, it will apply to all the connected apps in the ‘App Connector’ setting page. You can customize this as you wish on the policies page.

4. Name the policy, set the severity level, and add a description.

5. Since there’s no built-in alert for new app additions, here’s a quick workaround. Head to the “Create filters for the policy” section, choose the ‘Permissions’ filter, and select all the sensitive permissions you want to track. This way, you’ll catch any new apps that ask for high-level permissions.

6. In the ‘Alerts’ section, check the option to create an alert for each matching event. Opt to receive email alerts for easy monitoring.

7. Set the daily alert limit and save the policy.

This policy alerts you when new apps request sensitive data and boosts your security and Secure Score by 4 points. That’s what I said first, a double win! 😉

App discovery policies in Defender for Cloud Apps are your best friends when it comes to spotting new or unusual app usage based on traffic logs. Microsoft recommends enabling a cloud app discovery policy to catch any suspicious activity within your organization’s apps.

The good news? You don’t have to start from scratch. 😌Microsoft provides some handy default cloud app policy templates that you can deploy right away!

1. Log in to the Microsoft Defender for Cloud Apps portal.
2. From the ‘Policies’ dropdown, select ‘Policy Templates.’
3. Now, toggle the ‘Advanced Filter’ on the right side.
4. Set the filter to: Type equals ‘App discovery policy’.
5. You’ll see four built-in templates related to identifying popular apps:

• New popular app – Alerts you when new apps are used by over 500 users.

• New high-volume app – Alerts you when new apps have daily traffic exceeding 500 MB.

• New high upload volume app – Alerts you for new apps with significant daily upload traffic.

• New risky app – Alerts you when new apps score less than 6 and have over 50 users and 50 MB of daily traffic.

6. Preview all the above policies, edit as per your wish and click ‘Create’. This can get you 3 points in your Secure Score.

That’s it. You’ll have your finger on the pulse of user activity, even when they think they’re flying under the radar!

Defender for Cloud Apps activity policy lets you keep an eye on specific user actions and catch any unexpected spikes in activity. Admins can effectively make use of the cloud app activity policies to investigate anomaly detection alerts and identify different security threat scenarios.

Just like app discovery policies, you’ll find several activity policy templates in the Defender for Cloud Apps section. Each one focuses on a particular activity, helping you pinpoint areas of concern.

1. Log in to the Microsoft Defender portal and open the ‘Cloud Apps’ dropdown.
2. Next, select ‘Policy Templates’ from the ‘Policies’ dropdown.
3. Now, toggle the ‘Advanced Filter’ on the right side.
4. Set the filter to: Type equals ‘Activity policy’.
5. You will find the 7 built-in policy templates for this case.

• Mass download by a single user – Alerts when one user downloads more than 50 files in a minute.

• Multiple failed login attempts – Notifies you if a user fails to log in to an app more than 10 times within 5 minutes.

• Logon from a risky IP – This policy alerts you when a user logs into sanctioned apps from a risky IP address. By default, the Risky IP category includes addresses tagged as Anonymous proxy, TOR, or Botnet. You can add more IPs in the IP address ranges settings page.

• Administrative activity from a non-corporate IP – Alerts when an admin logs in from an IP not on your corporate list.

• Potential ransomware activity – Notifies you if a user uploads files that could be infected with ransomware.

• Log on from an outdated browser – Alerts when a user accesses the app from an outdated browser and notifies them.

• Activities from suspicious user agents – Sends an alert if an activity is detected from a suspicious user agent that may indicate an attack tool is being used.

Pick your preferred policy, deploy it, and you’re good to go to increase your Secure Score by 2 points!

A Log Collector is the best way to find shadow IT activities. 🤔Why, you ask? It offers automated, continuous monitoring of all network traffic without being limited to specific endpoints or a lot of hardware.

The Log Collector runs on your network and collects logs using Syslog or FTP. It processes, compresses, and sends the logs to the Defender for Cloud Apps portal.

1. To start, log into the Defender for Cloud Apps portal and click on ‘Cloud Discovery.’
2. Select the ‘Configure Automatic log upload’ page.
3. In the Data Sources tab, click Add Data Source to create a source for your appliance.
4. Then, in the Log Collector tab, click Add Log Collector to set up a new one.
5. Follow the instructions provided to deploy Docker and the log collector container.

And that’s a wrap on the Defender Cloud Apps Secure Score recommendations! 🎉Now, the ball is in your court, analyze & implement based on your preferences.

Plus, in honor of Cybersecurity Awareness Month, we’re giving you the gift of knowledge. 🎁

• First on the list: A collection of essential Microsoft 365 security settings that’s often missed by admins.
• Another is a collection of powerful advanced security configurations for Microsoft 365.

Consider these gifts as our way of helping you protect your organization. Feel free to reach out if you have any queries!