BECOME AN OMNIPOTENT FORCE WITH O365 CLOUD APP SECURITY COMBATING THREATS, PROTECTING DATA

BECOMEAN OMNIPOTENT FORCEWITH O365 CLOUD APP … · 2019. 4. 23. · O365 GCC E1 or Greater PowerApps: Build custom business apps Q2CY19 O365 GCC E1 or Greater Sway: Interactive presentations



BECOME AN OMNIPOTENT FORCE WITH O365 CLOUD APP SECURITY

COMBATING THREATS, PROTECTING DATA


Jim Daniels, Williamson County, Texas
CGCIO, MCT, MCSE, MCSA, CAMS, CIAM
https://www.linkedin.com/in/jim-daniels

Jim Daniels is currently the Solutions Architect and Active Directory/Identity Manager for Williamson County. He is active in the Office 365 community, particularly in the government tenant, Exchange Online, management, governance, and collaborative areas. A graduate of the TAGITM CGCIO program, Jim is also a Microsoft Certified Trainer (MCT) and holds Microsoft Certified Professional (MCP), Microsoft Certified Solutions Associate (MCSA), and Microsoft Certified Solutions Expert (MCSE) certifications in Office 365 and Server Platform and Infrastructure. Active in the identity space, the Identity Management Institute recognizes him as a Certified Access Management Specialist (CAMS) and a Certified Identity and Access Manager (CIAM).


Office 365 Government Community Cloud Tenant Overview
• Separate cloud built out specifically for U.S. State and Local Government customers only
• Certain areas and features disabled due to compliance concerns – Yammer, SfB file sharing, Teams third-party add-ins
• Increased security and compliance capability boundaries, with new features released 6-12 months later than in Commercial O365 tenants
• O365 Roadmap details feature parity differences between GCC and Commercial O365 tenants

Williamson County O365 GCC Tenant Summary
• 2,100 users, 400 are deskless/kiosk
• Mix of F1, E1, E3, E5 core licenses with EMS E3, EMS E5, à la carte ATP, Visio Pro, Power BI Pro Gov.
• Incorporating the complete experience with Windows 10 Enterprise (M365).


OFFICE 365 GCC ROADMAP ( AS OF APRIL 2019)

Suite | Office 365 Roadmap (GCC - Government Community Cloud) | Target Release Date
O365 GCC E1 or Greater | Microsoft Teams | Avail. since 8/2018
O365 GCC E1 or Greater | Teams: Recording | Q3CY19
O365 GCC E1 or Greater | Teams: Live Events (Quick Start & External Encoder) | Q3CY19
O365 GCC E1 or Greater | Teams: OneNote Tab | Q4CY19
O365 GCC E1 or Greater | Yammer: Enterprise social network | x
O365 GCC E1 or Greater | Flow: Automate processes and tasks | Q2CY19
O365 GCC E1 or Greater | PowerApps: Build custom business apps | Q2CY19
O365 GCC E1 or Greater | Sway: Interactive presentations | Not Planned
O365 GCC E1 or Greater | To-Do: Manage, prioritize, and complete tasks | TBD
O365 GCC E1 or Greater | Bookings: Simplify appointment scheduling | TBD
O365 GCC E1 or Greater | StaffHub: Firstline worker scheduling, communicating, and sharing | Not Planned
O365 GCC E1 or Greater | Service Communication API: Display change and incident notifications in external systems | Not planned
O365 GCC E1 or Greater | Add-On - Workplace Analytics | TBD
O365 GCC E1 or Greater | Whiteboard | TBD

Suite | Enterprise Mobility and Security Roadmap (GCC - Government Community Cloud) | Target Release Date
EMS GCC E5 | Cloud App Security: Visibility, control, and protection for your SaaS ecosystem | x
EMS GCC E5 | Azure Advanced Threat Protection: Detect and investigate advanced attacks and insider threats | x


Microsoft Office 365 GCC Tenant Summary

• GCC = Government Community Cloud

• SaaS

• DISA Level 2

• FedRAMP Moderate

• ITAR = N

• DFARS = Y (No – CDI)

• FIPS 140-2 = Yes

• Microsoft U.S. Citizen Only Admins = Yes

• Non-US Customer users = Yes (Customer assumes risk)

• CJIS Compliant = Yes (controls need to be set)


LIFE WITHOUT CAS


CLOUD APP SECURITY (CAS)

Microsoft Cloud App Security (MCAS) provides enterprise-grade security for your cloud apps, bringing the security of your on-premises systems to your cloud applications for deeper visibility, comprehensive controls, and enhanced protection against cloud security issues.


ARCHITECTURE

App connectors – use APIs to extend control and protection to other SaaS applications. Without an app connector, discovery can still occur.

Discovery – use traffic logs to dynamically discover and analyze cloud apps in use (shadow IT).

Conditional access – use reverse proxy architecture to see and control activities performed. Avoid data leaks, set rules and policies, gain visibility into unprotected endpoints and non-organization network access.


MICROSOFT CAS ≠ O365 CAS

Feature | Microsoft Cloud App Security | Office 365 Cloud App Security
Discovered apps | 16,000+ cloud apps | 750+ cloud apps similar to O365
Deployment for discovery analysis | Manual and automatic log upload | Manual log upload
Log anonymization for user privacy | Yes |
Cloud usage analytics per app, user, IP address | Yes |
Ongoing analytics, reporting, and anomaly detection | Yes |
Data Loss Prevention (DLP) support | Cross-SaaS DLP and data sharing control | Uses existing Office DLP (E3+)
App permissions and ability to revoke access | Yes | Yes
Policy setting and enforcement | Yes |
Integration with AIP and third-party DLP solutions | Yes |
Anomaly detection and behavioral analytics | For cross-SaaS apps including Office 365 | For Office 365 apps
Manual and automatic alert remediation | Yes | Yes
SIEM connector | Yes. Alerts and activity logs | Yes. Office 365 alerts only
Activity policies | Yes | Yes


ROCKING THE 'CAS'BAH


DISCOVERY

Upload
• Manual
• Automatic
• Firewall
• Defender ATP

Process
• Parse
• Analyze – compare against MSFT's app catalog

Assess
• Discovery area
• Reports
• Alerts


DEFENDER ATP INTEGRATION

• Turn on in Windows Defender Security Center – https://securitycenter.windows.com
• Allows a filterable segment for discovery
• Continues to monitor organization devices regardless of network or location
• Eliminates "Unknown" user data
• "Machine" metadata is ONLY populated from the Defender ATP integration
• Similar integration for Intune devices


DISCOVERY

• Information about each application is pulled from the catalog
• Applications are given various metadata to use for filtering, alerts, and categorization
  – Tags (Sanctioned/Unsanctioned, custom), safety scores, notes
• Can view based on application, IP addresses, users, and machines
• Remember: policies are more flexible the better your data is, and the more organized and tagged that data is


REAL WORLD DISCOVERY USAGE

Which users are still using "Application X"?

Our organization just implemented a new collaboration file share suite. We need the ability to tell who is still using the previous (no longer supported) suite so we can engage them in additional training or remediation.


REAL WORLD DISCOVERY USAGE

1. Search for the application in "Discovered apps"
2. Click on the application name to bring up the app-specific info
3. Click on the "Users" tab
4. Sort, filter, export as needed


REAL WORLD DISCOVERY USAGE

Which applications are the most popular?

In Discovered apps, you can sort each column. This allows a view of the highest traffic usage, transaction volume, users, machines, etc…
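The upload / parse / analyze / assess flow from the Discovery slides, and the two real-world questions above (who still uses "Application X", which apps are most popular), as an added example that is not the presenter's or Microsoft's code. The firewall log format, the domains, the users and the mini app catalog are all constructed for this example; a real deployment gets the catalog from Microsoft and the log from the firewall or Defender ATP.

```python
import re

# Constructed firewall log lines; the line format is an assumption for this example,
# not any real vendor's export format. The last line is deliberately malformed.
FIREWALL_LOG = """\
2019-04-23T08:01:12Z user=alice src=10.20.1.5 dst=oldshare.example.net bytes=120400
2019-04-23T08:02:40Z user=bob src=10.20.1.9 dst=newshare.example.net bytes=80000
2019-04-23T08:05:03Z user=alice src=10.20.1.5 dst=newshare.example.net bytes=40000
2019-04-23T08:07:55Z user=carol src=10.20.2.2 dst=oldshare.example.net bytes=9000
2019-04-23T08:09:10Z user=dave src=10.20.2.7 dst=unknownapp.example.org bytes=500
2019-04-23T08:10:00Z user=bob src=10.20.1.9 dst=newshare.example.net bytes=15000
this line is garbage and must be skipped by the parser
"""

# Constructed stand-in for MSFT's app catalog: domain -> (app name, tag, safety score).
APP_CATALOG = {
    "oldshare.example.net": ("OldShare", "Unsanctioned", 4),
    "newshare.example.net": ("NewShare", "Sanctioned", 9),
}

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) bytes=(?P<bytes>\d+)$")

def parse_log(text):
    """Upload/parse stage: keep well-formed records, drop lines that do not match."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["bytes"] = int(rec["bytes"])
            records.append(rec)
    return records

def analyze(records):
    """Analyze stage: aggregate per app and enrich from the catalog; unknown domains stay visible."""
    apps = {}
    for r in records:
        name, tag, score = APP_CATALOG.get(r["dst"], (r["dst"], "Unknown", None))
        app = apps.setdefault(name, {"tag": tag, "score": score, "users": set(),
                                     "traffic": 0, "transactions": 0})
        app["users"].add(r["user"])
        app["traffic"] += r["bytes"]
        app["transactions"] += 1
    return apps

def users_of(apps, app_name):
    """Assess stage: who is still using 'Application X'? (the Users tab of a discovered app)"""
    return sorted(apps[app_name]["users"]) if app_name in apps else []

def most_popular(apps, key="traffic"):
    """Assess stage: rank discovered apps by 'traffic' or 'transactions' (a sortable column)."""
    return sorted(apps, key=lambda a: apps[a][key], reverse=True)
```

Running `users_of(analyze(parse_log(FIREWALL_LOG)), "OldShare")` answers the "still using the old suite" question for the constructed data; the unknown domain keeps the tag "Unknown" so it can be tagged later.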


APP CONNECTORS

App connectors use the APIs of app providers to enable greater visibility and control by Microsoft Cloud App Security over the apps you connect to. App connectors are available for Office 365, Azure, Box, G Suite, and more.


INVESTIGATE > ACTIVITY LOG

• Visibility into all activities from connected apps
• Powerful filtering and query capabilities
  – Pre-built queries for popular audits
  – Failed login, sharing, admin activities, download, password, etc.
• API based, not tied to a specific platform, network, or geo location


SAMPLE ACTIVITY

Can view activities by user, IP address, device type, location, app, user group, and tag


DISCOVERIES & ACTIVITIES ARE GOOD, WHAT NEXT?

Data enrichment – define custom IP ranges, user groups

CAS Policies – define how users behave in the cloud

Alerts – get notified when certain policy thresholds are triggered

Actions – perform automated actions based on policy

Remediation – mark policy triggers as ‘dismissed’, ‘resolved’, or adjust policy entirely


DATA ENRICHMENT


CAS POLICIES

Available policy types depend on data sources and features enabled within CAS.


IDENTIFYING & CONTROLLING RISK

CAS policies and alerts can be associated with defined risks:
• Access control – who accesses what, from where, with what
• Configuration control – monitor changes
• Cloud discovery – shadow IT, app usage
• Privileged accounts – monitor admin activity
• Sharing control, DLP, & Compliance – monitor permissions, file types, content, labels, sharing activity
• Threat detection – machine learning detection of data misuse

How to control risk

1. Create a policy from a template or a query.
2. Fine-tune the policy to achieve expected results.
3. Add automated actions to respond to and remediate risks automatically.


POLICY CREATION SCENARIO

Visibility into administrative activity from non-corporate IP addresses. *Requires corporate IP addresses (range) to be defined to function.

1. Create activity policy
2. Select template "Administrative activity from non-corporate IP address"
3. Customize policy as needed
   1. Alerts
   2. Governance actions
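The logic behind the "Administrative activity from non-corporate IP address" template, as an added example (not the presenter's or Microsoft's code): it assumes constructed activity records with user/ip/activity/admin fields (not the CAS schema) and two assumed corporate CIDR ranges, and it refuses to run when no ranges are defined, which is the prerequisite the scenario calls out.

```python
import ipaddress

# Constructed activity records, shaped like what an app connector exposes in the activity log.
# The field names are this example's own assumption, not the CAS schema.
SAMPLE_ACTIVITIES = [
    {"user": "alice@example.gov", "ip": "203.0.113.20", "activity": "Add member to role", "admin": True},
    {"user": "bob@example.gov", "ip": "198.51.100.7", "activity": "FileDownloaded", "admin": False},
    {"user": "carol@example.gov", "ip": "10.20.30.40", "activity": "Set company information", "admin": True},
    {"user": "dave@example.gov", "ip": "not-an-ip", "activity": "Reset user password", "admin": True},
    {"user": "erin@example.gov", "ip": "2001:db8::10", "activity": "Update user", "admin": True},
]

# Assumed corporate ranges: the data enrichment step the scenario says this policy requires.
CORPORATE_CIDRS = ["10.20.0.0/16", "203.0.113.0/24"]

def parse_ranges(cidrs):
    """Refuse to run without defined corporate ranges; the policy is meaningless without them."""
    if not cidrs:
        raise ValueError("corporate IP ranges must be defined before this policy can function")
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]

def is_corporate(ip_text, ranges):
    """True/False for a parseable address; None when the source IP cannot be parsed at all."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    # An IPv6 address is never inside an IPv4 network (and vice versa), so it counts as non-corporate.
    return any(ip in net for net in ranges)

def evaluate_policy(activities, corporate_cidrs=CORPORATE_CIDRS):
    """Template 'Administrative activity from non-corporate IP address': one open alert per hit."""
    ranges = parse_ranges(corporate_cidrs)
    alerts = []
    for act in activities:
        if not act["admin"]:
            continue  # the template only looks at administrative activity
        corp = is_corporate(act["ip"], ranges)
        if corp:
            continue
        alerts.append({
            "user": act["user"], "ip": act["ip"], "activity": act["activity"],
            # An unparseable address is surfaced rather than silently treated as corporate.
            "reason": "unparseable source IP" if corp is None else "non-corporate IP",
            "status": "open",  # resolution status per the alerts slide: open / dismissed / resolved
        })
    return alerts
```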


GOVERNANCE ACTIONS

Available governance options depend on policy type, connected apps, and features enabled within CAS.


CAS ALERTS

The alerts section shows all policy triggers (when the policy is flagged to generate an alert).

Each alert can be expanded to show additional details.
Resolution status = open, dismissed, resolved


DISCOVERED APP SECURITY BREACH



MISC FEATURES / OPTIONAL INTEGRATIONS

• Conditional access app control – real-time monitoring and control capabilities
• DLP – integrate CAS with an external DLP solution
• Playbooks – leverage Flow for more robust governance capabilities
• Admin quarantine – specified location for file-based, DLP, and sharing policy triggers
• Azure Information Protection (AIP) – use data labels for queries, discovery, and governance


CLOUD APP SECURITY IN GCC

• In order to add Cloud App Security to your Office 365 GCC tenant environment, you would need to add one of the following SKUs to your EA or Microsoft licensing vehicle (all users):

Description | SKU
CloudAppSecGCC ShrdSvr ALNG SubsVL MVL AddOn toEMSE5GCC | MRA-00001
Enterprise Mobility and Security E5 | SKU/pricing varies dependent upon your current licensing level


What is Microsoft 365 GCC?

• M365 is a per-user subscription SKU that can be used at time of EA renewal only

• M365 includes the following components:

– Office 365 GCC

– Enterprise Mobility and Security GCC

– Windows 10 Enterprise

– On Premise Server Use Rights (Exchange, SharePoint, Skype Servers)

– CoreCALs

• M365 SKUs are available at the following levels:

– M365 GCC F1

– M365 GCC E3

– M365 GCC E5


REFERENCES

• Microsoft CAS v/s O365 CAS
• CAS Overview
• Setup Cloud Discovery
• Investigation Overview
• CAS Information Page
• Microsoft FastTrack (free over-the-shoulder EMS deployment support for 150+ licenses)
• Brainstorm (Microsoft Partner option to ramp up quickly)
  – For a FREE Security Customer Immersion Experience (onsite workshop) and 90-day Training Portal, contact [email protected]


QUESTIONS / FEEDBACK

JDANIELS@WILCO.ORG