First published on CloudBlogs on Apr 17, 2018
With a growing adoption of SaaS apps to support business processes, it is key to ensure secure handling of data to protect your most valuable corporate assets. With Microsoft Cloud App Security, we are enabling customers to gain insight into and better control of their eco-system of SaaS apps, of and beyond native Microsoft applications. Today we want to share details around:![]()
![]()
![]()
With a growing adoption of SaaS apps to support business processes, it is key to ensure secure handling of data to protect your most valuable corporate assets. With Microsoft Cloud App Security, we are enabling customers to gain insight into and better control of their eco-system of SaaS apps, of and beyond native Microsoft applications. Today we want to share details around:
- Two new detection capabilities that we are beginning to roll out - Ransomware activity and Terminated-user activity
- The Public Preview of custom activities for deeper visibility and control of user actions via Conditional Access App Control
Enhancing Threat Protection Capabilities
Earlier this year, we announced new threat detection capabilities in Cloud App Security, that included multiple new use-case driven detections, as well as a user-centric investigation experience.Detecting Ransomware activity
Ransomware attacks remain a common attack vector that both nation-state attackers and financial cybercriminals are leveraging. Recent examples include NotPetya and BadRabbit - both large-scale, nation-state led campaigns, targeting enterprises. Cloud App Security can already detect Ransomware attacks in a deterministic approach (via activity policy templates), and today we’re extending this capability with anomaly detection to ensure a more comprehensive coverage against sophisticated Ransomware attacks. To detect ransomware attacks, we apply our security research expertise in Cloud App Security to identify behavioral patterns that reflect ransomware activity. For example, a high rate of file uploads or file deletion activities can represent an adverse encryption process. This data is collected iin the logs that we receive from the apps’ API, we then combine these behavioral patterns with Threat Intelligence capabilities, such as the detection of known Ransomware extensions. This interplay ensures that the detection is holistic and robust and will result in relevant alerts within the Cloud App Security alerts dashboard.
Figure 1. Ransomware activity alert - details view
Terminated-user activity
When looking at what can turn a former employee into an “insider threat” we often see that employees who left their company on bad terms pose the greatest risk. We’re seeing that as employees exit a company and their user accounts are de-provisioned from corporate apps as a result, in many cases they still retain access to some corporate resources. This becomes even more important when considering privileged accounts, as the potential damage a former admin can do is distinctly greater. With the new detection capabilities we’re introducing today, Cloud App Security (CAS) will be able to identify when a terminated employee continues to perform actions on your SaaS apps. This detection is possible due to CAS’s ability to monitor user behavior across apps, while user accounts are active. This allows us to profile the regular activity of the user, identify when the account is terminated, and determine activity on other apps beyond the suspension of credentials. For example, if an employee AAD account was terminated, but he or she continues to access the corporate AWS infrastructure, an alert will be triggered.Public Preview: Define custom activities for deeper visibility and control of user actions via Conditional Access App Control
In November 2017, we announced the public preview of Conditional Access App Control , a feature that works hand-in-hand with Azure Active Directory conditional access, to provide real-time visibility and control of risky user sessions - for example, sessions with external users or users coming from an unmanaged device. Today, we are excited to share the public preview of new and enhanced capabilities of this feature that facilitate deeper visibility into, and control of various applications. You can now create a Session Policy with an Activity type filter, to monitor and/or block a variety of granular, app-specific activities, such as those shown below. This new filter augments the existing file download control features, to provide you with comprehensive control of the applications in your organization.
Figure 2. Session Policy with various Activity types
When these policies are applied, and end-users come from a risky session, they will be monitored and/or blocked from performing the actions you have selected.
Figure 3. Block notification screen of a user when trying to perform a regulated activity
Marrying these new app-specific actions with the powerful download controls already available provides you with the deep level of control needed to keep your organization secure.