31. What is CASB
Today’s IT operations are no longer limited to on-premises installations; they have relocated to the cloud. That is one very good reason why organizations need better ways to bring the security and access controls of their internal data centers to cloud operations. One of the tools they found was the CASB, the Cloud Access Security Broker. The original purpose of a CASB was to provide visibility into all the cloud services in use across the organization. There is a war against Shadow IT, the unapproved use of cloud services, and the CASB was one of the first purpose-built weapons against it. CASBs were traditionally physical appliances that sat on premises.
They were sometimes delivered into the customer’s data center by the vendor as a virtual machine or something similar, so they were deployed as appliances. The appliance sat between the on-premises infrastructure and the cloud infrastructure, tracking everything that went on between them. So there was a CASB presence, but it was in the form of an appliance. Today’s CASB solutions have evolved, and specifically they have moved to the use of APIs: rather than just sitting there as a proxy, they use the cloud providers’ APIs to increase visibility into the cloud.
Today’s CASBs have gained the ability to look at the data that is being moved from one cloud to another, and at the data flowing between on-premises infrastructure and the cloud as well. In addition to giving security teams a better picture of an organization’s cloud infrastructure, a CASB also sees how data is being stored and how it is being processed in the cloud. With that level of visibility into the state of data in the cloud, a CASB can take the next step towards protecting the data as well.
It acts through API controls that give the CASB visibility into the various transactions between various endpoints. So what is a CASB? A CASB acts as a gatekeeper between your on-premises users and cloud resources, regardless of where the users are, what device they are using, or which application in the cloud they are using. The CASB is there to address the security gaps in organisations that use cloud services. Protection is provided by many capabilities across several areas: number one, visibility, to detect all kinds of cloud services; then data security, threat protection, and compliance. These capabilities form the basis of the Cloud App Security framework. So let’s go ahead and understand what the Cloud App Security framework is. Yes, we will talk about Microsoft Cloud App Security, but we talk about CASBs first because MCAS, Microsoft Cloud App Security, is a cloud access security broker from Microsoft. Let’s understand the Cloud App Security framework in the next lesson.
32. The Cloud App Security framework
MCAS is built on a framework that provides a lot of capabilities. Let’s talk about these. You can discover and control the use of Shadow IT. There are a lot of applications built on infrastructure as a service and platform as a service within your organization. You can investigate the usage patterns, assess the risk levels, and assess the business readiness of more than 16,000 SaaS applications against more than 80 risks.
That’s a lot. You can absolutely safeguard your sensitive data in the cloud. That means that you can understand, classify, and protect the exposure of sensitive information and use out-of-the-box policies and automated processes to apply the controls in real time across all your cloud applications. Moreover, you can protect against cyberthreats and anomalies.
So you will be able to detect unusual behaviours across cloud apps to identify ransomware, compromised users, and rogue applications, analyse high-risk usage, and remediate automatically to limit those risks. And finally, you can assess your cloud applications’ compliance: whether or not your cloud applications meet the relevant compliance requirements is something you will be able to assess. You will be able to prevent data leaks to any kind of non-compliant application and limit access to regulated data. MCAS has a certain architecture, and we need to understand that in detail. Let’s go ahead and talk about that in the next section.
33. Microsoft Cloud App Security architecture
So far, we understand that Cloud App Security is there to strengthen and harden your servers so that any kind of cyberattack can be detected and prevented. But it’s not just that. Cloud App Security reveals several things: for example, how each server connects to its neighbours and how traffic is routed among the various instances, which makes a significant difference to the security model. Cloud App Security integrates visibility with your cloud; let’s understand how it does that. Cloud Discovery uses traffic logs to dynamically discover and analyze the cloud apps that are being used. Apps in your cloud can be sanctioned or unsanctioned; that is, using the Cloud App Catalog, you can use Cloud App Security to sanction or unsanction apps in your organization. More than 16,000 cloud applications are ranked and scored based on industry standards. There are also a lot of connectors.
These connectors are pretty straightforward. You can use the providers’ APIs for visibility and governance: app connectors use the APIs from cloud app providers to integrate those cloud apps with MCAS and extend control and protection to them. These connectors also give you information directly from the cloud apps for Cloud App Security analysis. You already know about conditional access from one of the previous modules, so you can use Conditional Access App Control to get real-time visibility and control over access and the activities that are happening in your cloud applications. In Cloud App Security, you can fine-tune policies, so you have continuous control through those finely tuned policies. That means you can use these policies to define how users should behave in the cloud. Policies can detect different kinds of risky behaviours, violations, and suspicious data points and activities in the cloud environment.
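To make the Cloud Discovery idea concrete, here is an added example (not MCAS code, and not the real Cloud App Catalog) of the job a CASB does with traffic logs: parse proxy log lines, map each destination host to an app in a catalog with a risk score, aggregate who used each app and how much data was uploaded to it, and report unsanctioned apps that received data. The log lines, the catalog, the risk scores (1 to 10, higher is safer) and the sanctioned flags are all constructed for this illustration.

```python
"""Cloud discovery from proxy traffic logs, in outline.

Added example, not MCAS code: the log lines, the mini app catalog, the risk
scores (1-10, higher is safer) and the sanctioned flags are all constructed
for this illustration. A real CASB does the same job with the vendor's
catalog of thousands of apps and your firewall/proxy logs.
"""
import re
from urllib.parse import urlsplit

# Constructed proxy log: timestamp, user, method, URL, bytes sent by the client.
SAMPLE_LOG = """\
2024-01-15T09:12:01Z alice@example.test GET https://teams.example-cloud.test/chat 1024
2024-01-15T09:13:45Z bob@example.test POST https://files.unknown-share.test/upload 5242880
2024-01-15T09:14:10Z alice@example.test POST https://sharepoint.example-cloud.test/sites/hr 20480
this line is garbage and should be skipped
2024-01-15T09:20:33Z carol@example.test POST https://files.unknown-share.test/upload 10485760
2024-01-15T09:21:02Z bob@example.test GET https://crm.partner-saas.test/leads 512
"""

# Constructed catalog: host -> (app name, category, risk score, sanctioned).
APP_CATALOG = {
    "teams.example-cloud.test": ("Teams", "collaboration", 9, True),
    "sharepoint.example-cloud.test": ("SharePoint", "storage", 9, True),
    "files.unknown-share.test": ("UnknownShare", "storage", 3, False),
    "crm.partner-saas.test": ("PartnerCRM", "crm", 6, False),
}

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT|DELETE) (\S+) (\d+)$")


def parse_log(text):
    """Turn raw proxy lines into events; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, user, method, url, nbytes = m.groups()
        events.append({"ts": ts, "user": user, "method": method,
                       "host": urlsplit(url).hostname, "bytes": int(nbytes)})
    return events


def discover_apps(events, catalog=APP_CATALOG):
    """Aggregate traffic per app: who used it and how much data went up to it."""
    apps = {}
    for ev in events:
        # Hosts missing from the catalog are still reported, as unknown/unscored.
        name, category, risk, sanctioned = catalog.get(
            ev["host"], (ev["host"], "unknown", 0, False))
        entry = apps.setdefault(name, {"category": category, "risk": risk,
                                       "sanctioned": sanctioned,
                                       "users": set(), "upload_bytes": 0})
        entry["users"].add(ev["user"])
        if ev["method"] in ("POST", "PUT"):  # data leaving the organization
            entry["upload_bytes"] += ev["bytes"]
    return apps


def shadow_it_report(apps, min_acceptable_risk=7):
    """Unsanctioned apps that received uploads, riskiest (lowest score) first."""
    flagged = [(name, a) for name, a in apps.items()
               if not a["sanctioned"] and a["upload_bytes"] > 0]
    flagged.sort(key=lambda kv: (kv[1]["risk"], -kv[1]["upload_bytes"]))
    return [{"app": name, "risk": a["risk"],
             "below_threshold": a["risk"] < min_acceptable_risk,
             "users": sorted(a["users"]), "upload_bytes": a["upload_bytes"]}
            for name, a in flagged]


if __name__ == "__main__":
    for row in shadow_it_report(discover_apps(parse_log(SAMPLE_LOG))):
        print(row)
```

Only uploads to unsanctioned apps are flagged here; PartnerCRM is unsanctioned but saw only GET traffic, so it appears in the inventory but not in the report. A real deployment would feed the full inventory back into a sanction/unsanction decision rather than stopping at a report.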
34. O365 Cloud App security And Azure AD Cloud App Discovery
There are two main components of Cloud App Security. You have Office 365 Cloud App Security and Cloud App Discovery in Azure Active Directory, which are the critical components from which Cloud App Security obtains data. The first one is Office 365 Cloud App Security. As you may have guessed, this is a subset of Cloud App Security, and it is there to provide enhanced visibility and control of your Office 365 environment.
So you’ll be getting a lot of threat-detection information based on the user activity logs, the discovery of shadow IT applications, and the various permissions and controls we have in Office 365. As a result, the Office 365 Cloud App Security features are a subset of the core MCAS features. Then there is Cloud App Discovery in Azure AD, which is part of the Azure AD P1 licence. This feature is based on the Microsoft Cloud App Security discovery capabilities and provides deeper visibility into cloud application usage in your organization. You use Microsoft Cloud App Security to intelligently and proactively identify and respond to threats across your organisation’s Microsoft and non-Microsoft cloud services.
35. Chapter Summary
Let’s go ahead and summarise this chapter. So what did we learn here? You learned about various methods to improve security in your cloud using Microsoft 365 Defender services. You now have a general understanding of Microsoft 365 Defender: we covered Defender for Identity, Defender for Office 365, and Defender for Endpoint, and finally you saw how Microsoft Cloud App Security supports access to and maintains control over critical data.
Today’s world has a lot of demand for cloud services and access to them, and it is very important to maintain strong security. But there needs to be a balance between strong security and allowing your users to access the data. Without tools like Microsoft Defender, you have to rely on different vendor solutions that might not integrate well or might leave gaps. Overall, you have the Microsoft 365 Defender service, Microsoft Defender for Identity, Microsoft Defender for Office 365, Microsoft Defender for Endpoint, and finally Cloud App Security to help protect your data and assets. Thanks for watching so far. See you in the next lesson, where we’ll go over Microsoft 365’s various security capabilities.
36. Security Management Capabilities of M365 – Introduction
Welcome to this next section, where we’ll talk about the security management capabilities of Microsoft 365. The last section was all about the threat-protection capabilities of Microsoft 365; here we’ll focus on the security management capabilities. Let’s get started. You know about Microsoft 365 Defender, which is part of Microsoft’s extended detection and response (XDR) solution. This is an enterprise defence suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks.
The security management capabilities of Microsoft 365, which are done through the Security Center, provide a centralised site where you can manage security across different kinds of identities, different kinds of data, devices, and applications. So what are we going to talk about in this lesson? We’ll talk about Microsoft 365 Security Center, with a focus on the security score and the various kinds of reports and dashboards that can be generated. Plus, we’ll talk about incidents and incident management capabilities. Let’s get started with that point now. Thanks for watching so far, and I’ll see you in the next lesson.
37. Microsoft 365 Security Center – Intro
In your organization, you’ve got different kinds of identities, data, devices, applications, and infrastructure, and you need to monitor and manage security across all of these entities. Microsoft 365 Security Center is the new home for monitoring and managing them. It is the one-stop snapshot where you can view the security health of your organisation, configure your devices, users, and applications, and get alerts for suspicious activities.
The Microsoft 365 Security Center helps security administrators and the security operations team manage and protect your organization. It is like a single-page view of all the entities in your organization. With Microsoft 365 Security Center you have role-based access control, giving granular permissions to people in different roles so that each sees information that is meaningful for their day-to-day job. A lot of administrators would love to customise their navigation pane to meet their day-to-day operational needs, and Microsoft 365 Security Center lets you customise the navigation pane to show or hide functions and services based on your preferences.
Customization is specific to an admin, so other admins won’t see your changes. The Microsoft 365 Security Center navigation pane holds a lot of information. For example, you can see a one-stop snapshot of the overall security health of your organization. You can see incidents, meaning the broader story of an attack: how do you connect all the dots, and where are those individual alerts coming from? You can mark exactly where the attack started, which devices were impacted, which users were affected, and where the threat has gone. You can also get alerts, giving you greater visibility into all the alerts across the Microsoft 365 environment: alerts from Cloud App Security, Microsoft Defender for Office 365, Azure Active Directory, Microsoft Defender for Identity, and Microsoft Defender for Endpoint. Keep in mind that this is available to E3 and E5 licensed customers.
Then you have the Action Center, which reduces the volume of alerts your security team must address manually. That means the security team can focus on more sophisticated threats and other high-value initiatives in your organization. Administrators can generate reports and get the detailed views and information needed to better protect your users, devices, applications, and other entities.
Secure Score shows where you stand when it comes to the overall security posture of the organization. The Secure Score page provides a summary of the different security features and capabilities you have enabled and includes recommendations for areas to improve. You’ve got advanced hunting in place so you can proactively search for malware and suspicious files and see what kinds of activities are happening in your Microsoft 365 organization. You can also do data classification there; that is, you protect against data loss by labelling documents and classifying email messages, documents, and different kinds of sites.
When a label is applied, the content or site is protected based on the settings you choose. For example, you can create labels that encrypt files, add content markings, and control user access to specific sites. There are policies that you can set up to manage your devices, protect against threats, and receive alerts about various activities in your organization. And finally, permissions: you can see who has how much access to which content and what tasks are being completed. All of this can be seen in the Microsoft 365 Security Center. In order to access the Microsoft 365 Security Center, you must be a global administrator, a security administrator, a security operator, or at least a security reader; one of these roles must be assigned to your account. Clouds are a moving target. Similarly, the Microsoft 365 Security Center is always evolving, and it now includes a new specialised workspace tailored to the needs of security and compliance teams.
38. How to use Microsoft Secure Score
You’re not hearing about Secure Score for the first time. We had a similar term when we talked about the Azure Security Center Secure Score, but there is a difference. We’ll talk about the differences in the next section, but let’s first try to understand what Microsoft Secure Score is. It is one of the tools in the Microsoft 365 Security Center and a representation of a company’s security posture: the higher the score, the better your protection.
Secure Score helps organisations report on the current state of their security posture and improve it by providing discoverability, visibility, guidance, and control. You can compare against various benchmarks and establish KPIs. You get points for different kinds of actions: configuring recommended security features, doing security-related tasks, or taking action to address an improvement that is suggested by Azure Security Center. Other actions give you partial points if they are completed for a certain number of devices or users.
If you have a licence for one of the supported Microsoft products, you will see related recommendations for those products as well. Secure Score shows all possible improvements for your products: whatever the licence, edition, subscription, or plan, you will be able to see security best practices and the improvements that can be made to your score.
Whatever licences your organisation owns for a specific product, your absolute security posture, represented by the Secure Score, remains the same. Keep in mind that security should be balanced with usability, and not every recommendation can work for your environment. Currently, Microsoft Secure Score supports recommendations for Microsoft 365, Azure Active Directory, Microsoft Defender for Endpoint, Microsoft Defender for Identity, and Cloud App Security, and new recommendations are being added all the time. Now, let’s talk about the difference between the Azure and Microsoft secure scores. There is a score given by Microsoft 365 Defender and one given by Azure Defender as well. Let’s go ahead and talk about the subtle differences between these in the next section.
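The scoring model described in this lesson, full points for all-or-nothing actions and partial points for actions covering only some devices or users, is easy to misjudge when you only read the page. The following added example (not Microsoft’s scoring code) combines a few constructed improvement actions into one score and ranks the incomplete ones by the points still available, which is how a practitioner decides what to fix first. The action names, point values and coverage counts are all made up for the illustration.

```python
"""Computing a secure-score style posture figure from improvement actions.

Added example, not Microsoft's scoring code: the actions, point values and
coverage numbers are constructed to show how full, zero and partial credit
combine into one score and how to rank what to fix next.
"""

# Constructed improvement actions. Tenant-wide actions are all-or-nothing;
# per-device/per-user actions earn partial credit for the share covered.
IMPROVEMENT_ACTIONS = [
    {"name": "Require MFA for administrative roles", "max_points": 10,
     "scope": "tenant", "completed": True},
    {"name": "Block legacy authentication", "max_points": 8,
     "scope": "tenant", "completed": False},
    {"name": "Turn on BitLocker for all devices", "max_points": 8,
     "scope": "devices", "covered": 75, "total": 100},
    {"name": "Enable self-service password reset", "max_points": 1,
     "scope": "users", "covered": 0, "total": 250},
]


def points_earned(action):
    """Points an action currently contributes to the score."""
    if action["scope"] == "tenant":
        return float(action["max_points"]) if action["completed"] else 0.0
    if action["total"] == 0:       # nothing to cover: treat as not applicable
        return 0.0
    share = action["covered"] / action["total"]
    return round(action["max_points"] * share, 2)


def secure_score(actions):
    """Return (earned, maximum, percent) across all actions."""
    earned = sum(points_earned(a) for a in actions)
    maximum = sum(a["max_points"] for a in actions)
    percent = round(100.0 * earned / maximum, 2) if maximum else 0.0
    return earned, maximum, percent


def prioritise(actions):
    """Incomplete actions ordered by points still on the table, highest first."""
    remaining = [(a["name"], round(a["max_points"] - points_earned(a), 2))
                 for a in actions]
    remaining = [(name, left) for name, left in remaining if left > 0]
    remaining.sort(key=lambda pair: -pair[1])
    return remaining


if __name__ == "__main__":
    print(secure_score(IMPROVEMENT_ACTIONS))
    for name, left in prioritise(IMPROVEMENT_ACTIONS):
        print(f"{left:5.2f} points available: {name}")
```

Note that the ranking is by points, not by effort or by fit with your environment; as the lesson says, security has to be balanced with usability, so the list is a starting point for a review, not an order of execution.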
39. Differences between the Azure and Microsoft Secure Score
There is a subtle difference between the score provided by Microsoft 365 Defender and the score provided by Azure Defender. The Secure Score in Azure Security Center is a measure of the security posture of your entire subscription. The Secure Score in the Microsoft 365 Security Center, on the other hand, is a measure of the security posture of the organisation across your identities, applications, and devices. Both the Azure Secure Score and the Microsoft Secure Score provide you with a list of steps you can take to improve your score.
In Microsoft 365 Secure Score, these steps are called “improvement actions.” In Azure Secure Score, there are assessments for each of your subscriptions, and the steps you can take to improve your score are called “security recommendations,” grouped by security control. You use the Microsoft Secure Score to understand and improve your organization’s security posture. If you are a Microsoft 365 administrator for your organization, you need to monitor and work on the security of your organisation’s identities, applications, data, and devices.
40. Managing Incidents
What is an “incident”? An incident is a collection of alerts that were created when something suspicious was found. Alerts are generated for different kinds of entities, devices, users, and mailboxes, and they come from different domains. These alerts are automatically aggregated by Microsoft 365 Defender, and an incident becomes the grouping of all these related alerts. The incident provides a comprehensive view and context of an attack. Security personnel can then use an incident to determine where an attack started, what methods were used, and to what extent the attack has progressed within the network.
The incident also tells you the scope of the attack: how many users were affected, how many devices were impacted, and how many mailboxes were affected. The severity of the attack can also be determined from the incident. Managing incidents is critical to ensuring that threats are contained and addressed. In Microsoft 365 Defender, you can manage incidents on devices, user accounts, and mailboxes. You manage an incident by selecting it from the incidents queue. Incidents are automatically assigned a name based on the alerts; you can change the incident’s name, resolve it, and set its classification and determination. You can also assign the incident to yourself and add incident tags and comments. When you investigate cases where you want to move alerts from one incident to another, you can do that in the Alerts tab, creating larger or smaller incidents that include all relevant alerts.
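To show what “an incident is a grouping of related alerts” means in practice, here is an added example (not Microsoft 365 Defender code) that correlates constructed alerts from the endpoint, email and identity domains into incidents, names each incident after one of its alerts, takes the incident severity from its worst alert, and summarises scope as the distinct devices, users and mailboxes involved. The correlation rule, alerts sharing a device, user or mailbox belong together, is a deliberately simple stand-in for the product’s own grouping logic, and every alert shown is constructed.

```python
"""Aggregating related alerts into incidents and summarising their scope.

Added example, not Microsoft 365 Defender code: the alerts are constructed,
and the correlation rule (alerts that share a device, user or mailbox belong
to the same incident) is one simple, transparent stand-in for the product's
own grouping logic.
"""
from collections import defaultdict

SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3}

# Constructed alerts from different domains (endpoint, email, identity).
SAMPLE_ALERTS = [
    {"id": "a1", "title": "Suspicious PowerShell execution", "severity": "medium",
     "device": "WS-01", "user": "alice", "mailbox": None},
    {"id": "a2", "title": "Phishing email delivered", "severity": "low",
     "device": None, "user": "alice", "mailbox": "alice@example.test"},
    {"id": "a3", "title": "Credential dumping attempt", "severity": "high",
     "device": "WS-01", "user": None, "mailbox": None},
    {"id": "a4", "title": "Atypical travel sign-in", "severity": "medium",
     "device": None, "user": "bob", "mailbox": None},
    {"id": "a5", "title": "Malware detected", "severity": "high",
     "device": "WS-07", "user": "bob", "mailbox": None},
    {"id": "a6", "title": "Suspicious inbox rule", "severity": "medium",
     "device": None, "user": "carol", "mailbox": "carol@example.test"},
]


class DisjointSet:
    """Union-find over alert ids; alerts sharing an entity end up in one set."""

    def __init__(self):
        self.parent = {}

    def add(self, x):
        self.parent.setdefault(x, x)

    def find(self, x):
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def correlate(alerts):
    """Group alerts into incidents; each incident carries scope and severity."""
    ds = DisjointSet()
    first_seen = {}  # (entity kind, value) -> id of first alert naming it
    for a in alerts:
        ds.add(a["id"])
        for kind in ("device", "user", "mailbox"):
            if a[kind] is None:
                continue
            key = (kind, a[kind])
            if key in first_seen:
                ds.union(first_seen[key], a["id"])
            else:
                first_seen[key] = a["id"]

    groups = defaultdict(list)
    for a in alerts:            # preserves alert order inside each group
        groups[ds.find(a["id"])].append(a)

    incidents = []
    for n, group in enumerate(groups.values(), start=1):
        worst = max(group, key=lambda x: SEVERITY_RANK[x["severity"]])
        incidents.append({
            "name": f"Incident {n}: {group[0]['title']}",  # named after an alert
            "severity": worst["severity"],
            "alerts": [x["id"] for x in group],
            "devices": sorted({x["device"] for x in group if x["device"]}),
            "users": sorted({x["user"] for x in group if x["user"]}),
            "mailboxes": sorted({x["mailbox"] for x in group if x["mailbox"]}),
        })
    return incidents


if __name__ == "__main__":
    for inc in correlate(SAMPLE_ALERTS):
        print(inc)
```

With the constructed input, the PowerShell, phishing and credential-dumping alerts collapse into one high-severity incident spanning a device, a user and a mailbox, the two "bob" alerts form a second incident, and the inbox-rule alert stands alone. The scope fields are exactly the counts the lesson says an analyst reads off an incident: how many users, devices and mailboxes were touched.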
41. Chapter Summary
So what did we learn in this chapter? We learned about the various features of the Microsoft 365 Security Center. We then looked at Microsoft Secure Score, then reports and dashboards, and finally the incidents and incident management capabilities of the Microsoft 365 Security Center. We looked at the various features through which you can manage security across your identities, data, devices, and applications. Thanks for watching so far, and I’ll see you in the next lesson, where we’ll talk about endpoint security with Microsoft Intune.
42. Describe endpoint security with Microsoft Intune – Introduction
Microsoft Intune: what is it all about, and how do we use it in conjunction with endpoint security to manage your devices? Let’s go ahead and learn this in this section, so that we know what Intune is, what tools are available with Intune, and how you manage devices with Microsoft Endpoint Manager. Let’s get started with the first thing: what exactly is Intune?
43. What is Intune
With the “bring your own device” concept, there has been an influx of employees bringing devices into the organization, and we need some kind of application that will help you manage those devices. Microsoft Intune is a cloud-based Microsoft service that focuses on mobile device management and mobile application management. You can control how your organization’s devices, including mobile phones, tablets, and laptops, are used. You can also configure specific policies to control applications; for example, you can prevent emails from being sent to people outside your organization.
Intune also allows people in your organisation to use their personal devices for school or work. Intune can help make sure your organization’s data stays protected and can isolate it from personal data. So what can administrators do with Intune? Any kind of MDM solution should be able to support a wide array of operating systems, and Intune lets you support a diverse mobile environment and manage iOS, iPadOS, Android, Windows, and macOS devices securely. You can set rules and configure settings on personal and organization-owned devices to access data and networks. You can deploy and authenticate applications on devices, both on premises and mobile. You can protect your company’s information by controlling the way users access and share it. And you can make sure your devices and applications are compliant with your security requirements. Let’s go ahead and learn about mobile device management and mobile application management in the next section.
44. MDM and MAM
For devices owned by the business, organizations can maintain full control, and those controls include settings for the devices’ features as well as their security. When such devices are enrolled with Intune, they receive rules and settings defined by Intune policies; for example, you can define password requirements. Administrators can see the devices that have been enrolled and managed in Intune, get an inventory of the ones accessing organisation resources, and configure the enrolled devices to meet your security and health standards. As an example, you probably want to block any kind of jailbroken device. You can push certificates to devices so they can easily connect to the corporate Wi-Fi network or use a VPN to do so.
Then you can look at reports on devices and users to determine whether they are actually compliant. Any device that is lost, not compliant, or no longer being used can be removed from MDM, and before that you can remove the organization’s data from it. On the mobile application management side, you want to have control over the applications. Users with personal devices might not want their phones to be under full corporate control. Mobile application management, or MAM, gives administrators the ability to protect corporate data at the application level. Where users just want to access applications like email or Microsoft Teams, administrators can use application protection policies without requiring the device to be enrolled in Intune; that’s how you support “bring your own device” scenarios. MAM can be used with custom applications and store applications as well. When applications are managed in Intune, administrators can add and assign mobile applications to users, groups, and devices. They can configure applications to start or run with specific settings enabled and update existing apps already on the device. You can see reports on which applications are being used and track their usage. And you can do a selective wipe, removing only the organization’s data from the application. Thanks for watching so far. I hope this has been informative. Let’s go ahead and learn about the security features of Intune.
45. Endpoint Security with Intune
Endpoint security is customizable. Administrators can use Intune’s Endpoint security node to configure and manage security tasks for at-risk devices. Think about managing devices, managing security baselines, and using policies to manage device security. There are device compliance policies and conditional access, and Intune can also be integrated with Microsoft Defender for Endpoint. Finally, you can also do role-based access control with Microsoft Intune. Let’s go ahead and talk about each one of these points. The first one is managing devices.
The Endpoint security node includes the All devices view, where you see a list of all devices from your Azure Active Directory that are available in Microsoft Endpoint Manager. From this view, you can select devices to drill into for more information, for example whether the device is compliant or not. You can also take remediation actions on a device from this view, say to start a scan for malware or rotate the BitLocker keys on a Windows 10 device. Next, you can manage security baselines. Intune has security baselines for Windows devices and for a growing list of applications, including Microsoft Edge, Microsoft Defender for Endpoint, and several others. Security baselines are preconfigured groups of Windows settings that help administrators apply recommended security settings. As an example, the MDM security baseline automatically enables BitLocker for removable drives and automatically requires a password to unlock a device.
Another example would be automatically disabling basic authentication. Administrators can also customise the baseline to enforce only those settings and values that are required. The next capability is managing device security with policies. Each endpoint security policy focuses on an aspect of device security such as antivirus, disk encryption, firewalls, endpoint detection and response, and attack surface reduction; the latter are available through integration with Microsoft Defender for Endpoint. Endpoint security policies are one of several methods in Intune for configuring settings on devices. When you are managing these settings, it’s important to understand what other methods in your environment may be configuring the same settings on your devices. The next one is device compliance policies. These establish the conditions under which devices and users are allowed to access the corporate network and the company’s resources.
With compliance policies, administrators set the rules that devices and users must meet to be considered compliant. Rules can cover, for example, the minimum OS version, the password requirements, the maximum allowed device threat level, et cetera. Device compliance policies are one of several methods in Intune for configuring settings on devices; when you are managing these settings, it’s important to understand what other methods are being used in your environment to configure devices, so as to avoid policy conflicts. Conditional access is a feature of Azure Active Directory, and Intune integrates with Azure AD Conditional Access policies to enforce compliance policies. Intune passes the results of your device compliance policies to Azure Active Directory, which then uses the conditional access policies to decide which devices and applications can access your corporate resources. There are several common ways of using conditional access with Intune. You can have device-based conditional access, where you ensure only managed and compliant devices can access network resources. The other is application-based conditional access, where application protection policies are used to manage access to network resources.
That applies, for example, to users on devices that are not managed with Intune. So there is device-based conditional access and application-based conditional access. Then there’s integration with Microsoft Defender for Endpoint, which means Intune can work with Microsoft Defender for Endpoint, formerly known as Microsoft Defender ATP. This is a mobile threat defence solution, and the integration helps prevent security breaches and limit the impact of breaches within an organization. Microsoft Defender for Endpoint supports Android, iOS, iPadOS, and Windows 10 and later devices, so there is great scope for integration between Intune and Microsoft Defender for Endpoint. That means organisations can take advantage of Microsoft Defender for Endpoint’s threat and vulnerability management (TVM) features, and you can then use Intune to remediate endpoint weaknesses identified by TVM. Finally, role-based access control with Microsoft Intune. Who doesn’t know about RBAC? It’s for giving people granular permissions, just as much as they need. RBAC helps manage who has access to an organization’s resources and what they can do with that access.
By assigning roles to Intune users, administrators can limit what those users see and change. Each role has a certain set of permissions that determine what users with that role can access and change within your organization. Well, that’s all for now, folks. These are the various capabilities of Intune, and that’s how Intune integrates with several other security features in and around Azure Active Directory and Microsoft Endpoint Manager. Thanks for watching so far. I hope this has been informative, and I’ll see you in the next section.
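The compliance-policy and conditional-access discussion above describes a pipeline: compliance rules (OS version, password requirements, threat level, jailbreak state) produce a compliant/non-compliant result per device, and conditional access then grants or blocks on that result, with application-based conditional access as the BYOD route for unenrolled devices that have an app protection policy applied. The following added example (not Intune or Azure AD code) runs that pipeline over a constructed fleet; the device records, the per-platform rules, the threat-level scale and the two access modes are all assumptions made for the illustration.

```python
"""Device compliance rules feeding a conditional access decision, in outline.

Added example, not Intune or Azure AD code: the device records, the
compliance rules and the two access modes (device-based vs. application-based
conditional access) are constructed to show how the pieces described in this
section fit together.
"""
from dataclasses import dataclass

# Threat level as reported by a mobile threat defence partner (constructed scale).
THREAT_RANK = {"secured": 0, "low": 1, "medium": 2, "high": 3}


@dataclass
class Device:
    name: str
    os: str                  # "windows", "ios", ...
    os_version: tuple        # compared lexicographically, e.g. (10, 0, 19045)
    enrolled: bool           # managed by Intune (MDM) or not
    password_min_length: int
    encrypted: bool
    jailbroken: bool
    threat_level: str


# Constructed compliance policy per platform.
COMPLIANCE_POLICY = {
    "windows": {"min_os_version": (10, 0, 19041), "password_min_length": 8,
                "require_encryption": True, "max_threat_level": "medium"},
    "ios": {"min_os_version": (15, 0), "password_min_length": 6,
            "require_encryption": True, "max_threat_level": "low",
            "block_jailbroken": True},
}


def evaluate_compliance(device, policy=COMPLIANCE_POLICY):
    """Return the list of failed rules; an empty list means compliant."""
    if not device.enrolled:
        return ["not enrolled: no compliance state reported"]
    rules = policy.get(device.os)
    if rules is None:
        return [f"no compliance policy for platform {device.os}"]
    failures = []
    if device.os_version < rules["min_os_version"]:
        failures.append("os_version below minimum")
    if device.password_min_length < rules["password_min_length"]:
        failures.append("password too short")
    if rules.get("require_encryption") and not device.encrypted:
        failures.append("storage not encrypted")
    if rules.get("block_jailbroken") and device.jailbroken:
        failures.append("jailbroken/rooted device")
    if THREAT_RANK[device.threat_level] > THREAT_RANK[rules["max_threat_level"]]:
        failures.append("device threat level too high")
    return failures


def conditional_access(device, app_protection_policy_applied=False):
    """Decide access. Device-based CA grants only to enrolled, compliant devices;
    application-based CA lets an unenrolled device in when the app itself
    enforces an app protection policy (the BYOD case)."""
    failures = evaluate_compliance(device)
    if not failures:
        return ("grant", "device-based: compliant managed device")
    if not device.enrolled and app_protection_policy_applied:
        return ("grant", "application-based: app protection policy enforced")
    return ("block", "; ".join(failures))


# Constructed fleet used for the demonstration.
FLEET = [
    Device("WS-01", "windows", (10, 0, 19045), True, 12, True, False, "low"),
    Device("WS-02", "windows", (10, 0, 18363), True, 6, False, False, "secured"),
    Device("IPHONE-03", "ios", (16, 2), True, 6, True, True, "high"),
    Device("BYOD-04", "ios", (16, 2), False, 6, True, False, "secured"),
]


def fleet_decisions(devices, byod_app_protected=True):
    """Access decision per device, keyed by device name."""
    return {d.name: conditional_access(d, byod_app_protected) for d in devices}


if __name__ == "__main__":
    for name, decision in fleet_decisions(FLEET).items():
        print(name, decision)
```

Two things the run makes visible that the prose only states: an enrolled but non-compliant device is blocked with the specific failed rules attached (the material a help desk needs for remediation), and the unenrolled BYOD device is granted only through the application-based path, so if the app protection policy is not applied (`byod_app_protected=False`) that device is blocked as well.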
46. Lesson Summary
By this time, you know that Microsoft Intune is there for your mobile device management and mobile application management. In this lesson, we learned about the capabilities of Intune as they relate to endpoint security. We explored some of the tools that are available with Intune, and you needed to know how to manage devices with Microsoft Endpoint Manager. You learned about managing device security baselines and using policies to manage device security. So what is Intune, what tools are available with Intune, and how does it integrate with Microsoft Endpoint Manager to provide the best possible endpoint security? That is what we learned in this lesson. This also marks the end of module three. This module was all about learning the capabilities of Microsoft security solutions: we now know about the security capabilities of Azure, Azure Sentinel, and Microsoft 365, the threat protection capabilities of Microsoft 365, and endpoint security with Microsoft Intune. Microsoft 365 is a suite of power-packed services for the end-to-end security of your identities, applications, and devices.