Leipzig, 02/08/2018 – In its conversations with Security Operations (SecOps) teams, Microsoft is seeing a notable shift in the approach to threat detection and protection: away from a technology-driven, product-focused approach and towards a use-case driven one. These teams define their pain points carefully and invest in solutions that address those key needs.
As we all know, the more visibility you gain into your users’ activities, the better control you have. To this end, Microsoft constantly innovates to provide better visibility, control, and protection for your cloud apps. Today Microsoft is sharing new enhancements to its threat protection capabilities that take investigation and remediation for cloud apps to the next level.
Microsoft Cloud App Security is a component of Microsoft’s Enterprise Mobility + Security suite.
What are the new enhancements in threat detection?
Over the last year, Microsoft re-designed the threat protection and anomaly detection engine in Microsoft Cloud App Security and Office 365 Cloud App Security, leveraging knowledge from Microsoft’s Intelligent Security Graph. Cloud App Security now helps detect the most sophisticated threats in your cloud apps faster. In addition, it exposes more data from the detection engine, to help you speed up the investigation process and contain ongoing threats.
So, what are these changes specifically?
For an enhanced admin experience, Microsoft introduced several new policies. Each of these policies represents a different detection and use-case scenario, for example impossible travel, multiple failed login attempts, or activity from a suspicious IP address. This aligns Cloud App Security with the use-case driven approach SecOps teams demand, as each detection represents a key security use case.
All the new policies include learning mechanisms to reduce false-positive alerts, so you can focus on what matters most. These policies replace the “General Anomaly Detection” policies, but all the historic alerts you currently have remain visible.
You also want all the information possible, so you can triage the different alerts quickly and decide which ones need attention first. For that you need the alert’s context, so you can see the bigger picture and understand whether something malicious is indeed happening.
To help with this, Microsoft has improved the alert investigation capabilities in the activity log with the newly added “User Insights.” This includes information such as the number of alerts and activities for the user and where they have connected from, all of which matters in an investigation.
Cloud App Security Activity log, User Insights (Source: https://cloudblogs.microsoft.com/enterprisemobility/2018/02/08/cloud-app-security-threat-protection-just-got-better/)
Now you can easily understand the suspicious activities the user was performing and gain more confidence as to whether the account was compromised. For example, an alert on multiple failed logins may indeed be suspicious and can indicate a potential brute-force attack, but it can also be an application misconfiguration, which makes the alert a benign true positive. However, if you see a multiple-failed-logins alert together with additional suspicious activities, there is a higher probability that the account is compromised.
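To make the triage logic described above concrete, here is an added example that is not code from Microsoft or from Cloud App Security: toy versions of the “impossible travel” and “multiple failed login attempts” detections run over a handful of constructed sign-in events, followed by the correlation step that keeps a lone failed-login burst at medium severity (it may be a misconfigured client) and raises it to high only when the same user also triggers impossible travel. The thresholds (900 km/h, five failures in ten minutes), the event fields, the IP addresses and the coordinates are all assumptions made for the illustration.

```python
# Added example (not Microsoft Cloud App Security code): toy "impossible travel"
# and "multiple failed login attempts" detections plus the correlation step that
# raises confidence when both fire for one user. Thresholds, field names and
# the sign-in events below are assumptions for illustration.
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import radians, sin, cos, asin, sqrt


@dataclass
class SignIn:
    user: str
    ts: datetime
    ip: str
    lat: float       # geolocation of the source IP (assumed already resolved)
    lon: float
    success: bool


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(events, max_speed_kmh=900.0):
    """Flag consecutive successful sign-ins by one user whose implied speed
    exceeds max_speed_kmh (assumed threshold: faster than an airliner)."""
    alerts, last = [], {}
    for e in sorted(events, key=lambda x: x.ts):
        if not e.success:
            continue
        prev = last.get(e.user)
        if prev is not None:
            km = haversine_km(prev.lat, prev.lon, e.lat, e.lon)
            hours = (e.ts - prev.ts).total_seconds() / 3600
            speed = km / hours if hours > 0 else (float("inf") if km > 0 else 0.0)
            if speed > max_speed_kmh:
                alerts.append({"user": e.user, "from": prev.ip, "to": e.ip,
                               "km": round(km), "speed_kmh": round(speed)})
        last[e.user] = e
    return alerts


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """One alert per user whose failures inside a sliding `window` reach `threshold`."""
    alerts, recent = {}, {}
    for e in sorted(events, key=lambda x: x.ts):
        if e.success:
            continue
        q = recent.setdefault(e.user, [])
        q.append(e.ts)
        while e.ts - q[0] > window:      # drop failures that fell out of the window
            q.pop(0)
        if len(q) >= threshold and e.user not in alerts:
            alerts[e.user] = {"user": e.user, "failures": len(q), "ip": e.ip}
    return alerts


def triage(events):
    """Per-user verdict: a failed-login burst alone may be a misconfigured client
    (benign true positive) and stays 'medium'; burst plus impossible travel is 'high'."""
    travel = {a["user"] for a in impossible_travel(events)}
    bursts = failed_login_bursts(events)
    verdicts = {}
    for user in travel | set(bursts):
        alert_count = (user in travel) + (user in bursts)   # the "number of alerts" a User Insights view would show
        severity = "high" if user in travel and user in bursts else "medium"
        verdicts[user] = {"alerts": alert_count, "severity": severity}
    return verdicts


# Constructed sample sign-ins (RFC 5737 documentation addresses; Berlin / Sao Paulo coordinates).
T = datetime(2018, 2, 8, 8, 0)
BERLIN, SAO_PAULO = (52.52, 13.405), (-23.55, -46.63)
EVENTS = [
    SignIn("alice", T, "198.51.100.10", *BERLIN, True),                                   # normal office sign-in
    *[SignIn("alice", T + timedelta(minutes=60 + i), "203.0.113.5", *SAO_PAULO, False) for i in range(5)],
    SignIn("alice", T + timedelta(minutes=65), "203.0.113.5", *SAO_PAULO, True),          # attacker gets in: burst + impossible travel
    *[SignIn("bob", T + timedelta(minutes=60 + i), "198.51.100.10", *BERLIN, False) for i in range(5)],
    SignIn("bob", T + timedelta(minutes=70), "198.51.100.10", *BERLIN, True),             # same office IP: likely a stale password in a client
    SignIn("carol", T, "198.51.100.10", *BERLIN, True),
    SignIn("carol", T + timedelta(minutes=30), "198.51.100.10", *BERLIN, True),
]

if __name__ == "__main__":
    for user, verdict in sorted(triage(EVENTS).items()):
        print(user, verdict)
```

Running the block prints a high verdict with two alerts for alice and a medium verdict with one alert for bob, while carol produces nothing; the point is that the same failed-login burst is scored differently depending on what else the user did, which is the context User Insights is meant to surface.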