<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>CASB - RiskInsight</title>
	<atom:link href="https://www.riskinsight-wavestone.com/en/tag/casb-en/feed/" rel="self" type="application/rss+xml" />
	<link>https://www.riskinsight-wavestone.com/en/tag/casb-en/</link>
	<description>The cybersecurity &#38; digital trust blog by Wavestone&#039;s consultants</description>
	<lastBuildDate>Fri, 09 Feb 2024 15:51:02 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	

<image>
	<url>https://www.riskinsight-wavestone.com/wp-content/uploads/2024/02/Blogs-2024_RI-39x39.png</url>
	<title>CASB - RiskInsight</title>
	<link>https://www.riskinsight-wavestone.com/en/tag/casb-en/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>Microsoft Defender for Cloud Apps: how to secure cloud applications use </title>
		<link>https://www.riskinsight-wavestone.com/en/2024/02/microsoft-defender-for-cloud-apps-how-to-secure-cloud-applications-use/</link>
					<comments>https://www.riskinsight-wavestone.com/en/2024/02/microsoft-defender-for-cloud-apps-how-to-secure-cloud-applications-use/#respond</comments>
		
		<dc:creator><![CDATA[Sebastien Corradini]]></dc:creator>
		<pubDate>Fri, 09 Feb 2024 15:51:00 +0000</pubDate>
				<category><![CDATA[Cloud & Next-Gen IT Security]]></category>
		<category><![CDATA[Focus]]></category>
		<category><![CDATA[CASB]]></category>
		<category><![CDATA[cloud access security broker]]></category>
		<category><![CDATA[microsoft defender cloud apps]]></category>
		<guid isPermaLink="false">https://www.riskinsight-wavestone.com/?p=22424</guid>

					<description><![CDATA[<p>The migration of data and collaborative spaces to the cloud has created new data breach possibilities and has considerably extended the attack surface of companies. Furthermore, the growing use of cloud applications and new ways of working have considerably widened, whether voluntary or...</p>
<p>The article <a href="https://www.riskinsight-wavestone.com/en/2024/02/microsoft-defender-for-cloud-apps-how-to-secure-cloud-applications-use/">Microsoft Defender for Cloud Apps: how to secure cloud applications use </a> first appeared on <a href="https://www.riskinsight-wavestone.com/en/">RiskInsight</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<div class="wp-block-group is-vertical is-layout-flex wp-container-core-group-is-layout-8cf370e7 wp-block-group-is-layout-flex">
<p style="text-align: justify;">The migration of data and collaborative spaces to the cloud has created new data breach possibilities and has considerably extended the attack surface of companies. Furthermore, the growing use of cloud applications and new ways of working have considerably widened, whether deliberately or not, Shadow IT, that is to say cloud applications that are not validated by the organization, not managed by IT teams and not approved by security.</p>
<p style="text-align: justify;">One answer to these new use cases is the deployment of a Cloud Access Security Broker (CASB), such as Microsoft Defender for Cloud Apps (MDCA). What do these solutions actually contribute? The first part of this article introduces the general features of a CASB; the following parts focus on Microsoft's solution, MDCA.</p>
<h2 style="text-align: justify;" aria-level="1">Cloud Access Security Broker (CASB): a way to reduce the risks related to cloud applications</h2>
<h3 aria-level="2">A solution to secure the cloud environment</h3>
<p style="text-align: justify;">A Cloud Access Security Broker (CASB) is a security checkpoint placed between the users of the company's information system (IS) and cloud applications. By analysing the traffic flowing to and from cloud services, a CASB lets the organization extend its security controls beyond its own infrastructure.</p>
<p>A CASB has several key features:</p>
<ul>
<li>Apply security policies to the use of cloud applications (granular access policies, authorized activities, etc.)</li>
<li>Detect Shadow IT, categorize the "shadow" applications in use and assess the risk level associated with each of them</li>
<li>Control Bring Your Own Device (BYOD), that is to say personal devices (laptops or phones) owned by employees.</li>
</ul>
<h3 aria-level="2">A solution built on 4 pillars</h3>
<p>To provide these key features, a CASB is built on 4 major pillars:</p>
<p><span data-ccp-props="{&quot;134245418&quot;:true,&quot;201341983&quot;:0,&quot;335551550&quot;:2,&quot;335551620&quot;:2,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"> <img fetchpriority="high" decoding="async" class="aligncenter wp-image-22412 size-full" src="https://www.riskinsight-wavestone.com/wp-content/uploads/2024/02/1Screenshot-2024-02-09-145619.jpg" alt="" width="546" height="278" srcset="https://www.riskinsight-wavestone.com/wp-content/uploads/2024/02/1Screenshot-2024-02-09-145619.jpg 546w, https://www.riskinsight-wavestone.com/wp-content/uploads/2024/02/1Screenshot-2024-02-09-145619-375x191.jpg 375w, https://www.riskinsight-wavestone.com/wp-content/uploads/2024/02/1Screenshot-2024-02-09-145619-71x36.jpg 71w" sizes="(max-width: 546px) 100vw, 546px" /></span></p>
<p style="text-align: center;"><i>Figure 1: CASB pillars</i></p>
<ul>
<li style="text-align: justify;"><b>Visibility: </b>in order to manage cloud applications that are not supervised by IT tools, a CASB provides visibility into employees' cloud activities, enabling the identification of unauthorized usages, the data volumes involved, and business needs that require other coverage</li>
<li style="text-align: justify;"><b>Compliance:</b> many cloud applications are not compliant or are insufficiently protected. One role of a CASB is to report on application compliance and security, as a way to evaluate risks and take informed decisions (adding the app to the catalog, blocking it and communicating the decision to users, etc.)</li>
<li style="text-align: justify;"><b>Data security: </b>a DLP (Data Loss Prevention) strategy extended through the CASB gives stronger control over leaks of sensitive data from cloud sources, while securing the use cases the company authorizes</li>
<li style="text-align: justify;"><b>Threat protection: </b>a CASB provides defence against malware hosted on cloud storage services and thus prevents threats from spreading from cloud environments to the enterprise network.</li>
</ul>
<h2 aria-level="1">Microsoft CASB solution: Microsoft Defender for Cloud Apps (MDCA)</h2>
<h3>Microsoft Defender for Cloud Apps, a tool within a rich security ecosystem</h3>
<p style="text-align: justify;">Aware of cybersecurity challenges, Microsoft has invested massively in its security solutions to improve both their features and their management, resulting in the release of the unified security portal <b>Microsoft Defender XDR</b> (formerly Microsoft 365 Defender). This portal addresses a common problem of security teams, information scattered across tools, by bringing together the features of 4 major products:</p>
<ul>
<li style="text-align: justify;"><b>Microsoft Defender for Office 365: </b>secures messaging and collaborative spaces (e.g. analysis of incoming mails: sender, content, attachments, etc.)</li>
<li style="text-align: justify;"><b>Microsoft Defender for Endpoint (Microsoft's EDR): </b>manages endpoints and prevents attacks against them, applies security policies and blocks potentially malicious programs</li>
<li style="text-align: justify;"><b>Microsoft Defender for Identity: </b>monitors identity activity and detects lateral movement attempts aimed at compromising privileged accounts</li>
<li style="text-align: justify;"><b>Microsoft Defender for Cloud Apps:</b> enhances visibility and control over data transiting between the IS and cloud applications.</li>
</ul>
<p style="text-align: justify;">Besides making content easier to reach for security administrators, Microsoft strengthens the correlation between the pieces of information held by each tool. This correlation brings two major advantages:</p>
<ul>
<li style="text-align: justify;">More detection points, which increases the likelihood of promptly detecting attacks, since an attacker must get past several tools to succeed</li>
<li style="text-align: justify;">Correlation between tools and signals, which not only eases the understanding of the kill chain, but also gives better incident context and makes it easier to triage the many alerts coming from these 4 tools. <i>Figure 2</i> shows which Microsoft security tool is involved at each step of an attack:</li>
</ul>
<p><span data-ccp-props="{&quot;134245418&quot;:true,&quot;201341983&quot;:0,&quot;335551550&quot;:2,&quot;335551620&quot;:2,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"> <img decoding="async" class="aligncenter wp-image-22414 size-full" src="https://www.riskinsight-wavestone.com/wp-content/uploads/2024/02/2Screenshot-2024-02-09-145723.jpg" alt="" width="834" height="385" srcset="https://www.riskinsight-wavestone.com/wp-content/uploads/2024/02/2Screenshot-2024-02-09-145723.jpg 834w, https://www.riskinsight-wavestone.com/wp-content/uploads/2024/02/2Screenshot-2024-02-09-145723-414x191.jpg 414w, https://www.riskinsight-wavestone.com/wp-content/uploads/2024/02/2Screenshot-2024-02-09-145723-71x33.jpg 71w, https://www.riskinsight-wavestone.com/wp-content/uploads/2024/02/2Screenshot-2024-02-09-145723-768x355.jpg 768w" sizes="(max-width: 834px) 100vw, 834px" /></span></p>
<p style="text-align: center;"><i>Figure 2: Several detection points of an attack in the Microsoft Defender suite</i></p>
<p>Now that the MDCA ecosystem has been explained, let's look deeper into the tool.</p>
<h3 aria-level="2">Microsoft Defender for Cloud Apps, a set of additional policies to configure to protect cloud applications and their use</h3>
<p style="text-align: justify;">Microsoft Defender for Cloud Apps relies on the notion of protection and detection rules, called policies. Policies raise alerts when the events they target are logged, in order to detect suspicious behaviour; they can also take pre-configured actions triggered by these events. A dedicated MDCA menu gathers the management of policies and alerts. Several categories of MDCA security policies exist; they are detailed below:</p>
<ul>
<li><b>Threat Detection:</b>
<ul>
<li style="text-align: justify;"><b>Activity policy:</b> collects and monitors the audit logs of connected applications and alerts when a suspicious activity matching the rule is logged, to detect a compromised account or a malicious insider</li>
<li style="text-align: justify;"><b>OAuth app<sup>1</sup> policy:</b> reviews the permissions granted to applications by users on the environment and alerts on risky or over-privileged OAuth applications, in order to apply the least privilege principle and improve detection on the riskiest applications</li>
</ul>
</li>
<li style="text-align: justify;"><b>Information Protection:</b>
<ul>
<li style="text-align: justify;"><b>File policy:</b> scans and labels files according to specified rules (creation date, modification date, contributors, etc.) to protect data stored in the cloud, e.g. by alerting when a file is shared with unauthorized domains or when sensitive data is detected in the cloud</li>
</ul>
</li>
<li style="text-align: justify;"><b>Conditional Access:</b>
<ul>
<li style="text-align: justify;"><b>Access policy:</b> real-time control of access to cloud applications (users, locations, devices), extending Entra ID Conditional Access with more granular filtering</li>
<li style="text-align: justify;"><b>Session policy:</b> real-time control of user activities within a session, in order to act immediately against suspicious or unauthorized activities, such as downloading malicious files or downloading sensitive files from specified risky locations</li>
</ul>
</li>
<li style="text-align: justify;"><b>Shadow IT:</b>
<ul>
<li style="text-align: justify;"><b>Cloud Discovery anomaly detection policy:</b> raises alerts when unusual behaviour is detected in the traffic of discovered cloud applications (for example an abnormal volume of uploaded data), using machine learning</li>
<li style="text-align: justify;"><b>App discovery policy: </b>analyses application traffic, sorted by user, resource, etc., and associates a security and compliance score (risk score) with each discovered application, in order to raise an alert when a new application, for instance a widely used or a risky one, is used by specific groups of users inside the organization.</li>
</ul>
</li>
</ul>
<p><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"> </span></p>
<h3 aria-level="1"><span data-contrast="none">Which mechanisms provide these different policies?</span><span data-ccp-props="{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;201341983&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:0,&quot;335559740&quot;:259}"> </span></h3>
<p style="text-align: justify;"><span data-contrast="auto">MDCA is composed of </span><b><span data-contrast="auto">3 major building blocks</span></b><span data-contrast="auto"> to be integrated optimally into an organization’s information system. </span><i><span data-contrast="auto">Figure 3</span></i><span data-contrast="auto"> points out the </span><b><span data-contrast="auto">“Cloud Discovery”</span></b><span data-contrast="auto"> block, an interface between MDCA and the company firewall that </span><b><span data-contrast="auto">analyses application flows inside the organization.</span></b><span data-contrast="auto"> “Cloud Discovery” also allows </span><b><span data-contrast="auto">script configuration to restrict some uses</span></b><span data-contrast="auto">. The </span><b><span data-contrast="auto">“Reverse proxy”</span></b><span data-contrast="auto"> block places MDCA between the IS and the cloud applications, in order to </span><b><span data-contrast="auto">continuously analyse sign-ins and policies</span></b><span data-contrast="auto"> (session, access…). Finally, the </span><b><span data-contrast="auto">“App connectors”</span></b><span data-contrast="auto"> block </span><b><span data-contrast="auto">directly links MDCA to cloud applications</span></b><span data-contrast="auto"> to enable their analysis.</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"> </span></p>
<p><span data-ccp-props="{&quot;134245418&quot;:true,&quot;201341983&quot;:0,&quot;335551550&quot;:2,&quot;335551620&quot;:2,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"> <img decoding="async" class="aligncenter wp-image-22416 size-full" src="https://www.riskinsight-wavestone.com/wp-content/uploads/2024/02/3Screenshot-2024-02-09-145759.jpg" alt="" width="513" height="375" srcset="https://www.riskinsight-wavestone.com/wp-content/uploads/2024/02/3Screenshot-2024-02-09-145759.jpg 513w, https://www.riskinsight-wavestone.com/wp-content/uploads/2024/02/3Screenshot-2024-02-09-145759-261x191.jpg 261w, https://www.riskinsight-wavestone.com/wp-content/uploads/2024/02/3Screenshot-2024-02-09-145759-53x39.jpg 53w" sizes="(max-width: 513px) 100vw, 513px" /></span></p>
<p style="text-align: center;"><i><span data-contrast="none">Figure </span></i><i><span data-contrast="none">3</span></i><i><span data-contrast="none">: Monitoring mechanisms on cloud applications</span></i><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:2,&quot;335551620&quot;:2,&quot;335559739&quot;:200,&quot;335559740&quot;:240}"> </span></p>
<p> <br /><b><span data-contrast="auto">Cloud discovery:</span></b><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"> </span></p>
<p style="text-align: justify;"><span data-contrast="auto">Cloud discovery operates with the log collector of the company firewall or proxy, or with Microsoft Defender for Endpoint, which must then be installed on every endpoint. The network logs feed MDCA’s analysis of cloud applications and of their associated network traffic. The tool then rates these applications based on its current knowledge of several tens of thousands of applications, the score being established from about 100 security and compliance criteria. Cloud discovery and cloud application</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"> </span></p>
<p><b><span data-contrast="auto">Reverse Proxy:</span></b><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"> </span></p>
<p style="text-align: justify;"><span data-contrast="auto">Session control relies on federated authentication. Once the Identity Provider is connected to Entra ID and the application to the environment, the session is automatically captured and network traffic is routed through a reverse proxy when users log in with their credentials. Features such as blocking downloads or text copying, or requiring multi-factor authentication before any action, can then be implemented. Associated features are audit logs and session control mechanisms.</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559731&quot;:708,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"> </span></p>
<p><b><span data-contrast="auto">App connectors:</span></b><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"> </span></p>
<p style="text-align: justify;"><span data-contrast="auto">These are APIs connecting to the most-used applications (particularly cloud storage services: AWS, Azure, GCP). Thanks to these connections, MDCA is able to regularly scan online files, but also the users accessing those documents. The features provided range from account information and governance to application permissions and data analysis.</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"> </span></p>
<p><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"> </span></p>
<h3 aria-level="2"><span data-contrast="none">A wide range of security &amp; compliance use cases covered by MDCA</span><span data-ccp-props="{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;201341983&quot;:0,&quot;335559738&quot;:40,&quot;335559739&quot;:0,&quot;335559740&quot;:259}"> </span></h3>
<p style="text-align: justify;"><span data-contrast="auto">Many suspicious-behaviour detection use cases are enabled through the different MDCA policies. Depending on the severity of the event, these detections can either simply raise an alert or trigger an instant remediation (e.g. blocking). Here are a few examples of those use cases:</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"> </span></p>
<ul>
<li style="text-align: justify;" data-leveltext="" data-font="Symbol" data-listid="6" data-list-defn-props="{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"><b><span data-contrast="auto">Creation of an alert</span></b><span data-contrast="auto">:</span>
<ul>
<li style="text-align: justify;" data-leveltext="o" data-font="Courier New" data-listid="6" data-list-defn-props="{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:1440,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Courier New&quot;,&quot;469769242&quot;:[9675],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;o&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}" aria-setsize="-1" data-aria-posinset="1" data-aria-level="2"><span data-contrast="auto">When connecting from an anonymous IP address (via Activity policy)</span></li>
<li style="text-align: justify;" data-leveltext="o" data-font="Courier New" data-listid="6" data-list-defn-props="{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:1440,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Courier New&quot;,&quot;469769242&quot;:[9675],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;o&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}" aria-setsize="-1" data-aria-posinset="2" data-aria-level="2"><span data-contrast="auto">When downloading an unusually large quantity of data compared with the user’s usual behaviour (via Cloud Discovery anomaly detection policy)</span></li>
<li style="text-align: justify;" data-leveltext="o" data-font="Courier New" data-listid="6" data-list-defn-props="{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:1440,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Courier New&quot;,&quot;469769242&quot;:[9675],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;o&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}" aria-setsize="-1" data-aria-posinset="3" data-aria-level="2"><span data-contrast="auto">When downloading a file containing sensitive data (credit card number, passport number…) (via File policy)</span></li>
<li style="text-align: justify;" data-leveltext="o" data-font="Courier New" data-listid="6" data-list-defn-props="{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:1440,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Courier New&quot;,&quot;469769242&quot;:[9675],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;o&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}" aria-setsize="-1" data-aria-posinset="4" data-aria-level="2"><span data-contrast="auto">When an abnormal number of connections to a business application is observed (via App Discovery policy)</span></li>
</ul>
</li>
<li style="text-align: justify;" data-leveltext="" data-font="Symbol" data-listid="6" data-list-defn-props="{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}" aria-setsize="-1" data-aria-posinset="2" data-aria-level="1"><b><span data-contrast="auto">Request of an MFA confirmation</span></b><span data-contrast="auto"> when a user tries to download a highly confidential file while connected via Azure AD (via Session policy)</span></li>
<li style="text-align: justify;" data-leveltext="" data-font="Symbol" data-listid="6" data-list-defn-props="{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}" aria-setsize="-1" data-aria-posinset="3" data-aria-level="1"><b><span data-contrast="auto">Mandatory labelling </span></b><span data-contrast="auto">before allowing a user to upload an unlabelled file containing sensitive information to the cloud (via Session policy)</span></li>
<li style="text-align: justify;" data-leveltext="" data-font="Symbol" data-listid="6" data-list-defn-props="{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}" aria-setsize="-1" data-aria-posinset="4" data-aria-level="1"><b><span data-contrast="auto">Blocking a message </span></b><span data-contrast="auto">when a user tries to send sensitive information (e.g. a bank account number) to another user via instant messaging (via Session policy)</span></li>
<li style="text-align: justify;" data-leveltext="" data-font="Symbol" data-listid="6" data-list-defn-props="{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}" aria-setsize="-1" data-aria-posinset="5" data-aria-level="1"><b><span data-contrast="auto">Blocking the download of a confidential file from a cloud storage application </span></b><span data-contrast="auto">if the user is connected from their personal computer (via Session policy)</span></li>
</ul>
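<p>To make the Cloud Discovery mechanism and the two alert use cases above (unusual download volume, abnormal number of connections to a business application) concrete, the following Python script is an added example written for this page; it is not MDCA code and does not use MDCA’s real log format, catalogue or scoring. It parses constructed proxy log lines, groups traffic by destination application, checks each application against a constructed catalogue with made-up risk scores, and raises alerts when a user’s download volume or an application’s connection count exceeds a constructed daily baseline (the hostnames, baselines and the mean-plus-three-standard-deviations rule are all assumptions).</p>

```python
"""Cloud-Discovery-style analysis of constructed proxy log lines.
Added example, not MDCA's own code or log format: group traffic by cloud
application, score it against a catalogue, flag shadow IT, and alert when a
user's download volume or an app's connection count leaves its baseline."""
import re
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class App:
    name: str
    risk_score: int  # constructed 1-10 scale, higher is safer
    sanctioned: bool


@dataclass(frozen=True)
class Alert:
    kind: str     # "shadow_it", "download_volume" or "connection_count"
    subject: str  # application host or user principal name
    detail: str


MIN_RISK_SCORE = 6  # unsanctioned apps scoring below this are alerted

# Constructed log format: "<timestamp> <user> <destination-host> <bytes_up> <bytes_down>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\d+)$")

SAMPLE_LOGS = """\
2024-02-09T08:01:12Z alice@example.com contoso.sharepoint.com 1200 54000
2024-02-09T08:03:40Z alice@example.com contoso.sharepoint.com 900 61000
2024-02-09T08:05:02Z bob@example.com www.filebox.example 5000 2000
2024-02-09T08:07:19Z carol@example.com upload.freefilehost.invalid 80 900000
2024-02-09T08:09:55Z dave@example.com crm.example.com 300 12000
2024-02-09T08:10:01Z dave@example.com crm.example.com 300 12000
2024-02-09T08:10:05Z dave@example.com crm.example.com 300 12000
2024-02-09T08:10:09Z dave@example.com crm.example.com 300 12000
2024-02-09T08:12:30Z carol@example.com upload.freefilehost.invalid 80 900000
2024-02-09T08:15:44Z alice@example.com contoso.sharepoint.com 700 48000000
"""

# Constructed catalogue: hosts, names and scores are made up for this example
CATALOGUE = {
    "contoso.sharepoint.com": App("SharePoint Online", 9, True),
    "crm.example.com": App("Corporate CRM", 9, True),
    "www.filebox.example": App("FileBox", 4, False),
}

# Constructed daily baselines: bytes downloaded per user, connections per app
USER_DOWNLOAD_BASELINE = {
    "alice@example.com": [120000, 95000, 130000, 110000, 100000],
    "bob@example.com": [2500, 1800, 3000],
    "carol@example.com": [1500000, 1700000, 1600000, 1650000],
    "dave@example.com": [40000, 50000, 45000, 48000],
}
APP_CONNECTION_BASELINE = {
    "contoso.sharepoint.com": [3, 4, 3, 5, 3],
    "crm.example.com": [1, 1, 2, 1, 1],
    "www.filebox.example": [1, 2, 1],
}


def parse_logs(text):
    """Return (timestamp, user, host, bytes_up, bytes_down) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LOG_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable log line: {line!r}")
        ts, user, host, up, down = m.groups()
        flows.append((ts, user, host, int(up), int(down)))
    return flows


def connections_per_app(flows):
    counts = defaultdict(int)
    for _ts, _user, host, _up, _down in flows:
        counts[host] += 1
    return dict(counts)


def exceeds_baseline(value, history):
    """Anomaly rule (assumption): above mean + 3 standard deviations of the
    history, or above twice the mean when the history has no variance."""
    if not history:
        return False  # nothing learned yet, so no alert
    m, sd = mean(history), pstdev(history)
    return value > (m + 3 * sd if sd > 0 else 2 * m)


def shadow_it_alerts(counts, catalogue):
    alerts = []
    for host in sorted(counts):
        app = catalogue.get(host)
        if app is None:
            alerts.append(Alert("shadow_it", host, "unknown application"))
        elif not app.sanctioned and app.risk_score < MIN_RISK_SCORE:
            alerts.append(Alert("shadow_it", host,
                                f"{app.name}: unsanctioned, risk score {app.risk_score}"))
    return alerts


def download_volume_alerts(flows, baselines):
    per_user = defaultdict(int)
    for _ts, user, _host, _up, down in flows:
        per_user[user] += down
    return [Alert("download_volume", user, f"{total} bytes vs baseline {baselines[user]}")
            for user, total in sorted(per_user.items())
            if exceeds_baseline(total, baselines.get(user, []))]


def connection_count_alerts(counts, baselines):
    return [Alert("connection_count", host, f"{n} connections vs baseline {baselines[host]}")
            for host, n in sorted(counts.items())
            if exceeds_baseline(n, baselines.get(host, []))]


def analyse(log_text, catalogue, user_baselines, app_baselines):
    flows = parse_logs(log_text)
    counts = connections_per_app(flows)
    return (shadow_it_alerts(counts, catalogue)
            + download_volume_alerts(flows, user_baselines)
            + connection_count_alerts(counts, app_baselines))


if __name__ == "__main__":
    for a in analyse(SAMPLE_LOGS, CATALOGUE, USER_DOWNLOAD_BASELINE, APP_CONNECTION_BASELINE):
        print(f"[{a.kind}] {a.subject}: {a.detail}")
```

On the sample data, carol’s 1.8 MB download is not flagged because it is normal for her baseline, while alice’s 48 MB is; the unknown host and the low-scoring unsanctioned app are reported as shadow IT, and the CRM’s four connections exceed its usual one or two.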
<p><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:2,&quot;335551620&quot;:2,&quot;335559685&quot;:360,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"> <img loading="lazy" decoding="async" class="aligncenter wp-image-22418 size-full" src="https://www.riskinsight-wavestone.com/wp-content/uploads/2024/02/4Screenshot-2024-02-09-145839.jpg" alt="" width="698" height="241" srcset="https://www.riskinsight-wavestone.com/wp-content/uploads/2024/02/4Screenshot-2024-02-09-145839.jpg 698w, https://www.riskinsight-wavestone.com/wp-content/uploads/2024/02/4Screenshot-2024-02-09-145839-437x151.jpg 437w, https://www.riskinsight-wavestone.com/wp-content/uploads/2024/02/4Screenshot-2024-02-09-145839-71x25.jpg 71w" sizes="auto, (max-width: 698px) 100vw, 698px" /></span></p>
<p style="text-align: center;"><i><span data-contrast="none"> Figure 4: Example of Session policy for controlling the use of an application</span></i><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335559685&quot;:708,&quot;335559731&quot;:708,&quot;335559739&quot;:200,&quot;335559740&quot;:240}"> </span></p>
<p><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335559685&quot;:360,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"> </span></p>
<h3 aria-level="2"><span data-contrast="none">MDCA, a complex solution to implement</span><span data-ccp-props="{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;201341983&quot;:0,&quot;335559738&quot;:40,&quot;335559739&quot;:0,&quot;335559740&quot;:259}"> </span></h3>
<p style="text-align: justify;"><span data-contrast="auto">As seen previously, MDCA is a tool that offers several features which complement other Microsoft security tools like Purview DLP or Microsoft Defender, so that prioritising the features to activate and use is a requirement. These features and the organisation into “policies” lead to a complex configuration, which needs to be taken into account. It is therefore mandatory to target which use cases need to be covered and to test the effectiveness of the defined policies, to ensure on one side that the risk coverage is effective and on the other that too many false positives are not generated, as can happen when implementing some DLP rules.</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"> </span></p>
<p><span data-contrast="auto">Finally, the implementation of MDCA requires some non-trivial prerequisites, such as:</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"> </span></p>
<ul>
<li style="text-align: justify;" data-leveltext="" data-font="Symbol" data-listid="7" data-list-defn-props="{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}" aria-setsize="-1" data-aria-posinset="5" data-aria-level="1"><span data-contrast="auto">Interconnection of MDCA with the different cloud applications used</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"> </span></li>
<li style="text-align: justify;" data-leveltext="" data-font="Symbol" data-listid="7" data-list-defn-props="{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}" aria-setsize="-1" data-aria-posinset="6" data-aria-level="1"><span data-contrast="auto">The implementation of mechanisms to force traffic through the CASB (blocking non-compatible browsers)</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"> </span></li>
<li style="text-align: justify;" data-leveltext="" data-font="Symbol" data-listid="7" data-list-defn-props="{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}" aria-setsize="-1" data-aria-posinset="7" data-aria-level="1"><span data-contrast="auto">Training the learning models and refining the detection rules, whether they are provided by Microsoft or customised by the organisation, to reduce the number of false positives.</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"> </span></li>
</ul>
<p><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559685&quot;:720,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"> </span></p>
<h3 aria-level="2"><span data-contrast="none">In conclusion, MDCA, like any other CASB, is a promising tool which needs an advanced level of maturity</span><span data-ccp-props="{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;201341983&quot;:0,&quot;335559738&quot;:40,&quot;335559739&quot;:0,&quot;335559740&quot;:259}"> </span></h3>
<p style="text-align: justify;"><span data-contrast="auto">Microsoft Defender for Cloud Apps is natively integrated with Microsoft services and security tools, has suspicious activity detection policies by default, and gives you a first global view with a first assessment of the risks and of the interconnections between the organisation’s IS and cloud applications (Microsoft 365 included).</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"> </span></p>
<p style="text-align: justify;"><span data-contrast="auto">However, its apparent ease of implementation should not hide the need to set up some prerequisites, like the refining of rules and the management of interconnections between the IS and the cloud environments (browser management, interconnection of third-party applications…). Nor should it hide the effort needed to implement the organisation’s detection policies (creation of rules, tests and correction of false positives / negatives). Its implementation should be carried out as a project, and the creation of new policies must be given special attention and an iterative approach.</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559731&quot;:708,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"> </span></p>
<p style="text-align: justify;"><span data-contrast="auto">In summary, MDCA should be considered a powerful security tool which will need time to configure, refine and integrate with other additional features like data classification or conditional access rules. It will require a significant amount of configuration time, which will only be possible after setting up a first level of security and acquiring a certain level of maturity on cloud applications and CASB use cases.</span></p>
<p style="text-align: justify;"><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"><em>Thanks to Mathias COULAIS for his contribution to this article.</em> </span></p>
</div>
<p>The article <a href="https://www.riskinsight-wavestone.com/en/2024/02/microsoft-defender-for-cloud-apps-how-to-secure-cloud-applications-use/">Microsoft Defender for Cloud Apps: how to secure cloud applications use </a> first appeared on <a href="https://www.riskinsight-wavestone.com/en/">RiskInsight</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://www.riskinsight-wavestone.com/en/2024/02/microsoft-defender-for-cloud-apps-how-to-secure-cloud-applications-use/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>SOAR, UEBA, CASB, EDR and others: which tools do you need for your SOC? (1/3)</title>
		<link>https://www.riskinsight-wavestone.com/en/2019/04/new-tools-soc-13/</link>
		
		<dc:creator><![CDATA[Amaury Coulomban]]></dc:creator>
		<pubDate>Thu, 18 Apr 2019 09:00:30 +0000</pubDate>
				<category><![CDATA[Cybersecurity & Digital Trust]]></category>
		<category><![CDATA[Ethical Hacking & Incident Response]]></category>
		<category><![CDATA[AD]]></category>
		<category><![CDATA[CASB]]></category>
		<category><![CDATA[détection]]></category>
		<category><![CDATA[EDR]]></category>
		<category><![CDATA[innovation]]></category>
		<category><![CDATA[SOC]]></category>
		<category><![CDATA[supervision]]></category>
		<category><![CDATA[tool]]></category>
		<guid isPermaLink="false">https://www.riskinsight-wavestone.com/?p=11826</guid>

					<description><![CDATA[<p>SOC teams are finding it more and more difficult to detect increasingly complex attacks that take place over ever larger perimeters. At the same time, they are bearing the full brunt of the explosion in the number of alerts to...</p>
<p>The article <a href="https://www.riskinsight-wavestone.com/en/2019/04/new-tools-soc-13/">SOAR, UEBA, CASB, EDR and others: which tools do you need for your SOC? (1/3)</a> first appeared on <a href="https://www.riskinsight-wavestone.com/en/">RiskInsight</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><em>SOC teams are finding it more and more difficult to detect increasingly complex attacks that take place over ever larger perimeters. At the same time, they are bearing the full brunt of the explosion in the number of alerts to process (especially due to the myriad of technologies in use and the false positives they generate), the strengthening of the regulatory framework, and the need for more granular and rapid detection&#8230;</em></p>
<p><em>Against a backdrop of an acute shortage of cybersecurity skills, these issues cannot be addressed solely by increasing the size of SOC teams. The use of <strong>new tools</strong>, based on <strong>four strategic areas</strong>, is essential in enabling SOCs to stay ahead of threats.</em></p>
<p>&nbsp;</p>
<figure id="post-11844 media-11844" class="align-none"><img loading="lazy" decoding="async" class="aligncenter wp-image-11844 size-full" src="https://www.riskinsight-wavestone.com/wp-content/uploads/2019/04/image-0-1.png" alt="" width="1464" height="318" srcset="https://www.riskinsight-wavestone.com/wp-content/uploads/2019/04/image-0-1.png 1464w, https://www.riskinsight-wavestone.com/wp-content/uploads/2019/04/image-0-1-437x95.png 437w, https://www.riskinsight-wavestone.com/wp-content/uploads/2019/04/image-0-1-768x167.png 768w, https://www.riskinsight-wavestone.com/wp-content/uploads/2019/04/image-0-1-71x15.png 71w" sizes="auto, (max-width: 1464px) 100vw, 1464px" /></figure>
<p>&nbsp;</p>
<p><em>Here, <strong>extending the scope of detection</strong> enables the protection of new areas of the IS that are not sufficiently secure (such as the cloud) and of resources that are increasingly being chosen as targets (through ransomware attacks on terminals, targeted attacks using ADs, etc.).</em></p>
<p><em>At the same time, <strong>new approaches need to be adopted</strong> to detect targeted attacks (0-day, &#8220;low signal&#8221;, etc.), whose increasing sophistication is undermining existing security measures.</em></p>
<p><em>In addition to these new detection tools, <strong>an</strong> <strong>advanced knowledge of threats</strong> <strong>and attackers</strong> can improve existing detection capabilities, help prioritize incidents to be dealt with, and increase the effectiveness of the response.</em></p>
<p><em>But SOC teams are already struggling to process the events generated by existing tools. As a result, it’s essential to <strong>standardize and automate</strong> interactions between teams and systems, and, wherever possible, <strong>the sequence of analysis and response</strong>.</em></p>
<p><strong><em>Follow our series on the topic and learn how to tool up in these four strategic areas!</em></strong></p>
<p>&nbsp;</p>
<h2>Extending the scope of detection to new perimeters</h2>
<h3>A unique solution to secure all clouds: CASB</h3>
<p>Cloud Access Security Brokers (CASBs) address an area of the IS that is poorly served by traditional security measures: <strong>the cloud</strong>. The very nature of the cloud means that protection in this area requires a different approach to that used for a conventional IS; <strong>there is little or no control of resources</strong> (infrastructure, OSs, or applications—depending on the type of offering), <strong>assets are located outside the IS</strong>, etc.</p>
<p>CASBs aim to <strong>centralize </strong>and <strong>ensure that security policies are applied</strong>. Some <strong>cloud providers offer their own</strong> CASB security services (for example, Microsoft’s <em>Cloud App Security</em>); but, depending on the needs, it may be preferable to use <strong>third-party solutions</strong>, even though there is a cost to adding in another player. While CASBs aim to ensure security levels in the cloud, relying on the cloud service providers to perform this monitoring role can be counterproductive: it’s preferable to make use of a &#8220;trusted third party&#8221;.</p>
<p>In all cases, CASBs offer a diversity of solutions that can include a very large number of services—their degree of maturity depending on the solution&#8217;s publisher, the cloud provider, and the type of hosting (IaaS, PaaS, SaaS, etc.).</p>
<p>On the one hand, CASB solutions make it possible to deal with <strong>specific cloud issues</strong>, by <strong>addressing the lack of visibility in these environments</strong> (through shadow IT detection, usage statistics, etc.) and ensuring that they are <strong>compliant</strong> (verification of configurations, etc.).</p>
<p>On the other hand, they play a part in applying traditional security measures to the cloud. In particular, <strong>data security</strong> issues (such as DLP and encryption measures, which are of special concern to regulators) and <strong>threat detection</strong> (centralization of cloud logs for transmission to the SIEM, detection of abnormal behavior using UEBA (see our dedicated article on this), etc.) are part of a CASB&#8217;s traditional capabilities. In addition, some issues associated with <strong>IAM</strong> can also be addressed by these solutions (SSO, access contextualization, etc.).</p>
<p>There are two main modes of deployment when putting these features in place, each with its advantages and disadvantages. <strong>Proxy-type</strong> <strong>solutions</strong> are placed between users and the cloud service.</p>
<p>In contrast, when using <strong>API-type solutions</strong>, which are sometimes called “out-of-band”, the cloud service’s consumers communicate directly with it. Each time it’s accessed, the service queries the CASB’s APIs to evaluate the risks and authorize (or prohibit) the consumption of the service. However, to operate, API solutions rely on the interfaces offered by the cloud provider, which may limit the options.</p>
<p>At present, CASBs are relatively new and immature solutions, and their deployment is limited. However, given the increasingly broad adoption of cloud services (already well advanced), CASBs undoubtedly have a bright future. They’ll enable SOC teams to extend their surveillance to this area, which will soon represent a large proportion of any IS.</p>
<p><strong><u>Examples of CASB publishers:</u></strong></p>
<p><img loading="lazy" decoding="async" class="size-medium wp-image-11827 aligncenter" src="https://www.riskinsight-wavestone.com/wp-content/uploads/2019/04/image1-437x119.png" alt="" width="437" height="119" srcset="https://www.riskinsight-wavestone.com/wp-content/uploads/2019/04/image1.png 437w, https://www.riskinsight-wavestone.com/wp-content/uploads/2019/04/image1-71x19.png 71w" sizes="auto, (max-width: 437px) 100vw, 437px" /></p>
<p>&nbsp;</p>
<h3>The new Swiss army knife for securing terminals: endpoint detection and response (EDR)</h3>
<p>Endpoint Detection and Response (EDR) solutions are set to enhance SOC’s detection and response capabilities <strong>for terminals</strong> (PCs, servers, etc.).</p>
<p>As the name implies, EDRs play a part in <strong>detecting</strong> attacks. They plug the gaps left by anti-virus solutions (and other HIPSs), which rely on specific attack signatures and are therefore unsuited to detecting certain attack types—in particular advanced attacks (APTs). EDRs are based on other detection methods, with publishers generally offering a combination of techniques commonly used elsewhere.</p>
<p>Among these techniques, a large number of solutions offer <strong>detection of the exploitation of known vulnerabilities</strong> or of <strong>attack patterns</strong> (the opening of suspicious ports to dubious addresses, etc.), <strong>analysis of files</strong> using a sandbox (local emulation, submission in the cloud, etc.), and <strong>behavioral approaches</strong> based on machine learning (in particular UEBA solutions—see the dedicated chapter on this). Depending on the SOC’s needs, the alerts produced can be integrated as SIEM sources, or made available directly from the solution’s management console.</p>
<p>In addition to their advanced detection capabilities, EDR solutions also provide a considerable <strong>increase in visibility on devices</strong>: lists of running processes and services, lists of files in certain system directories, and other information that <strong>facilitates investigation</strong> when an alert is raised. Some solutions go beyond merely retrieving the state of the terminal at the time of the request and also make its history available: generation of logs, recovery of deleted files, etc.</p>
<p>But EDRs’ features don’t end at the detection and analysis phase. In fact, these solutions enable <strong>remote remediation</strong> actions to be performed, and the complexity of these depends on the publisher: deleting or quarantining files, ending processes, quarantining the terminal from the network, modifying registry keys, etc.</p>
<p>EDRs are thus comprehensive solutions that come into play at every stage of the process: from detection, through analysis, to response. However, they are <strong>not intended to replace anti-virus solutions</strong>: it is always more effective to block known attacks outright, even though publishers are increasingly offering products that combine these two types of functionality.</p>
<p><em>For more details on EDR solutions, read our dedicated article <a href="https://www.riskinsight-wavestone.com/en/2018/03/edr-nouveau-challenger-dans-la-protection-des-endpoints/">here</a>.</em></p>
<p><strong><u>Examples of EDR publishers:</u></strong></p>
<p><img loading="lazy" decoding="async" class="size-medium wp-image-11829 aligncenter" src="https://www.riskinsight-wavestone.com/wp-content/uploads/2019/04/Image2-1-333x191.png" alt="" width="333" height="191" srcset="https://www.riskinsight-wavestone.com/wp-content/uploads/2019/04/Image2-1.png 333w, https://www.riskinsight-wavestone.com/wp-content/uploads/2019/04/Image2-1-120x70.png 120w, https://www.riskinsight-wavestone.com/wp-content/uploads/2019/04/Image2-1-68x39.png 68w" sizes="auto, (max-width: 333px) 100vw, 333px" /></p>
<h3>Protecting the keys to the kingdom: Active Directory supervision</h3>
<p>Directories are among an <strong>IS’s most critical</strong> components. They provide the authentication and authorization functionality for almost all IS resources—both technical and business-related—including the most critical ones. It is therefore not surprising that compromising the AD is one of the most frequent attack methods used, since it opens numerous doors to an attacker.</p>
<p>Despite this criticality, and the fact that AD architectures are well known and have evolved little in recent years, <strong>their security has scope to improve</strong>. This is due, in particular, to their specific mode of operation (OUs, domains, trees, forests, users, etc.), which renders traditional protection and surveillance methods ineffective; this is a significant concern, given that any vulnerability in the AD can represent a major risk for the rest of the IS.</p>
<p>AD surveillance solutions aim to overcome this problem by supervising (in real time, or during an audit) the specificities of directories (configuration, status of accounts, etc.) and <strong>detecting vulnerabilities</strong> that could result in their being compromised. To do this, AD supervision solutions embed highly detailed knowledge of how ADs function and, in particular, of the associated security issues.</p>
<p>When the solution detects a vulnerability, <strong>it raises an alert</strong> (via the SIEM, or directly) and can provide <strong>remediation advice</strong> to facilitate the work of the teams responsible for rectifying the problem.</p>
<p>AD supervision tools also enable the SOC to <strong>detect any changes in configuration</strong> (legitimate, accidental, or malicious) and continuously assure security levels for these critical components. In doing so, they make the task of numerous attackers decidedly more complex.</p>
<p>In addition to directly strengthening the AD’s security levels, such solutions can also be used to ensure <strong>compliance with standards or regulatory requirements</strong> (for example PCI DSS, etc.).</p>
<p>These solutions are not widely applied today, and their use is generally limited to one-off audits. However, given the considerable security improvements associated with the provision of detection and remediation advice, and their ease of use, such solutions have strong potential and are likely to find their place among the tools used by SOCs.</p>
<p><strong><u>Examples of AD supervision publishers:</u></strong></p>
<p><img loading="lazy" decoding="async" class="size-medium wp-image-11831 aligncenter" src="https://www.riskinsight-wavestone.com/wp-content/uploads/2019/04/image3-1-437x111.png" alt="" width="437" height="111" srcset="https://www.riskinsight-wavestone.com/wp-content/uploads/2019/04/image3-1.png 437w, https://www.riskinsight-wavestone.com/wp-content/uploads/2019/04/image3-1-71x18.png 71w" sizes="auto, (max-width: 437px) 100vw, 437px" /></p>
<p><em>You can find our second article in the series <a href="https://www.riskinsight-wavestone.com/en/2019/04/new-tools-soc-23/">here</a>.</em></p>
<p>The article <a href="https://www.riskinsight-wavestone.com/en/2019/04/new-tools-soc-13/">SOAR, UEBA, CASB, EDR and others: which tools do you need for your SOC? (1/3)</a> appeared first on <a href="https://www.riskinsight-wavestone.com/en/">RiskInsight</a>.</p>
]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
