If your enterprise uses Microsoft 365, you’ll find you rarely need to leave your Microsoft bubble. Document creation with Office, storage and sharing with OneDrive, collaboration with Teams and SharePoint, email with Exchange - and thousands of third-party apps you can connect for any function Microsoft 365 doesn’t offer natively.
It’s no wonder that so many enterprises depend on Microsoft 365, taking as an example the 280 million monthly active users in Teams. But the bigger you get, the more attention you attract - and not infrequently from threat actors who are bent on attack. In this light, what does platform popularity mean for Microsoft 365 security?
SaaS security threats usually fall into one of three categories:
Data: sensitive or valuable information being exposed or exfiltrated without your permission
Identity: the wrong parties gaining access to your systems and data
SaaS to SaaS apps: unauthorized or over-permissioned third-party OAuth apps
Microsoft 365 security is no exception.
In our analysis of DoControl clients of all sizes using Microsoft 365, the average organization had over 1.5 million assets in OneDrive by the end of 2023. The organizations at the larger end of the scale averaged 3.2 million assets. Moreover, a decent amount of it is sensitive data that may not be as protected as it should be. Our analysis found that 2.6% of total OneDrive assets contained sensitive data that was accessible by every employee in the organization (over 85K assets for our larger organizations!).
The ease of sharing and collaboration is one of the selling points of Microsoft 365, but simultaneously one of its weak points. The more hands in the pot, the easier it is to lose track of them, and Microsoft Enterprise customers have many, many hands in the pot. When we sampled several of the DoControl clients with over 1000 employees, we found that while the average company had 3073 employees, they had 6800 authorized users (employees + external users from trusted domains) in their Microsoft OneDrive application! That’s a risk that needs to be addressed if you want effective OneDrive security.
As with human users, it is also easy to lose track of the non-human agents with access to your system once they start burgeoning in number. And the Microsoft 365 ecosystem, with thousands upon thousands of third-party apps, is the perfect place for app proliferation to occur.
As of this writing, Microsoft’s App Marketplace boasts 2143 results for Microsoft 365 Teams apps and 1065 results for Microsoft 365 SharePoint apps. In mid-2023, Microsoft boasted to its investors that the number of Teams third-party apps with more than 10,000 users had increased nearly 40 percent year-over-year. Microsoft investors may be happy to hear that, but so might threat actors who can now taste greater reward potential for a successful breach of Microsoft Teams security.
Microsoft is well aware of the potential threats, and they have introduced their own offering for Microsoft data security: Defender for Cloud Apps. The question is: will it fully ensure your Microsoft 365 security? Let’s get familiar with Defender for Cloud Apps and discover its advantages and disadvantages when it comes to your Teams, OneDrive and SharePoint security.
Microsoft Defender for Cloud Apps is an API-based CASB (Cloud Access Security Broker) platform assembled from tech acquisitions and in-house Microsoft data protection tools. It includes modules for data access control, data loss prevention, SaaS security posture management (SSPM), identifying SaaS-to-SaaS shadow apps, and multiple other security functions.
Let’s take a look at how Defender for Cloud Apps addresses the categories of SaaS security threat discussed above.
You don’t want anything happening to your sensitive or valuable information without your permission. Defender for Cloud Apps includes a data loss prevention (DLP) component. This DLP component will scan all files in your Microsoft 365 environment, including connected apps, and apply sensitivity labels. You can set up workflows for different types of identified-as-sensitive data assets, such as blocking downloads or removing access permissions granted to external users.
Defender for Cloud Apps keeps track of what users are doing through its user entity behavioral analytics (UEBA) capabilities. It uses behavioral baselines to predict expected and acceptable behavior, and based on that classifies user actions and calculates a user risk score. Your information security team can see which users in the organization are most likely to be security risks (whether accidentally or intentionally) and choose what action to take in order to address or mitigate the problem.
Defender for Cloud Apps can identify more than 31,000 public cloud apps and keep an eye on their usage and traffic in your Microsoft 365 environment. If Defender for Cloud Apps spots risk indicators, OAuth credential problems or anomalous app behavior, it will alert your information security team.
Why use Defender for Cloud Apps? Well, the most obvious reason to use it is because it’s there. Defender for Cloud Apps comes bundled with the E5 Microsoft subscription. Using it means you don’t have to look for another vendor; you can use a single vendor for your SaaS and your SaaS security.
Beyond the convenience, the offering is robust. It’s a comprehensive Microsoft 365 security toolset with broad support for many SaaS apps.
When you take a close look at Defender for Cloud Apps’ capabilities, however, and compare that to the day-to-day Microsoft 365 security threats an enterprise faces, Defender for Cloud Apps falls short in a number of areas.
The time that passes between a user action and when a CASB platform becomes aware of it is an issue for all API-based CASBs. (An agent-based CASB solves that issue, but transfers the time lag to between when the user initiates the action and when the action actually happens, which is a major obstacle to productivity and functionality, especially in the world of SaaS.)
This delay affects all areas of security, and especially protection of data against exfiltration. A lengthy download might be identified as risky and stopped in time, but non-download channels like sharing or viewing can happen in near real-time on the part of the user, and by the time the CASB registers the issue, the data has already been exposed.
This time lag is exaggerated in Defender for Cloud Apps, which relies for its event awareness on Microsoft Sentinel’s ingestion of logs. Sentinel’s high latency when it comes to log ingestion (from minutes to hours) can cause risky delays when it comes to threat identification, alerting and remediation. And if you’re not careful about how you configure log ingestion and analysis rules in Sentinel, the system can even miss events entirely.
Microsoft has attempted to address this issue with their Sentinel near-real-time analytics rules, although this requires a considerable amount of setup, and the number of audit logs and rules that you can include is limited.
Near-real-time analytics rules aren’t the only complicated thing to configure in Defender for Cloud Apps. Configuring most Microsoft data protection policies involves adjusting settings in between three and six different product consoles.
When the time and manpower of information security teams are limited (as they all too often are), higher configuration complexity means that less is configured and, therefore, less is protected.
The data protection components of Defender for Cloud Apps are content-driven, based on just-in-time scanning or on Azure Information Protection classification labels. Data protection policies lack the business and security contexts that could refine alerts and reduce false positives and false negatives (e.g. is sharing this type of information typical for this department? Is the external collaborator being shared with part of an email domain that just signed a contracting agreement with the organization?).
Defender for Cloud Apps does include elements of user and identity context, which (as mentioned above) are summed up in a user risk score that can then be acted upon by information security. But this focus on risky user status (which is based on past actions) without taking into account the total context of the user’s current action gives only a partial picture that can easily lead to false positives and negatives.
By leveraging the integration with Microsoft Power Automate, you can create automated remediation workflows for alerts generated by Defender for Cloud Apps. Unfortunately, the fact that you need another application with another interface does add to the complexity level and time required to set these automated remediations up.
The scope of what can be automatically remediated is also limited. For example, while Defender for Cloud Apps can identify risky or unapproved SaaS to SaaS apps in your Microsoft 365 environment, it cannot automate the removal of those apps or prevent them from being added again.
User-based automations are also limited. For most actions relating to risky users, you need to go into the Identities interface and take action from there.
One last downside that bears mentioning is the risk of putting all of your eggs in one basket. When you have Microsoft Defender for Cloud Apps responsible for your Microsoft 365 security, the chances of both systems being undermined are higher than if one of those systems is a third-party platform.
A Microsoft 365 security solution that will cover what Defender for Cloud Apps offers while also filling in the gaps should have:
Pull-API-based CASBs (like Defender for Cloud Apps) are built to query the SaaS application as to which files have changed, and then query again to get the content of the change. Between every pull window, users are constantly changing the SaaS attack surface.
A CASB designed to use push events will be informed of changes right after they happen, without needing to “ask” for it. This technical difference gives the CASB near-real-time awareness of every significant event in the Microsoft 365 environment.
User actions do not happen in a vacuum. If you knew that an employee was about to leave the company, you would want to be extra careful about their downloading any data assets or sharing with external parties. That’s even if the employee was never a particularly risky user, and these actions might have made sense in the context of their regular job responsibilities. But if they are leaving the company next week, this is not a regular situation, and that should be accounted for.
A SaaS security platform that can take into account the extra context across all apps and systems in the SaaS environment (e.g. HR systems, Teams, Zoom, Jira, Slack, GitHub, etc.) has the flexibility to decide if the action itself is risky, independent of the “user risk.”
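To make the contrast between a user-risk-score model and an action-context model concrete, here is an added example (not DoControl’s or Microsoft’s code) that evaluates a single external-share event against cross-system context: an HR offboarding date, what the actor’s department normally shares, and whether the recipient domain has a contract on file. The context tables, event shape and thresholds are all constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed context tables standing in for HR, directory and contract
# records; a real platform would read these from the connected systems.
OFFBOARDING = {"alice@example.com": date(2024, 3, 8)}          # last working day
TYPICAL_SHARING = {"sales": {"proposal", "pricing"}, "finance": {"invoice"}}
CONTRACTED_DOMAINS = {"partner.example": date(2024, 2, 20)}    # agreement signed
USER_RISK = {"alice@example.com": 10, "bob@example.com": 80}   # 0-100, past actions


@dataclass(frozen=True)
class ShareEvent:
    actor: str
    department: str
    asset_label: str         # classification label of the shared asset
    recipient_domain: str    # external domain the asset was shared with
    occurred: str            # ISO date of the share action


def risk_score_decision(evt: ShareEvent) -> str:
    """Past-behaviour model: act only on the actor's accumulated risk score."""
    return "alert" if USER_RISK.get(evt.actor, 0) >= 70 else "allow"


def contextual_decision(evt: ShareEvent) -> tuple[str, list[str]]:
    """Judge the action itself from cross-system context, independent of user risk."""
    reasons = []
    occurred = date.fromisoformat(evt.occurred)
    leaving = OFFBOARDING.get(evt.actor)
    leaving_soon = leaving is not None and timedelta(0) <= leaving - occurred <= timedelta(days=14)
    if leaving_soon:
        reasons.append("actor leaves the company within 14 days")
    if evt.asset_label not in TYPICAL_SHARING.get(evt.department, set()):
        reasons.append(f"{evt.department} does not normally share {evt.asset_label} data")
    if evt.recipient_domain not in CONTRACTED_DOMAINS:
        reasons.append(f"no agreement on file for {evt.recipient_domain}")
    # Severity follows the situation: an offboarding user sharing externally is
    # revoked outright; otherwise two anomalies revoke, one alerts, none allows.
    if leaving_soon or len(reasons) >= 2:
        return "revoke", reasons
    return ("alert" if reasons else "allow"), reasons


if __name__ == "__main__":
    evt = ShareEvent("alice@example.com", "sales", "pricing", "partner.example", "2024-03-01")
    print(risk_score_decision(evt), contextual_decision(evt))  # allow vs revoke
```

The low-risk departing employee is allowed by the score-only model but revoked by the contextual one, while the high-score user doing routine, contracted sharing is alerted on by the score model and allowed by context.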
Near-real-time information that includes insightful context doesn’t do much good if your rate of taking action on it is restricted to the reaction time of an information security team member.
Truly effective Microsoft 365 security requires a platform that allows monitoring for every kind of risk (i.e. data, identity, SaaS to SaaS apps) with the ability to do full remediation at scale. This would include (but certainly isn’t limited to):
Microsoft 365 productivity and security should complement, not contradict, each other. Choose a security platform that can provide comprehensive protection for your Microsoft 365 data, identities and SaaS to SaaS apps, and you’ll have taken the next critical step toward your enterprise’s success.