How much data does your Microsoft CASB need to protect?
Well, how much data is stored in your Microsoft 365 ecosystem? Our clients typically have millions of assets in OneDrive alone: 1.5 million on average (as of the end of 2023), and 3.2 million on average for organizations at the larger end of the scale. That doesn't even count data in SharePoint sites or Teams that isn't housed in OneDrive.
Your Microsoft CASB would need to protect all of those assets from threats ranging from outsiders (e.g. a cyberattack) to insiders (e.g. a disgruntled former worker, or plain employee negligence).
True data protection requires not just the ability to catch threats, but to catch them in time - before they cause irreparable damage.
The Time Factor in Data Security
When a physical object is stolen, the theft is remedied by recovering the object. If a thief breaks into the Louvre and steals the Mona Lisa, the goal is to get the Mona Lisa back, whether that is done by catching the original thief or by tracking the painting down after it passed from illegal hand to illegal hand.
At the end of the day, if the Mona Lisa is back in the Louvre looking none the worse for its adventure, one can say that the security breach has been effectively remediated.
Data is completely different.
Once someone “walks out the door” with your data, it can be copied and disseminated. Even if you “catch the thief” and get back “the original,” there can be irreparable harm done. For true data protection, you need to catch the thief before they walk out the door with your data.
That “time is of the essence” is true of all data security, but it takes on larger proportions in SaaS security. SaaS applications are designed to make data easy to share. So while downloading thousands of client records from an on-prem data system may take minutes or hours (giving information security time to notice and intervene), sharing those thousands of records from a SaaS app can be done instantaneously.
What can stop SaaS security threats with that level of speed?
CASBs and the Time Factor
The standard tool for SaaS data protection is a CASB (cloud access security broker). A CASB is a security policy enforcement solution for data moving through cloud applications.
CASBs monitor user access and behavior, detect and protect against data exfiltration or exposure, and often also protect against over-permissioned or data-leaking OAuth apps.
How fast can CASBs detect when something is amiss? It depends on the type of CASB.
Agent-based CASBs work by deploying software agents on user devices that monitor and control access to cloud services. All traffic must pass through the agent on its way from the device to the SaaS application and back. An agent-based CASB is effectively a real-time security checkpoint: if it classifies an action as a threat, it can block that action before it completes.
But inspecting every request inline adds latency to every interaction. (Just think about the last time you went through airport security during a peak travel season.) Organizations adopt SaaS primarily to streamline workflows and increase efficiency and productivity, and delays in data traffic undermine that whole purpose. In practice, then, the real-time protection afforded by agent-based CASBs comes at a cost most organizations won't accept, and it is rarely the answer for securing SaaS applications at scale.
API-based (agentless) CASBs integrate directly with the cloud service provider's APIs to monitor and secure data. They are non-intrusive: they read activity records and file contents through the API rather than sitting in the path between the user's device and the application, so they don't slow the flow of information. But because an API-based CASB is an observer, not a checkpoint, it learns of a threatening action only after that action has taken place. The question becomes how long after the fact the CASB becomes aware of it, and whether that lag gives the thief time to really get the data out the door.
The “how long” factor varies tremendously across API-based CASBs. CASBs with a “pull”-style API architecture poll the SaaS application at regular intervals to “ask” which files have changed and then to request the contents of those files. Intervals can range from minutes to hours to days. (And even weeks. Yes, really.) That time gap is the time in which a bad actor could be making off with your data and making it available for more unauthorized users to see, copy and expose further.
API-based CASBs with a “push”-style API architecture get updates from the SaaS applications themselves whenever any significant event (e.g. viewing, editing, downloading, sharing) happens to any SaaS asset. Because the changes are reported as soon as they happen, the CASB’s awareness of the changing attack surface and ability to detect and respond to emerging threats is much nearer to real-time.
Which type of CASB is the Microsoft CASB - or the Microsoft CASB you would want to be protecting your Microsoft 365 ecosystem?
The Microsoft CASB: Defender for Cloud Apps
Microsoft’s native CASB solution is Defender for Cloud Apps, an API-based CASB platform that covers:
- data access control
- data loss prevention
- SaaS security posture management (SSPM)
- identifying SaaS-to-SaaS shadow apps
- multiple other Microsoft 365 security functions
Defender for Cloud Apps has a pull-style API architecture: its app connectors poll Microsoft 365 for activity and file changes rather than receiving events as they happen, and in a Microsoft-native stack the detections it feeds into rely on Microsoft Sentinel's ingestion of logs. A Sentinel analytics rule cannot fire on an event until the log containing that event has been ingested, and between polling and ingestion it can take anywhere from minutes to hours before an event is actionable. That leaves a large window (SaaS-wise) in which bad actors can make off with your data before Defender for Cloud Apps knows enough to respond.
This is not an ideal situation. What can you do about it?
How to Speed Up Detection and Remediation with the Microsoft CASB
There are two ways in which you can give Defender for Cloud Apps a bit of a boost in its reaction time:
- Sentinel near-real-time analytics rules
- Integration with Microsoft Insider Risk Management
Let’s take a look at each.
Sentinel near-real-time analytics rules
Microsoft Sentinel offers near-real-time (NRT) analytics rules: query rules that run once a minute and look only at events ingested in the preceding minute. Scheduled analytics rules, by contrast, run no more often than every five minutes and are frequently set to run far less often. Using NRT rules for your highest-risk SaaS events means a detection fires within about a minute of the event being ingested, rather than waiting for the next scheduled run.
Limitations:
- Near-real-time analytics rules don't come configured out of the box. Each one has to be written and tuned for the events you care about.
- Sentinel caps the number of NRT rules per workspace, and each NRT rule can query only a single table (no unions or joins). So NRT rules help for the handful of high-value events you can cover, but they don't let you monitor everything that could be a data security risk for your organization.
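To put numbers on the pull-versus-push argument from "CASBs and the Time Factor" and on the once-a-minute cadence of NRT rules above, here is an added simulation. It is example code written for this article, not DoControl or Microsoft code. The five audit events are constructed, with field names only loosely modeled on the Office 365 audit log rather than its real schema, and the delays (2 s push delivery, 5 min log ingestion, 15 min and 60 min poll intervals, a 5 min "re-share" window) are assumptions chosen to match the page's minutes-to-hours description.

```python
import math
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class AuditEvent:
    """One activity record. Field names are constructed for this example and only
    loosely modeled on the Office 365 audit log; this is not the real schema."""
    t: float            # seconds into the scenario when the action happened in M365
    operation: str      # e.g. "AnonymousLinkCreated", "SharingInvitationCreated", "FileAccessed"
    user: str
    target_type: str    # "Member", "Guest" or "Anonymous": who the share is aimed at
    obj: str            # the OneDrive/SharePoint item acted on


def is_external_share(e: AuditEvent) -> bool:
    """Detection predicate: a share that exposes an asset outside the tenant."""
    if e.operation == "AnonymousLinkCreated":
        return True
    return e.operation in ("SharingInvitationCreated", "SharingSet") and e.target_type == "Guest"


def push_detect_time(e: AuditEvent, delivery_delay: float = 2.0) -> float:
    """Push-style API: the SaaS app notifies the CASB as the event happens, so only
    the transport delay separates the action from the CASB knowing about it."""
    return e.t + delivery_delay


def poll_detect_time(e: AuditEvent, interval: float) -> float:
    """Pull-style API: the CASB polls every `interval` seconds and learns of the event
    on the first poll strictly after it happened. Worst-case lag is a full interval."""
    return (math.floor(e.t / interval) + 1) * interval


def nrt_rule_detect_time(e: AuditEvent, ingest_delay: float, cadence: float = 60.0) -> float:
    """SIEM near-real-time rule: the event first has to be ingested (ingest_delay);
    the rule then runs every `cadence` seconds over the data ingested since its last
    run, so it fires at the first run after ingestion."""
    ingested_at = e.t + ingest_delay
    return (math.floor(ingested_at / cadence) + 1) * cadence


def evaluate(events: List[AuditEvent],
             detect_time: Callable[[AuditEvent], float],
             window: float) -> Tuple[List[float], int]:
    """Apply the detector to every external share. Returns the lag in seconds between
    each action and its detection, and how many were caught within `window`."""
    lags: List[float] = []
    caught = 0
    for e in events:
        if not is_external_share(e):
            continue
        lag = detect_time(e) - e.t
        lags.append(lag)
        if lag <= window:
            caught += 1
    return lags, caught


# Constructed scenario: five actions over an hour; three expose data externally.
SAMPLE_EVENTS = [
    AuditEvent(5.0, "SharingSet", "alice@example.com", "Member", "/personal/alice/Q3-plan.docx"),
    AuditEvent(45.0, "AnonymousLinkCreated", "bob@example.com", "Anonymous", "/personal/bob/clients.xlsx"),
    AuditEvent(130.0, "SharingInvitationCreated", "bob@example.com", "Guest", "/sites/finance/payroll.csv"),
    AuditEvent(200.0, "FileAccessed", "carol@example.com", "Member", "/personal/carol/notes.txt"),
    AuditEvent(3500.0, "SharingSet", "dave@example.com", "Guest", "/sites/legal/contract.pdf"),
]


def compare(window: float = 300.0) -> Dict[str, Tuple[List[float], int]]:
    """Time-to-detect for each architecture against a 5-minute window, an assumed
    figure for how long a recipient needs to download and re-share a file."""
    detectors: Dict[str, Callable[[AuditEvent], float]] = {
        "push (2 s delivery)": lambda e: push_detect_time(e, 2.0),
        "NRT rule, 5 min ingest": lambda e: nrt_rule_detect_time(e, 300.0),
        "poll every 15 min": lambda e: poll_detect_time(e, 900.0),
        "poll every 60 min": lambda e: poll_detect_time(e, 3600.0),
    }
    return {name: evaluate(SAMPLE_EVENTS, d, window) for name, d in detectors.items()}


if __name__ == "__main__":
    for name, (lags, caught) in compare().items():
        print(f"{name:24s} lags={lags} caught in time: {caught}/{len(lags)}")
```

The point the numbers make is that a pull architecture's lag is dominated by wherever the event falls inside the poll interval (the 60-minute poller catches the share at t=3500 s in 100 s only because a poll happened to be due), and an NRT rule can never beat its ingestion delay plus up to one minute, whereas a push architecture's lag is just delivery time. Swap in your own poll interval and observed ingestion delay to see which shares you would catch inside your tolerated window.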
Microsoft Insider Risk Management
Microsoft Insider Risk Management is a native Microsoft solution that helps detect, investigate and act on insider risks. It leverages various signals and intelligence from Microsoft 365 services, and can also integrate some business context with a select set of HR info, such as “departing users.”
If you have Microsoft Insider Risk Management set up, you can integrate it with Defender for Cloud Apps to prioritize alerts. That way these higher data security risks (as defined by a greater insider risk score) can be seen and addressed sooner by your security team.
Limitations:
Like Defender for Cloud Apps itself, Microsoft Insider Risk Management can only act on an event once the underlying activity signal has arrived, and in a Microsoft-native stack that means it is still gated by Sentinel's log ingestion speed. Once an event makes it through ingestion and is identified as an insider risk, it can be given higher alert priority. But it has to make it through first - and that's where it gets delayed.
Use a third-party CASB with push-style API architecture
Okay, you’re right - this is not a way to speed up detection with the Microsoft CASB. It is a way to speed up detection and remediation; it is, in fact, the reason why we built DoControl: because we saw how pull-API CASBs just don’t do the trick, no matter how many band-aids you put on.
Slow and Steady Doesn’t Always Win the Race
As long as the Microsoft CASB continues to use pull-style API architecture, its awareness of and reaction to SaaS security risks will be slowed down. The more important your organization’s data is and the easier it is to share it, the more it may pay to pass over the native Microsoft CASB and look for a CASB solution with a push-style API architecture, like DoControl, that can turn on a dime when it comes to detection and remediation in your Microsoft environment.