Yes, you read that right: it is now possible to block apps that are marked as unsanctioned in Microsoft Cloud App Security (MCAS) directly on your Windows 10 endpoints. As you move towards a Zero Trust network and away from corporate firewalls and proxies, you still want to keep network control, but from the endpoint side. This new feature gives you the possibility to block applications there, which is a great step forward in this area and makes it clear that Microsoft is taking Zero Trust and security seriously.
(It is important to note that if you have already marked apps as unsanctioned in the MCAS portal, they will automatically be marked as blocked, so review your unsanctioned apps before turning this on.)
Configuring Unsanctioned Apps
Once you have your requirements in place, you can start to configure unsanctioned apps. You can either maintain the list manually or configure a policy that marks all apps matching certain criteria as unsanctioned. An example could be to block all apps with a risk score lower than 3.
To do it manually, go to your Cloud App dashboard, find the app you want to block, click on it and select Unsanctioned.
Marking apps as unsanctioned automatically is done with an app discovery policy. Below is an example of a policy that unsanctions (and therefore blocks) apps with a risk score of 1-3.
It is also possible to add other types of criteria to refine your policy. It all depends on what you want to limit and why: is the purpose to control shadow IT, or is it driven by security? Some examples of other criteria that could be useful depending on the use case:
App Category Productivity
Daily Traffic Below 5 MB
Number of Users Below 5
PRO TIP: When building your policy, use Preview Results. It gives you instant feedback on which apps your query matches, so try it out before you save the policy.
When an app is marked as unsanctioned, the back-end integration between MCAS and MDATP exchanges data and custom indicators are populated in MDATP. You can find these in the Microsoft Defender Security Center under Settings > Indicators > URLs/Domains.
In this example we blocked WhatsApp, and that replicated over to the indicators in MDATP. Depending on sync timing, the whole flow, from blocking the app in MCAS to the endpoint having the blocking instruction, should not take longer than 3 hours.
Once the indicators are available in MDATP, the endpoints update their indicators and start blocking.
End User Experience
At the moment the end user experience is fairly limited: the user gets a toast notification that something has been blocked, unless you have turned notifications off.
Depending on which app is trying to communicate with the blocked app/URL, the behavior differs.
For WhatsApp it looks like this when launching it (sorry, the message is in Swedish):
And the default notification message looks like this:
At the moment tracking and reporting is also limited to what is available in MCAS and MDATP and their supported retention times.
Things I want to see going forward, which I have fed back to the product groups:
Support for X-Platform Devices
Block without alerting, i.e. block and report
The possibility to do exclusions and custom targeting of devices/users
Azure Sentinel—the cloud-native SIEM that empowers defenders is now generally available
Some of the new features are:
Workbooks are replacing dashboards, providing for richer analytics and visualizations
New Microsoft and 3rd party connectors
Detection and hunting:
Out of the box detection rules: The GitHub detection rules are now built into Sentinel.
Easy elevation of MTP alerts to Sentinel incidents.
Built-in detection rules utilizing the threat intelligence connector.
New ML models to discover malicious SSH access and to fuse identity and access data to detect 35 unique threats that span multiple stages of the kill chain. Fusion is now on by default and managed through the UI.
Template playbooks now available on Github.
New threat hunting queries and libraries for Jupyter Notebooks
The interactive investigation graph is now publicly available.
Incidents support for tagging, comments, and assignments, both manually and automatically using playbooks.
The 2019 version of the Gartner Magic Quadrant for Endpoint Protection Platforms clearly shows that Microsoft is in the game to provide an extremely powerful endpoint protection platform (EPP). Microsoft is named a Leader!
With built-in capabilities that tie together protect, detect and respond, they have given us great tools for our security work.
Microsoft is unique in the EPP space, as it is the only vendor that can provide built-in endpoint protection capabilities tightly integrated with the OS. Windows Defender Antivirus (known as System Center Endpoint Protection in Windows 7 and 8) is now a core component of all versions of the Windows 10 OS, and provides cloud-assisted attack protection.
Microsoft Defender Advanced Threat Protection (ATP) provides an EDR capability, monitoring and reporting on Windows Defender Antivirus and Windows Defender Exploit Guard (“Exploit Guard”), vulnerability and configuration management, as well as advanced hardening tools.
The Microsoft Defender ATP incident response console consolidates alerts and incident response activities across Microsoft Defender ATP, Office 365 ATP, Azure ATP and Active Directory, as well as incorporates data sensitivity from Azure information protection.
Microsoft is much more open to supporting heterogeneous environments and has released EPP capabilities for Mac. Linux is supported through partners, while native agents are on the roadmap.
Microsoft has been placed in the Leaders quadrant this year due to the rapid market share gains of Windows Defender Antivirus (Defender), which is now the market share leader in business endpoints.
In addition, excellent execution on its roadmap makes it a credible replacement for competitive solutions, particularly for organizations looking to reduce complexity.
The insight and protection these tools give, together with the ability to use the built-in SOAR capabilities, give security teams around the globe a better and much faster understanding of attacks, and therefore a much faster response.
Features like Exploit Protection, Network Protection, Attack Surface Reduction, Firewall and more provide a more reliable platform that is easy to manage.
The enriched alerts and incidents give security teams a chance to put their effort into the critical incidents instead of spending time fighting the noise in many different tools and on manual tasks.
Build your playbooks
Take back the control with live response
We also have the threat and vulnerability management feature which gives you visibility on vulnerable software in your estate
When working with incident response you will from time to time find artifacts that you need to block, such as IP addresses or specific URLs. Instead of doing this on the proxies or firewalls, it is often more efficient to do it at the endpoint level, which also catches roaming machines wherever they are. In some cases you also work with other TI vendors, get IPs and URLs from them that you want to block, and want to build automation around that. This feature is currently in preview.
In WDATP you can now block or allow IPs and URLs.
For this feature to work you need to have some prerequisites in place:
Windows 10 1709 Pro, E3/E5 or Edu
Windows Defender Network Protection
Cloud-Delivered Protection enabled
It is possible to enable Network Protection in several ways.
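As an added example that is not part of the original post, the following PowerShell script shows one way to build that automation: it takes IPs, URLs and domains from a threat-intel export and pushes them into Microsoft Defender ATP custom indicators through the Indicators API, then lists what is loaded (which also lets you review the entries MCAS pushes for unsanctioned apps). It assumes an Azure AD app registration with the Ti.ReadWrite application permission on the WindowsDefenderATP API; the tenant id, app id and secret are placeholders, and the feed is constructed sample data.

```powershell
# Added example, not code from the original post. Pushes TI indicators into
# Microsoft Defender ATP through the Indicators API (POST/GET /api/indicators).
# Assumes an app registration with the Ti.ReadWrite application permission.
$TenantId     = '<tenant-id>'    # placeholder
$ClientId     = '<app-id>'       # placeholder
$ClientSecret = '<app-secret>'   # placeholder
$ApiBase      = 'https://api.securitycenter.windows.com/api'

# Client credentials flow against the v1 token endpoint, as in the MDATP API docs
$tokenBody = @{
    resource      = 'https://api.securitycenter.windows.com'
    client_id     = $ClientId
    client_secret = $ClientSecret
    grant_type    = 'client_credentials'
}
$token   = (Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$TenantId/oauth2/token" -Body $tokenBody).access_token
$headers = @{ Authorization = "Bearer $token"; 'Content-Type' = 'application/json' }

# Constructed sample feed; in practice read this from your TI vendor's export
$feed = @'
value,type,title
203.0.113.10,IpAddress,Known C2 node
http://example.net/malware/payload.exe,Url,Malware download URL
evil.example,DomainName,Phishing domain
'@ | ConvertFrom-Csv

function Submit-Indicator {
    param([string]$Value, [string]$Type, [string]$Title)
    # Only the network indicator types the API accepts; anything else is a feed error
    if ($Type -notin 'IpAddress', 'Url', 'DomainName') { throw "Unsupported indicator type: $Type" }
    $body = @{
        indicatorValue = $Value
        indicatorType  = $Type
        action         = 'AlertAndBlock'   # 'Alert' = detect only, 'Allowed' = allow-list
        title          = $Title
        description    = "Imported from TI feed on $(Get-Date -Format s)"
        severity       = 'High'
        # Expire automatically so stale TI does not live forever in the tenant
        expirationTime = (Get-Date).AddDays(30).ToUniversalTime().ToString('o')
    } | ConvertTo-Json
    Invoke-RestMethod -Method Post -Uri "$ApiBase/indicators" -Headers $headers -Body $body
}

foreach ($row in $feed) {
    Submit-Indicator -Value $row.value -Type $row.type -Title $row.title
}

# Review everything currently loaded, including what the MCAS integration pushed
$existing = (Invoke-RestMethod -Method Get -Uri "$ApiBase/indicators" -Headers $headers).value
$existing | Select-Object indicatorValue, indicatorType, action, title, expirationTime | Format-Table -AutoSize
```

Two practical notes: start new feeds with action Alert and only switch to AlertAndBlock once you have checked the hits in the portal, because a bad feed entry blocks the same way on every onboarded machine; and always set expirationTime, since the tenant has a cap on the total number of indicators and expired entries free up that budget.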
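The prerequisites above can be checked and Network Protection switched on from PowerShell on the endpoint. This is an added example, not a script from the original post; it uses only the Defender cmdlets that ship with Windows 10 and must run in an elevated session (locally or through Invoke-Command).

```powershell
# Added example, not from the original post: verify the prerequisites for
# custom indicators and enable Network Protection on a Windows 10 endpoint.

# 1. OS version: Windows 10 1709 is build 16299
$os = Get-CimInstance Win32_OperatingSystem
if ([int]$os.BuildNumber -lt 16299) {
    throw "Windows 10 1709 (build 16299) or later is required, found build $($os.BuildNumber)"
}

# 2. Defender AV must be the active AV with real-time protection on;
#    Network Protection does not work when Defender runs in passive mode
$status = Get-MpComputerStatus
if (-not $status.AMServiceEnabled -or -not $status.RealTimeProtectionEnabled) {
    throw "Windows Defender AV is not active with real-time protection"
}

# 3. Cloud-delivered protection (MAPS): Disabled / Basic / Advanced
$pref = Get-MpPreference
if ($pref.MAPSReporting -eq 0) {
    Set-MpPreference -MAPSReporting Advanced
}

# 4. Network Protection: Disabled / Enabled / AuditMode.
#    Start in AuditMode to see what would be blocked (you still get the
#    NetworkProtection-tagged events), then move to Enabled.
Set-MpPreference -EnableNetworkProtection AuditMode
# Set-MpPreference -EnableNetworkProtection Enabled

# 5. Verify the result
Get-MpPreference | Select-Object MAPSReporting, EnableNetworkProtection
```

The same settings can be pushed centrally through Group Policy (Windows Components > Windows Defender Antivirus > Windows Defender Exploit Guard > Network Protection > "Prevent users and apps from accessing dangerous websites") or Intune, which is what you want for a fleet; the script is useful for checking a single machine that does not seem to block.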
There are still many companies using forward proxies, and when analyzing traffic from endpoints this can be a bit challenging. This is because the client connects to the forward proxy instead of the public endpoint, such as http://blog.sec-labs.com.
So instead of the public endpoint you would see that the process is connecting to the proxy.
Microsoft has engineered around this: by enabling the Network Protection feature in either audit mode or block mode, you can now see the public endpoint the process is actually communicating with behind the forward proxy.
Events that come from this type of detection are flagged with a "NetworkProtection" tag.
If you want to use these events when you do hunting, they are found in the NetworkCommunicationEvents table. If you know your proxy IP address, you can get everything that has gone via the proxy with the following query (replace "ProxyIP" with the address of your proxy):
NetworkCommunicationEvents
| where ActionType == "ConnectionSuccess" and RemoteIP != "ProxyIP"