Integrate Microsoft Defender for Endpoint with MCAS (MDE Series)
In this Microsoft Defender for Endpoint (MDE) series, we're going to show, configure, discuss and simulate how Microsoft Defender for Endpoint integrates and works with other Microsoft security controls such as Microsoft Cloud App Security (MCAS), Microsoft Defender for Identity (MDI), Microsoft Defender for Office 365 (MDO) and Azure Sentinel, as well as with third-party security controls.
This blog post focuses on the Microsoft Defender for Endpoint (MDE) integration with Microsoft Cloud App Security (MCAS), with some tips from the field.
Concepts and acronyms for Microsoft Defender platforms:
- Microsoft Defender for Endpoint is MDE and previously known as Microsoft Defender for ATP (MDATP)
- Microsoft Defender for Identity is MDI and previously known as Azure ATP (AATP)
- Microsoft Defender for Office 365 is MDO and previously known as Office 365 ATP (OATP)
- Microsoft 365 Defender is M365D and previously known as Microsoft Threat Protection (MTP)
More information: Microsoft 365 Defender – Microsoft 365 security | Microsoft Docs
Before integrating Microsoft Defender for Endpoint with Microsoft Cloud App Security, here is a short description of each platform.
Microsoft Defender for Endpoint (MDE)
Microsoft Defender for Endpoint is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate and respond to advanced threats.
Microsoft Defender for Endpoint protects endpoints from cyber threats, detects advanced attacks, identifies data breaches, automates the handling of security incidents, and improves security posture.
This lets your users access cloud services and on-premises applications with ease and allows modern management, including remote-work capabilities, for all devices.
Its advanced features include Threat & Vulnerability Management, Attack surface reduction, Next-generation protection, Endpoint detection and response, and Automated investigation and remediation.
Microsoft Defender for Endpoint protects many platforms and devices, such as Windows Server, Windows Client, macOS, Linux, iOS, and Android.
The advantage of this comprehensive protection is end-to-end identification and investigation across the whole kill chain, from email to device, in one place.
One of the great features is that Microsoft Defender for Endpoint can be integrated with other security controls and components to provide end-to-end security. This means an enterprise can secure communication and data travel between applications and employees.
One of the components that can collaborate with Microsoft Defender for Endpoint is Microsoft Cloud App Security (MCAS).
This diagram shows the Microsoft Defender for Endpoint service architecture.
More information: Microsoft Defender Advanced Threat Protection – Windows security | Microsoft Docs
Microsoft Cloud App Security (MCAS)
Microsoft Cloud App Security is a cloud access security broker (CASB) that gives you rich visibility into application usage, malware infection vectors, admin actions, user behavior, anomalies, and much more.
Microsoft Cloud App Security lets you connect many apps and cloud providers such as AWS, Office 365, Okta, and more. Once the apps are connected, you can see every action taken by a user or an admin.
This provides visibility into everything happening in the cloud and, from that point, full Shadow IT discovery.
For example, once MCAS is connected to your apps, it scans all the files stored in your business's file storage solution, such as Dropbox or OneDrive. Each time one of these files is modified, MCAS rescans it.
This diagram shows the Microsoft Cloud App Security Architecture for file scanning.
The integration between MDE and MCAS provides many benefits, one of which is CASB at the endpoint. The CASB endpoint capability takes your security a few levels ahead.
Once MDE and MCAS are integrated, you can control device and user activity with apps and files and respond automatically to suspicious activity. In addition, you get Cloud Discovery, with a lot of rich information about users and devices to work with.
The sensor on each endpoint sends data and signals to Microsoft Defender for Endpoint, which retains all of the data. In parallel, specific data and signals are sent to MCAS, where they are available in Cloud Discovery.
The integration forwards Microsoft Defender for Endpoint signals to Cloud App Security, giving administrators deeper visibility into sanctioned cloud apps and shadow IT. It also lets them block unauthorized applications when the Custom network indicators setting is turned on.
Forwarded data is stored and processed in the same location as your Cloud App Security data.
How to integrate MDE with MCAS
The MDE and MCAS integration is straightforward and can be done quickly; once it is set up on both the MDE and the MCAS side, you can start working with the dashboard. The prerequisites are:
- Microsoft Cloud App Security license
- Microsoft Defender for Endpoint license
- Windows 10 Supported Operating System
- Managed Device and Supported browsers
- Microsoft Cloud App Security deployed and running
- Microsoft Defender for Endpoint deployed and running
To configure the integration between MDE and MCAS, do the following actions:
Enable Microsoft Cloud App Security – In the MDE portal, at the bottom of the left-side panel, click Settings, then Advanced features, and enable Microsoft Cloud App Security.
Enable Custom network indicators – In the same MDE portal, under Settings and Advanced features, at the bottom of the left-side panel, enable Custom network indicators.
Once both settings are enabled in Microsoft Defender for Endpoint, you're good to go: from here, all data is forwarded to Microsoft Cloud App Security.
TIP: Once the MDE and MCAS integration is done, every app marked as unsanctioned is populated in the custom indicators list.
Note: the MCAS-side settings can be configured later, because it is the MCAS setting that turns the unsanctioned-app list into block actions on the endpoints.
Block Unsanctioned Apps – In the MCAS portal, click the settings icon at the top right, go to the Cloud Discovery option and click Cloud app control.
Note: It is important to note that any existing unsanctioned apps in the organization will be marked as blocked on your endpoints at this stage.
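After enabling the blocking, you will want to verify what the unsanctioned-app list actually pushed to the endpoints. The following Python script is an added example and is not part of the original post: it assumes the Microsoft Defender for Endpoint Indicators API (GET https://api.securitycenter.microsoft.com/api/indicators, which returns records with indicatorValue, indicatorType, action, title and createdBy fields, and the documented indicatorType and action names) and a bearer token you obtained separately. The response embedded below is constructed for the example, so the script runs offline; swap it for fetch_indicators(token) to run against a tenant.

```python
import json
import urllib.request
from collections import Counter

API_URL = "https://api.securitycenter.microsoft.com/api/indicators"

# Constructed sample in the shape of an Indicators API response (assumption:
# the documented record fields; every value below is made up for this example).
SAMPLE_RESPONSE = json.dumps({
    "value": [
        {"id": "1", "indicatorValue": "unsanctioned-filesharing.example",
         "indicatorType": "DomainName", "action": "Block",
         "title": "Unsanctioned app: Example File Share", "createdBy": "constructed"},
        {"id": "2", "indicatorValue": "https://unsanctioned-paste.example/upload",
         "indicatorType": "Url", "action": "Block",
         "title": "Unsanctioned app: Example Paste", "createdBy": "constructed"},
        {"id": "3", "indicatorValue": "approved-storage.example",
         "indicatorType": "DomainName", "action": "Allowed",
         "title": "Sanctioned storage", "createdBy": "constructed"},
        {"id": "4", "indicatorValue": "198.51.100.7",
         "indicatorType": "IpAddress", "action": "Alert",
         "title": "Watch-list address", "createdBy": "constructed"},
        # Same domain as id 1 but with an Allowed action: an override someone
        # added by hand that silently contradicts the MCAS block.
        {"id": "5", "indicatorValue": "unsanctioned-filesharing.example",
         "indicatorType": "DomainName", "action": "Allowed",
         "title": "Manual exception", "createdBy": "constructed"},
    ]
})


def fetch_indicators(token, url=API_URL):
    """Pull the live indicator list (hypothetical use; needs a valid token)."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read().decode("utf-8"))["value"]


def load_sample():
    """Parse the constructed response into the same list shape fetch_indicators returns."""
    return json.loads(SAMPLE_RESPONSE)["value"]


def network_block_indicators(indicators):
    """Domain and URL indicators with a Block action: what the endpoints enforce."""
    wanted = {"DomainName", "Url"}
    blocked = [i for i in indicators
               if i.get("indicatorType") in wanted and i.get("action") == "Block"]
    return sorted(blocked, key=lambda i: i["indicatorValue"])


def summarize(indicators):
    """Count indicators per (type, action) so drift from the expected set is visible."""
    return Counter((i.get("indicatorType"), i.get("action")) for i in indicators)


def find_conflicts(indicators):
    """Values that carry more than one action, e.g. an Allowed entry next to a Block."""
    actions_by_value = {}
    for i in indicators:
        actions_by_value.setdefault(i["indicatorValue"], set()).add(i["action"])
    return {v: a for v, a in actions_by_value.items() if len(a) > 1}


if __name__ == "__main__":
    data = load_sample()  # replace with fetch_indicators("<token>") for a tenant
    print("Blocked network indicators:")
    for ind in network_block_indicators(data):
        print(f"  {ind['indicatorType']:<10} {ind['indicatorValue']}  ({ind['title']})")
    print("Counts per (type, action):", dict(summarize(data)))
    print("Conflicting entries:", find_conflicts(data))
```

The conflict check is the part worth keeping: the page's note says every existing unsanctioned app becomes a block on the endpoints, and a hand-added Allowed indicator for the same value is the easiest way for that block to stop meaning what the MCAS dashboard says.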
The integration between MDE and MCAS is a milestone in defining a Zero Trust solution that addresses the entire kill chain.
Once the integration is in place, you can view the same information in either portal and correlate the different signals during an investigation.