Security Incident Response

If you think you have or know you have a Security Incident please fill in the form and our experienced Onevinn CSIRT team will reach out shortly.
 
The team has long experience in supporting customers in Incident Response and Compromised Recovery.
 
Keep calm and we will be with you shortly!

Blocking MCAS Unsanctioned Apps at the Endpoint with MDATP

*Note Preview Feature

Yes you read that right, its now possible to block unsanctioned apps in Microsoft Cloud App Security directly at your Windows 10 Endpoints. Moving towards a Zero-Trust network away from the corporate firewalls and proxies you still want to maintain network control from the endpoint side, this new feature will give you the possibility to block applications, this is a great step forward in the area and its clear that Microsoft is taking Zero-Trust and Security seriously.

So how to get started first of requirements! Last year we wrote about the Network Block Feature and it could be a good start before reading this article it can be found here. https://blog.sec-labs.com/2019/07/using-wdatp-network-block/

Requirements

  • MDATP and MCAS Integration Enabled
    • MDATP Portal > Settings > Advanced Features
  • Windows 10 with Network Block Enabled
  • MCAS Cloud App Control Enabled
    • MCAS Portal > Settings > Cloud App Control
      • (Its important to note if you have marked apps as unsanctioned in the MCAS Portal already they will automatically be marked as blocked so before turning this on review your unsanctioned apps.)

Configuring Unsanctioned Apps

Once you have your requirements in-place we can start to configure unsanctioned apps, You can either select to maintain this manually or configure a policy to set all apps matching a certain criteria to be blocked. An example could be block all apps with a Risk Score Lower than 3.

Manually

If you go to your Cloud App Dashboard and find the App you want to block just click on the App and select unsanctioned.


Automatically

To have apps marked as unsanctioned automatically can be done with a Policy. Below we have an example of blocking apps that meet the criteria Risk Score 1-3.

Its also possible to add other types of criteria if you want to refine your policy. It all depends what you want to limit and the purpose, is it to control Shadow IT or is it from a Security perspective. Some examples below of other criteria that could be useful depending on the use case.

  • App Category Productivity
  • Daily Traffic Below 5 MB
  • Number of Users Below 5

PRO TIP: When building your Policy its very good that you can play with the Preview Results, that gives you instant feedback on how well your query will perform so try that out.

Back-end Integration

When the unsanctioned app is marked as unsanctioned the back end integration between MCAS and MDATP exchanges data and Custom Indicators are being populated. You can find these under Settings > Indicators > URLs/Domains

Like in this example we did block WhatsApp and that would replicate over to the Indicators in MDATP. The whole flow depending on sync should not take longer than 3 hours. From that you have blocked in MCAS to that the Endpoint has the blocking instruction.

Once its available in MDATP the Endpoints should update their Indicators and should start blocking.

End User Experience

At the moment the end user experience is fairly limited the user would get a Toast Notification that something has been blocked unless you have turned notifications off.

Depending on the App you are trying to communicate with the blocked app/url the behavior would occur differently.

For WhatsApp it would look like this when Launching it (sorry message in Swedish)

And a Default Notification Message like this below

Reporting

At the moment the tracking and reporting is also limited to whats available in MCAS and MDATP and its supported retention times.

Future Asks

Things I want to see and I have fed back to the Product groups I want this to evolve to going forward.

  • Support for X-Platform Devices
  • Block without Alerting like Block and Report
  • Having the possibility to do Exclusions and Custom Targeting of Devices/Users
  • Expand this to URL Categories Block / Monitor
  • Better Historical Reporting
  • Customize Messages
  • End User Coaching
  • End User Exclusion Request

If you have other ideas feel free to tweet me at @stefanschorling and I will relay.