What needs improvement with Microsoft Cloud App Security?

The fidelity of the signal in Microsoft Defender for Cloud Apps has been a challenge in some areas. There have been instances where the alerts generated have been false positives. A lot of work has to go into scoping and tuning the policies so that actual value can be achieved, especially when not doing outright blocks. When monitoring is the approach, it can be overwhelming for security teams to review all of the alerts and determine which ones require action. When a legitimate alert is found that requires action, the tools are available to take that direction, but it can take considerable time to determine if an alert is real or not, and that represents a problem. There is uncertainty about how well Microsoft is keeping up with the changing landscape of threats, as new artificial intelligence services and software as a service applications appear every day.

Microsoft could improve Microsoft Defender for Cloud Apps by adjusting the logs that are flowing, as they seem to be excessive. They are direct raw logs, so if the logs were coming in a bifurcated way with different columns to help create new use cases, that would be better instead of manually parsing the logs to extract the needed data. Additionally, the graph displayed in the Defender portal mostly doesn't capture the full picture as we see in endpoint-related or identity-related alerts; we can see a complete graph of what is happening there, but Microsoft Defender for Cloud Apps still falls short in capturing that whole aspect in the graph. Microsoft Defender for Cloud Apps would benefit if Microsoft allows users to fine-tune false positives, enabling us to dismiss alerts or make adjustments so that such things don't trigger multiple times in the future.

Licensing cost is a significant concern. With Defender Plan 1, Microsoft Defender for Cloud Apps comes with a pay-per-use model. Each feature has its own pricing when activated on VMs. For example, the vulnerability assessment has separate pricing, the base model including encryptions has separate pricing, and the compliance features have separate pricing. This applies to each VM and Azure resource individually. It is not straightforward where you can take one license and apply it to everything. Each feature has its own pricing model which can be tedious, as the costs keep accumulating. The only lacking feature currently is XDR (extended detection and response). Apart from that, I have only positive experiences with the whole Microsoft suite, except for the pricing structure.

An area of Microsoft Defender for Cloud Apps that needs to be improved or enhanced is the reporting function. In the beginning, there was a good reporting function which gave us a sort of monthly overview report. But that has gone away. Unfortunately, I loved that because I don't need to create a report myself, which we do now. We do that weekly, but it was very handy when it was available to us. Microsoft withdrew that capability. Nevertheless, overall, I am very satisfied with the solution.

The areas of Microsoft Defender for Cloud Apps that need improvement are related to IAM, as they do not provide much support for local users. Defender typically connects to Entra ID, but we have local users on the cloud for database access, SSH, or RDS, and there is nothing produced by Defender regarding those local IAM users. Defender largely integrates with Entra ID, leaving a gap for local IAM users.

The documentation could be improved as it is not updated immediately when Microsoft makes changes. Users must wait a few weeks for the changes to be reflected in the documentation.

The insights could be improved, especially in reporting. While it is possible for me to see the usage from different cloud apps, determining if critical data has been uploaded or if it is just normal transport data is difficult. Previously, I could drill down into data uploaded by specific users or IP addresses from a cloud app, however, this is no longer available. For data loss prevention, it would be useful to be able to drill down into the kind of data being transferred over CloudApp. Additionally, the info boxes are sometimes misleading. Guided assistance would be helpful.

We are having trouble with our continuous reporting configuration and struggling with configuring the collector properly with our log parsing. We've also faced difficulties getting support for this issue. It's taken us months to figure this out after going through a couple of different support channels.

The product is very good so far, however, it would be better if it could include more up-to-date threat protection.

Microsoft has been high on implementing Copilot. If it is already integrated for using Copilot for security, that would be great.

I would like more customization of notifications. Currently, you either get everything or you get limited information. I would like to have something in between where we can customize the data that is included in notifications. That is one thing. The comment field also needs improvement. If you want to generate a workflow within the organization for a notification that occurs, the comment field is not visible to the next person who logs in. They should make that a little more visible. They should make the history more available to the next person I assigned a task to.

There could be more granular roles that are out of the box included in the product. I guess it would help people who aren't as savvy. Right now, I have to create many custom models for different use cases. It would be great if roles were more geared towards specific use cases to cover multiple aspects. In a case where a role is for a security admin, it could grant roles that are needed and not too many unnecessary roles. For example, it gives the security admin some access to the compliance portal, but the executive may not need that access. So it could be more granular.

The technical support team has room for improvement. Their response time is slow.

Defender for Cloud Apps is primarily useful for Azure apps. It has limited capabilities for applications based on other cloud platforms. Microsoft security products are excellent in the detection phase, but they should have more features for the response component. I would like to see a mobile app for managing Defender for Cloud Apps. We currently use the cloud dashboard, but it would be nice if Microsoft offered more solutions for managing the product.

Currently, we are only able to utilize the policies for blocking threats. I would prefer to have filtering options incorporated within the policies, enabling the solution to perform tasks beyond mere blocking or allowing.

Defender for Cloud Apps could come with more configured policies out of the box. Also, integration could be easier. Integration is moderately difficult because Microsoft hasn't developed a solution that unifies device onboarding and management. You have to use Intune to manage devices and Defender for Endpoint to enforce policies. They need to fix their integration, but I believe they will straighten it out by the end of the year.

Defender could integrate better with multi-cloud and hybrid environments. It requires some additional configuration to ingest data from non-Azure environments and integrate it with Sentinel.

We sometimes get errors when we create policies, which is somewhat annoying because some policies stop working due to misconfigurations. We find this challenging because it limits our options for troubleshooting an issue. A user policy might be disabled due to some minor issue, but it affects the policy for the entire group of users. It takes some time to troubleshoot it, find the issue, and correct it.

The visibility it provides is quite good. You get all the logs for investigation purposes. But there should be more clarity on what is happening with a file. Sometimes, we'll get false positive alarms. For example, when a SharePoint path has no file sharing, but there is an external user, it will trigger an alarm that the file has been shared with an external user. It happens because an external user has access to it but, in reality, he doesn't access it. But you need to check whether anyone has accessed the file and that takes some time. While giving the alert, if it could be more precise in terms of what happened with that file—why it is giving the alert—it would be more convenient for the investigation and save a lot of time. The alerting mechanism should be more precise when giving you an alert about what activity has been done with the file, whether it was shared or whether it was in a path where an external user had access to it. Also, Microsoft should provide more automation features. At this time, they are limited.

They need to improve the attack surface reduction (ASR) rules. In the latest version, you can implement ASR rules, which are quite useful, but you have to enable those because if they're not enabled, they flag false positives. In the Defender portal, it logs a block for WMI processes and PowerShell. Apparently, it's because ASR rules are not configured. So, you generally have to enable them to exclude, for example, WMI queries or PowerShell because they have a habit of blocking your security scanners. It's a bit weird that they have to be enabled to be configured, and it's not the other way around. Normally, you'd expect when something is not configured, it doesn't enable itself, but for the purpose of this, apparently, Microsoft has told us to enable them. So, you've got to enable them because they keep flagging and blocking products even when they're not configured. It was just an oversight in the design department when they deployed an update to the feature, but I'll live with it. I'd like to see them automate best-practice antivirus rules. If you search Microsoft best practice antivirus exclusions, there are virus scanning recommendations for antivirus computers running Windows or Windows Server. There is a whole list to exclude the most common things, which could be anything from NTFRS, check folders, temp.DB, or EDBs. There are a lot of things for group policy extensions, exclusion, etc. This is a list of best-practice antivirus rules, but they still have to be implemented manually. In Sophos, five or six years ago, if it was a SQL Server, they automatically included the rules to exclude certain folders or file extensions when doing on-demand scanning. I'd like Microsoft to do the same.

One challenge is integrating the cloud apps with third-party and on-premises systems. We have had some scenarios where some third-party systems were not compatible with them. Apart from that, it's quite easy to integrate. Microsoft has also been able to bring all the security features to a particular portal, so you don't have to look around. But I've heard about some negative effects as a result, as the portal is now cumbersome. You have a whole lot of products there and it makes the whole portal jumbled. It's not bad for me because I just have to go to that particular portal and check whatever I have to check. It doesn't actually decrease the time to respond. This has been an issue with Microsoft recently. Sometimes, there is a delay when it comes to getting an alert policy email. I can't stay on the portal all day looking through alerts that have been triggered. So we create a flow whereby, if an alert is triggered, an email should be sent. Sometimes it takes two or three hours for that email to be sent. The response time, sometimes, can be very slow.

The visibility is 85%. Sometimes, it takes too long to load your page because Microsoft is having issues. There are a certain amount of hours in a day to solve and rectify issues. If you deploy this solution for a client, you need to be able to respond or rectify issues. Because if the solution goes down, your clients won't be happy with you. We would like to get more information from the endpoint. I don't get enough detailed information right now on why something failed. There is not enough visibility. The cost could be improved when you need to pay for anything. For example, refreshing files takes time to load, though it may be my Internet. To improve the refresh time, Microsoft says that we need to pay for a Premium license, and I don't like paying for things that help make a solution better.

I would like to see them include more features in the older licenses. There are some features that are not available, such as preventing or analyzing cloud attacks. We have Defender P2 licenses and Microsoft proposed P3. If it included what was in the old package, such as the M365 license and Office, that would be very good.

We've had an issue where an in-session policy was not working. I want them to enhance the in-session policy. It's something I came across while adding the application into MCAS as I wanted to apply some MCAS policies on those applications.

There are some features, such as user navigation content filtering, that are disabled by default, and it probably makes sense to enable them by default.

It's not the cheapest. I believe it can be more reasonably priced. Sometimes the support is actually lacking. But we are talking about Microsoft.

If you have more elaborate needs or if you have some more sophisticated use cases, for example, if you need an in-line component, or if you need to distinguish between sanctioned and unsanctioned applications, this solution doesn't cut it. You need to have some other solution. Microsoft seems to want to mitigate that visible gap by deploying Microsoft DTP Defender for the in-line component. If you consume Microsoft, the more pieces you have, the better it is, although that's not necessarily true, technically speaking. They have limited deployment options. You have limited use cases for an endpoint with the firewalls port for IP tunnels for real-time traffic interception. You have to rule the endpoint. It's a less flexible deployment than the more mature players. There are challenges with detection and there are challenges with false-positive rates. They're improving it all the time. I haven't looked at it for six months or so, however, the last time I looked at it, they had to be configured in two different spots.

The integration with macOS operating systems needs to be better. The Cloud App Security integrates with Windows Defender for Endpoint, which is able to monitor the traffic from Windows 10 operating systems. When it integrates with Defender for Endpoints, the macOS capability does not let you directly see the shadow IT discovery. You have to be in your network, to be able to see if any activity from a macOS operating system is happening. If you're working from home without a VPN connection nowadays, which is the usual case for a remote workplace, you can't really monitor or track the activities in the shadow IT that users are using offsite on macOS operating systems. The Cloud App Security integration with external DLP solutions is not so seamless. There are solutions that you can integrate with Cloud App Security as an external DLP solution, however, it's not so seamless that you can have the integration with the endpoint. It's there, yet, it's not so seamless and integrable.

The response time could be better. It will be helpful if the alerts are even more proactive and we can see more data. Currently, the data is a little bit weak. It is not complete. I can't just see it and completely know which user or which device it is. It takes some effort and time on my part to investigate and isolate a user. It would be great if it is more user-friendly or easy for people to understand. If it is an Office 365 product, I expect it to be in the admin center. That way I would know that this is a part of Office 365. It feels like there is a mismatch, or they are trying to separate the product or do something like that. They should have streamlined the product. It is not always accurate. Sometimes, there could be some hiccups, and you see false positives, but security is not always reliable, and you cannot depend on one tool to give you all accurate results. It gives me a report that I can see, and if needed, I can act proactively on something. If it is a false positive, it is fine. If it is not, we know that we have done something about it.

It takes some time to scan and apply the policies when there is some sensitive information. After it applies the policies, it works, but there is a delay. This is something for which we are working with Microsoft. It cannot detect all the things that are required as per our bank's standards. We are working with Microsoft to see how they are going to help us resolve this, and based on NDA, which new features are coming in because we require a unified solution. We have other security solutions that are working on top of it, but we don't want to use multiple solutions and then end up with a human error. From a security perspective, the weakest link is human error. If certain features are monitored by MCAS, certain features are handled by Zscaler, and certain features are handled by Symantec DLP, it becomes difficult to synchronize from an operational standpoint. This is the situation we are in currently, but these issues come with new products or new cloud solutions. We have to slowly orchestrate and see how to unify the solutions. So, at present, it doesn't solve all the problems. There are many problems, but at least, we have other solutions that are currently providing some mitigation. It doesn't provide any way to scan Microsoft Teams when an external exchange of images is happening. You can always do the filtering on the documents during the chat, but if there is an image, then some kind of OCR capability is required to detect it. At present, there is no way MCAS can go and detect those kinds of images and alert us. They can maybe integrate it with an existing OCR-capable product. This is something that we are absolutely looking into. There should also be a feature to immediately increase the time to detect some PI information being exchanged via chat. Its reporting capabilities can be better. Currently, to generate reports, you need to have Power Automate in place. If such capabilities are built into the product, it would be easier because when we bring in Power Automate, we need to make sure that Power Automate also gets monitored from the DLP and governance standpoints. MCAS doesn't have many reporting capabilities, and it's really an operational nightmare to get all these things done at this point in time by using MCAS. These are some of the operational capabilities that our engineers require from this solution from the reporting perspective. Symantec and other solutions are more mature in this area. It could be because MCAS is still an upcoming product.

They should continue integration with all other Microsoft security-related products. The integration with all the other products is still ongoing. However, the solution has already begun scaling to meet the needs of getting visibility through from other products as well.

This service would be better if it had a separate license, only for this service, that could be used to track usage.

I would like for it to be available on Mac and for it to support all of the features of Microsoft financing products. It is really for Windows.

If this solution were more robust then it would be much more useful. The interface needs to be more user-friendly. Cloud App Security should be more lightweight.

Generally, the pricing can always be improved along with the management system. We are using new Apple products increasingly in our company, such as iPads and Mac computers. The integration with Apple products would be good. They have started with some implementation using Microsoft Softbox from Apple products in there.