Back to Blog
24 Sep 2022

Got M365? Then you’ve got Microsoft MCAS for data loss visibility

Like many organisations you may have adopted Microsoft 365. But just because a business is licensing 365 doesn’t mean they are leveraging its full potential. Microsoft MCAS (now called ‘Microsoft Defender for Cloud Apps’) is an example. Here’s how we deployed it for one of our clients and the benefits they reaped.

It’s surprising that given the cost of licensing Microsoft 365 (M365) more organisations are not switching on all of its functionality. Typically it’s because of poor training on all the tools, and sometimes it’s because senior management is just unaware of the entire toolbox.

To learn more, we asked CEOs and Founders what M365 tool benefits their company the most. The results are in the chart, and you can see that Word, PowerPoint and Excel got 50% of the vote. We would argue that while these apps used frequently, they are not necessarily the most beneficial.

What Microsoft 365 tool benefits your organisation the most?

OneDrive and Microsoft Defender probably benefit companies more, yet they each got only 8% of the vote. Senior management perhaps needs to be made aware of the role these tools play in the efficient running and security of their organisation.

Thankfully, our clients are very aware. One client wanted advice on how to better protect their company from data loss and asked for our advice. MCAS was our answer.

What can Microsoft MCAS do?

MCAS is primarily designed to limit, prevent and monitor data loss. It does this by ingesting your cloud apps and monitoring staff activity on them. In this case, we monitored SharePoint, OneDrive, Teams, Dropbox, and Slack.

Alerts were set up to raise the alarm if company data was compromised. For example, users send emails with attachments to a personal email address. Also, if the attachment extension is a source code (python, java, C++, etc.), alerts are sent regardless of whether the email is personal or a company address.

Adam Weldon-Ming, Cloud Solution Architect Team Lead at OryxAlign, highlighted the flexibility “Who receives the alerts and what happens to the suspicious emails depends on how you want to skin it. Emails can be held until released by the IT team or sent but with a warning to the user and alert to your IT leader. You create the rules.”

The alerts can also include if users download large data files from SharePoint or OneDrive and monitor external applications such as GitHub, Slack, etc. The possibilities seem endless.

MCAS gave our client visibility. We then layered DLP and Sensitivity Labelling to help prevent unauthorised sharing, plus Conditional Access to restrict entry based on management defined criteria.

DLP and Sensitivity Labelling

We applied the Sensitivity Label to our client’s finance library. The system will block users’ attempts to share documents outside the company. It can also restrict internal sharing to only nominated individuals within the company.

Adam explained “Let’s say Sandra downloads restricted files to a USB key and passes it to John. John would have to log in with Sandra’s details using 2FA, which makes things really difficult.”

Data Loss Prevention (DLP) adds yet another layer of security. It restricts the sharing of highly sensitive data (such as credit card details, passwords, etc.) with external organisations as well as other internal departments. It creates an information barrier.

Conditional Access

Conditional Access de-risks access to data. Using Microsoft Endpoint Manager or Azure Active Directory prevents individual staff members from printing or downloading data to their device (or any other device where they are signed in).

Adam continued “We created a security group. If our client has a person they are concerned about they can drop that user into the Conditional Access Security Group. This locks them down so they can only view corporate data in a web browser.”

Prevention is better than cure

Adam is convinced of the benefits Microsoft MCAS can bring, “It gives IT leaders visibility on how their staff are sharing and downloading data. A lot of companies already have the licence for it, so it seems sensible to spend a couple of days setting it up.” Combined with DLP and Sensitivity Labelling, as well as Conditional Access, he believes the full suite can give organisations peace of mind.

He also highlighted that data loss is not always malicious. Sometimes it is as simple as employees forgetting to delete a shared link. But without visibility of what people are doing with your data, you cannot implement relevant training or block suspicious activity.

Full visibility of cloud apps – a hidden benefit

To prepare for the deployment of MCAS, Adam suggests an audit of what cloud apps your employees currently use. This can be very revealing, as many organisations are not aware their staff are using unapproved apps.

The result of this discovery is that new apps, like Zoom, might be added to your list or further training given on the advantages of the sanctioned alternative (Microsoft Teams?). Adam believes this is good for staff relations, “If management adds a new and regularly used app to the list, your staff will see that you notice how they prefer to work. You’re listening.”

Want to learn more? Book a Microsoft MCAS consultation with one of our experts; no charge, no obligation.

Photo by mostafa meraji

Graham Smith

By Graham Smith