Saas sales process for security made easy with airSlate SignNow

How to create outlook signature

hello everyone thank you for attending the sas security webinar summer session my name is azadeh ahadian in today's session we will talk about the basics of sas security api and what we need to know to start monitoring sas applications efficiently we look at the architecture supported applications some definitions and main concepts best practices for using and defining policies remediation approaches and required initial setting sas security solution protects the growing number of both sanctioned and unsanctioned applications it prevents threats to sensitive resources and maintain compliance in the cloud there are two components working together to provide these functions sas security api what once was called prisma sas is the component that scans assets in the cloud for detection and inspection across all users and also provides remediation options currently about 26 applications are supported sas security inline add-on handles risks posed by unsanctioned sas applications it covers about 24 000 applications sas security online and sas security api provide an integrated casb solution that eliminates the complexity of third-party integrations sas security inline provides comprehensive visibility by discovering and control of new applications the enterprise data protection features provide data loss prevention and compliance across sas applications network and users this is done by managing user access and controlling user privileges in addition to automatically discovering classifying and protecting sensitive information consistent security by enabling safe cloud adoption and user mobility and preventing threats in real time using machine learning attack preventions it is very easy to deploy and cost effective sas security api secures sanctioned cloud applications by providing data classification and visibility into sharing and permissions by connecting directly to the sas applications using api you will have complete insight into user folder and file activity and can determine any risk of data exposure or any compliance related policy violation it is a great help in governing your data and the data usage for sas applications one of the advantages is that there is no configuration required on the endpoint from now on in this presentation when we talk about sas security we will be talking about sas security api and cloud apps refer to sanctioned and approved cloud apps by your company we know that sas applications are cloud apps owned and managed by a service provider but the user has and keeps control of the data now the important thing to remember is that because of the nature and behavior of cloud app and the control they provide to the user supported remediation action provided by prisma sas vary by sas application as mentioned before we support more than 26 cloud apps and the number is growing rapidly now let's talk about some terminologies and concepts sanction applications are critical to business and usually allowed with no restrictions unsanctioned application are harmful and can be dangerous and are blocked with no exceptions some of these reason might be known threats being hosted in a dangerous geographic region with poor or no security and governance control or it might be because of a bad end user agreement or service level agreement tolerated applications are important but are not visible completely to the security infrastructure and cannot be controlled properly collaborator a collaborator is someone who can access view download comment or edit an asset we have internal to the company and external collaborators the next concept is essential to understand when starting to work with sas security api we will look into it again later an internal domain list is a list that needs to be defined by the user before adding and scanning a cloud app this list is used to determine internal and external users and also the asset exposure level the collaborator email address domain name is compared against this list if it matches it means the con collaborator is internal to the company trusted and untrusted are attributes used to distinguish trusted user this way you can add internal collaborator to the trusted user list this is important in policy definition and hop policies trigger violations by defining these attributes precisely you can reduce false positives now let's talk about exposure level the exposure level is the attribute that classifies how an asset is shared assets are considered public if they are either have a public shared setting or have a shared link public share setting example could be assets find in a public repository or being indexed publicly on google a shared link can be a public link vanity link or a password protected link created by the owner of the asset an asset is considered external if the owner has given the right to external users to participate and collaborate the company level exposure is when the owner creates a company-wide url giving access to everyone in the company internal is the asset that either not shared or only shared with the users within the company with an email address in the company domain name shared by custom url is only for the box asset and is hidden if you are not scanning a box app in this case the owner created a custom link vanity link or password protected link for direct access to the asset and shared this asset directly or indirectly using the custom link prismasas comes with a large number of predefined out-of-the-box policies which covers all different kinds of security risks some of these policies are disabled another important step before adding your cloud apps is to first understand your company's security policy guidelines and what policy rule you need for each app second you need to decide which approaches best fit your needs you can start adding your cloud apps with all default out of the box policies enabled this approach helps you understand and analyze your cloud app security posture as a whole then you go through all incidents and alerts and resolve them gradually this can be overwhelming as you have to deal with a large number of alerts at once the second approach is disabling default policies and enabling them gradually after studying them and adding your cloud apps this way you will better understand the risks each policy is designed to prevent and avoid being overwhelmed by a sudden increase in the number of alerts different policy types allow you to manage assets user activities third-party apps and security controls across all supported sas applications you can enable generating the log for events that match a policy rule asset rules help you with identifying issues with data the content and who has access to it content security rules use data patterns and match criteria to discover activity in your cloud apps and provide remediation for incidents related to sensitive data user activity rules help you with identifying abnormal user behaviors with a group based policy you can enforce asset rules based on the active directory group of course you must integrate azure active directory to use this type of policy security control rules are specifically designed to define rules that monitor email activity in sas application or monitor configuration in ies infrastructure as service applications this type of policy rule is designed to focus on administrators of the cloud apps instead of users of such applications and third-party app rules help you with detecting and remediating non-compliant third-party applications some notes on best practices wildfire default policies are very important and required for all enterprises so leave them enabled and leverage the autoremediation feature for these rules make sure to select all file types and regularly check these settings as we add the support for the new files make sure untrusted user policies are up to date and update the list of untrusted users and untrusted domain regularly customize out-of-the-box policies to better match your regulations and policy requirements you can also create a policy from scratch make sure all default data patterns are enabled and remove duplicate policies let's review some use cases one thing to do to enrich data identifiers in each policy is to add additional keywords this reduces false positives these keyboards are matched within a 100 bytes distance before and after the original identifier for example if your company uses mc for the master card add that as an identifier another thing you can do is validate that each data identifier suits your business need otherwise remove them for example you can remove the uk taxo idea identifier if that does not make sense to your company you can also add additional regular expression to find more sensitive content for example you can add additional expression to match aws sensitive content such as aws access qid the other thing you can do is change the exposure level in policies not always exposing sensitive data to internal users is considered a risk in these cases you may want to remove the internal and company exposure from the policy another good practice is to differentiate bulk and non-bulk sensitive content exposure this can be done by having two policies with similar conditions and adding one condition to one of them to detect at least one occurrence of data specific sensitive data this way you can track documents that have a large number of sensitive contents again it always is good to add your own custom policies to track your unique sensitive data it is best practice to create application specific policies for each risk for example having pii data in the salesforce might not be risky as your company wants to keep customer specific data in the salesforce but keeping the same data in box might be risky sas security api provides detailed information about issues it detects as it scans the assets you can use this information to decide if these incidents are a real threat to your organization it also provides you with options on how to eliminate these risks you can either manually remediate this for a smaller set of incidents or choose automatic remediation for larger sets after the initial assessment of the incidents you have a better understanding of what approach is best for your organization several elements can affect this such as the organization's risk tolerance the volume of incidents identified and your sub team's resources you can choose automatic remediation manual remediation or a hybrid of both approaches the important thing to remember is that the remediation capabilities are different for each app and it depends on the remediation support provided by the app in the incident dashboard you see incidents sorted by severity and the high severity ones are shown at the top if you drill down into an incident it takes you to the asset detail page and there from the drop down menu you can choose different actions in this case the asset is stored on the box application and available actions are open the file on box download explore quarantine and send an email to notify people these are suggested actions and workflow the first thing you need to do is review and assess the incidents and get help from the wildfire report close the ones that are not a trip assign the risk to administrators to take necessary actions you have the options to quarantine assets also you can change the state of an incident automatic remediation is best when you have a large number of similar incidents again the remediation options depend on the specific cloud the first option is quarantine when an asset poses a thread we can quarantine which is either user quarantine or admin guarantee user currently sends the file to a quarantine folder in the file owner root directory in the admin quarantine option it sends the asset to an admin parenting folder that only users with admin privilege has access to it you can also notify the file on air by sending a remediation digest email to the file owner notifying via board is an option too so instead of using the administrator account you can use a machine account the other options are creating incidents or sending an email alert to the administrators we talked about the importance of some initial settings and configurations such as defining an internal domain list here is a list of important settings that need to be done we go through each of these first we must change the time zone to local time zone to display the local date and time stamp only a super admin can change the default time zone globally admins who have access to all apps can change the time zone for their sessions you can change the default language for better team collaboration note that default language applies to all cloud apps and only a super admin or an admin with access to all cloud apps can modify this setting sas security allows you to configure an email to enable sending email when a policy violation happens you must define a name for the sender it is a good practice to choose a name that indicates this email is from sas security and related to an incident you should also have an email address for communication you should use a distribution list or an alias with a group of admins or auditors the next setting is choosing login restrictions you have three options allowing admin to login from any ip address specific ip addresses or deny access from a specific ip addresses the next set of settings is related to the cloud app and a scan setting the first setting is defining your internal domains we discuss this in detail at the beginning of our presentation and emphasize that this need to be done before adding a cloud app and scanning your cloud the second setting is to choose how you want your sensitive data to be masked you have three options no mask partial mask and full mask the next one is defining external collaborators here is where you can define trusted and untrusted user domains we mentioned earlier that sas security api uses a domain name in the user's email address to determine if the user is internal to the organization there are several predefined rules that you can select when defining your admins you can also create a custom role to enable more granular access super admin allows full functionality within sas security including global account setting creating administrator accounts and assigning administrator roles admin role cannot change the global setting but have full functionality including automatically or manually remediating risks and creating additional admin accounts the incident management admin role allows grand lore access to investigate and remediate incidents limited admin can also assess incidents and remediate risks the read-only rule allows only viewing information on sas security and generating reports this rule cannot change anything it can access incident but cannot remediate risks custom roles with specific permissions allow a specific task tailored to your organization's need group administrators and assign them to the appropriate teams some action you can take to be proactive and eliminate the risks are regularly checking cloud apps status by logging in and checking the main dashboard there are several filters that you can use to narrow down your search when reviewing the risks pay attention to the content of the risk the category the exposure level of the risk and the audit trail of activities on file or folder send an email to people exposing the risk and if they don't take action and fix the problem remove the file link for malware risks ensure an endpoint a scan runs on every endpoint take proper action to clean up the dashboard and reduce the number of incidents for example resolve the incidents that are false positives and not real threats always revisit policies and keep them up to date with your company's security rules to avoid false positives give admin and super admin credential to only a few people so only those can control policy creation risk mitigation and reviewing other admin activities create more review or read-only accounts for other employees who need to review risks and contents thank you everyone for your time now we will have our q a session