
Trend Micro Cloud App Security Best Practice Guide


Best Practice Guide

Trend Micro Cloud App Security


CAS Best Practice Guide

Contents
Purpose
Deployment
Provision CAS to Protect Exchange Online
Provision CAS to Protect SharePoint, OneDrive
Provision CAS to Protect Microsoft Teams
Provision CAS to Protect Gmail
Provision CAS to Protect Box, Dropbox and Google Drive
How to Verify Provision Status
For Office365 services
For Gmail
Key to Success
Configure ATP Policies
Configure Advanced Spam Protection
Malware Scanning
File Blocking
Web Reputation
Virtual Analyzer
Displaying Detection Results
Perform a Manual Scan
Check the Manual Scan Result
Dashboard View
Manage the widgets to show CAS’s detections
Overall Threat Detections
Log Console
Export the Logs
Generate the Report
Switch the Log View
Appendix
TMCAS Related Documentations
CAS Writing Style Best Practice Guide
Apply for a Trial Account


Purpose
This document serves as a guideline to help customers develop a set of best practices when provisioning and
managing Cloud App Security (TMCAS).

Deployment
Provision CAS to Protect Exchange Online
To provision, hover the mouse over the Exchange Online service in the Dashboard of the CAS console and click
Provision.

NOTE: We suggest that the customer use a testing environment to run a POC first. Afterwards,
we can contact the backend team to help move this account to the production environment.

Follow the Steps in Provisioning CAS to protect Exchange Online using Access Token:


Provision CAS to Protect SharePoint, OneDrive


To provision, hover the mouse over the SharePoint/OneDrive service in the Dashboard of the CAS console and
click Provision.

For SharePoint:

For OneDrive:

It is RECOMMENDED to use Automatically Provisioning Delegate Accounts, because this is very
easy.

NOTE: We suggest that the customer use a testing environment to run a POC first. Afterwards,
we can contact the backend team to help move this account to the production environment.

For customers who have already deprecated Office365 legacy authentication, we recommend using an access token
to provision SharePoint/OneDrive.

For SharePoint:

It is VERY IMPORTANT to follow the instructions in Step 4 by clicking “Learn More” so that CAS receives
file change notifications from Microsoft for Real-time Scanning on your SharePoint sites.

For OneDrive:

It is VERY IMPORTANT to follow the instructions in Step 3 by clicking “Learn More” so that CAS receives
file change notifications from Microsoft for Real-time Scanning on your OneDrive sites.

NOTE: Provisioning SharePoint/OneDrive using the Access Token feature is currently in Pre-release
status and not yet an official release. Customers are encouraged to read the Pre-release
Disclaimer before using it.


Provision CAS to Protect Microsoft Teams


Provision a service account for Microsoft Teams to allow Cloud App Security to run advanced threat
protection and data loss prevention scanning on files in protected teams.

NOTE: Currently, Cloud App Security scans and protects only files stored on a SharePoint
team site.

It is VERY IMPORTANT to follow the instructions in Step 3 by clicking “Learn More” so that CAS receives
file change notifications from Microsoft for Real-time Scanning on your Teams sites.

Since Microsoft Teams sites are basically located in SharePoint, the CAS policy scanning priority for Microsoft
Teams and SharePoint sites is as follows:

Teams policy > SharePoint policy

Microsoft Teams Support Scope:

CAS only scans files uploaded to Microsoft Teams sites.

NOTE: Currently, Cloud App Security can only do Real-Time scanning for Microsoft
Teams; running a Manual Scan is not an option.


Provision CAS to Protect Gmail

• Before provisioning, please make sure that:

  o You have the administrator's credentials for G Suite.
  o You have not logged on to G Suite using any other user account.

• Provisioning a Service Account for Gmail: Provision a service account for Gmail to allow Cloud App
Security to scan emails in Gmail.

Provision CAS to Protect Box, Dropbox and Google Drive

• Before provisioning, please make sure that:

  o You have the administrator's credentials for your cloud application, for example, Box.
  o You have not logged on to the cloud application using any other user account.

• Provisioning a Service Account for Box: Provision a service account for Box to allow Cloud App
Security to scan files stored in Box.

• Provisioning a Service Account for Dropbox: Provision a service account for Dropbox to allow Cloud
App Security to scan files stored in Dropbox.

NOTE: Dropbox provisioning needs extra steps to input the team admin account for the provision.

• Provisioning a Service Account for Google Drive: Provision a service account for Google Drive to
allow Cloud App Security to scan files stored in Google Drive.


How to Verify Provision Status


For Office365 services
To evaluate the current provision status for Office365 services:

• Exchange Online Provision with access token

Exchange Online provision using an access token includes three steps, two of which grant the
required permissions for the O365 Graph API and EWS API, and the other synchronizes all users
and groups.

Step 1: After this step is done, the status of “Provisioning the service account for Exchange
Online” displayed under Notifications is Pending. This step takes only a few seconds.
If it lasts for more than one minute, there must be something wrong with this task.


Step 2: After this step is done, the status of “Exchange Online protected” displayed under
Notifications indicates that the backend progress is successful. This step takes only
a few seconds. If it lasts for more than one minute, there must be something wrong.

Step 3: CAS synchronizes users and groups from the customer’s Office 365. The time
required depends on the scale of the O365 tenant. An estimated time is shown for
this task, like “Update users and groups for Exchange Online. ** completed, About **
remaining”. If the status is “pending” and stays that way for a long time, for example over 30
minutes, something is probably wrong with this synchronization task. If the task
status is running but for much longer than the estimated time, for example over
10 hours, something is probably wrong in CAS.

• Automatic SharePoint/OneDrive Provision with the delegate account

During the automatic SharePoint/OneDrive provision, two statuses display under Task, which
indicate the backend progress:

  o Creating a delegate account
  o Updating SharePoint Online site collections and subsites
  o Updating OneDrive for Business users and groups

“Creating the delegate account” means that CAS is creating a delegate account for the customer.
Normally it does not take too long, no longer than 30 minutes. If this status stays pending for
more than 30 minutes, something is probably wrong in CAS.

“Updating SharePoint Online site collections and subsites” and “Updating OneDrive for
Business users and groups” mean that CAS is synchronizing the SharePoint/OneDrive sites
from the customer’s Office 365. The time required depends on the scale of the O365 tenant.
An estimated time is shown for this task, like “this may take about xxx minutes”. If the status is
“pending” without an estimated time displayed and stays that way for a long time, for example over 30
minutes, something is probably wrong with this synchronization task. If the task status is
running but for much longer than the estimated time, for example over 10 hours for a
company whose size is less than 10,000 users, something is probably wrong in CAS.

For Gmail
After the Gmail App is installed, the admin can confirm the following settings:

1. Make sure the necessary access privileges are granted to CAS in the G Suite admin console: go to Apps >
Marketplace apps and locate Trend Micro Cloud App Security. Make sure the Data access section
status is “Granted”.

2. Access the Google admin App page to ensure that the CAS App is enabled for all users.

3. Check whether the provisioned user has the CAS App.

4. Check the Google Admin page for the advanced G Suite API setting. On the Google Admin console,
go to Security > Settings.

5. Refer to the G Suite Admin help article to enable API access, then check the apps for Gmail.

6. Ensure Trend Micro Cloud App Security has permission for Gmail.

During the Gmail provision, one status displays under Task, which indicates the backend progress:

• Updating Gmail users and groups

“Updating Gmail users and groups” means that CAS is synchronizing the mailboxes and groups from the
customer’s G Suite organization. The time required depends on the scale of the G Suite organization. If
the task status is running but for much longer than 2 hours for a company whose size is less than 10,000
users, something is probably wrong in CAS.


Key to Success
The key to success is maximizing Cloud App Security protection. The following product settings are strongly
recommended during POC testing.

• Enable most of the Cloud App Security features (such as advanced spam prevention, malware
scanning, etc.).
• After a new user is created, first click “click here” to sync new users before testing.
• When mailboxes are migrated from on-prem to cloud, a manual cloud mailbox scan is
needed.
• After the RMS protection provision is done, go to the policy to enable the RMS protection.

Customers will NOT take risks when enabling more testing users or more protections during POC, because of its
architectural advantage: Cloud App Security has “Zero” impact on the customer’s mail, SharePoint/OneDrive
and Box/Dropbox/Google Drive flow.


Configure ATP Policies

We suggest that customers create a new policy for the specific targets instead of using the default policy.

• Create a new policy.

• Select the specific targets.

NOTE: In order to run a successful POC, we suggest that the customer select a target
group that contains several hundred users. It is NOT RECOMMENDED to select
only individual users for POC customers.


Configure Advanced Spam Protection

• Apply the rules to <All messages>.

• Enable the Writing Style Analysis.

NOTE: Please click HERE to get the Writing Style BP.

• To reduce false positives (FP), we suggest that the customer add trusted senders to the CAS Approved Sender
List.


Malware Scanning
Set up a malware policy to detect malicious files, which uses the virus scan engine to detect emerging threats.
Users can set a scan for all file types and enable all of Trend Micro’s technology.

Click HERE to get a testing sample.

NOTE: Predictive Machine Learning is disabled by default.


File Blocking
Set up a File Blocking policy to block files according to file type.

NOTE: Normally, we suggest that the customer block exe files, but this depends
on the specific security policy of the customer’s company.


Web Reputation
Set up a web reputation policy to detect bad URLs. (In particular, we have the ability to detect O365
credential phishing URLs.)

NOTE: “scan message attachment for suspicious URLs” is disabled by default; we
suggest that the customer enable it for POC purposes.

It is also highly recommended that the customer add “internal domains to the approved URL List”.


Virtual Analyzer
Set up a Virtual Analyzer policy to test the sandboxing capability. Virtual Analyzer is a cloud-based virtual
environment designed for analyzing suspicious files.

Click HERE to get a testing sample.

NOTE: To help the customer understand this feature better, we suggest that the
customer use monitor mode first. In this mode, CAS’s VA feature will only record
the VA detection result, but will not take any action.


Displaying Detection Results


Perform a Manual Scan
Running a manual scan performs an on-demand scan of targets based on the selected policy configuration. It
can detect potential threats before the customer uses CAS.

A new pop-up window then appears:

• The estimated completion time is shown during a scan.
• Refer to the Scan Result to see how long the manual scan took.
• Add Report Recipient to set the users who will receive the notification when the manual scan is finished.
• Trial account users can select a Scope period of 1 day only. For example, you can select
“Scan recently: 1 day” or Scan between Sep 01, 2018 and Sep 02, 2018.
• Manual Scan does not include Virtual Analyzer scanning.


Check the Manual Scan Result


Click the scan history to get the manual scan result.

• Show details

Dashboard View
Manage the widgets to show CAS’s detections

Then, please select all:


Overall Threat Detections

NOTE: Select the right time range for the detection results that will be displayed on the dashboard.
(You can select “Apply to all widgets”.)


Log Console
On the CAS console, the user is provided with a place to view the scan logs that are collected from different CAS
server roles and detections.

NOTE: Select the right time range for the detection results on the log view console.


Export the Logs

Generate the Report

Switch the Log View


Appendix
TMCAS Related Documentations
CAS Writing Style Best Practice Guide

Apply for a Trial Account


Go to the Cloud App Security console to apply for a trial account:

• For EU customers/partners, go to https://admin-eu.tmcas.trendmicro.com/#!/
• For JP customers/partners, go to https://admin.tmcas.trendmicro.co.jp/#!/
• Other region customers/partners go to https://admin.tmcas.trendmicro.com/#!/

NOTE: The CAS trial license will expire within 2 months. You can contact the product team to
extend the trial license.

Trend Micro Incorporated, a global leader in security software, strives to make the world safe
for exchanging digital information. Our innovative solutions for consumers, businesses and
governments provide layered content security to protect information on mobile devices,
endpoints, gateways, servers and the cloud. All of our solutions are powered by cloud-based
global threat intelligence, the Trend Micro™ Smart Protection Network™, and are
supported by over 1,200 threat experts around the globe. For more information, visit
www.trendmicro.com.

©2020 by Trend Micro Incorporated. All rights reserved. Trend Micro, the Trend Micro t-ball logo, and Smart Protection Network are trademarks or
registered trademarks of Trend Micro Incorporated. All other company and/or product names may be trademarks or registered trademarks of their owners.
Information contained in this document is subject to change without notice.
