Trend Micro Cloud App Security Best Practice Guide
Contents
Purpose
Deployment
Provision CAS to Protect Exchange Online
Provision CAS to Protect SharePoint, OneDrive
Provision CAS to Protect Microsoft Teams
Provision CAS to Protect Gmail
Provision CAS to Protect Box, Dropbox and Google Drive
How to Verify Provision Status
For Office365 services
For Gmail
Key to Success
Configure ATP Policies
Configure Advanced Spam Protection
Malware Scanning
File Blocking
Web Reputation
Virtual Analyzer
Displaying Detection Results
Perform a Manual Scan
Check the Manual Scan Result
Dashboard View
Manage the widgets to show CAS’s detections
Overall Threat Detections
Log Console
Export the Logs
Generate the Report
Switch the Log View
Appendix
TMCAS Related Documentations
CAS Writing Style Best Practice Guide
Apply for a Trial Account
Purpose
This document serves as a guideline to help customers develop a set of best practices when provisioning and
managing Cloud App Security (TMCAS).
Deployment
Provision CAS to Protect Exchange Online
To provision, hover the mouse over the Exchange Online service in the Dashboard of the CAS console and
click Provision.
NOTE We suggest that the customer use a testing environment to run a POC first. Afterwards,
we can contact the backend team to help move this account to the production environment.
Follow the Steps in Provisioning CAS to protect Exchange Online using Access Token:
For SharePoint:
For OneDrive:
NOTE We suggest that the customer use a testing environment to run a POC first. Afterwards,
we can contact the backend team to help move this account to the production environment.
For SharePoint:
It is VERY IMPORTANT to follow the instructions in Step 4 by clicking “Learn More” so that CAS receives
file change notifications from Microsoft for Real-time Scanning on your SharePoint sites.
For OneDrive:
It is VERY IMPORTANT to follow the instructions in Step 3 by clicking “Learn More” so that CAS receives
file change notifications from Microsoft for Real-time Scanning on your OneDrive sites.
NOTE Currently, Cloud App Security scans and protects only files stored on a SharePoint
team site.
It is VERY IMPORTANT to follow the instructions in Step 3 by clicking “Learn More” so that CAS receives
file change notifications from Microsoft for Real-time Scanning on your Teams sites.
NOTE Currently, Cloud App Security can only do Real-Time scanning for Microsoft
Teams; running a Manual Scan is not an option.
Provisioning a Service Account for Gmail: Provision a service account for Gmail to allow Cloud App
Security to scan emails in Gmail.
You have the administrator's credentials for your cloud application, for example, Box.
You have not logged on to the cloud application using any other user account.
Provisioning a Service Account for Box: Provision a service account for Box to allow Cloud App
Security to scan files stored in Box.
Provisioning a Service Account for Dropbox: Provision a service account for Dropbox to allow Cloud
App Security to scan files stored in Dropbox.
NOTE Dropbox provisioning needs extra steps to input the team admin account for the provision.
Provisioning a Service Account for Google Drive: Provision a service account for Google Drive to
allow Cloud App Security to scan files stored in Google Drive.
Exchange Online provisioning using an access token includes three steps: two of them grant the
required permissions for the O365 Graph API and EWS API, and the other synchronizes all users
and groups.
Step 1: After this step is done, the status of “Provisioning the service account for Exchange
Online” displayed under Notifications is Pending. This step takes only a few seconds.
If it lasts for more than one minute, there must be something wrong with this task.
Step 2: After this step is done, the status of “Exchange Online protected” displayed under
Notifications will indicate that the backend progress is successful. This step takes only
a few seconds. If it lasts for more than one minute, there must be something wrong.
Step 3: CAS synchronizes users and groups from the customer’s Office 365. The time
required will depend on the scale of the O365 tenant. An estimated time will show for
this task, like “Update users and groups for Exchange Online. ** completed, About **
remaining”. If the status is “pending” and stays that way for a long time, for example over 30
minutes, something is likely wrong with this synchronization task. If the task
status is running but for much longer than the estimated time, for example over
10 hours, something is likely wrong in CAS.
During the automatic SharePoint/OneDrive provision, two statuses display under Task, which
indicate the backend progress:
“Creating the delegate account” means that CAS is creating a delegate account for the customer.
Normally this takes no longer than 30 minutes. If this status stays pending for
more than 30 minutes, something is likely wrong in CAS.
“Updating SharePoint Online site collections and subsites” and “updating OneDrive for
Business users and groups” mean that CAS is synchronizing the SharePoint/OneDrive sites
from the customer’s Office 365. The time required will depend on the scale of the O365 tenant.
An estimated time will show for this task, like “this may take about xxx minutes”. If the status is
“pending” with no estimated time displayed and stays that way for a long time, for example over 30
minutes, something is likely wrong with this synchronization task. If the task status is
running but for much longer than the estimated time, for example over 10 hours for a
company whose size is less than 10,000 users, something is likely wrong in CAS.
For Gmail
After the Gmail app is installed, the admin can confirm the following settings:
1. Make sure the necessary access privileges are granted to CAS in the G Suite admin console: go to Apps >
Marketplace apps and locate Trend Micro Cloud App Security. Make sure the Data access section
status is “Granted”.
4. Check the advanced G Suite API setting on the Google Admin page. On the Google Admin console,
go to Security > Settings.
6. Ensure Trend Micro Cloud App Security has permission for Gmail.
During the Gmail provision, one status displays under Task, which indicates the backend progress:
“Updating Gmail users and groups” means that CAS is synchronizing the mailboxes and groups from the
customer’s G Suite organization. The time required will depend on the scale of the G Suite organization. If
the task status is running but for much longer than 2 hours for a company whose size is less than 10,000
users, something is likely wrong in CAS.
Key to Success
The key to success is maximizing Cloud App Security protection. The following product settings are strongly
recommended during POC testing.
Enable most of the Cloud App Security features (such as advanced spam prevention, malware
scanning, etc.).
After a new user is created, first click “click here” to sync new users before testing.
When mailboxes are migrated from on-premises to the cloud, a manual cloud mailbox scan is
needed.
After the RMS protection provision is done, go to the policy to enable RMS protection.
Customers do NOT take on risk by enabling more test users or more protections during the POC, because of
the product’s architectural advantage: Cloud App Security has “Zero” impact on the customer’s mail,
SharePoint/OneDrive and Box/Dropbox/Google Drive flow.
NOTE In order to run a successful POC, we suggest that the customer select a target
group that contains several hundred users. It is NOT RECOMMENDED to select
only individual users for POC customers.
In order to reduce false positives (FP), we suggest that the customer add trusted senders to the CAS
Approved Sender List.
Malware Scanning
Set up a malware policy to detect malicious files; it uses the virus scan engine to detect emerging threats.
The user can set a scan for all file types and enable all of Trend Micro’s technologies.
File Blocking
Set up a File Blocking policy to block files according to file type.
NOTE Normally, we suggest that the customer block exe files, but this depends
on the customer’s company-specific security policy.
Web Reputation
Set up a web reputation policy to detect bad URLs. (In particular, CAS is able to detect O365
credential phishing URLs.)
It is also highly recommended that the customer add internal domains to the approved URL list.
Virtual Analyzer
Set up a Virtual Analyzer policy to test the sandboxing capability. Virtual Analyzer is a cloud-based virtual
environment designed for analyzing suspicious files.
NOTE To help the customer understand this feature better, we suggest that the
customer use monitor mode first. In this mode, CAS’s VA feature will only record
the VA detection result, but will not take any action.
Dashboard View
Manage the widgets to show CAS’s detections
NOTE Select the right time range for the detection results that will be displayed on the dashboard.
(You can select “Apply to all widgets”.)
Log Console
On the CAS console, the user is provided with a place to view the scan logs that are collected from different
CAS server roles and detections.
NOTE Select the right time range for the detection results on the log view console.
Appendix
TMCAS Related Documentations
CAS Writing Style Best Practice Guide
NOTE The CAS trial license will expire within 2 months. You can contact the product team to
extend the trial license.
©2020 by Trend Micro Incorporated. All rights reserved. Trend Micro, the Trend Micro t-ball logo, and Smart Protection Network are trademarks or
registered trademarks of Trend Micro Incorporated. All other company and/or product names may be trademarks or registered trademarks of their owners.
Information contained in this document is subject to change without notice.