Research on cloud adoption trends indicates that 15.8% of corporate data in the cloud is sensitive – meaning that it contains personal, payment, health, or confidential data that is governed by internal policies or compliance regulations. While enterprise cloud services have implemented security controls to prevent compromise of their platforms, high-risk user behavior can still expose data to theft or loss. The average organization experiences 19.6 cloud-related security incidents each month, including insider threats (malicious and accidental) and compromised accounts.
In this whiteboard walkthrough, Skyhigh’s Santosh Raghuram explains how a cloud access security (CASB) detects and remediates these common types of threats, and how a CASB is different from the threat protection capabilities available within cloud services and standalone UEBA solutions.
Hi. I’m Santosh Raghuram. I head up threat protection for Skyhigh Networks, and I’m here to talk to you about how you can leverage our CASB to address threat protection to your enterprise data on the cloud. So, when it comes to addressing threats for your enterprise data on the cloud, there are two common use cases that we need to first understand. The first one is insider threats, and the second one is compromised accounts.
So, let’s first understand what an insider threat really means. So, our customers often come to us and say, “Hey, you know? We hired a person, a salesperson, who in the very last few days of his being with us, downloaded a lot of data from Salesforce and uploaded it to some person’s service and took it out of the company.” That is a classic case of an insider threat.
What’s a compromised account? One case of compromised accounts that our customers have told us, amongst a lot of them, is that of phishing. So, an employee gets an email which is a phishing email, and he clicks on that, and that phishing email is then used to compromise his account credentials, and those account credentials are then used to exfiltrate a lot of data that is confidential to your enterprise.
Now, having answered these two common use cases, let’s dig deeper and understand how an enterprise can leverage a cloud access security broker, commonly known as a CASB, to address this challenge. What is a CASB, and how does it provide threat protection?
A CASB is essentially a control point where you can put in all your policies for securing data on your cloud. It provides threat protection by firstly understanding your event feeds from the APIs of sanctioned cloud services, and then monitoring for visibility on all data across all cloud services using a proxy. In this example, let’s see how it mitigates these two use cases.
The first one is that of the insider. So, you have a malicious insider who is downloading a lot of data from a sanctioned service like Salesforce, and uploading it to, let’s say, a personal service like Gmail. In this case, firstly, our CASB helps you identify normal versus abnormal user patterns using inbuilt user behavior analytics. For example, it will tell you that this person is downloading a lot more data than he normally does.
You can put in policies in the CASB to say that this anomalous behavior you want to mitigate by limiting the amount of data that is being downloaded per day, for example. And then you can come back, review what happened, what data was downloaded, and then allow the user to resume downloads, or you can say, “Hey, you know that’s not permitted.” If you don’t want to put a policy at this place, what our CASB allows you to say that, “Hey, a large download from a service like Salesforce followed by a large upload to a shadow service, with signature detection, is captured and then remediated” We can do that with services like Gmail, Dropbox, etc. This is how we address a common case of insider threats.
Now, let’s take a look at how our CASB can be used to address compromised accounts. In this case, let’s assume he is the outsider who is using compromised account credentials to access data. All of this is firstly visible to our CASB in terms of account access, what data is being accessed. Not only that, our CASB is also detecting frequency of access and locations from where the data is being accessed. For example, if this user is accessing data from a distant location of the user who had the credentials in a very short span of time, it’s an easy way to detect a compromised account.
Similarly, if he is exhibiting behavioral patterns which are very different from this user, and accessing records that the user usually does not, then that’s a very easy catch for a compromised account. These are all ways in which a compromised account can also be caught using a CASB. Again, you can put policies in place to ensure such abnormal behavioral patterns can be mitigated by various methods. You can have the user account being disabled, you can have multi-factor authentication enabled in real time, called stepped-up identification. Or you could say it sends a notice to your SOC team for immediate incident response. This is how a CASB essentially addresses these two use cases.
Let’s look at one more approach enterprises use to capture or address this challenge. They essentially also try to do so using cloud service providers, known as CSPs. Take the example of CSPs such as Salesforce, Box and Office 365. They will give you event feeds as an enterprise, and these event feeds will tell you who has logged in, when did they log in, and what did they do. It can give you complete visibility on this part of the picture, but it will not give you any remediation, it will not give you any visibility on this piece. In the case of the insider threat, you will not be able to differentiate an insider, a malicious insider, downloading a lot of data and uploading it to a sanctioned service with another insider who is doing it for business reasons. And hence, you can’t put the right policies in place without impacting business productivity.
That’s how a CSP essentially provides limited functionality or capabilities to address this challenge. Let’s now move to a third approach taken by enterprises to address this challenge. This one is known as UEBA, and stands for user and entity behavioral analytics. These sorts of tools essentially help you understand normal versus abnormal user behavior. The way they do it is by leveraging event feeds from your proxies, firewalls, and the APIs from sanctioned cloud services. However, that gives them full visibility, but they don’t have any form of remediation in the case of detecting an actual threat.
Not only that, because they are having to process all of these logs post facto, their approach to threat protection is also not real time. So, that’s how, essentially, a UEBA provides threat protection.
To summarize, if you were to look at the benefits that a CASB provides to threat protection, they are four fold in nature. The first one is that it’s cross-cloud, and this is absolutely necessary for you to understand, which is, “How can you remediate the example of a salesperson downloading a lot of data from Salesforce and uploading it to a shadow service or a personal service like Gmail?” The second one is, how can you distinguish normal versus abnormal user behavior, and alert yourself on that? That’s key because a CASB provides user behavioral analytics inbuilt and integrated into its product. The third one is that a CASB is at a unique point in the cloud where it can provide remediation end to end across all your cloud services. And the fourth one is that it does this, all of this, in real time, which is highly critical, because even if there is a threat or an incident that has happened, you want to be sure that you are able to detect it in real time and mitigate it and nip it in its bud when the loss is minimal.
That’s the summary of how our CASB can be used to provide threat protection for an enterprise. If you have any questions or suggestions regarding chalktalk topics, please write to us at email@example.com. Thank you so much, and have a nice day.