Cloud security has come a long way over the last few years. Today, most enterprise cloud service providers (CSPs) take responsibility for the security of the underlying application and its infrastructure. They protect against intrusions and attacks against their systems. However, securing the usage and data in the service is the customer’s responsibility, including how the service is used, who has access to data, and who is sharing what with whom. This model, known as the shared responsibility model, is employed by most enterprise cloud service providers, including Salesforce, Box, Microsoft, and Amazon.
Threats arising from insider activity or negligent employees are the customer’s responsibility. For this reason, enterprises invest in cloud threat protection solutions to protect their data. Gartner’s latest research predicts that by 2020, 60% of enterprise information security budgets will be allocated towards rapid detection and response solutions, up from less than 10% in 2014. These solutions must incorporate some form of User and Entity Behavior Analytics (UEBA) along with machine learning algorithms to build behavior models for cloud service users and detect anomalous activities indicative of a threat. To do this effectively, they will need to have the following five components:
- Visibility into cross-cloud threats
- Self-learning without human input
- Reduction of usage data to a mathematical model
- Grouping users based on behavior
- Awareness of distinct usage across hour/day/week/month
1. Visibility into cross-cloud threats
Cloud threat protection can only be effective when it has visibility into activity and threats that span multiple cloud services. Evaluating user activities beyond an initial login to include user movement across cloud services and the context in which that movement occurs allows a solution to protect corporate data across cloud systems. While several failed login attempts within a single cloud service, for example, might not be cause for concern, a user suddenly triggering failed logins across multiple cloud services could be a sign of a real threat. Another example would be a user who downloads a large report from Salesforce and subsequently uploads it to an unsanctioned file sharing service. Detecting this activity as a potential threat can only be done with a cross-cloud threat protection solution.
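The two cross-cloud patterns described above, expressed as detection logic over a small set of audit events, is shown below as an added example. This is illustrative code written for this article, not the code of any product; the event schema, the sanctioned-service list, the 30-minute window and the thresholds are all assumptions, and the events themselves are constructed.

```python
from datetime import datetime, timedelta

# Assumed policy values (not from the article): which services are sanctioned,
# how far apart correlated events may be, and how many failures matter.
SANCTIONED = {"salesforce", "box", "office365"}
WINDOW = timedelta(minutes=30)
MIN_FAILED_LOGINS = 4   # failed logins within WINDOW ...
MIN_SERVICES = 2        # ... spread over at least this many services
SIZE_RATIO = 0.8        # upload must be at least this fraction of the download

# Constructed audit events, already normalized from each service's own log
# format into one schema: (timestamp, user, service, action, outcome, bytes).
EVENTS = [
    ("2024-03-04T09:00:00", "alice", "salesforce", "login", "failure", 0),
    ("2024-03-04T09:02:00", "alice", "salesforce", "login", "failure", 0),
    ("2024-03-04T09:05:00", "alice", "box", "login", "failure", 0),
    ("2024-03-04T09:07:00", "alice", "office365", "login", "failure", 0),
    ("2024-03-04T09:10:00", "bob", "salesforce", "login", "failure", 0),
    ("2024-03-04T09:11:00", "bob", "salesforce", "login", "failure", 0),
    ("2024-03-04T09:12:00", "bob", "salesforce", "login", "success", 0),
    ("2024-03-04T10:00:00", "carol", "salesforce", "download", "success", 52_000_000),
    ("2024-03-04T10:12:00", "carol", "personal-fileshare", "upload", "success", 51_800_000),
    ("2024-03-04T10:30:00", "dave", "salesforce", "download", "success", 8_000_000),
    ("2024-03-04T10:40:00", "dave", "box", "upload", "success", 8_000_000),
]


def load_events(rows):
    """Turn the raw tuples into dicts with parsed timestamps, sorted by time."""
    events = [
        {"ts": datetime.fromisoformat(ts), "user": user, "service": service,
         "action": action, "outcome": outcome, "bytes": size}
        for ts, user, service, action, outcome, size in rows
    ]
    return sorted(events, key=lambda e: e["ts"])


def failed_logins_across_services(events):
    """Alert when one user accumulates MIN_FAILED_LOGINS failures inside WINDOW
    and those failures touch at least MIN_SERVICES distinct services.
    Failures confined to a single service never trigger this rule."""
    by_user = {}
    for e in events:
        if e["action"] == "login" and e["outcome"] == "failure":
            by_user.setdefault(e["user"], []).append(e)
    alerts = []
    for user, fails in by_user.items():
        for i, first in enumerate(fails):
            window = [f for f in fails[i:] if f["ts"] - first["ts"] <= WINDOW]
            services = {f["service"] for f in window}
            if len(window) >= MIN_FAILED_LOGINS and len(services) >= MIN_SERVICES:
                alerts.append({"user": user, "start": first["ts"],
                               "failures": len(window), "services": services})
                break  # one alert per user per run keeps the queue readable
    return alerts


def download_then_upload_unsanctioned(events):
    """Alert when a download from a sanctioned service is followed within WINDOW
    by a comparably sized upload, by the same user, to an unsanctioned service."""
    alerts = []
    for d in events:
        if d["action"] != "download" or d["service"] not in SANCTIONED:
            continue
        for u in events:
            if (u["user"] == d["user"] and u["action"] == "upload"
                    and u["service"] not in SANCTIONED
                    and timedelta(0) <= u["ts"] - d["ts"] <= WINDOW
                    and u["bytes"] >= SIZE_RATIO * d["bytes"]):
                alerts.append({"user": d["user"], "source": d["service"],
                               "destination": u["service"], "bytes": u["bytes"]})
    return alerts


if __name__ == "__main__":
    evs = load_events(EVENTS)
    for a in failed_logins_across_services(evs):
        print("cross-service login failures:", a)
    for a in download_then_upload_unsanctioned(evs):
        print("download followed by unsanctioned upload:", a)
```

Running it flags alice (four failures across three services) but not bob (two failures, one service), and flags carol's Salesforce download followed by an upload to the unsanctioned share while dave's Salesforce-to-Box move, between two sanctioned services, passes. The normalization step in `load_events` is the part that does the real work in practice: without a common schema across providers, neither rule can be written at all.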
2. Self-learning without human input
Activity patterns in the cloud, even for a specific user, are constantly evolving as employees take on new roles within the organization and change their habits. What this means is that once an environment has been observed, the behavioral models determined, and baselines established, the software should continue to evolve its models as it observes new and often dissimilar behavior without excessive human guidance. This characteristic sets UEBA apart from traditional heuristics and static models in that these traditional approaches require an unreasonable amount of manual updates to ensure accurate threat detection while UEBA-driven approaches evolve on their own.
3. Reduction of usage data to a mathematical model
Consider a Salesforce user whose activity has been captured in three years’ worth of audit trails. This user has likely generated numerous data points stored in the system. As the system registers new activity by this user, it could compare it against three years’ worth of raw data to determine whether the activity is anomalous, which would greatly tax the processing capability of the machine running the algorithm. Alternatively, it can convert the three years’ worth of raw behavioral data into a mathematical model, which greatly simplifies comparing new activity against prior activity to detect anomalies while retaining an information-dense representation of user behavior using higher-order polynomials.
4. Grouping users based on behavior
Take the example of four employees at an organization who take vacations on a regular basis every few months (not at the same time), and upon coming back from their vacations, all four upload a large amount of data (vacation photos) to personal folders in their corporate Box account. By automatically grouping these four users and their particular behavior together, a pattern can be drawn from their behavior that might not be evident if their behavior were observed in isolation. Grouping users helps improve the accuracy of threat detection, especially when usage data is scarce. In cases where usage of a particular service or time period is scarce for a user, their activity can be compared to that of similar users to infer whether it is anomalous.
5. Awareness of distinct usage across hour/day/week/month
Let’s go back to our imaginary Salesforce user. At the beginning of the quarter, she performs a lot of activity on the accounts she owns as she prepares for the upcoming quarter. Near the end of the quarter, she will again display a flurry of activity. But in between, she may exhibit little activity. If a system averages her activity over the whole quarter, it would infer a low level of usage and trigger numerous false positive alerts at the beginning and end of the quarter. Instead, if the system drew seasonal and cyclic patterns of behavior across time frames, then it would automatically correlate the amount of account activity to the period of time within a quarter to accurately differentiate normal behavior from a true threat.
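The following added example ties together three of the components above: reducing history to a compact model (component 3), falling back to a peer group when a user's own data is thin (component 4), and keeping a separate baseline per week of the quarter instead of one average for the whole quarter (component 5). It is illustrative code written for this article, not any vendor's algorithm; the "model" is simply a mean and standard deviation per week-of-quarter, the weekly edit counts, the peer-group assignment and the thresholds are all constructed assumptions.

```python
from statistics import mean, pstdev

WEEKS_PER_QUARTER = 13
MIN_SAMPLES = 3     # fewer samples than this and a per-week baseline is too thin
STD_FLOOR = 1.0     # never divide by a near-zero deviation
Z_THRESHOLD = 2.0   # |z| above this is treated as anomalous

# Constructed weekly counts of Salesforce account edits, one list per quarter.
# Activity is heavy in week 1 and week 13 and quiet in between, matching the
# start-of-quarter / end-of-quarter pattern described in the text.
HISTORY = {
    "alice": [
        [40, 5, 6, 4, 5, 6, 5, 4, 5, 6, 5, 7, 42],
        [42, 6, 5, 5, 4, 5, 6, 5, 4, 5, 6, 8, 40],
        [38, 5, 4, 6, 5, 4, 5, 6, 5, 5, 7, 6, 44],
        [41, 4, 5, 5, 6, 5, 5, 4, 6, 6, 5, 7, 41],
    ],
    # bob joined recently and has only one quarter of history
    "bob": [
        [39, 5, 5, 6, 4, 5, 5, 6, 5, 4, 6, 6, 43],
    ],
}
# Assumed behavioral grouping (in practice derived by clustering, here fixed).
PEER_GROUP = {"alice": "account_executives", "bob": "account_executives"}


def flat_model(quarters):
    """Collapse all history into one (mean, std) pair, ignoring seasonality.
    This is the 'average over the whole quarter' approach the text warns about."""
    counts = [c for q in quarters for c in q]
    return mean(counts), max(pstdev(counts), STD_FLOOR)


def seasonal_model(quarters):
    """One (mean, std, sample_count) triple per week-of-quarter. Raw history is
    discarded once this is built; scoring only needs these 13 triples."""
    model = []
    for week in range(WEEKS_PER_QUARTER):
        samples = [q[week] for q in quarters]
        model.append((mean(samples), max(pstdev(samples), STD_FLOOR), len(samples)))
    return model


def zscore(observed, mu, sigma):
    return (observed - mu) / sigma


def flat_score(user, observed):
    mu, sigma = flat_model(HISTORY[user])
    return zscore(observed, mu, sigma)


def seasonal_score(user, week, observed):
    """Score against the user's own week-of-quarter baseline. If the user has
    too few samples for that week, pool the whole peer group's history."""
    mu, sigma, n = seasonal_model(HISTORY[user])[week]
    if n < MIN_SAMPLES:
        peers = [u for u, g in PEER_GROUP.items() if g == PEER_GROUP[user]]
        pooled = [q for u in peers for q in HISTORY[u]]
        mu, sigma, n = seasonal_model(pooled)[week]
    return zscore(observed, mu, sigma)


def is_anomalous(z):
    return abs(z) > Z_THRESHOLD


if __name__ == "__main__":
    # Week 1 of a new quarter: 39 edits is normal for alice, but the flat model
    # flags it. Week 6: 30 edits is a real spike that only the seasonal model sees.
    print("flat  week 1:", round(flat_score("alice", 39), 2))
    print("seas. week 1:", round(seasonal_score("alice", 0, 39), 2))
    print("flat  week 6:", round(flat_score("alice", 30), 2))
    print("seas. week 6:", round(seasonal_score("alice", 5, 30), 2))
    # bob has one quarter, so his week-1 score comes from the pooled peer group.
    print("bob   week 1:", round(seasonal_score("bob", 0, 41), 2))
```

The flat model gets both directions wrong: the start-of-quarter burst scores as an anomaly, while a genuine mid-quarter spike is drowned in the average. The `STD_FLOOR` and `MIN_SAMPLES` guards are worth keeping in any real implementation; a per-week baseline built from one or two quarters has a deviation close to zero, and without the floor any ordinary fluctuation would produce an enormous score.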