In the most recent McAfee Cloud Adoption and Risk Report, research showed that the average organization experiences 5.1 incidents each month in which an unauthorized third party exploits stolen account credentials to gain access to corporate data stored in a cloud service. To address these threats, enterprises are leveraging Cloud Access Security Brokers (CASBs) to analyze cloud usage data and alert on anomalous behaviors before they result in a security incident. In one such case, McAfee MVISION Cloud’s CASB solution successfully detected and remediated a threat that could have resulted in the exfiltration of sensitive data due to the compromise of a Salesforce account.
McAfee MVISION Cloud’s Threat Protection analyzes cloud activity across multiple heuristics, develops a behavioral model for each user, and flags an anomaly when the user shows a departure from this model. McAfee MVISION Cloud analyzes user activity across multiple cloud services using machine learning techniques to identify anomalous usage and then goes one step further and correlates multiple anomaly data points to determine which anomalies most likely represent real threats versus false positives. This way, the solution ensures that IT and security teams receive timely alerts on high-likelihood threats so they can avoid the impact of potential threats on the company without being overwhelmed with a constant chorus of alerts.
Because Salesforce houses so much valuable customer information, it is often a target for attackers. Here’s a recent and illustrative example. Within a short time, the solution flagged multiple anomalies for one particular user account.
- Service usage anomaly – Skyhigh first found that the user’s data downloads in a given timeframe increased beyond a defined threshold, leading to an anomaly. The employee appeared to be making multiple small downloads of data related to customers, opportunities, and contacts. The Skyhigh team commonly observes threats where employees make a couple of large downloads, which may indicate an employee leaving the company. But in this case, the user was downloading smaller chunks of data more frequently, which also flagged an anomaly because of the abnormally high download frequency.
- New access location anomaly – Skyhigh analyzes the geolocation data to determine trusted locations for users such as their home and office. So, when a user logs in from a new location, Skyhigh flags this as an anomaly. In the case of this customer, the user logged in from a new location that was nowhere near this user’s usual trusted locations.
- Superhuman anomaly – Skyhigh then detected a login from the user’s trusted location in a timeframe that indicated an impossible travel anomaly. Essentially the user logged in from the new untrusted location and their trusted location (two different countries) within 1.5 hours, confirming at least one of the logins was unauthorized.
While these behaviors, at least the first two, in isolation may not represent a high severity anomaly, when taken together they were appropriately flagged as a ‘Severe’ threat by McAfee MVISION Cloud. When IT investigated the usage anomalies, they found that the activities that were taking place in the account were not performed by the employee, leading to the conclusion that the login credentials were compromised and that a malicious third party user was extracting sensitive CRM data from the corporate Salesforce account.
For further investigation, the IT teams captured the indicators of compromise (IOCs) provided by McAfee MVISION Cloud and sent them to their on-premises SIEM. Skyhigh’s support for STIX and TAXII protocols allowed IT to migrate threat data from McAfee MVISION Cloud to other security systems in order make a holistic risk assessment. After analysis, they found that the user’s credentials were likely compromised due to a phishing attack. The employee received an email that appeared to be sent from an automated Salesforce service ID and provided a link to an invoice that needed immediate action. The employee clicked the link and was directed to a phishing website and provided Salesforce login credentials, which were accessed by the attackers.
According to McAfee’s Cloud Adoption and Risk Report, the number of cloud-related threats experienced by enterprises hit an all time high last quarter. 76.3% of the organizations experienced at least one threat associated with compromised accounts. But it’s not just compromised accounts companies need to be worried about. In fact 89.6% of the organizations experienced at least one insider threat per month and nearly 50% of companies saw data exfiltration via malware each month.
Gartner research predicts that by 2020, 95% of cloud security failures will be the customer’s fault. As Salesforce continues to make investments in improving its security controls, enterprises are deploying CASBs to address their portion of the shared responsibility model and secure their data, users, and devices. CASB threat protection capabilities play a crucial role in securing enterprise cloud usage as they alert on impending security threats and allow the company to preempt a breach. McAfee’s threat protection solution is deployed by hundreds of enterprise customers with over 30 million total users and leverages the network effect to build increasingly robust data models to continuously improve it’s threat detection capabilities.