By Ishani Sircar, Product Marketing Manager at CipherCloud
The Rise of the Unmanaged Devices
Most organisations are predicting an increased remote workforce and adoption of SaaS apps in the coming years. Remote work environments have led to a rapid adoption of data sharing and collaboration apps, BYOD devices on unsecured networks. This has introduced new risks that are compounded by the lack of visibility in the SaaS-Mobile environment. The math is simple, little visibility exposes organizations to a greater risk and inevitable data breach. An organization’s ability to detect, respond, and prevent a data breach in the remote environment begins with bringing this new norm back into the fold.
Traditional security alert and incident investigation tools are not designed for the SaaS- Mobile environment. Furthermore, alerts typically consist of obscure data in raw log files that resist full understanding, even for experienced security analysts. An incident investigation itself demands scripting, manual correlation of various log files, interpreting meaning, manually removing secondary data sources for clues, and spending considerable time trying to determine the root cause of an alert incident. To glean deeper insights, incident correlation needs to be backed by advanced machine learning. This blog will explore 4 use cases driven by UEBA for Incident investigation and response that can save organisations before an incident develops into a full-blown breach.
CipherCloud’s Insights Investigate functionality provides a rich set of tools for incident management enabling administrators to view incidents that involve policy violations, assign a level of severity to an incident, and specify the appropriate action. In addition, administrators can view information about incidents and their sources from several perspectives, and obtain additional details about each incident or source.
User and Entity Behaviour Analytics (UEBA)
CipherCloud’s UEBA engine performs continuous monitoring of users, devices and application activities, allowing IT security teams to identify anomalous behavior of users in real-time across multiple clouds and preventing accounts from getting compromised by malicious insiders and external threats. UEBA can dramatically improve the productivity of security analysts’ teams in conjunction with a modern security information and event management solution.
Fig. Insights Investigate
Key Use Cases Solved when Insights Investigate Meets UEBA
- Incident identification for compromised User Credentials
User account credentials are keys to legitimate access, and compromised credentials are the number one vector for data breaches. While most organisations track unauthorised access, legacy security tools track user behavior and stop monitoring once the user is successfully authenticated. UEBA detects any such compromised users and lock related credentials for blocking security threat as well as report it as an incident for further remediation.
- Incident Investigation for Anomalous Behaviour and Insider Access Abuse
UEBA monitors several vectors, including user accounts; servers; network devices, non-trusted communication sources, insecure protocols, and other signs of malicious behavior; and anti-virus/malware monitoring to detect protection disablement or removal, or status of threat updates. UEBA solution detects when a user (privileged or not) is performing risky activities that are outside of their normal baseline and enforces behavioral analysis of the incident to connect the dots between “unrelated” activities and ends these attacks before loss occurs.
- Incident Remediation for data exfiltration involving novel channels
Data exfiltration occurs when sensitive data is unwarrantedly transferred outside an organization. Exfiltration can be manual- when a user transfers data outside the premises or can be automatic as a result of malware infecting local systems. UEBA detects network traffic to control centers and identifies infected systems transmitting data to unauthorized parties raising a priority incident for remediation.
- Incident Investigation and Automatic Remediation for Account Lockouts
Account lockouts aim to protect an account from anyone or anything trying to guess the username and password. Responding to each account lockout request can consume hours of time for administrative research. UEBA automates risk profiling, assessment process and expedites the process of decision making on account risk expediting response to incidents and eliminating falsely reported incidents. At a large organisation, this could effectively save up to a significant man-hours efforts annually.
UEBA in conjunction with Insights Investigate provides the much needed holistic cloud security controls that secure the SaaS-mobile environment of an organisation’s remote workforce.
- Incident Management lists all the policy violated incidents occurring in the organization, and the administrator can filter the list based on time period (day, date, hour), cloud (managed or unmanaged), severity (low, medium, high) or status (open, under investigation, resolved).
- Incident Insights presents a graphical view of count of incidents by type of violation, including login, DLP, DRM, and external sharing violations, malware, geo anomalies, and location anomalies.
- Entity Insights presents a graphical view of the count of incidents by their source, including user, device, location, application, content, and external user.