Gurucul Cloud Security Analytics (CSA) utilizes API-based cloud access security broker (CASB) architecture to deliver advanced security analytics for cloud applications and platforms, including SaaS, IaaS, PaaS, and IDaaS. The flexibility of this approach enables Gurucul to ingest data directly from applications on cloud provider platforms as well as consume data feeds from CASB proxy gateways. CSA leverages cloud infrastructure and platform data alongside cloud application activity data for a complete view of user/entity behavior analytics and identity access intelligence.
Gurucul Cloud Security Analytics provides cloud API data connectors out-of-the-box as well as delivering the capability for developing custom connectors. Get visibility into cloud applications and infrastructure including: Amazon AWS, Box, Concur, Dropbox, Google Cloud, G-Suite, IBM, Microsoft Azure, Microsoft Office 365, Okta, Oracle, Ping, SalesForce, SAP, ServiceNow, Splunk Cloud, and Workday.
Gurucul Cloud Security Analytics works on its own for cloud-only deployments and joins seamlessly with Gurucul UEBA and Gurucul Identity Analytics on-premises for hybrid environments. Having Cloud, UEBA and Identity Analytics holistically integrated is essential for a comprehensive hybrid environment risk analytics implementation. With Gurucul, you get full hybrid visibility of identities, accounts, access and activity for on-premises and cloud.
Who isn’t moving some portion of their business to the cloud? A continually expanding range of users are accessing on-premises and cloud applications from desktops, mobile phones, and tablets 24/7. It has become fundamentally impossible for humans to effectively manage and assure the security of all their data. Only Gurucul provides full 360-degree visibility and context of users accessing applications and data both in the cloud and on-premises.
Gurucul Cloud Security Analytics Use Cases
Cloud Privileged Access Abuse
Discover cloud privileged access and provide visibility on who has the “keys to the kingdom.” Once privileged cloud accounts are identified, cloud analytics models can detect suspicious behavior or misuse. This would include: assigning special or elevated privileges to the user’s own account followed by activity using those privileges, odd checkout and check-in timeframes, access to resources or transactions outside normal behavior profiles, abnormal access to classified or sensitive documents, multiple concurrent sessions from the same account with different IPs, devices, locations, etc. Find anomalous outliers for predictive risk scoring to drive alerts, actions and case tickets. Detect and eliminate privileged access entitlements assigned erroneously to regular user accounts. Reduce privileged access cloud account abuse and eliminate shared cloud admin accounts.
Cloud Data Exfiltration and IP Protection
Baseline cloud data access and activity to detect anomalous events with self-learning and self-training machine learning models. Analyze data sources in CASB proxy gateways, email gateways, web gateways and network gateways with DLP features. Quickly identify known patterns with out-of-the-box anomaly models such as: sensitive documents downloaded and copied to USBs, large amounts of source code checked out from source code repositories and file uploads to cloud storage, emails to personal accounts, access to competitor and/or job websites, etc. Prioritize DLP alert investigation; identify and monitor high-risk users in all environments and low-severity DLP alerts associated with departing users. Significantly reduce DLP alerts, time to investigate, and false positives through predictive risk scoring.
Cloud Insider Threat Detection and Deterrence
Utilize machine learning models with the context of big data to detect anomalies and apply predictive risk scores. Leverage machine learning behavior models developed, tested and refined from an extensive insider threat database of real-world incidents. Find high-order interactions and patterns in data to detect insider threats by leveraging useful and predictive cues that are too noisy and highly dimensional for human experts and traditional software to detect. Highlight insider threats early and organize in common risk groups, along with watch lists via a predictive risk analytics dashboard.
Cloud Self-Audit & ID Theft Detection
Deputize end users into a collaborative relationship with security analysts to quickly identify anomalous behavior and ID compromise, providing context and relevance not available to SOC teams. This multiplier of “eyes on glass” applies to employees, business partners and suppliers, agents in hub-spoke organizations, and in some cases, customers. All these parties are likely to have one or more cloud accounts with access entitlements to critical cloud applications and data. A frequent self-audit report provides visibility for access, devices, locations and risk-scored anomalous behavior. This works both as a detection and a deterrence for end users.
Cloud Step-up Authentication (Adaptive Authentication)
Leverage the CSA risk score of an identity or entity to determine the levels of authentication for cloud access. A low-risk score may result in a simple password challenge, while a high-risk score may result in three authentication challenges (e.g., password, access code, and answering questions). This use case supports bidirectional integration with industry standard adaptive authentication solutions by employing ready-to-use connectors and API interfaces. The net effect raises security awareness to end-users when they have high-risk situations. It also provides a heightened probability of disrupting external intruders that have compromised the cloud account password and may not have compromised the end user’s smartphone where an access code is required.
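The two mechanisms described above (detecting concurrent sessions from one account across different IPs or devices in the privileged access use case, and mapping an identity's risk score to a number of authentication challenges in this one) can be shown end to end in a small pipeline. The following is an added illustration, not Gurucul's code or API: the session records are constructed, and the weights, thresholds and challenge names are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample of cloud application session records (not real data).
# Fields: account, source IP, device id, session start, session end (ISO 8601).
SAMPLE_SESSIONS = [
    ("alice", "203.0.113.10", "laptop-01", "2024-05-01T09:00:00", "2024-05-01T11:00:00"),
    ("alice", "198.51.100.7", "phone-99",  "2024-05-01T09:30:00", "2024-05-01T10:00:00"),
    ("bob",   "203.0.113.20", "laptop-02", "2024-05-01T08:00:00", "2024-05-01T09:00:00"),
    ("bob",   "203.0.113.20", "laptop-02", "2024-05-01T09:30:00", "2024-05-01T10:30:00"),
    ("carol", "203.0.113.30", "laptop-03", "2024-05-01T13:00:00", "2024-05-01T14:00:00"),
]


@dataclass
class Session:
    account: str
    ip: str
    device: str
    start: datetime
    end: datetime


def parse_sessions(rows):
    """Turn the raw tuples into Session objects with real timestamps."""
    return [Session(a, ip, d, datetime.fromisoformat(s), datetime.fromisoformat(e))
            for a, ip, d, s, e in rows]


def concurrent_session_anomalies(sessions):
    """Return {account: number of overlapping session pairs from a different IP or device}.

    Two sessions of the same account overlap when each starts before the other ends;
    an overlap from the same IP and device (e.g. two browser tabs) is not counted.
    """
    by_account = {}
    for s in sessions:
        by_account.setdefault(s.account, []).append(s)
    anomalies = {}
    for account, sess in by_account.items():
        sess.sort(key=lambda s: s.start)
        count = 0
        for i in range(len(sess)):
            for j in range(i + 1, len(sess)):
                a, b = sess[i], sess[j]
                overlaps = b.start < a.end and a.start < b.end
                if overlaps and (a.ip != b.ip or a.device != b.device):
                    count += 1
        if count:
            anomalies[account] = count
    return anomalies


# Assumed weights for this example; a deployed system derives these from baselines.
CONCURRENT_SESSION_WEIGHT = 40
PRIVILEGED_ACCOUNT_BONUS = 30


def risk_score(account, anomalies, privileged_accounts):
    """Combine the anomaly count with account sensitivity into a 0-100 risk score."""
    score = min(100, anomalies.get(account, 0) * CONCURRENT_SESSION_WEIGHT)
    if account in privileged_accounts:
        score = min(100, score + PRIVILEGED_ACCOUNT_BONUS)
    return score


def step_up_challenges(score):
    """Map a risk score to the authentication challenges to require (assumed thresholds)."""
    if score < 30:
        return ["password"]
    if score < 70:
        return ["password", "access_code"]
    return ["password", "access_code", "security_questions"]


if __name__ == "__main__":
    found = concurrent_session_anomalies(parse_sessions(SAMPLE_SESSIONS))
    for account in ("alice", "bob", "carol"):
        score = risk_score(account, found, privileged_accounts={"carol"})
        print(account, score, step_up_challenges(score))
```

In the constructed data only alice has overlapping sessions from two different devices and IPs, so her score rises to the middle tier and she is asked for an access code as well as a password; the same anomaly on an account marked privileged would reach the top tier. The point a defender should take from the threshold design is that the extra factor only helps when it lives somewhere the password alone does not unlock, which is why the access code is tied to the user's device.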
Cloud Anomalous Behavior and Watch Lists
Quickly profile high-risk user groups from watch lists to monitor their risk scores and anomalies. Leverage pre-defined watch lists within Cloud Security Analytics for common high-risk groups like new hires, departing users, terminated users, and high-risk users. These groups are easily accessed in dashboard drop-down menus to analyze risk scores, anomalies, accounts, access, activity and timelines. CSA also supports explicitly adding or removing identities within watch lists. Control who has visibility to watch lists and for what data fields through role-based access controls (RBAC) and data masking features.
Cloud Application License Metering
Provide savings to customers by metering cloud applications at the account level based on access and activity. Remove orphan and dormant accounts, plus rogue accounts operating under the radar for potential data exfiltration. Save on licensing fees for SaaS cloud applications. Reduce cloud application and infrastructure license fees with metering based on user and entity behavior analytics. Deliver true step-up licensing in contracts based on normal behaviors, not peak loads or abnormal use.
Cloud to SIEM Integration for Alerts
Deliver bidirectional API integration with SIEM solutions for CSA alerts, risk scores and event details. Enterprises have built detection and incident response programs around SIEMs to centrally locate SOC alerts. Deploying Cloud Security Analytics (CSA) provides the ability to send alerts for cloud identities, accounts, access and activity to SIEM solutions. While the SIEM itself may not be analyzing SaaS cloud applications, IaaS, PaaS and IDaaS, the SIEM can be utilized for central alert notifications with predictive risk scores for prioritization.
Cloud to On-Premises DLP Closed-Loop
Send alerts, risk scores and event details from CSA to on-premises DLP solutions. Leverage existing DLP detection and incident response processes for Cloud Security Analytics, plus case ticket management. Provide DLP alert prioritization with predictive risk scores to make security analysts more productive and efficient for investigations and response. Provide monitoring and alerting for cloud environments where legacy DLP may have restricted visibility. Maintain a closed-loop for all CSA alerts concerning data exfiltration and protection including SaaS cloud applications and IaaS/PaaS.
Cloud Access Outliers and Excess Access
Identify cloud access considered high-risk by consuming access entitlements data from SaaS, IaaS, PaaS and IDaaS. Identify access that is considered high-risk including: privileged access entitlements, access not properly segregating duties, dissimilar access compared to peers, and infrequent access to cloud accounts. Detect access outliers leveraging peer groups of users to trigger certifications for outlier access. Reduce segregation of duties (SoD) conflicts for cloud access, plus optimize manager time with high-risk access certifications. Eliminate rubber-stamping associated with Sarbanes-Oxley and other compliance related access reviews.
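The peer-group comparison and segregation-of-duties check described above can be expressed as a simple analysis over an entitlement snapshot. The following is an added example, not Gurucul's own logic: the entitlement names, peer groups, SoD rule and the 50% peer-share threshold are all constructed for illustration.

```python
# Constructed entitlement snapshot (not real data): user -> (peer group, cloud entitlements held)
ENTITLEMENTS = {
    "alice": ("finance", {"erp:ap-entry", "erp:report-view"}),
    "bob":   ("finance", {"erp:ap-entry", "erp:report-view"}),
    "carol": ("finance", {"erp:ap-entry", "erp:report-view", "erp:ap-approve", "iaas:admin"}),
    "dave":  ("finance", {"erp:ap-entry", "erp:report-view"}),
    "erin":  ("eng",     {"iaas:admin", "repo:write"}),
    "frank": ("eng",     {"iaas:admin", "repo:write"}),
}

# Assumed segregation-of-duties rule: one person must not both enter and approve payments.
SOD_RULES = [("erp:ap-entry", "erp:ap-approve")]

# Assumed threshold: an entitlement held by fewer than this share of a user's peers is an outlier.
PEER_RATIO_THRESHOLD = 0.5


def peer_groups(entitlements):
    """Group users by peer group: {group: {user: entitlements}}."""
    groups = {}
    for user, (group, ents) in entitlements.items():
        groups.setdefault(group, {})[user] = ents
    return groups


def access_outliers(entitlements, threshold=PEER_RATIO_THRESHOLD):
    """Return {user: {entitlement: share of peers holding it}} for entitlements below the threshold.

    The user is excluded from their own peer set so a unique entitlement scores 0.0,
    and users with no peers are skipped because there is nothing to compare against.
    """
    result = {}
    for members in peer_groups(entitlements).values():
        for user, ents in members.items():
            peers = [e for u, e in members.items() if u != user]
            if not peers:
                continue
            for ent in sorted(ents):
                share = sum(ent in p for p in peers) / len(peers)
                if share < threshold:
                    result.setdefault(user, {})[ent] = share
    return result


def sod_conflicts(entitlements, rules=SOD_RULES):
    """Return {user: [conflicting entitlement pairs]} for users holding both halves of a rule."""
    conflicts = {}
    for user, (_, ents) in entitlements.items():
        hits = [pair for pair in rules if pair[0] in ents and pair[1] in ents]
        if hits:
            conflicts[user] = hits
    return conflicts


def certification_items(entitlements):
    """Build the review items a manager would receive: outlier access and SoD conflicts.

    Recommendation is 'revoke' for an entitlement no peer holds or one that is part of an
    SoD conflict, and 'review' otherwise (assumed policy for this example).
    """
    items = []
    sod = sod_conflicts(entitlements)
    for user, outliers in access_outliers(entitlements).items():
        in_conflict = {e for pair in sod.get(user, []) for e in pair}
        for ent, share in outliers.items():
            rec = "revoke" if share == 0.0 or ent in in_conflict else "review"
            items.append({"user": user, "entitlement": ent,
                          "peer_share": share, "recommendation": rec})
    return items


if __name__ == "__main__":
    for item in certification_items(ENTITLEMENTS):
        print(item)
```

In the constructed snapshot carol is the only finance user with approval rights and IaaS admin access, so both entitlements surface as outliers, and the entry/approve combination is also flagged as an SoD conflict. Excluding the user from their own peer set matters: otherwise every entitlement would have a share of at least 1/N and a single user's unique access could slip under the threshold in a small group.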
Cloud Risk-based Access Compliance
Automatically send risk-based certifications to the business when outlier access is identified. Include several context points such as access risk rating, peer group metric, outlier risk score, and status recommendation. Send built-in certifications or use APIs to integrate with other enterprise solutions to send certifications to users for review. Enable the business (managers, data owners, role owners) to make decisions about removing or retaining outlier access to their cloud assets and data. Deliver a configurable context-rich UI for making decisions about access. Eliminate the need for training end users on a new certification platform with integration for most enterprise certification systems.
Cloud Account Compromise, Hijacking and Sharing
Detect account compromise, hijacking and sharing for cloud application accounts and privileged accounts for IaaS and PaaS. Detect anomalous behavior beyond rules, patterns and signatures utilizing advanced machine learning behavior models.
Cloud Dormant and Orphan Accounts
Automate the identification of risky orphan and dormant cloud accounts, potentially used for data exfiltration. Enable cloud account and system owners to take action by identifying cloud account owners or marking the cloud account for review.
Gurucul Cloud Security Analytics Benefits
Produces 360° View of Identity, Access, and Activity. Correlate data across multiple cloud applications to create contextual identity – who is the user, what access they have, and what is their activity.
Delivers Insight into all Anomalous Behaviors – Access and Activity. Machine learning algorithms are executed on access and usage attributes to build cloud-centric anomalous behavior profiles across the enterprise.
Identifies Behavior Anomalies. Self-training algorithms are tailored to identify learned anomalous behaviors immediately upon technology deployment.
Provides Context-Aware Visibility of an Attack Lifecycle. Out-of-the-box timeline view highlights the anatomy of an advanced attack, whether it be an insider or outsider.
“Leveraged for hybrid deployments of on-premises and cloud behavior analytics, Gurucul has prevented data exfiltration with risk-scored timelines through predictive security analytics.”
– Cloud Security Market Analyst