Cloud Security Analytics Use Cases


Introduction

Within the domain of mature advanced security analytics, industry analysts have observed the broadening adoption of user and entity behavior analytics (UEBA) integrated with identity analytics (IdA). Drawing from the context of big data and driven by advanced machine learning to deliver invaluable visibility, they provide the only realistically effective method to comprehensively manage and monitor identity based risks and threats across all of an organization’s environments. More recently, leading UEBA and IdA vendors have fused these capabilities to address the emerging requirements of cloud security. Cloud security analytics (CSA) has greatly expanded the breadth of use cases within advanced security analytics. This range of use case categories within advanced security analytics supported by a vendor should be one of the first factors prospective customers examine when considering adoption of an advanced security analytics solution. Customers must assure the use cases offered by a vendor align with their specific needs and varied requirements today and into the future. This white paper explores a comprehensive and optimal set of use cases for cloud security analytics.

Hybrid Environments And the Emerging Requirement for a New Approach in Security

The rising complexity of risk from access planes, excess access and access outliers within emerging enterprise environments has left security leaders in an ever-accelerating race to confront this problem. The list of their challenges only continues to expand. Today, trends reveal the growing preponderance of specialized cloud adoptions in larger companies, where 82% of enterprises larger than 1000 employees have a multi-cloud strategy, with 71% hybrid cloud (RightScale 2016 State of the Cloud Report), all trending up from the previous year.

With an organization’s sensitive data both on-premises and in the cloud, and with business applications on mobile phones, tablets, etc., being used 24/7 from everywhere, by a continually expanding range of users, it has become fundamentally impossible for humans to effectively manage and assure the security of that data. Security information and event management (SIEM) systems, by themselves, are ineffective at detecting threats that originate from the inside. These outdated security solutions, driven fundamentally by rules and signatures, deliver only partial detection. In addition, there is simply too much data in the SIEM, and it doubles every year. Compounding these challenges is an awareness gap for identity and access management (IAM). This gap exists between what access rights have been provided by an IAM solution and how those rights are actually being used by users. For too many organizations, a risk and threat plane continues to grow unabated.

With the compromise and misuse of identity emerging as a serious threat plane, the prospect of preventing data exfiltration through phishing and social attacks has become an amplified and urgent concern. Heightening security leaders’ alarm is the realization that a serious discovery gap exists with cloud privileged access, where the majority of these access entitlements are unaccounted for in most organizations. As a result, a vast gray area of unmonitored behavior exists in an organization’s hybrid environment, which represents a serious unknown and a growing threat plane. Security analytics in the cloud are fast becoming a standard requirement for a growing number of organizations. The question organizations must answer, however, is whether they are holistic, across an enterprise’s entire environment, both on-premises and in the cloud.

The Evolution of Advanced Security Analytics

CSA utilizes an API-based cloud access security broker (CASB) architecture to deliver advanced security analytics for SaaS cloud applications as well as IaaS, PaaS, and IDaaS. The advantage of API integration, versus proxy cloud access gateways, is that it provides users with a transparent experience in any location or network, with any device. A proxy-based CASB has the advantage of being a chokepoint to monitor shadow IT or unsanctioned cloud applications. However, device access control must be in-line for monitoring. CASB proxy gateways are a crucial data source into UEBA and IdA machine learning models as part of the overall behavior analytics solution architecture to deliver predictive risk scores for cloud environments. In addition, web, email, cloud and network gateways are also important data sources for machine learning behavior models.

Cloud security analytics should work on its own for cloud-only deployments and also be capable of synchronizing seamlessly with threat activity analytics (UEBA) along with identity and access analytics (IdA) on-premises and for hybrid environments. Having cloud, threat and access analytics holistically integrated and synchronized is essential for comprehensive hybrid environment risk analytics solution success. Cloud environments differ from on-premises, as SaaS cloud applications deliver less data variety via API. They are, however, more consistent in data quality. Whereas on-premises data variety can be much wider, the data quality is often lower, and this impacts machine learning behavior models. Using a machine learning model originally developed for on-premises requires adjustments for cloud environments.

Currently the field of UEBA vendors offering an API-based CASB solution for cloud security analytics as part of an umbrella platform addressing hybrid environments is quite small. Separate and unintegrated UEBA features (found with on-premises and cloud security solutions) from multiple vendors restrict visibility and diminish the ability to provide comprehensive risk scores from the full context of an identity, account entitlements, as well as access and activity, across an organization’s entire hybrid environment. CSA only available within a specific CASB vendor is limited to cloud environments and data, in the same manner that UEBA features dedicated solely to a SIEM from another vendor are limited to an on-premises focus. Optimally, users access applications and data both in the cloud and on-premises, and providing full 360-degree visibility and context across both maximizes the value of the machine learning models. In summary, cloud security analytics are part of a solution with comprehensive hybrid visibility for on-premises and cloud environments, not divided into separate solution silos or limited in data context.

“Gurucul really stood out because the analytics engine was the most powerful. I don’t think there’s a day that goes by where we don’t have a new interesting use case we didn’t think of before. We’re down to the level of ingesting physical security logs from our parking ramp to determine who is here. Could they really have done what they did? They weren’t even at the building. These types of use cases, there’s really no end to it.”

– William Scandrett, CISO, Allina Health


Use Cases of Cloud Security Analytics

The scope of this white paper addresses the specific use cases of cloud security analytics. An optimal list of use cases for CSA is found directly below:

  • Cloud Account Compromise, Hijacking and Sharing
  • Cloud Privileged Access Abuse
  • Cloud Data Exfiltration and IP Protection
  • Cloud Insider Threat Detection and Deterrence
  • Cloud Self-Audit and ID Theft Detection
  • Cloud Step-up Authentication
  • Cloud Anomalous Behavior and Watch Lists
  • Cloud to SIEM Integration for Alerts
  • Cloud to On-Premises DLP Closed-Loop
  • Cloud Access Outliers and Excess Access
  • Cloud Risk-based Access Compliance
  • Cloud Dormant and Orphan Accounts
  • Cloud Application License Metering (Account Level)

A more detailed description of each cloud security analytics use case follows.

Cloud Account Compromise, Hijacking and Sharing

Cloud security analytics address cloud account compromise, hijacking and cloud account sharing via API integration with SaaS cloud applications, plus IaaS and PaaS. Visibility into Office 365 cloud applications leverages Microsoft Azure visibility for cloud infrastructure and platform information alongside cloud application activity data. The same applies to other popular cloud applications in AWS cloud environments. Identity and access management as a service (IDaaS) also plays a role for cloud environments. The benefits of big data infrastructure with a flexible data model come into play to develop API data connectors for cloud data ingestion that may mimic on-premises functions in numerous ways. Utilizing advanced machine learning behavior models proven on-premises, cloud analytics applies the same capability to cloud environments to detect account compromise, hijacking and sharing. The basic concepts of clustering and outlier algorithms to find anomalies based on normal baselines of the user and peers for predictive risk scores remain consistent. The data sources differ, and data ingestion is API-based for cloud environments.

Benefits

  • Detects account compromise, hijacking and sharing for cloud application accounts and privileged accounts for IaaS and PaaS
  • Detects anomalous behaviors beyond rules, patterns and signatures for cloud account compromise, hijacking and sharing
  • Combines cloud security analytics with on-premises threat and access analytics for hybrid environment visibility in one solution platform

Cloud Privileged Access Abuse

Cloud security analytics addresses privileged access abuse via API integration with IaaS, PaaS and IDaaS solutions. This provides visibility into high privileged access (HPA) accounts. This also includes instances where privileged access entitlements are assigned to non-HPA accounts, creating a high-risk situation. SaaS cloud applications and other activity data sources, including CASB proxy gateways for shadow IT detection, enable machine learning models to find anomalous outliers for predictive risk scoring to drive alerts, actions and case tickets. Shared HPA cloud accounts are also included in this analysis. Once HPA cloud accounts are identified, cloud analytics models can detect suspicious behavior or misuse. This would include: using HPA to assign special or elevated privileges to the user’s own account followed by an activity; transactions outside the password vault checkout and check-in time window; access to resources or transactions outside normal behavior profiles; abnormal access to classified or sensitive documents; and multiple concurrent sessions from the same account with different IPs, devices, locations, etc.

Benefits

  • Discovers cloud privileged access and provides visibility on who has the ’keys to the kingdom’
  • Reduces high privileged access cloud account abuse and eliminates shared HPA cloud accounts
  • Limits access risks before abuse with risk-scored HPA cloud accounts and entitlements
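Two of the HPA misuse patterns listed above (a self-granted privilege followed by an activity, and concurrent sessions from different IPs) expressed as detection logic over a constructed sample of cloud audit events. This is an added example, not the vendor's code; the event field names and the 30-minute follow-up window are assumptions.

```python
"""Detection of two privileged-access abuse patterns over cloud audit events.
The event format (ts, account, action, ip, session, target) is an assumption."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: ops-admin grants a role to itself and then reads a bucket;
# db-admin has two sessions open at the same time from different source IPs.
SAMPLE_EVENTS = [
    {"ts": "2016-09-01T09:00:00", "account": "ops-admin", "action": "login",
     "ip": "10.1.1.5", "session": "s1", "target": None},
    {"ts": "2016-09-01T09:05:00", "account": "ops-admin", "action": "grant_role",
     "ip": "10.1.1.5", "session": "s1", "target": "ops-admin"},   # self-grant
    {"ts": "2016-09-01T09:07:00", "account": "ops-admin", "action": "read_bucket",
     "ip": "10.1.1.5", "session": "s1", "target": "finance-archive"},
    {"ts": "2016-09-01T09:30:00", "account": "ops-admin", "action": "logout",
     "ip": "10.1.1.5", "session": "s1", "target": None},
    {"ts": "2016-09-01T10:00:00", "account": "db-admin", "action": "login",
     "ip": "10.1.1.9", "session": "s2", "target": None},
    {"ts": "2016-09-01T10:10:00", "account": "db-admin", "action": "login",
     "ip": "203.0.113.7", "session": "s3", "target": None},
    {"ts": "2016-09-01T10:40:00", "account": "db-admin", "action": "logout",
     "ip": "10.1.1.9", "session": "s2", "target": None},
    {"ts": "2016-09-01T11:00:00", "account": "db-admin", "action": "logout",
     "ip": "203.0.113.7", "session": "s3", "target": None},
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def self_grant_then_activity(events, window=timedelta(minutes=30)):
    """Flag an account that grants a role to its own identity and then performs
    a non-session action within `window`. Returns (account, grant ts, actions)."""
    findings = []
    grants = [e for e in events
              if e["action"] == "grant_role" and e["target"] == e["account"]]
    for g in grants:
        t0 = _parse(g["ts"])
        follow = [e for e in events
                  if e["account"] == g["account"]
                  and e["action"] not in ("login", "logout", "grant_role")
                  and t0 < _parse(e["ts"]) <= t0 + window]
        if follow:
            findings.append((g["account"], g["ts"], [e["action"] for e in follow]))
    return findings


def concurrent_sessions(events):
    """Flag accounts with overlapping sessions from different source IPs.
    Returns (account, session_a, session_b, ip_a, ip_b) tuples."""
    sessions = defaultdict(dict)  # session id -> {account, ip, start, end}
    for e in events:
        s = sessions[e["session"]]
        if e["action"] == "login":
            s.update(account=e["account"], ip=e["ip"], start=_parse(e["ts"]))
        elif e["action"] == "logout":
            s["end"] = _parse(e["ts"])
    by_account = defaultdict(list)
    for sid, s in sessions.items():
        if "start" in s:
            by_account[s["account"]].append((sid, s))
    findings = []
    for account, sess in by_account.items():
        for i in range(len(sess)):
            for j in range(i + 1, len(sess)):
                a, b = sess[i][1], sess[j][1]
                # A session with no logout yet is treated as still open.
                overlap = (a["start"] < b.get("end", datetime.max)
                           and b["start"] < a.get("end", datetime.max))
                if overlap and a["ip"] != b["ip"]:
                    findings.append((account, sess[i][0], sess[j][0], a["ip"], b["ip"]))
    return findings


if __name__ == "__main__":
    print(self_grant_then_activity(SAMPLE_EVENTS))
    print(concurrent_sessions(SAMPLE_EVENTS))
```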

Cloud Data Exfiltration and IP Protection

Cloud analytics addresses data exfiltration and intellectual property (IP) protection for cloud environments through API integration with SaaS cloud applications, IaaS, PaaS and CASBs. CASB proxy gateways, email gateways, web gateways and network gateways with DLP features are also key data sources for cloud security analytics software to analyze with machine learning models. DLP in the cloud cannot always leverage data fingerprints from on-premises deployments. This makes UEBA an important platform for data risk monitoring and protection. Identity provides the ‘keys to the kingdom’ for cloud applications and data access, so its compromise and misuse are critical to detect as early as possible. Analysis by a behavior analytics platform should include on-premises and cloud applications for a 360-degree view of data access and activity. This hybrid approach helps customers prioritize DLP alert investigation, and identify and monitor even the low-severity DLP alerts associated with departing users or high-risk users in all environments. In addition, CSA software should provide out-of-the-box (OOTB) anomaly models which can identify known patterns such as: sensitive documents downloaded and copied to USB, large amounts of source code checked out from source code repositories and file uploads to cloud storage, emails to personal accounts, access to competitor and/or job websites, etc. Some solutions also extend risk score alerts beyond SOC analysts to managers, given their depth of context and relevance regarding employees, data and projects. Self-audits also provide deterrence and detection for data access and activity.

Benefits

  • Baselines cloud data access and activity to detect anomalous events with self-learning and self-training machine learning models
  • Supports customized and unique DLP and data classifications, metadata models and big data infrastructure
  • Significantly reduces DLP alerts, time to investigate, and false positives through predictive risk scoring

Cloud Insider Threat Detection and Deterrence

Well-developed cloud insider threat detection and deterrence leverages research drawing from an extensive insider threat database of real-world incidents to develop, test and refine machine learning behavior models. Identifying high-risk profiles with abnormal behaviors, in conjunction with data risk monitoring, machine learning and statistical analysis, finds anomalies in data that humans would not otherwise recognize or detect. It also far surpasses human capability and conventional software engineering for managing large volumes and variety of data. Machine learning also has the ability to find high-order interactions and patterns in data for complex problems such as insider threats, compromised accounts and data exfiltration by leveraging useful and predictive cues that are too noisy and highly dimensional for human experts and traditional software to detect. A 360-degree dashboard provides visibility of an identity’s accounts, access and activity for on-premises and cloud hybrid environments. A self-audit feature may support this use case. Both access and activity are risk-scored for anomalous events visible to managers and SOC analysts.

Benefits

  • Utilizes machine learning models with the context of big data to detect anomalies and apply predictive risk scores
  • Highlights insider threats early, organized into common risk groups, along with watch lists via a predictive risk analytics dashboard
  • Provides insider threat deterrence to users and detection for managers through customizable self-audit feature

Cloud Self-Audit & ID Theft Detection

A self-audit feature for ID theft detection deputizes users into a collaborative relationship with security analysts that provides context and relevance not available to SOC teams. This multiplier of ‘eyes on glass’ applies to employees, business partners and suppliers, agents in hub-spoke organizations, and in some cases, customers. All these parties are likely to have one or more cloud accounts with access entitlements to critical cloud applications and data. A frequent self-audit report provides visibility for access, devices, locations and risk-scored anomalous behavior, providing both detection and deterrence for end users. A case in point: a self-audit feature utilized by an insurance company. They had an employee out of the office on a Wednesday to attend to a sick child. This employee never logged into their accounts on that day. A self-audit report sent to this individual on the following Friday showed account activity on Wednesday, when they knew they had not logged in. Upon investigation, security analysts discovered the account had been compromised for over three-and-a-half years, and this employee had high privileged access to critical applications and data.

Benefits

  • Deputizes end users into a collaborative relationship to quickly identify anomalous behavior and ID compromise
  • Delivers context and relevance for cloud accounts, applications and data to end users and managers that is not easily replicated by SOC teams
  • Provides an audit and compliance benefit for employees, business partners, suppliers, and even customers

Cloud Step-up Authentication (Adaptive Authentication)

The compromise and misuse of identity lies at the heart of modern threats. The use of passwords alone to authenticate users is core to the problem. Deploying multi-factor authentication takes time, resources and expense, and can impede high-productivity users in low-risk environments. Step-up authentication (also referred to as adaptive authentication) leverages the UEBA risk score of an identity or entity to determine the level of authentication required for cloud access. A low risk score may result in a simple password challenge, while a high risk score may result in three authentication challenges (e.g., password, access code, and answering questions). This use case supports bidirectional integration with industry-standard adaptive authentication solutions by employing ready-to-use connectors and API interfaces. The net effect raises security awareness for end users when they are in high-risk situations. It also provides a heightened probability of disrupting external intruders that have compromised the cloud account at the password level only, and may not have compromised the end user’s smartphone where an access code is delivered. Even with step-up authentication, a cloud account may still be compromised or hijacked, and the use of UEBA for detection is advised.

Benefits

  • Creates a closed-loop for step-up authentication via API integration between UEBA/cloud security analytics and cloud IDaaS and IaaS solutions
  • Raises security awareness with end users via authentication challenges when their identity shows high-risk behaviors
  • Combines step-up authentication with self-audit as key parts of an increased security awareness program

Cloud Anomalous Behavior and Watch Lists

Cloud analytics addresses cloud anomalous behavior with watch lists to quickly profile and keep an eye on escalating predictive risk scores. Advanced machine learning behavior models are designed to find unknowns and apply predictive risk scores. Feedback on false positives and negatives updates self-learning and self-training models to adapt to time-based norms and conditions unique to each customer deployment. For example, an IaaS/PaaS administrator may create a script that runs several commands with security implications at 2 a.m. each night. This user is an innovator working to improve the enterprise’s productivity. However, the models will see these commands during non-business hours as an anomaly and risk score them accordingly. Analyst feedback to the models can note that the situation is benign. Nonetheless, the IaaS/PaaS administrator should be put on a watch list to monitor further innovations. Pre-defined watch lists are also provided within cloud security analytics for common high-risk groups like new hires, departing users, terminated users, and high-risk users. These groups should be easily accessible in dashboard dropdown menus to analyze risk scores, anomalies, accounts, access, activity and timelines. Cloud security analytics also supports explicitly adding or removing identities within watch lists.

Benefits

  • Enables SOC security analysts to quickly profile high-risk user groups from watch lists and monitor their risk scores and anomalies
  • Provides profiling for audit and compliance teams of a specific person or group via a watch list to analyze their identity, accounts, access and activity
  • Controls who has visibility to watch lists, and for which data fields, through role-based access controls (RBAC) and data masking features

Cloud to SIEM Integration for Alerts

Cloud security analytics software provides RESTful APIs for integration with other security solutions on-premises and in the cloud, plus alerts via email or SMS (short message service). Enterprises have built detection and incident response programs around SIEMs to centrally locate SOC alerts. Deploying CSA for cloud environments provides the ability to send alerts for cloud identities, accounts, access and activity to SIEM solutions. While the SIEM itself may not be analyzing SaaS cloud applications, IaaS, PaaS and IDaaS, the SIEM can be utilized for central alert notifications with predictive risk scores for prioritization. Mature CSA solutions also offer a case management feature plus integration with Remedy, ServiceNow and Salesforce for case ticket management.

Benefits

  • Delivers bidirectional API integration with SIEM solutions for alerts, risk scores and event details from cloud security analytics
  • Leverages existing SIEM detection and incident response processes for CSA, plus case ticket management
  • Maintains a closed-loop for all UEBA alerts including SaaS cloud applications and IaaS/PaaS

Cloud to On-Premises DLP Closed-Loop

Cloud security analytics provides alerts via email or SMS, plus a RESTful API infrastructure, for integration with other security solutions such as on-premises DLP. Alerts, risk scores and event details from cloud security analytics software can be provided to DLP solutions to create a closed loop for data exfiltration, IP data protection and data risk mining. The integration of DLP with UEBA and CASB architecture is a requirement to protect data in hybrid environments with existing on-premises DLP solutions and incident response processes. Cloud security analytics provides DLP alert prioritization with predictive risk scores to make security analysts more productive and efficient in investigations and response. CSA integration with SaaS cloud applications, IaaS/PaaS and IDaaS provides monitoring and alerting for cloud environments where legacy DLP may have restricted visibility. As previously noted, mature CSA solutions have case management features and integrate with Remedy, ServiceNow and Salesforce for case ticket management.

Benefits

  • Sends on-premises DLP solutions alerts, risk scores and event details from cloud security analytics
  • Leverages existing DLP detection and incident response processes for cloud security analytics, plus case ticket management
  • Maintains a closed-loop for all CSA alerts concerning data exfiltration and protection including SaaS cloud applications and IaaS/PaaS

Cloud Access Outliers and Excess Access

Cloud security analytics identifies high-risk cloud access by consuming access entitlement (rights) data from SaaS, IaaS, PaaS and IDaaS. Access considered high-risk includes: privileged access entitlements, access that does not properly segregate duties, access dissimilar to that of peers, and infrequently used access to cloud accounts. The average user has more than 100 entitlements, making certification a time-consuming process for managers. Certifications are typically a quarterly or yearly process. Organizations realize managers too often approve all certification requests without actually validating each one. This leaves organizations at risk, with employees retaining access to which they should not be entitled. Using cloud security analytics integrated with cloud IDaaS, organizations can detect access outliers by leveraging peer groups of users and trigger certifications for the outlier access.

Benefits

  • Reduces cloud access not associated with job responsibilities and potential cloud account compromise
  • Reduces rubber-stamping associated with Sarbanes-Oxley and other compliance-related access reviews
  • Reduces segregation of duties (SoD) conflicts for cloud access, plus optimizes manager time with high-risk access certifications

Cloud Risk-based Access Compliance

Cloud security analytics outlier access capabilities can be extended to automatically send risk-based certifications to the business when outlier access is identified. The system should be configurable to include several context points such as access risk rating, peer group metric, outlier risk score, and status recommendation. The solution can send built-in certifications, or use APIs to integrate with other enterprise solutions to send certifications to end users for review.

Benefits

  • Enables the business (managers, data owners, role owners) to make decisions about removing or retaining outlier access to their cloud assets and data
  • Eliminates the need for training end users on a new certification platform with integration for most enterprise certification systems
  • Delivers a configurable context-rich UI for making decisions about access
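The peer-group outlier detection from the "Cloud Access Outliers and Excess Access" section and the context-rich certification request from the "Cloud Risk-based Access Compliance" section, worked through on a constructed entitlement snapshot. This is an added example rather than the vendor's implementation; the entitlement names, peer groups, SoD conflict pair, 30% rarity threshold and recommendation rule are all assumptions.

```python
"""Peer-group access outliers, SoD conflicts and risk-based certification items.
All data below is constructed for illustration."""
from collections import Counter

# Constructed entitlement snapshot from an IDaaS export: user -> (peer group, entitlements)
ENTITLEMENTS = {
    "alice": ("finance-analyst", {"erp.reports.read", "erp.invoice.create", "crm.read"}),
    "bob":   ("finance-analyst", {"erp.reports.read", "erp.invoice.create"}),
    "carol": ("finance-analyst", {"erp.reports.read", "erp.invoice.create", "crm.read"}),
    "dave":  ("finance-analyst", {"erp.reports.read", "erp.invoice.create",
                                  "erp.invoice.approve", "iaas.admin"}),
    "erin":  ("cloud-ops", {"iaas.admin", "iaas.billing.read"}),
    "frank": ("cloud-ops", {"iaas.admin"}),
}

# Constructed SoD rule: nobody should both create and approve invoices.
SOD_CONFLICTS = [("erp.invoice.create", "erp.invoice.approve")]


def peer_prevalence(entitlements):
    """Per peer group, the fraction of members holding each entitlement."""
    groups = {}
    for _user, (group, ents) in entitlements.items():
        g = groups.setdefault(group, {"n": 0, "counts": Counter()})
        g["n"] += 1
        g["counts"].update(ents)
    return {grp: {e: c / g["n"] for e, c in g["counts"].items()}
            for grp, g in groups.items()}


def access_outliers(entitlements, threshold=0.3):
    """Entitlements a user holds that fewer than `threshold` of their peers hold.
    Returns {user: [(entitlement, peer_fraction), ...]} ordered rarest first."""
    prev = peer_prevalence(entitlements)
    result = {}
    for user, (group, ents) in entitlements.items():
        rare = [(e, round(prev[group][e], 2)) for e in ents if prev[group][e] < threshold]
        if rare:
            result[user] = sorted(rare, key=lambda x: (x[1], x[0]))
    return result


def sod_violations(entitlements, conflicts):
    """Users holding both halves of any conflicting entitlement pair."""
    result = {}
    for user, (_group, ents) in entitlements.items():
        hits = [pair for pair in conflicts if set(pair) <= ents]
        if hits:
            result[user] = hits
    return result


def certification_requests(entitlements, conflicts, threshold=0.3):
    """Build the context points a manager sees on a risk-based certification:
    the entitlement, why it was flagged, the peer metric and a recommendation.
    The recommendation rule (SoD -> revoke, otherwise review) is an assumption."""
    items = []
    for user, rare in access_outliers(entitlements, threshold).items():
        for ent, frac in rare:
            items.append({"user": user, "entitlement": ent, "reason": "peer outlier",
                          "peer_fraction": frac, "recommendation": "review"})
    for user, pairs in sod_violations(entitlements, conflicts).items():
        for pair in pairs:
            items.append({"user": user, "entitlement": " + ".join(pair),
                          "reason": "SoD conflict", "peer_fraction": None,
                          "recommendation": "revoke"})
    return items


if __name__ == "__main__":
    for item in certification_requests(ENTITLEMENTS, SOD_CONFLICTS):
        print(item)
```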

Cloud Dormant and Orphan Accounts

Cloud security analytics identifies dormant and orphan cloud accounts. These cloud accounts can be sent to system owners or administrators for review. Based on their response, action can be taken to assign the cloud account to an end user, or remove the cloud account from the system.

Benefits

  • Reduces risk of orphan or dormant cloud accounts being compromised or misused
  • Automates identification of risky orphan and dormant cloud accounts, potentially used for data exfiltration
  • Enables cloud account and system owners to take action by identifying cloud account owners or marking the cloud account for review
  • Automatically disables cloud accounts and notifies the owner when there is no decision
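The dormant and orphan account review described above, including the "no decision" rule from the last benefit, as an added example that is not the vendor's code. The account export, HR directory, 90-day dormancy threshold and 14-day decision grace period are constructed assumptions.

```python
"""Dormant/orphan cloud account identification and owner-review handling.
Account export, HR directory and thresholds are constructed assumptions."""
from datetime import date

# Constructed cloud application account export: account -> owner id and last activity
ACCOUNTS = {
    "svc-report-01": {"owner": None,    "last_activity": date(2016, 2, 10)},  # no owner
    "jsmith":        {"owner": "E1001", "last_activity": date(2016, 8, 30)},
    "kdoe":          {"owner": "E1002", "last_activity": date(2016, 3, 1)},   # inactive
    "mlee":          {"owner": "E2099", "last_activity": date(2016, 8, 29)},  # owner left
}

# Constructed HR directory; an account is orphan when its owner is missing or not active.
HR_DIRECTORY = {"E1001": "active", "E1002": "active", "E2099": "terminated"}


def classify_accounts(accounts, directory, today, dormant_days=90):
    """Return {account: set of findings}, findings being 'orphan' and/or 'dormant'."""
    out = {}
    for name, acct in accounts.items():
        findings = set()
        owner = acct["owner"]
        if owner is None or directory.get(owner) != "active":
            findings.add("orphan")
        if (today - acct["last_activity"]).days > dormant_days:
            findings.add("dormant")
        if findings:
            out[name] = findings
    return out


def review_decisions(findings, responses, review_sent, today, grace_days=14):
    """Apply owner/administrator responses to flagged accounts.
    responses: {account: 'assign:<owner id>' | 'remove'}; a flagged account with
    no response after `grace_days` is disabled and its owner notified."""
    actions = {}
    for name in findings:
        resp = responses.get(name)
        if resp == "remove":
            actions[name] = "remove"
        elif resp and resp.startswith("assign:"):
            actions[name] = "assign to " + resp.split(":", 1)[1]
        elif (today - review_sent).days > grace_days:
            actions[name] = "disable and notify"
        else:
            actions[name] = "await decision"
    return actions


if __name__ == "__main__":
    today = date(2016, 9, 1)
    flagged = classify_accounts(ACCOUNTS, HR_DIRECTORY, today)
    print(flagged)
    print(review_decisions(flagged, {"kdoe": "remove", "svc-report-01": "assign:E1001"},
                           review_sent=date(2016, 8, 10), today=today))
```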

Cloud Application License Metering (Account Level)

Cloud security analytics can also provide savings to customers by metering cloud applications at the account level based on access and activity. Removing orphan and dormant accounts, plus rogue accounts operating under the radar for potential data exfiltration, saves on licensing fees for SaaS cloud applications. Date of last activity for inactive accounts is compared to baselines and peer behaviors to determine abnormal conditions. As enterprises migrate to cloud applications, the licensing topic becomes more critical to minimizing costs. The cloud security analytics CASB API integrates with SaaS cloud applications, IaaS/PaaS and IDaaS to monitor identities, their accounts, access and activity.

Benefits

  • Reduces cloud application and infrastructure license fees with metering based on user and entity behavior analytics
  • Delivers true step-up licensing in contracts based on normal behaviors, not peak loads or abnormal use
  • License metering, along with self-audit and step-up authentication, provides ROI and raises security awareness

Benefits of Cloud Security Analytics Use Cases

Having a broad selection of cloud security analytics use cases provides customers with the assurance that their behavior security analytics requirements will be addressed. Assuring a vendor can support these use cases across both on-premises and in the cloud, as well as being vendor agnostic, provides the strongest assurance that solution objectives are achieved. The overall benefits of cloud security analytics use cases include:

Empowered security capabilities and quality – With the mature capabilities of UEBA and IdA integrated together to create CSA, they provide robust and optimal advanced security analytics across a range of hybrid environments, scoring the gray areas of unknowns and minimizing false positives. The result is improved focus of ‘find and fix’ resources, optimized security analyst time and SOC efficiency, making operations and people more productive.

Extended and optimized discovery, monitoring and visibility – This includes the baseline ability to view the full context of a user’s access entitlement risks and anomalous activities. In addition, this also includes the prime threat plane of privileged access, with the risk scoring of privileged access entitlements and user activity for any incident in question. A mature solution also includes cloud security analytics for hybrid environments, providing a combined 360-degree view of identity and risk-scored behavior anomalies, driven by machine learning as part of a newly recognized state-of-the-art CSA/UEBA-IdA standard.

Improved productivity and cost savings – By having holistic visibility across all of an organization’s environments, both on-premises and in the cloud, and across users and devices, SOC teams’ efficiencies are maximized, delivering cost savings. In addition, as enterprises migrate to cloud applications, the licensing topic becomes more critical to minimizing costs. Removing orphan and dormant accounts saves on licensing fees for SaaS cloud applications.

Enhanced security with self-audit capabilities – With the self-audit feature, the time-consuming investigation requirements associated with vetting false positives are eliminated, while also providing security awareness and deterrence.

Conclusion

The depth and range of use cases fundamentally defines the areas of expertise and functionality for advanced security analytics vendors. This factor represents an important qualification when choosing a solution partner. Having a broad selection of cloud security analytics use cases provides customers with the assurance that their behavior security analytics requirements will be addressed comprehensively.