Welcome to the second in a four-part series on how Cloud Access Security Brokers (CASBs) can help protect your organization from the top twelve threats to cloud computing in 2016. If you would like to review the first blog in the series, just click here.
This blog series examines whether a CASB can protect your organization from the top cloud computing threats identified by a Cloud Security Alliance (CSA) working group. The four-part series includes:
- Part 1: CASB 101
- Part 2: CASBs and Threat Detection
- Part 3: CASBs and the Treacherous 1-6
- Part 4: CASBs and the Treacherous 7-12
CASBs and Threat Detection
In the area of threat protection, a CASB can help detect and prevent malicious behavior (including actions that put data at risk) by monitoring user activity within cloud services and the security configuration of those services. CASBs use various security technologies such as threat intelligence, malware detection, machine learning, and user and entity behavior analytics (UEBA) to improve the accuracy of threat detection.
This diagram shows a typical architecture for a threat analytics engine in a CASB solution.
As shown in the diagram, the threat detection engine uses multiple data feeds:
Using activity and contextual data from various sources, the threat detection engine normalizes the data for event correlation, builds user behavior profiles, and applies machine learning techniques to better detect bad events, anomalous behavior, risky users, and immediate threats.
Examples of threats that CASBs detect include brute-force attacks against user credentials, high-risk user activity, malicious insider activity, misuse of session keys (for example, SSH keys), overly privileged administrators, too many privileged administrators, content malware, IP address hopping (traversing apparently large distances in extremely short time frames), data exfiltration, and public sharing of sensitive content.
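To make the normalize-then-correlate pipeline concrete, here is a toy version of two of the detections listed above (credential brute force and IP address hopping) run over constructed cloud audit events. This is an added example, not code from the original post or from any CASB product; the two feed schemas, user names, coordinates and thresholds are all invented for illustration.

```python
"""Toy CASB-style threat analytics: normalize two differently shaped audit feeds,
group events per user, then flag brute force and IP address hopping (impossible travel)."""
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed feed A: tuples of (user, ISO time, action, succeeded, (lat, lon)).
FEED_A = [("alice", f"2016-03-01T10:0{i}:00", "login", False, (40.71, -74.01)) for i in range(5)]
FEED_A += [("bob", "2016-03-01T10:00:00", "login", True, (40.71, -74.01)),
           ("carol", "2016-03-01T09:00:00", "login", True, (40.71, -74.01))]
# Constructed feed B: a different schema for the same kind of activity.
FEED_B = [{"actor": "bob", "time": "2016-03-01T10:30:00", "event": "download",
           "status": "SUCCESS", "lat": 51.51, "lon": -0.13},
          {"actor": "carol", "time": "2016-03-01T12:00:00", "event": "download",
           "status": "SUCCESS", "lat": 42.36, "lon": -71.06}]

def normalize(feed_a, feed_b):
    """Map both schemas onto one event shape so correlation can treat them alike."""
    events = [{"user": u, "time": datetime.fromisoformat(t), "action": a, "success": ok, "geo": geo}
              for u, t, a, ok, geo in feed_a]
    events += [{"user": e["actor"], "time": datetime.fromisoformat(e["time"]), "action": e["event"],
                "success": e["status"] == "SUCCESS", "geo": (e["lat"], e["lon"])} for e in feed_b]
    return sorted(events, key=lambda e: (e["user"], e["time"]))

def haversine_km(a, b):
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))  # great-circle distance in kilometres

def detect(events, fail_threshold=5, fail_window=timedelta(minutes=10), max_kmh=1000.0):
    """Return (alert_type, user, time) tuples; the thresholds are illustrative only."""
    alerts, by_user = [], defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        # Brute force: fail_threshold failed logins inside one sliding fail_window.
        fails = [e["time"] for e in evs if e["action"] == "login" and not e["success"]]
        for i in range(len(fails) - fail_threshold + 1):
            if fails[i + fail_threshold - 1] - fails[i] <= fail_window:
                alerts.append(("brute_force", user, fails[i]))
                break
        # IP hopping: implied speed between consecutive successes (gap clamped to 1 s).
        prev = None
        for e in (x for x in evs if x["success"]):
            if prev is not None:
                hours = (e["time"] - prev["time"]).total_seconds() / 3600
                if haversine_km(prev["geo"], e["geo"]) > max_kmh * max(hours, 1 / 3600):
                    alerts.append(("ip_hopping", user, e["time"]))
            prev = e
    return alerts
```

Running `detect(normalize(FEED_A, FEED_B))` flags alice for five failed logins in four minutes and bob for a New York login followed half an hour later by a London download, while carol's New York to Boston activity over three hours stays quiet.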
In addition to threat detection, it is equally important for CASBs to automate incident remediation. If a user's credentials are compromised and a decision is made to lock the user's account, a CASB solution should also ensure that the user's cloud access is denied.
If you don't want to wait for the next two blog posts in the series, check out our white paper, "Can a CASB Protect You from the 2016 Treacherous 12?"