Corporate Security Blog

Can a CASB Protect You From the Treacherous 12? - Part 2: CASBs and Threat Protection

Welcome to the second in a four-part series on how Cloud Access Security Brokers (CASBs) can help protect your organization from the top twelve threats to cloud computing in 2016. If you would like to review the first blog in the series, just click here.

This blog series examines whether a CASB can protect your organization from the top cloud computing threats identified by a Cloud Security Alliance (CSA) working group. The four-part series includes: 

- Part 1: CASB 101
- Part 2: CASBs and Threat Detection
- Part 3: CASBs and the Treacherous 1-6
- Part 4: CASBs and the Treacherous 7-12

CASBs and Threat Detection

In the area of threat protection, a CASB can help detect and prevent malicious behavior (including actions that put data at risk) by monitoring user activity within cloud services and the security configuration of those services. CASBs use various security technologies such as threat intelligence, malware detection, machine learning, and user and entity behavior analytics (UEBA) to improve the accuracy of threat detection.

This diagram shows a typical architecture for a threat analytics engine in a CASB solution. 

As shown in the diagram, the threat detection engine uses multiple data feeds:

- User and programmatic access and activity. This data is collected from cloud services, as well as from network services such as proxies, gateways, and firewalls. The data includes cloud service logins, logouts, and transactions (for example, sensitive files shared outside the organization and modifications of sensitive data).
- Threat intelligence feeds. These are community and commercial intelligence feeds that include known vulnerabilities, malware, blacklisted IP addresses, and suspicious geographical locations.
- Application context. Context includes the time of day and date of the transaction event, employee status, and possible employee travel.
- Security configurations. This includes settings for multi-factor authentication, encryption, and management of logged-in sessions (for example, inactivity timeouts).
- Enterprise baselines. An enterprise can have baselines or standards for IOCs, blacklisted IP addresses, sensitive events, and threat models. A threat engine can use this data to detect risks and reduce false positives.

Using activity and contextual data from various sources, the threat detection engine normalizes the data for event correlation, builds user behavior profiles, and applies machine learning techniques to better detect bad events, anomalous behavior, risky users, and immediate threats.

Examples of threats that CASBs detect include brute-force attacks against user credentials, high-risk user activity, malicious insider activity, misuse of session keys (for example, SSH keys), overly privileged administrators, too many privileged administrators, content malware, IP address hopping (traversing apparently large distances in extremely short time frames), data exfiltration, and public sharing of sensitive content.
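IP address hopping, the "impossible travel" case in the list above, is one of the simpler checks to build on the login feed. The following is an added example, not code from this post or from any CASB product; it assumes login events already normalized to (user, timestamp, source IP) tuples and a GeoIP lookup, which is replaced here by a constructed table.

```python
# Added example (not from the original post or any vendor's CASB product): flag "IP address
# hopping" from the travel speed implied by a user's consecutive cloud logins. It assumes
# normalized (user, timestamp, ip) login events and a GeoIP lookup, here a constructed table.
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0  # roughly airliner speed; tune against your enterprise baseline

# Constructed IP -> (lat, lon) table (RFC 5737 documentation addresses, real city coordinates).
GEO = {
    "203.0.113.10": (40.7128, -74.0060),  # New York
    "198.51.100.7": (51.5074, -0.1278),   # London
    "192.0.2.44": (40.7306, -73.9352),    # Brooklyn, a few km from New York
}

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs given in degrees."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(h))

def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH, geo=GEO):
    """Return (user, earlier_ip, later_ip, km, kmh) for consecutive logins by one user whose
    implied speed exceeds max_kmh. IPs missing from geo are skipped, not flagged."""
    by_user = {}
    for user, ts, ip in sorted(events):  # order by user, then timestamp
        by_user.setdefault(user, []).append((ts, ip))
    alerts = []
    for user, logins in by_user.items():
        for (t0, ip0), (t1, ip1) in zip(logins, logins[1:]):
            if ip0 == ip1 or ip0 not in geo or ip1 not in geo:
                continue
            km = haversine_km(geo[ip0], geo[ip1])
            hours = (t1 - t0).total_seconds() / 3600
            kmh = km / hours if hours > 0 else float("inf")  # same-second logins: infinite speed
            if kmh > max_kmh:
                alerts.append((user, ip0, ip1, km, kmh))
    return alerts

# Constructed events: alice "moves" New York -> London in 20 minutes; bob stays within NYC.
SAMPLE = [
    ("alice", datetime(2016, 5, 2, 9, 0), "203.0.113.10"),
    ("alice", datetime(2016, 5, 2, 9, 20), "198.51.100.7"),
    ("bob", datetime(2016, 5, 2, 9, 0), "203.0.113.10"),
    ("bob", datetime(2016, 5, 2, 10, 0), "192.0.2.44"),
]

for user, ip0, ip1, km, kmh in impossible_travel(SAMPLE):
    print(f"{user}: {ip0} -> {ip1}, {km:.0f} km at ~{kmh:.0f} km/h")
```

The speed threshold is where the "enterprise baseline" feed comes in: a known VPN egress or a travelling employee's itinerary should raise the bar or suppress the alert rather than be treated as a compromise.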

In addition to threat detection, it is equally important for CASBs to automate incident remediation. If a user's credentials are compromised and a decision is made to lock the user's account, a CASB solution should also ensure that the user's cloud access is denied.

If you don't want to wait for the next two blog posts in the series, check out our white paper, "Can a CASB Protect You from the 2016 Treacherous 12?"

