Hiding in Plain Sight: How a CASB with Built-In UBA Unmasks Insider Threats
With a new threat landscape brought on by cloud pervasiveness and BYOD, many CISOs focus on external threats and overlook the most active threat to their cloud environment — the insider. The statistics vary, but industry experts consistently state that a majority of threats come from insiders: employees, contractors, consultants, and unprovisioned ex-employees.
Many of the controls put in place to mitigate cloud security threats fail to protect the enterprise against a user with valid credentials. What can be done?
Update Your Security Approach to Assume Insiders are a Threat
Balancing data protection and data accessibility relies on a deep understanding of your users and how they interact with your services. The traditional approach to security focuses more on the perimeter and data than the user. The data-centric approach to security scrutinizes technology and processes to ensure that the data, your “gold mine,” is secured.
Data-centric security relies heavily on authentication as a key control. While these controls are necessary, they are insufficient against an insider threat. If someone already has legitimate credentials, many identity management controls will not prevent that user from taking action, whether malicious or benign. A cloud access security broker (CASB) with built-in user behavior analytics (UBA) turns this view sideways and adds a user-centric approach to security, allowing CISOs to secure the “gold mine” and the “miners.”
“Trust But Verify” the Actions of Your Employees
Classifying, tagging, and encrypting your data may help you secure data at rest and in use, but it won’t protect your organization against the actions of users who already have authorization to use that data. A CASB with built-in UBA complements security solutions and security measures that are built into cloud services. With intelligent analysis of user behavior, UBA can detect suspicious and malicious activities, and even identify risky user behaviors before a breach occurs.
Monitoring user behavior plays a critical role in your organization’s information security strategy, providing CISOs the ability to engage in the “trust but verify” model. A CASB with built-in UBA increases the ability of your security operations to view threats from the user, separating the use of account credentials from the actor using the account credentials. User behavior focuses on the actor and the transactions that he executes, which provides context beyond account credentials. There is no way to detect a compromised account from your data manually. But this additional context can surface patterns of abnormal behavior and act as a fourth factor of authentication: something you know, something you have, something you are, and the pattern of things you do.
How a CASB with Built-In UBA Enhances Security
A CASB that utilizes machine learning monitors user behavior and looks for abnormal usage patterns of cloud applications. The CASB sets a baseline of standard user behavior per user by monitoring all user and service account activity. Without this baseline of normal behavior, your security operations team won’t be able to detect anomalous usage to address an insider threat. UBA continuously compares user behavior against the baseline to detect anomalous activity. Abnormal usage may indicate a malicious insider, a compromised account, or completely innocuous user behavior.
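The per-user baseline comparison described above, as an added example that is not taken from any CASB product: a simple z-score over daily download counts stands in for the machine learning the article mentions. The event tuples, the threshold and the 5% floor are assumptions, and the sample data is constructed.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed sample: (user, day, action) audit events from a cloud storage app.
HISTORY = (
    [("alice", d, "download") for d in range(1, 11) for _ in range(20 + d % 3)]
    + [("svc-backup", d, "download") for d in range(1, 11) for _ in range(500)]
)
TODAY = (
    [("alice", 11, "download")] * 400        # far above alice's own norm
    + [("svc-backup", 11, "download")] * 505 # high volume, but normal for this account
    + [("mallory", 11, "download")] * 5      # account with no history at all
)

def daily_counts(events, action="download"):
    """Return {user: [count per day, ...]} for one action type."""
    counts = Counter((u, d) for u, d, a in events if a == action)
    per_user = defaultdict(list)
    for (user, _day), n in sorted(counts.items()):
        per_user[user].append(n)
    return per_user

def build_baseline(events, min_days=5):
    """Per-user (mean, stddev) of daily counts; too little history means no baseline."""
    return {u: (mean(c), pstdev(c))
            for u, c in daily_counts(events).items() if len(c) >= min_days}

def detect(baseline, events, threshold=3.0):
    """Return {user: reason} where today's count deviates from that user's own baseline."""
    alerts = {}
    for user, counts in daily_counts(events).items():
        n = sum(counts)
        if user not in baseline:
            alerts[user] = "no baseline"   # cannot be judged yet; surface separately
            continue
        mu, sigma = baseline[user]
        # Floor the spread so perfectly regular accounts do not alert on tiny changes.
        spread = max(sigma, 0.05 * mu, 1.0)
        z = (n - mu) / spread
        if z > threshold:
            alerts[user] = f"z={z:.1f} (baseline {mu:.0f}/day, today {n})"
    return alerts

if __name__ == "__main__":
    for user, reason in detect(build_baseline(HISTORY), TODAY).items():
        print(user, reason)
```

The service account moves more data than anyone else yet is not flagged, because each account is compared only with its own history; the alerts are leads for an analyst, since abnormal usage can also be innocuous.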
A CASB is a powerful tool in the CISO’s toolkit that can identify compromised accounts and insider threats. To learn more about how a CASB unmasks insider threats in the cloud, download the full white paper.