Security "Bits"

Adding UEBA and Step-up 2FA to Cloud Apps

By Rich Campagna | November 1, 2016 at 11:44 AM

ueba.pngCredential compromise and malicious insider activities show up as top priorities in report after report on the state of cloud security in the enterprise. Fortunately, leading Cloud Access Security Brokers (CASBs) offer a set of tools to not only detect, but also prevent these (and other) potential security incidents. Specifically, CASBs offer User and Entity Behavior Analytics (UEBA) to help detect suspicious activities, and a variety of remediation technologies, such as step-up multifactor authentication and login blocking/delay. In Bitglass' case, we can add these functions to any your cloud applications even if the app (or your identity provider) don't support them. 

The first step is to detect suspicious activity. CASBs can accomplish this not only within a given application, but across your global cloud app deployment. Kevin gives a few good examples in a recent blog post. You can boil his examples down to two main questions:

  • Context - Is the context by which this user is accessing her/his apps deviating from what is expected? Context may include several variables including role, location, device(s), apps, access method, time-of-day, and more.
  • Data - Is this user accessing data that is relevant to their job and aligned to their typical behavior, as well as behavior typical of his/her peers? Data might include DLP pattern matching, volume of data being accessed, sensitive data being downloaded to a new or unmanaged device, and more.

The second step is to apply the appropriate remediation action. Depending on the CASB, those actions might include a variety of 2FA mechanisms (SMS, email, etc), delayed authentication, challenge questions, or even outright blocking of a login (used sparingly, of course).

In Kevin's UEBA post, he talked about a user's credentials being used simultaneously to log into distinct cloud applications from different geographies. In this case, a reasonable remediation would be to step-up to multifactor authentication for both devices, quickly ferreting out the offending party. At the same time, you'll probably want to force the (legitimate) user to reset his/her password upon successful two factor login. 

Another, more sophisticated example would be to restrict the user's data access in suspicious situations. If a user logs in to Office 365 from an unmanaged device and new location, you might want to block a mass data sync app like OneDrive, and apply DRM to any sensitive data being downloaded to that device through other access methods. 

CASBs can help you counter these, and the broad range of security and compliance concerns you'll encounter on your voyage to the cloud. Why not take a test drive?

Start My Free Trial



see all