Anomaly detection is an important component of any security solution. Based off of data at login and user activity in the application post login, a complete solution can provide real-time alerts and enable IT to enforce actions when an anomalous event is detected.
Let's take an example of a user logging into Office 365 from North America and uploading or downloading corporate data. If another malicious outsider were to log in from Asia using the same credentials at the same time, it would be flagged as anomalous behavior since the user could not have flown half way around the world in that time. As an admin you want to be alerted immediately so that you can take appropriate action.
Limitations of other solutions
While detection of anomalous activity can also be done natively through the cloud app itself, as your organization starts rolling out multiple apps, it gets difficult to pull out logs from each and correlate events to determine what is anomalous and what is not.
IdP/IAM solutions can tell you who logged in/out, when and from where. However these solutions do not have visibility into what the user does after logging into the application.
Only a CASB
Inline Cloud Access Security Brokers (CASBs) like Bitglass are in front of cloud applications and thus offer complete visibility and control over the data. As data is uploaded to and downloaded from the cloud, CASBs can alert over irregular user behaviors, such as activity over weekends/holidays or downloading/uploading data that is 3 standard deviations from the normal i.e. the company average or the user group average.
Bitglass Policy Enforcement
Once you have detected an anomalous activity you need to take action to make sure that your data is secure. With Bitglass you can create those alerts in case of anomalous activity so that the admin and user are notified and force actions such as re-authentication, two factor authentication, or simply log users out from all sessions.