About Cloud Security Monitoring

Understand key concepts in security monitoring, and how Oracle CASB Cloud Service processes different types of risks.

Oracle CASB Cloud Service gives you visibility into the security of your cloud applications and services to help ensure that your critical data (for example, financial data, communications, and personal information) is secure.

Oracle CASB Cloud Service has a lightweight ticketing system for security incidents, and it can also delegate tickets to an external ticketing system.

Oracle CASB Cloud Service classifies the risks that it detects into one of these categories:

Each risk category is listed below with its description:

Weak or noncompliant security control

These are security-related settings in the application. Examples: Short passwords, long idle session timeouts, permissions that need to be more restrictive, insecure Amazon Web Services (AWS) S3 bucket encryption settings, weak AWS network ACLs, and AWS security groups with sensitive ports exposed to the internet.

Oracle CASB Cloud Service identifies security control values based on either Oracle CASB Cloud Service's built-in recommended values or baseline values that you control by pushing your preferred values to the application instance.

Note:

Monitoring for weak security settings is only supported for Amazon Web Services, Box, and Salesforce.

For more information, see Weak Security Control Values in Your Cloud Applications.

Policy alert

A policy is a rule or a guideline (for example, "only people in Finance can view files in the Finance folder", or "any change to network access rules must be reviewed"). In Oracle CASB Cloud Service, you define policies based on particular cloud services (for example, Box), resources in the service (for example, a file or folder), actions (for example, share, download, or collaborate), and optionally items such as actors, recipients, whole groups of users, domains, and IP addresses.

Oracle CASB Cloud Service generates an alert when events that match the policy occur. The console displays a description of the policy violation and can provide recommendations for responding to it. You can also configure the alert to be sent to you through email or SMS.

Examples of conditions that generate an alert:

  • Terminating critical servers or services

  • Sharing files tagged as "Confidential" with someone outside of your organization's domain

  • Making changes to administrator profiles, access controls, or network routing

  • Changing data loss prevention (DLP) policies or mail routing

  • Assigning system administrator profiles

For more information, see Policy Alerts (Rule-Based Alerting).

Anomalous behavior

Oracle CASB Cloud Service identifies behavior that deviates from the usual patterns for each user, and assigns a risk score to the user based on how significant the deviations are and the type of activities the user is performing.

For example, a user who appears to be traveling greater distances than normal and accessing applications from a large number of new IP addresses receives a higher risk score than a user who stays within their usual locations and access IPs.

For more information, see Finding and Analyzing Users at Risk.

Suspicious behavior

Oracle CASB Cloud Service identifies unusual activity that it classifies as suspicious, regardless of the user's normal activity.

Oracle CASB Cloud Service also identifies suspicious IP addresses where activity originates using third-party IP reputation and network information feeds, as well as your own IP whitelist and blacklist data. Identifying suspicious IP addresses can be a key element in discovering threats.

For more information, see Managing Behavioral Anomalies and Threats.

Weak Security Control Values in Your Cloud Applications

Understand the options available in Oracle CASB Cloud Service for detecting and remediating weak security controls.

Enterprise cloud applications have security-related settings, such as password complexity requirements and idle session timeouts. Oracle CASB Cloud Service can detect settings that aren’t strong enough.

Security settings protect both data and users. For example, when users are allowed to keep sessions idle for hours at a time, it increases the risk of their accounts being compromised.

Oracle CASB Cloud Service looks at cloud service configurations and identifies weaknesses in security both up front (at registration time) and on an ongoing basis to identify drift, or gradually increasing deviation, from the ideal configuration. There are two ways you can configure Oracle CASB Cloud Service to monitor for weak security controls:

  • Monitor-only. Oracle CASB Cloud Service reports on these security control values, but doesn’t change them in the cloud application.

  • Monitor and push preferred values to the cloud application. At registration time, Oracle CASB Cloud Service ensures that your cloud application has your preferred security configuration values. After registration, Oracle CASB Cloud Service reports on changes to these values.

Here are a few common settings:

Each security configuration category is listed below with its related setting types:

User passwords

  • Required number of characters

  • Require one or more numbers

  • Require one or more special characters

  • Require users to reset passwords after a particular number of days

Links to files and folders, sharing, collaboration

  • Limit the ability of users to invite collaborators

  • Limit external user collaboration on folders and files

  • Limit use of external links

  • Automatically disable shared links after a particular amount of time

Infrastructure

  • Amazon Web Services (AWS) storage (bucket) encryption settings

  • Network access control lists (ACLs)

  • Secure ports for security groups (ports not exposed to the internet)

How Oracle CASB Cloud Service Helps with the Security Configuration of Your Cloud Applications

By default, Oracle CASB Cloud Service alerts you when your applications' security configurations deviate from a set of stringent values that Oracle CASB Cloud Service maintains for each supported cloud application.

As an alternative to using the default security configuration, you also can select the security configuration values that you want to standardize on, and have Oracle CASB Cloud Service set these values in the application. Oracle CASB Cloud Service subsequently monitors for changes to these values.

Security configuration monitoring can be especially important if you have many instances of an application. Oracle CASB Cloud Service can help you be sure that each application instance has the correct security controls in place.

Policy Alerts (Rule-Based Alerting)

Understand how you can use policy alerts to identify known risks to critical resources in the cloud.

Each cloud application you register to be monitored by Oracle CASB Cloud Service has predefined policies that alert you to the most common types of suspicious activity, specific to that application type. You can also define policies to alert you to any type of activity that you consider to be suspicious in your particular environment.

Each application is listed below with a known risk and the characteristics of that risk:

Amazon Web Services

Changes to highly privileged identity and access management (IAM) user groups

Amazon Web Services is a platform for mission-critical operations. Proliferation of highly privileged administrators puts your organization at risk because it increases the chances that the wrong people can access your critical infrastructure.

Box

Collaboration or sharing files that have confidential information

Organizations increasingly rely on Box for cloud storage.

When files and folders contain sensitive material (for example, financial statements or personal information), sharing and collaboration using Box have the potential to let the wrong people access this information.

Salesforce

Cloning a system administrator profile

Salesforce contains mission-critical data. Proliferation of highly privileged administrators increases the chances of the wrong people accessing this information.

ServiceNow

Administrators impersonating other users

ServiceNow administrators typically impersonate other users to conduct tests. However, impersonation of highly privileged user or administrator roles carries with it the same risks as proliferation of permanent profiles and roles.

Alerts Based on Policy Definitions

Oracle CASB Cloud Service can monitor for well-understood risks by comparing user activity in the cloud with policies (sets of rules) that you define.

When Oracle CASB Cloud Service detects behaviors that correspond to these rules, it produces alerts that describe the policy violation and can provide recommendations for responding to them.

Policy alerts are important because extremely sensitive operations should be watched closely. For example, you need to know immediately if someone performs any of the following actions:

  • Modifying AWS identity and access management (IAM) security groups, roles, SAML identity providers, and assets tagged as "production"

  • Sharing or inviting collaborators for sensitive files and folders in Box

  • Modifying Office 365 data loss prevention policies or email routing configurations

  • Modifying Salesforce system administrator profiles
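The following is an added illustration, not Oracle CASB Cloud Service's own policy engine or data model: a toy rule matcher that expresses two of the conditions quoted above (a "Confidential"-tagged Box file shared outside the organization's domain, and termination of an AWS asset tagged "production") as policies built from the elements the page names (service, resource, action, actor, recipient) and evaluates them against constructed events. The Event and Policy fields, the domains and the instance id are assumptions.

```python
from dataclasses import dataclass

# Hypothetical Event and Policy shapes, constructed for this example (not the CASB data model).
@dataclass
class Event:
    service: str            # cloud service, for example "Box" or "AWS"
    resource: str
    action: str
    actor: str
    tags: frozenset = frozenset()
    recipient: str = ""     # who the resource is shared with, if anyone

@dataclass
class Policy:
    name: str
    service: str
    actions: frozenset
    required_tags: frozenset = frozenset()  # resource must carry all of these
    org_domain: str = ""                    # if set, only recipients outside it match
    recommendation: str = ""

def recipient_domain(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""

def matches(policy, event):
    """True when the event satisfies every condition the policy sets."""
    if event.service != policy.service or event.action not in policy.actions:
        return False
    if not policy.required_tags <= event.tags:
        return False
    if policy.org_domain and recipient_domain(event.recipient) in ("", policy.org_domain):
        return False  # no recipient, or an internal one: the sharing rule is not violated
    return True

def evaluate(policies, events):
    # One alert per (policy, event) match, carrying the policy's recommendation.
    return [{"policy": p.name, "actor": e.actor, "resource": e.resource,
             "recommendation": p.recommendation}
            for e in events for p in policies if matches(p, e)]

POLICIES = [  # the two conditions quoted on the page, as rules
    Policy("Confidential file shared externally", "Box", frozenset({"share", "collaborate"}),
           frozenset({"Confidential"}), "example.com", "Revoke the share and confirm the recipient with the owner."),
    Policy("Critical server terminated", "AWS", frozenset({"TerminateInstances"}),
           frozenset({"production"}), "", "Check the change ticket; restore from snapshot if unauthorized."),
]
EVENTS = [  # constructed sample events
    Event("Box", "Finance/Q3-forecast.xlsx", "share", "ann@example.com", frozenset({"Confidential"}), "pat@partner.test"),
    Event("Box", "Finance/Q3-forecast.xlsx", "share", "ann@example.com", frozenset({"Confidential"}), "lee@example.com"),
    Event("Box", "Marketing/logo.png", "share", "ann@example.com", frozenset(), "pat@partner.test"),
    Event("AWS", "i-0123456789abcdef0", "TerminateInstances", "ops-admin", frozenset({"production"})),
]
```

Running `evaluate(POLICIES, EVENTS)` yields two alerts: the external share of the confidential file and the termination of the production instance; the internal share and the untagged file produce none.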

Anomalous Behaviors and IP Addresses

Understand what behavioral risks are and how Oracle CASB Cloud Service detects them.

Because your employee base, business partners, and vendors change continuously, and because attack patterns can be complex, Oracle CASB Cloud Service automatically detects behavioral risks.

Oracle CASB Cloud Service monitors what every user is doing in and across your cloud applications. From this activity it builds a behavioral baseline, or profile, of what’s normal for each identity (end users, privileged users, and API identities) that connects to your clouds. Oracle CASB Cloud Service alerts you when it detects a user performing actions that deviate from that user's baseline.

Even when Oracle CASB Cloud Service doesn’t have a baseline for a user (for example, when it starts to monitor a new user), it can compare the user's behavior with a set of initial baselines.

Examples of anomalous behavior and other user behavior risks:

  • A user logs in from multiple or unusual IP addresses and geographical locations within a short time. When a user or program accesses an application from unexpected geographical locations, this is an indicator that an attacker is moving (hopping) around to different locations. Typically, this type of hopping is done as a masquerade; the attacker is actually stationary.

  • The user has an unusual number of logins within a limited amount of time. When you combine access from diverse geographical locations with rapid successive logins to your cloud application, this could be a sign of trouble.

  • An administrator makes an excessively large number of changes to an application's settings.

  • A user logs in from an IP address that is on a public blacklist, meaning it is known to be a source of malicious activity.

  • A user logs in from a network that protects the user's actual location through use of anonymizing proxies.

  • Users access your applications from locations where you know you don’t have any users.

  • There’s a dramatic rise in the rate of administrative changes within an application.

  • There’s a dramatic rise in the rate of access attempts by a user across geographically dispersed locations.

Oracle CASB Cloud Service notifies you of these behaviors, with supporting data, content, and graphics to enable you to further investigate these activities. In addition, Oracle CASB Cloud Service automatically detects when a blacklisted IP address accesses a monitored application. You also can define new IP address black- and whitelists in Oracle CASB Cloud Service. For more information, see Putting IP Addresses on Blacklists or Whitelists.

Finally, Oracle CASB Cloud Service can use directory metadata to track users across their different cloud applications as well as within a particular application.

Threat Categories

Oracle CASB Cloud Service threat categories include:

IP hopping. People and programs can make use of anonymizers that attempt to disguise the client computer that’s accessing a cloud application. Oracle CASB Cloud Service generates a threat event when it detects evidence of IP hopping, which is an indicator of anonymized access.

Brute force attacks. Failed logins are a common occurrence. However, a change in rate of failed logins or a very high number of them can indicate a common attack known as a brute force attempt to guess a user's password.

User behavior risk. A combination of factors can draw suspicion, including the apparent geographical distance traveled, number of accessing IP addresses, and failed logins in a particular time frame.

Administrator behavior risk. An unusual number of administrative changes can be indicative of an insider threat or a hijacked account.
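As an added example (not Oracle's scoring algorithm, whose weights and thresholds the page does not give), the scorer below combines the factors named in the threat categories and the behavior list above: a burst of failed logins (brute force), the implied travel speed between consecutive logins from different locations (IP hopping / impossible travel), the number of distinct source IPs, and whether any of them is on a blacklist. The login records, the blacklist, the haversine distance helper and all weights are constructed assumptions.

```python
import math
from datetime import datetime, timedelta

# Constructed sample logins (user, ISO time, ip, lat, lon, success); not real data.
LOGINS = [
    ("alice", "2024-03-01T09:00:00", "203.0.113.10", 37.77, -122.42, True),  # San Francisco
    ("alice", "2024-03-01T09:40:00", "198.51.100.7", 51.51, -0.13, True),    # London, 40 min later
    ("alice", "2024-03-01T09:45:00", "192.0.2.44", 51.51, -0.13, True),      # London, third IP
    ("carol", "2024-03-01T11:00:00", "198.51.100.99", 48.86, 2.35, True),    # Paris, listed IP
] + [("bob", f"2024-03-01T10:{m:02d}:00", "203.0.113.20", 40.71, -74.01, False) for m in range(12)]
IP_BLACKLIST = frozenset({"198.51.100.99"})  # constructed; stands in for a reputation feed

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def user_risk(user, events=LOGINS, blacklist=IP_BLACKLIST,
              window=timedelta(minutes=15), fail_limit=10, max_kmh=900):
    """Score one user from the factors the page lists; weights and thresholds are illustrative."""
    evs = sorted((e for e in events if e[0] == user), key=lambda e: e[1])
    ips = {e[2] for e in evs}
    # Brute force: most failed logins inside any sliding window of `window` length.
    fails = [datetime.fromisoformat(e[1]) for e in evs if not e[5]]
    burst = max((sum(1 for f in fails if t <= f < t + window) for t in fails), default=0)
    # IP hopping / impossible travel: implied speed between consecutive successful logins.
    top_kmh, ok = 0.0, [e for e in evs if e[5]]
    for a, b in zip(ok, ok[1:]):
        hours = (datetime.fromisoformat(b[1]) - datetime.fromisoformat(a[1])).total_seconds() / 3600
        km = haversine_km(a[3], a[4], b[3], b[4])
        if km > 50:  # a move inside one metro area is not travel
            top_kmh = max(top_kmh, km / max(hours, 1 / 60))
    factors = {"distinct_ips": len(ips), "blacklisted_ip": bool(ips & blacklist),
               "failed_burst": burst, "max_kmh": round(top_kmh)}
    score = ((40 if top_kmh > max_kmh else 0) + (30 if burst >= fail_limit else 0)
             + (20 if factors["blacklisted_ip"] else 0) + min(10, 5 * max(0, len(ips) - 1)))
    return {"user": user, "score": min(score, 100), "factors": factors}

if __name__ == "__main__":
    for u in ("alice", "bob", "carol"):
        print(user_risk(u))
```

With this data alice scores 50 (a San Francisco to London hop in 40 minutes plus three source IPs), bob 30 (twelve failures in fifteen minutes), and carol 20 (a single login from the listed address).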

About Risk Management and Incident Tracking

Understand how Oracle CASB Cloud Service helps you manage the risks it identifies through incident tracking.

In addition to identifying risks to your cloud applications, you must manage those risks. Oracle CASB Cloud Service helps you manage them through a lightweight incident tracking system. You can export incident tickets from Oracle CASB Cloud Service to a central ticketing system. For more information, see Finding, Managing, and Resolving Incidents.

Automatically Generated Incident Tickets

When Oracle CASB Cloud Service detects a risk based on a threat, it automatically creates an incident ticket so that you can track the risk to its resolution. For more information, see Anomalous Behaviors and IP Addresses.

Manually Created Incident Tickets

You can manually create incident tickets in the Oracle CASB Cloud Service console for security control risks and policy alerts. When you create a policy, you can include instructions about what action to take when the policy triggers an alert. This can greatly reduce the time it can take to address the problem.

About Reports

Understand how reports in Oracle CASB Cloud Service provide information on usage trends, independent of risk detection.

In addition to giving you insight into risks to your cloud applications, Oracle CASB Cloud Service provides visibility into general usage patterns, regardless of whether an actual risk is detected. This insight helps you understand how your applications are being used.

You can run predefined global reports, plus reports on multiple indicators for registered applications. You can also create and run custom reports to analyze trends that aren’t provided in the built-in reports.

For more information on reports, see Creating and Running Reports.

About Data Retention

Understand the time period covered for data displayed in Oracle CASB Cloud Service, and what happens to older data.

Oracle CASB Cloud Service continuously ingests new data for all the cloud applications that you have registered. The time period for which you are viewing data in the console depends on how long ago you registered the application.

  • Initially you may see no data at all for an application, because events are being ingested only as they occur.

  • After a while you see data from the time at which you registered the application, up to the present.

  • After 90 days you see data from the past 90 days. Data older than 90 days is automatically archived.

If you want to obtain any of the data that has been archived, see Obtaining Archived Data.