Finding and Analyzing Users at Risk
View the data that Oracle CASB Cloud Service provides on users flagged as possible risks, and analyze that data to determine if you need to take action.
After you have uploaded your directory information, Oracle CASB Cloud Service generates a risk score for each user and agent that accesses one of your registered cloud apps or services. The risk score is based on how much a user's actions in a 24-hour period deviate from the norm for that user's activity history.
Initially, Oracle CASB Cloud Service compares each individual's activity against a set of internal benchmarks. After ten days, Oracle CASB Cloud Service compares each individual's activity in a 24-hour period with that individual's past behavior. The longer Oracle CASB Cloud Service monitors a particular individual, the more accurate its assessments become.
Oracle CASB Cloud Service monitors common risk factors, such as failed logins and the total number of access IP addresses, as well as factors that are specific to the cloud service being monitored.
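The following sketch illustrates the baseline-deviation idea described above. It is an added example, not Oracle CASB Cloud Service's scoring algorithm: the z-score method, the benchmark values, the 0-100 scale, and all names are assumptions, and the activity history is constructed sample data.

```python
from statistics import mean, pstdev

# Assumed internal benchmark (mean, std dev) per risk factor, used until a
# user has enough history. These numbers are illustrative only.
BENCHMARK = {"failed_logins": (2.0, 2.0), "distinct_ips": (2.0, 1.0)}
MIN_HISTORY_DAYS = 10  # after ten days, compare against the user's own past

def baseline(history, factor):
    """Return (mean, std dev) for a factor: per-user baseline or benchmark."""
    if len(history) < MIN_HISTORY_DAYS:
        return BENCHMARK[factor]
    values = [day[factor] for day in history]
    # Floor the deviation so a perfectly flat history cannot divide by zero.
    return mean(values), max(pstdev(values), 1.0)

def risk_score(history, today):
    """Score one 24-hour window 0-100 by its largest upward deviation."""
    worst = 0.0
    for factor, value in today.items():
        mu, sigma = baseline(history, factor)
        worst = max(worst, (value - mu) / sigma)
    # 0 or fewer standard deviations maps to 0; 5 or more maps to 100.
    return round(min(max(worst, 0.0), 5.0) * 20)

# Constructed sample: 14 daily summaries alternating between quiet and busy
# days (failed logins 0 or 2, distinct access IP addresses 1 or 3).
HISTORY = [{"failed_logins": 2 * (d % 2), "distinct_ips": 1 + 2 * (d % 2)}
           for d in range(14)]

if __name__ == "__main__":
    today = {"failed_logins": 4, "distinct_ips": 2}
    # The same day scores higher against a tight personal baseline than
    # against the looser benchmark applied to a user with 3 days of history.
    print("established user:", risk_score(HISTORY, today))
    print("new user:        ", risk_score(HISTORY[:3], today))
```

The same 24-hour activity produces a different score depending on which baseline applies, which is why assessments for recently onboarded users deserve more manual review.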
Finding Users at Risk
Find users at risk and a summary of their recent activities on the Dashboard, with additional details available on the Risk Events and Users pages.
The Dashboard displays summary information regarding users at risk. For users with a high risk score, Oracle CASB Cloud Service also generates entries in the Risk Events page. Full details on each user’s recent activity are available on the Users page.
Processing Users with High Risk Scores
Take a few simple actions when you find a user with a high risk score.
In general, when you find a user with a high risk score, there are a few simple actions you can take in Oracle CASB Cloud Service to do additional investigation:
- Run a full activity report on the user (a link to the full report is available on the risk details page).
- Check whether the user shared their credentials. If not, consider the possibility of account compromise or an insider threat.
- Check the Risk Events page for any other risk events related to this user.
- Consider configuring a new Oracle CASB Cloud Service policy to generate alerts related to this user.
- Consider implementing safeguards for user accounts, including multi-factor authentication and VPN access with endpoint verification and protection.
- If you suspect the account has been compromised, force a password reset and consider blocking the account's access IP address.
Analyzing Users at Risk
Analyze the factors for a user with a high risk score and correlate that user with other risk events.
You can assess user risks from the user details view in the Oracle CASB Cloud Service console Users section and user activity reports. You can also find other risky events that involve a particular user in the Risk Events section of the console.