Finding and Analyzing Users at Risk

View the data that Oracle CASB Cloud Service provides on users flagged as possible risks, and analyze that data to determine if you need to take action.

After you have uploaded your directory information, Oracle CASB Cloud Service generates a risk score for each user and agent that accesses one of your registered cloud apps or services. The risk score is based on how much a user's actions in a 24-hour period deviate from the norm for that user's activity history.

Initially, Oracle CASB Cloud Service compares each individual's activity against a set of internal benchmarks. After ten days, Oracle CASB Cloud Service compares each individual's activity in a 24-hour period with that individual's past behavior. The longer Oracle CASB Cloud Service monitors a particular individual, the more accurate its assessments become.

Oracle CASB Cloud Service monitors common risk factors such as failed logins and the total number of access IP addresses as well as factors that are specific to the cloud service being monitored.

Finding Users at Risk

Find users at risk, with a summary of their recent activities on the Dashboard and additional details on the Risk Events and Users pages.

The Dashboard displays summary information regarding users at risk. For users with a high risk score, Oracle CASB Cloud Service also generates entries in the Risk Events page. Full details on each user's recent activity are available on the Users page.

  1. Select Dashboard from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.
  2. Click the Summary tab.

    The User risk levels card shows tallies of users by risk level (normal activity, or low, medium, and high risk assessments).

  3. To view risk levels for all users, from the Oracle CASB Cloud Service console, select the Users page from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.
    The users with the highest risk scores are shown at the top of the table by default. You can also click a segment of the User risk levels card to filter the Users page by risk level.
  4. In the Users page, click a user name to view the details of risk factors for that user.

Processing Users with High Risk Scores

Take a few simple actions when you find a user with a high risk score.

In general, when you find a user with a high risk score, there are a few simple actions you can take in Oracle CASB Cloud Service to do additional investigation:

  1. Run a full activity report on the user (a link to the full report is available on the risk details page).

  2. Check whether the user shared their credentials. If not, consider the possibility of account compromise or an insider threat.

  3. Check the Risk Events page for any other risk events related to this user.

  4. Consider configuring a new Oracle CASB Cloud Service policy to generate alerts related to this user.

  5. Consider implementing safeguards for user accounts, including multi-factor authentication and VPN access with endpoint verification and protection.

  6. If you suspect the account has been compromised, force a password reset and consider blocking the account's access IP address.

Analyzing Users at Risk

Analyze the factors for a user with a high risk score and correlate that user with other risk events.

You can assess user risks from the user details view in the Oracle CASB Cloud Service console Users section and user activity reports. You can also find other risky events that involve a particular user in the Risk Events section of the console.

  1. Select Users from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.
  2. Click the user name for a user with a high risk score.
  3. In the user details page, click the links under Risk Factors (below the speedometer icon).
  4. Determine whether any factors are of immediate importance:

     Risk Factor: IP address or proxy IP address
     What You Can Do: Use an IP reputation service to determine the trustworthiness of the user's access points.

     Risk Factor: Failed logins
     What You Can Do: Check the login frequency, elapsed time for the failed login attempts, and login locations to see if there may be an attempt to hijack the user's account.

     Risk Factor: Locations
     What You Can Do: Check whether the access locations match hubs on your corporate network.

     Risk Factor: Access devices
     What You Can Do: If multiple devices are being used simultaneously, make sure they all belong to the user who owns the account (the account is not being shared).

     Risk Factor: Operating systems
     What You Can Do: If multiple operating systems are being used simultaneously, make sure they all belong to the user who owns the account (the account is not being shared).

     Risk Factor: File and folder activity (views, deletes)
     What You Can Do: If there is excessive activity related to corporate data, and other risk factors appear suspicious, this can be an indicator of account compromise or misuse.

     Risk Factor: Role, password, access key, and access control updates
     What You Can Do: If there is excessive activity related to access privileges, and other risk factors appear suspicious, this can be an indicator of account compromise or misuse.

  5. Click View log data for any item in the activity tables to get additional details related to each event, for example the HTTP request parameters, the request URL, and user identity details.
  6. To view all of this user's actions for up to 30 days, click the link Go to 30-day activity report.
  7. Correlate a user with a high risk score with other risk events in Oracle CASB Cloud Service:
    1. From the Oracle CASB Cloud Service console, select the Users page, and copy the user name.
    2. Select Risk Events, and in the Filter text field on the Risk Events page, paste the user name.

      If there are any additional risk events related to this user, the table will be filtered to only show the events related to them.

    3. Repeat these steps for other risk factors, such as this user's access IP addresses.
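The following is an added example, not Oracle CASB Cloud Service code and not its scoring model, which is not published. It illustrates the behaviour described at the top of this page (a user's 24-hour activity scored by how far it deviates from that user's own history, with an internal benchmark standing in until ten days of history exist) using daily counts that mirror rows of the risk factor table above: failed logins, distinct access IP addresses, access devices, and privilege or access control updates. The benchmark values, level thresholds, and sample days are all constructed for the example.

```python
"""Illustrative user risk scoring by deviation from the user's own history.

Added example, not Oracle CASB Cloud Service code: the real model is not
published. This models the behaviour the documentation describes: a user's
24-hour activity is compared with that user's history, and a fixed benchmark
stands in for the history until ten days of it exist.
"""
from statistics import mean, pstdev

# Daily per-user counts. The first two are the common factors the page names
# (failed logins, distinct access IP addresses); the others mirror rows of
# the risk factor table (access devices, privilege/access-control updates).
FEATURES = ("failed_logins", "distinct_ips", "distinct_devices", "privilege_updates")

# (mean, stdev) used while a user has fewer than MIN_HISTORY_DAYS of history.
# Constructed values for this example, not Oracle's internal benchmarks.
BENCHMARK = {
    "failed_logins": (1.0, 1.0),
    "distinct_ips": (1.5, 0.7),
    "distinct_devices": (1.2, 0.5),
    "privilege_updates": (0.2, 0.4),
}
MIN_HISTORY_DAYS = 10   # the page: personal history is used after ten days
STDEV_FLOOR = 1.0       # a perfectly flat history must still tolerate a count of +1


def baseline(history, feature):
    """Return (mean, stdev) for one feature: the user's own history if long enough, else the benchmark."""
    if len(history) < MIN_HISTORY_DAYS:
        return BENCHMARK[feature]
    values = [day[feature] for day in history]
    return mean(values), max(pstdev(values), STDEV_FLOOR)


def feature_deviation(today, history, feature):
    """Positive z-score of today's count against the baseline; counts below baseline are not risk."""
    mu, sd = baseline(history, feature)
    return max(0.0, (today[feature] - mu) / sd)


def risk_score(today, history):
    """0-100 score: ten points per standard deviation above baseline, summed over features and capped."""
    total = sum(feature_deviation(today, history, f) for f in FEATURES)
    return min(100, round(total * 10))


def risk_level(score):
    """Bucket a score into the levels the User risk levels card shows. Thresholds are constructed."""
    if score >= 60:
        return "high"
    if score >= 30:
        return "medium"
    if score >= 10:
        return "low"
    return "normal"


def day(failed_logins=1, distinct_ips=1, distinct_devices=1, privilege_updates=0):
    """Build one day of constructed feature counts."""
    return {"failed_logins": failed_logins, "distinct_ips": distinct_ips,
            "distinct_devices": distinct_devices, "privilege_updates": privilege_updates}


# Constructed sample data: fourteen quiet days of history for one user, then three candidate days.
LONG_HISTORY = [day() for _ in range(14)]
QUIET_DAY = day()
MILD_DAY = day(failed_logins=3, distinct_ips=2)
SPIKE_DAY = day(failed_logins=12, distinct_ips=5, distinct_devices=3, privilege_updates=2)

if __name__ == "__main__":
    for label, today in (("quiet", QUIET_DAY), ("mild", MILD_DAY), ("spike", SPIKE_DAY)):
        for hist_label, hist in (("14-day history", LONG_HISTORY), ("3-day history", LONG_HISTORY[:3])):
            score = risk_score(today, hist)
            print(f"{label:5} day, {hist_label}: score={score:3} level={risk_level(score)}")
```

Running the block scores the same mild day as medium against the user's fourteen flat days but only low against the benchmark, which is the effect the page describes: a user's own history makes the assessment tighter the longer they are monitored. When tuning a model of this shape, the stdev floor is the setting to watch, because a user whose history is perfectly regular would otherwise be flagged for any change at all.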