Risks to Users

Understand how to identify and analyze user risks.

Users pose a variety of different security risks that Oracle CASB Cloud Service can detect.

Identifying High Risk Users: User Risk Levels Card

Understand how to use the User risk levels card to identify high risk users.

In the Dashboard, the User risk levels card provides an overview of whether any users of your cloud services have an elevated risk score.

Oracle CASB Cloud Service typically collects 10 days of data before creating a risk profile for a user. It then generates a risk score for the user. This score is based on the degree to which the user's actions over the past day (24 hours) have deviated from their typical usage pattern. Oracle CASB Cloud Service doesn't analyze every action when calculating this risk score. Instead, it looks at actions that are often implicated in malicious insider or external hacker activity.

Typically, the longer Oracle CASB Cloud Service monitors a user's behavior, the more accurate the risk score will be.

Examples of behaviors that can generate a high risk score:

  • Downloading an unusual number of files, or deleting an unusual number of files, from IP addresses that the user hadn't used before.

  • Traversing an unusually long geographical distance in a relatively short amount of time, particularly when benchmarked against the user's typical behavior.

  • Accessing a cloud service from new IP addresses and locations outside of typical work hours for that user.

  • Unusual application-specific activities for the user that might involve sensitive data.

This Dashboard card provides a summary of users and highlights which users are showing normal activity and which users have shown behaviors that put their account at risk.

Click the report icon in this card (the grid) to view a detailed report of users who are at risk (also accessible from the Users page).

Click any area of the chart to view details for the users at the corresponding risk level.

Analyzing User Risks: The Users Page

Understand how to use the Users page to analyze high risk users.

The Users page provides a risk profile for all users who access the cloud applications or services that Oracle CASB Cloud Service monitors.

Each risk profile is based on activity that Oracle CASB Cloud Service considers atypical. These activities can be generic (for example, an unusually high number of login attempts or access IP addresses) or specific to an application type (for example, sensitive administrative operations that are specific to Amazon Web Services).

For the first 10 days that Oracle CASB Cloud Service monitors a user, it bases its risk score on internal benchmarks. After 10 days of monitoring a particular user, Oracle CASB Cloud Service bases the risk score on significant changes in the user's behavior, relative to that user's previous behavior. The longer Oracle CASB Cloud Service monitors a user, the more stable Oracle CASB Cloud Service's model of the user becomes. Oracle CASB Cloud Service recalculates its risk score daily based on new input, and raises or lowers the risk score relative to the new risk factors detected:

  • Generic factors include the user's locations and IP addresses, file download activity, and number of operating systems used.

  • Service-specific factors include sharing content with external users; creating, updating, and deleting content; and administrative activity, such as creating, modifying, and deleting users.

These are the risk ratings in the Users page:

  • High. A risk score of 90 and above is categorized as high risk.

  • Medium. 80-89.

  • Low (some) risk. 60-79.

  • Normal activity. Below 60.

To View Users at Risk

  1. Select Users from the Navigation Menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

    This page displays all monitored users, sorted by default according to their risk scores.

    Note:

    Some AWS users can have the key HIDDEN_DUE_TO_SECURITY_REASONS instead of a user name. This is because AWS hides the names of users who have errors during login that could expose potentially sensitive information (for example, accidentally entering a password in the user name field).
  2. To view details related to an individual risk factor for a user, click the risk factor name (for example, Failed login IP addresses).
  3. To view all details related to a user's risk score, click the user name.
  4. In the user details page, click a link in the Risk Factors section to view the details related to specific risk factors for a user.

    Note:

    For risk factors related to new items (for example, new IP addresses), you must manually compare the recently detected items with the items listed as previously seen.
  5. If there are more than ten lines of data for a particular risk factor:
    • Click the See More link at the bottom of the table, and in the risk factor details dialog box, page through all of the events related to the risk factor.

    • To view the raw event data for a particular risk in this table, click the View log data button in each table row.

  6. To close the risk factor details dialog box, click the close icon in the upper right corner.
  7. To close the user risks details page, click the close icon in the upper right corner.

    Note:

    You can do additional investigation of this user by generating an activity report, and by searching for risk events related to this user in the Risk Events page.
  8. To view a report of all activity related to a user:
    1. Select Users from the Navigation Menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.
    2. Locate a user and then click the user name.
    3. In the user details page, click the link for All Activities Report.
    4. To save the data in this report, click the Export to CSV button.

Users with the Most Failed Logins Card

Understand how to use the Users with the most failed logins card to identify high risk users.

The Dashboard card for most failed user logins can give you insight into users who may need help with password creation and retrieval, and it can also indicate possible account hijacking attempts when the failure numbers are extreme.

To get more information about potential security issues, click the View Report icon and explore the overall pattern. If Oracle Identity Cloud Service (IDCS) is enabled in your Oracle CASB Cloud Service tenant, the report shows two additional columns:

  • ASSOCIATED CASB APP — the application instance registered in Oracle CASB Cloud Service that the user accessed.

  • ASSOCIATED IDP APP — the name of the single sign-on application that was used to access the registered application instance.

To enable IDCS, contact Oracle Support (http://support.oracle.com). If you have not registered yet, you will need your Customer Support Identifier (CSI) in order to register to submit service request tickets. As an alternative, you can also contact your Oracle CASB Customer Success Manager.

You can also run a user activity report and filter the report for the user in question to see if the multiple login failures are associated with other unusual activity (for example, login success, followed by a high number of file downloads or sensitive administrative operations).

In addition, you can click the Users page to see if this user appears to have a high-risk level, or search for the user name in the Risk Events section of the console to see if this user is an actor in any risk events.
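The follow-up check described above (failed logins, then a successful login, then an unusual burst of downloads or sensitive administrative operations) can also be run offline over an exported activity report. The script below is an added example, not Oracle CASB code; the CSV column names, event names and thresholds are assumptions for this illustration, and the sample rows are constructed.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample shaped like an exported activity report; column and event
# names are assumptions for this example, not Oracle CASB's real CSV layout.
SAMPLE_EXPORT = """timestamp,user,event,ip
2024-03-01T02:00:00,alice,LOGIN_FAILURE,203.0.113.5
2024-03-01T02:01:00,alice,LOGIN_FAILURE,203.0.113.5
2024-03-01T02:02:00,alice,LOGIN_FAILURE,203.0.113.5
2024-03-01T02:04:00,alice,LOGIN_SUCCESS,203.0.113.5
2024-03-01T02:05:00,alice,FILE_DOWNLOAD,203.0.113.5
2024-03-01T02:05:30,alice,FILE_DOWNLOAD,203.0.113.5
2024-03-01T02:06:00,alice,FILE_DOWNLOAD,203.0.113.5
2024-03-01T02:06:30,alice,FILE_DOWNLOAD,203.0.113.5
2024-03-01T09:00:00,bob,LOGIN_FAILURE,198.51.100.7
2024-03-01T09:01:00,bob,LOGIN_SUCCESS,198.51.100.7
2024-03-01T09:10:00,bob,FILE_DOWNLOAD,198.51.100.7
"""

FAILURE_BURST = 3            # failures right before a success that merit a look
WINDOW = timedelta(hours=1)  # how long after the success to watch for follow-up
DOWNLOAD_THRESHOLD = 4       # downloads inside the window treated as unusual
SENSITIVE_EVENTS = {"USER_CREATE", "USER_MODIFY", "USER_DELETE"}

def parse_export(text):
    """Group rows per user as time-sorted (timestamp, event, ip) tuples."""
    events = defaultdict(list)
    for row in csv.DictReader(io.StringIO(text)):
        events[row["user"]].append(
            (datetime.fromisoformat(row["timestamp"]), row["event"], row["ip"]))
    return {user: sorted(evs) for user, evs in events.items()}

def suspicious_sessions(events):
    """Map user -> [(success_time, failures_before, downloads, sensitive_ops)]."""
    findings = {}
    for user, evs in events.items():
        failures = 0
        for i, (ts, event, _ip) in enumerate(evs):
            if event == "LOGIN_FAILURE":
                failures += 1
            elif event == "LOGIN_SUCCESS":
                follow_up = [e for e in evs[i + 1:] if e[0] - ts <= WINDOW]
                downloads = sum(e[1] == "FILE_DOWNLOAD" for e in follow_up)
                sensitive = sum(e[1] in SENSITIVE_EVENTS for e in follow_up)
                if failures >= FAILURE_BURST and (downloads >= DOWNLOAD_THRESHOLD or sensitive):
                    findings.setdefault(user, []).append((ts, failures, downloads, sensitive))
                failures = 0  # a success ends the burst; other events leave it intact
    return findings
```

Rows whose user name is HIDDEN_DUE_TO_SECURITY_REASONS cannot be attributed to an account and are grouped under that key, so review them separately.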

Users with the Most Logins Card

Understand how to use the Users with the most logins card to identify high risk users.

The Dashboard card for most user logins can give you insight into user activity. Excessive numbers of logins on the part of a particular user can be an indicator of a compromised account.

To get more information about potential security issues, click the View Report icon and explore the overall pattern. If Oracle Identity Cloud Service (IDCS) is enabled in your Oracle CASB Cloud Service tenant, the report shows two additional columns:

  • ASSOCIATED CASB APP — the application instance registered in Oracle CASB Cloud Service that the user accessed.

  • ASSOCIATED IDP APP — the name of the single sign-on application that was used to access the registered application instance.

To enable IDCS, contact Oracle Support (http://support.oracle.com). If you have not registered yet, you will need your Customer Support Identifier (CSI) in order to register to submit service request tickets. As an alternative, you can also contact your Oracle CASB Customer Success Manager.

You can also run a user activity report and filter the report for the user in question to see if the multiple logins are associated with other unusual activity (for example, a high number of file downloads or sensitive administrative operations).

In addition, you can select the Users page in the Oracle CASB Cloud Service console to see if this user appears to have a high-risk level, or search for the user name in the Risk Events page of the console to see if this user is an actor in any risk events.