Risks to Users
Understand how to identify and analyze user risks.
Users pose a variety of different security risks that Oracle CASB Cloud Service can detect.
Identifying High Risk Users: User Risk Levels Card
Understand how to use the User risk levels card to identify high risk users.
In the Dashboard, the User risk levels card provides an overview of whether any users of your cloud services have an elevated risk score.
Oracle CASB Cloud Service typically collects 10 days of data before creating a risk profile for a user. It then generates a risk score for the user. This score is based on the degree to which the user's actions over the past day (24 hours) have deviated from their typical usage pattern. Oracle CASB Cloud Service doesn't analyze every action when calculating this risk score. Instead, it looks at actions that are often implicated in malicious insider or external hacker activity.
Typically, the longer Oracle CASB Cloud Service monitors a user's behavior, the more accurate the risk score will be.
Examples of behaviors that can generate a high risk score:
- Downloading an unusual number of files, or deleting an unusual number of files, from IP addresses that the user hadn't used.
- Traversing an unusually long geographical distance in a relatively short amount of time, particularly when benchmarked against the user's typical behavior.
- Accessing a cloud service from new IP addresses and locations outside of typical work hours for that user.
- Unusual application-specific activities for the user that might involve sensitive data.
This Dashboard card provides a summary of users and highlights which users are showing normal activity and which users have shown behaviors that put their account at risk.
Click the report icon in this card (the grid) to view a detailed report of users who are at risk (also accessible from the Users page).
Click any area of the chart to view details for the users at the corresponding risk level.
Analyzing User Risks: The Users Page
Understand how to use the Users page to analyze high risk users.
The Users page provides a risk profile for all users who access the cloud applications or services that Oracle CASB Cloud Service monitors.
Each risk profile is based on activity that Oracle CASB Cloud Service considers atypical. These activities can be generic (for example, an unusually high number of login attempts or access IP addresses) or specific to an application type (for example, sensitive administrative operations that are specific to Amazon Web Services).
For the first 10 days that Oracle CASB Cloud Service monitors a user, it bases its risk score on internal benchmarks. After 10 days of monitoring a particular user, Oracle CASB Cloud Service bases the risk score on significant changes in the user's behavior, relative to that user's previous behavior. The longer Oracle CASB Cloud Service monitors a user, the more stable Oracle CASB Cloud Service's model of the user becomes. Oracle CASB Cloud Service recalculates its risk score daily based on new input, and raises or lowers the risk score relative to the new risk factors detected:
- Generic factors include the user's locations and IP addresses, file download activity, and number of operating systems used.
- Service-specific factors include sharing content with external users; creating, updating, and deleting content; and administrative activity, such as creating, modifying, and deleting users.
These are the risk ratings in the Users page:
- High. A risk score of 90 and above is categorized as high risk.
- Medium. 80-89.
- Low (some) risk. 60-79.
- Normal activity. Below 60.
To View Users at Risk
Users with the Most Failed Logins Card
Understand how to use the Users with the most failed logins card to identify high risk users.
The Dashboard card for most failed user logins can give you insight into users who may need help with password creation and retrieval, and it can also indicate possible account hijacking attempts when the failure numbers are extreme.
To get more information about potential security issues, click the View Report icon and explore the overall pattern. If Oracle Identity Cloud Service (IDCS) is enabled in your Oracle CASB Cloud Service tenant, the report shows two additional columns:
- ASSOCIATED CASB APP: the application instance registered in Oracle CASB Cloud Service that the user accessed.
- ASSOCIATED IDP APP: the name of the single sign-on application that was used to access the registered application instance.
To enable IDCS, contact Oracle Support (http://support.oracle.com). If you have not registered yet, you will need your Customer Support Identifier (CSI) in order to register to submit service request tickets. As an alternative, you can also contact your Oracle CASB Customer Success Manager.
You can also run a user activity report and filter the report for the user in question to see if the multiple login failures are associated with other unusual activity (for example, login success, followed by a high number of file downloads or sensitive administrative operations).
In addition, you can click the Users page to see if this user appears to have a high-risk level, or search for the user name in the Risk Events section of the console to see if this user is an actor in any risk events.
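The correlation described above (multiple login failures, then a login success, then a high number of file downloads) can be checked over exported activity data along these lines. This is an added example, not part of the Oracle CASB Cloud Service product: the row layout, the action names (`login_failure`, `login_success`, `file_download`) and all thresholds are assumptions, and the sample rows are constructed.

```python
from datetime import datetime, timedelta


def _sample(user, start, fails, downloads):
    """Build constructed rows: `fails` failures one minute apart, one
    success, then `downloads` file downloads 20 seconds apart."""
    t0 = datetime.fromisoformat(start)
    rows = [((t0 + timedelta(minutes=i)).isoformat(), user, "login_failure")
            for i in range(fails)]
    t1 = t0 + timedelta(minutes=fails)
    rows.append((t1.isoformat(), user, "login_success"))
    rows += [((t1 + timedelta(seconds=20 * (i + 1))).isoformat(), user, "file_download")
             for i in range(downloads)]
    return rows


# Constructed stand-in for a user activity report: (timestamp, user, action).
ROWS = (_sample("carol", "2024-05-01T02:00:00", 6, 25)    # failures, then bulk download
        + _sample("dave", "2024-05-01T09:00:00", 6, 2)    # forgotten password, normal use
        + _sample("erin", "2024-05-01T10:00:00", 0, 30))  # heavy download, no failures


def failures_then_activity(rows, min_failures=5, min_downloads=20,
                           fail_window=timedelta(minutes=10),
                           follow_window=timedelta(minutes=30)):
    """Flag users whose successful login follows a burst of failures and is
    itself followed by a burst of downloads. Thresholds are assumptions."""
    by_user = {}
    for ts, user, action in rows:
        by_user.setdefault(user, []).append((datetime.fromisoformat(ts), action))
    flagged = {}
    for user, events in by_user.items():
        events.sort()
        for i, (when, action) in enumerate(events):
            if action != "login_success":
                continue
            fails = sum(1 for t, a in events[:i]
                        if a == "login_failure" and when - t <= fail_window)
            downloads = sum(1 for t, a in events[i + 1:]
                            if a == "file_download" and t - when <= follow_window)
            if fails >= min_failures and downloads >= min_downloads:
                flagged[user] = {"success_at": when.isoformat(),
                                 "failures": fails, "downloads": downloads}
                break
    return flagged


if __name__ == "__main__":
    print(failures_then_activity(ROWS))
```

Only the user who shows both signals is flagged; failures alone or heavy downloads alone are left for the other reports described on this page.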
Users with the Most Logins Card
Understand how to use the Users with the most logins card to identify high risk users.
The Dashboard card for most user logins can give you insight into user activity. Excessive numbers of logins on the part of a particular user can be an indicator of a compromised account.
To get more information about potential security issues, click the View Report icon and explore the overall pattern. If Oracle Identity Cloud Service (IDCS) is enabled in your Oracle CASB Cloud Service tenant, the report shows two additional columns:
- ASSOCIATED CASB APP: the application instance registered in Oracle CASB Cloud Service that the user accessed.
- ASSOCIATED IDP APP: the name of the single sign-on application that was used to access the registered application instance.
To enable IDCS, contact Oracle Support (http://support.oracle.com). If you have not registered yet, you will need your Customer Support Identifier (CSI) in order to register to submit service request tickets. As an alternative, you can also contact your Oracle CASB Customer Success Manager.
You can also run a user activity report, and filter the report for the user in question to see if the multiple logins are associated with other unusual activity (for example, a high number of file downloads or sensitive administrative operations).
In addition, you can select the Users page in the Oracle CASB Cloud Service console to see if this user appears to have a high-risk level, or search for the user name in the Risk Events page of the console to see if this user is an actor in any risk events.