MVISION Cloud's Threat Protection enables real-time threat and anomaly detection and remediation for security, compliance, and data governance across all Sanctioned Cloud Services such as Salesforce, Box, Microsoft Office 365, and more. With a canonical Cloud API Engine™ powering it, Threat Protection delivers the following capabilities:
- Threat Protection User Interface. A unified Threat Protection dashboard at Incidents > Threats with an incident-response workflow for security risks arising from potential insider threats, compromised accounts, privileged user access, flight risk, and other risky data uses.
- Activity Monitoring. An immutable, comprehensive Activity Monitoring user interface that displays all user, admin, and third-party application activities for investigations and forensics.
- User Behavior Analytics. Uses data science to build a self-learning model of normal user behavior based on role, department, geo, and other heuristics across multiple CSPs to identify anomalies pointing to data exfiltration arising from potential Privileged Access, Compromised Accounts, or Insider Threats.
- Geo-Location Analytics. Visualizes global access patterns in a Geo Location View and analyzes activity to identify cross-region accesses, failed, and successful attempts indicative of compromised accounts.
- Privileged User Analytics. Monitors use and access to data from Privileged Users. Recommends options to minimize risk arising from misconfigured or excessive permissions granted to privileged users. Identifies "zombie" administrator accounts, data access patterns, inappropriate access to data, unwarranted escalation of permission, and user provisioning.
Definition of Terms
- Activity. An activity is an action taken by a user within a cloud service. When MVISION Cloud is used to broker security for a cloud service, all activities can be accessed for investigation using MVISION Cloud's Threat Protection.
- Anomaly. An anomaly is a set of activities that exceeds a threshold for “normal” behavior. Anomalies in your system can indicate inconsistent use across users, undefined policies around security, or unusual behavior. Not all anomalies represent threats or even represent malicious behavior.
- Date. The dates and times listed in Threat Protection are based on the time zone of the system accessing the Threat Protection interface, not the time zone where the activity occurred.
- Threats. Threats are collections of anomalies in normal behavior that point to potential security incidents happening within your organization for data on a cloud service. Because threats are only triggered when specific anomalies occur in concert, they are more likely to represent real breaches to your system to investigate.
- Anomaly Thresholds. The activity limits used to detect anomalies. Each type of activity has its own detection thresholds. Thresholds can either be set based on the individual behavior of each user (behavior-based thresholds) or keyed to pre-determined thresholds (organizational thresholds). Behavior-based thresholds can change based on the time of day or day of the week. Five hundred record downloads on Monday morning might be normal for a user, but the same number of record downloads on a Saturday night can trigger an anomaly. When the threshold is exceeded, an anomaly is generated.
Examples of thresholds include:
- Download or Upload Counts. Users who download many files as part of their responsibilities are less likely to trigger an anomaly than a user who downloads 50,000 files the first time they log into the service.
- Administrative Actions. A user who creates several new accounts each month is less likely to generate an anomaly than a brand-new administrative account that creates 50 new users and deletes them all the same day.
Threat Protection Pipeline
The Threat Protection back-end pipeline processes events in two separate streams: the real-time stream and the batch stream. User activities relevant to data exfiltration are processed in the real-time stream, and everything else is processed in the batch stream. For details, see Activities Processed in Real-Time.
Threat Protection Workflow
Identifying and resolving threats is one of the main purposes of the MVISION Cloud Threat Protection platform. Threats alert you to potential security breaches by recognizing when multiple anomalies occur in concert to suggest a significant event. Understanding how threats are generated and how to respond to them is vital to success with Threat Protection.
McAfee MVISION Cloud Threat Protection uses the following workflow steps:
- Threat Protection analyzes activity occurring within your Sanctioned Cloud Services.
- This activity is compared to the threshold for that activity. This threshold is either based on the user's specific behavior (behavior-based threshold) or keyed to the normal behavior of your entire organization (organizational threshold).
- If the activity does not exceed the threshold, the activity is recorded to the Activity Tab, and no further action is required.
- If the activity exceeds the threshold, an Anomaly is generated.
- When specific anomalies appear at the same time (for example, if there are significant Brute Force anomalies occurring at the same time as unusual Data Access) a threat is generated.
- Because Threats only occur when a specific pattern of Anomalies is generated, your team should investigate each threat, determining whether the threat represents a valid security concern that should be addressed and resolved or whether the threat was generated incorrectly and should be marked as a false positive. Either way, once a threat is marked, it is removed from the Threats table.
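The threshold comparison and anomaly-to-threat correlation of the workflow above, together with the time-of-day sensitivity of behavior-based thresholds described under Definition of Terms, as an added Python example that is not part of MVISION Cloud or its documentation. The event records, the organizational thresholds, the business-hours/off-hours buckets, the 1.5x tolerance factor, and the brute-force plus data-access threat pattern are all assumed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample activity records, not product data: (user, action, count, ISO timestamp)
EVENTS = [
    ("alice", "download", 450, "2024-03-04T09:15:00"),   # Monday morning
    ("alice", "download", 520, "2024-03-05T10:05:00"),   # Tuesday morning
    ("alice", "download", 480, "2024-03-06T09:40:00"),   # Wednesday morning
    ("alice", "download", 500, "2024-03-09T23:30:00"),   # Saturday night, same volume
    ("bob", "login_failed", 3, "2024-03-04T08:00:00"),   # a few failed logins, normal
    ("bob", "login_failed", 60, "2024-03-07T02:10:00"),  # burst of failed logins
    ("bob", "download", 5000, "2024-03-07T02:20:00"),    # followed by bulk downloads
]

# Assumed values: organizational thresholds (used until a user has a profile for that action),
# the anomaly type derived from each activity, and the anomaly pattern that constitutes a threat
ORG_THRESHOLDS = {"download": 1000, "login_failed": 20}
ANOMALY_TYPE = {"download": "data_access", "login_failed": "brute_force"}
THREAT_PATTERN = {"brute_force", "data_access"}

def bucket(when):
    """Behavior-based thresholds vary by time of day and day of week: business hours vs off-hours."""
    return "business" if when.weekday() < 5 and 8 <= when.hour < 18 else "off_hours"

def detect_anomalies(events, factor=1.5, min_limit=10):
    """Compare each activity with the user's own baseline for that bucket, else with the org threshold."""
    baseline = {}  # (user, action) -> {bucket: largest count judged normal so far}
    anomalies = []
    for user, action, count, ts in sorted(events, key=lambda e: e[3]):
        when = datetime.fromisoformat(ts)
        profile = baseline.get((user, action))
        if profile is None:
            limit = ORG_THRESHOLDS[action]
        else:  # an unseen bucket has a zero baseline, so a usual volume at an unusual time is anomalous
            limit = profile.get(bucket(when), 0) * factor + min_limit
        if count > limit:
            anomalies.append((user, ANOMALY_TYPE[action], when))
        else:  # only activity judged normal trains the self-learning model
            profile = baseline.setdefault((user, action), {})
            profile[bucket(when)] = max(profile.get(bucket(when), 0), count)
    return anomalies

def correlate_threats(anomalies, window=timedelta(hours=1)):
    """Raise a threat only when every anomaly type in THREAT_PATTERN occurs for one user within the window."""
    threats = set()
    for user, _, when in anomalies:
        nearby = {t for u, t, w in anomalies if u == user and abs(w - when) <= window}
        if THREAT_PATTERN <= nearby:
            threats.add(user)
    return sorted(threats)
```

Running `correlate_threats(detect_anomalies(EVENTS))` flags only bob: alice's Saturday-night downloads produce an anomaly but no threat, while bob's failed-login burst followed by bulk downloads matches the threat pattern.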