CloudLock Unveils Breakthrough Method for Isolating True Security Threats From Among Billions of Suspicious User Activities

March 28, 2016, by David
Grazed from CloudLock

When is a security alert not a real security alert? With hacks and breaches a daily reality for businesses, security teams deal with a barrage of suspicious and anomalous user behaviors and have little time to isolate and focus on the true threats. Today, CloudLock’s security intelligence arm, The CloudLock CyberLab announced its breakthrough discovery that solves this challenge — the "Cloud Threat Funnel." Following its extensive research of the daily behavior of 10 million users, 1 billion files and 140,000 cloud apps, CloudLock CyberLab detected distinct patterns of user behaviors and developed a new process for isolating truly malicious threats from the noise of other potentially suspicious or unusual behaviors. CloudLock’s findings and methodology are presented in its Q1-16 cloud cybersecurity report published today, "The Cloud Threat Funnel: Suspicious User Behavior That Matters."

The report reveals that 99.6 percent of users accessed cloud platforms from just one or two countries per week. Establishing this as the norm, the team was then able to isolate the long tail revealing anomalies: 1 in 20,000 users, for example, logged in from six or more countries and, within this group, the CyberLab found some users logging in from as many as 68 different countries in a given week — real needles in the haystack. By applying the Cloud Threat Funnel methodology, the CyberLab was able to correlate these anomalous behaviors with other high-risk suspicious user activities and pinpoint compromised accounts.

How the Cloud Threat Funnel Works
It starts with all user behavior — looking at high-fidelity information from an array of sources. This data set can be enriched with third-party threat intelligence resources and run through anomaly detection algorithms to reduce the likelihood of false positives. The threat funnel then moves into anomalies, recognizing outliers that do not conform to expected patterns, like a sudden burst of activity. Anomalies are then distilled down to high-risk, high-impact suspicious activities, by coupling the results of anomaly detection with custom-defined rules and correlating access to sensitive assets and applications. An adaptive, self-learning model, the threat funnel reduces the number of alerts being generated to improve the signal-to-noise ratio and visibility. Using this approach allows security professionals to focus their efforts on true malicious threats.
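The three funnel stages described above, as an added example that is not CloudLock's code: it groups constructed login events per user, flags users whose weekly country count reaches the report's six-country long tail, and keeps only those anomalies that a rule corroborates (a failed or challenged login from an assumed risky-country list, or access to an assumed sensitive asset). The risky-country and sensitive-asset lists and all login events are placeholders, not data from the report.

```python
from collections import defaultdict
# Report figure: 99.6% of users log in from one or two countries a week; six or more is the long tail.
COUNTRY_THRESHOLD = 6
# Assumed tenant lists (placeholders, not from the report).
RISKY_COUNTRIES = {"RU", "CN", "NG"}
SENSITIVE_ASSETS = {"hr-payroll"}
# Constructed sample logins for one week, not CloudLock data:
# (user, country, outcome, sensitive asset touched or None)
EVENTS = [
    ("alice", "US", "ok", None), ("alice", "CA", "ok", "hr-payroll"),
    ("bob", "US", "ok", None), ("bob", "DE", "ok", None),
    ("bob", "RU", "failed", None), ("bob", "BR", "ok", None),
    ("bob", "CN", "challenged", None), ("bob", "NG", "ok", "hr-payroll"),
    ("carol", "US", "ok", None), ("carol", "FR", "ok", None),
    ("carol", "IN", "ok", None), ("carol", "JP", "ok", None),
    ("carol", "AU", "ok", None), ("carol", "GB", "ok", None),
]

def stage_all_behavior(events):
    """Stage 1: the whole haystack, grouped per user."""
    per_user = defaultdict(list)
    for ev in events:
        per_user[ev[0]].append(ev)
    return per_user

def stage_anomalies(per_user, threshold=COUNTRY_THRESHOLD):
    """Stage 2: users whose distinct-country count breaks the weekly norm."""
    countries = {u: {ev[1] for ev in evs} for u, evs in per_user.items()}
    return {u: c for u, c in countries.items() if len(c) >= threshold}

def stage_high_risk(per_user, anomalous):
    """Stage 3: keep an anomaly only if a rule-based signal corroborates it."""
    findings = {}
    for user in anomalous:
        reasons = []
        for _, country, outcome, asset in per_user[user]:
            if outcome != "ok" and country in RISKY_COUNTRIES:
                reasons.append(f"{outcome} login from risky country {country}")
            if asset in SENSITIVE_ASSETS:
                reasons.append(f"touched {asset} from {country}")
        if reasons:  # carol has 6 countries but no corroboration: dropped here
            findings[user] = reasons
    return findings

def run_funnel(events):
    """Return per-stage counts and the final high-risk findings."""
    per_user = stage_all_behavior(events)
    anomalous = stage_anomalies(per_user)
    high_risk = stage_high_risk(per_user, anomalous)
    return {"users": len(per_user), "anomalous": sorted(anomalous),
            "high_risk": high_risk}
```

Running `run_funnel(EVENTS)` narrows three users to two anomalies and then to one high-risk account (bob), which is the signal-to-noise reduction the funnel is meant to deliver.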

Identifying Patterns of High-Risk Behaviors
CloudLock’s research identified the following user behavior patterns, which are representative of the signal-to-noise challenge faced by security teams:

  • The activity of top offenders is significantly higher than that of the average user. Top offenders exhibit up to 227 times more anomalous activities than average users.
  • Only 0.02 percent (1 in 5,000) of all user activities represent suspicious behaviors.
  • Eight percent of all user logins fail or get challenged. Of these, 1.3 percent originate from risky countries.

What Now?
To embrace the Cloud Threat Funnel, organizations need to deploy an adaptive security model that can provide security teams with predictive, preventive, detective and responsive capabilities. Key components of an adaptive security model include threat intelligence, cloud vulnerability insight, cyber research, community intelligence, centralized policies, and contextual analysis. Leveraging these factors in unison will help avoid alert fatigue and improve the precision of identifying threats.

Starting with the highest-impact incidents is the key to success. By narrowing the focus to top offenders and the user activities most indicative of a true threat, security teams can make confident decisions much faster than before and avoid costly breaches with little effort.

To download the full report, visit https://go.cloudlock.com/ebook-cloud-threat-funnel-report.html.