Using Security Intelligence to Detect Insider Threats From Cloud-Based Applications

Using Security Intelligence to Detect Insider Threats From Cloud-Based Applications

Microsoft Office 365 is popular — very popular. In 2016, Gartner reported that 78 percent of enterprises surveyed used or planned to use Office 365. With access to a range of user activity events from a variety of sources, including Exchange Online, SharePoint Online and Azure Directory, how can Office 365 administrators correlate all this valuable data with other security events across their enterprises?

Applying Security Intelligence to Office 365 Audit Logs

Office 365 provides application program interfaces (APIs) that work in tandem with security intelligence platforms to deduce what’s occurring in your cloud installation and alert you to potential issues. It also includes forensic analysis features and, of course, event logging. However, security information and event management (SIEM) isn’t a core concept for Microsoft, so you’ll need to enlist a dedicated third-party offering such as IBM QRadar for the analytics you need.

The benefit of ingesting Office 365 audit logs into your IBM QRadar security intelligence platform is that you can perform powerful use cases. This integration enables you to:

  • Augment your enterprise’s security compliance posture by including Office 365 events into existing regulatory compliance reports and correlation rules.
  • Detect potential system breaches.
  • Identify possible data leaks.
  • Track user and admin activities for Exchange Online and Sharepoint Online. Activities include file and folder actions such as view, create, edit, upload, delete and download, in addition to file sharing and collaboration.
  • Report on Azure Active Directory authentications by users, and IPs for all of your Microsoft cloud apps such as Skype, Yammer, Exchange Online and others.

Watch the on-demand Webinar: How To Solve the Insider Threat Puzzle

Investigating Insider Threats With UBA

But IBM QRadar doesn’t stop there. In addition to correlating and analyzing cloud-based application logs with security analytics, it can be used within IBM QRadar User Behavior Analytics (UBA) to take user profiling to the next level. This process can help you:

  • Discover risky user behaviors and fraudulent activity.
  • Identify at-risk users, calculate risk scores and place users on a watchlist.
  • Understand the risk profile of the environment and the total of all user scores at a particular time.
  • Drill down into potential threats and gain insights for taking corrective action.

If you don’t think you need UBA as part of your security intelligence infrastructure, consider this: Insider threats account for roughly 60 percent of cyberattacks, many of which leverage phished or otherwise stolen credentials. By cross-referencing a baseline of normal activity, IBM QRadar UBA can alert analysts when anomalous behavior occurs and stop insider threats in their tracks.

To learn more about how QRadar can help you defend your network against insider threats, watch the on-demand webinar, “How To Solve the Insider Threat Puzzle.” You can also try a demo of UBA.

The post Using Security Intelligence to Detect Insider Threats From Cloud-Based Applications appeared first on Security Intelligence.

#Security,#cognitive,#awvi

Security

via Security Intelligence https://ibm.co/2p4xJdK

May 26, 2017 at 02:01AM

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s