Skip to main content

New research helps identify the threats in suspicious user behaviour

Security teams often spend a lot of their time investigating anomalies and suspicious behaviour, leaving them less time to focus on true threats.

Cloud security specialist CloudLock is tackling this problem with research into what it calls a Cloud Threat Funnel. Based on analysis of user behaviour patterns it can isolate truly malicious threats from the noise of other potentially suspicious or unusual behaviours.

As the report's authors note, "Analysing user behaviour for signs of a breach is like searching for a needle in a haystack. Anomalous behaviours may be simply accidental missteps by careless users, or typical work-related actions that in the right (or wrong) context can become dangerous".

The funnel approach is based on research into the daily behaviour of 10 million users, 1 billion files and 140,000 cloud apps. It reveals that 99.6 per cent of users access cloud platforms from just one or two countries per week. Establishing this as the norm, the team was then able to isolate and reveal anomalies.

By adding user activity to third-party threat intelligence the algorithms reduce the likelihood of false positives. The Threat Funnel then moves into anomalies, recognising outliers that do not conform to expected patterns. Because it's a self-learning model, it reduces the number of alerts being generated to improve the signal-to-noise ratio and visibility. Using this approach allows security professionals to focus their efforts on true malicious threats.

In order to make use of the Cloud Threat Funnel, organisations need to deploy an adaptive security model that can provide security teams with predictive, preventive, detective and responsive capabilities. By narrowing the focus on top offenders and user activities that are the most indicative of a true threat, security teams can make confident decisions much faster and avoid costly breaches with less effort.

The findings and methodology behind Cloud Threat Funnel are available in a report which you can download from the CloudLock website.

Image Credit: Andrea Danti/Shutterstock