
Security for Today's Threats
The Avanan CASB


Email is the #1 attack vector. Cloud Account Takeover is the #1 attack target.

Should a CASB protect against these threats?


Contents

Executive Summary
What is a CASB?
The Avanan Platform
  Overview
  Visibility
  Data Security
  Threat Protection
  Compliance
SaaS Email Phishing and Threat Protection
SaaS Account Takeover and Breach Protection
Conclusion

Executive Summary

The Avanan Platform expands what it means to be a CASB

If you are considering a Cloud Access Security Broker (CASB), Avanan offers the most complete solution in the industry. The Avanan cloud security platform provides the four pillars of CASB functionality as a stand-alone product and has partnered with top vendors in data security and threat protection to offer the best-of-breed solution in every category.

Feature for feature, Avanan's CASB is both easier to deploy and offers a greater level of protection. In some categories, it offers capabilities not found in any other solution. Two of these are critical:

- SaaS Email Anti-Phishing and Threat Protection
- Account Takeover and Breach Protection

What these have in common should make them a vital part of any CASB decision criteria.

- Email is the #1 threat vector for enterprise breaches,
- Account takeover has become the #1 target for malicious attacks,
- The best architecture for defending against both of these threats is an API-based CASB.

Any CASB that does not protect against the top threat target from the leading vectors is not a complete solution. Email and account takeover solutions that do not integrate completely with the cloud provider cannot offer complete protection.


What is a CASB?

Gartner first defined the term Cloud Access Security Broker (CASB) in 2011, when most IT applications were hosted in the data center and few companies trusted the cloud. Most online services were primarily aimed at the consumer. At the time, CASB products were designed to provide visibility for this Shadow IT and limit employee access to unauthorized cloud services.

Today, organizations have embraced the cloud, replacing many of their datacenter applications with Software as a Service (SaaS) or moving much of their IT into infrastructure (IaaS) providers like Amazon or Azure. Instead of limiting access, CASBs have evolved to protect cloud-hosted data and provide enterprise-class security controls so that organizations can incorporate SaaS and IaaS into their existing security architecture.

Fundamentally, CASBs provide four primary security services:

1. Visibility
A CASB identifies all the cloud services (both sanctioned and unsanctioned) used by an organization's employees. Originally, this only included the services they would use directly from their computer or mobile device, often called "Shadow IT". Today, it is possible for an employee to connect an unsanctioned SaaS directly to an approved SaaS via API. This "Shadow SaaS" requires more advanced visibility tools.

2. Data Security
A CASB enforces data-centric security policies by offering granular access controls or encryption. It incorporates role-based policy tools, data classification and loss prevention technologies to monitor user activity and audit, block or limit access. Once, these were stand-alone systems. Today it is vital that they are integrated into the organization's data policy architecture.

3. Threat Protection
A CASB protects cloud services from unwanted users or applications. This might include real-time malware detection, file sandboxing or behavior analytics and anomaly detection. New threats require new protections, so the list should include anti-phishing, account-takeover detection and predictive (A.I.) malware technologies.

4. Compliance
Regulated organizations require auditing and reporting tools to demonstrate data compliance, and a CASB should provide all the necessary auditing and reporting tools. More advanced solutions offer policy controls and remediation workflows that enforce regulatory compliance in real time.


The Avanan CASB Platform | Overview

The Avanan platform is a complete CASB solution, providing the full feature set that you would expect from a next-gen cloud access security broker. Avanan has partnered with the industry's best security vendors to provide more advanced data security and threat protection than is available from any other solution. What sets it apart, however, is Avanan's own anti-phishing and account-takeover protection.

- Avanan's SmartPhish and Email Threat Protection catch what traditional email gateways cannot.
- Avanan's Breach Detection identifies compromised IaaS, SaaS and SaaS-email accounts.

Category | Feature | Provided by Avanan | Provided by Third Party
Visibility | Shadow IT | Email Analysis; Firewall/Web Gateway Integration; DNS Integration | -
Visibility | Shadow SaaS | API/App Manager | -
Visibility | Risk Reporting | SaaS Permissions Risk Score | -
Visibility | Real-time Event Monitoring | User/File/Config Monitoring | -
Data Security | Data Classification | SmartText Pattern Matching | Data Classification/DLP*; Optical Character Recognition*
Data Security | Data-centric Audit/Protection | Cross-SaaS Policy Engine | -
Data Security | Permissions Management | Role-based Policy Engine | Integrates with existing IdM
Data Security | Remediation | Policy Enforcement Workflow | -
Data Security | File Encryption | - | Integrates with existing EDRM
Threat Protection | SaaS Email Security | SmartPhish, BEC Detection | Real-time Antivirus*; Malware Sandboxing*; URL Filtering*
Threat Protection | Malware | Virtual-inline Enforcement | Real-time Antivirus*; Malware Sandboxing*; URL Filtering*
Threat Protection | Account Takeover | UEBA/Breach Detection | -
Threat Protection | Admin Monitoring | Insider Threat Detection | -
Compliance | SIEM Integration | SIEM Reporting | -
Compliance | Audit | Real-time Monitoring; Compliance Reporting | -
Compliance | Enforcement | Role-based Policy Enforcement; Remediation Workflow | -
Compliance | Compliance | Regulatory Reporting; Required Controls | -

*Cloudified versions from multiple third-party vendors are available for this category


The Avanan CASB Platform | Visibility

Avanan provides both Shadow IT and Shadow SaaS monitoring to identify unapproved cloud applications without the need to reroute traffic through a proxy or install an additional appliance. It also adds additional layers of visibility into each user's use of the cloud.

Shadow IT Monitoring

Avanan connects to any existing enterprise firewall to monitor all outbound traffic for unapproved SaaS applications. It can capture data from your DNS or DNS management systems or connect to advanced perimeter gateways via API to capture real-time web activity. Avanan's email filtering solutions also monitor your users' inboxes for rogue SaaS communication, providing additional admin and user information, even making it possible to find unapproved accounts on an approved cloud service.

Shadow SaaS Monitoring

The Avanan platform connects to your approved SaaS and IaaS provider to monitor third-party SaaS applications that users might connect to their account. It identifies both the service and the level of access the user has provided.

Risk Reporting

Avanan sets a level of risk for each Shadow IT/Shadow SaaS connection, including the level of access each service might request (e.g., read-only access to a calendar might be appropriate, read-write access to email might not).

Event Monitoring

Avanan captures both real-time and historical information about every user, file, configuration and permissions event.


The Avanan CASB Platform | Data Security

The Avanan platform, by itself, is a complete data security solution that provides a full suite of policy enforcement tools to protect confidential information. By partnering with leading security vendors, it offers additional capabilities that make it the most advanced solution available today.

Data Classification

Avanan's SmartSearch tools identify personally identifiable information (PII) and other confidential text within every file, email or message. If you have already deployed a Data Security/Data Leak Prevention tool in your own network, Avanan has partnered with every major vendor so you can apply the same policies across all your cloud services.

Data Centric Access Management

Avanan can manage granular file permissions based upon the user's role and the type of data the file contains using cloud-aware enforcement options that work within the context of the cloud service. Remediation workflows ensure that securing data does not affect business, offering real-time enforcement that does not require IT intervention.

Policy Based Encryption

Avanan makes it simple to deploy your choice of encryption across all your cloud services using role-based, context-aware policies that eliminate the need to encrypt everything but ensure data security, even after files leave the cloud.


The Avanan CASB Platform | Threat Protection

Avanan is the most complete threat protection solution for the cloud, with its own security technology as well as multiple tools from the top vendors in the industry. With its "virtual inline" capabilities for email, it can quarantine a malicious file before it reaches the user's inbox.

Anti-Phishing Protection

Phishing attacks are the #1 source of data breaches every year, but only Avanan offers phishing protection for cloud-based email. Machine learning algorithms combine with role-based, contextual analysis of previous conversations to identify threats that Google, Microsoft and external mail gateways miss.

Account Takeover Protection

Avanan monitors every user event (not just logins) to identify anomalous behavior, permission violations, misconfiguration or "malconfiguration" changes that indicate a compromised account.

Malicious URL Detection

Every email, file and chat message is checked for malicious links.

Real-time Malware Detection

Every email and file is instantly scanned for active code and malicious content using multiple analysis engines before it reaches the inbox.

Advanced Threat Sandboxing

Suspicious files are tested in emulation to stop zero-day threats.

Predictive Malware Analysis

Next generation tools can identify zero-day threats without the delay of emulation.


The Avanan CASB Platform | Compliance

Because of its tight integration with each SaaS, Avanan provides real-time compliance auditing and enforcement for every file and user decision.

SIEM Integration

Avanan collects and correlates user, file and configuration events from each cloud provider and security tool to stream them to an organization's existing reporting infrastructure.

Audit

Even on first connect, Avanan has access to historical event data for retrospective compliance auditing as well as real-time reporting.

Enforcement

Avanan's policy engine can move and encrypt files, change permissions, filter messages or use any number of cloud-native tools to ensure compliance.

Compliance Controls

No matter the regulatory regime, Avanan offers the tools and infrastructure for every industry, from GDPR and SOX to PCI and HIPAA.


SaaS Email Phishing and Threat Protection

No matter the motivation, email continues to be the most common vector for enterprise breaches. Phishing and pretexting represented 98% of social incidents and 93% of breaches last year. Protection for the cloud must include protection for cloud-based email.

Traditional email security gateways, even if offered as a cloud-based service, are deployed as an external proxy, limiting their visibility into SaaS email solutions like Office 365 and Gmail.

Comprehensive Information, Comprehensive Control

Avanan's email/anti-phishing protection is unique in the cloud security industry. Typically, when organizations move their email to the cloud, they either rely exclusively on the email provider's built-in security or supplement it with a traditional MTA proxy. External mail gateways, however, may not be sufficient to detect and block today's threats. Avanan's unique architecture provides protection that is impossible for an external gateway solution.

- Monitors inbound, outbound and internal email: Avanan's SaaS integration can scan and quarantine every email before it reaches the user's inbox, whether it is coming from outside the organization or from a compromised internal account.

- Scans historical messages for threats: On first connect, Avanan scans historical messages (even closed accounts) for potential breaches or compromised accounts.

- Global Email Retraction: Messages can be edited or retracted at any time, whether because they are malicious, contain confidential information or result from an employee's accidental reply-all.

Because Avanan's email protection is applied before the inbox but after the native Microsoft or Google filters (as well as any external MTA gateway that might be deployed), its machine-learning algorithms are uniquely tuned to identify threats that they miss. Avanan is also able to incorporate the results of the native scans into its own detection algorithms.


Avanan's Own SmartPhish Technology Catches What Others Miss

The strength of the Avanan platform is the ability to integrate the industry's best technology for threat protection. While email phishing was the #1 cause for corporate breaches last year, none of the existing vendors offered significantly better protection than that offered by the built-in Microsoft or Gmail filters.

- Creates role-based profile for each user: Historical analysis of inbound and outbound conversations offers a relationship map against which to compare future messages. It also includes behavior outside the email environment.

- Integrates company-specific SaaS information: Access to the full SaaS account is used to create role-based user profile maps against which to identify BEC attacks. This wealth of additional information provides over 300 threat indicators per message.

Beyond Just Email

Messaging is more than just email. Organizations are moving to new collaboration tools like Slack and Teams for internal and partner conversations. Because these tools are typically only shared between trusted individuals, users tend to treat them as more secure, often ignoring basic security practices that they would normally apply to their email inbox. Because these platforms offer no threat protection or data leak prevention, they are prime targets for insider threats and compromised accounts.


SaaS Account Takeover and Breach Protection

In 2017, online email and other SaaS applications, especially Office 365 and Amazon, overtook financial institutions as the #1 phishing target (26% vs 20%), indicating a focus on enterprise user credentials. The profit is less direct, but the payout is often much higher.

It is impossible to prevent every form of credential loss. While many account breaches might be preceded by an email, it is possible for an attacker to gain credentials from a number of sources like an external password database breach, a keylogger or a well-placed phone call. An attacker might connect with the proper password on the first try.

The efficacy of any breach detection technology is directly related to the amount of event data it has available, the timeliness of that data and the tools it can use to respond to a breach.

Login-to-login, SaaS-to-SaaS Event Information

The Avanan platform connects to each protected SaaS via API, capturing a wealth of user information:

- Every failed and successful login including geography, client metrics and device information,
- Every user event from login to logout: upload, download, permission or file change,
- Every account configuration change, forwarding rule, administrative updates,
- Every non-user connection: SaaS (API), app, external account connection (POP, IMAP, app password login), etc.
- The content of every document and email (including internal and outbound), file share or chat.

Some solutions might see a login but not see what happens after the connect. Others might see the document share, but not know the content of the file. A system that monitors email might not know if an outbound attachment is confidential or includes a malicious script. More importantly, a combination of all of these tools may not correlate all of these suspicious behaviors to make an accurate determination of an account breach. Any account takeover solution must capture all these types of information and correlate them for each user and across all of an organization's cloud.
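The per-user correlation described above, sketched as an added example (not Avanan's code or API): login, configuration and non-user connection events are scored against each user's historical baseline and mapped to a response. The event field names, weights, thresholds and action names are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs); field names are hypothetical.
EVENTS = [
    {"ts": "2024-03-01T08:02:00", "user": "alice", "type": "login", "ok": True, "country": "US", "device": "mac-01"},
    {"ts": "2024-03-04T08:05:00", "user": "alice", "type": "login", "ok": True, "country": "US", "device": "mac-01"},
    {"ts": "2024-03-05T03:10:00", "user": "alice", "type": "login", "ok": True, "country": "RO", "device": "unknown"},
    {"ts": "2024-03-05T03:12:00", "user": "alice", "type": "config", "change": "forwarding_rule", "external": True},
    {"ts": "2024-03-05T03:15:00", "user": "alice", "type": "connection", "protocol": "IMAP"},
    {"ts": "2024-03-02T09:00:00", "user": "bob", "type": "login", "ok": True, "country": "DE", "device": "pc-07"},
    {"ts": "2024-03-05T09:01:00", "user": "bob", "type": "login", "ok": True, "country": "FR", "device": "pc-07"},
]
BASELINE_END = datetime(2024, 3, 5)  # events before this build the per-user history
WINDOW = timedelta(hours=1)          # signals are summed within this span (assumed)

def signals(event, known):
    """Return the (name, weight) indicators one event contributes."""
    out = []
    if event["type"] == "login" and event["ok"]:
        if event["country"] not in known["country"]:
            out.append(("new_country", 2))
        if event["device"] not in known["device"]:
            out.append(("new_device", 1))
    elif event["type"] == "config" and event.get("external"):
        out.append(("external_" + event["change"], 3))
    elif event["type"] == "connection" and event["protocol"] in ("POP", "IMAP"):
        out.append(("legacy_protocol", 1))
    return out

def correlate(events, baseline_end=BASELINE_END, window=WINDOW):
    """Score each user's post-baseline events and choose a response."""
    known = defaultdict(lambda: {"country": set(), "device": set()})
    hits = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        if ts < baseline_end:
            # Historical events only teach the baseline; they are not scored.
            if e["type"] == "login" and e["ok"]:
                known[e["user"]]["country"].add(e["country"])
                known[e["user"]]["device"].add(e["device"])
            continue
        for name, weight in signals(e, known[e["user"]]):
            hits[e["user"]].append((ts, name, weight))
    verdicts = {}
    for user, found in hits.items():
        start = found[0][0]  # window is anchored at the first signal (simplification)
        inside = [(n, w) for ts, n, w in found if ts - start <= window]
        score = sum(w for _, w in inside)
        # A single weak signal asks the user to validate; a correlated set forces re-auth.
        action = ("force_secondary_auth" if score >= 5
                  else "ask_user_to_validate" if score >= 2 else "none")
        verdicts[user] = {"score": score, "signals": [n for n, _ in inside], "action": action}
    return verdicts
```

In the sample, bob's login from a new country on a known device only triggers validation, while alice's new-location login followed within minutes by an external forwarding rule and an IMAP connection crosses the re-authentication threshold.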

Real-time Data, Real-time Decisions

Breach detection requires comprehensive information. How that information is gathered can determine the time to detection. Syslog/ICAP/OpSec feeds each have their own inherent latencies. Avanan has partnered with each SaaS vendor to enhance and optimize the platform's API connectivity to capture real-time, event-based information.


Real-time Analysis Leads to Real-time Response

Avanan's event correlation engine combines current and historical events from each SaaS as well as analysis from the suite of security tools to identify all the signs of a compromised account. Unlike uni-directional event feeds, API-connectivity makes it possible to take immediate action in response to an account breach, for example disconnecting users and forcing secondary authentication.

Sometimes a single event is enough to make a decision. Often, suspicious activity can only be identified over time. Where a user's suspicious behavior might indicate a threat, Avanan's API interactivity makes it possible to interact with the user or the administrator to validate the activity. This provides a middle ground between security and business continuity.

Conclusion

Avanan Offers the Email Security a CASB Requires

The CASB industry is tasked with defending the enterprise cloud against data loss, malicious files and direct hacker attacks. When comparing cloud security products, it is important to match the technology against the most likely security threats.

The Avanan Cloud Security Platform offers a complete CASB solution. It offers the visibility, data security, threat protection and compliance requirements to protect enterprise SaaS and IaaS environments and the enhanced-API "virtual inline" technology offers detection and enforcement controls without the need for an inline proxy.

Because an API-based CASB captures more information about each user, file, configuration and history, it can offer better anti-phishing and breach detection than is possible with the limited visibility of a mail gateway or event-log analyzer. By including these features in its cloud security platform, Avanan addresses the #1 attack vector and #1 attack target: email phishing and cloud account takeover.

Start a Free Trial of Avanan Today: www.avanan.com/trial