About Shadow IT Anomalies
The following are the anomalies tracked for Shadow IT Services. They should not be confused with the three Sanctioned IT Service anomaly categories: Access Anomalies, Administration Anomalies, and Data Anomalies.
Data Transfer Anomaly
The Data Transfer Anomaly monitors all data transferred by the user in every action. Each event from the logs is compared to pre-defined thresholds and an anomaly is generated if the data transfer exceeds the threshold.
Multiple anomalies observed for the same user, cloud service, and user-action (download or upload) combination within a short period (typically two hours) are collapsed into one anomaly. The count and risk score of the collapsed anomaly are then adjusted accordingly. Anomalies are generated for upload and download separately.
This anomaly threshold can be adjusted.
Service Category-based Data Transfer Anomaly
All cloud services in the Skyhigh CASB Registry are characterized (based on the features and use cases that the cloud service addresses) into an appropriate Service Category. Service Category-based Data Transfer Anomalies are generated when cloud service-specific thresholds are not available (typically due to lack of sufficient historical data) or when the observed user-action exceeds data transfer thresholds specified at the Service Category level.
This anomaly threshold can be adjusted.
MIME Type Anomaly
MIME Type captures the nature of the content or file that is associated with a data transfer. Using domain knowledge and historical data, accepted data transfer associated with specific MIME types has been identified along with appropriate anomaly thresholds. MIME Type Data Transfer Anomalies are generated when the observed user-action exceeds data transfer thresholds specified for the MIME type associated with the observed user-action.
This anomaly threshold can be adjusted.
IMPORTANT: You can't adjust the threshold for a MIME Type anomaly that was created before Skyhigh CASB 5.5.1 (Sept. 23, 2021). To adjust the threshold for an anomaly created before this date, contact Support.
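The three data transfer anomalies above share one evaluation shape: look up a byte threshold for the event (service-specific first, Service Category when no service-specific threshold exists, and MIME type independently), flag the event if it exceeds the threshold, then collapse repeats for the same user, service and action within a short window. The following is an added illustration of that logic, not Skyhigh CASB code; the threshold values, the risk scale (start at 5, add 1 per collapsed event, cap at 10), the two-hour window measured from the anomaly's first event, the service names and the sample events are all constructed for the example.

```python
from datetime import datetime, timedelta

MB = 1024 * 1024

# Constructed thresholds in bytes. The product's real values are not on the page;
# these exist only so the example runs.
SERVICE_THRESHOLDS = {            # (service, action) -> bytes; service-specific
    ("box.example", "upload"): 50 * MB,
}
CATEGORY_THRESHOLDS = {           # (category, action) -> bytes; used as the fallback
    ("cloud_storage", "upload"): 200 * MB,
    ("cloud_storage", "download"): 500 * MB,
}
MIME_THRESHOLDS = {               # (mime_type, action) -> bytes
    ("application/zip", "upload"): 20 * MB,
}
SERVICE_CATEGORY = {              # stands in for the Registry's category lookup
    "box.example": "cloud_storage",
    "newshare.example": "cloud_storage",
}
COLLAPSE_WINDOW = timedelta(hours=2)   # "typically two hours" per the page
BASE_RISK, MAX_RISK = 5, 10            # constructed risk scale


def classify(event):
    """Return the anomaly kinds a single event triggers (possibly none)."""
    kinds = []
    svc_key = (event["service"], event["action"])
    if svc_key in SERVICE_THRESHOLDS:
        # A service-specific threshold exists, so it is authoritative.
        if event["bytes"] > SERVICE_THRESHOLDS[svc_key]:
            kinds.append("data_transfer")
    else:
        # No service-specific threshold: fall back to the Service Category level.
        cat_key = (SERVICE_CATEGORY.get(event["service"]), event["action"])
        if cat_key in CATEGORY_THRESHOLDS and event["bytes"] > CATEGORY_THRESHOLDS[cat_key]:
            kinds.append("category_data_transfer")
    # The MIME type check is evaluated independently of the two checks above.
    mime_key = (event.get("mime"), event["action"])
    if mime_key in MIME_THRESHOLDS and event["bytes"] > MIME_THRESHOLDS[mime_key]:
        kinds.append("mime_data_transfer")
    return kinds


def detect(events):
    """Evaluate events in time order. Repeats of the same (user, service, action,
    kind) within COLLAPSE_WINDOW of an anomaly's first event are folded into it,
    raising its count, total bytes and risk score instead of opening a new one."""
    anomalies = []
    open_anomalies = {}   # key -> the most recent anomaly record for that key
    for ev in sorted(events, key=lambda e: e["ts"]):
        for kind in classify(ev):
            key = (ev["user"], ev["service"], ev["action"], kind)
            cur = open_anomalies.get(key)
            if cur is not None and ev["ts"] - cur["first_ts"] <= COLLAPSE_WINDOW:
                cur["count"] += 1
                cur["bytes"] += ev["bytes"]
                cur["last_ts"] = ev["ts"]
                cur["risk"] = min(MAX_RISK, cur["risk"] + 1)
            else:
                cur = {"user": ev["user"], "service": ev["service"], "action": ev["action"],
                       "kind": kind, "count": 1, "bytes": ev["bytes"],
                       "first_ts": ev["ts"], "last_ts": ev["ts"], "risk": BASE_RISK}
                open_anomalies[key] = cur
                anomalies.append(cur)
    return anomalies


# Constructed sample events (not real log data).
T0 = datetime(2021, 9, 23, 9, 0)
SAMPLE_EVENTS = [
    # alice: 60 MB upload exceeds the 50 MB service-specific threshold
    {"user": "alice", "service": "box.example", "action": "upload",
     "mime": "application/pdf", "bytes": 60 * MB, "ts": T0},
    # alice: 30 minutes later, another oversize upload -> collapsed into the first anomaly
    {"user": "alice", "service": "box.example", "action": "upload",
     "mime": "application/pdf", "bytes": 70 * MB, "ts": T0 + timedelta(minutes=30)},
    # alice: three hours after the first event -> outside the window, new anomaly
    {"user": "alice", "service": "box.example", "action": "upload",
     "mime": "application/pdf", "bytes": 55 * MB, "ts": T0 + timedelta(hours=3)},
    # bob: no service-specific threshold for newshare.example -> Service Category
    # fallback fires (250 MB > 200 MB) and the zip MIME threshold fires as well
    {"user": "bob", "service": "newshare.example", "action": "upload",
     "mime": "application/zip", "bytes": 250 * MB, "ts": T0},
    # carol: 10 MB download is under every applicable threshold -> nothing
    {"user": "carol", "service": "box.example", "action": "download",
     "mime": "image/png", "bytes": 10 * MB, "ts": T0},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a["user"], a["service"], a["action"], a["kind"],
              "count=%d bytes=%dMB risk=%d" % (a["count"], a["bytes"] // MB, a["risk"]))
```

Running the block yields four anomalies: two for alice (the first with count 2, 130 MB and risk 6; the second opened by the event three hours later), and one each of the category and MIME kinds for bob. Upload and download are separate keys throughout, matching the page's note that the two directions never collapse into one anomaly.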
Service Access Count Anomaly
To generate a Service Access Count Anomaly, the total number of times that a user accesses a particular cloud service over 24 hours (in one calendar date) is compared to pre-defined thresholds. If the total access count exceeds the thresholds, an anomaly is generated.
This anomaly threshold can be adjusted.
Repeat Offender Anomaly
The Repeat Offender Anomaly is generated by users who trigger repeated denials across cloud storage providers. This "service knocking" is the modern-day equivalent of "port knocking", an older hacking technique used to determine which ports were open and vulnerable on a firewall. Similarly, service knocking allows an attacker to discover which cloud services are open outbound on a proxy or firewall to exfiltrate data.
Skyhigh CASB identifies these repeated data exfiltration attempts. Currently, we review the past seven days to identify the number of unique cloud storage service denials for a user. The count of denials is compared to a pre-defined threshold and an anomaly is generated if the total number of denials exceeds the threshold.
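The Service Access Count and Repeat Offender anomalies use two different kinds of window, and the difference matters for detection engineering: access counts are bucketed by calendar date (so accesses a few minutes apart can land in separate buckets across midnight), while the repeat offender check is a trailing seven-day window that counts distinct cloud storage services, not individual denials. The following is an added illustration of both, not Skyhigh CASB code; the thresholds, the set of services treated as cloud storage, the user and service names, and the sample events are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed thresholds; the product's real values are not on the page.
ACCESS_COUNT_THRESHOLD = 100   # accesses to one service by one user on one calendar date
DENIAL_THRESHOLD = 3           # distinct cloud storage services denied within the lookback
LOOKBACK = timedelta(days=7)   # "the past seven days" per the page
CLOUD_STORAGE = {"box.example", "dropbox.example", "drive.example",   # constructed
                 "mega.example", "share.example"}                      # category membership


def access_count_anomalies(events):
    """Service Access Count: bucket accesses by (user, service, calendar date) and
    return the buckets whose count exceeds the threshold."""
    counts = defaultdict(int)
    for ev in events:
        counts[(ev["user"], ev["service"], ev["ts"].date())] += 1
    return {key: n for key, n in counts.items() if n > ACCESS_COUNT_THRESHOLD}


def repeat_offender_anomalies(events, now):
    """Repeat Offender: per user, the set of distinct cloud storage services that
    denied them within the trailing window. Repeated denials at one service count
    once; denials at services outside the cloud storage category are ignored."""
    denied = defaultdict(set)
    for ev in events:
        if ev["status"] != "denied" or ev["service"] not in CLOUD_STORAGE:
            continue
        if now - ev["ts"] > LOOKBACK:
            continue
        denied[ev["user"]].add(ev["service"])
    return {user: sorted(svcs) for user, svcs in denied.items() if len(svcs) > DENIAL_THRESHOLD}


def make_event(user, service, status, ts):
    return {"user": user, "service": service, "status": status, "ts": ts}


# Constructed sample events (not real log data).
NOW = datetime(2021, 9, 30, 12, 0)
STORAGE_SERVICES = ["dropbox.example", "drive.example", "mega.example", "share.example"]
SAMPLE_EVENTS = []
# dave: 120 allowed accesses between 08:00 and 09:59 on 2021-09-29 -> over 100 on one date
SAMPLE_EVENTS += [make_event("dave", "box.example", "allowed",
                             datetime(2021, 9, 29, 8, 0) + timedelta(minutes=i)) for i in range(120)]
# dave: 60 more starting at 00:05 on 2021-09-30 -> separate date bucket, stays under threshold
SAMPLE_EVENTS += [make_event("dave", "box.example", "allowed",
                             datetime(2021, 9, 30, 0, 5) + timedelta(minutes=i)) for i in range(60)]
# erin: denied at four distinct storage services over the last four days, plus five
# repeat denials at one of them (repeats do not raise the distinct-service count)
SAMPLE_EVENTS += [make_event("erin", svc, "denied", NOW - timedelta(days=i))
                  for i, svc in enumerate(STORAGE_SERVICES)]
SAMPLE_EVENTS += [make_event("erin", "dropbox.example", "denied", NOW - timedelta(hours=i))
                  for i in range(5)]
# frank: four denials, but only the ones 0 and 4 days ago fall inside the seven-day window
SAMPLE_EVENTS += [make_event("frank", svc, "denied", NOW - timedelta(days=4 * i))
                  for i, svc in enumerate(STORAGE_SERVICES)]
# grace: four denials at services outside the cloud storage category -> not counted
SAMPLE_EVENTS += [make_event("grace", svc, "denied", NOW)
                  for svc in ["chat-a.example", "chat-b.example", "chat-c.example", "chat-d.example"]]

if __name__ == "__main__":
    for (user, service, day), n in access_count_anomalies(SAMPLE_EVENTS).items():
        print("access count:", user, service, day, n)
    for user, svcs in repeat_offender_anomalies(SAMPLE_EVENTS, NOW).items():
        print("repeat offender:", user, svcs)
```

With the constructed input, only dave's 2021-09-29 bucket exceeds the access count threshold (his post-midnight accesses form a second, smaller bucket), and only erin exceeds the repeat offender threshold: frank has two distinct denials inside the window and grace's denials are at services outside the cloud storage category.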