Threat Types
Skyhigh CASB protects against the following specific threat types.
Threat Name | Description |
---|---|
Compromised Account Threats | Compromised Account threats are made up of anomalies that point toward the loss of credentials for an account, potentially enabling access for people who are not authorized to access this data. These threats heavily suggest that a third party has gained access to your Sanctioned Cloud Services and may have access to your data. |
The following threats are part of the Compromised Account Threats category: | |
Excessive Usage from Anomalous Location | Unusual behavior following a login from a location that has not been previously detected. A user has logged in from a location anomalous to the user's normal behavior and the enterprise, followed by large data access and/or privileged access activity. This activity indicates a threat to the identity of the user's account and data exfiltration using that account. |
Land Expand Exfilterate | Unusual behavior following activity strongly indicates an attack on the user’s accounts has been launched, which manipulates the series of actions performed within the account. And subsequently, expands the access to valuable information through weakly configured or protected interfaces and exfiltrates that data from the user’s account to the attacker’s own storage location. This Threat category identifies and remediates these activities. |
Insider Threats | Insider Threats are made up of anomalies that point toward an internal enterprise bad actor accessing and exporting very large amounts of data. |
The following threats are part of the Insider Threats category: | |
High-Risk Data Exfiltration | The user has accessed or downloaded a very large volume of data within a short span of time. This is severe for two reasons, one, such a large volume of data has never been accessed by any of the enterprise users before now. Two, data volume is high even when referenced to a large pool of users (from multiple enterprises) accessing this cloud service |
Insider Data Exfiltration | The user has been accessing excessive volumes of data through multiple modalities (such as reports, contacts, etc.) and multiple actions (such as view, download, etc.), all at the same time and all of which are anomalous compared to the user's normal behavior. |
Privileged Access Threats | Privileged Access threats represent anomalies generated by users with additional privileges, such as administrators or users who otherwise have greater access within the Cloud Service. These users have the ability to access restricted files, add or edit users or compromise existing security controls. Many of these threats are comprised of anomalies that would not otherwise trigger a threat if they were generated by a user without this level of access. |
The following threats are part of the Privileged Access Threats category: | |
Privilege Access Misuse | Unusual behavior by users with administrative access. While this threat may represent behavior that would be suspicious by any user, it is called out separately because of the additional access available to the user. The user has been associated with an excessive number of administrative activities across multiple actions within a short span of time and all of which are anomalous compared to the user's normal behavior |
Privilege Access Exfiltration | This threat represents unusual download activity performed by a user with advanced privileges. Because privileged users often have unrestricted access to files, anomalous download behavior by privileged users carries with it an additional risk that may not be present from a standard user. The user has been associated with administrative activity and has been observed to access or download a large volume of data. This is severe for two reasons, one, such a large volume of data has never been accessed by any of the enterprise users before now. Two, data volume is high even when referenced to a large pool of users (from multiple enterprises) accessing this cloud service. |