Save CASB Evidence
NOTE: Limited Availability: To access the Save CASB Evidence feature, you require an additional entitlement. Contact Skyhigh Support or your account manager for assistance.
Secure Evidence Management for CASB Incidents
Problem: Imagine a scenario where your organization receives a high-severity Data Loss Prevention (DLP) alert for a CASB incident, immediately triggering an investigation. However, by the time security teams can respond, the original content associated with the alert has been modified, moved, or even deleted, complicating incident response. To effectively understand and remediate such DLP incidents, SOCs spend countless hours reconstructing context through interviews, log reviews, and manual data correlation. This strains valuable security resources and delays remediation, potentially exposing the organization to ongoing risk.
Solution: To avoid such complications, Skyhigh now provides a comprehensive system for the secure storage and efficient management of evidence related to CASB incidents. When a CASB policy is triggered, the system automatically captures, encrypts, and securely stores the relevant files. This ensures that critical evidence is preserved instantly and remains protected from unauthorized access or tampering from the moment a violation occurs.
Overview of DLP Evidence
DLP evidence is a copy of the compromised content that violates a CASB policy detected during the policy evaluation. This copy of compromised content is linked to the relevant incident and saved in your data storage, enabling further forensic analysis of generated incidents.
DLP Evidence File Size Limits
Skyhigh allows you to save evidence files up to a maximum size of 250 MB for CASB incidents. This enables you to review large evidence related to potential data breaches, conduct in-depth analysis, and resolve incidents effectively. For details on the contents of CASB evidence, see the CASB Evidence Contents section.
Getting Started
Follow these steps to get started with the Save Evidence feature:
- Configure your own data storage provider to store your evidence files. Currently, you can store your CASB evidence files on Amazon Web Services (AWS S3) or Microsoft Azure. For details on setting up storage, see Data Storage.
- Create a Sanctioned DLP or CASB Policy with a Classification rule and select Save Evidence as the response. For details, see Configure Save Evidence for Sanctioned DLP/CASB Policy.
NOTE: You can save evidence for Sanctioned DLP/CASB policy incidents only when the DLP policy is configured solely with the Classification-based rules.
- Download the saved evidence files linked to Sanctioned DLP/CASB incidents in one of two ways:
- Sanctioned DLP Policy Incident Cloud Card: Download evidence files linked to DLP incidents individually from the Sanctioned DLP Policy Incident Cloud Card on the Policy Incidents page. For details, see Download Sanctioned DLP/ CASB Evidence.
- API: Download evidence files associated with DLP incidents via API. You can also download all the evidence files for DLP incidents in bulk via API. For details, see Retrieve Evidence API.
How does it work?
When you create a classification-based rule in a CASB Policy, you can set an additional response named Save Evidence. When the CASB Policy is violated, the Save Evidence response is triggered and evidence files are saved on the generated incidents. Your own data storage provider must be configured to store the evidence files. If a DLP policy is deleted, the CASB evidence files saved for its incidents are unaffected: a backup of each evidence file is retained in the data storage provider (AWS or Azure). You can use the Sanctioned DLP Incident Cloud Card to download those evidence files from the data storage provider. The data stored in the provider is encrypted; to decrypt it, the user should do one of the following:
- Download evidence files linked to DLP incidents individually from the Sanctioned DLP Policy Incident Cloud Card on the Policy Incidents page. For details, see Download CASB or Sanctioned DLP Evidence.
- Download evidence files linked to DLP incidents via API. You can also download all the evidence files for DLP incidents in bulk via API. For details, see Retrieve Evidence API.
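The following is an added example, not Skyhigh's implementation, that illustrates the evidence-preservation idea described above: at detection time a private snapshot of the content is taken, hashed, and recorded in a manifest sealed with an HMAC, so that a later reviewer can tell whether the stored object still matches what was captured, even after the original file has been edited. The in-memory EvidenceStore, the seal key, the manifest layout and the storage key format are all assumptions; the encryption-at-rest step the documentation attributes to the data storage provider is left to that layer and not shown here. The 250 MB limit is the one the documentation states.

```python
import hashlib
import hmac
import json
import time
from dataclasses import dataclass, asdict
from typing import Dict, Optional, Tuple

# Size limit the documentation states for CASB evidence files.
MAX_EVIDENCE_BYTES = 250 * 1024 * 1024


def within_size_limit(size_bytes: int, limit: int = MAX_EVIDENCE_BYTES) -> bool:
    """Files above the limit are not saved to the data storage provider."""
    return 0 <= size_bytes <= limit


@dataclass(frozen=True)
class EvidenceRecord:
    incident_id: str
    policy_name: str
    captured_at: float  # epoch seconds at point of detection
    size_bytes: int
    sha256: str         # digest of the content as captured
    storage_key: str    # object key in the (hypothetical) evidence bucket


class EvidenceStore:
    """Hypothetical evidence store: a stand-in for an S3/Azure bucket plus a sealed manifest.

    Sealing the manifest with an HMAC (key held by the SOC, not by the storage tenant)
    lets a reviewer detect a swapped or edited evidence object later.
    """

    def __init__(self, seal_key: bytes, limit: int = MAX_EVIDENCE_BYTES) -> None:
        self._seal_key = seal_key
        self._limit = limit
        self._blobs: Dict[str, bytes] = {}
        self._manifests: Dict[str, Tuple[bytes, str]] = {}

    def _seal(self, manifest: bytes) -> str:
        return hmac.new(self._seal_key, manifest, hashlib.sha256).hexdigest()

    def save_evidence(self, incident_id: str, policy_name: str,
                      content: bytes) -> Optional[EvidenceRecord]:
        """Snapshot `content` at detection time; returns None if the size limit is exceeded."""
        if not within_size_limit(len(content), self._limit):
            return None
        snapshot = bytes(content)  # private copy: later edits to the source never reach the store
        digest = hashlib.sha256(snapshot).hexdigest()
        record = EvidenceRecord(
            incident_id=incident_id,
            policy_name=policy_name,
            captured_at=time.time(),
            size_bytes=len(snapshot),
            sha256=digest,
            storage_key=f"evidence/{incident_id}/{digest}",
        )
        manifest = json.dumps(asdict(record), sort_keys=True).encode()
        self._blobs[record.storage_key] = snapshot
        self._manifests[incident_id] = (manifest, self._seal(manifest))
        return record

    def verify_evidence(self, incident_id: str) -> bool:
        """True only if the manifest seal and the stored object's digest both still match."""
        entry = self._manifests.get(incident_id)
        if entry is None:
            return False
        manifest, seal = entry
        if not hmac.compare_digest(seal, self._seal(manifest)):
            return False  # manifest itself was edited (e.g. hash or key swapped)
        record = json.loads(manifest)
        blob = self._blobs.get(record["storage_key"])
        if blob is None or len(blob) != record["size_bytes"]:
            return False
        return hmac.compare_digest(hashlib.sha256(blob).hexdigest(), record["sha256"])

    def overwrite_blob_for_test(self, storage_key: str, data: bytes) -> None:
        """Simulates an object being altered at the provider; exists only to exercise verify_evidence."""
        self._blobs[storage_key] = data


def demo() -> dict:
    """Constructed walk-through: capture, then mutate the source, then tamper with the stored object."""
    store = EvidenceStore(seal_key=b"constructed-seal-key", limit=1024)  # small limit for the demo
    source = bytearray(b"Customer SSN 123-45-6789 leaked in upload")  # constructed sample content
    record = store.save_evidence("INC-0001", "PII-Classification", bytes(source))
    source[:8] = b"REDACTED"  # the original is modified after the alert, as in the problem statement
    intact_after_source_edit = store.verify_evidence("INC-0001")
    store.overwrite_blob_for_test(record.storage_key, b"nothing to see here")
    detected_tamper = not store.verify_evidence("INC-0001")
    oversized_rejected = store.save_evidence("INC-0002", "PII-Classification", b"x" * 2048) is None
    return {
        "intact_after_source_edit": intact_after_source_edit,
        "detected_tamper": detected_tamper,
        "oversized_rejected": oversized_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the sealed manifest is separation of duties: whoever can write to the evidence bucket should not also hold the seal key, otherwise a tampered object could be re-signed to match. Verifying on download, before an analyst opens the file, is where this check belongs in an investigation workflow.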
CASB Evidence Contents
CASB evidence covers various file types that are stored in your data storage provider (such as AWS and Azure) and are linked to specific DLP incidents. This evidence is crucial for understanding and investigating potential data loss events in sanctioned services. It represents the exact information at the point of detection, providing an unaltered snapshot of the possible data breach. It includes the following file types:
- Source Files. These files contain the complete, raw, unmodified data processed by the DLP classification engine.
- Each source file is designed to include intricate headers and encoded content, making it potentially unreadable by humans, but it serves as an accurate and comprehensive record of the transferred data. This unreadable format is a security feature, protecting sensitive information from casual viewing while preserving its integrity for forensic analysis.
- Files larger than 250 MB are not saved to your data storage provider.
