Compromised Accounts and the Netskope Active Platform

April 14, 2015 Jamie Barnett

Today we released our Cloud Report for this quarter – global  and Europe, Middle East and Africa versions. The industry’s only report that examines active cloud usage rather than static log data, its goal is to highlight what’s happening in the cloud right now, where organizations’ real risks lie, and help IT and security professionals know where to focus their attention.

This report builds on January’s in which we highlighted research on compromised user accounts. In it, we estimated based on our research that 15 percent of enterprise users have had their credentials stolen in a prior data breach. This quarter, we report that that number is 13.6 percent, and that those breaches have almost always occurred outside of users’ workplaces.

We now have this capability available in the Netskope Active Platform. Unlike other solutions that may offer static data about how many compromised accounts are in the customer environment, the Netskope Active Platform lets users understand how those accounts are acting in their own cloud environment. Here’s a view of our Risk Dashboard, in which we’ve included an organization’s compromised accounts and what those accounts’ access looks like for top-used apps. Shortly we will provide the ability for admins to take action to remediate these accounts in a few short steps.

Where the “active” – and the data science – part comes in is the ability to truly understand what users are doing, where, and with all of the rich context that’s available in the Netskope Active Platform. In the report, we share a couple of statistics about these accounts based on aggregate, anonymized analysis. One key finding is that 23.6 percent of cloud Customer Relationship Management (CRM) logins are by users who have had their accounts (personal or corporate) compromised in a prior major data breach. Another is that 70 percent of data uploads by such users are to apps that are rated “poor,” as compared with 30 percent for an average user. These kinds of queries will provide significant insight into where organizations’ primary cloud risks lie, and provide admins the ability to take action, such as increase authentication with a short-term token or look for failed logins and blacklist offending IP addresses.

The above findings from this Cloud Report are just a couple of examples to show what’s possible, but imagine for your own environment if you could pinpoint the following types of insights and then take action to remediate:

  • All data policy-violating uploads (for your key DLP profiles) by users with compromised accounts (to identify data exfiltration, possibly associated with a breach)
  • All apps that have SSO hooks that are being accessed by users with compromised accounts (to identify apps that you should bring into your SSO fold)
  • All downloads from risky apps to users with compromised credentials (to identify potential malware activity)

These few examples are certainly not exhaustive, but they highlight the importance of understanding not just how many users with compromised accounts you have in your environment, but also how those users are interacting with your cloud apps and business-critical data.

About the Author

Jamie Barnett

From her experience in various management roles at Zenprise, Citrix, McAfee, RSA Security and InfoArmor, Jamie Barnett brings more than 15 years of experience to Netskope as the chief marketing officer. Coffee notes: Jamie fuels her relentless energy with Peet’s House Blend.

Follow on Twitter
Previous Article
RSA Conference 2015: How would you explain Shadow your mother?
RSA Conference 2015: How would you explain Shadow your mother?

RSA Conference 2015: How would you explain Shadow your mother?

Next Article
Movie Line Monday Rewind: Mobile + Cloud = BFF's
Movie Line Monday Rewind: Mobile + Cloud = BFF's

“How can a mobile phone have an agenda and kill people?” - Aldous Snow...

Gartner Magic Quadrant for Cloud Access Security Broker

Get Your Copy