24/7 Monitoring is Critical to Comprehensive SaaS Risk Management

Looking at the current CASB landscape you will see that the focus of many vendors  is around visibility and control of SaaS usage within the enterprise. These tools are designed to mitigate the risk of SaaS activity by the employees. It’s about data loss prevention.

As more and more employees start to use SaaS applications that are both sanctioned and unsanctioned by the enterprise security teams, the risk associated with data loss increases. There is great need to both understand what data is being transferred and by whom, and also be able to control the data being transferred. I will discuss the control aspect in a different blog. The focus of this post is the visibility aspect of SaaS usage.

To be able to provide visibility into SaaS usage, one would have to look at the actual outbound and inbound traffic within the organization. The meta data linked to this traffic should include items such as destination SaaS application name and URL, size of data, type of data. It also needs to provide information regarding the payload content itself. (Because to manage risky activity one needs to have visibility into the content as well.)

Most CASB solutions take a snapshot of this traffic and provide a risk assessment based on that moment in time. They require logging to be turned on at the firewall or switch level and then provide an analysis of that log for that time period. But as we well know, enabling logging on these devices is very resource intensive and it’s not something that can be done in production for long periods of time. So any risk that is gathered by looking at the data in that snapshot of time has to be assessed statically.

In my previous post I spoke about different types of risk, and static risk is only part of a comprehensive risk assessment strategy for SaaS usage in the enterprise. To review, static risk for SaaS usage only pertains to the SaaS application itself, and not to the usage aspect of that SaaS application. These could include items such as security certification, encryption of persistent data, regulatory compliance, etc.

Log analysis will provide static assessment of risk, but to have a comprehensive risk strategy the solution will also need to provide an assessment of behavioral (dynamic) risk. To review, behavioral risk is calculated based on specific type of behavior of user’s usage of the different SaaS applications. For example, a file sharing SaaS application might score very well in the static risk category but since any user can transfer any type of data to these applications the behavioral risk could be higher at any given point in time. Behavioral risk gives the security team insight into the data. Since SaaS usage risk mitigation is about data loss prevention looking insight into the data is will be absolutely necessary. Therefore, behavioral risk has to be included in any risk management strategy for SaaS usage.

To calculate behavioral risk at any moment in time one needs to have visibility into traffic not just for a moment in time but continuously. This essentially means 24/7 visibility into traffic. 24/7 visibility has to be passive and not increase the load on any of the devices in the organization. That is precisely why continuous log analysis will not work for dynamic risk assessment. It puts too much unnecessary load on a device such as a firewall or a switch. Some firewall vendors to provide continuous logging but at an additional, notoriously high, cost.

The best solutions to behavioral risk management use packet analysis to provide visibility into traffic. Port mirroring is available in most devices and it comes at a very low resource cost. It’s very passive and it can provide visibility into both the header but also the full payload. Therefore it is an ideal solution for assessing behavioral risk.

Many of these commercial firewall also provide decryption capabilities, which is critical for assessing risk within the payload of traffic. At any point in time, it can provide historic reporting and alerting capabilities for dynamic SaaS usage risk mitigation.

Deep packet inspection of traffic can also provide meta data around SSL communication (both handshake and certificate verification) in addition to payload size and content information.

Please take a look at www.managedmethods.com for more information on SaaS access risk mitigation solutions using deep packet inspection.