To identify suspicious user and entity behavior in corporate SaaS
platforms, including third-party cloud applications, security teams must
sift through billions of user activities to define normal patterns of
user behavior in their organization's environment. They must look for
anomalies that fall outside those expected patterns. Then they need to
correlate suspicious activities to determine what might be a true threat
that requires investigation.
An example of suspicious activity is excessive login activity from several
countries in a short period.
Say that normal user behavior in a certain organization is for employees
to log in to a specific application from no more than one or two
countries per week. If one user starts logging in to that application
from 68 countries over the course of one week, a security team will want
to investigate that activity to confirm that it is legitimate.
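To make the baseline-versus-anomaly logic concrete, the following is an added example (not code from the report or its authors) that computes each user's distinct login countries per ISO week from constructed sample events and flags users whose current week exceeds their own historical weekly maximum. The event format, the sample data and the `min_excess` threshold are assumptions for illustration.

```python
from collections import defaultdict
from datetime import date

# Constructed sample events (user, login date, ISO country code); not real telemetry.
# ISO weeks: 2024-03-04..10 = week 10, 03-11..17 = week 11, 03-18..24 = week 12.
SAMPLE_LOGINS = [
    ("alice", "2024-03-04", "US"), ("alice", "2024-03-06", "US"),
    ("alice", "2024-03-12", "US"), ("alice", "2024-03-14", "CA"),
    ("alice", "2024-03-18", "US"),
    ("bob", "2024-03-05", "DE"), ("bob", "2024-03-13", "DE"),
    ("bob", "2024-03-18", "DE"), ("bob", "2024-03-18", "BR"),
    ("bob", "2024-03-19", "NG"), ("bob", "2024-03-19", "VN"),
    ("bob", "2024-03-20", "RU"), ("bob", "2024-03-21", "CN"),
]


def week_key(iso_day):
    """Return the (ISO year, ISO week) bucket for a YYYY-MM-DD date string."""
    year, week, _ = date.fromisoformat(iso_day).isocalendar()
    return (year, week)


def countries_per_week(events):
    """Build user -> {(year, week): set of distinct login countries}."""
    table = defaultdict(lambda: defaultdict(set))
    for user, day, country in events:
        table[user][week_key(day)].add(country)
    return table


def find_anomalies(events, current_week, min_excess=2):
    """Flag users whose distinct-country count in current_week exceeds the
    maximum seen in any of their earlier weeks by at least min_excess.
    The per-user baseline is the 'normal pattern'; the excess is the anomaly."""
    table = countries_per_week(events)
    findings = {}
    for user, weeks in table.items():
        history = [len(c) for wk, c in weeks.items() if wk < current_week]
        baseline = max(history, default=0)
        observed = len(weeks.get(current_week, set()))
        if observed - baseline >= min_excess:
            findings[user] = {"baseline": baseline, "observed": observed}
    return findings


if __name__ == "__main__":
    # alice stays within her 1-2 countries/week; bob jumps from 1 to 6 in week 12.
    print(find_anomalies(SAMPLE_LOGINS, (2024, 12)))
```

In a real pipeline the baseline would be learned over many weeks and the flagged users would feed the correlation step the text describes rather than being treated as confirmed threats.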
According to our analysis, only 1 in 5000 user activities—0.02 percent—that are
associated with connected third-party cloud applications is suspicious.
The challenge for security teams, of course, is pinpointing that one