Understanding the results of cloud app analysis

Technical Library | Support

Go to the table of contents

Go to the previous page

You are at the end of the document

View or print as PDF

Using RiskVision to Investigate Cloud App Use : Understanding the results of cloud app analysis

Understanding the results of cloud app analysis

Investigate Cloud App Use | TRITON RiskVision | 01-June-2016

When a transaction is analyzed, the Cloud Apps Plugin:

1.

Identifies transactions that include communication with a known cloud app (like Salesforce or Dropbox)

This identification takes into account both the URL and the IP address of the site that was accessed.

2.

Reports the risk level (from low to high) associated with the cloud app

The risk level is based on several risk factors, described in What risk factors does cloud app analysis look for?.

3.

If the risk level associated with the app is high enough, reports a threat score

The threat score is used in conjunction with results from other plugins to assign an overall threat level (suspicious, malicious) to the incident.

If the Cloud Apps Plugin returns a threat score that exceeds a minimum threshold, the transaction is flagged as an incident and recorded.

If no malware activity or data loss was found, the incident does not appear in the Transaction Viewer by default.

Mark Show hidden incidents to see these records.

If both cloud app analysis and another type of analysis determine that an incident occurred, the incident is displayed in the Transaction Viewer by default.

Information about low risk cloud apps (those below the threshold for creating an incident) appears in the Transaction Viewer only when both of the following are true:

1.

An incident is created based on, for example, content analysis or data analysis.

2.

The transaction includes communication with a known cloud app that is classified as low risk.

Only the cloud app name (shown in the Cloud App column) and risk level (Shown in the Cloud App Risk column) are displayed in the Transaction Viewer table, but additional information is available in the Details pane. See How do I find out more about the cloud app associated with an incident? for more information.

How do I find out more about the cloud app associated with an incident?

To find more information about the cloud app associated with an incident, and to find out more about the risk level assigned to the cloud app:

1.

Select an incident in the Transaction Viewer that includes cloud app data.

2.

Click View Details.

3.

In the Details pane, select the Cloud App tab.

The Cloud App tab lists information about the app provider, as well as a list of risk factors associated with the site.

For each risk factor described, an icon indicates whether it reduces risk (green circle) or increases risk (yellow triangle).

Because different risk factors carry different weights, a cloud app may be attributed medium or high risk, even when it has more risk-reducing factors than risk-increasing factors. This reflects the relative severity of the risk-increasing factors.

See What risk factors does cloud app analysis look for? for a list of all of the risk factors that cloud app analysis considers.

What risk factors does cloud app analysis look for?

The risk factors considered when rating a cloud app include whether the app supports:

Content posting

Content sharing with users who do not have accounts within the application

File or content sharing with a group of users (applies, for example, to storage services and social apps)

Sharing data as a direct link

The ability to immediately revoke access for internal or external users

The ability for users to track their own usage history

The ability for a third-party (like an employer) to track a user's usage history

The ability for users to determine who accessed a particular object

Two-factor authentication

An applicative permission model (role-based permissions)

Access restriction to specific endpoint devices, verified by certificate or other method

The ability of users to save (remember) the app password on their endpoint device

Additional risk factors include:

Who owns uploaded data

What happens to a user's data in the app when the account is terminated

The forms of authentication supported by the app provider

Whether the app encrypts user data at rest

Whether the company providing the app complies with the ISO 27001 standard

Whether the company providing the app complies with the PCI DSS standard

Whether the company providing the app complies with the HIPAA standard

Whether the company providing the app complies with the SSAE-16 standard

Whether the company providing the app complies with the SOC-1 standard

Whether the company providing the app complies with the SOC-2 standard

Whether the company providing the app complies with the ISAE-3402 standard

Go to the table of contents

Go to the previous page

You are at the end of the document

View or print as PDF

Using RiskVision to Investigate Cloud App Use : Understanding the results of cloud app analysis

Copyright 2016 Forcepoint LLC. All rights reserved.