Compromised Accounts and Cloud Activity
Published 04/23/2015
By Krishna Narayanaswamy, Founder and Chief Scientist, Netskope
Last week, we released our Netskope Cloud Report for this quarter – global as well as Europe, Middle East and Africa versions.
This report builds on our January Netskope Cloud Report in which we highlighted research on compromised user accounts. In it, we estimated based on our research that 15 percent of enterprise users have had their credentials stolen in a prior data breach. This quarter, we report that that number is 13.6 percent over the report’s time period. We also correlate that data with the active usage data in our cloud. When you marry activity-level security analytics with data on compromised accounts, the risk picture becomes significantly more clear.
Among the more interesting findings from the report is that 23.6 percent of logins to Customer Relationship Management apps are by users who have had their account credentials (personal or corporate) compromised in a prior major data breach. While many IT and security organizations ensure that these important corporate apps are monitored and secured with an identity management solution, it’s an important reminder that users re-use logins and passwords across multiple accounts. It’s also important to note that for every one of these types of corporate apps, there can be dozens of ecosystem apps connected to it. So even if an app is well-secured, what about the apps that integrate with it?
Another key finding is that 70 percent of data uploads by users with compromised accounts are to apps that are rated “poor,” as compared with 30 percent for an average user. Monitoring cloud activity at the intersection of compromised users and risky apps goes a long way toward understanding security threats related to cloud apps – uploads to risky apps could signal data exfiltration, downloads could be malware, excessive activity could be a hijacked account. Looking at these pockets of activity can help you suss problems out quickly.
These are just a couple of examples to show the importance of understanding not just how many users with compromised accounts you have in your environment, but also how those users are interacting with your cloud apps and business-critical data.