Cisco Cloudlock uses a range of techniques to surface potential threats in three categories: locations, IP addresses, and user login activity. Cloudlock's approach has two phases, Learning & Profiling and Detection:
Learning & Profiling - building a model of what normal behavior looks like for the customer's user population.
Detection - evaluating new activities against that model to determine whether they fit the norm or deviate from it.
The Learning & Profiling phase identifies patterns of use across the population of users on a customer's platform. This process employs clustering algorithms such as k-means and mean shift.
K-means is an iterative method that partitions a data set into a chosen number (k) of subgroups: each point is assigned to the nearest of k cluster centers, each center is recomputed as the mean of the points assigned to it, and the two steps repeat until the assignments stop changing. The number of clusters must be fixed in advance, and the result depends on where the initial centers are placed.
Mean shift is, like k-means, an iterative method for finding clusters of similar items in a very large collection of data, but it does not require the number of clusters to be chosen in advance: each point is repeatedly shifted toward the mean of the points within a window (the bandwidth) around it, and points that converge on the same density peak form a cluster.
The two approaches are similar in some ways but deliver results distinct enough to make it valuable to use both; mean shift, for example, can reveal how many natural clusters the data contains, which k-means cannot do on its own. In addition, the Cloudlock solution uses dimensionality reduction techniques to identify and focus only on the variables that matter for the specific use case.
In the detection phase, the Cloudlock solution employs various similarity measures (both distance-based and vector-based) to identify potential outliers among the activities of the user population. These are treated as potential sources of threats, which are then qualified using Cloudlock's proprietary probabilistic scoring system, which is based on historical data and on customer feedback about known IPs and locations.
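The two phases in miniature, as an added example that is not Cloudlock's code: a pure-Python k-means clusters constructed login coordinates into the population's normal locations (learning/profiling), and a distance-based check then flags events far from every learned center (detection). The coordinates, the choice of k = 2 and the mean-plus-three-standard-deviations threshold are all assumptions made for the example.

```python
"""Two-phase detection over constructed login coordinates.

Learning/profiling: k-means (Lloyd's algorithm, pure Python) finds the
population's normal login locations. Detection: an event is an outlier when
its distance to the nearest learned centre exceeds a threshold derived from
the training data. Added example; not Cloudlock's code or feature set.
"""
import math
import statistics

# Constructed training logins as (latitude, longitude): two office clusters.
TRAINING_LOGINS = [
    (37.77, -122.42), (37.78, -122.41), (37.76, -122.43), (37.79, -122.40),  # San Francisco
    (40.71, -74.01), (40.72, -74.00), (40.70, -74.02), (40.73, -73.99),      # New York
]


def euclid(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def nearest_centre(point, centres):
    """Index of the closest centre and the distance to it."""
    idx = min(range(len(centres)), key=lambda i: euclid(point, centres[i]))
    return idx, euclid(point, centres[idx])


def kmeans(points, k, max_iters=100):
    """Lloyd's algorithm. Centres start at the first k points to keep the
    example deterministic; production code uses k-means++ or random restarts
    because the result depends on initialisation."""
    centres = [tuple(p) for p in points[:k]]
    for _ in range(max_iters):
        groups = [[] for _ in range(k)]
        for p in points:
            groups[nearest_centre(p, centres)[0]].append(p)
        new_centres = [
            tuple(sum(coord) / len(g) for coord in zip(*g)) if g else centres[i]
            for i, g in enumerate(groups)
        ]
        if new_centres == centres:  # assignments stable: converged
            break
        centres = new_centres
    return centres


def fit_profile(points, k):
    """Learning phase: cluster centres plus a data-driven outlier threshold
    (mean + 3 standard deviations of training distances to nearest centre)."""
    centres = kmeans(points, k)
    dists = [nearest_centre(p, centres)[1] for p in points]
    threshold = statistics.mean(dists) + 3 * statistics.stdev(dists)
    return centres, threshold


def is_outlier(event, profile):
    """Detection phase: distance-based check of one login against the profile."""
    centres, threshold = profile
    return nearest_centre(event, centres)[1] > threshold


PROFILE = fit_profile(TRAINING_LOGINS, k=2)

if __name__ == "__main__":
    for event in [(37.77, -122.41), (37.80, -122.27), (51.51, -0.13)]:
        print(event, "outlier" if is_outlier(event, PROFILE) else "normal")
```

Distances here are in degrees of latitude/longitude, which is adequate for a demonstration but not for production, where the distance between logins would be measured along the earth's surface and the threshold tuned to the tenant; the learned threshold on this small training set is about 0.037 degrees, roughly 4 km, so a login from across the bay is flagged while one a few blocks from the office is not. Mean shift and dimensionality reduction, which the text also mentions, are not implemented here.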
The Cisco Cloudlock machine learning system focuses on three general areas of potential threat: Suspicious Login Activity, Location-Based Anomalies, and IP Reputation.
Suspicious Login Activity monitoring captures high-frequency login anomalies, such as login failures and login challenges from unusual devices, geographies, and time periods for a given user, which indicate potential threats to corporate user accounts. Because a login challenge on its own will not stop every attacker, Cloudlock's threat analytics is designed to enable a quick response.
Location-Based Anomaly Detection exposes abnormal user activity in which a user logs in from locations that differ from the baseline (corporate headquarters, satellite offices, etc.), including logins from distant locations within a time frame too short to travel between them. Activity outside the normal baseline can signal account compromise and requires a timely response to mitigate the situation.
IP Reputation Analysis surfaces user activities with high IP reputation risk scores based on Cisco Cloudlock CyberLab research enriched with multiple third-party threat intelligence services. Security teams have real-time access to user activities that are statistical outliers by frequency (for example, users with an exceptionally high count of distinct IP addresses), as well as activity from IP addresses associated with malicious behavior such as spamming, botnets, and port scanning.
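Two of the detection checks described in the last two paragraphs, as an added example that is not Cloudlock's code: an impossible-travel test for the location-based anomaly (consecutive logins by one user that imply an implausible ground speed) and a frequency outlier test that finds users with an exceptionally high number of distinct source IP addresses. The login records, the speed and distance cut-offs and the median/MAD outlier rule are constructed for the example; IP reputation lookups against threat intelligence feeds are not simulated.

```python
"""Detection-phase checks over a constructed login log. Added example, not
Cloudlock's code: (1) impossible travel, i.e. consecutive logins of one user
that imply an implausible ground speed, and (2) users whose number of distinct
source IPs is a statistical outlier relative to the population."""
import math
import statistics
from collections import defaultdict
from datetime import datetime

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 1000.0   # roughly airliner speed; tune per tenant
MIN_DISTANCE_KM = 50.0             # ignore geolocation jitter inside one metro area
MAD_THRESHOLD = 3.0                # robust z-score cut-off for IP-count outliers

# Constructed login records: (user, UTC timestamp, source IP, latitude, longitude).
LOGINS = [
    ("alice", "2023-05-01T09:00:00", "203.0.113.10", 37.77, -122.42),  # San Francisco
    ("alice", "2023-05-01T09:40:00", "203.0.113.10", 37.78, -122.41),
    ("alice", "2023-05-01T10:30:00", "198.51.100.7", 51.51, -0.13),    # London, 50 min later
    ("bob",   "2023-05-01T08:00:00", "203.0.113.11", 40.71, -74.01),   # New York
    ("bob",   "2023-05-01T17:00:00", "203.0.113.12", 40.72, -74.00),
    ("dave",  "2023-05-01T12:00:00", "203.0.113.20", 40.71, -74.01),
    ("erin",  "2023-05-01T12:00:00", "203.0.113.21", 37.77, -122.42),
    ("erin",  "2023-05-02T12:00:00", "203.0.113.22", 37.77, -122.42),
    ("frank", "2023-05-01T12:00:00", "203.0.113.23", 37.77, -122.42),
] + [
    # carol authenticates from nine different addresses in one day: a frequency outlier
    ("carol", f"2023-05-01T{8 + i:02d}:00:00", f"192.0.2.{i}", 40.71, -74.01)
    for i in range(9)
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def impossible_travel(logins):
    """Pairs of consecutive logins per user whose implied speed is implausible.
    Returns (user, timestamp, ip, km, km/h) for the later login of each pair."""
    by_user = defaultdict(list)
    for user, ts, ip, lat, lon in logins:
        by_user[user].append((datetime.fromisoformat(ts), ip, lat, lon))
    findings = []
    for user, events in by_user.items():
        events.sort()
        for (t0, _, lat0, lon0), (t1, ip1, lat1, lon1) in zip(events, events[1:]):
            km = haversine_km(lat0, lon0, lat1, lon1)
            if km < MIN_DISTANCE_KM:
                continue
            hours = max((t1 - t0).total_seconds() / 3600.0, 1.0 / 60.0)  # floor: one minute
            speed = km / hours
            if speed > MAX_PLAUSIBLE_SPEED_KMH:
                findings.append((user, t1.isoformat(), ip1, round(km), round(speed)))
    return findings


def distinct_ip_outliers(logins):
    """Users whose distinct-IP count is a high-side outlier under a median/MAD
    rule, which is less distorted by the outliers themselves than mean/stdev."""
    ips = defaultdict(set)
    for user, _, ip, _, _ in logins:
        ips[user].add(ip)
    counts = {user: len(s) for user, s in ips.items()}
    med = statistics.median(counts.values())
    mad = statistics.median([abs(c - med) for c in counts.values()])
    scale = 1.4826 * mad if mad else 1.0  # 1.4826 makes MAD comparable to a std dev
    return sorted(user for user, c in counts.items() if (c - med) / scale > MAD_THRESHOLD)


if __name__ == "__main__":
    print(impossible_travel(LOGINS))
    print(distinct_ip_outliers(LOGINS))
```

The distance floor avoids flagging geolocation jitter within one metro area, and the time floor of one minute avoids a division by zero when two logins carry the same timestamp. The median/MAD rule is used rather than mean/standard deviation because a single user with dozens of addresses would otherwise inflate the standard deviation enough to hide itself.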
The Cisco Cloudlock machine learning system is not directly visible to Cloudlock users or administrators; it runs transparently in the background. It nevertheless comes into play in realistic use cases such as the following:
Cloudlock's threat detection capabilities help identify classic account compromise attempts, whether failed (indicated by a large number of failed and challenged logins) or successful (characterized by abnormal login locations and/or times).
These will usually be surfaced via Cloudlock’s velocity policies but can also be detected on the basis of high usage from a variety of locations.
The Cloudlock solution often surfaces a high volume of failed login attempts generated by third-party applications that are still trying to log in on behalf of users who have already left the company. Revoking such applications' access as part of offboarding removes both the risk and the noise.
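The two use cases above expressed as detection logic over constructed log lines, as an added example that is not Cloudlock's code: one function counts failed and challenged logins per user (the failed compromise attempt pattern), and the other isolates failures that third-party applications keep generating for accounts that have already been offboarded. The key=value log format, the offboarding list and the thresholds are assumptions.

```python
"""Account-compromise pressure and stale third-party integrations, over
constructed log lines. Added example, not Cloudlock's code: the log format,
the deprovisioned-user feed and the thresholds are assumptions."""
import re
from collections import Counter

# Constructed login log in a key=value format (not a real Cloudlock export).
LOG_LINES = """\
2023-05-01T09:00:05Z event=login_failure user=jsmith@example.com app="Calendar Sync" ip=203.0.113.5
2023-05-01T09:15:05Z event=login_failure user=jsmith@example.com app="Calendar Sync" ip=203.0.113.5
2023-05-01T09:30:05Z event=login_failure user=jsmith@example.com app="Calendar Sync" ip=203.0.113.5
2023-05-01T09:45:05Z event=login_failure user=jsmith@example.com app="Calendar Sync" ip=203.0.113.5
2023-05-01T09:46:11Z event=login_success user=apatel@example.com app="Browser" ip=198.51.100.9
2023-05-01T09:50:00Z event=login_failure user=apatel@example.com app="Browser" ip=198.51.100.9
2023-05-01T10:00:05Z event=login_failure user=jsmith@example.com app="CRM Connector" ip=203.0.113.6
2023-05-01T10:05:00Z event=login_challenge user=mlee@example.com app="Browser" ip=192.0.2.44
"""

# Constructed offboarding feed (would come from HR or the identity provider).
DEPROVISIONED = {"jsmith@example.com"}

PRESSURE_THRESHOLD = 3   # failed + challenged logins per user before alerting
STALE_APP_THRESHOLD = 3  # failures per (offboarded user, app) pair before alerting

LINE_RE = re.compile(
    r'^(?P<ts>\S+) event=(?P<event>\S+) user=(?P<user>\S+) '
    r'app="(?P<app>[^"]*)" ip=(?P<ip>\S+)$'
)


def parse_lines(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def login_pressure(text, threshold=PRESSURE_THRESHOLD):
    """Users with at least `threshold` failed or challenged logins: the
    'failed compromise attempt' pattern (large numbers of failures/challenges)."""
    counts = Counter(
        ev["user"] for ev in parse_lines(text)
        if ev["event"] in ("login_failure", "login_challenge")
    )
    return {user: n for user, n in counts.items() if n >= threshold}


def stale_app_logins(text, deprovisioned, threshold=STALE_APP_THRESHOLD):
    """(user, app) pairs where a third-party app keeps failing to log in on
    behalf of an account that has already been offboarded."""
    failures = Counter(
        (ev["user"], ev["app"]) for ev in parse_lines(text)
        if ev["event"] == "login_failure" and ev["user"] in deprovisioned
    )
    return {pair: n for pair, n in failures.items() if n >= threshold}


if __name__ == "__main__":
    print(login_pressure(LOG_LINES))
    print(stale_app_logins(LOG_LINES, DEPROVISIONED))
```

Note that the offboarded account shows up in both results: its stale integrations are the bulk of its failed logins. Separating the stale-integration finding lets a team route it to offboarding cleanup (revoking the application's tokens) rather than treating it as an attack, and removes noise that could otherwise mask a genuine brute-force attempt.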
Cloudlock customers often need to identify users whose accounts show login activity from locations that are atypical for that account. Customers employ users who travel frequently, work from home, or run scripts from remote locations, so a static policy that allow-lists or block-lists whole countries does not operate at the level of granularity needed. In this case, anomaly detection at the city level is required in order to identify true threats. Cloudlock machine learning applies here because login events naturally cluster, and outliers can be detected from the actual data without regard to physical or political boundaries.
Suspicious login activity is a concern for many Cloudlock customers. However, acting on a single signal such as Google's suspicious login alerts produces too many false positives, or noise, because those alerts are generated with a fairly simple approach and are too vague to warrant action in every case. Cloudlock automatically combines these simple alerts with other data (for example, the frequency of alerts within a given account, time, and location). The combination is not predetermined but is learned from the characteristics of each customer's own data. In this way, accounts that may actually be at risk of compromise can be identified even when the method of compromise was not anticipated.
The Cloudlock machine learning system reports threats in plain English. For example:
User account belonging to <user first name> <user last name> has activity from abnormal locations: <location 1>, <location 2>, <location 3>,...
Risk: Account Compromise
The plain-English reporting system is designed to let Cloudlock administrators respond to alerts quickly and efficiently. Threat reports include links that take the administrator to details about the user account, the locations involved, and other relevant data in the Cloudlock Security Fabric interface.