Threat Detection Technical Overview

Introduction

Cisco Cloudlock uses a range of machine learning techniques to surface potential threats in three categories: locations, IP addresses, and user login activity. Cloudlock’s approach involves two phases: a Learning & Profiling phase and a Detection phase.

Phased Approach

Threat detection typically occurs in two phases: a Learning/Profiling phase, in which the solution builds a model of what normal activity looks like, and a Detection phase, in which incoming activities are evaluated as they arrive to determine whether they fit the norm or deviate from it.

Learning & Profiling Phase

The Learning & Profiling phase identifies patterns of use in the population using a customer’s platform. This process employs clustering algorithms such as k-means and mean shift.

K-means is an iterative method for identifying subgroups within a larger group, based on similarities that cause the data to cluster around one or more “centers”. One of the original proposals of k-means can be found here.

Mean shift is, like k-means, an iterative method for identifying clusters of similar items within a very large collection of data. More information on mean shift is available here.

K-means and mean shift are similar in some ways, but deliver results distinct enough to make it valuable to use both. In addition, the Cloudlock solution applies various dimensionality reduction approaches to identify and focus only on the variables that matter for the specific use case.

Detection phase

In the detection phase the Cloudlock solution employs various similarity techniques (both distance- and vector-based) to identify potential outliers among the activities for the user population. These are treated as potential sources of threats, which are then qualified using Cloudlock’s proprietary probabilistic scoring system which is based on historical data and customer feedback on known IPs and locations.
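The two phases described above, as an added example that is not Cloudlock's code: a small pure-Python k-means learns login-location clusters (profiling), and each login is then scored by its distance to the nearest learned center (distance-based detection). The coordinates, the value of k, the minimum cluster support, and the threshold rule are all constructed for illustration; Cloudlock's actual parameters and scoring are not on the page.

```python
"""Added example, not Cloudlock's code. Profiles login locations with a small
pure-Python k-means and flags logins far from every learned cluster centre.
All sample points, k, and thresholds are constructed for illustration."""
import math
from typing import List, Tuple

Point = Tuple[float, float]

# Constructed sample: (lat, lon) per login. Two office clusters plus one outlier.
LOGINS: List[Point] = [
    (42.36, -71.06), (42.37, -71.05), (42.35, -71.07), (42.36, -71.04),      # Boston HQ
    (37.78, -122.42), (37.77, -122.41), (37.79, -122.43), (37.78, -122.40),  # SF office
    (55.75, 37.62),                                                          # lone login from Moscow
]


def dist(a: Point, b: Point) -> float:
    # Plain Euclidean distance in degrees: enough to separate cities in this example.
    return math.hypot(a[0] - b[0], a[1] - b[1])


def farthest_first_seeds(points: List[Point], k: int) -> List[Point]:
    """Deterministic seeding: the first point, then repeatedly the point farthest
    from its nearest chosen seed. Keeps the example reproducible."""
    seeds = [points[0]]
    while len(seeds) < k:
        seeds.append(max(points, key=lambda p: min(dist(p, s) for s in seeds)))
    return seeds


def kmeans(points: List[Point], k: int, iters: int = 50) -> Tuple[List[Point], List[int]]:
    """Lloyd's algorithm. Returns the centres and the cluster index of each point."""
    centres = farthest_first_seeds(points, k)
    labels = [0] * len(points)
    for _ in range(iters):
        labels = [min(range(k), key=lambda j: dist(p, centres[j])) for p in points]
        new_centres = []
        for j in range(k):
            members = [p for p, lab in zip(points, labels) if lab == j]
            if members:
                new_centres.append((sum(m[0] for m in members) / len(members),
                                    sum(m[1] for m in members) / len(members)))
            else:
                new_centres.append(centres[j])  # an empty cluster keeps its old centre
        if new_centres == centres:
            break
        centres = new_centres
    return centres, labels


def learn_profile(points: List[Point], k: int, min_support: int = 3,
                  min_radius: float = 0.1) -> Tuple[List[Point], List[float]]:
    """Profiling phase. Keeps only clusters with enough logins to count as
    'normal' and derives a per-cluster distance threshold from its spread."""
    centres, labels = kmeans(points, k)
    kept, thresholds = [], []
    for j, c in enumerate(centres):
        d = [dist(p, c) for p, lab in zip(points, labels) if lab == j]
        if len(d) < min_support:
            continue  # a one-login cluster is an outlier that captured a centre, not a baseline
        mu = sum(d) / len(d)
        sigma = math.sqrt(sum((x - mu) ** 2 for x in d) / len(d))
        kept.append(c)
        thresholds.append(max(mu + 3 * sigma, min_radius))  # constructed rule
    return kept, thresholds


def detect_outliers(points: List[Point], centres: List[Point],
                    thresholds: List[float]) -> List[Point]:
    """Detection phase. A login is an outlier when it is farther from its
    nearest retained centre than that centre's learned threshold."""
    outliers = []
    for p in points:
        nearest = min(range(len(centres)), key=lambda i: dist(p, centres[i]))
        if dist(p, centres[nearest]) > thresholds[nearest]:
            outliers.append(p)
    return outliers


if __name__ == "__main__":
    centres, thresholds = learn_profile(LOGINS, k=3)
    for lat, lon in detect_outliers(LOGINS, centres, thresholds):
        print(f"activity from abnormal location: lat={lat}, lon={lon}")
```

The `min_support` check is the practically important part: with farthest-first seeding the lone Moscow login grabs one of the three centres, and without that check it would be scored as perfectly normal. The choice of k is left as a parameter here; the page does not say how Cloudlock selects it.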

Threat Targets

The Cisco Cloudlock machine learning system focuses on three general areas of potential threat: Suspicious Login Activity, Location-Based Anomalies, and IP Reputation.

Suspicious Login Activity

Suspicious Login Activity monitoring captures high-frequency login anomalies, such as login failures and login challenges from unusual devices, geographies, and time periods for a given user, which indicate potential threats to corporate user accounts. While login challenges are relatively easy for attackers to overcome, Cloudlock’s threat analytics enable quick response times.

Location-Based Anomalies

Location-Based Anomaly Detection exposes abnormal user activity in which users attempt to log in from locations that differ from the baseline (corporate headquarters, satellite offices, etc.) within short time frames. Activity outside the normal baseline could signal an account compromise, requiring a timely response to mitigate the situation.
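One concrete form of the "differ from the baseline within short time frames" check, as an added example and not Cloudlock's code: consecutive logins by the same user are compared by great-circle distance and elapsed time, and a pair that implies an implausible travel speed produces an alert annotated with whether the new location is a known site. The baseline sites, the login events, and the 1000 km/h limit are constructed.

```python
"""Added example, not Cloudlock's code: flag a user whose consecutive logins
come from places too far apart for the time between them. The baseline
sites, the events, and the speed limit are constructed for illustration."""
import math
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Constructed baseline sites (lat, lon, radius_km), e.g. HQ and satellite offices.
BASELINE_SITES = {
    "Boston HQ": (42.36, -71.06, 50.0),
    "New York office": (40.71, -74.01, 50.0),
}
MAX_PLAUSIBLE_KMH = 1000.0  # constructed: roughly airliner speed incl. airport overhead

# Constructed login events: (user, UTC timestamp, lat, lon)
EVENTS = [
    ("alice", "2024-05-06T09:00:00Z", 42.36, -71.06),   # Boston
    ("alice", "2024-05-06T10:30:00Z", 1.35, 103.82),    # Singapore, 90 minutes later
    ("bob",   "2024-05-06T08:00:00Z", 42.36, -71.06),   # Boston
    ("bob",   "2024-05-06T13:00:00Z", 40.71, -74.01),   # New York, five hours later
]


def distance_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance (haversine formula) on a 6371 km sphere."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def nearest_site(lat: float, lon: float) -> Optional[str]:
    """Name of the baseline site whose radius covers this point, else None."""
    for name, (slat, slon, radius) in BASELINE_SITES.items():
        if distance_km(lat, lon, slat, slon) <= radius:
            return name
    return None


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def impossible_travel(events, max_kmh: float = MAX_PLAUSIBLE_KMH) -> List[dict]:
    """One alert per consecutive login pair (per user, in time order) whose
    implied speed exceeds max_kmh."""
    by_user: Dict[str, List[Tuple[datetime, float, float]]] = {}
    for user, ts, lat, lon in events:
        by_user.setdefault(user, []).append((parse_ts(ts), lat, lon))
    alerts = []
    for user, logins in by_user.items():
        logins.sort()
        for (t1, la1, lo1), (t2, la2, lo2) in zip(logins, logins[1:]):
            hours = (t2 - t1).total_seconds() / 3600.0
            km = distance_km(la1, lo1, la2, lo2)
            # Two logins in the same second from different places are the
            # extreme case: treat the speed as unbounded rather than dividing by zero.
            speed = km / hours if hours > 0 else (math.inf if km > 0 else 0.0)
            if speed > max_kmh:
                alerts.append({"user": user, "km": round(km), "hours": hours,
                               "kmh": round(speed) if speed != math.inf else speed,
                               "known_site": nearest_site(la2, lo2)})
    return alerts


if __name__ == "__main__":
    for a in impossible_travel(EVENTS):
        print(f"{a['user']}: {a['km']} km in {a['hours']:.1f} h "
              f"({a['kmh']} km/h), known site: {a['known_site']}")
```

Alice's Boston-to-Singapore pair covers roughly 15,000 km in 90 minutes and is flagged; Bob's Boston-to-New York pair (about 300 km in five hours) is not. The `known_site` field is what lets an analyst see at a glance that the second location is also outside the baseline.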

IP Reputation

IP Reputation Analysis surfaces user activities with high IP reputation risk scores based on Cisco Cloudlock CyberLab research, enriched with multiple third-party threat intelligence services. Security teams have real-time access to user activities that are statistical outliers based on frequencies (identifying users with exceptionally high counts of distinct IP addresses) as well as activities from IP addresses associated with malicious activity, such as spamming, zombie networks, and port scanning.
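The two checks named in this section, as an added example and not Cloudlock's code: per-user distinct-IP counts are parsed from constructed login log lines and users above a Tukey fence (Q3 + 1.5 × IQR) are reported as frequency outliers, and any login from an address on a reputation list is reported as a hit. The log format, the addresses (RFC 5737 documentation ranges), and the bad-IP set are constructed; Cloudlock's own scoring and intelligence feeds are not on the page.

```python
"""Added example, not Cloudlock's code: from constructed login log lines,
surface (a) users with an exceptionally high number of distinct source IPs
(Tukey fence on per-user counts) and (b) logins from IPs on a reputation list.
Addresses are RFC 5737 documentation ranges; the bad-IP set is constructed."""
import re
import statistics
from typing import Dict, List, Set, Tuple

# Constructed log lines in a hypothetical "user=... ip=..." format.
LOG = """\
2024-05-06T08:01:10Z user=alice ip=203.0.113.10 result=success
2024-05-06T08:05:44Z user=alice ip=203.0.113.11 result=success
2024-05-06T08:09:02Z user=alice ip=203.0.113.12 result=success
2024-05-06T08:12:51Z user=alice ip=203.0.113.13 result=success
2024-05-06T08:20:19Z user=alice ip=203.0.113.14 result=success
2024-05-06T08:25:33Z user=alice ip=203.0.113.15 result=success
2024-05-06T08:31:07Z user=alice ip=203.0.113.16 result=success
2024-05-06T08:40:00Z user=alice ip=203.0.113.10 result=success
2024-05-06T09:02:12Z user=bob ip=198.51.100.77 result=success
2024-05-06T09:04:38Z user=carol ip=192.0.2.5 result=success
2024-05-06T09:15:41Z user=carol ip=192.0.2.6 result=success
2024-05-06T09:21:09Z user=dave ip=192.0.2.20 result=success
2024-05-06T09:30:55Z user=erin ip=192.0.2.30 result=success
2024-05-06T09:33:16Z user=erin ip=192.0.2.31 result=success
2024-05-06T09:40:27Z user=frank ip=192.0.2.40 result=success
2024-05-06T09:48:03Z user=grace ip=192.0.2.50 result=success
"""

# Constructed stand-in for a reputation feed of addresses seen in spamming,
# botnet or scanning activity.
BAD_IPS: Set[str] = {"198.51.100.77"}

LINE_RE = re.compile(r"user=(?P<user>\S+)\s+ip=(?P<ip>\S+)")


def parse_logins(text: str) -> List[Tuple[str, str]]:
    """Extract (user, ip) from each line that matches the constructed format."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m.group("user"), m.group("ip")))
    return events


def distinct_ip_counts(events: List[Tuple[str, str]]) -> Dict[str, int]:
    """Number of distinct source addresses per user (repeat logins do not add)."""
    ips: Dict[str, Set[str]] = {}
    for user, ip in events:
        ips.setdefault(user, set()).add(ip)
    return {u: len(s) for u, s in ips.items()}


def frequency_outliers(counts: Dict[str, int], k: float = 1.5) -> List[str]:
    """Users whose distinct-IP count exceeds Q3 + k*IQR of the population.
    A quartile fence is used rather than a z-score because with a small
    population a single extreme user inflates the standard deviation."""
    values = sorted(counts.values())
    if len(values) < 4:
        return []  # too few users to estimate a spread
    q1, _, q3 = statistics.quantiles(values, n=4)
    fence = q3 + k * (q3 - q1)
    return sorted(u for u, c in counts.items() if c > fence)


def reputation_hits(events: List[Tuple[str, str]], bad_ips: Set[str]) -> List[Tuple[str, str]]:
    """Distinct (user, ip) pairs where the address is on the reputation list."""
    return sorted({(u, ip) for u, ip in events if ip in bad_ips})


if __name__ == "__main__":
    ev = parse_logins(LOG)
    counts = distinct_ip_counts(ev)
    for u in frequency_outliers(counts):
        print(f"{u}: {counts[u]} distinct IPs, population outlier")
    for u, ip in reputation_hits(ev, BAD_IPS):
        print(f"{u}: login from listed address {ip}")
```

With seven users the counts are [1, 1, 1, 1, 2, 2, 7], so the fence sits at 3.5 and only alice is reported; bob is reported separately because his single address is on the list, which is a different signal from volume.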

Use Cases

The Cisco Cloudlock machine learning system is not visible to Cloudlock users or administrators; it functions entirely transparently in the system background. Nevertheless it can come into play in realistic use cases such as the following:

Account Compromise

Cloudlock’s threat detection capabilities help identify classic cases of account compromise attempts, whether they are failed attempts (indicated by a large number of failed and challenged logins) or successful logins characterized by abnormal login locations and/or times.

Shared Credentials

These will usually be surfaced via Cloudlock’s velocity policies but can also be detected on the basis of high usage from a variety of locations.

Stale Applications / Off Boarding

The Cloudlock solution often surfaces a high volume of failed login attempts made by third-party applications that are trying to log in on behalf of users who have already left the company.

Atypical Logins

Cloudlock customers often need to identify users whose accounts see login activity from locations that are atypical for that account. Customers employ users who travel frequently, work from home, or execute scripts from remote locations, so a static policy that white- and blacklists countries does not operate at the level of granularity needed. In this case, anomaly detection at the city level is required to identify true threats. Cloudlock machine learning applies here because login events naturally cluster, and outliers can be detected from the actual data without regard to specific physical boundaries, political or otherwise.

Noise Reduction

Suspicious login activity is a concern for many Cloudlock customers. However, basing actions on a single factor, such as suspicious login alerts from Google, produces too many false positives, or “noise”. This is because such alerts are generated with a fairly simple approach, producing alerts that are too vague to warrant action in all cases. Cloudlock’s approach automatically combines these simple alerts with other datasets (e.g. frequency of alerts within specific accounts, time, location, etc.). This combination is not predetermined, but is “learned” from the characteristics found in the data itself for each customer. In this way, accounts that may actually be at risk of compromise can be identified, even when the actual methods of compromise are not expected.

Threat Reporting

The Cloudlock machine learning system reports threats in plain English. For example:

    User account belonging to <user first name> <user last name> has activity from abnormal locations: <location 1>, <location 2>, <location 3>,...
    Risk: Account Compromise

The plain-English reporting system is designed to make it easy for Cloudlock administrators to respond to alerts quickly and efficiently. Threat reports include links for the administrator to follow to identify details about user accounts, locations, and other sources of relevant data in the Cloudlock Security Fabric interface.