By Salvatore Stolfo on Jan 16, 2019 1:55:00 PM
The relentless move by enterprises to cloud storage comes at a price: a lack of visibility. Although all cloud storage providers log (almost) every action taken by users with access credentials, tracking capabilities and log analysis are limited. This is especially true after a document is downloaded, copied or shared with a third party. While a document is stored and accessed in the cloud, its activity is logged. But once a credentialed user downloads it, all bets are off. Cloud logs provide no visibility into where that data goes after it leaves the cloud, and no amount of DLP, DRM or CASB will change this.
Allure Document Beacons change this dynamic by continuing to track and log file data even after a document leaves a cloud share. This plugs a visibility gap organizations have been struggling with for years, and provides proprietary telemetry and geofence insights that have historically not been accessible.
Risk is fueled by the unknown
During our onboarding process, a recent analysis performed for a customer on three days' worth of cloud log datasets showed about 400 document downloads to unknown locations by unknown users. Not only was the organization unaware of the large volume of downloads, which alone indicates a policy violation, but it also had no way of knowing what happened to those documents once they left the cloud share. The level of risk therefore remains unknown for the entire lifecycle of those documents, even after the suspicious activity is uncovered.
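The kind of cloud-log review described above can be reduced to a small script. The following is an added example, not Allure's code and not any provider's real log schema: it reads a constructed JSON-per-line download log, flags downloads by users who are not in the directory and downloads to client IPs outside assumed corporate ranges, and counts both per day. The field names, IP ranges and user list are assumptions for the example.

```python
# Added example (not Allure's code): find downloads to unknown locations and by
# unknown users in a constructed, vendor-neutral cloud-storage audit log.
import ipaddress
import json
from collections import Counter

# Constructed sample log lines, one JSON event per line. The field names are an
# assumption for this example, not any provider's real schema.
SAMPLE_LOG = """
{"ts": "2019-01-10T09:12:03Z", "user": "alice@corp.example", "action": "download", "file": "q4-forecast.xlsx", "client_ip": "10.20.4.17"}
{"ts": "2019-01-10T09:40:51Z", "user": "alice@corp.example", "action": "view", "file": "q4-forecast.xlsx", "client_ip": "10.20.4.17"}
{"ts": "2019-01-10T22:05:19Z", "user": "bob@corp.example", "action": "download", "file": "m-and-a-memo.docx", "client_ip": "198.51.100.23"}
{"ts": "2019-01-11T03:14:07Z", "user": "ext-9f31@partner-share", "action": "download", "file": "m-and-a-memo.docx", "client_ip": "203.0.113.77"}
{"ts": "2019-01-11T03:14:09Z", "user": "ext-9f31@partner-share", "action": "download", "file": "board-deck.pdf", "client_ip": "203.0.113.77"}
{"ts": "2019-01-12T11:00:00Z", "user": "carol@corp.example", "action": "download", "file": "hr-policy.pdf", "client_ip": "10.20.9.2"}
"""

# Assumed reference data: corporate egress ranges and the user directory.
CORPORATE_RANGES = [ipaddress.ip_network("10.20.0.0/16")]
KNOWN_USERS = {"alice@corp.example", "bob@corp.example", "carol@corp.example"}


def is_corporate(ip: str) -> bool:
    """True if the client IP falls inside one of the assumed corporate ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_RANGES)


def analyse_downloads(log_text: str) -> dict:
    """Count downloads by unknown users and to unknown locations, per day."""
    unknown_user = Counter()      # day -> downloads by users not in the directory
    unknown_location = Counter()  # day -> downloads to non-corporate client IPs
    files_at_risk = set()         # documents whose whereabouts are now unknown
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        if ev["action"] != "download":
            continue                      # views stay inside the cloud share
        day = ev["ts"][:10]
        if ev["user"] not in KNOWN_USERS:
            unknown_user[day] += 1
        if not is_corporate(ev["client_ip"]):
            unknown_location[day] += 1
            files_at_risk.add(ev["file"])
    return {
        "unknown_user": dict(unknown_user),
        "unknown_location": dict(unknown_location),
        "files_at_risk": sorted(files_at_risk),
    }


if __name__ == "__main__":
    for key, value in analyse_downloads(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Note what the script cannot tell you: for the two documents in files_at_risk it reports only that they left the corporate network, which is exactly the point at which the cloud log trail ends.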
In another case, a cloud log revealed a large flow of documents to a remote foreign location. The enterprise's SIEM, ingesting NetFlow data, had noted a large number of bytes transferred to that location, but the company had no knowledge of what those bytes contained. The cloud logs revealed that a large collection of videos, or what appeared to be video files, had been transferred. It is not uncommon for attackers to bundle documents, change the file extension from Word or PDF to a video file type, and exfiltrate the result to a public staging server such as YouTube. Was this what happened? Unfortunately, the trail went cold without the ability to analyze the document activity any further. Document beacons continue logging activity even if the documents are bundled into a deceptive package and exfiltrated as supposed video files.
Document beacons pierce through the fog of cloud security
The insight that Allure Document Beacons provide after a document leaves the organization's control, insight that is otherwise missing, can produce high-severity alerts based on a single event, or can inform larger incidents as they unfold. Certain document beacon events are clear-cut security breaches. For example, documents opened in known bad countries, or documents opened from a competitor's network, indicate clear, malicious data loss that requires an immediate response. Appropriate actions include shutting down credentials, revoking access to files, folders or cloud shares, or deploying countermeasures to hold hackers accountable. Document beacon insights help law enforcement officers do their jobs, and provide leverage for legal teams attempting to recoup lost data.
Other analytic benefits are more subtle, and surface over time through ongoing monitoring and assessment. For example, viewing daily document flows can reveal policy violations or common sharing mistakes. These findings can better inform policy and training initiatives to reduce data loss risk. Additionally, document beacon data can reveal credential theft or insider threats, and can help narrow the list of suspects and identify bad actors when correlated with other threat indicators in a SIEM.
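The two preceding paragraphs describe how beacon callbacks split into clear-cut alerts (opened in a denied country, opened from a competitor's network, or opened from an address another SIEM detection has already flagged) and into lower-severity events that are better read as daily document flows. The following is an added example, not Allure's code, showing that triage over constructed beacon events. The event schema, country codes, network lists and suspect-IP set are all assumptions and placeholders for the example.

```python
# Added example (not Allure's code): triage document-beacon callbacks into
# immediate alerts and a daily document-flow summary for policy review.
import ipaddress
from collections import Counter, defaultdict

# Assumed reference data (placeholders, not real intelligence).
DENIED_COUNTRIES = {"XX", "YY"}   # placeholder codes for countries where the document must never be opened
COMPETITOR_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
CORPORATE_NETWORKS = [ipaddress.ip_network("10.20.0.0/16"),
                      ipaddress.ip_network("198.51.100.0/28")]
# Addresses already flagged by other SIEM detections (constructed).
SIEM_SUSPECT_IPS = {"192.0.2.45"}

# Constructed beacon callbacks: (document id, opened-at UTC, source IP, geo country).
SAMPLE_EVENTS = [
    ("doc-1001", "2019-01-10T08:15:00Z", "10.20.4.17", "US"),
    ("doc-1001", "2019-01-10T23:40:00Z", "203.0.113.88", "US"),
    ("doc-1002", "2019-01-11T02:05:00Z", "198.51.100.77", "XX"),
    ("doc-1003", "2019-01-11T14:30:00Z", "192.0.2.45", "DE"),
    ("doc-1004", "2019-01-11T15:00:00Z", "192.0.2.9", "DE"),
    ("doc-1005", "2019-01-12T09:00:00Z", "192.0.2.200", "FR"),
]

CONTAIN = "revoke sharing, disable the credential that downloaded it, preserve logs"


def in_any(ip: str, networks) -> bool:
    """True if ip falls inside any of the given networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def classify(doc_id: str, ts: str, src_ip: str, country: str) -> tuple:
    """Return (severity, reason, suggested response) for one beacon callback.

    Rules are checked in order of certainty: a denied country or a competitor
    network is a clear-cut breach on its own; a match against another SIEM
    detection is escalated; anything else outside the corporate network is
    an unknown location to be reviewed against sharing policy.
    """
    if country in DENIED_COUNTRIES:
        return ("high", f"{doc_id} opened in denied country {country}", CONTAIN)
    if in_any(src_ip, COMPETITOR_NETWORKS):
        return ("high", f"{doc_id} opened from competitor network {src_ip}", CONTAIN)
    if src_ip in SIEM_SUSPECT_IPS:
        return ("high", f"{doc_id} opened from {src_ip}, already flagged by another SIEM detection",
                "escalate to incident response and correlate with the originating alert")
    if in_any(src_ip, CORPORATE_NETWORKS):
        return ("info", f"{doc_id} opened inside the corporate network", "none")
    return ("medium", f"{doc_id} opened from unknown location {src_ip} ({country})",
            "review against sharing policy")


def triage(events) -> tuple:
    """Split callbacks into high-severity alerts and per-day, per-country flows."""
    alerts = []
    daily_flows = defaultdict(Counter)  # day -> country -> opens outside the corporate network
    for doc_id, ts, src_ip, country in events:
        severity, reason, response = classify(doc_id, ts, src_ip, country)
        if severity == "high":
            alerts.append({"doc": doc_id, "ts": ts, "reason": reason, "response": response})
        if severity != "info":
            daily_flows[ts[:10]][country] += 1
    return alerts, {day: dict(c) for day, c in daily_flows.items()}


if __name__ == "__main__":
    alerts, flows = triage(SAMPLE_EVENTS)
    for a in alerts:
        print(f"[HIGH] {a['ts']} {a['reason']} -> {a['response']}")
    for day, by_country in sorted(flows.items()):
        print(day, by_country)
```

The daily_flows summary deliberately includes the high-severity events as well, so that a spike in opens from one country shows up in the trend view even when each individual event has already been alerted on.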
What unknowns can Allure Document Beacons help you reveal?