Posted 23-Jun-2020 (niwis.com)

TECHNICAL BRIEF

CloudSOC AUDIT (Shadow-IT) POC Master Document

1. Introduction

1.1 Objectives

This Proof of Concept (POC) guide has been built by the SE Community for the SE Community with the aim to provide a single source of content and guidance around the high-level architecture, system requirements, prerequisites, and implementation details in order to prepare and conduct POCs for Symantec’s CASB AUDIT (Shadow-IT) solutions, by describing common use cases encountered during POCs.

1.2 Definition of CASB

Cloud Access Security Brokers (CASBs) serve as a critical control point to ensure the secure and compliant use of cloud apps and services. Cloud service providers typically maintain a shared responsibility policy for security—they guarantee the integrity of their service infrastructure, but the customer is responsible for securing actual app usage. In addition to the growing cloud security challenges organizations face to safeguard data and protect against threats in the cloud, the total volume of cloud app adoption is accelerating, with most of it being done by business units and employees without approval or security oversight from the IT organization. As a result, CASB functionality has become so critical that by 2020 it is projected that 80% of enterprises will use a CASB solution. (Gartner)

Symantec’s CASB solution is CloudSOC™, a CASB solution that integrates seamlessly with Symantec DLP, Endpoint Security (SEP), Secure Web Gateways (ProxySG, WSS), authentication (VIP), field-level Tokenization/Encryption (CDP), and file-level encryption (ICE). Together, these integrated solutions bridge the gaps between CASB and existing cloud and on-prem security solutions to protect customers’ apps and data, no matter where they or their users reside.

At the time of writing this Guide, the Symantec CASB portfolio consists of the following core features:

This document will focus on Cloud App Visibility or what is also called the AUDIT feature in Symantec’s CloudSOC™.


POC GUIDE: CLOUDSOC AUDIT | SHADOW-IT (page 02)

1.3 Definition of AUDIT

Symantec CloudSOC™ Audit discovers and monitors all the cloud apps being used in your organization and highlights any risks and compliance issues they may pose by supporting the following:

• Uncover Shadow IT

ο Gain visibility into all the cloud apps used within your company and their detailed Business Readiness Ratings™.

• Monitor Risk and Compliance

ο Identify high-risk cloud apps and provide executive reports regarding your organization’s risk profile tailored to your unique security requirements.

• Make smart App Choices

ο Compare cloud apps side-by-side, consolidate on the most secure alternatives, and continuously monitor usage for compliance enforcement and cost containment.

• Integrate with Web Security

ο Leverage integrations with Symantec Secure Web Gateways, including ProxySG and Web Security Service (WSS), to uncover Shadow IT in SWG traffic and apply granular policy controls to Shadow IT.

The Audit application ingests logs from NG firewalls and other security proxy devices to perform its Shadow IT analysis. In order to meet privacy needs and regulations, customers can also anonymize and compress log information with Symantec’s on-prem virtual appliance SpanVA, prior to log streaming. Logs are processed and results are available in the CloudSOC Audit App.

1.4 Definition of Proof of Concept

A Proof of Concept (POC) is an installation of our solution in the customer’s test environment with the aim to both demonstrate the compatibility with the customer’s environment as well as proving that the solution will cover the customer’s business needs that were previously discussed, either in the form of use cases or architectural requirements.

2. Related Documentation

CloudSOC provides an always up-to-date knowledge base and documentation repository (Tech Notes) about all features and functions. They can be accessed directly from the CloudSOC GUI:

All AUDIT related documentation can be found by selecting ‘Audit’ or directly following this deep link:

https://elastica.zendesk.com/hc/en-us/sections/200664540-Audit

All sections below will provide deep links to related Tech Notes where applicable. You need to be signed in and have the on-line help opened for these links to work.

3. AUDIT Architectures

To perform a Shadow IT Audit we can offer several ways to meet the customer’s requirements and current installed base. This section provides a brief overview of them.

3.1 Cloud based Architecture

Access logs will be directly uploaded to CloudSOC. If required, PII-related information can be tokenized within CloudSOC and revealed either through role-based access control or a strict four-eye principle using a DPO (Data Protection Officer) role.

Related Tech Notes:

Tech Note--Managing Data Sources for the Elastica Audit App.pdf

Tech Note--Managing CloudSOC User Privacy Features.pdf


3.2 Hybrid Architecture

In this architecture an on-prem virtual appliance (SpanVA) is used to locally collect the access logs and, after processing, transmit them to CloudSOC over a secure channel. SpanVA offers multiple communication options to local data stores and can act as either client or server for various protocols. In addition, SpanVA can be used to perform local tokenization of PII, with the advantage that PII is never transmitted to CloudSOC. The same four-eye principle as mentioned above can be used to reveal user identities using a DPO role. SpanVA can be downloaded from the customer’s CloudSOC tenant under Settings -> Elastica SpanVA:

Related Tech Note: Tech Note--Installing and Configuring SpanVA.pdf

3.3 On Premises Architecture

Existing ProxySG customers can leverage the integration of AUDIT into the ProxySG/ASG/VSWG and Reporter/Management Centre. These components can source the complete catalogue of rated cloud applications from the Symantec Global Intelligence Network (GIN) as part of the AUDIT subscription license and have been enhanced to provide Shadow IT analysis and control.

At the same time the customer can still use the cloud or hybrid architecture in parallel as described above.

In addition this architecture provides the following unique advantages:

• No need to send access logs to CloudSOC

• Use Management Centre as a ‘single pane of glass’ for all analysis and reporting including URL categories & risks, file reputation, AV & users

• Provides access to the raw access logs

• Control Shadow IT with enhanced policy options on ProxySG

To use this architecture a few firmware and license requirements must be met:

• ProxySG / ASG / VSWG

ο SGOS 6.6+

ο CASB AUDIT Subscription

ο If URL Filtering is also used: Standard or Advanced Intelligence Services (BCWF perpetual license is not supported)

• Reporter

ο Starting with Version 10.1.4.2

• Management Center

ο Starting with Version 1.7.1.2

Related Tech Note: Tech Note--Using Elastica Audit App Feed in Blue Coat ProxySG Policies.pdf


3.4 Integration with Symantec Cloud Web Security Service (WSS)

This integration allows new and existing WSS customers to automatically stream their WSS access logs to CloudSOC to perform Shadow IT analysis in their tenant. It is extremely easy to set up and requires no additional resources from the customer side.

Related WSS documentation: http://portal.threatpulse.com/docs/sol/Solutions/ManageWebApps/CASB/casb_audit.htm

4. POC Preparation

Before you engage in or commit to a POC, please engage with the customer to discuss the following points.

Confirm Scope; Environment/Boundaries

Check for supported Vendors/Logs

Check if their proxy or NGFW and its log formats are supported by AUDIT. Since CloudSOC is updated very frequently, check directly in the GUI by creating a new ‘Data Source’ in AUDIT -> Device Logs:

Select the vendor and check the available log formats:

Get detailed instructions on required log fields and any vendor specific special requirements from the applicable Tech Notes:

https://elastica.zendesk.com/hc/en-us/sections/200664540-Audit

In the unlikely event that the customer’s vendor or log format is not listed, ‘Elastica Flex’ can be used which requires special parser configuration and verification. Please engage with a Symantec specialist in this case.

Agree on an AUDIT Architecture

Once vendor and log format support have been confirmed agree on one of the architectures discussed above.

Document Business drivers

While there is always great interest in getting a free Shadow IT analysis, it is important to discover any specific business drivers early on. Ideally this has already taken place in the demo that preceded the PoC, where the advantages of AUDIT were presented.

Define Success Criteria and POC Goals

If business drivers are known define the success criteria for the PoC in order to meet these drivers. Help the prospect to understand the business value of AUDIT by discussing the points in section 1.3.


At this stage, without knowledge of the actual AUDIT results, prospects will most likely want the following criteria included; these may vary with the architecture chosen:

• Easy set-up and integration

• Expressive reports

• Automated reporting

• Anonymization and 4-eye-principle

• RBAC

• Minimal overhead operation

See the table below for a more detailed list of test cases to choose from. Each entry lists the ID and test case, followed by its description and benefit:

1.1 Import Firewall or Proxy logs into CloudSOC
    Description: Provide a data source for SaaS app usage analysis. This can be done via browser upload, SCP/SFTP or Elastica’s on-prem virtual appliance (Elastica SpanVA).
    Benefit: Ease and flexibility of deployment.

1.2 Anonymize PII in logs before import
    Description: Use the log anonymization option in CloudSOC or the on-prem virtual appliance to clear user-identifiable information before processing.
    Benefit: Meet specific compliance or contractual regulations concerning personal information.

1.3 Inventory of all cloud apps that employees use
    Description: Use the Audit application to inventory all SaaS apps, including unsanctioned apps (Shadow IT).
    Benefit: Visibility into all cloud apps used. Discover the scale and impact of Shadow IT. Help in creating a cloud app strategy for the organization based on cloud app usage and enterprise readiness of apps.

1.4 Establish Business Readiness Rating™ and provide risk categorization of cloud apps
    Description: Detailed analysis of each cloud app reveals its Business Readiness Rating™, summarizing 60+ metrics across seven dimensions. Apps are categorized into high, medium or low risk categories.
    Benefit: Risk classification and enterprise readiness of cloud apps.

1.5 Overview of organization’s SaaS usage and Risk Profile
    Description: The Audit Summary dashboard provides key metrics across different time horizons, including a company-wide Audit Score.
    Benefit: SaaS usage adoption summary, trends, and risk impact to the organization.

1.6 Executive Summary Views
    Description: Views on the Audit dashboard: top risky apps and most used apps, including top users and hosting locations of these apps.
    Benefit: Access to key information provided right upfront.

1.7 Monitor cloud app use over time
    Description: View historical usage over time, e.g. last week(s), month(s) or year(s).
    Benefit: Continuous Shadow IT Audit and risk assessment to stay compliant.

1.8 Discover apps that are risky and frequently used
    Description: Filter risky (high or medium risk) apps from the Services tab. Sort by traffic, count of users or sessions.
    Benefit: Uncover risky apps that can place the company’s data security and compliance in jeopardy.

1.9 Apply predefined and custom tags to discovered cloud apps individually or in bulk
    Description: Filter and report on apps based on predefined or custom criteria.
    Benefit: Ease of analysis and data modelling.

1.10 Identify apps that employees have recently adopted which may be risky
    Description: Filter new services that have appeared in your environment in a given time duration, including any risky apps.
    Benefit: Catch apps just-in-time and take further action to either monitor, sanction or define policies in the FW/proxy to block.

1.11 Identify most used apps that may not be sanctioned
    Description: Sort services by count of users, traffic or sessions in the Services tab.
    Benefit: Understand cloud adoption in the enterprise and determine if the apps may be safe to use.

1.12 Discover the most active users in the enterprise, including those that use the most services, risky services or drive the most traffic
    Description: Sort users by count of services, traffic or sessions in the Users tab. Inspect the usage of top users.
    Benefit: Helps prioritize time and focus efforts.

1.13 Discover apps that fail to meet security or compliance requirements
    Description: From Audit preferences, set the importance of a criterion that you require to Must-Have. Filter on Knocked-out services to identify apps that fail to meet your security requirements, such as MFA.
    Benefit: Help stay in regulatory compliance.

1.14 Discover apps that are hosted in locations that violate regulatory requirements
    Description: From the Destinations tab, identify any such locations from the map. Apply a filter on the location and discover apps or users of these apps from the respective tabs.
    Benefit: Help stay in regulatory compliance.

1.15 Identify multiple apps across the same category
    Description: Filter the respective category in the Services tab, such as File Sharing.
    Benefit: Opportunities for streamlining and cost reduction. Reduce the cost to monitor and secure multiple apps.

1.16 Analytics and advanced visualization
    Description: Multiple pivot views or tabs (services, users, destinations), easy-to-use filters, time scale adjustments.
    Benefit: Aid in deeper analysis.

1.17 Side by Side comparison of Cloud Apps
    Description: Use “Compare Services” within Audit to compare key SaaS apps. This functionality aids in developing a cloud app strategy.
    Benefit: Helps organizations decide which apps can be used as alternatives to risky apps. Proactively engage the business to develop a strategy for secure adoption of Cloud Apps.

1.18 Comprehensive Shadow IT Audit risk assessment reports
    Description: Generate Cloud Services Risk Assessment Reports from the Audit Summary dashboard. Reports include executive summaries along with a list of discovered services and recommendations.
    Benefit: Many benefits, including cloud app license monitoring, deciding on geofencing policies, and determining which apps should be encouraged and which should be eliminated.

1.19 Executive Summary Infographics
    Description: Generate summary infographics on demand from the Audit Summary dashboard.
    Benefit: Simple one-page summaries for business executives.

1.20 Automated Shadow IT Reports
    Description: Delivers periodic customized reports via email to critical stakeholders in the organization, containing tailored information for their specific role (e.g. new services within the last 24 hrs, week, etc.).
    Benefit: Keep multiple stakeholders from different departments informed on an ongoing basis.

1.21 Predefined and custom Tags and Comments for Services
    Description: Tag services with predefined and custom tags for easier sorting and overview. Apply comments on services.
    Benefit: Work collaboratively on Shadow-IT analysis. Easier sorting and filtering.

1.22 Custom Graphs and Reporting
    Description: Create custom graphs and reports that can be run and externalized on a schedule.
    Benefit: Zoom in on specific information and keep multiple stakeholders from different departments informed on an ongoing basis.

1.23 Export data for offline analysis and processing
    Description: Export is available on multiple pages in Audit.
    Benefit: Benefits include using the data to set access controls at the proxy/firewall through blocking of unsanctioned apps.

1.24 Enable ProxySG/ASG with Audit App-Feed
    Description: Use the complete catalogue of cloud services, their BRR or just specific BRR attributes in granular access policies.
    Benefit: Efficiently control shadow IT and leverage automated updates to the catalogue of services and their ratings.

1.25 Evaluate a cloud app that you are considering adopting
    Description: Use “Find Services” under Audit to research the app and compare it with other apps.
    Benefit: Dramatically reduce cloud service provider (CSP) vendor evaluation time.

1.26 Central management of multiple virtual on-prem appliances
    Description: Monitor status and utilization from a central point. Automatically distribute upgrades to multiple on-prem appliances.
    Benefit: Ease administrative burden in large scale deployments.

1.27 Detect anomalous user behavior and correlate between multiple apps
    Description: Apply a threat score to user accounts based on static thresholds and behavioral analysis.
    Benefit: Pinpoint existing risks such as account take-over or data exfiltration.

Define Key Stakeholders and technical Decision-Maker

An AUDIT PoC involves several groups within an enterprise. Among all of them, identify the key stakeholders and the technical decision-maker. While the driver will usually be part of the security department, the people providing/uploading the logs and setting up SpanVA will usually be part of IT operations. In some instances a workers’ council or DPO might also need to be involved.


Determine Timescale: Clear Start & End Dates

In order to get results that represent normal cloud app usage, the time frame covered by the logs should be at least one week but not exceed four weeks.

Process some Sample Logs

Experience has shown that processing some sample logs before the start of the POC makes it a much better experience for you and the prospect. This specifically holds true if logs won’t be provided from ProxySG. Ask the prospect to provide one or two small log files that you can run in your CloudSOC tenant.

Make sure that the logs process without any error and all information shows up in the AUDIT screen. Here is a list of items to check even if logs are processed successfully:

• Up- and downloaded bytes

• Correct identification of users / IP addresses

• Destinations

• Platforms

• Browsers

If needed ask the prospect to make changes to the logs so that all needed information will be present for the upcoming POC.

This step is not needed for the WSS integration.
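The sample-log checks listed above (up- and downloaded bytes, users/IP addresses, destinations, platforms and browsers) and the on-prem PII tokenization described in sections 3.2 and 5.3, as an added example that is not part of this guide and is not SpanVA or CloudSOC code: it parses a constructed W3C/ELFF-style proxy log, reports which required fields are absent or empty, and replaces user and client-IP values with keyed tokens while keeping a local reveal table for the DPO role. The field names, sample lines and key are constructed assumptions.

```python
"""Pre-flight field check and PII tokenization for a proxy access log.

Constructed example (not SpanVA or CloudSOC code): the ELFF field names follow
the W3C extended log convention used by ProxySG-style logs, but the sample
lines and the key are made up.
"""
import hashlib
import hmac
import shlex

# Items the guide says to verify in sample logs: bytes up/down, user / IP,
# destination and user agent (platform and browser are derived from it).
REQUIRED_FIELDS = ("c-ip", "cs-username", "cs-host", "sc-bytes", "cs-bytes",
                   "cs(User-Agent)")
# Fields that carry PII and are tokenized before the log leaves the premises.
PII_FIELDS = ("c-ip", "cs-username")

# Constructed sample log; "-" is the ELFF marker for an empty value.
SAMPLE_LOG = """\
#Software: constructed sample
#Fields: date time c-ip cs-username cs-host sc-bytes cs-bytes cs(User-Agent)
2020-06-01 08:01:02 10.1.2.3 alice dropbox.com 5120 2048 "Mozilla/5.0 (Windows NT 10.0) Chrome/83.0"
2020-06-01 08:01:05 10.1.2.3 alice dropbox.com 10240 512 "Mozilla/5.0 (Windows NT 10.0) Chrome/83.0"
2020-06-01 08:02:10 10.1.2.9 - wetransfer.com - 4096 "Mozilla/5.0 (Macintosh) Safari/605.1"
"""


def parse_elff(text):
    """Return (field names, list of record dicts) from an ELFF log."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue                      # other directives and blank lines
        else:
            values = shlex.split(line)    # honours the quoted user agent
            if fields is None or len(values) != len(fields):
                raise ValueError("malformed line: " + line)
            records.append(dict(zip(fields, values)))
    return fields, records


def preflight(fields, records):
    """Map each required field that is absent or (partly) empty to a reason."""
    problems = {}
    for name in REQUIRED_FIELDS:
        if name not in fields:
            problems[name] = "not in #Fields header"
            continue
        empty = sum(1 for r in records if r[name] in ("-", ""))
        if empty:
            problems[name] = f"{empty}/{len(records)} records empty"
    return problems


class Tokenizer:
    """Keyed, deterministic tokenization: one user keeps one token across all
    lines, so per-user analytics still work, but the original value can only
    be revealed with the on-prem reveal table (four-eye / DPO step)."""

    def __init__(self, key):
        self.key = key
        self.reveal_table = {}   # token -> original value; never uploaded

    def token(self, name, value):
        if value in ("-", ""):
            return value
        # The field name is part of the MAC input so an IP address and a
        # username can never produce the same token.
        mac = hmac.new(self.key, f"{name}\0{value}".encode(),
                       hashlib.sha256).hexdigest()[:16]
        tok = "tok_" + mac
        self.reveal_table[tok] = value
        return tok

    def tokenize(self, records):
        return [{k: (self.token(k, v) if k in PII_FIELDS else v)
                 for k, v in r.items()} for r in records]

    def reveal(self, tok):
        return self.reveal_table[tok]


def render_elff(fields, records):
    """Serialise records back to ELFF lines ready for upload."""
    lines = ["#Fields: " + " ".join(fields)]
    for r in records:
        lines.append(" ".join(f'"{r[f]}"' if " " in r[f] else r[f]
                              for f in fields))
    return "\n".join(lines)


if __name__ == "__main__":
    flds, recs = parse_elff(SAMPLE_LOG)
    print("pre-flight problems:", preflight(flds, recs))
    tk = Tokenizer(b"constructed-demo-key")   # a real key stays on the appliance
    print(render_elff(flds, tk.tokenize(recs)))
```

Run against the prospect's real sample file, the pre-flight output tells you which fields to have them add before the POC starts.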

Establish Milestones

Typical milestones in an AUDIT POC would be:

1. Preparation call and documentation of outcome. The call should cover all of what has been discussed above (architecture, vendor, time frame, stakeholders, etc.)

2. Process sample logs

3. Request & creation of the prospect’s CloudSOC tenant following Symantec’s eval process

4. Quick webex with prospect to perform tenant base configuration & GUI walk through

a. Set time-zone (Settings -> General)

b. Create additional administrative accounts and RBAC if needed (Users)

c. Adjust ‘Privacy Settings’ (Settings -> Privacy)

5. Prospect’s preparations including:

a. Changes to log files, if needed

b. Installation and integration of SpanVA

c. Changes to firmware releases for on-prem architecture

6. Uploading logs and verification of correct parsing

7. Short review by yourself and clarification of some unclear results with the prospect

8. Result review and documentation

9. POC review meeting with the prospect

5. Selected Milestone Details

This section provides more details about some of the milestones mentioned above. Result Review & Documentation will be dealt with later in this document.

5.1 CloudSOC Tenant Creation and Activation

The prospect’s tenant is requested by a Symantec SE based on the Symantec evaluation guidelines. The following information must be provided to do so:

• Customer Domain (e.g. company.com)

• CloudSOC tenant geo location (US or EU)

• Contact details of the prospect’s CloudSOC system admin (name, email)

• Approximate number of users

Once the tenant is created the prospect’s admin (from above) will receive an email from ‘[email protected]’ to activate the account by setting his/her password.

Ask the admin to inform you when this has been performed and proceed to the next milestone.

5.2 Tenant Basic Configuration

Engage on a Webex with the prospect to perform basic configuration tasks.

Set the time zone:


Adjust Privacy Settings (for anonymization):

Related Tech Note: Tech Note--Managing CloudSOC User Privacy Features.pdf

Add additional administrators and create ‘Access Profiles’ (RBAC) and DPO account if needed:

Related Tech Note: Tech Note--Using CloudSOC Access Profiles.pdf

Note that any new user added needs to activate his/her account the same way that the initial admin had done.

Enable ‘Threats’ in Audit and adjust settings: Please see section 6.13 further down.

5.3 Sample Log Verification

The easiest way to process some sample logs is by using a ‘Web Upload’ directly in the CloudSOC™ GUI. If, however, the prospect won’t allow uploading logs containing PII, you will have to use SpanVA and tokenization instead, and there are a few things to consider in this case:

• The combined minimum file size of logs must be 16 MB (compressed) or SpanVA will not upload data to CloudSOC™

• Monitor in SpanVA that the files have been consumed and, after processing, uploaded to CloudSOC (SpanVA -> Monitoring)

As highlighted above, search for the lines starting with ‘Found new file’ and ‘Uploading file’.

In CloudSOC™ correct upload and processing of sample logs can be verified under Audit -> Device Logs:

Note: Log files arriving in CloudSOC™ will be queued for processing, and PoC tenants might get lower priority than those of paying customers. For this reason you should allow up to 4 hours (Web Upload) or even 8 hours (SpanVA Upload) until the status turns ‘green’.

5.4 Short Review after a Few Logs Have Been Processed

After some logs have been processed successfully, please go on a Webex with the prospect and quickly review the results so far. This will help in preparing the final review, as you will gain more knowledge of the prospect’s specific set-up.

Here are a few things you should be looking for:

• Dominant use of specific apps -> ask if these are sanctioned apps by the prospect

• Permanent massive cloud usage over all or specific applications by a single user -> this might be a technical user of some application

• Only a few destinations showing up as ‘Unknown’ but with massive data volume -> might be a next hop security device and not the location of the application’s data centres


In the ‘destinations’ case it might be needed to adjust the fields in the logs, delete the processed data sources and start anew.

Related Tech Note: Tech Note--Using the Audit App.pdf

6. Result Review and Documentation

After the agreed amount of logs (by time frame) has been uploaded and processed, you can use CloudSOC or Management Centre (based on the architecture chosen) to get answers to the following questions:

• Does my cloud strategy lag cloud usage?

• How many cloud services are in use in my organization?

• What is my Audit or risk score as an organization?

• What unapproved cloud services are being used most?

• Which cloud services introduce the most risk and who is using those services?

• What cloud services are consuming the most bandwidth?

• What alternative cloud services to the ones being used are available?

• Do the alternatives introduce more or less risk to the organization?

• Where are the applications being hosted?

• Where should priorities be placed in embracing adoption and/or mitigating risk?

We will cover some steps involved as examples to answer these questions in this section.

The result should be presented to the prospect in a review meeting. You should agree with the prospect on the format of the results that are handed over to them (Word style document or PPT).

This document will use CloudSOC AUDIT as the analysis tool and a Powerpoint presentation as a resulting document.

Note that the goal should be that the prospect learns to perform a Shadow IT analysis by himself under your supervision. This will create confidence in using our solution and will definitely add to our advantages. However, this might not always be in the interest of the prospect.

Related Tech Note: Tech Note--Using the Audit App.pdf

6.1 Prepare for Analysis

In some cases it is good practice to exclude some of the discovered applications from further analysis.

A good example is the applications under the category ‘Advertising’, because they are not directly chosen by the users but can create substantial amounts of data, sessions and destinations in the background. As such they can lead to misleading results in application usage.

This example shows how to ‘ignore’ discovered apps in the category Advertising.

If you see more than one application of this category in the top ten under Audit -> Summary -> Top Used Services, you might want to exclude them all together.

Select the ‘Services’ Tab in Audit, open the filter menu and search for Category ‘Advertising’

You will then be presented with all detected apps that fall under this category.

Select all found services and choose ‘Tags’ under ‘Actions’.

In the resulting pop-up menu assign ‘ignore’ to all the selected services and hit ‘Apply’.


Since the default filter will not list any ‘ignored’ services they will be exempted from further analysis.

The same procedure can of course be run with any other category, a combination of them or individual services.

Make sure that you include this information in the final documentation and discuss it in the review meeting:

6.2 Adjusting Business Readiness Rating (BRR) Settings

You should at least discuss the options to adjust the weighting of BRR attributes with the prospect.

Adjusting BRR attributes allows the prospect to weigh in their preferences or requirements with respect to cloud applications. As an example: their requirements towards CRM applications might be much more stringent than towards email applications. BRR profiles allow them to achieve this.

Note: This is often asked for and to some extent important to the prospects. Usually a full adjustment cycle going through a number of service categories and their attribute ratings takes some time and might create more concern than good.

Global BRR Profile

CloudSOC comes with a default ‘Global’ BRR profile, accessible in Audit -> Preferences

When making changes to the Global profile all applications from the catalogue are affected!

When selecting ‘Edit’ under ‘Actions’ you can adjust the sliders behind the BRR attributes contributing to the application’s overall BRR.

In some instances only the BRR sub-category as a whole can be adjusted, in others each attribute by itself. It is also possible to completely neglect specific attributes by de-selecting them:


The slider to the right determines the ‘weight’ of the attribute or sub-category depending on the prospect’s requirements or preferences. The following importance settings can be selected with the slider and will affect application BRR values depending on if they are met or not met by the applications:

Note: Changes in the BRR profiles will cause some computational tasks for CloudSOC and the results will not show up immediately! Depending on the number of services discovered you should give it 30 minutes or more to complete.

Custom BRR Profiles

As mentioned above, changes in the ‘Global’ BRR profile will affect all services’ ratings. Prospects might want to adjust their rating importance on a single application. We chose not to go this route for several reasons:

• becomes a cumbersome task if needed to be done for all applications

• an inherent risk to ‘cheat yourself’ and give single applications a high BRR

• defeats the side-by-side comparison of applications (discussed further below)

That’s why we introduced custom BRR profiles based on categories of applications. CloudSOC allows you to choose the application categories that custom profiles will apply to.

When creating a custom BRR profile you are asked to select the application categories the profile will apply to:

At the time of writing there are about 200 categories available to choose from.

The process to make changes to the importance of specific sub-categories and attributes is the same as described above.

Note: If multiple BRR profiles exist and are activated CloudSOC will always choose the lowest BRR from all profiles in determining the BRR of a specific application!

‘Knocking Out’ Services

A specific case of BRR adjustments is to ‘knock out’ a service.

When setting the slider to ‘Must have’ in a BRR profile, all services that don’t fulfil these attributes are ‘knocked out’. This shows as a greyed-out BRR value within all Audit screens:

Note: You can filter by ‘Knocked Out’ services and may ‘Tag’ them as explained previously in this document:
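The following toy model, added for this guide and not CloudSOC’s own code, puts the BRR profile rules described above together: slider weights, ‘Must have’ knock-outs, the lowest BRR across all active profiles, and the 50% drop for services ‘Compromised in last 90 days’ that section 6.5 describes. The weighted-average arithmetic, the numeric slider weights and all profile and service data are assumptions constructed for the illustration.

```python
"""Toy model of the BRR profile rules: slider weight, 'Must have' knock-out,
lowest BRR across active profiles, optional 50% drop for services compromised
in the last 90 days. Not CloudSOC's real formula; the weighted-average
arithmetic and the numeric slider weights are assumptions."""
from dataclasses import dataclass
from typing import Optional

MUST_HAVE = "Must have"
# Slider labels mapped to assumed numeric weights.
WEIGHTS = {"Not important": 0.0, "Low": 1.0, "Medium": 2.0,
           "High": 3.0, MUST_HAVE: 3.0}

@dataclass
class Service:
    name: str
    categories: set          # AUDIT categories the service belongs to
    attributes: dict         # attribute name -> True if the service meets it
    compromised_90d: bool = False

@dataclass
class BRRProfile:
    name: str
    importance: dict                  # attribute -> slider label
    categories: Optional[set] = None  # None = Global profile, applies to all
    halve_if_compromised: bool = False

    def applies_to(self, svc: Service) -> bool:
        return self.categories is None or bool(self.categories & svc.categories)

    def rate(self, svc: Service) -> Optional[float]:
        """BRR in 0..100, or None when the service is knocked out."""
        total = earned = 0.0
        for attr, label in self.importance.items():
            met = svc.attributes.get(attr, False)
            if label == MUST_HAVE and not met:
                return None               # knocked out: greyed-out BRR
            total += WEIGHTS[label]
            earned += WEIGHTS[label] if met else 0.0
        score = 100.0 if total == 0 else 100.0 * earned / total
        if self.halve_if_compromised and svc.compromised_90d:
            score *= 0.5                  # 'Compromised in last 90 days' option
        return score

def effective_brr(svc: Service, profiles) -> Optional[float]:
    """Lowest BRR over all active profiles that apply (the Global profile must
    be in the list); a knock-out in any applicable profile wins over any number."""
    ratings = [p.rate(svc) for p in profiles if p.applies_to(svc)]
    if not ratings:
        raise ValueError("no applicable profile: include the Global profile")
    return None if None in ratings else min(ratings)

# Constructed sample data: a Global profile and a custom 'File Sharing' profile
# that makes MFA a must-have and halves the BRR of compromised services.
GLOBAL = BRRProfile("Global", {"encryption_at_rest": "High", "mfa": "Medium",
                               "soc2_report": "Medium", "gdpr_ready": "Low"})
FILE_SHARING = BRRProfile("File Sharing", {"encryption_at_rest": "High",
                          "mfa": MUST_HAVE, "soc2_report": "Low", "gdpr_ready": "Low"},
                          categories={"File Sharing"}, halve_if_compromised=True)
PROFILES = [GLOBAL, FILE_SHARING]
SERVICES = [   # ShareA is knocked out, ShareB rates 43.75, CrmC rates 75.0
    Service("ShareA", {"File Sharing"}, {"encryption_at_rest": True, "mfa": False,
                                         "soc2_report": True, "gdpr_ready": False}),
    Service("ShareB", {"File Sharing"}, {"encryption_at_rest": True, "mfa": True,
                                         "soc2_report": True, "gdpr_ready": False},
            compromised_90d=True),
    Service("CrmC", {"CRM"}, {"encryption_at_rest": True, "mfa": True,
                              "soc2_report": False, "gdpr_ready": True}),
]
```

Note how ShareB rates 87.5 under the Global profile but 43.75 effectively: the custom profile applies to its category and, per the rule above, the lowest value wins.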

6.3 Predefined Reports

The quickest and easiest way to get AUDIT results is running the predefined ‘Infographic’ and ‘Overview Report’.

In Audit -> Summary, just click on the related buttons and, once fully loaded, click ‘Print’ to save as PDF:

While the ‘Infographic’ represents a very condensed single page graphic, the ‘Overview Report’ goes into much more detail.

Note: The Audit report will be created right at the time you click the button. It will honour any data sources that you selected (default is ‘All’), the time frame you picked as well as any filters you apply in ‘Configure’:

Use the default settings as shown in the above screenshot as a best practice approach!

The Cloud Services Risk Assessment Overview Report includes:

• Executive Summary

ο Risky Services

ο Most Used Services

ο New Services

ο Top Active Users

• Service Categories

• Service Hosting Locations & Data Centers

• List of Discovered Services

• List of Users

• Recommendations

The report can easily span 100+ pages depending on the number of applications discovered and might take some time (usually less than a minute) to render fully.

The ‘Infographic’ as well as the ‘Overview Report’ should be handed out to the prospect.

Scheduled Reports

You can run the ‘Overview Report’ on a configurable schedule, let’s say once a week. For this, select ‘Scheduled Reports’ within the Audit menu:

After selecting ‘Schedule New Report’ you can configure the recipients (must be defined Users with at least admin status in CloudSOC), the sections to be available in the report and the time frame of analysis.

The example below creates a weekly report on newly discovered services:

Use scheduled reports in POCs that feature continuous upload of access logs, such as the ‘WSS Integration’ architecture. They make an excellent case for ongoing Shadow IT analysis and should be included in the final documentation:

6.4 Top Used and Top Critical Services

Right from the ‘Audit -> Summary’ tab you can filter on these two criteria:

‘Top Used Services’ is the default setting. The lists are sorted by number of users.

This screenshot (like all others in this section) is taken from a review presentation used to present the findings, show some statistics (from the ‘Overview Report’) and point out findings that could be discussed in more detail. Here we see that O365 is obviously sanctioned by the prospect, but a considerable number of users are using a ‘competing’ storage application (highlighted):

Leverage these findings to bring the ‘Side-By-Side Comparison’ feature into play; it is explained in more detail below.

When selecting ‘Most Risky Services’ you will be presented with a view of the apps with the lowest BRR, again sorted by number of users:

6.5 Review of Services ‘Compromised in Last 90 Days’

We recently added very important information about discovered cloud services in terms of vulnerabilities or compromises disclosed for them (see first screenshot in section 6.4 above).

This information is constantly updated and provides valuable insight into the additional risks associated with using these services.

As a consequence you can have their BRR automatically drop by 50% by editing your BRR Profile(s) in Audit -> Preferences and making the following setting:

Note: This should be discussed with the prospect as some might object that this will have ‘negative’ impact on their ‘Audit Score’.

6.6 Review of ‘Top Denied Services’

Audit also allows you to analyse log entries that were denied or blocked by the proxy or NGFW. This is a great tool to visualize where the currently implemented policies might fail or need adjustment. Just use the top level filter under ‘Configure’ and select ‘Denied’ for ‘Access Status’:

You can apply all other analysis as mentioned before or later on in this document with this setting.

A way to present this in the final review session could be:

Note the ‘Do Not Enter’ sign beside the application names.

6.7 Review by Service Category

Since several hundred cloud applications will be discovered, it is good practice to filter applications by their category to get a better overview.

Note: AUDIT categories are not the same as URL categories that you might be familiar with from Web Security solutions like ProxySG. At the time of writing the system features 200+ categories specifically created for cloud applications.

Start off with ‘Audit -> Services’ and invoke the filters to choose categories:

In the example above, ‘Video Hosting’ might not be of much interest as the company’s network is open for private usage and watching videos is obviously one of the employees’ favoured pursuits.

Note: The percentage shown behind each category is based on total bytes transferred, which makes ‘Video Hosting’ come up high in the list!

6.8 Review of Services in Most Used Categories

You should then filter out specific categories to examine what applications are most popular in this space. Remember that one goal of AUDIT is to give suggestions for ‘sanctioned’ applications and the option to consolidate a large variety of used apps into a few or even a single one.

Review the list above and provide detailed application usage in the most used categories.

We will use ‘File Sharing’ as an example:

The slide above contains information about the data transferred throughout the period of the POC, a list of apps in the category sorted by data uploaded (we are talking about file sharing!), a list of these apps by popularity among the users and a summary of the category at the bottom.

With this combined information you will be able to present all relevant details in a single slide if you choose PPT as the delivery method for the final review session with the prospect.

Other categories of interest should be discussed with the prospect and handled in the analysis like the example above.

From experience the following categories should be covered:

• File Sharing

• File Storage

• Collaboration

• Online Productivity Suites

• Email

• CRM

6.9 Side-By-Side Comparison of Services

Let’s come back to the example in section 6.4, where O365 is sanctioned by the prospect but we also see a large portion of users going to ‘Google Cloud Storage’ as a ‘competing’ service.

CloudSOC allows customers to get detailed knowledge about all services in the catalogue right from the ‘Service Details’ screen. This will help the prospect to make intelligent decisions when choosing services that align best with their requirements. It also allows comparing up to four services ‘side-by-side’ by listing all attributes and their ratings in a table.

First we will try to find out if ‘Google Cloud Storage’ is frequently used by clicking on it in the list of most used services, which will take us straight to the ‘Service Details’ screen:

Here we see that it is used by almost 20% of all users without showing any peaks in usage, so it is obviously used on a very regular basis.

Let’s compare the sanctioned and unsanctioned service by their BRR.

Here we select the category ‘Storage’, search for a service name containing ‘Google’ and select ‘Google Cloud Storage’ from the resulting list:


As a result we get a service comparison (screenshot truncated):

Bring these findings up in the review session and explain the advantages of a ‘Side-by-Side Comparison’.

6.10 Review Users

Audit lets you ‘slice and dice’ through the shadow IT findings from different perspectives. One of them is a focus on users. Here you can find out if there are power users, the number of services per user encountered, the amount of data uploaded and downloaded, etc.

Click on the ‘Users’ tab in Audit and examine their shadow IT usage by filtering on different columns:

Note: This example features anonymization and the customer will need to engage the DPO to reveal the real identity of the user highlighted top right.

6.11 Review Destinations

Prospects would like to see where their data is stored as a result of shadow IT use. This is featured in the ‘Destinations’ tab of Audit. It also allows you to quickly filter on suspicious destinations, see which services have been used by which users, and so forth.

Here we found an interesting fact: someone is obviously hosting a website in Panama:


As all the information in Audit is interlinked we can quickly gain more information about this service by just clicking on it and following the highlighted links:

Find similar suspicious locations, document them and include them in the final review session!

6.12 Reporting Dashboard

So far we have used predefined reports and the screens in Audit to perform our analysis. There is, however, a very versatile tool that lets you create custom graphs and reports based on virtually any information available in Audit: the Reporting Dashboard. Make sure you use this unique feature and present it to the prospect!

As you can see above you can create multiple dashboards with a number of ‘Widgets’ in them. There are predefined widgets and you can create custom ones.

To further ease the analysis we recently introduced ‘Factory Default Dashboards’ for various aspects of CloudSOC™ and of course a special one for AUDIT.

You will need to import these dashboards into your account by following this procedure.

Choose ‘All Dashboards’ as shown below:

Top right select ‘Import Dashboards’ and drop down to ‘Factory Default Dashboards’:

Note: There may be additional dashboards in the list that another administrator created and shared with you.

You will then see all the default dashboards imported in the list of dashboards and be able to select the ‘Shadow IT’ one:


This one is currently showing 21 preconfigured Widgets that provide additional best practice analysis on the use of shadow IT.

Nonetheless, we encourage you to create your own custom dashboards to perform analysis that the prospect is specifically interested in.

Here are a few examples:

Trend reports are useful to organizations looking to understand activity over time and to monitor for unusual or suspicious behaviour. Below are three examples of Shadow IT trend reports; the aim is to demonstrate how filtering can provide more granular information that can lead to identifying a specific incident for further investigation.

• Widget 1: Presents the number of services on a daily basis, along with the number of users and amount of information in total bytes (Upload and Download).

• Widget 2: Filters have been applied to only display File Sharing and Cloud Storage services, along with the number of users and the amount of information uploaded (leaving the organization).

• Widget 3: Filters have been applied to only display Email services, along with the number of users and the amount of information uploaded (leaving the organization).

Real World Use Case: Customer was monitoring the amount of information leaving their organization to File Sharing and Cloud Storage Applications. They noticed that on a specific day there was an unusual amount of information being uploaded, in what appeared to be a narrow window of time:

• They pivoted from the report into the Audit console and the Services tab, then narrowed the time frame to the specific day and were able to see when and over what period the information left the organization.

• They were then able to use the filters in the console to see the specific service that was used, and then from the Users tab the specific user that had uploaded the information.

• From that point, they were able to select that user and look at the specific applications and usage patterns of that user over a 30-day period.

This all took a very short period of time and they were then able to do two things:

• Go to the specific proxy logs to look for more detailed information on what had left the organization

• Go to management with the detailed reports and visual information to make an informed decision on next steps.
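The following script, added here and not CloudSOC code, replays the use case above on an access-log extract: it aggregates daily uploads to File Sharing and Cloud Storage (Widget 2), flags the unusual day, and pivots to the service, the user and the time window behind the burst. The log records, their CSV layout and the ‘three times the median day’ threshold are constructed for this illustration.

```python
"""Trend-report pivot over an access-log extract: daily uploads to watched
categories, spike detection, and drill-down to service, user and time window.
Added illustration, not CloudSOC code; the data and CSV layout are constructed."""
import csv
import io
import statistics
from collections import Counter

WATCHED = {"File Sharing", "Cloud Storage"}

# Constructed access-log extract (not real data): normal daily traffic plus
# one burst of uploads by a single user on 2017-10-05.
LOG = """\
timestamp,user,service,category,bytes_up
2017-10-02T09:12:00Z,user01,ShareBox,File Sharing,120000
2017-10-02T14:30:00Z,user02,CloudDrive,Cloud Storage,200000
2017-10-02T16:05:00Z,user03,MailHost,Email,50000
2017-10-03T10:01:00Z,user01,ShareBox,File Sharing,150000
2017-10-03T11:45:00Z,user04,CloudDrive,Cloud Storage,180000
2017-10-04T09:20:00Z,user02,ShareBox,File Sharing,90000
2017-10-04T15:10:00Z,user05,CloudDrive,Cloud Storage,260000
2017-10-05T08:55:00Z,user01,ShareBox,File Sharing,110000
2017-10-05T13:02:00Z,user07,DropShare,File Sharing,21000000
2017-10-05T13:11:00Z,user07,DropShare,File Sharing,19500000
2017-10-05T13:20:00Z,user07,DropShare,File Sharing,7500000
2017-10-05T17:40:00Z,user03,MailHost,Email,4000000
2017-10-06T10:30:00Z,user04,CloudDrive,Cloud Storage,210000
"""

def parse_log(text):
    """Parse the CSV extract into dicts with integer byte counts and a day key."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["bytes_up"] = int(r["bytes_up"])
        r["day"] = r["timestamp"][:10]
    return rows

def daily_upload(rows, categories):
    """Widget 2 equivalent: bytes uploaded per day to the watched categories."""
    per_day = Counter()
    for r in rows:
        if r["category"] in categories:
            per_day[r["day"]] += r["bytes_up"]
    return dict(per_day)

def flag_spikes(per_day, factor=3.0):
    """Days whose upload volume exceeds `factor` times the median day."""
    baseline = statistics.median(per_day.values())
    return sorted(d for d, b in per_day.items() if b > factor * baseline)

def _top(rows, key):
    """(value, bytes) of the `key` column that uploaded the most bytes."""
    c = Counter()
    for r in rows:
        c[r[key]] += r["bytes_up"]
    return c.most_common(1)[0]

def pivot(rows, day, categories):
    """Drill down from a flagged day to the top service, the top user of that
    service and the time window in which that user's uploads happened."""
    hits = [r for r in rows if r["day"] == day and r["category"] in categories]
    service, svc_bytes = _top(hits, "service")
    svc_rows = [r for r in hits if r["service"] == service]
    user, user_bytes = _top(svc_rows, "user")
    stamps = sorted(r["timestamp"] for r in svc_rows if r["user"] == user)
    return {"day": day, "top_service": (service, svc_bytes),
            "top_user": (user, user_bytes), "window": (stamps[0], stamps[-1])}
```

Running `pivot(parse_log(LOG), flag_spikes(daily_upload(parse_log(LOG), WATCHED))[0], WATCHED)` yields the single flagged day, the DropShare service, user07 and an 18-minute upload window; the Email burst on the same day is ignored because that category is not watched.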

Include these graphs in your review presentation and also create a PDF report from them to be handed out to the prospect.

Related Tech Note: Tech Note--Customizing CloudSOC Dashboards.pdf

6.13 Uncover the Unexpected

By now you have certainly gathered a lot of unexpected facts about the prospect’s shadow IT usage and associated risks. However, it is worthwhile to uncover some ‘incidents’ that are not too obvious from a quick glance.

As an example, search for large peaks in data uploads to specific file sharing or storage applications:

Here we see that a single user was responsible for this data exfiltration. We can find out when he was doing the transactions and who the user is.

Another example would be the use of cloud based VPN services. Why would someone try to hide his transactions?

Note: Obviously the category ‘VPN’ will not show up as a top category so you will need to search for it in the filters:

Apart from looking at categories, you should filter out (the same way as above) and investigate detected services that can pose critical risks to the prospect, for instance ‘LastPass’ to identify users who may be hosting AD credentials in a cloud-based password repository, or the well-known ‘SourceForge’, where the customer’s developers may be publicly hosting code written specifically for the customer.

6.14 ‘Threats’ in Audit

Another way to uncover the unexpected is ‘Threats in Audit’.

When enabled for the prospect’s CloudSOC tenant, ‘Threats’ in Audit applies a subset of the threshold- and behaviour-based detectors of the DETECT module to find anomalies within the access logs, and also features some detectors specific to Audit.

Check to see if this function is enabled in the GUI. If not, please contact the Symantec Cloud Security Specialist to have it enabled:

To see what is being detected select ‘Preferences’ as shown on the screenshot above and click on ‘Threats’:

Note: Not all detectors are enabled by default. For a POC it is recommended to enable these detectors and adjust them to lower thresholds/durations and confidence levels (depending on the time frame of logs processed). Leave the ‘importance’ settings at their defaults.


These are the default settings:

You can examine threats at the user or incident level:

The ‘Users’ tab lists them by their accumulated ‘ThreatScore’, which results from the number and importance of the incidents detected.

From here you can get the user’s ‘Threat Tree’ to see the detected incidents and their contributions to the ThreatScore:

To examine specific incidents, please use the ‘Incidents’ tab and select an incident. Filtering can and should be applied:

Note: Some caution should be used here as the ‘Too many accesses to low reputation websites’ rule seems to generate quite a few false positives. This will change once we use the Symantec GIN as a more reliable threat intelligence source.

7. POC Closure

Cross-check with original Scope and Success Criteria and formally close POC

Throughout the ‘Result Review and Documentation’ process as detailed in section 6 above, make sure you meet the agreed success criteria. Once the documentation is finished, agree with the prospect on a time and the form of the presentation of the results.


Copyright ©2017 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, and the Checkmark Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

350 Ellis St., Mountain View, CA 94043 USA | +1 (650) 527 8000 | 1 (800) 721 3934 | www.symantec.com

POC Master Document Symantec CloudSOC - v2

About Symantec

Symantec Corporation (NASDAQ: SYMC), the world’s leading cyber security company, helps businesses, governments and people secure their most important data wherever it lives. Organizations across the world look to Symantec for strategic, integrated solutions to defend against sophisticated attacks across endpoints, cloud and infrastructure. Likewise, a global community of more than 50 million people and families rely on Symantec’s Norton suite of products for protection at home and across all of their devices. Symantec operates one of the world’s largest civilian cyber intelligence networks, allowing it to see and protect against the most advanced threats. For additional information, please visit www.symantec.com or connect with us on Facebook, Twitter, and LinkedIn.

8. Communication and Commitment

8.1 Results

Summary and Full Report

Once you have finished the steps in section 6 you will end up with a full report.

As agreed with the prospect it could be in the form of a PDF document (text based) or a PPT presentation.

Make sure that you also include information on how the solution could be implemented in the prospect’s environment. It is also very important to point out how CloudSOC enables the safe implementation and operation of cloud services with its other modules (DETECT, PROTECT, INVESTIGATE). Use the information gathered in the shadow IT analysis to bring up scenarios for the services that are already sanctioned and those the prospect is considering implementing.

Presentation to key Stakeholders

It is good practice not only to hand in the resulting documentation but also to present the results in a meeting with the customer. There will be quite a few questions on the findings and you will gain more information on their current use of the cloud. Make sure that the key stakeholders are present.

Bring up the possibility to run a free ‘Shadow Data’ assessment if they use sanctioned services that we support.

8.2 Next Steps to Sale

Close Technical Decision

In this step the architecture for Audit will be discussed and decided. It is likely to differ from the one used in the POC, especially if the prospect is using Symantec Web Security solutions and can take advantage of the tight integrations we offer.

Some things to consider here are:

• Audit architecture

• Log volume

• Prospect’s network set-up and geographic presence

• RBAC and data privacy issues

• In case of ‘On-Premise’ architecture: Release level of ProxySG/ASG/SVWG and the need for the required versions of Reporter and Management Center

Change Log

Date               Person         Comment
October-20-2017    Thomas Drews   First Release based on CloudSOC 2.87