Identifying Suspicious User Behavior
- Updated on 28 Aug 2023
Providing visibility into human and entity behavior in SaaS applications over time, and detecting anomalies and suspicious behavior (using various methods) that may pose a risk, is crucial to maintaining a strong SaaS security posture.
Existing Challenge
The expansion of SaaS usage gives attackers fertile ground to exploit weaknesses introduced by misconfigurations and accidental changes.
Data breaches such as the Okta breach by the LAPSUS$ group demonstrate the need for an additional behavior analytics layer to reinforce SaaS security posture management: a layer that continuously monitors, alerts on, and remediates suspicious activity in the cloud.
The value of behavior analytics, then, is not that it prevents attackers or insiders from accessing critical systems. Instead, it informs investigations into SaaS application activity and accelerates incident response.
How Axonius Analyzes Patterns of Human and Entity Behavior in SaaS Applications
Axonius SaaS Management’s behavior analytics capabilities have the following key components:
- Log and event aggregation - collecting and normalizing logs from various SaaS applications, together with the data within Axonius SaaS Management, over time.
- Data visualization and analysis - presenting the normalized data with the broader context needed for in-depth investigation.
- Behavior analytics engine - using various methods (rules, statistical models, and machine learning) to identify suspicious activities, events, and complex patterns, and to generate findings with alerting, actionability, and automation.
The product fetches and normalizes logs from various sources, such as SSO providers (e.g. Okta), then runs its behavior analytics engine to generate findings for abnormal and suspicious use cases, such as:
- New suspicious Okta admin
- A user that was granted admin permissions
- A newly created Okta admin user that logged in to an app less than 24 hours after its creation
Discovering Anomalies that Indicate Potential Threats
First, in the Findings module, filter for the findings of the 'Logs and analytics' module, which are generated by the behavior analytics engine.
Findings include an effective date field, which indicates the point in time at which the finding is relevant. It may differ from the finding's creation date, which is displayed in the datetime field.
Hover over the desired finding (e.g. 'New suspicious Okta admin' or any of the findings listed above) and use the action menu to show the logs and events related to that finding. You can also export the filtered findings to a CSV file for additional analysis.
The Logs and Analytics module opens, pre-filtered to the events associated with the examined finding.
Each event includes the following information:
- Actor - the entity that performed the action.
- Name and description - the event details (e.g. action name and description).
- Account and affected user - the impacted entity, i.e. the affected user account.
- Additional attributes - special attributes of the event, e.g. whether it has been classified as important, or whether it failed.
- Related findings - the number of findings the event is associated with. Click it to view those findings.
- Location - the IP address and the geo-location of the actor.
The Logs and Analytics module shows the log of filtered results. You can zoom into a specific timeframe on the timeline of events, and the module then shows only the events within that selected timeframe.
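To make the pipeline concrete (aggregation and normalization, a rule-based engine generating findings, and the per-event fields and timeline zoom described above), here is an added Python example. It is not Axonius code and not the product's actual rule set: it normalizes a constructed sample of Okta-style System Log entries into the event fields listed above (actor, name and description, affected user, failed flag, related-findings count, location), runs two simple rules modeled on the 'user granted admin permissions' and 'new Okta admin logged in within 24 hours of creation' findings, stamps each finding with an effective date (time of the triggering event) distinct from its creation time, and filters events to a timeframe. The field names, the 24-hour threshold, the sample values and the helper functions are assumptions for illustration; only the eventType strings are Okta's own System Log names.

```python
"""Toy behavior-analytics pass over constructed Okta-style System Log entries."""
from datetime import datetime, timedelta, timezone

NEW_ADMIN_WINDOW = timedelta(hours=24)  # threshold from the "new Okta admin" finding


def user(login):
    return {"type": "User", "alternateId": login}


def app(name):
    return {"type": "AppInstance", "displayName": name}


def entry(uuid, event_type, message, published, actor, target, result, ip, country):
    """Build one constructed record in the shape of an Okta System Log entry."""
    return {"uuid": uuid, "eventType": event_type, "displayMessage": message,
            "published": published, "actor": user(actor), "target": [target],
            "outcome": {"result": result},
            "client": {"ipAddress": ip, "geographicalContext": {"country": country}}}


# Constructed sample log (values invented; only the eventType strings are Okta's).
RAW_LOG = [
    entry("e1", "user.lifecycle.create", "Create okta user", "2023-08-28T09:00:00.000Z",
          "it.admin@example.com", user("new.hire@example.com"), "SUCCESS", "203.0.113.10", "United States"),
    entry("e2", "user.account.privilege.grant", "Grant user privilege", "2023-08-28T09:30:00.000Z",
          "it.admin@example.com", user("new.hire@example.com"), "SUCCESS", "203.0.113.10", "United States"),
    entry("e3", "user.authentication.sso", "User single sign on to app", "2023-08-28T14:00:00.000Z",
          "new.hire@example.com", app("Slack"), "SUCCESS", "198.51.100.7", "Germany"),
    entry("e4", "user.account.privilege.grant", "Grant user privilege", "2023-08-29T08:00:00.000Z",
          "it.admin@example.com", user("veteran@example.com"), "SUCCESS", "203.0.113.10", "United States"),
    entry("e5", "user.authentication.sso", "User single sign on to app", "2023-08-29T08:05:00.000Z",
          "veteran@example.com", app("GitHub"), "FAILURE", "192.0.2.44", "Brazil"),
]


def normalize(raw):
    """Map a raw entry onto the per-event fields the Logs and Analytics view lists."""
    affected = next((t["alternateId"] for t in raw["target"] if t["type"] == "User"), None)
    return {
        "id": raw["uuid"],
        "time": datetime.fromisoformat(raw["published"].replace("Z", "+00:00")),
        "actor": raw["actor"]["alternateId"],
        "name": raw["eventType"],
        "description": raw["displayMessage"],
        "affected_user": affected,
        "failed": raw["outcome"]["result"] != "SUCCESS",
        "related_findings": 0,  # filled in by analyze()
        "location": (raw["client"]["ipAddress"], raw["client"]["geographicalContext"]["country"]),
    }


def analyze(events, now):
    """Run the rule set. A finding's effective date is the time of the event that
    triggered it; its creation time is `now`, when the engine ran."""
    events = sorted(events, key=lambda e: e["time"])
    findings = []

    def emit(name, login, related, effective):
        for ev in related:
            ev["related_findings"] += 1
        findings.append({"name": name, "user": login, "effective_date": effective,
                         "created_at": now, "event_ids": [ev["id"] for ev in related]})

    created = {e["affected_user"]: e for e in events
               if e["name"] == "user.lifecycle.create" and not e["failed"]}
    grants = [e for e in events
              if e["name"] == "user.account.privilege.grant" and not e["failed"]]

    # Rule 1: every successful admin-privilege grant is a finding on its own.
    for g in grants:
        emit("User granted admin permissions", g["affected_user"], [g], g["time"])

    # Rule 2: user created, made admin, and signed on to an app < 24h after creation.
    for g in grants:
        birth = created.get(g["affected_user"])
        if birth is None:
            continue
        for login in events:
            if (login["name"] == "user.authentication.sso" and not login["failed"]
                    and login["actor"] == g["affected_user"]
                    and birth["time"] < login["time"] < birth["time"] + NEW_ADMIN_WINDOW):
                emit("New Okta admin logged in to an app within 24h of creation",
                     g["affected_user"], [birth, g, login], login["time"])
                break
    return findings


def in_timeframe(events, start, end):
    """Timeline zoom: keep only events with start <= time < end."""
    return [e for e in events if start <= e["time"] < end]


def run(now=None):
    """Normalize the sample log and analyze it; returns (events, findings)."""
    events = [normalize(r) for r in RAW_LOG]
    return events, analyze(events, now or datetime.now(timezone.utc))


if __name__ == "__main__":
    for f in run()[1]:
        print(f["name"], f["user"], f["effective_date"].isoformat(), f["event_ids"])
```

On this sample the engine produces three findings: two admin grants (one for the new hire, one for the long-standing user) and one 24-hour finding tied to the create, grant and SSO events of the new hire, whose effective date is the SSO login time rather than the run time. The failed SSO attempt from a third country is kept as a normalized event with its failed flag and location, but matches no rule; a real engine would add statistical and learned baselines on top of rules like these.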