As the worldwide spending on SaaS spending will make up more than half of all public cloud services spending through 2019, it is critical to have end-to-end visibility into threats across your SaaS and on-premise applications.
Sumo Logic and Netskope are collaborating on a technical integration that will help joint customers use Sumo Logic to correlate, validate and investigate Netskope alerts into their overall security incident investigation process and understand SaaS application usage patterns. Netskope is a CASB (cloud access security broker) used to address cloud service risks, enforce security policies, and comply with regulations, even when cloud services are beyond their perimeter and out of their direct control.
Those capabilities combined with Sumo Logic’s cloud-native machine data and security analytics platform empower enterprises to identify and remediate the root cause behind new security threats.
The Sumo Logic App for Netskope provides the following benefits:
- Centralized solution for aggregating CASB security alerts along with those from on-premise systems to maintain visibility for audits and compliance throughout your hybrid IT and security infrastructure
- Comprehensive incident investigation for determining the root cause and effect of compromised users or machines across Netskope and other security products
- Use Sumo Logic to better understand cloud application usage to optimize costs
How does it work?
Netskope aggregates all cloud and web data from disparate resources. Sumo Logic provides a collector agent for pulling all the events and alerts from Netskope in real time via API calls and ingests them into Sumo Logic platform through our hosted collector. For more details on setting up collection, please check the documentation for the Collect Logs for Netskope App
The Sumo Logic App for Netskope
The following sections goes deep into how the new Sumo Logic app for Netskope helps solving above use cases.
Understanding Application Usage insights
“Netskope - Application Overview” provides the view of the current state of your applications like
number of users, sessions, applications and sites in last 24 hours.
This data can be combined with data from other on-premise sources showing how many users are using legacy on-premise applications vs. those in the cloud.
Now in order to trace the user activity go to the “Netskope - Application Users” dashboard and look at “User Locations by Source IPs” and “User Locations by Destination IPs” panels to find out access patterns of users. By default count shown is by user count.
Looking at the distribution pie charts one can find valuable insights on the browser, devices, and os used by majority of the users.
Use the SORT USER BY filter to find top users by upload bytes, download bytes, app count, site count and session count. You can combine it with appcategory filter Ex appcategory=Social and SORT_USER_BY=upload_bytes_sumMB to give top users with upload events in Social media.
Let’s go to “Netskope - Application Detail”. Here one can find where the users are spending most of their time from “Top 10 application by Avg Page Duration” panel. To understand the network usage patterns of the users over time one needs to go to “Network Usage Over Time” panel.
One can use app and appcategory filters to analyze the upload/download pattern in a particular application or category
Similar to “Top 10 users” panel in “Netskope - Application User dashboard“ we have a “Top 10 Applications” panel in this dashboard where one can use SORT BY filter to find out top applications by download/upload/total bytes, session_count/user_count and cloud confidence level. By default the list is sorted by Total Bytes
Monitoring Security Alerts and Maintaining Visibility
Starting with “Netskope - Alerts Overview” dashboard one can view the overall security posture with single value panels. One can also look at how the different types of alerts trend in “Alerts Over Time panel” and which find out which applications and users are generating most alerts from “Top 10 Alerts by Users” and “App by Alerts - Distribution” respectively.
Let’s now go to “Netskope - Alerts Details” dashboard here the top two panels gives the source and destinations location of generated alerts. Scrolling down to the bottom one finds
“Alerts Outlier Over Time” which shows anomaly when the numbers of alerts in last 24 hours exceeds a threshold compared to yesterday as shown in the figure below.
Similarly in order to see one’s progress to reduce alerts one can time compare the number of alerts generated over time with last week’s average
Let’s now delve deeper into Alert specific dashboards. Starting with “Netskope - Anomalies”, this dashboard shows total anomalies, anomalies by risk level, by app category and activity.. There is a table that show recent anomalies with High Risk Level.
To find out users with high risk using Google Gmail select the app filter from drop down and choose Google Gmail and look at “Top users by Anomaly Risk level” panel which show the list of users as shown below.
Now let’s look at a dashboard which is based on Data Loss Prevention one of the primary use cases of CASB. “Netskope - Data Loss Prevention” shows total DLP incidents, count of users affected, DLP incidents by severity, by app category, by activity, by browser and by os. There are tables showing “Top 10 DLP Policy Violations”, “Top 10 DLP Profiles” and “Top 10 DLP Rules”. One can track down the source ip with “Top 10 UserIP violating DLP Policy” panel and the critical objects in your network with high or critical severity using “Objects with High and Critical Severity” panel.
This dashboard also comes with a wide range of filters on DLP Rules(dlp_rule), DLP Profiles(dlp_profile), DLP Policy(policy)
One can also combine different panels of other security products like Firewall, Incident Response, Identity and Access Management with Netskope to build dashboards thus providing organizations comprehensive view and analysis of their security posture.
Incident Investigation
Let’s now go to “Netskope - Compromised Credentials” dashboard. This dashboard has tables showing “Recently compromised Credentials” and “Top 10 breaches by breach score” for identifying critical breaches. After the credentials are leaked one can monitor “Apps used by User after Credentials Breach” and “User Activities after Credentials Breach”
tables to identify any abnormal usage of applications or data exfiltration cases possibly associated with a breach.
One can look into PCI Compliance for Linux panels and correlate the breach activity with user activity on linux box.
Lastly we go to “Netskope - Malware”, this dashboard gives count of affected users, apps, file and total malwares detected and distribution of malwares by category, activity, app and severity. To determine the affected file types use the “Top 10 Affected file types” panel and to find out source IPs inflicted by multiple malwares use the “UserIP affected by Unique Malware Name” panel. To investigate the ransomwares affecting Google Drive use the app and malware_type filters to get a list of such type of alerts in “Recent Malwares” panel as shown below.
Once the malware inflicts a machine, one can track the user activities and applications access on the affected machines with “User Activity on Infected machines” and “Apps used on affected machines” panels respectively to monitor the spread of malware activity.
Get Started Now!
The Sumo Logic App provides visibility into key security data with preconfigured dashboards for page events, application events, malware alerts, DLP incidents, compromised credentials alerts, and anomalies.
To get started check out the Sumo Logic Netskope app help doc. If you don’t yet have a Sumo Logic account, you can sign up for a free trial today.
Complete visibility for DevSecOps
Reduce downtime and move from reactive to proactive monitoring.