Netskope Help

Behavior Analytics Detection Scenarios

There are two major areas that behavior analytics covers.

  1. Insider Risk: this is key for Risk compliance teams (verticals such as finance, healthcare) and remediation may involve specific actions outlined within the company’s employee compliance policy.

  2. Breach Detection: this is is key for the Security Operations team to detect a breach of the corporation’s defenses and requires remediation actions that include improving the company’s security posture.

The following table describes the scenarios, types of risk compliance, and enabled detections to address the risk.

Scenario

Scenario Description

Enabled Detections

Risk Compliance - Insider Risk

Malicious Insider: Data Exfiltration

A malicious insider who wants to take the organization’s intellectual property to their next employer decides to download a large amount of data and upload it to their personal Google Drive instance.

  • Spike in downloads from managed applications by the user

  • Spike in downloads with DLP policy violations from managed applications by the user

  • Spike in uploads to personal applications by the user

  • Spike in uploads with DLP policy violations to personal applications by the user

  • Potential corporate data movement by the user

  • Potential corporate data movement with DLP policy violations by the user

  • Spike in documents shared outside the organization from managed applications by the user

  • First access to an application by the user

  • First access to an application for your organization

  • First access for S3 bucket

Risk Compliance - Insider Risk

Malicious Insider: Data Destruction

An insider who is disgruntled and has decided to hurt the organization. They are deleting a bunch of documents in an attempt to disrupt operations.

  • Spike in files deleted by a user

Security Operations - Breach Detection

Compromised Credential: Strange Network Access

A user’s credential for Dropbox is compromised and used from a device outside the organization. The user is able to download data from the corporate Dropbox instance.

  • First access from an IP block for the user

  • First access from an IP block for your organization

Security Operations - Breach Detection

Compromised Device: Malware Distribution

A user’s device is infected with malware and is being used to distribute malware to the rest of the organization. The user’s credentials are used to upload malware to Google Drive for others to load.

  • Spike in malware uploads for your organization

  • Spike in malware uploads by the user

  • Spike in malsite alerts by the user

  • Spike in malsite alerts for your organization

Security Operations - Breach Detection

Compromised Device: Lateral Movement

A user’s device is infected with malware and is being used to brute force into cloud application environments, generating a large number of failed log in attempts.

  • Spike in failed log ins attempts by the user