According to US-based cloud security provider (and EveryCloud partner) CloudLock, the average organisation experiences 5,732 suspicious activities each month, with the top offenders “exhibiting up to 227 times more anomalous activities than average users”. That’s quite a lot more anomalous activity than the average but, in most cases, that suspicious behaviour isn’t being picked up. So, while app discovery is clearly an essential element in the early stages of any cloud access and identity access security project, user behaviour tracking and analytics also need to be given top priority. But how?

This subject matter is covered in a new CloudLock CyberLab report that offers a methodology for organisations to focus on the user behaviours that are “most indicative of true cyberthreats”. They call it the Cloud Threat Funnel. So what is this, and how can it help you target your own cloud security strategy and responses?

Into the funnel…

The methodology is founded on the premise that understanding what suspicious user behavior looks like is key “to preventing compromised accounts and protecting your organisation.” The funnel approach is therefore based on sifting through very large data sets to “identify anomalies, zero in on suspicious behaviuor, and ultimately pinpoint true threat.” This is what it looks like:

The funnel runs (left to right) from high fidelity information that is taken “from a broad array of data sources” through to sudden bursts of activity or “rare events” and then into genuinely suspicious activities, identified by “combining anomaly detection algorithms with custom-defined rules”, and finally to a true threat output designed to inform practical action. This means delivering a “signal-to-noise ratio” as high as possible via, in this case, an adaptive self-learning model designed to deliver far greater visibility and reduce the number of false-positives/alerts generated.

This threat funnel is, in essence, about being able to prioritise the real threats that you face, being even more aware and so taking more targeted action, focusing effort and resources on real dangers. I’ll leave you with a final infographic from the CloudLock report that illustrates the scale of the threat – and underlines the need for a more methodical approach to tracking, understanding and acting on suspicious user behaviour.

Source: CloudLock CyberLab

If you want to know more about the methodology, download the CloudLock Cyberlab Q1 2016 Cybersecurity Report here.