CASB solutions can help your business in addressing risk in cloud-based services, consistently enforce security policies and comply with regulations, even when these services reside beyond your perimeter and out of your direct control. The value stems from the ability to identify high-risk applications, users, and other key risk factors across cloud platforms - a potential blind spot for many businesses.
With the various acronyms used in cyber security and networking, let us take a moment to define what a CASB truly is. CASB stands for Cloud Access Security Broker, its primary function is to act as a secure gateway between cloud operations and how users interact with the data. While various vendors have similar functionality, the core operations allow for visibility, compliance, data security and threat protection.
As organizations across verticals work to reduce costs of computing and operating on premise and provide a more flexible work environment due to the ongoing pandemic, the criticality of having a proper CASB in place is rising in importance for security teams to consider. There are two primary methods in which security teams interact with the data available from these tools, which are either having the data fed into a SIEM or log manager such as Splunk, or teams will dedicate time everyday to log into the console directly to review alerts and activity observed.
With these solutions in place, incident response teams can take advantage of the wealth of information it provides for threat hunting and investigations of ongoing incidents.
The following are some of the key benefits of implementing and managing a CASB:
While Cloud access security brokers do an excellent job at mitigating threats, enforcing security policies, and alerting on violations either in policy or malware events, there are threats that can and do make it past these solutions. As threats can spread across various cloud environments, incident response teams need solutions such as this to help them quickly identify the scope and breadth of the incident.
Having these solutions in place can also help identify which endpoint was involved with the breach if it originated from a user machine or server. With CASB in place, all activity is passed through these nodes and typically have a central management console which allows for quick identification and remediation of malware infections, user account compromises and gaps identified within cloud containers.
Considering Microsoft has established itself asa large player within the cloud space as well as their ecosystem which includes Defender for endpoints, and now they have implemented a security and compliance dashboard which allows teams to review alerts for users at risk, cloud applications at risk among other key data points of interest. Incident response teams can log into the Microsoft portal to review threats identified and, through playbooks and automation built in, can streamline, and expedite remediation of discovered issues.
For a direct example of what CASB’s such as Microsoft’s provides, see the following overview taken from Microsoft’s documentation:
Shows the number of open alerts, a graph of the alert status distribution, and recent alerts
Other platforms offer similar insights into your distributed cloud environment and incident response teams can gain immense value and insight with minimal effort with what comes out of the box from these vendors.