When we founded Skyhigh five years ago, we recognized that security was the biggest barrier to cloud adoption. But we also saw the promise of cloud to transform how organizations conduct business. We wanted to turn security into the biggest driver of cloud adoption so that organizations adopt cloud not only because it enables faster time to market, higher productivity, and lower cost compared with on-premises applications running in the datacenter, but also because cloud is more secure. We built Skyhigh Security Cloud to make this vision a reality, helping launch the Cloud Access Security Broker (CASB) market in the process.
Data is your most valuable asset
Today, data moves faster than ever. The advent of cloud has eroded national borders and the corporate perimeter. Employees access data from home and from the office, on-network and off-network, from managed and unmanaged devices. Data sharing and collaboration are now a click away. At the same time, in every industry data is becoming an organization’s most valuable asset. Take Caesars Entertainment as an example. The company owns over 50 resorts worldwide, including the famous Caesars Palace in Las Vegas. Yet its most valuable asset, valued at over $1 billion, isn’t one of its resort properties; it’s the data from its customer loyalty program, which tracks every interaction with every customer.
Today’s cloud security challenges
Despite advancements in cloud security, enterprises still face a number of challenges.
More than half of enterprises today use more than five security tools that generate alerts. The growing number of alerts leads to “alert fatigue”: overwhelmed security analysts miss the signal in the noise, or stop reviewing alerts altogether because there are too many to triage properly. Cloud makes the problem worse because of the sheer volume of events and policy violations that occur within cloud services. Today, the average enterprise sees 387 cloud incidents each month for every analyst in its SOC (Security Operations Center). 10.1% of organizations plan to hire more SOC analysts to deal with this, but with alert volume growing far faster than headcount, hiring cannot be the answer.
The typical remediation process requires SOC analysts to manually review each alert. But analysts usually lack the context to know what actually happened, so in many cases they must contact the end user to understand the incident. This does not scale: a small SOC team faces thousands of end users whose cloud usage generates an ever-growing flood of incidents. It is frustrating for end users as well: when they unintentionally violate a policy and a remediation action is taken automatically (for example, quarantining a file), their work is interrupted until a SOC analyst gets around to resolving it.
Email is changing
Even in today’s cloud world, email is still the killer app. Exchange Online has grown rapidly in the past three years as Microsoft pushes existing customers to migrate to cloud email. Between 2016 and 2017, the number of on-premises Exchange Server enterprise mailboxes in use decreased by 46% as more customers moved to the cloud. Today, Exchange Online is the most popular enterprise cloud service by user count. But while email remains popular, the nature of sharing is changing. In the cloud, Office 365 users also upload and share data through OneDrive, SharePoint, Microsoft Teams, Yammer, and so on.
In the on-premises era, 64% of enterprises deployed an email data loss prevention (DLP) solution to keep sensitive data from leaving the enterprise. But information leaves Office 365 in many more ways than email, so enterprises that enforced DLP on on-premises email must now contend with these cloud-native sharing methods. They must also recognize that email itself is changing. Traditional email DLP scans the message payload, including any attachment. As attachment sizes have grown, Exchange Online has added the ability to attach large files as OneDrive links instead: the file is uploaded to OneDrive and the message carries only a link, so a DLP engine that inspects the message payload never sees the file’s contents.
Real-time vs complete coverage
Today, cloud security solutions enforce controls on data in the cloud in two ways: inline and via API. In inline mode, enforcement happens in real time as data moves between the end user and the cloud service. But sitting inline does not offer complete coverage. It gives visibility and control only over data in motion, not over data already resident in the cloud service. It also misses data created natively in the cloud: when a user edits a file live inside a web application, the edits travel as application-specific traffic rather than as a discrete file that can be inspected. And because inline inspection depends on intercepting TLS and presenting the proxy’s own certificate, it breaks apps that pin their server certificate, a protection more cloud providers are rolling out precisely to defeat man-in-the-middle interception.
Cloud service providers have made APIs available for security vendors to inspect content, monitor activity, and enforce controls. The API deployment mode offers complete coverage: data that users upload as well as data at rest within the cloud service. It also handles data created natively in the cloud and works with every client application, including those that pin certificates. But APIs have one major drawback: they are not real time. API-based enforcement lags by 5-20 minutes, which matters more than it may seem, because 21% of files are accessed within 5 minutes of being shared. Once the data has been accessed the horse has left the barn, so to speak, and enforcing controls on it at that point is too late.
A leap in innovation
Today, we’re announcing three breakthrough innovations that address these challenges.
Autonomous Remediation automates the work security analysts perform to remediate low-severity incidents. Our approach puts the end user at the center because 1) the user has the context for the incident, 2) cloud adoption is about increasing end user productivity, and 3) there are far more end users than SOC analysts. When a user violates a policy, Skyhigh sends the user a coaching message so they can correct the incident themselves. Say a user is editing a spreadsheet in Excel Online and adds a credit card number, violating a DLP policy. Skyhigh detects the violation and surfaces an alert in Excel Online, while simultaneously sending the user a coaching notification asking her to remove the credit card number. Once she has fixed the violation, the alert is marked as resolved.
Observed performance of Autonomous Remediation at enterprises shows that end users resolve 97% of incidents on their own, and that the average user resolves about one incident per month. The impact on SOC analysts is more pronounced: the volume of cloud incidents requiring analyst review drops from 387 per analyst per month to 12. This frees analysts to monitor high-level dashboards of incident volume and resolution, and to focus their investigations on the high-severity incidents end users cannot resolve. End users get a better experience too, since they no longer have to wait for IT to respond before continuing their work. Over time, real-time coaching also shifts user behavior, reducing the overall number of incidents generated.
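As an added example (not Skyhigh’s code, and not a description of how the product is implemented), here is a small Python sketch of the workflow in the two paragraphs above: a card number detector and an alert that is coached, rechecked, and then either resolved or escalated to the SOC. It goes one step beyond the text by validating candidate numbers with the Luhn checksum, so that order numbers and other look-alike digit runs do not become more noise for analysts. The Alert class, the two-round escalation threshold, the sample spreadsheet cells, and the user and document names are all assumptions made for this illustration.

```python
# Added example, not Skyhigh's code: a toy DLP scan for payment card numbers
# (PANs) plus the coach-then-recheck loop described in the post. The Alert
# class, the escalation threshold, the policy wording and the sample cell
# contents are constructed here; a real CASB does this inside the cloud app.
import re
from dataclasses import dataclass
from typing import List, Optional

# 13-19 digits, optionally separated by spaces or dashes, not embedded in a
# longer digit run (so a 20-digit serial number is not matched).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
MAX_COACHING_ROUNDS = 2  # assumed policy: escalate to the SOC after two nudges


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check. Rejects most random digit runs (order numbers,
    invoice IDs) that merely look like a card number, cutting alert noise."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return the Luhn-valid card numbers found in text (digits only)."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def mask(pan: str) -> str:
    """Show only the last four digits in alerts and coaching messages."""
    return "*" * (len(pan) - 4) + pan[-4:]


@dataclass
class Alert:
    doc_id: str
    user: str
    findings: List[str]
    severity: str = "low"     # only low-severity alerts enter the self-service loop
    status: str = "open"      # open -> coached -> resolved | escalated
    rounds: int = 0


def scan_document(doc_id: str, user: str, text: str) -> Optional[Alert]:
    """Raise an alert if the document carries at least one card number."""
    pans = find_pans(text)
    return Alert(doc_id, user, [mask(p) for p in pans]) if pans else None


def coach(alert: Alert) -> str:
    """Send the end user a coaching message instead of paging an analyst."""
    alert.status = "coached"
    alert.rounds += 1
    return (f"To {alert.user}: '{alert.doc_id}' contains card number(s) "
            f"{', '.join(alert.findings)}; please remove them (PCI policy).")


def recheck(alert: Alert, text: str) -> str:
    """Re-scan after the user edits; close, coach again, or escalate."""
    remaining = find_pans(text)
    if not remaining:
        alert.status = "resolved"
    elif alert.rounds >= MAX_COACHING_ROUNDS:
        alert.status = "escalated"   # hand the residual incident to the SOC
    else:
        alert.findings = [mask(p) for p in remaining]
    return alert.status


# Constructed sample: a few cells from a spreadsheet being edited online.
ORIGINAL_CELLS = ("Order 1234-5678-9012-3456 shipped\n"   # Luhn-invalid, ignored
                  "Customer card 4111 1111 1111 1111 on file\n")
EDITED_CELLS = ("Order 1234-5678-9012-3456 shipped\n"
                "Customer card ****1111 on file\n")


def run_scenario() -> List[str]:
    """Walk one alert through the loop and return the status history."""
    alert = scan_document("Q3 refunds.xlsx", "alice", ORIGINAL_CELLS)
    history = [alert.status]
    coach(alert)
    history.append(alert.status)
    history.append(recheck(alert, EDITED_CELLS))
    return history


if __name__ == "__main__":
    print(run_scenario())   # ['open', 'coached', 'resolved']
```

The escalation branch is the part worth keeping in mind: coaching only removes analyst work for the incidents users can and will fix, so a bounded number of rounds followed by a hand-off to the SOC is what keeps the remaining high-severity or unresolved cases from silently stalling.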