Cloud Application Security FAQs
03/26/2020 11 5793
Q. What are anomalies?
A. One threat individuals in your organization can face is the takeover of their account(s). Cloud App Security can detect this by analyzing unusual account behavior. logins to an account from new browsers, devices, or location.
- suspicious email activity or configurations, such as deleting all incoming email messages or forwarding
- messages to an external account or domain
- email account configurations that are insecure or make extensive use of filters, forwarding, or secondary accounts
- accounts where two-factor authentication has been disabled
- suspicious internal emails, often with multiple recipients
- multiple account password resets within an unusually short period of time
- changes in the grouping of contacts in emails messages or mailing lists
- changes in the usual characteristics of user sessions, such as the time of day, length of login session, or applications used
Q. Why do I see an IPv6 address reported for some login events?
A. Many mobile data networks use IPv6 and transmit the IPv6 address. These are most commonly seen to be cloud access events from mobile data networks (i.e. checking email from a mobile device). You can map the IP to the provider using a tool like this: https://www.ultratools.com/tools/ipv6Info
Q. Why do I see login events from areas I haven’t been to recently?
A. During the initial scan after SaaS App registration, 30 days of past login events are collected and analyzed. This is used to build a profile unique to each user of their “normal” pattern of access behavior, so variances in their behavior can be determined going forward.
Q. What is Shadow SaaS (Security as a Service)?
A. The Shadow SaaS feature is an email-based form of Shadow IT detection. Securing cloud-native emails such as O365 Email or G Mail with CAS allows the ability to detect and report SaaS services being used when end users have registered these services using their corporate email address.
Q. What is the difference between “Inline” protection and “Detect and Prevent”?
A. Inline scanning intercepts email and completes all scanning before the email is delivered to the end users’ mailbox (i.e. block until verdict). Detect and prevent allows delivery to the user’s mailbox while scanning, completes the scanning post-delivery, and can retract email as required based on policy settings.
Q. Does CAS include a SPAM feature?
A. As the Advanced Threat Protection for cloud-native email, CAS does include technology that augments the built-in SPAM capabilities of the cloud service providers. Layering on top of Microsoft’s and Google’s built-in security controls, which include SPAM and AV scanning services, CAS uses AI-based SPAM detection to detect new campaigns that have bypassed built-in controls.
Q. What do the different types of DLP compliance rules, like Intellectual Property, look for?
A. The DLP compliance rules look for types of data and terms in varying formats within each file. To reduce false positives, in some cases combinations and patterns of data, terms or keywords are used. Some example terms are: Financial – ABA routing numbers, account information, credit, credit card authorization, tax ID’s and Intellectual Property – terms such as Abstract summary, Access and Benefit-sharing, Annuity fee, Application, Assignor estoppel, Auslegeschrift, Beneficiaries,Biogen sufficiency , Branching off, Catch and release, Application, and Agreements.
Q. Do the DLP rules apply to just English or also localized language files?
A. DLP rules apply to English files at this time.
Q. Why do I see a “suspected phishing” event on an email sent by one of my users?
A. During the initial scan after SaaS App registration, 5 days of past email messages are analyzed. This is used to build a unique profile for each user. The Anti-Phishing algorithm analyzes over 300+ threat indicators, including the relationship between the sender and receiver. If an email hasn’t been sent or received to a recipient, and other indicators are present this can trigger an event. Details of the indicators triggering the event are available in the event details. These can be viewed and the event reclassified if necessary to update the machine learning algorithm.
Q. Why do I receive multiple alerts for one event?
A. Alert notifications are configured in the policy settings, with settings based on the configured actions. Alerts will be sent for each action, as configured by the policy.
Q. What is the size limit for scanning email attachments and files in cloud storage?
A. File scanning supports files up to 10MB.
Q. What types of file are supported for email attachment and file scanning by CAS?
A.CAS utilizes Capture ATP to detect advanced threats in email attachment and files stored in cloud storage, such as O365 OneDrive, SharePoint Online, Google Drive, Box and Drop Box. Capture ATP scanning supports the file types:
- Executables (PE, Mach-O, and DMG)
- PDF, Office 97-2003 file types (.doc , .xls ,...)
- Office (.docs , .xlsx ,...)
- Archives ( .jar, .apk, .rar, .gz, and .zip)
Q. Does CAS integrate with Hosted Email Security (HES)?
A. CAS and HES are separate technologies providing similar functionality for the email protection features. HES focuses on protecting specifically email, while CAS protects email and the whole suite of applications. Both products use Capture ATP for attachment and file scanning services.
Q. Does CAS support mixed mode licensing in a single tenant?
A. CAS offers 2 packages, Basic and Advanced. Managing a single tenant that includes both type of licenses is not supported.
Q. What happens to my protection if my CAS trial or subscription expires?
A.At time of expiration:
- Email and File scanning stops.
- Email and Storage policies set to Protect (Inline) and\or Detect and Prevent automatically revert to Monitor Only, preventing mail flow disruption.
- Policy modifications are disabled.
- Configuration|Licenses in the CAS UI is no longer visible or accessible.
- CAS Console and existing data is accessible with Expired status in the UI accessible for 44 days post expiration.
Day 2 - 44
- Licenses expiration reminders are sent, periodically, to the account owner via email with appropriate options to renew subscriptions.
- CAS Console and historical data remains accessible from expiration through day 44.
- Policy modifications cannot be made.
- Configuration|Licenses remain inaccessible.
Day 45 - Subscriptions or Trials not renewed
- CAS – SaaS Security tile in Capture Security Center is disabled for access.
- CAS instance (including sub domain, and associated data) is deleted.
Q. What SaaS Apps are currently supported by SonicWall Cloud App Security?
A. Currently, Cloud App Security protects Office 365 (Exchange Online, SharePoint Online and OneDrive), G Suite (Gmail and G Drive), Box and Dropbox.