Why do I need a CASB for Shadow IT when I already have a SIEM?

By Andrey Zhuk on Mar 18, 2020

Why does my organization need to have a Shadow IT solution when we already own a Next-Gen Firewall / Web Proxy and have all the logs in a Security Information and Event Management (SIEM) solution?

This is a question we are often asked by our customers. The answer is that MVISION Cloud CASB allows organizations to uncover Shadow IT usage that is not visible via a query in a SIEM or with Next-Generation Firewall (NGFW) / Secure Web Gateway (SWG) tools. NGFW and Web Proxies typically catalog web services using a category and a reputation score. So, a Russian email service, like mail.ru, would simply be categorized as “Web-based Email” with “Trustworthy” reputation. A typical output of a web reputation score from NGFW / SWG is shown below.

Source: WebRoot BrightCloud Threat Intelligence

What it doesn’t tell you is that mail.ru is hosted in Russia, that it does not encrypt user data at rest, and that it is a source of leaks to the Darknet. It’s definitely not the kind of site a security-conscious organization would want its employees using at work.

The reason for this discrepancy in cloud service assessment is that NGFW/SWG products primarily look at cloud services from a traditional cyber security perspective: Is the site a source of spam, web attacks, malware, etc.? MVISION Cloud CASB starts there, and also looks at the cloud service's business risk. MVISION Cloud gives each cloud service a risk score based on an assessment of 46 control points, covering over 240 risk attributes. Furthermore, McAfee MVISION Cloud maintains a detailed registry of over 26,000 cloud services, with approximately 100 new services added to the registry each month. For comparison, the registry of a leading NGFW vendor currently has a little over 3,000 services. The good news is that Shadow IT data discovered by MVISION Cloud can be consumed by an organization's existing security stack to block user access or limit the scope of user activity within a service. Here's how this service ranks in MVISION Cloud:

McAfee often gets asked the following question: If Shadow IT findings are based on web traffic log data stored in a SIEM, why can't I find information about an organization's Shadow IT usage directly from a SIEM console? The main reason is that a SOC analyst doesn't know what he doesn't know. If asked "Show me all PDF converters hosted outside of the US that are used on the organization's network," where does a SOC analyst even start, and what does he search for?

The easier route is to utilize McAfee MVISION Cloud CASB and search the MVISION Cloud Registry for "Document Conversion" services to see which unsanctioned PDF converters are "in use." The SOC analyst can then send the MVISION Cloud Registry data about the suspect services directly to a SIEM via API. This data can now be used to seed searches within the SIEM tool for further analysis by the SOC analyst.

Another scenario where MVISION Cloud makes a traditional SIEM more "cloud aware" is mapping the URL space of complex services. For example, if a SOC analyst wants to block Netflix and creates a rule to block all *.netflix.com URLs, he will be surprised to find that Netflix is not actually blocked, and users can still access the content. The reason for this is that most NGFW/SWG products know of only a handful of ways to get to a cloud service. MVISION Cloud, through its crowdsourcing approach, knows of hundreds of ways to get to a cloud service and updates these as URLs change. Going back to the Netflix example, below is a screenshot from the MVISION Cloud console showing some of the other URLs associated with the video streaming service.

If a SOC analyst searches for *.netflix.com in a SIEM console, he will only get a partial view of all Netflix activity. The SOC analyst would need MVISION Cloud to identify the *.nflxvideo.net domains and other ephemeral URL strings to get a complete view of the Netflix service on the organization's network. Ultimately, MVISION Cloud for Shadow IT should be used as a complementary tool to an organization's SIEM capability. It's a symbiotic relationship. An organization's SIEM is the source of Shadow IT data for MVISION Cloud, but it is MVISION Cloud that makes the SIEM tool cloud aware.
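The gap described in the last two sections can be reproduced on a handful of proxy log lines. The script below is an added illustration, not code from this post or from McAfee: it uses a small constructed stand-in for a CASB service registry (service names, known domains and a couple of risk attributes, all made up here except for the netflix.com, nflxvideo.net and mail.ru domains mentioned above) and constructed log lines, and contrasts a single-wildcard SIEM search with a registry-driven search that also lets the analyst seed a query such as "services hosted outside the US".

```python
import fnmatch
from urllib.parse import urlsplit

# Constructed stand-in for a CASB service registry (not real MVISION Cloud data).
REGISTRY = {
    "Netflix": {"domains": ["netflix.com", "nflxvideo.net"],
                "category": "Streaming", "country": "US"},
    "Mail.ru": {"domains": ["mail.ru"],
                "category": "Web-based Email", "country": "RU"},
}

# Constructed proxy log lines: timestamp user src method url status bytes.
SAMPLE_LOG = """\
2020-03-18T10:01:02Z alice 10.1.2.3 GET https://www.netflix.com/browse 200 1523
2020-03-18T10:01:05Z bob 10.1.2.4 GET https://oca001.nflxvideo.net/range/0-999 206 1048576
2020-03-18T10:03:00Z carol 10.1.2.5 GET https://e.mail.ru/inbox 200 2048
2020-03-18T10:04:00Z dave 10.1.2.6 GET https://example.org/index.html 200 512
"""

def parse_log(text):
    """Reduce each proxy log line to (user, hostname)."""
    records = []
    for line in text.splitlines():
        _ts, user, _src, _method, url, _status, _size = line.split()
        records.append((user, urlsplit(url).hostname))
    return records

def wildcard_search(records, pattern):
    """The naive SIEM query: one wildcard such as '*.netflix.com'."""
    return [r for r in records if fnmatch.fnmatch(r[1], pattern)]

def service_for(host, registry=REGISTRY):
    """Map a hostname to the registry service owning it, if any."""
    for name, entry in registry.items():
        if any(host == d or host.endswith("." + d) for d in entry["domains"]):
            return name
    return None

def shadow_it_report(records, registry=REGISTRY):
    """Service -> sorted distinct users, matching every domain the registry knows."""
    report = {}
    for user, host in records:
        svc = service_for(host, registry)
        if svc:
            report.setdefault(svc, set()).add(user)
    return {svc: sorted(users) for svc, users in report.items()}

def services_where(registry, predicate):
    """Seed a SIEM search, e.g. every registry service hosted outside the US."""
    return sorted(n for n, e in registry.items() if predicate(e))
```

On the sample lines the wildcard search returns only alice's browse request, while the registry-driven report attributes bob's nflxvideo.net traffic to Netflix as well.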


About the Author

Andrey Zhuk

Andrey Zhuk is a Cloud Security Architect supporting McAfee Federal practice, where he is focused on helping US Government Agencies adopt new cloud services and secure agency assets in the cloud. Andrey is an experienced cloud, cyber and network architect with over 13 years of experience in US Federal Government space. He is well versed ...
