Lookout Product Documentation


Anomalous Activities

The Anomalous Activities detection engine continuously profiles data attributes and user behavior to detect activity that is out of the ordinary for your enterprise. Monitoring includes the locations from where logins take place (geo-logins), source IP addresses, and devices used. User behavior includes activities such as content uploads and downloads, edits, deletes, logins, and logouts.

Anomalies are not actual policy violations but can serve as alerts for possible data security threats and malicious data access. Examples of anomalies might be an abnormally large number of downloads from an individual user, a higher-than-normal number of logins from the same user, or persistent login attempts by an unauthorized user.

The user profile includes sizes of file downloads across cloud applications, as well as the time of day and day of the week that the user is active. When the engine detects a deviation from the behavior observed over the profiling period, it flags the activity as anomalous.

Anomalies are classified into two types: deterministic and statistical.

  • Deterministic detection works in real time and detects anomalies as user activity occurs, with a nominal delay (for example, 10 to 30 seconds). The algorithm profiles entities (such as users, devices, applications, content, user locations, and data destination location), attributes (such as access location, source IP address, device used), and the relation between them.

    When an unknown or unexpected new relation is encountered, it is evaluated for suspicious activity. The sample of user activities profiled in this approach is relatively small and grows over time. The accuracy of the anomalies detected using this method is high, although the number of rules or the search space is limited.

  • Statistical detection creates a user’s baseline with a larger activity sample, typically spanning a 30-day period to reduce false positives. User activity is profiled using a three-dimensional model: the metric observed (location, access count, file size), time of the day, and day of the week. The metrics are grouped by time and day. Activities profiled include:

    • Content downloads
    • Content access -- uploads, edits, deletes
    • Network access -- logins and logouts

    When the engine detects a deviation from the observed behavior over this period, based on clustering techniques, it flags the activity as anomalous. It detects anomalies in non-real time with a delay of typically one hour.

    The deterministic algorithm is used for geoanomaly detection. The statistical algorithm is used for anomalous downloads and for content and network access.
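The two detection styles described above, illustrated as an added example (this is not Lookout's own code and its scoring rules are assumptions): the deterministic detector keeps the set of (device, country) relations seen per user and flags a relation it has never encountered; the statistical detector builds a per-user baseline of download sizes bucketed by weekday and hour of day and flags a sample whose z-score against its bucket exceeds a threshold. Lookout's clustering technique is not described on the page, so a mean/standard-deviation baseline stands in for it here, and the 30-day history is constructed inline.

```python
"""Simplified deterministic and statistical anomaly detectors (example code).
The relation key, z-score threshold and bucket scheme are assumptions, not
Lookout's implementation; all events are constructed sample data."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Event:
    user: str
    device: str
    country: str      # access location, assumed to be derived from source IP
    action: str       # "download", "upload", "login", ...
    size_bytes: int   # payload size for downloads, 0 for other actions
    ts: datetime


class DeterministicDetector:
    """Flags a (user, device, country) relation not seen before, then learns it,
    so the profiled sample is small at first and grows over time."""

    def __init__(self) -> None:
        self.known: Dict[str, Set[Tuple[str, str]]] = defaultdict(set)

    def observe(self, ev: Event) -> bool:
        relation = (ev.device, ev.country)
        is_new = relation not in self.known[ev.user]
        self.known[ev.user].add(relation)
        return is_new


class StatisticalDetector:
    """Per-user baseline of download volume grouped by (weekday, hour).
    A download whose z-score exceeds `threshold` is flagged; a bucket with
    fewer than `min_samples` observations yields no score rather than a flag."""

    def __init__(self, threshold: float = 3.0, min_samples: int = 4) -> None:
        self.threshold = threshold
        self.min_samples = min_samples
        self.buckets: Dict[Tuple[str, int, int], List[int]] = defaultdict(list)

    @staticmethod
    def _key(ev: Event) -> Tuple[str, int, int]:
        return (ev.user, ev.ts.weekday(), ev.ts.hour)

    def fit(self, events: List[Event]) -> None:
        for ev in events:
            if ev.action == "download":
                self.buckets[self._key(ev)].append(ev.size_bytes)

    def score(self, ev: Event) -> Optional[float]:
        """z-score of a download against its bucket, or None without a baseline."""
        samples = self.buckets.get(self._key(ev), [])
        if ev.action != "download" or len(samples) < self.min_samples:
            return None
        mu, sigma = mean(samples), pstdev(samples)
        if sigma == 0:  # constant baseline: any increase is unbounded
            return 0.0 if ev.size_bytes <= mu else float("inf")
        return (ev.size_bytes - mu) / sigma

    def is_anomalous(self, ev: Event) -> bool:
        z = self.score(ev)
        return z is not None and z > self.threshold   # one-sided: large downloads


def build_baseline(days: int = 30, start: datetime = datetime(2024, 1, 1, 10, 0)) -> List[Event]:
    """Constructed history: 'alice' downloads 4-6 MB every weekday at 10:00
    from one managed laptop in the US (2024-01-01 is a Monday)."""
    events = []
    for d in range(days):
        ts = start + timedelta(days=d)
        if ts.weekday() < 5:
            size = 4_000_000 + (d % 5) * 500_000
            events.append(Event("alice", "laptop-01", "US", "download", size, ts))
    return events


def run_demo() -> Dict[str, bool]:
    baseline = build_baseline()
    det, stat = DeterministicDetector(), StatisticalDetector()
    for ev in baseline:
        det.observe(ev)
    stat.fit(baseline)
    monday = datetime(2024, 2, 5, 10, 0)
    return {
        "new_device_country": det.observe(Event("alice", "tablet-99", "BR", "login", 0, monday)),
        "known_relation": det.observe(Event("alice", "laptop-01", "US", "login", 0, monday)),
        "normal_download": stat.is_anomalous(Event("alice", "laptop-01", "US", "download", 5_500_000, monday)),
        "huge_download": stat.is_anomalous(Event("alice", "laptop-01", "US", "download", 500_000_000, monday)),
    }


if __name__ == "__main__":
    for name, flagged in run_demo().items():
        print(f"{name}: {'ANOMALOUS' if flagged else 'ok'}")
```

The deterministic detector answers within the same call, matching the near-real-time behavior described above, while the statistical detector needs `fit()` over the history first and returns `None` for a bucket it has no baseline for (a Sunday, or a non-download action), which is the practical reason the page describes it as the slower, batch-style path.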

To view anomalous activities, select Monitor > Anomalous Activities.