Why do I need a CASB for shadow IT when I already have a SIEM?

Johannesburg, 18 Mar 2020
Read time 4min 10sec

Why does my organisation need to have a shadow IT solution when we already own a next-gen firewall/Web proxy and have all the logs in a security information and event management (SIEM) solution?

This is a question we are often asked by our customers. The answer is that MVISION Cloud CASB allows organisations to uncover shadow IT usage that is not visible via a query in a SIEM or with next-generation firewall (NGFW)/Secure Web gateway (SWG) tools. NGFW and Web proxies typically catalogue Web services using a category and a reputation score. So, a Russian e-mail service, like, would simply be categorised as “Web-based e-mail” with “trustworthy” reputation. A typical output of a Web reputation score from NGFW/SWG is shown below.

Source: WebRoot BrightCloud Threat Intelligence
Source: WebRoot BrightCloud Threat Intelligence

What it doesn’t tell you is that is hosted in Russia, that it does not encrypt user data at rest, and that it is a source of leaks to the Darknet. It’s definitely not the kind of site a security-conscious organisation would want its employees using at work.

The reason for this discrepancy in cloud service assessment is that NGFW/SWG products primarily look at cloud services from a traditional cyber security perspective: Is the site a source for spam, Web attacks, malware, etc? MVISION Cloud CASB starts there, and also looks at the cloud service business risk. MVISION Cloud provides each cloud service with a risk score based on an assessment of 46 control points, covering over 240 risk attributes. Furthermore, McAfee MVISION Cloud maintains a detailed registry of over 26 000 cloud services, with approximately 100 new services added to the registry each month. For comparison, the registry of a leading NGFW vendor currently has a little over 3 000 services. The good news is that shadow IT data discovered by MVISION Cloud can be consumed by an organisation’s existing security stack to block user access or limit the scope of user activity within a service. Here’s how this service ranks in MVISION Cloud:

Source: WebRoot BrightCloud Threat Intelligence
Source: WebRoot BrightCloud Threat Intelligence

McAfee often gets asked the following question: If shadow IT findings are based on Web traffic log data stored in a SIEM, why can’t I find information about an organisation’s shadow usage directly from a SIEM console? The main reason is that an SOC analyst doesn’t know what he doesn’t know. If asked: “Show me all PDF converters hosted outside of the US that are used on an organisation’s network,” where does an SOC analyst even start, what does he search for?

The easier route is to utilise McAfee MVISION Cloud CASB and search the MVISION Cloud Registry for “document conversion” services and see which unsanctioned PDF converters are “in use”. The SOC analyst can then send the MVISION Cloud Registry data about the suspect services directly to a SIEM via API. This data can now be used to seed searches within the SIEM tool for further analysis by SOC analyst.

Another scenario where MVISION Cloud makes a traditional SIEM more “cloud aware” is logging URL space for complex services. For example, if an SOC analyst wants to block Netflix and creates a rule to block all * URLs, he will be surprised to find that Netflix is not actually blocked, and users can still access the content. The reason for this is that most NGFW/SWG products know of only a handful of ways to get to a cloud service. MVISION Cloud, through its crowd-sourcing approach, knows of hundreds of ways to get to a cloud service and updates these as URLs change. Going back to the Netflix example, below is a screenshot from the MVISION Cloud console showing some of the other URLs associated with the video streaming service.

Source: WebRoot BrightCloud Threat Intelligence
Source: WebRoot BrightCloud Threat Intelligence

If an SOC analyst searches for * in a SIEM console, he will only get a partial view of all Netflix activity. The SOC analyst would need MVISION Cloud to figure out the * domains and other ephemeral URL strings to get a complete view of the Netflix service on the organisation’s network.

Ultimately, MVISION Cloud for shadow IT should be used as a complementary tool to an organisation’s SIEM capability. It’s a symbiotic relationship. An organisation’s SIEM is the source of shadow IT data for MVISION Cloud, but it is MVISION Cloud that makes the SIEM tool cloud aware.

Keep reading about MVISION Cloud here.

Editorial contacts
PR Connections Alison McDonald (+27) 11 468 1192
McAfee Amy Bunn
See also