SecureCloud Events Remediation- Best Practices Guide

Each entry below lists the Event Type, the Rule Trigger, and the Remediation Best Practice.

Event Type: User Access | Rule Trigger: No Coronet Clients Installed
  1. Install the application on your managed devices and encourage users to install it on their BYOD devices.
  2. If the rule is “noisy”, consider lowering trigger sensitivity.

Event Type: User Access | Rule Trigger: User login from a suspicious location / Abnormal login pattern
  1. Check whether the location is valid (offices, employees' residences, employee travel, VPN usage, etc.).
  2. If you suspect an abnormal login from a suspicious location:
    • Change the user password.
    • Make sure the password is strong enough.
    • Apply 2FA at least for users with sensitive roles.
  3. If the rule is “noisy”, consider lowering trigger sensitivity.
  4. Consider refining Geolocation by specifying known IPs or countries in the IP Addresses scope (under Configure > Rule Scopes > IP Addresses).

Event Type: User Access | Rule Trigger: Multiple login attempts
  1. Check with the employee whether it was he/she who failed to connect. If yes, ignore the event or assist with the password reset.
  2. If you suspect abnormal login attempts:
    • Frequently change user passwords.
    • Make sure the password is strong enough.
    • Apply 2FA at least for users with sensitive roles.
  3. If the rule is “noisy”, consider lowering trigger sensitivity.
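The two User Access checks above (is the login source a known location, and is a user accumulating failed attempts) can be pre-screened before the manual steps. The following Python script is an added example and not Coronet/SecureCloud code: the log format, the office/VPN ranges, the expected countries and the failure threshold/window are constructed stand-ins for the product's IP Addresses scope and its trigger sensitivity.

```python
"""Triage helper for 'suspicious location' and 'multiple login attempts' events.

Added example, not Coronet/SecureCloud code. The log format, the allow-listed
networks/countries (a stand-in for the IP Addresses rule scope) and the
failure threshold (a stand-in for trigger sensitivity) are all assumptions.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical rule scope: known office/VPN ranges and expected countries.
KNOWN_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]
KNOWN_COUNTRIES = {"US", "DE"}
# Hypothetical "multiple login attempts" trigger: N failures within a sliding window.
FAIL_THRESHOLD = 5
FAIL_WINDOW = timedelta(minutes=10)

# Constructed sample log lines: timestamp,user,source ip,country,result
SAMPLE_LOG = """\
2024-03-01T08:00:00,alice,203.0.113.10,US,success
2024-03-01T08:05:00,alice,198.51.100.7,DE,success
2024-03-01T08:07:00,bob,192.0.2.55,BR,success
2024-03-01T09:00:00,carol,192.0.2.99,RU,failure
2024-03-01T09:01:00,carol,192.0.2.99,RU,failure
2024-03-01T09:02:00,carol,192.0.2.99,RU,failure
2024-03-01T09:03:00,carol,192.0.2.99,RU,failure
2024-03-01T09:04:00,carol,192.0.2.99,RU,failure
2024-03-01T09:30:00,dave,203.0.113.20,US,failure
2024-03-01T11:00:00,dave,203.0.113.20,US,failure
"""


def parse_log(text):
    """Parse the constructed CSV-style log into event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, ip, country, result = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "ip": ipaddress.ip_address(ip), "country": country,
                       "ok": result == "success"})
    return events


def location_is_known(ip, country):
    """Step 1 of the suspicious-location triage: is the source inside an
    office/VPN range, or in a country where logins are expected?"""
    return any(ip in net for net in KNOWN_NETWORKS) or country in KNOWN_COUNTRIES


def suspicious_location_logins(events):
    """Successful logins from outside the known scope. These are the ones to
    confirm with the employee (travel, home, VPN) before resetting a password."""
    return [(e["user"], str(e["ip"]), e["country"])
            for e in events if e["ok"] and not location_is_known(e["ip"], e["country"])]


def multiple_failed_attempts(events, threshold=FAIL_THRESHOLD, window=FAIL_WINDOW):
    """Users with at least `threshold` failures inside a sliding `window`.
    A sliding window (rather than fixed clock buckets) catches bursts that
    straddle an hour boundary. Returns {user: peak failures in one window}."""
    failures = defaultdict(list)
    for e in events:
        if not e["ok"]:
            failures[e["user"]].append(e["ts"])
    flagged = {}
    for user, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window's left edge
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("Successful logins outside known scope:", suspicious_location_logins(evs))
    print("Users with repeated failed attempts:", multiple_failed_attempts(evs))
```

Raising `FAIL_THRESHOLD` or shrinking `FAIL_WINDOW` plays the role of "lowering trigger sensitivity" for a noisy rule, and adding an office range or country to the allow-list corresponds to refining the IP Addresses scope; two isolated failures from a known office (dave, above) never reach the threshold, while a burst from an unknown source (carol) does.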
Event Type: Service Activity | Rule Trigger: Administrative activity
  1. Validate that the activity is indeed suspicious.
    • Contact the user if relevant.
    • Reconsider admin privileges.
    • Apply 2FA for admins.
  2. Consider refining Geolocation by specifying known IPs or countries in the IP Addresses scope (under Configure > Rule Scopes > IP Addresses).
  3. If the rule is “noisy”, consider lowering trigger sensitivity.

Event Type: Service Activity | Rule Trigger: Suspicious download
  1. Validate that the activity is indeed suspicious.
    • Contact the user if relevant.
    • Limit user actions when necessary.
  2. If the rule is “noisy”, consider lowering trigger sensitivity.

Event Type: Service Threats | Rule Trigger: Malware activity
  • Limit access to infected resources and user accounts.
  • Perform an endpoint anti-virus scan.
  • Delete/quarantine infected files.
  • Educate employees on phishing attacks and why they should avoid downloading files and apps from untrusted sources.

Event Type: Service Threats | Rule Trigger: Suspicious Ransomware Activity
  • Consult with your security consultant on how to act.
  • Limit access to infected resources and user accounts.
  • Perform an endpoint anti-virus scan.
  • Educate employees on phishing attacks and why they should avoid downloading files and apps from untrusted sources.
  • Make sure that you have backup and disaster recovery plans in place.

Event Type: DLP (Data Loss Prevention) – File-type/Content | Rule Trigger: Any
  • Educate your users about company security policies and the collaboration (sharing) of sensitive information.
  • Validate that the collaboration is indeed unauthorized.
  • Remove file/folder collaboration when necessary.
  • If the rule is “noisy”, consider limiting the rule scope to specific users, user groups, or keywords.

Event Type: DLP (Data Loss Prevention) – Email | Rule Trigger: Any
  • Educate your users about company security policies and the collaboration (sharing) of sensitive information.
  • Validate that the collaboration is indeed unauthorized.
  • If the rule is “noisy”, consider limiting the rule scope to specific users, user groups, or keywords.
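For both DLP entries the guide recommends narrowing a noisy rule to specific users, user groups or keywords, and validating that a collaboration is really unauthorized before removing it. The following Python script is an added example, not Coronet/SecureCloud code: the user groups, the approved partner domains used for the validation step and the sharing events are constructed, and the rule scope is modelled as plain function parameters.

```python
"""Scoped DLP rule evaluation (added example, not Coronet/SecureCloud code).

The product's rule scope (users, user groups, keywords) is modelled as the
parameters of scoped_hits(). The user groups, the approved partner domains
used to decide whether a collaboration is authorized, and the sharing events
are all constructed for this example.
"""

USER_GROUPS = {"finance": {"alice", "bob"}, "engineering": {"carol"}}
APPROVED_PARTNER_DOMAINS = {"partner.example"}   # assumption: vetted external partners

# Constructed sharing events: (file, owner, external recipient, matched content keywords)
SAMPLE_EVENTS = [
    ("q4-forecast.xlsx", "alice", "someone@webmail.example", {"confidential", "forecast"}),
    ("payroll.csv", "bob", "payroll@partner.example", {"salary"}),
    ("design-notes.txt", "carol", "friend@webmail.example", {"confidential"}),
    ("lunch-menu.pdf", "alice", "friend@webmail.example", set()),
]


def scoped_hits(events, groups=None, keywords=None):
    """Return the events the rule fires on.

    groups=None puts every user in scope; keywords=None makes any external
    share fire regardless of content. Narrowing either parameter is the
    'limit rule scope' remediation for a noisy rule."""
    users = None
    if groups is not None:
        users = set().union(*(USER_GROUPS[g] for g in groups))
    hits = []
    for fname, owner, recipient, kws in events:
        if users is not None and owner not in users:
            continue
        if keywords is not None and not (kws & keywords):
            continue
        hits.append((fname, owner, recipient))
    return hits


def unauthorized(hits):
    """Validation step: drop shares whose recipient domain is an approved
    partner. What remains is the set to review and, if confirmed, un-share."""
    return [h for h in hits if h[2].split("@")[1] not in APPROVED_PARTNER_DOMAINS]


if __name__ == "__main__":
    noisy = scoped_hits(SAMPLE_EVENTS)
    narrow = scoped_hits(SAMPLE_EVENTS, groups=["finance"],
                         keywords={"confidential", "salary"})
    print(len(noisy), "alerts unscoped;", len(narrow), "after scoping to finance + keywords")
    print("to review:", [h[0] for h in unauthorized(narrow)])
```

On the constructed events the unscoped rule raises four alerts, scoping to the finance group and two keywords cuts that to two, and the validation step leaves one share to review; the same narrowing applies to an email DLP rule, with the sender standing in for the file owner.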
Event Type: Device Access | Rule Trigger: Malware
  • Quarantine the device so it does not affect network and cloud resources.
  • Apply a malicious file removal tool, such as Microsoft’s MSRT.

Event Type: Device Access | Rule Trigger: Other
  • Fix the vulnerability on managed devices, or guide your users on how to fix it on their BYOD devices.
  • Educate your users about endpoint security risks and measures, and how to use the Coronet Client to increase endpoint security.
  • Consider enabling the No Coronet clients installed trigger from the User access rule.

Event Type: Network Access by Threat | Rule Trigger: Network anomaly detection
  • Educate users about the risks of connecting to unsafe Wi-Fi networks and how to use the Coronet client to avoid them.
  • If the rule is “noisy”, consider lowering trigger sensitivity.
  • Consider enabling the No Coronet clients installed trigger from the User access rule.

Event Type: Network Access by List | Rule Trigger: Any
  • Inform your users which Wi-Fi networks they should use or avoid.
  • Consider enabling the No Coronet clients installed trigger from the User access rule.

Event Type: Email Phishing | Rule Trigger: Any
  • Make sure your users are educated about phishing attacks.
  • Inspect and delete suspicious emails.