How Cloud Discovery works
Cloud Discovery analyzes your traffic logs against Cloud App Security's cloud app catalog of over 13,000 cloud apps, which are ranked and scored based on more than 50 attributes, to provide you with ongoing visibility into cloud use, shadow IT, and the risk they pose to your organization. The Cloud app catalog rates risk for your cloud apps based on regulatory certification, industry standards, and best practices. Four complementary processes run on the Cloud app catalog to keep it up to date:
- Automated data extraction directly from the cloud app (for attributes such as SOC 2 compliance).
- Automated advanced data extraction for data by our algorithms (for attributes such as HTTP security headers).
- Continuous analysis by our cloud analyst team (for attributes such as Encryption at rest).
- Customer revision requests, submitted by customers for changes to the Cloud app catalog. All requests are reviewed by our cloud analyst team and the catalog is updated based on their findings.
Using traffic logs for Cloud Discovery
Cloud Discovery utilizes the data in your traffic logs. The more detailed your log, the better visibility you get. Cloud Discovery requires web-traffic data with the following attributes:
- Date of the transaction
- Source IP
- Source user - highly recommended
- Destination IP address
- Destination URL - recommended (URLs provide higher accuracy for cloud app detection than IP addresses)
- Total amount of data (data information is highly valuable)
- Amount of uploaded or downloaded data (provides insights about the usage patterns of the cloud apps)
- Action taken (allowed/blocked)
Cloud Discovery cannot show or analyze attributes that are not included in your logs. For example, the Cisco ASA Firewall standard log format does not contain the amount of uploaded bytes per transaction or the username, and it contains only the target IP, not the target URL. Therefore, these attributes will not be shown in Cloud Discovery data for these logs, and visibility over the cloud apps will be limited. For Cisco ASA firewalls, it is necessary to set the information level to 6.
In order to successfully generate a Cloud Discovery report, your traffic logs must meet the following conditions:
- Data source is supported (see list below).
- Log format matches the expected standard format (this will be checked upon upload by the Log tool).
- Events are not more than 90 days old.
- The log file is valid and includes outbound traffic information.
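The conditions above, and the point that Cloud Discovery cannot report attributes a log format never carries, can be checked locally before you upload. The following is an added example (not a Cloud App Security tool and not part of the original page): a small pre-upload checker for the Squid native access.log format that parses each transaction, measures how many records carry each Cloud Discovery attribute, flags events older than 90 days, and confirms that allowed outbound traffic is present. The sample log lines, the `NOW` reference time, and the `Transaction`/`Report` names are constructed for the example; Squid native format has no per-transaction upload count, so the checker reports that attribute as never populated, which is exactly the "limited visibility" case described above.

```python
"""Pre-upload check of a Squid native access.log against the attributes Cloud
Discovery wants (date, source IP, user, destination URL/IP, bytes, action) and
the upload conditions (parsable, no event older than 90 days, outbound traffic).
Added example for this page; not a Cloud App Security component."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional

MAX_AGE = timedelta(days=90)  # Cloud Discovery rejects older events

# Squid native format, one transaction per line (fields separated by runs of spaces):
# timestamp elapsed_ms client_ip action/status reply_bytes method url user hierarchy/peer content_type
SQUID_NATIVE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)\s*$"
)


@dataclass
class Transaction:
    when: datetime
    src_ip: str
    user: Optional[str]        # None when Squid logged "-" (no ident/auth user)
    dst_url: str
    dst_ip: Optional[str]      # peer field, when it is an IP literal
    total_bytes: int           # reply bytes; the format carries no upload count
    allowed: bool              # False for TCP_DENIED results


def parse_squid_native(line: str) -> Optional[Transaction]:
    """Return a Transaction, or None if the line is not in Squid native format."""
    m = SQUID_NATIVE_RE.match(line)
    if not m:
        return None
    try:
        dst_ip: Optional[str] = str(ipaddress.ip_address(m["peer"]))
    except ValueError:
        dst_ip = None  # e.g. HIER_NONE/- on a denied request
    return Transaction(
        when=datetime.fromtimestamp(float(m["ts"]), tz=timezone.utc),
        src_ip=m["client"],
        user=None if m["user"] == "-" else m["user"],
        dst_url=m["url"],
        dst_ip=dst_ip,
        total_bytes=int(m["size"]),
        allowed=not m["action"].startswith("TCP_DENIED"),
    )


@dataclass
class Report:
    parsed: int = 0
    malformed: int = 0
    stale: int = 0                      # events older than MAX_AGE relative to `now`
    outbound: int = 0                   # allowed transactions that moved bytes
    coverage: Dict[str, int] = field(default_factory=dict)  # attribute -> records carrying it
    problems: List[str] = field(default_factory=list)       # upload conditions not met
    warnings: List[str] = field(default_factory=list)       # attributes Cloud Discovery cannot show

    def ok(self) -> bool:
        return not self.problems


def check_log(lines: Iterable[str], now: datetime) -> Report:
    r = Report()
    has = {"Source user": 0, "Destination URL": 0, "Destination IP": 0,
           "Total traffic": 0, "Uploaded bytes": 0, "Action": 0}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        t = parse_squid_native(line)
        if t is None:
            r.malformed += 1
            continue
        r.parsed += 1
        r.stale += int(now - t.when > MAX_AGE)
        r.outbound += int(t.allowed and t.total_bytes > 0)
        has["Source user"] += int(t.user is not None)
        has["Destination URL"] += int(bool(t.dst_url))
        has["Destination IP"] += int(t.dst_ip is not None)
        has["Total traffic"] += 1          # reply size is always present
        has["Action"] += 1                 # allowed/denied is always derivable
        # "Uploaded bytes" stays 0: Squid native format does not log it
    r.coverage = has
    if r.parsed == 0:
        r.problems.append("no lines matched the Squid native format")
    if r.malformed:
        r.problems.append(f"{r.malformed} line(s) not in the expected format")
    if r.stale:
        r.problems.append(f"{r.stale} event(s) older than 90 days")
    if r.parsed and r.outbound == 0:
        r.problems.append("no allowed outbound transactions found")
    r.warnings = [f"'{a}' is never populated; visibility will be limited"
                  for a, n in has.items() if r.parsed and n == 0]
    return r


# Constructed sample (not from a real deployment), evaluated against NOW = 2017-03-15 UTC.
# Record 4 is dated 2016-11-01 (stale); the last line is deliberately malformed.
NOW = datetime(2017, 3, 15, tzinfo=timezone.utc)
SAMPLE_LOG = """\
1489492800.123    120 10.0.0.5 TCP_MISS/200 4523 GET http://www.example.com/ jsmith HIER_DIRECT/93.184.216.34 text/html
1489492801.456    340 10.0.0.5 TCP_TUNNEL/200 88210 CONNECT files.example.net:443 - HIER_DIRECT/203.0.113.7 -
1489492802.789      2 10.0.0.9 TCP_DENIED/403 3720 GET http://blocked.example.org/ - HIER_NONE/- text/html
1477958400.000     15 10.0.0.9 TCP_MISS/200 981 GET http://old.example.com/ jdoe HIER_DIRECT/198.51.100.20 text/plain
this line is not a squid record
"""

if __name__ == "__main__":
    rep = check_log(SAMPLE_LOG.splitlines(), NOW)
    print(f"parsed={rep.parsed} malformed={rep.malformed} stale={rep.stale} outbound={rep.outbound}")
    print("coverage:", rep.coverage)
    print("problems:", rep.problems)
    print("warnings:", rep.warnings)
```

Run it against a real access.log with `check_log(open(path), datetime.now(timezone.utc))`; a non-empty `problems` list means the upload will be rejected for one of the reasons listed above, while `warnings` tells you up front which Cloud Discovery columns will stay empty for this log source. A user column that is mostly "-" is the usual finding on Squid deployments without proxy authentication, and is the reason the "Source user" attribute is marked as highly recommended rather than required.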
Supported firewalls and proxies
- Blue Coat Proxy SG - Access log (W3C)
- Check Point
- Cisco ASA Firewall (For Cisco ASA firewalls, it is necessary to set the information level to 6)
- Cisco IronPort WSA
- Cisco ScanSafe
- Cisco Meraki - URLs log
- Dell Sonicwall
- Fortinet Fortigate
- Juniper SRX
- McAfee Secure Web Gateway
- Microsoft Forefront Threat Management Gateway (W3C)
- Palo Alto series Firewall
- Sophos SG
- Squid (Common)
- Squid (Native)
- Websense - Web Security Solutions - Investigative detail report (CSV)
- Websense - Web Security Solutions - Internet activity log (CEF)
- Zscaler
Data attributes (according to vendor documentation):
Data source | Target App URL | Target App IP | Username | Origin IP | Total traffic | Uploaded bytes |
---|---|---|---|---|---|---|
Blue Coat | Yes | No | Yes | Yes | Yes | Yes |
Checkpoint | No | Yes | No | Yes | No | No |
Cisco ASA | No | Yes | No | Yes | Yes | No |
Cisco FWSM | No | Yes | No | Yes | Yes | No |
Cisco Ironport WSA | Yes | Yes | Yes | Yes | Yes | Yes |
Cisco ScanSafe | Yes | No | Yes | Yes | Yes | Yes |
Dell SonicWall | Yes | Yes | No | Yes | Yes | Yes |
Fortigate | No | Yes | No | Yes | Yes | Yes |
Juniper SRX | No | Yes | No | Yes | Yes | Yes |
McAfee SWG | Yes | No | No | Yes | Yes | Yes |
Meraki | Yes | Yes | No | Yes | No | No |
MS TMG | Yes | No | Yes | Yes | Yes | Yes |
PAN | Yes | Yes | Yes | Yes | Yes | Yes |
Sophos | Yes | Yes | Yes | Yes | Yes | No |
Websense | Yes | No | No | Yes | No | No |
Zscaler | Yes | No | Yes | No | Yes | No |