
New Features - SaaS Security - January 2025


Behavior Threats Incident Details

Release Date: January 2025 | Last Updated: May 2026

Security teams often struggle with fragmented context and slow manual analysis when investigating complex user behavior anomalies, leading to prolonged response times and incomplete threat analysis. Behavior Threats Incident Details, available in SaaS Security, solves this challenge by providing comprehensive, granular information necessary for effective incident investigation. This feature delivers a chronological sequence of user activities, including application names, precise timestamps, and asset data. You gain instant visibility into how user risk scores are calculated and can access visual representations of activity patterns, enabling you to conduct thorough forensic analysis.

By using Incident Details, your security administrators can efficiently filter incidents, export detailed reports for compliance, and make informed decisions quickly. The feature significantly improves your team’s efficiency in detecting and analyzing potential insider threats, ultimately minimizing the risk of undetected security breaches and strengthening your overall security posture. The advanced filtering options and visual tree views that break down a user's risk score contribution ensure you can implement targeted remediation strategies and optimize administrative resources.

Legacy UEBA Migration to Behavior Threats

Release Date: January 2025 | Last Updated: May 2026

The Legacy UEBA Integration with Behavior Threats feature enhances your User and Entity Behavior Analytics (UEBA) capabilities by combining machine learning-based behavior threats with optimized rule-based policy rules. This integration addresses limitations in traditional rule-based systems, providing a more adaptive and accurate security solution. You can improve threat detection, reduce false positives, and identify complex behavioral anomalies and unknown threats. The system adapts to new threat patterns automatically, reducing the need for manual updates. You gain a consolidated view of all security incidents, streamlining threat management. This feature is valuable when you need to strengthen your security posture against sophisticated cyber threats, enhance operational efficiency, and customize threat detection policy rules. By implementing this solution, you can ensure your security infrastructure evolves with the changing threat landscape while offering scalability and flexibility. The feature is useful for detecting insider threats, account compromises, and emerging attack vectors. It allows your security teams to focus on strategic tasks rather than constant rule updates. With this integration, you can improve your overall security effectiveness, adapt to new threats more quickly, and gain deeper insights into user and entity behaviors across your organization.

LLM Powered User Risk Summary in Behavior Threats

Release Date: January 2025 | Last Updated: May 2026

Behavior Threats supports an LLM-powered user risk summary for the top 0.1% of risky users. This summary provides detailed insights into unusual activities, data access patterns, and potential security concerns even when incidents are not generated, enabling security administrators like you to understand and assess user risk more effectively. The LLM-powered user risk summary is an innovative approach for evaluating high-risk users by analyzing their activity patterns and machine learning model results. This summary offers an overview of user risk factors, surpassing the limitations of current incident descriptions that often focus on single aspects. It's valuable for explaining high risk scores for users without recorded incidents. This approach has shown promising results in production, offering additional insights compared to traditional incident descriptions.

Plugin Access Control Policies

Release Date: January 2025 | Last Updated: May 2026

Although third-party plugins extend the capabilities of a marketplace app, they can introduce security risks to your organization. To manage this risk, you can now create Plugin Access Control policies in SaaS Security Posture Management (SSPM). These policies allow you to specify which plugins you consider unauthorized in your environment.

Once configured, SSPM scans your marketplace apps at regular intervals to detect installations of these plugins. Depending on the marketplace app, you can configure the policy to automatically revoke a plugin’s access. If automatic revocation is not supported, you can configure notifications to alert you to a policy violation. You can receive these alerts through a task in an issue tracking system, an email, or a webhook to a Slack or Microsoft Teams channel. After receiving a notification, you can take manual action to remove the plugin, ensuring your security posture remains strong.