Activity-based Alerts: Giving IT More Granularity and Control

September 7, 2018


BetterCloud is dedicated to innovating for IT professionals, which is why we’re constantly adding new features to the platform. At last year’s customer conference, Altitude, we presented a few feature ideas and posed a question to our attendees: Which one is most important to you? The number one requested feature was Activity-based Alerts, and at BetterCloud, your feedback directly shapes our product.

That’s why we are thrilled to talk about Activity-based Alerts, currently available for Okta, Dropbox, Box, and G Suite.

How you (our customers) helped make Activity-based Alerts a reality

When we asked our customers last year at Altitude what they’d like to be informed of in their SaaS environment, we heard feedback like:

  • “I want to be notified when X number of files/records are downloaded in a specified amount of time.”
  • “I want alerts for unrecognized IP addresses.”
  • “I want to know when users have suspicious or failed logins.”
  • “I want to monitor end user activity across providers.”

Comments like these made us want to dig deeper into the underlying issues at hand. What do these types of alerts mean for IT, and why are they important? To find out, we interviewed customers, who told us:

  • There are certain events that happen in SaaS environments that need a swift and firm response.
  • Suspicious activity in one connected application is a concern for every other application.
  • Reaching out to a user when a lockout or failed login occurs is always a positive.

With all of these learnings in mind, we put the concept of Activity-based Alerts together.

What Activity-based Alerts are, and why they’re important to the future of security

Historically, BetterCloud has focused on what we call state-based alerts. Think of these as alerts on configurations that “persist.” For example, if a user becomes an admin or if a file is shared externally, our alerts tell you that the user or file is in a particular “state.” Activity-based alerts, by contrast, are based on instantaneous events, such as a failed user login or the downloading of a confidential file.

We’ll continue investing in state-based alerts, but activity-based alerts are the next frontier for companies securing mission critical SaaS apps. In order to stay on top of these instantaneous events though, you have to take an API-based approach to security.

APIs are integral to core SaaS control strategies, such as identity and access management, privilege admin management, and entitlements/settings change management. Event and data activity monitoring (i.e., activity-based alerts) is the next layer of security after those foundational strategies. The only way to achieve those strategies is through APIs, since you need to be in the application itself to provide this type of security.

We knew this wouldn’t be an easy feature to build. It has taken six sprints so far with 18 team members involved, which equates to about 43,200 hours. With our state-based alerts, we’ve been able to listen to alert feeds from our SaaS partners, but for activity-based alerts we’d need to listen to every event across the audit logs of our connected applications and decipher what was relevant for teams to actually go through and take actions on.

How Activity-based Alerts can help you

This was a top requested feature by your IT peers at last year’s Altitude for good reason. In many scenarios, admins lack much-needed insight into what end users are doing in their environments. Surfacing these alerts allows admins to create policies to take action on suspicious activities automatically.

With Activity-based Alerts, admins no longer need to make the trade-off between security and productivity. Here are three ways that Activity-based Alerts can help IT admins save time, better monitor activities across various applications, and protect their environment.

1. Find suspicious activities

Activity-based Alerts provide a more granular view of events that are occurring within a domain. For example, if a user is downloading a large number of internal files or exporting a large number of records, this could signify suspicious behavior. With Activity-based Alerts, admins can trigger an action if this happens and, if needed, investigate further. Admins can also be alerted if a file in a crucial folder is deleted, which helps prevent data loss. By mitigating potential threats, these alerts provide an unprecedented level of security around data and files in your SaaS environment.

2. Understand results quickly

A huge benefit of Activity-based Alerts lies in the enrichment of the data across all applications within BetterCloud. Admins need more information on a triggered alert beyond the user’s ID number or email address. BetterCloud ingests over 1,500 data objects/second and enriches your environment’s data so admins have complete context on a user, file, or group across applications. This level of detail can be used to understand the appropriate remediation actions or to trigger specific policies based on specific attributes (e.g., user’s title or department, file’s owner, etc). As an example, if an admin is particularly interested in a download of a file titled “Confidential” from Dropbox, BetterCloud allows admins to view a complete profile of the user across applications, including profile information, account settings, and owned files, as well as the file’s metadata to determine the correct path of remediation.

3. Take actions and enforce policies

Activity-based Alerts allow BetterCloud admins to monitor events that occur, and then take actions instantaneously. For example, if a user downloads hundreds of files from their Dropbox account, admins can instantly log the user out of their Okta account and send an email to their manager. Tracking these activities previously only offered limited responses, such as email notifications to the admin teams. With Activity-based Alerts, users can now easily track and trigger actions across multiple applications at once based on these alerts, saving time, increasing productivity, and improving your security posture.

Activity-based Alerts allow users to identify and remediate security risks much more quickly. Using event-related data, BetterCloud can now provide a deeper level of insights than ever before.
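
The kind of rule described above (“X files downloaded in a specified amount of time”, followed by an automatic response) can be sketched as a sliding-window check over audit events. This is an added example, not BetterCloud code: the event tuples, event-type names, and response labels are constructed for illustration and do not reflect any provider's log format or API.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical response labels, mirroring the actions the post mentions.
RESPONSE = ["log_user_out_of_okta", "email_manager"]

def sample_events():
    """Constructed audit events: (ISO timestamp, user, app, event type)."""
    base = datetime(2018, 9, 7, 10, 0, 0)
    events = [(base.isoformat(), "carol@example.com", "okta", "login_failed")]
    for i in range(5):
        # alice: 5 downloads in 40 seconds; bob: 5 downloads spread over 48 minutes
        events.append(((base + timedelta(seconds=10 * i)).isoformat(),
                       "alice@example.com", "dropbox", "file_download"))
        events.append(((base + timedelta(minutes=12 * i)).isoformat(),
                       "bob@example.com", "box", "file_download"))
    return events

def detect_bursts(events, event_type, threshold, window):
    """Alert when one user produces `threshold` events of `event_type` within `window`."""
    recent = defaultdict(deque)  # user -> timestamps still inside the window (all apps)
    alerts = []
    for raw_ts, user, app, etype in sorted(events):  # ISO strings sort chronologically
        if etype != event_type:
            continue
        ts = datetime.fromisoformat(raw_ts)
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:  # evict events that aged out of the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append({"user": user, "app": app, "count": len(q),
                           "first": q[0].isoformat(), "last": ts.isoformat(),
                           "actions": list(RESPONSE)})
            q.clear()  # re-arm: the next alert needs a fresh burst
    return alerts

if __name__ == "__main__":
    for alert in detect_bursts(sample_events(), "file_download", 5, timedelta(seconds=60)):
        print(alert)
```

Clearing the per-user queue after an alert keeps a single burst from producing one alert per additional event; widening the window trades earlier detection of slow exfiltration for more alerts on ordinary bulk work.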

What you need to know about Activity-based Alerts:

  • Currently available for Okta, Dropbox, Box, and G Suite. Coming soon for Salesforce and Microsoft.
  • Only available for BetterCloud Enterprise customers.
  • BetterCloud One and Core customers can set up a demo to discuss how they can access Activity-based Alerts.
  • For more information on your subscription or to schedule a training session on Activity-based Alerts, please contact your Customer Success Manager or email
  • To learn more about Altitude 2018 (Oct. 2-4 in Denver, Colorado), click here.