How to setup Box Shield Threat Detection
Box Shield enables you to configure and apply a variety of threat detection rules that alert you to deviations in a user usual work activities.
With Threat Detection, you can:
- detect malicious account holders who use their access to steal data or access content.
- detect compromised accounts based on context such as locations, activities, and access patterns.
- detect potential malware in content uploading to your enterprise’s Box account, and enforce downloading restrictions.
- make important security decisions based on rules and behaviors.
Box Shield provides several detection rule types that you can configure and apply. A detection rule watches for a specific type of anomalous event in account holders’ activity, and triggers a Shield notification when the rule detects the event. Detection rules types include:
This type of rule detects potential malware in content uploading to your enterprise’s Box account. Malicious content rules offer multiple types of malware detection:
- Reputation scan of threats by comparing your files to files known to contain malware
- Deep scan of certain file types by evaluating the content of those files
Malware Deep Scan is an additional layer of scanning capabilities available in the Box Shield Threat Detection Malicious Content rule.
To test this I uploaded the EICAR malware test files, specifically designed to trigger your anti-virus software, and here is the result:
Here are the details of one of the files:
When Shield detects potential malware, by default, Box displays a warning banner to all users accessing malicious content from the Box Web app, and enforces downloading restrictions you selected when you configured this rule.
For more information on the malware deep scan see this box support article.
This rule type detects someone apparently accessing content from an unusual or excluded geographic location or host IP address.
In testing this rule, I remembered all the Nigerian princes that needed our help in accessing their fortunes back in the early 2000’s. Since my VPN does not connect to Nigeria, I had to test this using South Africa, maybe they migrated…
A here are the details of the alert:
This rule type detects someone apparently accessing content in a session characterized by unusual user-agent strings, unusual IDs, uncommon types of applications, new IP addresses, and an improbably rapid change in the person’s log-in location.
This one is much harder to test because it is less deterministic. As a user I can be legitimately using a VPN and appear to have traveled, or be using another browser in my other computer on a different network, or even accessing the same file via my mobile device.
Some customers report very few or even no detection, while others report many false positives. Never the less you can always report the false positives within the app, helping to fine tune the machine learning. Keep in mind that your mileage may vary.
I did try to trigger this rule with no success (I’m not much of a hacker), and I wasn’t able to get through at all, being redirected to the login page of the box app. This means the security mechanism of the box app is not letting me through, before the rule has a chance to be triggered.
This rule type detects unusual download patterns. ML will establish what content a user usually works with and then AI can score if a download is considered usual or not.
For example imagine a customer service rep, that went for lunch and forgot to lock the laptop.
If someone grabs the computer and decides to go poke around and downloads some finance content, which the user never does, you’ll probably get a warning of an unusual download.
I couldn’t trigger this on my developer account either, because of lack of multiple users, diverse content and downloading patterns.
Setting up rules
You can start creating rules by accessing the shield rules on your administration console.
Rules follow the same generic format but may have specific options for specific types.
Start by naming and describing the rule:
Next you define the select criteria, determining to what do these rules apply.
For the suspicious session and the anomalous downloads (like the example above) there are no options.
The malicious content type rule does have an extra options to allow the deep scan of Microsoft office files.
On the suspicious location you can determine which locations and type of content to monitor.
You can also create exceptions for some well known context, for example excluding an IP address or a specific app.
Finally you select what actions to take, including if you want these events to be published on the box event stream and if you want to send a notification to a specific user by email.
The malicious content type rule has an extra options where you define if you want to restrict the download.
For more information in setting up rules, see this box support article.
You can send feedback about the rules detection to help improve its performance. For example the suspicious location feedback looks like this:
And here is an example of the malicious content detection feed back, where you can also mark the file as safe:
Often it is easier to create and maintain a list rather than individually manage rules details.
For example we could create a list of United States sanctioned countries and then use it on the suspicious locations rule.
Note: This list came from a wiki article and it is meant as an example.
You can use Shield lists to configure which locations, ip addresses, domains or emails to include.
For more information on lists see this Using shield lists article.
It found something, now what?
Once you start getting alerts the first thing to do is start a triage process where you decide what threat alerts are important and indicate attacks, what alerts are not attacks at all, including false positives, and everything in between.
Keep in mind most of these rules are probabilistic and not deterministic.
Take a look at our Triaging and Remediating Shield Threat Detection Alerts support article for more details.
Like what you see? Go and get started with the Box Shield Threat Detection.
Check out the other articles on this Box Shield and Classification series: