CloudLock Unveils Breakthrough Method for Isolating True Security Threats From Among Billions of Suspicious User Activities

Q1-16 Cybersecurity Report: The CloudLock CyberLab's "Cloud Threat Funnel" Methodology Reveals Distinct User Behavior Patterns, Helping Businesses Lock Into Only the Real Threats

WALTHAM, MA--(Marketwired - Mar 28, 2016) - When is a security alert not a real security alert? With hacks and breaches a daily reality for businesses, security teams deal with a barrage of suspicious and anomalous user behaviors and have little time to isolate and focus on the true threats. Today, CloudLock's security intelligence arm, The CloudLock CyberLab announced its breakthrough discovery that solves this challenge -- the "Cloud Threat Funnel." Following its extensive research of the daily behavior of 10 million users, 1 billion files and 140,000 cloud apps, CloudLock CyberLab detected distinct patterns of user behaviors and developed a new process for isolating truly malicious threats from the noise of other potentially suspicious or unusual behaviors. CloudLock's findings and methodology are presented in its Q1-16 cloud cybersecurity report published today, "The Cloud Threat Funnel: Suspicious User Behavior That Matters."

The report reveals that 99.6 percent of users accessed cloud platforms from just one or two countries per week. Establishing this as the norm, the team was then able to isolate the long tail revealing anomalies: 1 in 20,000 users, for example, logged in from six or more countries and, within this group, the CyberLab found some users logging in from as many as 68 different countries in a given week -- real needles in the haystack. By applying the Cloud Threat Funnel methodology, the CyberLab was able to correlate these anomalous behaviors with other high-risk suspicious user activities and pinpoint compromised accounts.

How the Cloud Threat Funnel Works
It starts with all user behavior -- looking at high-fidelity information from an array of sources. This data set can be enriched with third-party threat intelligence resources and run through anomaly detection algorithms to reduce the likelihood of false positives. The threat funnel then moves into anomalies, recognizing outliers that do not conform to expected patterns, like a sudden burst of activity. Anomalies are then distilled down to high-risk, high-impact suspicious activities, by coupling the results of anomaly detection with custom-defined rules and correlating access to sensitive assets and applications. An adaptive, self-learning model, the threat funnel reduces the number of alerts being generated to improve the signal-to-noise ratio and visibility. Using this approach allows security professionals to focus their efforts on true malicious threats.

Identifying Patterns of High-Risk Behaviors
CloudLock's research determined the following user behavior patterns that are representative of the signal-to-noise challenge faced by security teams:

  • The activities of top offenders are significantly higher than the average user. Top offenders exhibit up to 227 times more anomalous activities than average users.
  • Only 0.02 percent (1 in 5,000) of all user activities represent suspicious behaviors.
  • Eight percent of all user logins fail or get challenged. Of these, 1.3 percent originate from risky countries.

What Now?
To embrace the Cloud Threat Funnel, organizations need to deploy an adaptive security model that can provide security teams with predictive, preventive, detective and responsive capabilities. Key components of an adaptive security model include threat intelligence, cloud vulnerability insight, cyber research, community intelligence, centralized policies, and contextual analysis. Leveraging these factors in unison will help avoid alert fatigue and improve the precision of identifying threats.

Starting with the highest impact incidents is the key to success. By narrowing the focus on top offenders and user activities that are the most indicative of true threat, security teams can make confident decisions much faster than ever before and avoid costly breaches with little effort.

To download the full report, visit

About The CloudLock CyberLab
The CloudLock CyberLab is a global team of leading security experts, analysts, penetration testers, incident responders, forensic investigators and security researchers focused on driving unique insight into cybersecurity threats related to the cloud. CloudLock is the only security vendor uniquely combining U.S. and Israeli Military Intelligence with real-time, crowdsourced cloud security insight, continuously monitoring over one billion files daily across more than 10 million users. Security professionals feed into CloudLock's unique security insight through peer-driven, crowdsourced Community Trust Ratings™. This intelligence allows organizations to immediately respond to emerging cloud cyber threats and risky apps.

About CloudLock
CloudLock is the cloud-native CASB and Cloud Cybersecurity Platform that helps organizations securely leverage cloud apps they buy and build. CloudLock delivers security visibility and control for SaaS, IaaS, PaaS and IDaaS environments across the entire enterprise in seconds. Founded by Israeli Elite Cybersecurity Military Intelligence experts, the company delivers actionable cybersecurity intelligence through its data scientist-led CyberLab and crowdsourced security analytics across billions of data points daily. CloudLock has been recognized by Inc. Magazine as the fastest growing security product company in the U.S. and by Glassdoor as one of the top 3 best places to work in the U.S. Learn more at

Contact Information:

CloudLock Press Contact:
Stephanie Olesen