Niv Goldenberg I like what I'm seeing here. Question on this one (#4): "Certain alert types, such as an “Activity from infrequent country” alert may require additional input or context from the affected user, for the security operation teams to act on. In these cases, we can create a playbook to send a text or email to the user for two factor confirmation that activity in CAS indeed originated from the user."
That's an interesting choice of wording. I don't think you are enforcing a second-factor authentication request of the user with the Microsoft Authentication app or something similar, for example. What you are asking for is a written confirmation that the login was valid. So if the login has occurred and the login is invalid, then the attacker has the credentials, will get the email message (as will the valid user), and could respond directly to affirm validity. The text message route would be harder to penetrate.
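The weakness raised in this comment, that a confirmation mail lands in the same mailbox the attacker can already read, is easy to build into the playbook logic itself. The following is an added example, not code from the article or from the commenter: a small Python playbook stub that treats credential-risk alert types ("Activity from infrequent country" and "Impossible travel" are assumed as the list here) as cases where e-mail to the affected account is not out-of-band, sends a one-time, alert-bound code over SMS only, escalates to an analyst when no phone number is on file, and enforces single use and expiry when the reply comes back. The `User`, `Alert` and `ConfirmationPlaybook` names, the 10-minute TTL and the in-memory `sent` list standing in for a real SMS/mail sender are all assumptions for illustration.

```python
"""Out-of-band user confirmation for a CAS alert (added example, not the article's code)."""
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed list: alert types that imply the account's password may already be in the
# attacker's hands. For these, mail to that account is not an out-of-band channel.
CREDENTIAL_RISK_ALERTS = {"Activity from infrequent country", "Impossible travel"}
CODE_TTL_SECONDS = 600  # assumed: code is valid for 10 minutes


@dataclass
class User:
    upn: str
    email: str
    phone: Optional[str]  # E.164 number on file, or None if the user has none registered


@dataclass
class Alert:
    alert_id: str
    alert_type: str
    user: User


@dataclass
class Pending:
    alert_id: str
    upn: str
    channel: str
    code: str
    expires_at: float
    used: bool = False


class ConfirmationPlaybook:
    def __init__(self, now=time.time):
        self._now = now                      # injectable clock so expiry is testable
        self._pending: Dict[str, Pending] = {}  # keyed by alert_id; one open request per alert
        # (channel, destination, message) tuples; stands in for the real SMS/mail sender
        self.sent: List[Tuple[str, str, str]] = []

    def choose_channel(self, alert: Alert) -> Optional[str]:
        """Pick a channel the attacker is unlikely to control, or None to escalate."""
        if alert.alert_type in CREDENTIAL_RISK_ALERTS:
            # The mailbox is readable with the same stolen password, so only SMS counts.
            return "sms" if alert.user.phone else None
        # Lower-risk alert types: SMS still preferred, e-mail acceptable as a fallback.
        return "sms" if alert.user.phone else "email"

    def issue(self, alert: Alert) -> Optional[Pending]:
        """Send a one-time, alert-bound code. Returns None when an analyst must handle it."""
        channel = self.choose_channel(alert)
        if channel is None:
            return None  # no trustworthy channel: hand the alert to an analyst instead
        code = f"{secrets.randbelow(10 ** 6):06d}"  # CSPRNG-backed 6-digit code
        pending = Pending(alert.alert_id, alert.user.upn, channel, code,
                          self._now() + CODE_TTL_SECONDS)
        self._pending[alert.alert_id] = pending
        dest = alert.user.phone if channel == "sms" else alert.user.email
        self.sent.append((channel, dest,
                          f"Security check for sign-in alert {alert.alert_id}: "
                          f"reply with {code} only if this sign-in was you."))
        return pending

    def verify(self, alert_id: str, code: str) -> str:
        """Validate a user's reply. Codes are single-use, time-limited and bound to one alert."""
        p = self._pending.get(alert_id)
        if p is None:
            return "no-request"
        if p.used:
            return "replay"
        if self._now() > p.expires_at:
            return "expired"
        if not secrets.compare_digest(p.code, code):  # constant-time comparison
            return "mismatch"
        p.used = True
        return "confirmed"


if __name__ == "__main__":
    # Constructed sample data, not taken from any real tenant.
    alice = User("alice@contoso.example", "alice@contoso.example", "+15555550100")
    bob = User("bob@contoso.example", "bob@contoso.example", None)
    pb = ConfirmationPlaybook()
    req = pb.issue(Alert("A-1", "Activity from infrequent country", alice))
    print("alice ->", req.channel, pb.sent[-1][1])            # sms, phone number
    print("bob   ->", pb.issue(Alert("A-2", "Activity from infrequent country", bob)))  # None
    print("reply ->", pb.verify("A-1", req.code))              # confirmed
```

The deciding check is in `choose_channel`: when the alert type already implies stolen credentials, the playbook refuses to use the mailbox at all rather than treating it as a weaker second choice, and a user with no phone on file goes to an analyst instead of receiving a mail the attacker could answer.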