Monitoring Box Security with USM Anywhere

May 24, 2019  |  Jose Manuel Martin


We recently announced the release of the new AlienApp for Box in USM Anywhere, which uses the Box Events API to track and detect detailed activity on Box. This new addition to the AlienApps ecosystem provides an extra layer of security to cloud storage services that many enterprises are outsourcing to Box. Beyond monitoring and data collection, USM Anywhere offers early detection of critical events and alerting, thanks to event correlation and business intelligence.

AT&T Alien Labs researchers have devised a set of 18 new correlation rules combining Box Events API features and other security indicators. This set is part of the AT&T AlienLabs threat intelligence feed and is included in every USM Anywhere installation.

USM Anywhere provides a fully configurable visualization panel of events retrieved from the Box Events API. It can be used to get a quick summary of the activity that users and applications performed with the Box service, as well as discover common user actions that may pose a security risk for the account.

Monitoring Box visualization panel

Configuring USM Anywhere to work with a Box account is easy. It can work with most authentication methods. It is possible to configure App Token Authentication or JWT tokens, which use a private key to sign the requests. The visual interface guides the user through the credential configuration steps, shows a settings panel, a history of actions performed on schedule, and a brief status of the application.


Monitoring Box authentication

Moving data security to the cloud

Box enables companies to store their data in the cloud. This moves the scope of data security to platforms that can be accessed from the Internet at any moment and by multiple accounts at the same time. Brute force login attempts or spraying password attacks are among the most common intrusion mechanisms.

However, is all data treated the same way? How sensitive data is transmitted and stored is a major concern for enterprises. For instance, companies in the financial business aiming to meet PCI compliance using cloud storage services need to  confirm to their clients that credit card data is always protected from unauthorized access and available to be consumed at any time. Encryption is also a necessity to keep data at rest not accessible by unauthorized users. Box allows customers with special requirements to customize the encryption algorithm applied to their data, meeting performance requirements or facilitating compatibility with their applications.

Box provides a feature called Content Security Policy that allow companies to manage their sensitive data in a special fashion. It automatically detects digit strings matching a social security number or credit card data formats and enables automation of notifications or special storage. This type of features plays a leading role in data security and management for companies handling large amounts of data.

To prevent adversaries with access to a Box account to craft or remove the Content Security Policies configured by the company, USM Anywhere alerts when any of these objects are deleted.

Monitoring Box defense evasion

All these alerts are compatible with the set of features for security management utilized by USM Anywhere, including automation of actions, alerts suppression, reporting, or pivoting. Additionally, the USM Anywhere user will find a brief guideline for each alert, providing valuable scope to better understand the security implications and tips about how to proceed.

Malware detection

Compromised user accounts in cloud environments open a new door that adversaries can use to get initial access to machines and applications connected to the cloud service. Shared network  drives allow malware to spread through other user accounts and applications very quickly, thanks to file transfer automation.

USM Anywhere detects malicious activity by correlating threat indicators, including the latest indicators of compromise contributed to the Open Threat Exchange community. This enables early detection of interactions with known bad hosts. To detect threats against Box accounts, we have added correlation rules to detect user authentication from known malicious hosts, file transfers and other activities. Other indicators are observed to detect ransomware infections on a host machine, like known ransomware extensions in files or instruction-to-decrypt file uploads.

Monitoring Box credential abuse

Monitoring Box known malicious infrastructure

The USM network IDS is a valuable source of network information as well. Combining local network activity with Box events can help lead to early detections of host compromises. we added the correlation rule Executable Downloaded from Box Followed by Malware Activity, which checks for several indicators present in a given time gap to establish a reliable compromise alert.

Monitoring Box malware infection

In addition, Box tracks metrics with their own logic to automate malware detection. Box Anti-Virus Protection is a service available for Box Enterprise accounts that allows for malware detection based in file scan. This way, all files uploaded to Box are shared with a trusted third party that perform the virus scan. Any detection is automatically shared through the Box Events API channel.

Monitoring Box detected malicious file

It’s important to note that only those customers opting for anti-virus detection will have their files scanned by the trusted third party, allowing privacy for companies concerned about sensitive data disclosure.

Security measures for accessing cloud data

A key aspect to cover with cloud security is providing that data is accessed only by those who are authorized to do so. Stealing user credentials can allow adversaries to manipulate the cloud management configuration and consume private data. It is recommended to fortify user accounts with measures like multifactor authentication to mitigate the risk of credential compromise.

In the Box context, user accounts are managed by the admin user. Management operations can be monitored through the Box Events API. A wide variety of events are generated to announce user creation and deletion, two-factor authentication disabling, or new logon from an unknown device, for example.

Adversaries with access to valid user credentials and access control features will try to disable multi-factor authentication before taking advantage of them. This is a common scenario, when authorized users try to impersonate another user before performing a compromising action. USM Anywhere will issue a security alarm when an account is manipulated.

Monitoring Box access control

Access control monitoring provides valuable information to detect strange user behaviors. Information like the country from which a user logs on, or the device they used to do it, can be used to detect credential abuse indicators. User logins from two different countries in a short time period, or multiple user account deletion are signals of account compromise, and AT&T Alien Labs added correlation rules to detect it.

Monitoring Box credential abuse user login

Monitoring Box account manipulation

Orchestration rules in USM Anywhere allow security administrators to create more narrow detection patterns for their specific applications, looking at indicators like unexpected file types shared, unusual IP addresses requests, illogical logon source countries or unauthorized downloads.


While companies and regular users are more often trusting cloud services for data storage, adversaries are devising new attack vectors to compromise user accounts and access the valuable data. Access control management, user authorization or sensitive data disclosure are key aspects to consider when thinking about cloud security.

USM Anywhere is aiming to become the most complete security infrastructure for cloud services thanks to AlienApps, which make use of cloud services providers features. The new AlienApp for Box is the latest addition to the AlienApp ecosystem.

AT&T Alien Labs adds a wide variety of correlation rules and other detection pieces to the USM Anywhere platform. For that, we have worked with the Box Events API and identified key event traces to establish reliable pre and post intrusion attempt alerts. These rules are oriented to common attack vectors seen in cloud environments, like user account manipulation, brute force access attempts and malware spreading indicators.

Security administrators can also enable customized detection features for their applications by taking advantage of the USM Anywhere potential alongside the Box Event API feedback.


Below the full list of correlation rules implemented by AT&T Alien Labs featuring the Box Events API:

Access Control Modification - Two-Factor Authentication Disabled

Account Manipulation - Multiple User Accounts Deleted

Anomalous User Behavior - Admin Login from Unknown Device

Brute Force Authentication - Multiple Login Failures

Brute Force Authentication - Successful Login after Brute Force

Brute Force Authentication - Password spraying against Box

Credential Abuse - Authentication to Box from Known Malicious Host

Credential Abuse - User Login from Two Different Countries in a Short Period

Data Exfiltration - File sent to Known Malicious Host

Defense Evasion - Cover Tracks - User Account Created and Deleted in Short Period

Defense Evasion - Disabling Security Tools - Box Security Policy Deleted

Known Malicious Infrastructure - File shared from a Known Malicious Host

Known Malicious Infrastructure - Box Application Created from Known Malicious Host

Malware Infection - Box Detected a Malicious File Upload

Malware Infection - Executable Downloaded from Box Followed by Malware Activity

Ransomware Infection - Multiple Uploads with Known Ransomware Extension

Ransomware Infection - Ransomware Decryption Instructions File Upload

Sensitive Data Disclosure - Box Support Access Granted

Share this with others

Tags: usm anywhere, box

Get price Free trial