Anomaly Alerts

    Backblaze Anomaly Alerts utilize artificial intelligence and machine learning to detect potentially nefarious operations on your data occurring outside of expected workflows. Known as data exfiltration, these unexpected data transfers can include unauthorized uploads and downloads and are often the result of weak security practices, such as misconfigured security settings or poorly implemented access controls. Without proper monitoring, there is often a delay between when a data exfiltration event occurs and when it is detected. By providing early detection and notification of atypical data operations, Anomaly Alerts allow you to rapidly and proactively respond to such threats with detailed information. 

    Enabling Anomaly Alerts

    To enable Backblaze Anomaly Alerts, please contact a Backblaze Customer Success Manager (CSM). You can work with a CSM to configure your Backblaze Anomaly Alert threshold preferences, which include Low, Medium, or High (threshold preferences default to Medium and above). Once Anomaly Alerts preferences are configured, Backblaze will begin monitoring your account.

    How Anomaly Alerts Work

    Backblaze Anomaly Alerts identify abnormal patterns in uploads and downloads, comparing current activity to an established baseline of historical user activity. Our machine learning models leverage daily and weekly usage patterns to improve detection accuracy. Anomalies are scored based on their severity of deviation from typical activity patterns and classified using configurable thresholds (High, Medium, Low) to flag potential data exfiltration events.

    When Backblaze detects an outlier in user activity, an Anomaly Alert is sent with the following details: 

    • Type of anomaly (UPLOADS or DOWNLOADS)
    • The user-configured anomaly threshold level for the alert (Low, Medium, or High)
    • Date and time of the detection (UTC)
    • A link to your account so that you can review the relevant Bucket Access Logs for the detected anomaly
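
    The baseline comparison and threshold classification described in this section, as an added illustration that is not Backblaze's code or model: a median/MAD score per weekday-and-hour slot stands in for the undisclosed machine learning models. The cut-off values, function names and sample data are assumptions constructed for the example.

```python
import statistics
from datetime import datetime, timedelta, timezone

# Assumed cut-offs on the deviation score; the service's real scoring is not published.
LEVELS = [("High", 12.0), ("Medium", 8.0), ("Low", 4.0)]
RANK = {"Low": 1, "Medium": 2, "High": 3}

def build_baseline(history):
    """Group historical (utc_timestamp, bytes) samples by (weekday, hour) slot."""
    slots = {}
    for ts, nbytes in history:
        slots.setdefault((ts.weekday(), ts.hour), []).append(nbytes)
    return slots

def score(baseline, ts, nbytes):
    """Robust z-score (median/MAD) of nbytes against the same weekday and hour."""
    samples = baseline.get((ts.weekday(), ts.hour), [])
    if len(samples) < 3:
        return 0.0  # too little history for this slot to judge
    med = statistics.median(samples)
    mad = statistics.median(abs(s - med) for s in samples)
    scale = max(1.4826 * mad, 0.05 * med, 1.0)  # floor keeps flat history from dividing by ~0
    return (nbytes - med) / scale

def classify(z):
    """Map a score to High/Medium/Low, or None when it is within normal range."""
    return next((name for name, cutoff in LEVELS if z >= cutoff), None)

def alert(baseline, kind, ts, nbytes, preference="Medium"):
    """Return alert details if the level meets the configured preference, else None."""
    level = classify(score(baseline, ts, nbytes))
    if level is None or RANK[level] < RANK[preference]:
        return None
    return {"type": kind, "level": level, "detected_utc": ts.isoformat()}

def constructed_history(start, weeks=4):
    """Constructed sample data: ~2 GB/h on weekday office hours, ~50 MB/h otherwise."""
    out = []
    for h in range(weeks * 7 * 24):
        ts = start + timedelta(hours=h)
        busy = ts.weekday() < 5 and 9 <= ts.hour < 18
        base = 2_000_000_000 if busy else 50_000_000
        out.append((ts, int(base * (1 + 0.05 * ((h // 168) % 3 - 1)))))
    return out

BASELINE = build_baseline(constructed_history(datetime(2024, 1, 1, tzinfo=timezone.utc)))
SUNDAY_3AM = datetime(2024, 2, 4, 3, tzinfo=timezone.utc)
TUESDAY_10AM = datetime(2024, 1, 30, 10, tzinfo=timezone.utc)
```

    The same 2 GB download hour produces no alert on a Tuesday at 10:00 UTC and a High alert on a Sunday at 03:00 UTC, because each hour is compared only with its own slot in the weekly pattern.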

    Responding to Anomaly Alerts

    Please treat any Anomaly Alert as a potentially critical situation and respond promptly by investigating and addressing the anomaly. Upon receiving an Anomaly Alert, carefully review the details of your Anomaly Alert email notification and examine your Bucket Access Logs. You can help mitigate the risk of data exfiltration in the following ways:

    • Review your current security measures and conduct regular security audits.
    • Rotate access keys and review bucket permissions to ensure that permissions adhere to the principle of least privilege, wherein only the minimum necessary access is granted. 
    • Consider enabling Object Lock where appropriate to create immutable backups.
    • For more information on responding to Anomaly Alerts, please contact Backblaze support.


