Systems and methods for detecting anomalies that are potentially indicative of malicious attacks
US-10104100-B1 · Oct 16, 2018 · US
US10536473B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10536473-B2 |
| Application number | US-201715433058-A |
| Country | US |
| Kind code | B2 |
| Filing date | Feb 15, 2017 |
| Priority date | Feb 15, 2017 |
| Publication date | Jan 14, 2020 |
| Grant date | Jan 14, 2020 |
Official abstract text for this publication.
An anomaly detection system is provided and includes a processor, a memory, and a security application that is stored in the memory and includes instructions. The instructions are configured to collect information of behavior data for the users of an organization accessing cloud applications via a distributed network. The behavior data includes one or more parameters tracked over time for the users. The instructions are further configured to: establish baselines for each of the users and for each of the cloud applications or types of cloud applications of the organization; detect anomalies based on the baselines; provide aggregated anomaly data by aggregating anomalies corresponding to two or more of the baselines and a same behavior or corresponding to multiple users of a same cloud application during a same period of time; determine a risk value based on the aggregated anomaly data; and perform a countermeasure based on the risk value.
Opening claim text (preview).
What is claimed is:

1. An anomaly detection system comprising: a processor; a memory; and a security application stored in the memory and including instructions, which are executable by the processor and are configured to: collect information of behavior data for a plurality of users of an organization accessing one or more cloud application(s) via a distributed network, wherein the behavior data includes tracked information tracked over time for the plurality of users, and wherein the one or more cloud application(s) are implemented on one or more server computer(s) of a service provider; establish a plurality of baselines for each of the plurality of users and for each of the one or more cloud application(s) or types of cloud applications of the organization; detect anomalies based on the plurality of baselines; provide aggregated anomaly data by aggregating the anomalies (i) corresponding to two or more of the plurality of baselines and a same behavior, or (ii) corresponding to multiple users of a same cloud application during a same period of time, wherein the aggregated anomaly data includes weighted values describing the aggregated anomalies, with higher weights of the weighted values indicating higher likelihoods that the aggregated anomaly data is associated with malicious activity, wherein multiple different types of aggregations are selectably performable to aggregate the anomalies, each of the multiple different types of aggregations being associated with a corresponding weight used to weight the weighted values, and wherein determining which specific weight to apply to the weighted values is based on which particular type of aggregation included within the multiple different types of aggregations is selected to aggregate the anomalies; determine a risk value based on the aggregated anomaly data; and perform a countermeasure based on the risk value.

2. The anomaly detection system of claim 1, wherein: the security application collects the information by requesting logs from at least one of a proxy, a gateway, or a firewall; and the logs include fields indicating access periods of the one or more cloud application(s), Internet protocol addresses of client computers of the plurality of users, usernames of the plurality of users, names of the one or more cloud application(s), volumes of data transferred between the client computers and machines of the one or more cloud application(s), and numbers of transactions between the client computers and the machines of the one or more cloud application(s).

3. The anomaly detection system of claim 1, wherein the security application, in establishing the plurality of baselines: selects the tracked information of the behavior data to monitor; selects a parameterized statistical distribution from a family of distributions based on the tracked information; fits values of the tracked information provided from the behavior data to the selected parameterized statistical distribution; and determines a mean and a variance based on the fitted values.

4. The anomaly detection system of claim 3, wherein the security application detects the anomalies based on the values of the tracked information, the mean and the variance.

5. The anomaly detection system of claim 3, wherein the security application, in determining the risk value, determines a probability that the aggregated anomaly data is to occur based on the plurality of baselines, the mean, a difference between the mean and the aggregated anomaly data, and the variance.

6. The anomaly detection system of claim 1, wherein the security application aggregates the anomalies corresponding to the two or more of the plurality of baselines to provide the aggregated anomaly data.

7. The anomaly detection system of claim 1, wherein the security application aggregates the anomalies corresponding to the multiple users of the same cloud application during the same period of time to provide the aggregated anomaly data.

8. The anomaly detection system of claim 1, wherein the countermeasure includes: alerting one of the plurality of users, a client computer, an owner of a machine executing a cloud application associated with the aggregated anomaly data, or a representative of a service provider of the cloud application associated with the aggregated anomaly data, wherein the one or more cloud application(s) include the cloud application associated with the aggregated anomaly data; and preventing or limiting access for one of the plurality of users to the cloud application associated with the aggregated anomaly data.

9. The anomaly detection system of claim 1, wherein collecting the information of the behavior data for the plurality of users is performed by determining one or more parameter(s) to monitor and requesting the one or more parameter(s) from a firewall.

10. An anomaly detection system comprising: a processor; a memory; and a security application stored in the memory and including instructions, which are executable by the processor and are configured to: collect information of behavior data for a plurality of client computers of an organization accessing one or more cloud application(s) via a distributed network, wherein the behavior data includes tracked information tracked over time for the plurality of client computers, and wherein the one or more cloud application(s) are implemented on one or more server computer(s) of a service provider; establish a plurality of baselines for each of the plurality of client computers and for each of the one or more cloud application(s) or types of cloud applications of the organization; detect anomalies based on the plurality of baselines; provide aggregated anomaly data by aggregating the anomalies (i) corresponding to two or more of the plurality of baselines and a same behavior, or (ii) corresponding to multiple client computers accessing a same cloud application during a same period of time, wherein the aggregated anomaly data includes weighted values describing the aggregated anomalies, with higher weights of the weighted values indicating higher likelihoods that the aggregated anomaly data is associated with malicious activity, wherein multiple different types of aggregations are selectably performable to aggregate the anomalies, each of the multiple different types of aggregations being associated with a corresponding weight used to weight the weighted values, and wherein determining which specific weight to apply to the weighted values is based on which particular type of aggregation included within the multiple different types of aggregations is selected to aggregate the anomalies; determine a risk value based on the aggregated anomaly data; and perform a countermeasure based on the risk value.

11. The anomaly detection system of claim 10, wherein the security application, in establishing the plurality of baselines: selects the tracked information of the behavior data to monitor; selects a parameterized statistical distribution from a family of distributions based on the tracked information; fits values of the tracked information provided from the behavior data to the selected parameterized statistical distribution; and determines a mean and a variance based on the fitted values.

12. The anomaly detection system of claim 11, wherein the security application detects the anomalies based on the values of the tracked information, the mean and the variance.

13. The anomaly detection system of claim 11, wherein the security application, in determining the risk value, determines a probability that the aggregated anomaly data is to occur based on the plurality of baselines,
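The pipeline the abstract and claims 1 to 8 describe (per-user and per-application baselines fit to a distribution, anomalies judged against mean and variance, aggregation across baselines or across users of one application in one period, weights per aggregation type, a risk value and a countermeasure) is worked below as an added example; it is not the patent's own code. The log records, the 3-sigma threshold, the two weights and the risk cut-offs are all assumed values, and a normal distribution stands in for the claims' unspecified "parameterized statistical distribution".

```python
from collections import defaultdict
from math import erfc, sqrt
from statistics import mean, pvariance

# Constructed proxy-log records (period, user, app, bytes): periods 0-4 are
# history, period 5 holds the events to score. All values are invented.
LOGS = [(p, "alice", "crm", b) for p, b in enumerate((1000, 1100, 900, 1050, 950))]
LOGS += [(p, "bob", "crm", b) for p, b in enumerate((1200, 1300, 1100, 1250, 1150))]
LOGS += [(p, "carol", "mail", b) for p, b in enumerate((800, 850, 750, 820, 780))]
LOGS += [(5, "alice", "crm", 9000), (5, "bob", "crm", 9500), (5, "carol", "mail", 820)]

# Assumed tunables: the claims leave the threshold, weights and cut-offs open.
SIGMAS = 3.0
WEIGHTS = {"multi_baseline": 1.5, "multi_user_same_app": 2.0}
ALERT_RISK, LIMIT_RISK = 1.0, 3.0

def fit_baselines(history):
    """Claim 3: fit a normal (mean, variance) to bytes per user and per app."""
    per_user, per_app = defaultdict(list), defaultdict(list)
    for _, user, app, nbytes in history:
        per_user[user].append(nbytes)
        per_app[app].append(nbytes)
    fit = lambda xs: (mean(xs), max(pvariance(xs), 1.0))  # floor avoids zero variance
    return {u: fit(v) for u, v in per_user.items()}, {a: fit(v) for a, v in per_app.items()}

def assess(logs, period):
    """Claims 1, 4, 5 and 8: detect, aggregate per app, weight, score, choose a countermeasure."""
    users, apps = fit_baselines([r for r in logs if r[0] < period])
    z = lambda x, bl: (x - bl[0]) / sqrt(bl[1])  # claim 4: deviation in standard deviations
    by_app = defaultdict(list)
    for p, user, app, nbytes in logs:
        if p == period:
            by_app[app].append((user, z(nbytes, users[user]), z(nbytes, apps[app])))
    report = {}
    for app, events in by_app.items():
        flagged = [e for e in events if abs(e[1]) > SIGMAS or abs(e[2]) > SIGMAS]
        kinds = []
        if any(abs(zu) > SIGMAS and abs(za) > SIGMAS for _, zu, za in flagged):
            kinds.append("multi_baseline")       # (i) one behaviour, two or more baselines
        if len({u for u, _, _ in flagged}) >= 2:
            kinds.append("multi_user_same_app")  # (ii) several users of one app, one period
        # Claim 5: two-sided tail probability of the largest deviation under the fitted normal
        tail = min((erfc(abs(s) / sqrt(2)) for _, zu, za in flagged for s in (zu, za)), default=1.0)
        risk = sum(WEIGHTS[k] for k in kinds) * (1.0 - tail)
        action = "limit_access" if risk >= LIMIT_RISK else "alert" if risk >= ALERT_RISK else "none"
        report[app] = {"anomalous_users": sorted(u for u, _, _ in flagged),
                       "aggregations": kinds, "risk": round(risk, 3), "countermeasure": action}
    return report
```

Running `assess(LOGS, 5)` flags both crm users under their own and the application baseline in the same period, so both aggregation weights apply and the risk crosses the limit threshold, while the mail user's small deviation yields no action.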
Traffic logging, e.g. anomaly detection · CPC title
Proxies · CPC title
Countermeasures against malicious traffic (countermeasures against attacks on cryptographic mechanisms H04L9/002) · CPC title