Introduction
This guide walks you through the steps required to configure One Identity Safeguard for Privileged Sessions (SPS) so that you can start analyzing session data and user behavior using One Identity Safeguard for Privileged Analytics (SPA).
SPS and SPA are part of the One Identity Safeguard solution, which in turn is part of One Identity's Privileged Access Management portfolio.
One Identity Safeguard for Privileged Analytics (SPA) integrates data from SPS to use as the basis of user behavior analysis. SPA uses machine learning algorithms to scrutinize behavioral characteristics (using data from SPS), and generates a user behavior profile for each individual privileged user. SPA compares actual user activity to user profiles in real time, with profiles being continually adjusted using machine learning. When SPA detects unusual activity, this is indicated on the user interface of SPS in the form of high scores and visualized insight.
NOTE: The primary audience of this guide is One Identity Pre-Sales and Support Engineers, as well as Engineers representing One Identity's Partners.
If you wish to configure SPS to interwork with SPA as an end user, contact our Support Team or Professional Services for assistance.
Before you start
Prerequisites
One Identity Safeguard for Privileged Sessions has the following requirements when using it with One Identity Safeguard for Privileged Analytics:
Table 1: One Identity Safeguard for Privileged Sessions prerequisites

SPS version
  Any supported version from version 5 F4 onward, ideally the latest one.

License
  A license that has One Identity Safeguard for Privileged Analytics (SPA) enabled.
  To find out if your license supports SPA, obtain a support bundle, and check license information in the configuration XML.
  For details on how to obtain a support bundle, see Collecting logs and system information for error reporting in the Administration Guide.
  Alternatively, if you are unsure whether you have licensing enabled, it is safe to assume that you do not.
  NOTE: If you are using SPS 5 F5 or later, you are able to run SPA without a license option for 2 months.

Access rights
  A user account with admin access rights.

Session data from network traffic
  Session data that:
  - contains real, unique usernames linked to users other than root/administrator or a shared account
  - has commands extracted
  - has keystrokes extracted
  - has window titles extracted
  For more details, see Prerequisites in Analyze data using One Identity Safeguard for Privileged Analytics.
NOTE: If you are upgrading to SPS version 5 F4 or later from an earlier version, wait for the session database upgrade to finish.
To track progress, check the system monitor. It displays a message telling you that the session database upgrade is in progress, and it also shows the percentage of completion.
You can also go to Search, where all data that has been through the upgrade process is available.
In the case of large databases, the upgrade can take hours or even days, but the system should remain completely usable during the process. The upgrade starts with the most recent sessions and goes backward in time.
Limitations
SPS used in combination with SPA currently has the following limitations:
- SPA requires at least 12GB RAM to operate. If you are interested in upgrading your appliance, contact our Support Team.
- SPA requires a lot of computation, which can put pressure on SPS:
  - The keystroke algorithm is much more resource-hungry than the other algorithms, therefore our recommendation is to start analyzing data using the algorithms that require fewer resources.
  - Before you start using SPA, make sure that at least half the capacity of SPS is available.
- SPA only analyzes audit trails and SPS metadata; it does not analyze log data.
Algorithms
One Identity Safeguard for Privileged Analytics analyzes user behavior with the help of algorithms, also called analytics.
The algorithms of One Identity Safeguard for Privileged Analytics are mathematical methods that can be used to analyze session data from multiple angles. Algorithms have to be trained using a history of session data. Based on this training, an algorithm can build a baseline of a particular user's behavior and score new sessions. Scores will indicate whether a particular user's behavior is normal or unusual, compared to the baseline. Algorithms also provide visualization to display insight about user behavior.
Currently, the following algorithms are supported:
- The keystroke algorithm is able to tell whether a user is really who they say they are based on their typing dynamics. SPA compiles a typing profile for each user based on how many seconds it typically takes for the user to press combinations of keys on their keyboard. The keystroke algorithm analyzes keyboard data coming from RDP or SSH sessions and compares it with the user's profile.
- SPA compiles a commands profile for the user based on the commands that they usually execute. The command algorithm determines the probability of the occurrence of certain commands within a session.
- The login time algorithm builds a profile based on the exact time of day when a user logs in. Based on the user's profile, it can tell how unusual the time of login is, given the daily distribution of the user's login events in the past.
- The host login algorithm analyzes how similar two hosts are based on the users that log in to those hosts. When a user logs in to a host that they never or only very rarely log in to, that will not be considered an anomaly if that host is similar to other hosts that the user frequently uses.
- The frequent item set (fis) algorithm is similar to a "customers who bought these items also bought" type of algorithm used on e-commerce websites. It examines multiple attributes of sessions and attempts to find values that frequently appear together, forming a set. Using this information, the fis algorithm is able to discover patterns in user behavior, such as "this person only uses RDP in the middle of the night from this IP address".
- The window title algorithm analyzes window titles to uncover unusual user behavior, that is, it identifies users based on what window titles they usually have on their screen. It is currently an experimental algorithm and is disabled by default.
  Caution: This is an EXPERIMENTAL feature. It is documented, but the performance impact on production systems has not been determined yet. Therefore this feature is not yet covered by support. However, you are welcome to try it (preferably in non-production systems) and if you have any feedback, send it to feedback-sps@oneidentity.com.
- The mouse-movement-based user authentication algorithm is able to tell whether a user is who they say they are based on their mouse movements.
  Caution: This is an EXPERIMENTAL feature. It is documented, but the performance impact on production systems has not been determined yet. Therefore this feature is not yet covered by support. However, you are welcome to try it (preferably in non-production systems) and if you have any feedback, send it to feedback-sps@oneidentity.com.
- The scripted session detection determines whether the activities in a session indicate that the session is scripted. The following internal algorithms assist in the background in determining whether a session is scripted:
  - The clockmaster algorithm is able to detect unnaturally precise sessions that start repeatedly at certain peak minutes of an hour (for example, at 8:30, 10:30, 11:30, and so on). The algorithm flags such sessions as scripted sessions. The reasoning is that, over a longer period, the minute values in the timestamps of human activity are expected to follow a uniform random distribution, or one very close to it.
  - The gapminder algorithm is able to detect scripted sessions based on the time gaps between the sessions that belong to a given account. When the time gaps between sessions have typical, repeating values, that suggests unnatural periodic behavior. The gapminder algorithm does not build baselines. Instead, it continuously checks for time gaps of equal length between sessions. If there are four consecutive sessions with equal time gaps between them and they are followed by a fifth session with the same time gap, then the algorithm flags the fifth session as a scripted session.
    Regarding the size of time gaps and how big a gap qualifies as a time gap worth monitoring, the algorithm considers the time elapsed between two sessions to be a time gap if the length of the gap is equal to or greater than 10 minutes and equal to or less than two days.
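The two scripted-session heuristics above are specified precisely enough to be reproduced over a list of session start times. The script below is an added example written for this guide; it is not SPA's own code and makes no claim about how SPA implements these checks internally. The gapminder rule (four consecutive equal gaps, then a fifth session with the same gap is flagged) and the 10-minute to two-day gap bounds are taken from the text; the jitter tolerance, the minimum session count and the 50% minute-of-hour concentration threshold used for the clockmaster-style check are assumptions of this example, and the session timestamps are constructed sample data.

```python
from collections import Counter
from datetime import datetime, timedelta

# Gap bounds stated in the documentation: a gap is monitored only if it is
# at least 10 minutes and at most two days long.
MIN_GAP = timedelta(minutes=10)
MAX_GAP = timedelta(days=2)


def monitored_gaps(starts):
    """Gaps between consecutive (sorted) session starts; None where a gap
    falls outside the monitored 10-minute..2-day range."""
    starts = sorted(starts)
    gaps = []
    for earlier, later in zip(starts, starts[1:]):
        gap = later - earlier
        gaps.append(gap if MIN_GAP <= gap <= MAX_GAP else None)
    return gaps


def gapminder_flags(starts, tolerance=timedelta(0)):
    """Gapminder rule from the text: four consecutive sessions with equal
    monitored gaps, followed by a fifth session with the same gap, flag that
    fifth session. `tolerance` is an assumption of this example (default is
    an exact match) so that a few seconds of jitter do not hide a period."""
    starts = sorted(starts)
    gaps = monitored_gaps(starts)
    flagged = set()
    # Session i is preceded by gaps[i-4] .. gaps[i-1]; all four must match
    # and all four must lie inside the monitored range.
    for i in range(4, len(starts)):
        window = gaps[i - 4:i]
        if any(g is None for g in window):
            continue
        reference = window[0]
        if all(abs(g - reference) <= tolerance for g in window[1:]):
            flagged.add(starts[i])
    return flagged


def clockmaster_minutes(starts, min_sessions=10, share_threshold=0.5):
    """Minute-of-hour concentration check in the spirit of clockmaster.
    Human activity should spread roughly uniformly over the 60 minutes of an
    hour, so a single minute that collects at least `share_threshold` of all
    session starts is reported as {minute: count}. Both thresholds are
    assumptions of this example, not values documented for SPA."""
    if len(starts) < min_sessions:
        return {}
    counts = Counter(s.minute for s in starts)
    return {m: c for m, c in counts.items() if c / len(starts) >= share_threshold}


# Constructed sample data (not taken from any real SPS deployment).
BASE = datetime(2024, 1, 1, 8, 30)
# A job that reconnects every 30 minutes: six sessions, five equal gaps.
PERIODIC = [BASE + timedelta(minutes=30 * k) for k in range(6)]
# The same job with up to 20 seconds of scheduling jitter.
JITTERED = [s + timedelta(seconds=(k % 2) * 20) for k, s in enumerate(PERIODIC)]
# Reconnects every 5 minutes: gaps are below the 10-minute monitoring floor.
FAST = [BASE + timedelta(minutes=5 * k) for k in range(6)]
# A human operator with irregular gaps between logins.
HUMAN = [BASE + timedelta(minutes=m) for m in (0, 47, 133, 151, 402, 1010)]
# A daily job that always starts on minute :30 but in varying hours, so the
# gaps are not equal but the minute-of-hour is suspiciously fixed.
ON_THE_HALF_HOUR = [datetime(2024, 1, 1 + d, 8 + d % 3, 30) for d in range(12)]


def summarize(starts, tolerance=timedelta(0)):
    """Run both checks and return a small report for one account."""
    return {
        "gapminder": sorted(gapminder_flags(starts, tolerance)),
        "clockmaster": clockmaster_minutes(starts),
    }


if __name__ == "__main__":
    for name, starts in (("periodic", PERIODIC), ("jittered", JITTERED),
                         ("fast", FAST), ("human", HUMAN),
                         ("half-hour", ON_THE_HALF_HOUR)):
        print(name, summarize(starts, tolerance=timedelta(minutes=1)))
```

With exact matching, only the last two sessions of the 30-minute series are flagged (the fifth and sixth, since each is preceded by four equal gaps); the 5-minute series produces no flags because none of its gaps reach the 10-minute floor, and the daily job is caught only by the minute-of-hour check, which is the complementary role the text describes for clockmaster.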
The range of algorithms available is planned to be extended in future releases.
SPA automatically runs an algorithm evaluator tool each day to evaluate how well these algorithms for analytics are working on the current dataset residing on the SPS deployment. For more information on this tool, see Algorithm evaluation. If you want more information on how to interpret the evaluation results on your SPS deployment, contact our Support Team.
Algorithm evaluation
The algorithm evaluator tool is a support tool used to evaluate how well the machine learning algorithms for SPS analytics are working on the current dataset residing in the SPS deployment. The tool is run every day automatically by analytics-daily.service, but you can also run it manually by issuing the following commands on the console, when instructed to do so by One Identity Support:
- make-cross-scores: This command performs a scoring calculation that serves as the basis for the algorithm evaluation procedure.
- evaluate-cross-scores: This command evaluates the metrics of the scoring performed with the make-cross-scores command, and generates the report of the evaluation, available at the following location:
  /opt/pam-pipeline/var/algoeval-report/
The report directory contains the evaluation results in a report.txt file and in several plot image files in PNG (*.png) format. Send these report files to One Identity Support when instructed.