Chat now with support
Chat with Support

Security Analytics Engine 1.1 - User Guide

Security Analytics Engine Overview Plugins Conditions Shared Policies Applications Auditing Issued Alerts Policy Overrides Fallback Password Security Settings Glossary

Authentication List

* 
NOTE: The BuiltinPlugin is associated with this condition and provides important settings.
Categorized as a Behavior condition, this type of condition determines the method of authentication used for access. The following parameters are available:
Table 13. Authentication List parameters
Parameter
Description
Associated default conditions
Identifier
Enter a name for the condition.
Weak Authentication (Default)
Strong Authentication (Default)
Description
Enter a description for the condition.
Weak Authentication (Default)
Request used a weak method of authentication.
Strong Authentication (Default)
Request used a strong method of authentication.
Risk Type Value
Select the impact the condition will have on the risk score:
Can increase risk - Selecting this option will cause the risk score to increase if the access attempt comes from a listed authentication method.
Can decrease risk - Selecting this option will cause the condition score to decrease if the access attempt comes from a listed authentication method. A condition with this setting can only be used as a modifier in a risk policy.
Can both increase or decrease risk - Selecting this check box will allow you to configure the risk score to either increase or decrease.
NOTE: In order to avoid application configuration errors, this parameter cannot be edited once the condition has been saved.
Weak Authentication (Default)
Can increase risk
Strong Authentication (Default)
Can decrease risk
Authentication Definitions
From the drop-down list, select the check box to the left of an authentication method to check for it during an access attempt.
Weak Authentication (Default)
14 item(s) selected - SAML 1.1 Password, SAML 2.0 Internet Protocol, SAML 2.0 InternetProtocolPassword, SAML 2.0 MobileOneFactorUnregistered, SAML 2.0 MobileOneFactorContract, SAML 2.0 Password, SAML 2.0 PasswordProtectedTransport, SAML 2.0 PreviousSession, SAML 2.0 Telephony, SAML 2.0 Telephony (“Nomadic”), SAML 2.0 Telephony (Personalized), SAML 2.0 Telephony (Authenticated), SAML 2.0 Unspecified, SAML 1.1 Unspecified
Strong Authentication (Default)
34 item(s) selected - SAML 1.1 Kerberos, SAML 1.1 Secure Remote Password (SRP), SAML 1.1 Hardware Token, SAML 1.1 SSL/TLS Certificate-Based Client Authentication, SAML 1.1 PGP Public Key, SAML 1.1 SPKI Public Key, SAML 1.1 XKMS Public Key, SAML 1.1 XML Digital Signature, SAML 2.0 Kerberos, SAML 2.0 MobileTwoFactorUnregistered, SAML 2.0 MobileTwoFactorContract, SAML 2.0 Public Key - X.509, SAML 2.0 Public Key - PGP, SAML 2.0 Public Key - SPKI, SAML 2.0 Public Key - XML Digital Signature, SAML 2.0 SmartcardPKI, SAML 2.0 Smartcard, SAML 2.0 SoftwarePKI, SAML 2.0 Secure Remote Password, SAML 2.0 SSL/TLS Certificate-Based Client Authentication, SAML 2.0 TimeSyncToken, ADSF IWA, CAM Multi-factor Windows Radius, CAM Multi-factor Password Radius, CAM Multi-factor Kerberos Radius, CAM Multi-factor Certificate Radius, CAM Multi-factor Kerberos Certificate, CAM Multi-factor Windows Certificate, CAM Multi-factor Password Certificate, CAM Multi-factor Windows Authy, CAM Multi-factor Password Authy, CAM Multi-factor Kerberos Authy, CAM Multi-factor Certificate Authy, CAM Multi-factor Certificate Certificate
Checking for an authentication method
The following procedure explains how the Security Analytics Engine checks the method of authentication used during an access attempt.
How the Security Analytics Engine checks for an authentication method
1
A user attempts to access an application that uses an Authentication List condition type to check the method of authentication used for access.
2
The Security Analytics Engine checks if this access attempt is from one of the specified methods of authentication. If this check returns as false (it is not from a specified method), the risk score is not affected.
3
If the check returns as true (it does use a specified method), the risk score is affected.

Location

The following condition is available in the Location category:
Table 14. Location conditions
Condition type
Plugin
Default condition
Abnormal Location
GeoLocationPlugin
Abnormal Location (Default)
Country List
GeoLocationPlugin
Restricted Country (Default)

Abnormal Location

* 
NOTE: The GeoLocationPlugin is associated with this condition and provides important settings.
Categorized as a Location condition, this type of condition always causes the risk score to increase if the location is determined to be abnormal. The following parameters are available:
Table 15. Abnormal Location parameters
Parameter
Description
Associated default condition
Identifier
Enter a name for the condition.
Abnormal Location (Default)
Description
Enter a description for the condition.
Location failed to conform to previous user or device behavior.
Maximum Travel Speed
The kilometers per hour a person or device can travel between access attempts. The travel speed cannot exceed 9999 kilometers per hour.
1000
Also Report Unknown Location
Select this check box to report an unknown location, such as an anonymous proxy or satellite provider, as abnormal. If this is not selected, an unknown location will not be considered abnormal.
(Selected)
Checking for an abnormal location
The following procedure explains how the Security Analytics Engine checks the location of a user or browser attempting to access an application.
How the Security Analytics Engine checks for an abnormal location
1
A user attempts to access an application that uses an Abnormal Location condition type to check for abnormal geolocations.
* 
NOTE: If there is no user ID or browser ID in the access request, checking the geolocation is not relevant. Therefore, the geolocation is considered normal and the risk score is not affected.
2
The Security Analytics Engine checks if this access attempt is from an internal network. If this check returns as true (it is from an internal network), the geolocation is considered normal and the risk score is not affected.
3
If the internal network check returns as false, the Security Analytics Engine checks the VPN Networks (IP address and subnet mask) configured for the GeoLocationPlugin. If this check returns as true (the VPN is configured), the geolocation is considered normal and the risk score is not affected.
4
If the VPN check returns as false, the Security Analytics Engine checks if this is the first access attempt from the IP address for the user or device. If this check returns as true (it is the first access attempt from the IP address), the geolocation is considered abnormal and the risk score is increased.
5
Next, the Security Analytics Engine compares the current IP address with the last IP address the user and device successfully signed in on. If the IP addresses match (both the user and device last signed in from this IP address), the geolocation is considered normal and the risk score is not affected.
6
If the IP addresses are different, the Dell™ OnDemand Service gets passed the incoming IP address and returns the geographic coordinates of the IP address. The Security Analytics Engine compares the geographic coordinates for the current and last IP address, and calculates the distance between them to ensure that the IP addresses are not separated by a distance deemed impossible to travel within the amount of time between access attempts (i.e., the user cannot log in to the application from Canada an hour before logging in from India). If the Security Analytics Engine determines that the distance between IP addresses is possible within the time frame, the geolocation is considered normal and the risk score is not affected.
* 
NOTE: If the Security Analytics Engine cannot connect to the OnDemand Service at the time of the access attempt and the Also Report Unknown Location check box is selected, the geolocation is considered abnormal based on the previous steps and the risk score is increased.
If the Security Analytics Engine cannot connect to the OnDemand Service at the time of the access attempt and the Also Report Unknown Location check box is cleared, an unknown geolocation is reported as normal and the risk score is not affected.
7
If the Security Analytics Engine determines the distance between the IP addresses is too far apart within the time frame, the Security Analytics Engine considers the geolocation abnormal and the risk score is increased.

Country List

* 
NOTE: The GeoLocationPlugin is associated with this condition and provides important settings.
Categorized as a Location condition, this type of condition determines where the request originated from in order to increase/decrease protection for access attempts from specific countries. The following parameters are available:
Table 16. Country List parameters
Parameter
Description
Associated default condition
Identifier
Enter a name for the condition.
Restricted Country (Default)
Description
Enter a description for the condition.
Originated from a country classified as restricted.
Risk Type Value
Select the impact the condition will have on the risk score:
Can increase risk - Selecting this option will cause the risk score to increase if the access attempt comes from a listed country.
Can decrease risk - Selecting this option will cause the condition score to decrease if the access attempt comes from a listed country. A condition with this setting can only be used as a modifier in a risk policy.
Can both increase or decrease risk - Selecting this check box will allow you to configure the risk score to either increase or decrease.
NOTE: In order to avoid application configuration errors, this parameter cannot be edited once the condition has been saved.
Can increase risk
Country
From the drop-down list of countries, select the check box for each country to look for during an access attempt.
3 item(s) selected - Iran, Islamic Republic of; Sudan; Syrian Arab Republic
NOTE: These countries are from the following list posted by the U.S. Department of State: http://www.state.gov/j/ct/list/c14151.htm
Checking for a specific country
The following procedure explains how the Security Analytics Engine checks the country of the IP address attempting to access an application against a list of countries.
How the Security Analytics Engine checks for a country
1
A user attempts to access an application that uses the Country List condition type to check the location against the list of countries.
2
The Security Analytics Engine checks if this access attempt is from an internal network. If this check returns as true (it is from an internal network), then the Security Analytics Engine returns false and the risk score is not affected.
3
If the access attempt did not come from an internal network, the Security Analytics Engine checks the VPN networks (configured and enabled using the GeoLocationPlugin). If this check returns as true (the VPN is configured), then the Security Analytics Engine returns false and the risk score is not affected.
4
Next, the Security Analytics Engine connects with the OnDemand Service to check the location of the access attempt against the list of countries specified for the condition. If the location appears on the list, then the risk score is affected.
* 
NOTE: If the Security Analytics Engine cannot connect with the OnDemand Service at the time of the access attempt, the Security Analytics Engine returns false since the country cannot be determined and the risk score is not affected.
5
If the country does not appear on the list of countries, the risk score is not affected.
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating