Security Analytics Engine 1.2

Categorized as a Location condition, this type of condition always causes the risk score to increase if the location is determined to be abnormal. The following parameters are available:

Table 15: Abnormal Location parameters
Parameter	Description	Associated default condition
Identifier	Enter a name for the condition.	Abnormal Location (Default)
Description	Enter a description for the condition.	Location failed to conform to previous user or device behavior.
Maximum Travel Speed	The kilometers per hour a person or device can travel between access attempts. The travel speed cannot exceed 9999 kilometers per hour.	1000
Also Report Unknown Location	Select this check box to report an unknown location, such as an anonymous proxy or satellite provider, as abnormal. If this is not selected, an unknown location will not be considered abnormal.	(Selected)

Checking for an abnormal location

The following procedure explains how the Security Analytics Engine checks the location of a user or browser attempting to access an application.

How the Security Analytics Engine checks for an abnormal location

A user attempts to access an application that uses an Abnormal Location condition type to check for abnormal geolocations.

NOTE: If there is no user ID or browser ID in the access request, checking the geolocation is not relevant. Therefore, the geolocation is considered normal and the risk score is not affected.
The Security Analytics Engine checks if this access attempt is from an internal network. If this check returns as true (it is from an internal network), the geolocation is considered normal and the risk score is not affected.
If the internal network check returns as false, the Security Analytics Engine checks the VPN Networks (IP address and subnet mask) configured for the GeoLocationPlugin. If this check returns as true (the VPN is configured), the geolocation is considered normal and the risk score is not affected.
If the VPN check returns as false, the Security Analytics Engine checks if this is the first access attempt from the IP address for the user or device. If this check returns as true (it is the first access attempt from the IP address), the geolocation is considered abnormal and the risk score is increased.
Next, the Security Analytics Engine compares the current IP address with the last IP address the user and device successfully signed in on. If the IP addresses match (both the user and device last signed in from this IP address), the geolocation is considered normal and the risk score is not affected.

If the IP addresses are different, the OnDemand Service gets passed the incoming IP address and returns the geographic coordinates of the IP address. The Security Analytics Engine compares the geographic coordinates for the current and last IP address, and calculates the distance between them to ensure that the IP addresses are not separated by a distance deemed impossible to travel within the amount of time between access attempts (that is, the user cannot log in to the application from Canada an hour before logging in from India). If the Security Analytics Engine determines that the distance between IP addresses is possible within the time frame, the geolocation is considered normal and the risk score is not affected.

NOTE: If the Security Analytics Engine cannot connect to the OnDemand Service at the time of the access attempt and the Also Report Unknown Location check box is selected, the geolocation is considered abnormal based on the previous steps and the risk score is increased.

If the Security Analytics Engine cannot connect to the OnDemand Service at the time of the access attempt and the Also Report Unknown Location check box is cleared, an unknown geolocation is reported as normal and the risk score is not affected.

If the Security Analytics Engine determines the distance between the IP addresses is too far apart within the time frame, the Security Analytics Engine considers the geolocation abnormal and the risk score is increased.

Country List

Conditions > Condition categories > Location > Country List

NOTE: The GeoLocationPlugin is associated with this condition and provides important settings.

Categorized as a Location condition, this type of condition determines where the request originated from in order to increase or decrease protection for access attempts from specific countries. The following parameters are available:

Table 16: Country List parameters

Parameter

Description

Associated default condition

Identifier

Enter a name for the condition.

Restricted Country (Default)

Description

Enter a description for the condition.

Originated from a country classified as restricted.

Risk Type Value

Select the impact the condition will have on the risk score:

Can increase risk - Selecting this option causes the risk score to increase if the access attempt comes from a listed country.
Can decrease risk - Selecting this option causes the condition score to decrease if the access attempt comes from a listed country. A condition with this setting can only be used as a modifier in a risk policy.
Can both increase or decrease risk - Selecting this check box allows you to configure the risk score to either increase or decrease.

NOTE: In order to avoid application configuration errors, this parameter cannot be edited once the condition has been saved.

Can increase risk

Country

From the drop-down list of countries, select the check box for each country to look for during an access attempt.

3 item(s) selected - Iran, Islamic Republic of; Sudan; Syrian Arab Republic

NOTE: These countries are from the following list posted by the U.S. Department of State.

Checking for a specific country

The following procedure explains how the Security Analytics Engine checks the country of the IP address attempting to access an application against a list of countries.

How the Security Analytics Engine checks for a country

A user attempts to access an application that uses the Country List condition type to check the location against the list of countries.
The Security Analytics Engine checks if this access attempt is from an internal network. If this check returns as true (it is from an internal network), then the Security Analytics Engine returns false and the risk score is not affected.
If the access attempt did not come from an internal network, the Security Analytics Engine checks the VPN networks (configured and enabled using the GeoLocationPlugin). If this check returns as true (the VPN is configured), then the Security Analytics Engine returns false and the risk score is not affected.

Next, the Security Analytics Engine connects with the OnDemand Service to check the location of the access attempt against the list of countries specified for the condition. If the location appears on the list, then the risk score is affected.

NOTE: If the Security Analytics Engine cannot connect with the OnDemand Service at the time of the access attempt, the Security Analytics Engine returns false since the country cannot be determined and the risk score is not affected.

If the country does not appear on the list of countries, the risk score is not affected.

Network

Conditions > Condition categories > Network

The following conditions are available in the Network category:

Table 17: Network conditions
Condition type	Plugin	Default condition
Dynamic Blacklist	BlacklistProviderPlugin	Dynamic Blacklist (Default)
Network List	BuiltinPlugin	Whitelist (Default)

Please select your product:

To serve you better, please complete the Purpose of your Chat:

Recommended Solutions for Your Problem

Security Analytics Engine 1.2 - User Guide

Location

Abnormal Location

Checking for an abnormal location

Country List

Checking for a specific country

Network