One Identity Safeguard for Privileged Sessions 5.7.0 - Safeguard for Privileged Analytics Configuration Guide

Introduction

This guide walks you through the steps required to configure One Identity Safeguard for Privileged Sessions (SPS) so that you can start analyzing session data and user behavior using One Identity Safeguard for Privileged Analytics (SPA).

SPS and SPA are part of the One Identity Safeguard solution, which in turn is part of One Identity's Privileged Access Management portfolio.

SPA integrates data from SPS to use as the basis of user behavior analysis. SPA uses machine learning algorithms to scrutinize behavioral characteristics (using data from SPS), and generates user behavior profiles for each individual privileged user. SPA compares actual user activity to user profiles in real time, with profiles being continually adjusted using machine learning. When SPA detects unusual activity, this is indicated on the user interface of SPS in the form of high scores and visualized insight.

NOTE:

The primary audience of this guide is One Identity Pre-Sales and Support Engineers, as well as Engineers representing One Identity's Partners.

If you wish to configure SPS to interwork with SPA as an end user, contact our Support Team or Professional Services for assistance.

Before you start

Prerequisites

One Identity Safeguard for Privileged Sessions has the following requirements when using it with One Identity Safeguard for Privileged Analytics:

Table 1: One Identity Safeguard for Privileged Sessions prerequisites

SPS version: Any supported version from version 5 F4 onward, ideally the latest one.

License: A license that has One Identity Safeguard for Privileged Analytics (SPA) enabled.

To find out if your license supports SPA, obtain a debug bundle and check the license information in the configuration XML.

For details on how to obtain a debug bundle, see "Collecting logs and system information for error reporting" in the Administration Guide.

Alternatively, if you are unsure whether you have licensing enabled, it is safe to assume that you do not.

NOTE:

If you are using SPS 5 F5 or later, you are able to run SPA without a license option for 2 months.

Access rights: A user account with admin access rights.

Session data from network traffic: Session data that:

  • contains real, unique usernames linked to users other than root/administrator or a shared account

  • has commands extracted

  • has keystrokes extracted

  • has window titles extracted

For more details, see Prerequisites in Analyze data using One Identity Safeguard for Privileged Analytics.

NOTE:

If you are upgrading to SPS version 5 F4 or later from an earlier version, wait for the session database upgrade to finish.

To track progress, check the system monitor. It displays a message telling you that the session database upgrade is in progress, and it also shows the percentage of completion.

You can also go to Search > Search, where all data that has been through the upgrade process is available.

In the case of large databases, the upgrade can take hours or even days, but the system should remain completely usable during the process. The upgrade starts with the most recent sessions and goes backward in time.

Limitations

SPS used in combination with SPA currently has the following limitations:

  • SPA is only supported on the T10 appliance or equivalent due to memory requirements.

  • SPA requires a lot of computation, which can put pressure on SPS:

    • The keystroke algorithm is much more resource-hungry than the other algorithms, so our recommendation is to start analyzing data using the algorithms that require fewer resources.

    • Before you start using SPA, make sure that at least half the capacity of SPS is available.

  • SPA only analyzes audit trails and SPS metadata; it does not analyze log data.

Algorithms

One Identity Safeguard for Privileged Analytics analyzes user behavior with the help of algorithms, also called analytics.

The algorithms of One Identity Safeguard for Privileged Analytics are mathematical methods that can be used to analyze session data from multiple angles. Algorithms have to be trained using a history of session data. Based on this training, an algorithm can build a baseline of a particular user's behavior and score new sessions. Scores will indicate whether a particular user's behavior is normal or unusual, compared to the baseline. Algorithms also provide visualization to display insight about user behavior.

Currently, the following algorithms are supported:

  • The keystroke algorithm is able to tell whether a user is really who they say they are based on their typing dynamics. SPA compiles a typing profile for each user based on how many seconds it typically takes for the user to press combinations of keys on their keyboard. The keystroke algorithm analyzes keyboard data coming from RDP or SSH sessions and compares it with the user's profile.

  • The command algorithm compiles a commands profile for the user based on the commands that they usually execute, and determines the probability of the occurrence of certain commands within a session.

  • The login time algorithm builds a profile based on the exact time in a day when a user logs in. Based on the user's profile, it can tell how unusual the time of login is, given the daily distribution of the user's login events in the past.

  • The host login algorithm analyzes how similar two hosts are based on the users that log in to those hosts. When a user logs in to a host that they never or only very rarely log in to, that will not be considered an anomaly if that host is similar to other hosts that the user frequently uses.

  • The frequent item set (fis) algorithm is similar to a "customers who bought these items also bought" type of algorithm used on e-commerce websites. It examines multiple attributes of sessions and attempts to find values that frequently appear together, forming a set. Using this information, the fis algorithm is able to discover patterns in user behavior, such as "this person only uses RDP in the middle of the night from this IP address".

  • The window title algorithm analyzes window titles to uncover unusual user behavior, that is, it identifies users based on what window titles they usually have on their screen. It is currently an experimental algorithm and is disabled by default.

The range of algorithms available is planned to be extended in future releases.
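The workflow the algorithms share (train on a history of sessions, build a per-user baseline, score new sessions against it) is easier to see on a toy model. The following is an added example written for this guide, not SPA's own code: SPA's real algorithms are not public, so it models two of the analytics described above, login time and command, in the simplest possible way. All users, timestamps and commands in it are constructed sample data, and the 0 to 100 scoring scale is an assumption made for the illustration.

```python
"""Toy baseline-and-score model of two SPA-style analytics.

Added example, not SPA's own code. It follows the workflow the guide
describes: train on a history of sessions, build a per-user baseline,
score a new session against it. Users, timestamps and commands below
are constructed sample data.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed training history: one dict per session, in the shape SPS
# could supply once usernames, commands and timestamps are extracted
# from audit trails (hypothetical users and commands).
HISTORY = [
    {"user": "alice", "start": "2019-03-04T09:12:00", "commands": ["ls", "cd", "make"]},
    {"user": "alice", "start": "2019-03-05T10:05:00", "commands": ["ls", "git pull", "make"]},
    {"user": "alice", "start": "2019-03-06T09:40:00", "commands": ["cd", "ls", "make"]},
    {"user": "alice", "start": "2019-03-07T08:55:00", "commands": ["ls", "make", "git pull"]},
    {"user": "bob",   "start": "2019-03-04T22:10:00", "commands": ["systemctl status nginx"]},
    {"user": "bob",   "start": "2019-03-06T23:30:00", "commands": ["tail /var/log/nginx/error.log"]},
]


def build_profiles(sessions):
    """Training step: per-user histogram of login hours and command counts."""
    hours = defaultdict(Counter)
    commands = defaultdict(Counter)
    for s in sessions:
        hour = datetime.fromisoformat(s["start"]).hour
        hours[s["user"]][hour] += 1
        commands[s["user"]].update(s["commands"])
    return {"hours": hours, "commands": commands}


def _rarity(count, max_count):
    """0 for the user's most common value, approaching 1 for never-seen values.

    Add-one smoothing means a thin baseline (small max_count) yields lower
    scores: little evidence, little confidence. This mirrors why the guide
    insists on a history of session data before the analytics are useful.
    """
    return 1 - (count + 1) / (max_count + 1)


def login_time_score(profiles, user, start):
    """Login time analytic: how unusual is this hour for this user? 0..100."""
    hist = profiles["hours"].get(user)
    if not hist:
        return None  # no baseline yet: the session cannot be scored
    hour = datetime.fromisoformat(start).hour
    return round(100 * _rarity(hist[hour], max(hist.values())))


def command_score(profiles, user, commands):
    """Command analytic: mean rarity of the session's commands. 0..100."""
    hist = profiles["commands"].get(user)
    if not hist or not commands:
        return None
    max_count = max(hist.values())
    return round(100 * sum(_rarity(hist[c], max_count) for c in commands) / len(commands))


def score_session(profiles, session):
    """Score one new session with every analytic; None where no baseline exists."""
    return {
        "login_time": login_time_score(profiles, session["user"], session["start"]),
        "command": command_score(profiles, session["user"], session["commands"]),
    }


if __name__ == "__main__":
    profiles = build_profiles(HISTORY)
    new = {"user": "alice", "start": "2019-03-11T03:00:00", "commands": ["ls", "cd", "crontab -e"]}
    print(score_session(profiles, new))  # {'login_time': 67, 'command': 40}
```

Two behaviours of the toy model are worth noticing because they carry over to the real product. A user with no history (here, anyone not in HISTORY) gets no score at all rather than a misleading one, which is why the prerequisites call for real, unique usernames: sessions attributed to root or a shared account never build an individual baseline. And bob, with only two sessions, scores at most 50 on either analytic, because the smoothing refuses to call anything very unusual on so little evidence; scores only become sharp once a user has enough recorded sessions.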

Enable One Identity Safeguard for Privileged Analytics

Prerequisites:

A license that has One Identity Safeguard for Privileged Analytics (SPA) enabled.

Purpose:

To enable SPA, complete the following steps.

Steps:
  1. Go to Basic Settings > Local Services > Privileged Account Analytics.

    Figure 1: Basic Settings > Local Services > Privileged Account Analytics

  2. Select the Enable checkbox.

  3. Click Commit.
