Chat now with support
Chat with Support

Security Analytics Engine 1.1 - User Guide

Security Analytics Engine Overview Plugins Conditions Shared Policies Applications Auditing Issued Alerts Policy Overrides Fallback Password Security Settings Glossary

Shared risk policies

Before you begin working with shared risk policies, you need to be aware that they should perform two different roles for an application: evaluating and alerting. Although configured using the same settings, a risk policy used for alerting and a risk policy used for evaluation should be designed with that specific role in mind. An application does not distinguish between a shared risk policy and a non-shared risk policy, therefore you can use any combination of shared and non-shared risk policies for alerting and evaluation.
A risk policy that an application selects to use for evaluation will most likely be similar to the risk policy used in the Sample Application provided by default with the Security Analytics Engine (for more information, see Sample Application). It consists of all the conditions that you want checked during an access attempt and those conditions will operate together to create a single risk score which the application will then use to determine whether to allow an access attempt, request additional authentication information from the user, or deny access. Alerts can be configured for the risk policy providing the evaluation in which case they will issue an alert when the generated risk score exceeds the configured threshold.
A risk policy designed for alerting will in its simplest form consist of a single condition without modifiers. When an access attempt occurs, all risk policies with alerting enabled that are associated with the application will send alerts. Due to the method used for calculating risk scores, an alert sent with information about a single triggered condition will not always be the same as the amount it contributed to the risk score during the access attempt.

Shared Policies page

The Shared Policies page is displayed when Shared Policies is clicked on the Home page of the Security Analytics Engine Administration web site. From this page you can launch the Shared Policy wizard to add new or edit existing shared risk policies.
The Shared Policies page displays all of the shared risk policies currently available for use by applications.
The following buttons appear across the top of the page:
This button is used for adding a new shared risk policy.
This button is used for editing an existing shared risk policy.
This button is used for deleting an existing shared risk policy.
The following information is displayed for each configured shared risk policy:
Policy Name
Displays the name assigned to the shared risk policy when it was created.
Description
Displays the description of the shared risk policy. This description was added when the shared risk policy was created.
Applications
Displays the applications currently assigned the shared risk policy.

Adding and managing shared risk policies

In instances where applications have similar risk evaluation or alerting needs, shared risk policies are used to ease the burden of creating and managing identical risk policies within multiple applications. It is the responsibility of the client application to determine which risk policy to evaluate during access attempts, however all risk policies with alerting enabled will automatically send alerts once they are associated with an application. For more information on configuring risk policies for evaluating and alerting, see Shared risk policies.

Adding a new shared risk policy

To add a new shared risk policy
1
On the Shared Policies page, click the button to open the Add Shared Policy dialog.
2
In the Policy Name field, enter a unique display name for the shared risk policy. This name is only used within the Administration web pages.
3
(Optional) In the Description field, enter a brief description of the shared risk policy. This description is only used within the Administration web pages.
4
(Optional) Select the Disable Policy Override check box to disable overrides for this shared risk policy. This setting applies to all applications that use the shared risk policy.
5
(Optional) Use the Alerting section of this dialog to set up email alerts for this risk policy. Click Alerting to display the following settings:
Notify Admin - Select the check box to begin sending email alerts and in the field enter the email address of the person that will be receiving the alerts.
Notify User - Select the check box to send an email alert to the user attempting access when they exceed a certain score.
- If Notify User is selected, click this button to open the Customize User Alert Email dialog which is used for customizing the subject and descriptive body text of the alert email sent to the user. Once edits are made, click Accept to close the dialog.
Alert When - Select one of the following options:
Always - Send alerts when a risk policy is evaluated by the application and when the application updates user behavior data.
Only when specified - Sends an alert when the risk policy used for evaluation generates a risk score for the application.
Scores <nn> Or More - In this field enter the minimum risk score (1-100) a user must receive in order for an alert to be sent.
* 
IMPORTANT: When multiple, identical alerts for the same risk policy occur within a 5 minute period, the Security Analytics Engine will only send one alert. If alerting is used in risk policies with multiple conditions, you may want to assign different scores for each condition since there is a chance that a user may attempt access twice in that 5 minute window and trigger different conditions yet still cause the same score.
6
Click the button in the upper right corner to open the Select conditions to monitor dialog.
7
Select the check box to the left of a condition name to add that condition to the risk policy. All selected conditions will remain highlighted so you can track which conditions are being used in the risk policy.
8
Repeat Step 7 until you have selected all the conditions to apply to the risk policy.
Multiple conditions of the same type are allowed in a risk policy and are useful for adding levels of risk to a type of condition. For example, one Abnormal Browser condition can increase a risk score if the browser was unused for 15 days while a second Abnormal Browser condition can further increase the risk score if the browser was unused for 30 days. If a browser that has not been used in over 30 days is used for access, both will be triggered causing both assigned scores to be included in the risk score.
9
Click the OK button to close the dialog.
10
The Add Shared Policy dialog displays the selected conditions according to category. Each condition has a slider associated with it that is used to assign a percentage to the condition. Assign each condition a percentage according to how much of a risk you consider a user that triggers the condition during an access attempt.
* 
NOTE: Hovering over a condition will display a button. Clicking this button will display the condition’s description.
11
(Optional) Each condition can also be assigned modifiers. These modifiers are used to either increase or decrease the score of a triggered condition in cases when a modifier is also triggered. This allows you to control how a single condition is calculated without lessening or intensifying the effect of another condition which should not be impacted by those same, or possibly any, modifiers. The following steps are required for adding a modifier to a condition:
Locate the condition which is to be assigned a modifier.
Select the button located to the left of the condition name to open the Select condition modifiers dialog.
On the Select condition modifiers dialog, select a check box located to the left of a condition name to add that condition as a modifier of the original condition. All selected conditions will remain highlighted so you can track which conditions are being used as modifiers of the original condition.
Click OK to close the dialog.
Each modifier will now appear listed beneath the original condition with a scroll bar set at 100%. Move the slider in increments of 10 to set the impact each modifier will have on the condition score. Depending on how each modifier was configured on the Conditions page (Can increase risk, Can decrease risk, or Can both increase or decrease risk), the following settings are available:
0% - A modifier set to this percentage will automatically cause the condition score to be 0% regardless of any other modifiers triggered. (Can decrease risk or Can both increase or decrease risk)
10%-90% - A modifier set to any percentage between these two will decrease the condition score when triggered. (Can decrease risk or Can both increase or decrease risk)
100% - A modifier set to this percentage will not impact the condition when triggered. (Can decrease risk, Can increase risk, or Can both increase or decrease risk)
110%-200% - A modifier set to any percentage between these two will increase the condition score when triggered. (Can increase risk or Can both increase or decrease risk)
12
(Optional) To preview possible risk scores that can occur for the risk policy, click the button in the upper right corner of the dialog to enable Preview Mode. Edits to the risk policy are allowed while preview mode is active.
Select the check boxes to the left of any conditions or modifiers to preview the risk score that will occur if they are triggered during an access attempt. The Risk Score field at the top of the dialog will update as selections are made.
Click the button to close preview mode.
13
Once each condition and modifier has been assigned a percentage, click Save to save the shared risk policy and return to the Shared Policies page.
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating