Security Analytics Engine Overview

Security Analytics Engine Overview

Topics:

Introduction to the Security Analytics Engine

The Security Analytics Engine provides an extra level of security that can be customized to fit the needs of every application. The Security Analytics Engine works by monitoring users and browsers to ensure that they are not accessing applications from locations, networks, etc. that are potentially unsafe, thus reducing the threat of a malicious user or browser gaining access to your application.

How the Security Analytics Engine works

How the Security Analytics Engine works

When a user attempts to access an application which uses the Security Analytics Engine, a customizable risk policy evaluates the risk of allowing the user access. Each risk policy is made up of conditions and modifiers which have assigned scores. For each access attempt, these conditions and their associated modifiers are evaluated individually and a single risk score is then calculated using all the condition scores.

For example, a user could log in to an application using an abnormal browser while also using a weak method of authentication. The risk policies allow you to take these two types of behavior into account by letting you apply modifiers to conditions in cases where additional circumstances may affect the risk from a triggered condition. The conditions are assigned a condition score and the modifiers are then able to increase or lessen that condition score if they are triggered at the same time. So in this case, by triggering both the abnormal browser condition and its associated weak authentication modifier, the configured condition score is further increased due to the modifier.

A condition can also have no impact on a risk score when triggered if there is a modifier applied which is configured to cancel out the condition score. If the user using an abnormal browser is also on a configured whitelist, the whitelist modifier could be applied to have a zeroing effect on both the condition it is associated with and any other modifiers that are also triggered. Assuming no other conditions are triggered, this user would receive a risk score of 0 for the access attempt.

The Security Analytics Engine also allows you to include conditions without modifiers associated with them. For example, the earlier access attempts probably would not be as much of a security threat as someone that logs in from an IP address that is associated with malware. Configuring a risk policy to give the highest risk score to potential malware infected access attempts means that even if the user appears on a whitelist being used as a modifier to negate a different condition they would still receive the highest risk score.

The risk score that is calculated for each access attempt is then sent to the application which uses the risk score to determine whether to allow access, request additional authentication information from the user before allowing access, or deny access. A user may also contact a help desk operator for further assistance if they are unable to access an application due to a high risk score.

Launch the Administration web site (fallback)

You can access the Security Analytics Engine Administration web site from any computer that has network access to the server.

To launch the fallback login page of the Security Analytics Engine Administration web site

1. Open your web browser and enter the URL for the fallback login page of the Security Analytics Engine Administration web site:

   https://<server>/SecurityAnalyticsEngine/Fallback

   NOTE: Where <server> is the IP address or host name (or ‘localhost’) of the server where you installed the Security Analytics Engine.

2. When the web site is launched, enter the fallback password in the Password field.
3. Click Log in. The Home page of the Security Analytics Engine Administration web site appears.