Applications
Topics:
Adding and managing applications
Adding and managing risk policies
Introduction to applications
Before an application can use the Security Analytics Engine to generate risk scores, an application definition must be added and configured within the Security Analytics Engine Administration web site using the Applications page. In addition to adding an application, you also need to configure the risk policies for that application to determine how the Security Analytics Engine evaluates the risk of allowing a user to access the application and any risk policies which will be used for alerting. Although client applications use only one risk policy at a time for evaluating access attempts, all risk policies associated with an application that are configured for alerting will also send alerts if they are triggered during an access attempt. For more information on the different uses for risk policies, see Risk policies.
Risk policies
Before you begin working with risk policies, you need to be aware that they should perform two different roles for an application: evaluating and alerting. Although configured using the same settings, a risk policy used for alerting and a risk policy used for evaluation should be designed with that specific role in mind. An application does not distinguish between a shared risk policy and a non-shared risk policy, therefore you can use any combination of shared and non-shared risk policies for alerting and evaluation.
A risk policy that an application selects to use for evaluation will most likely be similar to the risk policy used in the Sample Application provided by default with the Security Analytics Engine (for more information, see Sample Application). It consists of all the conditions that you want checked during an access attempt and those conditions operate together to create a single risk score which the application then uses to determine whether to allow an access attempt, request additional authentication information from the user, or deny access. Alerts can be configured for the risk policy providing the evaluation in which case the alert is sent when the generated risk score exceeds the configured threshold.
A risk policy designed for alerting will in its simplest form consist of a single condition without modifiers. When an access attempt occurs, all risk policies with alerting enabled that are associated with the application will send alerts. Due to the method used for calculating risk scores, an alert sent with information about a single triggered condition is not always the same as the amount it contributed to the risk score during the access attempt.
Applications page
The Applications page is displayed when Applications is clicked in the left pane of the Security Analytics Engine Administration web site. From this page you can launch the Application wizard to add new or edit existing applications, and create and manage the risk policies being used by applications. The Applications page displays all the applications currently using the Security Analytics Engine and the risk policies used by each application.
The following buttons and field appear across the top of the page:
This button is used for adding a new application.
This button is used for editing an existing application.
This button is used for deleting an existing application.
The following information is displayed for each configured application:
Application Name
Displays the name assigned to the application when it was created.
Description
Displays the description of the application. This description was added when the application was created.
Policies
Displays the risk policies currently available for use by the application. To distinguish between shared risk policies and risk policies, shared risk policies are marked as ‘(shared)’. It is the responsibility of the client application to determine which risk policy to evaluate during access attempts.