About the risk score for users
Data Insight enables you to monitor malicious activity in your storage environment. Data Insight profiles all users by assigning a risk score to every configured user. The higher a user's risk score, the higher the perceived risk posed by that user.
A risky user typically displays anomalies such as:
Abrupt deviation in activity pattern, where deviation in activity on sensitive files is given more weight. (Anomaly)
The fraction of the total number of data sources that a user has permissions on. (Access)
Abnormal increase in the number of alerts against the user. (Alerts)
Note that the user risk score is computed by considering the individual scores of different parameters for the last 15 days by default.
Data Insight computes the risk score for a user based on the weighted sum of the individual scores of the following parameters.
Table: Components for computing user risk score

| Components | Descriptions |
|---|---|
| Deviation in access pattern on sensitive and non-sensitive files. | The overall deviation score is the weighted sum of the deviation values for sensitive and non-sensitive files. |
| Number of alerts against the user. | Percentage of alerts for a user against the total number of alerts, weighted by the severity of the policy that was violated. |
| Number of shares the user has read/write access on. | Percentage of shares on which the user has read access, against the total shares across all the storage devices. |
| Number of shares the user has write access on. | Percentage of shares on which the user has write access, against the total shares across all the storage devices. |
| Number of shares the user is custodian on. | Percentage of shares for which the user is a custodian, against the total shares across all the storage devices. |
| Deviation in the number of unique files that are accessed by the user. (Considering sensitive and non-sensitive files) | Overall score is the weighted sum of unique files that are accessed during the past 15 days. |
| Deviation in the number of unique files that are accessed by the user. (Considering sensitive files only) | Overall score is the weighted sum of unique files that are accessed during the past 15 days. |
| Deviation in the number of distinct DLP policies violated by the files accessed by the user. | Overall score is the weighted sum of DLP policies. The weights are proportional to the severity level of the policies. |
Note that Data Insight assigns a default priority to these parameters when calculating their weighted sum.
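The following Python sketch is an added illustration, not Data Insight's own code. It shows how a weighted-sum score of this kind can be assembled from five of the components in the table. The component weights, the severity scale, the 0-100 deviation inputs and all names and sample data are assumptions, because this page does not publish them.

```python
from collections import Counter

# Assumed values: the page gives no weights, severity scale or deviation formula.
SEVERITY_WEIGHT = {"low": 1, "medium": 2, "high": 3}
SENSITIVE_W, NON_SENSITIVE_W = 0.7, 0.3   # sensitive deviation counts more
COMPONENT_W = {"deviation": 0.4, "alerts": 0.3, "read": 0.1,
               "write": 0.1, "custodian": 0.1}   # sums to 1.0

def pct(part, total):
    # Percentage of `part` in `total`; 0 when the total is empty.
    return 100.0 * part / total if total else 0.0

def alert_score(user, alerts):
    """User's share of all alerts, each alert weighted by policy severity."""
    weighted = Counter()
    for who, severity in alerts:
        weighted[who] += SEVERITY_WEIGHT[severity]
    return pct(weighted[user], sum(weighted.values()))

def risk_score(user, profile, alerts, total_shares):
    """Weighted sum of component scores, each on a 0-100 scale."""
    parts = {
        "deviation": SENSITIVE_W * profile["dev_sensitive"]
                     + NON_SENSITIVE_W * profile["dev_non_sensitive"],
        "alerts": alert_score(user, alerts),
        "read": pct(profile["read_shares"], total_shares),
        "write": pct(profile["write_shares"], total_shares),
        "custodian": pct(profile["custodian_shares"], total_shares),
    }
    score = sum(COMPONENT_W[name] * value for name, value in parts.items())
    return round(score, 2), parts

# Constructed sample data for one 15-day window.
TOTAL_SHARES = 40
ALERTS = [("alice", "high"), ("alice", "medium"), ("bob", "low"), ("alice", "high")]
PROFILES = {
    "alice": {"dev_sensitive": 80, "dev_non_sensitive": 20,
              "read_shares": 30, "write_shares": 10, "custodian_shares": 4},
    "bob":   {"dev_sensitive": 5, "dev_non_sensitive": 10,
              "read_shares": 8, "write_shares": 2, "custodian_shares": 0},
}

def ranked_users():
    """Users ordered from highest to lowest risk score."""
    scores = {u: risk_score(u, p, ALERTS, TOTAL_SHARES)[0] for u, p in PROFILES.items()}
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    print(ranked_users())
```

In this constructed data set, alice ranks first: three severe alerts plus a large deviation on sensitive files outweigh her broad share access, which on its own contributes only a small part of the total.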
The risk score assigned to a user helps you do the following:
Identify potentially malicious users.
Review the permissions that are granted to the users.
Review if a risky user is a custodian on any storage resource.
Review the top active data that is being accessed by the risky user.
Add a user with a high risk score to a watchlist to enable you to closely monitor the user's activities.