Analyzing a risk area

You can analyze each individual risk area on the dashboard to understand the various factors that contributed to the current risk level. Analyzed data helps you to prioritize areas with the highest risk for remediation to reduce overall risk.

To view the dashboard with risk areas and the context details that are associated with the risk areas for analysis, from the home page, click Risk Manager. Alternatively, from the main menu on the navigation window, in the My applications section, click Risk Manager > Risk Dashboard.

Risk areas - assets

The Risk areas widget shows details about the critical security risk areas of your organization. A risk area is a logical group of threats of a similar nature that are aggregated from various security products, for example IBM® Security Guardium®, IBM Security QRadar®, or IBM Security Verify. You can view risk area information in chart or table views.
Chart view
In the Chart view, risk areas are plotted on the heat map. The heat map helps you to identify the 10 - 15 most critical security risk areas of your organization that might need focus. The aggregated risk area scores are plotted on the dashboard as percentages. The risk areas are plotted based on the following dimensions.
  • The horizontal x-axis represents the probability that a risk occurs, which is determined from the threat occurrence pattern, the threat severity, and the asset criticality.
  • The vertical y-axis represents the potential business impact if the risk occurs. Impact is assessed based on the criticality of the assets.
  • Risk areas are represented as bubbles on the heat map. The size of a bubble represents the number of impacted assets.

Hover over a bubble to view information about the risk area. The size of the bubble varies with the number of impacted assets in that risk area. The color of the bubble indicates the risk severity: high, medium, or low. Bubbles for the most critical risk areas are placed in the upper-right quadrant of the heat map. When you start the necessary remediation activities, the bubble moves toward the lower-left quadrant of the map. Risk scores are updated based on the status of the cases that are created to remediate risks.

To the right of the heat map, you can view the list of risk areas along with their computed risk score level. Risk areas are listed based on the risk levels from High to Low. By default, the first risk area in the list is selected and the associated context information is displayed in the various widgets. You can also view the last run date of the risk engine. The risk engine runs based on the frequency that is configured. For more information about risk configuration, see Risk configuration.

Table View
In the Table view, the following information about a risk area is shown in tabular format.
  • Area: Name of the risk area.
  • Risk: Risk score of the risk area, computed based on the configured settings and depicted on a three-level scale: high, medium, or low.
  • Impact of risk: Potential impact to the business if a risk event occurs. Impact is estimated based on the criticality of the assets.
  • Likelihood of risk: Probability that a risk event occurs. Probability is calculated based on threat severity, vulnerabilities, and asset criticality.
  • Occurrences: Total number of threat events.
  • Assets/IOCs: Total number of impacted assets and indicators of compromise (IOCs) in the selected risk area.

The context information that is associated with the selected risk area is displayed under various widgets. Context information helps you to understand and analyze reasons for the current risk level to take appropriate remediation actions. Scroll down the dashboard to view the context details for the selected risk area.

Risk areas - IOCs

Threat activity reports that contain indicators of compromise (IOCs) from TruSTAR are imported into Risk Manager for prioritization. Based on their tags, the reports are automatically mapped to the appropriate predefined risk areas. The severity of a report is computed from the risk attributes of its IOCs. The risk engine prioritizes the threat activity reports and plots them on the dashboard in the form of risk areas. Visualizing the data on the dashboard helps you to focus on the most critical risk areas and to implement appropriate remediation actions that reduce the identified risks. The risk areas are plotted based on the following dimensions.
  • The x-axis is plotted based on the report severity and the number of times the report is received.
  • The y-axis is plotted based on the IOC category and the sighting count. IOCs are categorized based on the IOC type.
  • The size of the bubble represents the number of IOCs in the risk area.

Selected risk area

The Selected risk area widget shows the following context information for the risk area that you select.
  • Threat events: Count of threat events that are identified in the impacted assets. For example, threat events can include threats from IBM QRadar, or policy violations and activity monitoring alert violations from IBM Guardium.
  • Total assets: Total number of assets in the risk area that are impacted by the threats.
  • Crown jewel: Number of assets with crown jewel information. A crown jewel is a most valuable data asset in an organization and might cause major business impact if compromised.
  • Sensitive assets: Number of assets with sensitive information, for example PII.
  • Risky users: Number of risky users that are associated with the risk area. Risky users are responsible for any security incident that impacts, or has the potential to impact, the data security of an organization.
  • Total sightings: Number of times that the IOCs are referenced in a threat across the enclaves.
  • Total IOCs: Total number of IOCs in the risk area. Currently, IOCs are imported from TruSTAR.
  • Sensitive IOCs: Number of IOCs with sensitive PII information, such as threat actors and email addresses.
  • Risk score: Risk score of the risk area, which is the average of the impact score and the threat probability score. The color icon next to the score indicates the risk severity: high, medium, or low.
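The following example, added here to illustrate the heat map dimensions and the Selected risk area widget, shows how a risk area's bubble position, bubble size, and three-level risk score can be derived from threat events and asset criticality. It is not Risk Manager code: the page states that probability depends on the threat occurrence pattern, threat severity, and asset criticality, that impact depends on asset criticality, that bubble size is the number of impacted assets, and that the risk score is the average of the impact and probability scores. The specific weights, the component formulas, the high/medium/low thresholds, and the sample assets and events are assumptions constructed for the example.

```python
"""Derive a risk area's heat-map point and risk level (added example).

Assumptions, not from the product documentation: the numeric weights, the
way the three probability inputs are combined, and the level thresholds.
Kept as the page states: probability uses occurrence pattern, threat
severity and asset criticality; impact uses asset criticality; bubble size
is the impacted-asset count; risk score = (impact + probability) / 2.
"""
from dataclasses import dataclass
from statistics import mean

# Assumed weights (0..1) for the inputs that the page names.
SEVERITY_WEIGHT = {"low": 0.25, "medium": 0.5, "high": 0.75, "critical": 1.0}
CRITICALITY_WEIGHT = {"standard": 0.3, "sensitive": 0.6, "crown_jewel": 1.0}


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: str  # key of CRITICALITY_WEIGHT


@dataclass(frozen=True)
class ThreatEvent:
    asset: str        # name of the impacted asset
    severity: str     # key of SEVERITY_WEIGHT


@dataclass
class RiskArea:
    name: str
    assets: list[Asset]
    events: list[ThreatEvent]

    def impacted_assets(self) -> list[Asset]:
        """Assets that have at least one threat event against them."""
        hit = {e.asset for e in self.events}
        return [a for a in self.assets if a.name in hit]


def impact_score(area: RiskArea) -> float:
    """Potential business impact (0..100): mean criticality of impacted assets."""
    impacted = area.impacted_assets()
    if not impacted:
        return 0.0
    return 100 * mean(CRITICALITY_WEIGHT[a.criticality] for a in impacted)


def probability_score(area: RiskArea) -> float:
    """Likelihood (0..100) from occurrence pattern (share of assets hit),
    mean threat severity, and criticality of the impacted assets (assumed mix)."""
    impacted = area.impacted_assets()
    if not impacted:
        return 0.0
    occurrence = len(impacted) / len(area.assets)
    severity = mean(SEVERITY_WEIGHT[e.severity] for e in area.events)
    criticality = mean(CRITICALITY_WEIGHT[a.criticality] for a in impacted)
    return 100 * mean([occurrence, severity, criticality])


def risk_score(area: RiskArea) -> float:
    """Average of the impact and threat probability scores, as the page states."""
    return (impact_score(area) + probability_score(area)) / 2


def risk_level(score: float) -> str:
    """Three-level scale; thirds of the 0..100 range are an assumed threshold."""
    if score >= 200 / 3:
        return "high"
    if score >= 100 / 3:
        return "medium"
    return "low"


def heat_map_point(area: RiskArea) -> dict:
    """Bubble placement: x = probability, y = impact, size = impacted assets."""
    score = risk_score(area)
    return {
        "area": area.name,
        "x": round(probability_score(area), 2),
        "y": round(impact_score(area), 2),
        "size": len(area.impacted_assets()),
        "score": round(score, 2),
        "level": risk_level(score),
    }


def rank_risk_areas(areas: list[RiskArea]) -> list[str]:
    """Order risk areas from High to Low, as the list beside the heat map does."""
    return [a.name for a in sorted(areas, key=risk_score, reverse=True)]


# Constructed sample data; asset and risk area names are illustrative only.
SAMPLE_AREAS = [
    RiskArea(
        "Database exfiltration",
        [Asset("db-01", "crown_jewel"), Asset("db-02", "sensitive"),
         Asset("app-01", "standard"), Asset("app-02", "standard")],
        [ThreatEvent("db-01", "critical"), ThreatEvent("db-01", "high"),
         ThreatEvent("db-02", "medium"), ThreatEvent("app-01", "low")],
    ),
    RiskArea(
        "Workstation malware",
        [Asset("ws-01", "standard"), Asset("ws-02", "standard"),
         Asset("ws-03", "standard")],
        [ThreatEvent("ws-01", "low")],
    ),
]

if __name__ == "__main__":
    for sample in SAMPLE_AREAS:
        print(heat_map_point(sample))
    print(rank_risk_areas(SAMPLE_AREAS))
```

With the constructed data, the database area lands at roughly x = 66.9, y = 63.3 with a bubble of size 3 and a medium score of about 65.1, while the workstation area sits near the lower-left with a low score of about 29.7; closing cases on the database events would move its bubble toward the lower left, as the page describes.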

Top threat in risk area

The Top threat in risk area widget provides the following details about the top threat in the selected risk area.
  • Occurrences: Number of threat events in the top threat.
  • Indicators: Number of IOCs in which the top threat was detected.
  • Affected assets: Number of assets in which the top threat was detected.

To view details of all the threat events, click View all threats.

Click the View details icon to view the following details of the top threat.
Overview
Overview information such as the dates when the threat was first and last seen, the count of threat event occurrences, the threat severity, and the names of the threat actors that are associated with the threat.
Affected assets
Links to the top three assets where the threat was detected. Click a link to view the asset overview information in the side window. To view details of all the affected assets, click View all assets.
Threat activity over time
The Threat activity over time chart shows the pattern of threat activity for the past 15 days from privileged and unprivileged accounts. When you hover over a vertical bar on the chart, a tooltip displays the count of threat event occurrences, the occurrence date, and the group type.

You can view details of the threat activities that occurred on a particular date from all the privileged risky users along with their risk score. Click a privileged risky user name to view the Privileged user activity over time chart that shows details of the threat activities. Hover on a horizontal bar on the chart to view the details such as threat activity start time, end time, IP address of the affected asset, and the privileged account name.

Indicators
Links to the top three IOCs where the threat was detected. Click a link to view the IOC overview information in the side window. To view details of all the IOCs, click View all.

Controls

The Controls widget provides information about the enforcement controls that are implemented on the assets to protect data. Currently, Risk Manager supports the Encryption and Monitoring controls. You can view the following information in the form of a bar graph.
  • Number of assets in the risk area that are encrypted.
  • Number of assets that are protected by monitoring agents.

Vulnerability risk

The Vulnerability risk widget provides information about the assets that are vulnerable or exposed. The widget shows the number of vulnerabilities in the assets that are detected by the source products, for example Guardium and QRadar. This widget shows the following information:
  • Number of critical, major, and minor vulnerabilities that are found in the assets from the source products in the form of a bar chart.
  • Number of weaponized vulnerabilities with exploits.
  • Number of vulnerabilities for which the weaponized code is not needed for exploitation.
  • Number of vulnerabilities with attack chaining capability.
  • Number of vulnerabilities with actions on objectives.

Asset criticality

The Asset criticality widget provides information about the assets that are critical to the organization. Asset criticality determines the relative value or importance of an asset to the business, whether it is a database, application server, network device, or personnel. Criticality is assessed based on the classification of the data, for example regulated data, or on whether the asset is critical to the execution of an important business function. You can view the following information in the widget:
  • Classification of assets based on various categories of data in terms of its need for protection. For example, Confidential, Highly Confidential, or Highly Sensitive.
  • Classification of assets based on compliance to represent regulatory obligations that are associated with the data such as GDPR, PII, HIPAA, or CCPA.

Top recommendations

The Top recommendations widget provides the following information about the top four recommendations that are suggested to mitigate the identified issues in the selected risk area.
  • Risk: Risk level of the recommendation. The risk level is calculated based on the importance that you assign to the various factors during risk configuration.
  • Recommendation: Prescriptive remediation action that is suggested to mitigate the identified issues and reduce the risk.
For more information about recommendations and creating a case, see Recommendations.

Risk score over time

You must have access to the Risk Manager Advanced application to view data in the Risk score over time widget.

The risk trend chart tracks the risk score of a specific risk area over a period. You can view the trend for the last 30 days of data. The risk trends down when you implement the suggested remediation actions. Recommendations are provided to remediate the identified issues based on the configuration that you set for the various risk factors according to your organization's needs. For more information about recommendations, see Recommendations.
  • Date: Date to which the risk score and its trend apply.
  • Risk score: Overall risk score, which is the average of the impact score and the threat probability score. The color icon next to the score indicates the risk severity: high, medium, or low.
  • Trend: Direction in which the risk score is trending, upward, downward, or flat, when compared to the last one week of data.
  • Reason for change: Reasons for the risk score trend.