Configuring the trust evaluator
When you configure the trust evaluator, you can choose to monitor either all connections (the default) or administrator connections. By default, the trust evaluator is set up to:
- Learn patterns from scratch.
- Run on all collectors.
- Evaluate all sessions for all users.
- Use default trust thresholds.
To change the default settings, click Configure to open the Configure trust evaluator window. From here, you can use the following tabs to configure your system. Alternatively, you can accept the defaults and click Enable to install the Real-time trust evaluator: incidents related to all users policy and start the training.
When you are done configuring the trust evaluator, click Save to save your changes. At this point, you can click Enable from the trust evaluator main page to begin training your system.
Inputs tab
- If you select a group from the Trusted connections list (for example, Risk Spotter - Trusted Users), the trust evaluator continues to monitor the connections. If a connection encounters a security incident, it is removed from the trusted connections and added to the untrusted connections.
- If you select a group from the Untrusted connections list (for example, Risk Spotter - Top Risky Users), the trust evaluator assumes that the connections are never trusted. The trust evaluator does not include connections that are specified as untrusted in the training.
Select Do not consider client IP as part of connection analytics to ignore client IP addresses during trust-score evaluation. This option is useful when the client IP address changes frequently, for example if your site uses dynamic or virtual IP addresses.
Systems tab
- Select the collectors that you want to include in the trust evaluator. The trust evaluator runs only on a central manager; the Systems page displays the collectors that are associated with it. You can select one of the following system groups:
  - All Collectors: Display all of the collectors associated with this central manager.
  - All Units group: Display all available machines associated with this central manager.
  - Alternatively, use the filter box to find and display specific machines by name or number.
- After you select the machines that you want to include in the trust evaluator training, take one of the following steps:
  - Click Collectors to include all of the selected machines.
  - Select each machine that you want to include.
Incidents tab
From Incidents, you can choose incidents that are related to all users or only incidents that are related to administrators.
For each type of incident (administrator or all users), Guardium® surfaces a read-only policy that you can view from the Security Policies page. Depending on your selection, the trust evaluator uses one of the following session-level security incident policies. Each policy provides a number of rules that track and report on possible security incidents that might be encountered at run time:
- Real-time trust evaluator: incidents related to all users
- Real-time trust evaluator: incidents related to administrative users
The rules for each policy are described under Security incident policies.
- For information about incidents related to all users, see All users.
- For information about incidents related to administrative users, see Administrative users and applications.
When you enable the trust evaluator, Guardium installs the selected policy before training.
From Incidents, you can select and modify groups against which to run the trust evaluator. If you do not select any groups here, the trust evaluator runs against all server IP addresses associated with the selected S-TAP.
Thresholds tab
From Thresholds, you can view or change the trust-score thresholds that the trust evaluator uses to mark connections as trusted, untrusted, or evaluated (that is, not trusted or untrusted). As you start to understand your system, you can tweak the default trust scores (90 or greater for trusted, 10 or lower for untrusted) to help ensure that your system is protected.
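As an added illustration that is not Guardium code and not part of this page, the following Python models the rules described under the Inputs and Thresholds tabs: trusted groups stay monitored and are demoted on an incident, untrusted groups are never trusted and are excluded from training, the connection identity can omit the client IP, and the default score thresholds (90 or greater trusted, 10 or lower untrusted, anything between evaluated). The Connection and TrustEvaluator names, the field layout and the sample IP addresses are constructed for the example.

```python
# Conceptual model of the trust evaluator rules described on this page.
# Not Guardium's implementation; names and sample values are constructed.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Connection:
    db_user: str
    client_ip: str
    server_ip: str


def connection_key(conn, ignore_client_ip=False):
    """Identity used for analytics; the client IP is dropped when
    'Do not consider client IP as part of connection analytics' is set."""
    if ignore_client_ip:
        return (conn.db_user, conn.server_ip)
    return (conn.db_user, conn.client_ip, conn.server_ip)


def classify_score(score, trusted_min=90, untrusted_max=10):
    """Default thresholds from the page: >=90 trusted, <=10 untrusted,
    everything in between is 'evaluated'."""
    if score >= trusted_min:
        return "trusted"
    if score <= untrusted_max:
        return "untrusted"
    return "evaluated"


@dataclass
class TrustEvaluator:
    ignore_client_ip: bool = False
    trusted: set = field(default_factory=set)    # e.g. Trusted Users group
    untrusted: set = field(default_factory=set)  # e.g. Top Risky Users group

    def key(self, conn):
        return connection_key(conn, self.ignore_client_ip)

    def add_trusted(self, conn):
        self.trusted.add(self.key(conn))

    def add_untrusted(self, conn):
        self.untrusted.add(self.key(conn))

    def record_incident(self, conn):
        """A trusted connection that hits a security incident is moved
        from trusted to untrusted; trusted connections are still monitored."""
        k = self.key(conn)
        self.trusted.discard(k)
        self.untrusted.add(k)

    def training_set(self, sessions):
        """Untrusted connections are never included in training."""
        return [c for c in sessions if self.key(c) not in self.untrusted]

    def evaluate(self, conn, score):
        k = self.key(conn)
        if k in self.untrusted:
            return "untrusted"   # never trusted, regardless of score
        if k in self.trusted:
            return "trusted"     # trusted until an incident demotes it
        return classify_score(score)
```

Run with the client-IP option on, a trusted admin connection keeps its classification after its client address changes, but a single incident flips it to untrusted and drops it from later training.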