Real-time trust evaluator
The Real-time Trust Evaluator (RTTE) evaluates the application connections that are monitored by Guardium®. Connections are classified as "untrusted", "evaluated" or "trusted", and each classified connection is assigned a trust score (a value from 0 to 100). Connections that are classified as neither trusted nor untrusted are classified as evaluated. The trust evaluator has two modules:
- Security incident policies, which detect denial-of-service attacks, credential stuffing attacks, password-spraying attacks, and connection authentication vulnerabilities. Note: You cannot modify the trust evaluator policies.
- A probabilistic engine (probability engine) based on a Bayesian machine learning model. The model requires a long training period; its training status is shown in the user interface so that you can follow its progress.
Both modules evaluate application connections in parallel.
The evaluated application connections are collected. The trust evaluator is integrated with session-level policies, so a session-level policy installed outside the trust evaluator can alert you to security breaches, create security exceptions, and terminate connections when necessary. For more information, see Session-level policies.
When using the trust evaluator, it's best to manage policies from the central manager. This avoids situations where enabling the trust evaluator causes the central manager to overwrite policies that may have been updated on managed units but not yet synced to the central manager. If you must manage policies from managed units, wait until any policy changes are synced to the central manager before enabling the trust evaluator.
Getting started
To get started with the real-time trust evaluator, open the trust evaluator from a central manager and click Enable. When the trust evaluator starts, it installs the security incident policies and begins to evaluate incoming connections. At the same time, the probability engine enters its first training phase.
- You can view the evaluated application connections from the connections window. For more information, see Configuring the connections table.
- When you click Enable, the trust evaluator installs the security incident policies. You can use the default policy, Real-time trust evaluator: incidents related to all users, or select a different policy from the Configuration section. For more information, see Configuring the trust evaluator.
- When you click Disable, the trust evaluator stops and uninstalls the security incident policies.
The remainder of this topic provides more information about how the trust evaluator works, configuration information, and details about the connection table and information graphs.
How the trust evaluator works
When you first start the trust evaluator, it begins to evaluate application connections by using installed security incident policies. At the same time, the probability engine module starts its training phase.
At this point, the trust evaluator can detect untrusted application connections: connections that violate security policy, such as sending passwords in plain text, performing denial-of-service, credential-stuffing or password-spraying attacks, or carrying administrative traffic without encryption. The trust evaluator assigns low trust scores to the untrusted connections it detects.
When the probability engine finishes its training, it starts to evaluate application connections as well. Connections can be evaluated as “untrusted”, “evaluated” or “trusted”.
Trusted versus untrusted connections
A connection is classified as trusted when:
- The connection matches the criteria of the trusted connection group.
- The probability engine deems that the connection is sufficiently common.
A connection is classified as untrusted when:
- A security incident policy identifies the connection as a threat.
- The connection matches a user-supplied untrusted connection group.
In addition, multiple factors and parameters can determine the trustworthiness of a connection. The probability engine can assign an untrusted score if the connection is not similar to known data, or if other trust evaluator components identify issues for that connection. For example, the probability engine might identify a connection as trusted while an anomaly or incident is identified for the same connection; in that case, the connection is classified as untrusted.
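The precedence rules above, together with the incident categories from "How the trust evaluator works", as an added illustrative example in Python. This is not Guardium code and does not reproduce its actual policies, model or score values: the connection fields, thresholds, group contents, score numbers and the rule that an incident overrides both the probability engine and the trusted group are all assumptions, and the connection records and history counts are constructed for the example. The "probability engine" here is a plain frequency count, standing in for the Bayesian model the page describes.

```python
from collections import Counter, defaultdict

# Assumed thresholds and scores (illustrative, not Guardium's values).
MIN_SEEN = 50              # history count at which the toy "probability engine" calls a connection common
SPRAY_DISTINCT_USERS = 5   # failed logins against this many accounts from one source -> stuffing/spraying pattern
FLOOD_CONNECTIONS = 100    # connections from one source in the window -> denial-of-service pattern
SCORE = {"untrusted": 10, "evaluated": 50, "trusted": 90}


def key_of(c):
    """Identity the toy probability engine learns: (source IP, database user, client program)."""
    return (c["src"], c["user"], c["prog"])


def aggregate(connections):
    """Per-source statistics the incident rules need: distinct users with failed logins, total connections."""
    failed_users = defaultdict(set)
    total = Counter()
    for c in connections:
        total[c["src"]] += 1
        if not c["login_ok"]:
            failed_users[c["src"]].add(c["user"])
    return failed_users, total


def incident_policy(c, failed_users, total):
    """Security-incident rules modelled on the categories the page lists. Returns the rule names that fire."""
    hits = []
    if c["cleartext_password"]:
        hits.append("plaintext_password")
    if c["admin"] and not c["encrypted"]:
        hits.append("unencrypted_admin_session")
    if len(failed_users[c["src"]]) >= SPRAY_DISTINCT_USERS:
        hits.append("failed_logins_across_many_accounts")   # credential-stuffing / password-spraying pattern
    if total[c["src"]] >= FLOOD_CONNECTIONS:
        hits.append("connection_flood")                      # denial-of-service pattern
    return hits


def classify(c, history, failed_users, total, trusted_group, untrusted_group):
    """Precedence (assumed): incidents and the untrusted group win; then the trusted group or a
    sufficiently common identity makes the connection trusted; everything else stays 'evaluated'."""
    key = key_of(c)
    incidents = incident_policy(c, failed_users, total)
    if incidents or key in untrusted_group:
        label = "untrusted"
    elif key in trusted_group or history[key] >= MIN_SEEN:
        label = "trusted"
    else:
        label = "evaluated"
    return label, SCORE[label], incidents


def evaluate_all(connections, history, trusted_group, untrusted_group):
    """Classify every connection in one evaluation window; returns (label, score, incidents) per record."""
    failed_users, total = aggregate(connections)
    return [classify(c, history, failed_users, total, trusted_group, untrusted_group) for c in connections]


def record(src, user, prog, login_ok=True, encrypted=True, cleartext_password=False, admin=False):
    return dict(src=src, user=user, prog=prog, login_ok=login_ok, encrypted=encrypted,
                cleartext_password=cleartext_password, admin=admin)


# Constructed connection records for one evaluation window (assumed field names).
CONNECTIONS = [
    record("10.0.1.5", "app_ro", "webapp"),                               # 0: routine, well-known identity
    record("10.0.1.5", "app_ro", "webapp", cleartext_password=True),      # 1: well-known, but password sent in clear
    record("10.0.9.77", "etl", "batch"),                                  # 2: never seen, but in the trusted group
    record("192.168.4.20", "alice", "dbeaver"),                           # 3: new laptop, nothing wrong yet
    record("10.0.1.8", "dba", "sqlplus", encrypted=False, admin=True),    # 4: admin session without encryption
    record("198.51.100.4", "contractor", "psql"),                         # 5: in the untrusted group
] + [record("203.0.113.9", f"svc{i}", "psql", login_ok=False) for i in range(5)]  # 6-10: failures on 5 accounts

# Constructed baseline the toy probability engine "trained" on: how often each identity was seen.
HISTORY = Counter({("10.0.1.5", "app_ro", "webapp"): 400, ("10.0.1.8", "dba", "sqlplus"): 120})
TRUSTED_GROUP = {("10.0.9.77", "etl", "batch")}
UNTRUSTED_GROUP = {("198.51.100.4", "contractor", "psql")}

if __name__ == "__main__":
    for c, (label, score, why) in zip(CONNECTIONS, evaluate_all(CONNECTIONS, HISTORY, TRUSTED_GROUP, UNTRUSTED_GROUP)):
        print(f"{c['src']:>14} {c['user']:<10} {label:<9} score={score:<3} {','.join(why)}")
```

Record 1 is the case the last paragraph describes: the frequency count alone would call it trusted, but the plaintext-password incident takes precedence and it is scored as untrusted. Record 3 shows the third state: nothing fired, but the identity is not yet common, so it remains "evaluated" until the engine has seen it often enough.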