Configure and enable Risk Spotter

Configure and enable the required and optional Guardium® and Risk Spotter modules, then enable Risk Spotter itself.

Before you begin

  • All collectors must be running V11.0 or later.
  • Ports 8983 and 9983, on both the collectors and the central manager, are opened when you enable enterprise search. Verify that these ports are not blocked by any firewall.
  • On the central manager or standalone system: Enter the GuardAPI command: grdapi restart_solr.
  • On the central manager: Enterprise search should be enabled by default. To check the enterprise search status, enter the following GuardAPI command:
    grdapi get_quick_search_info
    If it isn't enabled, enter the following GuardAPI command:
    grdapi enable_quick_search schedule_interval=2 schedule_units=MINUTE all=true includeViolations=true
  • Some Guardium modules must be enabled or configured before you can enable Risk Spotter. They are included in this task. You can enable the Risk Spotter process without enabling the optional Guardium modules. You get the best protection by enabling both the required and optional modules.
  • Enabling Risk Spotter only activates risk assessment for users audited by your installed policies. To dynamically audit risky users with Dynamic Auditing, create and install a Risk Spotter policy. See Create a Dynamic Auditing policy and Using the Policy Installation tool.
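The second prerequisite above asks you to verify that the enterprise search ports are not blocked between an admin host and each Guardium unit. The following pre-flight script is an added example, not part of the Guardium documentation or product; it checks TCP reachability of ports 8983 and 9983 on every host you name and reports anything blocked. The default hostnames are constructed placeholders.

```python
"""Pre-flight check: ports 8983 and 9983 (opened by enterprise search) must be
reachable on every collector and on the central manager before enabling Risk Spotter.
Run from a host that should be able to reach those units."""
import socket
import sys

ENTERPRISE_SEARCH_PORTS = (8983, 9983)  # ports stated in the Guardium prerequisites


def check_port(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out (typically a firewall) or unresolvable host
        return False


def check_hosts(hosts, ports=ENTERPRISE_SEARCH_PORTS, timeout: float = 3.0):
    """Return {host: {port: reachable}} for every host/port combination."""
    return {h: {p: check_port(h, p, timeout) for p in ports} for h in hosts}


def blocked(results):
    """List the (host, port) pairs that were not reachable."""
    return [(h, p) for h, ports in results.items() for p, ok in ports.items() if not ok]


def main(argv):
    # Placeholder hostnames (constructed); pass your own units on the command line.
    hosts = argv[1:] or ["cm.example.internal", "collector1.example.internal"]
    results = check_hosts(hosts)
    for host, ports in results.items():
        for port, ok in ports.items():
            print(f"{host}:{port} {'open' if ok else 'BLOCKED or unreachable'}")
    return 1 if blocked(results) else 0  # non-zero exit if anything is blocked


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python preflight.py <central-manager> <collector> ...`; a non-zero exit code means at least one port is blocked and must be opened before proceeding.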

About this task

Configure Risk Spotter on the central manager or on a stand-alone Guardium system. In a central manager environment, enable all modules once on the central manager only. If you install a Risk Spotter policy, this is also managed from the central manager.

Important: To maximize your Risk Spotter results, enable the optional modules.
The required modules are:
  • Enterprise search: Queries data across the entire Guardium environment. It is enabled by default.
  • Unit utilization data processing: Assesses resource utilization of each Guardium system in your environment to maximize user auditing. See step 3.
  • S-TAP and buffer usage monitoring: Enables the central manager to get updated information on unit utilization and on its managed units. (Not relevant for standalone Guardium systems.) See step 4.
The recommended modules are:
  • Dynamic Auditing: To get the most comprehensive risk assessment, configure Dynamic Auditing: create, install, and select a policy that incorporates the Risk Spotter – Audited Risky users group. This policy audits identified risky users and users in the Risk Spotter watchlist, and it samples users beyond your policy radar to identify additional risks. For details on creating the policy, see Create a Dynamic Auditing policy.
  • The Database Protection Subscription service (DPS) publishes updates to known vulnerabilities (known risks). The DPS file is not mandatory, but without it the risk scores are less accurate. (Best practice is to subscribe to this service whether you use Risk Spotter or not.) See step 5.
  • Active Threat Analytics identifies various types of suspected attacks. These findings are incorporated into the Risk Spotter analysis. See step 6.

Click Logs and Status to open the Risk Spotter events log. This log records, for example, the start and end of the Risk Spotter processes and if and when the Risk Spotter policy was uninstalled.

Note: All steps are relevant for a central manager and standalone systems unless noted otherwise.

Procedure

  1. Open the Risk Spotter page: go to Protect > Uncover Threat Vectors > Active Risk Spotter, and click Policy and related modules.
  2. Optional: Recommended: Dynamic Auditing
    1. Click Dynamic Auditing. The Configure Dynamic Auditing window opens.
    2. Select your Dynamic Auditing policy, then click Save. The system responds: Saved. (Only policies that use the Risk Spotter - Audited Risky Users group can be saved in this window.)
    3. Install the policy if it’s not already installed.
  3. To configure Unit utilization data processing from the Active Risk Spotter UI, follow the steps in this section. Enable unit utilization to assess resource utilization of each Guardium system in your environment, and enable central manager buffer usage monitoring to assess the available bandwidth over the entire system.
    1. Go to Manage > Unit Utilization > Unit Utilization Levels.
      1. Configure:
        • Schedule By = Day
        • Select Days = Every Day
        • Repeat every = 1 hour
        • Each day, begin repeating at = 12:00 AM (default)
        • Select Activate Schedule
      2. Click Save.
      3. Click Run Once Now.
    2. On the central manager only (not relevant for standalone systems): Go to Reports > Report Configuration Tools > Custom Table Builder. (You must have Custom Table Builder access rights to perform this step.)
      1. In the Custom Tables page, select CM Buffer Usage Monitor and click Upload Data.
      2. Under Scheduling, click Modify Schedule.
        1. Leave Start time at the default 12 a.m. (midnight).
        2. Set Restart to every hour.
        3. Leave Repeat at Do not repeat.
        4. Set Schedule by... to Day/Week and click Every Day.
        5. Click Save.
        6. Click Back.
        7. Click Run Once Now.
      3. Click Back to return to the Custom Tables page.
  4. To configure S-TAP information from the Active Risk Spotter UI, follow the steps in this section. On the central manager only (not relevant for standalone systems): enable S-TAP information to assess the available bandwidth over the entire system. (You must have Custom Table Builder access rights to perform this step.)
    1. Go to Reports > Report Configuration Tools > Custom Table Builder.
    2. Select S-TAP info and click Upload Data.
    3. Under Scheduling, click Modify Schedule.
      1. Leave Start time at the default 12 a.m. (midnight).
      2. Set Restart to every hour.
      3. Leave Repeat at Do not repeat.
      4. Set Schedule by... to Day/Week and click Every Day.
      5. Click Save.
      6. Click Back.
      7. Click Run Once Now.
  5. Optional: Recommended: If the Database Protection Subscription service is gray, click Upload file to open the Customer Uploads page and import a DPS file: Guardium_V11_Quarterly_2019_Q1_20190227.enc or later. See Customer Uploads for details on uploading and importing DPS files. (The DPS file is not mandatory, but risk scores are partial without it.) The DPS file can take a long time to install, and if you restart the browser the install stops. Either keep the Customer Upload window open until you see a status message, or enter the CLI command show dps to check the install status. (DPS files are downloaded from Fix Central and Passport Advantage.)
  6. Optional: Recommended: On the central manager, enable Active Threat Analytics:
    • In the Risk Spotter page, click Configure in Active Threat Analytics Setup, expand the Active Threat Analytics processes section, and click Enable all processes. For more information, see Active Threat Analytics setup.
  7. Enable Risk Spotter. In the Risk Spotter page, click Enable opposite Risk Spotter process. (This button is enabled only when all required modules are enabled.)

Results

It can take up to 10 minutes for the Risk Spotter page to update the number of managed units running enterprise search, or to show whether Active Threat Analytics is enabled. Go to another page, then return to this page to refresh the display.

After the first run of the risk score process (between 01:00 and 02:00 daily), the Risk Spotter page shows results. Risky users are added incrementally according to the available collector resources.