Configuring the trust evaluator

When you configure the trust evaluator, you can choose to monitor either all connections (the default) or administrator connections.

From the Configuration section of the Real-Time Trust Evaluator window, you can see the current settings for the trust evaluator. The default settings are shown on the trust evaluator page. Each setting is associated with one of the configuration tabs.
  • Learn patterns from scratch.
  • Run on all collectors.
  • Evaluate all sessions for all users.
  • Use default trust thresholds.
  • Evaluate 12 of 12 anomalies.

To change the default settings, click Configure to open the Configure trust evaluator window. From here, use the following tabs to configure the trust evaluator. Alternatively, keep the defaults and click Enable to install the Real-time trust evaluator: incidents related to all users policy and start the training.

When you are done configuring the trust evaluator, click Save to save your changes. At this point, you can click Enable from the trust evaluator main page to begin training your system.

Inputs tab

From Inputs, you can specify groups of explicitly trusted or untrusted connections. When you add an existing group, the trust evaluator adds those connections to the specified list.
  • If you select a group from the Trusted connections list (for example, Risk Spotter - Trusted Users) the trust evaluator continues to monitor the connections. If a connection encounters a security incident, it is removed from the trusted connections and added to untrusted connections.
  • If you select a group from the Untrusted connections list (for example, Risk Spotter - Top Risky Users) the trust evaluator assumes that the connections are never trusted. The trust evaluator does not include the connections that are specified as untrusted in the training.

Select Do not consider client IP as part of connection analytics to ignore client IP addresses during trust-score evaluation. This option is useful when the client IP address changes frequently, for example if your site uses dynamic or virtual IP addresses.

Systems tab

From Systems, you can make the following changes:
  • Select the collectors that you want to include in the trust evaluator. The trust evaluator runs only on a central manager; the Systems page displays the collectors that are associated with that central manager. You can select one of the following system groups:
    • All Collectors: Display all of the collectors associated with this central manager.
    • All Units group: Display all available machines associated with this central manager.
  • Alternatively, use the filter box to find and display specific machines by name or number.
  • After you select the machines that you want to include in the trust evaluator training, you can take one of the following steps:
    • Click Collectors to include all of the selected machines.
    • Select each machine that you want to include.

Incidents tab

From Incidents, you can choose incidents that are related to all users or only incidents that are related to administrators.

For each type of incident (administrator or all users), Guardium® surfaces a read-only policy that you can view from the Security Policies page (Policies > Security Policies > Policy Builder for Data). Depending on your selection, the trust evaluator uses one of the following session-level security incident policies.

Each policy provides a number of rules that track and report on possible security incidents that might be encountered at run time:
  • Real-time trust evaluator: incidents related to all users
  • Real-time trust evaluator: incidents related to administrative users

The rules for each policy are described under Security incident policies.

When you enable the trust evaluator, Guardium installs the selected policy before training.

From Incidents, you can select and modify groups against which to run the trust evaluator. If you do not select any groups here, the trust evaluator runs against all server IP addresses associated with the selected S-TAP.
Note: If you select Incidents related to administrators, make sure that the groups you select include only populated groups. If you select an empty group, there are no members of the group to test against. Therefore, the trust evaluator cannot find security incidents for the empty group, but does not provide any indication that the group is not populated.

Thresholds tab

From Thresholds, you can view or change the trust-score thresholds that the trust evaluator uses to mark connections as trusted, untrusted, or evaluated (that is, neither trusted nor untrusted). As you start to understand your system, you can tweak the default trust scores (90 or greater for trusted, 10 or lower for untrusted) to help ensure that your system is protected.
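As an added illustration (not Guardium's own code), the following Python model combines the Inputs tab rules above (explicit trusted and untrusted groups, the incident demotion, the client-IP option) with the default Thresholds tab values. The class names, the 0-100 score scale, and the treatment of groups as sets of user names are assumptions.

```python
# Added model (not Guardium code) of the Inputs and Thresholds settings above.
from dataclasses import dataclass, field


@dataclass
class Connection:
    user: str
    client_ip: str
    server_ip: str
    trust_score: int  # 0-100, as computed by the evaluator (assumed scale)


def connection_key(conn, ignore_client_ip=False):
    """Connection identity for analytics; omit volatile client IPs."""
    if ignore_client_ip:
        return (conn.user, conn.server_ip)
    return (conn.user, conn.client_ip, conn.server_ip)


@dataclass
class TrustEvaluator:
    trusted_users: set = field(default_factory=set)    # e.g. Trusted Users group
    untrusted_users: set = field(default_factory=set)  # e.g. Top Risky Users group
    trusted_min: int = 90    # default threshold: score >= 90 is trusted
    untrusted_max: int = 10  # default threshold: score <= 10 is untrusted

    def classify(self, conn, had_incident=False):
        """Return 'trusted', 'untrusted', or 'evaluated' (neither)."""
        if conn.user in self.untrusted_users:
            return "untrusted"  # never trusted, never trained on
        if conn.user in self.trusted_users:
            if had_incident:
                # a security incident moves the user to the untrusted list
                self.trusted_users.discard(conn.user)
                self.untrusted_users.add(conn.user)
                return "untrusted"
            return "trusted"
        if conn.trust_score >= self.trusted_min:
            return "trusted"
        if conn.trust_score <= self.untrusted_max:
            return "untrusted"
        return "evaluated"

    def include_in_training(self, conn):
        """Explicitly untrusted connections are excluded from training."""
        return conn.user not in self.untrusted_users
```

Explicit list membership takes precedence over the score, and a demotion caused by an incident is sticky on later evaluations.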

Anomalies tab

When training begins, the anomalies engine tracks unique connections. The trust evaluator starts to recognize anomalies after it sees a sufficient number of unique connections. When any anomalies are found, they are logged in the Connection Exceptions report.
Note: The number of "sufficient connections" to detect anomalies is based on your environment and set without user involvement, but it is always greater than 1000 connections.

From Anomalies, select some or all of the anomaly conditions. The trust evaluator uses the read-only Real-time trust evaluator: Security anomalies policy, where each rule represents an anomaly type. For more information about the Security anomaly policy, see Security anomalies.