Risk Spotter functions
Learn how Risk Spotter identifies risky users across your entire system.
Risk Spotter runs on central managers and on stand-alone systems. All collectors must be running V11.0 or later.
Risk Spotter implements a dynamic risk assessment that considers multiple risk factors, including:
- Vulnerabilities and violations that are associated with the user
- Errors
- Threat Analytics findings
- Activity during off-work hours (defined by AFTER HOURS WORK and BEFORE HOURS WORK in the Time Period Builder page, and distributed from the central manager to its managed units.)
- Data access volume
- Volume of activities
- Access to sensitive data
- Type of commands the user ran (DML, DDL, SYSTEM, and so on)
To maximize the benefits of Risk Spotter, implement your own Risk Spotter Dynamic Auditing policy that uses the Risk Spotter - Audited Risky Users group. When you implement a Dynamic Auditing policy:
- Guardium® adds three types of users to the Risk Spotter - Audited Risky Users group and audits the group continuously. The three types of users are:
  - Top risky users: Users identified by the Risk Spotter algorithm, together with your installed policies. Users in this group are carried over from day to day as long as their risk score warrants it. (The top risky users list is not copied to the secondary central manager. In the case of a failover, the top risky users list is empty on the new primary central manager.)
  - Watchlist users: The Watchlist is a group of users that you populate yourself, for further observation or investigation. You can add any user to the Watchlist. These users remain in the Watchlist group in subsequent Risk Spotter daily iterations, regardless of their risk score.
  - Randomly sampled users: Risk Spotter continuously samples users that your installed policies do not audit, so that it can evaluate activity beyond your policy radar and identify potentially risky users.
- Risk Spotter updates the membership of the Risk Spotter - Audited Risky Users group and reinstalls the policy during its daily process (1:00 AM to 2:00 AM), which effectively updates any installed policy that uses the group.
- Guardium constantly monitors resources. If a managed unit's resources are overloaded for any reason, Guardium automatically uninstalls the Dynamic Auditing policy on that managed unit. Uninstalling the policy does not change the membership of the Risk Spotter - Audited Risky Users group or the Risk Spotter - Watchlist group, but it has these effects on the affected managed unit: a user that is audited only by the Dynamic Auditing policy is not audited on the day the policy is uninstalled; new risky users on a collector that does not have the policy installed are not added to the Risk Spotter - Audited Risky Users group; and the risk scores of existing users on that collector are not updated. Click Logs and Status to open the Risk Spotter events log and see which managed units do not have the policy installed.
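The following Python is an added illustration, not Guardium code and not its scoring algorithm, which is proprietary. It models only the daily membership rules stated above for the Risk Spotter - Audited Risky Users group (watchlist users always retained, top risky users carried over while their score warrants it, a random sample of non-audited users, and a collector whose policy was uninstalled on overload contributing neither new risky users nor score updates). The risk scores, the `RISKY_THRESHOLD` and `SAMPLE_SIZE` values, the collector names and the user names are all constructed assumptions.

```python
"""Model of the daily Risk Spotter group update (added illustration, not Guardium code)."""
from __future__ import annotations

import random
from dataclasses import dataclass, field

RISKY_THRESHOLD = 70  # assumption: a score at or above this makes a user "top risky"
SAMPLE_SIZE = 2       # assumption: how many non-audited users are sampled per daily run


@dataclass
class Collector:
    """One managed unit. policy_installed is False after Guardium uninstalls the
    Dynamic Auditing policy because the unit is overloaded."""
    name: str
    policy_installed: bool
    scores: dict[str, int]                                   # user -> today's risk score (constructed)
    policy_audited: set[str] = field(default_factory=set)    # users your other policies already audit


@dataclass
class RiskSpotterState:
    """Membership of the three user types that make up the audited group."""
    top_risky: dict[str, int] = field(default_factory=dict)  # user -> last known score
    watchlist: set[str] = field(default_factory=set)         # populated by you, kept regardless of score
    sampled: set[str] = field(default_factory=set)

    def audited_group(self) -> set[str]:
        """Members of 'Risk Spotter - Audited Risky Users': union of the three types."""
        return set(self.top_risky) | self.watchlist | self.sampled


def today_scores(collectors: list[Collector]) -> dict[str, int]:
    """Highest score per user across collectors that still have the policy installed.
    A collector without the policy contributes nothing: no new users, no score updates."""
    scores: dict[str, int] = {}
    for c in collectors:
        if not c.policy_installed:
            continue
        for user, s in c.scores.items():
            scores[user] = max(s, scores.get(user, 0))
    return scores


def daily_run(state: RiskSpotterState, collectors: list[Collector],
              rng: random.Random | None = None) -> RiskSpotterState:
    """One 1:00-2:00 AM iteration: rebuild the audited group from yesterday's state."""
    rng = rng or random.Random(0)
    fresh = today_scores(collectors)

    # Carry over existing top risky users while their score still warrants it.
    # If no collector with the policy reported the user, the old score stands unchanged.
    new_top: dict[str, int] = {}
    for user, old in state.top_risky.items():
        score = fresh.get(user, old)
        if score >= RISKY_THRESHOLD:
            new_top[user] = score

    # Newly identified risky users come only from collectors that have the policy.
    for user, score in fresh.items():
        if score >= RISKY_THRESHOLD:
            new_top.setdefault(user, score)

    # Random sample "beyond your policy radar": users nobody audits, seen only
    # where the policy is installed (fresh excludes uninstalled collectors).
    policy_audited = set().union(*(c.policy_audited for c in collectors))
    already = set(new_top) | state.watchlist
    pool = sorted(u for u in fresh if u not in already and u not in policy_audited)
    sampled = set(rng.sample(pool, min(SAMPLE_SIZE, len(pool))))

    return RiskSpotterState(top_risky=new_top, watchlist=set(state.watchlist), sampled=sampled)


def audited_today(state: RiskSpotterState, collector: Collector) -> set[str]:
    """Users actually audited on this collector today: your own policies' users plus,
    only while the Dynamic Auditing policy is installed, the Risk Spotter group."""
    audited = set(collector.policy_audited)
    if collector.policy_installed:
        audited |= state.audited_group()
    return audited


def demo() -> tuple[RiskSpotterState, list[Collector], RiskSpotterState]:
    """Constructed scenario: coll2 is overloaded, so its policy was uninstalled."""
    yesterday = RiskSpotterState(top_risky={"alice": 85, "bob": 72}, watchlist={"carol"})
    collectors = [
        Collector("coll1", True,
                  {"alice": 90, "bob": 40, "dave": 75, "erin": 10, "frank": 12},
                  policy_audited={"erin"}),
        Collector("coll2", False, {"bob": 95, "grace": 99}),  # no policy: bob's 95 and grace are ignored
    ]
    today = daily_run(yesterday, collectors, random.Random(1))
    return yesterday, collectors, today


if __name__ == "__main__":
    _, colls, today = demo()
    print("top risky:", today.top_risky)          # alice kept, bob dropped (40 < 70), dave added
    print("audited group:", sorted(today.audited_group()))
    for c in colls:
        print(f"{c.name} audits today:", sorted(audited_today(today, c)))  # coll2: nothing
```

Note how bob is dropped even though coll2 scored him 95: that collector has no policy installed, so its scores are not used, and grace is never added for the same reason. On coll2 nobody is audited that day, which is the gap the events log (Logs and Status) lets you spot.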