Real-time trust evaluator

The Real-time Trust Evaluator (RTTE) evaluates the application connections that are monitored by Guardium®. Connections are classified as "untrusted", "evaluated" or "trusted", and each classified connection is assigned a trust score (a value from 0 to 100). Connections that are classified as neither trusted nor untrusted are classified as evaluated.

The trust evaluator release consists of the following main modules:
  1. Security incident policies that are capable of detecting denial-of-service attacks, credential stuffing attacks, password-spraying attacks, and connection authentication vulnerabilities.
    Note: You cannot modify the trust evaluator policies.
  2. Probability engine (a probabilistic engine based on a Bayesian machine learning model). The model requires a long training period; its training status is displayed in the user interface so that you can follow its progress.

Both modules evaluate application connections in parallel.

The evaluated application connections are collected and made available in the connections window. The trust evaluator is integrated with session-level policies. Thus, a session-level policy installed outside the trust evaluator can be used to alert customers of security breaches, create security exceptions, and terminate connections if necessary. For more information, see Session-level policies.

Note: The trust evaluator is available from central manager machines only. In addition, all collectors must be at Guardium 11.4 or later.

When using the trust evaluator, it's best to manage policies from the central manager. This avoids situations where enabling the trust evaluator causes the central manager to overwrite policies that may have been updated on managed units but not yet synced to the central manager. If you must manage policies from managed units, wait until any policy changes are synced to the central manager before enabling the trust evaluator.

Getting started

To get started with the real-time trust evaluator, browse to Protect > Security Policies > Real-Time Trust Evaluator from a central manager and click Enable.

When the trust evaluator starts up, it installs the security incident policies and begins to evaluate incoming connections. At the same time, the probability engine enters its first training phase.

Here's what you need to know:
  • You can view the evaluated application connections from the connections window. For more information, see Configuring the connections table.
  • When you click Enable, the trust evaluator installs the security incident policies. You can use the default, Real-time trust evaluator: incidents related to all users, or select a different policy from the Configuration section. For more information, see Configuring the trust evaluator.
  • When you click Disable, the trust evaluator stops and uninstalls the security incident policy.

The remainder of this topic provides more information about how the trust evaluator works, configuration information, and details about the connection table and information graphs.

How the trust evaluator works

When you first start the trust evaluator, it begins to evaluate application connections by using installed security incident policies. At the same time, the probability engine module starts its training phase.

At this point, the trust evaluator can already detect untrusted application connections. Untrusted application connections are connections that violate security, for example connections that send passwords in plain text, connections that perform denial-of-service, credential stuffing or password-spraying attacks, administrative connections that transmit unencrypted information, and so on. The trust evaluator assigns low trust scores to the untrusted connections it detects.

When the probability engine finishes its training, it starts to evaluate application connections as well. Connections can be evaluated as “untrusted”, “evaluated” or “trusted”.

Trusted versus untrusted connections

The trust evaluator identifies a connection as trusted when it meets one of the following criteria:
  • The connection matches the criteria of the trusted connection group.
  • The probability engine deems that the connection is sufficiently common.
A connection is identified as untrusted in any of the following circumstances:
  • The connection is identified by a security incident policy as a threat.
  • The connection matches a user-supplied untrusted group.
  • The probability engine assigns an untrusted score because the connection is not similar to known data, or because other trust evaluator components identify issues for that connection. Multiple factors and parameters can contribute to this decision. For example, the probability engine might identify a connection as trusted while an anomaly or incident is identified for the same connection; in that case, the connection is identified as untrusted.
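The classification rules above, written out as an added Python model so the precedence is explicit (untrusted signals override an engine "trusted" verdict, and connections that meet no criterion stay "evaluated"). This is illustrative code, not Guardium's implementation; the observation fields, the sample connections and the ordering of the trusted-group check relative to an engine anomaly are assumptions where the text is silent.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

UNTRUSTED, EVALUATED, TRUSTED = "untrusted", "evaluated", "trusted"


@dataclass
class ConnectionObservation:
    """Hypothetical per-connection facts gathered by the evaluator components."""
    client_ip: str
    db_user: str
    in_trusted_group: bool = False        # matches the trusted connection group
    in_untrusted_group: bool = False      # matches a user-supplied untrusted group
    incidents: List[str] = field(default_factory=list)  # security incident policy hits
    engine_trained: bool = False          # probability engine finished training?
    engine_common: Optional[bool] = None  # True = sufficiently common, False = not similar to known data


def classify(obs: ConnectionObservation) -> Tuple[str, str]:
    """Return (label, reason). Untrusted criteria are checked first, so an incident
    or anomaly makes the connection untrusted even if the engine considers it common."""
    if obs.incidents:
        return UNTRUSTED, "security incident policy: " + ", ".join(obs.incidents)
    if obs.in_untrusted_group:
        return UNTRUSTED, "matches user-supplied untrusted group"
    if obs.engine_trained and obs.engine_common is False:
        # Assumption: an engine anomaly outranks a trusted-group match.
        return UNTRUSTED, "probability engine: not similar to known data"
    if obs.in_trusted_group:
        return TRUSTED, "matches trusted connection group"
    if obs.engine_trained and obs.engine_common:
        return TRUSTED, "probability engine: sufficiently common"
    # Neither trusted nor untrusted; before training finishes this is the common case.
    note = "" if obs.engine_trained else " (probability engine still training)"
    return EVALUATED, "no trusted or untrusted criterion met" + note


# Constructed sample connections, not real monitored traffic.
SAMPLE_CONNECTIONS = [
    ConnectionObservation("10.0.0.5", "app_user", in_trusted_group=True),
    ConnectionObservation("10.0.0.9", "dba", engine_trained=True, engine_common=True,
                          incidents=["password spraying"]),   # engine says common, incident wins
    ConnectionObservation("10.0.0.12", "report_user", engine_trained=True, engine_common=False),
    ConnectionObservation("10.0.0.20", "etl_user"),             # nothing known yet
]


def summarize(observations: List[ConnectionObservation]) -> dict:
    """Count connections per label, as a connections-window style overview."""
    counts = {UNTRUSTED: 0, EVALUATED: 0, TRUSTED: 0}
    for obs in observations:
        counts[classify(obs)[0]] += 1
    return counts
```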