4.9. Behaviour analytics
This chapter looks at the Behaviour analytics report page and the information that can be found on the page. The following topics are included in this chapter:
4.9.1. Behaviour analytics report
Privileged Behaviour Management reporting builds on the data available through the analytics reports and produces a three-dimensional display. The reports are formulated by comparing activity, or the lack of it, against learned baselines and present the results in terms of ‘active threat’ and ‘latent risk’: ‘active threat’ is unusual activity, while ‘latent risk’ shows the connections between users and highly privileged device accounts that are rarely or never used.
Behaviour analytics is a powerful tool that allows you to ask questions about malicious behaviour from an insider threat, or to raise concerns about privileged access.
The user logon graph analyses the behaviour of individual user logons. The chart covers a 7 day period and records the IP address(es) from which each user logs in. The level of suspicion is indicated by a colour-coded vertical bar from 0 to 1, where 0 means no suspicion and 1 means suspicious activity has been reported.
The data collected and analysed is turned into a level of suspicion based on the following criteria:
- If a user logs on only once within the time period, there is no suspicion.
- Suspicion goes down if the user continuously logs on from only one IP address.
- Suspicion is raised by collisions, where a user logs in from multiple IP addresses within the same time slice.
- The more often the user logs on from multiple IP addresses, the further the suspicion level increases.
- The system builds a baseline from the number of user connections for each IP address; as the baseline for an address grows, suspicion for logons from that address decreases.
- A change of IP subnet is given no more weight than any other change of IP address: differing subnets are considered equally in the calculations.
From the data in this chart, anomalous logon IP addresses can be targeted and investigated to ensure there is no malicious intent or unauthorized access.
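The criteria above describe the inputs to the logon suspicion score but not the formula. The following Python is an added illustration, not PxM's own code: it applies those criteria to a constructed set of logon records (user, timestamp, source IP) and produces a 0 to 1 score per user for a 7 day window. The weighting (1 / (1 + prior logons from an address) per change of address, 1.0 per extra address within a one-day time slice, divided by the number of logons) is an assumption chosen so that every bullet holds; the sample addresses, users and dates are constructed.

```python
"""Illustrative logon-suspicion scorer (added example; not PxM code)."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample logon records: (user, timestamp, source IP).
# The scorer looks at the 7 days ending PERIOD_END.
PERIOD_END = datetime(2024, 3, 7, 23, 59)
LOGONS = [
    # alice: one logon a day, always the same address -> no suspicion
    *[("alice", datetime(2024, 3, d, 8, 0), "10.0.0.5") for d in range(1, 8)],
    # bob: a single logon in the period -> no suspicion by definition
    ("bob", datetime(2024, 3, 3, 10, 0), "10.0.0.6"),
    # carol: two addresses in one day (a collision), then a third address
    ("carol", datetime(2024, 2, 20, 9, 0), "192.0.2.1"),     # outside the window, ignored
    ("carol", datetime(2024, 3, 1, 9, 0), "10.0.0.7"),
    ("carol", datetime(2024, 3, 1, 14, 0), "10.0.0.7"),
    ("carol", datetime(2024, 3, 2, 9, 0), "10.0.0.7"),
    ("carol", datetime(2024, 3, 2, 9, 5), "203.0.113.9"),    # collision with 10.0.0.7 on 2 March
    ("carol", datetime(2024, 3, 3, 22, 0), "198.51.100.4"),
    ("carol", datetime(2024, 3, 4, 9, 0), "10.0.0.7"),
]


def logon_suspicion(records, period_end=PERIOD_END, period_days=7):
    """Score one user's logons in [0, 1] following the criteria in the text.

    records: iterable of (timestamp, ip) for a single user.
    Assumed model (the page gives the criteria, not the formula):
      - fewer than two logons in the period -> 0.0
      - each change of source IP adds 1 / (1 + prior logons from that IP),
        so an established address (large baseline) adds little
      - each extra distinct IP inside one time slice (a calendar day) adds 1.0
        (a collision)
      - the total is divided by the number of logons and capped at 1.0, so a
        user who only ever logs on from one address stays at 0
    Addresses are compared for exact equality: moving to another subnet
    counts the same as moving to a neighbouring address.
    """
    window_start = period_end - timedelta(days=period_days)
    recs = sorted((ts, ip) for ts, ip in records if window_start <= ts <= period_end)
    n = len(recs)
    if n < 2:
        return 0.0

    seen = Counter()              # baseline: logons per IP so far in the window
    slices = defaultdict(set)     # time slice (day) -> IPs used in it
    switch_weight = 0.0
    prev_ip = None
    for ts, ip in recs:
        if prev_ip is not None and ip != prev_ip:
            switch_weight += 1.0 / (1 + seen[ip])
        seen[ip] += 1
        prev_ip = ip
        slices[ts.date()].add(ip)

    collisions = sum(len(ips) - 1 for ips in slices.values())
    raw = switch_weight + collisions
    return min(1.0, raw / n)


def score_all(logons, period_end=PERIOD_END, period_days=7):
    """Return {user: suspicion} for every user in a (user, timestamp, ip) list."""
    per_user = defaultdict(list)
    for user, ts, ip in logons:
        per_user[user].append((ts, ip))
    return {u: logon_suspicion(r, period_end, period_days) for u, r in per_user.items()}


if __name__ == "__main__":
    for user, score in sorted(score_all(LOGONS).items(), key=lambda kv: -kv[1]):
        print(f"{user:8s} {score:.3f}")
```

With this data alice and bob both score 0.0, and carol scores 3.25 / 6 (about 0.54): two changes to never-seen addresses contribute 1.0 each, the return to the established address 10.0.0.7 contributes only 0.25, and the two addresses on 2 March add one collision. Carol's 20 February logon falls outside the 7 day window and is not counted.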
The latent threat graph shows which of their assigned privileges users are actually using. It is calculated as the proportion of the devices available to a user that have not been accessed within the last 6 months, where a single login is enough to count as usage.
The horizontal latent threat line indicates whether the devices a user has privileges to access are actually being used. A latent threat of 1 means that the user is not using any of the devices to which they have been granted privileged access. From this, you can investigate why, and whether the privileged access is still a valid requirement for that user; this lets you reduce threat levels and manage user privileges more effectively, ensuring users are not over-privileged.
A latent threat of 0 means that the user is regularly or semi-regularly accessing all of the devices to which they have been granted privileged access, so their latent threat is low.
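The latent threat calculation is straightforward, but the useful output for a privilege review is the list of granted devices that nobody has touched. The following Python is an added illustration, not PxM's own code: it computes the score from a constructed grant table and session log, treats "6 months" as 182 days (an assumption), ignores sessions to devices outside the user's grant set, and returns the unused devices alongside the score so they can be investigated. Users with no granted devices are scored 0.0, which the page does not define and is assumed here.

```python
"""Illustrative latent-threat calculation (added example; not PxM code)."""
from datetime import datetime, timedelta

NOW = datetime(2024, 7, 1)   # reference date; the window is the 182 days before it

# Constructed data: the devices each user may access with privileged credentials.
GRANTS = {
    "alice": {"db01", "web01", "dc01", "fw01"},
    "bob": {"db01", "web01"},
    "carol": {"dc01", "dc02", "hsm01"},
}

# Constructed session log: (user, device, session start). One session counts as usage.
SESSIONS = [
    ("alice", "db01", datetime(2024, 6, 20)),
    ("alice", "web01", datetime(2024, 3, 2)),
    ("alice", "dc01", datetime(2023, 11, 1)),   # older than the window: does not count
    ("bob", "db01", datetime(2024, 6, 1)),
    ("bob", "web01", datetime(2024, 5, 14)),
    ("bob", "web01", datetime(2024, 6, 30)),
    ("bob", "fw01", datetime(2024, 6, 2)),      # not in bob's grant set: ignored
]


def latent_threat(user, grants, sessions, now=NOW, window_days=182):
    """Return (score, unused_devices) for one user.

    score is the share of granted devices with no session inside the window:
    1.0 means none of the granted devices was used, 0.0 means all were.
    Assumption: a user with no granted devices scores 0.0.
    """
    granted = grants.get(user, set())
    if not granted:
        return 0.0, set()
    cutoff = now - timedelta(days=window_days)
    used = {dev for u, dev, ts in sessions
            if u == user and dev in granted and cutoff <= ts <= now}
    unused = granted - used
    return len(unused) / len(granted), unused


def latent_report(grants, sessions, now=NOW):
    """{user: (score, unused_devices)} for every user in the grant table."""
    return {u: latent_threat(u, grants, sessions, now) for u in grants}


if __name__ == "__main__":
    for user, (score, unused) in latent_report(GRANTS, SESSIONS).items():
        print(f"{user:8s} latent threat {score:.2f}  never used: {sorted(unused) or '-'}")
```

With this data alice scores 0.5 (dc01 was last used before the window and fw01 never), bob scores 0.0, and carol, who has three privileged grants and no sessions at all, scores 1.0 and is the first account to review.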
Suspicion by time
The suspicion by time 3D graph shows all privileged users, with a single suspicion number for each. The data is time-sliced into months and the level of suspicion is colour-coded.
To calculate the suspicion level by time, a weighted sum of several behaviour measures is collected and analysed. These include:
- The user’s suspicion level by activity, device and posture.
- The activity suspicion level is determined by the length of the session connection to the device.
- The device suspicion is determined by the number of devices accessed by the user.
- The posture suspicion is determined by the IP address used when logging on to the PxM Client.
- For each of these factors, PxM creates a baseline for each user.
Suspicion increases when a user deviates from the expected behaviour set by their baseline.
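The following Python is an added illustration of a weighted-sum score over the three measures named above, not PxM's own code or weights. It buckets a constructed session log by user and month, measures mean session length (activity), distinct devices (device) and distinct client IP addresses (posture), sets each user's baseline to the mean of their earlier months, and scores a month as a weighted sum of capped relative deviations. The weights 0.4/0.3/0.3, the choice of relative deviation capped at 1, and the expanding-window baseline are all assumptions; because the weights sum to 1 and each deviation is capped, the result stays within the 0 to 1 range the graph colour-codes.

```python
"""Illustrative suspicion-by-time scorer (added example; not PxM code)."""
from collections import defaultdict
from datetime import datetime

# Assumed weights: the page says the sum is weighted but does not give the weights.
WEIGHTS = {"activity": 0.4, "device": 0.3, "posture": 0.3}

# Constructed session log: (user, start time, duration in minutes, device, client IP).
SESSIONS = [
    # January and February: short sessions on two devices from one address
    *[("alice", datetime(2024, 1, 2 + 7 * k), 30, dev, "10.0.0.5")
      for k in range(2) for dev in ("db01", "web01")],
    *[("alice", datetime(2024, 2, 2 + 7 * k), 30, dev, "10.0.0.5")
      for k in range(2) for dev in ("db01", "web01")],
    # March: very long sessions, one of them from a new address on a new device
    ("alice", datetime(2024, 3, 4), 240, "db01", "10.0.0.5"),
    ("alice", datetime(2024, 3, 18), 240, "dc01", "203.0.113.9"),
]


def monthly_measures(sessions):
    """{user: {"YYYY-MM": {"activity": mean minutes, "device": n devices, "posture": n IPs}}}

    Months are returned in chronological order for each user.
    """
    buckets = defaultdict(lambda: defaultdict(list))
    for user, ts, minutes, device, ip in sessions:
        buckets[user][ts.strftime("%Y-%m")].append((minutes, device, ip))
    out = {}
    for user, months in buckets.items():
        out[user] = {}
        for month, rows in sorted(months.items()):
            out[user][month] = {
                "activity": sum(r[0] for r in rows) / len(rows),
                "device": len({r[1] for r in rows}),
                "posture": len({r[2] for r in rows}),
            }
    return out


def deviation(value, baseline):
    """Relative deviation of value from baseline, capped at 1.0 (assumed form)."""
    if baseline == 0:
        return 0.0 if value == 0 else 1.0
    return min(1.0, abs(value - baseline) / baseline)


def suspicion_by_time(sessions, weights=WEIGHTS):
    """{user: {month: score}} with the baseline for each measure taken as the
    mean of that user's earlier months (assumed); the first month scores 0.0
    because there is nothing yet to compare against."""
    result = {}
    for user, months in monthly_measures(sessions).items():
        history = defaultdict(list)   # measure -> values seen in earlier months
        result[user] = {}
        for month, m in months.items():
            if not history["activity"]:
                score = 0.0
            else:
                score = sum(w * deviation(m[k], sum(history[k]) / len(history[k]))
                            for k, w in weights.items())
            result[user][month] = score
            for k in weights:
                history[k].append(m[k])
    return result


if __name__ == "__main__":
    for user, months in suspicion_by_time(SESSIONS).items():
        for month, score in months.items():
            print(f"{user:8s} {month} {score:.2f}")
```

For the constructed data alice scores 0.0 in January (no baseline yet) and February (identical to January), then 0.7 in March: the session length deviation saturates at 1 (240 minutes against a 30 minute baseline), the device count is unchanged at 2, and the posture measure doubles from one address to two. Which of the three measures drove the score is what an analyst would want to see when picking a user off the graph.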
The graph can be freely zoomed and rotated, and its elements show details on mouse-over.