Understanding importance and confidence in threat detectors

book

Article ID: 170924

calendar_today

Updated On:

Products

CASB Security Standard CASB Security Premium CASB Security Advanced CASB Audit CASB Gateway

Issue/Introduction

Need a better understanding of what importance level and confidence level, in detect, are and how they are important.

Resolution

For every BBI you can configure both the importance level and a confidence level that determines how much certainty you require to declare an incident. The greater the confidence setting, the more comprehensive a user profile must be before declaring that an incident falls outside the bounds of normal behavior. For example, setting confidence to 90% means that the detector does not fire unless the user’s profile has enough data for Detect to tell the difference between normal and abnormal behavior with 90% certainty. An important tradeoff inherent in this method is that a larger confidence value requires a longer training period to achieve the required certainty.

The importance and confidence settings influence detectors very differently--high confidence with low importance means something very different from low confidence with high importance.

Consider the three examples described below.

  • If you were particularly concerned that malware or a bad actor might threaten your data with anomalously frequent deletes, you might configure a lower confidence and higher importance for the corresponding detector as shown below.



    By setting a lower confidence level, you are taking the position that you would rather get more false positives than let any real incident be suppressed. And by selecting a higher importance, you are asking that the user’s ThreatScore be increased more for an incident of anomalously frequent deletes than for other anomalously frequent actions.
     
  • If you happened to believe that excessive use of sharing is more harmful to the company than any other action, including delete, you might configure the Anonymously frequent sharing detector as shown below.



    The relatively low confidence level reflects a better-safe-than-sorry policy, and the Critical setting for importance raises the user’s ThreatScore sharply when the behavior is detected.
     
  • If you believe that anomalously frequent user actions represent a danger only when the pattern is very well developed, you might use the settings shown below for this detector.



    The high confidence setting tells Detect to declare an incident only when it can do so with a minimal chance of false positives. The low importance setting raises the user’s ThreatScore only a modest amount for each incident.

 

Attachments