Incorporating Risk Vectors into Information Centric Analytics (ICA) to improve risk scores.
Risk vectors compare activities, events and incidents to similar activities, events and incidents. Risk vectors are used to calculate risk scores, and are defined for applications, computer endpoints, IP addresses, persons, and users. For example, person risk vectors compare a person's activities, events or incidents to the person's usual activities, other peers in the same department, and peers with the same manager to determine the person's risk level.
A Risk Weight is specified to allow certain vectors to contribute more to a risk score. For example, a failed authentication risk vector may have a weight of 5, and a successful authentication risk vector may have a weight of 1. When the risk score is computed, the failed authentication vector then contributes five times as much to the score as the successful authentication vector.
Risk scoring settings include configuration options for displaying vectors and setting risk ratings for each entity type. The vectors and ratings appear on the Risk Level tab of the individual entity pages in the Assets or Identities portal.
Application risk scoring settings include configuration options for displaying vectors and setting risk ratings. The vectors and ratings appear on the Risk Level tab of the individual application pages in the Assets portal.
To configure application risk scoring settings, do the following:

| Setting | Description |
| --- | --- |
| Display the vector scores sorted by ordinal, true, or false to be sorted by application's vector scores | Enables the sorting and display of application risk vector scores. |
| Include the Unrated applications as part of the percentage of low | Counts unrated applications in the percentage of low-risk applications. |
| Number of days back to use in calculating application risk score ratings | Sets the number of days used to calculate application risk score ratings. |
| Number of desired Critical application risk score ratings | Sets the number of applications rated critical. In a company with 100 computers, the number may be 10, and in a company with 20,000 computers, the number may be 50. |
| Percentage of desired High application risk score ratings | Defines the percentage of applications rated high. The default is the top 2 percent. NOTE: Administrators can add, delete and change the vectors used for the risk score. |
| Percentage of desired Low application risk score ratings | Defines the percentage of applications rated low. The default is the bottom 66 percent. NOTE: Administrators can add, delete and change the vectors used for the risk score. |
| Suppress vectors whose values for application, peers, and organization are all zero | Hides a vector when its value is zero for the application, its peers, and the organization. |
Computer endpoint risk scoring settings include configuration options for displaying vectors and setting risk ratings. The vectors and ratings appear on the Risk Level tab of the individual computer endpoint pages in the Assets portal.
To configure computer endpoint risk scoring settings, do the following:

| Setting | Description |
| --- | --- |
| Display the vector scores sorted by ordinal, true, or false to be sorted by computer endpoint's vector scores | Enables the sorting and display of computer endpoint risk vector scores. |
| Include the Unrated computer endpoints as part of the percentage of low | Counts unrated computer endpoints in the percentage of low-risk computer endpoints. |
| Number of days back to use in calculating computer endpoint risk score ratings | Sets the number of days used to calculate computer endpoint risk score ratings. |
| Number of desired Critical computer endpoint risk score ratings | Sets the number of computer endpoints rated critical. In a company with 100 computers, the number may be 10, and in a company with 20,000 computers, the number may be 50. |
| Percentage of desired High computer endpoint risk score ratings | Defines the percentage of computer endpoints rated high. The default is the top 2 percent. NOTE: Administrators can add, delete and change the vectors used for the risk score. |
| Percentage of desired Low computer endpoint risk score ratings | Defines the percentage of computer endpoints rated low. The default is the bottom 66 percent. NOTE: Administrators can add, delete and change the vectors used for the risk score. |
| Suppress vectors whose values for computer endpoint, peers, and organization are all zero | Hides a vector when its value is zero for the computer endpoint, its peers, and the organization. |
IP risk scoring settings include configuration options for displaying vectors and setting risk ratings. The vectors and ratings appear on the Risk Level tab of the individual IP address pages in the Assets portal.
To configure IP risk scoring settings, do the following:

| Setting | Description |
| --- | --- |
| Display the vector scores sorted by ordinal, true, or false to be sorted by IP's vector scores | Enables the sorting and display of IP address risk vector scores. |
| Include the Unrated IP addresses as part of the percentage of low | Counts unrated IP addresses in the percentage of low-risk IP addresses. |
| Number of days back to use in calculating IP address risk score ratings | Sets the number of days used to calculate IP address risk score ratings. |
| Number of desired Critical IP address risk score ratings | Sets the number of IP addresses rated critical. In a company with 100 computers, the number may be 10, and in a company with 20,000 computers, the number may be 50. |
| Percentage of desired High IP address risk score ratings | Defines the percentage of IP addresses rated high. The default is the top 2 percent. NOTE: Administrators can add, delete and change the vectors used for the risk score. |
| Percentage of desired Low IP address risk score ratings | Defines the percentage of IP addresses rated low. The default is the bottom 66 percent. NOTE: Administrators can add, delete and change the vectors used for the risk score. |
| Suppress vectors whose values for IP address, peers, and organization are all zero | Hides a vector when its value is zero for the IP address, its peers, and the organization. |
Person risk scoring settings include configuration options for the high and low risk scores, and rating options. The vectors and ratings appear on the Risk Level tab of the individual person pages in the Identities portal.
To configure person risk scoring settings, do the following: In the Risk Fabric administration portal, select Settings, and then select General Settings.

| Setting | Description |
| --- | --- |
| Display the vector scores sorted by ordinal, true, or false to be sorted by person's vector scores | Enables the sorting and display of person risk vector scores. |
| Include the Unrated persons as part of the percentage of low | Counts unrated persons in the percentage of low-risk persons. |
| Number of days back to use in calculating person risk score ratings | Sets the number of days used to calculate person risk score ratings. |
| Number of desired Critical person risk score ratings | Sets the number of persons rated critical. In a company with 100 computers, the number may be 10, and in a company with 20,000 computers, the number may be 50. |
| Percentage of desired High person risk score ratings | Defines the percentage of persons rated high. The default is the top 2 percent. NOTE: Administrators can add, delete and change the vectors used for the risk score. |
| Percentage of desired Low person risk score ratings | Defines the percentage of persons rated low. The default is the bottom 66 percent. NOTE: Administrators can add, delete and change the vectors used for the risk score. |
| Suppress vectors whose values for person, peers, and organization are all zero | Hides a vector when its value is zero for the person, their peers, and the organization. |
User risk scoring settings include configuration options for the high and low risk scores, and rating options. The vectors and ratings appear on the Risk Level tab of the individual user pages in the Identities portal.
To configure user risk scoring settings, do the following:

| Setting | Description |
| --- | --- |
| Display the vector scores sorted by ordinal, true, or false to be sorted by user's vector scores | Enables the sorting and display of user risk vector scores. |
| Include the Unrated users as part of the percentage of low | Counts unrated users in the percentage of low-risk users. |
| Number of days back to use in calculating user risk score ratings | Sets the number of days used to calculate user risk score ratings. |
| Number of desired Critical user risk score ratings | Sets the number of users rated critical. In a company with 100 computers, the number may be 10, and in a company with 20,000 computers, the number may be 50. |
| Percentage of desired High user risk score ratings | Defines the percentage of users rated high. The default is the top 2 percent. NOTE: Administrators can add, delete and change the vectors used for the risk score. |
| Percentage of desired Low user risk score ratings | Defines the percentage of users rated low. The default is the bottom 66 percent. NOTE: Administrators can add, delete and change the vectors used for the risk score. |
| Suppress vectors whose values for user, peers, and organization are all zero | Hides a vector when its value is zero for the user, their peers, and the organization. |
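The risk weighting described at the top of the page and the rating settings in the tables above, worked through in code. This is an added example, not ICA's own scoring logic; the vector names, weights, sample values, the zero-suppression check and the exact bucketing rules (how Critical, High, Low and unrated entities are cut from the ranked list) are assumptions.

```python
import math

# Constructed example, not ICA's own scoring code: per-vector Risk Weights fold into one
# score, then the table's rating settings (Critical count, High %, Low %, unrated handling)
# bucket the entities. The exact thresholds and rounding rules are assumptions.

# Risk Weight per vector: a failed authentication counts five times a successful one.
WEIGHTS = {"failed_auth": 5, "successful_auth": 1, "usb_writes": 3}

def risk_score(vectors, weights=WEIGHTS):
    """Weighted sum of vector values; a vector with no configured weight counts 1 (assumption)."""
    return sum(weights.get(name, 1) * value for name, value in vectors.items())

def suppressed(name, entity, peers, org):
    """The 'suppress vectors whose values for entity, peers, and organization are all zero' setting."""
    return all(group.get(name, 0) == 0 for group in (entity, peers, org))

def rate(scores, critical_count=1, high_pct=2.0, low_pct=66.0, include_unrated_in_low=True):
    """Assumed rules: score 0 is Unrated; Critical = top critical_count entities; High = next
    high_pct % of rated ones; Low = bottom low_pct % (of all entities when unrated ones are
    counted as Low, else of rated ones); the remainder is Medium."""
    rated = sorted((e for e in scores if scores[e] > 0), key=lambda e: (-scores[e], e))
    unrated = [e for e in scores if scores[e] <= 0]
    n_high = math.ceil(len(rated) * high_pct / 100)
    if include_unrated_in_low:   # unrated entities fill the Low percentage first
        n_low = math.floor(len(scores) * low_pct / 100) - len(unrated)
    else:
        n_low = math.floor(len(rated) * low_pct / 100)
    ratings = {e: ("Low" if include_unrated_in_low else "Unrated") for e in unrated}
    for i, e in enumerate(rated):
        if i < critical_count:
            ratings[e] = "Critical"
        elif i < critical_count + n_high:
            ratings[e] = "High"
        else:
            ratings[e] = "Low" if i >= len(rated) - max(n_low, 0) else "Medium"
    return ratings

# Constructed sample: each user's vector values over the configured days-back window.
SAMPLE = {
    "alice": {"failed_auth": 12, "successful_auth": 20, "usb_writes": 4},  # score 92
    "bob": {"failed_auth": 8, "successful_auth": 10, "usb_writes": 2},     # score 56
    "carol": {"failed_auth": 5, "successful_auth": 5}, "dave": {"failed_auth": 2, "successful_auth": 10},
    "erin": {"successful_auth": 15}, "frank": {"successful_auth": 10},
    "grace": {"successful_auth": 6}, "heidi": {"successful_auth": 3}, "ivan": {}, "judy": {},
}

def rate_sample(include_unrated_in_low=True):
    """Score every sample user, then rate with the page's defaults (High top 2 %, Low bottom 66 %)."""
    return rate({u: risk_score(v) for u, v in SAMPLE.items()}, include_unrated_in_low=include_unrated_in_low)
```

With ten users, two of them without activity, toggling the unrated setting moves one rated user (dave) between Medium and Low, which is the effect the "Include the Unrated ... as part of the percentage of low" setting has on the cut-off.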
To create a risk vector, do the following:
1. Go to the Admin navigation menu item and select Settings.
2. In the far right section of the screen, click the "More" option and select the Risk Vectors item.
3. Identify and select the Risk Vector type for which you want to create a new vector.
4. Click New Risk Vector.
5. Enter the vector name.
6. Select the Enabled check box to enable the vector, and assign a risk weight.
7. Enter the query for the risk vector. The query is a unique count of something (Applications, Computer Endpoints, IPs, Users, or Persons) for a defined use case, written as a SQL query.
Example Query:
Note that with the query above:
- Row 2: Unique identifier for the User. This could also be the IPID, ComputerEndpointID, PersonID, or ApplicationID when creating a risk vector for a different type.
- Row 3: Represents a value (generally a count or a sum).
  NOTE: The line highlighted in red is required if you want Event Classification Weight Multipliers taken into account when calculating the score.
- Row 9: References a parameter placeholder (%DateForPortalSettingUserRiskVectorsDaysBack%) that is replaced by a formula using the User Risk Vector portal setting when the Risk Vector is evaluated.
8. Click Save to save the risk vector, or Cancel to discard it.
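An added example, not ICA's own code or schema, of what evaluating a vector query of the shape step 7 describes involves: the days-back placeholder is replaced by a cutoff date derived from the portal setting, and the query returns one row per entity with a unique identifier and a value. Only the placeholder token and that result shape come from the page; the Events table, its columns, the event type names and the sample rows are constructed.

```python
import sqlite3
from datetime import date, timedelta

# Constructed example, not ICA's own code or schema. Only the placeholder token
# %DateForPortalSettingUserRiskVectorsDaysBack% and the (identifier, value) result
# shape come from the page; the Events table, its columns and the rows are hypothetical.
PLACEHOLDER = "%DateForPortalSettingUserRiskVectorsDaysBack%"

# Row 2 is the unique identifier (UserID), row 3 the value (a unique count), and the
# WHERE clause references the days-back placeholder, mirroring the layout the page describes.
QUERY = f"""
SELECT e.UserID,
       COUNT(DISTINCT e.EventID) AS Value
FROM Events e
WHERE e.EventType = 'FailedAuthentication'
  AND e.EventDate >= '{PLACEHOLDER}'
GROUP BY e.UserID
"""

# Constructed sample rows: (EventID, UserID, EventType, EventDate)
EVENTS = [
    (1, "alice", "FailedAuthentication", "2024-03-01"),
    (2, "alice", "FailedAuthentication", "2024-03-02"),
    (3, "alice", "FailedAuthentication", "2024-01-15"),    # older than the window, ignored
    (4, "bob", "FailedAuthentication", "2024-03-03"),
    (5, "bob", "SuccessfulAuthentication", "2024-03-03"),  # wrong event type, ignored
    (6, "carol", "SuccessfulAuthentication", "2024-03-04"),
]

def resolve_placeholder(query, days_back=30, today=date(2024, 3, 5)):
    """Replace the placeholder with the cutoff date derived from the days-back setting."""
    cutoff = today - timedelta(days=days_back)
    return query.replace(PLACEHOLDER, cutoff.isoformat())

def evaluate_vector(query=QUERY, days_back=30, today=date(2024, 3, 5)):
    """Run the resolved vector query over the sample events; returns {UserID: value}."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Events (EventID INTEGER, UserID TEXT, EventType TEXT, EventDate TEXT)")
    con.executemany("INSERT INTO Events VALUES (?, ?, ?, ?)", EVENTS)
    return dict(con.execute(resolve_placeholder(query, days_back, today)).fetchall())
```

Users with no matching events in the window (carol here) produce no row at all, which is why the rating side needs an explicit rule for unrated entities.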