
What is the value of Risk Levels?


Article ID: 175587

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

In an environment that is already using categories and malware analysis, what is the value of Risk Levels?

Resolution

There are three main advantages that Risk Levels provide:

  • Help threat hunters zero in on threats more quickly
    • The question to ask is why something on my network went somewhere bad in the first place. Threat hunters typically want more information than just a category, and Risk Levels can provide some of that context.
      • For example, Risk Level 10 would be well-known malware, while Risk Level 9 would be a fresh dynamic detection. If it is a fresh detection, probably nothing else (outside of Symantec Intelligence) knows about it yet, so it is worth digging into. In these cases the category would block regardless of whether the rating is a 9 or a 10, but without Risk Levels the customer would have no way to investigate it adequately.
  • Granular policy control for weighing the risk of a site against its value
    • Risk Level/category combinations allow granular policy for handling unique threats.
    • Risk Levels allow the customer to place custom restrictions in policy. For example, policy could examine the file type or content type and then raise or lower the Risk Level for that case. Helping the customer have a very unique
  • Identifying shady content
    • This is traffic that has not been identified as good or bad but is exhibiting odd behavior. Here, as you well know, uncategorized traffic is a huge culprit, and the value that Risk Levels provide cannot be overstated. Blocking uncategorized traffic outright is painful; the rationale for doing it is that the value of that traffic is not worth the risk it poses to the business, and Risk Levels let policy make that trade-off more selectively.
    • We have found countless incidents where there was no category at the time, but Risk Levels detected the anomaly before anyone else.
    • Here are a few examples:
  • Many URLs coming from Iran were detected to be involved in a spearphishing campaign. When we received intelligence, we added them to the database as phishing, but WebPulse Risk Levels were already protecting customers weeks before the intelligence community knew about them:


Site                   | Function                                 | Dynamic Rating
-----------------------|------------------------------------------|--------------------------------------------------------------------
cdn-edge-akamai[.]com  | C2                                       | Category: none, Risk Level: 6; Category: Suspicious, Risk Level: 7
cam-research-ac[.]com  | Spearphishing site; Stage 1 payload host | Category: none, Risk Level: 5/6
185.15.247[.]154       | C2 site (unused)                         | Category: none, Risk Level: 6
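The three advantages above (Risk Level as hunting context alongside the category verdict, content-type adjustments in policy, and blocking or alerting on uncategorized-but-risky traffic) are modelled in the following added Python example, written for this article and not taken from Cloud SWG or WebPulse. The thresholds, content-type bumps, priority scheme and sample ratings are all assumptions; only the three sites come from the table above.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Thresholds and bumps are assumptions for this illustration, not Cloud SWG values.
BLOCK_CATEGORIES = {"Malware", "Phishing", "Suspicious"}
BLOCK_RISK = 7          # uncategorized traffic at or above this Risk Level is blocked
ALERT_RISK = 5          # uncategorized traffic at or above this is allowed but alerted on
CONTENT_TYPE_BUMP = {"application/x-msdownload": 2, "application/zip": 1}  # raise risk

@dataclass
class Rating:
    site: str
    category: Optional[str]     # None models "Category: none" in the article's table
    risk_level: int             # WebPulse Risk Level, 1-10
    content_type: str = "text/html"

def effective_risk(r: Rating) -> int:
    """Risk Level after the content-type adjustment, capped at 10."""
    return min(10, r.risk_level + CONTENT_TYPE_BUMP.get(r.content_type, 0))

def decide(r: Rating) -> Tuple[str, int]:
    """Return (policy verdict, hunting priority); priority 0 means nothing to investigate."""
    risk = effective_risk(r)
    if r.category in BLOCK_CATEGORIES or (r.category is None and risk >= BLOCK_RISK):
        verdict = "block"
    elif r.category is None and risk >= ALERT_RISK:
        verdict = "allow-and-alert"
    else:
        verdict = "allow"
    # Category gives the same verdict for 9 and 10; the Risk Level says where to look first.
    if r.risk_level == 9:                                  # fresh dynamic detection
        priority = 1
    elif r.category is None and risk >= ALERT_RISK:        # uncategorized anomaly
        priority = 2
    else:                                                  # 10 = well-known, little to learn
        priority = 3 if r.risk_level == 10 else 0
    return verdict, priority

def hunt_queue(ratings: List[Rating]) -> List[str]:
    """Sites a threat hunter should look at, most urgent first."""
    flagged = [(decide(r)[1], r.site) for r in ratings if decide(r)[1]]
    return [site for _, site in sorted(flagged)]

# Constructed sample: sites from the article's table plus two category hits.
SAMPLE = [
    Rating("cam-research-ac[.]com", None, 5),
    Rating("185.15.247[.]154", None, 6, "application/x-msdownload"),
    Rating("known-bad.example", "Malware", 10),
    Rating("fresh-hit.example", "Malware", 9),
]
```

Note that the two Malware hits get the identical verdict, and only the priority separates the fresh detection from the well-known site.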