Information Centric Analytics


Information Centric Analytics Best Practices - Risk Vectors 

Aug 27, 2019 07:32 PM

Creating and Configuring Risk Vectors and Risk Scores


This article describes how Symantec Information Centric Analytics (ICA) uses risk vectors to calculate and display risk scores. In ICA, risk vectors compare activities, events and incidents to similar activities, events and incidents. Risk vectors are used to calculate risk scores, and are defined for applications, computer endpoints, IP addresses, persons, and users. For example, person risk vectors compare a person's activities, events or incidents to the person's usual activities, to peers in the same department, and to peers with the same manager to determine the person's risk level.

 

A risk weight is specified to allow certain vectors to contribute more to a risk score. For example, a failed authentication risk vector may have a weight of 5, and a successful authentication risk vector may have a weight of 1. When the risk score is computed, the failed authentication provides a larger contribution to the score than the successful authentication.

 

Creating Risk Vectors Using Analyzer

To create a risk vector based on a cell in the Analyzer, do the following:

1. Navigate to the Analyzer.

2. Create a view or open an existing view.

3. Right-click the cell that has the data you want to use for the risk vector.

4. Click Create Risk Vector.

5. Select the entity type.

6. Enter a name for the risk vector.

7. Click the Enabled check box to enable the risk vector. Enabling the risk vector allows the risk vector to be used in risk calculations.

8. Click the Displayed check box to display the risk vector on the radar graphs on entity details pages.

9. Enter a weight for the risk vector. The risk weight allows certain vectors to contribute more to a risk score.

10. Click Save to save the risk vector.

Configuring Risk Scoring Settings

Risk scoring settings include configuration options for displaying vectors and setting risk ratings. The vectors and ratings appear on the Risk Level tab of the individual application pages in the Assets portal.

Configuring Application Risk Scoring Settings

Application risk scoring settings include configuration options for displaying vectors and setting risk ratings. The vectors and ratings appear on the Risk Level tab of the individual application pages in the Assets portal.

 

To configure application risk scoring settings, do the following:

1. In the ICA administration portal, select Settings, and then select General Settings.

2. Go to the Application Risk Scoring settings section.

3. Configure the settings as needed. The following table lists the configuration options. The thresholds trigger a notification based on the previous day's events.

 

| Setting | Description |
| --- | --- |
| Display the vector scores sorted by ordinal, true, or false to be sorted by application's vector scores | Enables the sorting and display of risk vector scores. |
| Enable Application Risk Score Calculation | Enables calculation of risk scores for applications. |
| Include the Unrated applications as part of the percentage of low | Enables the inclusion of unrated applications counted in the percentage of low-risk applications. |
| Literal threshold (inclusive) for Critical risk ratings | Sets the raw risk score for applications to be considered critical risk. |
| Literal threshold (inclusive) for High risk ratings | Sets the raw risk score for applications to be considered high risk. |
| Literal threshold (inclusive) for Medium for risk ratings | Sets the raw risk score for applications to be considered medium risk. |
| Number of days back to use in calculating application risk score ratings | Sets the number of days used to calculate application risk score ratings. |
| Number of desired Critical application risk score ratings | Sets the number of applications considered critical. In a company with 100 computers, the number may be 10, and in a company with 20,000 computers, the number may be 50. |
| Percentage of desired High application risk score ratings | Defines the percentage for the high category for the application risk score. The default is the top 2 percent. NOTE: Administrators can add, delete and change the vectors used for the risk score. |
| Percentage of desired Low application risk score ratings | Defines the percentage for the low category for the application risk score. The default is the bottom 66 percent. NOTE: Administrators can add, delete and change the vectors used for the risk score. |
| Suppress vectors whose values for application, peers, and organization are all zero. | Disables the vectors from being displayed when the computer endpoints have a value of zero. |
| The maximum number of vectors to be displayed in the vector graph | Sets the maximum number of risk vectors to display on the vector graph. Enter 0 to display all risk vectors with a score greater than zero. |
| The minimum number of vectors to be displayed in the vector graph | Sets the minimum number of risk vectors to display on the vector graph. |
| Use the literal threshold to assign risk ratings | Enables the use of the literal threshold for risk ratings. |
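The settings above describe two ways to assign ratings: fixed literal thresholds, or quotas over the ranked population (a desired number of Critical, a top percentage of High, a bottom percentage of Low). The following Python sketch is an added example, not ICA code, that models both modes so their effect on the same scores can be compared. The field names, the threshold values 90/70/40, the sample data, and the treatment of unrated entities as using up low-quota slots are assumptions; only the 2 percent and 66 percent defaults come from the table.

```python
from dataclasses import dataclass

@dataclass
class RatingSettings:  # hypothetical field names mirroring the settings table
    use_literal_threshold: bool
    critical_min: float = 90.0      # constructed literal thresholds (inclusive)
    high_min: float = 70.0
    medium_min: float = 40.0
    desired_critical: int = 2       # "Number of desired Critical ..."
    high_percent: float = 2.0       # documented default: top 2 percent
    low_percent: float = 66.0       # documented default: bottom 66 percent
    include_unrated_in_low: bool = True

def rate(scores, cfg):
    """Map {entity: raw score or None for unrated} to {entity: rating}."""
    ratings = {n: "Unrated" for n, s in scores.items() if s is None}
    rated = {n: s for n, s in scores.items() if s is not None}
    if cfg.use_literal_threshold:
        for n, s in rated.items():
            if s >= cfg.critical_min:
                ratings[n] = "Critical"
            elif s >= cfg.high_min:
                ratings[n] = "High"
            elif s >= cfg.medium_min:
                ratings[n] = "Medium"
            else:
                ratings[n] = "Low"
        return ratings
    # Distribution mode: rank entities and fill the quotas from the top down.
    ranked = sorted(rated, key=lambda n: (-rated[n], n))
    unrated = len(ratings)
    population = len(rated) + (unrated if cfg.include_unrated_in_low else 0)
    n_crit = min(cfg.desired_critical, len(ranked))
    n_high = round(population * cfg.high_percent / 100)
    n_low = round(population * cfg.low_percent / 100)
    if cfg.include_unrated_in_low:   # assumed: unrated entities use up low slots
        n_low -= unrated
    n_low = max(0, min(n_low, len(ranked) - n_crit - n_high))
    for i, n in enumerate(ranked):
        if i < n_crit:
            ratings[n] = "Critical"
        elif i < n_crit + n_high:
            ratings[n] = "High"
        elif i >= len(ranked) - n_low:
            ratings[n] = "Low"
        else:
            ratings[n] = "Medium"
    return ratings

def sample_scores():
    # Constructed data: 95 quiet applications, 3 elevated ones, 2 unrated.
    scores = {f"app{i:03d}": float(i % 20) for i in range(95)}
    scores.update({"crm": 35.0, "vpn": 38.0, "hr-portal": 55.0,
                   "new-a": None, "new-b": None})
    return scores
```

On the constructed data, the quota mode always rates the two highest scorers Critical, while the literal mode rates nothing above Medium because no raw score reaches the High or Critical threshold.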

 

Configuring Computer Endpoint Risk Scoring Settings

Computer endpoint risk scoring settings include configuration options for displaying vectors and setting risk ratings. The vectors and ratings appear on the Risk Level tab of the individual computer endpoint pages in the Assets portal.

 

To configure computer endpoint risk scoring settings, do the following:

1. In the ICA administration portal, select Settings, and then select General Settings.

2. Go to the Computer Endpoint Risk Scoring settings section.

3. Configure the settings as needed. The following table lists the configuration options. The thresholds trigger a notification based on the previous day's events.

| Setting | Description |
| --- | --- |
| Display the vector scores sorted by ordinal, true, or false to be sorted by computer endpoint’s vector scores | Enables the sorting and display of computer endpoint risk vector scores. |
| Enable Computer Endpoint Risk Score Calculation | Enables calculation of risk scores for computer endpoints. |
| Include the Unrated computer endpoints as part of the percentage of low | Enables the inclusion of unrated computer endpoints counted in the percentage of low-risk computer endpoints. |
| Literal threshold (inclusive) for Critical risk ratings | Sets the raw risk score for computer endpoints to be considered critical risk. |
| Literal threshold (inclusive) for High risk ratings | Sets the raw risk score for computer endpoints to be considered high risk. |
| Literal threshold (inclusive) for Medium for risk ratings | Sets the raw risk score for computer endpoints to be considered medium risk. |
| Number of days back to use in calculating computer endpoints risk score ratings | Sets the number of days used to calculate computer endpoint risk score ratings. |
| Number of desired Critical computer endpoints risk score ratings | Sets the number of computer endpoints considered critical. In a company with 100 computers, the number may be 10, and in a company with 20,000 computers, the number may be 50. |
| Percentage of desired High computer endpoints risk score ratings | Defines the percentage for the high category for the computer endpoint risk score. The default is the top 2 percent. NOTE: Administrators can add, delete and change the vectors used for the risk score. |
| Percentage of desired Low computer endpoints risk score ratings | Defines the percentage for the low category for the computer endpoint risk score. The default is the bottom 66 percent. NOTE: Administrators can add, delete and change the vectors used for the risk score. |
| Suppress vectors whose values for computer endpoints, peers, and organization are all zero. | Disables the vectors from being displayed when the computer endpoints have a value of zero. |
| The maximum number of vectors to be displayed in the vector graph | Sets the maximum number of risk vectors to display on the vector graph. Enter 0 to display all risk vectors with a score greater than zero. |
| The minimum number of vectors to be displayed in the vector graph | Sets the minimum number of risk vectors to display on the vector graph. |
| Use the literal threshold to assign risk ratings | Enables the use of the literal threshold for risk ratings. |

 

Configuring IP Risk Scoring Settings

IP risk scoring settings include configuration options for displaying vectors and setting risk ratings. The vectors and ratings appear on the Risk Level tab of the individual IP address pages in the Assets portal.

 

To configure IP risk scoring settings, do the following:

1. In the ICA administration portal, select Settings, and then select General Settings.

2. Go to the IP Risk Scoring settings section.

3. Configure the settings as needed. The following table lists the configuration options. The thresholds trigger a notification based on the previous day's events.

| Setting | Description |
| --- | --- |
| Display the vector scores sorted by ordinal, true, or false to be sorted by IP’s vector scores | Enables the sorting and display of IP address risk vector scores. |
| Enable IP Risk Score Calculation | Enables calculation of risk scores for IP addresses. |
| Include the Unrated IP addresses as part of the percentage of low | Enables the inclusion of unrated IP addresses counted in the percentage of low-risk IP addresses. |
| Literal threshold (inclusive) for Critical risk ratings | Sets the raw risk score for IP addresses to be considered critical risk. |
| Literal threshold (inclusive) for High risk ratings | Sets the raw risk score for IP addresses to be considered high risk. |
| Literal threshold (inclusive) for Medium for risk ratings | Sets the raw risk score for IP addresses to be considered medium risk. |
| Number of days back to use in calculating IP addresses risk score ratings | Sets the number of days used to calculate IP address risk score ratings. |
| Number of desired Critical IP addresses risk score ratings | Sets the number of IP addresses considered critical. In a company with 100 computers, the number may be 10, and in a company with 20,000 computers, the number may be 50. |
| Percentage of desired High IP addresses risk score ratings | Defines the percentage for the high category for the IP address risk score. The default is the top 2 percent. NOTE: Administrators can add, delete and change the vectors used for the risk score. |
| Percentage of desired Low IP addresses risk score ratings | Defines the percentage for the low category for the IP address risk score. The default is the bottom 66 percent. NOTE: Administrators can add, delete and change the vectors used for the risk score. |
| Suppress vectors whose values for IP addresses, peers, and organization are all zero. | Disables the vectors from being displayed when the IP addresses have a value of zero. |
| The maximum number of vectors to be displayed in the vector graph | Sets the maximum number of risk vectors to display on the vector graph. Enter 0 to display all risk vectors with a score greater than zero. |
| The minimum number of vectors to be displayed in the vector graph | Sets the minimum number of risk vectors to display on the vector graph. |
| Use the literal threshold to assign risk ratings | Enables the use of the literal threshold for risk ratings. |

 

Configuring Person Risk Scoring Settings

Person risk scoring settings include configuration options for the high and low risk scores, and rating options. The vectors and ratings appear on the Risk Level tab of the individual person pages in the Identities portal.

 

To configure person risk scoring settings, do the following:

 

1. In the ICA administration portal, select Settings, and then select General Settings.

2. Go to the Person Risk Scoring settings section.

3. Configure the settings as needed. The following table lists the configuration options. The thresholds trigger a notification based on the previous day's events.

| Setting | Description |
| --- | --- |
| Display the vector scores sorted by ordinal, true, or false to be sorted by Person’s vector scores | Enables the sorting and display of person risk vector scores. |
| Enable Person Risk Score Calculation | Enables calculation of risk scores for persons. |
| Include the Unrated Person’s as part of the percentage of low | Enables the inclusion of unrated persons counted in the percentage of low-risk persons. |
| Literal threshold (inclusive) for Critical risk ratings | Sets the raw risk score for people to be considered critical risk. |
| Literal threshold (inclusive) for High risk ratings | Sets the raw risk score for people to be considered high risk. |
| Literal threshold (inclusive) for Medium for risk ratings | Sets the raw risk score for people to be considered medium risk. |
| Number of days back to use in calculating Person’s risk score ratings | Sets the number of days used to calculate person risk score ratings. |
| Number of desired Critical Person’s risk score ratings | Sets the number of persons considered critical. In a company with 100 computers, the number may be 10, and in a company with 20,000 computers, the number may be 50. |
| Percentage of desired High Person’s risk score ratings | Defines the percentage for the high category for the person risk score. The default is the top 2 percent. NOTE: Administrators can add, delete and change the vectors used for the risk score. |
| Percentage of desired Low Person’s risk score ratings | Defines the percentage for the low category for the person risk score. The default is the bottom 66 percent. NOTE: Administrators can add, delete and change the vectors used for the risk score. |
| Suppress vectors whose values for Person’s, peers, and organization are all zero. | Disables the vectors from being displayed when the person has a value of zero. |
| The maximum number of vectors to be displayed in the vector graph | Sets the maximum number of risk vectors to display on the vector graph. Enter 0 to display all risk vectors with a score greater than zero. |
| The minimum number of vectors to be displayed in the vector graph | Sets the minimum number of risk vectors to display on the vector graph. |
| Use the literal threshold to assign risk ratings | Enables the use of the literal threshold for risk ratings. |

 

Configuring User Risk Scoring Settings

User risk scoring settings include configuration options for the high and low risk scores, and rating options. The vectors and ratings appear on the Risk Level tab of the individual user pages in the Identities portal.

 

To configure user risk scoring settings, do the following:

1. In the ICA administration portal, select Settings, and then select General Settings.

2. Go to the Person Risk Scoring settings section.

3. Configure the settings as needed. The following table lists the configuration options. The thresholds trigger a notification based on the previous day's events.

 

 

| Setting | Description |
| --- | --- |
| Display the vector scores sorted by ordinal, true, or false to be sorted by User’s vector scores | Enables the sorting and display of user risk vector scores. |
| Enable User Risk Score Calculation | Enables calculation of risk scores for users. |
| Include the Unrated User’s as part of the percentage of low | Enables the inclusion of unrated users counted in the percentage of low-risk users. |
| Literal threshold (inclusive) for Critical risk ratings | Sets the raw risk score for users to be considered critical risk. |
| Literal threshold (inclusive) for High risk ratings | Sets the raw risk score for users to be considered high risk. |
| Literal threshold (inclusive) for Medium risk ratings | Sets the raw risk score for users to be considered medium risk. |
| Number of days back to use in calculating User’s risk score ratings | Sets the number of days used to calculate user risk score ratings. |
| Number of desired Critical User’s risk score ratings | Sets the number of users considered critical. In a company with 100 computers, the number may be 10, and in a company with 20,000 computers, the number may be 50. |
| Percentage of desired High User’s risk score ratings | Defines the percentage for the high category for the user risk score. The default is the top 2 percent. NOTE: Administrators can add, delete and change the vectors used for the risk score. |
| Percentage of desired Low User’s risk score ratings | Defines the percentage for the low category for the user risk score. The default is the bottom 66 percent. NOTE: Administrators can add, delete and change the vectors used for the risk score. |
| Suppress vectors whose values for User’s, peers, and organization are all zero. | Disables the vectors from being displayed when the user has a value of zero. |
| The maximum number of vectors to be displayed in the vector graph | Sets the maximum number of risk vectors to display on the vector graph. Enter 0 to display all risk vectors with a score greater than zero. |
| The minimum number of vectors to be displayed in the vector graph | Sets the minimum number of risk vectors to display on the vector graph. |
| Use the literal threshold to assign risk ratings | Enables the use of the literal threshold for risk ratings. |

For more best practice articles on Symantec Information Centric Analytics see the following posts:
