The Risk Dashboard is a crucial tool in your security management that allows you to quickly identify the current state of risk in your fleet. It does this by analyzing risk signals and trends over the past 30 days. This information is invaluable for locating risks by users and the progression of passkeys' risks over time so you can create policies to enhance your security posture. You have full control over the Risk Dashboard and can take immediate action to prevent risks by deactivating a user or revoking a passkey.
You can access this page in the Admin console by simply selecting Insights in the nav bar.
Contents
- How risk scores are calculated
- View risky users in the last 30 days
- View risks blocked by policy rules in the last 30 days
- View risky passkeys in the last 30 days
See Risk Signals & Policy Configurations for a description of risk/threat signals and the policies you must set to check for them.
How risk scores are calculated
Beyond Identity has meticulously developed 19 ”risk signals” (described here) that accurately assess the risk exposure of each ID, passkey, and authentication in your data. Each risk signal is designed to detect a particular type of security risk or suspicious behavior using features from authentication events. These detections are then aggregated into risk scores ranging from zero to 100. Higher risk scores represent more significant levels of risk. This reliable system helps you prioritize remediation actions to mitigate risk in your environment effectively. The Risk Dashboard tables are sorted in descending order, ensuring that the highest risk entities are always at the top of each table.
The risk score is calculated by comparing threat signal detection counts to baselines representing average security posture. This is initially done for each signal. Scores from the separate signals are then combined to form the risk scores reported in the tables.
Example
Suppose a User ID is being scored over a 30-day window. The scoring algorithm first adds detections separately from each threat signal. For instance, the “Fast travel” signal may have five detections out of 100 authentication attempts from the ID in the last 30 days. The algorithm uses a “Fast travel” baseline to calculate how anomalous this detection rate is in the form of a standard score. It quantifies how many standard deviations above average the detection count of five is given 100 authentication attempts. This is done for each threat signal separately, and the standard scores are then merged into a single risk score using an in-house aggregation method developed by Beyond Identity.
This means that the risk scores are outlier scores. Users with a risk score of zero are more secure than average, while users with medium or high-risk scores have anomalously high detection rates.
View risky users in the last 30 days
Based on the risk signals, this graph shows potential risks from users in your fleet. You can create policies that will deny authentications from these users until they update their operating system to a supported version for example.
Don't miss out on the most exciting parts of this feature! Check out the video below for highlights.
For step-by-step information, see the steps below!
- Click a risk signal in the Risky users in the last 30 days graph to view a table with the list of user authentications with the selected risk.
Risky authentications are aggregated to create a User Risk Score of:
-
- Low (0-39)
- Medium (40-69)
- High (70-100)
- (Optional) Select the status of a user to show only Active, Suspended, or Deleted users.
- (Optional) Filter by Risk Signal to view a different risk.
- Click the down arrow in a row to learn more about the risk signals for this user.
Tip: You can also export data in this table to a .csv file. - To take action to deactivate a user:
- Click a User ID link.
- Click Deactivate User.
- A message informs you that the user was deactivated. If needed, you can delete a user from this page.
View risks blocked by policy rules in the last 30 days
This graph shows the number of authentications with risks blocked by policies you’ve created. You can use the Risky users or Risky passkeys in the last 30 days graphs on this page to identify additional risks that need to be added to policies. To see which policies you need to create, see Risk Signal & Policy Configurations.
For step-by-step information, see the steps below!
- Click a rule in the Risky users in the last 30 days graph to view a table with the list of denied authentications for the selected rule/risk signal.
- (Optional) Filter by Risk Signal to view a different risk.
- Click the down arrow in a row to view a description of the policy rule.
- Click the rule to open the policy page to view the rule under Rule Name.
- Click the event link to view a list of events impacted by this policy rule.
View risky passkeys in the last 30 days
This graph shows potential risks from passkeys in your environment. Because users may have multiple passkeys, you can revoke access to a risky passkey without removing access to other passkeys that aren’t impacted.
Don't miss out on the most exciting parts of this feature! Check out the video below for highlights.
For step-by-step information, see the steps below!
- Hover over a point in the Risky passkeys in the last 30 days graph.
- Click See details to view a table with the list of risky passkeys.
Risky passkeys are aggregated to create a Passkey Risk Score of:
-
- Low (0-39)
- Medium (40-69)
- High (70-100)
- (Optional) Select the status of a passkey to show only Active or Deleted passkeys.
- (Optional) Filter by Risk Signal to focus on a specific risk.
- Click the down arrow in a row to learn more about a passkey’s vulnerabilities.
Tip: You can also export data in this table to a .csv file. - To take action to revoke the passkey:
- Click a Passkey ID link.
- Click the checkbox beside the passkey on the Passkeys page.
- Click Revoke passkey(s).
- When prompted, click Revoke passkeys.
- A message informs you that the passkey was revoked.
Comments
0 comments
Please sign in to leave a comment.