Below are examples of how you can leverage our risk and misconfiguration detections to enable security controls via the Beyond Identity policy engine. For information on using the Risk Dashboard, see Understanding the Risk Dashboard.
Risk Signal Types
- Baselines - Risk signals that detect deviations from standard security practices, like enabling a firewall and keeping the OS up-to-date.
- Threat indicators - Risk signals that detect indicators of compromise that could occur if an identity or device is stolen.
- Behavior changes - Risk signals that detect anomalous behaviors. These are not "smoking guns" for malicious activity but could provide further evidence of an active threat.
| Signal name & type | Description & policy controls |
|---|---|
| Anomalous authentication interval (Behavior change) | Checks whether the time between an authentication and the one preceding it is anomalously long (> 30 days). Example usage in policy |
| Antivirus off (Baseline) | Checks whether the authenticating macOS or Windows device has antivirus disabled. Example usage in policy |
| Biometric not set (Baseline) | Checks whether the authenticating Android, iOS, Windows, or macOS device does not have biometrics set. Example usage in policy |
| BitLocker disabled (Baseline) | Checks whether the authenticating Windows device has BitLocker disabled. Example usage in policy |
| Fast travel (Threat indicator) | Checks whether consecutive authentication locations from the same user imply a travel speed > 500 mph. Example usage in policy |
| FileVault disabled (Baseline) | Checks whether the authenticating macOS device has FileVault disabled. Example usage in policy |
| Firewall off (Baseline) | Checks whether the authenticating macOS or Windows device has its firewall disabled. Example usage in policy |
| High frequency authentications (Behavior change) | Checks whether an authentication follows a string of 4 prior authentications from the same user within a period of less than a minute. Example usage in policy |
| IP blocklists (Threat indicator) | Checks whether the authentication IP is part of a public blocklist, including known TOR exit nodes. Example usage in policy |
| Jailbroken/rooted (Baseline) | Checks whether the authenticating device is jailbroken (iOS) or rooted (Android). iOS example usage in policy; Android example usage in policy |
| Moderate phishing resistance (Baseline) | Checks whether the authentication uses a launch mechanism that is sub-optimal but still offers moderate phishing resistance. More specifically, this signal detects launch mechanisms that exclude origin information but still perform an IP check. The following authentication launch mechanisms trigger detections: Example usage in policy |
| New geolocation (Behavior change) | Checks whether a user authenticates from a new location relative to their previous year of authentication history. Example usage in policy |
| New passkey (Behavior change) | Checks whether a user authenticates with a new passkey. Example usage in policy |
| No TEE (Baseline) | Checks whether the authenticating device does not have a Trusted Execution Environment (TEE), i.e. a TPM or Secure Enclave. macOS example usage in policy; Windows example usage in policy |
| OS end-of-life (Baseline) | Checks whether the authenticating device OS is past end-of-life. Example usage in policy |
| OS vulnerabilities (Baseline) | Checks whether the authenticating macOS or Windows device OS has more than a specified number of critical or high severity Common Vulnerabilities and Exposures (CVEs). Recommended values: Example usage in policy |
| Password not set (Baseline) | Checks whether the authenticating Android, iOS, Windows, or macOS device is not password- or passcode-protected. Example usage in policy |
| Roaming (Baseline) | Checks whether the authentication uses the roaming launch mechanism, which offers minimal phishing resistance. Roaming applies to authentications made from a secondary device that is enrolled with Beyond Identity. This option requires that Roaming Authentication is enabled. See Configure roaming authentication for more information. Example usage in policy |
| Suspicious geolocation (Threat indicator) | Checks whether the authentication geolocation is from a country known for suspicious activity. Note: We currently pre-select the geolocation based on known malicious activity for this signal; however, the policy can be configured based on anywhere you deem suspicious. Example usage in policy |