NetBackup™ 11.0 Anomaly Detection Extensions Guide
Configure risk engine-based anomaly detection
The NetBackup risk engine detects certain system anomalies in a proactive manner and sends appropriate alerts. It helps you take corrective action before you face any security threat in your environment.
You can configure the following options that the risk engine uses to detect anomalies for the given operations:
Use this option to detect when images are expired in an unusual or a suspicious manner.
By default, a system anomaly is generated when the risk engine detects an unusual or a suspicious image expiration attempt and allows the operation to proceed.
However, for additional security, you can configure multi-person authorization for such image expiration attempts, where an MPA approver needs to approve the operation.
Important notes on the Detect suspicious image expiration option
If the audit retention period is set to less than 3 months, this option accumulates data of 3 months and then becomes active.
This option supports full backup schedules. Other types of schedule are not considered. The retention level of an image is also not considered for this rule.
Images are expired by media ID, server name, or by recalculating the retention period.
Select and select the Generate multi-person authorization ticket if images are deleted in a suspicious manner option.
Note:
To successfully review the multi-person authorization tickets, ensure that one or more MPA approvers are available in your environment.
Use this option to detect when a user attempts to sign in to the NetBackup web UI at an unusual time. NetBackup identifies deviations in user sign-in patterns, and flags them.
A notification is generated when an unusual user login is detected.
For additional security, you can configure multi-person authorization for such unusual login attempts, where an MPA approver needs to approve the operation.
If an unusual login attempt is detected on a NetBackup host earlier that 11.0, the request is rejected. Carry out the operation on a NetBackup 11.0 host.
If an unusual login request is detected in the , the request is rejected. Use the web UI to carry out the operation.
If none of the users can login and they are placed on hold because of unusual login pattern, the NetBackup administrator can disable the unusual login detection to allow the users to sign in to the NetBackup web UI using the following command:
NBU_INSTALL_PATH/netbackup/bin/admincmd/nbseccmd -disableLoginAnomalyDetection
User logins that are based on the authentication types such as SAML, smart card, and API keys do not support login anomaly detection.
Click and use the option to enable multi-person authentication.
To successfully review the multi-person authorization tickets, ensure that one or more MPA approvers are available in your environment.
If multi-person authorization is enabled and an unusual user login is detected, the user's login is placed on hold.
A ticket is generated and requires approval for the user to proceed. Until the ticket is approved, the user shall not be able to login from the device.
If the ticket is approved, the user is allowed login and granted a free pass for the next 24 hours. During the free pass period, the user is not subjected to further scrutiny for unusual login attempts.
If the ticket is rejected, the user cannot log in for the current session but can try again with their credentials.
The user can choose to cancel their login request.
By default, a system anomaly is generated when the risk engine detects an unusual deletion or update of a policy. An alert is generated and the operation proceeds.
For additional security, you can configure multi-person authorization for such unusual policy update or deletion attempts, where an MPA approver needs to approve the operation.
Click and use the option to enable multi-person authorization for the Detect unusual updates to policies type of anomaly.
To successfully review the multi-person authorization tickets, ensure that one or more MPA approvers are available in your environment.
Two alerts are generated for unusual updates to a policy for the next 48 hours. After the second alert, no alert is generated for the next 48 hours even if the policy is modified.
If multi-person authorization is enabled, a ticket is generated for modification of a policy.
Approving two consecutive tickets for the same policy does not generate new tickets for the next 48 hours for the same policy.
If multi-person authorization is enabled for the policy operations on the global level, the Detect unusual updates to policies option is disabled.
Note:
If multi-person authorization is enabled for the Detect unusual updates to policies option, you cannot update or delete policies using the NetBackup Administration Console or the command-line interface.
Alternatively, use the nbcmdrun command to update or delete policies. For more information on the commands, see the NetBackup Commands Reference Guide.
Use this option to protect critical operations such as modifying global security settings and creating API key. When you select this option, you are required to reautneticate yourself by entering the one-time password that you see in the authenticator application on your smart device before you perform the given critical operations.
Ensure that you have configured multifactor authentication for your user account. If multifactor authentication is not configured, you are not prompted to reauthenticate.
Note:
It is strongly recommended that you configure multifactor authentication in your environment to prevent security threats by malicious sources.
Use this option to detect if there is a possible user session hijack by a malicious source.
The risk engine detects if the same user session token is used by another IP address, and sends a maximum of 10 alerts per day.
Select and select the check box to terminate the user session when the risk engine detects that there is a possible session hijack.