Veritas Data Insight User's Guide
- Section I. Introduction
- Section II. Data Insight Workspace
- Navigating the Workspace tab
- Analyzing data using the Workspace views
- Viewing access information for files and folders
- Viewing user activity on files or folders
- About visualizing collaboration on a share
- Viewing access information for users and user groups
- Section III. Data Insight reports
- Using Data Insight reports
- About Data Insight security reports
- Permissions reports
- Permissions Search report
- Creating a Permissions Query Template
- Permissions Query Template actions
- Ownership Reports
- About Data Insight storage reports
- About Data Insight custom reports
- Managing reports
- Viewing reports
- Using Data Insight reports
- Section IV. Remediation
- Configuring remediation workflows
- Managing workflow templates
- Creating a workflow using a template
- Managing workflows
- Using the Self-Service Portal
- About the Self-Service Portal
- Managing data
- About managing data using Enterprise Vault and custom scripts
- About adding tags to files, folders, and shares
- Managing permissions
- Configuring remediation workflows
- Appendix A. Command Line Reference
About the risk score for users
Data Insight enables you to monitor malicious activity in your storage environment. Data Insight profiles all users by assigning a risk-score to every configured user. It displays the riskiness of a user in terms of a numerical score that ranges from 0 to 100. Higher the risk score of a user, higher is the perceived risk posed by the user.
The risk score places each user at a relative distance from other users and orders them in accordance with how risky a user is in comparison to other users.
A risky user typically displays anomalies such as:
The fraction of the total number of data sources that a user has permissions on. (Access)
Abrupt deviation in activity pattern where deviation on activity on sensitive files is given more weightage. (Anomaly)
Abnormal increase in number of alerts against the user. (Alerts)
Note that the user risk score is computed by considering the individual scores of different parameters for the last 15 days by default. The user risk score is calculated on a daily basis and stored for the last 180 days.
The risk score assigned to a user helps you do the following:
Identify potentially malicious users.
Review the permissions that are granted to the users.
Review if a risky user is a custodian on any storage resource.
Review the top active and sensitive data that is being accessed by the risky user.
Add a user with a high risk score to a watchlist to enable you to closely monitor the user's activities.
Data Insight computes the risk-score for a user based on the weighted sum of individual scores of the following parameters.
Table: Components for computing user risk score
Components | Descriptions |
---|---|
Deviation in accesses pattern on sensitive and non-sensitive files. | The overall deviation score is the weighted sum of the deviation values for sensitive and non-sensitive files. |
Number of alerts against the user. | Percentage of alerts for a user against the total number of alerts, weighted by the severity of the policy that was violated. |
Number of shares the user has read/write access on. | Percentage of shares on which the user has read access, against the total shares across all the storage devices. |
Number of shares the user has write access on. | Percentage of shares on which the user has write access, against the total shares across all the storage devices. |
Number of shares the user is custodian on. | Percentage of shares for which the user is a custodian, against the total shares across all the storage devices. |
Deviation in the number of unique files that are accessed by the user. (Considering sensitive and non-sensitive files) | Overall score is the weighted sum of unique files that are accessed during past 15 days. |
Deviation in the number of unique files that are accessed by the user. (Considering sensitive files only) | Overall score is the weighted sum of unique files that are accessed during past 15 days. |
Deviation in the number of distinct DLP policies violated by the files accessed by the user. | Overall score is weighted sum of DLP policies. The weights are proportional to the severity level of the policies. |
Note that Data Insight assigns a default priority to these parameters when calculating their weighted sum.
The User Risk Dossier provides the next level of details of the factors that contribute towards the user risk score.