Configuring Risk
By understanding risk, you can highlight the identified weaknesses and prioritize actions according to the potential impact of a security breach.
Risk configuration can be used for the following purposes:
- Prioritize the result of incidents by focusing first on the higher risk incidents
- Find the highest risk cloud service accounts or cloud identities and reduce the organizational risk
The Delinea Platform assesses account access scope, ongoing attacks, and inherent vulnerabilities in each account's security to provide a comprehensive understanding of risk.
The platform presents scores for the following types of cloud service user risk:
- Overall risk: Total risk score, combining the Blast radius and Account takeover risk.
- Blast radius risk: The risk of potential damage based on how much access each cloud service account or cloud identity has. Blast radius risk incorporates account administrative access, shadow admin privileges, privileged access, and non-privileged access.
- Account takeover risk: The risk of a cloud service account being taken over. Account takeover risk is calculated based on relevant platform detection rules (from the detection, account takeover, and stale access categories). The risk reflects either a weakness of the account (for example, lacking MFA) or an actual attack detected on the account (for example, a brute force attack).
To configure risk:
Risk scores are determined by underlying risk factors. You can customize the importance and relevance (weight) of these risk factors so that the risk scores presented reflect your specific needs.
Blast radius risk is determined by the importance assigned to each access factor.
Account takeover risk is determined by the findings of each detection rule and the importance assigned to each rule. The detection rules shown are those in the Detection, Account takeover, and Stale access groups.
- In the left navigation, select Settings > General Settings > Risk analysis.
- The Blast Radius tab shows the risk factors that make up the blast radius score. To see the definition of a risk factor, click its tool tip. To set levels for account takeover risk, select the Account Takeover tab.
- Click an importance level for a factor. To ignore the risk factor entirely, toggle it to be inactive.
  If a detection rule was disabled or deleted through the Detection Rules page, it is still shown in the Account Takeover tab, but it will not be relevant to the score, regardless of the weight you select.
- Repeat for other risk factors.
Changes are saved automatically. The risk score calculation will reflect the updated weighting within four hours.
Viewing Risk
From the left navigation, select Inventory, then Identities.
You can see risk scores for each cloud service user on the Identities tab. You might need to enable the display of these columns. For more information about this tab, see Identities. Risk associated with accounts is shown on the Accounts tab.
Identity Details
With the Identities tab selected, click a cloud service user. Overall risk for the selected identity is displayed on the General tab in the Details pane, along with user properties, the number of associated accounts, policies, and activities.
Select the Accounts tab to view associated accounts and their details.
Accounts Details
With the Accounts tab selected, click an account. Overall risk for the selected account is displayed on the General tab in the Details pane, along with memberships, access, account type, and activities. Basic account Properties and Custom Properties (password and owner) are displayed.
Additional tabs include:
- MFA Factors displays characteristics of the MFA factors used in the environment. See Account MFA Factors.
- Posture & Threat lists all related alerts and Analytics cases. See Threat Center.
- User Activity displays activity based on successful actions by country, browser, and top 5 IPs.
- Privileges lists unique privileges and usage.