Security Analytics Engine 1.0. Help Desk User Guide

Transcription

1

2 2015 Dell Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser s personal use without the written permission of Dell Inc. The information in this document is provided in connection with Dell products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Dell products. EXCEPT AS SET FORTH IN THE TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, DELL ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL DELL BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF DELL HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Dell makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Dell does not make any commitment to update the information contained in this document. If you have any questions regarding your potential use of this material, contact: Dell Inc. Attn: LEGAL Dept 5 Polaris Way Aliso Viejo, CA Refer to our web site (software.dell.com) for regional and international office information. Trademarks Dell and the Dell logo are trademarks of Dell Inc. and/or its affiliates. Other trademarks and trade names may be used in this document to refer to either the entities claiming the marks and names or their products. Dell disclaims any proprietary interest in the marks and names of others. Legend CAUTION: A CAUTION icon indicates potential damage to hardware or loss of data if instructions are not followed. WARNING: A WARNING icon indicates a potential for property damage, personal injury, or death. IMPORTANT NOTE, NOTE, TIP, MOBILE, or VIDEO: An information icon indicates supporting information. Security Analytics Engine Updated - January 2015 Software Version - 1.0

3 Contents Administration Web Site Overview Introduction How the Security Analytics Engine works Launch the Administration web site Web site components Heading bar Main web pages Navigating the Administration web site Auditing Introduction Auditing page Filtering options Audit Events table Event Details pane Filtering the audit events Displaying details for an individual audit event Adding and managing overrides on the Auditing page Adding a policy override Managing a policy override Policy Overrides Introduction Policy Overrides page Adding and managing overrides on the Policy Overrides page Adding a policy override Managing a policy override About Dell Contacting Dell Technical Support Resources

4 Administration Web Site Overview 1 Introduction Launch the Administration web site Web site components Introduction The Security Analytics Engine from Dell is used by applications for adaptive authorization. By using risk policies, an application is able to customize their authorization requirements to better minimize the risk of a malicious user gaining access to the application. In some instances a legitimate user will receive a threat level that blocks their access to an application (for example, due to a business trip outside their normal geographic location). In these cases, the user can contact a help desk operator to get a temporary override. How the Security Analytics Engine works When a user attempts to access an application which uses the Security Analytics Engine, they are evaluated by a customizable risk policy to determine the risk of allowing the user access. Each risk policy is made up of conditions which have assigned scores. For each access attempt these conditions are evaluated, and the scores for the conditions that are triggered during the attempt are combined to create a risk score. For example, suppose an application has a risk policy containing the following conditions: For an access attempt outside of the user s login time pattern (Abnormal Time), assign a score of 4. For an access attempt from a whitelisted IP address range (Whitelist), assign a score of -2. For an access attempt from a restricted country (Restricted Country), assign a score of Major Threat. A user attempting to access the application from a whitelisted IP address range at 10 p.m., instead of their regular access time of 9 a.m., is assigned a risk score of 2 (-2 for the IP address and 4 for the time of access). This risk score is then turned into a threat level (a numeric value between 0 and 7), which is sent to the application. For this example, the risk score of 2 would also be a threat level of 2 since it already falls within the threat level range. However, if the user is also attempting access from a restricted country they would receive a threat level of 7 since triggering a condition assigned the score of Major Threat will increase a risk score by The application then uses the threat level to determine whether to allow access, request additional authentication information before allowing access, or deny access. A user can then contact a help desk operator for further assistance if they are unable to access an application due to a high threat level. Launch the Administration web site You can access the Security Analytics Engine Administration web site from any computer that has network access to the server. 4

5 To launch the Security Analytics Engine Administration web site: NOTE: In order to launch the Security Analytics Engine Administration web site, you must be added to the help desk operator role. If you do not have the correct permissions, contact your Security Analytics Engine Administrator. 1 Open your web browser and enter the URL of the Security Analytics Engine Administration web site: NOTE: Where <server> is the IP address or host name (or localhost ) of the server where the Security Analytics Engine was installed. 2 When the web site is launched, enter your username and password. 3 (Optional) Select the Keep me logged in check box to remain logged in to the Security Analytics Engine Administration web site until the Log Out option is selected. 4 Click Log in. 5 The Home page of the Security Analytics Engine Administration web site appears. Web site components The Security Analytics Engine Administration web site consists of the following components allowing you to navigate and use the Security Analytics Engine Administration web site. Heading bar Main web pages Navigating the Administration web site Heading bar The heading bar, at the top of each page, displays the account and general information about the Security Analytics Engine. Security Analytics Engine - Administration Click to return to the Home page of the Security Analytics Engine Administration web site. NOTE: If the following two items are not automatically displayed, click the corner. button in the upper right <Username> About Click <Username> and select Log Out to disconnect from the Security Analytics Engine Administration web site. Click to display the About Security Analytics Engine dialog which displays general release information about the Security Analytics Engine, copyright information, third-party components, legal notices and contact information. 5

6 Main web pages The Security Analytics Engine Administration web site s Home page contains the following pages: Table 1. Main web pages Page Auditing Policy Overrides Description Allows you to view and filter the auditing data collected by the Security Analytics Engine. Allows you to create and manage policy overrides. Navigating the Administration web site To navigate the Security Analytics Engine Administration web site, use the breadcrumb trail directly beneath the heading bar or your browser s navigation buttons. As you open pages they become links in the breadcrumb trail, with the Home page to the far left and the currently displayed page underlined furthest to the right. These links are used to navigate back to parent pages but after being clicked will erase all links for later pages. For example, if the Home link is clicked while on the Policy Overrides page, the Policy Overrides link disappears. To return to the Policy Overrides page, use your browser s back button or from the Home page click Policy Overrides. 6

7 2 Auditing Introduction Auditing page Filtering the audit events Displaying details for an individual audit event Adding and managing overrides on the Auditing page Introduction When a user is unable to log in to an application due to a high threat level, the help desk operator is able to create an override to allow them access. This is done by locating the audit event and creating an override for the user that will allow them to access Security Analytics Engine protected applications for a specified period of time. Auditing page The Auditing page is displayed when Auditing is clicked on the Home page of the Security Analytics Engine Administration web site. 7

8 The Auditing page displays a list of the events for the applications currently utilizing the Security Analytics Engine. These results are filtered using the fields located at the top of the page. Filtering options The following are the filtering options at the top of the page: NOTE: Refreshing the screen returns the Auditing page to its default settings. From To This field specifies a start date for searching events. By default, this is the current date. Click the button to display a calendar from which to select a start date for searching events. This field specifies an end date for searching events. By default, this is the current date. Click the button to display a calendar from which to select an end date for searching events. Application(s) This drop-down list displays the currently configured applications. Select to display auditing information for all applications or a specific application. By default, auditing events for all applications are displayed. 8

9 Max Records Search This field is used for setting the maximum number of records ( ) to return for the search. By default, this is 1000 records. The Search button updates the Audit Events table located beneath the filtering options. Filter Results This field is used to filter the displayed events based on the keywords entered. The table is updated automatically as characters are entered into the field. Audit Events table The following information is displayed for each event in the Audit Events table located beneath the filtering options: Date/Time Application Message Policy User Name IP Address This column displays the date and time the event was detected. This column displays the name of the application. This column displays the message associated with the event and the threat level assigned to the access attempt. This column displays the risk policy that was evaluated. This column displays the name of the user who accessed, or attempted to access, an application protected by the Security Analytics Engine. This column displays the IP address of the user who accessed, or attempted to access, an application protected by the Security Analytics Engine. Event Details pane When an event is selected from the audit events list, a Details button appears at the bottom of the screen. Clicking the Details button will open a panel along the bottom of the page with the following fields and button: Conditions that returned TRUE (Default) This section shows the conditions evaluated for the application that returned true and thus impacted the threat level sent to the application. The score listed to the right of a condition name is the score assigned to the triggered condition. Selecting a condition will display information regarding what caused the condition to return as true. Clicking show all will switch to displaying the Monitored Conditions section. 9

10 One of the following icons will appear to the left of each condition name: - indicates a good condition. - indicates a bad condition. Monitored Conditions Override Displayed when the show all link is clicked, this will display all conditions that were monitored during the access attempt. Selecting a condition will display information regarding what caused the condition to return as true or false. Clicking show only true will switch to displaying the Conditions that returned TRUE section. One of the following icons will appear to the left of each condition name: - indicates a good condition. - indicates a bad condition. If there is no override currently assigned to the user, clicking this button will open the Add Override dialog. If there is an override currently assigned to the user, the Modify Override dialog will be displayed. Filtering the audit events The following procedure explains how to filter the events displayed in the Audit Events table. To filter audit events: NOTE: Refreshing the screen removes filtering and returns the Auditing page to its default settings. 1 From the Home page, click Auditing to open the Auditing page. 2 In the From field, click the button to display a calendar and select the start date. 3 In the To field, click the button to display a calendar and select the end date. 4 In the Application(s) field, select to display auditing information for all applications or a specific application. 5 In the Max Records field, set the maximum number of records ( ) to return for the search. By default, this is 1000 records. 6 Click the Search button to update the Audit Events table. 7 To further filter the list of events, enter characters into the Filter Results field. The Audit Events table is updated automatically. 8 The results can also be sorted to help you locate a specific event. To sort the data: Click on the column heading to be used for the sort criteria. The sort order will be in ascending order, but can be changed to descending order by clicking the heading a second time. To remove the sort order from a column, click the column heading until the arrow disappears. 10

11 Displaying details for an individual audit event The following procedure explains how to view a detailed explanation of the conditions that were evaluated during an audit event. To display details for an individual audit event: 1 From the Home page, click Auditing to open the Auditing page. By default, the audit events for the current date are displayed. 2 Select an event and click the Details button on the bottom left of the page (see Filtering the audit events for information on locating a specific event and/or an event from a previous date). 3 A new panel appears at the bottom of the page displaying the Conditions that returned TRUE section on the left side of the panel. This section displays the conditions evaluated for the application that returned true and thus impacted the threat level sent to the application. The score listed to the right of the condition name is the score assigned to the triggered condition. One of the following icons will appear to the left of each condition name: - indicates a good condition. - indicates a bad condition. Clicking the show all link will display all conditions that were monitored during the access attempt regardless of whether they returned true or false. 4 Selecting a condition from the left column will display additional information in the right column regarding the condition. Each condition includes the following additional details: <plugin name> - <condition name> (Result: <true/false>) - This displays the name of the plugin, the name of the condition and whether the condition returned as true or false during the access attempt. For example, BuiltinPlugin1 - IsAbnormalTime (Result: true). Use the expand properties button (right arrow) to the left of the heading to display the following information for the condition: Parameters - Use the expand properties button (right arrow) to the left of this heading to display each condition parameter with its current setting. For example, Days = 30. Details - Use the expand properties button (right arrow) to the left of this heading to display information on what caused the condition to trigger or not trigger during the access attempt. 5 To close the Details panel, click the Details button. 11

12 Adding and managing overrides on the Auditing page NOTE: Policy overrides can also be created and managed on the Policy Overrides page. See Policy Overrides page for more information. NOTE: In cases where overrides have been disabled for a risk policy, the threat level will always be reported regardless of whether or not there is an override in place for the user. Adding a policy override When a user has failed to authenticate due to a high threat level, you can create an override to allow that user access for a specified period of time. IMPORTANT: To avoid allowing a malicious user access to applications, only create an override when you are positive the user is legitimate. To add a policy override: 1 From the Home page, click Auditing. By default, the audit events for the current date are displayed. 2 Select the audit event you want to override and click the Details button on the bottom left of the page (see Filtering the audit events for information on locating a specific event and/or an event from a previous date). 3 From the Details panel, click the Override button in the lower right corner. The Add Override dialog appears. 4 The name of the user appears in the User Name field. Verify that this is the correct user for the override. NOTE: This field cannot be edited. 5 For Browser ID, select the browser ID that corresponds to the selected audit event or select Any to allow any browser. 6 In the Expiration field, click the button to select an expiration date for the override. By default, the next day is selected. 7 Click the Save button to save the override and close the dialog. The override is now in effect for the user until the specified expiration date. Managing a policy override To edit a policy override: 1 From the Home page, click Auditing. 2 Select an audit event from the list that is associated with a current override and click the Details button on the bottom left of the page (see Filtering the audit events for information on locating a specific event). 3 From the Details panel, click the Override button in the lower right corner. The Modify Override dialog appears. 12

13 4 The following information is displayed for the override: Last Updated By: <nn> - The username of the administrator or help desk operator that last created or modified the override. NOTE: This field cannot be edited. User Name - The name of the user to whom the override applies. NOTE: This field cannot be edited. Browser ID - The browser ID to which the override applies. User Address - The IP address to which the override applies. In the Expiration field, click the button to select an expiration date for the override. Make any necessary changes to the override. 5 Click the Save button to save the changes to the override and close the dialog. The changes to the override are now in effect for the user until the specified expiration date. To delete a policy override: 1 From the Home page, click Auditing. 2 Select an audit event from the list that is associated with a current override and click the Details button on the bottom left of the page (see Filtering the audit events for information on locating a specific event). 3 From the Details panel, click the Override button in the lower right corner. The Modify Override dialog appears. 4 Click the Delete button to delete the policy override. 5 A confirmation dialog will appear. Click the Delete button. 13

14 3 Policy Overrides Introduction Policy Overrides page Adding and managing overrides on the Policy Overrides page Introduction From the Home page of the Security Analytics Engine Administration web site, click on the Policy Overrides link to open the Policy Overrides page where you can view and manage all policy overrides that are currently in effect. Policy Overrides page This page allows you to view, create and manage override policies. The following button appears at the top of the page: Add Override This button is used for creating a new override. The following filtering option is available at the top of the page: Filter This field is used for filtering overrides. The table updates automatically as characters are entered into the field. The following information and buttons are displayed for each policy override: User Name The name of the user to whom the override applies. 14

15 User Address Browser ID Expiration The IP address of the user to which the override applies. The browser ID to which the override applies. The date the policy override expires. After this date the override will no longer appear in the list and the user will again be evaluated according to an application s risk policy. Last Updated By Edit Delete The username of the administrator or help desk operator that last created or edited the override. Click this button to edit the selected override. Click this button to delete the override. Once the override is deleted it will no longer be in effect for the user. When multiple pages are necessary to display the overrides, the following buttons located at the bottom of the screen are used to navigate between the pages: Use this button to display the previous page. Click a page number to display that page. Use this button to display the next page. Adding and managing overrides on the Policy Overrides page NOTE: Policy Overrides can also be created and managed on the Auditing page by selecting specific audit events. See Auditing page for more information. NOTE: In cases where overrides have been disabled for a risk policy, the threat level will always be reported regardless of whether or not there is an override in place for the user. Adding a policy override When a user has failed to authenticate due to a high threat level, you can create an override to allow that user access to Security Analytics Engine protected applications for a specified period of time. IMPORTANT: To avoid allowing a malicious user access to an application, only create an override when you are positive the user is legitimate. 15

16 To add a policy override: 1 From the Home page, click Policy Override. 2 Click the Add Override button in the upper right corner to open the Add Override dialog. 3 In the User Name field, enter the name of the user to which the override applies. 4 For Browser ID, enter the browser ID for the user. 5 In the User Address field, enter the user s IP address. 6 Click the button to select the date the override will expire. By default, the next day is selected. 7 Click the Save button to save the override and close the dialog. The new override will appear listed on the Policy Overrides page. Managing a policy override To edit a policy override: 1 From the Home page, click Policy Override. 2 Select the override to edit and click Edit to open the Modify Override dialog. 3 The following information is displayed for the override: Last Updated By: <nn> - The username of the administrator or help desk operator that last created or modified the override. NOTE: This field cannot be edited. User Name - The name of the user to whom the override applies. NOTE: This field cannot be edited. Browser ID - The browser ID to which the override applies. User Address - The IP address to which the override applies. Expiration - Click the button to select an expiration date for the override. 4 Click the Save button to save the changes to the override and close the dialog. The changes to the override will now be in effect for the user until the specified expiration. To delete a policy override: 1 From the Home page, click Policy Override. 2 On the Policy Override page, use one of the following methods to delete a policy override: Locate the policy override to delete and click the corresponding Delete button. Click the Edit button associated with the override to open the Modify Override dialog. Click the Delete button. Select the check box to the left of the policy override(s) to delete and click the Delete Selected Overrides button located in the lower left corner. 3 A dialog will be displayed confirming that you want to delete the selected override(s). Click the Delete button. 16

17 About Dell Dell listens to customers and delivers worldwide innovative technology, business solutions and services they trust and value. For more information, visit Contacting Dell Technical Support: Online Support Product Questions and Sales: (800) Technical Support Resources Technical support is available to customers who have purchased Dell software with a valid maintenance contract and to customers who have trial versions. To access the Support Portal, go to The Support Portal provides self-help tools you can use to solve problems quickly and independently, 24 hours a day, 365 days a year. In addition, the portal provides direct access to product support engineers through an online Service Request system. The site enables you to: Create, update and manage Service Requests (cases) View Knowledge Base articles Obtain product notifications Download software. For trial software, go to Trial Downloads. View how-to videos Engage in community discussions Chat with a support engineer 17