Risk scoring
Risk assessment is a standard capability of most security information and event management (SIEM) and user and entity behavior analytics (UEBA) solutions. Cybersecurity risk assessment solutions provide network-wide risk assessment and management workflows to detect deviant behavior and keep an organization's security posture strong. Every known anomaly is assigned a risk score; the more abnormal the behavior, the higher the risk score. Whenever an anomaly is detected, its risk score is added to the existing risk score of the corresponding user or entity.
A risk score ranges from zero to 100, indicating no risk and maximum risk, respectively. The risk score depends on factors such as the significance of the action from a security standpoint, the extent of the deviation from the baseline, the frequency of deviation, and the time elapsed since the deviation.
In addition to an overall risk score, each user and entity also has an associated risk score for insider threats, account compromise, and data exfiltration. If IT administrators feel an entity or user's risk score is too high, they can scrutinize it further and take action to stop any potential threats to the organization.
Below are the different types of threats and the activities that may increase the risk score of users and entities.
Signs of an insider threat
- Access at unusual times
- Unauthorized file access and modification
- Several authentication failures within a specific time period
- Abnormal system access patterns
Signs of account compromise
- Multiple instances of software installed on a host
- Numerous logon failures on a host
- Sporadic access locations
- User installing unauthorized software
Signs of data exfiltration
- Multiple USB drives plugged in by a user
- Suspicious commands executed by a user
- Host logons from irregular locations
- Abnormal download patterns
Sometimes a legitimate situation calls for a deviation from regular activity patterns, and the risk score rises as a result. To prevent false alarms, the SIEM or UEBA solution must evolve constantly and learn the routine of every user and entity, adjusting what it considers normal or baseline behavior. With these capabilities, a SIEM or UEBA solution can recognize the change in patterns and bring the risk score back down if there is no indication of a threat.
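The scoring model described above (significance, extent of deviation, frequency, and time since the deviation, with per-category and overall scores clamped to 0 to 100), as an added illustration that is not any vendor's algorithm: the half-life decay, the 5x-baseline cap, and the constructed sample anomalies are assumptions made for this example.

```python
from dataclasses import dataclass

# Hypothetical model of the scoring described on this page; not a vendor's algorithm.
CATEGORIES = ("insider_threat", "account_compromise", "data_exfiltration")
MAX_SCORE = 100.0
DAY = 86_400

@dataclass(frozen=True)
class Anomaly:
    category: str        # one of CATEGORIES
    significance: float  # security significance of the action, 0..100
    deviation: float     # observed value as a multiple of the baseline (1.0 = normal)
    timestamp: float     # epoch seconds when the anomaly was detected

def contribution(a: Anomaly, now: float, half_life: float = 7 * DAY) -> float:
    """Points one anomaly adds right now: significance scaled by how far it departs
    from baseline, then halved every half_life seconds so old deviations fade."""
    if a.category not in CATEGORIES:
        raise ValueError(f"unknown category: {a.category}")
    # Extent of deviation (assumed scale): 1x baseline adds nothing, 5x or more adds full weight.
    extent = min(max(a.deviation - 1.0, 0.0), 4.0) / 4.0
    age = max(now - a.timestamp, 0.0)
    decay = 0.5 ** (age / half_life)
    return a.significance * extent * decay

def risk_scores(anomalies, now, half_life=7 * DAY):
    """Per-category and overall scores, each clamped to MAX_SCORE; repeats accumulate."""
    scores = {c: 0.0 for c in CATEGORIES}
    for a in anomalies:
        scores[a.category] += contribution(a, now, half_life)
    scores["overall"] = sum(scores[c] for c in CATEGORIES)
    return {k: min(v, MAX_SCORE) for k, v in scores.items()}

def needs_review(scores, threshold=50.0):
    """Scores at or above the threshold an administrator has set for scrutiny."""
    return sorted(k for k, v in scores.items() if v >= threshold)

# Constructed sample: one user, four anomalies, with "now" fixed for reproducibility.
NOW = 1_700_000_000.0
SAMPLE = [
    Anomaly("insider_threat", 40, 5.0, NOW),               # access at an unusual hour
    Anomaly("account_compromise", 30, 3.0, NOW - 7 * DAY), # logon failures, a week old
    Anomaly("data_exfiltration", 20, 2.0, NOW),            # USB drive plugged in
    Anomaly("data_exfiltration", 20, 2.0, NOW),            # second USB drive the same day
]

if __name__ == "__main__":
    current = risk_scores(SAMPLE, NOW)
    print(current, needs_review(current))
```

Re-running `risk_scores` with a later `now` and no new anomalies shows the decay that lets a score come back down on its own.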