User Risk Score on Anomalies
User Risk Score is a metric you can use to determine the risk a user might pose to your organization's cloud services and data, in order to better analyze your organization's overall security posture. It allows you to discover and track any changes in a user's normal usage patterns, to identify threats quickly and accurately.
The User Risk Score is calculated using a weighted average of multiple attributes based on incidents, threats, anomalies, and activities. This score is updated daily and is calculated based on the last 100 days' activities and incidents.
Skyhigh Security provides this comprehensive assessment of a User's Risk Score by measuring the following factors:
- Deviation in intent and usage. This compares a user’s recent behavior with their past behavior, to identify suspicious changes.
- User’s security posture. This compares the user's behavior with other users' behavior, to measure it against normal usage.
- Metadata. Metadata about the user, which is obtained via external and internal sources, such as trusted devices, locations, and networks.
NOTE: User Risk Score is displayed only for sanctioned CASB users. Skyhigh Security provides risk scores only for users who have been subjected to Skyhigh CASB analysis for at least seven days of network activity within the last 100 days.
View the User Risk Score
To view the User Risk Score from the Anomalies page (found under Incidents > Anomalies > Anomalies):
- On the Anomalies page, click any anomaly in the table to see the Anomaly Cloud Card for the specific user.
- From the Anomaly Cloud Card, click User to see the User Details Cloud Card for that user.
- From the User Details Cloud Card, click View Full User Details corresponding to the Risk attribute.
You can view the User Risk Score associated with each user at a glance on the User Details Page on Anomalies.
To drill down for more details, see the User Details Cloud Card on Anomalies.
How is User Risk Score Computed?
The concept of a “High-Risk User” is applied throughout the product. The User Risk Score is computed daily on a scale of 1–9 (9 implies the highest risk). It is calculated using multiple data points such as incidents, threats, anomalies, and activities. Scores are computed using the usage history for the last 100 days that Skyhigh CASB has for the user. Risk ratings become more predictable as Skyhigh CASB sees more usage data from the user, and consequently might not be as accurate for new users.
Individual usage is then indexed against an average user to compute a composite risk score. Risk scores are not dependent on time windows nor are they sensitive to short bursts of activity in a small time window. Because a user’s risk is based on their activity for the entire time they are monitored by Skyhigh CASB, it is not possible to use this score to determine how risky a user is during a specific time period.
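The following is an added illustration of the behavior described above, not Skyhigh's scoring algorithm, which this page does not publish. It shows why a weighted average over a 100-day window, indexed against the average user, is unmoved by a two-day burst but rises with a sustained shift. The weights, the 0-1 attribute scaling, and the mapping onto 1 to 9 are assumptions.

```python
from statistics import mean

WINDOW_DAYS = 100     # from the page: the last 100 days of history are used
MIN_ACTIVE_DAYS = 7   # from the page: at least seven days of activity needed
# Assumed weights: the page names these inputs but does not publish weights.
WEIGHTS = {"incidents": 0.4, "threats": 0.3, "anomalies": 0.2, "activities": 0.1}

def day(level):
    """Constructed sample day: every attribute at the same 0-1 level."""
    return {name: level for name in WEIGHTS}

def composite(days):
    """Weighted average of attribute values over the window, or None."""
    active = [d for d in days[-WINDOW_DAYS:] if d is not None]  # None = no activity
    if len(active) < MIN_ACTIVE_DAYS:
        return None  # too little history to score
    return sum(w * mean(d[name] for d in active) for name, w in WEIGHTS.items())

def risk_score(user_days, population):
    """Index the user against the average user, then map onto 1-9."""
    user = composite(user_days)
    peers = [c for c in map(composite, population) if c is not None]
    baseline = mean(peers) if peers else 0
    if user is None or baseline == 0:
        return None
    ratio = user / baseline                       # 1.0 means "average user"
    return max(1, min(9, round(1 + 4 * ratio)))   # assumed mapping: average -> 5

if __name__ == "__main__":
    population = [[day(0.2)] * 100 for _ in range(3)]   # constructed peers
    samples = {
        "steady": [day(0.2)] * 100,
        "two-day burst": [day(0.2)] * 98 + [day(1.0)] * 2,
        "sustained shift": [day(0.3)] * 100,
        "new user": [None] * 95 + [day(0.2)] * 5,
    }
    for label, history in samples.items():
        print(f"{label:16} -> {risk_score(history, population)}")
```

Because the burst is averaged across the whole window, time-bounded investigations need the underlying anomalies and incidents rather than this score.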
For information on the risk attributes used to determine the User Risk Score, see User Risk Attributes.