Insider Risk
The Insider Risk page offers a comprehensive user-focused view of your organization's internal security risks. By utilizing the events data from your existing datasets and policies, Cyberhaven generates a risk score for each user. This score is used to rank the users based on their risk level. On this page, users are organized by their risk level, enabling you to swiftly identify and address potential threats.
Benefits
The Insider Risk page enables a security analyst to:
Prioritize Risky Users: You can focus on addressing users who pose the highest risk, helping you allocate resources and attention more effectively.
Initiate Efficient Workflows: Ensure a quick and effective response to potential risks with necessary workflows or actions. For example, you can notify your HR department about a user uploading sensitive source code, or inform your IT department that a former employee is still active.
Prevent Further Risk: Identify users who have engaged in risky behavior and prevent additional unauthorized actions by adjusting your policies.
Features
The Insider Risk page offers the following features.
User-centric dashboard
The users with the highest risk level are displayed at the top of the Insider Risk table. From the table, you can select a specific user and get detailed information about their risky actions.
User grouping
This page enables you to leverage your existing User Directory Integration to create dynamic user groups or easily add users to manual user groups. You can pin the top user risk groups to the top of this page, allowing you to easily view the user activities within each group. User risk groups help you quickly identify risky users, investigate their activities, and initiate an appropriate response workflow.
NOTE
A yellow dot is displayed in the table against the username if the user is not mapped to your directory service.
User investigation
When you select a user from the table, the right panel displays the user's risk summary, which includes the following:
A daily risk score trendline graph that shows you the spikes in the user's risky activities over a period of 90 days. You can click on the provided link to see the relevant events.
The list of datasets with matching policies that the user triggered during the 90-day period. You can see the breakdown of the risk score from this section of the panel. A link is provided so that you can easily navigate to the data flow detail for this user.
A policy matches chart to help you analyze user behavior. From here, you can use the links to directly view a user risk report or investigate specific incidents.
The All user details tab provides all the user information captured by the Endpoint Sensor including the local groups the user is associated with within your directory service.
The History tab provides a log of all the instances when a user's risk score was cleared. You can click on the Chat icon for each entry to view details such as the user who cleared the risk score, the date and time when the score was cleared, and additional comments that were provided during the action.