BeyondInsight Clarity Analytics

BeyondInsight Clarity is a behavior analytics tool that examines and classifies events and activities to identify outliers or anomalies. An outlier is an observation which deviates so much from the other observations that it arouses suspicion. Clarity ranks activities and classifies assets according to their deviation from normal activity. The normal activity or baseline is formed from:

  • History of past activities
  • Risk attributes of an observed activity

Each activity or event has several key characteristics. When an observed characteristic goes beyond normal, an alert is issued. More flagged alerts indicate a higher level of abnormality and a higher threat level. The numeric threat level is the sum of all flagged alerts. In addition, all assets are grouped into clusters by similarity, taking into account all available information including vulnerabilities, attacks, installed applications, services, open ports, running applications, etc.

As a result, the behavior analytics:

  • Assigns a threat level to each event from BeyondTrust Discovery Scanner, Endpoint Privilege Management, Privilege Management for Unix & Linux, and Password Safe.
  • Assigns a cluster ID to all assets.
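
The scoring rule described above (a baseline built from past activity, one alert per characteristic that goes beyond normal, and a threat level equal to the number of flagged alerts) is illustrated below. This is an added example, not BeyondTrust code or Clarity's actual algorithm; the field names, the frequency-based rarity score, and the use of the Alert Threshold default as its cut-off are assumptions.

```python
from collections import Counter

ALERT_THRESHOLD = 0.65  # the page's default; its use as a rarity cut-off is an assumption

# Constructed history of past activity for one asset (hypothetical field names).
HISTORY = (
    [{"user": "alice", "application": "excel.exe", "period": "business"}] * 8
    + [{"user": "alice", "application": "powershell.exe", "period": "business"}] * 2
)

def build_baseline(history):
    """Count how often each value of each characteristic was seen before."""
    baseline = {}
    for event in history:
        for name, value in event.items():
            baseline.setdefault(name, Counter())[value] += 1
    return baseline

def rarity(baseline, name, value):
    """0.0 = the only value ever seen, 1.0 = never seen in the history."""
    counts = baseline.get(name, Counter())
    total = sum(counts.values())
    return 1.0 if total == 0 else 1.0 - counts[value] / total

def threat_level(baseline, event, threshold=ALERT_THRESHOLD):
    """Return (threat level, flagged characteristics); the level is the number of flags."""
    flagged = [n for n, v in event.items() if rarity(baseline, n, v) >= threshold]
    return len(flagged), flagged

def review(baseline, events, threshold=ALERT_THRESHOLD):
    """Order events by threat level, largest first, like an event review report."""
    scored = [(threat_level(baseline, e, threshold), e) for e in events]
    return sorted(scored, key=lambda item: item[0][0], reverse=True)

# Constructed new events to score against the baseline.
NEW_EVENTS = [
    {"user": "alice", "application": "excel.exe", "period": "business"},
    {"user": "alice", "application": "powershell.exe", "period": "night"},
    {"user": "bob", "application": "psexec.exe", "period": "night"},
]

if __name__ == "__main__":
    for (level, flagged), event in review(build_baseline(HISTORY), NEW_EVENTS):
        print(level, flagged, event)
```

In this model, raising the threshold from 0.65 to 0.9 drops the second event from two flagged alerts to one, which matches the page's statement that a higher Alert Threshold produces fewer flagged alerts.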

You can use Clarity to analyze data from the following sources:

  • Endpoint Privilege Management
  • Privilege Management for Unix & Linux
  • BeyondTrust Discovery Scanner
  • Password Safe
  • Third-party imports

Configure BeyondInsight Clarity Analytics

To work with BeyondInsight Clarity, you must configure the following settings:

  1. Select Configuration.
  2. Under Analytics & Reporting, select Clarity Analytics, and then set the following:
    • Enable Analytics: Check the box to turn on the BeyondInsight Clarity feature.
    • Time to run (hours, minutes): Set the time to run the data collection.
    • Frequency to run Analytics: Set the frequency to run analytics.
    • Alert Threshold: The threshold for flagging explicit alerts. The higher the value the higher the sensitivity and fewer flagged alerts. The range is between 0 – 1. The default value is 0.65.
    • Som Probability Threshold: The threshold for flagging pattern alerts. The range is between 0 – 1. The lower the value the higher the sensitivity and fewer flagged alerts. The default value is 0.05.
    • Send notification to: Enter an email address. An email is sent to the recipient after the analytics processing is complete. A summary of the analysis is included in the email.
    • Alert malware confidence level: Select a confidence level from the list. The default value is Medium. Use the setting to filter on the higher potential malware risks that are presented in the analytics data.

Using the risk analytics values, you can focus the results data on the highest risk assets.

When you choose to normalize the data, the asset at the highest risk is assigned the highest rating. All other assets are rated and organized below the highest risk asset. Normalizing the results distributes the assets in a way that makes the data more meaningful to analyze.

Using the analysis influence slider, you can change the results to emphasize risk levels based on exposures or threats. For example, if you move the slider to Exposure, asset exposure risk factors are given greater weighting in the final risk calculation and increase an asset's risk score.

Analysis influence is only available for log calculations.

Clarity Reports

The following reports are available to run against the cluster map data:

  • Event Review - Attacks: Breakdown of alert triggers for attack events by threat level.
  • Event Review - Malware: Breakdown of alert triggers for Malware events by threat level. This report can be used to display Clarity Malware events from BeyondInsight.
  • Event Review - Privilege Management for Windows: Breakdown of alert triggers for events by threat level. Includes relevant event details, and is ordered by threat level from largest to smallest.
  • Event Review - Password Safe Release Events: Breakdown of alert triggers for release events by threat level.
  • Event Review - Privilege Management for Unix & Linux: Breakdown of alert triggers for events by threat level. Includes relevant event details, and is ordered by threat level from largest to smallest.
  • Event Review - Scanner: Breakdown of alert triggers for agent events by threat level. Includes relevant event details, and is ordered by threat level from largest to smallest.
  • Highest Populated Clusters: Lists the most populated clusters.
  • Lowest Populated Clusters: Lists the clusters with the least assets.
  • Top 10 Assets by Cluster Movement: Displays differences in an asset's cluster assignment. Shows items by size of move (distance between clusters) and time frame (fast or slow). The time frame can indicate that an asset is an outlier if the changes occur quickly.
  • Top 10 Assets by Total Threat Level: Displays top 10 assets based on overall threat level. This report can be used to display Clarity Malware events from BeyondInsight.
  • Top 10 Users by Threat Level: Displays top 10 users based on overall threat level.