
How does Teramind define risk?

Teramind's Approach to Measuring Risk

Teramind utilizes a "rule-based" approach to measure risk. This flexible model scales risk based on user-defined severity while automatically tracking frequency and timing thresholds, allowing you to differentiate between isolated incidents and habitual violations. By adapting to behavior in real-time, Teramind identifies both one-off high-risk events and accumulated risk over time, transforming raw activity into a nuanced and responsive map of organizational risk.

Key Benefits of This Approach:

Using a rule-based scoring system provides several strategic advantages for security teams:

  • Measurable Risk Metrics: An easy-to-understand numerical Risk Score provides an objective way to compare risk levels across departments and audit the effectiveness of security policies over time.

  • Elimination of Alert Fatigue: Frequency-based thresholds filter out "noise," ensuring your team focuses only on significant, high-scoring threats.

  • Detection of "Slow-Drip" Threats: Because the Risk Score is cumulative, the system identifies users who consistently commit minor infractions that, when aggregated, represent a major behavioral issue.

  • Proportional Responses: Take different rule action(s) based on the detected risk level.

Defining the Risk Severity

You need to define risk severity in two specific locations within your behavior rules to account for how risks are reported differently in the Insights dashboard (high-level snapshot) vs. Behavior Alerts and other dashboards (detailed analysis).

Location 1: General Settings Tab

You assign Rule Violation Severity to a behavior rule from its General Settings tab. This value is reflected in the Insights dashboard.

The Rule Violation Severity allows you to specify a risk level for the rule. You can either drag the slider or use the number field to enter a number between 0 and 100. This risk value is used in the Insights dashboard.

Location 2: Actions > Advanced Tab

You assign risk Severity to a behavior rule from its Actions > Advanced tab. This value is reflected in the Behavior Alerts dashboard and other dashboards where risk values are shown.

It's based on Period (e.g., daily) and Frequency. For example, you can set an email rule that sets a "Low" risk severity when a user sends 5 emails (frequency) in a day (period) but "High" severity when they send more than 10 emails. You can take different rule actions based on the frequency and severity. For example, use a Warn action for the "Low" risk event and a Block action for the "High" risk event.

Viewing Risk Reports

There are two places you can view your risk reports. The Insights dashboard provides a high-level snapshot and the Behavior Alerts dashboard shows detailed analysis.

Insights Dashboard

The Insights dashboard shows risks derived from the rules' General Settings tab:

In the top-left corner of the Insights dashboard, you will see a donut graph displaying the total number of incidents for a chosen period, broken down by risk severity.

Behavior Alerts Dashboard

The primary source for you to view the risk severity report is the Behavior Alerts dashboard's Risk tab.

How Risk Severity is Translated into Risk Score in Behavior Alerts Dashboard

The "Risk Severity" from the rules is translated from a label to a number or "Risk Score" on the dashboard. A risk severity of "None" means 0 risk score, "Low" means 1, "Moderate" means 2, "High" means 3, etc. The total risk score is:

Risk Score = Alert Count x Risk Severity

On the dashboard, you will notice a "Count" value. It is the number of alerts, that is, how many times a rule was broken. Each rule violation generates 1 alert. So even if you broke only one rule, but did it three times during the report period, the Count will be 3. So, for example, if a user broke a rule twice with a risk severity of 3, their alert count will be 2 and their risk score will be 2 x 3 = 6.
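The calculation above, applied to a small set of constructed alerts, shows how many "Low" alerts can outscore a few "High" ones. This is an added example, not Teramind code or its API; the users, rule names, and the summing of per-rule scores into a per-user total are assumptions.

```python
from collections import Counter, defaultdict

# Label-to-score mapping as stated in the article.
SEVERITY_SCORE = {"None": 0, "Low": 1, "Moderate": 2, "High": 3}

# Constructed sample data: one (user, rule, severity) tuple per alert.
SAMPLE_ALERTS = (
    [("dana", "USB file copy", "High")] * 2
    + [("eli", "Personal webmail", "Low")] * 7
    + [("eli", "Idle time", "None")] * 4
    + [("fay", "Cloud upload", "Moderate")] * 1
)

def score_alerts(alerts):
    """Group alerts per user and (rule, severity); score each group as count x severity."""
    groups = defaultdict(Counter)
    for user, rule, severity in alerts:
        if severity not in SEVERITY_SCORE:
            raise ValueError(f"unknown severity label: {severity!r}")
        groups[user][(rule, severity)] += 1
    report = {}
    for user, counts in groups.items():
        rows = [
            {"rule": rule, "severity": sev, "count": n,
             "risk": n * SEVERITY_SCORE[sev]}  # Risk Score = Alert Count x Risk Severity
            for (rule, sev), n in counts.items()
        ]
        report[user] = {
            "rows": rows,
            "count": sum(r["count"] for r in rows),
            # Assumption: a user's total is the sum of their per-rule scores.
            "risk": sum(r["risk"] for r in rows),
        }
    return report

def rank_users(report):
    """Users ordered by total risk, highest first (ties broken by name)."""
    return sorted(report, key=lambda u: (-report[u]["risk"], u))

if __name__ == "__main__":
    report = score_alerts(SAMPLE_ALERTS)
    for user in rank_users(report):
        print(user, report[user]["count"], report[user]["risk"])
```

Alerts with severity "None" raise the Count but add nothing to the score, so Count and Risk Score should be read together.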
