Indicators of behavior

Indicators of behavior (IoBs) are composed of one or more of the events detected that compromise business operations and indicate an anomaly or breach of existing policy.

Forcepoint IoBs are created as follows:
  1. Raw events are collected and analyzed as described below.
  2. When an event triggers an alert, an IoB is matched to the behavior.

While an individual IoB does not necessarily indicate malicious intent, a combination of IoBs indicates high-risk behavior. By collecting IoBs, the solution allows a narrative to be built, explaining the intent behind a user's actions.

The following engines are used to detect IoBs:
  • Policy engine
    • Based on the supported channels, analyzes user activities against the policy engine, which detects indicators of behavior and triggers alerts.
  • Extensibility engine
    • The extensibility engine looks for correlations between multiple users' activities. This engine runs every 60 min and updates IoBs accordingly.
  • Anomaly detection engine
    • Counters are sets of event data that establish an individual’s baseline activities. The events are analyzed with the anomaly detection engine to identify risky behaviors.
The following channels are monitored for activity (Windows):
  • Clipboard: User copies information to the clipboard.
  • Cloud desktop: User copies a file to a desktop synchronized cloud folder.
  • Email (Outlook): User sends emails. Both the body and attachment of an email are monitored.
  • Local hard drive: User saves a file from a network share to a local hard drive.
  • Network share: User copies a file or folder from a network shared drive.
  • Printing: User prints a document using corporate printing resources.
  • Removable storage: User copies a file or folder to a removable storage device.
  • Screen capture: User takes a screen capture of part of or an entire screen.
  • Web traffic: User views web pages or downloads Internet content.
  • Windows Event Log: User performs a task that adds an entry to a monitored event log file.

For a detailed information on Forcepoint supported Indicators of Behavior, log in to the support site and access Forcepoint Indicators of Behavior.