Risk-Adaptive Protection with Forcepoint Behavioral Analytics

Forcepoint Behavioral Analytics is an on-premises solution that runs a set of dedicated servers that ingest DLP events and incidents data into the Forcepoint Behavioral Analytics platform, and performs modeling and analytics to determine a user risk profile. The calculated user risk level is sent to the Forcepoint Security Manager and pushed to the Forcepoint DLP Endpoints. Then, when Forcepoint DLP policies are triggered, different reactions can take place based on the current user risk level.

Forcepoint Behavioral Analytics requires the endpoints to be connected to the corporate network in order to send the DLP events and incidents data to the Forcepoint Behavioral Analytics servers.

To enable Risk-Adaptive Protection with Forcepoint Behavioral Analytics:

Steps

  1. Deploy a Forcepoint Behavioral Analytics instance. See the Forcepoint Behavioral Analytics Administration and Troubleshooting manual.
  2. Enable Risk-Adaptive Protection in Forcepoint DLP. See Analytics section.
  3. Configure relevant policies and rules so that actions are risk-level dependent. See Custom Policy Wizard - Severity and Action section.
  4. Enable/Disable Risk-Adaptive Protection for specific users/groups. Use the RAP UserManager.exe. See the Dynamic Data Protection Getting Started Guide for more information.
  5. Users can be either custom or based on a user directory. Users are assigned risk level 1 as a default risk-level value.
  6. Sync the modified list of Risk-Adaptive Protection users in the Forcepoint Behavioral Analytics system. See Forcepoint Behavioral Analytics Administration and Troubleshooting manual.
  7. Check DLP incidents. See Managing incident reports section.
  8. Investigate users. See Forcepoint Behavioral Analytics Administration and Troubleshooting manual.