Risk assessment

Risk assessment is conducted by Forcepoint Neo, which continuously collects and correlates events to detect suspicious behavior.

Forcepoint Neo uses the following activity channels and engines to collect and contextualize events. An event is an occurrence of user behavior related to an organization's assets or environment, captured by monitoring specific channels for activities that may indicate a policy violation. Events form indicators of behavior and generate alerts that raise a user's risk score.

Indicators of behavior (IoBs) are composed of one or more events detected by Forcepoint Neo that could compromise business operations and indicate an anomaly or a breach of existing policy. Forcepoint Neo creates IoBs as follows:
  1. Raw events are collected and analyzed as described below.
  2. When an event triggers an alert, an IoB is matched to the behavior.

While an individual IoB does not necessarily indicate malicious intent, a combination of IoBs indicates high-risk behavior. By collecting IoBs, Dynamic User Protection allows a narrative to be built that explains the intent behind a user's actions.
  • The following channels are monitored for activity (Windows):
    • Clipboard – User copies information to the clipboard.
    • Cloud desktop – User copies a file to a desktop synchronized cloud folder.
    • Email (Outlook) – User sends emails. Both the body and attachment of an email are monitored.
    • Local hard drive – User saves a file from a network share to a local hard drive.
    • Network share – User copies a file or folder from a network shared drive.
    • Printing – User prints a document using corporate printing resources.
    • Removable storage – User copies a file or folder to a removable storage device.
    • Screen capture – User takes a screen capture of part of or an entire screen.
    • Web traffic – User views web pages or downloads Internet content.
    • Windows Event Log – User performs a task that adds an entry to a monitored event log file.
  • The following channels are monitored for activity (macOS):
    • Web traffic – User views web pages or downloads Internet content.
    • Email (Apple Mail) – User sends emails. Both the body and attachment of an email are monitored.
    • Network share – User copies a file or folder from a network shared drive.
    • Printing – User prints a document using corporate printing resources.
    • Removable storage – User copies a file or folder to a removable storage device.
  • Policy engine
    • After data is aggregated, it is run against the policy engine, which detects potential IoBs and triggers alerts.
  • Anomaly detection
    • Event data is analyzed with the anomaly detection engine to identify risky behavior.
  • Risk calculation
    • Each event that triggers an alert has an associated risk impact. Each impact results in a calculated score between 0 and 100. The risk score is continuously computed and updates as new alerts are triggered.
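The following is an illustrative model of the pipeline described above (raw events from the monitored channels, policy engine alerts, IoBs, and a continuously recomputed 0-100 risk score), added here as an example; it is not Forcepoint Neo's code or scoring algorithm. The channel names are taken from the list above; the policy rules, risk impacts, correlation window and sample event stream are constructed assumptions, chosen to show how two individually low-impact IoBs combine into a high-risk narrative.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    user: str
    channel: str   # a monitored channel name from the list above
    ts: int        # seconds since start of the constructed sample
# Constructed policy rules (illustrative, not Forcepoint's): channel -> (IoB, risk impact).
POLICY_RULES = {
    "Network share":     ("copy_from_network_share", 10),
    "Removable storage": ("copy_to_removable_storage", 25),
    "Cloud desktop":     ("copy_to_cloud_sync_folder", 25),
    "Email (Outlook)":   ("email_with_attachment", 15),
}
# Constructed correlation: these IoBs within WINDOW seconds form the narrative
# "stage data from a share, then move it off the endpoint" and add CORRELATION_IMPACT.
CORRELATED = {"copy_from_network_share", "copy_to_removable_storage"}
CORRELATION_IMPACT, WINDOW = 40, 900

def match_iob(ev: Event):
    """Policy engine step: (IoB name, impact) for an alerting event, else None."""
    return POLICY_RULES.get(ev.channel)

def risk_score(iobs, now: int) -> int:
    """Risk calculation step: sum impacts, add the correlation impact, clamp to 0-100."""
    score = sum(impact for _, _, impact in iobs)
    recent = {name for ts, name, _ in iobs if now - ts <= WINDOW}
    if CORRELATED <= recent:
        score += CORRELATION_IMPACT
    return max(0, min(100, score))

def risk_timeline(events):
    """Replay a raw event stream in time order; return {user: [score after each alert]}."""
    iobs_by_user, timeline = {}, {}
    for ev in sorted(events, key=lambda e: e.ts):
        match = match_iob(ev)
        if match is None:
            continue                       # event captured, but no alert triggered
        user_iobs = iobs_by_user.setdefault(ev.user, [])
        user_iobs.append((ev.ts, *match))
        timeline.setdefault(ev.user, []).append(risk_score(user_iobs, ev.ts))
    return timeline

# Constructed sample stream: alice copies from a share, then to USB inside the window;
# bob only prints and browses, which these rules do not alert on.
SAMPLE_EVENTS = [
    Event("alice", "Network share", 100),
    Event("alice", "Web traffic", 200),
    Event("alice", "Removable storage", 400),
    Event("bob", "Printing", 150),
]
```

Replaying SAMPLE_EVENTS gives alice a score of 10 after the first alert and 75 once the second IoB completes the correlated pattern, while bob never appears because none of his events triggered an alert.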

See the Hack Stack "Calculating the user risk score in DUP" for more information about how risk scores are calculated.