
2.1. Theoretical Frame of Reference

2.1.15. Seeking to track the exchange

The User Threat Quotient (UTQ) report provides actionable security intelligence to administrators by giving them quick visibility of the risky users who pose security threats on the organization's network.

Note: Either a Web Protection or a Network Protection subscription is required to view the UTQ reports.

Correlating data from various logs and reports to identify risky users takes time and analytical skill from administrators, not to mention the chance of human oversight. UTQ analyzes each user's Internet behaviour automatically, sparing administrators the work of correlating that data by hand.

Sophos Firewall calculates the UTQ score of each user based on the following two criteria:

1. Web surfing behaviour (only Allowed-but-potentially-risky and Denied web traffic for each user)

2. Advanced Threat Protection (ATP) logs (infected clients/hosts, or clients that are part of a botnet)

UTQ helps the administrator to:

• Spot risky users at a glance.

• Identify which clients/hosts within the network are infected or part of a botnet.

• Find out malicious insiders.

• Avoid the chance of human oversight in correlating data from various logs and reports.

• Take appropriate actions such as fine-tuning security policies, security awareness training, etc.

Given below are the terms and icons used in UTQ along with their meanings:

• Relative Threat Score – Maximum threat posed by the user (as a number), relative to the web behaviour of all other users for the selected date or date range.

• Relative Risk Ranking – Rank of the user (as a number) in terms of the security risk posed to the organization's network, relative to the web behaviour of all other users for the selected date or date range.

• UTQ Risk Meter – Displays the average threat score for the selected user, relative to the threat scores of all other users for the selected date or date range.

The UTQ report is displayed as a bubble graph as well as in tabular format. The bubble graph plots Relative Risk Ranking against Relative Threat Score; each bubble represents a user, and the bubble size represents the relative threat posed by that user. Hovering over a bubble displays details such as the Username, Relative Threat Score and Relative Risk Ranking of the user.

Figure 40: User Threat Quotient (UTQ)

The bubble graph area is divided into three sections:

• Top 10% are marked as High Risk Users

• Next 40% are marked as Medium Risk Users

• Last 50% are marked as Low Risk Users

Note: When the number of users for the selected period is less than 20, all users are displayed as blue bubbles and the sections mentioned above are not shown.
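The ranking and the 10% / 40% / 50% sectioning described above, worked through in code. This is an added example written for this page, not Sophos code and not the product's actual scoring algorithm: the user names and scores are constructed, the alphabetical tie-break and the rounding-up of a fractional section boundary are assumptions (the text does not say how the product handles either), and only the rules the text states (the three shares, the 20-user minimum, the default limit of 100 users) are encoded.

```python
import math

# Constructed sample input: relative threat scores per user for one date range.
# These users and values are made up for the example; they are not Sophos data.
SAMPLE_SCORES = {f"user{i:02d}": 100.0 - 3.5 * i for i in range(25)}

# The text says the graph is not split into sections when fewer than 20 users
# are present for the selected period.
MIN_USERS_FOR_SECTIONS = 20

# The text gives the split as top 10% / next 40% / last 50% of users. How a
# fractional boundary is rounded is not stated; rounding up is an assumption.
HIGH_SHARE = 0.10
MEDIUM_SHARE = 0.40


def rank_users(scores):
    """Return (user, score, rank) tuples, rank 1 being the riskiest user.

    Ties are broken alphabetically by username (an assumption; the text does
    not say how the product orders equal scores).
    """
    ordered = sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(user, score, rank) for rank, (user, score) in enumerate(ordered, start=1)]


def risk_section(rank, total_users):
    """Map a Relative Risk Ranking to High / Medium / Low, or None when the
    graph is not sectioned because fewer than 20 users are present."""
    if total_users < MIN_USERS_FOR_SECTIONS:
        return None
    high_cut = math.ceil(total_users * HIGH_SHARE)
    medium_cut = math.ceil(total_users * (HIGH_SHARE + MEDIUM_SHARE))
    if rank <= high_cut:
        return "High"
    if rank <= medium_cut:
        return "Medium"
    return "Low"


def build_utq_report(scores, limit=100):
    """Produce the rows of the UTQ table: username, Relative Threat Score,
    Relative Risk Ranking and risk section, limited to the top `limit` users
    (the text says the default view shows up to 100 risky users)."""
    ranked = rank_users(scores)
    total = len(ranked)
    return [
        {"user": user, "relative_threat_score": score,
         "relative_risk_ranking": rank, "section": risk_section(rank, total)}
        for user, score, rank in ranked[:limit]
    ]


def section_counts(scores):
    """Count how many users land in each section over the whole population;
    useful for sanity-checking the 10/40/50 split against a real export."""
    counts = {}
    for row in build_utq_report(scores, limit=len(scores)):
        counts[row["section"]] = counts.get(row["section"], 0) + 1
    return counts


if __name__ == "__main__":
    for row in build_utq_report(SAMPLE_SCORES):
        print(f'{row["relative_risk_ranking"]:>3}  {row["user"]:<8} '
              f'{row["relative_threat_score"]:6.1f}  {row["section"]}')
```

With the 25 constructed users the boundaries fall at ranks 3 and 13, so three users land in High, ten in Medium and twelve in Low; with fewer than 20 users every row gets no section, matching the note about blue bubbles.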

The tabular report contains following information:

• User: Username of the user as defined in the Device. If the User is not defined, then it will display ‘N/A’ which means the traffic is generated by an undefined user.

• Relative Threat Score: Threat posed by the user (as a number), relative to the web behaviour of all other users for the selected period.

Please note that UTQ is calculated and displayed only after 24 hours, which means there is no UTQ for the current day. UTQ can be viewed for:

• Last 14 Days

• Last 7 Days

• Last 1 Day

By default, UTQ displays up to 100 risky users for the last 7 days along with their Relative Threat Score and Relative Risk Ranking.

The top right corner of the screen displays the UTQ Risk Meter, which shows the relative threat score for the selected user.

Click a User hyperlink in the table or a bubble in the graph to view Reports by User and Date for the selected period.

Reports by User and Date

To view the following reports for a particular user and date, go to Reports > Dashboard > User Threat Quotient (UTQ) > User:

Advanced Threats

Detailed View - ATP

Client Insights - ATP

High Risk Web Categories

High Risk Web Domains

Blocked High Risk Web Categories

Blocked High Risk Web Domains

Advanced Threats widget

The widget report displays a comprehensive summary of advanced threats in your network. View the report from Reports > Dashboard > User Threat Quotient (UTQ) > User. The report is displayed using a graph as well as in a tabular format.

By default, the report is displayed for the current date. The report date can be changed from the top row of the page.

The bar graph displays the list of threats along with the total number of attempts per threat, while the tabular report contains the following information:

• Threat: Name of the threat.

• Host Count: Number of hosts infected with the threat.

• Origin: Origin of the threat. Possible options:

  • Firewall

  • IPS

  • DNS

  • Web

  • Combination of any of the above

• Attempts: Total number of attempts per threat. The number is the sum of Log only and Log & Drop attempts.

Detailed View - ATP widget

The widget report provides a detailed summary of advanced threats in your network.

View the report from Reports > Dashboard > User Threat Quotient (UTQ) > User. The report is displayed using a graph as well as in a tabular format.

By default, the report is displayed for the current date. The report date can be changed from the top row of the page. The tabular report contains the following information:

• Date: Date in YYYY-MM-DD format.

• Host (Source IP): IP Address of the source host.

• Threat: Name of the threat.

• Destination: IP Address of the infected destination.

• Origin: Origin of the threat. Possible options:

  • Firewall

  • IPS

  • DNS

  • Web

  • Combination of any of the above

• Attempts: Total number of attempts. The number is the sum of Log only and Log & Drop attempts.

• Action: Action performed by the Device when a threat is detected. Possible options:

  • Log & Drop: The data packet is logged and dropped.

  • Log only: The data packet is logged.
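The two ATP tables described above (the Advanced Threats summary with its Host Count, Origin and Attempts columns, and the Detailed View with one row per host, destination and action) built from raw events, as an added example for this page. It is not Sophos code and does not read the product's actual log format: the event field names, the threat names and the events themselves are constructed for the example, and destination addresses come from the RFC 5737 documentation range. What it does take from the text is the four origin values plus the "combination" case, the two action values, and Attempts as the sum of Log only and Log & Drop.

```python
from collections import defaultdict

LOG_ONLY = "Log only"
LOG_DROP = "Log & Drop"
ORIGINS = ("Firewall", "IPS", "DNS", "Web")

# Constructed sample ATP events. Field names and threat names are assumptions
# made for this example; they are not Sophos's log format.
SAMPLE_ATP_EVENTS = [
    {"date": "2024-03-01", "host": "10.0.0.5", "threat": "Threat-A",
     "destination": "203.0.113.10", "origin": "DNS", "action": LOG_DROP},
    {"date": "2024-03-01", "host": "10.0.0.5", "threat": "Threat-A",
     "destination": "203.0.113.10", "origin": "Web", "action": LOG_ONLY},
    {"date": "2024-03-01", "host": "10.0.0.7", "threat": "Threat-A",
     "destination": "203.0.113.10", "origin": "DNS", "action": LOG_DROP},
    {"date": "2024-03-01", "host": "10.0.0.9", "threat": "Threat-B",
     "destination": "198.51.100.20", "origin": "IPS", "action": LOG_ONLY},
    {"date": "2024-03-01", "host": "10.0.0.9", "threat": "Threat-B",
     "destination": "198.51.100.20", "origin": "IPS", "action": LOG_DROP},
    {"date": "2024-03-01", "host": "10.0.0.5", "threat": "Threat-C",
     "destination": "198.51.100.30", "origin": "Firewall", "action": LOG_ONLY},
]


def describe_origin(origins):
    """Render the Origin column: a single source name, or the 'combination'
    case when events for the same row came from more than one source."""
    unknown = set(origins) - set(ORIGINS)
    if unknown:
        raise ValueError(f"unexpected origin value(s): {sorted(unknown)}")
    names = [o for o in ORIGINS if o in origins]  # keep the document's order
    return names[0] if len(names) == 1 else "Combination of " + ", ".join(names)


def summarize_threats(events):
    """Build the Advanced Threats widget table: one row per threat with
    Host Count, Origin and Attempts (Log only + Log & Drop), most attempts first."""
    per_threat = defaultdict(lambda: {"hosts": set(), "origins": set(),
                                      LOG_ONLY: 0, LOG_DROP: 0})
    for ev in events:
        if ev["action"] not in (LOG_ONLY, LOG_DROP):
            raise ValueError(f"unexpected action: {ev['action']!r}")
        entry = per_threat[ev["threat"]]
        entry["hosts"].add(ev["host"])
        entry["origins"].add(ev["origin"])
        entry[ev["action"]] += 1
    rows = []
    for threat, e in per_threat.items():
        rows.append({
            "threat": threat,
            "host_count": len(e["hosts"]),
            "origin": describe_origin(e["origins"]),
            "attempts": e[LOG_ONLY] + e[LOG_DROP],
            "log_only": e[LOG_ONLY],
            "log_and_drop": e[LOG_DROP],
        })
    return sorted(rows, key=lambda r: (-r["attempts"], r["threat"]))


def detailed_view(events):
    """Build the Detailed View - ATP table: one row per date, source host,
    threat, destination and action, with the origin combination and attempt count."""
    grouped = defaultdict(lambda: {"origins": set(), "attempts": 0})
    for ev in events:
        key = (ev["date"], ev["host"], ev["threat"], ev["destination"], ev["action"])
        grouped[key]["origins"].add(ev["origin"])
        grouped[key]["attempts"] += 1
    return [
        {"date": d, "host": h, "threat": t, "destination": dst,
         "origin": describe_origin(g["origins"]), "attempts": g["attempts"], "action": a}
        for (d, h, t, dst, a), g in sorted(grouped.items())
    ]


if __name__ == "__main__":
    for row in summarize_threats(SAMPLE_ATP_EVENTS):
        print(row)
    for row in detailed_view(SAMPLE_ATP_EVENTS):
        print(row)
```

The summary keeps the Log only and Log & Drop counts beside the total so an analyst can see how much of the Attempts figure was actually blocked; the detailed view groups by action for the same reason, since the text lists Action as its own column.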

Security Heartbeat - ATP widget

The widget report provides insight into advanced threats related to endpoints in your network. View the report from Reports > Dashboard > User Threat Quotient (UTQ) > User. The report is displayed in a tabular format. The tabular report contains the following information:

• Host (Source IP): IP Address of the source host.

• Login User: Username of the infected user.

• Process User: Username of the user owning the process.

• Executable: Name of the infected executable file.

• Threat: Name of the threat.

• Destination: IP Address of the infected destination.

• Event Last Seen: Time when the infected executable was last seen on the host.

• Attempts: Total number of attempts. The number is the sum of Log only and Log & Drop attempts.

High Risk Web Categories widget

The widget report displays the list of top allowed web categories along with the number of hits per web category. View the report from Reports > Dashboard > User Threat Quotient (UTQ) > User.

The report is displayed as a graph as well as in a tabular format.

The bar graph displays the number of hits per web category, while the tabular report contains the following information:

• Category: Name of the Web category as defined in the Device.

• Hits: Number of hits to the Web category.

Click a Category hyperlink or the graph to view the list of High Risk Web Domains for the selected User, Date / Date Range and Web Category.

High Risk Web Domains widget

The widget report displays the list of top allowed web domains along with the number of hits per web domain. View the report from Reports > Dashboard > User Threat Quotient (UTQ) > User.

The report is displayed as a graph as well as in a tabular format.

The bar graph displays the number of hits per web domain, while the tabular report contains the following information:

• Domain: Name/IP Address of the domain.

• Category: Name of the Web category for the domain.

• Hits: Number of hits to the domain.

Click the icon to view the list of users who have accessed this domain.

Blocked High Risk Web Categories widget

The widget report displays the list of top denied web categories along with the number of hits per web category. View the report from Reports > Dashboard > User Threat Quotient (UTQ) > User.

The report is displayed as a graph as well as in a tabular format.

The bar graph displays the number of hits per denied web category, while the tabular report contains the following information:

• Category: Name of the Web category as defined in the Device.

• Hits: Number of hits to the Web category.

Click a Category hyperlink or the graph to view the list of Blocked High Risk Web Domains for the selected User, Date / Date Range and Web Category.

Blocked High Risk Web Domains widget

The widget report displays the list of top denied web domains along with the number of hits per domain. View the report from Reports > Dashboard > User Threat Quotient (UTQ) > User. The report is displayed as a graph as well as in a tabular format.

The bar graph displays the number of hits per denied web domain, while the tabular report contains the following information:

• Domain: Name/IP Address of the domain.

• Category: Name of the Web category for the domain.

• Hits: Number of hits to the domain.

Click the icon to view the list of URLs that the selected user has accessed for the domain. Click the icon to view the list of users who have accessed this domain.

High Risk Web Domains

The widget report displays the list of top allowed risky web domains along with the number of hits per domain. View the report from Reports > Dashboard > User Threat Quotient (UTQ) > User > High Risk Web Categories widget > Category.

The report is displayed as a graph as well as in a tabular format.

The bar graph displays the number of hits per web domain, while the tabular report contains the following information:

• Domain: Name/IP Address of the domain.

• Category: Name of the Web category for the domain.

• Hits: Number of hits to the domain.

Click the icon to view the list of URLs that the selected user has accessed for the domain. Click the icon to view the list of users who have accessed this domain.

Blocked High Risk Web Domains

The widget report displays the list of top denied risky web domains along with the number of hits per domain.

View the report from Reports > Dashboard > User Threat Quotient (UTQ) > User > Blocked High Risk Web Categories widget > Category.

The report is displayed as a graph as well as in a tabular format.

The bar graph displays the number of hits per denied web domain, while the tabular report contains the following information:

• Domain: Name/IP Address of the domain.

• Hits: Number of hits to the domain.

Click the icon to view the list of users who have accessed this domain.

Detailed Report

The detailed report displays the list of URLs accessed by the selected user for the selected domain. The detailed report contains the following information:

• Time: Time in YYYY-MM-DD HH:MM:SS format.

• Host: IP Address or name of the host.

• URL: IP Address or URL name.

Click the View hyperlink against a URL to access the URL.

Domain-wise Users

The report displays the list of users who have accessed the particular domain. The Domain-wise Users report contains the following information:

• User: Name of the user as defined in the Device.

• Hits: Number of hits to the domain by the user.

Click the icon to view the detailed report showing the list of URLs that the selected user has accessed for the domain.
