Netwrix Risk Insight User Guide · 2020. 10. 20.
Netwrix Risk Insight User Guide Version: 1.0 4/27/2021


Legal Notice

The information in this publication is furnished for information use only, and does not constitute a commitment from Netwrix Corporation of any features or functions, as this publication may describe features or functionality not applicable to the product release or version you are using. Netwrix makes no representations or warranties about the Software beyond what is provided in the License Agreement. Netwrix Corporation assumes no responsibility or liability for the accuracy of the information presented, which is subject to change without notice. If you believe there is an error in this publication, please report it to us in writing.

Netwrix is a registered trademark of Netwrix Corporation. The Netwrix logo and all other Netwrix product or service names and slogans are registered trademarks or trademarks of Netwrix Corporation. Microsoft, Active Directory, Exchange, Exchange Online, Office 365, SharePoint, SQL Server, Windows, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks and registered trademarks are property of their respective owners.

Disclaimers

This document may contain information regarding the use and installation of non-Netwrix products. Please note that this information is provided as a courtesy to assist you. While Netwrix tries to ensure that this information accurately reflects the information provided by the supplier, please refer to the materials provided with any non-Netwrix product and contact the supplier for confirmation. Netwrix Corporation assumes no responsibility or liability for incorrect or incomplete information provided about non-Netwrix products.

© 2021 Netwrix Corporation.

All rights reserved.


Table of Contents

1. Overview
2. How it works
3. Getting started
4. Configuring the infrastructure
4.1. Configuring sites
4.1.1. Creating a site
4.1.2. Managing sites
4.2. Setting up the agent for data upload
4.2.1. Prerequisites
4.2.2. Setup
4.2.3. Updating the agent
4.2.4. Troubleshooting
4.3. Configuring data providers
4.3.1. Adding a data provider
4.3.2. Deleting a data provider
4.3.3. Monitoring data provider operation
4.3.4. Updating client secret for provider
5. Roles and permissions
5.1. Permissions
5.2. Roles and role-based access
5.3. Configuring role-based access
5.3.1. Adding users
5.3.2. Modifying and deleting users
6. Understanding risk scores
6.1. Metrics
6.2. Metric states
6.3. Aggregated risk score
6.3.1. How is the weighted score calculated?
6.4. Example
7. Configuring thresholds
8. Examining risks
8.1. Exporting report data
8.2. Risk Summary dashboard
8.3. Risk history
9. Organizations
9.1. My organization page
9.2. Managed organizations
9.2.1. Adding an organization
9.2.2. View report
10. Health dashboard
11. Appendix. Monitored risks
12. Glossary

1. Overview

Netwrix Risk Insight provides a high-level graphical insight into the IT risks that may affect organizations on a daily basis.

Whether your company has a single office or multiple distributed remote/branch offices, Netwrix Risk Insight will highlight the areas of concern, track progress, and present findings against configurable KPIs across the whole organization.

Leverage the major benefits of this solution:

 • Easily identify areas of risk and address them with remediation actions

 • Track organizational progress

 • Export data from each view for sharing and analysis

 • Examine multiple sites and environments through a single pane of glass

2. How it works

Netwrix Risk Insight is a Microsoft Azure hosted, multi-tenant SaaS application that connects to one or more of a customer's on-premises Netwrix Auditor and/or Netwrix Data Classification installations. Solution architecture and component interactions are shown in the figure below.

Netwrix Risk Insight Agent is a lightweight Windows service which you deploy in your network. The agent collects aggregate data from your on-premises Netwrix Auditor and/or Netwrix Data Classification servers and uploads the data to your Netwrix Risk Insight tenant via REST API calls over HTTPS every 15 minutes.

Netwrix Risk Insight Web API receives the data from Netwrix Risk Insight Agent. Token-based authentication is used for verification between the Web API and the agent. The service behind the API stores the data in the Azure SQL Database. The data is segregated by tenant (organization).

Netwrix Risk Insight Website is the presentation layer of the product that retrieves data from the Azure SQL database and presents it to users. Users can access this web portal with their corporate credentials using Azure AD Authentication (OAuth 2.0). Data is retrieved via API calls made on the user's behalf.

3. Getting started

Once the Netwrix team has created a new Risk Insight tenant for your organization, you will receive an invitation email with the subject line Netwrix Risk Insight – Account Created from the Netwrix Risk Insight sender (email address <[email protected]>).

This email includes a unique access link to the Netwrix Risk Insight web portal. You need to activate your account via the link within 7 days (if it expires, you will need to follow the link and request a new activation link).

Review the steps below to get started with Netwrix Risk Insight:

Step 1. Review the minimal requirements:

 • Software requirements:
    • Netwrix Auditor version 9.96.8412 Update 5 and above
    • Netwrix Data Classification version 5.5.4 and above

 • Supported web browsers:
    • Google Chrome
    • Microsoft Edge
    • Firefox

Step 2. Click the activation link in the email or copy its address into the browser window.

Step 3. Accept Netwrix EULA and Cloud Addendum.

Step 4. Enter the Azure AD account that you specified in your initial request for Risk Insight tenant creation. To log you in, the solution will use Azure AD Authentication (OAuth 2.0). If you are the initial user in the tenant, you will have the Tenant Administrator role assigned to your account. Use this privileged account to configure the infrastructure you want to monitor and to assign security rights to other users.

Related sections: Creating a site; Roles and permissions; Configuring role-based access

Step 5. After logging in, you will be automatically redirected to the Sites page of the Netwrix Risk Insight Configuration area.

Related sections: Configuring sites

Step 6. Risk Insight relies on the aggregated data it receives from on-premises Netwrix products (Netwrix Auditor and Netwrix Data Classification). Therefore, the first thing you need to do when starting to use Risk Insight is create a site in Risk Insight representing your on-premises Netwrix deployment, and then leverage that site’s configuration to hook up a local agent to the cloud.

NOTE: To configure sites, a user requires either the Tenant Administrator or Site Manager role.

Step 7. Set up your first site.

Related sections: Creating a site

Step 8. Once the site settings are configured, copy the configuration with the Copy Config command — you will need these settings for agent deployment.

Step 9. Download the agent installer and deploy the agent. When prompted for configuration, paste the settings you've copied.

Related sections: Setting up the agent for data upload

Step 10. Complete the setup. Data upload to Netwrix Risk Insight will begin shortly.

NOTE: If data has not started to appear in the Risk Insight web portal within 15 minutes, follow the instructions in the Troubleshooting

See next:

 • Creating a site

 • Setting up the agent for data upload

4. Configuring the infrastructure

This section describes how to configure the infrastructure for collecting data from your on-premises environment and uploading this data to the cloud for analysis and reporting. As explained above, Netwrix Risk Insight relies on the aggregated data it receives from on-premises Netwrix products (Netwrix Auditor and Netwrix Data Classification).

 • Your on-premises Netwrix Auditor and/or Netwrix Data Classification servers are represented in Risk Insight configuration as data providers.

 • A physical or a virtual location where one or both of these servers are deployed is represented in the Risk Insight dashboard as a site. For example, you can have a single site for all your Netwrix deployments, or configure separate sites for each datacenter that your company is auditing with Netwrix products.

 • You will also need to deploy an agent - a lightweight Windows service that will collect aggregated data from data providers and upload it to the cloud-based Risk Insight tenant.

So, to start working with Risk Insight, you should configure a site and then leverage that site’s configuration to hook up a local agent to the cloud.

See next:

 • Configuring sites

 • Configuring data providers

 • Setting up the agent for data upload

4.1. Configuring sites

To configure sites, you need the Tenant Administrator or Site Manager role. See Configuring role-based access for details.

To add, view and manage sites, in the Configuration pane, click Sites on the left.

See next:

 • Creating a site

 • Managing sites

4.1.1. Creating a site

Typically, you add a new site after the first login to the Netwrix Risk Insight web portal. Also, you will need to add a new site when there is a new environment/office in your organization.

To add a new site:

 1. Navigate to Configuration→Sites.

 2. Click Add site.

NOTE: Risk Insight might redirect you to the page automatically when you log into the portal, if no site has been configured yet and you have appropriate permissions.

 3. Specify a name for the site (e.g. the building name for the office, or the city in which the office is located).

 4. Define the Country and Time Zone. This is important to ensure that data is fed into the product across multiple countries accurately. The time zone should reflect the time zone for that office/installation.

 1. If you need to add a Netwrix solution that will provide data for risk analysis, click Add provider.

 2. In the dialog displayed, select the required provider from the list — currently it includes Netwrix Auditor and Netwrix Data Classification. Click OK to save the settings and get back to the site properties.

 3. If you want to allow data (collected at the site) to be uploaded only from particular IP addresses, click Add IP range and specify the required addresses. Click OK to save the settings and get back to the site properties.

 4. Click Next to proceed.

 5. To access the cloud-based components and upload data for analysis, data providers running on this site will use the Risk Insight agent. Download its installer by clicking Download agent.

 6. Then prepare for the agent deployment. During the agent setup, you will be prompted for the provider configuration. This is a JSON file automatically generated by Risk Insight and presented in the current window. It contains connection settings that will allow data providers running in the site to access the cloud-based components: API endpoint, cloud application (client) secret, etc.

The configuration JSON structure looks as follows:

{
  "ProviderType_<ID>": {
    "ApiEndpoint": "https://risk-us-api.netwrix.com/",
    "TenancyReference": "<tenant_ID>",
    "ProviderReference": "<provider_ID>",
    "ClientSecret": "<client_secret>"
  }
}

 7. Copy these configuration parameters by clicking Copy Config.

IMPORTANT! For security reasons this configuration is only displayed while this dialog is open. You won't be able to retrieve these settings again after you close this blade. If necessary, you can paste and save them to a file in a safe location.

You will need to paste these parameters at the agent setup — when prompted for connection credentials.

Once the site settings are configured, click Finish and proceed with agent deployment.

See next: Setting up the agent for data upload
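The check below is an added example, not part of the Netwrix guide or product: it validates a copied provider configuration against the JSON structure shown in step 6 before it is pasted into the agent setup, and returns a copy with the client secret masked for use in tickets or logs. The function name, the sample values and the rule that the endpoint must be a plain https:// URL are assumptions made for this example.

```python
import json
from urllib.parse import urlsplit

# Keys that appear in the guide's sample provider configuration.
REQUIRED_KEYS = ("ApiEndpoint", "TenancyReference", "ProviderReference", "ClientSecret")

# Constructed sample (not a real tenant): same shape as the guide's structure.
SAMPLE_CONFIG = """{
  "ProviderType_1": {
    "ApiEndpoint": "https://risk-us-api.netwrix.com/",
    "TenancyReference": "tenant-0001",
    "ProviderReference": "provider-0001",
    "ClientSecret": "constructed-secret-value"
  }
}"""


def check_provider_config(text):
    """Validate a pasted provider configuration (hypothetical helper).

    Returns (problems, redacted): a list of findings and a copy of the
    configuration with every ClientSecret masked. An empty list means the
    structure matches the sample in the guide; redacted is None when the
    text cannot be parsed at all.
    """
    try:
        config = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} (line {exc.lineno})"], None
    if not isinstance(config, dict) or not config:
        return ["top level must be a non-empty JSON object"], None

    problems, redacted = [], {}
    for provider, block in config.items():
        if not isinstance(block, dict):
            problems.append(f"{provider}: expected an object")
            continue
        # Never echo the secret back: mask it in the copy meant for sharing.
        redacted[provider] = {
            key: ("***" if key == "ClientSecret" else value)
            for key, value in block.items()
        }
        for key in REQUIRED_KEYS:
            value = block.get(key)
            if not isinstance(value, str) or not value.strip():
                problems.append(f"{provider}: {key} is missing or empty")
            elif value.startswith("<") and value.endswith(">"):
                # The documentation template was pasted instead of real values.
                problems.append(f"{provider}: {key} still holds a placeholder")
        endpoint = block.get("ApiEndpoint")
        if isinstance(endpoint, str) and endpoint.strip():
            try:
                url = urlsplit(endpoint)
                bad_scheme = url.scheme != "https" or not url.hostname
                extras = bool(url.username or url.password or url.query)
            except ValueError:
                bad_scheme, extras = True, False
            if bad_scheme:
                problems.append(f"{provider}: ApiEndpoint must be an https:// URL")
            if extras:
                problems.append(f"{provider}: ApiEndpoint carries credentials or a query string")
    return problems, redacted
```
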

4.1.2. Managing sites

After you create a site, it appears in the Sites section of the Configuration area.

You can manage your sites as follows:

 • View site settings, including agent status.

 • Edit site settings — for that, click the required site and specify the necessary values. See also Creating a site

 • Delete a site.

IMPORTANT! Site deletion leads to the deletion of all the associated data from the database. The program will ask you to confirm the action.

4.2. Setting up the agent for data upload

4.2.1. Prerequisites

The machine where you plan to deploy the agent must meet the requirements listed below.

Specification | Requirement
RAM | 2 GB min
Operating system | Microsoft Windows Server 2012 R2 or later
Other software | Microsoft .NET Framework 4.7.2 or later
Netwrix Auditor version | 9.96.8412 Update 5 and above
Netwrix Data Classification version | 5.5.4 and above
Netwrix Risk Insight agent version | Please check you have the latest version installed: https://www.netwrix.com/sign_in.html?rf=my_products.html

The account under which the agent will run should have access to:

 • Netwrix Auditor Integration API — see Prerequisites and Authentication for details.

 • NDC database — see Accounts and Required Permissions for details.

4.2.2. Setup

To deploy an agent:

 1. Check the prerequisites.

 2. Download the agent installer while adding the site on the Add site blade, or open Configuration → Sites, select the required site and click the Download agent button in its properties:


 3. Once the download completes, extract the installer file from the downloaded archive.

IMPORTANT! Do not run the agent setup from within the archive. Extract the setup file from the archive before running.

 4. Run the extracted NRI Agent Installer.exe on the machine that has proper network connectivity to the required Netwrix server (data provider).


 5. When prompted, accept Netwrix EULA.

 6. At the Services step of the installation wizard:

 a. Provide the destination path to install the agent.

 b. Specify the user account under which the agent will run. Make sure it has sufficient access rights (see "Prerequisites" above).


 7. At the Risk Insight Configuration step you will be prompted to paste the configuration parameters for connection between the site with data providers and Netwrix Risk Insight cloud-based portal. Use the JSON you have copied at Creating a site stage or when viewing the site properties.

 8. At the Provider Configuration step:

 • Select the Enabled check box for the Netwrix product that will provide data for Netwrix Risk Insight. This can be Netwrix Auditor, Netwrix Data Classification, or both.

 • Enter the corresponding Server name; the API URL will be filled in automatically.

 9. Complete the setup. Data upload to Netwrix Risk Insight will begin shortly.

4.2.3. Updating the agent

If you need to re-deploy the agent or update the upload settings, it will be necessary to obtain the new connection configuration parameters and copy them to the Provider Configuration dialog of the agent setup.

To obtain new parameters, click the Update Client Secret link in the Providers blade. See also Configuring data providers.

4.2.4. Troubleshooting

If data has not started to appear in the Risk Insight web portal within 15 minutes after configuring the agent, do the following:

 1. Verify that the machine running the agent has access to the internet and Netwrix Auditor server configured properly.

 2. Verify that your Netwrix Auditor server local firewall settings allow connectivity from the agent. You may need to create a firewall rule to allow inbound connection for the Netwrix API on port 9699.

NOTE: This is the default port; it may have been adjusted during the configuration of Netwrix Auditor, so check the actual setting. See this article.

If the problems with data upload still persist, contact Netwrix Support.

4.3. Configuring data providers

The solution supports two predefined data providers:

 • Netwrix Auditor (version 9.96.8412 Update 5 and above)

 • Netwrix Data Classification (version 5.5.4 and above)

By default, the solution automatically sets up both providers for the new site. Later you may want to add or modify the data provider. For that, refer to the instructions below.

NOTE: To configure data providers for a site, a user needs the Site Manager role.

4.3.1. Adding a data provider

When you need to add a data provider for a certain site, take the following steps:

 1. Select a site in the Sites list of the Configuration pane to see its properties.

 2. Click Add provider.

 3. In the Add provider window, select the required provider type:

Verify provider version and click OK.

The JSON configuration for the new provider will then be displayed. Use it to set up the agent, as described in the Setting up the agent for data upload section.

IMPORTANT! Remember to copy the JSON file, download the agent and paste the JSON configuration at agent setup. Otherwise, data from the new provider will not be uploaded to Risk Insight.

4.3.2. Deleting a data provider

To stop data provisioning by a certain data provider for the required site:

 1. Select the site in the Sites list to open its properties.

 2. Select the data provider from the list and click Delete.

NOTE: After this operation the cloud-based engine will stop analyzing data from that provider. However, the on-site agent will still be uploading data to the cloud. To stop this process, re-install the on-site agent, as described in the Creating a site section.

4.3.3. Monitoring data provider operation

To monitor data provisioning:

 1. In the Configuration area select Upload Activity under Auditing.

 2. The report on data provisioning will be displayed:

4.3.4. Updating client secret for provider

If you need to re-deploy the agent or update its settings (using the setup wizard), you will have to specify connection settings anew — to safely communicate data from the site to the cloud. In particular, the provider will need a new client secret.

To update client secret for a provider:

 1. Open the site properties and click the Generate Configuration button.

 2. Click Copy to clipboard.

IMPORTANT! Once you close the blade, the JSON configuration will no longer be available. If necessary, you can paste and save the configuration to a file in a safe location.

When you run the agent setup wizard to deploy or modify the agent, enter the copied settings at the Provider Configuration step. Settings will be applied automatically after you finish the wizard.

NOTE: Any previous provider configurations will be invalid upon the first use of this new configuration.


See also Setting up the agent for data upload.

For more information about solution architecture and configuration, refer to the sections above and to Netwrix Risk Insight Security Guide.

5. Roles and permissions

5.1. Permissions

The following permissions are defined in the product:

Permission | Details
Site Management | Allows retrieval, creation, modification and removal of sites and associated entities (Site IPs, Providers, Locations).
Tenant Management | Allows creation, activation and deactivation of tenancies.
Tenant View | Allows users to view the currently configured tenants.
Threshold Management | Allows retrieval and modification of thresholds for the current tenant.
User Management | Allows retrieval, creation, modification and deletion of users, and application and removal of roles from a user.
View Dashboards | Provides access to view dashboards.
View System Health | Provides access to view system health (Inactive Agents).

5.2. Roles and role-based access

There are several roles defined in the product on installation. Users are granted roles, which, in turn, grant them the associated permissions.

The following roles are currently defined:

Role | Associated Permissions | Details
Dashboard Creator | Manage Dashboards, View Dashboards | Can view, create, edit and share dashboards.
Dashboard Viewer | View Dashboards | Can view dashboards that have been shared with them.
Site Manager | Site Management | Can view, create, edit, and delete sites and their related entities (Site IPs, Providers, Locations)
Tenant Administrator | Provides full control over a single tenant, namely the following permissions: User Management, Threshold Management, Site Management, View Dashboards, Manage Dashboards, Audit View, Bulk User Add
Threshold Manager | Threshold Management | Can view, edit, and delete thresholds for metrics.
User Manager | User Management | Can create, edit, and delete users.

NOTE: If you are the initial user in the tenant, you will have Tenant Administrator role assigned to your account.

Roles can be created, modified or deleted.

See next:

Configuring role-based access

5.3. Configuring role-based access

To secure access to solution configuration and other operations, Netwrix Risk Insight uses role-based access. The set of available roles and permissions is described in the Roles and permissions section.

To view and manage users and roles, in the Configuration pane, click Users on the left. The list of users will be displayed.

5.3.1. Adding users

To add a new Netwrix Risk Insight user and configure user access:

 1. In the Users pane, click Add user.

 2. In the Name field, provide the user’s email address, e.g. [email protected]. For multiple addresses, use a comma as a separator.

 3. In the User roles section, select the roles for this user or multiple users.

 4. When finished, click Add.

5.3.2. Modifying and deleting users

 • To modify user settings, select a user in the list.

 • To delete a user, click Delete.

NOTE: As the product has a built-in role model, there are the following restrictions for user deletion to avoid situations when all the users are locked out of that tenant (organization):

 • It is not allowed to delete all users within a tenant.

 • It is not allowed to delete the last tenant administrator within a tenant.

 • It is not allowed for users to delete themselves.

6. Understanding risk scores

An organization's overall IT security risk state is based on a set of metrics created using industry best practices for measuring identity, infrastructure and data-related risks.

The Risk Assessment feature of Netwrix Auditor provides detailed reports on each of these metrics. We recommend reviewing the risk report for each metric involved in a risk score increase.

NOTE: Make sure you have the Agent (v 21.3.22.1 and above) installed. Otherwise, you cannot get key risk indicators for your infrastructure.

6.1. Metrics

Each metric has a risk score on a scale of 0 to 100, based on the assigned thresholds, as follows:

 • A value exactly on the error threshold yields a risk score of 75 points

 • A value exactly at the warning threshold yields a risk score of 35 points

 • A value halfway between the two thresholds will score 55 points

6.2. Metric states

Each metric is also classified into a particular state:

 • 'Within Range'

 • 'Needs Attention'

 • 'Action Required'

The number of metrics in each state is also displayed in the Risk Score dashboard.

6.3. Aggregated risk score

Once the risk score for a particular metric is calculated, it is weighted based on the metric's importance in the aggregated risk score. Each metric's individual risk score contribution is displayed below.

You can monitor how the aggregated risk score is changing over time, and focus your efforts on the areas where risk is the highest. See the Risk Summary dashboard section for details.


The weighted score of each metric shows how much this metric contributes to the overall risk score in the table. To learn how the weighted score is calculated, refer to the next section.

The thresholds allow you to categorize metrics against KPIs. There are two predefined thresholds: Error and Warning. They are also adjustable to suit the organization's requirements. For details, refer to the Configuring thresholds section of this guide.

6.3.1. How is the weighted score calculated?

Each metric is assigned a value between 0 and 4 based on risk level:

Risk level | Value
Critical | 4
High | 3
Medium | 2
Low | 1
Minimal | 0


Then the calculation algorithm works as follows to provide a weighted score for each metric:

 1. First, it sums up the risk levels (their numeric values) for all metrics included in the risk score and creates a “total risk level”.

 2. Then, for each metric, it calculates an individual score, based on its risk level. The individual score is determined by where the metric value sits within the thresholds:

    ◦ If a value is exactly at the ‘warning’ threshold, the score is 35.

    ◦ If a value is exactly at the ‘error’ threshold, the score is 75.

    The score value is then multiplied by that metric’s risk level value, creating the metric score.

 3. Then all the individual metric scores are summed up.

 4. The result is divided by the overall risk level value (total risk level, calculated at step 1).

All in all, to work out the weighted score for each metric (i.e. how much it contributes to the overall risk score in the table), the algorithm takes the metric’s individual risk value and divides it by the total risk level.

6.4. Example

We assume there are 2 metrics – Metric A & Metric B

 • Metric A has a level of ‘Normal’ (with numeric value 2, as it comes from the table above). Current metric value is exactly on the warning threshold, so the score is 35.

 • Metric B has a level of ‘Critical’ (numeric value 4). Current value is above the error threshold.

The total risk level is 6 = 2 (for Normal) + 4 (for Critical)

Individual risk value for Metric A is 70 = 35 (individual score for exact warning) x 2 (individual risk level for Metric A)

Individual risk value for Metric B is 400 = 100 (individual score for above error) x 4 (individual risk level for Metric B)

Total score is 470 = 70 + 400

Overall risk score is 78.33 = 470 (total score) / 6 (total risk level)

The individual weighted scores (to show as contributions to risk score) are:

 ◦ Metric A: 11.66 = 70 / 6 (total risk level)

 ◦ Metric B: 66.66 = 400 / 6 (total risk level)
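The calculation from sections 6.3.1 and 6.4, as an added Python example (not Netwrix code). The names `Metric`, `individual_score` and `aggregate` and the sample threshold values are hypothetical; the flat 100 above the error threshold follows the guide's example, the scoring below the warning threshold is an assumption, and the level the example calls 'Normal' (value 2) is entered under the table's name for that value, Medium.

```python
"""Added example: weighted risk score per sections 6.3.1 and 6.4 of the guide."""
from dataclasses import dataclass

# Numeric risk level values from the table in section 6.3.1.
RISK_LEVEL = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "Minimal": 0}

WARNING_SCORE = 35.0       # value exactly at the warning threshold
ERROR_SCORE = 75.0         # value exactly on the error threshold
ABOVE_ERROR_SCORE = 100.0  # figure the guide's example uses for "above the error threshold"


@dataclass(frozen=True)
class Metric:
    name: str
    risk_level: str  # one of the RISK_LEVEL keys
    value: float     # current reading (count or percentage)
    warning: float   # warning threshold
    error: float     # error threshold


def individual_score(value, warning, error):
    """Score a reading on the 0-100 scale from its position against the thresholds."""
    if not warning < error:
        raise ValueError("warning threshold must be below the error threshold")
    if value > error:
        # ASSUMPTION: every reading above the error threshold scores a flat 100,
        # the figure the guide's example uses for Metric B.
        return ABOVE_ERROR_SCORE
    if value >= warning:
        # Linear between the guide's two anchors (35 at warning, 75 at error),
        # which puts the halfway point on 55 as the guide states.
        fraction = (value - warning) / (error - warning)
        return WARNING_SCORE + fraction * (ERROR_SCORE - WARNING_SCORE)
    # ASSUMPTION: below the warning threshold the score rises linearly from 0 to 35;
    # the guide does not describe this part of the scale.
    if warning <= 0:
        return 0.0
    return max(value, 0.0) / warning * WARNING_SCORE


def aggregate(metrics):
    """Return (overall_score, {metric name: weighted contribution})."""
    for m in metrics:
        if m.risk_level not in RISK_LEVEL:
            raise ValueError(f"unknown risk level for {m.name}: {m.risk_level}")
    # Step 1: total risk level.
    total_level = sum(RISK_LEVEL[m.risk_level] for m in metrics)
    if total_level == 0:
        # ASSUMPTION: with every metric at Minimal (0) there is nothing to weight,
        # so report 0 instead of dividing by zero.
        return 0.0, {m.name: 0.0 for m in metrics}
    contributions = {}
    for m in metrics:
        # Step 2: individual score multiplied by the metric's risk level value.
        metric_score = individual_score(m.value, m.warning, m.error) * RISK_LEVEL[m.risk_level]
        # Steps 3-4, per metric: this metric's share of the overall score.
        contributions[m.name] = metric_score / total_level
    return sum(contributions.values()), contributions


# Constructed sample reproducing the guide's two-metric example
# (the threshold and reading values are made up for illustration).
SAMPLE = [
    Metric("Metric A", "Medium", value=5, warning=5, error=10),    # exactly at warning -> 35
    Metric("Metric B", "Critical", value=12, warning=2, error=8),  # above error -> 100
]

if __name__ == "__main__":
    overall, parts = aggregate(SAMPLE)
    print(f"overall risk score: {overall:.2f}")
    for name, share in parts.items():
        print(f"  {name}: {share:.2f}")
```

Because the weight is the risk level value itself, a metric set to Minimal (0) adds nothing to the aggregated score even when it is above its error threshold, so read the per-state counts alongside the aggregate.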

Each metric is pre-configured with industry standard values. However, if you wish to adjust the thresholds for a metric or the risk level of that metric, then simply select Edit on the row of that particular metric.

Depending on the nature of the metric (percentage, file size, number of, etc.), the threshold values will vary and can be adjusted to suit your company requirements.


Also, if a metric has a higher/lower importance to your business you can simply adjust the risk level setting higher/lower, which will in turn increase/decrease the relative weighting when calculating the combined risk score.

To learn how to configure thresholds, see the Configuring thresholds section of this guide.


7. Configuring thresholds

The thresholds are used to categorize metrics against your organization's KPIs.

NOTE: To learn how the thresholds influence risk score calculation, see the Understanding risk scores section of this guide.

To view and manage thresholds, in the Configuration pane, click Thresholds on the left.

To adjust thresholds or weight of a metric:

 1. Select the metric in the list.


 2. In the metric properties window specify the necessary settings:

Setting | Description
Error threshold | When reaching this value, the metric will be considered an error.
Warning threshold | When reaching this value, the metric will be considered a warning.
Thresholds as percentage | If selected, instructs the program to calculate threshold as a total value percentage. If cleared, threshold will be calculated as a static number.
Risk level | Indicates how much the state of this metric affects aggregated risk scores. If a metric has a higher/lower importance to your business, adjust this setting higher/lower, which will, in turn, increase/decrease the relative weighting when calculating the aggregated risk score. See also Understanding risk scores.

 3. When finished, click Save.


8. Examining risks

The Risks area provides a single-pane view of the organization's risk state through a dashboard.

It has the following panels:

 • Risk Summary dashboard that includes Risk score, Risk history and Top risk metrics

 • Key risk indicators classified into a particular state: 'Within Range' (green), 'Needs Attention' (orange), or 'Action Required' (red). The solution displays them compared with the previous day in the form of a % or number change (depends on the threshold). The direction of this change is highlighted by using respective arrows (↑, ↓, =) and color (green = positive change, yellow = no change, red = negative change).

For each panel, Netwrix Risk Insight supports drilling down to the detailed reports and exporting reported data.

8.1. Exporting report data

Risk reports as well as charts and graphs can be exported by clicking the Export button.


8.2. Risk Summary dashboard

The aggregated Risk State panel represents the overall IT security risk state, based on a set of metrics created using industry best practices for measuring identity, infrastructure and data risks. You can monitor how the aggregated risk score is changing over time and focus your efforts on the areas where risk is the highest.

Each metric's risk score is on a scale of 0 to 100, based on the assigned thresholds. A value exactly on the error threshold yields a risk score of 75 points, and a value exactly at the warning threshold yields a risk score of 35 points. A value halfway between the two thresholds will score 55 points.

 • Once the risk score for a particular metric is calculated, it is weighted based on the metric's importance in the aggregated risk score shown in the Risk score widget.

 • The Risk metrics widget gives you a quick-glance overview of current status of the organization against the configured metrics. To view all of them, click the related link in the top right.

Then the Risk breakdown report is displayed.


Then you can get detailed reports on each of these metrics. Click the metric with a certain state (e.g. Action Required, colored red) to examine in detail what in the infrastructure is causing this critical state.

TIP: We recommend reviewing the risk report for each metric involved in a risk score increase.


8.3. Risk history

The Risk history dashboard widget allows the user to track the progress, negative or positive, of the organization’s risk score.

The graph in this widget displays the trend for overall risk score.

Click the widget to view a more detailed Risk Trend Breakdown presenting data trends by the three key metric areas (Identity, Infrastructure, and Data):

For further investigation, navigate to the dedicated metric of interest.

For example, if you see an upward trend on the Data grouping, we would recommend viewing the Data dashboard to identify the specific metric(s) that have contributed to this increase in risk and, where appropriate, viewing each connected risk report.


 • To drill down to the details, click the metric you need.

 • To export reported data, click the Export button.

While looking at the historical trend in the Data, Infrastructure or Identity section, you can click a point on the graph to update the current dashboard and see the values for each trend at that point in time.

To adjust the time period for which the data is displayed, use the Risk history for list on the left.


9. Organizations

Risk Insight operates as a service, providing data analysis and reporting capabilities for the organizations (tenants) or company departments/RO/BOs. Organization management pages are available to the authorized administrators of a company or Managed Service Provider in the Configuration area.

9.1. My organization page

In this page, tenant administrators can view their organization name and status, or send a request to delete the organization from the list of tenants.

If you want your organization to be no longer serviced with Risk Insight, you can request to delete it from the list of tenants by clicking Request deletion.

NOTE: Data analysis will be terminated for a deleted organization; its existing data and users will be removed from Risk Insight.

If you have requested to delete your organization, its status will be changed to Pending deletion.

You can cancel your request within a 14-day period. To do so, log in to Risk Insight with an administrative account, go to the Configuration area, select Administration — My organization and click Revoke deletion.

If you are using the solution as a Managed Service Provider, you can manage your tenants using the Managed organizations page.

See next: Managed organizations


9.2. Managed organizations

This page is available to the authorized administrators of a company or Managed Service Provider (MSP) in the Configuration area.

In this page, MSP administrators can view their managed organization name and status, as well as authorized user accounts (those that have access to the Risk Insight web portal for their organizations).

To view the organization properties in its own page, click the organization name.

To add a new organization, follow the procedure below.

9.2.1. Adding an organization

To add a new organization to the list of managed tenants:

 1. In the Managed organizations page, click Add organization.

 2. In the new blade, specify authorized users who will be able to work with this organization's data in Risk Insight web portal. Later you can configure their roles, as described in the Configuring role-based access section.

 3. You can optionally add tags to identify this organization - for example, by geographic location or by data provider.

 4. When finished, click Save.

9.2.2. View report

For the organizations overview report, click the Dashboards tab on top. Select Overview under the Managed Organizations on the left.

The report will show:

 • Number of organizations with high risk metric values detected during the reported period

 • Number of organizations with health issues

 • Full list of managed organizations with their risk scores and health issues. You can filter the list by the property you need.


10. Health dashboard

The Health dashboard helps you to monitor how the data providers are working in different sites. For example, Netwrix Auditor health metrics include current resource capacity and monitoring plan statuses.

The top widgets display the resource capacity for the product storages: SQL Server databases storing audit data, Long-Term Archive that stores historical data in the file-based repository, and working folder that stores short-term data, log files and other information. To learn more, refer to Netwrix Auditor documentation.

Click the widget to view a more detailed report on system health.

Then you can click each metric to open a blade with its detailed status, edit its parameters if necessary, and view recommendations.

 • To drill down to the details, click the metric you need.

 • To export reported data, click the Export button.

For example, if you see Need attention status for a monitoring plan, click its name to view the details that may help you to investigate this health issue.

 


11. Appendix. Monitored risks

Supported risks/metrics are listed in the table below.

Metric | Description | Default risk level thresholds | Related best practices and regulations

Data provided by Netwrix Auditor

User accounts with "Password never expires"

Enabled user accounts whose passwords never expire might be in violation of your organization's security policy.

0 — Low

[1 – 5] — Medium

> 5 — High

NIST:

IA-5 control: Review changes to password policy requirements, and audit user and admin activity for policy compliance. https://nvd.nist.gov/800-53/Rev4/control/IA-5

Related regulations:

CIS, FISMA NIST, GDPR, ISO 21001, NERC CIP, NIST 800-171, PCI DSS, SWIFT

User accounts with "Password not required"

Accounts that can be used to log on without a password are a high risk and require immediate attention.

0 — Low

[1 – 2] — Medium

> 2 — High

NIST:

IA-5 control: Review changes to password policy requirements, and audit user and admin activity for policy compliance. https://nvd.nist.gov/800-53/Rev4/control/IA-5

 

Related regulations:

CIS, FISMA NIST, GDPR, ISO 21001, NERC CIP, NIST 800-171, PCI DSS, SWIFT

Disabled computer accounts

Disabled computers often lack current patches and antivirus software, making them easy targets for cyberattacks if they are re-enabled. Periodically identifying and deleting these accounts will reduce this risk.

≤ 1% — Low

(1% – 3%) — Medium

≥ 3% — High

NIST:

AC-2 Control: Disable unused accounts after a defined period of inactivity.

https://nvd.nist.gov/800-53/Rev4/control/AC-2

 

Related regulations:

CIS, FISMA NIST, ISO 21001, NERC CIP, NIST 800-171, PCI DSS, SWIFT

Inactive user accounts

Inactive user accounts can be taken over and misused, so you should periodically identify and disable them, and then remove them.

0% — Low

(0% – 1%) — Medium

≥ 1% — High

NIST:

AC-2 Control: Disable unused accounts after a defined period of inactivity.

https://nvd.nist.gov/800-53/Rev4/control/AC-2

Related regulations:

ASD ISM, CJISSP, FISMA NIST, GDPR, GLBA, HIPAA, ISO 27001, NERC CIP, NIST 800-171, PCI DSS, SOX

Inactive computer accounts

Inactive computer accounts can be misused, so you should periodically identify and disable them, and then remove them.

0% — Low

(0% – 3%) — Medium

≥ 3% — High

NIST:

AC-2 Control: Disable unused accounts after a defined period of inactivity.

https://nvd.nist.gov/800-53/Rev4/control/AC-2

 

Related regulations:


ASD ISM, CJISSP, FISMA NIST, GDPR, GLBA, HIPAA, ISO 27001, NERC CIP, NIST 800-171, PCI DSS, SOX

Servers with Guest account enabled

Unauthenticated users should never be allowed to access servers.

0% — Low

(0% - 1%] — Medium

>1% — High

NIST:

AC-6 control: Employ the principle of least privilege, allowing only access that is necessary to accomplish assigned tasks in accordance with organizational missions and business functions. https://nvd.nist.gov/800-53/Rev4/control/AC-6

 

Related regulations:

ASD ISM, CIS, CJISSP, FISMA NIST, GDPR, GLBA, HIPAA, ISO 27001, NERC CIP, NIST 800-171, PCI DSS, SOX, SWIFT

Servers that have local user accounts with "Password never expires"

Local user accounts with passwords that never expire could be in violation of your organization's security policy.

0% — Low

Medium risk level — not used

>0% — High

NIST:

IA-5 control: Authenticator management: Review changes to password policy requirements, and audit user and admin activity for policy compliance. https://nvd.nist.gov/800-53/Rev4/control/IA-5

 

Related regulations:

CIS, GDPR, FISMA NIST, ISO 21001, NERC CIP, NIST 800-171, PCI DSS, SWIFT


User accounts with administrative permissions

Minimizing the number of users with administrative privileges reduces security risks and is required by many compliance mandates.

≤ 2% — Low

(2% – 3%) — Medium

≥ 3% — High

NIST:

AC-6 control: Employ the principle of least privilege, allowing only access that is necessary to accomplish assigned tasks in accordance with organizational missions and business functions.

https://nvd.nist.gov/800-53/Rev4/control/AC-6

Related regulations:

ASD ISM, CIS, CJISSP, FISMA NIST, GDPR, GLBA, HIPAA, ISO 27001, NERC CIP, NIST 800-171, PCI DSS, SOX, SWIFT

Administrative groups

Minimizing the number of administrative groups helps you understand and control the assignment of powerful permissions, as required for security and compliance.

≤ 2% — Low

(2% – 3%) — Medium

≥ 3% — High

NIST:

AC-6 control: Employ the principle of least privilege, allowing only access that is necessary to accomplish assigned tasks in accordance with organizational missions and business functions.

https://nvd.nist.gov/800-53/Rev4/control/AC-6

 

Related regulations:

ASD ISM, CIS, CJISSP, FISMA NIST, GDPR, GLBA, HIPAA, ISO 27001, NERC CIP, NIST 800-171, PCI DSS, SOX, SWIFT


Administrative group membership sprawl

Membership in the Local Administrators group confers great power, so only a few trusted principals with a documented need should be in that group.

0% — Low

>0% — High

NIST:

AC-6 control: Employ the principle of least privilege, allowing only access that is necessary to accomplish assigned tasks in accordance with organizational missions and business functions. https://nvd.nist.gov/800-53/Rev4/control/AC-6

Related regulations:

ASD ISM, CIS, CJISSP, FISMA NIST, GDPR, GLBA, HIPAA, ISO 27001, NERC CIP, NIST 800-171, PCI DSS, SOX, SWIFT

Empty security group

Empty groups with administrative privileges are a potential back door for attackers.

Regularly identify and delete empty groups.

≤ 1% — Low

(1% – 2%) — Medium

≥ 2% — High

NIST:

AC-3 control: Ensure user permissions comply with your access control policies. https://nvd.nist.gov/800-53/Rev4/control/AC-3

Related regulations:

ASD ISM, CJISSP, FISMA NIST, NERC CIP, NIST 800-171

Site collections with the "Get a link" feature enabled

The "Get a link" feature enables users to create links to content that they can send to anyone. To reduce the risk of improper sharing and data exfiltration, this feature should be used judiciously.

≤30% — Low

(30% - 60%) — Medium

≥60% — High

NIST:

AC-6 control: Employ the principle of least privilege, allowing only access that is necessary to accomplish assigned tasks in accordance with organizational missions and business functions.


https://nvd.nist.gov/800-53/Rev4/control/AC-6

 

Related regulations:

ASD ISM, CIS, CJISSP, FISMA NIST, GDPR, GLBA, HIPAA, ISO 27001, NERC CIP, NIST 800-171, PCI DSS, SOX, SWIFT

Sites with the "Anonymous access" feature enabled

Allowing anonymous access to your content increases its exposure significantly, so this feature should be used with caution.

≤30% — Low

(30% - 60%) — Medium

≥60% — High

NIST:

AC-6 control: Employ the principle of least privilege, allowing only access that is necessary to accomplish assigned tasks in accordance with organizational missions and business functions.

https://nvd.nist.gov/800-53/Rev4/control/AC-6

 

AC-3 control: Ensure user permissions comply with your access control policies. https://nvd.nist.gov/800-53/Rev4/control/AC-3

 

Related regulations:

ASD ISM, CIS, CJISSP, FISMA NIST, GDPR, GLBA, HIPAA, ISO 27001, NERC CIP, NIST 800-171, PCI DSS, SOX, SWIFT

Site collections with broken inheritance

Broken inheritance can make the permissions management process extremely complex and time consuming. As a result, users might have more permissions to SharePoint data than they need to do their jobs, increasing the risk of security incidents and compliance violations.

≤30% — Low

(30% - 60%) — Medium

≥60% — High

NIST:

AC-6 control: Employ the principle of least privilege, allowing only access that is necessary to accomplish assigned tasks in accordance with organizational missions and business functions.

https://nvd.nist.gov/800-53/Rev4/control/AC-6

 

AC-3 control: Ensure user permissions comply with your access control policies. https://nvd.nist.gov/800-53/Rev4/control/AC-3

 

Related regulations:

ASD ISM, CIS, CJISSP, FISMA NIST, GDPR, GLBA, HIPAA, ISO 27001, NERC CIP, NIST 800-171, PCI DSS, SOX, SWIFT

Files and folders accessible by Everyone

No sensitive, regulated or confidential data should be accessible by the Everyone group.

≤ 1% — Low

(1% – 5%) — Medium

≥ 5% — High

NIST:

AC-3 control: Ensure user permissions comply with your access control policies. https://nvd.nist.gov/800-53/Rev4/control/AC-3

Related regulations:

ASD ISM, CIS, CJISSP, FISMA NIST, GDPR, GLBA, HIPAA, ISO 27001, NERC CIP, NIST 800-171, PCI DSS, SOX, SWIFT


File and folder names containing sensitive data

The names of files and folders should never indicate that they contain confidential data, such as credit card details or Social Security numbers.

0 — Low

1 — Medium

> 1 — High

NIST:

SI-12 control: Manage and retain sensitive personal information in accordance with applicable laws, regulations and operational requirements. https://nvd.nist.gov/800-53/Rev4/control/SI-12

 

Related regulations:

CIS, FISMA NIST, GDPR, GLBA, HIPAA, ISO 27001, NERC CIP, PCI DSS, SOX

Potentially harmful files on file shares

Executables, installers, scripts and registry keys can introduce malware, viruses and other harmful applications into your network, so they should not be stored on shared resources.

0 — Low

1 — Medium

> 1 — High

NIST:

RA-3 control: Regularly assess risks to your information systems and act on the findings. https://nvd.nist.gov/800-53/Rev4/control/RA-3

 

Related regulations:

ASD ISM, FISMA NIST, GDPR, GLBA, HIPAA, NERC CIP, NIST 800-171, PCI DSS, SOX

Direct permissions on files and folders

Best practices recommend assigning permissions through group membership rather than directly, to facilitate easier and more accurate rights management.

0% — Low

(0% – 5%) — Medium

≥ 5% — High

NIST:

AC-3 control: Ensure user permissions comply with your access control policies. https://nvd.nist.gov/800-53/Rev4/control/AC-3

 

Related regulations:


ASD ISM, CIS, CJISSP, FISMA NIST, GDPR, GLBA, HIPAA, ISO 27001, NERC CIP, NIST 800-171, PCI DSS, SOX, SWIFT

Documents and list items accessible by Everyone and Authenticated Users

Documents and list items that are accessible by Everyone and Authenticated Users are highly exposed. Ensure that permissions are assigned in accordance with the least-privilege principle.

≤25% — Low

(25% - 50%) — Medium

≥50% — High

NIST:

AC-6 control: Employ the principle of least privilege, allowing only access that is necessary to accomplish assigned tasks in accordance with organizational missions and business functions. https://nvd.nist.gov/800-53/Rev4/control/AC-6

 

Related regulations:

ASD ISM, CIS, CJISSP, FISMA NIST, GDPR, GLBA, HIPAA, ISO 27001, NERC CIP, NIST 800-171, PCI DSS, SOX, SWIFT

Servers with non-approved operating systems

Servers should be running only whitelisted operating systems.

0% — Low

Medium risk level — not used

>0% — High

NIST:

CM-2 control: Establish and maintain baseline configurations and inventories of organizational information systems. https://nvd.nist.gov/800-53/Rev4/control/CM-2

 

Related regulations:

CIS, FISMA NIST, ISO 21001, NERC CIP, NIST 800-171, PCI DSS, SWIFT


Servers with under-governed Windows Update configurations

Servers that bypass Group Policy or have updates disabled are considered unmanaged in regard to Windows Update.

0% — Low

>0% — Medium

High risk level — not used

NIST:

SI-2 control: Due to information system integrity and availability concerns, organizations give careful consideration to the methodology used to carry out automatic updates.

https://nvd.nist.gov/800-53/Rev4/control/SI-2

Related regulations:

CIS, FISMA NIST, ISO 21001, NERC CIP, NIST 800-171, PCI DSS, SWIFT

Servers with unauthorized antivirus software

Servers should be running only whitelisted antivirus tools.

0% — Low

Medium risk level — not used

>0% — High

NIST:

CM-2 control: Establish and maintain baseline configurations and inventories of organizational information systems.

https://nvd.nist.gov/800-53/Rev4/control/CM-2

 

Related regulations:

CIS, FISMA NIST, ISO 21001, NERC CIP, NIST 800-171, PCI DSS, SWIFT

Data provided by Netwrix Data Classification

Sensitive Documents

Records that contain sensitive content should be stored only in secure locations to minimize unauthorized access.

0% — Low

(0% – 5%) — Medium

≥ 5% — High

NIST AC-6 control: Employ the principle of least privilege, allowing only access that is necessary to accomplish assigned tasks in accordance with organizational missions and business functions.

Related regulations: ASD ISM, CIS, CJISSP, FISMA NIST, GDPR, GLBA, HIPAA, ISO 27001, NERC CIP, NIST 800-171

Sensitive Documents by Taxonomy

Records that contain sensitive content, such as content regulated by GDPR or HIPAA, should be stored only in secure locations to minimize unauthorized access.

0% — Low

(0% – 5%) — Medium

≥ 5% — High

NIST AC-6 control: Employ the principle of least privilege, allowing only access that is necessary to accomplish assigned tasks in accordance with organizational missions and business functions.

Related regulations: ASD ISM, CIS, CJISSP, FISMA NIST, GDPR, GLBA, HIPAA, ISO 27001, NERC CIP, NIST 800-171, PCI DSS, SOX, SWIFT

Duplicate Documents

A high level of document duplication increases the risk of data being stored in unsecure locations, the risk of old data being used in decision making, and storage and maintenance costs.

0% — Low

(0% – 5%) — Medium

≥ 5% — High

NIST AC-6 control: Employ the principle of least privilege, allowing only access that is necessary to accomplish assigned tasks in accordance with organizational missions and business functions.

Related regulations: ASD ISM, CIS, CJISSP, FISMA NIST, GDPR, GLBA, HIPAA, ISO 27001, NERC CIP, NIST 800-171, PCI DSS, SOX, SWIFT
