
User Behavior Risk Data Collection

Sensitive data is collected and stored only temporarily and only locally, on the user's workstation, for the sole purpose of raising alerts about potential threats that user behavior may expose your company to. We do not save personal data such as plain-text usernames and passwords in any cloud database.

The locally collected data is deleted periodically and may include only hashes of usernames and passwords, the total number of risky websites accessed in a period of time, the URLs of some of these suspicious websites, and their domain IPs.

The following table describes the user behaviors that ERA monitors and how it processes and collects user data.

| Rule name | Description | Type | Collected data |
| --- | --- | --- | --- |
| Plain HTTP Credentials | Verifies whether the user has submitted credentials over insecure HTTP connections since the last scan. | passwords | We check if the user uses the same passwords across different external sites. This scenario is enabled when we detect at least two external websites with the same password. |
| Shared HTTP Password External (1) | Verifies whether the user accesses insecure (HTTP) websites, and stores the number of accessed websites and their timestamps. | passwords | We store locally the hash of the passwords (CRC32 format) entered on external sites, as well as the accessed URL(s), domain IPs and username. |
| Shared HTTP Password Internal with External | Verifies whether the user uses the same passwords on both internal and external websites. | passwords | We store locally the hash of the passwords (CRC32 format) entered on internal and external sites, as well as the accessed URL(s) and domain IPs. |
| High Risk Browsing | Verifies whether the user has browsed sites marked as phishing or fraud since the last scan. This scenario activates when the number of insecure websites accessed exceeds the current threshold. | browsing | We only store locally the number of high-risk websites accessed during a specific timeframe and their URLs. |
| High Detection Count | Verifies whether the user has been exposed to a high number of threats since the last scan. The scenario activates when the number of detections per user exceeds the preset threshold. | detections | We store locally the number of detections triggered during a specific timeframe. |
| Removable Device Infection | Verifies whether the user has been exposed to a threat from a removable device (e.g., flash drive, external HDD) since the last scan. | detections | We store locally the detections triggered during a specific timeframe and the source of infection (USB/CD/ISO file). |
| SMB Infection | Verifies whether the user has accessed any malicious files over a network shared folder since the last scan. | detections | We store locally the file access events originating from network shared folders or share points. |
| Browsing Infection | Verifies whether the user has accessed any malicious URLs since the last scan. | detections | We store locally the malicious/suspicious URLs and count them. |
| High Detection Count Over Time | Verifies whether the user is exposed to an extremely high number of threats during a specific timeframe. | detections | We store locally the number of infections during a specific timeframe. |
| Shared HTTP Password External (2) | Verifies whether the user fails to periodically change passwords for external websites. | passwords | We store locally: password hashes (CRC32 format), the username hash and the URLs of the external websites that triggered this behavior, as well as domain IPs. |
| Old User Password | Verifies whether the user has not changed the login password for the account (local or domain) for more than 30 days. | passwords | We don't store anything locally. We query an Active Directory function that returns the last time the password for a user was changed. |
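The three password rules above (Plain HTTP Credentials, Shared HTTP Password External (1), Shared HTTP Password Internal with External) are illustrated here as an added example, not ERA's own code: it builds a local store holding only the CRC32 hashes and URL data the table lists, then evaluates each rule over it. The submission records, the internal-domain list and the record shape are constructed assumptions.

```python
import zlib
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample of credential submissions in the shape a local collector
# might record (hypothetical; not ERA's format). Plain passwords appear only
# to show the hashing step; the store built below keeps the CRC32 values only.
INTERNAL_DOMAINS = {"intranet.example.corp"}  # assumed list of internal hosts
SUBMISSIONS = [
    ("alice", "Winter2024!", "http://shop.example.net/login"),
    ("alice", "Winter2024!", "https://forum.example.org/signin"),
    ("alice", "Winter2024!", "https://intranet.example.corp/portal"),
    ("alice", "otherpass", "https://bank.example.com/auth"),
]

def crc32_hex(value: str) -> str:
    """CRC32 as the page describes; a checksum that detects reuse, not a cryptographic hash."""
    return f"{zlib.crc32(value.encode()) & 0xFFFFFFFF:08x}"

def build_local_store(submissions):
    """Keep only what the table lists: hashes, URL, host, HTTP flag, internal flag."""
    store = []
    for user, password, url in submissions:
        parsed = urlparse(url)
        store.append({
            "user_hash": crc32_hex(user),
            "pw_hash": crc32_hex(password),
            "url": url,
            "host": parsed.hostname,
            "plain_http": parsed.scheme == "http",
            "internal": parsed.hostname in INTERNAL_DOMAINS,
        })
    return store

def plain_http_credentials(store):
    """'Plain HTTP Credentials': URLs where credentials went over insecure HTTP."""
    return [r["url"] for r in store if r["plain_http"]]

def shared_password_external(store):
    """'Shared HTTP Password External (1)': same password hash on at least two external hosts."""
    hosts_by_hash = defaultdict(set)
    for r in store:
        if not r["internal"]:
            hosts_by_hash[r["pw_hash"]].add(r["host"])
    return {h: sorted(s) for h, s in hosts_by_hash.items() if len(s) >= 2}

def shared_password_internal_external(store):
    """'Shared HTTP Password Internal with External': a hash seen on both sides."""
    internal = {r["pw_hash"] for r in store if r["internal"]}
    external = {r["pw_hash"] for r in store if not r["internal"]}
    return sorted(internal & external)
```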