Endpoint Risk Analytics (ERA)
Endpoint Risk Analytics (ERA) helps you assess and harden your endpoints security configurations against industry best practices, to minimize the attack surface.
Important
Endpoint Risk Analytics module is available only for supported Linux and Windows desktop and server operating systems.
ERA gathers and analyzes data through risk scan tasks ran on selected devices in your network.
To do so you must first make sure the ERA module is activated from the frat.howto-risk applied to the selected devices.
To do so you must first make sure the ERA module is activated from the policy applied to the selected devices:
Go to the Policies page.
Click the Add button and configure the General settings.
Scroll to and select the Risk Management policy.
Select the check box to enable the Risk Management features and start configuring policies that define how to run the Risk Scan task.
Note
For more information about the GravityZone Indicators of Risk, refer to GravityZone Indicators of Risk.
For more information about known application vulnerabilities, refer to the CVE Details website.
Running the Risk Scan task
Follow these steps to run risk scan tasks and assess the results:
You can run risk scan tasks on endpoints in two ways:
On demand - by selecting the endpoints from the Network page and sending a Risk Scan task from the Tasks menu.
Scheduled - by configuring from policy a risk scan task that runs automatically on target endpoints at a defined interval.
Note
For more information refer to Running tasks.
After the risk scan has finished successfully, GravityZone calculates a risk score for each endpoint.
Access the Risk Management dashboard to obtain the following information:
The company risk score and score evolution
Risk scores and statistics broken down into misconfigurations, vulnerable applications, and affected devices
The description of each indicator of risk and the recommended remediation actions
Access the Security Risks page to analyze and mitigate the discovered misconfigurations, application vulnerabilities, and human based risks.
Access the Companies View page for an overview of the risk score of all the companies under your management.
The Risk Management Dashboard
The Risk Management page provides an overview of your network security and risk assessment information.
The data displayed on this page is organized in several widgets:
Important
When you access the Dashboard for the first time you will be prompted with a notification bar that requires your permission to allow GravityZone to monitor unusual user activity.
Note
See User Behavior Risk Data Collection for more details on how we process user data.
Company Risk Score
The overall risk score displays the level of risk your organization is exposed to by misconfigured system settings, known vulnerabilities of currently installed applications, and potential risks caused by user activity and behavior.
The score represents an average of the three major risk categories: Misconfiguration, App Vulnerabilities, and Human Risks, and it is adjusted using the Health Industry Modifier.
Click the widget and a details panel will open where you can see details of how the overall risk is being calculated and broken down into subcategories.
Note
Running an on-demand Risk Scan on a new target device will influence the overall score. The results will be kept for 90 days, or until the next scan.
Health Industry Modifier
The Health Industry Modifier dynamically adjusts the company score based on common vulnerabilities and exposures (CVEs) discovered in your environment, which have already been exploited at industry level.
Score Over Time
This widget is a histogram that displays the weekly evolution of the number of affected devices detected as vulnerable after risk scans. The histogram data represents the number of devices affected by risk indicators from the last seven days, until 12 AM (server time) of the current day.
Top Misconfigurations
This widget displays the top 15 results for indicators that triggered a risk alert after scanning the devices, ordered by the number of affected devices. Each card represents one indicator that has triggered a risk alert for at least one device.
Each card displays the following elements:
The indicator's name
The number of devices detected as vulnerable for this indicator
The severity for the current indicator of risk
If you click the individual indicator widget it will open the selected indicator of risk in the Misconfigurations tab of the Security Risks page, where you may take appropriate actions to mitigate this risk.
If you click the View All button you will view the entire list of discovered misconfigurations in the Misconfigurations tab of the Security Risks page.
Note
For more details on misconfigurations, refer to GravityZone Indicators of Risk.
Top Vulnerable Apps
This widget displays the top 15 results for known application vulnerabilities that triggered a risk alert after scanning the devices, ordered by the number of affected devices. Each card represents one vulnerable application that raised a risk alert for at least one device.
Each card displays the following elements:
The application's name.
The number of devices made vulnerable by this application.
The severity for the vulnerable application.
If you click the individual app widget it will open the selected vulnerability in the App Vulnerabilities tab of the Security Risks page, where you may take appropriate actions to mitigate this risk.
If you click the View All button you will view the entire list of discovered application vulnerabilities in the App Vulnerabilities tab of the Security Risks page.
Note
You can find details about known application vulnerabilities on the CVE Details website.
Top User Behavior Risks
This widget displays the top 15 results for potential risks caused by unintentional or reckless behavior of users active in your network, ordered by the number of vulnerable users. Each card represents a human based risk caused by at least one user.
If you click the individual human risk widget it will open the selected risk in the User Behavior Risks tab of the Security Risks page, where you may view and analyze it in more detail.
If you click the View All button you will view the entire list of all the discovered human risks generated by user activity in the User Behavior Risks tab of the Security Risks page.
Note
This new ERA feature is available as a preview version, enabling you only to view human-based risks, and to ignore them if they are irrelevant to your environment. More enhanced functionality will be added in the coming future.
Note
See User Behavior Risk Data Collection for more details on how we process user data.
Servers by Severity
This widget shows the severity of the risks threatening the servers in your environment.
The impact of the discovered misconfigurations and application vulnerabilities is displayed as a percentage.
Workstations by Severity
This widget shows the severity of the risks threatening the workstations in your environment.
The impact of the discovered misconfigurations and application vulnerabilities is displayed as a percentage.
Top Devices at Risk
This widget displays the most vulnerable servers and workstations in your environment, according to the overall score calculated after scanning for misconfigurations and vulnerabilities.
If you click the View All button you will view the entire list of devices exposed to potential threats in the Devices tab of the Security Risks page.
Top Users by Behavior Risks
This widget displays the most vulnerable users in your environment, according to the overall score calculated after analyzing their behavior and activity.
If you click the View All button you will view the entire list of users that may have been exposing your organization to potential threats through their behavior, in the Users tab of the Security Risks page.
Security Risks
This page displays all the risks, affected devices, and vulnerable users discovered in your environment after running a Risk Scan task.
The indicators of risk are displayed in a fully customizable grid formation with complex filtering options:
Select the company under your management to analyze and mitigate the risks impacting it.
Select which category to investigate:
Use these action buttons to customize your grid:
Click the
Show/Hide Columns button to add or remove filter columns.The page will update automatically, loading the cards with information matching the added columns.
You can always reset the filter columns from the Reset button inside the Show/Hide Columns drop-down menu.
Click the
Show/Hide Filters button to show or hide the filters bar.Click the
Refresh button to refresh the list.
Each indicator entry is listed in a rich card format, providing an overview of each indicator of risk, with information based on the selected filters.
Misconfigurations
The Misconfigurations tab displays by default all the GravityZone indicators of risk. It provides detailed info of their severity, number of affected devices, the misconfiguration type, mitigation type (manual or automatic), and status (active or ignored).
Note
Automatic mitigation actions are not available for the FRAT license or subscription. Upgrade to a full product license or trial to unlock them. Contact your sales representative for more information.
To fix multiple misconfigurations at once:
Select the master check box or individual boxes of indicators of risk to select them.
Click the Fix Risks button.
A new window pops up where you need to confirm the action, or cancel it.
A new task is created to apply the recommended setting on all affected devices.
Note
You may check the progress of the task in the Network > Tasks page.
If the indicator of risk can be mitigated only manually, you need to access the affected devices yourself and apply the recommended configuration.
To change the status of misconfigurations:
Select the master check box or individual boxes of indicators of risk to select them for status change.
Click the Ignore/Restore Risks button to change the status from Active to Ignored, or vice-versa.
Note
The Ignore Risks action applies to all the selected devices, and influences the overall company risk score upon performing a new risk scan.
We strongly recommend you to assess how disregarded indicators of risk may impact your organization's security.
You can customize the information displayed in cards and filter misconfigurations by using these options:
Filtering option | Details |
|---|---|
Misconfiguration | This column includes a searchable drop-down menu that allows you to filter the list of indicators by name. |
Severity | This column allows you to filter the list of indicators by the level of severity of each indicator of risk. You may select between Low, Medium, and High. |
Affected Devices | This column shows the number of servers and workstations that may be exposed to threats by a specific indicator of risk. |
Type | This column allows you to filter the list of indicators of risk by their type:
|
Mitigation Type | This column allows you to filter the list of indicators of risk that can be mitigated manually or automatically. |
Status | This column allows you to filter the list of indicators of risk by their status, Active or Ignored. |
Click the misconfiguration you want to analyze, to expand its specific side panel.
Each panel contains:
An info section with the name of the risk indicator, its level of severity, number of affected devices, and type.
A Details section that thoroughly describes the setting, and configuration guidelines.
A Mitigations section that includes recommendations that minimize the risk on the affected devices, as well as available actions:
The Fix Risk functionality is not enabled for the FRAT license or subscription.
Upgrade to a full product license or trial to unlock them. Contact your sales representative for more information.
Click the Fix Risk button to properly configure this setting.
A new window pops up where you need to confirm the action, or cancel it.
A new task is created to apply the recommended setting on all affected devices.
Note
You may check the progress of the task in the Network > Tasks page.
If the indicator of risk can be mitigated only manually, you need to access the affected devices yourself and apply the recommended configuration.
The Ignore Risk button changes the status of the selected risk from Active to Ignored.
Tip
You can change it back to active state anytime you choose to, by clicking the Restore Risk button.
The View Devices button takes you to the Devices tab, to see all the devices this indicator of risk is currently affecting.
App Vulnerabilities
The App Vulnerabilities tab displays all the vulnerable applications discovered on devices in your environment during scanning. It provides detailed info of their level of severity, number of known CVEs per application, and number of affected devices.
The top 100 vulnerabilities are displayed for each application. The vulnerabilities are ranked by severity. After resolving existing vulnerabilities, you can run a Risk scan task to discover and display more.
You can customize the information displayed in cards and filter vulnerable applications by using these options:
Filtering option | Details |
|---|---|
Applications | This column includes a searchable drop-down menu that allows you to filter the list of vulnerable applications by name. |
Severity | This column allows you to filter the list of vulnerable applications by the level of severity of each app. You may select between Low, Medium, and High. |
CVE | This column shows the number of Common Vulnerabilities and Exposures (CVEs) for applications currently installed in your environment. |
Affected Devices | This column shows the number of servers and workstations that may be exposed to threats by a specific indicator of risk. |
Click the vulnerable app you want to analyze to expand its specific side panel.
Each panel contains:
An info section with the name of the application, level of severity, how many devices it affects, and how many exploits were allowed to corrupt your environment.
A Remediation section with mitigation actions and list of discovered CVEs:
The Patch App functionality is not enabled for the FRAT license or subscription.
Upgrade to a full product license or trial to unlock them. Contact your sales representative for more information.
Click Patch App button to apply available patches for the vulnerable application.
Important
The Patch App functionality works only for scanned devices that have the Patch Management module installed.
A new window pops up where you need to confirm the action, or cancel it.
A new task will be created to apply the patches to vulnerable applications on all affected devices.
Note
You may check the progress of the task in the Network > Tasks page.
The Ignore App button changes the status of the selected app from Active to Ignored.
Note
You can change it back to active state anytime you choose to, by clicking the Restore App button.
The View Devices action takes you to the Devices tab to see all the devices this vulnerable application is currently affecting.
Expand listed CVEs and click the View CVE Database button to access the database with specific info.
User Behavior Risks
The User Behavior Risks tab displays all the risks caused by the reckless or unintentional actions of active users, or lack of measures taken to properly secure their working sessions while in your network. It provides detailed info of the level of severity, number of vulnerable users, risk status and type.
Note
See User Behavior Risk Data Collection for more details on how we process user data.
You can customize the information displayed in cards and filter human risks by using these options:
Filtering option | Details |
|---|---|
Human Risks | This column includes a searchable drop-down menu that allows you to filter the list of human risks by name. |
Severity | This column allows you to filter the list of human risks by their level of severity. You may select between Low, Medium, and High. |
Vulnerable Users | This column shows the number of users causing human risks. |
Mitigation Type | This column allows you to filter the list of risks that can be mitigated manually or automatically. |
Status | This column allows you to filter the list of risks by their status, Active or Ignored. |
Click the human risk you want to analyze, to expand its specific side panel.
Each panel contains:
An info section with the name of the risk, level of severity, vulnerable users, risk status, and a detailed description of the risk.
A Mitigations/User Actions section with mitigation actions:
The Ignore Risk button changes the status of the selected risk from Active to Ignored.
Note
You can change it back to active state anytime you choose to, by clicking the Restore Risk button.
The View Users action takes you to the Users tab to see all the users that have triggered this risk while active in your network.
Devices
The Devices tab displays all the scanned servers and workstations under your management. It provides detailed info of their name, level of severity, device type, and number of risks affecting them.
The top 500 vulnerabilities are displayed for each device. The vulnerabilities are ranked by severity. After resolving existing vulnerabilities, you can run a Risk scan task to discover and display more.
You can customize the information displayed in cards and filter devices by using these options:
Filtering option | Details |
|---|---|
Device | This column includes a searchable drop-down menu that allows you to filter the list of affected servers and workstations by name. |
Severity | This column allows you to filter the list of devices by the level of severity affecting each device. You may select between Low, Medium, and High. |
Misconfigurations | This column shows the number of misconfigurations discovered per device. |
CVEs | This column shows the number of Common Vulnerabilities and Exposures (CVE) discovered per device. |
Device Type | This column allows you to filter the list of devices by their type. You may select between Server, and Workstation. |
Click the device you want to investigate to expand its specific side panel.
Each panel contains:
An info section with the name of the device, level of severity, and number of misconfigurations and common vulnerabilities and exposures affecting it.
The Ignore Endpoint button changes the status of the selected risk from Active to Ignored.
Note
You can change it back to active state anytime you choose to, by clicking the Restore Endpoint button.
A risks section displaying in detail each misconfiguration and vulnerable application discovered on the device, grouped in two tabs.
The Misconfigurations tab includes all the misconfigurations discovered on the device, grouped into indicators of risk that can be fixed automatically, and indicators of risk that may be resolved only manually.
The Fix All Risks functionality is not enabled for the FRAT license or subscription.
Upgrade to a full product license or trial to unlock them. Contact your sales representative for more information.
Click Fix All Risks button to remediate all the misconfigured settings and policies affecting this device.
A new task is created to apply the recommended setting on the affected device.
Note
You may check the progress of the task in the Network > Tasks page.
For indicators of risk that can be mitigated only manually, you need to access the affected device yourself and apply the recommended configuration.
Note
You can also choose to investigate separately each misconfiguration affecting the current device, and fix them one by one using the Fix Risk button.
The App Vulnerabilities tab includes all the vulnerable applications discovered on the device, and number of CVEs impacting each application.
The Patch All Apps functionality is not enabled for the FRAT license or subscription.
Upgrade to a full product license or trial to unlock them. Contact your sales representative for more information.
Click Patch All Apps button to apply available patches for all the vulnerable applications that expose the selected device to threats.
Important
The Patch All Apps functionality works only for scanned devices that have the Patch Management module installed.
A new window pops up where you need to confirm the action, or cancel it.
A new task will be created to apply the patches to vulnerable applications on all affected devices.
Note
You can check the progress of the task in the Network > Tasks page.
Note
You can also choose to investigate separately each vulnerable app affecting the current device, and patch them one by one using the Patch App button.
Users
The Users tab displays all users which, intentionally or not, are exposing your environment to threats. It provides information such as the user name, level of overall risk severity for that user, the user's title and department, number of risks they are exposed to, and their status in calculating the overall company risk.
Note
See User Behavior Risk Data Collection for more details on how we process user data.
You can customize the information displayed in cards and filter vulnerable applications by using these options:
Filtering option | Details |
|---|---|
Users | This column includes a searchable field that allows you to filter the list of vulnerable users by name. |
Severity | This column allows you to filter the list of vulnerable users by their level of severity. You may select between Low, Medium, and High. |
No. of Risks | This column shows the number of human risks each user is posing. |
Title | This column allows you to filter the list of users by their title inside the organization. |
Department | This column allows you to filter the list of users by the department they belong to within your organization. |
Status | This column allows you to filter the list of users by their status, Active or Ignored. |
Click the user you want to investigate to expand its specific side panel.
Each panel contains:
An info section with the user name, title and department, contact information, level of severity, and status.
A Mitigations/User Actions section with mitigation actions:
The Ignore User button changes the status of the selected user from Active to Ignored.
Note
You can change it back to active state anytime you choose to, by clicking the Restore User button.
Companies View
The Companies View page provides an overview of the overall risk for all the companies under your management.
Companies with the highest exposure to threats make the top of the list hierarchy, so you can access them easily and take fast actions to harden their security.
Customize the list of managed companies by using these options:
Filtering option | Details |
|---|---|
Company Name | This column includes a searchable drop-down menu that allows you to filter the list of companies by name. |
Severity | This column allows you to filter the list of companies by the level of severity of the risk impacting them. You may select between Low, Medium, and High. |
After customizing the list with companies it's easy to access each one, analyze the risks that make them vulnerable to potential threats and take actions:
Click a company in the list and it will take you to the dashboard area populated with data specific to the selected company.
Note
Selecting a company from the list also populates the Security Risks page, where you can investigate the misconfigurations, vulnerable applications, human based risks, and affected devices within the company.
You can also export the list of companies under your management in
.csvformat.
The Companies View page will be empty if no Risk scan task is deployed beforehand for the companies under your management.