CSSA Lesson 10 Access Outliers - 631


In this lesson, we’ll discuss how to detect rogue and outlier access using the Access
Outliers analytic and how to manage users with high-risk access.

Users who belong to a peer group (for example, Finance) share a common set of
access privileges to perform the functions of their job. These peer groups exhibit
distinct patterns of behavior. If an activity is detected that breaks from the distinct
pattern of the peer group, the user is considered an outlier. Outlier access is
considered high risk, but it may or may not pose a threat to the organization.

To configure the parameters:
1. Navigate to Menu > Analytics > Access Outliers.
2. Click the + sign and select Configure Parameters. The Configure
Parameters screen displays with the Outlier Detection Risk Variables and
the Peer Group Cohesiveness Variables entries.
3. Provide the following for the Outlier Detection Risk Variables section:

§ Toggle Certify All Entitlements to YES if you want to run the job on
all the entitlements.
NOTE: If you do not enable this, you can specify how many
entitlements you would like to review and even exclude attributes
from the analysis.

§ Entitlement Cutoff: Set the risk score that must be met before access
is considered an outlier.
Example: 0.85

§ Transaction Capacity Ceiling: Set this when peer groups hold a large
set of entitlements, so that a large group is analyzed as smaller sub-groups.
Example: 10.0

Provide the following for the Peer Group Cohesiveness Variables section:

1. Peer Entitlement Strength: Set the percentage of entitlements users in a
peer group must have in common for the peer group to be used for
outlier analysis. Example: 0.80 means users have 80% of entitlements in
common.

2. Peer Capacity Ceiling: Select the percentage of entitlements that must be
above the Peer Entitlement Strength for Peer Cohesiveness to equal
1 (perfect). Example: 10.0 means 10% of the entitlements held by the
group are above the Peer Entitlement Strength.

Setting these variables high ensures that the peer groups SNYPR analyzes to
detect outlier access are valid. Depending on your organization’s peer groups,
these numbers might be lower. For example, if the peer members in your
organization only have about 50% of entitlements in common, select 0.5 for
the Peer Entitlement Strength. Setting the Peer Capacity Ceiling to a high
number ensures the entitlement strength is met by your peer groups.

Provide the following for the Peer Group Cohesiveness Variables section
(continued):

3. Min Peer Population: Set the minimum number of users that must be in a peer
group before it is considered for analysis.

4. Peer Cohesiveness Cutoff: Set the minimum Peer Cohesiveness allowed to be
considered for analysis.
Example: 0.8.

The variables you set on the previous screen determine what constitutes a peer
group with a peer cohesiveness of 1. 1 means the peer group is perfectly cohesive. If
you want SNYPR to consider peer groups that have a high cohesiveness but that
aren’t perfect, you can lower the peer cohesiveness cutoff to 0.8 or to 0.5. Lowering this
number will show more results with lower risk. Keeping this number high will show
fewer results with higher risk.

After you have configured the entitlements to use in the analysis, and configured the
access outlier parameters, you can schedule the Access Outlier job.
On the Selection Criteria tab, the choices are as follows: All Peer Groups, Peer
Criteria, Selected Peer Groups, All Users, Users Criteria, and Selected Users. The
options for Peer Criteria and Users Criteria provide the opportunity to filter based on
peer or user attributes. The Selected options for Peer Groups and Users let you select
specific groups or users to be the subject of this review.

On the Run Job tab, you can set the percentage of entitlements to review, from the
top 5% to 100%, or Manually. If you select Manually, outlier results are not available
on the Security Dashboard automatically. After the job completes, you can review
the outlier results manually by clicking the Review Results link next to the job and set
the outlier threshold per resource before saving them to the Security Dashboard.
Provide a name for the job.
You can click Run to run immediately or schedule the job to run later.


1. Click the paper icon in the Action column to view the Access Outlier Job Details.
2. Select the resource from the left navigation pane.
3. Adjust the Outlier Probability Cut off percentage by using the slider as needed
and click Preview Results.
NOTE: The higher the probability cut off selected, the fewer potential outliers
there are to review.
4. When satisfied with the selections, click Finalize/Send for Access Review.

The Access Outliers Dashboard displays the results of Access Outlier jobs,
which help in identifying:
1. High risk users: users with access not held by other members of
their peer group.
2. Rogue access: users with access they should not have at all for
their job title.

The following icons display on the Access Outliers Dashboard to help manage
the results:
• Reports: click to download a report.
• Refresh: click to refresh results.
• Search: click to search for users by a specific attribute.

High Risk User scoring is based on peer group cohesiveness. The more
entitlements a peer group has in common and the fewer members of the
group have the outlier access, the higher the risk score for the user with
unusual access.

From the main menu, click Access Outliers Dashboard > High Risk Users to view
high-risk users by risk score.

When you expand the details, you can click the Policy Name (High Risk Access) to
view the user's high-risk accounts. This opens the High Risk Access Policy Details
screen. From here, you can use the Select Action dropdown to take actions on ALL
high-risk accounts for this user.

Click More Details to view information such as the Peer Cohesiveness of the peer
groups used in the analysis, the outlier probability, and to view the users who do and
do not have access to the same resources.

NOTE: The access values in this example are Active Directory privileges that are
expressed through membership in security groups. This will appear differently if you
are using an IAM/PAM tool other than Active Directory.

Click More Details to view more information about the entitlement, such as the
number of peers who have the access, the peer cohesiveness for the peer group, and
the outlier probability for the entitlement.

Click a value to view members of the user’s peer group that don’t have the access,
and members of other peer groups that have the access. This can help you determine
if the user should have the access. For example, if none of the user’s peer group
members have the access, but members of different peer groups do, this access
might be the result of the user transferring and failing to remove the access they no
longer need.

Use the Select Action dropdown to take actions on ALL high-risk accounts for this
user.

You can take actions on high risk users. You can:
• Certify for all: this certifies all entitlement access for the account.
• Revoke for all accounts: this revokes all access for the account.
• Or you can allow a Date Extension for all entitlements for the account. This lets
you specify a date range for which access should be granted for all accounts.

You can also take actions on each entitlement individually.

NOTE: The actions you take in SNYPR do not equate to actions in Active Directory or
the IAM/PAM tool you are using. These actions are transmitted to the tool as
notifications and must be taken within the tool.

Rogue Access scoring is based on whether a user should have an access privilege at
all. That is, one member of a peer group has an access privilege that other members
of the same peer group do not have.
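The peer group cohesiveness variables configured earlier, the High Risk User scoring rule (more entitlements in common and fewer peers holding the access means higher risk), the Rogue Access rule above, and the "which other peer groups hold this access" check can be tied together in a small runnable model. The Python below is an added example and is not Securonix code or SNYPR's actual algorithm: the formulas are one reading of the lesson's variable descriptions (Peer Entitlement Strength as the share of members who must hold an entitlement for it to count as common; Peer Capacity Ceiling as the percentage of common entitlements at which cohesiveness reaches 1; Entitlement Cutoff as the outlier probability a held entitlement must reach; outlier probability as cohesiveness times the share of the user's other peers who lack the entitlement; rogue access as an entitlement that no other member of the peer group holds), and the users, peer groups and Active Directory group names are constructed sample data.

```python
# Added model of peer-group cohesiveness and access-outlier scoring.
# Not Securonix code: formulas are one reading of the lesson's variable
# descriptions and are assumptions, as is the sample data below.
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Params:
    peer_entitlement_strength: float = 0.80  # share of members that must hold an entitlement for it to be "common"
    peer_capacity_ceiling: float = 10.0      # percent of a group's entitlements that must be common for cohesiveness 1
    min_peer_population: int = 3             # smaller peer groups are not analysed
    peer_cohesiveness_cutoff: float = 0.8    # less cohesive peer groups are not analysed
    entitlement_cutoff: float = 0.85         # outlier probability a held entitlement must reach to be flagged


@dataclass
class PeerGroup:
    name: str
    members: list
    holders: Counter      # entitlement -> number of members holding it
    cohesiveness: float


# Constructed sample: user -> (peer group, Active Directory groups held).
USERS = {
    "alice": ("Finance", {"FIN_GL_Read", "FIN_AP_Write", "VPN_Users", "SAP_FI"}),
    "bob":   ("Finance", {"FIN_GL_Read", "FIN_AP_Write", "VPN_Users", "SAP_FI"}),
    "carol": ("Finance", {"FIN_GL_Read", "FIN_AP_Write", "VPN_Users", "SAP_FI"}),
    # dave holds a privilege nobody else, in any peer group, holds.
    "dave":  ("Finance", {"FIN_GL_Read", "FIN_AP_Write", "VPN_Users", "SAP_FI", "Domain Admins"}),
    # erin kept an HR group after transferring into Finance.
    "erin":  ("Finance", {"FIN_GL_Read", "FIN_AP_Write", "VPN_Users", "SAP_FI", "HR_Payroll"}),
    "frank": ("HR", {"HR_Payroll", "HR_Records", "VPN_Users"}),
    "grace": ("HR", {"HR_Payroll", "HR_Records", "VPN_Users"}),
    "heidi": ("HR", {"HR_Payroll", "VPN_Users"}),
    "ivan":  ("Interns", {"VPN_Users"}),  # peer group below Min Peer Population
}
# Contractors share almost nothing, so their peer group is not cohesive.
for _u in ("pat", "quinn", "rae"):
    USERS[_u] = ("Contractors", {"VPN_Users"} | {f"CTR_{_u}_{i}" for i in range(4)})


def build_peer_groups(users, p=Params()):
    """Group users by peer group and compute each group's cohesiveness."""
    by_group = {}
    for user, (group, _) in users.items():
        by_group.setdefault(group, []).append(user)
    groups = {}
    for name, members in by_group.items():
        holders = Counter(e for m in members for e in users[m][1])
        common = sum(1 for n in holders.values() if n / len(members) >= p.peer_entitlement_strength)
        fraction_common = common / len(holders) if holders else 0.0
        # Assumed: cohesiveness rises linearly with the common fraction and
        # saturates at 1 once that fraction reaches the capacity ceiling.
        cohesiveness = min(1.0, fraction_common / (p.peer_capacity_ceiling / 100.0))
        groups[name] = PeerGroup(name, members, holders, cohesiveness)
    return groups


def eligible(group, p=Params()):
    """Min Peer Population and Peer Cohesiveness Cutoff gates."""
    return (len(group.members) >= p.min_peer_population
            and group.cohesiveness >= p.peer_cohesiveness_cutoff)


def score_outliers(users, p=Params()):
    """Return (peer groups, findings at or above the Entitlement Cutoff)."""
    groups = build_peer_groups(users, p)
    findings = []
    for user, (gname, ents) in users.items():
        g = groups[gname]
        if not eligible(g, p):
            continue
        for ent in sorted(ents):
            # Assumed: the more cohesive the group and the fewer *other*
            # members who hold the access, the higher the outlier probability.
            peer_share = (g.holders[ent] - 1) / max(len(g.members) - 1, 1)
            prob = round(g.cohesiveness * (1.0 - peer_share), 3)
            if prob < p.entitlement_cutoff:
                continue
            findings.append({
                "user": user, "peer_group": gname, "entitlement": ent,
                "outlier_probability": prob,
                "rogue": g.holders[ent] == 1,  # no other member of the peer group holds it
                "peers_without": sorted(m for m in g.members if ent not in users[m][1]),
                "other_groups_with": sorted(o.name for o in groups.values()
                                            if o.name != gname and o.holders[ent] > 0),
            })
    return groups, findings


if __name__ == "__main__":
    groups, findings = score_outliers(USERS)
    for g in groups.values():
        print(f"{g.name:<12} members={len(g.members)} cohesiveness={g.cohesiveness:.2f} analysed={eligible(g)}")
    for f in findings:
        held = f["other_groups_with"] or ["no other peer group"]
        print(f"{f['user']}/{f['peer_group']}: {f['entitlement']} p={f['outlier_probability']} "
              f"rogue={f['rogue']} also held in {held}; peers without it: {f['peers_without']}")
```

Running it, the Interns group is skipped for population and Contractors for low cohesiveness, so neither produces findings even though their members hold unusual access. In Finance, dave's Domain Admins and erin's HR_Payroll both score 1.0 and are rogue, but only erin's entitlement is also held by another peer group (HR), which is the transfer pattern the lesson describes. Lowering the Entitlement Cutoff to 0.5 additionally surfaces HR_Records for frank and grace as high risk but not rogue, since two of three HR members hold it; this is the difference between the High Risk Users and Rogue Access views.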

Navigate to: Menu > Security Center > Access Outlier Dashboard, then click Rogue
Access Detected.

You can take the same actions to remediate rogue access.

The actions that can be taken to remediate rogue access are:
• Certify for Account
• Revoke for Account
• Date Extension for Account
