User Behavior Risk Data Collection
Sensitive data is collected and stored only temporarily and only locally, on the user's workstation, for the sole purpose of raising alerts about threats your company may be exposed to through user behavior. We do not save personal data such as plain text usernames and passwords in any cloud database.
The local data is deleted periodically and may include only hashes of usernames and passwords, the total number of risky websites accessed in a period of time, the URLs of some of these suspicious websites, and their domain IPs.
The following table describes which user behaviors ERA monitors and how it processes and collects user data.
Rule name | Description | Type | Collected data |
---|---|---|---|
Plain HTTP Credentials | Verifies whether the user has submitted credentials over insecure HTTP connections since the last scan. | passwords | We check whether the user uses the same password across different external sites. This scenario triggers when we detect at least two external websites with the same password. |
Shared HTTP Password External (1) | Verifies whether the user accesses insecure (HTTP) websites, and stores the number of accessed websites and their timestamps. | passwords | We store locally the hashes of the passwords (CRC32 format) entered on external sites, as well as the accessed URL(s), domain IPs and username. |
Shared HTTP Password Internal with External | Verifies whether the user uses the same password on both internal and external websites. | passwords | We store locally the hashes of the passwords (CRC32 format) entered on internal and external sites, as well as the accessed URL(s) and domain IPs. |
High Risk Browsing | Verifies whether the user has browsed sites marked as phishing or fraud since the last scan. This scenario triggers when the number of high-risk websites accessed exceeds the current threshold. | browsing | We store locally only the number of high-risk websites accessed during a specific timeframe and their URLs. |
High Detection Count | Verifies if the user has been exposed to a high number of threats since the last scan. The scenario activates when the number of detections per user exceeds the preset threshold. | detections | We store locally the number of detections triggered during a specific timeframe. |
Removable Device Infection | Verifies whether the user has been exposed to a threat from a removable device (e.g., flash drive, external HDD) since the last scan. | detections | We store locally the detections triggered during a specific timeframe and the source of infection (USB/CD/ISO file). |
SMB Infection | Verifies if the user has accessed any malicious files over a network shared folder since the last scan. | detections | We store locally the file access events originating from network shared folders or share points. |
Browsing Infection | Verifies whether the user has accessed any malicious URLs since the last scan. | detections | We store locally the malicious/suspicious URLs and count them. |
High Detection Count Over Time | Verifies if the user is exposed to an extremely high number of threats during a specific timeframe. | detections | We store locally the number of infections during a specific timeframe. |
Shared HTTP Password External (2) | Verifies whether the user fails to periodically change passwords for external websites. | passwords | We store locally: password hashes (CRC32 format), the username hash, the URLs of the external websites that triggered this behavior, and their domain IPs. |
Old User Password | Verifies whether the user has not changed the login password for the account (local or domain) for more than 30 days. | passwords | We don't store anything locally. We query Active Directory for the time the user's password was last changed. |
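The password rules above all work the same way: the submitted password is reduced to a CRC32 value on the workstation, and the rule fires when that value is seen on two or more external domains, or on both an internal and an external domain. The following Python is an added illustration of that logic and is not ERA's own code; the record field names, the `INTERNAL_DOMAINS` set and the sample submissions and visits are constructed for the example. One caveat a practitioner should keep in mind: CRC32 is a 32-bit checksum, not a cryptographic hash, so the stored values protect the password only as long as they stay on the local machine.

```python
import zlib
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample input: credential submissions seen by a browser hook on
# one workstation. Field names are assumptions for this example, not ERA's schema.
SAMPLE_SUBMISSIONS = [
    {"url": "http://forum.example.com/login",  "user": "alice", "password": "Summer2024!"},
    {"url": "https://shop.example.net/signin", "user": "alice", "password": "Summer2024!"},
    {"url": "https://intranet.corp.example/",  "user": "alice", "password": "Summer2024!"},
    {"url": "https://bank.example.org/",       "user": "alice", "password": "Uniqu3-pass"},
    {"url": "http://forum.example.com/login",  "user": "alice", "password": "Summer2024!"},
]
INTERNAL_DOMAINS = {"intranet.corp.example"}  # assumption: company-owned hosts


def crc32_hex(text: str) -> str:
    """CRC32 as the table describes. CRC32 is a 32-bit checksum, not a
    cryptographic hash: collisions are trivial and the space of real
    passwords is small, so this value must never leave the workstation."""
    return f"{zlib.crc32(text.encode('utf-8')) & 0xFFFFFFFF:08x}"


def make_record(sub: dict) -> dict:
    """Reduce a submission to what the table says is kept locally:
    password hash, username hash, URL, domain and scheme. No plaintext."""
    parsed = urlparse(sub["url"])
    domain = parsed.hostname or ""
    return {
        "url": sub["url"],
        "domain": domain,
        "scheme": parsed.scheme,
        "internal": domain in INTERNAL_DOMAINS,
        "user_hash": crc32_hex(sub["user"]),
        "pw_hash": crc32_hex(sub["password"]),
    }


def plain_http_credentials(records):
    """Rule 'Plain HTTP Credentials': URLs where credentials went over http://."""
    return sorted({r["url"] for r in records if r["scheme"] == "http"})


def shared_password_external(records):
    """Rule 'Shared HTTP Password External': one password hash seen on at
    least two distinct external domains. Returns {pw_hash: [domains]}."""
    by_hash = defaultdict(set)
    for r in records:
        if not r["internal"]:
            by_hash[r["pw_hash"]].add(r["domain"])
    return {h: sorted(d) for h, d in by_hash.items() if len(d) >= 2}


def shared_internal_with_external(records):
    """Rule 'Shared HTTP Password Internal with External': a password hash
    used on both an internal and an external domain."""
    internal, external = defaultdict(set), defaultdict(set)
    for r in records:
        (internal if r["internal"] else external)[r["pw_hash"]].add(r["domain"])
    return {h: {"internal": sorted(internal[h]), "external": sorted(external[h])}
            for h in internal if h in external}


# Constructed sample for the browsing rule: visits flagged by a reputation feed.
SAMPLE_HIGH_RISK_VISITS = [
    "http://phish.example.test/a",
    "http://fraud.example.test/b",
    "http://phish.example.test/c",
]


def high_risk_browsing(visits, threshold: int):
    """Rule 'High Risk Browsing': fires when the number of flagged visits in
    the window exceeds the threshold; keeps only the count and the URLs."""
    if len(visits) <= threshold:
        return None
    return {"count": len(visits), "urls": sorted(set(visits))}


if __name__ == "__main__":
    recs = [make_record(s) for s in SAMPLE_SUBMISSIONS]
    print("plain HTTP:", plain_http_credentials(recs))
    print("reused externally:", shared_password_external(recs))
    print("shared internal/external:", shared_internal_with_external(recs))
    print("high-risk browsing:", high_risk_browsing(SAMPLE_HIGH_RISK_VISITS, 2))
```

Running the script on the constructed data flags the forum login as a plain HTTP submission, reports the `Summer2024!` hash as reused on `forum.example.com` and `shop.example.net`, and reports the same hash as shared between the intranet and those two external domains; the banking password appears on a single domain and is not reported. Only hashes, domains and URLs ever reach the records, which is the property the text above promises.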