Access control policies aim to balance security and end user productivity, yet often fall short due to their static nature and limited ability to adapt to evolving threats. But what if there was an easy way to automate access control per user, considering individual risk factors and staying up-to-date with the latest advanced attacks?
Zscaler User Risk Scoring takes dynamic access control and risk visibility to the next level, using records of previous behavior to determine future risk.
Similar to how insurance companies use driving records to determine car insurance rates, or banks use credit scores to assess loan eligibility, user risk scoring leverages previous behavior records to assign risk scores to individual users. This allows organizations to set dynamic access control policies based on various risk factors, accounting for the latest threat intelligence.
User risk scoring empowers organizations to restrict access to sensitive applications for users with a high risk score until their risk profile improves. By considering factors such as past victimization by cyberattacks, near-misses with malicious content, or engagement in behavior that could lead to a breach, organizations can ensure that access control policies are tailored to individual risk profiles.
Organizations can set user risk thresholds to allow or deny access to both private and public applications.
How does user risk scoring work?
User risk scoring plays a crucial role across the Zscaler platform, driving policies for URL filtering, firewall rules, data loss prevention (DLP), browser isolation, and Zscaler Private Access (ZPA), and feeding into overall risk visibility in Zscaler Risk360. By leveraging user risk scores within each of these security controls, organizations can better protect all incoming and outgoing traffic from potential threats.
URL filtering rules are one way that risk scoring can be applied to policies within Zscaler Internet Access (ZIA).
The risk scoring process consists of two components: the static (baseline) risk score and the real-time risk score. The static risk score is established based on a one-week lookback at risky behavior and is updated every 24 hours. The real-time risk score modifies this baseline every 2 minutes throughout the day, updating whenever a user interacts with known or suspected malicious content. Each day at midnight, the real-time risk score is reset.
Zscaler considers more than 65 indicators that influence the overall risk score. These indicators fall into three major categories: pre-infection behavior, post-infection behavior, and more general suspicious behavior. The model accounts for the fact that not all incidents are equal; each indicator has a variable contribution to the risk score based on the severity and frequency of the associated threat.
Pre-infection behavior indicators encompass a range of blocked actions that would have led to user infection, such as blocked malware, known and suspected malicious URLs, phishing sites, pages with browser exploits, and more.
Post-infection behavior indicators include things like detected botnet traffic or command-and-control traffic, which show that a user/device has already been compromised.
Suspicious behavior indicators are similar to pre-infection indicators but are less severe (and less guaranteed to lead to infection), covering policy violations and risky activities like browsing deny-listed URLs, DLP compliance violations, anonymizing sites, and more.
*A more detailed sampling of these indicators is included at the bottom of this article.
How can Zscaler customers use risk scoring?
User risk scores can be found in the analytics and policy administration menus of both Zscaler Internet Access (ZIA) and Zscaler Private Access (ZPA). They are also woven together with a range of additional inputs in Zscaler Risk360, which allows security teams to delve deeper into their organization’s holistic risk.
Organizations can monitor risk scores for individuals and for the overall organization.
Zscaler also has deep integrations with many leading security operations tools, allowing the same telemetry and incident alert context that feeds into risk scoring to be shared with tools like SIEM, SOAR, and XDR via a REST API to streamline workflows.
These scores can be used to:
Drive access control policies
User risk scoring gives network and security teams a powerful tool for driving low-maintenance zero trust access control policies, controlling both incoming and outgoing internet and application traffic. It can be combined with other dynamic rulesets (e.g., device posture profiles) and static rulesets (e.g., URL and DNS filtering and app control policy) to protect organizations from breaches without unnecessarily restricting user productivity.
User risk, device posture, and other access policies work together seamlessly to optimize secure access.
Monitor overall organizational risk and key factors that can be improved
Admins can monitor their company risk over time to assess the top areas of overall company risk and prioritize remediation efforts. They can see how risk scores are distributed across users and locations, and can benchmark their risk score against other companies in their industry.
Company risk scores can be analyzed over time against industry benchmarks.
Monitor risky users on an individual basis and understand how (and why) their risk is trending
If a user’s risk score spikes, admins can take action, whether that be isolating that user’s machine to deal with an active threat, or simply training a user that certain behaviors are posing an unacceptable risk.
Admins can analyze individual users and double-click into specific incidents.
Overall, Zscaler User Risk Scoring, with its categorization of threats and aggregation of logs, offers valuable insights into an organization’s security posture. By understanding the different types of risks and behaviors associated with cyberthreats, organizations can implement dynamic access control policies and proactively protect their critical assets and data. With risk scoring, organizations can navigate the ever-changing threat landscape with confidence.
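To make the two-component model described in "How does user risk scoring work?" and the risk-plus-posture policy described above concrete, here is an added toy model; it is not Zscaler's algorithm or code. It keeps the structure the article gives (a baseline from a 7-day lookback recomputed once a day, a real-time component that accumulates through the day and resets at midnight, three indicator categories with different weights, and a threshold decision that also checks device posture), while all weights, thresholds, indicator names and the sample telemetry are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical category weights: evidence that a device is already compromised
# (post-infection) weighs far more than a blocked download or a policy violation.
CATEGORY_WEIGHT = {"pre_infection": 10, "post_infection": 40, "suspicious": 4}

# Indicator names modelled on the article's sample list, mapped to its three categories.
INDICATOR_CATEGORY = {
    "malware_blocked": "pre_infection", "phishing_blocked": "pre_infection",
    "botnet_traffic": "post_infection", "c2_traffic": "post_infection",
    "denylisted_url": "suspicious", "dlp_violation": "suspicious",
}

@dataclass(frozen=True)
class Event:
    when: datetime
    indicator: str

def weight(ev: Event) -> int:
    return CATEGORY_WEIGHT[INDICATOR_CATEGORY[ev.indicator]]

def last_midnight(now: datetime) -> datetime:
    return now.replace(hour=0, minute=0, second=0, microsecond=0)

def static_score(events: list[Event], now: datetime, lookback_days: int = 7) -> int:
    """Baseline recomputed once a day: weighted sum of events in the 7 days before the
    most recent midnight. Summing means repeated hits raise the score (frequency)."""
    end = last_midnight(now)
    start = end - timedelta(days=lookback_days)
    return min(sum(weight(e) for e in events if start <= e.when < end), 100)

def realtime_score(events: list[Event], now: datetime) -> int:
    """Intra-day component: only events since midnight count, so it resets every day."""
    return min(sum(weight(e) for e in events if last_midnight(now) <= e.when <= now), 100)

def user_risk(events: list[Event], now: datetime) -> int:
    return min(static_score(events, now) + realtime_score(events, now), 100)

def access_decision(risk: int, posture_compliant: bool, sensitive_app: bool,
                    deny_at: int = 60, isolate_at: int = 30) -> str:
    """Risk threshold combined with a device-posture check (thresholds are assumptions).
    A non-compliant device is denied whatever its score; high risk denies sensitive
    apps and isolates other traffic; mid-range risk gets browser isolation."""
    if not posture_compliant:
        return "deny"
    if risk >= deny_at:
        return "deny" if sensitive_app else "isolate"
    return "isolate" if risk >= isolate_at else "allow"

# Constructed telemetry for one user; timestamps and indicators are made up.
NOW = datetime(2024, 3, 14, 10, 30)
SAMPLE_EVENTS = [
    Event(datetime(2024, 3, 1, 8, 0), "dlp_violation"),     # outside the 7-day window
    Event(datetime(2024, 3, 9, 9, 0), "phishing_blocked"),
    Event(datetime(2024, 3, 11, 14, 5), "denylisted_url"),
    Event(datetime(2024, 3, 11, 14, 7), "denylisted_url"),  # repeat hit counts again
    Event(datetime(2024, 3, 13, 23, 50), "malware_blocked"),
    Event(datetime(2024, 3, 14, 10, 12), "c2_traffic"),     # today: real-time bump
]

if __name__ == "__main__":
    for label, events in (("before C2 hit", SAMPLE_EVENTS[:-1]), ("after C2 hit", SAMPLE_EVENTS)):
        risk = user_risk(events, NOW)
        print(f"{label}: risk={risk} -> {access_decision(risk, True, True)}")  # 28 allow / 68 deny
```

The same user goes from "allow" to "deny" on a sensitive application within minutes of the C2 detection; after the next daily recompute that event rolls into the baseline and the real-time component returns to zero.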
To learn about more of Zscaler\u2019s unique inline security capabilities, check out our Cyberthreat Protection page.
Sample Indicators for User Risk Scoring
- Pre-infection behavior includes a range of blocked actions that would have likely led a user to be infected, such as:
  - Malware blocked by Zscaler’s Advanced Threat Protection or inline Sandbox
  - Blocked known and suspected malicious URLs
  - Blocked websites with known and suspected phishing content
  - Blocked pages with known browser exploits
  - Blocked known and suspected adware and spyware
  - Blocked pages with a high PageRisk score
  - Quarantined pages
  - Blocked files with known vulnerabilities
  - Blocked emails containing viruses
  - Detected mobile app vulnerabilities
- Post-infection behavior includes a range of blocked actions that were attempted after a user was infected, such as:
  - Botnet traffic
  - Command-and-control traffic
- Suspicious behavior includes policy violations and other risky sites, files, and conditions that could lead to infection, such as:
  - Deny-listed URLs
  - DLP compliance violations
  - Pages with known dangerous ActiveX controls
  - Pages vulnerable to cross-site scripting attacks
  - Possible browser cookie theft
  - Internet Relay Chat (IRC) tunneling use
  - Anonymizing sites
  - Blocks or warnings from secure browsing about an outdated/disallowed component
  - Peer-to-peer (P2P) site denials
  - Webspam sites
  - Attempts to browse blocked URL categories
  - Mobile app issues, including denial of the mobile app, insecure user credentials, location information leaks, personally identifiable information (PII), information identifying the device, or communication with unknown servers
  - Tunnel blocks
  - Fake proxy authentication
  - SMTP (email) issues, including rejected password-encrypted attachments, unscannable attachments, detected or suspected spam, rejected recipients, DLP blocks or quarantines, or blocked attachments
  - IPS blocks of cryptomining & blockchain traffic
  - Reputation-based blocks of suspected adware/spyware sites
  - Disallowed use of a DNS-over-HTTPS site