Outlier Detection

Enable and start auditing outlier detection in two easy steps, letting Guardium do the work of identifying abnormal server and user behavior, and providing early detection of possible attacks.

An outlier is behavior by a particular source (in DAM either a database or a particular user on a database, and in FAM either a server or an OS user), in a particular time period or scope that is outside of the “normal” time frame or scope of the particular database or user's activity. Outliers can indicate a security violation that is taking place, even if the activities themselves do not directly violate an existing security policy.

User activity that is identified as a suspected outlier includes:
  • User accessing a table for the first time
  • User selecting specific data in a table that they have never selected before
  • Exceptional volume of errors. For example, an application generates more SQL errors than it has in the past. This could indicate that there is a SQL injection attack in progress.
  • Activity that itself is not unusual, but its volume is unusual
  • Activity that itself is not unusual, but the time of activity is unusual. For example, a DBA is accessing a particular table more frequently than in the past. This could indicate that the DBA is slowly downloading small amounts of data over time.

Database activity that is identified as a suspected outlier includes:
  • Exceptional volume of errors
  • Activity that itself is not unusual, but its volume is unusual
  • Activity that itself is not unusual, but the time of activity is unusual
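To make the listed categories concrete, here is an added illustration (not Guardium's outlier mining code, whose models are not described on this page): a per-user baseline is built from constructed audit records, and a new day's records are flagged for first-time table access, activity at an hour never seen before, and an error count well above the user's usual daily maximum. The record layout, the 3x error factor and all names are assumptions.

```python
"""Constructed illustration of the outlier categories above; not Guardium's algorithm."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed audited activity: (timestamp, user, table, is_error)
HISTORY = [
    ("2024-03-01 09:15", "alice", "orders", False),
    ("2024-03-01 10:05", "alice", "orders", False),
    ("2024-03-02 09:40", "alice", "customers", False),
    ("2024-03-02 11:20", "alice", "orders", True),
    ("2024-03-03 14:30", "alice", "customers", False),
    ("2024-03-01 22:10", "batch", "orders", False),
]
NEW = [
    ("2024-03-04 09:30", "alice", "orders", False),    # normal
    ("2024-03-04 02:15", "alice", "salaries", False),  # new table, odd hour
    ("2024-03-04 10:00", "alice", "orders", True),     # 4 errors in one day
    ("2024-03-04 10:01", "alice", "orders", True),
    ("2024-03-04 10:02", "alice", "orders", True),
    ("2024-03-04 10:03", "alice", "orders", True),
    ("2024-03-04 22:11", "batch", "orders", False),    # normal
]

def build_baseline(records):
    """Per user: tables touched, hours active, errors per day."""
    base = defaultdict(lambda: {"tables": set(), "hours": set(), "errors": Counter()})
    for ts, user, table, is_error in records:
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        base[user]["tables"].add(table)
        base[user]["hours"].add(t.hour)
        if is_error:
            base[user]["errors"][t.date()] += 1
    return base

def find_outliers(baseline, new_records, error_factor=3):
    """Return (user, reason) pairs for records that deviate from the baseline."""
    findings, new_errors = [], Counter()
    for ts, user, table, is_error in new_records:
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        b = baseline.get(user)          # .get() does not create a new entry
        if b is None:
            findings.append((user, "no baseline for this user"))
            continue
        if table not in b["tables"]:
            findings.append((user, "first access to table " + table))
        if t.hour not in b["hours"]:
            findings.append((user, "activity at unusual hour %02d" % t.hour))
        new_errors[user] += is_error
    for user, n in new_errors.items():  # assumed rule: > factor x usual daily max
        usual = max(baseline[user]["errors"].values(), default=0)
        if n > error_factor * max(usual, 1):
            findings.append((user, "%d errors vs usual daily max %d" % (n, usual)))
    return findings
```

Running `find_outliers(build_baseline(HISTORY), NEW)` flags only alice, for the new table, the 02:00 activity and the error burst; the batch account's usual late-night access is not flagged.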

Outlier Mining findings are available from the Investigation Dashboard (Quick Search) and in Reports.

Outlier mining operates only on data that is already audited by a security policy. Make sure that the data you want evaluated for outliers is already audited by a security policy.

Outlier detection can run on:
  • A central manager, with data from its aggregators' collectors (except a collector that is running outlier detection locally).
  • A collector, using only its own data.
  • A central manager that receives data from aggregators that are managed by another CM. This is the multi-CM environment.