CA Privileged Access Manager - 2.8.3

Integrate with CA Threat Analytics

Last update November 2, 2017

CA Threat Analytics integrates with CA Privileged Access Manager to evaluate the risk of privileged user activity, so that threats arising from suspicious activity can be detected and mitigated. Evaluation factors include the location of the privileged user, the time and duration of the activity, the systems the user connects to, and the user's past behavior.

By continuously monitoring activity, CA Threat Analytics identifies anomalies relative to the historical behavior of each user. The analytics server returns a risk level to CA PAM. The risk level can dynamically trigger actions, such as starting session recording or prompting the user to reauthenticate.

The integration of CA Threat Analytics and CA PAM is explained in the following topics:

CA Threat Analytics and CA PAM Server Interaction

The two servers interact following this sequence:

  1. CA PAM collects event data.
    The CA PAM server collects event data and forwards it to the threat analytics server. Events include:
    • Logging in and out of the CA PAM server
    • Opening or closing a connection to a target device or endpoint
    New event data is forwarded immediately. Entities other than the CA PAM server might also forward events for the same users. 

  2. CA Threat Analytics analyzes event data.
    The threat analytics server performs continuous analysis on the collected data. Each known user is assigned one of the following risk levels:
    • Good
    • Suspect
    • Bad
    For each new event, the received data is compared against the past behavior of that same user. If the data is for a user who has no record on the threat analytics server, CA Threat Analytics creates a new record and begins compiling data for that user.
    Based on the continuous analysis and the historical data for a user, CA Threat Analytics might change the risk level. The server then returns the result to CA Privileged Access Manager. A risk level change does not always happen immediately after an event is received; the change might occur later.

  3. CA PAM applies mitigations.
    Depending on the returned risk level or changes to the risk level, CA PAM can take actions against users. These actions are called mitigations.

Mitigations Applied Against Threats

The risk level that CA Threat Analytics returns determines the actions that CA PAM takes against the user.

Risk Level: Good
Mitigation: None

Risk Level: Suspect
Mitigation: Session Recording
Recording begins for any connection session that is in progress and continues until the end of that session. All future connection sessions are recorded in their entirety.

Risk Level: Bad
Mitigation: Re-authentication and Session Recording
Any current login and device-connection sessions are suspended. CA PAM forces the user to re-authenticate by displaying a login window. Session recording is applied in the same way as for the Suspect level.
For all applets, session activity pauses and the applet window disappears. The re-authentication window then opens. For any TCP service, such as PuTTY or OpenSSH, the terminal window remains open, but you cannot enter anything in it.

Session Recording Mitigations When Risk Level Changes

A connection session can outlast a change in risk level. For a connection session that is in progress when the risk level changes, the following rules apply:

Risk Level Changes: Good to Suspect or Bad
Behavior:
  • A new recording of that session begins immediately.
  • Recording continues until the end of that session.
  • Subsequent connection sessions are recorded from beginning to end.

Risk Level Changes: Suspect or Bad to Good
Behavior:
  • Recording continues until the end of that session.
  • Subsequent connection sessions are not recorded, unless an applicable policy specifies session recording.
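The following model encodes the mitigation rules from the two tables above (the per-risk-level mitigations and the recording rules when the risk level changes) as a small state machine on the PAM side. It is an added illustration, not CA PAM's own code or API: the class and method names (MitigationEngine, open_session, apply_risk, reauthenticate), the per-user policy_records_sessions flag, the refusal of new connections while re-authentication is pending, and the resumption of sessions after a successful re-login are all assumptions that the page does not state.

```python
"""Illustrative model of risk-level mitigations on the PAM side.
Constructed example; not CA PAM's code. Names and the re-auth handling are assumed."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Tuple


class RiskLevel(Enum):
    GOOD = "Good"
    SUSPECT = "Suspect"
    BAD = "Bad"


@dataclass
class Session:
    """A connection session from the user to a target device."""
    session_id: str
    recording: bool = False   # once True, stays True until the session ends
    suspended: bool = False   # True while the user must re-authenticate


@dataclass
class UserState:
    username: str
    risk: RiskLevel = RiskLevel.GOOD
    reauth_required: bool = False
    # Recording required by an ordinary PAM policy, independent of risk level
    # (assumed attribute; the text only says "an applicable policy").
    policy_records_sessions: bool = False
    sessions: Dict[str, Session] = field(default_factory=dict)


class MitigationEngine:
    """Applies the risk level returned by the analytics server to a user."""

    def __init__(self) -> None:
        self.users: Dict[str, UserState] = {}
        self.audit: List[Tuple[str, str, str]] = []  # (user, action, detail)

    def _user(self, username: str) -> UserState:
        return self.users.setdefault(username, UserState(username))

    def _log(self, username: str, action: str, detail: str = "") -> None:
        self.audit.append((username, action, detail))

    def open_session(self, username: str, session_id: str) -> Session:
        """Open a connection; recording depends on the risk level at open time."""
        user = self._user(username)
        if user.reauth_required:
            # Assumption: no new connections while re-authentication is pending.
            raise PermissionError(f"{username} must re-authenticate first")
        recording = user.risk is not RiskLevel.GOOD or user.policy_records_sessions
        session = Session(session_id, recording=recording)
        user.sessions[session_id] = session
        if recording:
            self._log(username, "record", session_id)
        return session

    def close_session(self, username: str, session_id: str) -> None:
        """End a connection; any recording of it ends with it."""
        self._user(username).sessions.pop(session_id)

    def apply_risk(self, username: str, new_risk: RiskLevel) -> None:
        """Handle a risk level returned (or changed) by the analytics server."""
        user = self._user(username)
        old_risk, user.risk = user.risk, new_risk
        self._log(username, "risk", f"{old_risk.value}->{new_risk.value}")
        if new_risk is RiskLevel.GOOD:
            # Recordings already in progress run to the end of their session;
            # nothing is stopped and no new mitigation is applied.
            return
        # Suspect or Bad: every session in progress is recorded from now on.
        for session in user.sessions.values():
            if not session.recording:
                session.recording = True
                self._log(username, "record", session.session_id)
        if new_risk is RiskLevel.BAD:
            # Bad additionally suspends all sessions and forces a new login.
            user.reauth_required = True
            for session in user.sessions.values():
                session.suspended = True
            self._log(username, "reauth", "")

    def reauthenticate(self, username: str, success: bool) -> None:
        """Assumption: a successful re-login resumes the suspended sessions."""
        user = self._user(username)
        if success:
            user.reauth_required = False
            for session in user.sessions.values():
                session.suspended = False


def scenario() -> List[Tuple[str, str, str]]:
    """Walk one user through Good -> Suspect -> Good -> Bad; return the audit trail."""
    engine = MitigationEngine()
    engine.open_session("alice", "ssh-1")           # Good: not recorded
    engine.apply_risk("alice", RiskLevel.SUSPECT)   # ssh-1 recorded from now on
    engine.open_session("alice", "rdp-2")           # recorded from the start
    engine.apply_risk("alice", RiskLevel.GOOD)      # both keep recording to the end
    engine.open_session("alice", "ssh-3")           # Good again: not recorded
    engine.apply_risk("alice", RiskLevel.BAD)       # ssh-3 recorded, all suspended
    return engine.audit


if __name__ == "__main__":
    for entry in scenario():
        print(entry)
```

The audit trail produced by scenario() makes the asymmetry of the rules visible: a drop back to Good never stops a recording that is already running, while a rise to Suspect or Bad starts one on every open session immediately, and only Bad adds the suspension and forced re-login.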