Symantec™ Information Centric Analytics Planning and Configuration Guide

Version 6.5.3

Product version: 6.5.3
Documentation version: 2
This document was last updated on: March 23, 2020.

Broadcom, the pulse logo, Connecting everything, and Symantec are among the trademarks of Broadcom. Copyright © 2020 Broadcom. All Rights Reserved.

The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. For more information, please visit https://www.broadcom.com.

Broadcom reserves the right to make changes without further notice to any products or data herein to improve reliability, function, or design. Information furnished by Broadcom is believed to be accurate and reliable. However, Broadcom does not assume any liability arising out of the application or use of this information, nor the application or use of any product or circuit described herein, neither does it convey any license under its patent rights nor the rights of others.

This Symantec product may contain third party software for which Symantec is required to provide attribution to the third party (“Third Party Programs”). Some of the Third Party Programs are available under open source or free software licenses. The License Agreement accompanying the Software does not alter any rights or obligations you may have under those open source or free software licenses. Please see the Third Party Legal Notice Appendix to this Documentation or TPIP ReadMe File accompanying this Symantec product for more information on the Third Party Programs.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq. "Commercial Computer Software and Commercial Computer Software Documentation," as applicable, and any successor regulations, whether delivered by Symantec as on premises or hosted services. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.

Broadcom
1320 Ridder Park Drive
San Jose, California 95131
https://www.broadcom.com

Contents

Preface 15
Related Documentation 15
Style Conventions 15
Chapter 1: Introduction to Symantec ICA 17
Key Interface Components of Symantec ICA 17
Dashboards 18
Analyzer 18
Action Plans 18
Events 18
Vulnerabilities 18
Assets and Identities 19
Tasks for Administrators 19
Symantec ICA Installation 19
Integration Pack Configuration 19
Settings Configuration 19
Dashboard Design 20
Privileges Configuration 20
Chapter 2: Overview of the Symantec ICA Architecture 21
About the Presentation Tier 21
About the Processing Tier 22
About the Integration Tier 22
Architecture Components 23
Server Options for Symantec ICA Architecture 25
Three-server Architecture for Symantec ICA 25
Two-server Architecture for Symantec ICA 26
Chapter 3: Preparing for Symantec ICA Installation 29
Creating an Implementation Plan 29
Identifying the People Involved in the Installation 32
Identifying Data Sources and Obtaining Access 33
Identifying Potentially Long Lead-Time Items 34
Chapter 4: Prerequisites and Privileges for Installing and Administrating Symantec ICA 37
Disk Space Requirements for Symantec ICA 37
Production and Development Sizing Recommendations for Symantec ICA 38
Sizing for Three Server Architectures 38
Sizing for Two Server Architectures 39
Server Requirements for Symantec ICA 40
SQL Server Requirements for the Web and Application Server Hosting Symantec ICA 40
Microsoft IIS Server Requirements for the Web and Application Server Hosting Symantec ICA 41
Microsoft SQL Server Requirements for Hosting the Symantec ICA 42
Microsoft SQL Server Analysis Services Settings for Symantec ICA 42
TCP Port Requirements for Symantec ICA 43
Required Installation Privileges and Credentials 43
Account Credentials for Symantec ICA Installation 44
Symantec ICA Server Installation Privileges for the Application Server Hosting Symantec ICA 44
Symantec ICA Server Installation Wizard Privileges for Database Server Hosting Symantec ICA 44
Required Steady State Privileges 45
Symantec ICA Server Service Account and Steady State Usage Accounts 46
Permission Settings to Run Symantec ICA 46
Setting Permissions with Microsoft SQL Server Management Studio 46
Setting Permissions Using Scripts 47
Script to set server-level user: 47
Script to set server-level permissions: 47
Script to set access to Symantec ICA: 48
Script to create the user for any other databases or data warehouses: 49
Chapter 5: Installing Symantec ICA 51
Task 1: Reviewing the Configuration Recommendations 51
Task 2: Installing and Provisioning Using the Symantec ICA Setup Wizard 52
Task 3: Installing Integration Packs 56
Task 4: Processing Risk Fabric SQL Server Agent Jobs 56
Task 5: Verifying Installation and Operation of Symantec ICA 56
Passing Kerberos Credentials to the Symantec ICA Application Server and Microsoft SQL Server 57
Kerberos Credential Setting Prerequisites 57
Using the setspn Command to Pass Kerberos Credentials 57
Troubleshooting Kerberos Credential Settings 58
Troubleshooting Symantec ICA Processing When Using Kerberos 59
Chapter 6: Symantec ICA Configuration 61
Chapter 7: Settings Configuration 63
Configuring General Settings 65
Configuring Advanced Settings 66
Configuring Action Plan Settings in General Settings 74
Configuring Application Notification Settings 75
Configuring Application Risk Scoring Settings 76
Configuring Application Startup Tasks Settings 77
Configuring Branding Settings 77
Configuring Computer Endpoint Risk Scoring Settings 81
Configuring Custom Help Links Settings 83
Configuring Dashboard Settings 83
Configuring Data In Motion Settings in General Settings 84
Configuring Data Retention Settings 86
Configuring Email Settings 86
Configuring Event Enrichment Settings 87
Configuring Event Scenario Settings 88
Configuring Labels Settings 88
Configuring Licensing Settings 89
Configuring Metric Settings 89
Configuring Normality Scoring Settings 91
Configuring Person Risk Scoring Settings 92
Configuring Residual Risk Settings in General Settings 94
Configuring Risk and Compliance Settings 94
Configuring Risk Model Settings 95
Configuring Risk Scoring Settings 96
Configuring Risk Scoring - Overall Settings 97
Configuring Scan Exclusions Settings 98
Configuring SKETCH Settings 99
Configuring TAXII Client Settings 99
Configuring User Risk Scoring Settings 100
Configuring Vulnerability Notifications Settings 102
Adding a New Setting 103
Configuring Data in Motion Settings 104
Incident Settings 104
Incident Channels 105
Incident Protocols 105
Incident Severities 106
Incident Statuses 106
Incident Remediation Resolutions 107
Incident Remediation Reasons 107
Incident Loss Impact 108
Incident Policies 108
Remediation Action Types 109
Adding a Remediation Action Type 109
Setting Default Columns for Data In Motion Pages 111
Configuring Policy Settings 112
Creating a Policy 112
Configuring Queue Settings 112
Creating a Queue 113
Configuring Web Activity Settings 114
Configuring Vulnerabilities Settings 114
Editing Vulnerability Settings 114
Filtering the List of Vulnerabilities 115
Configuring Residual Risk Settings 116
Configuring Action Plan Settings 116
Creating an Action Plan Status 116
Creating an Action Plan Resolution 117
Creating an Action Plan Reason 117
Creating an Action Plan Priority 117
Editing an Action Plan Attribute 117
Deleting an Action Plan Attribute 117
Configuring Details Grid Configuration Settings 118
Creating a Details Grid Query 118
Configuring Entity Actions Settings 118
Creating an Entity Action 119
Configuring Notifications 120
Creating a Notification Template 120
Creating an Application Notification 120
Configuring Organizations and Regions Settings 121
Creating an Organization 121
Adding a Sub-Organization 121
Creating a Region or Country 122
Adding a Country 122
Configuring Operating Systems 122
Adding an Operating System Rule 123
Editing an Operating System Rule 123
Changing the Priority of an Operating System Rule 123
Deleting an Operating System Rule 123
Chapter 8: Risk Models Configuration 125
Creating a Risk Model 126
Editing a Risk Model 127
Deleting a Risk Model 128
Adding a Threat Type 128
Editing a Threat Type 128
Deleting a Threat Type 128
Adding an Impact Type 129
Editing an Impact Type 129
Editing an Impact Type Importance Value 129
Deleting an Impact Type 129
Editing a Likelihood Setting 130
Chapter 9: Risk Vectors Configuration 131
Creating an Analyzer Risk Vector 131
Creating a SQL Risk Vector 132
Setting the Risk Vector Order 132
Chapter 10: Entity Collections Configuration 133
Creating an Entity Collection 133
Setting Entity Collection Properties 134
Deleting an Entity Collection 134
Chapter 11: Event Scenarios Configuration 135
Creating a Time-based Event Scenario 136
Creating a Rollup Event Scenario 137
Editing an Event Scenario 139
Deleting an Event Scenario 139
Appendix A: Symantec ICA Pre-installation Checklists 141
Company Information 141
Data Sources for Symantec ICA 142
Server Sizing for Symantec ICA 142
Events to Process with Symantec ICA 143
Server Requirements for Two-Tier Architecture 143
Technical Requirements for Two-Tier Architecture 143
Microsoft IIS Web Server Infrastructure Prerequisites for Two-Tier Architecture 143
Web Server Role Services for Two-Tier Architecture 143
Windows Server Features for Two-Tier Architecture 144
Microsoft SQL Database Server for Two-Tier Architecture 145
Additional Software for Two-Tier Architecture 145
Server Requirements for Three-Tier Architecture 145
Technical Requirements for Three-tier Architecture 146
Microsoft IIS Web Server Infrastructure Prerequisites for Three-Tier Architecture 146
Web Server Role Services for Three-tier Architecture 146
Windows Server Features for Three-tier Architecture 147
Microsoft SQL Database Server for Three-tier Architecture 147
Additional Software for Three-tier Architecture 147
Microsoft SQL Server Analysis Services (SSAS) for Three-tier Architecture 148
Required Account Privileges 148
Symantec ICA Service Account Privileges 148
Symantec ICA Server Installation Wizard Privileges 149
Configuration Requirements for TCP Port 149
Kerberos Credentials 149
Microsoft SQL Database Server Settings 150
Microsoft SQL Server Analysis Server (SSAS) Settings 150
Appendix B: Symantec ICA Installation on Server Core for Microsoft Windows Server 2012 153
Task 1: Setting Up Web Server Roles and Management on Server Core 153
Task 2: Copying Installation Files and Components to Server Core 154
Task 3: Installing Symantec ICA and Components on Server Core 155
Appendix C: Encrypting the Symantec ICA Database 157
Using Transparent Data Encryption on the Symantec ICA Database 157
Appendix D: Configuring SSL 161
Task 1: Obtaining a Server Certificate 161
Task 2: Binding the Certificate to a Port 161
Task 3: Verifying the Connection to Symantec ICA Using SSL 162
Appendix E: Troubleshooting Symantec ICA 163
General Troubleshooting Tasks 163
Troubleshooting the Nightly Processing Data Load 164
Viewing Transaction Logs 164
Appendix F: Uninstalling Symantec ICA from a Server 165
Index 167

List of Tables

Table 2-1 Symantec ICA Architecture Components 24

Table 4-1 Sizing for Three Server Production Environment 38

Table 4-2 Sizing for Three Server Development Environment 39

Table 4-3 Sizing for Two Server Production Environment 39

Table 4-4 Sizing for Two Server Test Environment 39

Table 4-5 Sizing for Two Server Development Environment 40

Table 4-6 Requirements for Application Server Hosting Symantec ICA 40

Table 4-7 Microsoft IIS Server Requirements for Server Hosting Symantec ICA 41

Table 4-8 Microsoft SQL Server Requirements for the Symantec ICA Database Server 42

Table 4-9 Microsoft SQL Server Analysis Services Settings 42

Table 4-10 TCP Ports Used with Symantec ICA 43

Table 4-11 Required Installation Privileges 43

Table 4-12 Service Account Privileges 44

Table 4-13 Symantec ICA Server Setup Wizard Privileges 45

Table 4-14 Required Administration Privileges 45

Table 4-15 Service and Steady State Usage Accounts 46

Table 7-1 Advanced Settings Configuration Options 66

Table 7-2 Action Plan Settings Configuration Options 74

Table 7-3 Application Notifications Settings Configuration Options 75

Table 7-4 Application Risk Scoring Settings Configuration Options 76

Table 7-5 Application Startup Tasks Settings Configuration Options 77

Table 7-6 Branding Settings Configuration Options 78

Table 7-7 Computer Endpoint Risk Scoring Settings Configuration Options 82

Table 7-8 Custom Help Links Settings Configuration Options 83

Table 7-9 Dashboard Settings Configuration Options 84

Table 7-10 Data In Motion Settings Configuration Options 84

Table 7-11 Email Settings Configuration Options 87

Table 7-12 Event Enrichment Settings Configuration Options 87

Table 7-13 Event Scenario Settings Configuration Options 88

Table 7-14 Labels Settings Configuration Options 88

Table 7-15 Licensing Settings Configuration Options 89

Table 7-16 Metric Settings Configuration Options 90

Table 7-17 Normality Scoring Settings Configuration Options 92

Table 7-18 Person Risk Scoring Settings Configuration Options 92

Table 7-19 Residual Risk Settings Configuration Options 94

Table 7-20 Risk and Compliance Configuration Options 94

Table 7-21 Risk Model Configuration Options 96

Table 7-22 Entity Risk Scoring Settings Configuration Options 96

Table 7-23 Risk Scoring - Overall Settings Configuration Options 98

Table 7-24 Scan Exclusions Settings Configuration Options 98

Table 7-25 SKETCH Settings Configuration Options 99

Table 7-26 TAXII Client Configuration Options 99

Table 7-27 User Risk Scoring Settings Configuration Options 100

Table 7-28 Vulnerability Notifications Settings Configuration Options 102

Table 7-29 Policy Field Settings 112

Table 7-30 Vulnerability Management List Filters 115

Table 7-31 Details Query Settings 118

Table 7-32 Entity Action Field Settings 119

Preface

This guide is for Symantec ICA (Information Centric Analytics) administrators. It provides guidance about how to install, configure, and administer Symantec ICA.

Related Documentation

The following guides provide additional information about Symantec ICA:

- Symantec ICA User Guide
- Symantec ICA Administration Guide
- Symantec ICA Dashboard Designer Guide
- Symantec ICA Integration Guide
- Symantec ICA Analyzer Reference
- Symantec ICA Release Notes

Style Conventions

This guide uses the following style conventions:

Bold: Signifies user interface elements.

Italic: Indicates the titles of books and other substantial publications, or placeholder variables.

Monospace: Indicates placeholders in code examples that represent variables.

Italic Monospace: Defines code and script samples, and characters typed exactly as shown, including commands and file names.

NOTE: Alerts the reader to supplementary information.

See Also: Identifies other Symantec ICA documentation that has supplementary information.

Chapter 1

Introduction to Symantec ICA

Symantec ICA (Information Centric Analytics) actively engages all parties, from security employees and their managers to the executive board, to lower the security risks in their environment. Symantec ICA automates the analysis of security information so that it is prioritized and current. It gives your organization insight into your cyber security posture. Symantec ICA provides contextual awareness of what employees and others are doing by identifying and prioritizing bad actors and actions inside and outside your organization. This insight is key to effective cyber risk management. It allows you to act on malicious users who are related to several events, instead of just on the individual events.

Symantec ICA collects the data from your company's security monitoring tools, such as Symantec DLP, and user directory information, such as Microsoft Active Directory. It correlates and distills the data to provide a holistic view of user activity, threats and events. You get the information that you and your team need to recognize and remediate events. Any actions performed by you and your team are logged in Symantec ICA for audit compliance.

How you work with the Symantec ICA platform depends on your responsibilities. Symantec ICA provides tools for each level of the security organization to recognize and act on cyber threats. If you are an analyst, then you might use the analyzer and dashboards. If you are a responder, then you might use action plans and data in motion (DIM) pages. If you are the CISO (chief information security officer), then you might use the up-to-date dashboards and scorecards to get the data you need to track progress, and present findings to the board of directors.

Key Interface Components of Symantec ICA

The following are the key components of the Symantec ICA interface. Whether a component is available to a user depends on that user's privileges. For example, only Symantec ICA users with the Can View Analyzer privilege can view the analyzer.


Dashboards

Dashboards are the interface for all underlying security risk metrics that provide reporting throughout Symantec ICA. The metrics are organized and listed by groups, referred to as scorecards, so that users can navigate and view metrics that meet their particular interests. Scorecards are collections of risk metrics, such as DLP events and behaviors, that can be customized to align key values or intersections of data points with business goals. In addition to scorecards, the Dashboards section contains out-of-the-box and custom dashboards. The custom dashboards display custom content for specific users and groups, such as management or security response personnel.

Analyzer

The analyzer helps users view, organize, and summarize data into on-demand, personalized views and reports.

Action Plans

Action Plans provide users with workflows that let security personnel interact with each other to resolve the threats and vulnerabilities that have been identified by Symantec ICA. This enables organizations to monitor their risk mitigation workflows and track the progress of specific risk mitigation activities. Action plans ensure that every threat and vulnerability is assigned to a mitigator who can resolve and remediate the threat or vulnerability, and then report the resolution back to their team or manager. Managers can track the progress and resolution of threats and vulnerabilities to ensure compliance and resolution.

Events

The Events pages present security personnel with the top data in motion, authentication, endpoint protection, and web activity events in the environment. The pages are the entry points for reviewing and responding to prioritized risk information at a high level, sorted into specific groups based on issue type, such as suspicious authentication events or visits to known malicious IP addresses.

Vulnerabilities

The Vulnerabilities section allows security personnel to effectively manage the vulnerabilities and configuration issues related to their associated applications, as well as manage false positive reports and exceptions. The data represented in the section includes vulnerabilities and configuration issues that have been escalated by the security team. False positive reports are vulnerabilities that were marked as risks by the system but whose causes are known and have business decisions associated with them. Exceptions are issues that do not need remediation, such as a test system that is missing current patches. The exceptions are attached to findings, and include a justification.

This section helps security personnel see a clear picture of the application, computer, and web vulnerabilities on a per-user basis. Symantec ICA provides the ability to change viewpoints to see information across the organization or for a specific individual. The end result is a complete understanding of the issues and risks related to the environment, equipping security personnel with the information they need to make informed decisions towards remediation.

Assets and Identities

The Assets and Identities sections present information about objects or persons that have been identified as security threats. Each asset and identity has a details page including information about its risk rating, events, location, and IP address. The out-of-the-box risk ratings are low, high, critical, and urgent. The ratings can be changed by the Symantec ICA administrator.

Tasks for Administrators

There are many duties related to Symantec ICA administration.

- Symantec ICA Installation
- Integration Pack Configuration
- Settings Configuration
- Dashboard Design
- Privileges Configuration

Symantec ICA Installation

The Symantec ICA installation wizard guides you through the installation process. Prior to Symantec ICA installation, you must review the required privileges and prerequisites to ensure a successful installation. During installation, the application and database components are set up. After installation, you use integration packs to pull user and organization data, and then process the Symantec ICA agent jobs.

See Also: Symantec ICA Planning and Configuration Guide

Integration Pack Configuration

Integration packs define the mappings from data sources to Symantec ICA. The integration administrator uses the predefined integration packs to pull data, and uses the integration wizard to write queries that pull data from other data sources into a Symantec ICA staging table. The administrator then uses the wizard to map the data source staging tables to the appropriate Symantec ICA tables.

See Also: Symantec ICA Integration Guide

Settings Configuration

Symantec ICA settings define the user experience and options. The settings range from changing the interface colors and adding default messages to defining policies and entity actions on the toolbar. Symantec ICA is highly configurable to meet your organization's needs. The following are examples of what you can configure:

- Symantec ICA comes with the predefined Data In Motion actions Escalate, Resolve, and Dismiss. You can add other actions, such as Investigate and Send to Training, or disable the predefined actions.
- The default colors for Symantec ICA may not match your organization's standard interface colors. You can set the colors of the Symantec ICA menus and header to match your organization's colors.

Dashboard Design

Dashboards provide a high-level view of the organization's threats and vulnerabilities. There are out-of-the-box dashboards and custom dashboards. The dashboard administrator is responsible for making the dashboards available to the different users of Symantec ICA. For example, the administrator can create and group one set of dashboards for upper management and another set for line-of-business owners.

See Also: Symantec ICA Dashboard Designer Guide

Privileges Configuration

You set privileges to manage Symantec ICA access and interaction. You can set which dashboards, sections, and actions are available to a user or role. For example, there are privilege options that allow a user to view all metrics, or to have access only to specific metric types related to specific organizations or countries. Another user might have privileges only to view the Symantec ICA analyzer. Privileges can be granted to users and roles as needed. A group inherits its privileges from the users and roles in the group.

Chapter 2

Overview of the Symantec ICA Architecture

The Symantec ICA (Information Centric Analytics) architecture is logically divided into tiers. This follows the best practice of separating data and functionality for multi-tier, web-enabled applications. Data flows from the integration tier to the presentation tier. The tiers are as follows:

- Presentation tier: User section and administration section of Symantec ICA
- Processing tier: Data aggregation, data processing, and analytics processing
- Integration tier: Data collection and integration, data filtering, and data normalization

See Also: "Server Requirements for Symantec ICA" on page 40

About the Presentation Tier

The presentation tier provides the Symantec ICA interface to users and administrators. The Symantec ICA application is web-enabled, and divided into the user sections and the administration section.

The user sections contain the following options:

- Dashboards, out-of-the-box and custom
- Authentication events
- Analyzer views, out-of-the-box and custom
- Events and incidents
- Vulnerabilities, such as configuration issues and host vulnerabilities
- Assets, such as computer endpoints and applications
- Identities, such as users

Users perform the following tasks:

- Create action plans
- View security threats and vulnerabilities
- Act on security threats and vulnerabilities
- Investigate events and incidents
- Review key performance indicators and metrics
- Analyze data

The data is up-to-date, and filtered based on a user's responsibilities. The Symantec ICA analyzer is a search and analytics tool for ad-hoc analysis of the underlying data integrated into Symantec ICA. It allows users to directly browse the Symantec ICA data, create saved searches, metrics, and so on.

The administration section has the following sections:

- Settings: Define policies, actions, and risk settings, and configure the Symantec ICA interface.
- Integration: Define data sources and mappings to pull data into Symantec ICA using the integration wizard.
- Dashboards: Create user-specific dashboards with the dashboard wizard based on analyzer queries.
- Privileges: Configure user and role privileges, and group configuration, with the ability to limit what data Symantec ICA users see, and what functionality they are able to use in Symantec ICA.

NOTE: The options available in the administration section can be limited based on the user and role privilege settings. For example, one administrator may have privileges to only work with the dashboard wizard, while another may have privileges to work only on Data in Motion settings and remediation actions.

About the Processing Tier

The processing tier is the core of the Symantec ICA platform. Microsoft SQL Server and Microsoft SQL Server Analysis Services function in this tier. This tier runs the processing and analysis of vast quantities of incident, event, and other security data. This tier performs the following tasks:

- Data aggregation
- Behavior analytics
- Risk analysis

The processing tier also transfers the Symantec ICA data into the multi-dimensional analyzer, and processes the data. The analyzer allows users to compare disparate data sets, and view that data in an optimized fashion.

About the Integration Tier

The integration tier imports data from numerous data sources to either Symantec ICA staging tables, or to individual data warehouses tailored for the data sources. The data may be imported using a push from the data source or by a pull from Symantec ICA import utilities. The goal is to get data into Symantec ICA from any data source, and to do this in a sustainable, automated manner that does not require administrative overhead. The data is collected, filtered, and normalized in Symantec ICA. Depending on the integration process, data is imported into Symantec ICA staging tables or into specialized data warehouses.

When using a database-to-database connection from a platform or security product to Symantec ICA, the data is copied into Symantec ICA staging tables specific to that product or platform. The data is then normalized with data from similar sources, and moved into Symantec ICA tables in a consolidated and cohesive manner.

When an API or listener is used, or when the data is pushed in bulk, the data is staged in a data warehouse. That data warehouse contains tables for all of the data. If a Symantec ICA import utility is used, then the data warehouse also contains information essential to its function, for example the configuration and authentication parameters necessary to establish a connection to the data source. The data warehouse contains a history of the data pulls that have occurred, and data watermarks for efficiency.

The Symantec ICA integration wizard is used to define the parameters when pulling data from a custom database, a legacy system, or extracted data. At a high level, the integration wizard pulls data from databases, flat files, and log aggregation platforms. The integration wizard uses targeted queries to pull data from these disparate sources, and maps the data into specific, normalized Symantec ICA entities and security event types. Once a mapping is complete and functional, the mapping job runs automatically according to an administrator-defined schedule.

Architecture Components

The following graphic shows the Symantec ICA tiers and their components:

The components and software of the Symantec ICA architecture are as follows:


Table 2-1 Symantec ICA Architecture Components

Component: Application and Web Server
Software: Microsoft Internet Information Services
Description: The Symantec ICA web application uses Microsoft Internet Information Services (Microsoft IIS). In some environments, Symantec ICA is the only application being served by Microsoft IIS, and is on a dedicated server. The Microsoft IIS administrative tool is used for configuring the Microsoft IIS application, including port numbers, HTTPS, SSL configuration, and encryption.

Component: Database Software
Software: Microsoft SQL Server
Description: This component is the Symantec ICA relational database, one or more product-specific data warehouses, database views, Symantec ICA stored procedures, and linked servers. The linked servers are connections from the Microsoft SQL Server instance to other databases or data sources. Microsoft SQL Server Management Studio (Microsoft SSMS) is used for administration of Symantec ICA databases.

Component: Multi-dimensional Database
Software: Microsoft SQL Server Analysis Services
Description: Microsoft SQL Server Analysis Services (Microsoft SSAS) is a separate and distinct product from Microsoft SQL Server. It is not a relational database platform. It is a multi-dimensional data storage platform and analytics engine. The data is accessed using a query language called MDX, which is separate and distinct from SQL. Microsoft SSMS is the primary administrative tool for the Symantec ICA cube.

Component: User and Administrator sections
Software: Symantec ICA
Description: The user sections provide the platform for Symantec ICA users to interact with the application. The administration section provides the ability to configure privileges, and Symantec ICA features and data.

Component: Integration Packs
Software: Various
Description: Integration packs pull data from major third-party security products, and other widely-used enterprise tools and products. The Symantec ICA integration packs enable out-of-the-box configuration and data integration after Symantec ICA installation.

Component: Integration Wizard Adapters
Software: Defined by administrator
Description: The integration wizard adapters provide the ability to connect, query, and provide protocol-specific transport of data from an external data source to Symantec ICA. This includes database platforms, which are the most frequently used integration data sources, and other platforms such as LDAP or CSV flat files.

Component: Server Operating System
Software: Microsoft Windows Server 2016
Description: The Microsoft Windows operating system runs each Symantec ICA server.

Component: Log Integration Wizard Adapters
Software: Various integration adapters
Description: The logger integration wizard adapters provide the ability to connect, query, and provide protocol-specific data transport from the following SIEM platforms:
- Symantec ICDx (Integrated Cyber Defense)
- HP ArcSight
- IBM QRadar
- Splunk Enterprise

Server Options for Symantec ICA Architecture

Symantec ICA uses a three-server architecture or a two-server architecture. The following sections describe the architectures.

NOTE: Symantec ICA can be installed on one server, but Symantec recommends using at least two servers for production environments.

Three-server Architecture for Symantec ICA

The three-server architecture is the preferred Symantec ICA architecture, and it is the default architecture for large installations. The servers should be dedicated exclusively for Symantec ICA, and not shared with other applications or services.

In this architecture, the presentation tier is located on the Web and Application Server, and the processing and integration tiers are distributed between the Microsoft SQL Server and Microsoft SSAS servers. The following table describes the three servers:

Web and Application server (Presentation tier):

• Microsoft IIS

• Symantec ICA application, which provides all the functionality of the user and administrator sections

Microsoft SQL Server server (Processing and Integration tiers):

• Microsoft SQL Server applications

• Microsoft Integration Services

• Microsoft SSMS for management of the components, databases, and cubes

• Microsoft SQL Server Agent to run jobs, and Symantec ICA jobs

• Symantec ICA database and data warehouses used by import utilities and data pushing mechanisms

• Symantec ICA integrations, import utilities, and database tools

Microsoft SQL Server Analysis Services server (Processing tier and, optionally, Integration tier):

• Microsoft SSAS application

• Symantec ICA and Metric History cubes

The three-server architecture requires more effort initially to set up the Microsoft applications. It also requires that all Symantec ICA prerequisites are installed on both the web application server and the database server instead of on one server. In general, this architecture is easier and less time-consuming to manage for the life cycle of the Symantec ICA platform.

Two-server Architecture for Symantec ICA

The two-server architecture is common at small, medium, and even some large installations. In this architecture, the presentation tier is on the Web and Application Server, and the other two tiers are on a single server. Both servers should be dedicated exclusively for Symantec ICA, and not shared with other applications or services. The following table describes the two servers:

Web and Application Server (Presentation tier):

• Microsoft IIS

• Symantec ICA application, which provides all of the functionality in the user and administrator sections

Microsoft SQL Server and Microsoft SQL Server Analysis Services server (Processing and Integration tiers):

• Microsoft SQL Server

• Microsoft SSAS

• Microsoft IIS

• Microsoft SSMS for management of the various components, databases, jobs and job schedules, and cubes

• Microsoft SQL Server Agent to run jobs, and Symantec ICA jobs

• Symantec ICA database and data warehouses used by import utilities and data pushing mechanisms

• Symantec ICA integrations, import utilities, and database tools

• Symantec ICA and Metric History cubes

Organizations that have hardware constraints or small-to-medium implementations should consider the two-server architecture. Given proper configuration, this architecture works well. It does require more time initially to implement, and more attention for its life cycle, particularly in the areas of job processing durations and performance tuning.

Microsoft SQL Server and Microsoft SSAS are both resource-intensive applications that allocate and use system resources in different ways. They compete with each other for resources, in particular, server memory. Because of this, the default Microsoft configuration parameters cannot be used. The parameters must be changed so that each Microsoft application gets an appropriate amount of system resources, but not so much as to impact the other applications.

As the data set grows, the configurations may need to be changed or tuned to improve performance. Additional server resources may need to be added, which requires a review of the Microsoft SSAS configuration parameters.

For hardware sizing, it is assumed that all servers are dedicated exclusively for Symantec ICA. Of the primary system resources (processors, memory, network, and storage), the resources for storage are the most difficult to estimate for the Symantec ICA life cycle. The following items impact the storage calculations:

• Size of the initial data sets

• Volatility or weekly growth of the data sets

• Data retention policies

• Space for TEMPDB database and log files

• Space for backups

Chapter 3

Preparing for Symantec ICA Installation

This chapter describes tasks that help ensure a successful Symantec ICA (Information Centric Analytics) installation. The tasks help you gather the data needed to perform the installation, and also identify steps that might slow down or block the installation. This chapter contains the following topics:

• Creating an Implementation Plan

• Identifying the People Involved in the Installation

• Identifying Data Sources and Obtaining Access

• Identifying Potentially Long Lead-Time Items

Creating an Implementation Plan

Prior to installing and configuring Symantec ICA, you and your team should create an implementation plan. The following questions should be considered and answered when creating the plan:

• What issues are solved by Symantec ICA?

Discuss and document known issues for the users and the organization. Determine if the initial solution can solve the problems, or if additional data sources or follow-on configuration may be required to address the issues.

Document the general and specific goals of all user groups and stakeholders. This information aids in designing the solution configuration. It also helps to determine the type of user training needed post-installation. Any goals that are not satisfied by the initial installation can become the next steps or the next phase of the Symantec ICA project.

• Who will have access to the Symantec ICA administration section? How will their responsibilities be divided?

The administration section provides access to Symantec ICA configuration settings, dashboard administration, privileges, and integration. Symantec ICA administrators can have access to all options, or just one or two. For example, an administrator may be given privileges to create and edit policy settings. Another administrator may be given privileges to administer all settings, including policy settings.

• Who will be using the Symantec ICA sections? What will their privileges be?

Users can have access to all Symantec ICA sections or be limited to a subset. For example, a user could have access to use the Symantec ICA analyzer and to view Assets, but not be able to remediate issues. Define and document who will use Symantec ICA, including their titles and functional roles.

• What roles and groups will be defined for Symantec ICA?

Roles and groups allow you to set privileges for users based on similar responsibilities. Role privileges are additive with user privileges. Groups do not have assigned privileges. They inherit their privileges from the user that the group is assigned to by the system administrator.

• When will Symantec ICA be installed and configured for use?

Document any required or desired delivery dates. If these are hard dates, document why that is the case. When setting dates, it is recommended that you explore other projects that could affect the Symantec ICA implementation. An example of potential conflict is a project to upgrade the software for a Symantec ICA data source platform either during or before the Symantec ICA project begins.

See Also: "Identifying the People Involved in the Installation" on page 32 and "Identifying Potentially Long Lead-Time Items" on page 34

• Will Symantec ICA use a two-server architecture or a three-server architecture?

Symantec ICA and Analysis Services can be on the same or separate servers. When they are installed on the same server, allocate 50% of the server memory to each.

Define the architecture layout, and include a diagram that shows the physical architecture. A drawing of the physical architecture makes the design easier to visualize, and concrete in nature. Document the reasons for using a two-server or three-server architecture, and the rationale for that decision.

See Also: "Server Options for Symantec ICA Architecture" on page 25 and "Disk Space Requirements for Symantec ICA" on page 37

• What performance setting will be used for power options?

Symantec recommends selecting the High Performance option for processor power. This option provides maximum energy to the CPUs.

• Will Secure Sockets Layer (SSL) be configured for Symantec ICA?

SSL provides an encrypted connection between the Symantec ICA server and the client computers.

See Also: "Configuring SSL" on page 161

• What type of encryption will be used for Microsoft SQL Server Analysis Services (Microsoft SSAS) data?

See Also: "Encrypting the Symantec ICA Database" on page 157

• What data sources will be used for pulling authentication, incident, and event data? What data sources will be used for pulling vulnerability data, such as host and code vulnerabilities?

Data sources are the authentication and monitoring tools used to gather data at your organization. Common data sources are Microsoft Active Directory, Symantec DLP, FireEye NX, and McAfee Vulnerability Manager. Symantec ICA uses integration packs to pull data from the sources to the Symantec ICA staging tables.

List each data source that needs to provide data to Symantec ICA. The data source information includes details such as system ownerships, and who can grant access to the systems or data.

See Also: "Identifying Data Sources and Obtaining Access" on page 33

• Are there integration packs for your data sources available from Symantec?

Symantec has several predefined integration packs. If an integration pack is not available for a data source used in your environment, then you can use the Symantec ICA integration wizard to define the queries to pull the data, and map the data to the Symantec ICA tables.

• What policies will be defined?

You define policies to align with corporate initiatives. Policies in Symantec ICA have settings for risk weights, and normality. Risk weights allow certain policies to contribute more to a risk score. Examples of policies are "Monitor email messages for confidential data," or "Confidential files sent out of organization."

• Are the out-of-the-box risk vectors all you need? If not, what risk vectors will be defined? What weights will be set for the risk vectors?

Risk vectors are used to calculate risk scores, and are defined for applications, computer endpoints, IP addresses, and people. The vectors are queries defined by you, and include a risk weight. Risk weights allow certain vectors to contribute more to a risk score. For example, a failed authentication risk vector may have a weight of 5, and a successful authentication risk vector may have a weight of 1. When computing the risk score, the failed authentication provides a larger contribution to the score than the successful authentication.

• How big is your organization?

The size of an organization influences risk score ratings. Risk score ratings set the number for what is considered critical, high and low. For example, two companies want to set the number of employees that are considered critical to 5%. For a small organization with 100 employees that would be 5 employees. For an organization with 30,000 employees that would be 1,500 employees. The smaller company may want to adjust the percentage to have a slightly larger number, such as 10. The larger organization should adjust the percentage to have a more manageable number, such as 60.

• What type of dashboards are needed? Who will view them?

Dashboards provide strategic and operational visibility to executives, managers, and line-of-business owners. Dashboards are created based on the needs of the viewers. For example, a dashboard for the board of directors could show a high-level view of the security initiatives and trends. A dashboard for an application owner could have charts for the critical and high application vulnerabilities, average age of the vulnerabilities, and statuses.

See Also: "About Custom Dashboards" in Symantec ICA Dashboard Designer Guide

• Who will be responsible for creating dashboards?

Administrators can be responsible for creating all dashboards. However, other users can also be assigned privileges to create dashboards. For example, the Engineering group may request that a person in their group be assigned dashboard privileges to create Engineering-specific dashboards.

See Also:

• "Privileges Configuration" in Symantec ICA Administration Guide

• "Dashboard Configuration" in Symantec ICA Dashboard Designer Guide

Identifying the People Involved in the Installation

In a typical installation, several individuals and groups are involved in the process. Some of the people involved are as follows:

• System owners

• Process owners

• Stakeholders

• Approvers

• Access providers

• Task providers

When considering who will be involved in the Symantec ICA installation, consider the following questions:

• Who can create a service account specifically to install and manage the Symantec ICA application for the life cycle?

• Who provides access to the servers and operating system to be used to install and host Symantec ICA?

• Which individuals manage access to the Microsoft SQL Server and Microsoft SQL Server Analysis Services applications and databases?

• Who can grant sysadmin status temporarily for the installation activities?

• Who can provide read-only access to each Microsoft Active Directory domain controller?

If there are several domains, then a table should be created to document ownership and the administrative personnel.

• Who can provide read-only access to the databases for each endpoint (EP) and data loss prevention (DLP) instance?

In many cases, the provider is not the EP or DLP administrator, but the Microsoft SQL Server database administrator or Oracle database administrator. However, it is important to know the EP or DLP administrator who can authorize access to the databases, as they are usually considered the true data owners.

• Will the DLP API write back feature in Symantec ICA be used?

If DLP API write back will be used, then the DLP administrator must provide an account for DLP API write back.

Identifying Data Sources and Obtaining Access

After completing the list of people necessary for installation and implementation, gather the data necessary to perform the integrations of Symantec ICA with the various data sources. In large organizations, this can be a complicated task, especially if the data source systems are globally or geographically dispersed, or managed using a distributed strategy.

Accounts for Symantec ICA to access data sources should be non-expiring and dedicated to the Symantec ICA platform exclusively. The accounts should not be used by human users for any purposes.
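The account properties described above (non-expiring, dedicated, never used interactively) are the same ones the "Service accounts" long lead-time item later in this chapter refers to. The following is an added example, not part of the Symantec ICA guide, showing how to create and verify such an account with the Active Directory PowerShell module (RSAT). The account name, OU path and domain are placeholders.

```powershell
# Added example, not from the Symantec ICA guide: create a dedicated, non-expiring
# Active Directory service account for data-source access and verify its attributes.
# Assumes the ActiveDirectory module (RSAT); the account name and OU are placeholders.
Import-Module ActiveDirectory

$Name   = 'svc-ica-dlp'                               # placeholder: one account per data source type
$OuPath = 'OU=Service Accounts,DC=example,DC=local'    # placeholder OU
$Secret = Read-Host -AsSecureString -Prompt "Initial password for $Name"

New-ADUser -Name $Name -SamAccountName $Name -Path $OuPath `
    -AccountPassword $Secret -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true `
    -Description 'Symantec ICA data-source integration account; not for interactive use'

# Confirm the state the guide calls for before the DBAs grant the account read-only access.
function Test-IcaServiceAccount {
    param([string]$SamAccountName)
    $acct = Get-ADUser -Identity $SamAccountName -Properties PasswordNeverExpires, CannotChangePassword
    [pscustomobject]@{
        Account              = $acct.SamAccountName
        Enabled              = $acct.Enabled
        PasswordNeverExpires = $acct.PasswordNeverExpires
        CannotChangePassword = $acct.CannotChangePassword
        Compliant            = ($acct.Enabled -and $acct.PasswordNeverExpires -and $acct.CannotChangePassword)
    }
}

Test-IcaServiceAccount -SamAccountName $Name
```

Because the password never expires, use a long random value, store it only in the organization's secrets vault, and record the security exception that the long lead-time table notes may be required for non-expiring passwords.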

The following are some of the data sources used with Symantec ICA:

Data Source | Description
Symantec DLP | The database for each DLP platform needs to be accessed. This access is typically granted by an Oracle database administrator, after authorization is granted by the DLP application owners. Microsoft Windows authentication or database authentication can be used.
Symantec SEP | The database for each SEP instance needs to be accessed by Symantec ICA. This access is typically granted by a Microsoft SQL Server database administrator, after authorization is granted by the SEP application owners. Microsoft Windows authentication or database authentication can be used.
BlueCoat Web Proxy | Symantec ICA cannot access the BlueCoat web proxy data directly. The web proxy data must be stored in a log storage and aggregation platform or in a SIEM. A login with appropriate permissions to access the data is required for each system that stores BlueCoat web proxy data.

Access for the data source accounts should be obtained with the proper approvals. After they are approved, requests should be made to the administrative personnel to create the accounts and grant the appropriate access to all relevant systems or databases.

Identifying Potentially Long Lead-Time Items

During the installation and implementation process, there are activities that can, and frequently do, become lengthy and time-consuming endeavors. These activities should be started as soon as possible, and need frequent oversight. In some cases, a single person acts as the liaison to the Symantec ICA project team, and oversees these items. In other cases, a Symantec ICA project team member may play a more active role. The initial installation can frequently proceed without all of the items being completed before installation day, but it is recommended that these items be achieved first in order to streamline installation and implementation activities.

The following table lists examples of long lead-time items:

Long Lead-time Item | Description
Server hardware | Whether using virtual machines or physical servers, obtaining server hardware can take time. For example, the organization may have formal and rigid processes to follow, and requests must be approved by multiple people. Other organizations may require an architectural board review, or a configuration change board to review and approve requests.
Service accounts | Accounts are needed for installation and management of Symantec ICA. Service accounts are also recommended for each data source type. Special processes may be required to request and provision service accounts. Approvals or security exceptions may be required to make the passwords permanent and non-expiring.
Access to all data sources | Obtaining the appropriate access to all necessary data sources can be time consuming, especially if the target systems are managed in a distributed fashion. It is possible to install Symantec ICA without having access completed for every data source or data source instance, but the installation cannot be completed until achieving all integrations. Having all access granted and validated by installation day saves substantial time and rework.
Firewall changes | Connectivity from the Symantec ICA servers to the data sources and from the data sources to Symantec ICA needs to be validated. This connectivity is generally from an IP address/port pair on the Symantec ICA side to multiple IP address/port pairs on the data source side, and bidirectional access is generally required. Database default ports are frequently not on the firewall white lists. Access from the primary user communities to the Symantec ICA web and application server should also be validated, particularly if non-standard HTTP/HTTPS port numbers are used.
HTTPS and SSL server certificates | Symantec ICA installs with HTTP protocol on the web and application server by default, but enabling HTTPS protocol is highly recommended. Using HTTPS requires the installation of an SSL server certificate into the keystore of the Symantec ICA web and application server. In some organizations, new certificates require a time-consuming acquisition cycle. In others, the certificates are readily available and can be installed quickly. Usually a separate security team performs this function. Symantec recommends using the TLS 1.2 protocol. Until the server certificates are installed, HTTPS will not function for Symantec ICA users.
Installation prerequisites | The installer can be run prior to Symantec ICA installation. The installer checks the majority of prerequisites, and provides links to download required software. It is highly recommended that all software be downloaded in advance, and placed into a Symantec ICA software repository with a well-defined directory structure. This approach allows for a repeatable installation process across multiple environments. It also enables disaster recovery processes, by having access to the Symantec ICA software and prerequisite software.
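Once the server certificate from the "HTTPS and SSL server certificates" item has been issued, the remaining work on the web and application server is to bind it in Microsoft IIS and to make TLS 1.2 the protocol the server negotiates. The following is an added example, not from the Symantec ICA guide, using the WebAdministration module that ships with the IIS role. The site name and the certificate thumbprint are placeholders; the certificate is assumed to be already imported, with its private key, into the local machine's personal store.

```powershell
# Added example, not from the Symantec ICA guide: bind an issued server certificate
# to the ICA web site on port 443 (the guide's default HTTPS port) and leave only
# TLS 1.2 enabled on the server side. Site name and thumbprint are placeholders.
Import-Module WebAdministration

$SiteName   = 'Default Web Site'                            # placeholder: the ICA site name
$Thumbprint = '0000000000000000000000000000000000000000'    # placeholder thumbprint

$cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
if (-not $cert.HasPrivateKey) {
    throw 'Certificate has no private key; import the PFX, not only the public .cer file'
}

# Add the HTTPS binding if it does not exist, then attach the certificate to it.
if (-not (Get-WebBinding -Name $SiteName -Protocol https -Port 443)) {
    New-WebBinding -Name $SiteName -Protocol https -Port 443 -IPAddress '*'
}
$sslPath = 'IIS:\SslBindings\0.0.0.0!443'
if (Test-Path $sslPath) { Remove-Item $sslPath }
$cert | New-Item $sslPath | Out-Null

# SCHANNEL protocol switches: disable SSL 3.0, TLS 1.0 and TLS 1.1 for the server
# role and explicitly enable TLS 1.2. These take effect after a reboot.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
function Set-SchannelServerProtocol {
    param([string]$Protocol, [bool]$Enabled)
    $key = Join-Path $base "$Protocol\Server"
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name Enabled -PropertyType DWord -Force `
        -Value $(if ($Enabled) { 1 } else { 0 }) | Out-Null
    New-ItemProperty -Path $key -Name DisabledByDefault -PropertyType DWord -Force `
        -Value $(if ($Enabled) { 0 } else { 1 }) | Out-Null
}
foreach ($old in 'SSL 3.0', 'TLS 1.0', 'TLS 1.1') { Set-SchannelServerProtocol -Protocol $old -Enabled $false }
Set-SchannelServerProtocol -Protocol 'TLS 1.2' -Enabled $true

# Show the resulting binding so the change can be recorded in the implementation plan.
Get-WebBinding -Name $SiteName -Protocol https | Select-Object protocol, bindingInformation
```

The protocol switches apply to the whole host, so if the web server is shared with anything that still needs TLS 1.0 or 1.1 (the guide recommends dedicated servers precisely to avoid this), test those clients first. Users' browsers must also support TLS 1.2 before the older protocols are turned off.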

Chapter 4

Prerequisites and Privileges for Installing and Administrating Symantec ICA

This chapter describes the required prerequisites and privileges for Symantec ICA (Information Centric Analytics) installation and administration. It contains the following topics:

• Disk Space Requirements for Symantec ICA

• Server Requirements for Symantec ICA

• TCP Port Requirements for Symantec ICA

• Required Installation Privileges and Credentials

• Required Steady State Privileges

NOTE: The Symantec ICA installer can be run before installation to check the prerequisites on the servers.

Disk Space Requirements for Symantec ICA

The Symantec ICA application server stores the web application files, which require a minimum of 1 GB of disk space.

The Microsoft SQL Server component requires approximately 20% of the size of the total processed data. For example, if one target database is 350 GB and a second target database is 900 GB, then allocate 250 GB of space for Symantec ICA use on the SQL Server Analysis Services instance. The percentage is specific to the deployment environment, and actual disk space requirements vary by environment. The minimum amount of required disk space is 200 GB.

The physical components of Symantec ICA are an application server, and a database server with the analysis services. Symantec ICA can be installed on one server or multiple servers. Symantec recommends using at least two servers for the production environment. The physical components are as follows:

• Web and application server hosts the Symantec ICA application pool and the Symantec ICA web site. The physical server has Microsoft Internet Information Service (Microsoft IIS) web server.

See Also: "Microsoft SQL Server Requirements for the Web and Application Server Hosting Symantec ICA" on page 40, and "Microsoft IIS Server Requirements for the Web and Application Server Hosting Symantec ICA" on page 41 for the requirements for the application server

• Database server has the Symantec ICA database, database utilities, and analysis services with the Symantec ICA cube, measures, and so on. The physical server has Microsoft SQL Server Database Engine, and Microsoft SQL Server Analysis Services (Microsoft SSAS) installed on it.

NOTE: Microsoft SQL Server Database Engine and Microsoft SSAS can be installed on the same server or separate servers. If Microsoft SQL Server and Microsoft SSAS are installed on the same server, then allocate 50% of the memory to Microsoft SQL Server and 50% to Microsoft SSAS. The setting is available on the Memory Settings properties of the Microsoft SQL Server.

The rest of this chapter describes the requirements for the application server and the database server.

See Also: Microsoft documentation for information about optimizing the TEMPDB database and data files, and instant file initialization

Production and Development Sizing Recommendations for Symantec ICA

The sizing recommendations for Symantec ICA depend on the use of the server, such as production or development, and the server architecture. The following tables list the recommended sizes for the different uses and architectures.

Sizing for Three Server Architectures

The following table lists the recommended sizes for the production environment in a three-server architecture.

Table 4-1 Sizing for Three Server Production Environment

Server | CPU Cores | Memory | Database Storage in GB | TEMPDB Storage in GB | Ethernet
Microsoft SQL Server | 16 | 64 GB | 2 x 512 GB | 512 GB | 1GigE
Microsoft SSAS | 16 | 64 GB | 2 x 512 GB for database and file system | Not applicable | 1GigE
Web and Application | 8 | 32 GB | 2 x 64 GB for file system | Not applicable | 1GigE

The following table lists the recommended sizes for the development environment in a three-server architecture.

Table 4-2 Sizing for Three Server Development Environment

Server | CPU Cores | Memory | Database Storage in GB | TEMPDB Storage in GB | Ethernet
Microsoft SQL Server | 16 | 64 GB | 1 x 512 GB | 512 GB | 1GigE
Microsoft SSAS | 16 | 64 GB | 1 x 512 GB for database and file system | Not applicable | 1GigE
Web and Application | 8 | 32 GB | 1 x 64 GB for file system | Not applicable | 1GigE

Sizing for Two Server Architectures

The following table lists the recommended sizes for the production environment in a two-server architecture.

Table 4-3 Sizing for Two Server Production Environment

Server | CPU Cores | Memory | Database Storage in GB | TEMPDB Storage in GB | Ethernet
Microsoft SQL Server and Microsoft SSAS | 16 | 128 GB | 2 x 512 GB to 1 TB | 512 GB to 1 TB | 1GigE
Web and Application | 8 | 32 GB | 2 x 64 GB for file system | Not applicable | 1GigE

The following table lists the recommended sizes for the test environment in a two-server architecture.

Table 4-4 Sizing for Two Server Test Environment

Server | CPU Cores | Memory | Database Storage in GB | TEMPDB Storage in GB | Ethernet
Microsoft SQL Server and Microsoft SSAS | 16 | 128 GB | 1 x 512 GB to 1 TB | 512 GB to 1 TB | 1GigE
Web and Application | 8 | 32 GB | 1 x 64 GB for file system | Not applicable | 1GigE

The following table lists the recommended sizes for the development environment in a two-server architecture.

Table 4-5 Sizing for Two Server Development Environment

Server | CPU Cores | Memory | Database Storage in GB | TEMPDB Storage in GB | Ethernet
Microsoft SQL Server and Microsoft SSAS | 16 | 96 GB | 1 x 256 GB | 256 GB | 1GigE
Web and Application | 4 | 32 GB | 1 x 64 GB for file system | Not applicable | 1GigE

Server Requirements for Symantec ICA

Symantec ICA needs certain requirements on the servers. The following sections list the software and other requirements needed:

• Microsoft SQL Server Requirements for the Web and Application Server Hosting Symantec ICA

• Microsoft IIS Server Requirements for the Web and Application Server Hosting Symantec ICA

• Microsoft SQL Server Requirements for Hosting the Symantec ICA Database

• Microsoft SQL Server Analysis Services Settings for Symantec ICA

NOTE: Symantec recommends setting server power options to High Performance. Power options are available in the Control Panel under Power Options Advanced Settings.

Microsoft SQL Server Requirements for the Web and Application Server Hosting Symantec ICA

The following table lists the Microsoft SQL Server requirement for the application server hosting Symantec ICA. This is the server that has web and application services. The required software allows the application server to communicate with the database server.

Table 4-6 Requirements for Application Server Hosting Symantec ICA

Software | Requirement
Microsoft .Net framework | Microsoft .Net framework 4.7.1, https://www.microsoft.com/en-us/download/details.aspx?id=56115

NOTE: Microsoft .Net framework 4.7.1 must be installed on the database server and the application server.

Microsoft IIS Server Requirements for the Web and Application Server Hosting Symantec ICA

The following table lists the requirements for the Microsoft IIS server hosting Symantec ICA:

Table 4-7 Microsoft IIS Server Requirements for Server Hosting Symantec ICA

Software or Role | Requirement

Web Server (Microsoft IIS) role | Enabled on the target Microsoft Windows Server 2012 SP1 host. When adding the Web Server (Microsoft Internet Information Services (Microsoft IIS)) role for the first time, install the following role services under Web Server (IIS) > Web Server Role (Microsoft IIS):

• Common HTTP Features
  • Default Document
  • Directory Browsing

• Health and Diagnostics
  • HTTP Logging

• Performance
  • Static Content
  • Static Content Compression

• Security
  • Windows Authentication (NOTE: Ensure that Extended Protection is set to Off.)

• Application Development
  • .NET Extensibility 4.5
  • ASP.NET 4.5
  • ISAPI Extensions
  • ISAPI Filters

Web Server (Microsoft IIS) features | Enabled on the target Microsoft Windows Server 2012 SP1 host. When adding the Web Server (Microsoft IIS) role for the first time, install the following role features:

• .NET Framework 3.5 Features
  • .NET Framework 3.5

• .NET Framework 4.5 Features
  • .NET Framework 4.5
  • ASP.NET 4.5
  • WCF Services
    • HTTP Activation
    • TCP Port Sharing
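The role services and features in the table above can be installed in one pass instead of through the Add Roles and Features wizard. The following is an added example, not from the Symantec ICA guide, that maps each table entry to its Windows Server feature name, installs the set, reports anything still missing, and applies the Extended Protection setting the table requires. The site name used for the Extended Protection setting is a placeholder.

```powershell
# Added example, not from the Symantec ICA guide: install the IIS role services and
# .NET features listed in Table 4-7 by their Windows Server feature names, verify
# them, and set Extended Protection for Windows Authentication to Off as required.
Import-Module ServerManager

$Features = @(
    'Web-Server',                 # Web Server (IIS) role
    'Web-Default-Doc',            # Common HTTP Features: Default Document
    'Web-Dir-Browsing',           # Common HTTP Features: Directory Browsing
    'Web-Http-Logging',           # Health and Diagnostics: HTTP Logging
    'Web-Static-Content',         # Static Content
    'Web-Stat-Compression',       # Performance: Static Content Compression
    'Web-Windows-Auth',           # Security: Windows Authentication
    'Web-Net-Ext45',              # Application Development: .NET Extensibility 4.5
    'Web-Asp-Net45',              # Application Development: ASP.NET 4.5
    'Web-ISAPI-Ext',              # Application Development: ISAPI Extensions
    'Web-ISAPI-Filter',           # Application Development: ISAPI Filters
    'NET-Framework-Core',         # .NET Framework 3.5 Features: .NET Framework 3.5
    'NET-Framework-45-Core',      # .NET Framework 4.5 Features: .NET Framework 4.5
    'NET-Framework-45-ASPNET',    # .NET Framework 4.5 Features: ASP.NET 4.5
    'NET-WCF-HTTP-Activation45',  # WCF Services: HTTP Activation
    'NET-WCF-TCP-PortSharing45'   # WCF Services: TCP Port Sharing
)

# The .NET 3.5 payload is not always present on the local image; add
# -Source <path to \sources\sxs> to point DISM at a repair source if it fails.
$result = Install-WindowsFeature -Name $Features
if ($result.RestartNeeded -eq 'Yes') { Write-Warning 'A restart is required before installing Symantec ICA' }

# Report anything still missing so the ICA installer's prerequisite check will pass.
function Get-MissingIcaWebFeature {
    param([string[]]$Names)
    Get-WindowsFeature -Name $Names | Where-Object { -not $_.Installed } |
        Select-Object Name, DisplayName, InstallState
}
$missing = Get-MissingIcaWebFeature -Names $Features
if ($missing) { $missing } else { 'All Table 4-7 features are installed' }

# Table 4-7 requires Extended Protection Off for Windows Authentication on the ICA site.
Import-Module WebAdministration
$SiteName = 'Default Web Site'   # placeholder: the ICA site name
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $SiteName `
    -Filter 'system.webServer/security/authentication/windowsAuthentication/extendedProtection' `
    -Name 'tokenChecking' -Value 'None'
```

Run the script elevated on the web and application server before the Symantec ICA installer; the final line only applies once the ICA site exists, so re-run it (or set the value in IIS Manager) after the application has been installed.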

NOTE: If the Microsoft IIS server does not have all the required features, then it is necessary to install and enable the features before installing Symantec ICA. Refer to the following Microsoft Deployment Imaging Servicing Management (DISM) document for information about installing the features: https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/configure-a-windows-repair-source

Microsoft SQL Server Requirements for Hosting the Symantec ICA Database

Symantec ICA requires the following infrastructure on the database server that will host Symantec ICA:

NOTE: Symantec recommends installation of Microsoft SQL Server Management Studio for managing Microsoft SQL Server.

Table 4-8 Microsoft SQL Server Requirements for the Symantec ICA Database Server

Software | Requirement
Microsoft SQL Server | One instance of Microsoft SQL Server 2016 Enterprise Edition with cumulative update (CU) 5 or later cumulative updates, with the SQL Server Agent
Microsoft Windows Server | Microsoft Windows Server 2012 R2 or later
Microsoft SQL Server Analysis Services | One instance of Microsoft SQL Server Analysis Services 2016 Enterprise Edition CU 5 or later cumulative updates

NOTE: Microsoft SQL Server Developer Edition can be used for non-production environments of Symantec ICA

Microsoft SQL Server Analysis Services Settings for Symantec ICA

Symantec recommends the following Microsoft SQL Server Analysis Services (Microsoft SSAS) settings. The settings are in General Settings properties on Microsoft SSAS.

Table 4-9 Microsoft SQL Server Analysis Services Settings

Setting                        Recommendation
Server Mode                    Multidimensional and Data Mining Mode
ExternalCommandTimeout         360000
ExternalConnectionTimeout      360000
Log\Flight Recorder\Enabled    False
Memory\TotalMemoryLimit        - In a shared environment with Microsoft SQL Server and Microsoft SSAS on the same server: 45
                                 NOTE: This should be set in conjunction with setting the SQL Server Relational Engine memory configuration to 50% of available server memory.
                               - In an environment where Microsoft SSAS is on a standalone server: 75
ServerTimeout                  360000

See Also: "Microsoft Analysis Services Query Performance Top 10 Best Practices" at https://technet.microsoft.com/en-us/library/cc966527.aspx

TCP Port Requirements for Symantec ICA

Symantec ICA uses a Microsoft IIS website, and several TCP ports are used to communicate with Symantec ICA. If the host is equipped with an endpoint firewall, then the ports must be open for inbound and outbound traffic.

Table 4-10 TCP Ports Used with Symantec ICA

Usage              Default Port    Configurable
HTTP port          80              Yes
HTTPS port         443             Yes
SQL Server         1433            Yes
Analysis Server    2382            Yes
Analysis Server    2383            Yes

Required Installation Privileges and Credentials

The following table lists the necessary privileges required when installing Symantec ICA.

Table 4-11 Required Installation Privileges

Environment              Privilege        Can be removed (Yes/No)
Windows Server           Administrator    No
SQL Server               sysadmin         Yes (conditional)
                                          Requires sysadmin or dbcreator because a system level query is performed during installation or upgrade to determine available databases. The sysadmin privilege can be removed after installation or upgrade, but db_owner is still required.
SQL Analysis Server (1)  Administrator    No

Account Credentials for Symantec ICA Installation

The following account credentials are needed during installation of Symantec ICA:

- The Microsoft SQL Server Analysis Services (Microsoft SSAS) impersonation account credentials: The impersonation account is the Microsoft SSAS account that has permission to access Microsoft SQL Server data. The account must have administrator rights on Analysis Services.

- The Symantec ICA Service account credentials: The Symantec ICA server service account is the account that brokers communication between the Microsoft Windows server hosting the Symantec ICA application and web services, and the SQL Server hosting the Symantec ICA database.

NOTE: If the account used for installation is not the service account, then ensure the account has the Windows Server administrator privilege, the SQL Server sysadmin privilege, and the SQL Analysis Server administrator privilege.

Symantec ICA Server Installation Privileges for the Application Server Hosting Symantec ICA

Microsoft Windows requires administrator privileges to complete the Symantec ICA installation. Symantec ICA server setup must also be run with administrator privileges. It is recommended that the prerequisite software and Symantec ICA Server software be installed using the Symantec ICA server service account.

The following table lists the necessary privileges required for the service account.

Table 4-12 Service Account Privileges

Environment       Privilege         Can be removed (Yes/No)
Windows Server    Administrator     No
SQL Server        Not applicable    Not applicable

Symantec ICA Server Installation Wizard Privileges for Database Server Hosting Symantec ICA

The Symantec ICA server installation wizard requires Microsoft Windows administrator privileges to run successfully. The administrator can connect to an existing database or create a database. When connecting to an existing database, the SQL system administrator (sysadmin) privilege is required. This privilege is required because a system level query is performed to determine available databases for installation.

(1) This account is also referred to as the impersonation account.

When creating a new database, the SQL dbcreator privilege is required. The privilege can be removed after installation, but the db_owner user must remain for the database. Alternatively, the administrator can select to create a new database, and then enter the name of an existing database in the dialog box to connect to it. Connecting to an existing database using this method removes the need for the SQL sysadmin privilege. The db_owner is still required for the database.

The following table lists the necessary privileges required for using the setup wizard.

Table 4-13 Symantec ICA Server Setup Wizard Privileges

Environment       Privilege                 Can be removed (Yes/No)
Windows Server    Administrator             No
SQL Server        sysadmin, or dbcreator    No

NOTE: Microsoft IIS configuration takes place during the Symantec ICA server setup, and requires Windows administrator privilege.

Performing Symantec ICA administrative activities usually requires administrator privileges on the database server hosting Symantec ICA. To reduce the likelihood of permission-related errors, Symantec recommends disabling User Account Control (UAC) on the Symantec ICA host machine during installation and configuration of Symantec ICA.

For more information about UAC, refer to http://support.microsoft.com/kb/2526083

Required Steady State Privileges

The following table lists the necessary privileges required when administering Symantec ICA after installation:

Table 4-14 Required Administration Privileges

Environment            Privilege        Can be removed (Yes/No)
Windows Server         Administrator    No
SQL Server             sysadmin         Yes (2)
SQL Analysis Server    Administrator    No

(2) If sysadmin is removed, then the user permissions for the administrator must be modified. Refer to "Permission Settings to Run Symantec ICA" on the next page for the procedure to modify permissions.


Symantec ICA Server Service Account and Steady State Usage Accounts

The Symantec ICA server service account brokers communication between the Microsoft Windows server hosting Symantec ICA and the SQL Server hosting the Symantec ICA database. The Symantec ICA server service account user must be a member of the local administrators group on the Windows Server hosting Symantec ICA, and must have the SQL db_owner privilege for the database being used by Symantec ICA.

The following table lists the necessary privileges required for the service account, and for steady state usage accounts on the database server hosting Symantec ICA:

Table 4-15 Service and Steady State Usage Accounts

Environment            Privilege                                 Can be removed (Yes/No)
Windows Server         Administrator                             No
SQL Server             db_owner of the Symantec ICA database     No
SQL Analysis Server    Administrator                             No

Permission Settings to Run Symantec ICA

The sysadmin role has the correct permissions to run Symantec ICA database jobs. It also has unlimited privileges to administer the servers. Your security policies probably limit the users with the sysadmin role. If that is the case, then the db_owner role can be updated to have the permissions to run the Symantec ICA database jobs.

Setting Permissions with Microsoft SQL Server Management Studio

To set user permissions to run Symantec ICA database jobs, do the following:

1. Log in to Microsoft SQL Server on the server hosting Symantec ICA.
2. Open Microsoft SQL Server Management Studio, and connect to Database Engine.
3. Expand Security, and then expand Logins.
4. Right-click the database user name that will have permissions for running Risk Fabric jobs, and select Properties.
5. Click Server Roles.
6. Ensure the public and setupadmin privileges are enabled.
7. Click User Mapping.
8. Ensure the user has db_owner permissions for all system databases and data warehouses related to the Symantec ICA instance.
9. Click Securables.
10. Ensure the user has the following permissions:
    - Alter any linked server
    - Alter any login
    - Connect SQL
11. Expand Server Objects, and then expand Linked Servers.
12. Right-click the Symantec ICA linked server, select Properties, and then select Security.
13. Select Be made using this security context: for the connection, and enter the user login and password.
14. Connect to Analysis Server.
15. Right-click the server, select Properties, and then select Security.
16. Verify the user has access to the Analysis Services database as a server administrator.

Setting Permissions Using Scripts

The following scripts can be used to set permissions to run Symantec ICA jobs. In the scripts, DOMAIN is the Symantec ICA domain set during installation, and user is the user account name.

NOTE: There are no scripts for setting up the permissions for Linked Server or Analysis Server. Those permissions are set using Microsoft SQL Server Management Studio, as described in "Setting Permissions with Microsoft SQL Server Management Studio" on the previous page.

Script to set server-level user:

USE [master]
GO
CREATE LOGIN [DOMAIN\user] FROM WINDOWS WITH DEFAULT_DATABASE=[master], DEFAULT_LANGUAGE=[us_english]
GO

Script to set server-level role:

ALTER SERVER ROLE setupadmin ADD MEMBER [DOMAIN\user]
GO

Script to set server-level permissions:

USE master
GO
GRANT ALTER ANY LINKED SERVER TO [DOMAIN\user]
GO
GRANT ALTER ANY LOGIN TO [DOMAIN\user]
GO
GRANT CONNECT SQL TO [DOMAIN\user]
GO

Script to set access to Symantec ICA databases:

These are the databases that the user needs to access, including the system databases master, msdb, and tempdb.

USE master
GO
CREATE USER [DOMAIN\user] FOR LOGIN [DOMAIN\user] WITH DEFAULT_SCHEMA=[dbo]
GO
EXEC sys.sp_addrolemember @rolename = N'db_owner', @membername = N'DOMAIN\user'
GO

USE msdb
GO
CREATE USER [DOMAIN\user] FOR LOGIN [DOMAIN\user] WITH DEFAULT_SCHEMA=[dbo]
GO
EXEC sys.sp_addrolemember @rolename = N'db_owner', @membername = N'DOMAIN\user'
GO

USE tempdb
GO
CREATE USER [DOMAIN\user] FOR LOGIN [DOMAIN\user] WITH DEFAULT_SCHEMA=[dbo]
GO
EXEC sys.sp_addrolemember @rolename = N'db_owner', @membername = N'DOMAIN\user'
GO

USE SymantecICADatabase
GO
CREATE USER [DOMAIN\user] FOR LOGIN [DOMAIN\user] WITH DEFAULT_SCHEMA=[dbo]
GO
EXEC sys.sp_addrolemember @rolename = N'db_owner', @membername = N'DOMAIN\user'
GO

Script to create the user for any other databases or data warehouses:

These are databases or data warehouses that the user needs to access, such as Microsoft ActiveDirectoryDW, Symantec DLPDW, and DemoDataDW.

USE ActiveDirectoryDW
GO
CREATE USER [DOMAIN\user] FOR LOGIN [DOMAIN\user] WITH DEFAULT_SCHEMA=[dbo]
GO
EXEC sys.sp_addrolemember @rolename = N'db_owner', @membername = N'DOMAIN\user'
GO
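The following T-SQL script is an added example and is not part of the Symantec guide. It applies the grants from the Management Studio procedure and the scripts above to every required database in one idempotent pass, and then reports the account's resulting server roles, grants and db_owner memberships so they can be reviewed before sysadmin is removed. DOMAIN\user is the guide's placeholder; the database list is constructed from the guide's examples (SymantecICADatabase, ActiveDirectoryDW, DLPDW) and must be edited to the site's actual names.

```sql
USE [master];
GO

-- Placeholder from the guide's own scripts: replace DOMAIN\user with the real account.
DECLARE @login sysname = N'DOMAIN\user';

-- Constructed list: the guide's system databases, its Symantec ICA database name,
-- and two integration-pack warehouse names it gives as examples. Edit to match
-- the databases and data warehouses actually present at this site.
DECLARE @dbs TABLE (name sysname NOT NULL);
INSERT INTO @dbs (name) VALUES
    (N'master'), (N'msdb'), (N'tempdb'),
    (N'SymantecICADatabase'),
    (N'ActiveDirectoryDW'), (N'DLPDW');

DECLARE @sql nvarchar(max);
DECLARE @q   nvarchar(258) = QUOTENAME(@login);   -- bracket-quoted login, reused below

-- 1. Server-level login, role and permissions (the guide's first three scripts),
--    guarded so the batch can be re-run safely after a partial failure.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = @login)
BEGIN
    SET @sql = N'CREATE LOGIN ' + @q
             + N' FROM WINDOWS WITH DEFAULT_DATABASE=[master], DEFAULT_LANGUAGE=[us_english];';
    EXEC sys.sp_executesql @sql;
END;

IF ISNULL(IS_SRVROLEMEMBER(N'setupadmin', @login), 0) = 0
BEGIN
    SET @sql = N'ALTER SERVER ROLE setupadmin ADD MEMBER ' + @q + N';';
    EXEC sys.sp_executesql @sql;
END;

-- GRANT is already idempotent: re-granting an existing permission does not error.
SET @sql = N'GRANT ALTER ANY LINKED SERVER TO ' + @q + N'; '
         + N'GRANT ALTER ANY LOGIN TO ' + @q + N'; '
         + N'GRANT CONNECT SQL TO ' + @q + N';';
EXEC sys.sp_executesql @sql;

-- 2. Database user plus db_owner membership in every listed database.
--    ALTER ROLE ... ADD MEMBER is used here in place of the guide's
--    sp_addrolemember call; on SQL Server 2016 both produce the same membership.
CREATE TABLE #db_check (db sysname NOT NULL, is_db_owner int NOT NULL);

DECLARE @db sysname;
DECLARE db_cur CURSOR LOCAL FAST_FORWARD FOR SELECT name FROM @dbs;
OPEN db_cur;
FETCH NEXT FROM db_cur INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    IF DB_ID(@db) IS NULL
        PRINT N'Skipped ' + @db + N': database does not exist on this instance.';
    ELSE
    BEGIN
        -- USE inside the dynamic batch scopes the statements to that database.
        SET @sql = N'USE ' + QUOTENAME(@db) + N'; '
                 + N'IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = @login) '
                 + N'    CREATE USER ' + @q + N' FOR LOGIN ' + @q + N' WITH DEFAULT_SCHEMA=[dbo]; '
                 + N'IF ISNULL(IS_ROLEMEMBER(N''db_owner'', @login), 0) = 0 '
                 + N'    ALTER ROLE db_owner ADD MEMBER ' + @q + N'; '
                 + N'INSERT INTO #db_check (db, is_db_owner) '
                 + N'    VALUES (DB_NAME(), ISNULL(IS_ROLEMEMBER(N''db_owner'', @login), 0));';
        EXEC sys.sp_executesql @sql, N'@login sysname', @login = @login;
    END;
    FETCH NEXT FROM db_cur INTO @db;
END;
CLOSE db_cur;
DEALLOCATE db_cur;

-- 3. Review the result before removing sysadmin from the account (Table 4-14):
--    every listed database should show is_db_owner = 1, and the server-level
--    rows should show setupadmin plus the three GRANTs above.
SELECT db, is_db_owner FROM #db_check ORDER BY db;

SELECT  N'role' AS kind, r.name AS name
FROM    sys.server_role_members AS m
JOIN    sys.server_principals   AS r ON r.principal_id = m.role_principal_id
JOIN    sys.server_principals   AS l ON l.principal_id = m.member_principal_id
WHERE   l.name = @login
UNION ALL
SELECT  N'grant', p.permission_name
FROM    sys.server_permissions AS p
JOIN    sys.server_principals  AS l ON l.principal_id = p.grantee_principal_id
WHERE   l.name = @login AND p.state IN ('G', 'W');

DROP TABLE #db_check;
```

The Linked Server and Analysis Services settings still have to be set in Management Studio, as the NOTE above states; this script only covers the Database Engine side.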

Chapter 5

Installing Symantec ICA

Symantec ICA (Information Centric Analytics) installation involves the following tasks:

Task 1: Reviewing the Configuration Recommendations

Task 2: Installing and Provisioning Using the Symantec ICA Setup Wizard

Task 3: Installing Integration Packs

Task 4: Processing Risk Fabric SQL Server Agent Jobs

Task 5: Verifying Installation and Operation of Symantec ICA

NOTE: An additional task is performed when installing Symantec ICA Analysis Server on its own server instead of the Microsoft SQL Server server, and the data source authentication is set to Windows Integrated Authentication. Refer to "Passing Kerberos Credentials to the Symantec ICA Application Server and Microsoft SQL Server" on page 57 for credential information, and the task steps.

Performing Symantec ICA administrative activities, such as installation, usually requires administrator privileges on the Symantec ICA host machine. To reduce the likelihood of permission-related errors, Symantec recommends disabling User Account Control (UAC) on the Symantec ICA host machine during installation and configuration of Symantec ICA.

See Also: "Symantec ICA Installation on Server Core for Microsoft Windows Server 2012" on page 153

Task 1: Reviewing the Configuration Recommendations

Symantec ICA is a combination of a risk analytics platform and a data warehousing platform. The server and database administration teams should implement configurations that combine the needs of each platform for performance and efficiency. The following recommendations should be reviewed before starting the Symantec ICA installation.


NOTE: Symantec ICA performance, particularly the run times of the nightly jobs, may be impacted if the following recommendations are not followed:

- Software should be downloaded in advance, and placed in a Symantec ICA software repository with a well-defined directory structure. Using this approach allows for a repeatable installation process across multiple environments.

- Symantec ICA jobs can have long run times, and frequently run several hours each night. Any configurations that terminate or suspend long-running jobs should be disabled for Symantec ICA.

- Backup jobs should be scheduled at times that do not interfere with the Symantec ICA nightly job.

- Maximize parallel processing and threading parameters. In particular, the maximum degree of parallelism (MAXDOP) should remain at zero.

- Data drives should use 64 KB block sizes, and be optimized for read/write throughput.

- TEMPDB space should be very large, and implemented using multi-file architectures on fast spindle pools.

- If the nightly job duration becomes long due to large data imports, then investigate the use of the intraday job to break up the nightly import into smaller chunks performed throughout the day.

Task 2: Installing and Provisioning Using the Symantec ICA Setup Wizard
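An added pre-installation check, not part of the Symantec guide, that reads back the SQL Server settings the recommendations above depend on (MAXDOP, tempdb file layout, SQL Server Agent state) and lists the enabled Agent job schedules so backup jobs can be compared against the Risk Fabric Processing window. It assumes SQL Server 2016 and the VIEW SERVER STATE permission; the PASS/REVIEW labels are this example's own.

```sql
-- Part 1: one row per instance setting, with a PASS/REVIEW verdict against the guide.
SELECT  N'max degree of parallelism' AS setting,
        CAST(value_in_use AS nvarchar(30)) AS current_value,
        CASE WHEN CAST(value_in_use AS int) = 0
             THEN N'PASS' ELSE N'REVIEW: guide recommends MAXDOP 0' END AS verdict
FROM    sys.configurations
WHERE   name = N'max degree of parallelism'
UNION ALL
-- tempdb layout: the guide asks for a multi-file architecture; one data file is flagged.
SELECT  N'tempdb data files',
        CAST(COUNT(*) AS nvarchar(30)),
        CASE WHEN COUNT(*) > 1
             THEN N'PASS' ELSE N'REVIEW: single tempdb data file' END
FROM    sys.master_files
WHERE   database_id = DB_ID(N'tempdb') AND type_desc = N'ROWS'
UNION ALL
-- tempdb size: "very large" cannot be scored automatically, so the total is
-- reported for a manual comparison against the expected import volume.
-- sys.master_files.size is in 8 KB pages; dividing by 128 gives MB.
SELECT  N'tempdb data size (MB)',
        CAST(SUM(size) / 128 AS nvarchar(30)),
        N'REVIEW: compare with expected import volume'
FROM    sys.master_files
WHERE   database_id = DB_ID(N'tempdb') AND type_desc = N'ROWS'
UNION ALL
-- SQL Server Agent: required by Table 4-8 and checked again in Task 2, step 3.
SELECT  N'SQL Server Agent',
        status_desc,
        CASE WHEN status_desc = N'Running'
             THEN N'PASS' ELSE N'REVIEW: Agent service is not running' END
FROM    sys.dm_server_services
WHERE   servicename LIKE N'SQL Server Agent%';

-- Part 2: enabled Agent jobs and their start times (HHMMSS), ordered so that
-- backup or maintenance jobs landing inside the nightly Risk Fabric Processing
-- run stand out. The job itself only exists after installation (Task 4).
SELECT  j.name AS job,
        s.name AS schedule,
        RIGHT(N'000000' + CAST(s.active_start_time AS nvarchar(6)), 6) AS start_hhmmss,
        CASE s.freq_type
             WHEN 4  THEN N'daily'
             WHEN 8  THEN N'weekly'
             WHEN 16 THEN N'monthly'
             ELSE N'other' END AS frequency
FROM    msdb.dbo.sysjobs          AS j
JOIN    msdb.dbo.sysjobschedules  AS js ON js.job_id = j.job_id
JOIN    msdb.dbo.sysschedules     AS s  ON s.schedule_id = js.schedule_id
WHERE   j.enabled = 1 AND s.enabled = 1
ORDER BY start_hhmmss, job;
```

The 64 KB block size of the data drives is a volume format property and is not visible from these views; check it on the host with the disk tooling instead.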

During the installation, the setup program creates a new web application. The application is either an application virtual directory (default is /RiskFabric) inside a new site (default is Symantec ICA), or within an existing site of the organization. The web application should be part of the application pool named RiskFabric_AppPool.

To install and provision the Symantec ICA SQL server using the wizard, do the following:

NOTE: To return to a previous step or page during installation, click the page name on the navigation bar in the wizard.

1. Log in to the host using an account that has administrator rights to the host.
2. Go to Administrative Tools, and select Services.
3. Ensure that the SQL Server Agent is running.
4. Copy the Symantec ICA installation files to a folder on the host server.
5. Navigate to the installation folder, and run the SymantecICAInstaller.exe file with administrator rights to launch the Symantec ICA Installation Wizard.
   NOTE: If User Account Control is on, then run the Microsoft Installer (MSI) using the Administrator role. If the MSI menu does not list the Run as administrator option, then open the command prompt as an administrator, and run the following command:
   msiexec /i SymantecICAInstaller.exe
6. Click Start in the Full Install section of the initial wizard page.
7. On the License Agreement page, read the license agreement, and select the I have read, understood, and agree with the terms of the license agreement check box, if you agree with the terms.
8. Click Next.
9. Check the prerequisites for the server hosting Symantec ICA. The prerequisites page automatically runs software checks for Symantec ICA. If the prerequisite checks identify missing software, then download the appropriate packages from Microsoft, and check the prerequisites again.
   See Also: "Prerequisites and Privileges for Installing and Administrating Symantec ICA" on page 37 to review the Symantec ICA requirements.

10. Configure the Microsoft IIS website as follows:
    a. Enter the Microsoft IIS website name (default is RiskFabric) or use an existing website.
       NOTE: Symantec recommends creating a new website. Using an existing website may result in configuration conflicts and runtime errors in Symantec ICA.
    b. Select a port for communication with Symantec ICA over HTTP (default is 80). To test if a port is currently in use, click Check Port next to the port number. An available port number is green, and an unavailable port number is red. If you entered an unavailable port, then contact the network administrator for an available port.
       NOTE: When creating a Microsoft IIS website, the wizard allows you to choose the port to communicate with Symantec ICA. When reusing an existing Microsoft IIS website, the wizard uses the first-found HTTP port binding.
    c. Enter the path to the installation directory.
    d. Enter the service account domain, user name, and password.
       NOTE: The password is confirmed after clicking Next. If the password does not match your existing service account password, then a message is displayed requesting that you re-enter your name and password.
    e. Enter the administrator account domain and user name.
    f. Click Next to continue.
11. (Optional) Configure notifications as follows:
    a. Select Enable Mails.
    b. Enter the SMTP server and port.
    c. Enter the sender email address.
    d. (Optional) Select Enable SSL.
    e. (Optional) Enter an address for a test email message in the Send Test Email To field.
    f. (Optional) Select Enable Vulnerability Summary Emails.
       NOTE: The default schedule is weekly on Wednesdays at 8:00 a.m. The job schedule can be changed after installation using Microsoft SQL Server Management Studio.
    g. (Optional) Enter a sender email address in the Override From Email Address field.
    h. (Optional) Select Enable Scan Exclusion Emails.
       NOTE: The default schedule is daily at 8:00 a.m. The job schedule can be changed after installation using Microsoft SQL Server Management Studio.
    i. (Optional) Enter a sender email address in the Override From Email Address field.
    j. (Optional) Select Enable Global False Positive Emails.
    k. (Optional) Enter a sender email address in the Override From Email Address field.
    l. (Optional) Enter a recipient address in the Recipient Email Address field.
    m. (Optional) Select Enable Severity Override From Email Address.
    n. (Optional) Enter a sender email address in the Override From Email Address field.
    o. (Optional) Enter a recipient address in the Recipient Email Address field.
    p. (Optional) Select Enable License Expiration Emails.
    q. (Optional) Enter a sender email address in the Override From Email Address field.
    r. (Optional) Enter a recipient address in the Recipient Email Address field.
12. Click Next to continue.
13. Configure data sources as follows:
    a. Enter the Microsoft SQL Server server name, and then click Connect.
    b. Enter the name of the Symantec ICA SQL database (default is RiskFabric) or select an existing database if reinstalling the database.
    c. Enter the Analysis Services server name, and then click Connect.
    d. (When using two servers) Select the credential connection for the servers. Enter the domain, user name, and password for the connection when not using Kerberos.
    e. Enter the default domain. This domain is added to account names that do not include a domain.
       NOTE: The default domain must match the domain or workgroup of the host server. To check the domain or workgroup, do the following:
       i. Open File Explorer.
       ii. Right-click This PC, and select Properties. The domain or workgroup is shown on the Properties page.
    f. Click Next.
14. Click the check box to install the database utilities, and enter the path for the files. These files are installed on the database server that has Microsoft SQL Server and Microsoft SQL Analysis Server for Symantec ICA.
15. Click Next.
16. Review the integration warnings. The warnings alert the administrator of possible integration conflicts. If there are no warnings, then click Next.
    NOTE: If there are warnings, then you must correct the issues before continuing the installation. Use the Recheck option to check your system after correcting the issues.
17. Click Next.
18. Enter the license activation key, and click Next.
    If the server cannot connect to the internet to activate the license, then do the following:
    a. Select Activate Offline.
    b. Continue the installation procedure.
19. Review the installation parameters. If a change is needed, then click the section title on the navigation bar to go to that section.
20. Click Install to install the software.
    NOTE: Progress is displayed during the installation. To view the verbose version of the progress, click the Verbose Logging check box.
21. (Optional) Save the log files by clicking each log name, and entering a file name.
22. Open Microsoft IIS Manager, and ensure the following:
    - ASP.NET Impersonation is disabled for Symantec ICA
    - ASP.NET .NET Trust Levels is set to Full
23. Click Launch Site or Close after the installation has completed. If you choose to launch the website, then note that some options are not available until data has been imported into Symantec ICA.
24. If the license was not activated because the server could not connect to the internet, then do the following:
    a. Copy the software license file (.slf) to the server that was used to install Symantec ICA.
    b. Run the RiskFabric.Installer file with administrator rights to launch the Symantec ICA Installation Wizard.
    c. Click Start in the Manual License Activation area.
    d. Navigate to the location of the binary file.
    e. Click Activate to activate the license.


Task 3: Installing Integration Packs

Symantec ICA requires installation of one or more integration packs depending on the products that will integrate with Symantec ICA. Integration packs use queries to pull data from the source, and then map the data to the corresponding fields and tables in Symantec ICA. Predefined integration packs available from Symantec include a user guide with information about prerequisites and installation. You can create integration packs for data pulled from sources not included in the set of available Symantec packs by using the integration wizard.

See Also: Symantec ICA Integration Guide

Task 4: Processing Risk Fabric SQL Server Agent Jobs

To process Risk Fabric agent jobs, do the following:

1. Ensure that the Risk Fabric server installation and integration pack configurations have completed successfully.
2. Log in to Microsoft SQL Server, and connect to Database Engine.
3. Expand SQL Server Agent, and then expand Jobs.
4. Process the Risk Fabric processing job as follows:
   a. Right-click the Risk Fabric Processing job, and select Enable.
   b. Right-click the Risk Fabric Processing job, and select Start Job at Step….
   c. Select Step 1 of the Risk Fabric Processing Job, and click Start. This process takes some time to complete. Wait until the process finishes before continuing this procedure. This job performs daily processing on several cubes.
   d. Right-click the Risk Fabric Intraday Processing job, and select Enable. The Risk Fabric Intraday Processing job performs hourly processing on several cubes.
   e. (If Scan Exclusion Emails was set) Right-click Risk Fabric Send Scan Exclusion Notifications, and select Enable.
   f. (If Vulnerability Emails was set) Right-click Risk Fabric Send Vulnerability Summary Emails, and select Enable.

Task 5: Verifying Installation and Operation of Symantec ICA

All preceding tasks need to complete before verifying the installation. To verify the installation and operation of Symantec ICA, do the following:

1. Log in to Microsoft SQL Server, and connect to Database Engine.
2. Expand SQL Server Agent, and then select Job Activity Monitor to check how the Symantec ICA jobs ran.
3. Open Microsoft Internet Information Services Manager, and select the Symantec ICA site in Applications.
4. Click Authentication, and confirm that Windows Authentication is enabled for the site.
5. Launch the Symantec ICA website.
6. Select the Symantec ICA Health dashboard. This dashboard shows the status of the SQL jobs, integrations, and data import.
7. Select the other dashboards to ensure they are displaying properly.
8. Select Analyzer to ensure that the cube is available.

Passing Kerberos Credentials to the Symantec ICA Application Server and Microsoft SQL Server

When the Symantec ICA application server is installed on a different server from the Microsoft SQL Server server, and the data source authentication is set to Windows Integrated Authentication, then the servers must be able to pass Kerberos credentials between the servers. The following graphic shows how Symantec ICA can be installed on multiple servers.

Kerberos Credential Setting Prerequisites

The following are the prerequisites when setting the Kerberos credentials on the servers:

- You must have Domain Admin privileges to perform the procedure. If you do not have Domain Admin privileges, then the configuration fails.

- If the application pool specified for the Symantec ICA Application Server in Microsoft Internet Information Services (IIS) Manager runs under a domain account, then the procedure must also be done for that account.

Using the setspn Command to Pass Kerberos Credentials

The following procedure uses the setspn.exe command. This command makes changes to the computer account and the service account in Microsoft Active Directory.


See Also: Microsoft Technet Web site for information about the setspn.exe command at http://technet.microsoft.com/en-us/library/cc731241(WS.10).aspx

1. From Microsoft Active Directory, set the server on which the Symantec ICA Application Server is hosted to Trust this computer for delegation to any server (Kerberos only).
2. Use the following commands to add the following Service Principal Names (SPNs) to the Symantec ICA Application Server:
   setspn -S http/netbiosName netbiosName
   setspn -S http/fully_qualified_domain_name netbiosName
   In the preceding commands, netbiosName is the NetBIOS name of the Symantec ICA Application Server used in the SPN, and fully_qualified_domain_name is the fully-qualified domain name for the SPN, such as asServer.example.com.
3. Use one of the following commands on Microsoft SQL Server, depending on the type of account:
   - Local account:
     setspn.exe -S MSSQLSvc/fully_qualified_domain_name host_netbiosName
   - Domain account:
     setspn.exe -S MSSQLSvc/fully_qualified_domain_name Domain\SQLServer_startup_user_name
4. Restart the systems to have the changes take effect.
5. Ensure that the following conditions are true for the Microsoft Active Directory service account settings:
   - The Account is sensitive and cannot be delegated setting is not enabled for delegated service accounts.
   - The Account is trusted for delegation setting is enabled for the service domain accounts.
   - The Trust computer for delegation to specified service (Kerberos only) setting is enabled for all the computers that are involved in the process. For example, for the application server, the service should be Microsoft IIS.

Troubleshooting Kerberos Credential Settings

If there is trouble setting the Kerberos credentials, then use Microsoft Kerberos Configuration Manager for SQL Server as follows:

1. Download the configuration manager from Microsoft. It is available at https://www.microsoft.com/en-us/download/details.aspx?id=39046
2. Install the configuration manager.
3. Double-click the KerberosConfigMgr.exe file.
4. Do one of the following, depending on the connectivity issue:
   - SQL Server issue: Connect to the target computer with the domain user account that has user permission for that computer.
   - SQL Reporting Services issue: Connect to the target computer with the domain user account that has administrative permissions for that computer.
5. Go to the command line. If troubleshooting SQL Reporting Services, then launch the command line as the administrator.
6. Navigate to the folder that has the KerberosConfigMgr.exe file.
7. Enter the following command to generate the SPN list:
   KerberosConfigMgr.exe -q -l
8. Click Fix All to fix any bad connections.

See Also: https://www.microsoft.com/en-us/download/details.aspx?id=39046

Troubleshooting Symantec ICA Processing When Using Kerberos

If the Kerberos credentials are not set correctly for each hop between servers, then there can be issues with analyzer processing and loading the Data in Motion page. This issue occurs when using the three-server architecture, and the following errors are shown:

- Analyzer error: NT AUTHORITY\ANONYMOUS LOGON
- Data in Motion page error in the Symantec ICA log: (Inner Exception #0) System.Data.SqlClient.SqlException (0x80131904): Cannot set the initialization properties for OLE DB provider "MSOLAP" for linked server

If these errors occur, then do the following:

- Confirm the service account being used as the Microsoft SQL Server service account.
- Ensure the service account has Unconstrained Delegation set in Microsoft Active Directory.
- Use the Microsoft Kerberos configuration tool to verify that the Kerberos SPNs are properly set on the Microsoft SQL Server and Microsoft SQL Server Analysis Services (Microsoft SSAS) server. If an SPN is missing, then click Generate to get the script to run on the server. After updating the server, restart all Symantec ICA servers. The configuration tool is available at https://www.microsoft.com/en-us/download/details.aspx?id=39046
- Confirm the Linked Server Security Properties are set to use the current security context.
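These added diagnostic queries are not part of the Symantec guide. Run them on the Microsoft SQL Server instance that hosts the Symantec ICA database, connected with Windows authentication from the Symantec ICA application server, to check the service account, the negotiated authentication scheme and the linked server security context from the SQL Server side. They assume SQL Server 2016 and the VIEW SERVER STATE permission; the linked server name is read from sys.servers rather than assumed.

```sql
-- 1. Which authentication scheme this connection negotiated. A connection that
--    arrived through the application server should show KERBEROS; NTLM means
--    the hop fell back, and the credential then cannot be passed on to the
--    next server, which is where NT AUTHORITY\ANONYMOUS LOGON appears.
SELECT  c.session_id, s.login_name, c.auth_scheme, c.client_net_address
FROM    sys.dm_exec_connections AS c
JOIN    sys.dm_exec_sessions    AS s ON s.session_id = c.session_id
WHERE   c.session_id = @@SPID;

-- The same view over every current network connection, grouped, to spot which
-- callers fall back to NTLM while the Data in Motion page or Analyzer is in use.
SELECT  s.login_name, c.auth_scheme, c.client_net_address, COUNT(*) AS connections
FROM    sys.dm_exec_connections AS c
JOIN    sys.dm_exec_sessions    AS s ON s.session_id = c.session_id
WHERE   c.net_transport <> N'Shared memory'
GROUP BY s.login_name, c.auth_scheme, c.client_net_address
ORDER BY s.login_name, c.auth_scheme;

-- 2. The account each SQL Server service runs as. The MSSQLSvc SPNs from the
--    setspn procedure must be registered to this account (domain account) or
--    to the host computer account (local account), and this is the account
--    that needs delegation enabled in Active Directory.
SELECT  servicename, service_account, status_desc
FROM    sys.dm_server_services;

-- 3. Linked server login mapping. A row with no local login and
--    uses_self_credential = 1 is "Be made using the login's current security
--    context"; a row with remote_name set is the fixed-credential mapping from
--    step 13 of the Management Studio procedure.
SELECT  srv.name AS linked_server, srv.provider, srv.data_source,
        ISNULL(lp.name, N'<logins not listed>') AS local_login,
        ll.uses_self_credential, ll.remote_name
FROM    sys.servers             AS srv
JOIN    sys.linked_logins       AS ll ON ll.server_id = srv.server_id
LEFT JOIN sys.server_principals AS lp ON lp.principal_id = ll.local_principal_id
WHERE   srv.is_linked = 1
ORDER BY srv.name, local_login;
```

The SPN registrations and delegation flags themselves live in Active Directory and are checked with the Kerberos Configuration Manager described above; these queries only confirm what the SQL Server side ended up with.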

Chapter 6

Symantec ICA Configuration

The Symantec ICA (Information Centric Analytics) administration section allows administrators full control over server settings, data sources, content display, user rights management, dashboards, and other settings. The administration section is available to those users that have administrator privileges. After Symantec ICA installation, you and your team should configure Symantec ICA to ensure a successful implementation, as well as maximize the functionality and capabilities of Symantec ICA.

The following is the recommended way to set up Symantec ICA:

1. Configure integration packs. See Also: Symantec ICA Integration Guide

2. Run Symantec ICA Processing Job using Microsoft SQL Server Management Studio to import the data from sources. This will bring in the following: l Organizations and Regions

l Policies

l Users 3. Define Incident Settings. Set loss impact before policies because policies include loss impact to the organization. See Also: "Incident Settings" on page 104

4. Define data-in-motion (DIM) event groups and rollups. See Also: Symantec ICA User Guide for information about event groups and rollups

5. Define DIM remediation actions. See Also: "Remediation Action Types" on page 109

6. Set up Symantec ICA privileges. The following must be available before specifying privileges:

• Organizations

• Countries

• Metrics

• Policies

• Queues

• Remediation actions

• Custom entity actions, if using custom entity actions in Symantec ICA

• Custom dashboard groups, if using custom dashboard groups in Symantec ICA

• Custom dashboards, if using custom dashboards in Symantec ICA

See Also: Privileges configuration information in Symantec ICA Administrator Guide

The following chapters describe in detail how to configure Symantec ICA:

• Settings Configuration

• Dashboards Configuration

NOTE: For information about enabling Cisco DUO multi-factor authentication, refer to Symantec ICA Administrator Guide

Chapter 7: Settings Configuration

The Settings section in the Symantec ICA (Information Centric Analytics) administration section includes all configuration options for the Symantec ICA server, some of which are populated during post-installation tasks. This section allows you to change general settings, and configure policies, notifications, entity actions, and so on.

The following option groups are configured based on security personnel needs:

• General: Applies to the overall Symantec ICA interface. Administrators use these settings to identify the database server and SMTP settings, and other hardware settings. The page also includes sections for defining the notification settings, risk scoring, and advanced settings. See Also: "Configuring General Settings" on page 65

• Data In Motion: Defines the incident settings, remediation actions, and remediation notifications for data-in-motion incidents and events pages. See Also: "Configuring Data in Motion Settings" on page 104

• Policy: Aligns Symantec ICA reporting with your corporate data loss prevention initiatives. Symantec ICA policies mimic the policies configured in your organization's data loss prevention tools, but in a broader fashion. For example, a Symantec ICA policy can be associated with one or more data loss prevention policies; however, an individual corporate data loss prevention policy can only be associated with one policy in Symantec ICA. See Also: "Configuring Policy Settings" on page 112

• Queues: Groups data loss prevention incidents that are related by some common attribute. Multiple users can work with individual queues to resolve incidents of a similar nature. Administrators set which users and roles can view queues, and who can assign items to the queues. See Also: "Configuring Queue Settings" on page 112

• Web Activity: Sets which web activities are allowed and which activities are blocked, as the activities relate to user actions. See Also: "Configuring Web Activity Settings" on page 114

• Vulnerability Management: Allows you to set a vulnerability to be a global false positive event, or change the severity level. A justification and approver must be included with the change. See Also: "Configuring Vulnerabilities Settings" on page 114

• Residual Risk Settings: Sets the initial values and ranges for residual risk. Residual risk is the potential risk to an asset after applying all security measures. Each threat to an environment incurs residual risk. See Also: "Configuring Residual Risk Settings" on page 116

• Action Plan: Defines the status, resolution, reason, and priority attributes for action plans. Action plans serve as workflows that let a mitigator interact with other security personnel to resolve the events and vulnerabilities that have been identified by Symantec ICA. See Also: "Configuring Action Plan Settings" on page 116

• Details Grid Configuration: Allows display of additional tabular data within Symantec ICA. The data is typically at a more granular level than what is displayed in other sections. This feature uses entity actions to run queries that retrieve records and additional details from a SQL database or a cube in Symantec ICA, allowing users to drill into the data. Administrators can modify or create new queries to display the specific data, and apply them to portions of Symantec ICA. See Also: "Configuring Details Grid Configuration Settings" on page 118

• Entity Actions: Gives users additional functionality when viewing data within Symantec ICA, based on entity type. An entity is a person or object that can cause or receive a security event. These entity actions are applied to rows in the details grid view and act as a shortcut for other tasks associated with the data, such as View Files, Search for Event, or Search for User. See Also: "Configuring Entity Actions Settings" on page 118

• Notifications: Allows administrators to create notifications such as approval requests or assignment notifications. The notifications can be set for individuals and roles. See Also: "Configuring Notifications" on page 120

• Organizations and Regions: Allows you to create an organization hierarchy that represents your organization's business structure. This allows users the option of filtering data by specific corporate unit, region, or country. The hierarchy displays as a tree model with selectable and collapsible nodes, providing a visual representation of your organization. See Also: "Configuring Organizations and Regions Settings" on page 121

• Operating Systems: Allows you to set the rules for the operating system data imported into Symantec ICA. See Also: "Configuring Operating Systems" on page 122

Configuring General Settings

General settings include configuration options for the Symantec ICA server including risk scoring settings, notification settings, and server settings for email notifications. To configure general settings, select Settings under Administration, and then select General. The following sections describe the general configuration settings and how to add custom settings:

• Configuring Advanced Settings

• Configuring Action Plan Settings in General Settings

• Configuring Application Notification Settings

• Configuring Application Startup Tasks Settings

• Configuring Branding Settings

• Configuring Core Processing Settings

• Configuring Custom Help Links Settings

• Configuring Dashboard Settings

• Configuring Data In Motion Settings in General Settings

• Configuring Data Retention Settings

• Configuring Database Maintenance Settings

• Configuring Email Settings

• Configuring Event Enrichment Settings

• Configuring Event Scenario Settings

• Configuring Labels Settings

• Configuring Licensing Settings

• Configuring Metric Settings

• Configuring Normality Scoring Settings

• Configuring Residual Risk Settings in General Settings

• Configuring Risk and Compliance Settings

• Configuring Risk Model Settings

• Configuring Risk Scoring Settings

• Configuring Risk Scoring - Overall Settings

• Configuring Scan Exclusions Settings

• Configuring TAXII Client Settings

• Configuring User Access Review Settings

• Configuring Vendor Notifications Settings

• Configuring Vulnerability Notifications Settings

• Adding a New Setting

Configuring Advanced Settings

Advanced settings affect the overall Symantec ICA interface, such as password length, default landing page, and which sections are displayed to which users.

To configure advanced settings, do the following:

1. In the Symantec ICA administration section, select Settings, and then select General.

2. Scroll to the Advanced Settings section.

3. Configure the settings as needed. The following table lists the configuration options:

Table 7-1 Advanced Settings Configuration Options

Setting: Description
Account Name Label: Sets the account name label.
Admin Access Denied HTML Message: Provides the denied access message when an unauthorized user tries to access the Administration section.
Agent Required Threshold Percentage: Sets the threshold for agent-required incidents.
Allow CE2V History table or index compression for Compliance Issue State: Enables compression of the computer endpoint vulnerabilities history table or index.
Allow disabling or enabling of CE2V History indexes for Compliance Issue State: Enables creation of the computer endpoint vulnerabilities history index.
Allow disabling or enabling of CE2V indexes for Compliance Issue State: Enables creation of the computer endpoint vulnerabilities index.
Allow Symantec DeepSight integration to update vulnerability definitions: Enables the Symantec DeepSight integration pack to update vulnerability definitions.
Analysis Access Denied HTML Message: Provides the denied access message when an unauthorized user tries to access the Reports section.
Analysis Home Page: Sets the home page for Symantec ICA.
Analysis Services Database: Identifies the Analysis Services database. This database is usually named Symantec ICA.
Analysis Services Server: Identifies the Analysis Services server.
Analysis Services Timeout in Seconds: Sets the Analysis Services timeout value, in seconds.
Application Offline: Sets the application offline.

Application Offline Default Message: Provides the application offline message.
Application Offline Message Path: Sets the path for the application offline message text file.
At Risk Days: Sets the number of days prior to the requested completion date for the action plan status to change to At Risk.
Batch Size for Staging Qualys Hosts: Sets the number of records to pull from the source tables for each batch job related to hosts data.
Batch Size for Staging Qualys Vulnerability Detections: Sets the number of records to pull from the source tables for each batch job related to vulnerability data.
Behavior Organization Attribute: Provides the behavior organization abbreviation.
Behavior Organization Label: Provides the behavior organization label.
Behavior Tool Excluded Policy IDs: Sets the policy identifiers to exclude for behavior findings.
Behavior Tool Excluded Protocol IDs: Sets the protocol identifiers to exclude for behavior findings.
Busy Count Last Updated Hour Timeout: Sets the timeout limit when an action plan display update fails to complete for an action plan. The default time is 5 hours.
Changing Event Classification Can Set Mitigation: Enables setting an event to "Mitigated" when changing an event classification.
Changing Event Classification Can Unset Mitigation: Enables setting an event to "Unmitigated" when changing an event classification.
Dashboard Caching Enabled: Enables dashboard caching.
Data Flow Access Denied HTML Message: Provides the denied access message when an unauthorized user tries to access a data flow.
Data Flow Add Device Help: Enables including a text message when associating additional devices.
Data Flow Application Owner Hint: Provides a hint to the data flow application owner.
Data Flow Empty List Text: Informs a user that the user does not have any assigned data flows.
Data Flow Linked Server Type: Sets the linked data flow server types.
Database Query Timeout: Sets the timeout limit for database queries.
Date of Last Processed Event for Ground Speed Violation
Default Cache Duration: Sets the amount of time to keep cached data.
Default Configuration Issues Severity Selection: Sets the default severity filter options for configuration issues.
Default Domain: Sets the default domain.

Default File Import Delimiter: Sets the delimiter, such as a comma, used when importing files.
Default Invalid User Message Text: Sets the default message when an invalid user name is entered.
Default Landing Page: Sets the default landing page for Symantec ICA users. The default can be overridden in a user's privilege settings.
Default Number of Additional Job Threads a Parallel Job can run: Sets the number of job threads for the staging process during the nightly processing job. Setting the value to 1 turns off parallel job processing.
Default Photo for Users: Sets the default image for users. Click Set Image, and navigate to the image. When you have selected the image, click Save. This image is used when a user does not have a photo associated with their account.
Default Vulnerabilities Detection Type Selection: Sets the default detection type filters for the Vulnerabilities pages. The filters are listed in the drop-down list. More than one filter can be selected from the list.
Default Vulnerabilities State Selection: Sets the default state filters for the Vulnerabilities pages. The filters are listed in the drop-down list. More than one filter can be selected from the list.
Default Vulnerabilities Status Selection: Sets the default status filters for the Vulnerabilities pages. The filters are listed in the drop-down list. More than one filter can be selected from the list.
Disable Auto-Provisioning Users based on HasSelfServiceAccess logic: Disables automatic access to Symantec ICA based on asset ownership, scoping, and membership in a Microsoft Active Directory group.
Display Verbose Error Messages in Pop Up: Enables verbose error messages in a pop-up window.
Display Version Number: Enables display of the Symantec ICA version on the navigation menu.
Dropbox Connection Timeout (ms): Sets the timeout value for a Dropbox connection. Time is set in milliseconds.
Dropbox File Transfer Timeout (m): Sets the timeout value for Dropbox file transfers. Time is set in minutes.
Edit Distance Includes Name Checking: Enables comparison of the sender's name on an email message to the recipient using an edit-distance similarity algorithm.
Edit Distance Includes Sort Checking: Enables comparison of the sender's name on an email message to the recipient, using an edit-distance similarity algorithm when the first and last names are transposed in the addresses, based on alpha-ordering of strings.
Edit Distance First Name Boost Factor: Works with Edit Distance Includes Name Checking. If there is no last name match but there is a first name match, then the first name boost factor is applied. Symantec recommends not changing the boost factor value.
Edit Distance Last Name Boost Factor: Works with Edit Distance Includes Name Checking. If there is a last name match, then the last name boost factor is applied. The default boost factor for the last name is higher than for the first name because a last name match indicates a higher likelihood that the email addresses belong to the same user. Symantec recommends not changing the boost factor value.
Edit Distance Sorted String Boost Factor: Works with Edit Distance Includes Sort Checking. A higher boost factor means a greater emphasis is placed on calculations using the alpha-ordering of strings. Symantec recommends not changing the boost factor value.
Edit Distance Upper Bound Name Check Booster: Works with Edit Distance Includes Name Checking. The first and last name boost factors are not applied if the score has already reached the upper bound. Symantec recommends not changing the boost factor value.
Enable Authentication: Enables the Authentication section.
Enable Authentication Classification Prediction: Enables Symantec ICA to predictively classify authentication behaviors based on previous classifications.
Enable Debug Mode: Enables debugging mode.
Enable DIM Classification Prediction: Enables DIM classification prediction based on similar incidents.
Enable Entity Based Compliance Findings: Enables entity-based compliance findings. By default, compliance findings are created by queues. Select this option to create compliance findings based on entities.
Enable Import Admin: Enables import administration.
Enable License Expiration Email Alerts: Enables email messages to be sent prior to license expiration. See Also: "Configuring Licensing Settings" on page 89
Enable Newsletter Admin: Enables the newsletter administration option. The newsletter option appears on the Symantec ICA menu.
Enable PII Data Masking in Analyzer: Enables masking of personally identifiable information (PII) in the analyzer. When the option is enabled in Settings, the following items are masked in the analyzer:

• User or person identifiers and account names

• First and last names

• Email addresses

• Phone numbers

• Job titles

• Addresses (city, state, country, and postal code)

• Organizations

• Departments

• File names

• Network endpoint identifiers

The masking uses the following format:

• User attributes: User-ID

• Person attributes: Person-ID

• File name: File-ID

• Country: Country-ID

• Organization name: Org-ID

• Sub-organization name: SubOrg-ID

• Network endpoint identifier: NE-ID

Enable Vulnerabilities Portal: Enables the Vulnerabilities menu option in Symantec ICA.
Entity Association Is Current Days: Sets the number of days for entity associations to be considered current.
Exception Approval or Denial Email Notification Enabled: Enables exception email notification for approval and denial messages.
Exception Draft Message: Sets the default exception message.
Exception Email Notification Default From Address: Sets the email address for exception notifications.
Exception Instructions: Sets the text for the exception instructions.
Exception Key: Identifies which XML tag to use as the base tag when reading and parsing data for exceptions.
Exception New Submission Email Notification Enabled: Enables exception email notification for new submissions.
Exception New Submission Email Notification To Address: Sets the email address for new exception notifications.
Exception Request Types to Display: Defines the types of exception requests to display in the user interface.
Exception Simplified Form: Enables the simplified form for exceptions.
Exception Simplified Workflow Enabled: Enables the simplified workflow for exceptions.
Exception Status-driven Compliance Issue Reasons: Sets the compliance issue reasons for exceptions.
Exception Submit Message: Sets the submission message for exception requests.
Exception Tool Sources: Sets the source tools available to Symantec ICA for exceptions, such as Microsoft Active Directory and Qualys.
External Authentication Group: Sets the external authentication group.

External Authentication Port: Sets the external authentication port.
External Authentication Server: Sets the external authentication server.
Flip the Action bit to 1, when a status is changed after incident is added to a group: Marks an incident as actioned when the instance's event statuses are changed in Symantec DLP.
If set to 1, will enable detailed logging of searches in Log_DataTransformationGroup/Log_DataTransformation: Enables detailed search logs.
Inherent Risk Description: Describes the reasoning about inherent risk. The description appears when a user selects the help icon on the Risk Assessment tab.
Intraday Job: Specifies the intraday job for Symantec ICA.
Invalid User Message Text Path: Sets the path for the invalid user message text file.
IT Analytics Server URL
Local Time Zone Name: Specifies the time zone of the server. The time is displayed when scheduling dashboard export messages.
Location of header image on (TaskRunner) server: Identifies the location of the logo file on the server.
Location of header image on web server: Identifies the location of the logo on the web server.
Maximum coefficient of variation value for setting the IsScheduledBehavior flag to true: Sets the standard deviation from the mean when calculating scheduled behavior.
Minimum Date Range Value for Setting the IsScheduledBehavior Flag to True: Sets the minimum date range for scheduled behavior calculations. For example, setting the value to 90 would cause the calculations to compare the last 90 days of similar events.
Minimum miles per hour speed to be considered ground speed violation: Sets the minimum speed for data transmission to be considered a violation. For example, a person logs in from San Francisco, and 20 minutes later that same person logs in from Tokyo. There is no way the same person can log in from those two locations.
Minimum Record Count for Setting the IsScheduledBehavior Flag to True: Sets the minimum record count for scheduled behavior calculations.
Minutes of Inactivity to Consider Running Integration Wizard Job Dead: Sets the timeout value in minutes for integration jobs that have stopped processing.
Nightly Job: Specifies the Symantec ICA nightly job.
Nightly Job Failure Alert Emails: Identifies the email addresses that receive nightly job failure messages.

Nightly Job Failure Alert Threshold: Sets the threshold in minutes for the nightly job failure alert.
No Host Prefix: Sets the prefix when the host is not otherwise identified in the system.
Number of Days of Data in LDW_EventDetail: Sets the number of days to retain event detail data.
Number of Days of Data in LDW_EventDetailArchive: Sets the number of days to retain event details as archive data.
Number of Days of Events in Closed Action Plans to Preserve: Sets the number of days to retain action plan events after closing an action plan. The default is 30 days.
Number of Days of Events in Risk Models to Preserve: Sets the number of days to retain events used in risk models.
Number of Days of Events in Scenarios to Preserve: Sets the number of days to retain events used in scenarios.
Number of Days to Update Computer Endpoint Agent Applicability: Sets the date interval for checking computer endpoint agents.
Organization All Logo: Sets the logo on scorecards for the All category.
Organization Attribute: Sets the organization attribute.
Organization Display Field: Sets the display text for Incidents, Issues, and Metrics when searching the Vulnerabilities and User Behavior pages. Options are Name to display full organization names and Abbreviation to display abbreviated organization names.
Organization Label: Defines the organization label or alias.
Organization None Label: Sets the text when an organization label has not been provided to the system.
Organization Plural Label: Sets the title and message for organization settings when using a plural value.
Organization Singular Label: Sets the title and message for organization settings when using a singular value.
Path to Database Utilities: Identifies the server location of the database utility files.
Percent to Trim Off Edges From Distance in Seconds Between Events when Calculating IsScheduledBehavior: The percentage of high and low event distances to remove from the scheduled behavior calculations.
Portal Access Denied HTML Message: Provides the denied access message when an unauthorized user tries to access the Symantec ICA section.
Predict Source And Destination Computer Endpoint And IP Watermark: Sets the date for the source, destination, and IP address watermark.

Previous Threat Status: Sets the previous threat status.
Print To PDF Instructions Override: Sets the text for the print-to-PDF option when exporting a dashboard.
Query Log Threshold, in Seconds: Sets the threshold time for the query log, in seconds.
Region Display Field: Sets the region label on dashboards. Options are Name to display full country names and Abbreviation to display abbreviated country names.
Region Display Levels: Sets the display level for regions. Options are Name to display country names, and Abbreviation to display country abbreviations. A value of 1 shows the region; a value of 2 shows the region and country.
Region None Label: Sets the text when a region label has not been provided to the system.
Region Plural Label: Sets the title and loading message for Region settings when using a plural value.
Region Singular Label: Sets the title and loading message for Region settings when using a singular value.
Request Database Query Timeout Message: Sets the text for the query timeout message. The message appears when there is a SQL query timeout.
Request Exception Message: Sets the text for the request exception message. The message appears when there is a code or interface exception.
Risk Scores Retention Days: Sets the number of days to retain an entity's risk scores. The default is 90 days.
Risk Vectors Retention Days: Sets the number of days to retain an entity's risk vectors. The default is 90 days.
Scan Exclusion Default From Address: Sets the default sender address for scan exclusions.
Scan Exclusion Email Override: Sets the email override for scan exclusions.
Scan Exclusion Email Recipients: Sets the list of scan exclusion email message recipients. The entries are a comma-separated list.
Scan Exclusion Enable Notifications: Enables sending scan exclusion notifications.
Scan Exclusion Notification URL: Sets the URL for the scan exclusion notifications.
Show User Entity Incident Rollup: Enables showing the user entity incident rollup.
SQL Command Time Out (seconds): Sets the query timeout value in seconds for SQL queries.
Sub-organization Label: Sets the sub-organization label of an organization.

Suborganization None Label: Sets the text when a sub-organization label has not been provided to the system.
The Default Setting for DIM Policy Enablement: Enables the default setting for DIM policies. The default setting is false.
The Last Year Reflected In The Date Dimension: Sets the last year to use in the date dimension.
Use Only Host Name when Computer Endpoint is Associated with Multiple Domains: Sets the computer endpoint names to the host name, without the domain, when there is more than one domain associated with the computer endpoint. NOTE: When this option is not selected, the default computer endpoint name has the following format: computerName_domainName
User Scorecard Mode: Sets the way that pop-up scorecards are displayed in Symantec ICA. Options are None (scorecards do not pop up when hovering over a name), Mouse Over (scorecards pop up when hovering over a name), and On Click (scorecards pop up when the user clicks on a name; this is the default).
Vendor Summary Authentication Threshold: Sets the vendor summary authentication threshold.
VIP Label: Sets the VIP label as the title of the VIP in the application.
Web Activity Days to Process: Sets the number of web activity days to process.
Web Activity Default Action Taken Blocked List: Lists the type of default actions for blocked web activity, such as blocked or denied.
Website Address of Symantec ICA: Sets the Symantec ICA URL.
Whitelist of External Widget URLs: Identifies the external URLs that can be used with external content widgets on dashboards.

4. Click Save Settings to apply the changes.
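Table 7-1 names the thresholds behind two behavior findings, the ground speed violation and the IsScheduledBehavior flag, without giving the formulas. The following is an added worked example, not Symantec ICA's own code: it assumes a haversine great-circle distance divided by elapsed time for the implied travel speed, and the coefficient of variation (population standard deviation divided by mean) of the trimmed gaps between consecutive events for scheduled behavior; the logins and event series are constructed.

```python
"""Added worked example for two Advanced Settings thresholds (not Symantec ICA's own code).

Assumptions, since the guide gives the settings but not the formulas:
  - ground speed = great-circle (haversine) distance / elapsed time, in miles per hour
  - IsScheduledBehavior = coefficient of variation (population std dev / mean) of the
    seconds between consecutive events, after trimming a percentage off both edges
All logins and event times below are constructed sample data.
"""
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt
from statistics import mean, pstdev

EARTH_RADIUS_MILES = 3958.8

# Constructed logins for one account: (latitude, longitude, timestamp)
SF_LOGIN = (37.7749, -122.4194, datetime(2020, 3, 23, 9, 0))
TOKYO_LOGIN = (35.6762, 139.6503, datetime(2020, 3, 23, 9, 20))      # 20 minutes later
SAN_JOSE_LOGIN = (37.3382, -121.8863, datetime(2020, 3, 23, 11, 0))  # 2 hours later


def haversine_miles(lat1, lon1, lat2, lon2):
    """Great-circle distance in miles between two points given in decimal degrees."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_MILES * asin(sqrt(a))


def ground_speed_mph(login_a, login_b):
    """Speed the account holder would have needed to travel between two logins."""
    lat1, lon1, t1 = login_a
    lat2, lon2, t2 = login_b
    hours = abs((t2 - t1).total_seconds()) / 3600.0
    if hours == 0:
        return float("inf")  # same instant from two places: infinitely fast
    return haversine_miles(lat1, lon1, lat2, lon2) / hours


def is_ground_speed_violation(login_a, login_b, min_mph):
    """True when the implied speed reaches the 'Minimum miles per hour speed to be
    considered ground speed violation' setting."""
    return ground_speed_mph(login_a, login_b) >= min_mph


def is_scheduled_behavior(event_times, max_cv, min_days, min_records, trim_percent):
    """Decide whether a series of similar events for one user looks machine-scheduled.

    max_cv:       Maximum coefficient of variation value for setting the flag to true
    min_days:     Minimum Date Range Value (the series must span at least this many days)
    min_records:  Minimum Record Count
    trim_percent: Percent to Trim Off Edges From Distance in Seconds Between Events
    """
    times = sorted(event_times)
    if len(times) < min_records:
        return False
    if times[-1] - times[0] < timedelta(days=min_days):
        return False
    gaps = sorted((b - a).total_seconds() for a, b in zip(times, times[1:]))
    k = int(len(gaps) * trim_percent / 100.0)  # gaps dropped from each edge
    trimmed = gaps[k:len(gaps) - k] if k else gaps
    if len(trimmed) < 2:
        return False
    avg = mean(trimmed)
    if avg == 0:
        return False
    return pstdev(trimmed) / avg <= max_cv


def sample_scheduled_series():
    """Constructed: 120 events about an hour apart over five days, like a cron job."""
    t = datetime(2020, 3, 1, 0, 0)
    times = [t]
    for i in range(119):
        t += timedelta(seconds=3600 + (i % 3 - 1) * 5)  # 3595, 3600 or 3605 seconds
        times.append(t)
    return times


def sample_human_series():
    """Constructed: 40 events with irregular gaps (a minute to ~5.5 hours) over ~4.6 days."""
    t = datetime(2020, 3, 1, 8, 0)
    times = [t]
    for i in range(1, 40):
        t += timedelta(seconds=(i * 7919) % 20000 + 60)
        times.append(t)
    return times


if __name__ == "__main__":
    print("SF -> Tokyo in 20 min: %.0f mph" % ground_speed_mph(SF_LOGIN, TOKYO_LOGIN))
    print("violation at 500 mph:", is_ground_speed_violation(SF_LOGIN, TOKYO_LOGIN, 500))
    print("scheduled series:", is_scheduled_behavior(sample_scheduled_series(), 0.1, 3, 30, 5))
    print("human series:", is_scheduled_behavior(sample_human_series(), 0.1, 3, 30, 5))
```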

Configuring Action Plan Settings in General Settings

To configure action plan settings, do the following:

1. In the Symantec ICA administration section, select Settings, and then select General.

2. Go to the Action Plans section.

3. Configure the settings as needed. The following table lists the configuration options.

Table 7-2 Action Plan Settings Configuration Options

Setting: Description
Date Change Notification To Address: Sets the recipient address for notifications when action plan dates are changed in the system.
Disabled: Disables the Action Plans option on the navigation menu.
Notification BCC Address: Sets the default BCC email address for action plan notifications. BCC is the abbreviation for blind carbon copy. These recipients will receive the email message, but will not be shown in the email message.
Notification CC Address: Sets the default CC email address for action plan notifications.
Notification From Address: Sets the default sender's email address for action plan notifications.
Notifications Enabled: Enables sending of action plan notifications.

4. Click Save Settings to apply the changes.

Configuring Application Notification Settings

Application notification settings include configuration for enabling notifications and a polling interval. These notifications inform users when they have to do an activity, and send general notifications about Symantec ICA. To configure application notification settings, do the following:

1. In the Symantec ICA administration section, select Settings, and then select General.

2. Go to the Application Notifications section.

3. Configure the settings as needed. The following table lists the configuration options:

Table 7-3 Application Notifications Settings Configuration Options

Setting: Description
Application Notifications Enabled: Enables application notifications.
Application Notifications Mark As Read Delay (ms): Sets the time in milliseconds before an item is marked as read.
Application Notifications Polling Enabled (ms): Enables polling of the notifications.
Application Notifications Polling Interval (ms): Sets the time in milliseconds for polling.

4. Click Save Settings to apply the changes.

Configuring Application Risk Scoring Settings

Application risk scoring settings include configuration options for displaying vectors and setting risk ratings. The vectors and ratings appear on the Risk Level tab of the individual application pages in the Assets section. To configure application risk scoring settings, do the following:

1. In the Symantec ICA administration section, select Settings, and then select General Settings.

2. Go to the Application Risk Scoring settings section.

3. Configure the settings as needed. The following table lists the configuration options. The thresholds trigger a notification based on the previous day's events.

Table 7-4 Application Risk Scoring Settings Configuration Options

Setting: Description
Display the vector scores sorted by ordinal, true, or false to be sorted by application's vector scores: Enables the sorting and display of application vector scores.
Enable Application Risk Score Calculation: Enables calculation of risk scores for applications.
Include the Unrated applications as part of the percentage of low: Enables the inclusion of unrated applications counted in the percentage of low-risk applications.
Literal threshold (inclusive) for Critical risk ratings: Sets the raw risk score for applications to be considered critical risk.
Literal threshold (inclusive) for High risk ratings: Sets the raw risk score for applications to be considered high risk.
Literal threshold (inclusive) for Medium risk ratings: Sets the raw risk score for applications to be considered medium risk.
Number of days back to use in calculating application risk score ratings: Sets the number of days used to calculate application risk score ratings.
Number of desired Critical application risk score ratings: Sets the number of applications considered critical.
Percentage of desired High application risk score ratings: Defines the percentage for the high category for the application risk score. The default is the top 2 percent. NOTE: Administrators can add, delete, and change the vectors used for the risk score.
Percentage of desired Low application risk score ratings: Defines the percentage for the low category for the application risk score. The default is the bottom 66 percent. NOTE: Administrators can add, delete, and change the vectors used for the risk score.
Suppress vectors whose values for application, peers, and organization are all zero: Disables the vectors from being displayed when the computer endpoints have a value of zero.
The maximum number of vectors to be displayed in the vector graph: Sets the maximum number of risk vectors to display on the vector graph. Enter 0 to display all risk vectors with a score greater than zero.
The minimum number of vectors to be displayed in the vector graph: Sets the minimum number of risk vectors to display on the vector graph.
Use the literal threshold to assign risk ratings: Enables the use of the literal threshold for risk ratings.

4. Click Save Settings to apply the changes.

Configuring Application Startup Tasks Settings

Application startup tasks settings include options for removing hard-coded settings. To configure application startup tasks settings, do the following:

1. In the Symantec ICA administration section, select Settings, and then select General.
2. Go to the Application Startup Tasks section.
3. Configure the settings as needed. The following table lists the configuration options:

Table 7-5 Application Startup Tasks Settings Configuration Options

Remove Hard-Coded Connections from Details Grid Queries if they Match Stored Connections: Enables Symantec ICA to use default values. The Detail definitions are stored in XML format in the database, and contain the connection information for the queries.
Remove Hard-Coded Metric Dashboard Configuration Connections on Application Startup: Enables Symantec ICA to use default values. The metric dashboard definitions are stored in XML format in the database, and contain the connection information for the queries.

4. Click Save Settings to apply the changes.

Configuring Branding Settings

The Symantec ICA interface colors and logo, referred to as "branding" in Settings, can be customized for your environment.


In the preceding image, the following items can be changed:

1. Header color
2. Header logo
3. Navigation menu item selected indicator color
4. Selected menu item color
5. Expanded menu background color
6. Menu font color
7. Menu icon color
8. Navigation menu color
9. Header icon color
10. Header font color

NOTE: The notifications alert color, hovered-over menu item color, and expanded navigation menu color can also be changed by the administrator.

To configure branding settings, do the following:

1. In the Symantec ICA administration section, select Settings, and then select General.
2. Scroll to the Branding Settings section.
3. Configure the settings using hexadecimal values for colors, as needed. The following table lists the configuration options:

NOTE: To use the default color or logo, leave the setting field blank.

Table 7-6 Branding Settings Configuration Options

Background color of the expanded left navigation bar: Sets the color of the expanded navigation bar.
Background color of the expanded left navigation menu item: Sets the background color for the expanded navigation menu items.
Background color of the left navigation: Sets the background color for the left navigation bar.
Background color of the left navigation menu item being hovered over: Sets the background color for the navigation item when hovering the mouse over the item.
Background color of the notification alerts: Sets the background color for the notification alerts.
Background color of the selected left navigation menu item: Sets the background color for the selected menu item.
Background color used to denote critical risk: Sets the background color for risks rated critical. This option works with the Risk rating text color used to denote critical risk option.
Background color used to denote high risk: Sets the background color for risks rated high. This option works with the Risk rating text color used to denote high risk option.
Background color used to denote low risk: Sets the background color for risks rated low. This option works with the Risk rating text color used to denote low risk option.
Background color used to denote medium risk: Sets the background color for risks rated medium. This option works with the Risk rating text color used to denote medium risk option.
Background color used to denote unrated risk: Sets the background color for risks that are not rated. This option works with the Risk rating text color used to denote unrated risk option.
Color of the header: Sets the color for the header.
Color of the header font: Sets the color of the header font.
Color of the header icons: Sets the color of the header icons.
Color of the left navigation font: Sets the color of the navigation font.
Color of the left navigation icons: Sets the color of the menu icons.
Color of the left navigation selected indicator: Sets the color of the selected navigation item.
Color used to denote a decrease in risk score: Sets the color to show a decrease in risk scores on charts.
Color used to denote an increase in risk score: Sets the color to show an increase in risk scores on charts.
Color used to denote no change in risk score: Sets the color to show no change in risk scores on charts.
Color used to signify a bad trend: Sets the trend color for bad trends.
Color used to signify a good trend: Sets the trend color for good trends.
Color used to signify a neutral trend: Sets the trend color for neutral trends.
Color used to signify an improving trend: Sets the trend color for improvement trends.
Color used to signify the trend has new data: Sets the trend color for new data trends.
Color used to signify the trend has no data: Sets the trend color for no data.
Path to home page logo: Specifies the path to the logo for the home page. NOTE: Total height for the logo area is 85 pixels. Symantec recommends sizing the logo to 65 pixels high, with an additional 10 pixels for the top and bottom margins, respectively. The width should be scaled to match the height.
Risk rating text color used to denote critical risk: Sets the rating text color for risks rated critical.
Risk rating text color used to denote high risk: Sets the rating text color for risks rated high.
Risk rating text color used to denote low risk: Sets the rating text color for risks rated low.
Risk rating text color used to denote medium risk: Sets the rating text color for risks rated medium.
Risk rating text color used to denote unrated risk: Sets the rating text color for risks that are not rated.
Risk score text color used to denote critical risk: Sets the score text color for risks rated critical. This option works with the Background color used to denote critical risk option.
Risk score text color used to denote high risk: Sets the score text color for risks rated high. This option works with the Background color used to denote high risk option.
Risk score text color used to denote low risk: Sets the score text color for risks rated low. This option works with the Background color used to denote low risk option.
Risk score text color used to denote medium risk: Sets the score text color for risks rated medium. This option works with the Background color used to denote medium risk option.
Risk score text color used to denote unrated risk: Sets the score text color for risks that are not rated. This option works with the Background color used to denote unrated risk option.
Text color used to signify a bad trend: Sets the text color for bad trends.
Text color used to signify a good trend: Sets the text color for good trends.
Text color used to signify a neutral trend: Sets the text color for neutral trends.
Text color used to signify an improving trend: Sets the text color for improvement trends.
Text color used to signify the trend has new data: Sets the text color for new data trends.
Text color used to signify the trend has no data: Sets the text color for no data.
Top Risk button color: Sets the color for the Mitigated and Unmitigated buttons in the Top Risks section of entity pages.
Top Risks Risk title text color: Sets the text color for the Mitigated and Unmitigated text in the Top Risks section of entity pages.

4. Click Save Settings to apply the changes.

Configuring Computer Endpoint Risk Scoring Settings

Computer endpoint risk scoring settings include configuration options for displaying vectors, and setting risk ratings. The vectors and ratings appear on the Risk Level tab of the individual computer endpoint pages in the Assets section. To configure computer endpoint risk scoring settings, do the following:

1. In the Symantec ICA administration section, select Settings, and then select General Settings.
2. Go to the Computer Endpoint Risk Scoring settings section.
3. Configure the settings as needed. The following table lists the configuration options. The thresholds trigger a notification based on the previous day's events.

Table 7-7 Computer Endpoint Risk Scoring Settings Configuration Options

Display the vector scores sorted by ordinal, true, or false to be sorted by computer endpoint's vector scores: Enables the sorting and display of computer endpoint vector scores.
Enable Computer Endpoint Risk Score Calculation: Enables calculation of risk scores for computer endpoints.
Include the Unrated computer endpoints as part of the percentage of low: Enables the inclusion of unrated computer endpoints counted in the percentage of low-risk computer endpoints.
Literal threshold (inclusive) for Critical risk ratings: Sets the raw risk score for computer endpoints to be considered critical risk.
Literal threshold (inclusive) for High risk ratings: Sets the raw risk score for computer endpoints to be considered high risk.
Literal threshold (inclusive) for Medium risk ratings: Sets the raw risk score for computer endpoints to be considered medium risk.
Number of days back to use in calculating computer endpoint risk score ratings: Sets the number of days used to calculate computer endpoint risk score ratings.
Number of desired Critical computer endpoint risk score ratings: Sets the number of computer endpoints considered critical. In a company with 100 computers, the number may be 10, and in a company with 20,000 computers, the number may be 50.
Percentage of desired High computer endpoint risk score ratings: Defines the percentage for the high category for the computer endpoint risk score. The default is the top 2 percent.
Percentage of desired Low computer endpoint risk score ratings: Defines the percentage for the low category for the computer endpoint risk score. The default is the bottom 66 percent.
Suppress vectors whose values for computer endpoint are all zero: Disables the vectors from being displayed when the computer endpoints have a value of zero.
The maximum number of vectors to be displayed in the vector graph: Sets the maximum number of risk vectors to display on the vector graph. Enter 0 to display all risk vectors with a score greater than zero.
The minimum number of vectors to be displayed in the vector graph: Sets the minimum number of risk vectors to display on the vector graph.
Use the literal threshold to assign risk ratings: Enables the use of the literal threshold for risk ratings.

NOTE: Administrators can add, delete and change the vectors used for the risk score.

4. Click Save Settings to apply the changes.

Configuring Custom Help Links Settings

The Help section of the Symantec ICA navigation bar can include custom help links. To include custom help links settings, do the following:

1. In the Symantec ICA administration section, select Settings, and then select General.
2. Go to the Custom Help Links section.
3. Configure the settings as needed. The following table lists the configuration options:

Table 7-8 Custom Help Links Settings Configuration Options

Help Custom Link Name 1: Sets the name of the first custom link.
Help Custom Link Name 2: Sets the name of the second custom link.
Help Custom URL 1: Specifies the URL for the first custom link.
Help Custom URL 2: Specifies the URL for the second custom link.

4. Click Save Settings to apply the changes.

Configuring Dashboard Settings

Dashboard settings include configuration options to set dashboard cache, colors and timeout. To configure dashboard settings, do the following:

1. In the Symantec ICA administration section, select Settings, and then select General.
2. Go to the Dashboard Settings section.
3. Configure the settings as needed. The following table lists the configuration options. The thresholds trigger notifications based on the previous day's events.


Table 7-9 Dashboard Settings Configuration Options

Dashboard Cache Timeout: Sets the timeout for dashboard cache, in minutes.
Dashboard Widget Timeout: Sets the time limit for widget queries. Time is in seconds.
Default Colors: Sets the default colors for dashboards. Up to 20 colors can be set in hexadecimal format. Enter the colors as a comma-separated list. These colors are used on all dashboards, and analyzer charts.
Enable Scheduled Export of Dashboards: Enables the export of dashboards on schedules set by the users. NOTE: The SMTP email address setting must be configured with a valid email address. That address appears as the sender of the dashboard export. Refer to "Configuring Email Settings" on page 86 for information about the email address setting.
Export Watermark: Sets the watermark for exported dashboard PDFs and Microsoft Excel spreadsheets.
Show balloons for low values: Enables label and value information to be displayed for low values when hovering over a dashboard chart.

4. Click Save Settings to apply the changes.

Configuring Data In Motion Settings in General Settings

The Data In Motion settings define what users see when viewing data-in-motion (DIM) incidents. The settings include configuration for enabling data-in-motion email notifications, toolbar options, and remediation actions. To configure data in motion settings, do the following:

1. In the Symantec ICA administration section, select Settings, and then select General.
2. Go to the Data In Motion section.
3. Configure the settings as needed. The following table lists the configuration options:

Table 7-10 Data In Motion Settings Configuration Options

Cache Data In Motion Advanced Search Parameter Refresh Interval: Sets the refresh interval for cached data in motion searches.
Cache Data In Motion Advanced Search Parameter Values: Enables data in motion advanced search parameters.
Can View Sensitive Content Label: Sets the label for the DIM sensitive content (payload) option when viewing details. The default label is "View DIM Data."
Data In Motion Incident Behavior Type: Impacts metric rollup cube join operations for DIM incidents.
Data In Motion Rank View Day Range: Specifies the number of days for ranking data in motion incidents.
DIM Default Tab: Sets the default page displayed in the Data in Motion section. Options are Summary, Detail, or Differences.
Display Remediation Actions Divider: Enables the divider on the remediation action page.
Email to Notify of Remediation Source System Status: Enables the remediation source email message about system status.
Enable Data In Motion Drill-through: Enables DIM drill-through capability. This capability allows users to access the View in DLP option.
Enable DIM Notification Emails: Enables sending DIM notification email messages.
Enable DIM Remediation: Enables DIM remediation.
Enable DIM Remediation Custom Notification Resending: Enables custom resending of DIM remediation notifications.
Enable Enhanced DIM Data: Enables enhanced data in motion data.
Enable Generation of Legacy DIM Incident Groups on Remediation Action: Enables DIM incident remediation actions set using earlier versions of Symantec ICA.
Enable Legacy Screen for Remediation Action Configuration: Enables remediation actions defined using XML in earlier versions of Symantec ICA.
Enable Send Assign To Training Email: Enables sending an email message when a user is assigned to training.
Enable Send Escalate Email: Enables sending an email message when an event is escalated.
Enable Viewing My Data In Motion Incidents: Enables users to view their own data in motion incidents. NOTE: This setting is used with the user and role privilege Can View Own DIM Incidents. If this Data in Motion setting is not enabled, then users with the privilege cannot see their own DIM incidents.
Hide Occurred Date: Hides the Occurred Date field or column on Data in Motion pages. Occurred date is the date the incident was detected by the endpoint detection security database, not the Symantec ICA database.
Number of days to retry sending custom DIM notification: Sets the number of days to retry sending custom DIM notifications.
Override Remediation Action From Address: Enables the sender address of override remediation action messages.
Override Remediation Action To Address: Enables the recipient address for override remediation action messages.
Payload Details Window Title: Sets the window title for a details window.
Remediation Access Denied HTML Message: Provides the denied access message when an unauthorized user tries to access the User Behavior and Vulnerabilities sections.
Show Incident Entity Add Comment: Allows users to add comments to data in motion incidents.
Use Violations Service For DLP Sensitive Content: Enables the incident violation service from the DLP API to retrieve additional detailed violation information.
User Can View Data Label: Sets the data label.
Watermark For Last DIM Incident Assigned to Default Queue: Sets the watermark for the last DIM incident.

4. Click Save Settings to apply the changes.

Configuring Data Retention Settings

Data retention is the amount of time to keep relationship data for computer endpoints, such as IP address to computer endpoint. To set the amount of time for relationship data, do the following:

1. In the Symantec ICA administration section, select Settings, and then select General.
2. Go to the Data Retention section.
3. Enter the number of days to retain data relationships in the Entity Relationship Retention Days field.
4. Click Save Settings to apply the changes.

Configuring Email Settings

In order for notifications to be sent from Symantec ICA, the email settings need to be configured in this section. The settings include setting SMTP credentials and enabling SSL. To configure email settings, do the following:


1. In the Symantec ICA administration section, select Settings, and then select General.
2. Go to the Email section.
3. Configure the settings as needed. The following table lists the configuration options:

Table 7-11 Email Settings Configuration Options

Enable Emails: Enables email to be sent from Symantec ICA.
Enable SSL: Enables SSL (secure sockets layer) on the SMTP server.
SMTP Credentials Password: Specifies the SMTP (Simple Mail Transfer Protocol) password. Leave blank to use the default.
SMTP Credentials Username: Specifies the SMTP user name. Leave blank to use the default.
SMTP Email Address: Sets the SMTP email address. NOTE: This address must be set when the Enable Scheduled Export of Dashboards option is enabled in Dashboard Settings. This address appears as the sender of the dashboard export.
SMTP Port: Identifies the SMTP port.
SMTP Server: Identifies the SMTP server.

4. Click Save Settings to apply the changes.

Configuring Event Enrichment Settings

Symantec ICA uses event enrichment to supply event attributes when the imported data is missing attributes. Symantec ICA uses data from other tables to determine the missing attributes. For example, imported endpoint data may be missing the source computer name, but have the IP address and user name. Symantec ICA analyzes other tables to find the user and IP address, and extrapolates the source computer name. Administrators can query the tables to see which attributes were enriched by Symantec ICA.

NOTE: By default, Symantec ICA has enrichment turned on.

To set enrichment, do the following:

1. In the Symantec ICA administration section, select Settings, and then select General.
2. Go to the Event Enrichment section.
3. Configure the settings as needed. The following table lists the configuration options:

Table 7-12 Event Enrichment Settings Configuration Options

Enrich Events Missing Computer Endpoints: Allows Symantec ICA to determine missing computer endpoint data.
Enrich Events Missing IP: Allows Symantec ICA to determine missing IP address data.
Enrich Events Missing User: Allows Symantec ICA to determine missing user data.

4. Click Save Settings to apply the changes.

Configuring Event Scenario Settings

To configure event scenario settings, do the following:

1. In the Symantec ICA administration section, select Settings, and then select General.
2. Go to the Event Scenario section.
3. Configure the settings as needed. The following table lists the configuration options.

Table 7-13 Event Scenario Settings Configuration Options

Days to wait before creating higher level Step Up instances: Sets the number of days to wait before sending the next level email message about the event scenario. The default is one day.
Days to wait before resetting back to Level 1: Sets the number of days before resetting the event scenario threshold to level 1, based on when the last email message was sent. The default is 90 days.
Step Up Email From Address: Sets the sender address for event scenario notifications.
Step Up Last Level Setting: Enables notifications to be sent after the last level of the event scenario has been reached and more instances are generated for the entity.

4. Click Save Settings to apply the changes.
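The three step-up settings above interact in a way that is easier to see in a small model than in the table. The following is an added example, not Symantec ICA code: it treats a step-up scenario as a per-entity state (current level, date of the last email) and decides, for each new instance, whether an email goes out and at which level. The number of levels (max_level) is not stated on the page and is an assumed parameter; the one-day and 90-day defaults are the ones the table gives.

```python
"""Illustrative model of event scenario step-up notifications.

Added example, not Symantec ICA code. Settings map to the table above:
  days_before_next_level  -> "Days to wait before creating higher level Step Up instances" (default 1)
  days_before_reset       -> "Days to wait before resetting back to Level 1" (default 90)
  notify_after_last_level -> "Step Up Last Level Setting"
max_level is an assumption; the page does not state how many levels exist.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class StepUpSettings:
    days_before_next_level: int = 1
    days_before_reset: int = 90
    notify_after_last_level: bool = False
    max_level: int = 3  # assumed


@dataclass(frozen=True)
class StepUpState:
    level: int = 0                    # 0 means no email has been sent yet
    last_email: Optional[date] = None


def on_new_instance(state: StepUpState, today: date,
                    s: StepUpSettings) -> Tuple[StepUpState, Optional[int]]:
    """Apply one new instance of the scenario for an entity.

    Returns the updated state and the level to email, or None when the
    instance falls inside the waiting window (or past the last level with
    notify_after_last_level off) and no email is sent.
    """
    if state.last_email is None:
        return StepUpState(1, today), 1
    elapsed = (today - state.last_email).days
    # Reset is measured from the last email, as the table describes.
    if elapsed >= s.days_before_reset:
        return StepUpState(1, today), 1
    if elapsed < s.days_before_next_level:
        return state, None
    if state.level < s.max_level:
        nxt = state.level + 1
        return StepUpState(nxt, today), nxt
    if s.notify_after_last_level:
        return StepUpState(state.level, today), state.level
    return state, None


def simulate(day_offsets: List[int], s: StepUpSettings) -> List[Optional[int]]:
    """Feed instances on the given day offsets (constructed input) and
    return the level emailed for each, None where nothing was sent."""
    start = date(2020, 3, 1)  # arbitrary constructed start date
    state = StepUpState()
    sent = []
    for d in day_offsets:
        state, level = on_new_instance(state, start + timedelta(days=d), s)
        sent.append(level)
    return sent


if __name__ == "__main__":
    print(simulate([0, 0, 1, 2, 3, 4], StepUpSettings()))
    print(simulate([0, 1, 2, 3, 95], StepUpSettings(notify_after_last_level=True)))
```

With the defaults, two instances on the same day produce one email, and once the last level is reached further instances are silent unless Step Up Last Level Setting is enabled; an instance 90 or more days after the last email starts again at level 1.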

Configuring Labels Settings

To configure labels settings, do the following:

1. In the Symantec ICA administration section, select Settings, and then select General.
2. Go to the Labels section.
3. Configure the settings as needed. The following table lists the configuration options.

Table 7-14 Labels Settings Configuration Options

Application Category Label Alias: Sets the label displayed for applications on the navigation menu, top risk titles, entity type, and so on.
Application Label Plural: Sets the plural version of the applications label on menus.
Application Label Singular: Sets the singular version of the application label on menus.
Application Subcategory Label Alias: Sets the subcategory label for applications displayed on menus.

4. Click Save Settings to apply the changes.

Configuring Licensing Settings

Symantec ICA requires a valid license, and that license has an expiration date. Administrators can set an alert to be notified before the license expires. To configure the licensing settings, do the following:

1. In the Symantec ICA administration section, select Settings, and then select General.
2. Go to the Licensing section.
3. Configure the settings as needed. The following table lists the configuration options.

Table 7-15 Licensing Settings Configuration Options

Enable License Expiration Email Alerts: Enables the alert about license expiration.
License Expiration Alert Intervals (Days): Sets the number of days to send the alert prior to the expiration. Separate day values with commas, such as 1,5,30.
License Expiration Date: Indicates the expiration date. This is a read-only field set by the system during installation.
License Expiration Recipient Addresses: Sets the recipients for the alert.
License Expiration Sender Address: Sets the sender's address for the alert.

4. Click Save Settings to apply the changes.

Configuring Metric Settings

Metric settings include configuration for the metric window, and periods. The metrics appear on dashboards and scorecards. To configure metric settings, do the following:

1. In the Symantec ICA administration section, select Settings, and then select General.
2. Go to the Metric Settings section.
3. Configure the settings as needed. The following table lists the configuration options:

Table 7-16 Metric Settings Configuration Options

Allow Sorting on the Metric Display: Enables sorting on metric pages.
Bypass drill down on one item: Enables bypassing a scorecard drill-down page when there is only one metric for the scorecard group.
Default Height for Metric Window: Sets the default metric window height.
Default Sort Column for Metric Display: Sets the default sort of the metrics. The options are Current value, Change value, Metric name, Metric section, Previous value, and Trend.
Default Sort Direction for Metric Display: Sets the sort direction, ascending or descending, for the metrics.
Default Width for Metric Window: Sets the default metric window width.
Display Metric Regions: Enables the display of metric regions.
Display Summary Value on Landing Page: Enables the number of changes to be displayed on the top-level scorecard dashboard, in addition to the percentages when using rollup view. NOTE: Compact Mode must also be selected when configuring the scorecard dashboard.
Forward fill metric history data: Enables addition of metric history data.
Hide the detail button on the Metric Overview Window: Disables the Show Details option when viewing the cell details on a scorecard. When this option is selected, users only see the summary page when clicking a scorecard name.
Hide the Metric List View: Disables the List option on dashboard scorecards. When this option is selected, users only see the metrics rollup view.
Metric Country All Label: Sets the text for the All option when viewing country lists.
Metric Country None Label: Sets the text when a country label has not been provided to the system.
Metric Display Section Name Inline: Enables where to show the section name on the summary report.
Metric Display Status Arrow: Enables display of the status arrow in scorecards.
Metric Display Status Indicator: Enables display of the status indicator in scorecards.
Metric Display Trend Line: Enables display of the trend line in scorecards.
Metric Infinity Label: Sets the value to display when the number from the underlying metrics is too large.
Metric Organization All Label: Sets the value to display when the All dimension node is used in queries against the cube.
Metric Period Display Order: Sorts the metric periods on scorecards in either ascending or descending order.
Metric Periods: Sets the period for the metrics. Options are weekly, monthly, or quarterly.
Metric Periods Label: Sets the label for the displayed periods. Options are date and period. The number of periods shown depends on the Metric Periods to Display option.
Metric Periods To Display: Sets the number of metric periods to display on a scorecard.
Metric Region All Label: Sets the text for the All option when viewing region lists.
Metric Scorecards Should Show the Numerator and Denominator when Applicable: Enables showing the numerator and denominator on the metric scorecard.
Metrics Access Denied HTML Message: Defines the access denied message for metrics.
Period Comparison Mode: Defines how to compare metrics. Options are EndPeriod and SamePeriod. Previous Period End Date compares values between the current date and the last date of the previous period. Previous Period Same Day compares values between the current date and the same day in the previous period.
Remove the Scorecard Filter: Removes the filter options when viewing a dashboard scorecard.
Show Region Selector: Enables the Region selector on scorecard dashboards.
Suppress No Data: Enables suppression of metrics on scorecards when there is no data.
Suppress Organization Slicing Message: Sets the message that appears when an organization metric does not have a drill down to a sub-organization. An asterisk appears on organization metrics that do not have sub-organizations.

4. Click Save Settings to apply the changes.

Configuring Normality Scoring Settings

Normality scoring settings are used to calculate the normality ratings for authentication events. To configure normality scoring settings, do the following:

1. In the Symantec ICA administration section, select Settings, and then select General.
2. Go to the Normality Scoring section.
3. Configure the settings as needed. The following table lists the configuration options:

Table 7-17 Normality Scoring Settings Configuration Options

Authentication Event Days To Process: Sets the number of days for processing authentication events.
Core Processing includes Normality scoring: Enables core processing to include normality scoring algorithms.
Days Back to Update Base Scores if NULL: Sets the number of days to update base scores, if the scores are null.
Days Back to Update Temporal Scores: Sets the number of days to update temporal scores.
Enable Authentication Event Normality Calculation: Enables normality calculations of authentication events.
Enable DIM incident Normality Calculation: Enables normality calculations of DIM incidents.
Enable EP Event Normality Calculation: Enables normality calculations of endpoint events.
Enable Web Activity Normality Calculation: Enables normality calculations of web activity.
Threshold In Days For Normality Scoring: Sets the number of days for the normality scoring threshold.
Watermark For Last Scored Authentication Event: Sets the watermark for the last-scored authentication event.
Watermark For Last Scored Web Activity: Sets the watermark for the last-scored web activity.

4. Click Save Settings to apply the changes.

Configuring Person Risk Scoring Settings

Person risk scoring settings include configuration options for the high and low risk scores, and rating options. The vectors and ratings appear on the Risk Level tab of the individual person pages in the Identities section. To configure person risk scoring settings, do the following:

1. In the Symantec ICA administration section, select Settings, and then select General Settings.
2. Go to the Person Risk Scoring settings section.
3. Configure the settings as needed. The following table lists the configuration options. The thresholds trigger a notification based on the previous day's events.

Table 7-18 Person Risk Scoring Settings Configuration Options


Display the vector scores sorted by ordinal, true, or false to be sorted by person's vector scores: Enables the sorting and display of person vector scores.
Enable Person Risk Score Calculation: Enables calculation of risk scores for persons.
Include the Unrated persons as part of the percentage of low ratings: Enables the inclusion of unrated persons counted in the percentage of low-risk persons.
Literal threshold (inclusive) for Critical risk ratings: Sets the raw risk score for people to be considered critical risk.
Literal threshold (inclusive) for High risk ratings: Sets the raw risk score for people to be considered high risk.
Literal threshold (inclusive) for Medium risk ratings: Sets the raw risk score for people to be considered medium risk.
Number of days back to use in calculating person risk score ratings: Sets the number of days used to calculate person risk score ratings.
Number of desired Critical person risk score ratings: Sets the number of persons considered critical. In a company with 75 employees, the number may be 8, and in a company with 20,000 employees, the number may be 50.
Percentage of desired High person risk score ratings: Defines the percentage for the high category for the person risk score. The default is the top 2 percent.
Percentage of desired Low person risk score ratings: Defines the percentage for the low category for the person risk score. The default is the bottom 66 percent.
Suppress vectors whose values for person, peers, and organization: Disables the vectors from being displayed when the person, peers or organization have a value of zero.
The maximum number of vectors to be displayed in the vector graph: Sets the maximum number of risk vectors to display on the vector graph. Enter 0 to display all risk vectors with a score greater than zero.
The minimum number of vectors to be displayed in the vector graph: Sets the minimum number of risk vectors to display on the vector graph.
Use the literal threshold to assign risk ratings: Enables the use of the literal threshold for risk ratings.

NOTE: Administrators can add, delete and change the vectors used for the risk score.

4. Click Save Settings to apply the changes. NOTE: Consider the relationship between the critical number and the high risk number so that they do not overlap each other. For example, if there is a company of 100 users and set the top 2% as high and top 50 users as critical, half of the users will show as critical, and at most two will show as high risk users.

Configuring Residual Risk Settings in General Settings Residual risk settings define how residual risk is calculated, and how recommendations are shown. To configure residual risk settings, do the following:

1. In the Symantec ICA administration section, select Settings, and then select General.
2. Go to the Residual Risk section.
3. Configure the settings as needed. The following table lists the configuration options:

Table 7-19 Residual Risk Settings Configuration Options

Currency Symbol
    Sets the currency symbol to use with residual risk values.

Currency Symbol Location
    Sets the location of the currency symbol. Options are before and after the residual risk value.

Residual Risk Mode
    Sets whether residual risk is shown as a value, shown as a share, or not shown on application entity pages and risk model list pages.

4. Click Save Settings to apply the changes.

Configuring Risk and Compliance Settings
Risk and compliance settings control the risk and compliance options on the Vulnerability dashboard. To configure risk and compliance settings, do the following:

1. In the Symantec ICA administration section, select Settings, and then select General.
2. Scroll to the Risk and Compliance section.
3. Configure the settings as needed. The following table lists the configuration options:

Table 7-20 Risk and Compliance Configuration Options

Chart Title - Code
    Sets the code chart title on the Open Vulnerabilities tab.

Chart Title - Configuration
    Sets the configuration chart title on the Open Vulnerabilities tab.

Chart Title - Host
    Sets the host chart title on the Open Vulnerabilities tab.

Chart Title - Web Application
    Sets the web application chart title on the Open Vulnerabilities tab.

Compliance Issue Aged Days
    Sets the number of days after which a compliance issue is considered aged out.

Do Not Close Cloud Agent New IP Vulnerabilities
    Controls whether duplicate vulnerabilities on the same computer endpoint are closed. Setting this option to 0 keeps the most recent vulnerability open and closes the older duplicate. Setting this option to 1 allows duplicate vulnerabilities to remain in the system. The default is 0.

Enable Vulnerabilities Retest Button
    Enables the Retest button on vulnerability toolbars.

Enable Vulnerability Navigation
    Sets the menu options in the Vulnerability section.

False Positive Instructions
    Sets the instructions that appear on the false positive submission page.

False Positive: Require Evidence
    Indicates whether a false positive report requires evidence. If this option is selected, evidence is required when submitting a false positive report. If it is not selected, only a reason is required.

Open Vulnerability Source Filter
    Enables the source filter for open vulnerabilities.

Vulnerability Exception Type
    Sets the vulnerability exception type.

4. Click Save Settings to apply the changes.

Configuring Risk Model Settings To configure risk model settings, do the following:

1. In the Symantec ICA administration section, select Settings, and then select General.
2. Go to the Risk Models section.
3. Configure the settings as needed. The following table lists the configuration options:

Table 7-21 Risk Model Configuration Options

Default Remediation Cost / Hour
    Sets the default remediation cost per hour for risk models, so that cost can be calculated from the remediation time for the model. For example, if the default remediation cost is $120.00 per hour and the remediation time is 15 minutes, the risk model shows $30.00 for the remediation cost.

Enable Remediation Cost
    Enables risk model administrators to include the cost estimate for remediation.

Enable Remediation Time
    Enables risk model administrators to include the time estimate for remediation.

Include Likelihood Percentage in captions
    Adds the likelihood percentages to risk model captions.

4. Click Save Settings to apply the changes.

Configuring Risk Scoring Settings Entity risk scoring settings include configuration options for the high and low risk scores, and rating options. The vectors and ratings appear on the individual pages in the Assets and Identities sections. The following assets and identities use risk scoring:

• Applications
• Computer endpoints
• IP addresses
• Persons
• Users

To configure risk scoring settings, do the following:

1. In the Symantec ICA administration section, select Settings, and then select General.
2. Go to the relevant entity risk scoring settings section.
3. Configure the settings as needed. The following table lists the configuration options. The thresholds trigger a notification based on the previous day's events.

NOTE: In the following settings, object is the entity name, such as Person or Computer Endpoint.

Table 7-22 Entity Risk Scoring Settings Configuration Options

Display the vector scores sorted by ordinal, true, or false to be sorted by vector scores
    Sets the sort order of the displayed vector scores: true sorts by ordinal, false sorts by vector score.

Enable object Risk Score Calculation
    Enables risk score calculation for the entity.

Include the Unrated object as part of the percentage of low ratings
    Counts unrated entities as part of the low-risk percentage.

Number of days back to use in calculating object risk score ratings
    Sets the number of days of history used to calculate risk score ratings.

Number of desired Critical object risk score ratings
    Sets the number of entities rated critical. For example, in a company with 75 employees the number might be 8; in a company with 20,000 employees it might be 50.

Percentage of desired High object risk score ratings
    Defines the percentage of entities rated high. The default is the top 2 percent.

Percentage of desired Low object risk score ratings
    Defines the percentage of entities rated low. The default is the bottom 66 percent.

Suppress vectors whose values for object are all zero
    Hides a vector when all of the entity's values for it are zero.

The maximum number of vectors to be displayed in the vector graph
    Sets the maximum number of risk vectors displayed in the risk radar graph.

The minimum number of vectors to be displayed in the vector graph
    Sets the minimum number of risk vectors displayed in the risk radar graph.

NOTE: Administrators can add, delete, and change the vectors used for the risk score.

4. Click Save Settings to apply the changes.

NOTE: Consider the relationship between the desired Critical count and the High percentage so that they do not overlap. For example, in a company of 100 users with the top 2 percent set as High and the top 50 users set as Critical, half of the users show as Critical and at most two show as High.

Configuring Risk Scoring - Overall Settings The Risk Scoring - Overall section applies to all risk scoring configurations. To configure risk scoring settings, do the following:


1. In the Symantec ICA administration section, select Settings, and then select General.
2. Go to the Risk Scoring - Overall section.
3. Configure the settings as needed. The following table lists the configuration options.

Table 7-23 Risk Scoring - Overall Settings Configuration Options

Forward fill risk scoring data
    Loads imported risk scoring data.

Risk Scoring Watermark
    Sets the watermark (date) for the data import. Only data newer than the watermark is imported into Symantec ICA.

4. Click Save Settings to apply the changes.

Configuring Scan Exclusions Settings Scan exclusions are IP addresses that are not scanned by Symantec ICA. Scan exclusion settings include configuration options for enabling scan exclusions, and messages associated with scan exclusions. To configure scan exclusions settings, do the following:

1. In the Symantec ICA administration section, select Settings, and then select General.
2. Go to the Scan Exclusions section.
3. Configure the settings as needed. The following table lists the configuration options.

Table 7-24 Scan Exclusions Settings Configuration Options

Blacklist Scan Exclusion CIDR
    Treats scan exclusions as violations as they come into the system.

Enable Vulnerabilities Scan Exclusions
    Enables scan exclusions to be displayed in Symantec ICA.

Message: CIDR Scope Restriction Error
    Sets the CIDR (Classless Inter-Domain Routing) scope restriction error message.

Message: CIDR Scope Restriction Warning
    Sets the CIDR scope restriction warning message.

Message: Reconciliation Scope Restriction Error
    Sets the reconciliation scope restriction error message.

Message: Reconciliation Scope Restriction Warning
    Sets the reconciliation scope restriction warning message.

Message: Single Scope Restriction Error
    Sets the single scope restriction error message.

Message: Single Scope Restriction Warning
    Sets the single scope restriction warning message.

4. Click Save Settings to apply the changes.
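The scan exclusions table above configures CIDR-based exclusions and the error and warning messages shown when an entry fails a scope restriction. The following Python is an added example of the checks an administrator might run against an exclusion list before entering it; it is not the guide's or the product's code, and the exclusion entries, the scan results, and the rule of rejecting a CIDR whose host bits are set are constructed for illustration.

```python
import ipaddress
from typing import Iterable, List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed exclusion list, as an administrator might type it. The last two
# entries are deliberately bad, to exercise the scope-restriction error path.
SAMPLE_EXCLUSIONS = [
    "10.10.0.0/16",        # lab range, never scanned
    "192.168.50.0/24",     # OT segment
    "2001:db8::/32",       # IPv6 documentation prefix
    "172.16.5.77",         # a single host; parsed as /32
    "10.20.0.5/8",         # host bits set: ambiguous, rejected below
    "not-a-cidr",          # garbage
]

# Constructed scan results: (asset IP, finding) pairs, not real scanner output.
SAMPLE_SCAN_RESULTS = [
    ("10.10.4.20", "finding A"),
    ("192.168.51.9", "finding B"),
    ("192.168.50.200", "finding C"),
    ("2001:db8:1::42", "finding D"),
    ("172.16.5.77", "finding E"),
    ("203.0.113.8", "finding F"),
]


def parse_exclusions(entries: Iterable[str]) -> Tuple[List[Network], List[Tuple[str, str]]]:
    """Parse CIDR exclusion entries into networks.

    Returns (networks, errors). strict=True rejects an entry with host bits set
    (e.g. 10.20.0.5/8) instead of silently widening it to 10.0.0.0/8; a typo
    there would otherwise exclude far more of the estate from scanning than
    intended. The errors list is what the CIDR scope restriction error message
    would be raised for.
    """
    networks: List[Network] = []
    errors: List[Tuple[str, str]] = []
    for raw in entries:
        entry = raw.strip()
        try:
            networks.append(ipaddress.ip_network(entry, strict=True))
        except ValueError as exc:
            errors.append((entry, str(exc)))
    return networks, errors


def is_excluded(ip: str, networks: Iterable[Network]) -> bool:
    """True when the address falls inside any exclusion network."""
    addr = ipaddress.ip_address(ip)
    return any(addr.version == net.version and addr in net for net in networks)


def flag_violations(results: Iterable[Tuple[str, str]], networks: Iterable[Network]) -> List[Tuple[str, str, str]]:
    """Return (ip, finding, matched_cidr) for results inside an excluded range.

    A finding on an excluded address means the scanner touched something it
    should not have, so it is reported as a violation rather than as an
    ordinary open vulnerability.
    """
    nets = list(networks)
    violations: List[Tuple[str, str, str]] = []
    for ip, finding in results:
        addr = ipaddress.ip_address(ip)
        for net in nets:
            if addr.version == net.version and addr in net:
                violations.append((ip, finding, str(net)))
                break
    return violations


if __name__ == "__main__":
    nets, errs = parse_exclusions(SAMPLE_EXCLUSIONS)
    for entry, why in errs:
        print(f"REJECTED {entry!r}: {why}")
    for ip, finding, cidr in flag_violations(SAMPLE_SCAN_RESULTS, nets):
        print(f"VIOLATION {ip} ({finding}) is inside exclusion {cidr}")
```

The strict parse is the point worth keeping: a lenient parser turns 10.20.0.5/8 into 10.0.0.0/8 and quietly removes an entire /8 from scanning, so surfacing such entries through the error message is preferable to accepting them.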


Configuring SKETCH Settings To configure SKETCH settings, do the following:

1. In the Symantec ICA administration section, select Settings, and then select General.
2. Go to the SKETCH section.
3. Configure the settings as needed. The following table lists the configuration options.

Table 7-25 SKETCH Settings Configuration Options

Enable SKETCH compression
    Collapses events with the same key and similar timestamps into one timeline entry. The timeline entry includes the first and last times and the number of events.

Number of seconds before a SKETCH key is cutoff for Authentication Events
    Sets how many seconds apart timestamps can be and still be considered "similar" for authentication events.

Number of seconds before a SKETCH key is cutoff for EP Events
    Sets how many seconds apart timestamps can be and still be considered "similar" for endpoint events.

Number of seconds before a SKETCH key is cutoff for Web Activity
    Sets how many seconds apart timestamps can be and still be considered "similar" for web activities.

4. Click Save Settings to apply the changes.
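The SKETCH settings above describe collapsing events with the same key and nearby timestamps into one timeline entry that carries the first time, the last time and a count, with a separate cutoff for authentication, endpoint and web activity. The following Python is an added illustration of that compression, not code from the guide or from the product. The cutoff values, the gap-based "similar" rule (a new entry starts when the gap since the previous event for that key exceeds the cutoff) and the sample events are all constructed for the example; the guide does not say whether the product measures the gap from the previous event or from the first event of the run.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple

# Hypothetical per-type cutoffs, in seconds, standing in for the three
# "Number of seconds before a SKETCH key is cutoff" settings.
CUTOFF_SECONDS: Dict[str, int] = {
    "authentication": 60,
    "endpoint": 300,
    "web": 30,
}


@dataclass(frozen=True)
class Event:
    event_type: str      # "authentication", "endpoint" or "web"
    key: str             # the SKETCH key, e.g. user@host or user:action
    timestamp: datetime


@dataclass
class TimelineEntry:
    event_type: str
    key: str
    first: datetime
    last: datetime
    count: int


def at_time(hhmmss: str) -> datetime:
    """Helper for the constructed sample: a time on one fixed day."""
    return datetime.fromisoformat(f"2020-03-23T{hhmmss}")


# Constructed sample timeline (not real telemetry).
SAMPLE_EVENTS: List[Event] = [
    Event("authentication", "alice@10.0.0.5", at_time("09:00:00")),
    Event("authentication", "alice@10.0.0.5", at_time("09:00:20")),
    Event("authentication", "alice@10.0.0.5", at_time("09:00:45")),
    Event("authentication", "alice@10.0.0.5", at_time("09:05:00")),  # gap > 60 s
    Event("endpoint", "bob:usb-copy", at_time("09:00:00")),
    Event("endpoint", "bob:usb-copy", at_time("09:03:00")),          # 180 s gap
    Event("endpoint", "bob:usb-copy", at_time("09:07:30")),          # 270 s gap, still <= 300
    Event("web", "carol:example.com", at_time("09:00:00")),
    Event("web", "carol:example.com", at_time("09:00:10")),
    Event("web", "carol:example.com", at_time("09:01:00")),          # 50 s gap > 30
]


def compress(events: Iterable[Event], cutoffs: Dict[str, int], enabled: bool = True) -> List[TimelineEntry]:
    """Collapse runs of same-key events into single timeline entries.

    A run stays open while each event arrives within the type's cutoff of the
    previous event for that key; a longer gap cuts the key off and starts a
    new entry. With compression disabled, every event is its own entry.
    """
    ordered = sorted(events, key=lambda e: (e.timestamp, e.event_type, e.key))
    if not enabled:
        return [TimelineEntry(e.event_type, e.key, e.timestamp, e.timestamp, 1) for e in ordered]

    open_runs: Dict[Tuple[str, str], TimelineEntry] = {}
    closed: List[TimelineEntry] = []
    for e in ordered:
        run_key = (e.event_type, e.key)
        cutoff = timedelta(seconds=cutoffs[e.event_type])
        current = open_runs.get(run_key)
        if current is not None and e.timestamp - current.last <= cutoff:
            current.last = e.timestamp
            current.count += 1
            continue
        if current is not None:
            closed.append(current)
        open_runs[run_key] = TimelineEntry(e.event_type, e.key, e.timestamp, e.timestamp, 1)
    closed.extend(open_runs.values())
    closed.sort(key=lambda t: (t.first, t.event_type, t.key))
    return closed


def render(entries: Iterable[TimelineEntry]) -> List[str]:
    """One timeline line per entry: first time, last time, type, key and count."""
    lines: List[str] = []
    for t in entries:
        span = f"{t.first:%H:%M:%S}" if t.count == 1 else f"{t.first:%H:%M:%S} to {t.last:%H:%M:%S}"
        lines.append(f"{span}  {t.event_type:<14} {t.key}  x{t.count}")
    return lines


if __name__ == "__main__":
    for line in render(compress(SAMPLE_EVENTS, CUTOFF_SECONDS)):
        print(line)
```

Running it shows alice's burst of three authentication events collapsing to one line while the single event five minutes later stays separate; the endpoint cutoff is long enough to keep bob's three USB events together, and lowering it to 120 seconds splits them into three entries. When tuning these cutoffs, bear in mind that a generous cutoff hides slow, spaced-out activity behind a single count.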

Configuring TAXII Client Settings
TAXII (Trusted Automated eXchange of Indicator Information) client settings control how Symantec ICA pulls or polls threat indicator data from external TAXII sources, including the server, credentials, client certificate, and collection to use. To configure TAXII client settings, do the following:

1. In the Symantec ICA administration section, select Settings, and then select General.
2. Go to the TAXII Client section.
3. Configure the settings as needed. The following table lists the configuration options:

Table 7-26 TAXII Client Configuration Options

TAXII Auth Client Certificate
    Sets the path to the client authentication certificate file. The file is in Personal Information Exchange (.pfx) format, which bundles the certificate with its private key, so restrict file system access to it.

TAXII Client Certificate Key
    Sets the client certificate key.

TAXII Collection
    Identifies the type of data collection, such as IP addresses, domains, or URLs.

TAXII Message Read Location
    Identifies the location from which TAXII messages are read.

TAXII Message Save Location
    Identifies the location where TAXII messages are saved.

TAXII Method
    Sets the collection method. Options are push (data is pushed from the client) and poll (data is polled from the feed).

TAXII Server Password
    Specifies the password for the TAXII server.

TAXII Server URL
    Specifies the URL of the TAXII server.

TAXII Server Username
    Specifies the user name associated with the TAXII server.

TAXII Start Date Override
    Lets the administrator change the start date sent when polling STIX (Structured Threat Information eXpression) data. This option is usually used when back-filling data from the feed.

TAXII-less STIX Message Format
    Enables the TAXII-less STIX message format.

4. Click Save Settings to apply the changes.

Configuring User Risk Scoring Settings User risk scoring settings include configuration options for displaying vectors, and setting risk ratings. The vectors and ratings appear on the Risk Level tab of the individual user pages in the Identities section. To configure user risk scoring settings, do the following:

1. In the Symantec ICA administration section, select Settings, and then select General.
2. Go to the User Risk Scoring settings section.
3. Configure the settings as needed. The following table lists the configuration options. The thresholds trigger a notification based on the previous day's events.

Table 7-27 User Risk Scoring Settings Configuration Options

Display the vector scores sorted by ordinal, true, or false to be sorted by user's vector scores
    Sets the sort order of the displayed user vector scores: true sorts by ordinal, false sorts by the user's vector scores.

Enable User Risk Score Calculation
    Enables calculation of risk scores for users.

Include the Unrated users as part of the percentage of low
    Counts unrated users as part of the percentage of low-risk users.

Literal threshold (inclusive) for Critical risk ratings
    Sets the raw risk score at or above which a user is rated critical risk.

Literal threshold (inclusive) for High risk ratings
    Sets the raw risk score at or above which a user is rated high risk.

Literal threshold (inclusive) for Medium risk ratings
    Sets the raw risk score at or above which a user is rated medium risk.

Number of days back to use in calculating user risk score ratings
    Sets the number of days of history used to calculate user risk score ratings.

Number of desired Critical user risk score ratings
    Sets the number of users rated critical. In a company with 75 employees the number might be 8; in a company with 20,000 employees it might be 50.

Percentage of desired High user risk score ratings
    Defines the percentage of users rated high. The default is the top 2 percent.

Percentage of desired Low user risk score ratings
    Defines the percentage of users rated low. The default is the bottom 66 percent.

Suppress vectors whose values for person, peers, and organization are all zero
    Hides a vector when the person, peers, and organization all have a value of zero for it.

The maximum number of vectors to be displayed in the vector graph
    Sets the maximum number of risk vectors to display on the vector graph. Enter 0 to display all risk vectors with a score greater than zero.

The minimum number of vectors to be displayed in the vector graph
    Sets the minimum number of risk vectors to display on the vector graph.

Use the literal threshold to assign risk ratings
    Assigns risk ratings from the literal thresholds above rather than from the desired counts and percentages.

NOTE: Administrators can add, delete, and change the vectors used for the risk score.

4. Click Save Settings to apply the changes.

NOTE: Consider the relationship between the desired Critical count and the High percentage so that they do not overlap. For example, in a company of 100 users with the top 2 percent set as High and the top 50 users set as Critical, half of the users show as Critical and at most two show as High.
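The Person, entity, and User risk scoring tables above describe the same rating knobs (a desired Critical count, a High percentage, a Low percentage, optional inclusion of unrated entities in the Low pool, and optional literal thresholds), and each section repeats the NOTE that the Critical count can swallow the High percentage. The following Python, added here as an example and not part of the guide or of the Symantec ICA product, applies those settings to a set of scores so the overlap can be checked before saving. The ranking order (Critical taken first from the top, High as the top percentage of the whole population, Low counted from the bottom, unrated entities optionally counted toward Low), the tie-break, and all names, scores and threshold values are assumptions; the guide does not say whether the product computes High before or after removing Critical entities.

```python
import math
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class RatingSettings:
    """Stand-in for the rating knobs in the risk scoring settings tables."""
    desired_critical: int = 8          # Number of desired Critical ratings
    high_percent: float = 2.0          # Percentage of desired High (top N%)
    low_percent: float = 66.0          # Percentage of desired Low (bottom N%)
    include_unrated_in_low: bool = False
    use_literal_threshold: bool = False
    critical_threshold: float = 90.0   # Literal threshold (inclusive) for Critical; hypothetical value
    high_threshold: float = 70.0       # Literal threshold (inclusive) for High; hypothetical value
    medium_threshold: float = 40.0     # Literal threshold (inclusive) for Medium; hypothetical value


def rate_by_threshold(score: Optional[float], s: RatingSettings) -> str:
    """Inclusive thresholds: a score equal to the threshold gets that rating."""
    if score is None:
        return "Unrated"
    if score >= s.critical_threshold:
        return "Critical"
    if score >= s.high_threshold:
        return "High"
    if score >= s.medium_threshold:
        return "Medium"
    return "Low"


def assign_ratings(scores: Dict[str, Optional[float]], s: RatingSettings) -> Dict[str, str]:
    """Assign Critical/High/Medium/Low/Unrated to every entity.

    Assumed ranking semantics: Critical is taken first from the top of the
    ranking, High is the top high_percent of the population minus anything
    already Critical, Low is the bottom low_percent, and the rest is Medium.
    Unrated entities (score None) stay Unrated unless include_unrated_in_low
    is set, in which case they are counted as part of the Low percentage.
    """
    if s.use_literal_threshold:
        return {name: rate_by_threshold(score, s) for name, score in scores.items()}

    rated = sorted(
        ((name, score) for name, score in scores.items() if score is not None),
        key=lambda kv: (-kv[1], kv[0]),          # highest score first, name breaks ties
    )
    unrated = [name for name, score in scores.items() if score is None]
    population = len(rated) + (len(unrated) if s.include_unrated_in_low else 0)

    n_critical = min(s.desired_critical, len(rated))
    n_high = math.ceil(population * s.high_percent / 100)
    n_low = math.ceil(population * s.low_percent / 100)

    ratings = {name: "Unrated" for name in unrated}
    if s.include_unrated_in_low:
        for name in unrated:
            ratings[name] = "Low"
        n_low = max(0, n_low - len(unrated))      # unrated entities use up part of the Low pool

    total = len(rated)
    for rank, (name, _) in enumerate(rated):       # rank 0 is the highest score
        if rank < n_critical:
            ratings[name] = "Critical"
        elif rank < n_high:
            ratings[name] = "High"
        elif total - rank <= n_low:                 # position counted from the bottom
            ratings[name] = "Low"
        else:
            ratings[name] = "Medium"
    return ratings


def rating_counts(ratings: Dict[str, str]) -> Dict[str, int]:
    """How many entities landed in each rating; the check to run before saving."""
    counts: Dict[str, int] = {}
    for rating in ratings.values():
        counts[rating] = counts.get(rating, 0) + 1
    return counts


def sample_scores(n: int, unrated: int = 0) -> Dict[str, Optional[float]]:
    """Constructed scores 1..n (not product data) plus `unrated` entities with no score."""
    scores: Dict[str, Optional[float]] = {f"user{i:04d}": float(i) for i in range(1, n + 1)}
    for i in range(unrated):
        scores[f"nobody{i:02d}"] = None
    return scores


if __name__ == "__main__":
    # The guide's own scenario: 100 users, top 2 percent High, top 50 Critical.
    overlapping = RatingSettings(desired_critical=50, high_percent=2.0, low_percent=66.0)
    print(rating_counts(assign_ratings(sample_scores(100), overlapping)))
    sane = RatingSettings(desired_critical=1, high_percent=5.0, low_percent=66.0)
    print(rating_counts(assign_ratings(sample_scores(100), sane)))
```

With the guide's scenario the High bucket is empty and Medium disappears as well, because the Critical block covers the top half and the bottom 66 percent covers everything else. Running rating_counts() on a population of the right size before saving shows that kind of collision immediately.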

Configuring Vulnerability Notifications Settings
The vulnerability notification settings control the vulnerability summary and false positive email messages sent from Symantec ICA. These settings may have been set during installation; you can change the initial settings in this section. To configure vulnerability summary email settings, do the following:

1. In the Symantec ICA administration section, select Settings, and then select General.
2. Go to the Vulnerability Notifications section.
3. Configure the settings as needed. The following table lists the configuration options:

Table 7-28 Vulnerability Notifications Settings Configuration Options

Enable Vulnerability Notifications
    Enables vulnerability summary email messages.

False Positive Approval or Denial Email Notification Enabled
    Sends a notification when a false positive request is approved or rejected. A false positive report is a vulnerability that the system marked as a risk but whose cause is known and has a business decision associated with it.

False Positive Email Notification Default From Address
    Sets the default sender's email address for false positive notifications.

False Positive New Submission Email Notification Enabled
    Sends an email notification when a false positive report is submitted to the system.

False Positive New Submission Email Notification To Address
    Sets the default recipient email address for false positive notifications.

Global False Positive Email Notification Default From Address
    Sets the sender's email address for global false positive approval messages. A global false positive is a vulnerability that is considered a false positive every time it occurs in the environment.

Global False Positive Email Notification Enabled
    Enables global false positive approval messages.

Global False Positive Email Notification Recipient
    Sets the recipient's email address for global false positive approval messages.

Maximum Number of Individual False Positive Report Per Submission
    Sets the maximum number of false positive reports allowed in a single submission.

Number of days in between vulnerability summary notifications
    Sets the interval, in days, between vulnerability summary messages.

Severity Override Email Notification Default From Address
    Sets the sender's email address for severity override messages.

Severity Override Email Notification Recipient
    Sets the recipient's email address for severity override messages.

Severity Override Positive Email Notification Enabled
    Enables severity override messages.

URL for Vulnerabilities Portal
    Sets the URL of the Vulnerabilities section that is included in the email notification as an active link the reader can click to open the Vulnerabilities section.

Vulnerability Summary Email Batch Size
    Sets the batch size for vulnerability summary email messages.

Vulnerability Summary Email Recipient Whitelist
    Sets the recipients allowed to receive vulnerability summary email messages.

Vulnerability Summary Email To Address Override
    Sets the recipient address used for vulnerability summary messages when the default To address is overridden.

Vulnerability Summary From Email Address
    Sets the sender address for vulnerability summary email messages.

4. Click Save Settings to apply the changes.

Adding a New Setting Administrators can add settings to the Settings page. To add a setting, do the following:

1. In the Symantec ICA administration section, select Settings, and then select General.
2. Click Add New Setting.
3. Complete the following fields:

• Setting Name: The name of the setting.
• Value Type: The type of value. The types are check box, fixed list, text, encrypted, and integer.
• Value: The value for the setting. NOTE: If the value type is Fixed List, enter a comma-separated list of values for the fixed list.
• Display Name: The name that appears on the Settings page.
• Group: The grouping area for the setting, such as General or Branding. Leave blank to place the setting in the Advanced group.
• Comment: Information about the setting.

4. Click Save to save the setting.
5. Click Save Settings.

Configuring Data in Motion Settings

Data in Motion settings are configurable attributes for the event scorecards displayed on the Data In Motion page. By default, the ranking sections are high severity unusual incidents, multiple methods per hour incidents, and saved searches.

The following sections describe the Data in Motion settings:

• Creating an Incident Channel
• Creating an Incident Protocol
• Creating an Incident Severity
• Creating an Incident Status
• Creating a Remediation Resolution
• Creating a Remediation Reason
• Creating a Loss Impact
• Setting the Loss Impact for a Policy
• Adding a Remediation Action Type
• Setting Default Columns for Data In Motion Pages

NOTE: Symantec recommends configuring the event settings before configuring the data-in-motion settings. Many of the event settings are used when configuring the data-in-motion settings.

Incident Settings Incident settings are configurable attributes for incidents displayed within the Events section of Symantec ICA. The incident attributes for status, resolution, and reason are used in data-in- motion remediation action types.

The following sections describe the incident settings:

• Creating an Incident Channel
• Creating an Incident Protocol
• Creating an Incident Severity
• Creating an Incident Status
• Creating a Remediation Resolution
• Creating a Remediation Reason
• Creating a Loss Impact
• Setting the Loss Impact for a Policy

Incident Channels
An incident channel is the type of event that triggers or applies to an incident, such as network, endpoint, or encryption.

Creating an Incident Channel To create an incident channel, do the following:

1. In the Symantec ICA administration section, select Settings, select Data in Motion, and then select Incident Settings.
2. Click New Channel.
3. Enter a name in the Channel Name field.
4. Select the Is In Use check box if the channel is currently in use. Selecting the check box enables the incident channel.
5. Click OK.

NOTE: To set the display order of the incident channels, select a channel and click the up or down arrows to change its position.

Incident Protocols An incident protocol is the specific medium or network layer the incident occurred on, such as removable media, HTTP, FTP, or network share.

Creating an Incident Protocol To create an incident protocol, do the following:

1. In the Symantec ICA administration section, select Settings, select Data in Motion, and then select Incident Settings.
2. Click New Protocol.
3. Enter a name in the Protocol Name field.
4. Select the Is In Use check box if the protocol is currently in use. Selecting the check box enables the incident protocol.
5. Click OK.

NOTE: To set the display order of the incident protocols, select a protocol and click the up or down arrows to change its position.


Incident Severities Incident severity is the level of impact or urgency that a data-in-motion incident represents to the business, such as low, medium, high, confidential, and company-proprietary.

Creating an Incident Severity To create an incident severity, do the following:

1. In the Symantec ICA administration section, select Settings, select Data in Motion, and then select Incident Settings.
2. Click New Severity.
3. Enter a name in the Severity Name field.
4. Select the Is In Use check box if the severity is currently in use. Selecting the check box enables the incident severity.
5. Click OK.

NOTE: To set the display order of the incident severities, select a severity and click the up or down arrows to change its position.

Incident Statuses
The incident status is the status within the response life cycle, or the resolution response, for a data-in-motion incident. If a data-in-motion action type includes a status update, the incident status is set automatically when the data-in-motion incident is acted upon.

See Also: "Remediation Action Types" on page 109

Creating an Incident Status Incident status options include classification and mitigation options such as a classification of Investigate, and a mitigation option of Unmitigated. The incident status can also include a rule. Setting a rule provides additional information to the machine learning and behavior analytics processes. For example, if you configure a rule for the Dismissed incident status that states if the reason selected is "Data is customer's own information," then the incident is marked with a classification of Acceptable and mitigation value of Mitigated. Any incident that is set to Dismissed with that reason is automatically classified and marked mitigated.

To create an incident status, do the following:

1. In the Symantec ICA administration section, select Settings, select Data in Motion, and then select Incident Settings.
2. Click New Status.
3. Enter a name in the Name field.
4. Select the Is In Use check box if the status is currently in use. Selecting the check box enables the incident status.
5. (Optional) Select the classification for the status.
6. (Optional) Select a mitigation option for the status.
7. (Optional) Add a rule for the status as follows:
   a. Click New Rule.
   b. Select an attribute name.
   c. Select an attribute value.
   d. Select a classification.
   e. Select the mitigation type.
   f. Click Apply.
8. Click Save.

NOTE: To set the display order of the incident statuses, select a status and click the up or down arrows to change its position.

Incident Remediation Resolutions
A remediation resolution is the resolution recorded for a data-in-motion incident. The resolution field is available when it is enabled for a data-in-motion action type. Resolutions include personal use, submitted for training, and malicious intent.

Creating a Remediation Resolution To create a remediation resolution, do the following:

1. In the Symantec ICA administration section, select Settings, select Data in Motion, and then select Incident Settings.
2. Click New Resolution.
3. Enter a value and a description.
4. Click OK.

Incident Remediation Reasons
A remediation reason is a reason recorded for a data-in-motion incident. More than one reason can be set for an incident. The reason field is available when it is enabled for a data-in-motion action type. Reasons include broken business process, false positive, and policy tuning.

Creating a Remediation Reason To create a remediation reason, do the following:

1. In the Symantec ICA administration section, select Settings, select Data in Motion, and then select Incident Settings.
2. Click New Reason.
3. Enter a value and a description.
4. Click OK.

Modifying a Remediation Reason
To modify an existing remediation reason, do the following:

1. In the Symantec ICA administration section, select Settings, select Data in Motion, and then select Incident Settings.
2. Click the pencil icon next to the remediation reason name.
3. Modify the description.
4. Click OK.

Incident Loss Impact
The incident loss impact is the description and loss value for a data-in-motion incident. These values, along with the user-set risk assessment values, are used when calculating values for assets in Symantec ICA.

Creating a Loss Impact To create a loss impact, do the following:

1. In the Symantec ICA administration section, select Settings, select Data in Motion, and then select Incident Settings.
2. Click New Loss Impact.
3. Enter a name, description, and value. A larger value indicates a larger impact.
4. Click OK.

Incident Policies
Incident policies are the policies associated with incidents. The policies themselves are defined in the Policy Settings section of Symantec ICA; the loss impact and loss impact mode for a policy are set in this section.

Setting the Loss Impact for a Policy To set the loss impact for a policy, do the following:

NOTE: Loss impacts must be set in the Incident Loss Impact section before setting a loss impact to a policy.

1. In the Symantec ICA administration section, select Settings, select Data in Motion, and then select Incident Settings.
2. Select the loss impact. The options are defined in the Loss Impacts section.
3. Select the loss impact mode. Options are Per Incident, Per Incident Match Count, Per Incident Condition Match Count, Per File Count, and Exclude.
4. Click Save.


Remediation Action Types
Remediation action types are the options on the Data in Motion toolbar. By default, Symantec ICA includes Escalate, Resolve, and Dismiss as remediation action types. They can be configured to meet your organization's needs. The other options on the toolbar, such as Assign User, are not configurable.

Adding a Remediation Action Type Remediation action types define the options on the remediation pages. The remediation options, except Assign User, are configurable. Select an option, and click Move Up and Move Down to set the display order of the remediation action option.

The available options when setting a remediation type, such as Reason and Resolution, are based on the settings defined in Event Settings.

See Also: "Incident Settings" on page 104 for information about event settings

To add a remediation action type, do the following:

1. In the Symantec ICA administration section, select Settings, and then select Data In Motion. 2. Select the Remediation Action Types tab. 3. Click Remediation Action. The window has sections for window configuration, toolbar configuration, actions, and notifications.

4. (Optional) Select Allow Multiple Selection to allow users to select more than one item when using this action. 5. In the Window Configuration section, do the following: a. Enter the name in the Title field. b. Enter text for the button in the Button Text field. This field is required when there is a title. c. Enter instructions. The instructions appear at the top of the action window when a user selects the action. d. (Optional) Click Glossary to add terms and definitions. The terms and definitions appear when a user selects the action. For example, include a glossary of reasons that correlate to the reasons for the action. 6. In the Toolbar Configuration section, do the following: a. Enter text for the button in the Button Text field. b. Enter the width of the button pixels. The default is 100 pixels. c. (Optional) Click Icon to display icon images, select an icon, and then click Accept. To not display an icon, click Cancel.

Settings Configuration | Page 109 Adding a Remediation Action Type

   d. Select Is Button Enabled to enable the button on the toolbar.
   e. Select Is Button Displayed to display the button.
7. (Optional) In the Actions section, do the following:
   a. Select Update Status, and then select an option.
   b. Select Update Source System to update the source system.
   c. Select Update Assigned To to update the assignment.
      - Select an option. The options are All, Fixed List, and Static Value. Fixed List and Static Value can have more than one item.
      - If Static Value was selected, then select Visible to make the option visible.
      - Enter a field name in Source System Field.
      - Select Required if this value is required.
   d. Select Update Reason to update the reason.
      - Enter the source field to use in Source System Field.
      - Set the type of reason. Options are All, Fixed List, or Static Value. If Fixed List or Static Value is selected, then specify the reason. More than one reason can be selected for Fixed List.
      - If Static Value was selected, then select Visible to make the option visible.
      - Select Required if this value is required.
   e. (Optional) Select Update Resolution to update the resolution.
      - Enter the source field to use in Source System Field.
      - Set the type of resolution. Options are All, Fixed List, or Static Value. If Fixed List or Static Value is selected, then specify the resolution. More than one resolution can be selected for Fixed List.
      - If Static Value is selected, then select Visible to make the option visible.
      - Select Required if this value is required.
   f. Select Update Comment to update the comment.
      - Enter the source field to use in Source System Field.
      - Select Add Note in Source System to add the comment to the source system in the Note column.
      - Set the character limit for the comment. When writing back to a DLP source system, only the first 924 characters are written to the source system. The full comment is stored in the Symantec ICA database.
      - Select Required if this value is required.


   g. Select Update Case Number to update the case number.
      - Enter the source field to use in Source System Field.
      - Select Required if this value is required.
   h. In the Update Last Actioned By section, enter the source field in the Source System Field to record who performed the last update action.
8. (Optional) In the Notifications section, do the following:
   a. Select Use Custom Notifications Rules to have custom rules, and then select a template in the Template field.
   b. Select Override Template Distribution List to change the sender's and recipients' email addresses.
   NOTE: Use semicolons to separate addresses when entering more than one address in a field.
9. Click Save to save the action type, or Cancel to cancel.

Setting Default Columns for Data In Motion Pages

Administrators can select the columns displayed as the default view for the Data In Motion pages. However, if a user sets their own column preferences, the system retains those preferences for that user. Any time a user changes their column layout, the layout is saved for that user.

NOTE: The Load Your Column Layout option displays the last layout viewed by the user. If a user changes their layout, then loads the default layout, and then selects Load Your Column Layout, the last non-default layout is displayed.

To select columns, do the following:

NOTE: Default views for identities and assets pages can also be set by selecting the identity or asset page, selecting the columns, and then saving the page as described in this procedure.

1. Select an event on the Data In Motion page.
2. Click the arrow in a column header in the details table.
3. Select Columns.
4. Select the columns to display.
5. Select Save Default Column Layout. This layout becomes the default layout for any user who does not have a default layout saved.
6. Click Yes to confirm the change, or Cancel to cancel the change.


Configuring Policy Settings

Policies align reporting in Symantec ICA with corporate data loss prevention (DLP) initiatives.

Creating a Policy

To create a policy, do the following:

1. In the Symantec ICA administration section, select Settings, and then select Policy.
2. Click New Policy.
3. Enter the policy information in the following fields:

Table 7-29 Policy Field Settings

| Policy Field | Description |
| --- | --- |
| Assigned DLP Policies | Assigns specific DLP policies to the Symantec ICA policy. At least one DLP policy must be associated with the Symantec ICA policy. A DLP policy can only be assigned to one Symantec ICA policy. |
| Auto Update | Enables the Symantec ICA policy to synchronize with the attributes of the associated DLP policy. NOTE: This option is only valid for policies that are assigned to only one DLP policy. |
| Description | Provides a detailed description of the policy. |
| Enabled | Enables the policy. |
| Policy | Specifies the policy name. |
| Risk Weight | Sets the weighting value for the policy. The higher the number, the greater the weight. This value affects how policies are displayed in Symantec ICA. |
| Use in Normality | Enables the policy to be used in normality scoring. |

4. (Optional) Click Move Up or Move Down to set where the policy appears in the list.
5. Click Ok.

Configuring Queue Settings

Queues group threats and events that are related by a common attribute. Queues can be based on organization, incident type, remediation response, and so on. Multiple users can work with individual queues within Symantec ICA to resolve incidents of a similar nature. Users can have access to all or some of the queues, based on their job responsibilities and privileges.


Creating a Queue

Queues are assigned to users when setting up the user privileges. To create a queue, do the following:

NOTE: The queue field is available for data-in-motion incidents when the Update Assigned To field is enabled for a remediation action type.

1. In the Symantec ICA administration section, select Settings, and then select Queues.
2. Select one of the following:
   - DIM Remediation Queue
   - Action Plan Queue
3. Click New Queue.
4. Enter a name in the Queue field.
5. Enter a detailed queue description in the Description field.
6. (DIM queues only) Select the Default Remediation Queue check box if the queue will be the default queue for incoming incidents.
7. Expand the Can View Queues section, and do the following:
   a. Enter the users assigned to view the queue.
   b. Enter the roles assigned to view the queue.
   c. Enter the users that have read-only privileges for the queue.
   d. Enter the roles that have read-only privileges for the queue.
8. Expand the Can Assign Queues section, and do the following:
   a. Enter the users that can assign the queue.
   b. Enter the roles that can assign the queue.
   c. Enter the users that have read-only privileges for queue assignments.
   d. Enter the roles that have read-only privileges for queue assignments.
9. Enter the group email alias associated with the queue in the Email field.
10. Enter the sender email address in the From Email field.
11. Enter additional recipients in the CC List field.
12. Enter additional recipients in the BCC List field. BCC (blind carbon copy) recipients receive the email message but are not shown in it.
13. Click Ok.

NOTE: To set the display order of a queue, select the queue and click the up or down arrows to change the order.


Configuring Web Activity Settings

Web activity settings indicate which web activities identified by the web proxy data source are allowed and which are blocked, as the activities relate to user actions. Usually the source data already includes which web activities (HTTP codes) are blocked and which are allowed. When the data source does not provide that information to Symantec ICA, the settings in this section determine which HTTP codes are treated as blocked and which as allowed.

To block a web activity setting, do the following:

1. In the Symantec ICA administration section, select Settings, and then select Web Activity.
2. Click the check box next to a web activity to block it.
3. Click Save to save your changes.

Configuring Vulnerabilities Settings

The vulnerabilities shown on the Vulnerability Management page come from the data imported to Symantec ICA from sources such as Symantec DeepSight Intelligence and McAfee Vulnerability Manager. The imported vulnerability settings can be edited to fit the requirements of your environment. For example, a vulnerability may originally be marked as Urgent, but in a pre-production test environment the vulnerability could be considered Informational because the administrators know that it is not an issue during testing.

The Vulnerability Management page shows the total instances of each vulnerability, and how many vulnerabilities are open, exceptions, or false positives. You can filter the list of vulnerabilities by clicking the Filter option, and selecting filters.

Editing Vulnerability Settings

To edit a vulnerability setting, do the following:

1. In the Symantec ICA administration section, select Settings, and then select Vulnerability Management.
2. Click (pencil) next to the vulnerability.
   NOTE: To select all the vulnerabilities on the page, click (pencil) in the toolbar.

3. Select the option for the vulnerability. The options are as follows:
   - Global False Positive: Indicates that the vulnerability should be considered a false positive event any time it occurs in the environment.
   - Override Severity Rating: Sets the severity rating to a different level.
4. Enter a justification for the change in the Justification field.
5. Enter the approver's name in the Approver field. To find the name, enter the first four letters of the name.
6. Click Save to save the changes, or click Cancel to cancel the changes.

Click (counter-clockwise arrow) to view the change history for a vulnerability when viewing the list of vulnerabilities.

Filtering the List of Vulnerabilities

To filter the list of vulnerabilities, do the following:

1. In the Symantec ICA administration section, select Settings, and then select Vulnerability Management.
2. Click Filter.
3. Select the filters to apply to the list. The following filters are available:

Table 7-30 Vulnerability Management List Filters

| Filter | Description |
| --- | --- |
| Category | Category of the vulnerability, such as File Transfer Protocol or Hardware. More than one category can be selected for the filter. |
| CVE | Common Vulnerabilities and Exposures (CVE) identifier of the vulnerability. See Also: https://cve.mitre.org/about/ |
| CVSS Range | Common Vulnerability Scoring System (CVSS) range for the vulnerability. More than one range can be selected for the filter. |
| CWE | Common Weakness Enumeration (CWE) of the vulnerability. See Also: https://cwe.mitre.org/about/ |
| Only Show Global False Positive | Only vulnerabilities marked as global false positive events are listed. |
| Only Show Severity Overrides | Only vulnerabilities marked as severity overrides are listed. |
| Severity | Severity of the vulnerability. More than one severity can be selected for the filter. |
| Source | Source of the vulnerability, such as Qualys QualysGuard or Symantec DeepSight Intelligence. More than one source can be selected for the filter. |
| Source Severity | Severity level, such as High or Critical, imported from the source. |
| Vulnerability | Type of vulnerability. |

4. Click Apply to apply the filter, Cancel to not apply the filter, or Reset to reset the filters to none.


Configuring Residual Risk Settings

The residual risk settings are used to set the values displayed on the Risk Assessment section for applications. To set the ranges, do the following:

NOTE: Administrators must have the Residual Risk Settings privilege to set residual risk.

1. In the Symantec ICA administration section, select Settings, and then select Residual Risk.
2. Click (pencil) next to the residual risk.
3. Modify the name, range, and multiplier value, as needed. The multiplier value is similar to a weight, and is used in calculating the risk.
4. (Optional) Click Enabled to enable the rating.
5. Click Save.

Configuring Action Plan Settings

Action plans serve as workflows that let a mitigator interact with other security personnel to resolve the events and vulnerabilities that have been identified by Symantec ICA. An organization can monitor the risk mitigation workflows and track the progress of specific risk mitigation activities. Action plans ensure that every suspicious event and vulnerability is assigned to a mitigator who can resolve and remediate the event and vulnerability, and then report the resolution back to their team or manager. Managers can track the progress of events and vulnerabilities to ensure compliance and resolution.

Action plans provide a method for equipping security personnel with the information they need to make informed decisions about remediation, and a schedule to investigate, mitigate, and resolve issues. The result is a proactive understanding of all risks related to their environment. The events and vulnerabilities listed in an action plan can be acted on directly in the plan. When an item is mitigated, the item's residual risk value is reduced, which affects future calculations of residual risk values.

Action plan settings are configurable attributes. The attributes are selectable options for users when creating and editing action plans.

Creating an Action Plan Status

To create an action plan status, do the following:

1. In the Symantec ICA administration section, select Settings, and then select Action Plans.
2. Click (plus sign) in the Statuses section.
3. Enter a name for the status.
4. Click Save.


Creating an Action Plan Resolution

To create an action plan resolution, do the following:

1. In the Symantec ICA administration section, select Settings, and then select Action Plan.
2. Click (plus sign) in the Resolutions section.
3. Enter a name for the resolution.
4. Click Save.

Creating an Action Plan Reason

To create an action plan reason, do the following:

1. In the Symantec ICA administration section, select Settings, and then select Action Plan.
2. Click (plus sign) in the Reasons section.
3. Enter a name for the reason.
4. Click Save.

Creating an Action Plan Priority

To create an action plan priority, do the following:

1. In the Symantec ICA administration section, select Settings, and then select Action Plan.
2. Click (plus sign) in the Priorities section.
3. Enter a name for the priority.
4. Click Save.

Editing an Action Plan Attribute

To edit an action plan attribute, do the following:

1. In the Symantec ICA administration section, select Settings, and then select Action Plan.
2. Click (pencil) next to the attribute.
3. Edit the attribute name.
4. Click Save.

Deleting an Action Plan Attribute

To delete an action plan attribute, do the following:

1. In the Symantec ICA administration section, select Settings, and then select Action Plan.
2. Click (minus) next to the attribute.
3. Click Yes to confirm the deletion.


Configuring Details Grid Configuration Settings

The Details Grid Configuration section allows administrators to create and modify tabular data. The details grids are used with entity actions. The following sections describe how to configure the details grid:

- Creating a Details Grid Query

Creating a Details Grid Query

To create a details grid query, do the following:

1. In the Symantec ICA administration section, select Settings, and then select Details Grid Configuration.
2. Click New Details Grid Query to create a new query.
3. Enter the query information in the following fields:

Table 7-31 Details Query Settings

| Query Field | Description |
| --- | --- |
| Connection | Identifies the type of connection for the query. Default is Symantec ICA. |
| Cube | Sets the name of the cube that will run the query. This field is available for MDX queries only. |
| Database | Sets the name of the database against which the query will be run. |
| Height | Sets the height of the Details Grid window in pixels. |
| Query Type | Sets the type of query to be written, either MDX or SQL. |
| Server | Sets the name of the server hosting the database where the query will be run. |
| Target | Sets the table to query. This field is for SQL queries only. |
| Title | Sets the title for the Details Grid window. |
| Width | Sets the width of the Details Grid window in pixels. |

4. Click Save to save the query. The new query is listed under the specific query type heading.
5. Define the query as described in "Configuring Details Grid Configuration Settings" above.

Configuring Entity Actions Settings

Entity actions provide additional functionality when viewing data within Symantec ICA. For example, an entity action can be associated with a right-click when viewing a metric to enable an action such as "Search for User" or “Filter this result.”

See Also: Symantec ICA Dashboard Designer Guide for additional information about assigning an entity action to a metric


Creating an Entity Action

To create an entity action, do the following:

1. In the Symantec ICA administration section, select Settings, and then select Entity Actions.
2. Click New Entity Action.
3. Enter the entity information in the following fields:

Table 7-32 Entity Action Field Settings

| Entity Field | Description |
| --- | --- |
| Base Entity Type | Dictates the format and source of the additional information that is presented through the entity action. The base entity types are Details Grid, a tabular list of data based on a query and used to display additional information (details grids are defined in the Details Grid Configuration section in the Settings section), and Entity Search, additional information for remediation of events, commonly used to collect more details about specific users or events. |
| Configuration Alias | The name used to associate an entity action with a metric. This can be the same name as the descriptive name. See Also: Symantec ICA Dashboard Designer Guide for additional information about associating entity actions with metrics. |
| Context Menu Group | Groups entity actions together for multiple-layer drill-down capability. Choose a name for the menu group and ensure that the other entity actions to be grouped together have that same value. This field is optional. |
| Icon | Lists available icons to represent the new entity action. This field is optional. |
| Name | Sets the descriptive name for the new entity action. This name is not displayed in the section. |
| Runtime Alias | Sets the name of the entity action that displays when a user right-clicks to display a list of available actions. Symantec recommends using a different name than the one used in the Name field. |
| Type Specific Properties | Sets the type-specific properties for the entity action: Search Entity Type, the type of entity to search for, such as computer endpoint or user; and Target Details Grid, the details grid to associate with the entity action. |

4. Click Save to save the entity action. The new entity action is listed on the page.


Configuring Notifications

Notifications can be alerts, warnings or default messages. Administrators create, edit and delete notifications, as needed. In order to send notifications, the options in the Email section of General Settings must be set to enable messaging.

Creating a Notification Template

To create a notification template, do the following:

1. In the Symantec ICA administration section, select Settings, and then select Notifications.
2. Select Notification Templates.
3. Click Notification Template.
4. Select the template type.
5. Enter a name for the template.
6. Enter the subject line for the email message.
7. Enter the text for the email message. Placeholder fields can be inserted into the text from the Available Tokens list, which depends on the template type. To include a placeholder field, double-click the token name.
   NOTE: Text must be entered in the Email Body field before adding placeholder fields.

8. Format the text using the toolbar options. Depending on the size of the browser window, use the menu in the toolbar to view additional options such as the following:
   - Align text right
   - Hyperlink
   - Numbered list
   - Bullet list
   - Source edit, which allows you to enter HTML elements
9. (Optional) Click Notifications, and enter email addresses in the sender and recipient fields.
10. Click Send Test Email to send a test message.
11. Click Save to save the template when the notification text is correct.

Creating an Application Notification

To create an application notification, do the following:

1. In the Symantec ICA administration section, select Settings, and then select Notifications.
2. Select Application Notifications.
3. Click Notification.
4. Select the severity. Options are Default, Warning, and Alert.
5. Set the start date and end date.
6. Enter the text for the notification.
7. Select the roles that should receive the notification, if applicable. The roles are defined in the Privileges section.
8. Add the individuals that should receive the notification, if applicable. The individuals are defined in the Privileges section.
9. Click Save.

Configuring Organizations and Regions Settings

Organizations and regions allow administrators to create an organizational hierarchy that represents their business structure. Organizations and regions appear on scorecards. In addition, the region maps appear on scorecards when the Region option is selected with the Rollup option.

NOTE: The Display Metric Regions option must be selected in General Settings in order for the Region option to appear on scorecards.

Creating an Organization

To create an organization, do the following:

1. In the Symantec ICA administration section, select Settings, and then select Organizations & Regions.
2. Click New Organization.
3. Enter an organization name in the Organization field.
4. Enter a shortened organization name in the Abbreviation field.
5. (Optional) Enter a name in the Sub Organization field to add a sub-organization that displays as a child of the parent organization.
6. Click Ok.

NOTE: To set the display order of the organization, select the organization and click Move Up or Move Down to change the order.

Adding a Sub-Organization

To add a sub-organization, do the following:

1. In the Symantec ICA administration section, select Settings, and then select Organizations & Regions.
2. Right-click the organization name that will have the sub-organization, and then select Add Sub Organization.
3. Enter the sub-organization name in the Sub Organization field.
4. Click Ok.

NOTE: To set the display order of the organization, select the organization and click Move Up or Move Down to change the order.

Creating a Region or Country

To create a region or country, do the following:

NOTE: A country can only be associated with one region.

1. In the Symantec ICA administration section, select Settings, and then select Organizations & Regions.
2. Select Regions & Countries.
3. Click New Region.
4. Enter a region name in the Region field.
5. Enter a shortened region name in the Abbreviation field.
6. Click Ok.

NOTE: To set the display order of the region or country, select the region or country, and click Move Up or Move Down to change the order.

Adding a Country

To add a country, do the following:

1. In the Symantec ICA administration section, select Settings, and then select Organizations & Regions.
2. Select Regions & Countries.
3. Right-click the region name that will have the country, and then select Add Country.
4. Enter the country name in the Country field.
5. Enter a shortened country name in the Abbreviation field.
6. Click Ok.

NOTE: To set the display order of the region or country, select the region or country, and click Move Up or Move Down to change the order.

Configuring Operating Systems

The operating system settings allow you to define the rule patterns for the operating systems imported in Symantec ICA. For example, if you want all Linux distributions to be known as Linux, then you would have a rule pattern that includes CentOS, Fedora, and Ubuntu.


Adding an Operating System Rule

To add an operating system rule, do the following:

1. In the Symantec ICA administration section, select Settings, and then select Operating Systems.
2. Click Create Operating System Rule.
3. Enter the name of the operating system in the Operating System Name field.
4. Enter a rule pattern for the operating system. The rule is used to match specific versions of the operating system. Symantec recommends using wildcards (%) at the beginning and end of the rule, such as %Windows 10 Enterprise%.
5. Click Add to add the rule.
6. (Optional) Add more rules for the operating system. You can drag the rules to prioritize them.
7. Click Save to save the operating system rule.

NOTE: To set the priority of the operating system rule, select the rule and click Move Priority Up or Move Priority Down to change the order.
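The following is an added example, not code from the guide or from Symantec ICA, showing how a set of operating system rules with % wildcards and a priority order resolves the raw OS strings an asset source reports into a normalized name, and why the recommendation to put % at both ends of a rule matters. It assumes that % behaves as in a SQL LIKE pattern (any run of characters), that matching is case-insensitive, and that the first matching rule in priority order wins; the rule set and the inventory strings are constructed for the demonstration.

```python
"""Added example (not Symantec ICA code): resolving raw operating system strings to a
normalized name with %-wildcard rules tried in priority order.
Assumptions: % matches any run of characters (SQL LIKE style), matching is
case-insensitive, and the first matching rule wins."""
import re
from typing import List, Optional, Sequence, Tuple

# Constructed rule set in priority order: (Operating System Name, rule pattern).
OS_RULES: Sequence[Tuple[str, str]] = [
    ("Windows Server", "%Windows Server%"),
    ("Windows 10", "%Windows 10%"),
    ("Linux", "%CentOS%"),
    ("Linux", "%Fedora%"),
    ("Linux", "%Ubuntu%"),
]


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a rule pattern into an anchored, case-insensitive regex.
    Every character except % is literal, so a rule without % must equal the whole string."""
    regex = ".*".join(re.escape(part) for part in pattern.split("%"))
    return re.compile("^" + regex + "$", re.IGNORECASE | re.DOTALL)


def matches(pattern: str, raw_os: str) -> bool:
    """True when the raw OS string satisfies the rule pattern."""
    return pattern_to_regex(pattern).match(raw_os) is not None


def classify_os(raw_os: str, rules: Sequence[Tuple[str, str]] = OS_RULES) -> Optional[str]:
    """Walk the rules in priority order and return the first matching OS name, or None."""
    for os_name, pattern in rules:
        if matches(pattern, raw_os):
            return os_name
    return None


def normalize_inventory(raw_values: List[str],
                        rules: Sequence[Tuple[str, str]] = OS_RULES) -> List[Tuple[str, Optional[str]]]:
    """Pair each raw OS string with its normalized name (None when no rule matches)."""
    return [(raw, classify_os(raw, rules)) for raw in raw_values]


# Constructed raw OS strings as an asset source might report them.
SAMPLE_INVENTORY: List[str] = [
    "Microsoft Windows 10 Enterprise 1909",
    "Microsoft Windows Server 2019 Standard",
    "CentOS Linux 7 (Core)",
    "Ubuntu 18.04.4 LTS",
    "macOS 10.15.3",  # no rule covers it, so it stays unclassified
]

if __name__ == "__main__":
    for raw, name in normalize_inventory(SAMPLE_INVENTORY):
        print(f"{raw!r:42} -> {name}")
    # Without leading and trailing %, the rule must equal the entire reported string.
    print(matches("Windows 10 Enterprise", "Microsoft Windows 10 Enterprise 1909"))    # False
    print(matches("%Windows 10 Enterprise%", "Microsoft Windows 10 Enterprise 1909"))  # True
    # Priority matters: a broad rule placed first swallows the more specific one after it.
    broad_first = [("Windows", "%Windows%"), ("Windows Server", "%Windows Server%")]
    print(classify_os("Microsoft Windows Server 2019 Standard", broad_first))           # Windows
```

The last two checks are the ones worth repeating against your own rule list: a rule without wildcards only matches when the source reports exactly that string, and a generic rule such as %Windows% placed above %Windows Server% means server builds are never labelled as servers, so the more specific rule must carry the higher priority.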

Editing an Operating System Rule

To edit an operating system rule, do the following:

1. In the Symantec ICA administration section, select Settings, and then select Operating Systems.
2. Click (pencil) in the row of the operating system.
3. Modify the operating system fields as needed.
4. Click Save to save your changes to the operating system.

Changing the Priority of an Operating System Rule

To change the priority of an operating system rule, do the following:

1. In the Symantec ICA administration section, select Settings, and then select Operating Systems.
2. Select the row of the operating system.
3. Click Move Priority Up or Move Priority Down as needed.

Deleting an Operating System Rule

To delete an operating system rule, do the following:

1. In the Symantec ICA administration section, select Settings, and then select Operating Systems.
2. Click (minus) in the row of the operating system.
3. Click Yes to confirm the deletion, or click No to cancel the deletion.

Chapter 8

Risk Models Configuration

Risk models correlate actions by users and computers with events that may indicate malicious intent. A risk model defines the stages of a cyber attack, and focuses on a single entity. It uses entity collections and event scenarios to show how events are related to the threat. Each risk model has information about the threat, likelihood, stages, impact types, and the actions required to address the threat. As the Symantec ICA (Information Centric Analytics) administrator, you define the stages, such as potential, suspicious, persistent, and malicious. Each stage is a point at which the attack can be stopped.

The following image shows where impact type, likelihood, and time frame settings appear when viewing a risk model instance details page. In the image, "Compliance Breach" is the impact type, "Possible" is the likelihood, and "Within a Week" is the time frame for the risk.

The likelihood text is based on ranges. If the likelihood is 30% or less, then the text is "Possible." If the likelihood is between 31% and 70%, then the text is "Likely." If the likelihood is between 71% and 100%, then the text is "Certain." You can change the likelihood text to meet your organization's requirements.

Each risk model has one or more cards for each stage of the model. Each card consists of the following:

- Card name
- Data set type, which is an entity collection or event scenario
- Data set for that data set type, such as multiple methods per hour
- Impact type related to the data set type, such as compliance breach or data loss
- Likelihood of the event and time frame
- Recommended action
- Remediation cost
- Remediation time

Creating a Risk Model

You create risk models that align with your organization’s use cases, available data and prevalent types of threats seen in your environment. The risk model should provide information to security personnel, and return a consumable list of risk model instances. Symantec recommends that a risk model include two to four cards per stage, and have no more than six stages.

To create a risk model, do the following:

1. In the Symantec ICA administration section, select Risk Models.
2. Click Add Risk Model.
3. Review the instructions, and then click Next.
4. Enter the model name, threat type, and entity type on the Properties page.
5. Click Next.
6. Do the following for each stage of the risk model on the Stages page:
   a. Enter a description of the stage in the Description field.
   b. Click Required if this stage is required to appear in the risk model.
   c. Click Occurs After Previous Stage if this stage must occur after the preceding stages. Do not select this option if you want the risk model to take effect whether or not the previous stage occurs. This option is not available for the first stage.
   d. Click Any Card or All for the cards. Cards are scenarios or entity collections.
      - Any Card means that if any card occurs, then this stage is advanced in the risk model.
      - All means that all cards must occur for this stage to advance to the next stage.
   e. Click Add Card to add a scenario or entity collection to the stage.
7. Enter the following card information:
   - Data Set Type: The types are Event Scenario or Entity Collection.
   - Data Set: The event scenario or entity collection.
   - Impact Type: The type of impact related to the risk, such as data loss, integrity, or service disruption. More than one impact type can be on a card.
   - Likelihood: The likelihood that the risk will happen. Values are between 1 and 100.
   - Time Frame: The time frame in which the risk may occur, such as within the next month or within the next year.
   - Recommended Action: The recommended action to mitigate the risk of this card.
   - Remediation Cost: The estimated cost, in dollars, to mitigate the risk. For scenarios, it represents the total cost. For entity collections, it represents the per-unit cost. This field is enabled by the administrator, and may not be available for your risk model.
     NOTE: If you do not enter a value, then the remediation cost is calculated using the default remediation cost divided by the remediation time.
   - Remediation Time: The estimated time in minutes to mitigate the risk. For scenarios, it represents the total time. For entity collections, it represents the time per unit. This field is enabled by the administrator, and may not be available for your risk model.
8. Click Save to save the card.
9. (Optional) Click Add Card to add another card to the stage, and enter the card information. Repeat as needed.
10. After adding cards to the stage, click Add Stage to add another stage to the risk model. Repeat as needed. You can change the order of the stages using the chevrons above the stage description fields.
11. (Optional) Set which stages cause a risk model instance to be created as follows:
   a. Click Advanced Options.
   b. Select the Stage Needed to Trigger Instance check box.
   c. Select the stages that will create a risk model instance. If a threat or event listed in these stages occurs, then a risk model instance is created, whether or not a threat or event has occurred in any of the preceding stages.
   d. Click Save.
12. Click Next to view a summary of the risk model.
13. Click Apply to save the risk model.

Editing a Risk Model

A risk model may need adjustment to produce results that are useful to the organization. For example, a risk model may be too complex and therefore return no results, or too simple and return many false positive incidents.
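Before adjusting a model it helps to see how the stage options interact. The following is an added example, not code from the guide or from Symantec ICA: a small evaluator for the stage settings described under Creating a Risk Model (Required, Occurs After Previous Stage, Any Card / All, and Stage Needed to Trigger Instance) together with the default likelihood text ranges. The way it orders stages and decides when an instance is created is an assumed reading of those descriptions, not ICA's engine; the four-stage model and the card timeline are constructed. It shows how an ordering constraint on an All stage can suppress a result entirely (the "too complex" case) while a trigger stage fires regardless of the preceding stages (the "too simple" case).

```python
"""Added example (not Symantec ICA code): an evaluator for risk-model stage options.
The stage-order and instance-creation rules below are assumptions; the model and the
observed card timeline are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Stage:
    name: str
    cards: List[str]              # data sets (event scenarios or entity collections) on the stage
    mode: str = "any"             # "any" = Any Card, "all" = All
    required: bool = True         # Required
    after_previous: bool = False  # Occurs After Previous Stage (not available on the first stage)
    trigger: bool = False         # Stage Needed to Trigger Instance


def likelihood_text(percent: int) -> str:
    """Default likelihood wording from the guide: 30% or less is Possible,
    31% to 70% is Likely, 71% to 100% is Certain. Card likelihoods are 1 to 100."""
    if not 1 <= percent <= 100:
        raise ValueError("card likelihood must be between 1 and 100")
    if percent <= 30:
        return "Possible"
    if percent <= 70:
        return "Likely"
    return "Certain"


def stage_time(stage: Stage, observed: Dict[str, int]) -> Optional[int]:
    """Time at which the stage's card condition is met, ignoring stage order.
    Assumption: Any Card is met by the earliest card; All is met when its last card fires."""
    times = [observed[card] for card in stage.cards if card in observed]
    if not times:
        return None
    if stage.mode == "all":
        return max(times) if len(times) == len(stage.cards) else None
    return min(times)


def evaluate(stages: List[Stage], observed: Dict[str, int]) -> Dict[str, object]:
    """observed maps a card name to the time (minutes) it first fired for one entity.
    Returns the stages reached, in order, and whether a risk model instance is created."""
    reached: List[str] = []
    prev_time: Optional[int] = None  # time the previous stage was reached; None if it was not
    for index, stage in enumerate(stages):
        reached_at = stage_time(stage, observed)
        if reached_at is not None and index > 0 and stage.after_previous:
            # Assumption: the previous stage must have been reached, and strictly earlier.
            if prev_time is None or reached_at <= prev_time:
                reached_at = None
        if reached_at is not None:
            reached.append(stage.name)
        prev_time = reached_at

    trigger_stages = [s for s in stages if s.trigger]
    if trigger_stages:
        # A trigger stage creates an instance whether or not preceding stages occurred,
        # so its cards are checked directly rather than through the ordered walk above.
        instance = any(stage_time(s, observed) is not None for s in trigger_stages)
    else:
        # Assumption: with no trigger stages, every Required stage must have been reached.
        instance = all(s.name in reached for s in stages if s.required)
    return {"reached": reached, "instance": instance}


# Constructed four-stage model using the stage names the guide gives as examples.
# "Multiple methods per hour" is the data set the guide names; the other cards are made up.
MODEL: List[Stage] = [
    Stage("Potential", ["Off-hours login"]),
    Stage("Suspicious", ["Multiple methods per hour", "Access to sensitive share"],
          mode="all", after_previous=True),
    Stage("Persistent", ["New scheduled task"], required=False, after_previous=True),
    Stage("Malicious", ["Bulk upload to personal cloud"], after_previous=True, trigger=True),
]

# Constructed timeline for one user, in minutes from the start of the analysis window.
TIMELINE: Dict[str, int] = {
    "Off-hours login": 10,
    "Multiple methods per hour": 25,
    "Access to sensitive share": 40,
    "Bulk upload to personal cloud": 90,
}

if __name__ == "__main__":
    print(evaluate(MODEL, TIMELINE))
    print(likelihood_text(25), likelihood_text(55), likelihood_text(90))
```

With the timeline above, Potential and Suspicious are reached, Persistent never fires, and Malicious fails its Occurs After Previous Stage check; an instance is still created because Malicious is a trigger stage and its card occurred. Remove the trigger flag and the same timeline produces no instance, because the Required Malicious stage was never reached in order. Move the two Suspicious cards to before the Off-hours login and Suspicious drops out as well. Those are the two knobs the paragraph above is describing: ordering and All tighten a model until it returns nothing, trigger stages loosen it until it fires on a single card.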

To edit a risk model, do the following:

1. In the Symantec ICA administration section, select Risk Models.
2. Click (pencil) in the row of the risk model.
3. Click Next.
4. Edit the properties as needed, and then click Next.
5. Edit the stages and cards as needed, and then click Next. To modify a card, click (pencil) in its row.
6. Click Apply to save the changes.

Deleting a Risk Model

To delete a risk model, do the following:

1. In the Symantec ICA administration section, select Risk Models.
2. Click (minus) in the row of the risk model.
3. Click Yes to confirm the deletion.

Adding a Threat Type

Threat types define the threats used in risk models, such as Malicious Insider and Cyber Attack. Threat types are shown on the risk overview dashboard and on entity details pages. To add a threat type, do the following:

1. In the Symantec ICA administration section, select Risk Models.
2. Click Threat Types, and then click Add Threat Type.
3. Enter the threat type name, and then click Save.

Editing a Threat Type

To edit a threat type, do the following:

1. In the Symantec ICA administration section, select Risk Models.
2. Click Threat Types, and then click (pencil) next to the threat type name.
3. Edit the threat type name, and click Save.

Deleting a Threat Type

To delete a threat type, do the following:

NOTE: If the threat type is used in a risk model, then the threat type cannot be deleted.

1. In the Symantec ICA administration section, select Risk Models.
2. Click Threat Types.
3. Click Delete in the row of the threat type.
4. Click Yes to confirm the deletion.


Adding an Impact Type

Impact types define how an event impacts your environment, such as Application Availability and Compliance Breach. Impact types appear on the risk overview dashboard and on entity details pages. Each impact type has importance levels from None to High. To add an impact type, do the following:

1. In the Symantec ICA administration section, select Risk Models.
2. Click Impact Types, and then click Add Impact Type.
3. Enter the impact type name.
4. Enter a question. The question should ask the user what effect the impact has on the organization. The question is displayed when a user is setting the residual risk for an application.
5. Click Save. The impact type is created with the importance levels None, Low, Medium, and High.

Editing an Impact Type

Impact types appear on entity details pages. To edit an impact type, do the following:

1. In the Symantec ICA administration section, select Risk Models.
2. Click Impact Types.
3. Click (pencil) next to the impact type.
4. Modify the impact type name and question, as needed.
5. Click Save.

Editing an Impact Type Importance Value

Impact types appear on entity details pages. To edit an impact type importance value, do the following:

1. In the Symantec ICA administration section, select Risk Models.
2. Click Impact Types.
3. Expand the impact type category, and click (pencil) next to the impact type.
4. Modify the impact importance value. Values are from 0 to 1, such as .33 for 33% and 1 for 100%.
5. Click Save.

Deleting an Impact Type

To delete an impact type, do the following:


1. In the Symantec ICA administration section, select Risk Models.
2. Click Impact Types.
3. Click (minus) in the row of the impact type.
4. Click Yes to confirm the deletion.

Editing a Likelihood Setting

Symantec ICA includes out-of-the-box likelihood settings. Each setting has a description and a range, such as Less Likely to Occur with a range of less than 30% probability of occurring in your environment. The likelihood setting is shown on the risk overview dashboard, risk model instance details pages, and entity details pages. You can edit the descriptions and ranges as needed. To edit a likelihood setting, do the following:

1. In the Symantec ICA administration section, select Risk Models.
2. Click Likelihood, and then click (pencil) next to the likelihood name.
3. Modify the description or percentage as needed.
4. Click Save.

Chapter 9

Risk Vectors Configuration

Risk vectors show an entity's activities compared to the activities of other, similar entities. They can be created using the analyzer or a SQL query. Risk vectors can be based on user activity, a scenario, a user attribute, or essentially anything that can be measured. For example, person risk vectors compare a person's activities, events, or incidents to the person's usual activities, to other peers in the same department, and to peers with the same manager to determine the person's risk level.

NOTE: You can disable risk vectors for data that is not imported into Symantec ICA (Information Centric Analytics). For example, the 5 Emails Blocked/Day risk vector can be disabled if no email message data is imported into Symantec ICA.

The following entities can have risk vectors in Symantec ICA:

• Applications

• Computer endpoints

• IP addresses

• Persons

• Users

Creating an Analyzer Risk Vector

To create an analyzer risk vector, do the following:

1. In the Symantec ICA administration section, select Risk Vectors.
2. Click the tab for the type of risk vector, such as Computer Endpoint or User.
3. Click Create Analyzer Risk Vector.
4. Create or open an analyzer view. You must include a relative date dimension attribute, such as DIM Incident Relative Date Range, as a filter for the analyzer risk vector.
5. Right-click the cell to use for the risk vector, and select Create Risk Vector.
6. Select the entity type.
7. Enter the vector name.


8. Click the Enabled check box to enable the vector. Enabling a risk vector allows the risk vector to be included in risk score calculations.
9. Click the Displayed check box to display the vector on radar charts.
10. Assign a risk weight. Higher weights contribute more to a risk score than lower weights.
11. Click Save.

Creating a SQL Risk Vector

To create a SQL risk vector, do the following:

1. In the Symantec ICA administration section, select Risk Vectors.
2. Click the tab for the type of risk vector, such as Computer Endpoint or User.
3. Click Create SQL Risk Vector.
4. Enter the vector name. The entity is set by the risk vector tab you chose in step 2.
5. Click the Enabled check box to enable the vector. Enabling a risk vector allows the risk vector to be included in risk score calculations.
6. Click the Displayed check box to display the vector on radar charts.
7. Assign a risk weight. Higher weights contribute more to a risk score than lower weights.
8. Enter the query for the risk vector.
9. Click Save to save the risk vector.

Setting the Risk Vector Order

To set the order of a risk vector, do the following:

1. In the Symantec ICA administration section, select Risk Vectors.
2. Select the risk vector on the list.
3. Click the up or down chevron to set the ordinal. Changing one risk vector ordinal affects the ordinals of the other risk vectors.

Chapter 10

Entity Collections Configuration

An entity collection is a grouping of a particular entity, such as user, application, or computer endpoint, based on a cell in an analyzer view or an integration pack. The entity collections associated with an entity are shown on the entity details page. An entity collection can be used in a dashboard rank view or a risk model. Symantec ICA (Information Centric Analytics) administrators set which entity collections are highlighted on the details pages, and which entity collections are available for risk models.

Creating an Entity Collection

An entity collection is a grouping of a particular entity, such as user or computer endpoint. An entity collection can be used in a rank view on a dashboard or in a risk model. To create an entity collection, do the following:

1. Create an analyzer view or open an existing view for the entity.
2. Right-click the cell that has the entity data you want to use for the collection.
3. Click Create Entity Collection.
4. Select the type of entity.
5. Enter a full name and short name for the collection.
6. (Optional) Select Highlight on Entity Page to have the entity collection appear in the Highlighted Collections section of the header on the entity page. If this option is not selected, then the entity collection appears in the Other Collections section that is shown when More Details is selected by the user.
7. (Optional) Select Allow Use in Risk Models to make the entity collection available when creating risk models. When this option is selected, the entity collection can be used with risk models.
8. Click Save.

NOTE: The entity collection can be modified after it is saved. The system identifiers and name are not changed when modifying an entity collection.


Setting Entity Collection Properties

To set the properties for an entity collection, do the following:

1. In the Symantec ICA administration section, select Entity Collections.
2. Click (pencil) next to the entity collection name.
3. Modify the name and short name as needed.
4. (Optional) Select Highlight on Entity Page to have the entity collection appear in the Highlighted Collections section of the header on the entity page. If this option is not selected, then the entity collection appears in the Other Collections section that is shown when More Details is selected by the user.
5. (Optional) Select Allow Use in Risk Models to make the entity collection available when creating risk models.
6. Click Save to save the changes.

Deleting an Entity Collection

To delete an entity collection, do the following:

1. In the Symantec ICA administration section, select Entity Collections.
2. Click (minus) next to the entity collection name.
3. Click Yes to confirm the deletion, or click No to cancel the deletion.

Chapter 11

Event Scenarios Configuration

Symantec ICA (Information Centric Analytics) event scenarios use event sets to build correlations between events. Event scenarios can be used in risk models and dashboards. An event set is created by a data-in-motion search or from a cell in an analyzer view. An event set can include more than one type of entity. The correlations can be time-based or a roll-up. A time-based scenario contains more than one event set, and more than one entity type. A roll-up scenario contains only one event set and one entity type.

The following are examples of each scenario type:

• A time-based scenario to identify user accounts that use multiple protocols to move data in violation of DLP policies within one hour.

• A time-based scenario to identify users that violate a minimum of three personal information policies during a week.

• A rollup scenario for a group of employees with the same manager who violate the same policy in a month.

• A rollup scenario for employees planning to leave the organization that have unusual incidents three weeks prior to departure.

NOTE: Event scenarios do not include vulnerabilities.

Administrators can include event notifications in a scenario to alert repeat offenders about their policy violations and unacceptable behaviors. If a repeat offender does not modify their behavior, then the notifications can increase in seriousness. For example, a user might visit a questionable website, and receive a notification that the website should not be visited again. If the user again goes to the website, then a notification can be sent to the user and the user's manager. If the behavior does not change, then the notifications may start to include the human resources department or the security team.

NOTE: A notification template must be created before adding an event notification.

See Also: Symantec ICA User Guide for information about event sets


Creating a Time-based Event Scenario

To create a time-based event scenario, do the following:

1. In the Symantec ICA administration section, select Event Scenarios.
2. Click New Scenario.
3. Enter the scenario name.
4. Enter the scenario label.
5. Enter a description of the scenario. The description is shown on aging view widgets.
6. Click Is Enabled to enable the scenario.
7. Click Configure to start configuring the event scenario.
8. Configure the time-based event scenario as follows:
   a. Select Time Series as the category.
   b. Click Next.
   c. In the Start section of the Timeline field, select the event scenario set.
   d. (Optional) Enable an event count threshold, and set the minimum value.
   e. (Optional) Enable the match count threshold, and set the minimum value.
   f. Select an event scenario and thresholds in the End section of the Timeline field.
   g. Expand Correlation.
   h. Select the entity type.
   i. Select the period.
   j. Select the operator. Options are Same, Different, Greater than, Greater than or equal to, Less than, Less than or equal to, and Within. The options depend on the entity.
   k. Enter the value for the period, and then select the measure for the period. For example, the value could be 12, and the measure hours.
   l. Select the attributes.
   m. (Optional) Click Add to add another data set and define the correlation.
   n. (Optional) Add event notifications as follows:

NOTE: A notification template must be created before adding an event notification.

      i. Select the Do you want to add Step Up notifications to this event scenario? option.
      ii. Click Next.
      iii. Click Add Level.
      iv. Enter the level label.
      v. Click Enable Notification.
      vi. Select the notification template.
      vii. Enter the subject line for the notification.
      viii. Enter the sender email address or select from the list.
      ix. Enter the recipient email address or select from the list.
      x. (Optional) Enter the email addresses of those who should also receive notifications about the event in the CC field, or select from the list.
      xi. (Optional) Enter email addresses of those who should receive notifications about the event in the BCC field, or select from the list. Recipients listed in this field will not appear in the notification.
      xii. (Optional) Enter additional text for the notification.
      xiii. Click Save.
      xiv. (Optional) Create additional levels, as needed.
   o. Click Next.
   p. Select the group detail source.
   q. (Optional) Enable an event count threshold, and set the minimum value.
   r. (Optional) Enable an event match count threshold, and set the minimum value.
   s. Click Next.
   t. Review the settings.
   u. Click Apply to confirm the settings, or Previous to change the settings.
9. Click Save to save the event scenario.
10. Click Run Now to run the event scenario, and ensure the job completes successfully.

Creating a Rollup Event Scenario

To create a rollup event scenario, do the following:

1. In the Symantec ICA administration section, select Event Scenarios.
2. Click New Scenario.
3. Enter the scenario name.
4. Enter the scenario label.
5. Enter a description of the scenario.
6. Click Is Enabled to enable the scenario.
7. Click Configure to start configuring the event scenario.


8. Configure the rollup event scenario as follows:
   a. Select Rollup as the category.
   b. Click Next.
   c. Select the event scenario set.
   d. Select the entity rollup.
   e. Select the period and date.
   f. Select and set the rollup attributes.
   g. (Optional) Select additional rollups.
   h. Select the detail display type.
   i. (Optional) Add event notifications as follows:

      NOTE: A notification template must be created before adding an event notification.

      i. Select the Do you want to add Step Up notifications to this event scenario? option.
      ii. Click Next.
      iii. Click Add Level.
      iv. Enter the level label.
      v. Click Enable Notification.
      vi. Select the notification template.
      vii. Enter the subject line for the notification.
      viii. Enter the sender email address or select from the list.
      ix. Enter the recipient email address or select from the list.
      x. (Optional) Enter the email addresses of those who should also receive notifications about the event in the CC field, or select from the list.
      xi. (Optional) Enter email addresses of those who should receive notifications about the event in the BCC field, or select from the list. Recipients listed in this field will not appear in the notification.
      xii. (Optional) Enter additional text for the notification.
      xiii. Click Save.
      xiv. (Optional) Create additional levels, as needed.
   j. Click Next.
9. Review the settings.
10. Click Apply if the settings are correct, or Previous to change the settings.
11. Click Save to save the event scenario.
12. Click Run Now to run the event scenario, and ensure the job completes successfully.


Editing an Event Scenario

When viewing or editing an event scenario, the dashboards and risk models that use the event scenario are listed. To edit an event scenario, do the following:

1. In the Symantec ICA administration section, select Event Scenarios.
2. Click (pencil) next to the event scenario name.
3. Modify the fields or scenario as needed.

NOTE: You cannot modify the type of scenario, such as changing a rollup scenario to a time-series scenario. To change the type, you must delete the existing type, and then configure the new type.

4. Click Apply to apply your changes to the scenario type.
5. Click Save to save the changes to the scenario.

Deleting an Event Scenario

To delete an event scenario, do the following:

1. In the Symantec ICA administration section, select Event Scenarios.
2. Click Delete in the row of the event scenario.
3. Select one of the options. Options are Generated Instances Only, and Scenario Definition & Generated Instances.
4. Click Yes to confirm the deletion.

Appendix A

Symantec ICA Pre-installation Checklists

The following checklists should be used when planning an installation of Symantec ICA:

• Company Information

• Data Sources for Symantec ICA

• Server Sizing for Symantec ICA

• Events to Process with Symantec ICA

• Server Requirements for Two-Tier Architecture

• Technical Requirements for Two-Tier Architecture

• Server Requirements for Three-Tier Architecture

• Technical Requirements for Three-tier Architecture

• Required Account Privileges

• Symantec ICA Service Account Privileges

• Configuration Requirements for TCP Port

• Kerberos Credentials

• Microsoft SQL Database Server Settings

• Microsoft SQL Server Analysis Server (SSAS) Settings

See Also: "Prerequisites and Privileges for Installing and Administrating Symantec ICA" on page 37

Company Information

Enter the company information in the following table:

Company name:
Address:
Technical contact name:
Email:
Phone:
Expected install date:

Data Sources for Symantec ICA

The data sources checklist helps the team identify what data is being pulled into Symantec ICA and how it will be used.

Source Server Name | Data Source Name | Data Type | Access | Notes
 | Microsoft Active Directory | Users | |
 | Microsoft Active Directory | Computers | |
 | Symantec Data Loss Prevention (DLP) | DLP | |
 | Symantec Endpoint Protection (SEP) | Endpoint Protection | |
 | Symantec ProxySG | Web Proxy | |
 | Symantec Information Centric Encryption (ICE) | Encryption | |
 | Symantec Information Centric Tagging (ICT) | DLP Tagging | |

Server Sizing for Symantec ICA

Use this section to determine the required server hardware for implementation.

Data Sizing Question | Comments and Notes
Amount of data to be processed. NOTE: Symantec ICA requires approximately 20% of the total size of the data processed. |
Architecture type (number of servers): |
  • Two Tier: 1 IIS/Web Application Server, 1 SQL Server/SSAS Server
  • Three Tier: 1 IIS/Web Application Server, 1 SQL Server, 1 SSAS Server
Number of projected Symantec ICA users. NOTE: A high number of Symantec ICA users may require additional Web Server resources. |


Events to Process with Symantec ICA

Identify the events that will be processed by Symantec ICA.

Events to be processed | Record Count | Comments and Notes
Microsoft Active Directory | |
Symantec DLP | |
Symantec SEP | |
Symantec ProxySG | |
Symantec ICE | |
Symantec ICT | |

Server Requirements for Two-Tier Architecture

The following are the server requirements for two-tier architecture.

Server Type | CPU | RAM (GB) | Disk
Microsoft IIS Web Server | 8 | 32 | 64 GB
Microsoft SQL Database Server | 16 | 128 | 512 GB - 1 TB

NOTE: Microsoft SQL Database Server has a TEMPDB storage requirement of 512 GB - 1 TB.

Technical Requirements for Two-Tier Architecture

The following sections list the requirements when implementing a two-tier architecture:

Microsoft IIS Web Server Infrastructure Prerequisites for Two-Tier Architecture

The following are the infrastructure prerequisites for Symantec ICA in a two-tier architecture.

Infrastructure Prerequisites | Comments and Notes
Microsoft Windows Server 2012 R2 or later with the Web Server (Microsoft Internet Information Services (Microsoft IIS)) role. |

Web Server Role Services for Two-Tier Architecture

The following are the needed Windows Server Web Server (Microsoft IIS) role services for Symantec ICA.


Windows Server Role Services (use the Comments and Notes column of the checklist for your notes):

Common HTTP Features:
  • Default Document
  • Directory Browsing
Health and Diagnostics:
  • HTTP Logging
Performance:
  • Static Content
  • Static Content Compression
Security:
  • Windows Authentication
Application Development:
  • .NET Extensibility 4.5
  • ASP.NET 4.5
  • ISAPI Extensions
  • ISAPI Filters

Windows Server Features for Two-Tier Architecture

The following are the Microsoft Windows Web Server (Microsoft IIS) features needed for Symantec ICA.

Windows Server Features (use the Comments and Notes column of the checklist for your notes):

.NET Framework 3.5 Features:
  • .NET Framework 3.5
.NET Framework 4.5 Features:
  • .NET Framework 4.5
  • ASP.NET 4.5
  • WCF Services:
    • HTTP Activation
    • TCP Port Sharing


Microsoft SQL Database Server for Two-Tier Architecture

The following are the Microsoft SQL database infrastructure prerequisites for Symantec ICA in a two-tier architecture.

Infrastructure Prerequisites | Comments and Notes
Microsoft Windows Server 2012 R2 or later |
Microsoft SQL Server Enterprise Edition 2016 with cumulative update (CU) 5 or later | NOTE: Microsoft SQL Server Developer Edition can be used for test and development environments for Symantec ICA.
Microsoft SQL Server Analysis Services (SSAS): 2016 Enterprise Edition CU 5 or later | NOTE: Microsoft SQL Server Developer Edition can be used for non-production environments for Symantec ICA.

Additional Software for Two-Tier Architecture

The following is the additional software needed for Symantec ICA.

Additional Software | Comments and Notes
Microsoft .NET Framework 4.7.1, available at https://www.microsoft.com/en-us/download/details.aspx?id=56116 | NOTE: Microsoft .NET Framework 4.7.1 must be installed on the database server and the application server.

Server Requirements for Three-Tier Architecture

The following are the server requirements for three-tier architecture.

Server Type | CPU | RAM (GB) | Disk
Microsoft IIS Web Server | 8 | 32 | 64 GB
Microsoft SQL Database Server | 16 | 64 | 512 GB - 1 TB
Microsoft Analysis Services (SSAS) | 16 | 64 | 1 TB

NOTE: Microsoft SQL Database Server has a TEMPDB storage requirement of 512 GB - 1 TB.


Technical Requirements for Three-tier Architecture

The following sections list the requirements when implementing a three-tier architecture:

Microsoft IIS Web Server Infrastructure Prerequisites for Three-Tier Architecture

Install the following prerequisites when implementing a three-tier architecture.

Infrastructure Prerequisites | Comments and Notes
Microsoft Windows Server 2012 or later with the Web Server (Microsoft IIS) role |

Web Server Role Services for Three-tier Architecture

The following are the needed Windows Server Web Server (Microsoft IIS) role services for Symantec ICA.

Roles (use the Comments and Notes column of the checklist for your notes):

Common HTTP Features:
  • Default Document
  • Directory Browsing
Health and Diagnostics:
  • HTTP Logging
Performance:
  • Static Content
  • Static Content Compression
Security:
  • Windows Authentication
Application Development:
  • .NET Extensibility 4.5
  • ASP.NET 4.5
  • ISAPI Extensions
  • ISAPI Filters


Windows Server Features for Three-tier Architecture

The following are the Microsoft Windows Web Server (Microsoft IIS) features needed for Symantec ICA.

Windows Server Features (use the Comments and Notes column of the checklist for your notes):

.NET Framework 3.5 Features:
  • .NET Framework 3.5
.NET Framework 4.5 Features:
  • .NET Framework 4.5
  • ASP.NET 4.5
  • WCF Services:
    • HTTP Activation
    • TCP Port Sharing
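The following PowerShell script is an added example and is not part of the Symantec ICA guide. It installs and then verifies the Web Server (IIS) role services and Windows Server features listed in the two-tier and three-tier checklists above, using the Install-WindowsFeature approach that the Server Core procedure in Appendix B also uses, and it finishes by enabling remote IIS management as that procedure does. It assumes Windows Server 2012 R2 or later, an elevated PowerShell session, and that the Windows Server media is mounted at D:\ (the -Source path is an assumption; adjust it for your environment).

```powershell
# Added example (not from the Symantec ICA guide): install and verify the IIS role
# services and Windows features the pre-installation checklists require.
# Assumes Windows Server 2012 R2 or later, an elevated session, and that the
# ServerManager module is available. Feature names are the standard
# Install-WindowsFeature names for the checklist items.
#Requires -RunAsAdministrator
Import-Module ServerManager

# Web Server (IIS) role services from the "Web Server Role Services" table
$roleServices = @(
    'Web-Server',            # Web Server (IIS) role itself
    'Web-Default-Doc',       # Common HTTP Features: Default Document
    'Web-Dir-Browsing',      # Common HTTP Features: Directory Browsing
    'Web-Http-Logging',      # Health and Diagnostics: HTTP Logging
    'Web-Static-Content',    # Performance: Static Content
    'Web-Stat-Compression',  # Performance: Static Content Compression
    'Web-Windows-Auth',      # Security: Windows Authentication
    'Web-Net-Ext45',         # Application Development: .NET Extensibility 4.5
    'Web-Asp-Net45',         # Application Development: ASP.NET 4.5
    'Web-ISAPI-Ext',         # Application Development: ISAPI Extensions
    'Web-ISAPI-Filter',      # Application Development: ISAPI Filters
    'Web-Mgmt-Service'       # Management Service (remote IIS management, Appendix B Task 1)
)

# Windows Server features from the "Windows Server Features" table
$features = @(
    'NET-Framework-Core',         # .NET Framework 3.5
    'NET-Framework-45-Core',      # .NET Framework 4.5
    'NET-Framework-45-ASPNET',    # ASP.NET 4.5
    'NET-WCF-HTTP-Activation45',  # WCF Services: HTTP Activation
    'NET-WCF-TCP-PortSharing45'   # WCF Services: TCP Port Sharing
)

function Get-MissingFeature {
    param([string[]]$Names)
    # Returns the names of checklist items that are not yet installed on this server.
    Get-WindowsFeature -Name $Names |
        Where-Object { -not $_.Installed } |
        Select-Object -ExpandProperty Name
}

$missing = Get-MissingFeature -Names ($roleServices + $features)
if (-not $missing) {
    Write-Output 'All checklist role services and features are already installed.'
} else {
    Write-Output "Installing: $($missing -join ', ')"
    # The .NET Framework 3.5 payload is not always present on the install image;
    # -Source points at the sources\sxs folder of the Windows Server media (assumed path).
    $result = Install-WindowsFeature -Name $missing -Source 'D:\sources\sxs'
    if (-not $result.Success) {
        throw "Install-WindowsFeature failed with exit code $($result.ExitCode)"
    }
    if ($result.RestartNeeded -eq 'Yes') {
        Write-Warning 'A restart is required to complete the feature installation.'
    }
}

# Re-check from actual server state so the checklist can be signed off on evidence,
# not on the assumption that the install succeeded.
$stillMissing = Get-MissingFeature -Names ($roleServices + $features)
if ($stillMissing) {
    throw "Still missing after installation: $($stillMissing -join ', ')"
}
Write-Output 'Checklist verified: every required role service and feature is installed.'

# Enable remote management of IIS and make the Web Management Service start
# automatically (the same settings as Appendix B, Task 1, steps 8 to 12).
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\WebManagement\Server' `
    -Name EnableRemoteManagement -Value 1
Set-Service -Name WMSVC -StartupType Automatic
Restart-Service -Name WMSVC
```

Run the script before signing off the checklist for a web server; it reports the exact items still missing rather than silently continuing, which keeps the installed state aligned with what was recorded in the checklist.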

Microsoft SQL Database Server for Three-tier Architecture

The following are the Microsoft SQL database infrastructure prerequisites for Symantec ICA in a three-tier architecture.

Infrastructure Prerequisites | Comments and Notes
Microsoft Windows Server 2012 R2 or later |
Microsoft SQL Server Enterprise Edition 2016 with cumulative update (CU) 5 or later | NOTE: Microsoft SQL Server Developer Edition can be used for test and development environments for Symantec ICA.

Additional Software for Three-tier Architecture

The following is the additional software needed for Symantec ICA.

Additional Software | Comments and Notes
Microsoft .NET Framework 4.7.1, available at https://www.microsoft.com/en-us/download/details.aspx?id=56116 | NOTE: Microsoft .NET Framework 4.7.1 must be installed on the database server and the application server.


Microsoft SQL Server Analysis Services (SSAS) for Three-tier Architecture

The following are the Microsoft SSAS requirements for Symantec ICA.

Infrastructure Prerequisites | Comments and Notes
Microsoft Windows Server 2012 R2 or later |
Microsoft SQL Server Analysis Services 2016 with cumulative update (CU) 5 or later | NOTE: Microsoft SQL Server Developer Edition can be used for test and development environments for Symantec ICA.

Required Account Privileges

The following are the required account privileges for Symantec ICA.

Environment | Privilege | Can be removed (Yes/No) | Comments and Notes
Windows Server | Administrator | No |
SQL Server | sysadmin | Yes (conditional) | Requires Sysadmin or dbcreator because a system level query is performed during installation or upgrade to determine available databases. Sysadmin can be removed after installation or upgrade, but db_owner is still required.
SQL Analysis Server | Administrator | No |

Symantec ICA Service Account Privileges

The Symantec ICA server service account is the account that brokers communication between the Microsoft Windows server hosting the Symantec ICA application and web services, and the SQL Server hosting the Symantec ICA database.

Environment | Privilege | Can be removed (Yes/No) | Comments and Notes
Windows Server | Administrator | No |
SQL Server | sysadmin or db_owner of the Symantec ICA database | No | Requires Sysadmin or db_owner to create and remove system level objects (SQL Agent Jobs, as well as temporary on-demand objects).
SQL Analysis Server | Administrator | No | Account is used to access data in the Microsoft SQL Server database.

Symantec ICA Server Installation Wizard Privileges

The following are the required privileges for the Symantec ICA installation wizard.

Environment | Privilege | Can be removed (Yes/No) | Comments and Notes
Windows Server | Administrator | No |
SQL Server | sysadmin or db_creator | No | Requires Sysadmin to create and remove system level objects (SQL Agent Jobs, as well as temporary on-demand objects).

NOTE: After installation, open Microsoft IIS Manager, and ensure that ASP.NET Impersonation is disabled for Risk Fabric.

Configuration Requirements for TCP Port

Symantec ICA utilizes a Microsoft IIS website that uses several TCP ports to communicate with Symantec ICA. If the host is equipped with an endpoint firewall, then these ports must be open for inbound and outbound traffic.

Usage | Default Port | Configurable | Comments and Notes
HTTP port | 80 | Yes |
HTTPS port | 443 | Yes |
SQL Server | 1433 | Yes |
Analysis Server | 2382 | Yes |
Analysis Server | 2383 | Yes |

Kerberos Credentials

Kerberos credentials must be considered in the following case:

Credentials | Comments and Notes
When the Symantec ICA application server is installed on a different server from the Microsoft SQL Server server, and the data source authentication is set to Windows Integrated Authentication, then the servers must be able to pass Kerberos credentials between the servers. | Kerberos only needs to be reviewed and considered when installing Symantec ICA in a 3-tier environment.

The following are the prerequisites when setting the Kerberos credentials on the servers:

• You must have Domain Admin privileges to perform the procedure. If you do not have Domain Admin privileges, then the configuration fails.

• If the Symantec ICA Application Server application pool specified in Microsoft Internet Information Services (IIS) Manager runs under a domain account, then the procedure must also be performed for that account.

Microsoft SQL Database Server Settings

The following are the requirements for Microsoft SQL with Symantec ICA.

Settings | Comments and Notes
If SQL Server and Analysis Services are running on the same server, then the Memory/TotalMemoryLimit setting should be set to 50% of available server memory. | This setting can be found under the Memory Settings on the properties of the SQL Server.

Microsoft SQL Server Analysis Server (SSAS) Settings

The following are the requirements for Microsoft SSAS with Symantec ICA.

Settings | Requirement | Comments and Notes
ExternalCommandTimeout | 360000 | This setting is found under the General Settings on the properties of the Analysis Server.
ExternalConnectionTimeout | 360000 | This setting is found under the General Settings on the properties of the Analysis Server.
Log\Flight Recorder\Enabled | False | This setting is found under the General Settings on the properties of the Analysis Server.
ServerTimeout | 360000 | This setting is found under the General Settings on the properties of the Analysis Server.
Memory\TotalMemoryLimit | 75% of available server memory, if SQL Server and Analysis Services are running on a standalone server; 45% of available server memory, if SQL Server and Analysis Services are running on the same server | This setting is found under the General Settings on the properties of the Analysis Server.

Appendix B

Symantec ICA Installation on Server Core for Microsoft Windows Server 2012

Microsoft Server Core installation uses the minimum options needed to run Microsoft Windows Server, and includes only essential binaries and features. Using Server Core for Microsoft Windows 2012 reduces management tasks, servicing tasks, and the attack surface of Microsoft Windows Server 2012. Server Core is administered using the command prompt with PowerShell support.

Installing Symantec ICA (Information Centric Analytics) on a server with a Server Core installation involves the following tasks:

l Task 1: Setting Up Web Server Roles and Management on Server Core

l Task 2: Copying Installation Files and Components to Server Core

l Task 3: Installing Symantec ICA and Components on Server Core

Task 1: Setting Up Web Server Roles and Management on Server Core

The following procedure describes how to set up the web server roles and management on a server running Server Core.

1. Log in to the server running Server Core.
2. Enter taskmgr.exe, and then press Enter.
3. Select Run new task from the File menu.
4. Enter cmd, and click OK. A command window is displayed.
5. Enter powershell, and then press Enter. The PowerShell window is displayed.
6. Enter the following command to install the web-server role:
   Install-WindowsFeature Web-Server

7. Enter the following command to install the web management component:
   Install-WindowsFeature Web-Mgmt-Service


NOTE: Installing the web management component allows remote management of Symantec ICA.

8. Enter the following command to enable remote management:
   Set-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\WebManagement\Server -Name EnableRemoteManagement -Value 1

9. Restart the web management service using the following commands:
   Net Stop WMSVC
   Net Start WMSVC

10. Enter exit to exit the PowerShell interface.
11. Enter exit to close the PowerShell window.
12. Enter the following command at the command prompt, and then press Enter:
    sc config WMSVC start= auto
    The preceding command enables the web management service to start automatically. The space after start= is required by sc.

Task 2: Copying Installation Files and Components to Server Core

The following procedure describes how to copy the Symantec ICA installation files and components to the server running Server Core:

1. Log in to the server running Server Core.
2. Enter taskmgr.exe, and then press Enter.
3. Select Run new task from the File menu.
4. Enter cmd, and click OK. A command window is displayed.
5. Change to the C:\ drive.
6. Create a folder for the Symantec ICA files. The following is an example of the command to create the folder:
   mkdir riskfabricsetup
   NOTE: Symantec recommends naming the folder riskfabricsetup.

7. Change to the Symantec ICA folder.
8. Open another command window by selecting Run new task from the Task Manager File menu, and then entering cmd.
9. Connect to the remote server that has the Symantec ICA and Microsoft files using a remote desktop session or FTP.
10. Collect the following required installation files and components on a remote server.

l Symantec ICA installation file (RiskFabric.Installer)

l SQL CLR Types 2012 (SQLSysClrTypes.msi)


l SQL ADOMD.NET for analysis services 2012 (SQL_AS_ADOMD.msi)

l SQL Server Shared Management Objects 2012 (SharedManagementObjects.msi)

l Microsoft .NET Framework 4.5.1 (NDP451-KB2858728-x86-x64-AllOS-ENU.exe)

11. Map a temporary drive from the server running Server Core to the remote server with the folder containing the installation files and components using the following command:
    pushd \\serverName\path
    In the preceding command, serverName is the name of the remote server, and path is the directory path to the folder.

12. Copy the installation files and components to the riskfabricsetup folder using the copy command. Symantec recommends copying each file and component individually.
13. Use the popd command to remove the mapping to the remote server.

Task 3: Installing Symantec ICA and Components on Server Core

The following procedure describes how to install Symantec ICA and the required components on a server running Server Core:

1. Log in to the server running Server Core.
2. Enter taskmgr.exe, and then press Enter.
3. From the File menu, select Run new task.
4. Enter cmd, and click OK. A command window is displayed.
5. Change to the riskfabricsetup directory on the C:\ drive.
6. Install the following components one at a time, using the setup wizard for the component.

l SQL CLR Types 2012 (SQLSysClrTypes.msi)

l SQL ADOMD for analysis services 2012 (SQL_AS_ADOMD.msi)

l SQL Server Shared Management Objects 2012 (SharedManagementObjects.msi)

l Microsoft .NET Framework 4.5.1 (NDP451-KB2858728-x86-x64-AllOS-ENU.exe)

NOTE: SQL CLR Types must be installed before SQL Server Shared Management Objects. The Microsoft .NET Framework installation may require restarting the server.

7. Use the following command to start the Symantec ICA setup wizard:
   RiskFabric.Installer

8. Use the installation prerequisites wizard page to install features that are not currently installed on the server running Server Core. The following are some features that should be installed on the server:

l Microsoft Internet Information Services (IIS) .NET extensibility

l IIS ASP.NET

l Authorization


l Windows authentication

l HTTP activation

9. Follow the installation tasks described in "Installing Symantec ICA" on page 51.
10. Open a port in the server firewall for Symantec ICA using the following command:
    netsh advfirewall firewall add rule name=RiskFabric dir=in action=allow protocol=TCP localport=portNumber
    In the preceding command, portNumber is the port number for Symantec ICA.

11. Configure Symantec ICA as described in "Symantec ICA Configuration" on page 61.
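The three tasks above, as an added example that is not part of the Symantec ICA guide: one script, run from an elevated PowerShell session on the Server Core host, that installs the web server role and enables remote management (Task 1), copies each component individually and records its hash (Task 2), installs the components silently in the required order and opens the firewall port (Task 3). The share name \\fileserver\ica-staging, the port 443 and the file name RiskFabric.Installer.exe are placeholders (the guide names the installer without an extension); Get-FileHash needs PowerShell 4.0 or later.

```powershell
# Added example (not from the Symantec ICA guide): Tasks 1-3 as one script,
# run from an elevated PowerShell session on the Server Core host.
# Placeholders: \\fileserver\ica-staging, the ICA port, RiskFabric.Installer.exe.
param(
    [string]$Source  = '\\fileserver\ica-staging',   # share holding the files (placeholder)
    [string]$Dest    = 'C:\riskfabricsetup',         # folder name the guide recommends
    [int]   $IcaPort = 443                           # Symantec ICA port (placeholder)
)
$ErrorActionPreference = 'Stop'

# ---- Task 1: web server role, management service, remote management ----
foreach ($feature in 'Web-Server', 'Web-Mgmt-Service') {
    $r = Install-WindowsFeature -Name $feature
    if (-not $r.Success) { throw "Install-WindowsFeature $feature failed" }
}
$regPath = 'HKLM:\SOFTWARE\Microsoft\WebManagement\Server'
Set-ItemProperty -Path $regPath -Name EnableRemoteManagement -Value 1 -Type DWord
Set-Service -Name WMSVC -StartupType Automatic      # same effect as: sc config WMSVC start= auto
Restart-Service -Name WMSVC                          # same effect as: Net Stop WMSVC / Net Start WMSVC
$svc = Get-Service -Name WMSVC
$enabled = (Get-ItemProperty -Path $regPath -Name EnableRemoteManagement).EnableRemoteManagement
if ($svc.Status -ne 'Running' -or $enabled -ne 1) { throw 'WMSVC is not running with remote management enabled' }

# ---- Task 2: copy each component individually, recording a SHA-256 of each ----
# Order matters for Task 3: SQL CLR Types must precede Shared Management Objects.
$msis      = 'SQLSysClrTypes.msi', 'SQL_AS_ADOMD.msi', 'SharedManagementObjects.msi'
$dotnet    = 'NDP451-KB2858728-x86-x64-AllOS-ENU.exe'
$installer = 'RiskFabric.Installer.exe'              # assumed extension
New-Item -ItemType Directory -Path $Dest -Force | Out-Null
foreach ($file in $msis + $dotnet + $installer) {
    Copy-Item -Path (Join-Path $Source $file) -Destination $Dest
    $h = Get-FileHash -Algorithm SHA256 -Path (Join-Path $Dest $file)
    "{0,-45} SHA256 {1}" -f $file, $h.Hash           # keep with the build record
}

# ---- Task 3 step 6: silent installs in the required order ----
# Exit code 3010 means success with a pending restart.
foreach ($msi in $msis) {
    $p = Start-Process msiexec.exe -ArgumentList "/i `"$(Join-Path $Dest $msi)`" /qn /norestart" -Wait -PassThru
    if ($p.ExitCode -notin 0, 3010) { throw "$msi failed with exit code $($p.ExitCode)" }
}
$p = Start-Process (Join-Path $Dest $dotnet) -ArgumentList '/q /norestart' -Wait -PassThru
if ($p.ExitCode -notin 0, 3010) { throw ".NET Framework 4.5.1 setup failed with exit code $($p.ExitCode)" }
if ($p.ExitCode -eq 3010) { Write-Warning 'Restart the server before running RiskFabric.Installer (step 7)' }

# ---- Task 3 step 10: inbound firewall rule for the Symantec ICA port ----
# New-NetFirewallRule is the PowerShell equivalent of the netsh command in the guide.
if (-not (Get-NetFirewallRule -DisplayName 'RiskFabric' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName 'RiskFabric' -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort $IcaPort | Out-Null
}
"Components staged in $Dest; run $installer there to start the Symantec ICA setup wizard (step 7)."
```

Steps 7 through 9 and 11 (the setup wizard, the prerequisites page and the configuration chapter) are interactive and are left to the wizard; the script stops at the first failed exit code so a half-installed component set is not silently carried forward.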

Appendix C

Encrypting the Symantec ICA Database

Symantec recommends encrypting the Symantec ICA (Information Centric Analytics) and the Microsoft SQL Server Analysis Services (Microsoft SSAS) databases after installation. Encrypting the databases protects the data at rest. Data in transit is not encrypted, but it is protected by Microsoft SQL Server.

Note the following when encrypting the database:

l Symantec recommends backing up and storing the master key and certificate to a different location. Once encrypted, the database cannot be restored without the master key and certificate.

l If the database is replicated, then the replicated database is not encrypted automatically. The replicated database needs its own encryption.

l FILESTREAM data is not encrypted even when Transparent Data Encryption (TDE) is enabled for the database.

l Files related to buffer pool extension (BPE) are not encrypted when the database is encrypted using TDE.

NOTE: Microsoft does not support disk encryption for Microsoft SSAS. To encrypt the Microsoft SSAS database, follow the best-practice disk encryption technologies used in your organization.

Using Transparent Data Encryption on the Symantec ICA Database

The Symantec ICA database uses TDE technology to encrypt data at rest at the file level. To use TDE, do the following:

1. Log in to the host using an account that has administrator rights to the host.
2. Start Microsoft SQL Server Management Studio, and connect to the Database Engine server that has the Symantec ICA installation.
3. Click New Query.
4. Enter the following commands to create the database master key:


USE master;
GO
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'strong_password1';

In the preceding command, strong_password1 is the password for encryption. Symantec recommends that the password include at least three character sets, and have a minimum of 10 characters.

5. Click Execute to run the commands.
6. Click New Query.
7. Enter the following commands to create the certificate:
   USE master;
   GO
   CREATE CERTIFICATE TdeCert WITH SUBJECT = 'certificate_description';
   In the preceding command, certificate_description is the description of the certificate.

8. Click Execute to run the command.
9. Click New Query.
10. Enter the following commands to create the database encryption key (DEK). There are several encryption algorithms, but Microsoft has deprecated support for all algorithms except for AES_128, AES_192, and AES_256.

USE RiskFabric_database_name;
GO
CREATE DATABASE ENCRYPTION KEY
WITH ALGORITHM = algorithm
ENCRYPTION BY SERVER CERTIFICATE TdeCert;

In the preceding commands, RiskFabric_database_name is the name of the Symantec ICA database, and algorithm is one of AES_128, AES_192, or AES_256.

11. Click Execute to run the command. A warning message about backing up the key is displayed after the command is run.
12. Click New Query.
13. Enter the following command to enable TDE on the user database:

ALTER DATABASE RiskFabric_database_name SET ENCRYPTION ON;

14. Click Execute to run the command.
15. Click New Query.
16. Enter the following command to verify the encryption.

USE master;
GO
SELECT DB_NAME(database_id) RiskFabric_database_name,
       encryption_state EncryptState,
       key_algorithm KeyAlgorithm,
       key_length KeyLength,
       encryptor_type EncryptType
FROM sys.dm_database_encryption_keys;

The following are the status values (encryption_state) for the encryption key:

0 - No encryption, no database encryption key present
1 - Database is not encrypted
2 - Database encryption is in progress
3 - Database is encrypted
4 - Encryption key change is in progress
5 - Decryption is in progress
6 - Certificate or asymmetric key is being changed for DEK encryption

17. Enter the following commands to back up the certificate and keys.

USE master;
GO
BACKUP SERVICE MASTER KEY TO FILE = 'C:\full_path\service_master_key_file_name.key'
    ENCRYPTION BY PASSWORD = 'strong_password2';

BACKUP MASTER KEY TO FILE = 'C:\full_path\database_master_key_file_name.key'
    ENCRYPTION BY PASSWORD = 'strong_password3';

BACKUP CERTIFICATE TdeCert TO FILE = 'C:\full_path\tde_certificate_file_name.cer'
    WITH PRIVATE KEY (
        FILE = 'C:\full_path\tde_certificate_key_file_name.key',
        ENCRYPTION BY PASSWORD = 'strong_password4'
    );

NOTE: Symantec recommends that the passwords include at least three character sets, and have a minimum of 10 characters.
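A post-check for the procedure above, as an added example that is not part of the Symantec ICA guide: it reads sys.dm_database_encryption_keys, decodes encryption_state with the table from step 16, confirms the algorithm is one of the three AES variants the guide allows, and verifies that the four backup files from step 17 exist and do not sit on the same volume as the database files (the guide's advice to store the key and certificate in a different location). It assumes the SqlServer PowerShell module; the instance name, database name and backup paths are placeholders.

```powershell
# Added example (not from the Symantec ICA guide): verify the outcome of the TDE
# steps above. Assumes the SqlServer module; names and paths are placeholders.
param(
    [string]$SqlInstance   = 'localhost',
    [string]$Database      = 'RiskFabric',                 # placeholder database name
    [string[]]$BackupFiles = @(                            # placeholders for the step 17 files
        'D:\tde-backup\service_master_key.key',
        'D:\tde-backup\database_master_key.key',
        'D:\tde-backup\TdeCert.cer',
        'D:\tde-backup\TdeCert.key'
    )
)
Import-Module SqlServer -ErrorAction Stop

# encryption_state values as documented in step 16.
$states = @{
    0 = 'No encryption, no database encryption key present'
    1 = 'Database is not encrypted'
    2 = 'Database encryption is in progress'
    3 = 'Database is encrypted'
    4 = 'Encryption key change is in progress'
    5 = 'Decryption is in progress'
    6 = 'Certificate or asymmetric key is being changed for DEK encryption'
}
$approved = 'AES_128', 'AES_192', 'AES_256'

# The DEK row for this database; the database name is passed as a sqlcmd variable.
$dek = Invoke-Sqlcmd -ServerInstance $SqlInstance -Variable "db=$Database" -Query '
    SELECT encryption_state, key_algorithm, key_length, encryptor_type
    FROM sys.dm_database_encryption_keys
    WHERE database_id = DB_ID(N''$(db)'')'
if (-not $dek) { throw "$Database has no database encryption key (state 0): steps 10-13 did not complete" }

$state = [int]$dek.encryption_state
"State: {0} ({1})" -f $state, $states[$state]
"Algorithm: {0}_{1}  Encryptor: {2}" -f $dek.key_algorithm, $dek.key_length, $dek.encryptor_type

$problems = @()
if ($state -ne 3) { $problems += "database is not fully encrypted yet (state $state)" }
if ("$($dek.key_algorithm)_$($dek.key_length)" -notin $approved) { $problems += 'algorithm is not AES_128, AES_192 or AES_256' }

# Volumes holding the database files, to make sure backups are stored elsewhere.
$dataDrives = Invoke-Sqlcmd -ServerInstance $SqlInstance -Variable "db=$Database" -Query '
    SELECT physical_name FROM sys.master_files WHERE database_id = DB_ID(N''$(db)'')' |
    ForEach-Object { (Split-Path -Qualifier $_.physical_name).ToUpper() } | Sort-Object -Unique

foreach ($f in $BackupFiles) {
    if (-not (Test-Path -Path $f)) { $problems += "backup file missing: $f"; continue }
    if ((Split-Path -Qualifier $f).ToUpper() -in $dataDrives) { $problems += "backup $f is on the data volume ($($dataDrives -join ','))" }
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } } else { 'TDE configuration and key backups look complete' }
```

A state of 2 right after step 14 is normal on a large database; rerun the check until it reports 3. A missing or co-located backup file is the finding to act on first, because a database in state 3 cannot be restored elsewhere without those files.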

Appendix D

Configuring SSL

Configuring Secure Sockets Layer (SSL) for Symantec ICA (Information Centric Analytics) provides an encrypted connection between the Symantec ICA server and the client computer. Configuring an encrypted connection for Symantec ICA involves the following tasks:

l Task 1: Obtaining a Server Certificate

l Task 2: Binding the Certificate to a Port

l Task 3: Verifying the Connection to Symantec ICA Using SSL

NOTE: Contact the network administrator before configuring a server certificate for a production environment.

Task 1: Obtaining a Server Certificate

To obtain a server certificate for use with SSL, do the following:

1. Open Microsoft Internet Information Service (Microsoft IIS).
2. Click the server name that will provide the certificate under Connections.
3. Double-click Server Certificates.
4. Create a certificate based on the environment as follows:

l For a test or lab environment, do the following:
  a. Click Create Self Signed Certificate under Actions.
  b. Enter 'Localhost' in the Friendly Name field.
  c. Select Web Hosting from the Certificate Store menu.
  d. Click OK.

l For a production environment, select Create Certificate Request under Actions, and follow the network administrator's guidance.

Task 2: Binding the Certificate to a Port

To bind the certificate to a port, do the following:


1. Open Microsoft Internet Information Service (Microsoft IIS).
2. Select Symantec ICA from Web Sites under Connections.
3. Select Edit under Actions, and then click Bindings.
4. Click Add.
5. Select HTTPS from the Type menu.
6. Confirm the use of port 443, or enter a different port number in the Port field.
7. Enter the host name as specified in the certificate. This name is the Microsoft Active Directory name, not the local host name.
8. Select the certificate friendly name from the SSL Certificate menu.
9. Click OK.
10. Click Close.

Task 3: Verifying the Connection to Symantec ICA Using SSL

To verify the connection to Symantec ICA using SSL, enter the SSL server name as the URL in a browser window, such as the following:

https://my_server_name

If the default port is not 443, then include the port number in the URL, such as https://my_server_name:465

If the certificate is configured correctly, then the Symantec ICA console appears in the browser with no certification errors.

When verifying the connection, the server name should match the certificate name generated in "Obtaining a Server Certificate" on the previous page.
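Tasks 2 and 3 above, as an added example that is not part of the Symantec ICA guide: a script run from an elevated session on the IIS server that finds the certificate by friendly name in the Web Hosting store chosen in Task 1, refuses an expired one, creates the HTTPS binding for the Symantec ICA site with the host name from the certificate, and then requests the console over HTTPS so that a name mismatch or untrusted chain surfaces as an error instead of going unnoticed. The site name, host name and friendly name are placeholders; the WebAdministration module ships with IIS.

```powershell
# Added example (not from the Symantec ICA guide): bind a certificate to the
# Symantec ICA site (Task 2) and verify the HTTPS connection (Task 3).
# Site name, host name and friendly name are placeholders.
param(
    [string]$SiteName     = 'Symantec ICA',
    [string]$HostName     = 'ica.corp.example.com',   # name in the certificate (Active Directory name)
    [string]$FriendlyName = 'Localhost',              # friendly name entered in Task 1
    [int]   $Port         = 443
)
$ErrorActionPreference = 'Stop'
Import-Module WebAdministration

# Task 1 output: the certificate lives in the Web Hosting store; pick the newest match.
$cert = Get-ChildItem Cert:\LocalMachine\WebHosting |
    Where-Object { $_.FriendlyName -eq $FriendlyName } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with friendly name '$FriendlyName' in Cert:\LocalMachine\WebHosting" }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $($cert.Thumbprint) expired on $($cert.NotAfter)" }

# Task 2 steps 3-10: HTTPS site binding plus the SSL binding for the port.
if (-not (Get-WebBinding -Name $SiteName -Protocol https -Port $Port)) {
    New-WebBinding -Name $SiteName -Protocol https -Port $Port -HostHeader $HostName
}
$sslPath = "IIS:\SslBindings\0.0.0.0!$Port"
if (Test-Path $sslPath) { Remove-Item $sslPath }          # replace any stale binding
$cert | New-Item $sslPath | Out-Null
"Bound {0} (thumbprint {1}) to port {2} for site '{3}'" -f $cert.Subject, $cert.Thumbprint, $Port, $SiteName

# Task 3: request the console by the certificate's host name. Invoke-WebRequest
# throws on a name mismatch or untrusted chain, which is exactly the failure to catch.
$url = if ($Port -eq 443) { "https://$HostName" } else { "https://${HostName}:$Port" }
try {
    $resp = Invoke-WebRequest -Uri $url -UseBasicParsing
    "$url responded with HTTP $($resp.StatusCode); certificate accepted by this client"
} catch {
    Write-Warning "HTTPS check failed for $url : $($_.Exception.Message)"
}
```

The verification deliberately uses the host name from the certificate rather than localhost: a self-signed lab certificate with friendly name 'Localhost' will still fail this check unless its subject matches the name clients actually use, which is the mismatch the guide warns about in the last paragraph above.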

Appendix E

Troubleshooting Symantec ICA

This appendix contains the following topics:

l General Troubleshooting Tasks

l Troubleshooting the Nightly Processing Data Load

l Viewing Transaction Logs

General Troubleshooting Tasks

When an error occurs in Symantec ICA (Information Centric Analytics), the error has an identifier that corresponds to the record identifier in the error log tables. These tables, named Log_Client and Log_SQL, store application issues and SQL call issues respectively in the Symantec ICA database. The Log_Client table contains the exception messages returned by the application when a request fails. The Log_SQL table contains the SQL stack trace information for any issues related to the SQL calls made to the database, such as time-outs and errors.

To query a table for additional information, do the following:

1. Log in to Microsoft SQL Server, and connect to the database engine.
2. Click New Query.
3. Enter one of the following statements:

l To query the Log_Client table:
  SELECT * FROM Log_Client WHERE LogClientID = error_identifier

l To query the Log_SQL table:
  SELECT * FROM Log_SQL WHERE SQLLogID = error_identifier

In the preceding commands, error_identifier is the identifier associated with the error message.

4. Click Detail, and copy the content.
5. Open a text editor, and paste the detail content.
6. Review the content to understand the error, and then correct the error.
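The lookup above, as an added example that is not part of the Symantec ICA guide: it runs both queries for one error identifier, writes every column of the matching rows to a text file (steps 3 to 5 done in one go) and warns when the identifier appears in neither table, which usually means the number was read from somewhere other than the error message. Only the two key columns the guide names, LogClientID and SQLLogID, are assumed; all other columns are emitted as name/value pairs without assuming their names. The SqlServer PowerShell module is assumed, and the database name is a placeholder.

```powershell
# Added example (not from the Symantec ICA guide): fetch the Log_Client and
# Log_SQL rows for an error identifier and save them for review.
# Assumes the SqlServer module; the database name is a placeholder.
param(
    [Parameter(Mandatory)][int]$ErrorId,              # identifier shown in the error message
    [string]$SqlInstance = 'localhost',
    [string]$Database    = 'RiskFabric',              # placeholder database name
    [string]$OutFile     = "$env:TEMP\ica-error-$ErrorId.txt"
)
Import-Module SqlServer -ErrorAction Stop

# Queries from the guide; $(id) is a sqlcmd variable, so the identifier is never
# spliced into the statement text.
$queries = [ordered]@{
    Log_Client = 'SELECT * FROM Log_Client WHERE LogClientID = $(id)'
    Log_SQL    = 'SELECT * FROM Log_SQL    WHERE SQLLogID    = $(id)'
}

$found  = 0
$report = foreach ($table in $queries.Keys) {
    $rows = @(Invoke-Sqlcmd -ServerInstance $SqlInstance -Database $Database `
                -Query $queries[$table] -Variable "id=$ErrorId")
    "==== $table ($($rows.Count) row(s) for identifier $ErrorId) ===="
    foreach ($row in $rows) {
        $found++
        # Every column as "name : value", leaving out the DataRow bookkeeping properties.
        $row | Select-Object * -ExcludeProperty ItemArray, Table, RowError, RowState, HasErrors |
            Format-List | Out-String
    }
}

$report | Out-File -FilePath $OutFile -Encoding utf8
if ($found -eq 0) {
    Write-Warning "Identifier $ErrorId is in neither Log_Client nor Log_SQL; confirm it was taken from the error message itself"
}
"Wrote $found row(s) to $OutFile"
```

The file is a plain transcript of the rows, so it can be attached to a support case without the reviewer needing database access; keep in mind that Log_SQL stack traces may contain statement text, so treat the file with the same care as the database.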


Troubleshooting the Nightly Processing Data Load

The Symantec ICA Health dashboard shows the nightly job status, with drill down to the steps of the job. The first part of the nightly processing job loads data from different sources into the Symantec ICA database. If there is a problem loading the data, then check the following tables:

l Log_Data_Transformation table: Stores the details for each of the internal tasks performed in each of the stored procedures called during the data-loading steps.

l Log_Data_TranformationGroup table: Stores summary data for the different steps and stored procedures called during the data-loading steps.

Besides checking the tables, review the SQL Server Agent Job Steps Execution History report for details about the processing job steps and the error logs.

Viewing Transaction Logs

The Symantec ICA application layer logs all user page views and interaction activity. The following activity logs are available in Symantec ICA:

l ActivityLog: Logs of every portal user’s activity in the system.

l EmailActivityLog: Logs for all the email messages that are sent from Symantec ICA.

l Log_Client: Log of client activity.

l Log_DataTransformation: Log of data modifications.

l Log_SQL: Log of SQL actions.

In addition to the preceding logs, Microsoft SQL Server Audit, part of Microsoft SQL Server Enterprise, can be used to log transactions at the database layer for access, insert, update, and delete.

Appendix F

Uninstalling Symantec ICA from a Server

There might be occasion to uninstall Symantec ICA (Information Centric Analytics), such as removing Symantec ICA from the test server after installing it on the production server. To uninstall Symantec ICA, do the following:

1. Log in to the server where Symantec ICA is installed using an account that has administrator rights to the host.
2. Run the RiskFabric.Installer file with administrator rights to launch the Symantec ICA Installation Wizard.
3. Click Start in the Uninstall section.
4. Select the Symantec ICA website from the list.
5. Click Uninstall.
6. Review the component list, and then click Uninstall again.
7. Click Cancel when the procedure has finished.
8. Close the installer window.

Index

A C account credentials, 43 calculating storage, 27 action plans, 116 cards queues, 113 risk model stages, 126 time out limit, 67 risk models, 125 adding charts impact types, 129 default colors, 84 threat types, 128 checking prerequisites, 35 administrator permissions, 43, 46 colors allocating memory, 30, 38 default, 84 allow use in risk models, 133-134 configuration issues analyzer default filters, 67 default colors, 84 configuration workflow, 61 entity collections, 133 creating risk vectors, 131 entity collections, 133 application pool, 52 event scenarios, 135 architecture, 30 implementation plans, 29 three servers, 25 risk vectors, 131 Kerberos, 57 credentials tiers accounts, 43 integration, 22 Kerberos, 57 presentation, 21 SMTP, 86 processing, 22 currency symbol, 94 two servers, 26 audit compliance, 17 D authentication normality scoring, 91 dashboards default colors, 84 B data-in-motion incidents, 84 data-in-motion queues, 113 blacklisting IP addresses, 98 data drives branding, 77 block size, 52

Index - 167 data encryption, 157 F data imports, 22 data masking, 69 filters data sources, 31 default configuration issues, 67 access, 33 default vulnerabilities, 68 default domain, 54 firewall access, 35, 43, 149, 156 default remediation queue, 113 default views G assets pages, 111 Data in Motion pages, 111 identities pages, 111 global false positives, 114 approval messages, 102 DIM incidents, 84 glossary, 109 disk space, 27 requirements, 37 ground speed violation setting, 71 DLP policies, 112 H E highlight on entity pages, 133-134 editing HTTPS protocol, 35 impact importance values, 129 impact types, 129 I enabling Secure Sockets Layer, 87 impact importance values, 129 encryption impact types, 129 master key, 157 impersonation account, 44 enriching event data, 87 implementation plans, 29 entities, 19 incidents entity actions channels, 105 creating, 118 loss impacts, 108 entity collections policies, 108 availability for risk models, 133 protocols, 105 creating, 133 reasons, 107 highlight on entity pages, 133 resolutions, 107 properties, 134 severities, 106 risk models, 126 statuses, 106 error log files Log_Client, 163 Log_SQL, 163 K event enrichement, 87 Kerberos credentials, 57 event scenarios, 135 risk models, 126 event sets, 135

Index - 168 L two servers, 26 licensing, 89 P likelihood, 125 likelihood settings, 130 parallelism, 52 logo height, 80 passing Kerberos credentials, 57 planning installation, 29 policies M auto update, 112 risk weights, 112 masking data, 69 ports MAXDOP, 52 firewall, 156 memory allocation, 30, 38 HTTP, 43, 53, 149 metrics Secure Sockets Layer, 162 sort direction, 90 TCP, 43, 149 Microsoft IIS, 24-26 PowerShell requirements, 41-42 starting, 153 Microsoft SQL Server prerequisite checks, 35 requirements, 40, 42 privileges Microsoft SQL Server Analysis Services installation, 43 settings, 42 protecting data at rest, 157 Microsoft SSAS, 24, 42 multiplier value, 116 Q

N queues compliance findings, 69 creating, 113 normality scoring, 91 notification email messages default for scan exclusions, 54 R default for vulnerability summaries, 54 notifications, 120 region maps, 121 vulnerabilities, 102 enabling, 91 remediating multiple events, 109 O remediation costs, 96, 127 glossary, 109 offline license activation, 55 time, 127 operating systems requirements rule patterns, 123 deployment, 42 organization size disk space, 37 risk weights, 32 Microsoft IIS, 41-42 three servers, 25 Microsoft SQL Server, 40, 42

Index - 169 TCP ports, 43, 149 server service account, 44, 46, 51, 148 residual risk servers currency symbol, 94 three-server architecture, 25 mode, 94 two-server architecture, 26 risk assessments service account, 148 multiplier value, 116 Service Principal Names, 58 ranges, 116 setspn commands, 58 risk models settings, 63 cards, 125-126 branding, 77 entity collection availability, 133-134 countries, 122 impact types, 129 data in motion, 104 likelihood settings, 130 default colors, 84 remediation costs, 127 details grid configuration, 118 remediation time, 127 entity actions, 118 threat types, 128 event scenarios, 135 risk vectors, 131 general settings, 65 creating analyzer risk vector, 131 incident settings, 104 creating SQL risk vectors, 132 Microsoft SQL Server Analysis Services, 42 deleting, 134 notifications, 120 risk weights, 131-132 operating systems, 123 risk weights, 31, 112, 132 organizations, 121 organization size, 32 policy settings, 112 rollup scenarios, 137 queues, 112 regions, 122 residual risk ranges, 116 S risk vectors, 131 vulnerabilities, 114 scan exclusions web activities, 114 blacklisting IP addresses, 98 SIEM, 25, 34 restriction messages, 98 SMTP credentials, 86 scenarios SPNs, 58 creating rollup scenarios, 137 SQL risk vectors, 132 creating time-based scenarios, 136 deleting, 139 SQL Server Analysis Services impersonation editing, 139 account, 44 risk models, 126 SSL server certificates, 35, 161 scheduled behaviors, 71-72 SSMS permissions, 46 scorecards standard deviation maps, 121 scheduled behaviors, 71 Secure Sockets Layer step up notifications, 136, 138 enabling, 87 storage calculations, 27 port, 162 selecting multiple events for remediation, 109 server certificates, 161

T

Task Manager
  starting, 153
TAXII client settings, 99
TCP ports, 43, 149
TEMPDB space, 52
threat types, 128
time-based scenarios, 136
TLS 1.2 protocol, 35
toolbars
  remediation actions, 109
transaction logs, 164
Transparent Data Encryption, 157
troubleshooting, 163
  Kerberos, 58
Trusted Automated eXchange of Indicator Information, 99

U

User Account Control, 52
  disabling, 45, 51

V

vulnerabilities
  default filters, 68
  global false positives, 114
  notifications, 102

W

workflow configuration, 61
