Data security: How is risk level determined

In Safetica NXT, each event is assigned one of four risk levels (high-risk, medium-risk, low-risk, or info) based on various indicators that determine how likely it is to cause a data leak.

The calculation of risk level is based on our built-in policies, but we also add several more risk indicators into the equation:

 

Indicator                                                                  Description

    Event occurred at an unusual time

    Triggered if the event falls outside the user's standard activity period. The period is not fixed. We look at the personal activity period of every individual and take into consideration things like time zones or different work styles.

    If triggered, the risk level tooltip will include: Event occurred outside user's standard activity period.

    Event contained sensitive data

    If triggered, the risk level tooltip will include: Sensitive content found.

    Safe workspace for web uploads

    Popular web domains are usually part of a company "safe zone", so Safetica NXT decreases their risk level accordingly.

    The risk level tooltip will include: Target domain for this operation was identified as not risky (frequent usage by many endpoints).

    Safe workspace for email domains

    Safetica NXT can distinguish internal emails sent to domains within the company and evaluates them as less risky than emails leaving the company.

    If an email was sent to several recipients, some of which are within the safe zone and others are not, its risk level will not be decreased.

    The risk level tooltip will include: Target domain evaluated as not risky (frequent usage by many endpoints).

    Safe workspace for external devices (USB)

    Safetica NXT analyzes external storage devices (e.g. USB keys) and, based on their usage patterns, assigns some of them to a virtual safe zone. All events involving such safe devices are evaluated as less risky.

    Uncommon destination type

    Safetica detects user behavior that doesn't fit the normal pattern for the user and the company.


    The final risk level is a combination of all of these indicators.

    Safetica NXT does not overrule custom policies created by the admin.

    The admin can thus explicitly define which events should be considered high-risk or info. If the admin creates a policy that makes e.g. upload to a certain website safe, then Safetica NXT does not increase the risk level of matching events, even when they trigger other risk indicators.
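
The precedence rules described above, as an added sketch that is not Safetica's code or algorithm. It assumes the baseline level from the built-in policies is given and that each indicator moves the level by one step; `Event`, `risk_level`, `email_in_safe_zone` and the sample domains are hypothetical.

```python
from dataclasses import dataclass, field
from typing import Optional

LEVELS = ["info", "low-risk", "medium-risk", "high-risk"]  # the page's four levels
RAISING = ["Event occurred at an unusual time", "Event contained sensitive data",
           "Uncommon destination type"]
LOWERING = ["Safe workspace for web uploads", "Safe workspace for external devices (USB)"]
EMAIL_SAFE = "Safe workspace for email domains"

@dataclass
class Event:
    baseline: str                                   # level from built-in policies (assumed input)
    indicators: set = field(default_factory=set)    # indicator names that fired
    recipient_domains: list = field(default_factory=list)
    admin_level: Optional[str] = None               # level pinned by a custom admin policy

def email_in_safe_zone(recipients, safe_domains):
    """True only when every recipient domain is inside the safe zone."""
    return bool(recipients) and all(d.lower() in safe_domains for d in recipients)

def risk_level(event, safe_domains):
    """Return (level, reasons). One-step adjustments are an assumption of this sketch."""
    if event.admin_level is not None:
        # Custom admin policies are not overruled, whatever indicators fire.
        return event.admin_level, ["custom admin policy"]
    score, reasons = LEVELS.index(event.baseline), []
    for name in RAISING:
        if name in event.indicators:
            score, reasons = score + 1, reasons + [name]
    for name in LOWERING:
        if name in event.indicators:
            score, reasons = score - 1, reasons + [name]
    # Mixed internal/external recipients get no reduction.
    if email_in_safe_zone(event.recipient_domains, safe_domains):
        score, reasons = score - 1, reasons + [EMAIL_SAFE]
    score = max(0, min(score, len(LEVELS) - 1))     # clamp to the four levels
    return LEVELS[score], reasons

# Constructed sample data (not real Safetica events or domains).
SAFE = {"corp.example"}
internal = Event("medium-risk", recipient_domains=["corp.example", "CORP.example"])
mixed = Event("medium-risk", recipient_domains=["corp.example", "mail.example"])
pinned = Event("low-risk", {"Event contained sensitive data"}, admin_level="info")

if __name__ == "__main__":
    for label, ev in [("internal", internal), ("mixed", mixed), ("pinned", pinned)]:
        print(label, risk_level(ev, SAFE))
```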
