IBM Security MaaS360

Introducing IBM Security MaaS360 with Watson User Risk Management

By Ajay Krishnan posted Wed September 09, 2020 05:22 PM


Co-authored by Priti Patil

Challenges with a device-centric approach to unified endpoint management (UEM)

In a world where working remotely is becoming the new normal, organizations want to enable their employees to be productive—no matter what location those employees are in or what device they are using—without compromising security. A unified endpoint management (UEM) solution has, thus, become a necessity for any secure enterprise.

“A device is in/out of compliance”—this is the device-centric mantra that many organizations have let guide their endpoint management strategy. Devices are the focus for any activities and the primary point for any control actions.

This approach overlooks the fact that it is the user who is performing the activities on the device. By not taking risky user behaviour across all devices into consideration in an aggregate picture, an administrator’s visibility is limited. This is further exacerbated by the fact that employees use, on average, at least three devices on a daily basis.

User-based risk management brings the user into focus, assigns a risk score to them according to their various daily activities, and gives the administrator the needed visibility into the user’s behavior across all their devices—along with the user’s past activities. With that, the administrator knows who (user) rather that what (device) poses the greatest risk to their security.


So, what exactly is User risk management?

As mentioned above, MaaS360 uses its cloud-based, AI-driven risk engine to analyze users’ activities on all their devices to generate risk score for each user.

The security dashboard aggregates all of this risk information and presents the administrator with a holistic view of their organization’s risk profile. Admins can use the security dashboard to monitor overall risky trends as well as identify the most risky users.  


There are risk rules, which define the parameters used to identify risk incidents. Administrators can view and modify these risk rules using the risk rule configurator.


Admins can exclude rules from being evaluated and change the severity associated with the goal of configuring a set of rules that matters most to their organization.  It is important to note that although the risk rule may be in the enabled state, the administrator may still have some pre-requisites to configure to detect these incidents.

User risk model – the core of user risk management

Risk rules define what qualifies as a risk incident. Each rule, and hence each risk incident, is categorized by severity – High, Medium, or Low. The higher the severity, the more the incident will impact and raise a user’s risk score. These incidents are then aggregated across all the users’ devices to continuously calculate the total score.

The risk engine evaluates the enabled risk rules for all devices in regular intervals. Each risk incident has two states – active and resolved. When the risk incident is detected it is in the active state. Once the user corrects or remediates the condition, it goes into the resolved state. However, its risk score contribution will not immediately come down to zero. The risk score associated with the resolved incident will gradually decrease each day, and if a user does not trigger new risk incidents, the score will eventually go down to 0. This decrease is called the “risk score decay.”

Risk incidents are deleted after 60 days starting from their last detection.  If the same incident is detected again after retention period, that incident will be recreated.

The Security Dashboard  - the risk analytics you need

The security dashboard aggregates risk information and gives a holistic risk profile of an admin’s organization—as well as widgets for average risk score and trend data to give a real-time view of an organization’s risk level. If the average risk score increases over a 60 day period, it means more incidents are consistently occurring within the organization.

Severity level of the historical incidents can be viewed with the risk incident trend chart. Similarly, the risk trend chart shows all the incidents which were contributing to the higher score, including both active and resolved incidents.


Admins can also view the top risk incidents within their organization. These are arranged according to frequency, and by clicking the affected number of devices, admins can drill down into a list of specific devices and users affected.



Identifying top risky users

The top 5 risky users are shown in the top risky users widget. All risky users can also be viewed—in order of descending risk score—by clicking on the ‘View more’ link at the end of the list top 5 list.


The risky users table gives you a preview of why the user’s risk score is the way it is.
You can sort the risky users table based on the severity of incidents the user has committed or based on a specific risk score range.


A user can be associated with risk incidents which have more than one severity level, meaning if the ‘High risk incidents’ filter is applied, any user that appears with high risk incidents may very well have medium and low risk incidents associated as well that need remediation.


User risk profile

Clicking on the user name will navigate to the users’s risk profile. The page shows all the risk related information associated with the user. The admin can view the user’s past risky activities via the trend widget—as well as view the current incidents contributing to the user’s risk score.



The device table shows all the devices the user is associated with and how they contribute to the user’s risk score. It also shows the risk incidents organized by the devices on which those incidents had been committed.

You can get more details about the incidents by clicking on them.



So what’s the big fuss about?

MaaS360 User Risk Management gives administrators a way to quantify the risk associated with the user. This allows for a measured and accurate security response to ensure the highest level of security without impacting user productivity.

1 comment



Wed November 11, 2020 03:35 PM

Is the Security Dashboard an add-on? I don't see it in my security tab.