How Zscaler’s Dynamic User Risk Scoring Works

Access control policies aim to balance security and end user productivity, yet often fall short due to their static nature and limited ability to adapt to evolving threats. But what if there was an easy way to automate access control per user, considering individual risk factors and staying up-to-date with the latest advanced attacks? 

Zscaler User Risk Scoring takes dynamic access control and risk visibility to the next level using records of previous behavior to determine future risk.

Similar to how insurance companies use driving records to determine car insurance rates, or banks use credit scores to assess loan eligibility, user risk scoring leverages previous behavior records to assign risk scores to individual users. This allows organizations to set dynamic access control policies based on various risk factors, accounting for the latest threat intelligence.

User risk scoring empowers organizations to restrict access to sensitive applications for users with a high risk score until their risk profile improves. By considering factors such as past victimization by cyberattacks, near-misses with malicious content, or engagement in behavior that could lead to a breach, organizations can ensure that access control policies are tailored to individual risk profiles.

How does user risk scoring work?

User risk scoring plays a crucial role across the Zscaler platform, driving policies for URL filtering, firewall rules, data loss prevention (DLP), browser isolation, and Zscaler Private Access (ZPA); and feeding into overall risk visibility in Zscaler Risk360. By leveraging user risk scores within each of these security controls, organizations can better protect all incoming and outgoing traffic from potential threats.

The risk scoring process consists of two components: the static (baseline) risk score and the real-time risk score. The static risk score is established based on a one-week lookback at risky behavior and is updated every 24 hours. The real-time risk score modifies this baseline every 2 minutes throughout the day, updating whenever a user interacts with known or suspected malicious content. Each day at midnight, the real-time risk score is reset.

Zscaler considers more than 65 indicators that influence the overall risk score. These indicators fall into three major categories: pre-infection behavior, post-infection behavior, and more general suspicious behavior. The model accounts for the fact that not all incidents are equal; each indicator has a variable contribution to the risk score based on the severity and frequency of the associated threat.

Pre-infection behavior indicators encompass a range of blocked actions that would have led to user infection, such as blocked malware, known and suspected malicious URLs, phishing sites, pages with browser exploits, and more. 

Post-infection behavior indicators include things like detected botnet traffic or command-and-control traffic, which show that a user/device has already been compromised. 

Suspicious behavior indicators are similar to pre-infection indicators but are less severe (and less guaranteed to lead to infection), covering policy violations and risky activities like browsing deny-listed URLs, DLP compliance violations, anonymizing sites, and more. 

*A more detailed sampling of these indicators is included at the bottom of this article.

How can Zscaler customers use risk scoring?

User risk scores can be found in the the analytics and policy administration menus of both Zscaler Internet Access (ZIA) and Zscaler Private Access (ZPA). They are also woven together with a range of additional inputs in Zscaler Risk360, which allows security teams to delve deeper into their organization’s holistic risk.  

Zscaler also has deep integrations with many leading security operations tools, allowing the same telemetry and incident alert context that feeds into risk scoring to be shared with tools like SIEM, SOAR, and XDR via a REST API to streamline workflows. 

These scores can be used to:

Drive access control policies

User risk scoring gives network and security teams a powerful tool to use to drive low-maintenance zero trust access control policies, controlling both incoming and outgoing internet and application traffic. It can be combined with other dynamic rulesets (e.g., device posture profiles) and static rulesets (e.g., URL and DNS filtering and app control policy) to protect organizations from breaches without unnecessarily restricting user productivity.

Monitor overall organizational risk and key factors that can be improved

Admins can monitor their company risk over time to assess the top areas of overall company risk and prioritize remediation efforts. They can see how risk scores are distributed across users and locations, and can benchmark their risk score against other companies in their industry.

Monitor risky users on an individual basis and understand how (and why) their risk is trending

If a user’s risk score spikes, admins can take action, whether that be isolating that user’s machine to deal with an active threat, or simply training a user that certain behaviors are posing an unacceptable risk. 

Overall, Zscaler User Risk Scoring, with its categorization of threats and aggregation of logs, offers valuable insights into an organization's security posture. By understanding the different types of risks and behaviors associated with cyberthreats, organizations can implement dynamic access control policies and proactively protect their critical assets and data. With risk scoring, organizations can navigate the ever-changing threat landscape with confidence.

To learn about more of Zscaler’s unique inline security capabilities, check out our Cyberthreat Protection page.

Sample Indicators for User Risk Scoring

Pre-infection behavior includes a range of blocked actions that would have likely led a user to be infected, such as: 

• Malware blocked by Zscaler’s Advanced Threat Protection or inline Sandbox
• Blocked known and suspected malicious URLs
• Blocked websites with known and suspected phishing content
• Blocked pages with known browser exploits
• Blocked known and suspected adware and spyware
• Blocked pages with a high PageRisk score
• Quarantined pages
• Blocked files with known vulnerabilities
• Blocked emails containing viruses
• Detected mobile app vulnerabilities

Post-infection behavior includes a range of blocked actions that were attempted after a user was infected, such as:

• Botnet traffic
• Command-and-control traffic

Suspicious behavior includes policy violations and other risky sites, files, and conditions that could lead to infection, such as:

• Deny-listed URLs
• DLP compliance violations
• Pages with known dangerous ActiveX controls
• Pages vulnerable to cross-site scripting attacks
• Possible browser cookie theft
• Internet Relay Chat (IRC) tunneling use
• Anonymizing sites
• Blocks or warnings from secure browsing about an outdated/disallowed component
• Peer-to-peer (P2P) site denials
• Webspam sites
• Attempts to browse blocked URL categories
• Mobile app issues included denial of the mobile app, insecure user credentials, location information leaks, personally identifiable information (PII), information identifying the device, or communication with unknown servers
• Tunnel blocks
• Fake proxy authentication
• SMTP (email) issues including rejected password-encrypted attachments, unscannable attachments, detected or suspected spam, rejected recipients, DLP blocks or quarantines, or blocked attachments
• IPS blocks of cryptomining & blockchain traffic
• Reputation-based blocks of suspected adware/spyware sites
• Disallowed use of a DNS-over-HTTPS sit