Zscaler analyzes your organization's user behavior trends and builds a risk profile dynamically by assigning User Risk Score to each user. The User Risk Score allows you to tailor your access control policies and security policies to individual users and gain visibility into your organization's user behavioral patterns to determine the security risk associated with those behaviors. By defining policies based on the User Risk Score criteria, you can identify and prevent high-risk users from gaining access to crown jewel applications and other sensitive applications until their risk profile improves. Zscaler evaluates a wide range of users' risky behavior trends, including behaviors that have resulted in past victimization by cyberattacks, near-miss malware infections, and suspicious behaviors, to determine the future risk posed by individual users to the organization's security.

Following are some of the core applications of User Risk Score:

• Implement dynamic access control policies.

  Access control policies are generally static and do not automatically adapt to the constantly changing threat landscape, therefore demanding broad restrictive policies for users. In contrast, Zscaler allows you to create dynamic access control policies by leveraging User Risk Score that assigns a dynamic risk score for individual users and keeps it updated periodically based on the users' latest behavior trends, while taking advantage of Zscaler's latest threat intelligence. By understanding the different types of user risks and behaviors associated with cyberthreats, organizations can implement dynamic access control policies and proactively protect their critical assets and data. Moreover, policies based on user risk profiles can be combined with other dynamic rulesets (e.g., Device Posture Profiles) and static rulesets (e.g., URL Filtering and Cloud App Control) to protect an organization from potential breaches without placing broad restrictions on user access to resources, and therefore strike the right balance between security and end-user productivity. To learn more about dynamic policy configuration, see Enforcing Policies based on User Risk Profiles.

  Close
• Monitor organization's overall risk, assess key factors that can be improved, and prioritize remediation efforts.

  User Risk Score provides deep visibility into an organization's risk posture and allows them to monitor the organization's risk exposure over time, focus on high-risk operation areas, prioritize remediation efforts, and improve their key risk management strategies. Organizations also compare their user risk distribution metrics with peer organizations and benchmark against industry standards. To learn more about the data insights presented by User Risk Score metrics, see Data Visualization and Analytics.

  Close
• Monitor risky users on an individual basis and understand how (and why) their risk is trending.

  On the user level, you can examine the risk score trend for individual users, proactively act on sudden spikes in a user's risk score, review the events or user activities that contributed to the risk score, initiate threat response to an active threat instantaneously, and more. Based on the User Risk Score trends observed, you can also take passive measures to educate and train users on security awareness and risky user behaviors that can be potentially exploited by adversaries. To learn more about the data insights presented by User Risk Score metrics, see Data Visualization and Analytics section.

  Close

User Risk Score serves as a powerful tool to network and security teams to drive zero-trust dynamic access control policies, safeguarding inbound and outbound internal application traffic and internet traffic. It also provides insightful information into an organization's risk posture and helps them adapt their security posture dynamically to the ever-evolving threat landscape. User Risk Score plays a crucial role in Zscaler's Advanced Threat Protection by providing security intelligence and information on how users can be a threat to an organization's network security and helping organizations identify and eliminate threats. To learn how User Risk Score is calculated, see User Risk Score Evaluation.

Benefits of Using User Risk Score

User Risk Score offers the following benefits and enables you to:

• Implement low-maintenance, zero-trust dynamic access control policies based on individual users' risk scores to enhance your organization's security posture and adapt your security infrastructure to evolving threats.
• Enforce a combination of dynamic rulesets (e.g., Access Policy and Device Posture Profiles) and static rulesets (e.g., URL Filtering and Cloud App Control) based on User Risk Score to secure access to crown jewel applications and other high-risk, sensitive applications without placing broad restrictions on user access.
• Accelerate threat detection and response by leveraging the data collected on individual users' risky behaviors recorded for malware infections or suspicious activities.
• Gain deep visibility into your organization's overall risk posture by using the analytics report generated by Zscaler and take preventive measures to safeguard your network against cyber threats.
• Take advantage of User Risk Score's usage across the Zscaler platform, driving policies for ZIA and Zscaler Private Access (ZPA) and feeding data into Risk360 for comprehensive risk visibility and management. Leverage Zscaler's integrations with leading security operations tools to share the same telemetry and incident alert context with third-party tools.

User Risk Score Evaluation

Zscaler analyzes user behaviors and quantifies the security risk exhibited by individual users by using a metric called User Risk Score. The User Risk Score computation happens in ZIA and then it is propagated to ZPA. Each user authenticated to ZIA is dynamically assigned a risk score value after it's calculated using a proprietary algorithm. In ZPA, you can use the computed User Risk Score without any change or you can override the risk score for users at the individual level to allow more flexibility in access policies.

ZIA provides an option to reset the User Risk Score to Low for individual users. To learn more, see About Users.

The User Risk Score consists of two components:

• Static (baseline) Risk Score: A static score is established based on a user's behavior over the past 7 days and is updated every 24 hours.
• Real-time Risk Score: The real-time score updates the baseline (i.e., static score) every two minutes throughout the day, changing whenever a user interacts with known or suspected malicious content. The real-time risk score is reset to the static baseline score at a 24-hour window and the process continues.

To determine the User Risk Score for each user, Zscaler tracks and evaluates a wide range of user behaviors. Zscaler considers over 65 indicators of risky behaviors and classifies them into three major categories to assign appropriate risk scores. User behaviors that fall into one of the following categories affect the risk score:

• Post-infection behavior: Includes user behaviors that have resulted in past victimization by cyberattacks (e.g., presence of botnet traffic or command-and-control traffic indicates that the user or the device has already been compromised). See the list of indicators under this category.

  Indicators of post-infection behavior include blocked actions that were attempted after a user was infected, such as:

  • Botnet traffic
  • Command-and-control traffic

  Close
• Pre-infection behavior: Includes a range of user behaviors that led to near-miss malicious infections (e.g., blocked malware, known or suspected malicious URLs, phishing sites, pages with browser exploits, and more). See the of indicators under this category.

  Indicators of pre-infection behavior include a range of blocked actions that would have likely led a user to be infected, such as:

  • Malware blocked by Zscaler's Advanced Threat Protection or inline Sandbox
  • Blocked known or suspected malicious URLs
  • Blocked websites with known or suspected phishing content
  • Blocked pages with known browser exploits
  • Blocked known or suspected adware and spyware
  • Blocked pages with a high Page Risk Index score
  • Quarantined pages
  • Blocked files with known vulnerabilities
  • Blocked emails containing viruses
  • Detected mobile app vulnerabilities

  Close
• Suspicious behavior: Includes user engagement in suspicious behavior that could lead to a breach in security (e.g., policy violations, risky activities such as browsing URLs placed on the denylist, DLP compliance violations, anonymizing sites, and more). Suspicious behaviors are similar to pre-infection behaviors but are less severe and are less likely to lead to a malicious infection. See the list of indicators under this category.

  Indicators of suspicious behavior include policy violations and attempts to access risky sites, files, etc. that could lead to an infection, such as:

  • Deny-listed URLs
  • DLP compliance violations
  • Pages with known dangerous ActiveX controls
  • Pages vulnerable to cross-site scripting (XSS) attacks
  • Possible browser cookie theft
  • Use of Internet Relay Chat (IRC) tunneling
  • Anonymizing sites
  • Blocks or warnings from secure browsing about an outdated/disallowed component
  • Peer-to-peer (P2P) site denials
  • Webspam sites
  • Attempts to browse blocked URL categories
  • Mobile app issues including denial of the mobile app, insecure user credentials, location information leaks, personally identifiable information (PII), information identifying the device, or communication with unknown servers
  • Tunnel blocks
  • Fake proxy authentication
  • SMTP (email) issues including rejected password-encrypted attachments, unscannable attachments, detected or suspected spam, rejected recipients, DLP blocks or quarantines, or blocked attachments
  • Intrusion Prevention System (IPS) blocks of crypto mining and blockchain traffic
  • Reputation-based blocks of suspected adware/spyware sites
  • Disallowed use of a DNS-over-HTTPS site

  Close

The user risk scoring varies across the categories due to the different levels of threat impact presented by the indicators within each category. For example, a blocked malicious URL (i.e., suspicious behavior) does not pose a serious threat to a security breach compared to an active malware infection (i.e., post-infection behavior). When users exhibit these behaviors, a threat is typically detected in the user's traffic during the security policy evaluation and the transaction is logged against the policy blocking the traffic. The policy match information in the log data serves as a basis for identifying whether a user has engaged in a risky behavior and then it is subsequently used in the User Risk Score computation process.

When the log data is collected and aggregated for a user, the risk score computation begins. During risk score computation, various factors that influence the impact and effectiveness of each indicator are taken into consideration and scaling factors are used where necessary to ensure a more accurate risk assessment for the users. Examples of these variables include but are not limited to:

• The category to which the indicator belongs
• The severity of the imminent threat or the actual threat detected
• The frequency of the threat occurrence and the length of infection

Enforcing Dynamic Policies based on User Risk Score

This section provides information on how organizations can take advantage of the dynamic nature of User Risk Score to implement dynamic access policies and security policies, customized to individual users' risk profiles.

By defining User Risk Score as a policy criteria, you can configure the following policies in ZPA and ZIA to provide controlled user access to applications and services and safeguard your critical assets and data:

• Access Policy in ZPA

  Access policies allow you to define granular access controls for your organization's users. You can use different parameters and attributes as criteria to determine which user can access which applications. By using User Risk Score as criteria, you can choose to allow only the low-risk users to access crown jewel applications. For example, you can add a low risk score criteria to all rules with Rule Action set to Allow Access. To learn more, see Configuring Access Policies.

  Close
• URL Filtering Policy in ZIA

  URL filtering allows you to apply granular policies to restrict access to malicious websites, control bandwidth usage and user productivity, and limit an organization's exposure to liability. By defining User Risk Score as a policy criteria, you can choose to prevent users from accessing certain web content unless they meet the required risk score. For example, you can configure a policy to block access to URLs belonging to the Newly Registered and Observed Domains category for users with a high risk score. To learn more, see Configuring the URL Filtering Policy.

  Close
• Cloud App Control Policy in ZIA

  This policy allows you to control access to cloud applications at a granular level, based on users, tenants, domains, and activities. By defining User Risk Score as a policy criteria, you can choose to block access to high-risk applications for users unless they meet the required User Risk Score. For example, you can configure a policy to restrict users with high and medium risk scores from accessing File Sharing applications, such as OneDrive or Dropbox. To learn more, see Adding Rules to the Cloud App Control Policy.

  Close
• Data Loss Prevention (DLP) Policy in ZIA

  DLP policy allows you to monitor, detect, and prevent the leakage of sensitive data from your organization. By defining User Risk Score as a policy criteria, you can choose to restrict users from transmitting sensitive data unless they meet the required User Risk Score. For example, you can configure a policy to block traffic of users with high risk scores when they access or transmit sensitive data (e.g., Social Security Numbers, Passport Number, etc.) matching a pattern. To learn more, see Configuring DLP Policy Rules with Content Inspection and Configuring DLP Policy Rules without Content Inspection.

  Close

To learn more about the individual policies and how User Risk Score can be used as the policy criteria, see the policy configuration articles.

Data Visualization and Analytics

You can access a graphical representation of the User Risk Score metrics generated by Zscaler to perform data analysis. In the ZIA Admin Portal (Analytics > Company Risk Score), a comprehensive view of the organization's overall risk score metrics are displayed, including the top risky users with the highest User Risk Scores. Using the Top Risky Users widget, you can drill down the metrics for individual users to gather information including but not limited to:

• User's current risk score and risk score trend over a specific timeline
• List of events that influenced the risk score in a chronological order
• DLP violations made by the user
• List of unsanctioned cloud applications accessed by the user
• List of risky URLs that the user attempted to access

Furthermore, the risk score assigned to the users influences your organization's overall risk score. By using the Company Risk Score Report, you can examine how risk scores are distributed across your users and locations and also compare your organization's risk score distribution with your peer organizations and benchmark against industry standards. To learn more, see About the User Risk Report and About the Company Risk Score Report.

In addition to accessing the built-in analytics report, you can set up configurations to feed the log data into Risk360 for comprehensive, real-time risk management and gain actionable insights into investigating and remediating critical issues. You can also leverage Zscaler's integrations with leading security operations tools to allow the same telemetry and incident alert context that feeds into risk scoring to be shared with tools like Security Information and Event Management (SIEM), Security Orchestration, Automation and Response (SOAR), and Extended Detection and Response (XDR) to streamline workflows.