Triggers: anomaly detection and risk events
The Segura® platform's Behavior Engine combines behavioral and technical triggers to identify deviations, risks, and signs of compromise in real time. These triggers act as sensors: when an unexpected pattern is detected, they immediately activate automatic responses or alerts for security administrators.
Main triggers monitored
Behavioral
- Typing anomalies: sudden changes in rhythm, speed, or keyboard pattern compared to the user's baseline.
- Execution of non-standard commands/systems: commands the user does not normally run, or attempts to access sensitive systems or data with no prior access history.
- Atypical times and locations: sessions initiated outside of business hours or from new time zones/locations.
- Device or endpoint switching: new devices, IPs, browsers, or access environments not previously authorized.
Technical
- Geo-velocity: detection of access from multiple incompatible geographical regions within a short period.
- Policy drift/privilege alteration: unplanned changes in permissions or access groups during a session.
- Suspicious navigation or interaction behavior: abnormal jumps between applications, excessive queries, repeated denied access attempts.
- External threat signals: events received from SIEM, SOAR, or Threat Intelligence indicating IOCs, vulnerabilities, or related activities.
- Real-time context change: detection of changes in ITSM ticket status, a compromised device, or session revocation by a third party.
Adaptive response: automatic orchestration of responses
When triggers are activated, the Behavior Engine can execute one or multiple automatic responses, customizable according to the organization's policy and the context of the detected event. This approach ensures rapid risk mitigation and reduces incident response time.
Possible Adaptive Responses
- Step-up authentication: immediate request for additional MFA (OTP, push, certificate, biometrics) for enhanced user validation.
- Session blocking or pause: temporary suspension or forced termination of the session until human analysis or revalidation.
- Identity revalidation: requirement of new factors (smartcard, re-login, biometrics) if risky behavior is detected.
- Smart notifications: automatic alerts via email, dashboards, SIEM, or messaging to security teams.
- Forwarding to SOAR/forensic analysis: automatic triggering of playbooks on orchestrated response platforms, integrating logs and context for detailed investigation.
- Command/permission restrictions: immediate blocking of sensitive commands, downloads, transfers, or access to critical data.
- Increase of risk score: elevation of user or session risk, activating stricter mitigation policies for the entire duration of the session or subsequent sessions.
Practical examples
- A legitimate user accesses a system as usual, but with an anomalous typing pattern: MFA trigger.
- Session initiated from an unknown IP at 3 am: automatic blocking and alert.
- Dangerous command executed in a production environment without prior authorization: automatic response for suspension and audit.
- IOC signal received from SIEM correlated to an active session: response orchestration to isolate access and immediate investigation.
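The trigger-to-response orchestration described above, reduced to a small rule engine as an added example (not Segura's own code): each fired trigger contributes to a session risk score and carries its own responses, and score thresholds add escalation steps. The event fields, trigger weights, thresholds, and the baseline data are assumptions constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed session record; the field names are an assumption, not Segura's schema.
@dataclass
class SessionEvent:
    user: str
    source_ip: str
    hour: int                       # local hour at which the session started
    typing_deviation: float = 0.0   # distance from the user's typing baseline (0 = normal)
    commands: list = field(default_factory=list)
    siem_ioc_match: bool = False    # SIEM reported an IOC correlated to this session

# Hypothetical baseline and policy data, constructed for this example.
KNOWN_IPS = {"alice": {"10.0.0.5"}}
BUSINESS_HOURS = range(8, 19)
DANGEROUS_COMMANDS = {"rm -rf /", "drop database"}
TRIGGER_WEIGHTS = {"typing_anomaly": 30, "off_hours": 20, "unknown_ip": 30,
                   "dangerous_command": 60, "siem_ioc": 80}
TRIGGER_RESPONSES = {
    "typing_anomaly": {"step_up_mfa"},
    "off_hours": {"notify"},
    "unknown_ip": {"notify"},
    "dangerous_command": {"block_session", "forward_soar"},
    "siem_ioc": {"block_session", "forward_soar", "notify"},
}
ESCALATION = [(30, "raise_risk_score"), (50, "block_session")]  # (score threshold, response)

def evaluate_triggers(ev: SessionEvent) -> list:
    # Return the names of the behavioral/technical triggers that fire for one session.
    fired = []
    if ev.typing_deviation > 0.7:
        fired.append("typing_anomaly")
    if ev.hour not in BUSINESS_HOURS:
        fired.append("off_hours")
    if ev.source_ip not in KNOWN_IPS.get(ev.user, set()):
        fired.append("unknown_ip")
    if any(c.strip().lower() in DANGEROUS_COMMANDS for c in ev.commands):
        fired.append("dangerous_command")
    if ev.siem_ioc_match:
        fired.append("siem_ioc")
    return fired

def adaptive_response(ev: SessionEvent) -> dict:
    # Combine fired triggers into a capped risk score and the set of automatic responses.
    triggers = evaluate_triggers(ev)
    score = min(100, sum(TRIGGER_WEIGHTS[t] for t in triggers))
    responses = set().union(*(TRIGGER_RESPONSES[t] for t in triggers))
    # Escalation by score: several low-weight signals together still block the session.
    responses |= {r for threshold, r in ESCALATION if score >= threshold}
    return {"triggers": triggers, "score": score, "responses": sorted(responses)}
```

With the constructed data, the four practical examples above map to step-up MFA, block plus alert, suspension plus SOAR forwarding, and isolation plus investigation respectively.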