Product News

Meet Rippling Behavioral Detection Rules: Better security, automated

Sam GnesinJun 15, 2021

Protecting employees and company data from unauthorized access is a top priority for every team. While multi-factor authentication can be very effective, it’s not always the right tool for the job. That’s why we’re proud to announce behavioral detection rules.

Behavioral detection joins Rippling’s robust identity management solution to make signing in even more secure. It gives your team tons of flexibility governing access to Rippling and the other applications that your company integrates with Rippling.

Why we built behavioral detection rules

Behavioral detection is quickly becoming a standard feature for security, but there were a few gaps we knew Rippling could fill. In addressing these, we’ve made behavioral detection more accessible and powerful than ever before. 

First, we decided that more companies should have access to behavioral detection. Unlike our competitors, who offer behavioral detection as an add-on, we include it for every Rippling customer for free. 

The second issue was rigidity. Other platforms’ behavioral detection rules don’t allow much customization or granularity, which businesses need when trying to balance employee experience with risk tolerance. That’s why Rippling allows you to configure triggers and actions for the use cases that are relevant to your organization.

How behavioral detection rules work

When a user is trying to authenticate, unusual behavior will prompt a trigger. This trigger is attached to a rule, which you and your organization have already set up through Rippling. And that rule causes a specific action to happen—also of your choosing.

missed password attempt

You can apply behavioral detection rules to users logging in to Rippling or signing in to Rippling integrated SAML apps, as well as any request that occurs between a web client and the Rippling platform. These rules can apply to specific teams, locations, individuals, or employment types (like contractors). 

Rippling gives you complete control over which triggers are active. When making rules, you can link multiple triggers, too, so that entire patterns are flagged. 

Reviewing rules is easy. You can see which rules are active, even if they’re not triggered, by checking a sign-in’s activity report. All of the relevant, configured rules will be listed there.

activity report

How rules are triggered

When a user signs in, Rippling will run their IP address details through the custom rules you’ve set up in your company’s security settings. 

If a user is blocked from signing in, your admins will get an email notification. This will show which triggered rules caused the restriction. If the sign-in looks legitimate, you’ll be able to unblock the employee.

Which rules are included

For behavioral detection, we’ve baked in two default rules for all new Rippling accounts. They protect against common security risks, like brute force attacks and traffic from Tor Exit Nodes.

The first of these default rules will be triggered after 5 consecutive incorrect attempts. Even if the password is right on the sixth attempt, the sign-in will still be blocked. The second default rule will block any traffic from Tor exit nodes.

In addition to these default rules, you can choose custom triggers for different groups within your organization. Rippling supports triggers for when a user tries to sign in:

  • From a specific IP address type 
  • From a new city
  • From a new state
  • From a new country
  • Using a new IP address 
  • From pre-approved VPN  IP addresses
  • Using an IP address not listed in a predetermined list 
  • After a specified number of incorrect attempts
  • With an impossible velocity between 2 successive attempts

And remember, you can combine multiple triggers for your rules.

sign in from a new city

Taking action

When a rule is triggered, an action occurs in response. You, as the administrator, can choose actions to correspond with rules. Rippling supports the following actions:

  • Allow the user access, using an “allowlist” 
  • Limit session lifetime, which will override session lifetimes defined in other apps
  • Require an additional factor for MFA 
  • Block the user’s access

In the last of these, you can select how severely to block a user. It can be for just a single attempt. It can be for a period of time, ranging from 15 minutes to a full day. Or you can simply block a user until an admin goes in and manually unblocks them.

sign in blocked

Security at Rippling

Rippling manages data for thousands of companies—and hundreds of thousands of employees. Security is not only an offering to our customers, but a cornerstone of our business and the products we build. 

Behavioral detection is a part of that promise. At Rippling we use behavioral detection rules for every employee internally. Plus, we enforce MFA using FIDO2 for many departments to ensure we are being responsible custodians of customer data. 

Interested in learning more about behavioral detection rules, or any of our other security measures? Schedule a demo with us today to see the product in action.

Related Posts

View All Posts

Product News

Introducing Rippling Learning Management: The easiest way to train your employees and stay compliant

Learning and development has emerged as one of the biggest differentiators in the employee-experience world. According to a LinkedIn study, 94% of employees would stay at their company longer …

Louis HellmanJun 8, 2021

Company NewsProduct News

Rippling teams up with DoorDash to bring office meals to remote teams

Good companies take good care of their people. But with everyone working from home, it’s more challenging to deliver the kinds of perks people love about an office environment. …

Matt MacInnisFeb 24, 2021

Product News

Manage time your way with Rippling’s fully customizable Time & Attendance system

Over 50% of the US workforce is hourly or project-based, yet many HR leaders are still stuck between a rock and a hard place when it comes to finding …

Sachith GullapalliJan 27, 2021