User Behavior Analytics: Methods and Best Practices

January 14, 2016  |  Garrett Gross

Here’s a daunting question asked by many security professionals today: “How can I discover malicious user behavior more rapidly?”

It’s hard enough after the fact to point at an event and say: “Aha, this was a breach underway.” But that, of course, is far too late. The goal should be to detect such events as they occur, in or as close to real time as possible, and shut them down to minimize any possible business impact.

That’s where things begin to get a bit awkward, because looking for those needles in a haystack isn’t the simplest thing in the world to do. New log data is constantly emerging from the complete IT infrastructure of servers, databases, routers, and other assets. All of it is potentially relevant to a security breach in progress.

And while the huge majority of log data is insignificant, the way three or four exceptions combine can mean all the difference between business as usual and a catastrophic loss of sensitive data.

To put this in perspective, consider the difference between the word breaches and the word breeches. They look much the same, and sound much the same… but the first means a devastating failure of the security strategy, and the second only means short pants. Ideally, you’d be able to spot the first and ignore the second — every time — fast.

What is User Behavior Analytics?

That challenge is exactly what’s driven the emergence of User Behavior Analytics (UBA) solutions. These tools leverage machine learning to approximate the expertise that human security specialists use to spot real breaches — but faster! They can often zero in on the tiny percentage of anomalous events that merit a closer look.

If this reminds you of the way marketing analytics tools have worked for some time, that’s no coincidence. User behavior analytics has emerged as a security-specific application of the same basic principles involved in all smart business analytics.

How Does User Behavior Analytics Work?

First, UBA solutions collect information emerging from many points in the infrastructure. Using this, they then create a baseline to determine what normal means under different conditions.

That accomplished, they continue to aggregate data, slicing and dicing it to look for patterns that (depending on how the proprietary algorithms work) are deemed not normal. These determinations assess just how, and by how much, a new event is unusual in context, and prioritize its significance and possible business impact. Administrators can also create custom rules to tailor the solution more closely to the organization — its unique services, data, account classes, business priorities, etc.

One important principle to understand is that UBA tools address anomalous user behavior much more than infrastructural events in general — hence the name of the solution class. This focused approach helps address some of the most vexing issues facing security professionals today, like:

  • Determining when a valid privileged account has been compromised
  • Determining when unusual behavior by such an account is justified vs. when it should be flagged for further examination

For example, it’s one thing for Steve (an American database administrator) to access a database during working hours from inside the corporate network, and quite a different thing for Steve to do the same from Uzbekistan at 2am on a Friday. Rapidly determining that the second situation is indeed taking place is easy for humans, but has traditionally been difficult for automated technology — until now.
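The baseline-then-deviation process described above, applied to the "Steve from Uzbekistan at 2am" case, as an added example that is not code from the original post or from any UBA product. The key=value log format, the behavioural features, the scoring weights, the "rare" threshold, the privileged-account list and the sample log lines are all constructed assumptions for this illustration; a real product would use far richer features and a proprietary model.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample history in an assumed key=value log format: a week of
# Steve (a DBA) working US business hours, almost always from inside the network.
HISTORY_LOG = """\
2016-01-04T09:15:00 user=steve country=US net=internal action=db.query
2016-01-04T14:02:00 user=steve country=US net=internal action=db.query
2016-01-05T10:30:00 user=steve country=US net=internal action=db.query
2016-01-05T16:45:00 user=steve country=US net=internal action=db.query
2016-01-06T08:50:00 user=steve country=US net=internal action=db.query
2016-01-06T11:20:00 user=steve country=US net=vpn action=db.query
2016-01-07T13:05:00 user=steve country=US net=internal action=db.query
2016-01-07T17:10:00 user=steve country=US net=internal action=db.query
2016-01-08T09:40:00 user=steve country=US net=internal action=db.query
2016-01-08T15:25:00 user=steve country=US net=internal action=db.query
"""

# Administrator-supplied context (the "custom rules" input): which accounts
# carry elevated privileges and therefore get a higher priority weight.
PRIVILEGED = {"steve"}


@dataclass(frozen=True)
class Event:
    user: str
    ts: datetime
    country: str
    net: str
    action: str


def parse_line(line: str) -> Event:
    """Parse one line of the assumed 'TIMESTAMP key=value ...' format."""
    ts, *pairs = line.split()
    f = dict(p.split("=", 1) for p in pairs)
    return Event(f["user"], datetime.fromisoformat(ts), f["country"], f["net"], f["action"])


def features(e: Event) -> dict:
    """The behavioural attributes the baseline is built from."""
    return {"hour": e.ts.hour, "workday": e.ts.weekday() < 5,
            "country": e.country, "net": e.net, "action": e.action}


def build_baseline(events):
    """Per-user, per-feature frequency tables: what 'normal' looks like."""
    baseline = defaultdict(lambda: defaultdict(Counter))
    for e in events:
        for name, value in features(e).items():
            baseline[e.user][name][value] += 1
    return baseline


def score_event(e: Event, baseline, rare: float = 0.15):
    """Score how unusual an event is against its user's baseline.

    A feature value never seen for this user adds 1.0; a value seen in fewer
    than `rare` of past events adds 0.5. Privileged accounts are weighted x2
    so they sort to the top of the analyst queue. Returns (score, reasons).
    """
    user_base = baseline.get(e.user)
    if user_base is None:
        return 3.0, ["no baseline for user"]
    score, reasons = 0.0, []
    for name, value in features(e).items():
        counts = user_base[name]
        total = sum(counts.values())
        freq = counts[value] / total if total else 0.0
        if freq == 0.0:
            score += 1.0
            reasons.append(f"{name}={value} never seen before")
        elif freq < rare:
            score += 0.5
            reasons.append(f"{name}={value} rare ({freq:.0%} of history)")
    if e.user in PRIVILEGED:
        score *= 2
    return score, reasons


def triage(lines, baseline, alert_at: float = 2.0):
    """Score a batch of new log lines; return (score, reasons, line) for those
    at or above the alert threshold, highest score first."""
    scored = [(score_event(parse_line(l), baseline), l) for l in lines]
    flagged = [(s, why, l) for (s, why), l in scored if s >= alert_at]
    return sorted(flagged, key=lambda t: t[0], reverse=True)


BASELINE = build_baseline(parse_line(l) for l in HISTORY_LOG.splitlines())

# Constructed new events: one ordinary, one matching the Uzbekistan-at-2am case.
NEW_LOG = [
    "2016-01-11T09:15:00 user=steve country=US net=internal action=db.query",
    "2016-01-15T02:00:00 user=steve country=UZ net=external action=db.query",
]

if __name__ == "__main__":
    for score, why, line in triage(NEW_LOG, BASELINE):
        print(f"{score:.1f}  {line}\n      " + "; ".join(why))
```

The ordinary Monday-morning event scores 0 and is never surfaced; the 2am Uzbekistan event from outside the network trips three never-seen features and, because Steve is privileged, lands at the top of the queue with the reasons attached. Note that the contextual rule (privileged accounts weigh more) is what separates "odd" from "urgent"; the raw deviation alone would rank a contractor and a DBA identically.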

When such a determination is made, UBA solutions can take a variety of effective steps. Commonly, they can update monitoring dashboards, e-mail alerts to appropriate team members, and in some cases, take direct action to stop the event. Which brings us to:

The Future of User Behavior Analytics

Gartner estimates that “by 2017, at least 20% of major security vendors with a focus on user controls or user monitoring will incorporate advanced analytics and UBA into their products, either through acquisitions, partnerships or internal development.”

This is a reflection of the rapid growth and maturity in UBA capabilities (referred to by Gartner as UEBA – User and Entity Behavior Analytics) over the last 18 months. It is due in part to general, significant interest and improvements in machine learning, big data, and artificial intelligence across a broad spectrum of industries, but it is being driven into IT security applications specifically because of the difficulty of detecting today’s Advanced Persistent Threats, sophisticated botnets, malicious insider behavior, and a variety of other modern attack methods.

In the very near term, expect to see user behavior analytics solutions integrate more directly with the infrastructure. For instance, firewalls might be configured to take user behavior analytics-derived insight and create new traffic rules immediately, shutting down invasive connections long before human talent would even notice they’re there.

Similarly, databases might be automatically modified to eliminate the access privileges of accounts that have just been deemed compromised.

These capabilities aren’t technologically difficult to implement, but they come with significant concerns over risk. What happens when the system automatically shuts down the wrong activity at just the wrong time? An e-commerce site over the holidays? A defense system? A utility? Could the reaction be triggered on purpose, as a form of denial-of-service attack whose goal is disruption rather than theft? The early days of Intrusion Detection Systems and their many false positives certainly come to mind.
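One way to put the automated responses described above behind guards that address exactly these concerns, as an added example that is not from the original post or from any product. The thresholds, the action names, the protected-account list and the sequence of scored events are constructed assumptions; the scores are taken to come from an analytics stage like the one in the previous section.

```python
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Decision:
    user: str
    action: str   # one of: log, alert, page_human, auto_disable
    reason: str


class ResponseGate:
    """Sits between the analytics score and the automated response.

    Three guards keep a wrong or deliberately induced detection from turning
    into an outage: a higher bar for automatic action than for an alert, a
    list of accounts no machine may disable on its own, and a hard budget of
    automatic actions per time window (beyond it, humans take over).
    """

    def __init__(self, alert_at=2.0, auto_at=5.0, max_auto=3,
                 window=timedelta(minutes=15), protected=frozenset()):
        self.alert_at = alert_at
        self.auto_at = auto_at
        self.max_auto = max_auto
        self.window = window
        self.protected = protected
        self._recent_auto = deque()   # timestamps of automatic actions taken

    def _auto_count(self, now):
        """Number of automatic actions taken inside the current window."""
        while self._recent_auto and now - self._recent_auto[0] > self.window:
            self._recent_auto.popleft()
        return len(self._recent_auto)

    def decide(self, user, score, now):
        if score < self.alert_at:
            return Decision(user, "log", "below alert threshold")
        if score < self.auto_at:
            return Decision(user, "alert", "anomalous; analyst review")
        if user in self.protected:
            return Decision(user, "page_human", "protected account; no automatic disable")
        if self._auto_count(now) >= self.max_auto:
            # A burst of high scores is either a real incident that already has
            # people engaged, or input crafted to make the system lock everyone out.
            return Decision(user, "page_human", "automatic-action budget for window exhausted")
        self._recent_auto.append(now)
        return Decision(user, "auto_disable", "high-confidence compromise")


def demo():
    """Constructed sequence of (user, score, time) events, returned as decisions."""
    gate = ResponseGate(protected=frozenset({"svc_orders"}))
    t0 = datetime(2016, 1, 15, 2, 0, 0)
    scored = [
        ("steve",      6.0, t0),                          # Uzbekistan at 2am
        ("svc_orders", 6.0, t0 + timedelta(minutes=1)),   # e-commerce service account
        ("alice",      1.0, t0 + timedelta(minutes=2)),
        ("bob",        3.0, t0 + timedelta(minutes=3)),
        ("carol",      6.0, t0 + timedelta(minutes=4)),
        ("dave",       6.0, t0 + timedelta(minutes=5)),
        ("erin",       6.0, t0 + timedelta(minutes=6)),   # fourth high score in window
        ("frank",      6.0, t0 + timedelta(minutes=30)),  # window has rolled over
    ]
    return [gate.decide(u, s, t) for u, s, t in scored]


if __name__ == "__main__":
    for d in demo():
        print(f"{d.action:<12} {d.user:<10} {d.reason}")
```

The e-commerce service account is never disabled by the machine, however high its score, and once three accounts have been disabled automatically within fifteen minutes the fourth goes to a human instead. That budget is what turns the "trigger the reaction on purpose" scenario from an outage into a page to the on-call analyst, at the cost of a slower response during a genuine mass compromise; the right numbers are a business decision, not a detection one.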

Best Practices in Today’s User Behavior Analytics Tools

For now, however, we can recommend these basic best practices to get optimal results from UBA tools:

  • Take both external and internal threats into account when developing new rules/policies.
  • Look for solutions that feature analytical strengths in areas important to your organization, such as offsite contractors, the relative business significance of different data repositories, etc.
  • Consider carefully which team members should be notified when alerts are generated.
  • Don’t assume standard accounts (without special privileges) are harmless — some attacks create a cascade effect, compromising assets in sequence to arrive finally at control of a privileged account or escalation of privileges on a standard account.

It’s a very promising area — we feel that user behavior analytics capabilities are already well worth a look for almost any security-conscious organization. And as they evolve, the case for them will just get stronger and stronger.
