User Behavior Analytics

Reducing Cyber Risk With AI and User Behavior Analytics

By Dr. Christine Izuakor

At the end of 2019, Security Intelligence released a report on trends that should influence your security planning for 2020. Near the top of the list was the need for visibility, alignment, and analytics when it comes to cybersecurity. Leaders are coming to terms with the idea that being able to see, understand, and have reliable records of what users are doing with their corporate assets can provide valuable insights when trying to reduce cybersecurity risks within your organization.

One Forbes article touched on several key themes as well. The growth of IoT and smart devices has shifted the way that security perimeters were previously managed. Today, there are no true perimeters, and it’s hard to track every device that touches your company. Risk must be addressed creatively both within and beyond traditional firewalls. Also, there is a heightened focus on the concerning risk that employees and contractors can introduce to companies, whether malicious or not.

These shifts are fueling the growing need for risk management programs that focus on monitoring user activity. Regardless of the perimeter, the volume of devices, and more, creating a user behavior analytics function can help you gain greater visibility and control over fluid risks to your company.

Overview of user behavior analytics

User behavior analytics (UBA) is a process that measures and evaluates normal user activity so that abnormal activity, such as a hacked account, can be recognized. The fundamental operating principle of user behavior analytics is to establish a snapshot of the typical activities a user performs in an organization, built from logs and other data sources. Whenever new user activity occurs, it is analyzed with artificial intelligence and machine learning models to see whether it matches what is considered normal. A significant deviation may be cause for alarm.

History and evolution of user behavior analytics

In the early 2000s, businesses sought to monitor and track consumer behavior for better marketing and product sales in the e-commerce industry. As time passed, impactful applications of behavior analytics surfaced in other sectors such as gaming, social media, and even information security. After realizing how much data is available in the digital age and the level of insight that could be gained, the concept snowballed in popularity. Using machine learning algorithms, big data from a variety of sources could be ingested and correlated to assess user activity and evaluate cyber risk in near real-time. User behavior analytics technology is now considered a fundamental component of a robust cybersecurity program.

How user behavior analytics works

Step One: Define Normal

Understand what’s considered normal user activity and create a baseline. This can be achieved by collecting numerous data points from your systems, such as account access, file activities, chat, and instant messaging usage, geolocation, application usage, and more.

Step Two: Analyze User Activity

Conduct analysis against current user activity to find anomalies using statistical models. User activity collected over time is overlaid with information about the user's current actions, such as transaction type, session duration, time of day, geographical location, and more, to determine where activity may be suspicious. For example, if a user profile is marked as a mailroom clerk role but the user account is behaving like a senior network administrator account, the transaction may be considered anomalous user behavior.

Step Three: Apply Intelligence

Apply context and intelligent considerations to ensure accuracy and reduce false positives and false negatives. This step can help you better determine whether the anomalous behavior is indeed malicious. In the previous example, the user could have finished her tech certifications and been promoted to network administrator. While it may still be worthwhile to verify that the user activity is not malicious, without this kind of context traditional anomaly-based tools were often flooded with false positives. Thanks to advances in artificial intelligence and machine learning technology, analyzing and correlating big data can be taken to the next level. By adding context such as third-party risk and situational data, you can calculate more accurate activity risk scores and the resulting alerts.

Step Four: Alert on Anomalies

Alert and report findings so that action may be taken to reduce threats. Using the insight gained from the first three steps, you have the information you need to take action to mitigate threats and risks to your company.
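The four steps above, worked through as one small pipeline. This is an added example, not Veriato's code: the history records, the HR role-change feed (`ROLE_CHANGES`) and the alert threshold are constructed and hypothetical, and the scoring is a deliberately simple "share of never-seen features" heuristic rather than a trained model.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed history (not real data): user, role, timestamp, action, location
HISTORY = [
    ("alice", "mailroom_clerk", "2020-01-06T09:12:00", "read_mail_queue", "Chicago"),
    ("alice", "mailroom_clerk", "2020-01-07T09:30:00", "read_mail_queue", "Chicago"),
    ("alice", "mailroom_clerk", "2020-01-08T10:05:00", "print_labels", "Chicago"),
    ("bob", "network_admin", "2020-01-06T22:10:00", "modify_firewall", "Chicago"),
    ("bob", "network_admin", "2020-01-07T23:40:00", "modify_firewall", "Denver"),
]
# Hypothetical HR feed: user -> (new role, effective date) for legitimate promotions
ROLE_CHANGES = {"alice": ("network_admin", "2020-02-01")}
ALERT_THRESHOLD = 0.6  # assumed cut-off; tune against your own false-positive rate

def build_baseline(history):
    """Step one: per-user profile of the actions, hours and locations seen so far."""
    profile = defaultdict(lambda: {"role": None, "actions": Counter(), "hours": Counter(), "locs": Counter()})
    for user, role, ts, action, loc in history:
        p = profile[user]
        p["role"] = role
        p["actions"][action] += 1
        p["hours"][datetime.fromisoformat(ts).hour] += 1
        p["locs"][loc] += 1
    return profile

def deviation_score(profile, user, ts, action, loc):
    """Step two: share of features never seen for this user (0 routine, 1 fully novel)."""
    if user not in profile:
        return 1.0  # no baseline at all: treat as maximally anomalous
    p = profile[user]
    novel = [action not in p["actions"], datetime.fromisoformat(ts).hour not in p["hours"], loc not in p["locs"]]
    return sum(novel) / len(novel)

def apply_context(profile, user, ts, action, score):
    """Step three: halve the score when a recorded role change explains the action."""
    change = ROLE_CHANGES.get(user)
    if change and ts[:10] >= change[1]:
        # Is the action routine for peers already in the new role?
        peers = [u for u, p in profile.items() if p["role"] == change[0]]
        if any(action in profile[u]["actions"] for u in peers):
            return score * 0.5
    return score

def evaluate(profile, event):
    """Step four: return (risk score, alert?) for one new event tuple."""
    user, _role, ts, action, loc = event
    score = apply_context(profile, user, ts, action, deviation_score(profile, user, ts, action, loc))
    return round(score, 2), score >= ALERT_THRESHOLD
```

The same mailroom-clerk event scores 1.0 before the recorded promotion and drops below the alert threshold after it, which is the false-positive reduction step three is meant to deliver.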

How user behavior analytics can be applied to reduce business risks

Quick breach detection:

In 2019, insurance provider Dominion National notified customers of a recently discovered security breach that had happened in 2010. They found out almost nine years later. According to the IBM 2019 Data Breach Report, the average time to detect a breach is about 206 days.

User behavior analytics can help reduce the risk of undetected attacks and help you detect and respond more quickly. There are quite a few tell-tale signs that can suggest a company has been compromised. Common symptoms include a single device being used by numerous user accounts or, the opposite, one user account logging into many different devices. In addition, attackers are continually finding new ways to trick traditional alerting technology. Without a solution intelligent enough to conduct deep learning and adapt quickly, attackers can outsmart traditional detection tools and avoid setting off alarms.
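The two symptoms named above, many accounts on one device and one account across many devices, as detection logic run over constructed authentication log lines. This is an added example and not Veriato's code; the `host=... user=... result=...` line format and the fan-out thresholds are assumptions, and in practice the thresholds would come from each environment's own baseline.

```python
import re
from collections import defaultdict

# Constructed authentication log lines (not real data); the line format is assumed
SAMPLE_LOG = """\
2020-03-02T08:15:02 host=WS-101 user=alice result=success
2020-03-02T08:16:40 host=WS-101 user=bob result=success
2020-03-02T08:17:05 host=WS-101 user=carol result=failure
2020-03-02T08:17:30 host=WS-101 user=dave result=success
2020-03-02T09:02:11 host=WS-204 user=erin result=success
2020-03-02T09:03:44 host=WS-311 user=erin result=success
2020-03-02T09:05:09 host=SRV-DB1 user=erin result=success
2020-03-02T09:05:52 host=SRV-FS2 user=erin result=success
2020-03-02T09:40:00 host=WS-150 user=frank result=success
this line is malformed and must be skipped
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")

MAX_USERS_PER_DEVICE = 3  # assumed thresholds; derive from the baseline in step one
MAX_DEVICES_PER_USER = 3

def parse_log(text):
    """Yield (timestamp, host, user, result) for each well-formed line; skip junk."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["ts"], m["host"], m["user"], m["result"]

def fan_out(events):
    """Distinct users seen per device and distinct devices seen per user."""
    users_by_device, devices_by_user = defaultdict(set), defaultdict(set)
    for _ts, host, user, _result in events:
        users_by_device[host].add(user)  # failed attempts count too: attempts are the signal
        devices_by_user[user].add(host)
    return users_by_device, devices_by_user

def find_suspects(text):
    """Return (devices with too many accounts, accounts seen on too many devices)."""
    users_by_device, devices_by_user = fan_out(parse_log(text))
    noisy_devices = sorted(h for h, u in users_by_device.items() if len(u) > MAX_USERS_PER_DEVICE)
    roaming_users = sorted(u for u, h in devices_by_user.items() if len(h) > MAX_DEVICES_PER_USER)
    return noisy_devices, roaming_users
```

A production version would bucket the counts into a sliding time window so that a device legitimately shared across shifts over weeks is not confused with four accounts in three minutes.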

Insider threat detection:

According to the 2019 Verizon Data Breach report, insiders caused almost 40% of all breaches. Furthermore, the average cost of a breach involving insider threat-related incidents is just over half a million dollars, with some cases hitting up to $11 million in the United States.

Insider threats are employees, contractors, and other entities who have some form of legitimate access to your company systems, and who have the ability to expose cyber risk, whether intentional or unintentional.

Mastering insider threat detection, and being able to prevent these types of attacks, is paramount to every organization's cybersecurity strategy. User behavior analytics can help you evaluate human-related concepts that are often difficult to analyze, such as sentiment, sabotage, abuse of access or authority, and other policy violations that surface as anomalous user activity.

Access and privilege abuse alerts:

Attackers often escalate user access permissions to gain access to more critical resources and potentially inflict greater damage.

According to Centrify’s report on access management, 74% of breaches involved access to a privileged account. It’s critical to understand and closely monitor all activity done using privileged accounts. It’s also essential to be able to detect risky behavior on these accounts and alert quickly as this is one of the tell-tale signs of a breach. User behavior analytics can help by conducting an in-depth analysis of user activity explicitly done on these accounts, whether it appears to be an authorized user or not.

Fraud detection:

According to a PWC report, roughly fifty percent of global organizations say they have been a victim of fraud in the last two years, with cases often carrying price tags of over a million dollars. Contrary to common belief, individual consumers are not the only victims of identity theft.

Fraud in the form of business identity theft continues to grow.

Banks often protect consumers from fraud by alerting when their spending habits seem off. The same can be done for companies using user behavior analytics. If users are requesting fraudulent transactions, including financial transactions, user behavior analytics with the right context can alert your administrators to potential fraud.

Key functionalities to look for in a user behavior analytics solution that addresses the above risks

A robust user behavior analytics solution should empower you to perform these five crucial tasks:


  1. Monitor all user activity around the clock. The best user behavior analytics technology can ingest relevant data, such as network activity, emails, instant messaging, keystrokes, and more. Even better, some solutions offer dark web tracking, psycholinguistics, and more advanced user activity considerations.
  2. Analyze everything using machine learning. Analyzing all of the data associated with user activity can result in massive storage outputs or Big Data. Leveraging artificial intelligence algorithms to review and understand this data at a much faster rate than human beings is a user behavior analytics differentiator that should not be overlooked when exploring solutions.
  3. Alert your team when there’s a threat. Getting alerts as quickly as possible will allow your team to act fast. It’s essential to find a solution that has a low false-positive rate in order to ensure your team isn’t wasting endless hours on irrelevant analysis. A mature solution will empower you to focus on the most critical threats.
  4. Immediately enable your team to review the evidence and investigate. Advanced user behavior analytics solutions equip you with the ability to investigate alerts right away by presenting relevant records and even screenshot video playback options. Without this capability, time is wasted gathering evidence across different systems and tools, if the information is even available at all. It can take days, weeks, or even months to figure out what happened without playback features. With functions like this, you can also learn the extent of the threats and whether fraudsters acted alone or with other users.
  5. Respond with speed, confidence, and the artifacts to pursue legal action if required. When you have hard evidence, you can confidently and quickly take action against discovered threats. Whether you need to get your HR team or law enforcement involved, with the right user behavior analytics solution, you can have evidence ready to present immediately to mitigate the risk to your company.

How user behavior analytics differs from SIEM

SIEM, or Security Information and Event Management, solutions are designed to accomplish goals very similar to those of user behavior analytics. SIEMs aim to collect and correlate log data from across the company and apply rule-based algorithms to alert on what could be anomalous. These solutions are designed to detect and analyze threats in real time. They weren't developed to take long-term patterns and context into account in order to reach more intelligent and informed conclusions about user activities.

Another differentiator is that where SIEM focuses on technology and system events, user behavior analytics focuses on people. Behind every action, there is usually a human being, an individual user. This is what makes a focus on user behavior analytics valuable. Traditional SIEM solutions that do not incorporate machine learning and user behavior analytics practices are often plagued with false positives and false negatives that take a lot of time to adjust and fine-tune. As attackers become more familiar with the typical rules leveraged by SIEM solutions, they have gotten much better at evading them and flying under the radar to avoid triggering alerts.

This does not mean that user behavior analytics should replace SIEMs. Depending on your organizational goals, either or both solutions could support your needs. Think of user behavior analytics as the next-generation approach to monitoring your enterprise with one of your greatest assets in mind, people.

Conclusion

User behavior analytics empowers companies to look beyond traditional rules-based anomaly detection to more accurately detect and respond to cyber threats from a variety of threat actors, including insider threat detection. This shift is necessary as the lines of enterprise network perimeters and corporate device inventories become more blurred than ever, thanks to the cloud, IoT, and other trends. Interested in exploring risk mitigation through user behavior analytics solutions? Learn more about the award-winning Veriato Cerebral solution and give it a try today.

Insider Risk – How Prepared Are You?


Not every company is equally prepared to deal with insider risk. This report outlines the four stages of insider risk maturity and explores how to improve your insider risk preparedness.

About the author

Dr. Christine Izuakor
Dr. Izuakor is the Senior Manager of Global Security Strategy and Awareness at United Airlines where she plays a critical part in embedding cyber security in United’s culture. She is an adjunct professor of cyber security at Robert Morris University, and independently helps corporations solve a diverse range of strategic cybersecurity challenges.
