The Rise of User Behavior Analytics

In August 2014, Gartner published the “Market Guide for User Behavior Analytics.” If you have a Gartner subscription I encourage you to read it. The analysts (Avivah Litan and Mark Nicolett) did a great job defining what had beforehand been a largely undefined market.

User Behavior Analytics (“UBA”) as defined by Gartner, is about detection of insider threats, targeted attacks, and financial fraud. UBA solutions look at patterns of human behavior, and then apply algorithms and statistical analysis to detect meaningful anomalies from those patterns – anomalies that indicate potential threats.

The space is evolving pretty rapidly, and there are some fairly significant differences in approach from one solution provider to the next. But the fact that user activity and behavior are being increasingly paid attention to is welcome.

Analyzing behavior is something the IT and Information Security community has been doing for a long time.

We have tools that look at the behavior of systems, and use data on the way the system is behaving to predict what will happen next. A disk failure is a good example. Not too hard to predict these days.

We have solutions that analyze the behavior of network traffic, looking at anomalies in flows as a means of detecting things like data exfiltration that a DLP solution simply can’t detect or prevent. Vince Berk and the folks over at Flowtraq are doing some outstanding work in this area.

It’s logical, and in some ways overdue, that we apply similar approaches to the behavior of insiders.

Javvad Malik with 451 Research published an excellent read titled “There is a traitor in our midst – exploring the insider-threat market” in December 2014 that, among other things, speaks to the benefits or monitoring user activity and analyzing user behavior. Javvad also points out some of the unique things that need to be factored in when adding “people analytics” to a security strategy like employee privacy. And he makes a great point – that while behavioral analytics are “key to identifying and isolating a potential rogue user” organizations need to exercise caution and not “prosecute individuals based on mere propensity.”

This leads to a discussion on predictive analytics. People, by their very nature, are difficult to predict. I had an opportunity to have a lengthy discussion with two ex-intelligence operators. These were experts that, when over in Iraq, were tasked with informing the warfighters where Improvised Explosive Devices (“IED”) were placed – a real matter of life and death. One thought that has stuck with me in the time since that discussion was their strong aversion to saying they could “predict” where a person was going to place an IED. Because that person could decide not to stick to the plan (alter their behavior) based on any number of factors – both internal and external – at any time.

It’s the function on user behavior analytics to identify situations where the conditions are ripe for an insider incident. It’s the function of the human operators that receive that information to use it judiciously and wisely.