Acting as a cyber-security defense line, user behavior analytics (UBA) consist of monitoring the human behavior patterns that emerge from interacting with an IT system, establishing the normal zone and identifying any anomalies that could signal vulnerabilities or threats.
This behavior-focused continuous audit is especially benefiting enterprises. Having numerous employees that interact with the company’s cyber system poses various risks. It is unrealistic to assume that individual cyber-security awareness would suffice in preventing and protecting, and it may prove costly to rely on other methods, such as SDP (software-defined perimeter), MFA (multi-factor authentication) or air-gapping parts of your system.
Traditionally employed in the marketing field, UBA migrated towards cyber-security since many major security events turned out to have a human weak-entry point. This big data application allows efficient control over a cyber-organizational environment – and it converged with the fact that SaaS providers extended their automation capabilities.
What to look for in user behavior analytics providers’ offers?
Some crucial UBA differentiators would be:
- Integration mechanisms (that establish the data sources used in defining system patterns);
- Time-frame (primary, for establishing the baseline system schematics; and secondary, the necessary TTR -time for results): longer times for baseline establishment are better since the reference frame would be more accurate, while clearly defined results and a reasonable time frame for actionable results would be best for the second goal;
- Interface flexibility in what concerns the UBA tool manipulation; the dashboard may allow only professional operators to intervene or it can be customized for on-premises reporting and interaction.
User behavior analytics – goals
To establish an overall image of what such an automated cyber defense tool is supposed to accomplish, we can have a look at a few UBA solutions service-descriptions.
Splunk UBA includes in its offer malware, APTs and insider threats detection, in parallel with identifying, visualizing and classifying system anomalies (user-centric monitoring).
Varonis UBA focuses on different aspects of user activity: networking, application use, accessed files (user, type and timing when considering regular activities determine normality patterns). Following user activity serves as a data-processing beacon and organizes the information collected. Otherwise undetected cyber threats can be identified using user-activity markers, or, to put it the other way round, any patterns anomaly triggers extra investigative measures.
Balabit UAB considers users their “new perimeter”: their Blindspotter tool has the tagline “more monitoring, less control”. Integrating contextual data, standard log data and Privileged Account Management (PAM) data, the tool is capable of intervention, if necessary, by suspending or blocking access when risks are involved.
Gurucul clearly lists all its objectives, from data exfiltration prevention and insider threat deterrence to self-audit. Big data analytics combine with mathematical algorithms to provide alerts and trigger investigation when necessary.
Therefore, in what algorithms are concerned, once establishing a baseline, UBA tools deploy monitoring and comparison systems that detect changes and trigger event analysis – while suspending or blocking alarming user activity. The abnormal elements may be interpreted (or discovered to be) identity theft, malware or unauthorized activities.
In a not-so-far-fetched parallel, UBA can be seen as the virtual equivalent of location security – a constant presence that determines the periodical patterns and alerts the system when unusual events occur. “Normality” is defined for both human and virtual factors, and, for example, a behavioral switch may be a sign of an ongoing attack.
Future of user behavior analytics
While some may still consider that traditional cyber-security methods suffice (strong passwords, regular updates, capable system firewalls and anti-virus software), the challenge of human weak entry points has been revealed over and over again with almost each recent instance of data loss and data theft and in notorious compromised system cases.
As a decision cyber-security factor, a specialist may rely on enhanced personnel training and raised cyber-awareness, or might choose to improve the AI protection. UAB tools fall into the AI protection category – sophisticated, integrated software that processes data and notifies the responsible human factors about unusual patterns and possible system risks. User-centralized monitoring allegedly provides more than notifications and alerts, it includes the precise description of the elements involved in the system event, making it easier for the enterprise to block the attacks or recover the data. In cases of urgency, isolating the affected part of the system is critical – and every second matters. Investigating the entry point and the infection level can take time and increase the loss. By warning the persons in charge of the exact timing and location (virtual and physical) of the suspicious activity, any viable UAB tool speeds up the defense reaction chain.
In an interesting article (although actually an extended advertorial for one of the UAB providers we’ve compared above) pertaining to a businessperson from a technology advisory firm, the author underlines an extra element that automated user behavior analytics tools have, while a human specialist might just fail at the same element: the tools perform their tasks thoroughly and can withstand pressure. For example, the process of building a baseline cannot be rushed, and the monitoring process cannot be biased – any (good) automated tool delivers exactly what it promised when its parameters are precisely respected.
The future of UAB tools looks interesting. Although avoiding or stopping cyber-attacks that “might have been” would never reach the headlines (as opposed to every notorious data breach, data loss event, and other types of large scale attacks), this type of tools offer a valuable contribution in building and maintaining enterprise cyber-security. With the challenges brought on by the Internet of things, this contribution might prove essential, by providing cyber-security extra compliance and a more secure situation to every company preoccupied in protecting its cyber-environment.
As AI develops rapidly, such tools will improve – in a synchronized movement. The neural networks methodology is common to both AI schematics and UAB automated activities – the more sophisticated and efficient they get, the better “virtual brain” processes will fulfill their tasks. The more concerned readers can also check materials such as “Neural Signatures of User-Centered Security”, to form a better image of how the future cyber-security monitoring tools may look like.
