Behavioral analytics are being developed for cyber security applications to address the vast number of interactions between users, devices, applications, data, and networks. However, not all of these products operate the same way. There are two types of behavioral analytics platforms, and you should consider the differences carefully.
According to the latest Verizon Data Breach Investigations Report, stolen, weak or default credentials were involved in 81 percent of confirmed data breaches. Given that this attack vector is so prevalent, it only makes sense to watch user behavior closely and identify abnormal patterns. Cybersecurity has begun to incorporate methods that monitor user actions in order to distinguish between legitimate and threatening user behavior. This has given rise to a category of security products known as behavioral analytics, which focus on the detection of anomalies. While user behavior is at the core of these offerings, many of them extend beyond the behavior of the user and also cover other entities such as hosts and devices. (This is known as user and entity behavior analytics, or UEBA, and is a topic for another post.)
Now back to behavioral analytics. Every company has data that is at risk of attack by cyber criminals, and at some point a user attempts to move that data in order to exploit it. When this happens, user behavior analytics is used to spot attackers who may have gotten past perimeter defenses, or suspicious behavior by company insiders, and allows organizations to prevent and detect incidents and breaches.
While monitoring and analyzing user behavior may seem obvious, it raises the question of how to track and analyze that behavior, and the choice of method can have significant implications for deployment cost, time and effectiveness. There are two types of products: those based on algorithmic models, and those that operate in a more adaptive "learning" mode.
When going with the algorithm-based model, a deployment can take a couple of months and requires a team of experts to come in and set up the technology, racking up professional services fees in the process. This approach also needs constant maintenance to refine existing algorithms and create new ones, which gives the advantage to the offense, not the defense.
On the other hand, products that use artificial intelligence or machine learning typically plug into the existing infrastructure very quickly and start collecting information right away. Through machine learning and analytics, these platforms can build a baseline of normal activity and process vast amounts of data to find abnormal patterns of behavior. When anomalies are identified, analysts can then drill down into the data to see where they may be at risk.
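To make the "baseline, then flag deviations" idea concrete, here is a minimal per-user baseline and scoring routine in Python. It is an added example, not code from this post or from HoloNet; the users, events, hour-of-day slack and robust z-score threshold are all constructed for illustration.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample audit events (user, ISO timestamp, bytes transferred).
# Invented for this example; not data from any real deployment.
BASELINE_EVENTS = [
    ("alice", "2024-03-01T09:12:00", 12_000),
    ("alice", "2024-03-02T09:40:00", 15_000),
    ("alice", "2024-03-03T10:05:00", 11_000),
    ("alice", "2024-03-04T09:55:00", 14_000),
    ("alice", "2024-03-05T10:20:00", 13_000),
    ("bob",   "2024-03-01T14:00:00", 250_000),
    ("bob",   "2024-03-02T15:30:00", 300_000),
    ("bob",   "2024-03-03T14:45:00", 280_000),
    ("bob",   "2024-03-04T16:10:00", 310_000),
    ("bob",   "2024-03-05T15:00:00", 270_000),
]

def build_baseline(events):
    """Learn each user's 'normal': active hours seen and robust volume statistics."""
    per_user = defaultdict(lambda: {"hours": set(), "volumes": []})
    for user, ts, nbytes in events:
        per_user[user]["hours"].add(datetime.fromisoformat(ts).hour)
        per_user[user]["volumes"].append(nbytes)
    baseline = {}
    for user, d in per_user.items():
        med = statistics.median(d["volumes"])
        # median absolute deviation; floor of 1 avoids division by zero on flat data
        mad = max(statistics.median(abs(v - med) for v in d["volumes"]), 1.0)
        baseline[user] = {"hours": d["hours"], "median": med, "mad": mad}
    return baseline

def score_event(baseline, user, ts, nbytes, z_limit=3.5):
    """Return the reasons an event deviates from the user's baseline (empty if none)."""
    if user not in baseline:
        return ["no baseline for user"]
    b = baseline[user]
    reasons = []
    hour = datetime.fromisoformat(ts).hour
    # allow one hour of slack around the hours actually observed for this user
    if not any(abs(hour - h) <= 1 for h in b["hours"]):
        reasons.append(f"unusual hour {hour:02d}")
    z = 0.6745 * (nbytes - b["median"]) / b["mad"]  # robust z-score via MAD
    if z > z_limit:
        reasons.append(f"volume {nbytes} is {z:.1f} robust-sigma above median")
    return reasons
```

A real platform learns many more features (peers, hosts, applications) and adapts the baseline over time, but the flow is the same: score each new event against what that user normally does and hand the flagged ones to an analyst.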
Monitoring user behavior provides a way of flagging suspicious activity, which then requires further investigation of the interactions between the users, devices, applications, data, and networks involved, so consideration should also be given to how user behavior can most easily be put in the proper context.
Typically an incident response workflow can be established that includes email and text alerts, the creation and distribution of incident reports, the collection of data for evidence and the activation of containment and mitigation controls.
While it does take time for a machine learning based platform to process all of your data and establish a baseline, the platform itself can be put in place in days. And once deployed, this type of approach can bring incident response times down to minutes and hours, rather than a process that takes days or even weeks, enabling a security team to react.
So consider the cost and complexity of these approaches as you explore.
This blog reflects the contribution of the HoloNet team and guest bloggers who are security experts. HoloNet Security is led by a team of seasoned security industry professionals with a long, proven track record of successful security products and services.