Article

The Role of User Behavior Analytics in Threat Detection

Rather than simply stealing data, malicious actors are changing it to disrupt processes and cast doubt on information integrity. The threat extends to identity data and user credentials, which could be manipulated to gain physical access to secure facilities or logical access to sensitive data.

In light of this threat, organizations are advised to rethink their identity and access management (IAM) policies. Multifactor authentication can boost security in many respects but is of little value if the authentication data itself cannot be trusted. In light of that, organizations must monitor the IT environment for suspicious user behavior that could indicate compromised credentials.

User behavior analytics tools have emerged in response to these kinds of threats. Machine learning is used to establish a baseline of normal activity for each user; then, real-time monitoring tools gather user activity data and compare it to the baselines. When deviations are detected, IT security personnel are alerted so they can investigate. Thresholds can be set, depending on the risk sensitivity of the user group or IT assets being accessed.

Other types of security monitoring tools focus on events, often generating so many alerts that actual threats get lost in the “noise.” A 2015 study by the Ponemon Institute found that organizations received an average of 16,937 security alerts each week, but only 19 percent of those alerts were considered reliable, and only 4 percent were investigated. User behavior analytics work in concert with traditional monitoring tools to provide context around events, making it easier for IT security teams to pinpoint a threat or attack.

The ability to identify threats quickly is essential to minimizing the damage caused by a security breach. In a recent RSA survey, however, only 8 percent of respondents believed they could do so, though 88 percent were collecting data from perimeter security devices. Only 55 percent said they collect data from IAM systems, and only 49 percent from network packet flows. When organizations do collect data from multiple sources, they aren’t aggregating it; only 21 percent of organizations said they had one fully integrated and normalized security data structure. To address these gaps, 32 percent of survey respondents said they planned to implement user behavioral analytics within the next 12 months.

This dovetails with a recent 451 Research report noting that user behavior analytics was a top security trend in 2016, with many new products introduced. The report puts these tools into three broad categories:

  • User and network behavior analytics, which analyze log data and network traffic patterns to spot malicious actors trying to steal user credentials.
  • Insider monitoring systems, which look at all of a user’s activity for noncompliance with security policies or access to resources outside the scope of the user’s role.
  • Web behavior analytics, which look for automated attacks on websites, such as bots trying various username and password combinations to gain access.

By combining user behavior analytics with IAM data, organizations are better equipped to address the threat of data manipulation and malicious insiders. These tools help you overcome the “needle in a haystack” challenge of security and monitor for suspicious activity at the user level.

Leave a Comment