To Understand User Intent, Consider the Context

Everything from file names to user roles can provide clues to a user's intent.


Determining whether a user made a mistake or intentionally compromised sensitive data or systems is one of the trickiest security tasks. But it’s essential information that helps the organization walk the fine line between staying safe and alienating employees or business partners by treating them like criminals.

The key to determining the intent of an action is context – everything else an organization knows about a user’s past activities and their role (or roles) in the organization. “The more contextual information you have, the better an intent call you can make,” says Brandon Swafford, chief technology officer of user and data security at Forcepoint.

Context is Critical

Most organizations have a solid amount of such data from sources such as endpoint protection tools, Web proxies, and email server logs. For example, if an employee uploads a document to a Web page they rarely visit, the additional context might include the file type, the file name, the file source, and the person’s role.

If the file in question is an image, was uploaded by an administrative assistant to a social media site, and has a personal title ("Picnic with new dog"), it probably signals a less urgent threat. If the file contains executable code and was downloaded from a suspect website by a system administrator who has root access to multiple key systems, that requires more urgent attention, as does this scenario: an executive involved in a pending acquisition emails a large spreadsheet to an unknown third party.

Similarly, a user who downloaded a large amount of data to a thumb drive at 5 p.m. on a Friday might trigger suspicion, until further "context" is added, such as an IT service ticket showing the user was scheduled to receive a new laptop Monday morning and would be expected to transfer data to it from their current system.

Learning more about unusual user behavior before jumping to your “worst case” conclusion will keep organizations focused on the most severe threats, Swafford notes.

Investigate Before Acting

“If you can build basic analytics around behavior or build triggers to derive the [user intent], you can save the business a lot of time and money,” says Swafford. In some cases, this might mean reducing the severity of an alert. It could also lead to the creation of a rule that says, for example, “when an image file from a personal folder is uploaded to a social media site, we’ll allow it the first time, but restrict it on the second or third occurrence,” he says. Such a system might also track such behavior to provide forensic evidence if needed for an investigation.
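As an added illustration (not Forcepoint's product logic or code from this article), the following Python sketches how the scenarios above and the "allow the first time, restrict on repeats" rule could be expressed as a context-aware triage function. The event fields, thresholds, severity names and dispositions are assumptions chosen to mirror the article's examples.

```python
from collections import Counter
from dataclasses import dataclass, field

# Constructed categories and thresholds: assumptions for this illustration, not Forcepoint's.
IMAGE_TYPES = {"jpg", "png"}
EXEC_TYPES = {"exe", "dll", "ps1"}

@dataclass
class Event:
    user: str
    role: str
    action: str        # "upload" | "download" | "email" | "usb_copy"
    file_type: str
    destination: str   # "social media", "unknown third party", "usb", ...
    source: str = ""   # "personal folder", "suspect website", ...
    size_mb: int = 0
    context: dict = field(default_factory=dict)  # e.g. {"it_ticket": "laptop refresh"}

def score_event(ev: Event, history: Counter) -> tuple:
    """Rate one event low/medium/high and map it to allow/review/escalate/restrict."""
    severity, reasons = "low", []
    if ev.file_type in EXEC_TYPES and ev.source == "suspect website":
        # a root-holding admin makes this the most urgent case in the article
        severity = "high" if ev.role == "system administrator" else "medium"
        reasons.append("executable from suspect source")
    if ev.action == "email" and ev.destination == "unknown third party" and ev.size_mb >= 10:
        severity = "high"
        reasons.append("bulk data to unknown external recipient")
    if ev.action == "usb_copy" and ev.size_mb >= 500:
        severity = "medium"
        reasons.append("bulk copy to removable media")
        if "laptop refresh" in ev.context.get("it_ticket", ""):
            severity = "low"  # the IT ticket explains the transfer
            reasons.append("explained by IT ticket")
    disposition = {"low": "allow", "medium": "review", "high": "escalate"}[severity]
    # Article's rule: allow the first personal image upload to social media,
    # restrict later ones; the counter doubles as a forensic record.
    if (ev.action == "upload" and ev.file_type in IMAGE_TYPES
            and ev.source == "personal folder" and ev.destination == "social media"):
        n = history[ev.user] = history[ev.user] + 1
        disposition = "allow" if n == 1 else "restrict"
        reasons.append(f"occurrence {n} of personal image upload")
    return severity, disposition, reasons

def triage(events: list) -> list:
    """Score events in order with shared history; returns (user, severity, disposition)."""
    history: Counter = Counter()
    return [(ev.user, *score_event(ev, history)[:2]) for ev in events]
```

Feed `triage()` a list of `Event` records in chronological order; the shared history is what turns the second personal image upload from "allow" into "restrict".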

More than three-quarters of organizations have or are actively researching such behavior monitoring and analysis tools, according to IDG’s Security Priorities 2017 survey of top IT and security executives.

With all the potential context to consider and all the available tools, many organizations don't know where to start. Swafford offers this advice: "Understand what systems you're running and patch them properly. Also, go through a basic assessment to understand your most critical assets, how people interact with them, and what you are doing to control them. Such an exercise not only opens your eyes to the systems you're actually running, but can point you to the right tools and vendors to protect them."

Forcepoint's human-centric cybersecurity systems protect your most valuable assets at the human point: the intersection of users and data over networks of different trust levels. Visit www.forcepoint.com

Copyright © 2018 IDG Communications, Inc.