



Catch insider threats with User Behavior Analytics

May 26, 2016 | 5 mins
Analytics | Data and Information Security | Data Breach

Tracking every movement of insider threats

[Image credit: Thinkstock]

Securing and protecting confidential data and intellectual property (IP) has always been a challenge for organizations, even after adding tools such as data loss prevention (DLP) to the cybersecurity strategy. According to the Ponemon Institute's 2015 study, the most costly cybercrimes are those caused by malicious insiders, followed by denial-of-service and web-based attacks.

Mitigating malicious insiders requires enabling advanced technologies such as User Behavior Analytics (UBA), an emerging technology that can provide data protection and fraud detection capabilities for activity that would otherwise go unnoticed. UBA uses specialized security analytics algorithms that look beyond the initial login and track every subsequent user action on the systems that person uses for day-to-day operations and roles.


User behavior analytics technology performs two main functions. First, it establishes a baseline of the normal activities a user performs; second, it quickly identifies deviations from that baseline and triggers an action for security analysts to investigate. Anomalous or negligent behavior might not look malicious at first glance, so analysts still have to investigate and distinguish legitimate from malicious activity.

UBA applies statistical analysis and machine learning to learn user behavior and patterns as activity happens, and to detect and assess risky user behavior across the enterprise. It proactively helps hunt for insider threats and fraud, detect advanced malware activity, follow user actions to flag risky behavior automatically, and present a per-user risk profile to security analysts, without analysts spending hours or days sifting through thousands of noisy alerts. UBA consolidates and prioritizes security alerts.


A simple UBA use case is a privileged user accessing an organization's file server in the middle of the night, something he has never done before. There may be a legitimate reason: a maintenance activity scheduled for that night, as is routinely done, that requires him to access the server. Or it may be a compromised credential, with an attacker trying to exfiltrate data from the server to steal information or intellectual property. UBA can model and profile user behavior, surface such incidents in near real time, and alert security analysts to take action; without it, the behavior would go unnoticed and result in a successful data breach.
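To make the baseline-and-deviation logic concrete, here is an added Python example; it is not code from this article or from any UBA product. It assumes a simple event shape of (user, ISO timestamp, host, action), a constructed set of baseline events, a constructed change calendar for the file server, and illustrative scoring weights that a real engine would learn from far more features. It shows the three points made above: profiling each user's normal hosts and hours, scoring the night-time file-server access both with and without a scheduled change window, and refusing to score a user whose baseline is still too thin rather than emitting noise.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from datetime import datetime

# Constructed baseline events for this example: (user, ISO timestamp, host, action).
BASELINE_EVENTS = [
    ("alice", "2016-04-04T09:12:00", "fs-eng-01", "read"),
    ("alice", "2016-04-05T10:40:00", "fs-eng-01", "read"),
    ("alice", "2016-04-06T14:05:00", "wiki-01", "read"),
    ("alice", "2016-04-07T09:30:00", "fs-eng-01", "write"),
    ("alice", "2016-04-08T11:15:00", "fs-eng-01", "read"),
    ("alice", "2016-04-11T15:20:00", "fs-eng-01", "read"),
    ("bob",   "2016-04-04T10:00:00", "wiki-01", "read"),
    ("bob",   "2016-04-05T10:30:00", "wiki-01", "read"),
]

# Assumed change calendar: (host, window start, window end). Constructed for the example.
CHANGE_WINDOWS = [("fs-eng-01", "2016-05-20T22:00:00", "2016-05-21T04:00:00")]

MIN_BASELINE_EVENTS = 5  # assumed threshold: below this, refuse to score rather than guess


@dataclass
class Profile:
    hosts: Counter = field(default_factory=Counter)   # host -> access count
    hours: Counter = field(default_factory=Counter)   # hour of day -> access count
    events: int = 0


def build_profiles(events):
    """Learn, per user, which hosts and which hours of day are normal."""
    profiles = defaultdict(Profile)
    for user, ts, host, _action in events:
        p = profiles[user]
        p.hosts[host] += 1
        p.hours[datetime.fromisoformat(ts).hour] += 1
        p.events += 1
    return dict(profiles)


def in_change_window(host, ts, windows=CHANGE_WINDOWS):
    """True when the access falls inside a scheduled maintenance window for that host."""
    t = datetime.fromisoformat(ts)
    return any(h == host and datetime.fromisoformat(s) <= t <= datetime.fromisoformat(e)
               for h, s, e in windows)


def score_event(profiles, user, ts, host, action):
    """Score one new event against the user's baseline. Weights are illustrative only."""
    p = profiles.get(user)
    if p is None or p.events < MIN_BASELINE_EVENTS:
        return {"user": user, "score": None, "priority": "unscored",
                "reasons": ["insufficient baseline; keep learning"]}
    score, reasons = 0, []
    hour = datetime.fromisoformat(ts).hour
    if p.hours[hour] == 0:
        score += 2
        reasons.append(f"hour {hour:02d}:00 never seen for this user")
    if p.hosts[host] == 0:
        score += 3
        reasons.append(f"host {host} never accessed by this user")
    if action == "copy_out":
        score += 3
        reasons.append("data copied off the host")
    scheduled = in_change_window(host, ts)
    if scheduled:
        reasons.append("inside a scheduled change window for this host")
    # A scheduled change explains the timing, so it lowers urgency but never hides the event.
    if score >= 5 and not scheduled:
        priority = "investigate"
    elif score > 0:
        priority = "review"
    else:
        priority = "normal"
    return {"user": user, "score": score, "priority": priority, "reasons": reasons}


def triage(profiles, new_events):
    """Score a batch and order it so analysts see the riskiest events first."""
    results = [score_event(profiles, *e) for e in new_events]
    return sorted(results, key=lambda r: -1 if r["score"] is None else r["score"], reverse=True)


if __name__ == "__main__":
    profiles = build_profiles(BASELINE_EVENTS)
    for r in triage(profiles, [
        ("alice", "2016-05-21T02:30:00", "fs-eng-01", "read"),      # night access, change window open
        ("alice", "2016-05-25T02:30:00", "fs-eng-01", "copy_out"),  # night access plus data moved out
        ("bob",   "2016-05-25T02:30:00", "wiki-01", "read"),        # baseline too thin to judge
    ]):
        print(r)
```

The same night-time access lands as "review" when a change window covers it and as "investigate" when data also leaves the host outside any window, which is the distinction the use case above asks analysts to make. Bob's events are deliberately left unscored until his baseline has enough history, which is the baselining period discussed later in the article.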

The value of User Behavior Analytics technology

UBA can offer significant value on a number of fronts. It provides visibility into potential insider threats, from early red flags when a privileged account is being compromised by an external attacker who has lured a user, to measuring the change between a user's normal actions and anomalous ones.

UBA is built from many technology components: data sources, data integration, data mining, correlation, enrichment, data presentation and visualization, and service delivery. Vendors have been optimizing their capabilities around specific security use cases and domains. However, the success of these capabilities depends on collecting both structured and unstructured information.

The analytics engine's effectiveness depends heavily on feeding it the right data sources and applying the right context to that information: knowing which data and variables need to be analyzed, and how much weight each key variable carries in the risk rating functions.

Getting the right data feeds into the engine, with business context, is the key step in getting optimal value from an investment in UBA. Raw data sources can include VPN gateway logs for users connecting remotely to the enterprise network, Active Directory logs, Windows and Unix server logs, and security event logs from firewalls, DLP and similar controls. Together they connect the dots from the moment a user connects to the VPN gateway and establishes a session, through logging into an application server and accessing data on sensitive systems, to the time spent processing and moving data around and any transfer of data from a server to external systems.
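As an added example of the cross-source correlation described above (not the article's own code or any vendor's), the following Python parses constructed log lines written in the style of a VPN gateway, an Active Directory logon event, a file server and a DLP proxy, normalizes them into one event shape, and walks each user's timeline from VPN session to server logon to sensitive read to external transfer. The line formats, the rule that anything under /eng/ is sensitive, the one-hour linking window and the 80% byte ratio are all assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines in the style of the four sources; not from real devices.
RAW_LOGS = [
    "2016-05-20T22:05:10 vpn-gw1 user=alice src=203.0.113.7 event=tunnel-up",
    "2016-05-20T22:06:02 dc01 EventID=4624 TargetUserName=alice WorkstationName=FS-ENG-01 LogonType=3",
    "2016-05-20T22:09:45 fs-eng-01 user=alice op=read path=/eng/designs/turbine_v3.cad bytes=48123904",
    "2016-05-20T22:14:30 dlp-proxy user=alice dest=files.example-share.com bytes=48100000 verdict=allowed",
    "2016-05-20T09:00:00 vpn-gw1 user=bob src=198.51.100.9 event=tunnel-up",
    "2016-05-20T09:01:10 dc01 EventID=4624 TargetUserName=bob WorkstationName=WIKI-01 LogonType=3",
    "2016-05-20T09:05:00 wiki-01 user=bob op=read path=/public/handbook.pdf bytes=2048",
]

SENSITIVE_PREFIXES = ("/eng/",)      # assumed data classification of the file share
CHAIN_WINDOW = timedelta(hours=1)    # assumed: how long steps stay linked to one VPN session
EXFIL_RATIO = 0.8                    # assumed: outbound bytes vs. sensitive bytes read

# One regex per source; each yields the same named fields where the source has them.
PATTERNS = [
    ("vpn", re.compile(r"^(?P<ts>\S+) \S+ user=(?P<user>\w+) src=\S+ event=(?P<event>\S+)$")),
    ("ad",  re.compile(r"^(?P<ts>\S+) \S+ EventID=4624 TargetUserName=(?P<user>\w+) "
                       r"WorkstationName=(?P<host>\S+) LogonType=\d+$")),
    ("fs",  re.compile(r"^(?P<ts>\S+) (?P<host>\S+) user=(?P<user>\w+) op=(?P<op>\w+) "
                       r"path=(?P<path>\S+) bytes=(?P<bytes>\d+)$")),
    ("dlp", re.compile(r"^(?P<ts>\S+) \S+ user=(?P<user>\w+) dest=(?P<dest>\S+) "
                       r"bytes=(?P<bytes>\d+) verdict=\w+$")),
]


def parse(lines):
    """Normalize heterogeneous lines into dicts keyed by user and timestamp."""
    events = []
    for line in lines:
        for source, pat in PATTERNS:
            m = pat.match(line)
            if m:
                d = m.groupdict()
                d["source"] = source
                d["ts"] = datetime.fromisoformat(d["ts"])
                if "bytes" in d:
                    d["bytes"] = int(d["bytes"])
                events.append(d)
                break
    return events


def correlate(events):
    """Per user, link VPN session -> AD logon -> sensitive read -> outbound transfer."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        session_start, logon_host, sensitive = None, None, []
        for e in evs:
            if e["source"] == "vpn" and e["event"] == "tunnel-up":
                session_start, logon_host, sensitive = e["ts"], None, []
                continue
            if session_start is None or e["ts"] - session_start > CHAIN_WINDOW:
                continue  # not inside a linked VPN session; ignore for this chain
            if e["source"] == "ad":
                logon_host = e["host"]
            elif e["source"] == "fs" and e["path"].startswith(SENSITIVE_PREFIXES):
                sensitive.append((e["path"], e["bytes"]))
            elif e["source"] == "dlp" and sensitive:
                read_bytes = sum(b for _, b in sensitive)
                if e["bytes"] >= EXFIL_RATIO * read_bytes:
                    findings.append({
                        "user": user,
                        "session_start": session_start.isoformat(),
                        "logon_host": logon_host,
                        "sensitive_paths": [p for p, _ in sensitive],
                        "bytes_read": read_bytes,
                        "bytes_out": e["bytes"],
                        "dest": e["dest"],
                    })
                    sensitive = []  # do not count the same reads twice
    return findings


if __name__ == "__main__":
    for f in correlate(parse(RAW_LOGS)):
        print(f)
```

Each source on its own looks benign: a VPN logon, a successful 4624 event, a file read, an allowed upload. Only after normalizing them onto one per-user timeline does the chain read as sensitive data leaving the network within minutes of a remote logon, which is the "connect the dots" outcome the paragraph above describes.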

Lastly, IP theft and data exfiltration, fraud detection, malware detection and analysis of employees' social media activity are some of the use cases where UBA can detect and flag early warnings to security teams. Once a vendor solution is selected and deployed, the next big step is to establish an initial baseline by observing user activity for a few weeks before expecting real results or value.

If the technology is not baselined and fine-tuned, it is just another tool generating thousands of noisy alerts. To get optimal results, one needs to spend quality time watching and understanding user behavior in the enterprise and distinguishing normal from anomalous behavior. Self-learning algorithms, machine learning and statistics can then highlight abnormal behavior and frequencies, and detect critical insider threats and targeted advanced attacks.


Ajay Kumar is an information security and risk management consultant with more than 15 years of experience in various industries. Ajay has predominantly worked on initiatives involving enterprise mobile security, cybersecurity, data protection and privacy, security operations, security analytics and identity and access management.

The opinions expressed in this blog are those of Ajay Kumar and do not necessarily represent those of IDG Communications Inc., or its parent, subsidiary or affiliated companies.
