



Protect your unstructured data with user behavior analytics

Mar 22, 2017, 4 mins
Analytics, Endpoint Protection, Internet Security

User behavior analytics sniffs out anomalies in users' actions and alerts IT security teams of suspicious behavior


The theft of unstructured data is extremely common. It can be very difficult to safeguard emails and files when a lot of people have access. Even the CIA is not immune, judging by the recent exposure of its hacking tools via WikiLeaks. It’s ironic that the CIA’s hacking guides have been hacked, but it just goes to show how difficult such theft can be to prevent.

Carelessly handled unstructured data is an easy target, and it can prove very valuable for hackers. Since unstructured data may not be monitored, attacks and successful exfiltrations often go unnoticed for long periods.

For example, the big data breach at Yahoo was only investigated after someone offered to sell millions of accounts on the black market.

Many companies have no idea that they’ve been infiltrated. The global average time between compromise and breach detection is 146 days, according to FireEye. Clearly, there’s a tangible need to cut that down, and user behavior analytics could be the answer.

What is user behavior analytics?

The idea behind user behavior analytics is to establish what normal activity looks like at an organization and to monitor for anything unusual. The focus is firmly on users, and suspicious behavior is flagged so that the IT security team can investigate. Many different actions might be flagged as worthy of further investigation, such as an employee accessing a system at 2 am, suddenly modifying thousands of files or trying to change administrative privileges.

Being able to detect when users access sensitive data is the first step toward securing it properly. The beauty of user behavior analytics is that it’s about keeping a watchful eye on activities that IT security teams are worried about. That might be all activity pertaining to sensitive data, but it can also include mass failed login attempts, email attachments sent to personal accounts and changes made outside of change control windows.
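As an added illustration (not from the original article or any vendor product), the baseline-then-deviation approach described above can be sketched in Python: learn each user's usual hours and daily file-modification volume, then flag off-hours access, mass modification and failed-login bursts. The event format, thresholds, function names and all log data below are assumptions constructed for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime
from statistics import mean, pstdev

def build_baseline(events):
    """Learn each user's usual active hours and daily file-modification counts."""
    hours = defaultdict(set)
    daily = defaultdict(Counter)
    for ts, user, action in events:
        t = datetime.fromisoformat(ts)
        hours[user].add(t.hour)
        if action == "file_modify":
            daily[user][t.date()] += 1
    return {u: {"hours": hours[u], "mods": list(daily[u].values()) or [0]} for u in hours}

def detect(baseline, events, sigma=3.0, failed_login_limit=10):
    """Return sorted (user, reason) alerts for one day of events."""
    alerts = set()
    mods, fails = Counter(), Counter()
    for ts, user, action in events:
        profile = baseline.get(user)
        if profile is None:
            alerts.add((user, "no_baseline"))
            continue
        if datetime.fromisoformat(ts).hour not in profile["hours"]:
            alerts.add((user, "unusual_hour"))
        mods[user] += action == "file_modify"
        fails[user] += action == "login_failed"
    for user, n in mods.items():
        history = baseline[user]["mods"]
        # Floor the deviation at 1 so a perfectly steady history still tolerates small drift.
        if n > mean(history) + sigma * max(pstdev(history), 1.0):
            alerts.add((user, "mass_file_modification"))
    alerts.update((u, "failed_login_burst") for u, n in fails.items() if n >= failed_login_limit)
    return sorted(alerts)

# Constructed sample data (not real logs): ten days of normal activity.
HISTORY = [(f"2017-03-{d:02d}T{h:02d}:15:00", "alice", "file_modify")
           for d in range(6, 16) for h in (9, 11, 14, 16)]
HISTORY += [(f"2017-03-{d:02d}T10:00:00", "bob", "file_read") for d in range(6, 16)]
# Constructed day under review: alice modifies 500 files at 2 am; bob fails 12 logins.
TODAY = [("2017-03-16T02:00:00", "alice", "file_modify")] * 500
TODAY += [("2017-03-16T10:00:00", "bob", "login_failed")] * 12
TODAY += [("2017-03-16T10:05:00", "bob", "file_read")]

if __name__ == "__main__":
    for user, reason in detect(build_baseline(HISTORY), TODAY):
        print(f"ALERT {user}: {reason}")
```

Treating any never-before-seen hour as unusual is a deliberate simplification; a production baseline would weight hours by frequency and age out old history.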

A lot of the time and money we put into information security is centered on software tools, but we know that the weakest link in cybersecurity is employees. It makes a lot of sense to take a closer look at people. Some security incidents can only be detected by analyzing people and their behavior with regard to valuable company data.

A full 88 percent of end users say their job requires them to access and use proprietary information, according to Varonis. Interestingly, 62 percent say they have access to company data they probably shouldn’t see.

Getting into the network through an employee’s account can give a determined attacker access to a lot of unstructured data, some of which will arm them with the ammunition they need to burrow deeper or infiltrate new systems laterally. IT practitioners say insider negligence is more than twice as likely as anything else to cause compromise of insider accounts.

It’s important that we look beyond perimeter defenses. Better firewalls, antivirus software or malware detection are not going to solve the problem, but user behavior analytics could make a real difference.

Uncovering anomalies inside and out

Because user behavior analytics sniffs out anomalies in user behavior, it can determine when a legitimate user’s credentials are being used by an external attacker. But the fact that it quickly identifies any deviation from the norm means it can spot the changes that signal insider theft or sabotage as well. Anything that doesn’t match the usual pattern of daily business sparks an alert.

These kinds of alerts still require an experienced security officer to investigate and assess them, but they can drastically cut down on the time it takes to identify and confirm problems. As user behavior analytics technology improves, it’s likely to encompass more automation and go beyond data breach identification.

All of the best security strategies include a blend of technologies and take a holistic view of the potential risks. The cost of a data breach is so high that it’s essential to take every action at your disposal that might mitigate the risk. Coupled with solid perimeter defenses, user behavior analytics is a powerful asset in the fight against data theft, and it represents an irresistible opportunity for companies to tighten up unstructured data protection. 

The opinions expressed in this blog are those of Michelle Drolet and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.


Michelle Drolet is a seasoned security expert with 26 years of experience providing organizations with IT security technology services. Prior to founding Towerwall (formerly Conqwest) in 1993, she founded CDG Technologies, growing the IT consulting business from two to 17 employees in its first year. She then sold it to a public company and remained on board. Discouraged by the direction the parent company was taking, she decided to buy back her company. She re-launched the Framingham-based company as Towerwall. Her clients include Biogen Idec, Middlesex Savings Bank, PerkinElmer, Raytheon, Smith & Wesson, Covenant Healthcare and many mid-size organizations.

A community activist, she has received citations from State Senators Karen Spilka and David Magnani for her community service. Twice she has received a Cyber Citizenship award for community support and participation. She's also involved with the School-to-Career program, an intern and externship program, the Women’s Independent Network, Young Women and Minorities in Science and Technology, and Athena, a girls’ mentorship program.

Michelle is the founder of the Information Security Summit at Mass Bay Community College. Her numerous articles have appeared in Network World, Cloud Computing, Worcester Business Journal, SC Magazine, InfoSecurity, Web Security Journal and others.
