User behavior analytics: separating hype from reality

I’ve been involved in the data analytics and high-tech industries long enough to have seen plenty of new technologies subjected to a degree of hype so great they could never ever measure up.

Some of these (fuzzy logic or Google Glass, anyone?) flamed out quickly; others, like artificial intelligence (AI), have had seesawing fortunes spanning decades — here subject to the loftiest expectations only to be followed there by a ‘trough of disillusionment’ (one of Gartner’s hype-cycle stages, and a term I like) as physical, technical and other limitations became evident.

Within the sub-domain of AI for security, a collection of technologies known as user behavior analytics (UBA) is now enjoying its own moment of high expectations, much as security information and event management (SIEM) systems did about a decade ago.

UBA differs from SIEM in not just aggregating and correlating alerts from different network events but by using a combination of AI and analytical approaches — including rules-based, pattern-matching and statistical methods, plus supervised and unsupervised machine learning — to establish baselines of how systems, networks and devices typically behave, and then to detect significant anomalies in their behavior and send alerts to security teams for further investigation.

Gartner industry analysts in particular have spent lots of time thinking about UBA. They note that UBA tools hold several key advantages over SIEM for applications like insider threat detection, credential abuse, account takeovers and IP/data loss prevention. First, they detect threats better (and detect ‘better’ threats) than SIEM tools; second, they analytically decide what matters, then boost those signals while minimizing the ‘noise’; and third, they solve some security problems with less expert labor.

That said, analysts from Gartner as well as from Forrester Research and Enterprise Security Group (ESG) also are mindful of lingering UBA weaknesses, including:

• There are some so-called “black swan” events that a UBA system won’t find because they don’t resemble past events.
• AI-based UBA approaches are good at detecting anomalous behavior, but they also spot lots of other things that analysts need to spend time chasing down, only to discover they were not actual threats but “false positives.”
• Not all organizations have in place the kinds of human expertise required to run a UBA system properly; in particular, many lack data scientists.
• Network data is not enough to find insider threats and other malicious actors; businesses need additional context from non-IT data sources like personnel files, travel records and employment histories.
• Obtaining all that new data and getting it cleaned and integrated properly is not easy, for a variety of organizational and technical reasons.

These firms are in general agreement that UBA won’t replace human analysts any time soon — instead, it should be seen as making them more effective and less prone to alert fatigue. They also tend to agree that SIEM is not going away, and in many cases should be viewed as complementary to UBA. The best UBA systems, one analyst notes, make SIEM ‘smarter’ by focusing on analyzing streaming and batch data rather than on rules.

They do differ, though, on the issue of whether UBA is a passing fad. Some think UBA will be dead as a standalone market category in five years, transformed into next-gen SIEM or folded into adjacent security markets such as endpoint security, identity and access management and data loss prevention, where advanced analytics and behavioral profiling will help these products lower alert volumes while producing more accurate and actionable high-priority alerts.

My experience tells me that the UBA market, like that for SIEM and other technologies before it, won’t die but will certainly evolve as time goes by. (One ESG analyst called this progression “innovative flux.”) I’m not just talking about inevitable industry churn prompted by corporate bankruptcies and acquisitions (which is already starting to happen), or newly coined buzzwords, but a progression of new techniques and technologies as well.

It also matters that user behavior analytics has already produced successes against some of the security community’s toughest challenges. For instance, encoding whole-person behavior into probabilistic models and then running a diverse array of network- and non network-related data sets through the model nodes is a UBA approach that has been proven to drastically reduce alert fatigue while prioritizing real risks to an organization, easing the strain on the already overworked SOC analysts and letting them focus on the risks that really matter. And it also overcomes most of the other UBA weaknesses that I listed above.

I’ll write more about adjacent security markets for UBA in a future blog. I will also address the application of other AI technologies to security because I believe there is in fact still a lot of hype out there, which is unhelpful to those of us who’ve already witnessed some significant advances in critical areas. There’s always room for improvement, of course, but if we prematurely write UBA’s obituary I believe we run the risk of overlooking some very real existing achievements — and others that are not too far over the horizon.