Behavior Analysis in Practice: How to Build an Accurate Picture of Each User
User Behavior Analytics (UBA) is the great new hope in IT security. Many experts agree that it has the potential to uncover “unknown unknowns” by catching attacks that nothing else can. Of course, new technologies like this are always over-hyped by vendors, but UBA does represent a real opportunity to significantly raise the security level of enterprises. So how does it work?
Users leave footprints all over the system as they use the company infrastructure. Their actions appear in logs, audit trails and numerous other places. This is a huge amount of valuable data that already exists; the first step for a UBA tool is to collect it. From the gathered digital footprints it is possible to build a baseline of what is “normal” for each user: when they are usually active, which services they use, how they use those services and so on. UBA products use several different machine learning algorithms to create this profile. Once the baseline is established, the tool can compare new activity against each user's usual behavior and identify deviations in real time. An attacker using a hijacked account, or a malicious insider, will interact with the system differently from the legitimate user; by comparing activity to the baseline, UBA tools can catch such activity as it happens and alert the SOC. One caveat a practitioner should keep in mind: the baseline is only as good as the history behind it, so a brand-new account, or a user whose role has just changed, has no reliable “normal” yet and will produce noise until enough data has been collected.
The reason UBA products use several machine learning algorithms to create a profile is that the “silver bullet” algorithm exists only in movies. Any one algorithm may raise a user's risk score unnecessarily, but when several different algorithms trigger on the same activity, it deserves a closer look. For example, the fact that a user who always logs in around 8 AM is logging in at 6 AM is not necessarily suspicious; perhaps he wants to leave the office early for personal reasons. But if, at the same time, he logs in from a strange country, accesses servers he has never accessed before and runs commands that differ from his usual pattern, this is much more suspicious. In practice this means combining the outputs of independent detectors into one risk score, with an alert threshold that a single detector is unlikely to cross on its own.
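The mechanism described above, as an added example written for this article (it is not Blindspotter's code or any vendor's): a toy pipeline that parses constructed log lines for one user, builds the baseline, and scores new events with five independent detectors (login hour, country, device, server, commands) before combining them into one risk score. The log format, the user and host names, the “hours from the nearest usual login hour” scoring and the alert threshold are all assumptions made for the illustration.

```python
"""
Added example, not code from the article or from Blindspotter: a toy UBA
pipeline. It learns a per-user baseline from past log events, scores a new
event with several independent detectors, and only alerts when several fire
at once. Log format, user, hosts, countries and thresholds are constructed.
"""
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime

@dataclass
class Event:
    user: str
    ts: datetime        # when the session started (UTC)
    country: str        # geolocated source of the session
    host: str           # device the session came from
    server: str         # system that was accessed
    commands: tuple     # commands run during the session

@dataclass
class Baseline:
    hours: Counter = field(default_factory=Counter)
    countries: set = field(default_factory=set)
    hosts: set = field(default_factory=set)
    servers: set = field(default_factory=set)
    commands: set = field(default_factory=set)

def parse(line):
    """Constructed log format: '<ISO time> user=.. country=.. host=.. server=.. cmd=a,b'."""
    ts, *pairs = line.split()
    f = dict(p.split("=", 1) for p in pairs)
    cmds = tuple(f["cmd"].split(",")) if f.get("cmd") else ()
    return Event(f["user"], datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                 f["country"], f["host"], f["server"], cmds)

def build_baseline(history):
    """What is 'normal' for one user, learned from their past events."""
    b = Baseline()
    for e in history:
        b.hours[e.ts.hour] += 1
        b.countries.add(e.country)
        b.hosts.add(e.host)
        b.servers.add(e.server)
        b.commands.update(e.commands)
    return b

# Independent detectors. Each returns a score in [0, 1]; none of them alone
# is meant to decide anything.
def time_score(b, e):
    """Graded: hours (on the 24h clock) from the nearest usual login hour, capped at 4."""
    dist = min(min(abs(e.ts.hour - h), 24 - abs(e.ts.hour - h)) for h in b.hours)
    return min(dist, 4) / 4.0          # 2h early -> 0.5, 4h or more -> 1.0

def command_score(b, e):
    """Fraction of the session's commands never seen in the baseline."""
    if not e.commands:
        return 0.0
    return sum(c not in b.commands for c in e.commands) / len(e.commands)

DETECTORS = {
    "time": time_score,
    "country": lambda b, e: 0.0 if e.country in b.countries else 1.0,
    "host": lambda b, e: 0.0 if e.host in b.hosts else 1.0,
    "server": lambda b, e: 0.0 if e.server in b.servers else 1.0,
    "commands": command_score,
}
ALERT_THRESHOLD = 2.0   # constructed: about "two detectors' worth" of anomaly

def risk(b, e):
    """Per-detector scores, their sum, and a level; an alert needs several signals."""
    scores = {name: fn(b, e) for name, fn in DETECTORS.items()}
    total = sum(scores.values())
    level = "alert" if total >= ALERT_THRESHOLD else "elevated" if total >= 1.0 else "low"
    return scores, total, level

# Constructed history: alice logs in around 8-9 AM from Hungary, from her own
# laptop, to the marketing server, and runs a handful of familiar commands.
HISTORY = [
    "2024-03-04T08:12:00Z user=alice country=HU host=alice-laptop server=marketing-srv cmd=ls,cat,scp",
    "2024-03-05T08:03:00Z user=alice country=HU host=alice-laptop server=marketing-srv cmd=ls,vim",
    "2024-03-06T09:05:00Z user=alice country=HU host=alice-laptop server=marketing-srv cmd=ls,cat",
    "2024-03-07T08:30:00Z user=alice country=HU host=alice-laptop server=marketing-srv cmd=ls,vim,scp",
]
EARLY_LOGIN = "2024-03-11T06:02:00Z user=alice country=HU host=alice-laptop server=marketing-srv cmd=ls,cat"
EARLY_LOGIN_ABROAD = "2024-03-11T06:02:00Z user=alice country=VN host=alice-laptop server=hr-srv cmd=mysqldump,nc,curl"
NIGHT_LOGIN = "2024-03-12T02:15:00Z user=alice country=HU host=alice-laptop server=marketing-srv cmd=ls"

def score_line(line, history=HISTORY):
    """Build alice's baseline from the history and score one new log line."""
    return risk(build_baseline(parse(h) for h in history), parse(line))

if __name__ == "__main__":
    for name, line in [("early login", EARLY_LOGIN), ("early login abroad", EARLY_LOGIN_ABROAD),
                       ("night login", NIGHT_LOGIN)]:
        scores, total, level = score_line(line)
        print(f"{name:20s} total={total:.1f} level={level} {scores}")
```

Run it and the early login alone scores 0.5 (“low”), the same login from Vietnam to an HR server with unfamiliar commands scores 3.5 (“alert”), and a 2 AM login with nothing else odd lands at 1.0 (“elevated”): one strong signal is worth a look, but only several signals together page the SOC. A real product replaces the set-membership detectors with models that tolerate gradual drift (a server accessed once a month should not stay “unseen” forever), which is exactly where the choice of algorithms matters.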
UBA tools must collect the most relevant digital footprints in order to find malicious insiders or external attackers. But which digital footprints are the most useful in such a situation? Which ones characterize users most precisely?
Top 5 Behavior Patterns of Office Workers
People’s work rhythm – when are we working?
Every workday is the same! Lots of bored employees complain about that. They wake up at the same time, follow the same routines before going to work and arrive at their workplace at approximately the same time. They also tend to have lunch and snacks at the same time every day, and leave the office around the end of their working hours. So they behave very similarly on at least 90 percent of their workdays. For example, I start work around 8:30 AM every morning and leave the office at 5:30 PM. Based on that, a login in the middle of the night would be highly unusual! Note that working hours have to be learned per user, in the user's own time zone, rather than set globally; otherwise shift workers and travelling staff would trigger constantly.
Used applications – what do we run?
Most of us use the same applications day after day. For example, I usually run MS Word and Excel, Google Chrome, File Explorer, Evernote and sometimes Paint. But I never use SAP, Jupyter Notebook or Emacs, which are applications frequently used by our finance department, data scientists and developers respectively. So if these, or any other unusual, applications started appearing under my account, that would be highly suspicious.
Accessed files and servers – what are we working on?
Although I am a curious person, in my work I usually access only the marketing server, where I can find all the files I need. I am sure the HR director would ask me why I had downloaded and opened the spreadsheet containing the salaries of all my colleagues.
Work environment – from where and what device do we use?
I work in the same office day after day and spend only a few workdays away from it, when I visit one of the world's major IT security conferences. Furthermore, I always bring my corporate notebook when I travel, as most office workers do. In other words, a login to the corporate network from Vietnam, from a host I have never used before, would be an obvious anomaly.
Keystroke dynamics – how do we type?
Fingerprint reading and retina scanning are the best-known forms of biometric authentication, but they are not the only ones. The way we type is also very idiosyncratic. Not only the speed, but the mistakes we make as we type and the time between pressing two specific keys vary from person to person; for example, I always write user behavoir instead of user behavior. Unlike the other patterns, this one cannot be derived from ordinary application logs: it needs key press and release timestamps, so it is only available where the session input itself is captured.
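Keystroke dynamics in working code, as an added example that is not part of the original article and not Blindspotter's implementation: it turns raw key press and release timestamps into hold times and flight times, enrols a user from several typing samples, and scores a new sample by its mean absolute z-score against that profile. The key events, the two typing styles, the minimum standard deviation and the match threshold are all constructed for the illustration; a real deployment tunes the threshold on measured false accept and false reject rates.

```python
"""
Added example (not from the article, not Blindspotter code): keystroke
dynamics as a behavioural feature. Hold time = how long a key stays down,
flight time = gap between releasing one key and pressing the next. A user's
profile is the mean/std of each feature over enrolment samples; a new sample
is scored by its mean absolute z-score. All key events are synthetic.
"""
import random
import statistics

def extract_features(events):
    """events: [(key, press_ms, release_ms), ...] in typing order -> {feature: ms}."""
    feats = {}
    for i, (key, press, release) in enumerate(events):
        feats[f"hold:{key}"] = release - press
        if i > 0:
            prev_key, _, prev_release = events[i - 1]
            feats[f"flight:{prev_key}{key}"] = press - prev_release
    return feats

def build_profile(samples, min_std=5.0):
    """Mean and std per feature over one user's enrolment samples. The std is
    floored (constructed value) so a feature that barely varied during
    enrolment cannot dominate the distance later, a classic few-sample pitfall."""
    profile = {}
    for name in set().union(*samples):
        vals = [s[name] for s in samples if name in s]
        if len(vals) >= 2:
            profile[name] = (statistics.fmean(vals), max(statistics.pstdev(vals), min_std))
    return profile

def distance(profile, feats):
    """Mean absolute z-score of a new sample against the profile (lower = more similar)."""
    zs = [abs(v - profile[n][0]) / profile[n][1] for n, v in feats.items() if n in profile]
    return statistics.fmean(zs) if zs else float("inf")

MATCH_THRESHOLD = 2.0   # constructed; tune on real FAR/FRR measurements

def matches(profile, feats):
    """True when the sample is close enough to the enrolled typing pattern."""
    return distance(profile, feats) < MATCH_THRESHOLD

def synth_events(text, hold_ms, flight_ms, rng, hold_sd=8.0, flight_sd=15.0):
    """Construct (key, press_ms, release_ms) events for typing `text` in a given style."""
    events, t = [], 0.0
    for ch in text:
        hold = max(20.0, rng.gauss(hold_ms, hold_sd))
        events.append((ch, t, t + hold))
        t += hold + max(10.0, rng.gauss(flight_ms, flight_sd))
    return events

# Constructed data: eight enrolment sessions of one person typing "behavior",
# then a new session from the same person and one from an impostor who holds
# keys longer and moves between them faster.
TEXT = "behavior"
_rng = random.Random(42)
ENROLMENT = [extract_features(synth_events(TEXT, 90, 120, _rng)) for _ in range(8)]
PROFILE = build_profile(ENROLMENT)
GENUINE = extract_features(synth_events(TEXT, 90, 120, random.Random(7)))
IMPOSTOR = extract_features(synth_events(TEXT, 150, 50, random.Random(7)))

if __name__ == "__main__":
    for label, sample in [("genuine", GENUINE), ("impostor", IMPOSTOR)]:
        print(f"{label:9s} distance={distance(PROFILE, sample):.2f} match={matches(PROFILE, sample)}")
```

With the typing styles above the genuine session lands well under the threshold and the impostor well over it. The interesting engineering choice is the floored standard deviation: with a handful of enrolment samples some digraph will, by chance, show almost no variation, and without the floor that one feature would reject the legitimate user on every later session.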
The strength of User Behavior Analytics depends on the quality of the analyzed digital footprints. As the saying goes: garbage in, garbage out. Any analytics is only as good as the data that feeds it.
About the Author
Dániel Bagó is the product marketing manager of Blindspotter, a user behavior analytics solution developed by Balabit. He has 12 years of experience in the field of communications. On the agency side Dániel provided communication consultancy services to various multinational technology companies, including Microsoft, Google, Intel, IBM, Samsung, Vodafone and Telenor.
Edited by Peter Bernstein