Co-authored by Dr. Yaron Wolfsthal

While some behavioral analytics methods have been pursued for business intelligence purposes for quite some time, they have been primarily focused on the buying habits of groups of people. In the context of information security, behavioral analytics can be used to carefully and comprehensibly develop models that would support an organization’s ability to conduct risk assessment of resources such as users and computers on an enterprise network to alert against individual entities that may pose a potential threat.

Examples of attacks that can be identified by security behavioral analytics may include a cybercriminal who has gained access to an employee’s legitimate credentials, an insider whose behavior represents a threat to the well-being of the company or a compromised server on the organization’s network that is clandestinely sending corporate data to a command-and-control (C&C) server on the open Internet.

How Security Behavioral Analytics Differ From Cohort Analytics

Superficially, security behavioral analytics may look similar to business intelligence methods like cohort analytics. The latter takes data collected from the usage of products or services, such as an e-commerce or online gaming platform, and breaks it down into related groups for analysis. These related groups, or cohorts, usually share common characteristics within a defined time span.

By properly capturing the different characteristics of cohorts (e.g., the purchasing patterns over time), a company can adapt and tailor its service to specific cohorts (e.g., offering special incentives at critical stages). Thus, cohort analysis is useful in making mass marketing smarter and more effective. However, the success or failure of cohort-based marketing is less critical to the company’s well-being than security behavioral analytics, where the timely detection of an attack on a company’s crown jewels can save the company from losing business.

Identifying Anomalies With Behavioral Analytics

On a basic level, behavioral analytics relies upon anomaly detection — the capability to sift through large amounts of data and to identify patterns that do not conform to those statistically expected. In the context of security, such anomalies might represent a variety of threats: intrusions to networks by an impostor, unwarranted escalation of privileges, transmission of sensitive corporate information across irregular channels and so on.

Take the example of user authentication. Traditional methods have primarily relied upon password-based schemes or biometric methods to authenticate an individual accessing the system. Taking a behavioral analytics approach, an input device can track the interaction profile of the user, such as click speed or geometric patterns of mouse movement, and differentiate impostors from legitimate users based on changes in their interaction patterns.

A good anomaly detection mechanism looks not only for abundance — say, too many failed login attempts that may indicate that someone is trying to breach the system — but also the truly different. As an example, when bank employee A goes on vacation and her role is temporarily filled by employee B, the algorithm should not trigger an alarm merely on seeing different IDs in the access logs unless different systems are accessed by B during A’s vacation period. That would suggest further investigation of the difference. In this example, the algorithm has essentially learned the system access patterns associated with the said role.

Practical Aspects

In deploying behavioral security analytics, a phase of tuning will almost always be required to customize the solution to the specific environment it is in. Moreover, since anomaly detection is based on statistical methods, a baseline for normal system behavior must be established. No system can come completely customized to your organization special needs out of the box. In some systems, a single failed login is a cause for alarm, while in others it might be the norm, and verifying a breach requires the detection of another attack vector like port scanning.

During operation, some of the detected anomalies or misbehaviors may be unrelated to security, with red flags going up due to malfunctioning or new system components. To effectively prioritize and act solely on the true security breaches, the organization needs to have the resources to investigate these issues. A high-quality forensics tool is invaluable for this purpose.

In establishing a sound enterprise security strategy, behavioral analytics provides an advanced level of protection, but it cannot replace — and, in fact, must be built upon — more basic methods. For example, assume that an antivirus tool claims to have successfully cleaned a malware, but other indicators detect a post-breach behavior of this virus. In this case, behavioral analytics can cross-correlate the basic indicators and help reach the right conclusion.

Three Tips for Implementing Security Behavioral Analytics

  1. Collect all the information you can lay your hands on. In this era of big data, the more you have, the better you can find the things you should be looking for. Sometimes, success can come from connecting dots that you didn’t even know you had.
  2. Use state-of-the-art machine learning tools. There are many possible solutions, some of which are even open source, and the best mix is to have a subject matter expert work hand-in-hand with the machine learning expert.
  3. Reiterate. Since you are chasing bad guys who are actively trying to avoid being caught, you must change your methods regularly to keep finding them.

More from Intelligence & Analytics

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

Web injections are back on the rise: 40+ banks affected by new malware campaign

8 min read - Web injections, a favored technique employed by various banking trojans, have been a persistent threat in the realm of cyberattacks. These malicious injections enable cyber criminals to manipulate data exchanges between users and web browsers, potentially compromising sensitive information. In March 2023, security researchers at IBM Security Trusteer uncovered a new malware campaign using JavaScript web injections. This new campaign is widespread and particularly evasive, with historical indicators of compromise (IOCs) suggesting a possible connection to DanaBot — although we…

Accelerating security outcomes with a cloud-native SIEM

5 min read - As organizations modernize their IT infrastructure and increase adoption of cloud services, security teams face new challenges in terms of staffing, budgets and technologies. To keep pace, security programs must evolve to secure modern IT environments against fast-evolving threats with constrained resources. This will require rethinking traditional security strategies and focusing investments on capabilities like cloud security, AI-powered defense and skills development. The path forward calls on security teams to be agile, innovative and strategic amidst the changes in technology…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today