User Behavior Analytics: What It Is and How It Advances Digital Security

May 19, 2021

Organizations are struggling to pinpoint threats that come from real user accounts. Take insider threats, as an example. In a 2020 report, 68% of IT and security experts felt their employers were somewhat or very at risk from insider attacks. Over half (53%) said it had become at least somewhat harder to detect an insider attack after migrating to the cloud. About the same proportion admitted that it was more difficult to detect insider threats than external attacks. When asked why, 59% said it was because insiders already had credential access to the network and services. User behavior analytics (UBA) presents one way to solve these problems.

Insiders aren’t the only ones using legitimate accounts to their advantage, either. Researchers saw a 300% increase in instances where external attackers conducted account takeover (ATO) fraud. Those incidents gave attackers the chance to spread out across their victims’ networks. In fact, 70% of digital attacks in 2020 involved attempts to move sideways across the network, per a study covered by Health IT Security. It’s not surprising, as lateral movement is crucial for targeting key assets and stealing sensitive information from the network.

Both insider threats and ATO fraud highlight the dangers of relying solely on security tech that faces outward to detect account misuse. Firewalls and similar tools focus on maintaining the perimeter, an outdated concept in the age of distributed systems, cloud computing and remote work. They aren’t equipped to defend against threats that are lurking in the network and using a trusted account for malicious purposes. So, you need to adjust the approach. But how?

Oh, Behave!

The key is to begin taking advantage of UBA. This solution collects information about each authorized user account and uses it to spot strange behavior. UBA tools perform this data collection, conduct their analysis and issue alerts with the help of artificial intelligence and machine learning.

A fictional example might be helpful. Say there’s an employee named ‘Alex’ at ‘ACME Tech,’ which uses UBA. Having just purchased and deployed a new UBA solution, ACME Tech sets up a baseline set of behaviors for Alex by itself. These include working standard business hours on the West Coast and downloading an average of 50 MB of data a day.

One weekend, the security team at ACME Tech receives an alert from the UBA solution about Alex. The alert shows that someone logged in to Alex’s work account at 2 a.m. local time. It also conveys that the account then attempted to download several gigabytes over the span of two hours. The UBA solution locks Alex’s account, giving the defenders time to look into what happened. Then they can trace the compromise back to a successful phishing attack and take further steps to solve the problem.
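The Alex scenario above, sketched as detection logic (an added example, not code from the article or from any UBA product). The history, thresholds and lock policy are constructed assumptions; timestamps are taken to be in the user's local time.

```python
from collections import Counter
from datetime import datetime, timedelta
from statistics import median

def constructed_history():
    """Four weeks of constructed workdays: (login time, MB downloaded that day)."""
    start = datetime(2021, 3, 1)  # a Monday
    days = [start + timedelta(days=k) for k in range(28)]
    workdays = [d for d in days if d.weekday() < 5]
    return [(d.replace(hour=8 + i % 3), 43 + (i * 7) % 21)
            for i, d in enumerate(workdays)]

def build_baseline(events):
    """Learn login-hour/weekday frequencies and a robust volume profile."""
    mbs = [mb for _, mb in events]
    med = median(mbs)
    mad = median(abs(mb - med) for mb in mbs) or 1.0  # avoid divide-by-zero
    return {
        "n": len(events),
        "hours": Counter(ts.hour for ts, _ in events),
        "weekdays": Counter(ts.weekday() for ts, _ in events),
        "median_mb": med,
        "mad_mb": mad,
    }

def anomalies(baseline, ts, mb, rare=0.02, z_limit=6.0):
    """Return the list of ways one event deviates from the baseline."""
    found = []
    if baseline["hours"][ts.hour] / baseline["n"] < rare:
        found.append("unusual_hour")
    if baseline["weekdays"][ts.weekday()] / baseline["n"] < rare:
        found.append("unusual_weekday")
    # Modified z-score (median/MAD) so one past spike cannot inflate the baseline.
    z = 0.6745 * (mb - baseline["median_mb"]) / baseline["mad_mb"]
    if z > z_limit:
        found.append("volume_spike")
    return found

def decide(found):
    """Hypothetical policy: lock on off-pattern login plus spike, else alert."""
    timing = {"unusual_hour", "unusual_weekday"} & set(found)
    if timing and "volume_spike" in found:
        return "lock"
    return "alert" if found else "ok"

BASELINE = build_baseline(constructed_history())
WEEKEND_2AM = anomalies(BASELINE, datetime(2021, 4, 3, 2, 0), 3000)
print(WEEKEND_2AM, decide(WEEKEND_2AM))
```

A large download during normal hours only raises an alert under this policy; the lock is reserved for the combination of off-pattern timing and a volume spike, which keeps a single noisy signal from locking out a working user.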

The Perks of UBA

The example provided above highlights speed as one of the central benefits of UBA. Security experts need to spot a potential incident as soon as possible in order to minimize its scope and impact. With UBA, security personnel can leverage automated visibility into user behavior to minimize certain threat categories confronting their employers.

The role of automation in UBA is also crucial. Sure, security teams could try on their own to establish a baseline of users’ behavior. But they’re human. They can’t monitor all user accounts equally and at once. Nor can they afford to just monitor user behavior on any given day.

With UBA, you can sidestep this problem and spare security teams the tedious task of having to perform manual user behavior monitoring. This allows the teams to focus on other tasks that could have a more meaningful impact on the digital security posture.

How to Implement User Behavior Analytics

To implement UBA well, first invest in a robust UBA solution. Blockbird Ventures notes that this tool should consist of three components. First, it should have custom-built architecture that allows admins to answer queries relevant to them. Second, it needs to run in real time to query data almost instantly. Third, it must be scalable so that teams can continue to leverage the same platform as their business evolves.

At that point, organizations can configure their UBA tools in a way that directly contributes to their digital defense efforts. This should involve collecting all the information they can to construct user baselines. Doing so will provide them with more chances to spot odd behavior and to connect the dots in potential problems.

But UBA can only go so far on its own. Most solutions can’t fix deviant user behavior by themselves, for instance. With that said, security teams can pair their UBA tools with other tech to add context to their incident response and remediation processes. They should also look to integrate their UBA with a SIEM. By adding user activity to log data, threat intelligence, vulnerability scan data and other sources of information, you can gain even more complete insight into what’s going on in the network. This can help you to better see the attack chain and to mount an effective response.

Getting Realistic With User Behavior Analytics

UBA can help address the risks that come with insider attacks. That’s because UBA isn’t fixated on the edges of the network. It’s concerned with what’s going on with the users themselves.

As a result, you can benefit from putting UBA in place as part of a broader approach. This could include using UBA together with multi-factor authentication (MFA), micro-segmentation and other controls to build a zero trust network. Organizations need to ensure that authorized user accounts aren’t engaging in suspicious activity after each successful login. With UBA, you can track that.

David Bisson
Contributing Editor

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Trip...