Co-authored by Dr. Yaron Wolfsthal

While some behavioral analytics methods have been pursued for business intelligence purposes for quite some time, they have been primarily focused on the buying habits of groups of people. In the context of information security, behavioral analytics can be used to carefully and comprehensibly develop models that would support an organization’s ability to conduct risk assessment of resources such as users and computers on an enterprise network to alert against individual entities that may pose a potential threat.

Examples of attacks that can be identified by security behavioral analytics may include a cybercriminal who has gained access to an employee’s legitimate credentials, an insider whose behavior represents a threat to the well-being of the company or a compromised server on the organization’s network that is clandestinely sending corporate data to a command-and-control (C&C) server on the open Internet.

How Security Behavioral Analytics Differ From Cohort Analytics

Superficially, security behavioral analytics may look similar to business intelligence methods like cohort analytics. The latter takes data collected from the usage of products or services, such as an e-commerce or online gaming platform, and breaks it down into related groups for analysis. These related groups, or cohorts, usually share common characteristics within a defined time span.

By properly capturing the different characteristics of cohorts (e.g., the purchasing patterns over time), a company can adapt and tailor its service to specific cohorts (e.g., offering special incentives at critical stages). Thus, cohort analysis is useful in making mass marketing smarter and more effective. However, the success or failure of cohort-based marketing is less critical to the company’s well-being than security behavioral analytics, where the timely detection of an attack on a company’s crown jewels can save the company from losing business.

Identifying Anomalies With Behavioral Analytics

On a basic level, behavioral analytics relies upon anomaly detection — the capability to sift through large amounts of data and to identify patterns that do not conform to those statistically expected. In the context of security, such anomalies might represent a variety of threats: intrusions to networks by an impostor, unwarranted escalation of privileges, transmission of sensitive corporate information across irregular channels and so on.

Take the example of user authentication. Traditional methods have primarily relied upon password-based schemes or biometric methods to authenticate an individual accessing the system. Taking a behavioral analytics approach, an input device can track the interaction profile of the user, such as click speed or geometric patterns of mouse movement, and differentiate impostors from legitimate users based on changes in their interaction patterns.

A good anomaly detection mechanism looks not only for abundance — say, too many failed login attempts that may indicate that someone is trying to breach the system — but also the truly different. As an example, when bank employee A goes on vacation and her role is temporarily filled by employee B, the algorithm should not trigger an alarm merely on seeing different IDs in the access logs unless different systems are accessed by B during A’s vacation period. That would suggest further investigation of the difference. In this example, the algorithm has essentially learned the system access patterns associated with the said role.

Practical Aspects

In deploying behavioral security analytics, a phase of tuning will almost always be required to customize the solution to the specific environment it is in. Moreover, since anomaly detection is based on statistical methods, a baseline for normal system behavior must be established. No system can come completely customized to your organization special needs out of the box. In some systems, a single failed login is a cause for alarm, while in others it might be the norm, and verifying a breach requires the detection of another attack vector like port scanning.

During operation, some of the detected anomalies or misbehaviors may be unrelated to security, with red flags going up due to malfunctioning or new system components. To effectively prioritize and act solely on the true security breaches, the organization needs to have the resources to investigate these issues. A high-quality forensics tool is invaluable for this purpose.

In establishing a sound enterprise security strategy, behavioral analytics provides an advanced level of protection, but it cannot replace — and, in fact, must be built upon — more basic methods. For example, assume that an antivirus tool claims to have successfully cleaned a malware, but other indicators detect a post-breach behavior of this virus. In this case, behavioral analytics can cross-correlate the basic indicators and help reach the right conclusion.

Three Tips for Implementing Security Behavioral Analytics

  1. Collect all the information you can lay your hands on. In this era of big data, the more you have, the better you can find the things you should be looking for. Sometimes, success can come from connecting dots that you didn’t even know you had.
  2. Use state-of-the-art machine learning tools. There are many possible solutions, some of which are even open source, and the best mix is to have a subject matter expert work hand-in-hand with the machine learning expert.
  3. Reiterate. Since you are chasing bad guys who are actively trying to avoid being caught, you must change your methods regularly to keep finding them.

More from Intelligence & Analytics

What makes a trailblazer? Inspired by John Mulaney’s Dreamforce roast

4 min read - When you bring a comedian to offer a keynote address, you need to expect the unexpected.But it is a good bet that no one in the crowd at Salesforce’s Dreamforce conference expected John Mulaney to tell a crowd of thousands of tech trailblazers that they were, in fact, not trailblazers at all.“The fact that there are 45,000 ‘trailblazers’ here couldn’t devalue the title anymore,” Mulaney told the audience.Maybe it was meant as nothing more than a punch line, but Mulaney’s…

New report shows ongoing gender pay gap in cybersecurity

3 min read - The gender gap in cybersecurity isn’t a new issue. The lack of women in cybersecurity and IT has been making headlines for years — even decades. While progress has been made, there is still significant work to do, especially regarding salary.The recent  ISC2 Cybersecurity Workforce Study highlighted numerous cybersecurity issues regarding women in the field. In fact, only 17% of the 14,865 respondents to the survey were women.Pay gap between men and womenOne of the most concerning disparities revealed by…

Protecting your data and environment from unknown external risks

3 min read - Cybersecurity professionals always keep their eye out for trends and patterns to stay one step ahead of cyber criminals. The IBM X-Force does the same when working with customers. Over the past few years, clients have often asked the team about threats outside their internal environment, such as data leakage, brand impersonation, stolen credentials and phishing sites. To help customers overcome these often unknown and unexpected risks that are often outside of their control, the team created Cyber Exposure Insights…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today