Co-authored by Dr. Yaron Wolfsthal

While some behavioral analytics methods have been pursued for business intelligence purposes for quite some time, they have been primarily focused on the buying habits of groups of people. In the context of information security, behavioral analytics can be used to carefully and comprehensibly develop models that would support an organization’s ability to conduct risk assessment of resources such as users and computers on an enterprise network to alert against individual entities that may pose a potential threat.

Examples of attacks that can be identified by security behavioral analytics may include a cybercriminal who has gained access to an employee’s legitimate credentials, an insider whose behavior represents a threat to the well-being of the company or a compromised server on the organization’s network that is clandestinely sending corporate data to a command-and-control (C&C) server on the open Internet.

How Security Behavioral Analytics Differ From Cohort Analytics

Superficially, security behavioral analytics may look similar to business intelligence methods like cohort analytics. The latter takes data collected from the usage of products or services, such as an e-commerce or online gaming platform, and breaks it down into related groups for analysis. These related groups, or cohorts, usually share common characteristics within a defined time span.

By properly capturing the different characteristics of cohorts (e.g., the purchasing patterns over time), a company can adapt and tailor its service to specific cohorts (e.g., offering special incentives at critical stages). Thus, cohort analysis is useful in making mass marketing smarter and more effective. However, the success or failure of cohort-based marketing is less critical to the company’s well-being than security behavioral analytics, where the timely detection of an attack on a company’s crown jewels can save the company from losing business.

Identifying Anomalies With Behavioral Analytics

On a basic level, behavioral analytics relies upon anomaly detection — the capability to sift through large amounts of data and to identify patterns that do not conform to those statistically expected. In the context of security, such anomalies might represent a variety of threats: intrusions to networks by an impostor, unwarranted escalation of privileges, transmission of sensitive corporate information across irregular channels and so on.

Take the example of user authentication. Traditional methods have primarily relied upon password-based schemes or biometric methods to authenticate an individual accessing the system. Taking a behavioral analytics approach, an input device can track the interaction profile of the user, such as click speed or geometric patterns of mouse movement, and differentiate impostors from legitimate users based on changes in their interaction patterns.

A good anomaly detection mechanism looks not only for abundance — say, too many failed login attempts that may indicate that someone is trying to breach the system — but also the truly different. As an example, when bank employee A goes on vacation and her role is temporarily filled by employee B, the algorithm should not trigger an alarm merely on seeing different IDs in the access logs unless different systems are accessed by B during A’s vacation period. That would suggest further investigation of the difference. In this example, the algorithm has essentially learned the system access patterns associated with the said role.

Practical Aspects

In deploying behavioral security analytics, a phase of tuning will almost always be required to customize the solution to the specific environment it is in. Moreover, since anomaly detection is based on statistical methods, a baseline for normal system behavior must be established. No system can come completely customized to your organization special needs out of the box. In some systems, a single failed login is a cause for alarm, while in others it might be the norm, and verifying a breach requires the detection of another attack vector like port scanning.

During operation, some of the detected anomalies or misbehaviors may be unrelated to security, with red flags going up due to malfunctioning or new system components. To effectively prioritize and act solely on the true security breaches, the organization needs to have the resources to investigate these issues. A high-quality forensics tool is invaluable for this purpose.

In establishing a sound enterprise security strategy, behavioral analytics provides an advanced level of protection, but it cannot replace — and, in fact, must be built upon — more basic methods. For example, assume that an antivirus tool claims to have successfully cleaned a malware, but other indicators detect a post-breach behavior of this virus. In this case, behavioral analytics can cross-correlate the basic indicators and help reach the right conclusion.

Three Tips for Implementing Security Behavioral Analytics

  1. Collect all the information you can lay your hands on. In this era of big data, the more you have, the better you can find the things you should be looking for. Sometimes, success can come from connecting dots that you didn’t even know you had.
  2. Use state-of-the-art machine learning tools. There are many possible solutions, some of which are even open source, and the best mix is to have a subject matter expert work hand-in-hand with the machine learning expert.
  3. Reiterate. Since you are chasing bad guys who are actively trying to avoid being caught, you must change your methods regularly to keep finding them.

more from Intelligence & Analytics

CISA Certification: What You Need to Know

The globally-recognized Certified Information Systems Auditor (CISA) certification shows knowledge of IT and auditing, security, governance, control and assurance to assess potential threats. As you can imagine, it’s very much in demand. It can also be confusing.  Is CISA Certification Related to the Cybersecurity and Infrastructure Security Agency? CISA, the certification, is related to CISA, the federal agency, right?  Wrong.…

Raspberry Robin and Dridex: Two Birds of a Feather

IBM Security Managed Detection and Response (MDR) observations coupled with IBM Security X-Force malware research sheds additional light on the mysterious objectives of the operators behind the Raspberry Robin worm. Based on a comparative analysis between a downloaded Raspberry Robin DLL and a Dridex malware loader, the results show that they are similar in structure and functionality. Thus, IBM Security…