Co-authored by Dr. Yaron Wolfsthal

While some behavioral analytics methods have been pursued for business intelligence purposes for quite some time, they have been primarily focused on the buying habits of groups of people. In the context of information security, behavioral analytics can be used to carefully and comprehensibly develop models that would support an organization’s ability to conduct risk assessment of resources such as users and computers on an enterprise network to alert against individual entities that may pose a potential threat.

Examples of attacks that can be identified by security behavioral analytics may include a cybercriminal who has gained access to an employee’s legitimate credentials, an insider whose behavior represents a threat to the well-being of the company or a compromised server on the organization’s network that is clandestinely sending corporate data to a command-and-control (C&C) server on the open Internet.

How Security Behavioral Analytics Differ From Cohort Analytics

Superficially, security behavioral analytics may look similar to business intelligence methods like cohort analytics. The latter takes data collected from the usage of products or services, such as an e-commerce or online gaming platform, and breaks it down into related groups for analysis. These related groups, or cohorts, usually share common characteristics within a defined time span.

By properly capturing the different characteristics of cohorts (e.g., the purchasing patterns over time), a company can adapt and tailor its service to specific cohorts (e.g., offering special incentives at critical stages). Thus, cohort analysis is useful in making mass marketing smarter and more effective. However, the success or failure of cohort-based marketing is less critical to the company’s well-being than security behavioral analytics, where the timely detection of an attack on a company’s crown jewels can save the company from losing business.

Identifying Anomalies With Behavioral Analytics

On a basic level, behavioral analytics relies upon anomaly detection — the capability to sift through large amounts of data and to identify patterns that do not conform to those statistically expected. In the context of security, such anomalies might represent a variety of threats: intrusions to networks by an impostor, unwarranted escalation of privileges, transmission of sensitive corporate information across irregular channels and so on.

Take the example of user authentication. Traditional methods have primarily relied upon password-based schemes or biometric methods to authenticate an individual accessing the system. Taking a behavioral analytics approach, an input device can track the interaction profile of the user, such as click speed or geometric patterns of mouse movement, and differentiate impostors from legitimate users based on changes in their interaction patterns.

A good anomaly detection mechanism looks not only for abundance — say, too many failed login attempts that may indicate that someone is trying to breach the system — but also for the truly different. As an example, when bank employee A goes on vacation and her role is temporarily filled by employee B, the algorithm should not trigger an alarm merely on seeing different IDs in the access logs unless B accesses different systems during A’s vacation period. That difference would warrant further investigation. In this example, the algorithm has essentially learned the system access patterns associated with that role.

Practical Aspects

In deploying behavioral security analytics, a phase of tuning will almost always be required to customize the solution to the specific environment it is in. Moreover, since anomaly detection is based on statistical methods, a baseline for normal system behavior must be established. No system can come completely customized to your organization’s special needs out of the box. In some systems, a single failed login is a cause for alarm, while in others it might be the norm, and verifying a breach requires the detection of another attack vector like port scanning.
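The role-based access baseline from the bank example above and the per-system failed-login baseline just described, combined in one added illustration (this is example code written for this article, not any product's implementation; the log format, the role labels and the mean-plus-three-standard-deviations threshold are assumptions):

```python
from collections import defaultdict
from statistics import mean, pstdev
# Constructed sample access log (not real data); fields: day user role system outcome
TRAINING_LOG = """\
1 alice teller core-banking ok
1 alice teller core-banking fail
1 dave admin hr-portal ok
2 alice teller core-banking fail
2 alice teller core-banking fail
2 alice teller crm ok
3 alice teller core-banking ok
"""
# Employee B covers for A: new user ID, same role, plus one access outside that role
REPLACEMENT_LOG = """\
4 bob teller core-banking ok
4 bob teller core-banking fail
4 bob teller core-banking fail
4 bob teller hr-portal ok
4 dave admin hr-portal fail
"""

def parse_log(text):
    fields = ("day", "user", "role", "system", "outcome")
    return [dict(zip(fields, line.split())) for line in text.splitlines() if line.strip()]

def build_baseline(events):
    """Learn the systems each role touches and a per-system failed-login threshold."""
    role_systems, days = defaultdict(set), sorted({e["day"] for e in events})
    fails = defaultdict(lambda: defaultdict(int))  # system -> day -> failed logins
    for e in events:
        role_systems[e["role"]].add(e["system"])
        if e["outcome"] == "fail":
            fails[e["system"]][e["day"]] += 1
    # Zero-failure days count, so a system that never fails in the baseline gets
    # threshold 0 and a single failure on it later is enough to raise an alert.
    per_day = {s: [fails[s][d] for d in days] for s in {e["system"] for e in events}}
    threshold = {s: mean(v) + 3 * pstdev(v) for s, v in per_day.items()}
    return {"role_systems": dict(role_systems), "fail_threshold": threshold}

def score(baseline, events):
    """Alert on access outside the role's learned systems and on failed-login spikes."""
    alerts = [("role_system_mismatch", e["user"], e["role"], e["system"]) for e in events
              if e["system"] not in baseline["role_systems"].get(e["role"], set())]
    fails = defaultdict(int)
    for e in events:
        if e["outcome"] == "fail":
            fails[(e["system"], e["day"])] += 1
    alerts += [("failed_login_volume", s, d, n) for (s, d), n in fails.items()
               if n > baseline["fail_threshold"].get(s, 0)]
    return alerts
```

Run against the constructed logs, bob's new user ID raises nothing on the teller systems, only his access to hr-portal does, and one failed login on hr-portal alerts while two on core-banking stay under that system's learned threshold.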

During operation, some of the detected anomalies or misbehaviors may be unrelated to security, with red flags going up due to malfunctioning or new system components. To effectively prioritize and act solely on the true security breaches, the organization needs to have the resources to investigate these issues. A high-quality forensics tool is invaluable for this purpose.

In establishing a sound enterprise security strategy, behavioral analytics provides an advanced level of protection, but it cannot replace — and, in fact, must be built upon — more basic methods. For example, assume that an antivirus tool claims to have successfully cleaned a malware infection, but other indicators detect post-breach behavior attributable to that malware. In this case, behavioral analytics can cross-correlate the basic indicators and help reach the right conclusion.

Three Tips for Implementing Security Behavioral Analytics

  1. Collect all the information you can lay your hands on. In this era of big data, the more you have, the better you can find the things you should be looking for. Sometimes, success can come from connecting dots that you didn’t even know you had.
  2. Use state-of-the-art machine learning tools. There are many possible solutions, some of which are even open source, and the best mix is to have a subject matter expert work hand-in-hand with the machine learning expert.
  3. Reiterate. Since you are chasing bad guys who are actively trying to avoid being caught, you must change your methods regularly to keep finding them.
