User Behavior Analytics: Perfect for Analysis but Not Security

How many times have you read or heard about user behavior analytics (UBA)? Today this term applies to security managers and auditors but not to security administrators. User behavior analytics enable IT teams to track and quickly analyze anomalies in user behavior and to monitor watch-lists, trends and many other factors related to users. UBA is a useful tool for analytics and statistics, but IT professionals should not confuse it with security.

User Behavior Analytics: Great for Monitoring, Bad for Security

UBA is not a good starting point for security analysts. In general, it is both ethically incorrect and an inefficient use of resources to monitor all users’ habits and activity all the time. This type of monitoring should be reserved for specific investigations, not security.

Think about it in terms of your home. Would you provide free access to anyone just because you are monitoring every room, door and corner in and around your home? Despite the active monitoring, you would not be able to keep the strangers in your home from committing theft or otherwise violating your environment. Of course you can analyze and identify the source of a violation, but this would make for a weak approach to security.

To continue the analogy, you must know every corner of the house like the back of your hand. How many doors do you have, and which of them are open? Determine where your most precious treasures are located, identify the most critical or vulnerable points and restrict access accordingly. You may be able to identify a thief with UBA, but recovering stolen goods is another story.

Instead of relying on monitoring techniques, IT leaders should implement the strongest security measures on their critical assets and focus on prevention. Prevention helps security analysts determine which techniques cybercriminals might use to target those assets and how these attacks can be blocked. Blocking them requires a complete understanding of the possible consequences.

Security Equals Knowledge

Using UBA as a security instrument means acting after a breach has already occurred rather than actively thwarting it. Rather, IT leaders should think of security as a synonym for knowledge. This knowledge encompasses security risks in every area of IT, including emerging sabotage techniques. This level of security requires a well-implemented and strongly enforced security policy.

Such knowledge enables security analysts to engage in entity behavior analytics (EBA) instead of UBA. This new approach enables IT teams to establish a baseline of normal activity based on resource usage and identify anomalies in real time using big data and cognitive capabilities. EBA evaluates the potential impact of each behavior and assigns a score based on the sensitivity of the data affected by that behavior. It enables security teams to prioritize threats and restrict access to the resources under review.
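The paragraph above describes the EBA loop in three parts: a per-entity, per-resource baseline of normal usage, an anomaly measure against that baseline, and a score weighted by the sensitivity of the resource touched. The following is an added illustration of that loop, not code from the article or from any IBM product; the entity names, resource names, access counts and sensitivity weights are constructed sample data, and the choice of a z-score with a floor on the standard deviation is an assumption made for the example.

```python
"""Added example: sensitivity-weighted entity behavior scoring.

Not from the article. Entities, resources, counts and weights below are
constructed sample data; the z-score approach is an assumption.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed baseline: (entity, resource, day, access_count) over five days.
BASELINE_EVENTS = [
    ("alice", "wiki", 1, 20), ("alice", "wiki", 2, 22), ("alice", "wiki", 3, 18),
    ("alice", "wiki", 4, 21), ("alice", "wiki", 5, 19),
    ("alice", "hr-db", 1, 2), ("alice", "hr-db", 2, 3), ("alice", "hr-db", 3, 2),
    ("alice", "hr-db", 4, 3), ("alice", "hr-db", 5, 2),
    ("svc-backup", "payroll-share", 1, 100), ("svc-backup", "payroll-share", 2, 100),
    ("svc-backup", "payroll-share", 3, 100), ("svc-backup", "payroll-share", 4, 100),
    ("svc-backup", "payroll-share", 5, 100),
]

# Constructed sensitivity weights (0..1): how much a deviation on this resource matters.
SENSITIVITY = {"hr-db": 1.0, "payroll-share": 0.9, "wiki": 0.2}

# Constructed "today" observations to score: (entity, resource, access_count).
OBSERVATIONS = [
    ("alice", "wiki", 26),              # busy day on a low-value resource
    ("alice", "hr-db", 8),              # several times her normal HR-database use
    ("svc-backup", "payroll-share", 100),  # exactly the usual nightly job
    ("bob", "hr-db", 1),                # first ever access by this entity
]


def build_baseline(events):
    """Return {(entity, resource): (mean, population_stdev)} from history."""
    series = defaultdict(list)
    for entity, resource, _day, count in events:
        series[(entity, resource)].append(count)
    return {key: (mean(counts), pstdev(counts)) for key, counts in series.items()}


def anomaly_score(baseline, sensitivity, entity, resource, count, sigma_floor=1.0):
    """Excess usage in standard deviations, weighted by resource sensitivity.

    An unseen (entity, resource) pair gets a zero baseline, so any access to
    a sensitive resource by a never-seen entity scores at least its weight.
    The floor keeps a perfectly steady history (stdev 0) from dividing by zero
    and from flagging one extra access as an infinite deviation.
    """
    mu, sigma = baseline.get((entity, resource), (0.0, 0.0))
    sigma = max(sigma, sigma_floor)
    deviation = max(0.0, (count - mu) / sigma)  # only excess usage is suspicious here
    weight = sensitivity.get(resource, 0.5)     # assumption: unknown resources are mid-weight
    return deviation * weight


def rank_anomalies(baseline, sensitivity, observations):
    """Score every observation and return them highest-risk first."""
    scored = [
        (anomaly_score(baseline, sensitivity, e, r, c), e, r, c)
        for e, r, c in observations
    ]
    return sorted(scored, key=lambda row: row[0], reverse=True)


if __name__ == "__main__":
    base = build_baseline(BASELINE_EVENTS)
    for score, entity, resource, count in rank_anomalies(base, SENSITIVITY, OBSERVATIONS):
        print(f"{score:6.2f}  {entity:<11} {resource:<14} count={count}")
```

Run as a script, the ranking puts alice's HR-database spike first and the unchanged backup job last, even though the backup job moves far more data: the score reflects deviation from the entity's own baseline multiplied by what the resource is worth, which is the prioritization the paragraph describes. In practice the baseline would be recomputed on a rolling window and the weights would come from the data classification in the security policy.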

An effective security policy and methodical control of resources enables the security administrator to respond to anomalies and threats efficiently without the need to run remediation after a successful theft. With this foundation in place, security leaders can adopt EBA solutions to shore up the infrastructure and simplify the security administrator’s responsibilities.

Luigi Perrone

Senior Security Specialist, IBM

Luigi Perrone is a senior security specialist with IBM Security where he is involved in the development of new security solutions using IBM Security QRadar Technology and Mainframe z/Secure suite. Luigi has over 27 years of experience in IBM Security solutions on mainframe and distributed platforms. He has led security projects and solutions for major financial institutions and enterprise customers.