User Behaviour Analytics
User behaviour analytics (UBA) is a new area of information security around the tracking, collecting and assessing of user data and activities, designed to spot anomalies in user behaviour to find malicious insiders. Think Edward Snowden and you are about there.
Today, user behaviour analytics tools have more advanced profiling and exception monitoring capabilities than SIEM systems and are used for two main functions. First, UBA tools determine a baseline of normal activities specific to the organization and its individual users. Second, they identify deviations from normal. UBA uses big data and machine learning algorithms to assess these deviations in near-real time.
Traditional security incidents are usually founded on an external actor gaining control of, or access to, an asset within the environment, which then enables them to escalate privileges, create a new user and so on. But over recent months and years a new threat has become prevalent: the ‘insider threat’.
The insider threat poses a significant challenge to organisations because you have to enable your employees to carry out their jobs, which for some users means escalated privileges from the start. On the whole these users have a legitimate reason for those levels of access; think C-level executives and IT administrators, for instance.
If one of those accounts is compromised, or an organisation has a disgruntled employee, the attacker already holds the keys to the kingdom, along with access to all the additional information those privileges then open up.
Establishing a baseline for ‘normal’ network behaviour within the environment is an incredibly difficult thing to do. Now imagine trying to establish what is normal for every single individual user and what they typically do.
We work with organisations to pro-actively monitor the environment and establish a baseline of ‘normal’ user behaviour, so that it can then be analysed in real-time by security technologies. We then provide the information security teams with a report explaining why a given activity is suspected to indicate a potential ‘malicious insider’.
These solutions can also be used to identify some types of malware by monitoring the ‘user’s’ behaviour. If, for instance, you see a user who has never browsed to a particular website before, and it is potentially a newly registered domain with a bad reputation, that is a cause for concern, but not something that would necessarily be picked up by the traditional security tools in organisations’ networks today.
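The two steps described above (build a per-user baseline of normal activity, then flag deviations from it) and the never-before-seen-domain case are illustrated by the following added example. It is not code from the original page or from any product; the proxy log lines, the learning-window cutoff and the reputation list are all constructed for the demonstration, and the domain names are hypothetical.

```python
"""Toy UBA-style detector: learn a per-user baseline of visited domains and
active hours from a learning window, then flag deviations in a later window.
Added example for illustration, not a vendor product."""
from collections import defaultdict
from datetime import datetime

# Constructed sample web-proxy log lines: "<ISO timestamp> <user> <domain>".
# Lines before BASELINE_END form the learning window; the rest are monitored.
SAMPLE_LOG = """\
2024-01-08T09:02:11 alice mail.corp.example
2024-01-08T09:05:40 alice wiki.corp.example
2024-01-09T10:15:03 alice wiki.corp.example
2024-01-10T14:22:51 alice crm.corp.example
2024-01-08T08:45:00 bob mail.corp.example
2024-01-09T11:30:12 bob git.corp.example
2024-01-10T16:05:33 bob git.corp.example
2024-01-15T10:01:09 alice wiki.corp.example
2024-01-15T02:13:07 alice quickshare-xyz.example
2024-01-15T11:40:00 bob git.corp.example
"""

# Constructed reputation list standing in for a threat-intelligence feed
# (hypothetical domain, not a real indicator).
BAD_REPUTATION = {"quickshare-xyz.example"}

# Events before this timestamp build the baseline; later ones are assessed.
BASELINE_END = datetime(2024, 1, 14)


def parse_log(text):
    """Parse log lines into (timestamp, user, domain) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, user, domain = parts
        try:
            events.append((datetime.fromisoformat(ts), user, domain.lower()))
        except ValueError:
            continue  # unparsable timestamp: ignore rather than crash the job
    return events


def build_baseline(events, cutoff):
    """Per-user 'normal': the domains visited and the hours of day active before cutoff."""
    baseline = defaultdict(lambda: {"domains": set(), "hours": set()})
    for ts, user, domain in events:
        if ts < cutoff:
            baseline[user]["domains"].add(domain)
            baseline[user]["hours"].add(ts.hour)
    return baseline


def detect_anomalies(events, baseline, cutoff, bad_reputation=BAD_REPUTATION):
    """Flag monitored-window events that deviate from the user's own baseline.

    Each finding lists its reasons so the analyst report can say *why* the
    activity is suspect, not merely that a score crossed a threshold."""
    findings = []
    for ts, user, domain in events:
        if ts < cutoff:
            continue
        profile = baseline.get(user)  # .get() does not create a default entry
        reasons = []
        if profile is None:
            reasons.append("no baseline for user")
        else:
            if domain not in profile["domains"]:
                reasons.append("first-seen domain for user")
            if ts.hour not in profile["hours"]:
                reasons.append("activity at unusual hour")
        if domain in bad_reputation:
            reasons.append("domain has bad reputation")
        if reasons:
            findings.append({"time": ts.isoformat(), "user": user,
                             "domain": domain, "reasons": reasons})
    return findings


def run(log_text=SAMPLE_LOG, cutoff=BASELINE_END):
    """Full pipeline: parse, baseline, detect. Returns the list of findings."""
    events = parse_log(log_text)
    return detect_anomalies(events, build_baseline(events, cutoff), cutoff)


if __name__ == "__main__":
    for f in run():
        print(f"{f['time']} {f['user']} {f['domain']}: {', '.join(f['reasons'])}")
```

On the constructed sample, alice's routine visit to the wiki and bob's visit to git produce nothing, while alice's 02:13 request to a domain she has never visited is flagged on three grounds at once: it is first-seen for her, it falls outside her usual hours, and it is on the reputation list. A real deployment would replace the sets with counts and time-decayed statistics so a single visit does not permanently become "normal", and would weight the reasons rather than treating them all alike.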
These solutions enable you to hold authorised users accountable, investigate suspicious behaviour, respond in real-time, and prevent the next incident using a cross-platform “surveillance system” that captures user behaviour and provides intelligence on user activity.