User Behaviour Analytics (UBA) is one of the latest advancements to have gained the attention of the security community. It’s based on the premise that human beings have distinct patterns of behaviour, and that identifying deviations from these patterns can point to criminal activity. Thanks to the digital footprint which users leave behind whenever they log on to the network, access files or use systems, we can build an accurate profile of what normal behaviour looks like – and spot abnormal behaviour which might otherwise have slipped under the radar.
This comes at a time when organisations need better ways to pinpoint the ‘threat from within’. Increasingly, for many companies, a large proportion of security incidents can – and do – start inside the business, often as a result of privileged misuse. Whether it’s an employee, partner or contractor, the insider threat poses a real and very present danger which has typically been notoriously difficult to protect against. We can build the walls around the perimeter higher, but it’s more difficult to guard against hackers who may have gained access to a privileged user’s credentials, or an impostor using a hijacked user account.
UBA can fill this gap, helping to strengthen an organisation’s security posture, identifying risky behaviour, and preventing breaches before they occur.
Building a unique profile
Every user leaves a trail of evidence as they access the network, which will appear in logs, audit trails and in many other places on the infrastructure. This valuable data can be harnessed to build a baseline of what is normal – such as when users are usually active, what services they typically log into and how they use them. Different machine learning algorithms will create these profiles, and can then continue to log and compare activities against the usual user behaviour, allowing them to identify unusual behaviour in real time. Establishing this baseline and drawing comparisons with what is actually happening on the network is critical; a hacker using a hijacked account, or a malicious insider, will interact differently with the system than a normal user. Once this suspicious activity is highlighted, UBA tools are able to alert the SOC to the attack before a data breach occurs.
UBA products must use several machine learning algorithms simultaneously to create the complete profile of each user. This is because we need context to build a complete picture of what’s really going on and to avoid triggering false positives. Information in isolation – such as the times of day a user is logging in – is useful, but we need a more complete picture, with information such as where the user is logging in from, or what s/he is accessing, to raise the alarm of suspicious activity or prompt further investigation.
So what are the key work behaviours typically monitored by UBA tools?
Timing is everything
Workers may complain that the typical workday is always the same, but this routine provides valuable information on which UBA is based. Routine is the key here: every day individuals wake up at the same time, and arrive at their workplace at approximately the same time. They do similar work at similar times, have lunch at the same time, and leave the office at the same time in the evening. Deviations from someone’s normal 9 to 5 workday pattern would point to unusual behaviour.
Apps and access
UBA will also examine what applications an employee is running – most of us use the same apps all the time. Someone who only uses MS Word or Excel but then suddenly starts running SAP would raise a red flag. Similarly, it will look at which files are being opened and downloaded; if an IT employee were to access payroll files only typically used by the HR department, this would alert the SOC to suspicious activity.
Most people also use the same devices and log on from the same locations for business. Someone logging in remotely who is only ever office based, or from a device that is not recognised on the network, would indicate an anomaly.
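The baseline-and-compare loop described in the sections above (usual hours, usual applications, usual devices and locations, and the need for more than one signal before raising an alarm) can be sketched in a few dozen lines. The following is an added illustration, not code from the original article or from any BalaBit product; the log format, field names, the two-sigma time window and the “two signals before alerting” threshold are all assumptions chosen for the example, and the log lines are constructed sample data.

```python
from collections import Counter, defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed audit-log sample (not real data). Format assumed for this example:
#   <ISO timestamp> <user> <action> app=<name> device=<id> location=<where>
SAMPLE_LOG = """\
2024-03-04T08:55:10 alice login app=email device=laptop-a1 location=office
2024-03-04T09:10:32 alice open app=excel device=laptop-a1 location=office
2024-03-04T11:30:00 alice open app=word device=laptop-a1 location=office
2024-03-04T13:45:12 alice open app=excel device=laptop-a1 location=office
2024-03-04T16:20:05 alice logout app=email device=laptop-a1 location=office
2024-03-05T09:02:41 alice login app=email device=laptop-a1 location=office
2024-03-05T10:15:09 alice open app=word device=laptop-a1 location=office
2024-03-05T14:00:00 alice open app=excel device=laptop-a1 location=office
2024-03-05T17:10:30 alice logout app=email device=laptop-a1 location=office
2024-03-06T12:05:00 alice open app=excel device=laptop-a1 location=office
2024-03-04T09:30:00 bob login app=sap device=desktop-hr7 location=office
2024-03-05T09:35:00 bob open app=sap device=desktop-hr7 location=office
"""


def parse_log(text):
    """Turn each log line into a dict with a datetime and the key=value fields."""
    events = []
    for line in text.strip().splitlines():
        ts, user, action, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        events.append({"time": datetime.fromisoformat(ts), "user": user,
                       "action": action, **fields})
    return events


def build_baselines(events):
    """Per-user profile: time-of-day samples plus counts of apps, devices, locations."""
    profiles = defaultdict(lambda: {"hours": [], "app": Counter(),
                                    "device": Counter(), "location": Counter()})
    for e in events:
        p = profiles[e["user"]]
        p["hours"].append(e["time"].hour + e["time"].minute / 60)
        for attr in ("app", "device", "location"):
            p[attr][e[attr]] += 1
    return profiles


def score_event(profile, event):
    """Count independent anomaly signals for one event against a user's baseline."""
    hours = profile["hours"]
    if not hours:
        # A user with no history cannot be scored; hand the event to an analyst.
        return 1, ["no baseline for this user"]
    reasons = []
    mu, sigma = mean(hours), pstdev(hours) or 1.0
    h = event["time"].hour + event["time"].minute / 60
    if abs(h - mu) > 2 * sigma:  # assumed rule: outside the usual +/- 2 sigma window
        reasons.append(f"activity at {h:.1f}h, usual window {mu:.1f}h +/- {2 * sigma:.1f}h")
    for attr in ("app", "device", "location"):
        if profile[attr][event[attr]] == 0:
            reasons.append(f"{attr}={event[attr]} never seen for this user")
    return len(reasons), reasons


def assess(profile, event, alert_at=2):
    """One odd signal prompts review; two or more corroborating signals raise an alert."""
    score, reasons = score_event(profile, event)
    verdict = "alert" if score >= alert_at else "review" if score == 1 else "normal"
    return {"verdict": verdict, "score": score, "reasons": reasons}


if __name__ == "__main__":
    profiles = build_baselines(parse_log(SAMPLE_LOG))
    for line in (
        "2024-03-11T10:40:00 alice open app=excel device=laptop-a1 location=office",
        "2024-03-11T10:40:00 alice open app=sap device=laptop-a1 location=office",
        "2024-03-11T03:12:44 alice login app=sap device=unknown-pc location=remote",
    ):
        ev = parse_log(line)[0]
        print(line, "->", assess(profiles[ev["user"]], ev))
```

The point of `assess` is the context argument made above: an IT user opening SAP once during normal hours from her usual laptop is only a “review”, while the same application launched at 3 a.m. from an unrecognised device and a remote location accumulates four independent signals and becomes an alert.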
The distinctions in human behaviour can even be as subtle as our typing patterns. We all have a unique typing pattern – from the typical speed we type at, to the pauses that are made unconsciously. If someone other than the normal user were to start typing on their keyboard, this could be detected by UBA. In the future we may be able to use even more advanced data to assess activity and identify unusual behaviour. For example, the way an individual uses and moves their mouse, or even their heart rate and brain wave analysis, could all be used to provide an accurate user profile.
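To make the typing-pattern idea concrete, here is an added example (not code from the article or from any product) of the simplest form of keystroke dynamics: the time between consecutive keystrokes is recorded during enrolment, a mean and standard deviation are kept as the user’s template, and a later session is flagged when too few of its intervals fall inside that range. The interval values, the two-sigma window and the 80 % conformance threshold are constructed assumptions for the example; real deployments would also keep per-key-pair timings and refresh the template over time.

```python
from statistics import mean, pstdev

# Constructed enrolment data (not real measurements): flight times in milliseconds
# between consecutive keystrokes, captured over five sessions of the legitimate user.
ENROLMENT_SESSIONS = [
    [110, 120, 100, 130, 115],
    [105, 125, 110, 120, 118],
    [112, 108, 122, 117, 126],
    [98, 130, 114, 121, 109],
    [116, 111, 119, 124, 103],
]


def build_template(sessions):
    """Pool the enrolment intervals into a mean / standard-deviation template."""
    pooled = [t for session in sessions for t in session]
    return {"mu": mean(pooled), "sigma": pstdev(pooled), "n": len(pooled)}


def conformance(template, intervals, k=2.0):
    """Fraction of a new session's intervals lying within mu +/- k*sigma (k assumed)."""
    lo = template["mu"] - k * template["sigma"]
    hi = template["mu"] + k * template["sigma"]
    inside = sum(1 for t in intervals if lo <= t <= hi)
    return inside / len(intervals)


def verify_typist(template, intervals, min_conformance=0.8):
    """Return (accepted, conformance); below the assumed threshold the session is flagged."""
    c = conformance(template, intervals)
    return c >= min_conformance, c


if __name__ == "__main__":
    template = build_template(ENROLMENT_SESSIONS)
    print("template:", template)
    # Constructed test sessions: the enrolled user, a much slower typist, and a
    # session where the rhythm changes part-way through.
    for label, sample in (
        ("genuine", [112, 118, 109, 121, 115]),
        ("impostor", [220, 240, 205, 260, 230]),
        ("mixed", [115, 118, 200, 210, 120]),
    ):
        print(label, verify_typist(template, sample))
```

A conformance score is easier to act on than a raw anomaly flag: a session that is only partly off-pattern (the “mixed” sample above, where someone else appears to take over mid-session) lands between the two extremes, and the SOC can choose the threshold according to how many false positives it is prepared to investigate.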
As cybercriminals use ever-more sophisticated means to infiltrate networks, or gain access to user credentials, data such as this will prove to be invaluable as a means of detecting and preventing data breaches. However, it is important to remember that the quality of the analysed digital footprints depends on the strength of the UBA tool a company uses. Any analytical data is only as good as the programme supplying it, so ensure you take the time to investigate and use a UBA tool which is based on the latest analytical research.
Dániel Bagó, Product Marketing Manager at BalaBit Europe