

Incorporating user behavior analytics into enterprise security programs

User behavior analytics can be used for a number of different objectives within an enterprise. Expert Ajay Kumar examines some of the most important features and capabilities.

User behavior analytics is an emerging technology area that is rapidly gaining attention from enterprises because of its potential to improve visibility into security risks. Specifically, the technology collects data on both user and IT asset behavior patterns to find irregularities that may indicate an insider threat or breach.

The previous article in this series outlined the components of a user behavior analytics platform, including data analytics, integration and visualization, and a phased approach to selecting and deploying a product or service. The first phase required companies to research and identify vendors that offer user behavior analytics platforms or other security products that incorporate such functionality, such as a security information and event management system.

Phase two, also called the evaluation phase, requires time and effort to go over the selected vendor solutions. Convert three to five of your requirements into use cases and use them to set up a proof-of-concept (POC) environment with each vendor product or service.

At this stage, it is critical to understand which data sources a particular vendor supports for direct integration, and whether those data sources will support your enterprise's unique security use cases. Many vendors ingest log data directly from multiple sources, while others require connectors to move the data from the log sources into the user behavior analytics platform.

In the evaluation phase, the enterprise should ask user behavior analytics vendors which use cases they primarily support, and whether those can be demonstrated in a POC environment. Use cases that can be set up in the POC environment include detecting compromised user credentials or insider threats by establishing a normal baseline for specific employees and identifying when those employees take abnormal or risky actions. User behavior analytics should be able to detect that attackers have gained control of a user's credentials, regardless of the underlying attack or malware infection.

In addition to standard employee credentials, enterprises also have to worry about the compromise of a privileged user's credentials, such as those of a system administrator or a database administrator. This is a more challenging area because these users' activities do not follow as established a pattern as those of nonprivileged users, so building usage patterns or profiles, and then detecting deviations from normal usage, may be difficult. Moreover, a compromised privileged account can do much more damage within an enterprise and might require an emergency response.

Enterprises also use various service accounts to run applications, services or operating systems, and these accounts typically have far more privileges than normal user accounts. As such, they are favored targets for attackers. A user behavior analytics platform should be able to automatically identify and flag abnormal behavior when it occurs in these privileged user and service accounts.

In addition to the above use cases, some vendor offerings also provide more specialized and advanced capabilities. Here are a few examples:

Software-as-a-service security

Cloud application usage continues to grow, with almost every enterprise today using some type of software as a service (SaaS) offering. However, the security of SaaS applications and data still lags behind, though some of the security needs are addressed by cloud access security brokers.

User behavior analytics can give enterprises much more visibility into their employees' use of SaaS applications, showing whether that access is being misused, abused or compromised. The analytics work the same way as they do for on-premises applications, and should be considered an essential component of the secure use of cloud applications.

In the case of cloud apps, user behavior analytics vendors use the application APIs provided by SaaS vendors to ingest application data and logs into their platforms for analysis. These APIs give the enterprise visibility and insight into how those applications are being used.

Threat hunting

A few user behavior analytics vendors also offer threat detection, or threat hunting, capabilities that let security teams query the platform for user activity with specific attributes. For example, an alert could be triggered by malware activity on a system associated with a user, or by phishing email activity detected on other endpoint devices.

The platform should be able to assist in determining anomalous behavior patterns, prioritizing high-risk behavior and reducing the noise to allow security analysts to focus on high-priority alerts.

Machine learning

To find threats in an environment, today's digital enterprises need the ability to automatically discover and learn about new threats using the information already available in their logs.

Several user behavior analytics platforms rely on machine learning algorithms to continually refine the baseline for normal user behavior, and for what constitutes anomalous behavior or a potential threat. For example, an employee uses his own system for his day-to-day duties and occasionally accesses the file servers, which looks legitimate. If the same user tries to access an executive's system on the network, however, that is not considered normal activity.

Therefore, a user behavior analytics platform should be able to learn the relationship between users and assets, and how those relationships change over time, and automatically alert the security team if malicious behavior is detected.
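The following Python is an added illustration of the baselining described here and in the earlier credential-compromise and service-account use cases; it is not code from the article or from any vendor product. It learns each account's normal set of hosts from constructed authentication log lines and scores new events by how far they fall outside that baseline, so a user who normally touches only file servers is flagged when reaching an executive's workstation; the usernames, hostnames and the 0-3 scoring scale are assumptions.

```python
from collections import defaultdict

# Constructed sample authentication log lines (not real data):
# "<timestamp> <user> <host>"; the training window is treated as normal.
TRAINING_LOGS = """
2024-05-01T09:02:11 alice ws-alice
2024-05-01T09:15:40 alice fs-01
2024-05-02T10:21:17 alice fs-02
2024-05-01T09:10:00 bob ws-bob
2024-05-01T11:30:00 bob fs-01
2024-05-01T08:30:00 svc-backup fs-01
2024-05-01T08:31:00 svc-backup fs-02
"""

def parse(text):
    """Turn the raw log text into (timestamp, user, host) tuples."""
    return [tuple(line.split()) for line in text.strip().splitlines()]

def build_baseline(events):
    """Learn, per account, the set of hosts touched in the training window."""
    baseline = defaultdict(set)
    for _ts, user, host in events:
        baseline[user].add(host)
    return dict(baseline)

def score_event(baseline, event):
    """Score one new event; higher means further from the learned baseline."""
    _ts, user, host = event
    known = baseline.get(user)
    if known is None:
        return 3, "no baseline for this account (new, dormant or shared)"
    if host in known:
        return 0, "host is within the account's own baseline"
    # Peer check: a host other baselined accounts use is less suspicious
    # than one no known account has ever touched (e.g. an executive's system).
    peers = [u for u, hosts in baseline.items() if host in hosts]
    if peers:
        return 1, f"new host for this account, but used by {len(peers)} other account(s)"
    return 2, "host outside the baseline of every known account"

def flag_anomalies(baseline, events, threshold=2):
    """Return only the events at or above the alerting threshold."""
    flagged = []
    for event in events:
        score, reason = score_event(baseline, event)
        if score >= threshold:
            flagged.append((event, score, reason))
    return flagged
```

A service account such as svc-backup has a deliberately narrow baseline, so any host outside it scores high and surfaces immediately, while a human user's new but peer-used host stays below the default threshold.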


At the end of the second phase, enterprises should have the required information with respect to their unique security requirements, the products and services available in the market, how those vendor offerings can meet the specific requirements of each enterprise, and what capabilities those platforms bring to the enterprise.

This is the time to get senior management, specifically the CISO or CIO, aligned with the goal by walking them through a presentation of the work done in the first two phases, in order to get approval to move into the purchasing and implementation phase.

The presentation should include the clear business case that the selected user behavior analytics platform will address, in order to get funding for one of the top three product choices. It should also include the pros and cons of each option, such as costs and features, as well as the potential risk reduction and the potential dangers of not implementing a user behavior analytics platform.
