kantver - Fotolia


User behavior analytics: Building a business case for enterprises

User behavior analytics can be beneficial to enterprises, but there are complexities involved. Expert Ajay Kumar explains what companies should know about this new technology.

The threat landscape continues to grow year-on-year, with more and new types of threat actors. Proportionally, cybersecurity incidents are growing both in volume and sophistication.

According to the "2016 Cost of Data Breach Study" by the Ponemon Institute, 48% of all breaches in 2016 were caused by malicious or criminal insiders (employees, contractors or other third parties).

Traditional security systems were built to find the bad guys by searching for known signatures or exploits at a selected location during a single point in time. Attackers are continuing to penetrate and evade enterprise defenses. What today's digital enterprises need are rapid detection and response capabilities enabled through behavioral analytics.

Every enterprise today generates a huge amount of log data from user actions, server activity, applications and network devices across the organization's IT ecosystem. However, organizations are unable to get insights from this log data, and challenges remain for security teams to provide contextual value out of the logs to secure and manage the operations of the digital enterprise.

User behavior analytics is an innovation in security technology, and it could help enterprises in taking security and risk management to the next level. The technology makes it easier for enterprises to gain visibility into user and asset behavior patterns to find malicious insiders or external threats, without disrupting the business.

To introduce and implement any new technology in the enterprise, it is necessary that you understand the architecture, as well as how the technology works in a particular environment under certain conditions. A user behavior analytics platform consists of the following three primary components:

Data integration: This is the foundational requirement to build user behavior analytics capabilities. It should be able to integrate with the required log sources of the enterprise, including structured or unstructured information example logs from security information and event management systems, VPN gateways, network flow data and application logs, as well as ingest logs from CSV files and syslogs.

Data analytics: Data analytics' primary purpose is to enrich and analyze data, use analytical algorithms to learn an environment -- such as server versus user activity, or normal users versus executive users or privileged users -- and make sense of it. In addition, this component is designed to be able to analyze the user and system behavior and to distinguish between normal and malicious activity.

Data presentation & visualization: This shows the data analytics results in a manner useful to the enterprise and security team, so that patterns and trends in user interactions are readily apparent and can be acted on by drilling down into the detailed level events.

Building user behavior analytics capabilities

The best approach to building new capabilities in the enterprise is to start with small steps, and then move one step at a time to cope with the ongoing changes. This allows stakeholders to understand the user behavior analytics technology and the business case for it being implemented, as well as what value it brings to the table with respect to advancing the enterprise security posture.

Moreover, the user behavior analytics market is composed of various vendor products and services that can help find individuals, whether they are malicious or accidental insiders or external threats, who are responsible for security violations. Vendors can help detect various types of offending entities, such as a user, system or IP address, and distinguish between them by using the ability to roll up and analyze the data and to connect an individual to groups or other entities engaged in malicious behavior.

There are several phases enterprises should consider for user behavior analytics deployment.

Phase one: Companies should identify and research the products and services available on the market, as well as how user behavior analytics technology may be integrated into their existing security product categories.

They should find out who the top vendors are; what technologies, capabilities or services they offer; and complete the vendor assessment based on various sets of questionnaires. These questions should focus on the licensing models, cloud versus on-premises deployment models, hardware appliance versus virtual appliance deployments, available preconfigured reports versus customization capabilities, and other factors.

At this stage, businesses will get a fair understanding of the technologies and their functionalities, as well as how the vendors' offerings could work in the enterprise with respect to meeting the unique security requirements of the company and aligning with a vendor's product roadmap.

Once a high-level understanding is gained at the end of phase one, it's time to start moving to phase two, which requires digging deeper into the top five or six vendor offerings and drilling down into the details.

Stay tuned for part two of this series on user behavior analytics, which will explore additional phases of the deployment process, as well as enterprise benefits and uses of the technology.

Next Steps

Read more on the ingredients of a strong intrusion response plan

Discover how to monitor outbound network traffic for potential risks

Learn more about Windows hardening techniques for Windows 10

Dig Deeper on Security analytics and automation

Enterprise Desktop
Cloud Computing