Don't Let Outliers Sabotage Your Cybersecurity Analytics

Cybersecurity analytics must balance the lessons of user behavior with the need to maintain service levels for workers while always assuming that the intruder is already inside the network.

Lisa Morgan, Freelance Writer

March 10, 2017

4 Min Read

Cybersecurity analytics solutions are becoming more intelligent and nuanced to understand anomalous behavior that's outside the norm and potentially dangerous. Identifying outliers is important, but not every outlier is a threat, nor is every threat an outlier.

"Companies have made hundreds of millions of dollars building tools that look for behavior that's outside a rule or a set of parameters," said Jason Straight, SVP of Cyber Risk Solutions and chief privacy officer at legal outsourcing services provider United Lex. "For machines that works pretty well, for people it doesn't."

Tracking behavior at the machine level can be as simple as monitoring the number of packets sent to and from a particular machine.

Humans behave differently in different contexts. For example, many of us usually work at particular office Monday through Friday during "normal" work hours. However, if we're traveling internationally, we're probably accessing the same corporate network, albeit at a different time from a different IP address that's located somewhere else in the world.

A rule-based system could be programmed to disallow network access under those conditions, but traveling professionals wouldn't get much work done. The trick is to balance the needs of users and the business against potential threats.

"Instead of setting a bunch or rules that say if someone logs in from an IP address that they've never used before, at a time they've never logged in before, and they're accessing part of the network they've never used before, that's a complicated rule that would require constant updating and it would be impossible to manage on a person-by-person basis," said Straight.

User Behavior Analytics Can Help

Enterprise security budgets have been heavily focused on keeping outside threats at bay, but more enterprises are realizing that to protect their assets, they need to assume that their network has been hacked and that there's an active intruder at work.

Similarly, when the average person thinks about a cybersecurity breach, hackers come to mind. However, insiders are a bigger problem. In addition to being responsible for more security breaches than hackers, insiders fail their companies accidentally and willfully.

"If I see a server doing something funny, I can shut it down, take it offline, or reroute the traffic, which doesn't disrupt an organization much or at all," said Straight. "If I do that to people, that could be really disruptive."

User behavior analytics are an effective mechanism for insider threats because they're able to model a user's behavior. For example, when an employee is getting ready to leave a job, that person usually visits certain websites and updates her resume, which isn't the best use of company assets, but it doesn't justify security intervention. However, when that employee starts downloading files to USB drives, uploading files to file-sharing services, and printing volumes of information, intervention is may necessary.

Monitoring a single user doesn't always tell the entire story, however, which is why user behavior analytics enable users to see what an individual is doing within the context of a group. For example, if someone in marketing accessed a part of the network she's never visited before, that's strange. Whether it actually requires action or not may depend on whether others in her department have accessed that same part of the network and if so, when.

While such capabilities sound attractive, many organizations are failing to get value they expected from user behavior analytics, despite spending seven figures, because they don't know how to handle the alerts and intelligence, Straight said.

User behavior analytics can also help determine whether someone's login credentials have been stolen. Unlike traditional rule-based systems, user, machine learning, and AI are used to model an authorized user's behavior and that behavior is associated with that person's login credentials. If someone else tries to use the same User ID and password, her behavior indicates the account has been compromised.

"That's when you start to see an account that's never really used more than a departmental server suddenly scanning the entire network, trying to get into different places and being denied access," said Straight.

Think First

Before investing in a new security tool, it's essential to understand the problem you're trying to solve, which is true of any technology. Different security tools serve different purposes.

"Do you want to understand problems you haven't identified or are you trying prevent data leakage?" said Avivah Litan, vice president and distinguished analyst at Gartner. "You have to be real clear, and then you also need to spend some time training the models and supervising them."

What's your experience? Is your company's cybersecurity getting more sophisticated? If so, how and what still needs to be improved?

About the Author

Lisa Morgan

Freelance Writer

Lisa Morgan is a freelance writer who covers business and IT strategy and emerging technology for InformationWeek. She has contributed articles, reports, and other types of content to many technology, business, and mainstream publications and sites including tech pubs, The Washington Post and The Economist Intelligence Unit. Frequent areas of coverage include AI, analytics, cloud, cybersecurity, mobility, software development, and emerging cultural issues affecting the C-suite.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like


More Insights