User Behavior Analytics (UBA)

Wondering what this whole User Behavior Analytics (UBA) craze is really about? Think about your security implementation; could you predict where a breach may occur?

Verizon's most recent Data Breach Incident Report (DBIR) found that 74% of organizations feel vulnerable to insider attacks. A separate study conducted by the Carnegie Mellon University Software Engineering Institute showed that 30% of all respondents reported that incidents caused by insider attacks were more costly or damaging than outsider attacks. Often these attacks target personal information housed by organizations for financial gain or public defamation. The standard now is to protect your organization proactively, never reactively.

What does this mean for you? Well, you have to be able to predict, with a degree of certainty, when and where an attack may begin. Anticipating the future isn’t easy, to do so you’ll need data — relevant data, which is where User Behavior Analytics comes into the picture.

There are terabytes upon terabytes worth of data that can be pulled from a standard security implementation using SIEM systems. With these legacy solutions the most prominent question is always, “how do you make sense of it,” or “what is actually important here?”

User Behavior Analytics Tools arm organizations with the specific data needed to understand what typical user behavior looks like, which is then used to identify unusual, or suspicious behavior. In doing so, User Behavior Analytics systems collect data on how users interact with the devices, applications, and other digitally connected assets they’re given.

UBA data has value in every department within an organization. From security to sales, something can be learned from the data provided by User Behavior Analytics. Read on to see if UBA is right for your organization.

What is User Behavior Analytics

According to Gartner, UBA is UEBA (User and Entity Behavior Analytics), and it’s defined in the following way:

“User and entity behavior analytics offers profiling and anomaly detection based on a range of analytics approaches, usually using a combination of basic analytics methods (e.g., rules that leverage signatures, pattern matching, and simple statistics) and advanced analytics (e.g., supervised and unsupervised machine learning). Vendors use packaged analytics to evaluate the activity of users and other entities (hosts, applications, network traffic and data repositories) to discover potential incidents commonly presented as an activity that is anomalous to the standard profiles and behaviors of users and entities. Example of these activities includes unusual access to systems and data by trusted insiders or third parties and breaches by external attackers evading preventative security controls.”

On top of User and Entity Behavior Analytics, UBA is also known as security user behavior analytics (SUBA), and Network Traffic Analytics (NTA), no matter what you call it, the simplified definition of User Behavior Analytics is that it is the process of collecting data on the events generated by your users through their daily activity across different networks and devices, then leverages machine learning, algorithms, statistics and probability to organize that data into logical, useful analytics reports that highlight activity significant to the organization.

This knowledge helps businesses scale processes, ensure compliance rules are met, and more popularly, protects the organization against insider threats and aids with the investigation process in the event of a breach in security.

A Short History of User Behavior Analytics

User Behavior Analytics, an offshoot of Behavior Analytics, is a concept that began in the world of marketing, where products like Google Analytics provide organized reports of server activity logs, which granted marketers much greater insight into who did what while on their website. Granular insight into user interactions let marketers optimize for maximum conversion levels, which correlate with higher revenues.

Now, the same information is beginning to become more necessary and prevalent throughout every department in an organization, particularly regarding security, but also in human resources, sales, and any other process-driven sectors within an organization.

Organizations use data from UBA systems to help optimize individual workflows, understand employee engagement, and of course, to understand and analyze suspicious behavior and potential threats.

The Difference Between SIEM & UBA

SIEM or Security Information and Event Management systems are common core technologies for any security implementation; they provide real-time analysis of security alerts generated by applications and network hardware. These systems alert you to anything and everything that happens within your infrastructure. SIEM Systems collect log and event records from all of your other security systems such as user devices, network switches, firewalls, intrusion protection systems, servers and more, then puts them in one centralized location and analyzes the data. The main benefit here is that SIEM provides near real-time data analysis that uses correlation rules, whitelist matching, and statisical baseline devation to notify additional systems and teams of a noteworthy event.

UBA systems provide specific event data with historical activity data from the user, website, application, and machine, which provides more relevant alerts and a lot more context than just system events.

The biggest difference is this, SIEM applications use specified rules and inputs to analyze behavior in near real time and they're notoriously bad a spotting anomalous behvior outside those rules. UBA applications take a more long-term approach by analyzing behavior over long periods of time to only draw attention to truly anomalous behavior. With SIEM, anything and everything that meets our rules gets flagged in near real time, UBA highlights anomalous behavior based on a historical batch of activity data. SIEM systems offer what becomes a data lake, UBA systems provide data droplets or tactical data points.

Why do I Need User Behavior Analytics?

A 2017 report titled “2017 Cost of Cyber-Crime Study” from Accenture Security states that cyber-attacks show “no signs of slowing down,” and that the only way to stay ahead of them is to invest in innovation. On average, companies are losing more than $11.7 million per company due to cyber-crime, a 62 percent increase in just five years.

Across all emerging technologies, User Behavior Analytics has the second highest spend to cost savings ratio, second to only SI systems, which cost more than three times that of an average User Behavior Analytics system.

Old security methods are no longer effective. Your firewall is not 100% foolproof, your users give passwords to friends and family, rogue employees are lurking unnoticed, and you never know when a simple phishing scam could compromise a user’s account. This ever complex landscape means preventative measures are no longer enough in the world of security today.

Moreover, UBA can add much-needed context to your business intelligence systems by analyzing company-wide and individual workflows. These insights allow companies to then optimizing processes for higher output.

The world of business today is increasingly complex and competitive. In order for established businesses to remain competitive, organizations must constantly evaluate the inner workings of their organizations. At scale, organizations must ensure old processes do not become inefficient. For growing organizations, processes need to be monitored to be sure they scale properly.

How Does User Behavior Analytics Help Organizations?

Is User Behavior Analysis Only for Security Professionals?

Nope! While many people are finding early and obvious uses for user behavior data, some of the more savvy data scientists in the world are finding this information is particularly useful in discovering additional revenues hiding within their organization.

Many organizations experience growth, but few are currently prepared for it. In fact, a study by the Harvard Business Review found that 86% of business managers surveyed said their business processes and the resulting decisions have become so complex that they hinder the companies’ ability to grow in a digital economy.

When companies grow, old processes become inefficient at scale, which means the time value loss grows expentially as you hire more people and they continue to work through inefficient processes. To curb this loss in time value, organizations regularly perform a process called Business Process Mining.

Business Process Mining is the procedure of auditing data that speaks to how work gets done, looking for bottlenecks, then making a data-driven change to the process itself and measuring the resulting output. Business Process Mining can be invaluable while scaling your business, as it ensures the dollars spent on employee salary, tools and oversight is spent wisely.

User behavior data is ideal for performing business process mining because it captures everything that a user does on a computer. This information can be invaluable while preforming a process audit because it actually shows what happened, whether or not the processes are being followed, as well as when and where there is a deviation in the process, then how that deviation effected the output.

How do I Collect User Behavior Event Data?

As with traditional Behavior Analytics, User Behavior Analytics has a number of software technologies that can help organizations collect and analyze user behavior within an organization.

Choosing the right system is critical to your success. Many User Behavior Analytics products vary widely in the information they provide, and how the data is presented. These factors can profoundly influence the insights gathered from user behavior, and ultimately, the success of your implementation.

Pros of UBA

Of course, you already have a security system. If there is a hole, UBA will catch it so you can patch it. According to many leading industry experts, the only way to stay ahead of the curve is to invest in innovation to add to your security stack.

Cons of UBA

How to Get Started with User Behavior Analytics Tools

So, You’ve decided UBA is a good investment, how do you get up and running?

Begin with finding the right reason to invest in a User Behavior Analytics. Are you concerned about detecting threats? Are you worried about an insider threat? Is one department underperforming? Are employees within a department overworked? Are you concerned your processes are not scaling well with your company?

It’s important to ask the right questions before purchasing your UBA software, such as:

• What are our Needs?
• Is it providing the data you need?
• Is it tailorable to my needs?
• Can you extract the data you need?
• Can it integrate with your existing systems? How well?
• How long will the implementation take?
• How much of Implementation is on us? Can we do it?
• Can our Non-tech-savvy users work the program?
• Budget Considerations?
• What are our Needs?

It’s important to get the answers to these questions early in the investigation process, as they will be significant roadblocks if one of these questions remains unanswered.

In Short

UBA is the future of business security. If you’re currently relying on a SIEM system, you’re halfway there, but it’s easy to get lost in the constant barrage of meaningless notifications, you need something more specific. User Behavior Analytics give you security information that is tailored to your organization and prioritized by security risk. User Behavior Analytics Softwares use machines learning, algorithms, statistics, and other advanced data processing methods to develop baseline user profiles, which provide the benchmark for understanding and highlighting user risk. This gives companies that leverage User Behavior Analytics implementations a step ahead of their competition by keeping their security teams focused on the individuals and events that are more critical to the organization’s security.