New Cyber Defense Brand DeepSeas to Unite Newly Acquired Commercial Managed Threat Services Business from Booz Allen Hamilton with Security On-Demand. Learn More

What are Behavioral Analytics? And What are the Benefits?

Behavioral Analytics is a term being tossed around the cybersecurity world in the last couple of years. So what is it? Well, traditionally, Behavioral Analytics are analytics that businesses use that focus on consumer trends, patterns, and activities.  Humans are typically creatures of habit and our use of the Internet is no different.

Through developing and deploying analytics that baseline an individual’s behaviors and trends, companies are able to personalize marketing efforts, improve the customer experience, and even alter product offerings to suit a customer’s particular tastes.  However, Behavioral Analytics doesn’t need to be limited to just analyzing customer behaviors. In fact, applying them to cybersecurity can determine the difference between a major breach and warding off an attack.

A big mistake organizations tend to make is limiting cybersecurity Behavioral Analytics use to be used only on their employees.  Because behavior is often associated with human activity, it is easy for companies to simply focus on user actions to identify insider threats or compromised credentials by establishing a baseline of user activity and looking for anomalies.  However, Behavioral Analytics has so much more potential in the cybersecurity space.

5 Benefits to Using Behavioral Analytics in Cybersecurity

  1. Smarter security monitoring
  2. Generates insights for asking the right questions
  3. Capacity to correlate data across systems
  4. Automate and avoid using manpower
  5. Opens the doors to more powerful analytics and machine learning models

1. Smarter Security Monitoring

The fix? Applying Behavioral Analytics to Not One, But Three Areas. In a corporate enterprise, we typically have three domains that need to be monitored: the network, the users, and the assets.  Applying Behavioral Analytics to each of these individually is valuable to help us understand and baseline normal behaviors.  For example, a typical asset on the network is designed and structured to carry out particular functions.  Through Behavioral Analytics we can develop an understanding of how frequently certain processes and applications on a device are used, who accesses the asset and how often, what other devices the asset communicates with, and so on.  Once the baseline is established, we can now alert on statistical anomalies and investigate why such events may happen. As these events are investigated such learning can be turned around back into the system and our monitoring gets smarter.  In many instances, we are able to identify malicious activity on the asset and remediate the event.

2. Generates Insights for Asking the Right Questions 

More Data Leads to More Questions. However, even that example alone leaves us with a lot of questions. How did the anomalous event occur in the first place? Was there a user who initiated it?  Were other devices also infected or accessed? And so on.  Not only that, but there is still a chance that we have a false positive.  Perhaps the anomalous behavior on the asset looked malicious but was really benign (or vice versa).  Focusing only on asset activity or monitoring and analyzing events in a silo limits the context and prevents event correlation.

3. Capacity to Correlate Data Across Systems

Correlate the data and marry them together. To maximize the use of Behavioral Analytics in security operations, we have to look at behaviors of all three domains AND marry them together.  Correlating behaviors enable us to get the whole picture of what is occurring in the enterprise and to identify truly anomalous activity. In a data breach scenario, it allows us to understand how many and which specific devices were compromised, how the attacker got in, what data may have been taken from the network, how long the hacker was on the network, and what exactly needs to be cleaned.

4. Automate and Avoid Using Manpower

Sifting Data: Finding Threats in Piles. To further automate and optimize our analytics it is important to employ both supervised and unsupervised learning. Supervised learning is generally how Behavioral Analytics work.  In these cases, the analytic is coded to look at specific types of data, baseline that data, and look for anomalies outside of the norm.  Going back to our asset example, if we want an asset to identify behavioral anomalies on how much data is normally transferred to and from the system in a given day, the analytic is coded to read that specific data. It baselines the normal range and then alerts when that norm range is exceeded.

However, more valuable, yet more complicated, is unsupervised learning.  According to “Machine Learning Mastery”: “The goal for unsupervised learning is to model the underlying structure or distribution in the data in order to learn more about the data. These [models] are called unsupervised learning because unlike supervised learning above there are no correct answers and there is no teacher. Algorithms are left to their own devices to discover and present the interesting structure in the data.”

5. Opens the Doors to More Powerful Analytics and Machine Learning Models

Algorithms: The Parent of Unsupervised Learning and Advanced Behavioral Analytics. Simply stated, an algorithm is released among the data and it learns.  It looks at all the data, establishes baselines, and then looks for anomalies.  To paraphrase Forrest Gump, “it’s like a box of chocolates, you never know what you are going to get.”  Unsupervised analytics add considerable value to security operations because it largely automates the hunting process and helps us discover those “unknown unknowns”.  However, they also require patience and understanding and, like anything worthwhile, they take some time to learn. Many of the anomalies discovered may be innocuous and outside the scope of security operations.  That’s ok.  The intent is to find anomalies, with the expectation being that among those anomalies will be malicious activity that we would otherwise miss without them (the proverbial needle in the haystack). Once those malicious anomalies are discovered, we turn those into supervised behavioral analytics. Essentially, the unsupervised analytic becomes our discovery tool.

Simply applying one facet of Behavioral Analytics isn’t enough.  There are too many variables and too many threats. The true definition of Behavioral Analytics must be the application of it to the three levels – asset, user, and network – to find threats quickly, thoroughly, and before they have the chance to do any damage.

About Security On-Demand

Security On-Demand (SOD) provides full-spectrum threat management and advanced cyber threat detection services for hundreds of businesses and government agencies globally. SOD’s patented, analytics technology enables the detection of advanced threats to protect brand value and reduce the risk and mitigate the impact of a data breach. SOD is headquartered in San Diego, CA with an international R&D office and Security Operation Center in Warsaw, Poland.