Behavioral Analytics is a term that has been tossed around the cybersecurity world in the last couple of years. So what are they? Well, traditionally, Behavioral Analytics are analytics that businesses use to focus on consumer trends, patterns, and activities. Humans are typically creatures of habit, and our use of the Internet is no different. By developing and deploying analytics that baseline an individual’s behaviors and trends, companies are able to personalize marketing efforts, improve the customer experience, and even alter product offerings to suit a customer’s particular tastes. However, Behavioral Analytics don’t need to be limited to analyzing customer behaviors. In fact, applying them to cybersecurity can make the difference between suffering a major breach and warding off an attack.
A big mistake organizations tend to make is limiting their use of cybersecurity Behavioral Analytics to their employees alone. Because behavior is often associated with human activity, it is easy for companies to focus simply on user actions, establishing a baseline of user activity and looking for anomalies in order to identify insider threats or compromised credentials. However, Behavioral Analytics have far more potential in the cybersecurity space.
The fix? Applying Behavioral Analytics to Not One, But Three Areas
In a corporate enterprise, we typically have three domains that need to be monitored: the network, the users, and the assets. Applying Behavioral Analytics to each of these individually is valuable in helping us understand and baseline normal behaviors. For example, a typical asset on the network is designed and structured to carry out particular functions. Through Behavioral Analytics we can develop an understanding of how frequently certain processes and applications on a device are used, who accesses the asset and how often, what other devices the asset communicates with, and so on. Once the baseline is established, we can alert on statistical anomalies and investigate why such events may have happened. As these events are investigated, what is learned can be fed back into the system, and our monitoring gets smarter. In many instances, we are able to identify malicious activity on the asset and remediate the event.
More Data Leads to More Questions
However, even that example alone leaves us with a lot of questions. How did the anomalous event occur in the first place? Was there a user who initiated it? Were other devices also infected or accessed? And so on. Not only that, but there is still a chance that we have a false positive. Perhaps the anomalous behavior on the asset looked malicious but was really benign (or vice versa). Focusing only on asset activity or monitoring and analyzing events in a silo limits the context and prevents event correlation.
The Solution: Data Correlation
To maximize the use of Behavioral Analytics in security operations, we have to look at behaviors across all three domains AND marry them together. Correlating behaviors enables us to get the whole picture of what is occurring in the enterprise and to identify truly anomalous activity. In a data breach scenario, it allows us to understand how many and which specific devices were compromised, how the attacker got in, what data may have been taken from the network, how long the hacker was on the network, and what exactly needs to be cleaned.
Sifting Data: Finding Threats in Piles
To further automate and optimize our analytics, it is important to employ both supervised and unsupervised learning. Supervised learning is generally how Behavioral Analytics work. In these cases, the analytic is coded to look at specific types of data, baseline that data, and look for anomalies outside of the norm. Going back to our asset example, if we want to identify behavioral anomalies in how much data an asset normally transfers in and out in a given day, the analytic is coded to read that specific data. It baselines the normal range and then alerts when a day’s value falls outside that range.
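The asset example above as an added, runnable illustration (not code from the original post or from Security On-Demand): a per-asset daily transfer-volume baseline built with median and median absolute deviation, alerting when a day falls outside the learned range. The byte counts are constructed sample values, and the window, threshold and floor parameters are illustrative choices, not figures from the page.

```python
"""Supervised-style behavioral baseline for one asset's daily transfer volume."""
from statistics import median

# Constructed sample: bytes transferred per day for one asset over 14 days.
# Weekend days are low by design; day 12 is a deliberately large spike.
SAMPLE_DAILY_BYTES = [
    1.1e9, 1.3e9, 0.9e9, 1.2e9, 1.0e9, 0.2e9, 0.1e9,   # week 1
    1.2e9, 1.1e9, 1.4e9, 1.0e9, 1.3e9, 8.9e9, 0.2e9,   # week 2 (spike on day 12)
]


def baseline(history):
    """Return (median, MAD) for a learning window.

    Median and median absolute deviation are used instead of mean/stddev so a
    single outlier inside the learning window does not inflate the norm."""
    med = median(history)
    mad = median(abs(x - med) for x in history)
    return med, mad


def is_anomalous(value, med, mad, threshold=3.5, floor=1e6):
    """Flag a value more than `threshold` robust deviations from the baseline.

    1.4826 rescales MAD to be comparable to a standard deviation; `floor`
    stops a near-zero MAD (a flat history) from turning every small change
    into an alert."""
    scale = max(1.4826 * mad, floor)
    return abs(value - med) / scale > threshold


def detect(daily_bytes, window=7):
    """Walk the series day by day, baselining on the preceding `window`
    clean days and reporting (day_index, value, baseline_median) for
    anomalous days. Anomalous days are excluded from later baselines so a
    spike does not quietly become the new normal."""
    alerts = []
    clean = list(daily_bytes[:window])
    for day, value in enumerate(daily_bytes[window:], start=window):
        med, mad = baseline(clean[-window:])
        if is_anomalous(value, med, mad):
            alerts.append((day, value, med))
        else:
            clean.append(value)
    return alerts


if __name__ == "__main__":
    for day, value, med in detect(SAMPLE_DAILY_BYTES):
        print(f"day {day}: {value:.2e} bytes vs baseline median {med:.2e}")
```

Only the spike on day 12 is reported; the low weekend days stay inside the range because the learning window already contains weekend values.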
However, more valuable, yet more complicated, is unsupervised learning. According to “Machine Learning Mastery”: “The goal for unsupervised learning is to model the underlying structure or distribution in the data in order to learn more about the data. These [models] are called unsupervised learning because unlike supervised learning above there are no correct answers and there is no teacher. Algorithms are left to their own devices to discover and present the interesting structure in the data.”
Algorithms: The Parent of Unsupervised Learning and Advanced Behavioral Analytics
Simply stated, an algorithm is released among the data and it learns. It looks at all the data, establishes baselines, and then looks for anomalies. To paraphrase Forrest Gump, “it’s like a box of chocolates, you never know what you are going to get.” Unsupervised analytics add considerable value to security operations because they largely automate the hunting process and help us discover those “unknown unknowns”. However, they also require patience and understanding and, like anything worthwhile, they take some time to learn. Many of the anomalies discovered may be innocuous and outside the scope of security operations. That’s ok. The intent is to find anomalies, with the expectation that among them will be malicious activity we would otherwise miss (the proverbial needle in the haystack). Once those malicious anomalies are discovered, we turn them into supervised behavioral analytics. Essentially, the unsupervised analytic becomes our discovery tool.
Simply applying one facet of Behavioral Analytics isn’t enough. There are too many variables and too many threats. The true definition of Behavioral Analytics must be its application to all three levels – asset, user, and network – to find threats quickly, thoroughly, and before they have the chance to do any damage.
About Security On-Demand
Security On-Demand is an industry pioneer and recognized innovator within the managed security space. We are leading the industry in threat detection through behavioral analytics and machine learning.