The Missing Link for User Behavioral Analytics: Focus on Sensitive Data
To address these shortcomings, security analytics solutions are starting to incorporate user behavioral analytics (UBA).
What is User Behavior Analytics?
User Behavioral Analytics has been used in disciplines outside of security: to understand the customer experience or buying patterns, to improve ad targeting, and to identify fraudulent activity. In the context of security, Gartner defines user behavioral analytics as profiling and anomaly detection based on machine learning. UBA profiles and baselines a user's activities and those of their peers to establish what constitutes that individual's normal vs. unusual behavior. Entities other than users may also be profiled, such as devices, applications, and endpoints. The distinguishing feature of UBA is its use of machine learning and statistical models, rather than rules alone, to detect abnormal user behavior that could be a threat. Machine learning makes it possible to identify previously unknown patterns, reduces the false positives triggered by static rules that do not adapt to each user or to changing behavior, and removes the need to define a rule for every potential violation.
How is UBA Focused on Sensitive Data Different from Other UBA?
Some network gateway, Security Information and Event Management (SIEM) and endpoint security solutions are starting to incorporate UBA into their threat detection capability. The UBA built into these solutions mainly analyzes events and logs from networks and endpoints. It detects threats from malware on endpoints, attacks coming through network firewalls, and exfiltration activity exposed by scanning network packets.
While UBA applied at the network and endpoint layers is useful for defense in depth, additional context can be brought to bear when UBA is applied around the data itself, especially when that data is sensitive: the location and device from which the data is accessed, what other data is accessed in the same session, the volume retrieved, the typical access pattern for similar data and data stores, and the time and seasonality of access. Information about the data itself, such as its level of sensitivity, its provenance, and how the user typically accesses the data and the data store, gives further indication of whether an activity is abnormal. Access across multiple related data stores can also be analyzed together for additional context.
What Benefits Can You Get from a Data Focused UBA?
Applying UBA at data store access points (databases, file repositories, applications, and so on) provides context that is not available at the network and endpoint layers. With that context, you can better baseline an insider's normal vs. unusual behavior and detect malicious or rogue insiders as well as activity from stolen credentials, which would not be apparent from analyzing network activity alone. The type of attack carried out by a privileged user like Snowden can only be detected by applying UBA to the data and data stores he accesses.
A data-focused UBA baselines the user's behavior against the specific data stores, the types of data, and the access patterns for that data. Abnormal behavior in the characteristics, volume, and combination of data or data stores an employee accesses is more likely to be detected by a data-focused UBA. The additional context supports greater detection accuracy, which in turn allows more timely protection or remediation of potential threats to sensitive data.
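As an added illustration, not code from the original post or from any product it describes, the following Python builds the kind of per-user, per-data-store baseline described above and scores new access events against it. Every event is constructed sample data; the sensitivity labels, feature weights, the robust z-score threshold of 3 and the peer-group logic are all assumptions chosen for the demonstration, not a published algorithm.

```python
"""Toy data-focused UBA: baseline each user's access to data stores, then score
new events on volume, data store, time of day and device. All events below are
constructed sample data, not real access logs."""
from collections import defaultdict
from dataclasses import dataclass
import math
import statistics


@dataclass(frozen=True)
class AccessEvent:
    user: str
    role: str          # peer group used for comparison (assumed attribute)
    store: str         # data store or table accessed
    sensitivity: str   # classification label of the store (constructed labels)
    rows: int          # rows returned by the query
    hour: int          # hour of day, 0-23
    device: str        # device or host the access came from


class DataAccessBaseline:
    """Per-user profile built from historical access events."""

    def __init__(self, min_history=3):
        self.min_history = min_history
        self.volumes = defaultdict(list)     # (user, store) -> log(rows+1) samples
        self.hours = defaultdict(set)        # user -> hours of day seen
        self.devices = defaultdict(set)      # user -> devices seen
        self.stores = defaultdict(set)       # user -> stores seen
        self.peer_stores = defaultdict(set)  # role -> stores seen across peers

    def fit(self, events):
        for e in events:
            self.volumes[(e.user, e.store)].append(math.log1p(e.rows))
            self.hours[e.user].add(e.hour)
            self.devices[e.user].add(e.device)
            self.stores[e.user].add(e.store)
            self.peer_stores[e.role].add(e.store)
        return self

    def score(self, e):
        """Return (score, reasons); a higher score means a more anomalous event."""
        score, reasons = 0.0, []
        # Deviations around sensitive stores count double (assumed weighting).
        weight = 2.0 if e.sensitivity in ("pii", "confidential") else 1.0

        if e.store not in self.stores[e.user]:
            if e.store in self.peer_stores[e.role]:
                score += 1.0 * weight
                reasons.append("new store for user, but peers use it")
            else:
                score += 3.0 * weight
                reasons.append("store never used by user or peers")
        else:
            samples = self.volumes[(e.user, e.store)]
            if len(samples) >= self.min_history:
                # Robust z-score on log volume: median/MAD resists outliers
                # in the history itself; 1.4826 scales MAD to a std-dev.
                med = statistics.median(samples)
                mad = statistics.median(abs(s - med) for s in samples) or 0.1
                dev = (math.log1p(e.rows) - med) / (1.4826 * mad)
                if dev > 3.0:
                    score += min(dev, 10.0) * weight
                    reasons.append(f"volume {dev:.1f} robust-z above user's norm")

        if e.hour not in self.hours[e.user]:
            score += 1.0
            reasons.append("unusual hour for user")
        if e.device not in self.devices[e.user]:
            score += 1.5
            reasons.append("device never seen for user")
        return round(score, 2), reasons


# Constructed history: alice pulls ~100 customer rows each morning from her
# laptop; bob, a peer analyst, works on the orders store in the afternoon.
HISTORY = [
    AccessEvent("alice", "analyst", "customers_pii", "pii", r, h, "laptop-alice")
    for r, h in [(100, 9), (110, 10), (90, 11), (105, 9), (95, 10)]
] + [
    AccessEvent("bob", "analyst", "orders", "internal", 2000, 14, "laptop-bob")
    for _ in range(3)
]

# Constructed events to score: a routine query, a bulk dump of the PII store,
# an off-hours read of a store nobody on the team uses from an unknown host,
# and a first use of a store that peers already use.
ROUTINE = AccessEvent("alice", "analyst", "customers_pii", "pii", 120, 10, "laptop-alice")
BULK_DUMP = AccessEvent("alice", "analyst", "customers_pii", "pii", 500000, 10, "laptop-alice")
STOLEN_CRED = AccessEvent("alice", "analyst", "hr_salaries", "confidential", 40, 3, "unknown-host")
PEER_STORE = AccessEvent("alice", "analyst", "orders", "internal", 50, 10, "laptop-alice")


def build_baseline():
    return DataAccessBaseline().fit(HISTORY)


def flag_events(baseline, events, threshold=3.0):
    """Return [(event, score, reasons)] for events scoring at or above threshold."""
    out = []
    for e in events:
        s, why = baseline.score(e)
        if s >= threshold:
            out.append((e, s, why))
    return out


if __name__ == "__main__":
    b = build_baseline()
    for e, s, why in flag_events(b, [ROUTINE, BULK_DUMP, STOLEN_CRED, PEER_STORE]):
        print(f"{e.user} -> {e.store} score={s}: {'; '.join(why)}")
```

The point of the example is the context that only the data layer has: the same two queries look identical to a network sensor, but the baseline separates a routine 120-row read from a half-million-row dump of the same PII table, and a read of a store that neither the user nor any peer has touched, at 3 a.m. from an unknown host, scores highest of all.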
Just as applying prevention, detection, and analytics at different layers of security provides defense in depth, applying UBA at the different layers, especially the layer closest to the data, yields additional insight for higher accuracy and faster detection. For this reason, look for user behavioral analytics capabilities in your data security solutions as well.
Reference: Gartner, Market Guide for User and Entity Behavior Analytics, Avivah Litan, September 22, 2015.