Can User Behavior Analytics Help IT Security Mitigate Risk to Corporate Networks?

Make no mistake, corporate IT security teams have never been under more pressure than they are today. The cybersecurity skills gap continues to widen, remote workers continue to be a target for cybercriminals, and the dramatic uptake in cloud services and IoT devices continue to expand the corporate attack surface. At the same time, attackers are constantly sophisticating their techniques and leveraging advanced tools like machine learning.  

 As a result, it’s no longer a question of if you will be attacked, but when. And according to IBM’s Cost of a Data Breach Report 2021, it takes an average of 287 days to identify and contain a data breach. Concerningly, this is seven days longer than in 2020.  

So, how do we protect our corporate systems and boost network security in this increasingly hostile cyber landscape? User behavior analytics (UBA) could provide the answer.  

What Is User Behavior Analytics & Why Do We Need It?

While firewalls and similar tools do a good job of defending the network perimeter, companies struggle to pinpoint threats that come from real user accounts within the network. These could be insider attacks where an employee with authorized access knowingly or unknowingly abuses their privilege. Or it could be an external attacker conducting account takeover (ATO) fraud to infiltrate the network and move laterally to steal data or wreak havoc.  

In simple words, insider threats and ATO fraud highlight the need to adjust our IT security approach from solely maintaining the perimeter to defending against threats already lurking in the network. This is where user behavior analytics comes in.   

User behavior analytics examines user behaviors, habits, and patterns to model and predict their actions. By leveraging advanced profiling, organizations become better equipped to understand the difference between expected user behavior and anomalous behavior that could indicate a cyber attack. UBA gives us a baseline and looks for deviations from that baseline. It’s important to note that while UBA doesn’t stop a hacker from getting into your network, or an insider from misusing their privileges, it does help quickly identify unusual (and potentially nefarious) actions so you can take immediate action.  

UBA uses various analytics methods to achieve this. For example, basic techniques like rules-based signatures and pattern matching can be leveraged, as well as advanced analytics like supervised and unsupervised machine learning.  

You may have also heard the term UEBA, or user behavior and entity analytics. Research firm Gartner added the “E” a few years back to recognize the fact that we can also profile other entities besides users. Some examples could be managed and unmanaged endpoints, applications, networks, and various external threats.  

What’s the Difference Between SIEM & User Behavior Analytics?

You might be thinking that UBA sounds suspiciously similar to Security Information and Event Management (SIEM). And while you wouldn’t be entirely incorrect, you wouldn’t be right either. UBA and SIEM are close cousins, but they have some crucial differences.  

SIEM uses a complex set of tools and technologies to provide a comprehensive view of the security of your IT network. SIEM systems collect and log event records from user devices, firewalls, network switches, intrusion protection systems, servers, and more, to provide real-time analysis and alerts for everything happening within your network. So, why do you need UBA if you already have security analytics? 

Here’s the bottom line. SIEM systems are a core aspect of IT security for many organizations and a capable security management tool. However, they lack the intelligent threat detection and response needed to safeguard corporate systems today. SIEM systems typically spot correlations through predefined rules, so anything that falls outside these rules may be missed. This is one of the reasons why hackers are becoming increasingly adept at bypassing SIEM.  

At the same time, since SIEM solutions typically focus on log and event data, they don’t allow you to create a standard baseline in the highly accurate way UBA solutions do. Moreover, SIEM solutions typically focus more on real-time threats and are less successful at detecting extended attacks that can be equally as damaging.  

Using SIEM in user behavior analytics in conjunction can help organizations defend against threats much more effectively.  

The Pros and Cons of User Behavior Analytics

Let’s start with the pros.  

Better IT security management: Gaining a comprehensive insight into user activity and threat activity can tell security teams a lot about how attackers behave within the network. The IT security team can then use this information to develop better security strategies and guidelines.  

Identify compromised accounts: ATO presents a significant security risk for organizations today. With UBA, organizations can quickly detect account compromise and take immediate steps to prevent damage.  

True anomaly detection: UBA offers more accurate and timely detection and response than SIEM solutions alone by leveraging user behavior instead of just system events.  

Identify insider threats: Employees typically have access to sensitive data, and often, more of it than they need to do their jobs. UBA allows companies to understand who is accessing sensitive data and why.  

Reducing the attack surface: User behavior analytics can highlight any potential weak points within the network, empowering network security teams to make better decisions regarding reducing the attack surface.  

While user behavior analytics offers many benefits, it does have a few cons you need to consider. Namely, UBA can’t help you detect Black Swan events. Black Swan events are unpredictable and have severe consequences or widespread ramifications. 

An event must meet these two requirements to be considered a Black Swan. So, while a Tsunami might be devastating to local populations and wildlife (severe consequences), they’ve happened before plenty of times (not unpredictable). Some examples of Black Swans in the real world are the fall of the Soviet Union, both World Wars, and the 2008 financial crash.  

So, UBA can’t help you detect truly unpredictable events, but neither can SIEM or any other network security tool. And thankfully, Black Swan events are rare.  

The second thing to consider is that machine learning is in its infancy, which impacts how much trust people have in it. While machine learning tools have proven very effective in cybersecurity, many people, including high-ranking decision-makers, are still reluctant to adopt them. This is less a drawback of UBA and more something to consider if you want to implement UBA in the near future. Cybersecurity tools ultimately need the buy-in from senior staff.  

Final Thoughts 

So, rounding back to our first question: can user behavior analytics help IT Security mitigate risk to corporate networks? Yes, absolutely. UBA is an excellent addition to any corporate security stack. User behavior analytics technology is advancing every year and becoming increasingly sophisticated at mitigating threats inside the network.