Behaviors Can Say a Lot, Even in Cybersecurity

As cybersecurity woes grow and the challenges of locking down an enterprise increase, organizations are searching for more sophisticated ways to prevent breaches and break-ins. One method that’s gaining traction is behavioral analysis, which focuses on detecting suspicious network or user behavior. “The ability to detect abnormal behavior can aid significantly in securing data,” said Paul Calatayud, chief security officer, Americas, at Palo Alto Networks.

These methods typically revolve around two primary concepts: Network Behavior Analysis (NBA) and User Behavior Analytics (UBA). “Behavioral analysis [provides] baseline tuning for a security-information and event-management approach,” explained Paul Hill, a senior consultant at SystemsExperts Corporation, an independent security-consulting firm based in Sudbury, Massachusetts. Integrating various sources of data and information—ranging from network activity to employee travel patterns—can help an organization confront the hardships of today’s cybersecurity environment, he said.

How and where does behavioral analysis work best? What exactly can it detect? And how can an organization put the concept to work with maximum results? While there are no simple answers, security experts agree that it’s a valuable tool in the security arsenal. “Behavioral analysis puts a sharp lens to security data,” Calatayud noted.

Acting out

Understanding who is using a network, how they are using it, and whether the actions and activity are acceptable is at the heart of behavioral analysis. The technology relies on packet detection, signature detection, log analysis, and advanced analytics—as well as artificial intelligence (AI) techniques—to detect and block attempts to breach an organization. With a benchmark for “normal” user actions or network traffic, it’s possible to identify when something falls outside a regular pattern and, if necessary, take further action.

The goal is to improve overall detection rates for questionable activities and cut down on false positives. As Calatayud explained: “The problem with many conventional methods is that security revolves around detecting, alerting, and locking systems based on threats. Behavioral analysis attempts to refine this blunt-force approach. It looks for abnormalities that have a much higher likelihood of actually becoming a real problem.”

Behavioral analysis uses specialized algorithms and machine-learning methods. It also can incorporate a broad Security Information and Event Management (SIEM) framework that helps organizations link multiple technologies and gain a more holistic view of the entire security stack.

Behavioral analysis is ideal for detecting certain types of anomalies:

  • Schedules. Many employees work on a regular schedule. If an employee logs in or network activity occurs outside “normal” hours, it’s possible that a threat exists. This might trigger further investigation or an additional layer of authentication.
  • Applications. An employee using unusual or unauthorized applications can be a red flag. This might include a different browser or a cloud application, such as Evernote or Dropbox, which sends data to other devices. Even relatively secure application platforms, such as Office 365, can present data-storage dangers or regulatory risks.
  • Geography. If an employee has logged on to the network from an irregular IP address or geographic location, it could warrant further attention. Ditto for someone using an unusual Wi-Fi network. An employee working in Seattle shouldn’t display an IP address in Boston or Brussels. Likewise, the use of different or changing IP addresses could indicate that the user is using a virtual private network (VPN) to mask the true location for some reason.
  • Devices. A login from an unknown device—one that has a different machine ID—can be a cause for alarm. A thief could be using stolen credentials to access data. A public computer also introduces risks.
  • Device behavior. One of the more intriguing aspects of behavioral analysis has to do with the speed at which people type, their typing patterns, and how they move their mouse and handle other tasks at a computer, smartphone, or tablet. Any anomaly here could generate an alert.
  • Networks. Being sure that your security team understands how data flows under normal conditions can also make anomalous behavior apparent. Network-based behavioral analysis focuses on a core concept: “‘What does a good network look like?’” Calatayud said. “With a clear fingerprint for normal activity, it’s difficult for adversaries to conform to normal network behavior and avoid detection. They stand out.” This approach can spot unusual application behavior, when someone—say a medical worker—is sharing data in an inappropriate or illegal way, or when previously unseen packets—which could represent malware—have suddenly appeared.
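As an added illustration (not code from the article or from any vendor it quotes), the following Python builds a simple per-user baseline from constructed login records and flags the schedule, device, and geography deviations listed above. All user names, device IDs, and timestamps are made up; real UBA products use statistical models rather than plain set membership, but the detection logic is the same in spirit.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample login records: (user, ISO timestamp, device id, source country).
# BASELINE stands in for a few weeks of known-good history; NEW_EVENTS are checked against it.
BASELINE = [
    ("alice", "2024-03-04T09:02:00", "dev-a1", "US"),
    ("alice", "2024-03-05T08:55:00", "dev-a1", "US"),
    ("alice", "2024-03-06T17:40:00", "dev-a1", "US"),
    ("bob",   "2024-03-04T22:10:00", "dev-b1", "DE"),
    ("bob",   "2024-03-05T23:05:00", "dev-b2", "DE"),
]
NEW_EVENTS = [
    ("alice", "2024-03-25T10:15:00", "dev-a1", "US"),   # within the usual pattern
    ("alice", "2024-03-26T03:12:00", "dev-a1", "US"),   # off-hours login
    ("alice", "2024-03-26T09:30:00", "dev-zz", "BE"),   # unknown device and new country
    ("bob",   "2024-03-25T22:30:00", "dev-b2", "DE"),   # within the usual pattern
]

def build_baseline(events):
    """Per-user profile: hours seen logging in, known device IDs, known countries."""
    profile = defaultdict(lambda: {"hours": set(), "devices": set(), "countries": set()})
    for user, ts, device, country in events:
        p = profile[user]
        p["hours"].add(datetime.fromisoformat(ts).hour)
        p["devices"].add(device)
        p["countries"].add(country)
    return profile

def score_event(profile, event, slack=1):
    """Return the list of reasons an event deviates from the user's baseline (empty if none)."""
    user, ts, device, country = event
    p = profile.get(user)
    if p is None:
        return ["unknown user"]
    hour = datetime.fromisoformat(ts).hour
    # In-schedule means within `slack` hours of a previously seen login hour, wrapping at midnight.
    near = lambda h: min(abs(hour - h), 24 - abs(hour - h)) <= slack
    reasons = []
    if not any(near(h) for h in p["hours"]):
        reasons.append("off-hours login")
    if device not in p["devices"]:
        reasons.append("unknown device")
    if country not in p["countries"]:
        reasons.append("new location")
    return reasons

def detect(baseline, events):
    """Return [(event, reasons)] for every event that triggers at least one rule."""
    profile = build_baseline(baseline)
    flagged = []
    for e in events:
        reasons = score_event(profile, e)
        if reasons:
            flagged.append((e, reasons))
    return flagged
```

In practice the flagged list would feed a SIEM or trigger the step-up authentication the Schedules bullet mentions, rather than block outright.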

Although each of these methods can provide valuable insights, behavioral analytics becomes more powerful when an organization tracks several or all of these factors simultaneously.

Eliminating bad behavior

There’s no one-size-fits-all approach for using a behavioral analysis framework, Hill said. It’s important for your security team to understand how and where it can benefit an organization. Integrating information about employee time off and travel with a SIEM, for instance, can be very useful in some circumstances. Creating a model of normal network behavior and identifying when anomalies are taking place can greatly enhance protection.

However, Hill pointed out that an initiative must be “ongoing, and it can be resource intensive.” Moreover, some companies might find that there is a “small ROI” associated with behavioral analysis. Nevertheless, behavioral analysis introduces a more sophisticated cybersecurity framework. “It drives business outcomes that can extend beyond security,” Calatayud concluded.

Vinod Khosla, a co-founder of Sun Microsystems and CEO of the strategic venture assistance firm Khosla Ventures, pointed out in a recent Forbes article that behavioral analysis introduces “intelligent continuous monitoring.” He said: “It’s time to break away from business as usual and remember the universal truth: identify abnormal behavior.”