Advertisment

User Behavior Analytics: Protect Your Business from Insider Threat

The insider threat is harming a lot of businesses user behavior analytics can help to detect the threat and protect your valuable data.

author-image
Ashok Pandey
New Update
User Behavior Analytics to Protect Your Business from Insider Threat

Every year multiple cyber attacks impact badly on businesses, small and large. Almost every company use different devices and software to protect themselves from these attacks, but what if the attacker sits inside the office?

Advertisment

According to Verizon's Insider Threat Report, 20% of cybersecurity incidents and 15% of the data breaches investigated within the Verizon 2018 DBIR originated from people within the organization. A survey, targeting manufacturing industry, found that 72% of respondents were vulnerable to insider threats.

Insider threat is becoming a major challenge for small and large enterprises. They are struggling to find the threat and protect their network. Here user behavior analytics plays an important role to identify the peril. In a discussion with Harhsil Doshi, Strategic Security Solutions Head, Forcepoint, we tried to look for the role of behavior analytics.

What is advanced user behavior analytics, the key aspects?

Advertisment

Behavior is a very broad term. All activities we carry out, irrespective of whether it is intended for work or not, all constitute behavior. To begin with, the behavior was never a cybersecurity subject. It was used by law enforcement agencies to profile people. There was a fair amount of psychoanalysis involved.

Cybersecurity is a stream of technology; it constitutes three aspects

Technology

Processes

People

Harhsil Doshi, Strategic Security Solutions Head, Forcepoint Harhsil Doshi, Strategic Security Solutions Head, Forcepoint

Advertisment

Over the last 7 to 8 years, there have been trillions of dollars invested by enterprises across the globe, into cybersecurity. Yet there is still a 95% success rate when it comes to attacks. This means that despite the investments and deployments of resources, the attackers are able to breach the organizations.

We delved deeper into this issue and realized that the problem is not external, but internal. This means that the individuals who want to steal an organization’s assets or exploit them do not go after infrastructure or processes, they go after the vulnerability of the human being.

This is where behavioral analytics is becoming increasingly popular in cyberspace. For example, an individual who is not familiar with working in a secure environment may click on a malicious link. This type of behavior is risky for an organization, and this risk is on the inside, not outside.

Advertisment

Now, when we look at behavioral analytics as a technology, it is essentially a method to assess human behavior across a set of vectors. Right from the time the employee enters the premise, punches their card, takes a coffee break, checks their emails, browse social media or speak on the phone; each intricate detail is used to assess behavior and bring out the intent of the individual.

This understanding helps organizations get into a predictive state of security, rather than going through a post mortem and investigate the incident. Advanced behavioral analytics is what takes the organization from a reactive state to a predictive state.

How does data analytics help in cybersecurity?

Advertisment

As I mentioned, enterprises, governments and small medium enterprises have been buying technologies to plug a specific gap. Let me give you an example, they buy an anti-virus solution because they do not want any malware attack from the endpoint, they install a firewall on their perimeters, so that no external attack can get into their organization, or they buy a proxy, so that they can control the kind of browsing that their end-users do.

Enterprises invest in specific technologies to address the problems they face. Yet, data breaches and enterprise espionage happen. These are the challenges faced, so what Forcepoint does is it profiles an individual and creates something we call as a baseline behavior.

For example, Harshil Doshi enters his office at 10 pm and then carries out certain tasks. This is his regular behavior. Now all of a sudden, one day there is a spike of events which are not very regular. He is drifting away from his regular behavior and adding to his risk score. This profiling has been the biggest challenge for enterprises.

Advertisment

We have moved from an industrial revolution to a digital revolution. If we rewind 50 to 60 years ago, there was not much digitization or automation. At that time supervisors had a personal connection with their subordinates, they would know all about their interests and their family life.

But since the digital revolution, automation has taken over many roles, and supervisors are often unaware of the number of people reporting to them, let alone the intricate details of their personality types. Visibility of what an individual does has gone down. This is the biggest challenge faced by enterprises, the lack of visibility.

The second challenge is that as enterprises are purchasing so many products for their organization, there is too much of information brought in from different security devices, that enterprises do not know what to do with all of it. This is known as ‘cyber fatigue’, there are millions of incidents that these security devices throw up.

Advertisment

Forget looking for a needle in a haystack, this is akin to searching for a needle in a stack of needles. Additionally, with the advent of the cloud, these challenges have grown more complex as employees and data are spread all across the globe.

Employees now have access to enterprise data from their personal devices. Businesses have expanded and have taken bold steps towards cloud adoption, mobility, roaming users, etc, but this has only made their security problems more complex.

As we all know that Gmail reads our emails and accordingly pushes advertisements and suggestions to us, what’s your take on this?

That is a fantastic example. Huge media companies like Google and Facebook have been profiling us for a very long time. This is one of their business strategies, to understand the cyber patterns of an individual, his needs, his buying patterns and so forth, to give them contextual information in terms of what to buy and where to buy from. This is something they have been carrying out for a very long time. Similarly, this technology needs to be cascaded to enterprises, governments and so on and so forth.

Data is the new oil; if you have the right information, you are king. Enterprises have a lot at stake, and their need is higher to identify the riskiest profiles. With regard to the information we collect, there is a limit to that. We can go as deep as collecting a voice call and understanding the sentiment of the user, whether the user is angry, the user is trying to violate processes, whether he is trying to do something malicious or whether he is just plain ignorant.

There are many inputs to profiling, such as physical movement, flight risk indicators, the users travel profile, the users' social media profile, and many other aspects that we can collect. This is an area of data science for behavioral analytics which is used to form baseline machine learning.

Machine learning aims at self-understanding or self-learning how an individual behaves, creates a volumetric baseline over a period of time, and then gives you a prioritized risk core.

For example, for a customer who has over 40,000 employees, it is practically impossible to look at the events of all 40,000 at one point. To combat this, what we do is prioritize and create a risk score for every user in comparison to themselves, to their peers and to the entire organization.

We present a list of top 4 to 5 risky users within the organization, in comparison to how much they deviate from their own baseline. We examine the kind of risky activities they have done to see if they fall into the red zone. This makes it very simple for the incident analyst or security analyst as they have to only focus their energies on the riskiest users rather than looking at the plethora of incidents. This is what we offer.

forcepoint threat