What is it?
A form of anomaly detection that analyzes and correlates user activity on a computer or network to identify events and patterns that may require further investigation.
Why is it important?
Behavioral monitoring helps security teams quickly pinpoint unusual activity and act upon it. Also known as user and entity behavior analytics (UEBA), behavioral monitoring gathers data to build profiles for different types of users. It can then use those profiles to identify and flag potential threats. It has the potential to catch emerging threats before traditional, signature-based tools.
Why does a business professional need to know this?
Behavioral monitoring is an increasingly important tool for identifying and defending against cyberattacks that is becoming a larger part of security budgets. Gartner predicts that
60% of enterprise information security budgets will be allocated to rapid detection and response approaches by 2020, up from less than 10% in 2014(Moore 2016).
A behavioral monitoring system collects and uses data to build profiles for particular types of users based on role or location. Once profiles are built and activated, significant deviations from the profiles alert security analysts to the need for further review.
Here are some examples:
A remote employee usually accesses the virtual private network (VPN) from her home and from a nearby coffee shop. In the space of 30 minutes her login credentials are used from two different cities on different continents. Behavioral monitoring tools can detect the credentials being used from two places thousands of miles apart and raise an alert.
An accounts payable clerk usually works in the corporate office between 8 AM and 6 PM, Monday through Friday. As part of his usual work, he accesses the accounting system, a shared finance folder, the company intranet, and the inventory system. On his lunch break, he usually reads political news websites and occasionally listens to streaming news broadcasts during the day. Behavioral monitoring would flag these actions:
- Logging in from a different location
- Attempting to access different systems or files (source code, human resources files, or mergers and acquisitions information)
- Logging in at 1 AM
- Connecting to servers in China or Russia
Any of these activities taken alone could be legitimate user behavior that a security analyst could verify by talking to the user. Taken together, these events could indicate a security compromise. Behavioral analysis allows companies to move quickly to respond to threats and stop attackers before they can exfiltrate data or cause damage to the company’s systems and data.
- (Zurkus 2015) User entity behavior analytics, next step in security visibility: Zurkus, Kacy (2015). CSO Online.
- (Moore 2016) Prepare for the Inevitable Security Incident: Moore, Susan (2016). Gartner.