How to: Get started with Behaviour Analytics

Thursday, 22 February, 2018 In Editorial, Featured News

That’s strange… he/she/it never did that before! If you haven’t yet met behaviour analytics (BA), this short phrase sums up a large part of what this discipline is all about. In this sense, BA is used to identify behaviour that deviates from what would normally be expected. This is of immediate interest in information security, for example. After all, people, things or circumstances only present a security risk when they start to act strangely, compared to “normal” secure behaviour.

Behaviour analytics can also offer other insights, like understanding people’s habits or reactions when faced with a given situation. This too has applications in security. If you can spot bad habits, you can take measures to replace them with good habits. Alternatively, you can change a system so that it no longer causes insecure situations to arise. To understand how BA might help you in your enterprise or organisation, in security and in other domains too, let’s see more about where BA comes from, typical applications, challenges and opportunities, and how you can start using it.

Part 1 – BA Roots: From Online Sales Development to Insider Threat Protection

Some of the first software applications for behaviour analytics were in tracking visitors in ecommerce and websites, over a decade ago. Amazon used the information about where shoppers went and what they did, to refine its sales tactics. Google offered the capability of tracking users to anyone who had a website. In fact, if you have already used Google Analytics, you have already taken a first step in using behaviour analytics. For example, you might see that visitors to your website often seem to get stuck at a certain page and then leave your website. Once you’ve spotted this behaviour, you can try changing your page to make it more attractive or easier to understand, to encourage visitors to continue instead of abandoning their visit.

Advances in IT, data science, and artificial intelligence, including machine learning, have helped BA to develop further. BA applications and systems have become more powerful. They are better able to handle larger amounts of raw data. They are smarter about picking out typical behaviours and establishing a baseline of normal behaviour. They offer enhanced insights about what people or things are doing. Since its first applications, BA has also found its way into online games, political campaigns, and IT and network security, to cite other examples.

In some cases, there were opportunities to be exploited. In others, there were pressing requirements to be met. In information security, for instance, traditional solutions such as antivirus programs, firewalls, and security information and event management (SIEM) platforms were running out of steam, faced with new-generation security threats. Behaviour analytics, or “user and entity behaviour analytics”, brought much-needed smarter, more powerful ways to guard against security threats, including the insider threat, one of the biggest.

Part 2 – BA Use Cases: Paths, Groups, Funnels, and Oddities

Applications of behaviour analytics in business may only be limited by your imagination. The diversity of the use cases below shows how creative enterprises have been:

  • Ecommerce. Shoppers may search for specific products, read reviews, and make purchases. They may then return to go through the same process for other products. “Recommendation engines” look for these links to piece together overall behaviour and paths taken through the site, to then offer the same additional products to other customers who have just started their product search and purchase.
  • Internet of Things. BA helps to understand if machines need preventive maintenance to avoid costly, unscheduled downtime. Groups of machines or devices can also be monitored to see if each member of the group is accomplishing its tasks as expected.
  • Online banking. Visitors to these sites will usually see a range of services being offered, say, from current accounts to car or house purchase loans. The visitors will then enter a “funnel” with various stages, such as picking a service, confirming financial status information, deciding on different repayment options, and so on. Not all the visitors entering the funnel will arrive at the other end (a signed loan agreement, for example). Funnel analysis using BA can show where visitors are dropping out and if “dropouts” have a common group characteristic: for example, people under the age of 25 don’t follow through on applications for mortgages.

In information security, the detection of “oddities” is a priority. Use cases for user and entity behaviour analytics (UEBA) may include the detection of:

  • Shared, compromised or usurped system and application accounts
  • Abuse of privileged access
  • Unwarranted changes (increases) in access privileges, including account creation
  • Account lockouts not caused by simple typos by authorised users
  • Abnormal data transfers between systems as well as out over the network (“exfiltration”)
  • Risky behaviour by employees or other insiders, such as accessing dubious websites from company systems.

Part 3 – BA Challenges and Opportunities: Often Two Sides of the Same Coin

Behaviour analytics are by nature backward-looking. You only know what people or things have done, rather than what they will do. In some domains, this retrospective information can be turned to advantage. Data science can help show how situations are likely to evolve, letting you proactively manage them. Recommendation engines in ecommerce are a good example.

On the other hand, it is a much more delicate matter to try to guess what employees may do after, say, making a data transfer or system access out of line with their normal behaviour. In this case, a BA system must alert management to such abnormal behaviour for immediate investigation. For example, an employee exceptionally working from home and accessing a company system is not the same security problem as a hacker using compromised account credentials from another location.

Another challenge with BA is applying such analytics to data in the first place. Many enterprises have mountains of unused data. Even after processing, it can take a long time for organisations to follow through on the insights that BA affords. For such follow-through to occur, insights and alerts must be actionable. This means they must be easy to understand, with obvious paths of action afterwards. From the viewpoint of information security, this also leads to opportunities. The first is to plug security holes that BA helps uncover. The second is to run training and awareness campaigns to root out undesirable behaviour like surfing the web from a machine holding confidential customer data.

Part 4 – BA in Action: How to Get Started

There are two ways of implementing behaviour analytics: buy in a ready-made solution or do it yourself. Which choice makes the most sense will depend on where and how you want to apply BA. Solution availability and cost will also be factors: cost includes initial purchase, time and effort to deploy, and ongoing use and maintenance. For a DIY approach, the basic steps will be the following.

  • Define your goals. Are you using BA to improve sales, keep production lines running, protect your IT environment, or for some other reason? Do you want more revenue, less downtime, or higher security, and if so, to which level?
  • Identify relevant events. For information security, for instance, you’ll want to know about types of data transfer, account access, network connections, and so on. You should also document these different categories and types of event, and update your list regularly.
  • Identify users and systems. You’ll need to know who or what is doing the behaving and causing the events, preferably in a way that lets you easily access profile or background information on users or systems of specific interest.
  • Put cross-platform BA in place, as needed. In ecommerce, you may want to analyse each platform separately, for example, Android versus iOS versus Windows. In information security, on the other hand, you’ll need to see behaviour across platforms, as users on mobiles access servers or cloud applications, for instance.
  • Define critical event levels and thresholds. In information security, “false alert fatigue” is a potential problem. Enterprises find themselves overwhelmed by too many alerts that are unimportant, and end up missing the handful of alerts that flag more serious issues.
  • Test your system. Check that events and behaviours are being detected and analysed as they should. Be prepared to initiate sample abnormal behaviours after having established suitable baselines of normal behaviour for comparison, to check that you then receive alerts correctly.
  • Generate your actionable insights. Along a path, across a group, or in other ways, you need the bigger picture as well as the event by event detail. Keep the output as simple and as understandable as possible, bearing in mind that non-specialist or non-technical users may need to use your BA solution too.
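To make the DIY steps concrete for the information security case, here is an added example (not from the original article or from any vendor product). It builds a per-entity baseline of daily outbound data volume, applies two alert levels, and then replays sample abnormal behaviour to check that alerts fire. The median/MAD robust z-score, the threshold values, the entity names and the sample events are all assumptions chosen for illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed sample history: (entity, day, MB sent out over the network).
_ALICE = [40, 55, 38, 47, 52, 44, 60, 41, 49, 50]
_BACKUP = [9000, 9100, 8950, 9050, 9020, 8980, 9070, 9010, 8990, 9040]
BASELINE_EVENTS = ([("alice", d, mb) for d, mb in enumerate(_ALICE)] +
                   [("backup-svc", d, mb) for d, mb in enumerate(_BACKUP)])

def build_baselines(events, min_days=7):
    """Per-entity baseline: median and median absolute deviation (MAD)."""
    history = defaultdict(list)
    for entity, _day, mb in events:
        history[entity].append(mb)
    baselines = {}
    for entity, values in history.items():
        if len(values) < min_days:
            continue  # too little history to call anything "normal"
        med = median(values)
        mad = median([abs(v - med) for v in values])
        baselines[entity] = (med, max(mad, 1.0))  # floor avoids divide-by-zero
    return baselines

def score(baselines, entity, mb):
    """Robust z-score of one day's volume; None if the entity has no baseline."""
    if entity not in baselines:
        return None
    med, mad = baselines[entity]
    return 0.6745 * (mb - med) / mad

def triage(baselines, entity, mb, warn=3.5, critical=10.0):
    """Map a score to an alert level. Only upward deviations alert,
    since the event type here is outbound transfer volume."""
    s = score(baselines, entity, mb)
    if s is None:
        return "no-baseline"  # route to review instead of silently passing
    if s >= critical:
        return "critical"
    return "warn" if s >= warn else "normal"

def replay_test_events(baselines):
    """'Test your system': inject sample behaviours and return the alert levels."""
    injected = [("alice", 60), ("alice", 90), ("alice", 9000),
                ("backup-svc", 9000), ("mallory", 10)]
    return {(e, mb): triage(baselines, e, mb) for e, mb in injected}

if __name__ == "__main__":
    for key, level in replay_test_events(build_baselines(BASELINE_EVENTS)).items():
        print(key, "->", level)
```

The same 9000 MB transfer is critical for `alice` and normal for `backup-svc`, which is why per-entity baselines produce fewer false alerts than a single global threshold.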

Alternatively, when an effective, affordable, and easy-to-use solution exists, you may find it more advantageous to buy rather than make. For information security using UEBA, Zonefox enables you to accomplish all the above within the budget of most small and medium businesses. It also meets the needs of larger corporations. In addition, Zonefox automatically “learns” your entire IT environment in just a few hours after you start using it, bringing you critical protection rapidly and easily.

Time for You to Put BA to Work?

Whatever your area of interest in behaviour analytics, it’s likely that you can leverage BA for significant business advantage. In information security, BA (UEBA) will continue to grow in power and precision, helping you to knock out vulnerabilities and defend against cyberattacks. The right UEBA information security solution will also leverage further developments in artificial intelligence and machine learning to do an even better job in protecting your data, applications, and systems. Meanwhile, hackers and cybercriminals have already created new forms of attacks and the insider threat is always a major concern. So, whatever your choice of solution, putting in suitable cyber protection based on behaviour analytics is a firm recommendation for any business today.