Detecting advanced threats with user behaviour analytics

Saryu Nayyar, CEO, Gurucul | April 1, 2015
Using big data and machine learning to assess the risk, in near-real time, of user activity.

Meanwhile, impact is based on the classification and criticality of the information accessed, and what controls have been imposed on that data.

Transactions and their computed risks can then be associated with the user who is making the transactions, to determine the risk level. The calculation of user risk typically includes additional factors, such as asset classification, permissions, potential vulnerability, policies, etc. Any increase in these factors will increase the risk score of that user.

Custom weighting values can be used for all the factors in these calculations, to automatically tune the overall model.

In the end, UBA collects, correlates, and analyzes hundreds of attributes, including situational information and third-party threat information. The result is a rich, context-aware petabyte-scale dataset.

UBA's machine learning algorithms not only weed out false positives and provide actionable risk intelligence, but also revise norms, predictions, and the overall risk-scoring process as more information is collected.

Changes in information classification as well as operational changes (such as new departments, new job codes, or new locations) are automatically incorporated into the system's datasets. For example, if an IT administrator is temporarily granted a higher level of system access, their risk scores will be altered during that period of time. UBA can also, in automated fashion, determine what custom weighting values have the most operational significance in reducing false positives.
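The risk calculation sketched above (transaction impact from data classification and imposed controls, user risk from transactions plus weighted factors, and a temporary access grant raising the score only for its window) as an added example. This is illustrative code written for this article, not Gurucul's product logic; the classification scale, control discounts, factor weights, and the sample transactions are all constructed.

```python
from dataclasses import dataclass

# Constructed impact scale: criticality of the data classification accessed.
IMPACT_BY_CLASS = {"public": 1, "internal": 3, "confidential": 6, "restricted": 10}
# Constructed multipliers: controls already imposed on the data reduce impact.
CONTROL_DISCOUNT = {"encrypted": 0.7, "dlp": 0.8, "mfa": 0.8}
# Constructed default weights for the additional user-level factors (tunable).
DEFAULT_WEIGHTS = {"asset_classification": 1.0, "permissions": 1.5,
                   "vulnerability": 1.0, "policy_violations": 2.0}


@dataclass
class Transaction:
    user: str
    classification: str
    controls: tuple = ()
    likelihood: float = 0.1  # anomaly likelihood from the behaviour model, 0..1


def transaction_risk(tx: Transaction) -> float:
    """risk = likelihood x impact; impact is discounted by each control present."""
    impact = IMPACT_BY_CLASS[tx.classification]
    for control in tx.controls:
        impact *= CONTROL_DISCOUNT.get(control, 1.0)
    return round(tx.likelihood * impact, 3)


def effective_factors(factors: dict, elevations: list, now: int) -> dict:
    """Apply temporary grants, e.g. an admin given higher access for a period.
    Each elevation is (factor, value, start, end) and overrides the factor only
    while start <= now < end; outside the window the normal value applies."""
    effective = dict(factors)
    for name, value, start, end in elevations:
        if start <= now < end:
            effective[name] = max(effective.get(name, 0), value)
    return effective


def user_risk(txs: list, factors: dict, weights: dict = DEFAULT_WEIGHTS) -> float:
    """Sum of the user's transaction risks plus weighted user factors (0..10 each).
    Any increase in a factor raises the user's score; weights tune the model."""
    base = sum(transaction_risk(t) for t in txs)
    extra = sum(weights.get(name, 1.0) * value for name, value in factors.items())
    return round(base + extra, 3)


if __name__ == "__main__":
    txs = [Transaction("alice", "restricted", ("encrypted",), 0.5),
           Transaction("alice", "internal", (), 0.2)]
    grant = [("permissions", 8, 100, 200)]  # constructed elevated-access window
    for now in (150, 250):
        print(now, user_risk(txs, effective_factors({"permissions": 2, "vulnerability": 1}, grant, now)))
```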

The resulting intelligence can be mined off-line for insights into the enterprise's security posture, often uncovering unsuspected weaknesses, such as the provisioning of more user groups than users, the presence of unused credentials, or users with significantly more or fewer access privileges than they should have.

Less obvious malicious behavior, such as sabotage, the theft of an enterprise's trade secrets, or longer-term activity like financial fraud, will also produce patterns of anomalous behavior that a UBA system can detect.

Finally, if a user is found to pose a significant risk, the system can react accordingly, from blocking further access to imposing risk-based adaptive authentication that will challenge them for a second form of identification. The user's post-login activities may also be restricted.

UBA is transforming security and fraud management because it enables enterprises to detect when legitimate user accounts/identities have been compromised by external attackers or are being abused by insiders for malicious purposes.
