WHITEPAPER - VeriatoUser behavior analytics (UBA) is a process that measures and evaluates normal...

Dr. Christine Izuakor WHITEPAPER


Page 1: WHITEPAPER - VeriatoUser behavior analytics (UBA) is a process that measures and evaluates normal user activities, to see when something abnormal is occurring, such as a hacked account.

REDUCING CYBER RISK WITH AI AND USER BEHAVIOR ANALYTICS

PREPARED BY: Dr. Christine Izuakor

WHITEPAPER

THE NEED FOR VISIBILITY, ALIGNMENT, AND ANALYTICS

At the end of 2019, Security Intelligence released a report on trends that should influence your security planning for 2020. Near the top of the list was the need for visibility, alignment, and analytics when it comes to cybersecurity. Leaders are coming to terms with the idea that being able to see, understand, and have reliable records of what users are doing with their corporate assets can provide valuable insights when trying to reduce cybersecurity risks within your organization.

One Forbes article touched on several key themes as well. The growth of IoT and smart devices has shifted the way that security perimeters were previously managed. Today, there are no true perimeters, and it's hard to track every device that touches your company. Risk must be addressed creatively both within and beyond traditional firewalls. Also, there is a heightened focus on the concerning risk that employees and contractors can introduce to companies, whether malicious or not.

These shifts are fueling the growing need for risk management programs that focus on monitoring user activity. Regardless of the perimeter, the volume of devices, and more, creating a user behavior analytics function can help you gain greater visibility and control over fluid risks to your company.


OVERVIEW OF USER BEHAVIOR ANALYTICS

User behavior analytics (UBA) is a process that measures and evaluates normal user activities, to see when something abnormal is occurring, such as a hacked account. The fundamental operating principle of user behavior analytics is to establish a snapshot of typical activities a user might make in an organization through logs and other data sources. Anytime new user activities occur, analysis is done based on artificial intelligence and machine learning models to see if the activity matches what is considered normal. If there is a significant deviation, it may be a cause for alarm.

HISTORY AND EVOLUTION OF USER BEHAVIOR ANALYTICS

In the early 2000s, businesses sought to monitor and track consumer behavior for better marketing and product sales in the e-commerce industry. As time passed, impactful applications of behavior analytics surfaced in other sectors such as gaming, social media, and even information security. After realizing how much data is available in the digital age and the level of insight that could be gained, the concept snowballed in popularity. Using machine learning algorithms, big data from a variety of sources could be ingested and correlated to assess user activity and evaluate cyber risk in near real-time. User behavior analytics technology is now considered a fundamental component of a robust cybersecurity program.

USER BEHAVIOR ANALYTICS SIMPLIFIED

DEFINE NORMAL: Understand what's considered normal user activity & create a baseline.

ANALYZE USER ACTIVITY: Conduct analysis against current user activity to find the anomalies using statistical models.

APPLY INTELLIGENCE: Apply context & intelligent considerations to ensure accuracy & reduce false positives or false negatives.

ALERT ON ANOMALIES: Alert and report findings so that action may be taken to reduce threats.

HOW USER BEHAVIOR ANALYTICS WORKS

Step One: Define Normal
Understand what's considered normal user activity and create a baseline. This can be achieved by collecting numerous data points from your systems, such as account access, file activities, chat and instant messaging usage, geolocation, application usage, and more.

Step Two: Analyze User Activity
Conduct analysis against current user activity to find the anomalies using statistical models. User activities collected over time are overlaid with information regarding current actions completed by the user, such as transaction type, session duration, time of day, geographical location, and more, to determine where activity may be suspicious. For example, if a user profile was marked as a mailroom clerk role, but the user account is behaving like a senior network administrative role, the transaction may be considered anomalous user behavior.

Step Three: Apply Intelligence
Apply context and intelligent considerations to ensure accuracy and reduce false positives or false negatives. This step can help you better determine if the anomalous behavior is indeed malicious. In the previous example, the user could have finished her tech certifications and gotten a promotion to a network administrator. While it may still be worthwhile to verify that the user activity is not malicious, without intelligent context, traditional anomaly-based tools were often flooded with false positives. Thanks to advances in artificial intelligence and machine learning technology, you can take analyzing and correlating big data to the next level. By adding context such as 3rd party risk and situational data, you can calculate more accurate activity risk scores and resulting alerts.

Step Four: Alert on Anomalies
Alert and report findings so that action may be taken to reduce threats. Using the insight gained from the first three steps, you have the information you need to take action to mitigate threats and risks to your company.
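The four steps, sketched as an added example (not code from the whitepaper or from Veriato): a per-account baseline of privileged commands per day, a z-score against it, and a second score against the new role's peers when an HR feed reports a role change, as in the mailroom clerk scenario. The sample data, the `hr_role_change` input, the `ROLE_PEERS` table and the 3.0 threshold are all assumptions made for illustration.

```python
from statistics import mean, pstdev

# Constructed history: privileged commands per day for each account.
HISTORY = {
    "clerk01": [0, 1, 0, 0, 1, 0, 0, 0, 1, 0],
    "netadm07": [14, 12, 15, 13, 16, 14, 12, 15, 13, 14],
}
# Constructed peer groups, keyed by role name (an assumption of this sketch).
ROLE_PEERS = {"network_admin": ["netadm07"]}

def baseline(samples, floor=0.5):
    """Step 1: summarise normal activity as (mean, std). The floor stops a
    near-constant history from turning a tiny change into a huge z-score."""
    return mean(samples), max(pstdev(samples), floor)

def zscore(value, base):
    """Step 2: distance of today's value from the baseline, in std units."""
    mu, sigma = base
    return (value - mu) / sigma

def risk(user, today, hr_role_change=None):
    """Step 3: score against the user's own history, then apply context: if
    the (hypothetical) HR feed reports a new role, also score against that
    role's peers and keep the lower of the two."""
    score = zscore(today, baseline(HISTORY[user]))
    if hr_role_change in ROLE_PEERS:
        peers = [v for p in ROLE_PEERS[hr_role_change] for v in HISTORY[p]]
        score = min(score, abs(zscore(today, baseline(peers))))
    return max(score, 0.0)  # only unusually high activity counts here

def alert(user, today, hr_role_change=None, threshold=3.0):
    """Step 4: return an alert record only when the contextual score is high."""
    score = risk(user, today, hr_role_change)
    if score < threshold:
        return None
    return {"user": user, "observed": today, "score": round(score, 1)}

if __name__ == "__main__":
    print(alert("clerk01", 13))                    # clerk acting like an admin
    print(alert("clerk01", 13, "network_admin"))   # same day, after promotion
```

Context lowers the score only when the activity actually fits the new role: 100 privileged commands from the promoted clerk is still far outside the administrator peer baseline and still alerts.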


HOW USER BEHAVIOR ANALYTICS CAN BE APPLIED TO REDUCE BUSINESS RISKS

Quick breach detection:
In 2019, insurance provider Dominion National notified customers of a recently discovered security breach that happened in 2010. They found out almost nine years later. According to the IBM 2019 Data Breach Report, the average time to detect a breach is about 206 days.

User behavior analytics can help reduce the risk of undetected attacks and help you detect and respond more quickly. There are quite a few tell-tale signs that can suggest a company may have been compromised. Common symptoms can include a single device using numerous user accounts or, the opposite, one user account logging into many different devices. In addition, attackers are continually finding new ways to trick traditional alerting technology. Without a solution intelligent enough to conduct deep learning and adapt quickly, attackers can outsmart traditional detection tools to avoid setting off alarms.
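The two symptoms named above (one device used by many accounts, one account on many devices) can be checked directly against logon records. This is an added example, not code from the whitepaper or any product; the log format, the sample lines, the one-hour window and the limit of three are assumptions, and a UBA deployment would derive the limit from each entity's baseline instead of fixing it.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed logon events: "timestamp account device result".
SAMPLE_LOG = """\
2020-01-14T08:55:10 erin WS-101 success
2020-01-14T09:00:05 alice KIOSK-7 success
2020-01-14T09:02:41 bob KIOSK-7 success
2020-01-14T09:03:17 carol KIOSK-7 success
2020-01-14T09:04:02 mallory KIOSK-7 failure
2020-01-14T09:09:58 dave KIOSK-7 success
2020-01-14T09:30:00 gina WS-201 success
2020-01-14T11:30:00 gina WS-202 success
2020-01-14T13:30:00 gina WS-203 success
2020-01-14T15:30:00 gina WS-204 success
2020-01-14T22:01:00 svc_backup SRV-1 success
2020-01-14T22:06:00 svc_backup SRV-2 success
2020-01-14T22:11:00 svc_backup SRV-3 success
2020-01-14T22:19:00 svc_backup SRV-4 success
"""

def parse(log):
    """Yield (time, account, device) for successful logons only."""
    for line in log.strip().splitlines():
        ts, account, device, result = line.split()
        if result == "success":
            yield datetime.fromisoformat(ts), account, device

def fanout(events, key, val, window=timedelta(hours=1), limit=3):
    """Flag each key seen with more than `limit` distinct values inside any
    one-hour window. Events are (time, account, device); key/val are indexes."""
    by_key = defaultdict(list)
    for ev in events:
        by_key[ev[key]].append((ev[0], ev[val]))
    flagged = {}
    for k, seen in by_key.items():
        for start, _ in seen:
            inside = {v for ts, v in seen if start <= ts < start + window}
            if len(inside) > limit:
                flagged[k] = sorted(inside)
                break
    return flagged

def detect(log):
    events = list(parse(log))
    return {"device_many_accounts": fanout(events, 2, 1),
            "account_many_devices": fanout(events, 1, 2)}
```

On the sample, `gina` uses four devices but spread across the working day, so only `KIOSK-7` and `svc_backup` are flagged.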

74% OF BREACHES INVOLVED ACCESS TO A PRIVILEGED ACCOUNT


Insider Threat Detection:
According to the 2019 Verizon Data Breach report, insiders caused almost 40% of all breaches. Furthermore, the average cost of a breach involving insider threat-related incidents is just over half a million dollars, with some cases hitting up to $11 million in the United States.

Insider threats are employees, contractors, and other entities who have some form of legitimate access to your company systems, and who have the ability to expose cyber risk, whether intentional or unintentional.

Mastering insider threat detection and being able to prevent these types of attacks is paramount to every organization's cybersecurity strategy. User behavior analytics can help you evaluate human-related concepts that are often difficult to analyze, such as sentiment, sabotage, abuse of access or authority, and other violations of policy that are often detected as anomalous user activity.

50% OF GLOBAL ORGANIZATIONS SAY THEY HAVE BEEN A VICTIM OF FRAUD

Insiders caused almost 40% of all breaches.

Fraud detection:
According to a PWC report, roughly fifty percent of global organizations say they have been a victim of fraud in the last two years, with cases often carrying price tags of over a million dollars. Contrary to common belief, individual consumers are not the only victims of identity theft. Fraud in the form of business identity theft continues to grow.

Banks often protect consumers from fraud by alerting when their spending habits seem off. The same can be done for companies using user behavior analytics. If fraudulent transactions are being requested by users, including financial transactions, with the right context, user behavior analytics can alert your administrators of potential fraud.

VERIATO CEREBRAL RECEIVED THE 2019 CYBERSECURITY EXCELLENCE AWARD FOR USER & ENTITY BEHAVIOR ANALYTICS


KEY FUNCTIONALITIES TO LOOK FOR IN A USER BEHAVIOR ANALYTICS SOLUTION THAT ADDRESSES THE ABOVE RISKS

Monitor all user activity around the clock. The best user behavior analytics technology can ingest relevant data, such as network activity, emails, instant messaging, keystrokes, and more. Even better, some solutions offer dark web tracking, psycholinguistics, and more advanced user activity considerations.

Analyze everything using machine learning. Analyzing all of the data associated with user activity can result in massive storage outputs or Big Data. Leveraging artificial intelligence algorithms to review and understand this data at a much faster rate than human beings is a user behavior analytics differentiator that should not be overlooked when exploring solutions.

Alert your team when there's a threat. Getting alerts as quickly as possible will allow your team to act fast. It's essential to find a solution that has a low false-positive rate in order to ensure your team isn't wasting endless hours on irrelevant analysis. A mature solution will empower you to focus on the most critical threats.

Immediately enable your team to review the evidence and investigate. Advanced user behavior analytics solutions equip you with the ability to investigate alerts right away by presenting relevant records and even screenshot video playback options. Without this capability, time is wasted gathering evidence across different systems and tools, if the information is even available at all. It can take days, weeks, or even months to figure out what happened without playback features. With functions like this, you can also learn the extent of the threats and if fraudsters acted alone or with other users.

Respond with speed, confidence, and the artifacts to pursue legal action if required. When you have hard evidence, you can confidently and quickly take action against discovered threats. Whether you need to get your HR team or law enforcement involved, with the right user behavior analytics solution, you can have evidence ready to present immediately to mitigate the risk to your company.

HOW USER BEHAVIOR ANALYTICS DIFFERS FROM SIEM

SIEM, or Security Information and Event Management, solutions are designed to accomplish goals very similar to those of user behavior analytics. SIEMs aim to collect and correlate data from logs across the company and apply rule-based algorithms to alert on what could be anomalous. These solutions are designed to detect and analyze threats in real-time. They weren't developed to take long-term patterns and context into account to make more intelligent and informed conclusions about user activities.

Another differentiator is that where SIEM focuses on technology and system events, user behavior analytics focuses on people. Behind every action, there is usually a human being, an individual user. This makes focusing on user behavior analytics valuable. Traditional SIEM solutions that do not incorporate machine learning and user behavior analytics practices are often plagued with false positives and false negatives that take a lot of time to adjust and fine-tune. As attackers become more familiar with the typical rules leveraged by SIEM solutions, they have gotten much better at learning how to evade them and fly under the radar to avoid triggering alerts.

This does not mean that user behavior analytics should replace SIEMs. Depending on your organizational goals, either or both solutions could support your needs. Think of user behavior analytics as the next-generation approach to monitoring your enterprise with one of your greatest assets in mind, people.

User Behavior Analytics focuses on people

CONCLUSION

User behavior analytics empowers companies to look beyond traditional rules-based anomaly detection to more accurately detect and respond to cyber threats from a variety of threat actors, including insider threat detection. This shift is necessary as the lines of enterprise network perimeters and corporate device inventories become more blurred than ever, thanks to the cloud, IoT, and other trends. Interested in exploring risk mitigation through user behavior analytics solutions? Learn more about the award-winning Veriato Cerebral solution and give it a try today.


VERIATO.COM

Contact Us

[email protected]@VERIATO.COM

HQ: 4440 PGA Boulevard, Palm Beach Gardens, FL 33410
772-770-5670

EMEA: 14 Commercial Way, Woking, Surrey GU21 6ET, United Kingdom
+44 (0) 1483 662888
