User behavior analytics (also known as UBA or entity behavior analytics) is cybersecurity technology that uses monitoring tools to gather and assess data from user activity in order to proactively find and flag suspicious behavior before it leads to a data breach. By relying on machine learning to learn from how users normally interact with an organization’s technology, apps, and sites, user behavior analytics can immediately recognize anomalous behavior and stop bad actors from accessing sensitive information. This enables continuous risk assessment and threat detection without complicating the end user experience.
Much like SIEM (Security Information and Event Management), UBA is an approach to information security that relies on automated analysis of big data to detect and stop potential cyberattacks in real time. While SIEM primarily analyzes events that occur behind firewalls, UBA focuses on data generated by user behavior. The data analyzed by UBA can include (but is not limited to) network traffic, login times and geographic locations, session duration, file downloads, and authentication logs. This enables the UBA solution to identify typical user patterns of activity, and then take action if users deviate from these patterns in ways that indicate malicious behavior.
With the global average cost of a data breach at nearly $4 million, data protection is crucial—and 34% of data breaches involve internal actors. This makes it important to be able to recognize insider threats before these bad actors are able to steal sensitive data like health records or intellectual property. However, perimeter-facing enterprise security technology like firewalls or encryption does nothing to stop malicious insiders who have already gained access to an organization’s data through phishing, malware, or credential theft.
What’s more, the widespread adoption of SaaS, cloud, and mobile apps has made risk management more difficult. It’s especially challenging for IT teams to identify and address potential threats across hybrid architectures. Many of these apps and services may not even be officially sanctioned by IT, making it tougher to detect bad actors using them. This creates a need for continuous visibility across apps, users, networks, cloud services, and devices in order to eliminate security blind spots and help IT identify, analyze, and respond to security events proactively.
User behavior analytics address this challenge by continuously monitoring the activity of every user, then using anomaly detection to find and flag anomalous behavior before it leads to a breach. This enables organizations to protect sensitive data inside their systems instead of only protecting their perimeter. Citrix Analytics for Security is a user behavior analytics tool that helps to proactively safeguard the entire Citrix Workspace, a complete digital workspace with Gartner-recognized, industry-leading capabilities. It is a cloud-delivered add-on service that consumes both cloud-based and on-premises data to automatically take action when certain events occur, understand which users pose the greatest risk to the organization, and ultimately improve security posture.
At a high level, user behavior analytics work by establishing benchmarks or rules for normal user behavior and alerting IT whenever a user deviates from these benchmarks. One example of such a rule is defining normal working hours as 7 AM to 8 PM; that means if a user attempts to sign on and access a sensitive file at 3 AM, the UBA would flag that behavior as unusual and either halt access immediately or alert IT admins. If that user’s credentials had been stolen and used by a hacker, this would have prevented a serious breach.
More sophisticated UBA solutions are capable of more dynamic rule making that creates specific risk profiles for each user. These profiles are created by monitoring how each user in an organization works: what apps they use, their preferred devices and networks, and how they access and share files for their projects. If a user exhibits anomalous behavior, such as unusual usage of an application or excessive file sharing activity, the UBA solution can autonomously take action to block the user’s device or access before data is compromised. This advanced rule-making capability in user behavior analytics is possible through machine learning.
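As an added illustration (example code, not from the page or from Citrix), here is a small Python sketch of the two detection layers just described: the static 7 AM to 8 PM working-hours rule from the previous paragraph, plus per-user profiles (usual sign-on hours, typical file-sharing volume) learned from a constructed sample log. The log lines, user names, one-hour tolerance and the mean-plus-three-standard-deviations threshold are assumptions for the example; `score_event` returns the reasons an event deviates, and an empty list means it looks normal.

```python
from datetime import datetime
from statistics import mean, pstdev

WORK_HOURS = range(7, 20)  # the article's static rule: normal sign-on is 07:00-20:00

# Constructed sample log, not real data ("timestamp,user,event,count"): alice works days, bob nights.
BASELINE_LOG = """\
2024-03-04T08:55:00,alice,login,1
2024-03-04T09:10:00,alice,file_share,3
2024-03-05T09:02:00,alice,login,1
2024-03-05T11:30:00,alice,file_share,4
2024-03-06T15:05:00,alice,file_share,2
2024-03-04T23:05:00,bob,login,1
"""

def parse(log):
    rows = (line.split(",") for line in log.strip().splitlines())
    return [(datetime.fromisoformat(t), u, e, int(c)) for t, u, e, c in rows]

def build_profiles(events):
    # Per-user baseline: (usual sign-on hour range, mean file shares, stdev of file shares).
    hours, shares = {}, {}
    for ts, user, event, count in events:
        if event == "login":
            hours.setdefault(user, []).append(ts.hour)
        elif event == "file_share":
            shares.setdefault(user, []).append(count)
    profiles = {}
    for user in hours.keys() | shares.keys():
        h, s = hours.get(user, []), shares.get(user, [])
        profiles[user] = ((min(h), max(h)) if h else None,
                          mean(s) if s else 0.0,
                          pstdev(s) if len(s) > 1 else 0.0)
    return profiles

def score_event(profiles, ev, k=3.0):  # -> list of reasons; [] means the event looks normal
    ts, user, event, count = ev
    if user not in profiles:
        return ["no baseline for this user"]
    hour_range, share_mean, share_std = profiles[user]
    reasons = []
    if event == "login":
        if ts.hour not in WORK_HOURS:
            reasons.append("sign-on outside the 07:00-20:00 working-hours rule")
        lo, hi = hour_range or (ts.hour, ts.hour)  # no login history: profile can't judge
        if not lo - 1 <= ts.hour <= hi + 1:  # one-hour tolerance around baseline hours
            reasons.append("sign-on hour unusual for this user")
    elif event == "file_share" and count > share_mean + k * share_std:
        reasons.append(f"{count} file shares exceed this user's baseline of {share_mean:.1f}")
    return reasons
```

Note how bob's 23:00 sign-on trips the static rule but matches his own profile, while a 3 AM sign-on with alice's credentials trips both, which is the difference between fixed rules and per-user risk profiles.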
Machine learning is similar to artificial intelligence in that it enables software to self-improve its performance at a specific task by analyzing and learning from relevant data. Nearly 70 percent of IT leaders believe that AI and machine learning are transforming their business, and user behavior analytics are no exception. ML-capable user behavior analytics can create the user-specific rules mentioned earlier by adapting to big data and using it to dynamically transform their capabilities to deliver better results. Here is a high-level view of how machine learning works in user behavior analytics:
All UBA technology aims to prevent data breaches from insider threats, but it’s important to choose security analytics tools that fit your organization’s infrastructure, users, and security operations. Key factors to consider when choosing a UBA solution include:
To begin implementing user behavior analytics in your organization, you need your security team to understand how UBA can learn from user behavior to determine risk profiles and identify potential threats inside your expanding network environment. With this e-book, you can get a closer look at how user and entity behavior rules are defined, how malicious activity is detected, and how incident response can isolate attacks before they turn into breaches.