10 key steps in using behavioral analytics to improve security

  • September 12 2017, 4:00am EDT

10 key steps in using behavioral analytics to improve security

Security executives can get help from data in spotting potential risky individuals or groups.

Traditional identity and access management controls are static.

Once a malicious user gains access, they are free to exploit the affected information system in healthcare organizations, according to business software vendor CA Technologies. However, deploying a security approach that brings together user behavioral analytics and anomaly detection can help detect risky activity and automatically trigger mitigating controls. However, there are 10 issues to consider.

Content Continues Below

1. Applying the basics of behavioral analytics

User behavioral analytics enables an organization to continuously assess risk and quickly detect malicious activity—they take a stream of data about how a given identity or group interacts with services or applications, then assesses a level of risk associated with the identity or group. Mitigation could automatically limit a high-risk individual’s access to sensitive apps or data repositories.

2. Mitigating risk

After a high-risk individual or group is identified, automated mitigation processes enable an enterprise to take steps that mitigate risk and thwart detected malicious activities by changing how access is controlled, based on the risk output of user behavioral analytics.

3. Managing identities

The user behavioral analytics function comprises two components—feature extraction and the risk classifier. The feature extraction component processes an activity stream and extracts a set of relevant features, which are characteristics of an individual identity that have been observed over time.

Content Continues Below

4. Pinpointing behavior

Possible malicious characteristics to watch for include:

* The identity is using an unknown mobile device.

* The identity is operating in a remote location.

* The identity is coming from a suspicious IP address.

* The identity is a member of a privileged group.

* The identity used a specific service outside of their normal operating time.

5. Understanding complications

Feature extraction is more complicated than it appears because it’s not simply extracting characteristics about an ongoing transaction. Although an activity stream arrives as a sequence of discrete events, the real input is the complete activity stream from the beginning of time. This enables a security executive to understand aggregate usage and behavior about each identity or group. Without examining the full activity history, that executive would need to evaluate risk solely on each discrete event.

6. Assessing enterprisewide risk

By examining all activities, threat analytics provides an enterprise with more insight than has previously been available to assess risk and detect malicious activity. The enterprise now can assess risk based on past activities, and specific information about individual or group identities.

Content Continues Below

7. Crunching data

The benefit of a full activity stream requires an organization to process a large amount of data. However, the task is eased by performing feature extraction. This eliminates or aggregates redundant data while highlighting the information needed by the second part of task, which involves assessing risk.

8. Classifying risk

The risk classifier is an analytic function that converts the feature extraction function into three discrete levels of risk:

Good: The identity poses minimal risk.

Suspect: The identity has been associated with events or activities that pose risk, but the risk does not demand immediate action.

Bad: The identity is considered a high risk and merits immediate attention, and the classification system will initiate automated mitigation and alerts according to the enterprise’s policy.

9. Creating an organizational view

Another aspect of classifying risk is assessing not just individuals but risk levels for a particular group. For instance, a healthcare organization could examine if a group is accessing resources with more devices than is normal for the group; if a group is operating outside its normal scope; and if a group also is in an inappropriate large number of other groups.

Content Continues Below

10. Expanding the scope

“By looking at a group of identities rather than identities in isolation, you can get a high level of useful population statistics against which you can compare the individual identities,” according to CA Technologies. “Of course, this comes with a cost. Instead of processing merely the entire activity stream for an identity, this requires performing feature extraction on the full activity history of the entire organization.”

More information

The complete report from CA technologies is available here.