Weekly live demo
Join us every Wednesday for a live demo of Scuba Analytics
Register now

How Behavioral Analytics Can Help Your Organization Identify Cybersecurity Threats

Megan Wells

The threat of a cyberattack should be a daily concern for businesses. In the first half of 2020 alone, data breaches exposed 36 billion personal records. In May 2021, a cyberattack caused the temporary shutdown of one of America’s largest pipelines and disrupted a major meat processor. 

 

Cyberattacks are both costly and detrimental to consumer trust. What’s more, cybersecurity threats are on the rise. When COVID-19 brought sudden and unexpected social distancing mandates, many businesses transitioned to remote work with no cybersecurity plan in place. The FBI’s Cyber Division reported a 400% increase in complaints received compared to pre-pandemic rates. 

 

A new method of protection in cybersecurity is emerging from an untapped resource: behavioral analytics. Well-known for use in market research, customer experience and product intelligence, IT and data security teams are also leveraging behavioral information about users to protect employee and company data from cyber threats. 

Challenges facing organizations when it comes to cyber threats

Company assets contain proprietary and confidential information - not to mention private employee data. To protect it, businesses use precautions like access control, 2-factor authentication, antivirus software and email protection to mitigate risk. 

 

But bad actors, especially insiders, can easily get around these controls, and breaches can happen even without malicious intent. Gaining access to compromised credentials, phishing attacks, and key logging are common schemes for stealing company data. But it’s actually human error that is the main cause of 95% of cyber security breaches. And according to analyst firm Forrester, insiders are responsible for more than half of organizations’ data breaches. Intentional or unintentional insider threats may occur when employees:

 

  • Click on suspicious links that launch ransomware attacks
  • Use stolen login credentials to access company documents
  • Take data with them when they leave 
  • Send private company data to their personal email
  • Get hacked while accessing company data on their personal network

Using behavioral analytics data to identify suspicious behavior

Behavioral analytics can help organizations identify malicious insider activity and curb (or stop) threats like cyberattacks. Abnormal behavior within a network or system is often the first sign of a threat. Therefore, one of the easiest ways to detect attacks is by tracking behavioral patterns for anomalies.

 

Behavioral analytics tools will use data collected over time to create a behavioral profile for each user. By combining this data with machine learning tools, you can begin to track and predict patterns based on usage over time. Finally, your behavioral analytics tool should alert you to aberrations that could pose a threat. You can spot red flags in behavior in the following areas: 

Typing cadence

Just like handwriting, typing cadence has been shown to be unique from person to person. For this reason, typing cadence (also known as keystroke dynamics) is making its way into use as a biometric factor for authentication. Typing that is too fast or slow could signal bot behavior or stolen credentials.

Geographical irregularities

Is the account in question being accessed from the expected browser and IP address? Are you getting multiple login attempts from different overseas addresses with no relation to your company? How about failed login attempts for users who have never had a prior failed attempt, or a failed attempt from a new location. Any of these could signal a potential bad actor attempting to gain access to your systems.

Credential usage

Credential usage poses a big problem in data security, with 61% of breaches attributed to leveraged credentials. Passwords are the most prevalent form of identity management, although they’re easily forgotten, mistyped, or stolen. Unusual credential usage could indicate abuse of privileges if an account user is doing things they don’t have access to do.

Departmental usage habits

Behaviors that don’t align with the department or role could be a clue that something’s wrong. For example, engineering teams would likely run complex server queries but someone on the HR team wouldn’t. 

 

Other endpoint data such as login frequency, date or time of work, unusual data volume transfers, and file, device, or app activity can all tip organizations off to potential threats they need to look into. With an advanced behavioral analytics tool that lets you create ad hoc segments as needed, you can quickly identify which users are potential threats (and dynamically update over time as behaviors change).

What kind of behavioral analytics tool do you need to catch threats?

User identities are not always straightforward. Decades of relying on the “username and password” model of identity management often results in excessive access privileges and multiple accounts per user. 

 

To create a complete and accurate profile, you’ll need a tool that can provide 360-visibility into a user’s access rights and entitlements, current and past activities across all accounts, an up-to-date profile of typical activities, as well as those of their colleagues and peer groups. Thus, to truly understand a user’s behavior patterns and determine the risk of that identity, you need access to data from multiple sources, including:

 

  • Identity management systems
  • Account management systems
  • Directories
  • Log sources
  • Web access logs
  • Internal access logs
  • Intelligence sources

 

Simply gaining access to these datasets isn’t enough - you need a tool that can quickly churn through and deliver insight on these many different threads of behavior. When it comes to thwarting potential cyber attacks, time is of the essence. A continuous intelligence tool can marry behavioral analytics data with machine learning to allow teams to interpret massive amounts of data quickly, tipping them off to potential cyber threats before it’s too late. 

How Scuba can help

Visualizing & alerting you to anomalies

To visualize anomalies, you can use the  journey map or histogram features in Scuba to catch bad actors at work. For example, by layering timestamped data with suspicious events - such as data transfer to an unauthorized USB, user, or geographic region - you can begin to see patterns that allow you flag an potential event before it happens.

 

Then, once an anomaly is detected- either in general, or against a particular threshold, Scuba Signals will generate an alert via email and Slack, and give you real-time feedback. Not only will you always get alerts about suspicious activity, Scuba Signals can also trigger a custom script to stop the action in question (for example by shutting down a port, changing a firewall pay set, or changing inventory to zero). 

Model Drift

Normally in the ML world, model drift is just “part of the deal”. Whether due to data drift or concept drift, models need to be tweaked over time or they’ll become inaccurate. That’s where Scuba comes in. We help existing machine learning models analyze and improve model drift. Some of our clients, like Salesforce, already use Scuba to improve their ML and make more accurate predictions. Because Scuba makes it so easy to iterate, run new queries, and compare patterns, you can still check fraudulent activity despite seasonal behavior, and accommodate for when behaviors change. 

 

Only Scuba Analytics provides the rich source of data, 360-visibility, and agility you need to track up-to-the minute insights. Schedule a demo today. 

 

REQUEST A DEMO