The importance of combined user and data behavior analysis in anomaly detection

Muqeet Khan, Head of Sales Engineering Australia and New Zealand

For decades security teams have understood the importance of tracking user behavior to identify potential cybersecurity threats. Behavior analysis systems first appeared in the early 2000s, and in 2015 Gartner officially defined User and Entity Behavior Analytics (UEBA) as a market, which is expected to be worth $4.2 billion by 2026.

However, in the face of escalating data breaches, security teams are now searching for ways to bring the context of data into their behavior analysis. To truly mitigate the risk of a data breach, you need to be able to detect and pinpoint threats to your data, no matter where it lives and what form it takes. To do this, you need a behavior analytics tool that creates a contextual behavior baseline by analyzing both user behavior and data access activities. 

Traditional UEBA systems collect data about user and entity activities from system logs, including logs collected and stored in log management and security information and event management (SIEM) systems. The system then applies advanced analytical methods to evaluate the activity of users and other entities (e.g. hosts, applications, network traffic) to discover anomalies. When the system detects unusual behavior, it alerts cybersecurity teams with actionable insights.

However, where traditional UEBA systems fall short is in the ability to track how specific users access and change data, which is what determines whether behavior is normal or abnormal. For example, a privileged user accessing data from a new device or source is, on its own, unremarkable. If we were to observe that same privileged user accessing data from a new source, using an interactive tool to run SELECT commands on sensitive tables/columns that they have never accessed in the past, and that nobody else in the user's workgroup has ever accessed before, that would be remarkable and would likely warrant further investigation.
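The scoring logic described in that example, written out as an added illustration (this is not Imperva's code, and the event fields, the sensitive-column list and the weights are assumptions made for the example): a baseline is learned from historical database access events along both the user dimension (source hosts, tools) and the data dimension (which sensitive columns each user and each workgroup has touched), and a new event is scored on the combination. A new source host alone scores low; a new source plus an interactive tool plus sensitive columns that neither the user nor their workgroup has ever read scores high enough to alert.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Hypothetical event schema for this example (not a real audit-log format).
@dataclass(frozen=True)
class AccessEvent:
    user: str
    workgroup: str
    source_host: str
    tool: str          # e.g. "app-service" (programmatic) or "dbeaver" (interactive)
    operation: str     # "SELECT", "UPDATE", ...
    table: str
    columns: tuple

# Assumed classification lists: which tools count as interactive, and which
# (table, column) pairs are considered sensitive.
INTERACTIVE_TOOLS = {"dbeaver", "sqlplus", "psql", "ssms"}
SENSITIVE_COLUMNS = {("customers", "ssn"), ("customers", "card_number"), ("payroll", "salary")}

@dataclass
class Baseline:
    """Learned 'normal' along both the user axis and the data axis."""
    user_sources: dict = field(default_factory=lambda: defaultdict(set))
    user_tools: dict = field(default_factory=lambda: defaultdict(set))
    user_columns: dict = field(default_factory=lambda: defaultdict(set))
    group_columns: dict = field(default_factory=lambda: defaultdict(set))

    def learn(self, ev: AccessEvent) -> None:
        self.user_sources[ev.user].add(ev.source_host)
        self.user_tools[ev.user].add(ev.tool)
        for col in ev.columns:
            self.user_columns[ev.user].add((ev.table, col))
            self.group_columns[ev.workgroup].add((ev.table, col))

def build_baseline(history):
    baseline = Baseline()
    for ev in history:
        baseline.learn(ev)
    return baseline

def score_event(baseline: Baseline, ev: AccessEvent):
    """Return (score, reasons) combining user-context and data-context signals.
    Weights are arbitrary choices for the example."""
    score, reasons = 0, []
    if ev.source_host not in baseline.user_sources[ev.user]:
        score += 1
        reasons.append("new source host for user")
    if ev.tool in INTERACTIVE_TOOLS and ev.tool not in baseline.user_tools[ev.user]:
        score += 1
        reasons.append("interactive tool not previously used by user")
    touched = {(ev.table, c) for c in ev.columns}
    new_for_user = (touched & SENSITIVE_COLUMNS) - baseline.user_columns[ev.user]
    new_for_group = new_for_user - baseline.group_columns[ev.workgroup]
    if new_for_user:
        score += 3
        reasons.append("sensitive columns never accessed by user: %s" % sorted(new_for_user))
    if new_for_group:
        score += 5
        reasons.append("sensitive columns never accessed by workgroup: %s" % sorted(new_for_group))
    return score, reasons

def triage(score: int) -> str:
    """Map a score to an action; thresholds are assumptions."""
    if score >= 8:
        return "alert"
    if score >= 3:
        return "review"
    return "info"

# Constructed history (not real data): the 'dba' workgroup's past access.
HISTORY = [
    AccessEvent("alice", "dba", "jump01", "app-service", "SELECT", "orders", ("total", "status")),
    AccessEvent("alice", "dba", "jump01", "app-service", "SELECT", "customers", ("email",)),
    AccessEvent("bob", "dba", "jump01", "app-service", "SELECT", "customers", ("email",)),
    AccessEvent("carol", "dba", "jump02", "psql", "SELECT", "customers", ("ssn",)),
]
BASELINE = build_baseline(HISTORY)

# New source host only: unremarkable on its own.
EV_NEW_SOURCE = AccessEvent("alice", "dba", "laptop-42", "app-service", "SELECT", "orders", ("total",))
# New source + interactive tool + sensitive columns new to alice, one of them new to the whole group.
EV_COMBINED = AccessEvent("alice", "dba", "laptop-42", "dbeaver", "SELECT", "customers", ("ssn", "card_number"))
# Sensitive column new to bob, but a workgroup peer (carol) has read it before.
EV_GROUP_PRECEDENT = AccessEvent("bob", "dba", "jump01", "app-service", "SELECT", "customers", ("ssn",))

if __name__ == "__main__":
    for ev in (EV_NEW_SOURCE, EV_COMBINED, EV_GROUP_PRECEDENT):
        score, reasons = score_event(BASELINE, ev)
        print(ev.user, ev.source_host, ev.tool, score, triage(score), reasons)
```

The point of the split baseline is visible in the three sample events: the same "new source" signal is present in the first two, but only the second combines it with a data-context signal strong enough to alert, while the third shows how workgroup precedent tempers an otherwise novel access so it lands in "review" rather than "alert".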

By combining both user and data behavior analytics, Imperva Data Security Fabric (DSF) is continuously learning the details of who the users are, and how they typically access databases and use enterprise data. From this, the analytics engine creates a contextual behavior baseline to help discern behaviors that are normal from those that are not and accurately identify critical data threats.

Imperva DSF goes beyond the anomaly detection techniques of other security products by combining them with intelligence around known database attack vectors. It uses purpose-built algorithms capable of identifying signs of malicious insider behavior such as privilege escalation, data exfiltration, or compromised user account activity that other security tools miss.

This approach helps to eliminate false positive anomalies and prioritize only the few high-risk incidents that require immediate investigation, allowing security teams to stay focused and contain a potential threat more effectively. Further, Imperva DSF delivers the details of these security incidents in plain language with context and actionable insights so security professionals can quickly understand what happened and respond. To streamline incident response, these incidents can be streamed as Syslog events directly into an existing SIEM such as Splunk, ArcSight, LogRhythm, and Sumo Logic.

Today it is vital that your security strategy is focused on protecting the crown jewels: your data. Tactics such as setting up perimeter defenses, restricting data access, patching, applying data movement sensors and data encryption can only go so far. In the real world, security teams face the ongoing threats of zero-day vulnerabilities, phishing attacks, stolen credentials, compromised laptops, poor application design, and a hundred other vectors that provide cybercriminals with the entry point they need to find and steal your data. In an instant, these threats can render useless the manifold defenses that the cybersecurity team worked so hard to deploy. That's why it's time for a new security mindset that focuses on the data itself, specifically gaining visibility of it, monitoring it, and being alerted to any suspicious behavior in that data estate.