Bad "Behavior" at RSA 2016

August 27, 2016

I’ve had a number of interesting discussions with co-workers and friends that attended, exhibited at, or reported on RSA this year. Common comments included, “There are more security vendors than ever,” “There has to be some major consolidation coming,” and “Can you believe that there were even vendors there that claimed we can prevent breaches altogether!”  

But the term I heard at RSA more this year than ever before was behavior. More people are talking about behavior as the key to helping us as an industry enable our customers to better protect themselves. And sometimes they’re using the term incorrectly.
What is behavior, anyway?
“Behavior” is used to describe a number of different approaches to security, but that label is not always correct. To set the record straight once and for all, let’s divide it into three broad buckets:
     -Adaptive authentication
     -Behavioral biometrics
     -User and entity behavioral analytics (UEBA)
User Behavior Adaptive Access Control
The term “behavior” is often used in the user authentication market segment when what we’re really talking about is adaptive access control. (In fact, this capability has gone through several different names over the last few years. You may have also heard it called “risk analysis,” “context- based authentication,” or “adaptive access control.”)

So what is it, and why isn’t it “behavior”? Adaptive access control analyzes one or more criteria to assess the risk associated with an authentication request and guide the ensuing authentication workflow. For instance, if a login attempt is deemed risky, you can step up to multi-factor authentication or deny access outright. Low-risk authentications, on the other hand, can be allowed to proceed normally, without the user even knowing there was a risk assessment. The goal is to keep authentication secure while providing a great user experience.

So what are these pre-authentication analysis criteria? They can include:    

  • IP reputation — Comparing the authenticating IP address against threat information can determine whether it is associated with known bad actors or infrastructure associated with anomalous behavior.    
  • Geo-location — Is the user physically in a known good or bad location?
  • Geo-velocity — Have the user credentials been exposed to an improbable travel event? For example, are they being used to log in from Shanghai when they were used just an hour ago from San Francisco?
  • Device recognition — Has the user used this device before and logged on successfully? Has the device changed? Do we trust the device?
  • Group membership and other user attributes — Because hackers often create incomplete identities, checking the identity store can uncover threats. As you can see, these criteria cannot properly be called “behavior,” which is why SecureAuth now uses the more accurate term “adaptive authentication.”

Behavioral Biometrics
Here is where we start to use “behavior” correctly. Behavioral biometrics analyzes user behavior to help verify a user's identity without impacting the daily routine. It continuously collects information about how a user interacts with a given device, such as her keystroke dynamics on a keyboard, her cursor movement for a mouse or touchpad, or her touch-based interaction and how she holds the device for touch-screen devices.

The resulting behavioral biometric user templates are updated over time until the system has confidence that it has learned a user’s unique patterns on a given device. Then it can determine when the current user behavior on that device doesn't match the legitimate user's profile, enabling the system to block a likely attacker.

User and Entity Behavioral Analytics (UEBA)
Now we’re really getting into the interesting stuff. UEBA helps organizations detect anomalous user and entity behavior. It ingests data from a SIEM or other data sources, like application and audit logs or even other security products, and uses it to establish a baseline of behavior. Then it continually looks for deviations from that baseline — in other words, what it considers to be abnormal. For instance, it might detect that someone in your accounting department is steadily accessing and collecting data from around the organization.

Sophisticated machine learning is typically needed to interpret the data and find deviations, and most vendors are doing a really nice job with this. While a rule-based approach can be used to achieve the same goal, it is arguably far less effective, and it requires both initial and ongoing configuration.

You may have also heard the term “user behavior analytics” (UBA). If you’re wondering about the differences between UBA and UEBA, Cindy Ng over at Veronis does a nice job in speaking to this on behalf of Gartner:

Well, I hope that clears up the use of the term “behavior.”  If I'm missing a behavior “bucket” from my list, please tell me about it!

  • SecureAuth

Ready for a Demo?

Eliminate identity-related breaches with SecureAuth!