
10:30 AM
Tom Pendergast

Behavioral Analytics: The Future of Just-in-Time Awareness Training?

It's high time we leveraged modern threat detection tools to keep users on the straight and narrow road of information security.

My mom bought a new car the other day and like most new cars today, it comes equipped with all the modern bells and whistles, including driver assistance features. If she starts wandering out of her lane, beeps and flashing lights direct her to get back in her lane. Or if she gets too close to the car ahead of her, the car brakes automatically. Great stuff for those who aren’t always paying close attention, right?

I’d say it’s high time we brought these kinds of features into the information security space, because right now we’re trusting employees to drive our “cars” – or expensive IT infrastructure – and the precious information that flows through it. But humans are fallible, and too often they’re just not paying close enough attention. As a result, they’re getting into accidents that are costing us dearly.

The good news is User Behavior Analytics (UBA) tools offer the promise of solving this problem – if they evolve in the right direction. These tools – which draw information from various other data gathering systems in the market, such as security information and event management (SIEMs), data loss prevention (DLP) systems, etc. – are providing real value in identifying patterns and signs that reveal the presence of bad actors in the IT environment.

These bad actors are typically malware or system vulnerabilities, but also insiders who are trying to commit malicious acts. Once identified, those bad actors can be dealt with, and risk reduced. It’s really positive, but it can go even further.

Right now, UBA and these other threat detection tools are great at identifying and addressing the symptoms of technical failure (such as system vulnerabilities), but we’ve only just tapped into their capacity to really track and respond to the symptoms associated with human failure. But this can and I believe will change.

For my tastes, the scope of UBA needs to be broader, to expand beyond identifying and tracking the traces left by malicious insiders, system vulnerabilities, and malware, and into tracking and then directly addressing patterns of human ignorance* and inattention. (*Author’s note: I’m using “ignorance” to mean “lack of understanding” or “unawareness,” not to imply that end users are ignorant!)

It will start when UBA takes a lesson from phishing simulations. The information security community loves phishing simulation tools – and why not? These tools do a great job at identifying employees who put the organization at risk by clicking on (fake) phishing attempts. Once you know who falls prey to phishing, you can target them with just-in-time education and (ideally) improve their performance and their ability to protect the organization. It works perfectly – or so say advocates.

However, phishing simulations have some real limitations: they’re too easy to manipulate to get the results you want; they can make employees feel “violated”; some phishing lures can scare IT or HR; and phishing is just one threat among many, after all. Despite those negatives, they do deliver just-in-time education – they are the warning light when employees drift “out of their lane.” That’s a real positive – and this is where UBA tools come in, because of their capacity to identify so many more problems.

Imagine, if you will, a robust UBA system that identified and addressed human risks related to data classification, access controls, password reuse, remote connectivity, inappropriate use of cloud computing, etc., coupled with correctives to guide the user back to safety. Here’s how it might work:

The first time Joe Employee saves a document to an unapproved cloud storage site (for example), he gets a system-generated pop-up that directs him to company policy on the use of cloud storage. Problem solved, 70% of the time—but not always.

So the next time he does it, the system provides a two-minute video on the problems with unapproved cloud usage. More improvement. But, Joe is among the 5% who still don’t get it, so when he does it again the system enrolls him in a required 15-minute training course on Acceptable Use policies.

Despite that, there will be .1% who still do it wrong – and that’s where human intervention or termination might need to come into play.
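The escalation ladder in this scenario, sketched as an added example (not code from the author or from any UBA product). The event format, the allow-listed host and the five-minute de-duplication window are assumptions; the last one keeps a single upload reported by both a DLP and a SIEM feed from costing the user two rungs.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions, not from the article: the allow-list host and the 5-minute window.
APPROVED_CLOUD = {"corp-drive.example.com"}
DEDUP_WINDOW = timedelta(minutes=5)

# Ladder from the article's scenario: pop-up, video, course, then a human.
LADDER = [
    "popup: link to the cloud storage policy",
    "video: two-minute clip on unapproved cloud usage",
    "course: required 15-minute Acceptable Use training",
    "escalate: human intervention",
]

# Constructed sample events (time-ordered), as fed to a UBA tool by DLP and SIEM.
SAMPLE_EVENTS = """\
{"ts": "2016-01-04T09:00:00", "user": "joe", "source": "dlp", "action": "cloud_upload", "dest": "files.example.net"}
{"ts": "2016-01-04T09:00:40", "user": "joe", "source": "siem", "action": "cloud_upload", "dest": "files.example.net"}
{"ts": "2016-01-05T10:00:00", "user": "ann", "source": "dlp", "action": "cloud_upload", "dest": "corp-drive.example.com"}
{"ts": "2016-01-11T14:30:00", "user": "joe", "source": "dlp", "action": "cloud_upload", "dest": "files.example.net"}
{"ts": "2016-01-18T08:15:00", "user": "joe", "source": "dlp", "action": "cloud_upload", "dest": "files.example.net"}
{"ts": "2016-01-25T16:45:00", "user": "joe", "source": "dlp", "action": "cloud_upload", "dest": "files.example.net"}
{"ts": "2016-01-26T11:00:00", "user": "ann", "source": "siem", "action": "cloud_upload", "dest": "files.example.net"}
"""


def interventions(lines):
    """Return (user, intervention) for each counted policy violation."""
    strikes = defaultdict(int)  # (user, action) -> violations counted so far
    last_seen = {}              # (user, action, dest) -> time last counted
    out = []
    for line in filter(str.strip, lines.splitlines()):
        ev = json.loads(line)
        if ev["action"] != "cloud_upload" or ev["dest"] in APPROVED_CLOUD:
            continue  # not a violation
        ts = datetime.fromisoformat(ev["ts"])
        key = (ev["user"], ev["action"], ev["dest"])
        if ts - last_seen.get(key, datetime.min) < DEDUP_WINDOW:
            continue  # same act reported by a second sensor: count it once
        last_seen[key] = ts
        strikes[key[:2]] += 1
        step = min(strikes[key[:2]], len(LADDER)) - 1  # stay on the last rung
        out.append((ev["user"], LADDER[step]))
    return out

if __name__ == "__main__":
    print(*interventions(SAMPLE_EVENTS), sep="\n")
```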

Now imagine this kind of identification and correction across the spectrum of human risk. I’m not talking about malicious acts, but rather inadvertent acts, or acts committed out of ignorance or inattention – the very same problems we too often try to correct with boring policies and lengthy security awareness training courses.

Can we “tune” UBA systems to identify these kinds of triggers? I believe we can. Pair these risk triggers with a flexible deployment of just-in-time training and you’ve created “lane assistance” warnings for information security, with the added benefit of only training those who need it and not wasting the time of those who don’t. 

Tom Pendergast, Ph.D., is the chief architect of MediaPro's Adaptive Awareness Framework, a vision of how to analyze, plan, train and reinforce to build a comprehensive awareness program, with the goal of building a risk-aware culture. He is the author or editor of 26 books ...
User Rank: Author
1/21/2016 | 4:19:22 PM
Re: What are the Pros and Con - Features In Solutions
Kshaurette, thanks for your comment. One of the interesting providers that I'm keeping an eye on is ObserveIT, take a look there. But I do expect to see more firms like this (and those you mentioned) using their data gathering capacities to shine a light on user behavior, especially the "Insider Threat" posed not just by the Snowdens of the world, but also by those with far more innocent intentions.
User Rank: Author
1/21/2016 | 4:16:51 PM
Re: What are the Pros and Con - Features In Solutions
Thanks for your kind words! I'm flattered.
User Rank: Apprentice
1/21/2016 | 6:37:54 AM
Re: What are the Pros and Con - Features In Solutions
Writing with style and getting good compliments on the article is quite hard, to be honest. But you've done it so calmly and with so cool feeling and you've nailed the job. It is my favorite subject. This article is possessed with style and I am giving good compliment. Get more information about IT security training
User Rank: Strategist
1/20/2016 | 10:58:01 AM
What are the Pros and Con - Features In Solutions
This is a very good article and I believe higher end analytics of behavior based activity tracking could become the 2016 and beyond trend. Solutions with the right features become the best way to catch unusual (anomalous) activity like performed by a Snowden that could indicate behavior not normal as compared to what goes on daily, weekly, monthly based on a lot of possible comparisons. The larger the repository of User Behavior to perform analytics against the greater the potential to detect activity that stands out as unusual. What are some of the most popular tools, I'm aware of Aristotle Insight, and probably bigger vendor solutions like Arcsight, Qradar, but what are typical feature sets that these tools exhibit that make them an accepted practice?