Vulnerabilities / Threats
10:30 AM
Tom Pendergast
Tom Pendergast
Connect Directly

Behavioral Analytics: The Future of Just-in-Time Awareness Training?

It's high time we leveraged modern threat detection tools to keep users on the straight and narrow road of information security.

My mom bought a new car the other day and like most new cars today, it comes equipped with all the modern bells and whistles, including driver assistance features. If she starts wandering out of her lane, beeps and flashing lights direct her to get back in her lane. Or if she gets too close to the car ahead of her, the car brakes automatically. Great stuff for those who aren’t always paying close attention, right?

I’d say it’s high time we brought these kinds of features into the information security space, because right now we’re trusting employees to drive our “cars”— or expensive IT infrastructure – and the precious information that flows through it. But humans are fallible, and too often they’re just not paying close enough attention. As a result, they’re getting into accidents that are costing us dearly.

The good news is User Behavior Analytics (UBA) tools offer the promise of solving this problem – if they evolve in the right direction. These tools — which draw information from various other data gathering systems in the market, such as security information and event management (SIEMs), data loss pevention (DLP) systems, etc. — are providing real value in identifying patterns and signs that reveal the presence of bad actors in the IT environment.

These bad actors are typically malware or system vulnerabilities, but also insiders who are trying to commit malicious acts. Once identified, those bad actors can be dealt with, and risk reduced. It’s really positive, but it can go even further.

Right now, UBA and these other threat detection tools are great at identifying and addressing the symptoms of technical failure (such as system vulnerabilities), but we’ve only just tapped into their capacity to really track and respond to the symptoms associated with human failure. But this can and I believe will change.

For my tastes, the scope of UBA needs to be broader, to expand beyond identifying and tracking the traces left by malicious insiders, system vulnerabilities, and malware, and into tracking and then directly addressing patterns of human ignorance* and inattention. (*Author’s note: I’m using “ignorance” to mean “lack of understanding” or “unawareness,” not to imply that end users are ignorant!)

It will start when UBA takes a lesson from phishing simulations. The information security community loves phishing simulation tools – and why not? These tools do a great job at identifying employees who put the organization at risk by clicking on (fake) phishing attempts. Once you know who falls prey to phishing, you can target them with just-in-time education and (ideally) improve their performance and their ability to protect the organization. It works perfectly – or so say advocates.

However, phishing simulations have some real limitations; they’re too easy to manipulate to get the results you want; they can make employees feel “violated;” some phishing lures can scare IT or HR; and phishing is just one threat among many, after all. Despite those negatives, they do deliver just-in-time education — they are the warning light when employees drift “out of their lane.” That’s a real positive – and this is where UBA tools come in, because of their capacity to identify so many more problems.

Imagine, if you will, a robust UBA system that identified and addressed human risks related to data classification, access controls, password reuse, remote connectivity, inappropriate use of cloud computing, etc., coupled with correctives to guide the user back to safety.  Here’s how it might work:

The first time Joe Employee saves a document to an unapproved cloud storage site (for example), he gets a system-generated pop-up that directs him to company policy on the use of cloud storage. Problem solved, 70% of the time—but not always.

So the next time he does it, the system provides a two-minute video on the problems with unapproved cloud usage. More improvement. But, Joe is among the 5% who still don’t get it, so when he does it again the system enrolls him in a required 15-minute training course on Acceptable Use policies.

Despite that, there will be .1% who still do it wrong – and that’s where human intervention or termination might need to come into play.

Now imagine this kind of identification and correction across the spectrum of human risk. I’m not talking about malicious acts, but rather inadvertent acts, or acts committed out of ignorance or inattention —the very same problems we too often try to correct with boring policies and lengthy security awareness training courses.

Can we “tune” UBA systems to identify these kinds of triggers? I believe we can. Pair these risk triggers with a flexible deployment of just-in-time training and you’ve created “lane assistance” warnings for information security, with the added benefit of only training those who need it and not wasting the time of those who don’t. 

Tom Pendergast is the chief architect of MediaPro's Adaptive Architecture(tm) approach to analyze, plan, train, and reinforce to deliver comprehensive awareness programs in the areas of information security, privacy, and corporate compliance. Tom has a Ph.D. in American ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Author
1/21/2016 | 4:19:22 PM
Re: What are the Pros and Con - Features In Solutions
Kshaurette, thanks for your comment. One of the interesting providers that I'm keeping an eye on is ObserveIT, take a look there. But I do expect to see more firms like this (and those you mentioned) using their data gathering capacities to shine a light on user behavior, especially the "Insider Threat" posed not just by the Snowden's of the world, but also by those with far more innocent intentions.
User Rank: Author
1/21/2016 | 4:16:51 PM
Re: What are the Pros and Con - Features In Solutions
Thanks for your kind words! I'm flattered.
User Rank: Apprentice
1/21/2016 | 6:37:54 AM
Re: What are the Pros and Con - Features In Solutions
Writing with style and getting good compliments on the article is quite hard, to be honest.But you've done it so calmly and with so cool feeling and you've nailed the job. It is my favorite subject. This article is possessed with style and I am giving good compliment. Get more information about IT security training
User Rank: Strategist
1/20/2016 | 10:58:01 AM
What are the Pros and Con - Features In Solutions
This is a very good article and i believe higher end analytics of behavior based activity tracking coudl become the 2016 and beyond trend.  Solutions with the right features become the best way to catch unusual (anamolous) activity like performed by a Snowden that could indicate behavior not normal as compared to what goes on daily, weekly, monthly based on a lot of possible comparisons.  The larger the repository of User Bahavior to perform analytics against the great the potential to detect activity that stands out as unusual.  What are some of hte most popular tools, I'm aware of Aristotle Insight, and probably bigger vendor solutions like Arcsight, Qradar, but what are typicaly feature sets that these tools exhibit that make them an accepted practice?
Register for Dark Reading Newsletters
White Papers
Current Issue
Five Emerging Security Threats - And What You Can Learn From Them
At Black Hat USA, researchers unveiled some nasty vulnerabilities. Is your organization ready?
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
According to industry estimates, about a million new IT security jobs will be created in the next two years but there aren't enough skilled professionals to fill them. On top of that, there isn't necessarily a clear path to a career in security. Dark Reading Executive Editor Kelly Jackson Higgins hosts guests Carson Sweet, co-founder and CTO of CloudPassage, which published a shocking study of the security gap in top US undergrad computer science programs, and Rodney Petersen, head of NIST's new National Initiative for Cybersecurity Education.