When All Behavior Is Abnormal, How Do We Detect Anomalies?

Identifying normal behavior baselines is essential to behavior-based authentication. However, with COVID-19 upending all aspects of life, is it possible to build baselines and measure normal patterns when nothing at all seems normal?

Necessary Complexity
While behavior-based analysis for authentication (and threat detection) is necessary for many organizations, it is anything but simple.

"The focus on network-based behavior is always going to be fraught with complexity and lacking in key context to make effective decisions," Woolwine says. "Think about network-based behavior analytics as being able to understand the travel patterns of commuters but not understand what they do before, after, and during their commute."

Says Chris Rothe, co-founder and chief product officer at Red Canary: "Anomaly detection is inherently difficult, but it is basically impossible if you don't have a baseline of what normal is to compare against. Depending on what you used to establish that baseline, it may be completely invalid when there is a fundamental change in where or how your employees are working."

Still, Woolwine says, "Anyone tossing behavior-based detections out the window due to the shift in work habits doesn't really get behavior-based detection in the first place. While we did see a temporary decrease in the effectiveness of network-based behavior detections against authentication gateways, the algorithms recovered within 48 hours."
