Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

10:30 AM
Tom Pendergast
Tom Pendergast
Connect Directly
E-Mail vvv

Behavioral Analytics: The Future of Just-in-Time Awareness Training?

It's high time we leveraged modern threat detection tools to keep users on the straight and narrow road of information security.

My mom bought a new car the other day and like most new cars today, it comes equipped with all the modern bells and whistles, including driver assistance features. If she starts wandering out of her lane, beeps and flashing lights direct her to get back in her lane. Or if she gets too close to the car ahead of her, the car brakes automatically. Great stuff for those who aren’t always paying close attention, right?

I’d say it’s high time we brought these kinds of features into the information security space, because right now we’re trusting employees to drive our “cars”— or expensive IT infrastructure – and the precious information that flows through it. But humans are fallible, and too often they’re just not paying close enough attention. As a result, they’re getting into accidents that are costing us dearly.

The good news is User Behavior Analytics (UBA) tools offer the promise of solving this problem – if they evolve in the right direction. These tools — which draw information from various other data gathering systems in the market, such as security information and event management (SIEMs), data loss pevention (DLP) systems, etc. — are providing real value in identifying patterns and signs that reveal the presence of bad actors in the IT environment.

These bad actors are typically malware or system vulnerabilities, but also insiders who are trying to commit malicious acts. Once identified, those bad actors can be dealt with, and risk reduced. It’s really positive, but it can go even further.

Right now, UBA and these other threat detection tools are great at identifying and addressing the symptoms of technical failure (such as system vulnerabilities), but we’ve only just tapped into their capacity to really track and respond to the symptoms associated with human failure. But this can and I believe will change.

For my tastes, the scope of UBA needs to be broader, to expand beyond identifying and tracking the traces left by malicious insiders, system vulnerabilities, and malware, and into tracking and then directly addressing patterns of human ignorance* and inattention. (*Author’s note: I’m using “ignorance” to mean “lack of understanding” or “unawareness,” not to imply that end users are ignorant!)

It will start when UBA takes a lesson from phishing simulations. The information security community loves phishing simulation tools – and why not? These tools do a great job at identifying employees who put the organization at risk by clicking on (fake) phishing attempts. Once you know who falls prey to phishing, you can target them with just-in-time education and (ideally) improve their performance and their ability to protect the organization. It works perfectly – or so say advocates.

However, phishing simulations have some real limitations; they’re too easy to manipulate to get the results you want; they can make employees feel “violated;” some phishing lures can scare IT or HR; and phishing is just one threat among many, after all. Despite those negatives, they do deliver just-in-time education — they are the warning light when employees drift “out of their lane.” That’s a real positive – and this is where UBA tools come in, because of their capacity to identify so many more problems.

Imagine, if you will, a robust UBA system that identified and addressed human risks related to data classification, access controls, password reuse, remote connectivity, inappropriate use of cloud computing, etc., coupled with correctives to guide the user back to safety.  Here’s how it might work:

The first time Joe Employee saves a document to an unapproved cloud storage site (for example), he gets a system-generated pop-up that directs him to company policy on the use of cloud storage. Problem solved, 70% of the time—but not always.

So the next time he does it, the system provides a two-minute video on the problems with unapproved cloud usage. More improvement. But, Joe is among the 5% who still don’t get it, so when he does it again the system enrolls him in a required 15-minute training course on Acceptable Use policies.

Despite that, there will be .1% who still do it wrong – and that’s where human intervention or termination might need to come into play.

Now imagine this kind of identification and correction across the spectrum of human risk. I’m not talking about malicious acts, but rather inadvertent acts, or acts committed out of ignorance or inattention —the very same problems we too often try to correct with boring policies and lengthy security awareness training courses.

Can we “tune” UBA systems to identify these kinds of triggers? I believe we can. Pair these risk triggers with a flexible deployment of just-in-time training and you’ve created “lane assistance” warnings for information security, with the added benefit of only training those who need it and not wasting the time of those who don’t. 

Tom Pendergast is MediaPRO's Chief Learning Officer. He believes that every person cares about protecting data, they just don't know it yet. That's why he's constantly trying to devise new and easy ways to help awareness program managers educate their employees. Whether it's ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Author
1/21/2016 | 4:19:22 PM
Re: What are the Pros and Con - Features In Solutions
Kshaurette, thanks for your comment. One of the interesting providers that I'm keeping an eye on is ObserveIT, take a look there. But I do expect to see more firms like this (and those you mentioned) using their data gathering capacities to shine a light on user behavior, especially the "Insider Threat" posed not just by the Snowden's of the world, but also by those with far more innocent intentions.
User Rank: Author
1/21/2016 | 4:16:51 PM
Re: What are the Pros and Con - Features In Solutions
Thanks for your kind words! I'm flattered.
User Rank: Apprentice
1/21/2016 | 6:37:54 AM
Re: What are the Pros and Con - Features In Solutions
Writing with style and getting good compliments on the article is quite hard, to be honest.But you've done it so calmly and with so cool feeling and you've nailed the job. It is my favorite subject. This article is possessed with style and I am giving good compliment. Get more information about IT security training
User Rank: Strategist
1/20/2016 | 10:58:01 AM
What are the Pros and Con - Features In Solutions
This is a very good article and i believe higher end analytics of behavior based activity tracking coudl become the 2016 and beyond trend.  Solutions with the right features become the best way to catch unusual (anamolous) activity like performed by a Snowden that could indicate behavior not normal as compared to what goes on daily, weekly, monthly based on a lot of possible comparisons.  The larger the repository of User Bahavior to perform analytics against the great the potential to detect activity that stands out as unusual.  What are some of hte most popular tools, I'm aware of Aristotle Insight, and probably bigger vendor solutions like Arcsight, Qradar, but what are typicaly feature sets that these tools exhibit that make them an accepted practice?
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-15
A XSS Vulnerability in /uploads/dede/action_search.php in DedeCMS V5.7 SP2 allows an authenticated user to execute remote arbitrary code via the keyword parameter.
PUBLISHED: 2021-05-15
DedeCMS V5.7 SP2 contains a CSRF vulnerability that allows a remote attacker to send a malicious request to to the web manager allowing remote code execution.
PUBLISHED: 2021-05-14
The Linux kernel before 5.11.14 has a use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c because the CIPSO and CALIPSO refcounting for the DOI definitions is mishandled, aka CID-ad5d07f4a9cd. This leads to writing an arbitrary value.
PUBLISHED: 2021-05-14
In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value.
PUBLISHED: 2021-05-14
The block subsystem in the Linux kernel before 5.2 has a use-after-free that can lead to arbitrary code execution in the kernel context and privilege escalation, aka CID-c3e2219216c9. This is related to blk_mq_free_rqs and blk_cleanup_queue.