Martin Kuppinger - User Behavior Analytics: Can We? Should We? Must We? And if, How to Do It Right?

Yeah, I've brought up this definition in the morning. So basically when we talk about UBA, it's a process about detection of patterns of human behavior. And so in fact, really looking at what is the normal pattern and when do we observe anomalies in these patterns? I think this is a very, very important and very logical thing to do because when we look at how attacks these days frequently run, then it's that someone tries to get access to the account of someone else to do things that person potentially can do, but would not do itself. So the pattern of behavior should change in what we observe.

And from that perspective, basically it is something which adds. So we, we say, okay, it's also, I think, fits quite well into this zero trust notion. And the thing in the sense of we assume breach, we don't trust. We verify. And this is part of that we look at is this really the normal behavior? Or is this an anomaly?

It's a not easy thing because so, so you might have people who do virtually the same things all year, but by the coming close to the end of the business year, they start doing different things because they're in the bookkeeping in the finance department and they have to do some anomalies. So it's something we need to keep in mind. There might be anomalies, which are not anomalies, but which are just, if you take a long enough period of observing things, they are not an anomaly anymore. So when you look at it first year, it's an anomaly.

If you take five years, it's a total normal behavior that at the end of the year, things are changing. So we need to be a little bit careful as I've said, all this builds on, we have a lot of elements, a lot of layers in our security, everything is under attack and we have a lot of technologies to deal with these attacks. Traditionally, the technologies, we're looking more at technical aspects, packets flowing through the firewall and stuff like that. So traditional theme looks at locks and events and at so to speak in include as a packet, focus in the sense of what is happening.

But it's always difficult to say when we just look at what is happening to understand, this is the right thing. So if we know who is doing what, it's easier to come to the why, and this is the why really this thing we should happen when you only know there is something going on, it's, it's, it's far more difficult to, to draw correct conclusions out of that. And so UBA in fact adds one layer. So in this current blank areas, which is really the identity, the account, the way that people deal.

So the perspective of identity and access and authentic and access to which, which files are accessed, which entitlements are used, what is really happening, what are the people doing in their network? And that also adds to, or goes beyond what for instance, identity access management commonly does. So when we look at identity and access management, we have this traditional notion of access entitlement with grant. And so you might have someone who is an operator in your it department. Who's entitled to do certain types of backups or deal with certain types of backups. Okay?

If this person does that. So from aesthetic perspective, that's one thing, but if a little bit simplified, there are two bags backs a week, instead of one you had before, that might be a hint of a change in behavior hinting to a fraudulent behavior, because maybe he takes the second tape. If you're still singing tapes back home, because the, whatever, the text data he wants to sell to someone that's on the table, whatever else. So behavior is another element and it goes beyond aesthetic stuff.

We see, and we need other technologies. So we have this who and the what, and can better probably conclude to why. And we need other technologies, which are more advanced analytics where cognitive technologies come in. But what I've said before, and I'll touch to the next slide, not everything which is UBA is necessarily AI also. And with the term AI, we, anyway, as I've said, a couple of times already, we need to be very careful. Most of what is sold as AI is at best narrow AI. And in several cases, it's anything but AI, so these are artificial nor intelligent or so to speak.

No, it is something which is just simple or not simple mathematics, but it's not really AI. Okay. You might argue, everything goes down to mathematics in some way, but a lot of this is really pattern matching a technology and, and, and also algorithms which are out for tens of years, which are well-documented, which are well known, where it's really a way of how can I deal with patterns? And so at the risk of oversimplifying here, how looks, how does the concept look like?

Very, very, very, very basically. So we have someone and we drag for instance, which days of the week is that person accessing from which country?

So, as I've said, super simplified. So from Monday to Friday from Germany, Okay.

Next week, same picture the third week. Oh, There's something different because there was also an access on Saturday, the week after that becomes a Little bit more strange. I'm here. There's something from the us the week after. Okay. There's also something in from Russia. So I made the aggregation a little wrong, but excuse for that. So I think it should be that one should be in fact over here.

Anyway, don't care about that. Basically. We Have something where we say we have a pattern and we have some things which are sort of outliers of the normal behavior. And then there might be someone that's where, where things really start getting tricky.

So, so just getting the data and saying, okay, This is sort of what happens all the time. These are things which are Not happen, happen happening every time. That's one part Concluding From that to, is this Something which is recurring thing, which is Sort of maybe acceptable because we know some people sometimes come in on whatever Saturday, some do some part of their work or access the systems or Sunday. And these are things which are Really critical.

So we, We, we might, we, we need some, probably More information also to really goodness, obviously also one of the challenges we have with the entire UBA stuff. So the one thing is collecting all the data and we need a lot of data. I talked about it. So when we look at, when we have collected data of whatever, 50 working weeks and the two weeks for the end of year closure are lacking, then we don't have enough data. If we have five years of data, probably it's much better, but over these five years, the, the way the people work might have changed again. So we need a lot of data.

One thing, the other thing is we need to be good and making the right conclusions. So it's always this false, positive, false, negative thing we need to look at and we need to understand, and this is where, where things really start getting tricky. On the other hand, we right now have a lot of technology where we can do some things quite good, But Definitely We need to be careful with The conclusions we draw. So I think that conclusion Is relatively simple to draw theoretically, because Most likely someone will be at the same time, same day here in Germany, in the Us.

So the next day only in Germany, but that person just might have used something like an Nu or so, just entering with an IP address, which is rooted through the us. And then our data is misleading. So we need to also put in some good analytical technology and some good human ends in the way we deal with the data. On the other hand, I think it's very obvious that we need that type of technology. So when we look at, and that's a slide I've, I've created a couple of years right now ago, but I think it fits very well into, to the entire thing. Why do we need other types of technologies?

And this is when we look at the known versus unknown seeing in the attack pattern. So when we look at how an attack works, we started a sort of an red faith, which is someone is creating an attack. Obviously there's red danger, there's something going on and it gets even worse because them, this attack vector is used. So attacks are happening. And we don't really know about it. Then from red slowly moving to yellow, we will end up in green. Someone detects this detects, or there are certain types of attacks running.

And we need to analyze that we have a patch development and distribution, and maybe a year after half of the systems are patched depending on the type of systems, etcetera, but take the heart bleed numbers one year 50% horrible. But at some time we get more and more green. So decreasing number of unpatched systems. What we have is we have an unknown attack pattern. We have a known attack pattern.

So here we don't know, as, as the, so that person who created obviously knows it, but the rest doesn't know until someone detects there's something going on, raises it and finds out, okay, this is the way they are attacking us. And then there's the known attack pattern where we can handle differently. And the point is here, we can only protect us, but identification of anomalies. And we have this period here where we might be under attack. And the typical way attacks run are they are after our accounts, particularly after our highly privileged accounts.

And so when we observe the behavior of such accounts, there might be exactly the anomalies. And that's where UBA comes into play in such things, helping us to detect there's something going on and to better. So have a higher level of resilience against these types of attacks. And obviously then we can go to the simpler things and factually here. So in the broader sense was also, again, quote us for cognitive security, the more advanced technologies coming to believe, which help us across the entire phase when things are used. And traditional technologies only helped, helped to a certain part.

That's the same, you know, we could also say, okay, where, where does our, our standards, whatever identity management technology, looking at their entitlements, cetera, help, they only help to part of the challenge. They don't help the entire journey along. And so we need such technologies because at the end, we also have this challenge of, so to which extent, can we really deal with all these, with all these things that are happening somewhere in our network? So there's another aspect, which is to some extent or of the skill or, or human factor. And so we need technology.

UBA plays into that field, which helps us to focus on the critical things. So I've talked about this earlier.

I said, you know, when you look at this green and yellow and red things, so that the perceived anomalies in the statistics you've made, you still need to understand what's about it. But basically if you have the right technology and use it the right way, it helps us to reduce the, the number of things we need to look at and to focus on the things where we are, are, are not secure about. And so we are collecting events from various areas and that might be the user behavior that might be other types of data we put together in a system.

So UBA frequently is combined with all the other perspectives of packets in the network, et cetera. And then we need to understand what are the potential incidents? So where are the anomalies? Where are the things that are not as they should be? And basically there are three types of things which cannot come out of there. They are the black ones, which are known incidents.

Honestly, they are not a problem. I say, I tell you why in a minute, they are the gray ones, the unknown events, that is our real issue. And they are the white ones, the known regular events.

And, and we end up a sort of a pyramid of events and incidents with the black ones, the gray ones and the white ones. So I don't wanna care much about the black ones because we know them what we know we can deal with. So if we know going back to the picture I had with the, the access from Russia, I marked this red. If we know there's something, which is definitely an anomaly, we can set up something to handle that anomaly automatically. We can say, block it, do debt or debt or that. So if it's clear that it's black, we can automate our reaction. That's the easy part.

That's super easy, but relatively easy. The white ones where I know, okay, this is the standard access, no anomalies at all. Okay. We might have still some, some automated reactions where we say, okay, some things are still not ideal or should be different, or we root that, or blah, blah, blah, or whatever.

But again, the easy part, the challenge is so to speak, what has been yellow and the other slide before the things where we not exactly know what it is, because this is where we need to think about. And obviously our target of technology must be by using technology in a way that we minimize the gray area, because the gray areas, which requires human intervention, the gray areas where the, the, the, the, the friction for the users come from. So is this really something we need to, we are allowed to block or not.

These are the things where we really need to concentrate on, and that's where we need the technology. We need the technology, obviously also to get a lot of, to know what is black, but basically the target always must be minimized that because this is where the work comes from. So we have whatever our incident management system done saying, here's an anomaly that, or that has been triggered here or identified, what do we do? So we need to minimize the number of that.

Again, this is where technology helps us. And the better the technology is the better. It helps us in minimizing that. But we also need a lot of business knowledge in there. We need to understand what does it really mean? What is our business process? What is set behavior? What are the exceptions or exceptions of something like the closure of our, our books by the end of the, the fiscal year, things like that, we need to know it. We need to factor it in.

It's a question I, by the way, laugh to, to, to ask the, the, the vendors, when they come up and say, oh, we have this solution for whatever privileged, privileged behavior analytics. And then I say, okay. And they tell it, and there's a lot of secret sauce in there. So something goes in secret sauce, something comes, comes out and they won't tell you what the secret sauce is. They trust, tell you, we know how to do it. Then I ask. Yeah. But if I have, for instance, this maintenance window, if I have this years end closure, these exceptions, can I configure these?

Can I tell the system, there will be something there will be an Analyst, so to speak, usually answers. No. And that's where we definitely have a long way to go. So how can we bring in our business knowledge into the systems? So obviously they also help us technologies having the right information. So what is cognitive technology, or what is this about? Just a quick definition. So cognitive technology is modern machine learning. It's machine learning, blasted, draining data, plus the human expertise.

So the machine learning technology for itself is one part, but it's, it's like with kids, it's not a one time thing you need to, or to educate, to govern, to do things again and again, over the time. And so, so it's also, you know, systems, which say we are trust machine learning, and there's no answer on training and human expertise and review. These are pretty weak approaches on doing that from my perspective. So we have a cognitive technology and the cognitive solution is done applying this technology to certain business case. And that is in fact what we are doing with UBA.

We have a cognitive technology, and if we use it right, then we end up with really a cognitive solution, which helps us to get better in tracking the users. So these technologies help us then supporting our cyber defense center or our security operation center, however, you'd name it. So they are part of this journey from, so when you go back a couple of years, our focus has been very much on prevention. So put a firewall in place. It prevents that stuff coming in and you're done. We all know that's not the reality.

So it's about identifying preventing, detecting, responding, recovering, increasing resilience. And I believe the, the main emphasis anyway, should be on improving your resilience today. So how can your business survive and attack and improve the entire thing? So we have various elements in there, and there are a couple of elements, in fact, where these advanced technologies, including UBA playing, because they in particular help us in, in doing this detect better than we could do it before. And then we should, on the other hand, be able to conclude from that, what do we need to do with that?

So how do we deal with that information? So we detected something, how do we deal with that incident management had it before, how do we improve the system or the way we deal, the organizational rules, all that stuff. So we need to look at it as part of a bigger story. And I think this is the important element of my story here. So UBA is not a standalone technology.

UBA is something which is part of a bigger process in your, or around your cyber defense center, which includes a lot of other things that we, so that we get better in doing this on technology helps us, but technology for itself won't solve the problem. So fool was a tool, still a fool tools are important, but they are only a very small part of the entire story.

And again, the, the point is identifying anomalies is one element, but understanding whether it's really an anomaly and what to do, and what does it mean for a business process? That is the difficult part. So should we do it how to do it, etcetera, are we allowed to do it without ending up in a long discussion about privacy, GDPR workers, councils, et cetera, basically the recital 49 of the EU GDPR is very clear on that. So the recitals are just sort of all the text before the, the formal paragraphs, which sort of adds detail to that, which are part of the regulation.

So this rec, this is part of the GDPR and it's where, where it becomes, I would say most clear without reading everything, the processing of personal data to ensure network and information security constitutes legitimate interest. So it's very clearly defined. So legitimate interest is in most cases for GDPR, it's totally fussing here. It's a very clear thing. Obviously it also says as little data as you need, etcetera, be careful and blah, blah, blah. But basically the GDPR is very clear on yes, UBA is allowed if you need it to ensure your network and information security.

That is I think something which with said, without going too much into detail on the discussions around, around that go through the GDPR. And it's very worse, really reading both the, the, the paragraphs and all the recital. So the recitals are heavily unstructured, but anyway, read through it in contrast to most regulations, that GDPR is very clear in what it says very precise, and there are far less gray areas than most people claim they are in. So is that UBA is part of, has an interplays identity are brought up to slide in the morning.

So we have this user behavior, we collect data we use or analyze data in UBA. And that is where then again, how to do it, where, where the things become really important. I am not a believer in technology, which tells us what goes, what is going wrong without helping us to fix it. So every technology which just identifies problems without helping and fixing the problems is maybe a 10% solution because at least leaves the, the main part open. So how do I do it better? And that is what UBA obviously has to deliver.

So it analyzes, it understands or not, but if that's right, should deliver us information about the animal is what is going wrong, or what does it mean, which we then deliver back to target system. And that is again on the identity management as one of the target systems, which allows us to say, okay, we use it for instance, for adaptive authentication.

So we use that information to better control the way we also indicate and say, okay, if there's an perceived risk or an identified risk with this account, we, for instance, request an additional authenticator Decatur, we say, okay, you need to add, enter an additional pass for you. Normally don't have to use, but here, because we have some hints on a malicious behavior or a malicious use of this account, you have to enter it. And this is what we really bring up here. So we need to close The circle.

And if we do it, we need to solve this understanding what our really animal is, understanding the business case behind having the right technology to how to do it. And so to speak, closing the loop and for the stats user behavior analytics Really becomes an interesting and important element in our sort of cognitive security Heat map.

So what, where our technologies This year, how mature they are, user behavior analytics is not bad from a maturity Perspective and which security impact do they have. They can have done right. A very significant security impact. It comes Usually as part of other technology. So there Are still some standalone UBA lender, But Increasingly UBA is part of Different tech technologies, such, such as identical governance administration, Such as The next generation scene And others.

So we see that there are various key capabilities interest of time as keep or go pretty quickly through that. So the ability to aggregate data, to deal with large amounts of data, machine learning algorithms, having Concrete use cases. So not just being a tool, but being a solution cognitive solution Presented in the front, we can use, we can work with inter IM and Other things. These are sort of key capabilities. There are various innovative features. We see.

So, so good integration kits, minimal coding. So some of these are still very coding heavy at the end, and we should work on ways where we don't. So where the, the level of knowledge of a data scientist goes down. So he needs to understand the business problem, but not too much technology integrated with the solutions, reduce false positives, go to lower duration, baselining periods. Obviously that's a tricky thing to do, but we need to look at these things. There are masses of vendors trust the list. I didn't check everyone recently.

So there might be one or two or three, which already out of business are required. But basically you see, there are definitely, I don't claim this is a complete list, but there are a lot of vendors in the space. Many of them like Exabeam, like BBI, like Palo Alto networks, delivering UBA is part of other things with that. I hope a gate could give you a, a quick and rapid overview on the topic of user behavior analytics, and I'm more or less perfect in time. So I think we can pick one question or so before I hand over to Chris, so if there are any questions.