Doron Hendler, CEO and co-founder of RevealSecurity, explains the right way and the wrong way to detect malicious behavior.

Suspicious woman spying outdoors
Image: New Africa/Adobe Stock

Over a decade ago, the security market adopted statistical analysis to augment rule-based solutions in an attempt to provide more accurate detection for the infrastructure and access layers. However, User and Entity Behavioral Analytics (UEBA) failed to deliver as promised to dramatically increase accuracy and reduce false positive alerts due to a fundamentally mistaken assumption: That user behavior can be characterized by statistical quantities, such as the average daily number of activities.

SEE: Mobile device security policy (TechRepublic Premium)

This mistaken assumption is built into UEBA, which characterizes a user by an average of activities. In reality, people don’t have “average behaviors,” and it is thus futile to try and characterize human behavior with quantities such as the average, standard deviation or median of a single activity.

How UEBA falls short in detecting abnormal behavior

As an example of non-average behavior, meet David, a personal banking account manager at a major bank. As part of his normal daily activities, David has a variety of different professional working profiles:

  1. He may be called by a customer to perform a bank transfer on his behalf, either externally, between branches or between accounts at the same branch.
  2. At other times, he may assist a customer with the buying and selling of various stocks.
  3. On a monthly basis, David will generate a status report of all customers under his responsibility and email it to his manager.

Computing an average of the daily activities in David’s workday would be meaningless. We should focus instead on learning David’s multiple typical activity profiles.

In addition to UEBA’s fundamentally mistaken assumption explained above, UEBA has also failed in business applications due to the vast dissimilarities between SaaS and custom-built applications. Models have therefore been developed only for a limited set of application layer scenarios, such as in the financial sector. As a result, bespoke rules written for a specific application continue to be the most common detection solution for applications.

How to detect malicious behavior

While User Behavior Analytics is about a single baseline for each activity and an analysis of each activity on its own, User Journey Analytics looks at sequences of activities and learns for each user the complete set of typical user journeys in an application. The future is in implementing sequence-based detection in the application layer, enabling more accurate detection by performing user journey analysis of a sequence of activities in SaaS and custom built applications.

The real difference between users is not the specific actions we end up making, but the journeys we take as we make them. It is much more difficult for an impersonator to imitate a user’s normal profiles, and insiders looking to misuse or abuse an application will eventually deviate from their normal profiles.

As an example, think of a bank with many rooms, including a vault room with precious articles such as cash, gold and jewelry. The bank of course has a main entrance, and the vault also has its own door, which people go through to deposit or withdraw their precious goods.

People walk through the front door, entering and leaving the bank. They may walk in and out of the vault and perform various activities in that room itself.

Our goal is to find misuse and theft in the vault. However, just monitoring the vault’s door and actions doesn’t provide enough information for accurate detection, as most of the people involved are performing legitimate actions there.

Analyzing the path people take from the moment they enter through the front door of the bank, as they pass throughout the hallways and rooms — to, in and from the vault — enables us to learn which journeys are normal and expected. These normal journeys provide our base for detection.

We find malicious journeys by comparing each user journey to their learned normal journeys, because malicious users are likely to use a journey that is different from normal. Maybe their journey in the bank is longer because they don’t know where they’re going, or maybe they just quickly go in and out as fast as possible to avoid raising any suspicion.

The accurate detection of malicious behavior via analysis of user journeys is based on the underlying assumption that an abnormal session is characterized by a journey which isn’t similar to the user’s typical journeys in an application. Thus, by learning typical journeys and creating normative journey profiles, we can accurately detect abnormal journeys, which are highly correlated to malicious activities.

Doron Hendler

Doron Hendler is the Co-Founder and CEO of RevealSecurity. Doron is an experienced management and sales executive, with a proven track record of growing early-stage technology startups. He has mapped complex business environments in a wide range of global markets, both directly and through partners. Throughout his career, Doron has lead teams selling products, solutions and projects in storage, cyber security, DR/BC, green Energy/EV, Cloud and SaaS at companies such as NICE Systems (NASDAQ:NICE) and Trivnet (Acquired by Gemalto, NASDAQ: GTO), Surf Communication (acquired by Lytx) and mPrest.