Because zero trust hinges on identity, behavioral analytics lets organizations establish a baseline of “normal” user actions, such as logging in from a particular IP address, using a specific device, or logging in at a similar time each day.
Anything that deviates from this baseline can be flagged as an anomaly, for example a login from a different country at an unusual time. Continuous monitoring during the detect stage can surface potential threats and allow for prompt investigation.
Behavioral analytics helps identify unusual patterns of activity on the organization’s network or within its cloud applications.
The ability to detect and respond to these threats as they surface is critical to maintaining a zero-trust environment. Behavioral analytics can detect outside threats from bad actors as well as insider threats from disgruntled employees or compromised accounts.
“The zero-trust mindset is an implementation of least privilege user and device access at the network, application, and data levels,” says Petko Stoyanov, global CTO of Forcepoint. “Behavioral analytics solutions connect the dots of activities across the users, devices, networks, applications, and data thereby enabling detection, insight and enforcement across network and applications.”
Zero Trust: A Rethinking of Security
He explained that zero trust is, in many ways, a rethinking of security: how access is granted, and how users and their devices are continuously monitored as they access applications and data.
The central technologies applied in behavioral analytics for zero-trust security models are machine learning (ML), artificial intelligence (AI) and data analytics.
“AI and ML are critical to taking the constant noise of activity logs to a meaningful credit-like score of a user and a device,” Stoyanov says. “The credit-like score, or trust score, is based on a user’s normal behavior and how it compares to their peers’ activities and behaviors.”
Kevin Dunne, president at Pathlock, points out that these two technologies play an essential role in behavioral analytics and applications in a zero-trust security strategy. “There are simply too many users and activities occurring in most systems to be able to detect unusual behavior without some level of intelligence supporting the security team,” he says.
Additionally, many evolving threats do not follow known attack patterns, so there is a need for systems that can mine behavioral data sets to discover threat patterns that are being seen for the first time.
Dunne explains that behavioral analytics could identify a new user who is performing an unusual activity such as logging in at a non-work hour from a new location and downloading large exports of customer data. “With this information in mind, companies can update their access control policies, for example requiring 2FA when logging in from a new location or restricting downloads to a certain size when logging in at a non-work hour,” he says.
Continuous Analysis, Recommendations
John Yun, vice president of product strategy at ColorTokens, a provider of autonomous zero trust cybersecurity solutions, says if one considers the number of applications and servers in a typical enterprise, it’s a tall order for any team of security analysts to maintain manually. “With the aid of machine learning, security analysts can gain continuous analysis of existing policies as well as recommendations on new policies,” he says.
Yun points to a real-world use case involving a healthcare organization that adopted a zero-trust strategy after experiencing more frequent ransomware attacks. Maintaining a secure backup of its electronic health records (EHR) was the highest priority, and the organization needed to tightly control the backup processes while minimizing any exposure.
“Managing this process manually was difficult with so many interconnected systems and flow of data,” Yun explains. “In this case, a micro-segmentation solution powered by machine learning was used to enforce strict policies as well as create new recommended policies to deploy.”
Yun points out that while behavioral analytics can play a significant role in zero-trust authentication, it is more often applicable in other stages, for example inference and prediction, where baselines are measured and compared. “Although machine learning and behavioral analytics can play a big role in authentication, in a zero-trust model, these innovations are best leveraged to aid ongoing management and policy enforcement,” he says.
Dunne adds that behavioral analytics are already quite widespread in the industry and are being used by security teams in many of the largest companies worldwide.
Behavioral Analytics Dependent on ML/AI
Josh Martin, product evangelist at security firm Cyolo, explains that behavioral analytics would not be possible without ML and AI. “The data collected from the detection phase will be fed into multiple AI and ML models that will allow for deeper inspection of access habits to detect patterns or outliers for specific users,” he says.
He outlines a potential use case for behavioral analytics and zero trust focused on a team member working from home. This user logs in every day from their corporate Mac at around 8:00 in the morning and opens either Salesforce or O365 first thing.
“Considering this is normal for the user, the AI/ML mechanisms will start to look for anything outside of this baseline,” Martin says. “So, when the user takes a vacation to a different state and uses a personal Windows laptop to access ADP around 10 o’clock at night, this would raise a flag and shut down further authentication attempts until a security analyst can investigate. In this case, it could have been a malicious entity using stolen credentials to access payroll information.”
From his perspective, behavioral analytics is likely to become the new norm as AI/ML products and knowledge become more accessible to the masses. “Within the next 10 years, we will likely have security tools that can detect breaches miles away from the harmful payload actually being delivered,” Martin says.
Potential to Fill Cybersecurity Skills Gap
Stoyanov agrees, noting the industry is already seeing basic elements of AI, ML, and analytics in security information and event management (SIEM) and other solutions. “Given the shortage of skilled cybersecurity talent, behavioral analytics solutions are key capabilities to simplify detection and control access,” he says. “They also aid less skilled security analysts by highlighting indicators of behaviors of potential suspicious or less trustworthy user accounts or devices.”
Stoyanov points out that without behavioral analytics solutions guiding and training analysts, we’ll continue to see demand for more and more talent.
Additional security applications for behavioral analytics include detecting variances in how devices communicate with each other, or how cloud workloads communicate between each other, Martin explains. “This could detect abnormal processes spiking in usage or configuration errors when compared against other baselines.”
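The workload-to-workload baselines Martin describes here are the same data that drives the ML-assisted micro-segmentation Yun describes in the EHR backup case above: observe which workloads talk to which over a learning window, turn the stable flows into a recommended allow-list policy, and then alert both on flows outside that list and on allowed flows whose volume spikes. The following is an added example of that loop; it is not code from the article or from ColorTokens or Cyolo. The workload names, ports, day counts and the `min_days` and `k` thresholds are assumptions constructed for the example.

```python
"""Added example: flow baseline -> recommended segmentation policy -> evaluation.
Not from the article or any vendor quoted in it. Workload names, ports and
per-day counts are constructed; thresholds are assumptions for illustration."""
import statistics
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str          # source workload label (constructed)
    dst: str          # destination workload label
    port: int
    proto: str = "tcp"


class FlowBaseline:
    """Per-flow daily connection counts collected during a learning window."""

    def __init__(self):
        self.daily = defaultdict(list)  # Flow -> list of per-day counts

    def observe_day(self, counts: dict) -> None:
        """Record one day; flows not seen that day are recorded as zero."""
        for f in set(self.daily) | set(counts):
            self.daily[f].append(counts.get(f, 0))

    def recommend_policy(self, min_days: int = 2):
        """Allow flows seen on at least min_days days; queue the rest for review."""
        allow = {f for f, d in self.daily.items()
                 if sum(1 for n in d if n > 0) >= min_days}
        review = set(self.daily) - allow
        return allow, review

    def evaluate(self, allow: set, flow: Flow, count_today: int, k: float = 3.0) -> str:
        """Deny unknown flows; alert on allowed flows far above their usual volume."""
        if flow not in allow:
            return "deny_and_alert"
        hist = self.daily[flow]
        mean, sd = statistics.mean(hist), statistics.pstdev(hist)
        # Floor the spread at one connection so a perfectly regular flow
        # (sd == 0) still tolerates small day-to-day variation.
        if count_today > mean + k * max(sd, 1.0):
            return "allow_but_alert_spike"
        return "allow"


def to_rules(allow: set) -> list:
    """Render the allow-list as deployable rule strings, sorted for review."""
    return sorted(f"allow {f.proto} {f.src} -> {f.dst}:{f.port}" for f in allow)


def build_baseline() -> FlowBaseline:
    """Constructed 7-day learning window for a small EHR segment (not real data)."""
    b = FlowBaseline()
    app_db = Flow("ehr-app", "ehr-db", 5432)
    bk_db = Flow("backup-agent", "ehr-db", 5432)
    bk_vault = Flow("backup-agent", "backup-vault", 443)
    app_dns = Flow("ehr-app", "dns", 53, "udp")
    dev_db = Flow("dev-box", "ehr-db", 5432)
    for day, n in enumerate([200, 210, 190, 205, 200, 195, 210]):
        counts = {app_db: n, bk_db: 1, bk_vault: 1, app_dns: 130}
        if day == 0:
            counts[dev_db] = 1  # single ad-hoc connection from a developer host
        b.observe_day(counts)
    return b


if __name__ == "__main__":
    base = build_baseline()
    allow, review = base.recommend_policy()
    print("\n".join(to_rules(allow)))
    print("needs review:", review)
    # Backup agent normally opens one DB connection per day; 50 is suspicious.
    print(base.evaluate(allow, Flow("backup-agent", "ehr-db", 5432), 50))
    # A flow never observed in the window is denied and surfaced to an analyst.
    print(base.evaluate(allow, Flow("ehr-app", "backup-vault", 443), 1))
```

The `review` set is the part a human should still own: a flow seen once in the window (the developer host reaching the EHR database here) is exactly the kind of thing an automated recommender must not silently bake into policy, since it may be the attacker's foothold rather than a legitimate dependency.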
In the future, companies will look to further augment the data they can assess within their security systems by enhancing the data feeds and sources connected to their analytics systems, Dunne says. Additionally, they will look for ways to integrate the output of analytics solutions with security orchestration, automation and response (SOAR) platforms so they can respond to the most impactful risks programmatically without waiting for human intervention.
“Behavioral analytics are currently being leveraged to respond to threats that are currently underway,” Dunne says. “I believe behavioral analytics will also be expanded to forward-looking use cases, like preventing the next threat before it occurs.”