Human Behavior Analysis: The Next Big Thing?Analytics Might Help Address the Human Element of Security
Many new security technologies and services may hold the potential to fundamentally change information security paradigms. While some of these might have evolved to address emerging problems, such as advanced attacks and the rising sophistication in malware techniques, others, including behavioral analytics, have the potential to address one of security's fundamental issues - the human element.
See Also: What is next-generation AML?
Experts agree that there is a need, and a market today, for real, thoughtful analytics in security. It is not just a mechanism to collect and share data and plot a dashboard. Analytics goes beyond that to find ways to associate data from different sources, tie them together and make correlations and conclusions out of otherwise seemingly unconnected data points (see: Tapping Analytics In CyberSec, Fraud).
There is room to explore the idea that there is an attribute of risk inherent in people's personality, and somehow apply that understanding to security.
Like other breakthroughs in IT, analytics was first applied to business-specific applications and proved to be a big enabler, as well as a disrupter - having the potential to change business models. With the increased focus on breach detection and response, many solutions providers are now considering new applications of analytics in the security space.
Let me share some insights from conversations with two experts on the subject.
"Surprisingly, with all the discussions around analytics, there has not been the data science discipline and rigor that has happened in some other areas like medicine and others," says Hugh Thompson, CTO at security solutions provider Blue Coat. "The intelligence of this science and correlational algorithms are going to be game changers."
Lawrence Pingree, research director at business consultancy Gartner, says analytics involves considering such factors as users, devices, IP addresses and time, and modeling the behavior within the spectrum of different interactions within an enterprise (see: Security Focus Shifts to Detection).
"Traditional security information and event management products that perform basic analytics functions are linear - they are rules-based. They have individual transactions, which they use to try and perform basic correlations. The challenge is that this is really CPU intensive. So what behavioral analytics and machine learning do, is allow you to build a dynamic model based on behavior, and say when the behavior starts to change."
Both Pingree and Thompson believe that breakthroughs in behavioral modeling can help organizations understand who is likely to make bad security choices.
"The behavioral problem is fascinating, and is quite different from the insider problem," Thompson says. "It brings up questions like what kind of data about a person can be monitored and how can we act based on that data." (See: Hugh Thompson on Simplifying Security).
While monitoring behavior may spark privacy concerns, Pingree says the analytic approach is similar to other approaches already in use. "Essentially the model is just a profile of your past behavior. We are using similar data already when we collect logs and events that are being generated all along," he says.
But applying analytics to human behavior could reduce this information overload by putting it in the context of the user's behavior - potentially reducing false positives found in traditional methods.
Pingree contends that applying analytics could actually improve privacy because instead of monitoring a user continuously, an organization builds a model and only tracks the anomalous behavior.
Policy-based security depends on verifying a checkbox - yes or no, allow or disallow. Appling behavioral analytics, on the other hand, is more nuanced. It involves looking for departures from "typical" behavior. This can sometimes produce false positives, so a very dynamic model needs to be developed to overcome this, Pingree acknowledges.
Blue Coat's Thompson agrees that not a lot of progress has been made in the space of human behavior in security, and there is a lot of scope for innovation.
Behavioral analytics can be used, for example, to help differentiate the behavior of two individuals in an organization - the first having extremely fastidious security habits, and a second, who has poor security hygiene, he says.
The second employee might be great at their job but exhibits inherently risky behavior, such as clicking on bad links and downloading every attachment. The employee might be generally careless about security or could be technologically challenged. So should the same blanket security policies apply to both staffers? Probably not.
Thompson believes there is room to explore the idea that there is an attribute of risk inherent in people's personality, and somehow apply that understanding to security. "It's like how personality tests like Myers & Briggs and others define people's personality attributes - for example attributes that define a person as an introvert or an extrovert."
They are just properties that have been identified about a person that are invariant. Risk could be one such invariant property that is part of a person's behavior, he says, and its treatment doesn't have to be punitive.
The employee with poor security habits, for example, is going to need special attention to treat this inherently risky nature. This could involve applying more resources in the form of controls, monitoring, sand-boxing and multiple layers of security, Thompson says.
"It would be a huge breakthrough if we could apply this intelligently to inoculation technology," he says. This could effectively nip problems in the bud, or help focus security where it's needed most.
Applying behavioral analytics to security is somewhat comparable to the way the insurance industry has devised ways to determine how much risk is embodied in one person versus another.
Applying analytics and correlational analysis to human behavior certainly could be a major step forward in helping organizations and practitioners predict who needs more attention and security controls, based on overall behavior.
The human behavior element in security has always been a big unknown. But current market dynamics seem to dictate it can't be ignored any longer. After all, in the end, isn't security a state of mind?