The age of Big Brother is upon us. Today, there is an increasing focus on tracking Internet and network usage by companies encompassing virtually all industries and including the US government. In fact, one of the hot buttons for many organizations today is a class of tools called “User Behavioral Analytics”, which is the segment of business analytics that focuses on how and why users of eCommerce platforms, online games, & web applications behave, and increasingly includes network security. We have all experienced this trend, whether we know it or not, on sites that target us with specific products and services we might be interested in.
Early adopters for behavioral analytics have been marketing related. Using a variety of sophisticated analytics tools, customers are profiled to track who bought what, when and through which channels. Companies in all industries stand to benefit from figuring out how customers think and behave. Other applications of behavioral analytics include financial services companies, which use it to strengthen their anti-fraud capabilities, and communications service providers, which use it to figure out network usage patterns as related to subscriber behavior.
One of the key emerging (and important) trends in behavioral analytics is in enterprise security. Even though over $80B is spent on security annually, hackers continue to find ways to penetrate companies’ firewalls and other defenses. However, another source of security breach is surprisingly related to company insiders. Most enterprises spend a disproportional amount of their security budgets on prevention measures (e.g. firewalls), user authentication, antivirus systems, and other technologies in this area. Unfortunately hackers remain one step ahead of the game, as many of the sophisticated ones have figured out ways to beat these prevention systems. Often, companies may not even know they have been attacked until it’s too late.
A good example of how this technology is playing out is in the government. Since the emergence of the notorious hacker Edward Snowden 2 years ago, the National Security Agency (NSA) has dramatically improved its abilities to identify cyber-threats. Their multi-tiered approach include user behavior analytics and a private cloud that provides storage, computing and operational analytics to the intelligence community, according to their CIO Greg Smithberger. Behavioral analytics increasingly includes profiling and anomaly-detection based on machine learning.
U.S. computer networks and databases are under daily cyber attack by nation states, international crime organizations, subnational groups, and individual hackers– John O. Brennan
This technology is gaining rapid acceptance in the corporate community where it is used to detect breaches early by prioritizing the most reliable alerts. As such, we are witnessing a new paradigm in user behavioral analytics, which is based on the intersection of Big Data, Machine Learning and Security, according to Splunk.
Source: Splunk
Recent data from Gartner suggests their client inquiries for UBA technologies increased 10x and on security analytics by 25% through the middle of last year. Various other recent research indicates this is among the top priorities for CIO’s and CISO’s today. Increasingly, companies are not only worried about external threats from hackers and the like, but they also analyze employee activities, whether through monitoring network traffic, or, increasingly, looking at social media (i.e. unstructured data) to detect threatening patterns. In fact, there are some programs that are able to analyze email content, which opens up the privacy can of worms – clearly an area that needs further exploration and discussion. Longer term, the holy grail of the industry is to get to real time analysis of this data, in order to catch security breaches quickly.
By 2020, 75% of enterprises’ information security budgets will be allocated for rapid detection and response approaches, up from less than 10% in 2012.
– Gartner
Companies today are developing tools that incorporate 5 key technologies:
- Data analytics: machine learning and statistical analysis is increasingly being incorporated into the latest tools
- Data integration: some of the latest tools enable the detection and analysis of both structured and unstructured data
- Data presentation/visualization: trend analysis and other presentation tools are being introduced as visual tools for the end user
- Source system analysis: can be deployed on premise or could be cloud-based, with emphasis on the vendor’s knowledge of the source systems (e.g. SIEM or DLP)
- Service delivery method: either on premise or cloud-based, many vendors require the installation of an appliance into the company network
Many companies, small and large, are targeting this space, which is ripe for consolidation. Starting in the second half of 2015, we started to see this trend play out. For example, Splunk bought a startup called Caspida for $190M, and Microsoft bought Adallom for about $250M. Other interesting companies in this space are listed below:
| COMPANY | DESCRIPTION |
| Bay Dynamics | Automated cyber security and risk solutions for the enterprise |
| Bottomline Technologies | Cloud-based digital banking, fraud prevention, payment, financial document, insurance, and healthcare solutions. |
| Cynet | Unique approach to detecting threats includes the correlation and analysis of indicators across files, users, networks and endpoints. |
| Dtex Systems | Focused on insider threats, provides human analytics and behavioral risk engine |
| E8 Security | Machine learning based algorithms to profile user and device behaviors |
| Exabeam | Integrates with SIEM systems such as Splunk and QRadar, uses machine learning to create profiles of users and peer groups |
| Fortscale | Machine learning based algorithms to provide profiles of users and peer groups |
| Gurucul | Peer group analytics based on users’ activities and access patterns |
| Interset | Machine learning and advanced analytics based tool |
| LightCyber | Uses machine learning to detect anomalous activities and to profile user |
| Lockheed Martin | Uses structured and unstructured data to detect inside threats |
| Microsoft | Uses machine learning and user/peer group profiling to detect activities |
| Mobile System 7 | Provides detection controls (cloud and on-premise) |
| Niara | Profiles users, peer groups, and devices using machine learning |
| ObserveIT | Monitors desktop and user activity |
| Rapid7 | Uses its Metasploit penetration testing product as a basis for its profiling of users and peer groups |
| Raytheon | Focuses on insider threats |
| Securonix | Detects both insider and external threats near real-time |
| SpectorSoft | Focuses on employee monitoring and insider threats |
| Splunk | Uses machine learning to correlate entity behavior |
| Varonis | Rule-based engine and statistical functionality focused on insider threats |
Source: Gartner
With so many players, the market will likely consolidate through M&A, as some of the larger players get more focused on this segment. As employees, we must all be aware that internal IT departments are closely monitoring our online activities. No doubt hackers will remain a threat but we remain optimistic that the plethora of technology companies focused on this problem will present solid solutions over the next several years. As these technologies further develop, privacy concerns will also need to be addressed. This is definitely a hot space to watch.
BitNavi is a blog conceived by Karl Motey in the heart of Silicon Valley, dedicated to emerging technologies and strategic business issues challenging the industry.
Follow them on Twitter: @bitnaviblog