by Curtis Blount, CSO
In the last blog, I hinted about the work we are doing in Behavioral Analytics and Anomaly Analytics. This week, let’s dive into them a little deeper.
Years ago, while doing consulting work in healthcare, I found the term Behavioral Analytics coming up quite frequently. It describes long-term healthcare for those with pre-existing conditions such as diabetes, HIV, cancer, and so on. Scientists have come up with inventive ways to “predict” behavioral patterns of not only the disease itself, but how the patient, based on multiple factors, reacts to long-term healthcare practices.
This practice is now commonplace across the healthcare industry, through health and wellness programs.
Later, the advertising & marketing industry started doing their own work in Behavioral Analytics as part of the Business Analytics process. With Behavioral Analytics, advertising agencies can focus on finding out how and why people behave the way they do when using eCommerce platforms, social media sites, online games, and any other web application.
The Science of Prediction
Behavioral Analytics takes Business Analytics’ broad focus and narrows it down, which allows one to take what seem to be unrelated data points and then extrapolate, determine errors, and predict future trends. All of this is done through the data exhaust that users generate, largely by extrapolating from cookie data at the browser level.
In cybersecurity, Behavioral Analytics is starting to become the new buzzword. It has subsets: User and Entity Behavior Analytics, for example, has been around for several years. Palo Alto Networks has been exploring this idea around two primary concepts: Network Behavior Analysis and User Behavior Analysis.
This is great. However, these concepts typically center around importing data into a SIEM. If you don’t have a fully configured (and working) SIEM solution, the data gets lost in an ocean of information.
Identifying Events that Don’t Conform
You typically hear the term Anomaly Analytics in connection with data mining or machine learning. In data mining, anomaly detection refers to the identification of items or events that do not conform to an expected pattern or to the other items present in a dataset.
Typically, these anomalous items have the potential to translate into problems such as structural defects, errors, or fraud. Using machine learning for anomaly detection helps speed up detection.
Incorporating Anomaly and Behavioral Analytics not only at the network level but also at the packet level allows for in-depth pattern detection by incorporating an AI-based database of “unusual” patterns.
In this case, you have your “normal” pattern of traffic (Behavioral) and then all of a sudden, there is this “unusual” pattern of traffic (Anomaly).
Could it be malware or a misconfiguration of a device? This is the kind of proactive review and response that is next generation. Typical CVE- or signature-based detection systems would not be able to see this. Down the road, we’ll look at some examples of this.
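As an added illustration of the baseline-versus-outlier idea in the paragraphs above (example code written for this post, not part of the original or of any vendor product), the snippet below builds a per-host behavioral profile from constructed traffic counts and flags the windows that do not conform to it. The hosts, byte counts, and the 3.5 MAD threshold are assumptions; a host with no history is reported for review rather than silently scored.

```python
from statistics import median

# Constructed sample data (not from the post): outbound bytes per 5-minute window.
# BASELINE is each host's recent history; NEW_WINDOWS are the windows to score.
BASELINE = {
    "10.0.0.5": [12_000, 11_500, 13_200, 12_800, 11_900, 12_400,
                 13_000, 12_100, 11_700, 12_600, 12_300, 12_900],
    "10.0.0.9": [4_000, 4_300, 3_900, 4_100, 4_200, 3_800,
                 4_050, 4_150, 3_950, 4_250, 4_000, 4_100],
}
NEW_WINDOWS = {
    "10.0.0.5": [12_500, 12_200],   # stays inside its normal band
    "10.0.0.9": [4_100, 95_000],    # second window is roughly 23x its usual volume
    "10.0.0.77": [500],             # host never seen in the baseline (assumed)
}

def build_profile(samples):
    """Behavioral baseline for one host: median and median absolute deviation (MAD).
    Robust statistics are used so a few past spikes do not inflate the baseline."""
    med = median(samples)
    mad = median(abs(x - med) for x in samples)
    return {"median": med, "mad": mad}

def robust_z(value, profile):
    """Distance from the baseline in MAD units; 0.6745 makes MAD comparable to one std dev."""
    scale = profile["mad"] if profile["mad"] > 0 else 1.0
    return 0.6745 * (value - profile["median"]) / scale

def score_windows(baseline, new_windows, threshold=3.5):
    """Return the windows that do not conform to their host's baseline.
    A host with no history cannot be scored and is reported separately for review."""
    profiles = {host: build_profile(hist) for host, hist in baseline.items()}
    flagged = []
    for host, windows in new_windows.items():
        for i, value in enumerate(windows):
            if host not in profiles:
                flagged.append({"host": host, "window": i, "value": value,
                                "z": None, "reason": "no baseline"})
                continue
            z = robust_z(value, profiles[host])
            if abs(z) > threshold:
                flagged.append({"host": host, "window": i, "value": value,
                                "z": round(z, 2), "reason": "deviates from baseline"})
    return flagged

if __name__ == "__main__":
    for finding in score_windows(BASELINE, NEW_WINDOWS):
        print(finding)
```

Whether the flagged spike on 10.0.0.9 is malware or a misconfigured device is the analyst's call; the baseline only tells you it does not look like that host's normal traffic.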