CSO: Avoiding Hype Around User Behavior Analytics

By Haystax, September 27, 2017

User behavior analytics (UBA) is enjoying its own moment of high expectations in the security risk community. But many hot technologies and techniques before it (like fuzzy logic and Google Glass) flamed out quickly amid disappointing performance and low adoption. If UBA is to avoid that fate, Haystax Technology CEO Bryan Ware writes in the online magazine CSO, it’s important for users to understand how it has evolved.

UBA has garnered a lot of attention, particularly for an AI-focused approach that has proved successful in addressing tough challenges like insider threat detection, credential abuse, account takeovers and IP/data loss prevention. As a result, companies across many markets have implemented UBA into their existing security practices, much like they did a decade ago with security information and event management (SIEM) tools.

Ware writes in his regular Security Analytics blog for CSO that UBA’s weaknesses are well known: its inability to account for unprecedented ‘black swan’ events, its tendency to generate excessive false positive alerts, the lack of in-house data science expertise needed to run UBA systems, the inadequacy of relying only on network data to find insider threats, and the widespread problem that the data it needs is messy, incomplete or simply unavailable.

Less well known is that many of these issues have been solved through advances like the development of probabilistic models and other artificial intelligence techniques. Deployed in a UBA platform, these techniques can analyze evidence from diverse data sources to drastically reduce false positives while prioritizing real risks to an organization, easing the strain on understaffed security teams and giving decision-makers actionable intelligence they can use with confidence.

Despite some technological advances that are already evident, some influential industry analysts think user behavior analytics is just a passing fad — or even that it will be dead as a standalone market five years from now. Ware argues instead that, much like SIEM and other technologies before it, UBA won’t die but will evolve as time goes by.

Says Ware, “There’s always room for improvement, of course, but if we prematurely write UBA’s obituary I believe we run the risk of overlooking some very real existing achievements — and others that are not too far over the horizon.”
