User Behaviour Analysis

The Goal: Understanding Behaviour, Identifying Problems and Opportunities

Many organisations would like to better understand their employees or other system users. By capturing and analysing details about their activity it is possible to build this understanding, identifying both desirable behaviour, such as working hard, and less desirable behaviour indicating a problem to be looked into further, such as indicators that an employee may be preparing to act in a detrimental way. Security analytics can be used for assessing risk, identifying malicious behaviour within the environment and meeting compliance mandates.

According to the SANS Analytics and Intelligence Survey, security professionals are ingesting security data from all over their enterprises in an attempt to detect threats faster. Despite the vast amount of data, organisations often lack the visibility they need to detect, scope and address threats in their enterprises. They need better analytics, with machine learning, to connect the dots and give them the insight to act.

Many attacks begin with internal credentials, used either by insiders or stolen by infiltrators. Many automated security approaches, such as those offered by MSSPs, cannot fully identify these threats. For critical data assets in many industries, reacting after a breach is too late; security needs to proactively identify and prevent threats.

Thorium brings expertise in integrating user data to identify risks. We apply statistical and machine learning techniques across behavioural data including proxy and DNS logs (web surfing), email and IM, printer logs, USB activation, application and data usage, and many other data sets. In some industries, we can apply this capability to fulfil business needs and regulatory mandates, such as the trade surveillance and reconstruction requirements of Dodd-Frank, EMIR and similar legislation.

Thorium has skilled data science professionals with security and user behaviour analytics experience, ready to build the insights your organisation needs. We can help at every stage, from exploring what would be possible, to building fully automated processes for collating and analysing data, to producing effective detection and response strategies. Contact us for a free initial discussion of what you would like to achieve.

Data Selection

We can help organisations determine which of the data sources available to them they should focus on ingesting into their analysis platforms, depending on the kind of insights they are seeking. Our experience has helped clients to find and develop sources of data, both internal and external, to drive analysis of behaviour within their corporate systems, websites and apps. Sometimes the route to capturing this data is less than obvious: users' operating systems, intranet and web access logs, SharePoint, MS Office and Office 365 often provide a surprisingly rich set of data which just needs to be captured and knitted together.

Currently, the most common types of data being gathered and aggregated for use with analytics platforms include application logs and events, network security events and vulnerability management data. Host-based anti-malware tools and other endpoint security tools are also popular today.

Feature Development

The analytic process of cleansing and purifying data massages vast amounts of crude data into a more structured framework. At this stage we aim to aggregate, reducing the volume of data without losing granularity we may need, and to dispense with information that is not useful. It takes experience and intuition to be really effective at the two key aims of this step: adding meaning and cutting volume.

Analysis and Understanding

Armed with the data and an understanding of it, we can form and investigate hypotheses. This continues the theme of mixing art and science, and it also varies with each organisation. Typically this involves business intelligence tools and statistical and data mining packages.

Baselining “normal”

An understanding of normal behaviour in your environment must be established to accurately detect, inspect and block anomalous behaviour. Social Physics doctrine helps Thorium to develop approaches that measure individuals' involvement in groups, their contact with others and their exploration of ideas tangential to their work.

Social Physics: Social science just got quantitative

In a related field, Thorium have been instrumenting electronic communication and using that data to calculate the Social Physics of organisations. This enables focussed action to be taken to improve creativity, idea flow and collective intelligence. The measures include the communication networks within the organisation, influencers, the flow of information, who the experts in a field are, who networks with which clients and suppliers, and who has informal relationships. The aim is to produce analysis with rich visualisations of communication, creativity and productivity across the organisation.

Thought leaders and star players are detected and highlighted, but the system also helps with searching for boredom, lack of motivation, wrongdoing or risky behaviour. Key communication topics, both positive and negative, are highlighted in context. For example, support issue trends are identified as they begin to build, and emerging thoughts are identified at the point that they are about to go viral through the organisation.

Actionable Outcomes

Monitor for risky insider behaviour, policy violations and indicators of dangerous activity.
Identify user accounts that appear to have been compromised, such as multiple accounts working in close collaboration in an apparently automated way.
Highlight inappropriate use of privileged access. Only by spotting this and acting quickly can damage be restricted.
Block brute force attacks by identifying programmatic attacks targeting multiple aspects of your infrastructure.
Track access to data: is all access necessary and appropriate for the job being done?
Model growth in your infrastructure size and its usage. Does it correlate with growth in sales/revenue activity?
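As an added illustration of the baselining described above and of two of these outcomes (spotting compromised accounts and programmatic attacks against many accounts), the following example is not Thorium's code: it builds a per-user profile of "normal" login hours and source addresses from a constructed set of authentication records, then flags successful logins that fall outside that profile and source addresses that fail against many distinct accounts. The log format, field names and thresholds are assumptions for the example only.

```python
from collections import defaultdict

# Constructed sample records (not real data): "ISO-timestamp user source_ip outcome"
BASELINE_LOGS = """\
2024-03-04T09:02:11 alice 10.0.0.5 success
2024-03-05T08:58:40 alice 10.0.0.5 success
2024-03-05T13:10:02 alice 10.0.0.7 success
2024-03-05T10:20:45 bob 10.0.1.9 success""".splitlines()

NEW_LOGS = """\
2024-03-06T03:12:47 alice 203.0.113.44 success
2024-03-06T10:01:03 bob 10.0.1.9 success
2024-03-06T22:00:01 bob 198.51.100.2 failure
2024-03-06T22:00:02 carol 198.51.100.2 failure
2024-03-06T22:00:03 dave 198.51.100.2 failure""".splitlines()

def parse(line):
    ts, user, ip, outcome = line.split()
    return {"hour": int(ts[11:13]), "user": user, "ip": ip, "outcome": outcome}

def build_baseline(lines):
    # Per-user "normal": hours of day and source IPs seen in successful logins during the baseline window
    profile = defaultdict(lambda: {"hours": set(), "ips": set()})
    for rec in map(parse, lines):
        if rec["outcome"] == "success":
            profile[rec["user"]]["hours"].add(rec["hour"])
            profile[rec["user"]]["ips"].add(rec["ip"])
    return dict(profile)

def anomalous_logins(baseline, lines, hour_slack=2):
    # Successful logins outside the user's usual hours (+/- slack, wrapping at midnight) or from an unseen IP
    findings = []
    for rec in map(parse, lines):
        prof = baseline.get(rec["user"])
        if rec["outcome"] != "success" or prof is None:
            continue
        reasons = []
        if all(min(abs(rec["hour"] - h), 24 - abs(rec["hour"] - h)) > hour_slack for h in prof["hours"]):
            reasons.append("unusual hour")
        if rec["ip"] not in prof["ips"]:
            reasons.append("new source ip")
        if reasons:
            findings.append((rec["user"], rec["ip"], reasons))
    return findings

def spraying_sources(lines, min_accounts=3):
    # Source IPs whose failed logins span many distinct accounts: the programmatic, multi-target pattern
    failures = defaultdict(set)
    for rec in map(parse, lines):
        if rec["outcome"] == "failure":
            failures[rec["ip"]].add(rec["user"])
    return {ip: sorted(users) for ip, users in failures.items() if len(users) >= min_accounts}
```

In practice the baseline window would span weeks rather than two days, and the findings would feed a review queue rather than an automatic block.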