Understanding Behavioral Analytics

Jeremy Wittkop, CTO


According to Investopedia, Behavioral Analytics is “an area of data analytics that focuses on providing insight into the actions of people.” Contrary to many articles that I have seen, behavioral analytics is neither new nor overly technical. For millennia, those engaged in espionage and counter-intelligence have used behavioral analytics to study their adversaries, identify patterns in their behavior, and predict their future actions. Much of what Sun Tzu speaks about in The Art of War is a mix of self-discipline and Behavioral Analytics.

Much of the digital world mirrors the physical world, and the digital security world most closely mirrors the intelligence and military communities in the physical world. It should come as no surprise, then, that once machines possessed enough power to process large volumes of data, that data was processed to give organizations insight into normal behavior in their environments. The goal is to identify patterns of behavior that indicate an attack against that environment, or at least to identify anomalous behavior that is abnormal for the environment and requires further investigation.

With respect to information security, there are essentially two forms of Behavioral Analytics. First, there is what some call Systematic Behavioral Analytics, or Behavioral Analytics focused on the ways in which systems behave. This form of analytics is most commonly linked to technologies such as Security Information and Event Management (SIEM) platforms. These technologies are improving to the point where they can perform increasingly complex correlations and baselining across an increasing number of systems, as they are developed to process larger volumes of information faster.

Second, Human Behavioral Analytics is beginning to become more popular. User Behavioral Analytics essentially correlates all activities of a user or entity in order to determine whether that user is malicious or whether that identity has been compromised. In order to be effective, this type of monitoring must be able to capture and correlate all of a user’s activity across the entire corporate environment. As a result, these types of solutions are still emerging, as they require far more comprehensive coverage and, as a consequence, far more processing power than traditional System Behavioral Analytics platforms. The products in this space are often marketed as User and Entity Behavioral Analytics (UEBA) platforms or Insider Threat products. Many of them are very good technologies, but all of them have room to grow with respect to universal coverage.

System Behavioral Analytics

I often reference Locard’s exchange principle when talking about information security. Locard’s exchange principle comes to us from the criminal forensics world and essentially states that any time someone commits a crime, the criminal will leave something at the crime scene that wasn’t there before they arrived, and take something with them that they did not possess before the crime was committed. That is a paraphrased version of the principle, but that pretty accurately portrays the gist of it. Therefore, the heart of criminal forensics is the identification of evidence that was introduced to the crime scene by the suspect and the pursuit of evidence in the suspect’s possession that originated at the crime scene. This principle is the main tenet behind system behavior analytics, which is most often accomplished by a SIEM system or similar technology.

In our analogy, the systems that make up an organization’s computing environment are the crime scene, and the SIEM system is processing the crime scene as a crime scene investigator would in order to provide analysts with abnormal patterns to be investigated. Abnormalities should not be conflated with malice though, as there are often innocuous reasons why systems may change. There may be an organizational change in personnel, a change in an approved business process, or changes with a system as part of an approved change window. The list goes on. As any good intelligence analyst will tell you, an investigation into anomalous behavior cannot be considered complete until only one plausible explanation of the behavior remains. As long as there are multiple plausible explanations for human or systematic behavior, any conclusions that are drawn are essentially theories.

System Behavior Analytics is often the easiest and most cost-effective Behavioral Analytics platform to deploy, since many organizations must already collect and retain logs for compliance purposes. If that is the case, the organization often has the capability to perform some System Behavior Analytics against those logs using the tools it already has in place to store them.

Human Behavioral Analytics

I use the term “Human Behavior Analytics” instead of “User Behavior Analytics” because User Behavior Analytics is the name of a product, and there are other products that help organizations analyze human behavior. This type of analytics is more akin to FBI profiling than it is to the work a detective would perform at a crime scene. Essentially, the programs are designed to build profiles of normal behavior in an environment. When done as well as they can be, those profiles are specific to different roles, departments and levels inside an organization. For example, the normal access and behavior patterns of an executive should not be the same as the normal access and behavior patterns of an entry-level employee.
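To make the role-specific profiling described above concrete, here is an added example (not code from the original post or from any product it mentions) that builds a per-role baseline from a constructed set of access events and scores new events against it. The event tuples, role names, resource names and the two-standard-deviation working-hour window are all assumptions for illustration; a non-zero score is a lead for an analyst, not a verdict of malice.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed baseline of normal access events: (user, role, hour_of_day, resource).
BASELINE = [
    ("alice", "executive", 8, "board-docs"), ("alice", "executive", 10, "finance-share"),
    ("bob", "executive", 9, "board-docs"), ("bob", "executive", 11, "finance-share"),
    ("carol", "helpdesk", 9, "ticketing"), ("carol", "helpdesk", 14, "ticketing"),
    ("dave", "helpdesk", 10, "ticketing"), ("dave", "helpdesk", 16, "kb-wiki"),
]

def build_profiles(events):
    """Aggregate a per-role profile: resources normally touched and usual working hours."""
    hours = defaultdict(list)
    resources = defaultdict(set)
    for _user, role, hour, resource in events:
        hours[role].append(hour)
        resources[role].add(resource)
    return {role: {"resources": resources[role],
                   "hour_mean": mean(hours[role]),
                   "hour_sd": pstdev(hours[role])}
            for role in hours}

def score_event(profiles, event):
    """Compare one event with its role's profile; return (score, reasons).

    The profile is keyed by role, not by individual, so a helpdesk user touching a
    resource another helpdesk user uses is normal, while an executive resource is not.
    """
    user, role, hour, resource = event
    prof = profiles.get(role)
    if prof is None:
        return 2, [f"no baseline exists for role {role}"]
    score, reasons = 0, []
    if resource not in prof["resources"]:
        score += 1
        reasons.append(f"{user} accessed {resource}, never seen for role {role}")
    # Assumed window: more than two standard deviations (at least 2 hours) from the
    # role's mean access hour counts as off-hours activity.
    if abs(hour - prof["hour_mean"]) > 2 * max(prof["hour_sd"], 1):
        score += 1
        reasons.append(f"hour {hour} is outside the usual window for role {role}")
    return score, reasons

def triage(profiles, events):
    """Return events with a non-zero score, highest score first, for analyst review."""
    scored = [(score_event(profiles, e), e) for e in events]
    return sorted(((s, r, e) for (s, r), e in scored if s), reverse=True)
```

Every event `triage` returns still needs the investigation step described above: the off-hours access may be an approved change window, and the unfamiliar resource may follow a role change.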

Human Behavioral Analytics is interesting because it is often far clearer how an organization should respond to an individual once their behavior has been categorized than how it should respond to a system behaving abnormally. In the end, a user or entity is behind every breach or attempted breach of critical information; therefore, Human Behavior Analytics is more effective for organizations that have the resources, both capital and human, to deploy such programs effectively.

It should be said that tying SIEM to System Behavioral Analytics oversimplifies the discipline. The leading SIEM providers, such as LogRhythm, are developing their systems to take Human Behavior into account, in the same way that leading UEBA vendors like Exabeam are developing their solutions to take System Behavior Analysis into account. What we are beginning to see is the convergence of System Behavioral Analysis platforms and Human Behavioral Analysis platforms into broad Security Intelligence Platforms that allow organizations to analyze behavior from both perspectives.


Hopefully this post demonstrates the principles behind both User Behavioral Analytics and System Behavioral Analytics and how each is applied. Neither is necessarily new, although both have been difficult to accomplish in the digital world for a long time due to an overload of information and a comparative lack of computing power. Now that technology has advanced to the point where organizations can harness the power of these disciplines in the digital world, they are rapidly becoming an invaluable part of any Information Security Program. Organizations can leverage these programs not only to determine what is happening in an environment, but, more importantly, to qualitatively analyze why it is happening, from innocent mistake to intentionally malicious behavior, in order to apply the appropriate response quickly enough to protect the organization from harm. When paired with a comprehensive Critical Data Protection Program, these more advanced intelligence and response programs can be far more effective at protecting environments than the signature-based approaches common in antivirus platforms or Intrusion Detection and Prevention Systems.