User Behavior Analysis
Definition
User behavior analytics ("UBA"), as defined by Gartner, is a cybersecurity process about detection of insider threats, targeted attacks, and financial fraud. UBA solutions look at patterns of human behavior, and then apply algorithms and statistical analysis to detect meaningful anomalies from those patterns, anomalies that indicate potential threats. Instead of tracking devices or security events, UBA tracks a system's users. Big data platforms are increasing UBA functionality by allowing them to analyze petabytes' worth of data to detect insider threats and advanced persistent threats.
Synonyms: Credential Monitoring, and UBA.
Technique Overview
Some techniques monitor patterns of human behavior and then apply algorithms and statistical analysis to identify patterns such as repeated login attempts from a single IP address, large file downloads, or other abnormal accesses.
Other techniques may have explicit or rigid definitions of "bad behavior," which are then matched against instances in a computer network environment.
Technique Subclasses
There are 12 techniques in this category, User Behavior Analysis.
Name | ID | Definition | Synonyms |
---|---|---|---|
User Behavior Analysis | D3-UBA | User behavior analytics ("UBA"), as defined by Gartner, is a cybersecurity process about detection of insider threats, targeted attacks, and financial fraud. UBA solutions look at patterns of human behavior, and then apply algorithms and statistical analysis to detect meaningful anomalies from those patterns, anomalies that indicate potential threats. Instead of tracking devices or security events, UBA tracks a system's users. Big data platforms are increasing UBA functionality by allowing them to analyze petabytes' worth of data to detect insider threats and advanced persistent threats. | Credential Monitoring, and UBA |
- Authentication Event Thresholding | D3-ANET | Collecting authentication events, creating a baseline user profile, and determining whether authentication events are consistent with the baseline profile. | |
- Authorization Event Thresholding | D3-AZET | Collecting authorization events, creating a baseline user profile, and determining whether authorization events are consistent with the baseline profile. | |
- Credential Compromise Scope Analysis | D3-CCSA | Determining which credentials may have been compromised by analyzing the user logon history of a particular system. | |
- Domain Account Monitoring | D3-DAM | Monitoring the existence of or changes to Domain User Accounts. | |
- Job Function Access Pattern Analysis | D3-JFAPA | Detecting anomalies in user access patterns by comparing user access activity to behavioral profiles that categorize users by role such as job title, function, department. | |
- Local Account Monitoring | D3-LAM | Analyzing local user accounts to detect unauthorized activity. | |
- Resource Access Pattern Analysis | D3-RAPA | Analyzing the resources accessed by a user to identify unauthorized activity. | |
- Session Duration Analysis | D3-SDA | Analyzing the duration of user sessions in order to detect unauthorized activity. | |
- User Data Transfer Analysis | D3-UDTA | Analyzing the amount of data transferred by a user. | |
- User Geolocation Logon Pattern Analysis | D3-UGLPA | Monitoring geolocation data of user logon attempts and comparing it to a baseline user behavior profile to identify anomalies in logon location. | |
- Web Session Activity Analysis | D3-WSAA | Monitoring changes in user web session behavior by comparing current web session activity to a baseline behavior profile or a catalog of predetermined malicious behavior. | |
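The overview above describes two styles of UBA (statistical baselining and fixed definitions of bad behavior), and the table defines Authentication Event Thresholding (D3-ANET) and User Geolocation Logon Pattern Analysis (D3-UGLPA) as baseline-versus-observed comparisons. The following added example (not part of the D3FEND page or any D3FEND tooling) shows both styles on a constructed logon log: a fixed threshold on failed logons per source address, and a per-user baseline of logon countries and hours built from history and compared against new events. The log format, field names, users, addresses and thresholds are all constructed for this example.

```python
# Added example (not from the D3FEND page); log format and sample data are constructed.
from collections import Counter, defaultdict

# Constructed logon events: "timestamp user result src_ip country"
HISTORY = """2024-03-01T08:55:10 alice success 203.0.113.5 US
2024-03-02T09:02:41 alice success 203.0.113.9 US
2024-03-02T17:15:30 bob success 198.51.100.7 DE""".splitlines()

TODAY = """2024-03-04T03:12:00 alice success 192.0.2.44 BR
2024-03-04T09:01:15 alice success 203.0.113.5 US
2024-03-04T11:00:01 bob failure 192.0.2.80 DE
2024-03-04T11:00:02 bob failure 192.0.2.80 DE
2024-03-04T11:00:03 bob failure 192.0.2.80 DE
2024-03-04T17:30:00 carol success 192.0.2.99 FR""".splitlines()

def parse(line):
    ts, user, result, src, country = line.split()
    return {"user": user, "result": result, "src": src,
            "country": country, "hour": int(ts[11:13])}

def build_profile(lines):
    """Per-user baseline: countries and hours seen on successful logons."""
    profile = defaultdict(lambda: {"countries": set(), "hours": set()})
    for ev in map(parse, lines):
        if ev["result"] == "success":
            profile[ev["user"]]["countries"].add(ev["country"])
            profile[ev["user"]]["hours"].add(ev["hour"])
    return dict(profile)

def detect(profile, lines, fail_threshold=3, hour_tolerance=1):
    """Return (finding, subject, detail) tuples for events that break the baseline."""
    events = [parse(line) for line in lines]
    findings = []
    # Fixed-definition style (D3-ANET): repeated failures from one source address.
    fails = Counter(ev["src"] for ev in events if ev["result"] == "failure")
    findings += [("repeated_failures", src, n) for src, n in fails.items()
                 if n >= fail_threshold]
    for ev in events:  # baseline style: compare successful logons to the profile
        if ev["result"] != "success":
            continue
        base = profile.get(ev["user"])
        if base is None:  # no history for this user, so nothing to compare against
            findings.append(("no_baseline", ev["user"], ev["country"]))
            continue
        if ev["country"] not in base["countries"]:  # D3-UGLPA: unseen logon country
            findings.append(("new_country", ev["user"], ev["country"]))
        if all(abs(ev["hour"] - h) > hour_tolerance for h in base["hours"]):
            findings.append(("off_hours", ev["user"], ev["hour"]))
    return findings
```

Run `detect(build_profile(HISTORY), TODAY)` to get the findings; the threshold and hour tolerance are tuning knobs, and a real deployment would build the baseline over a much longer history than three events.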