Every cyber attack and potential data breach begins with some illicit activity. Of course the entire exploit, whether successful or not, is illicit. But it is by detecting that first step, often tiny and apparently insignificant, at the earliest possible stage that all cyber security tools perform best in repelling attacks and preventing damage. There are many techniques for detecting such early activity, but they all face the challenge of a sophisticated and growing cyber criminal community.

A huge part of that is the constant development of new forms of threat, delivered by ever smarter technologies. It is now a full-scale war and not just a battle, as anyone dealing with an organisation's security management is all too aware.


Defeating the enemy today is no longer focused mainly on the perimeter, although that remains an important element of cyber defence. In the mobile and online worlds we live and work in today there are multiple ‘perimeters’ and attack surfaces, and they change all the time – often in minutes. So security experts have generally moved to instant, real-time defence as the more effective approach. That is fine provided you can identify an attack, especially at the crucial earliest stages. The statistics vary, but most commentators agree that the time to detect a breach is normally over 200 days.


That is where User Behaviour Analytics (UBA) is an enormously valuable modern security tool for data and systems protection. Essentially, this is a set of tools that monitor users, data and systems to build a baseline or profile of normal activity, so that anomalous or illicit activity can be detected quickly, bringing the time to detect down from hundreds of days to minutes. It tracks and collects data on the millions of transactions that occur between users, data and systems.


A variant term is User and Entity Behaviour Analytics (UEBA), because of course the attack may come from other entities such as managed and unmanaged endpoints, applications (including cloud, mobile and on-premises applications) and networks, as well as from external threats. A good example is CryptoLocker, the ransomware tool that gains entry past the perimeter by acquiring genuine user credentials. Once it starts to open and modify files at a rapid rate, however, it is detected immediately and triggers an automated defence response. Similarly, UBA will alert on so-called zero-day exploits, which use malware or software weaknesses that have not been identified previously and so will not be caught by traditional signature-based security tools.
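The baseline-and-deviation idea above, worked through for the ransomware case, as an added illustration that is not code from this post or from any UBA product. It assumes a simple audit trail of (timestamp, user, action, path) events, all constructed here; a real deployment would draw on the file-activity metadata the post describes.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample audit trail (not real data): a user's normal working day
# produces a handful of file "modify" events per hour across eight hours.
def constructed_baseline(user, start, days=5, per_hour=(2, 3, 1, 4, 2, 3, 2, 3)):
    events = []
    for day in range(days):
        for hour, n in enumerate(per_hour):
            for i in range(n):
                ts = start + timedelta(days=day, hours=hour, minutes=5 * i)
                events.append((ts, user, "modify", f"/share/doc{day}{hour}{i}.docx"))
    return events

def hourly_counts(events, action="modify"):
    """Count events of one action type per user, bucketed by clock hour."""
    counts = defaultdict(Counter)
    for ts, user, act, _path in events:
        if act == action:
            counts[user][ts.replace(minute=0, second=0)] += 1
    return counts

def build_profile(events):
    """Per-user baseline: mean and population stdev of hourly modify counts."""
    profile = {}
    for user, buckets in hourly_counts(events).items():
        values = list(buckets.values())
        profile[user] = (mean(values), pstdev(values))
    return profile

def detect_anomalies(profile, events, sigmas=3.0, floor=20):
    """Flag (user, hour, count) where the count is both `sigmas` above the
    user's baseline and above an absolute floor (guards against a tiny stdev)."""
    alerts = []
    for user, buckets in hourly_counts(events).items():
        avg, sd = profile.get(user, (0.0, 0.0))
        for hour, count in sorted(buckets.items()):
            if count > max(avg + sigmas * sd, floor):
                alerts.append((user, hour.isoformat(), count))
    return alerts

# Constructed detection window: alice works normally, then at 14:00 a
# ransomware-style burst rewrites 120 files within the hour using her credentials.
NORMAL = constructed_baseline("alice", datetime(2024, 3, 4, 9))
WINDOW = constructed_baseline("alice", datetime(2024, 3, 11, 9), days=1)
BURST = datetime(2024, 3, 11, 14)
WINDOW += [(BURST + timedelta(seconds=30 * i), "alice", "modify",
            f"/share/doc{i}.docx.locked") for i in range(120)]
ALERTS = detect_anomalies(build_profile(NORMAL), WINDOW)
```

The one alert produced is the 14:00 hour, while an ordinary day scored against the same profile produces none; the constructed floor of 20 is illustrative and would be tuned per environment.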


We work with Varonis Systems, a leading data governance and security provider, but there are other products on the market. UBA offers a number of advantages over and above traditional security software, although it is intended to complement rather than replace such tools. It can also feed into and link with on-site or managed SIEM solutions. Any attacker will cause a deviation from normal behaviour patterns, no matter how skilled they are. UBA is also particularly suited to analysing and thwarting insider attacks, which of course use genuine credentials and so are hard to detect. The techniques have been gaining credibility with information security professionals because of their ability to find both malicious and unintentional insider threats as well as planned, highly sophisticated external attacks. The key is the data and metadata built up by a UBA system. It can be linked to other security tools and provides an additional layer of intelligence, which can be customised to an organisation's own business rules and security requirements. We are moving into a digital world where analytics provides the intelligence to gain advantage. In IT security and governance, UBA is now providing that advantage against those looking to cause damage to our clients, both financial and reputational.

Want to know more? Please do not hesitate to contact us here 

Brendan McPhillips – Director, Security & Governance Practice Lead