Behavioral analysis is one of the best authentication methods – especially when it’s part of persistent validation. Authentication as a “one-and-done” is something that simply shouldn’t happen anymore. Then again, I’ve argued the same thing about using unencrypted SMS as a form of multi-factor authentication, and sadly I still find it being used by a lot of Fortune 1000 companies.
While most enterprise CISOs are fine with behavioral analysis on paper (on a whiteboard? As an announcement in Microsoft Teams/Google Meet/Zoom?), they are resistant to a rapid, widespread rollout because it requires creating profiles for every user – including partners, distributors, suppliers, major customers and anyone else who needs to access the system. Those profiles can take more than a month to build before they give an accurate and consistent picture of each person.
I don’t want to make this worse, but there are now arguments that security administrators need not one record for every user, but maybe dozens or more.
Why? Let’s say you run the user (transparently to the user, of course) through various monitoring sessions and measure everything you can, such as typing speed, the angle at which the user holds a mobile device, the pressure used to type keys, misspellings per 100 words, number of words typed per minute, etc.
You now have a behavior profile of that user. However, that profile may be based on normal user behavior during normal business days. What about when that user is exhausted, maybe after arriving at the office from a red-eye flight? Or ecstatically happy or horribly depressed? Do they behave differently in an unfamiliar hotel room than in the comfort of their home office? Do they act differently after their boss yells at them for 10 minutes?
For any machine learning system to really recognize the user and produce few false negatives, it needs to correctly recognize the user in a variety of circumstances. That means studying users for longer and in as many different environments/situations as possible. For a business with a whopping six-figure workforce, that is a daunting task indeed.
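The sketch below is an added illustration, not code from the column or from any vendor's product. It scores one login against a single "normal workday" profile and then against several context profiles for the same user. The feature order follows the list above; the z-score distance, the 2.5 threshold and every sample value are assumptions constructed for this example.

```python
import math
import statistics

# Feature order per session: words per minute, misspellings per 100 words,
# key pressure (0..1), device tilt in degrees.

def build_profile(sessions):
    """Summarise observed sessions as a (mean, stdev) pair per feature."""
    columns = zip(*sessions)
    # Floor the stdev so a very stable feature cannot cause division by ~0.
    return [(statistics.mean(c), max(statistics.stdev(c), 1e-3)) for c in columns]

def distance(session, profile):
    """Root-mean-square z-score of one session against one profile."""
    zs = [(x - mu) / sd for x, (mu, sd) in zip(session, profile)]
    return math.sqrt(sum(z * z for z in zs) / len(zs))

def verify(session, profiles, threshold=2.5):
    """Accept if the session is close enough to ANY of the user's profiles."""
    name = min(profiles, key=lambda n: distance(session, profiles[n]))
    d = distance(session, profiles[name])
    return d <= threshold, name, round(d, 2)

# Constructed sample data for one hypothetical user (all values invented).
NORMAL = [(62, 3.0, 0.55, 35), (58, 2.5, 0.57, 33), (66, 3.5, 0.53, 38),
          (60, 4.0, 0.56, 31), (64, 2.0, 0.54, 36)]
TIRED = [(45, 7.0, 0.50, 50), (42, 6.0, 0.52, 47), (48, 8.0, 0.48, 54),
         (44, 6.5, 0.51, 49), (46, 7.5, 0.49, 52)]
TIRED_LOGIN = (46, 6.8, 0.50, 51)     # same user after a red-eye flight
NORMAL_LOGIN = (61, 3.2, 0.55, 36)    # same user on an ordinary day
IMPOSTOR_LOGIN = (85, 1.0, 0.75, 20)  # a different person entirely

def demo():
    single = {"normal_workday": build_profile(NORMAL)}
    multi = dict(single, exhausted=build_profile(TIRED))
    return {
        "tired_vs_single": verify(TIRED_LOGIN, single),    # false alarm
        "tired_vs_multi": verify(TIRED_LOGIN, multi),      # recognised
        "normal_vs_multi": verify(NORMAL_LOGIN, multi),
        "impostor_vs_multi": verify(IMPOSTOR_LOGIN, multi),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

Every profile added for a user also enlarges the region of behavior that is accepted as that user, so the threshold has to be re-evaluated as profiles accumulate.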
Scott Edington, CEO of Deep Labs (a company that specializes in behavioral analytics), offers an interesting example: “A person visiting NYC from Southern California walked out of a restaurant in the middle of winter to call a car. She suffers when the weather is cold and suddenly starts to type on her phone more quickly and thoughtfully, because she is cold and her fingers are numb. This way provides context. It’s not a bad guy or a hacker, although their behavior is different. It’s the same person, just acting in a different – and logical – way.”
Edington’s example is interesting, but it’s difficult to see a realistic way to reproduce that in a normal analysis interval. This testing needs to be done with minimal or no interference – or even interaction – with the user to keep the process friction-free. (Of course, it’s unlikely you’ll see users doing this kind of frigid outdoor activity without being prompted – at least not during the usual testing period.)
It’s an interesting conundrum for companies that rely on behavioral analytics to stay safe. It may simply be that CISOs will have to accept a higher-than-ideal number of false alarms during the initial testing period. That could mean profiles steadily becoming more accurate over a long period of time (say, a year or two) as these atypical behaviors occur.
This brings us to the typical chicken-and-egg problem. The earliest days and weeks of a behavioral analysis deployment will be A) when the system has its worst accuracy and generates many false alarms, and B) when users and LOB heads decide whether they will accept this authentication method or resist it.
No one ever said cybersecurity would be easy.
Copyright © 2022 IDG Communications, Inc.
https://www.computerworld.com/article/3650675/behavioral-analytics-is-getting-trickier.html#tk.rss_all