We’ve been working with our customers for a while now and have had a chance to see how security teams react when they drive security investigations with user behavior intelligence. Exabeam, a user behavior intelligence solution, applies dynamic behavior modeling to find credentials that are exhibiting anomalous behavior. It takes very little time for a security team to start using it to find misconfigurations, policy violations, miscommunication between IT Ops and security, and remote-controlled malware. Because we’ve taken a log-based approach to behavioral analysis, we simply pull data via API. In every deployment we’ve done, all the data we needed had already been collected: no need for additional hardware or custom configuration. The system “learns” behaviors by initially ingesting about 90 days of data, and is then able to monitor user behavior and peer-group outliers in real time.
What’s interesting is hearing the security team’s reaction once the first sessions (a session is all activity from log-on to log-off) get reviewed. Seeing the credential’s identity as supplied by Active Directory always amazes the security team; often Active Directory even holds pictures of employees. As the team dives further into reviewing risky access behaviors and characteristics, every customer goes through what I’m calling the five stages of awakening. Personally, I’ve never seen this happen with the purchase of any other technology. I’ll elaborate below.
- Denial – Seeing what users actually do with their credentials is mind blowing. When we showed a customer a session in which a user in an HR department was accessing over 1000 point-of-sale systems, the first response was, “No way that can happen! We are configured to prevent that! There has to be something wrong with your system!” This is a natural response given the amount of distrust the security team has developed over the years, having had to deal with so many false positives from so many systems. The same reaction occurs when they see activities that are clearly policy violations.
- Anger – Anger occurs in two ways. The first is when they investigate and determine that the system is telling the truth: the incident did occur, people are fallible, and there was a misconfiguration that allowed it to happen. Sometimes it points out that they’ve missed something that should have been obvious. The second type of anger is about the effectiveness of user security education programs. A byproduct is blame: we try to place blame on other departments or groups for what is seen.
- Bargaining – This is a normal reaction to a feeling of helplessness. All security folks feel this way; they just don’t admit it very often. There’s a deep-seated feeling of inadequacy. Like any human beings with a bit of ego who take their jobs very seriously, it’s tough for them to see malware that brand-new sandboxing solutions missed, or a threat that SIEM correlation would never have picked up on.
- Depression – The first kind of depression that occurs amongst the security team members is about the practical implications of what they are seeing. The unprecedented level of visibility they get is a shock. There’s a hush that occurs in most meetings where you can see the introspection written on everyone’s face in the room as they silently ponder what else they may have been missing.
- Acceptance – The realization that starting from user credential behavior and automatically seeing anomalies, following the attacker across identity and IP switches using Stateful User Tracking™, attributing security alerts to user sessions, and getting a visualization of the entire attack chain is a better way to prioritize the hundreds or thousands of critical alerts the incident response team still has to deal with after SIEM correlation has done its false-positive reduction. Real acceptance is when a customer realizes that a tier-three chore that usually takes days is now a tier-one SOC responsibility that takes minutes: they simply pick up the phone and ask the credential owner whether it was really the user who exhibited the behavior seen in the session.
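As an added illustration of the sessionization and peer-group outlier detection described above (example code written for this post, not Exabeam’s own implementation): it groups constructed logon/access/logoff events into log-on-to-log-off sessions, learns from a training window how many distinct hosts each peer group normally touches per session, and then flags a new session whose fan-out is far above its peers, like the HR credential that reached over 1000 point-of-sale systems. The event layout, the department names, the host names and the z-score threshold are all assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

def _session(t0, user, group, hosts):  # constructed logon -> access... -> logoff events
    ev = [(t0, user, group, "logon", "ws-" + user)]
    ev += [(t0 + i + 1, user, group, "access", h) for i, h in enumerate(hosts)]
    return ev + [(t0 + len(hosts) + 1, user, group, "logoff", "ws-" + user)]

# Constructed sample data, not from the post: HR peers touch 1-3 hosts per
# session in the training window; in the new window one session hits 40 POS hosts.
TRAIN_EVENTS = (_session(0, "alice", "hr", ["hr-db"])
                + _session(100, "bob", "hr", ["hr-db", "payroll"])
                + _session(200, "carol", "hr", ["hr-db", "mail", "payroll"])
                + _session(300, "alice", "hr", ["mail"])
                + _session(400, "dave", "hr", ["hr-db", "mail"]))
NEW_EVENTS = (_session(500, "bob", "hr", ["hr-db", "mail"])
              + _session(600, "eve", "hr", [f"pos-{i:03d}" for i in range(40)]))

def sessionize(events):
    """Group (time, user, group, action, host) events into logon-to-logoff sessions."""
    sessions, open_by_user = [], {}
    for t, user, group, action, host in sorted(events):
        if action == "logon":
            if user in open_by_user:           # logon with no logoff: close the stale one
                sessions.append(open_by_user.pop(user))
            open_by_user[user] = {"user": user, "group": group, "start": t,
                                  "end": None, "hosts": set()}
        elif user in open_by_user:
            if action == "access":
                open_by_user[user]["hosts"].add(host)
            elif action == "logoff":
                open_by_user[user]["end"] = t
                sessions.append(open_by_user.pop(user))
    return sessions + list(open_by_user.values())  # keep sessions still open

def peer_baseline(sessions):
    """Per peer group: mean and std-dev of distinct hosts touched per session."""
    counts = defaultdict(list)
    for s in sessions:
        counts[s["group"]].append(len(s["hosts"]))
    return {g: (mean(c), max(pstdev(c), 1.0)) for g, c in counts.items()}

def find_outliers(train_events, new_events, threshold=3.0):
    """Learn baselines from the training window, flag new sessions far above peers."""
    baseline = peer_baseline(sessionize(train_events))
    flagged = []
    for s in sessionize(new_events):
        mu, sigma = baseline.get(s["group"], (0.0, 1.0))
        z = (len(s["hosts"]) - mu) / sigma             # z-score against the peer group
        if z > threshold:
            flagged.append((s["user"], len(s["hosts"]), round(z, 1)))
    return flagged
```

Keeping the training window separate from the scored window matters: if the outlier session were folded into its own baseline it would inflate the peer standard deviation and largely hide itself.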
Want to know more about what we are seeing and experience the Five Stages of User Behavior Intelligence Acceptance for yourself?