Man using virtual analytics screen showing user behavior analytics

Why User Journeys Are Critical to Application Detection

The cause of increasing threats for enterprise business applications lies within rogue insiders and external attackers. External hackers steal information to penetrate business applications, while insiders are not properly monitored in SaaS and home-grown applications. These two, combined, create a risky situation by employees and administrators who might misuse or engage in malicious activities.

The market-wide shift from on-prem to SaaS applications for business-critical functions, such as finance, HR, and operations, has widened the opportunity for malicious activities to take place, creating a greater market need for solutions that address Application Detection and Response (ADR) in a way that scales across multiple different applications. Even when a perfect deployment with no application layer vulnerabilities occurs, there are still opportunities for malicious insiders and imposters. Core business applications today are often poorly monitored, and as a result attacks are detected only after complaints from victims. The detection of these breaches usually includes manual sifting through tons of log data from multiple sources when suspicion is raised. This makes ADR a massive pain point for enterprises, particularly with their core business applications (often home-grown, custom-built applications).

The detection landscape gap

Today, cybersecurity detection solutions focus on malicious activities at the access, network infrastructure and operating system layers. A wide range of solutions are available for users, networks, and devices, such as NDR on the network layer, EDR on the device layer and UEBA and CASB for the user/access layer. They are based on two main technologies:

  1. Defining illegal or malicious behavior by rules and patterns
  2. User Entity Behavior Analytics (UEBA): statistical volumetric/frequency methods, based on averages and standard deviations of activities, such as the number of logins, number of emails, etc.

However, UEBA has failed when it comes to the application layer, due to the vast dissimilarities between applications. Models are therefore developed only for a limited set of application layer scenarios, such as in the financial sector. As a result, individualized rules written for specific applications continue to be the most common detection solution for applications.

Rules: The first generation

The first generation of cybersecurity detection technology is rules, but rules only detect known patterns. Individualized rules require expensive experts to maintain: each application is unique, and one must be extremely familiar with its business logic, log formats, how it is used, etc., in order to write and manage rules for detecting application breaches. However, this does not eliminate false positives and is why rule-based detection solutions are notoriously problematic.

UEBA: The second generation

Over a decade ago, the security market adopted statistical analysis to augment rule-based solutions in an attempt to provide more accurate detection for the infrastructure and access layers. However, UEBA failed to deliver as promised to dramatically increase accuracy and reduce false positive alerts due to a fundamentally mistaken assumption – that user behavior can be characterized by statistical quantities, such as the average daily number of activities. This mistaken assumption is built into UEBA, which characterizes a user by an average of activities. In reality though, people don’t have “average behaviors,” and it is thus futile to try and characterize human behavior with quantities such as “average,” “standard deviation,” or “median” of a single activity.

User journey analytics: The third generation

The main criteria for success in a detection solution is accuracy, which is dictated by the number of false positives, and the number of false negatives. The evolution of detection solutions led to the third generation of solutions analyzing Sequences of Activity, i.e. Journeys, to contextualize activity and improve detection accuracy.

User Journey Analytics is based on implementing this concept of sequence-based detection in the application layer, to detect abnormal user journeys highly accurately. User journeys are the sequence of activities performed by the user in any application, both SaaS application and custom-built.

Analysis of user journeys accurately detects imposters, as it is very difficult to imitate a user’s normal journey in an application. It will also accurately detect insiders looking to misuse or abuse an application as they would then deviate from their normal user journey profiles.

The accurate detection of malicious behavior via analysis of user journeys is based on the underlying assumption that an abnormal session is characterized by a journey which isn’t similar to the user’s typical journeys in an application. Thus, by learning typical journeys and creating normative journey profiles, we can accurately detect abnormal journeys, which are highly correlated to malicious activities.

While User Behavior Analytics is about a single baseline for each activity and an analysis of each activity on its own, User Journey Analytics looks at sequences of activities and learns for each user the complete set of typical user journeys in an application. This enables extremely accurate detection.