Applying User Behavior Analytics to Web Access Management Systems

Blog Post created by marda30 Employee on Apr 28, 2016

Getty_166273198_14.jpgWeb access management systems see a lot of user behavior. Were these systems trained to recognize exceptional behavior from typical behavior, they might act to highlight or even mitigate the risk of the exceptional behavior. Is a user accessing new or unusual data based on past history?  Is an application experiencing unusual access load or patterns? Is a certain geography exceptionally active, do users seem to suddenly originate from a certain geography that falls out of the range of typical usage? Are user authentications or authorizations for a given user spiking for some reason?

These questions and many more could be answered in real time using heuristics and a carefully assembled knowledge base.  The data is already in web access management systems today. It is in audit or access logs, health monitor data, and other data sources.  Often this data isn’t used until a breach is detected and the exceptional behavior that caused it has long passed along with the opportunity to prevent it. With an evolving knowledge base fed by continuous real time access data, an analytics engine might be trained to recognize suspicious or exceptional user access as it occurs so that meaningful mitigation processes could be enforced.  Security staff could be notified; step-up authentication enforced; access could even be blocked in the most extreme and risky circumstances.

This approach is a critical evolution for web access management solutions. Typically, a user who has successfully authenticated and authorized becomes a foot note, or non-event, in such systems. Few questions may be raised as to whether or not the access has come from lost or stolen credentials, hijacked access, or a compromised insider.  How is a valid user sitting at their desk recognized from an imposter that hurriedly sits at their recently vacated laptop to take advantage of their access? Strong authentication means may detect some questionable access during initial authentication, but what of the user compromised after this event?  A stolen phone that isn’t locked to prevent access to critical applications, a hijacked computer in the office, similar misuse of a common computing resource such as a department tablet, or Kiosk?


Applying behavioral analytics to these problems may open a door to future mitigation opportunities and provide a new security control for existing web access management solutions. What do you think?  Feel free to comment or “like” this post to share your opinion.