What is User and Entity Behaviour Analytics (UEBA) and how are we starting to use it?
The bottom line is that preventative measures alone are no longer enough to defend businesses against the dynamic threats we're seeing today. We need new approaches that bridge the gap between letting users perform the actions they want simply and seamlessly, and making sure nobody who isn't you can pretend to be you in order to perform malicious actions, whether as a customer or as an internal employee of a business.
Simple enough, right? Unfortunately not: it's a complex and intrusive process that touches everything, which is why it's not commonplace today.
The amount of data an Identity & Access Management solution already provides to organisations is considerable. From this, we can apply machine learning or statistical analysis as a powerful mechanism for building a highly detailed context of you as a user.
A great example is a group of salespeople who work from multiple offices, in different time zones and from different computers. How do you know which time zone, device or office to write into a standard access control policy? Short answer: you can't. UEBA instead learns what looks normal from the access data by computing a baseline model, which in turn lets the software recognise when something is abnormal and take the correct proactive action: asking the user for additional information, or cutting the session by logging the user out of the platform.
As opposed to rule-based alerting systems, which determine an action based on events, this approach allows for probabilistic analysis: it measures risk rather than judging an event right or wrong on simple inputs. A sophisticated UEBA system models multiple dimensions at once and learns from its successes and failures to get better over time; Okta's Risk Based Authentication platform is one example (I write about this here). This lets us simply feed activity data into the platform rather than actively managing a massive alerting list in order to investigate unusual behaviour, moving from a reactive approach to a proactive one.
Enter Continuous Authentication (not a new concept, but now being readily adopted)
With continuous authentication there is no longer just a single login event where you either enter the credentials we expected or don't, and the system either grants access to perform actions or doesn't. Instead we continually compute scores based on the actions you take on our website. Let's take a banking example, as these are the easiest to understand.
A user is logged into the bank and attempts to perform a bank transfer. The access management platform continually computes a score for that user reflecting how certain the system is, based on their actions, that the account owner is the one actually using the device.
For the sake of this example we'll have a score between 0 (not authenticated) and 1000 (highly confident that this user is actually who they claim to be). If we are not confident enough to allow the banking transaction to take place, we can prompt the user for more information, such as Face ID or their password. If the software detects an anomaly in what the user is doing, it can force a logout and alert various other platforms to the incident. With this, banks can set boundaries on certain actions based on tolerable risk by specifying the minimum confidence score each action requires.
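To make both the UEBA baseline idea from the salespeople example and the 0 to 1000 banking score concrete, here is a small added example in Python. It is not the author's code and not Okta's product logic; the login history, the dimension weights, the per-action thresholds (300 for viewing a balance, 700 for a transfer) and the anomaly floor of 100 are all assumed values chosen for illustration.

```python
from collections import Counter

# Constructed login history for one user (sample data, not from the page).
HISTORY = [
    {"device": "laptop-a", "tz": "Europe/London", "hour": 9},
    {"device": "laptop-a", "tz": "Europe/London", "hour": 11},
    {"device": "laptop-a", "tz": "Europe/London", "hour": 14},
    {"device": "phone-b", "tz": "Europe/London", "hour": 19},
    {"device": "laptop-a", "tz": "America/New_York", "hour": 10},
]
# Relative weight of each dimension in the score (assumed policy values).
WEIGHTS = {"device": 0.5, "tz": 0.3, "period": 0.2}
# Minimum confidence (0..1000) each banking action requires (assumed values).
ACTION_MIN = {"view_balance": 300, "transfer": 700}
ANOMALY_FLOOR = 100  # below this the session is treated as an anomaly

def features(event):
    """Map a raw login/activity event onto the dimensions the model uses."""
    return {"device": event["device"], "tz": event["tz"],
            "period": event["hour"] // 6}  # 6-hour period of the day

def build_baseline(events):
    """UEBA 'what looks normal' model: how often each value was seen per dimension."""
    baseline = {}
    for dim in WEIGHTS:
        counts = Counter(features(e)[dim] for e in events)
        baseline[dim] = {v: n / len(events) for v, n in counts.items()}
    return baseline

def confidence(baseline, event):
    """Score 0..1000: weighted share of the user's history that matches this event."""
    f = features(event)
    score = sum(w * baseline[dim].get(f[dim], 0.0) for dim, w in WEIGHTS.items())
    return round(score * 1000)

def decide(baseline, event, action):
    """Continuous-authentication decision for one action in a live session."""
    score = confidence(baseline, event)
    if score < ANOMALY_FLOOR:
        return "logout", score      # anomaly: end the session, alert other platforms
    if score < ACTION_MIN[action]:
        return "step_up", score     # ask for more proof, e.g. Face ID or password
    return "allow", score

def record_verified(events, event):
    """Feed a successfully verified session back in so the model learns over time."""
    return events + [event]

if __name__ == "__main__":
    base = build_baseline(HISTORY)
    usual = {"device": "laptop-a", "tz": "Europe/London", "hour": 10}
    print(decide(base, usual, "transfer"))  # ('allow', 760)
```

A familiar laptop in the usual time zone clears the transfer threshold, the evening phone session can view a balance but is asked for step-up before transferring, and an unseen device in an unseen time zone at 3am scores 0 and is logged out.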
How far can we go?
This is where it gets a bit scary and invasive from a privacy perspective.
Are you using a banking app on your smartphone? Research shows the way you hold the phone is unique to you!
A system called HMOG (Hand Movement, Orientation, and Grasp) works on a set of features, including hand movement, orientation and keystroke patterns, to identify whether the same person is still holding the phone. The application can monitor these variables directly and update the remote server so that an authentication score can be calculated.
So - are we ready to go password-less?
Gartner: "By 2024, the use of Multi-Factor Authentication (MFA) for application access through AM solutions will be leveraged for over 70% of all application access, up from 10% today."
We're getting there: by and large we're slowly fixing the problem of ensuring businesses have a second factor of authentication of some sort. Biometrics are becoming easier to use and seem like a great replacement for passwords, but unfortunately you can't change them, so breaches that leak biometric information such as your fingerprint details or your unique behaviour can cause you a world of problems. They are still a great asset in assisting other technologies to complete the authentication process, though!
Do I Need A Password Manager?
Password managers take the hassle out of creating and memorising complex, strong passwords across all of the services you use, and make your life considerably easier!
Unfortunately, passwords are stolen all the time. Some of the sites you visit and services you use are a massive target for the data they hold on their customers, and sadly the security measures in some of these businesses leave a lot to be desired.
So what does it do?
- Creates unique, strong passwords in seconds that you don't need to remember.
- Autofills your login details across all your devices.
- Informs you if your credentials appear in a breach.
- Ensures you enrol in 2nd factor authentication where the online service offers it.
Just to put this in perspective, and to show how much of a problem this is across the industry: Troy Hunt collated a few different individual breaches at the start of this year into a set called "Collection #1", which contained 773 million emails, 21 million passwords, and 1,160,253,228 unique combinations of the two, a staggering 87GB of breached user data. Read more here!
So yes, if you're yet to set up a password manager and are keen to do so after reading this article, here are my four suggestions:
- LastPass (has a free plan and a monthly subscription)
- 1Password (paid monthly subscription only)
- Bitwarden (free and open source)
- KeePass (free and not cloud based)
(Disclosure: I am in affiliation with these providers as I use their products and support them)