Layer7 Access Management

Applying User Behavior Analytics to Web Access Management Systems

By Anon Anon posted 04-28-2016 10:02 AM


Web access management systems see a lot of user behavior. Were these systems trained to distinguish exceptional behavior from typical behavior, they might act to highlight or even mitigate the risk of the exceptional behavior. Is a user accessing new or unusual data based on past history? Is an application experiencing unusual access load or patterns? Is a certain geography exceptionally active, or do users seem to suddenly originate from a geography that falls outside the range of typical usage? Are authentications or authorizations for a given user spiking for some reason?

These questions and many more could be answered in real time using heuristics and a carefully assembled knowledge base. The data is already in web access management systems today. It is in audit or access logs, health monitor data, and other data sources. Often this data isn’t used until a breach is detected, by which time the exceptional behavior that caused it has long passed, along with the opportunity to prevent it. With an evolving knowledge base fed by continuous real-time access data, an analytics engine might be trained to recognize suspicious or exceptional user access as it occurs so that meaningful mitigation processes could be enforced. Security staff could be notified; step-up authentication could be enforced; access could even be blocked in the most extreme and risky circumstances.
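A sketch of that loop, added here as an illustration and not taken from the original post or any product: a per-user baseline built from audit-log history, scored against each new request and mapped to the mitigations listed above. The log fields, weights, thresholds and class name are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit-log history (user, time, country, resource); not real data.
HISTORY = [
    ("alice", "2016-04-25T09:00:00", "US", "/hr/timesheet"),
    ("alice", "2016-04-26T09:05:00", "US", "/hr/timesheet"),
    ("alice", "2016-04-27T13:30:00", "US", "/wiki"),
    ("bob",   "2016-04-26T10:00:00", "DE", "/finance/reports"),
]
# Assumed weights and thresholds; a real deployment would tune these.
WEIGHTS = {"new_country": 40, "new_resource": 20, "auth_spike": 40}
SPIKE_WINDOW, SPIKE_LIMIT = timedelta(minutes=5), 3

class Baseline:
    """Hypothetical knowledge base: what each user normally does."""
    def __init__(self, history):
        self.countries = defaultdict(set)
        self.resources = defaultdict(set)
        self.recent = defaultdict(list)   # request timestamps per user
        for user, ts, country, resource in history:
            self.learn(user, datetime.fromisoformat(ts), country, resource)

    def learn(self, user, when, country, resource):
        self.countries[user].add(country)
        self.resources[user].add(resource)
        self.recent[user].append(when)

    def evaluate(self, user, ts, country, resource):
        when = datetime.fromisoformat(ts)
        reasons = []
        if country not in self.countries[user]:
            reasons.append("new_country")
        if resource not in self.resources[user]:
            reasons.append("new_resource")
        # Spike: too many earlier requests from this user inside the window.
        burst = [t for t in self.recent[user] if when - t <= SPIKE_WINDOW]
        if len(burst) >= SPIKE_LIMIT:
            reasons.append("auth_spike")
        score = sum(WEIGHTS[r] for r in reasons)
        action = ("block" if score >= 80 else "step_up" if score >= 40
                  else "notify" if score >= 20 else "allow")
        if action == "allow":
            self.learn(user, when, country, resource)  # only clean events train
        else:
            self.recent[user].append(when)  # count it, but do not learn from it
        return action, reasons
```

Only requests scored as `allow` update the baseline, so a run of suspicious requests cannot teach the knowledge base that the new pattern is normal.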

This approach is a critical evolution for web access management solutions. Typically, a user who has successfully authenticated and authorized becomes a footnote, or non-event, in such systems. Few questions may be raised as to whether or not the access has come from lost or stolen credentials, hijacked access, or a compromised insider. How is a valid user sitting at their desk distinguished from an imposter who hurriedly sits at their recently vacated laptop to take advantage of their access? Strong authentication means may detect some questionable access during initial authentication, but what of the user compromised after this event? What of a stolen phone that isn’t locked to prevent access to critical applications, a hijacked computer in the office, or similar misuse of a common computing resource such as a department tablet or kiosk?


Applying behavioral analytics to these problems may open a door to future mitigation opportunities and provide a new security control for existing web access management solutions. What do you think?  Feel free to comment or “like” this post to share your opinion.



04-28-2016 10:52 AM

Thoughtful post, Dave. With the global, mobile, internet-based workforce we work in today, with real-time communication a must to be competitive, we are no longer bound by the physical network perimeter boundaries that traditional web access management systems used to manage. Our own identity is the new security boundary and enforcing that I am the person I claim to be whenever I try and access a company system, wherever I may be in the world, at whatever device I am connecting from is the current and future reality.


Proving who I am needs an additional, more intelligent capability than just validating an inputted company credential (e.g. username/password from the corporate user store database). As you say, more granular information is also needed such as where that access request claiming to be me is coming from (am I in a local coffee shop in my home town of Boston or does it seem like I am connecting from Vladivostok where I have never been before?). Behaviors such as the keystroke pattern of how I enter a password/passcode on a device or other such things that uniquely identify me as me (and not some internet bot) are important to be validated without making it more difficult and intrusive for me to access the system from my device.


This can only be done with a web access system that has sufficient data collected from my prior successful authentication attempts where that data is searchable by an identity/user behavior analytic engine with security policies my company defines that can trigger a desired action (such as step-up verification).


Great post - user behavior analytics + web access management is a key technology for companies to be aware of and consume to protect themselves.





04-28-2016 10:11 AM

Thanks for sharing this blog, David!