Behavioral analytics, long associated with threat detection (UEBA and UBA), is experiencing a renaissance. Once used primarily to detect suspicious activity, it is now being reimagined as a post-detection technology that improves incident response. By bringing behavioral context into alert triage and investigations, SOCs can make their workflows more accurate, efficient and effective. Many newer security products, such as AI SOC analysts, build these techniques into their investigative capabilities, so the SOC can apply them in its response process.
This post gives a brief overview of behavioral analytics and then discusses five ways to reimagine it to shake up SOC incident investigation and response.
Behavioral analysis is back, but why?
Behavioral analytics was a hot topic around 2015, promising to replace static SIEM and SOC detection rules with dynamic anomaly detection that would uncover "unknown unknowns." Within a year or so, user behavior analytics platforms were being acquired by SIEM vendors, and the idea of a behavioral lens on security data spread to many other detection product categories.
So why did interest fade?
Behavioral analytics is a bit like the microwave, in that the first application of a technology is not always its best one. When the American engineer Percy Spencer noticed a chocolate bar melting in his pocket while working on radar magnetrons, he probably had no idea that the effect would revolutionize kitchens around the world. The first microwave ovens were bulky, expensive appliances for restaurants and ships; only over time did their practicality for reheating food at home become apparent and change how people thought about them. Similarly, behavioral analytics was originally built as a detection tool, aimed at catching threats in real time. That early use required extensive setup and maintenance and often buried security teams in false positives. Behavioral analytics has now found a much more effective role in post-detection analysis. By narrowing the scope to the entities involved in a specific security alert, it provides valuable context with far fewer false alarms, making it a valuable part of the incident response process rather than a constant source of noise.
5 ways behavioral analytics are revolutionizing incident response
Here are five key ways behavioral analytics can improve incident response, helping security teams respond with greater speed and accuracy.
1. Increasing the accuracy of incident investigations
One of the most critical challenges in incident response is sifting through false positives to find real threats. With post-detection behavioral analytics, analysts can answer the contextual questions that bring clarity to an investigation. Without knowing how a user, entity, or system typically behaves, it is difficult to tell whether an alert reflects legitimate activity or a potential threat.
For example, an "impossible travel" alert, a notoriously noisy detection, fires on logins from locations a person could not physically travel between in the elapsed time (e.g., a login from New York followed by one from Singapore five minutes later). Behavioral baselines give analysts the data to evaluate such alerts effectively, answering questions such as:
- Is travel to this location typical for this user?
- Is the login behavior normal?
- Is the device familiar?
- Are they using a proxy or VPN, and is that expected for them?
Behavioral analysis becomes powerful in investigations by providing the context analysts need to filter out false positives by confirming expected behavior, especially for identity-related alerts that would otherwise be hard to resolve. SOC teams can then focus on true positives with greater precision and confidence.
2. Eliminating the need to communicate with end users
Some alerts, especially those related to user behavior, require SOC analysts to reach out to end users for more information. These interactions can be slow, frustrating, and sometimes unsuccessful when users are hesitant to respond or unclear about what they are being asked. Using baselines that capture a user's typical behavior, AI-powered SOC tools can answer many of these contextual questions automatically. Instead of having to ask users "Are you in France right now?" or "Are you using Chrome?", the system already knows, so analysts can proceed without interrupting end users, which simplifies investigations.
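As an added example (not code from the original post or from any product it describes), the following Python sketches the post-detection enrichment described in sections 1 and 2: the raw impossible-travel check, a per-user baseline built from login history, and the contextual questions listed above answered from that baseline instead of by asking the user. The login records, the city coordinates, the documentation-range ASN that stands in for the corporate VPN, and the 5% "typical country" threshold are all constructed assumptions.

```python
"""Added example (not from the original post): enriching an "impossible travel"
alert with a per-user behavioral baseline after detection.

All data here is constructed for illustration: the login history, the city
coordinates and the ASN that stands in for the corporate VPN are assumptions,
and no real product API is involved.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt

# Constructed coordinates (lat, lon) for the cities in the sample events.
CITY_COORDS = {"New York": (40.71, -74.01), "Paris": (48.86, 2.35), "Singapore": (1.35, 103.82)}
# Assumed: the ASN the organisation's sanctioned VPN egresses through (documentation range).
SANCTIONED_VPN_ASNS = {"AS64500"}
# Faster than any commercial flight: a human cannot have made the trip.
MAX_PLAUSIBLE_KMH = 1000.0
# Assumed threshold: a country seen in at least 5% of past logins counts as typical.
TYPICAL_SHARE = 0.05


@dataclass(frozen=True)
class Login:
    user: str
    ts: datetime
    city: str
    country: str
    device_id: str
    browser: str
    asn: str


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def is_impossible_travel(prev, cur):
    """The raw detection: the speed implied by two consecutive logins exceeds MAX_PLAUSIBLE_KMH."""
    km = haversine_km(CITY_COORDS[prev.city], CITY_COORDS[cur.city])
    hours = (cur.ts - prev.ts).total_seconds() / 3600.0
    return km > 0 and (hours <= 0 or km / hours > MAX_PLAUSIBLE_KMH)


def build_baseline(history):
    """Per-user baseline: how often each country is seen, plus the devices and browsers seen."""
    baseline = {}
    for lg in history:
        b = baseline.setdefault(lg.user, {"countries": Counter(), "devices": set(), "browsers": set()})
        b["countries"][lg.country] += 1
        b["devices"].add(lg.device_id)
        b["browsers"].add(lg.browser)
    return baseline


def triage(prev, cur, baseline):
    """Answer the questions an analyst would otherwise have to ask the user, and derive a verdict."""
    b = baseline.get(cur.user, {"countries": Counter(), "devices": set(), "browsers": set()})
    total = sum(b["countries"].values())
    ctx = {
        "impossible_travel": is_impossible_travel(prev, cur),
        "country_typical": total > 0 and b["countries"][cur.country] / total >= TYPICAL_SHARE,
        "device_known": cur.device_id in b["devices"],
        "browser_known": cur.browser in b["browsers"],
        "sanctioned_vpn": cur.asn in SANCTIONED_VPN_ASNS,
    }
    if not ctx["impossible_travel"]:
        ctx["verdict"] = "no_alert"
    elif ctx["device_known"] and ctx["browser_known"] and (ctx["country_typical"] or ctx["sanctioned_vpn"]):
        # Known device and browser, and either a usual country or the corporate VPN:
        # the "travel" is explained without asking the user anything.
        ctx["verdict"] = "likely_benign"
    else:
        ctx["verdict"] = "escalate"
    return ctx


def demo():
    """Constructed history for one user, then two variants of the same impossible-travel alert."""
    t0 = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)
    history = [Login("alice", t0 - timedelta(days=d), "New York", "US", "dev-A", "Chrome/120", "AS64496")
               for d in range(1, 31)]
    history += [Login("alice", t0 - timedelta(days=d), "Paris", "FR", "dev-A", "Chrome/120", "AS64497")
                for d in range(31, 36)]
    baseline = build_baseline(history)
    prev = Login("alice", t0, "New York", "US", "dev-A", "Chrome/120", "AS64496")
    # Same user, five minutes later, from Singapore: the raw detection fires in both cases.
    via_vpn = Login("alice", t0 + timedelta(minutes=5), "Singapore", "SG", "dev-A", "Chrome/120", "AS64500")
    unknown = Login("alice", t0 + timedelta(minutes=5), "Singapore", "SG", "dev-Z", "Firefox/115", "AS64499")
    return {"via_vpn": triage(prev, via_vpn, baseline), "unknown_device": triage(prev, unknown, baseline)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The two alerts in demo() are identical from the raw detection's point of view (same user, New York then Singapore five minutes apart); only the baseline separates the one explained by a known device and browser on the corporate VPN from the one on a never-seen device and browser, which is escalated. In production the baseline would be computed from weeks of identity-provider logs rather than an in-memory list, and the thresholds tuned per organisation.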
3. Faster mean time to respond (MTTR)
Incident response speed is bounded by the slowest task in the process. Traditional workflows involve repetitive manual work for each alert, such as pulling historical data, checking for common patterns, or contacting end users. With tools that perform post-detection behavioral analytics automatically, these queries and checks are done for the analyst, who no longer needs to run slow manual searches to establish what is normal. As a result, SOC teams can triage and investigate alerts in less time, reducing mean time to respond (MTTR) from days to minutes.
4. Improved information for deeper investigation
Behavioral analytics lets the SOC capture a wide range of insights that might otherwise go unexplored. For example, understanding application behavior, process execution patterns (such as where firefox.exe normally runs from), or user interactions can provide valuable context during an investigation. Gathering this information manually is often difficult or time-consuming, but SOC tools with built-in behavioral analytics can analyze it automatically and fold it into the investigation after detection. Analysts gain insights they would otherwise not have and can make better-informed decisions during alert triage and incident response.
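As an added example, not from the original post, here is a Python sketch of the process execution baseline mentioned above: it records the directories each image name has historically run from, collapses per-user path segments so different users' profiles compare equal, and then scores a new process-start event by how rare its directory is for that image and whether the directory is user-writable. The events, host names and the 2% rarity threshold are constructed assumptions; real input would be EDR or Sysmon process-creation telemetry.

```python
"""Added example (not from the original post): baselining where a process image
normally executes from, then scoring a new process-start event against that baseline.

The events are constructed for illustration; in practice they would come from
EDR or Sysmon process-creation telemetry, and the rarity threshold is an assumption.
"""
from collections import Counter
from pathlib import PureWindowsPath

# Assumed threshold: a directory seen in under 2% of an image's starts is rare for it.
RARE_SHARE = 0.02
# Directory fragments any user can write to, where a well-known binary name should not normally run from.
USER_WRITABLE_MARKERS = ("\\appdata\\local\\temp", "\\downloads", "\\public")


def image_name(path):
    """Lower-cased file name of the executable."""
    return PureWindowsPath(path).name.lower()


def normalize_dir(path):
    """Lower-case the parent directory and collapse the per-user segment so that
    C:\\Users\\alice\\... and C:\\Users\\bob\\... compare equal."""
    parts = [p.lower() for p in PureWindowsPath(path).parent.parts]
    if len(parts) > 2 and parts[1] == "users":
        parts[2] = "<user>"
    return str(PureWindowsPath(*parts))


def build_baseline(history):
    """Map each image name to a Counter of the normalized directories it has run from."""
    baseline = {}
    for _host, path in history:
        baseline.setdefault(image_name(path), Counter())[normalize_dir(path)] += 1
    return baseline


def score(path, baseline):
    """Rate one process-start event against the baseline."""
    name, directory = image_name(path), normalize_dir(path)
    seen = baseline.get(name)
    result = {"image": name, "directory": directory,
              "user_writable": any(m in directory for m in USER_WRITABLE_MARKERS)}
    if not seen:
        # Nothing to compare against: report it as new rather than scoring an empty distribution.
        result.update(share=0.0, rare=True, verdict="new_process")
        return result
    share = seen[directory] / sum(seen.values())
    rare = share < RARE_SHARE
    if rare and result["user_writable"]:
        verdict = "investigate"  # known binary name from a rare, user-writable path
    elif rare:
        verdict = "review"
    else:
        verdict = "expected"
    result.update(share=round(share, 4), rare=rare, verdict=verdict)
    return result


def demo():
    """Constructed history: firefox.exe from its install directory on 50 hosts, once from a Temp folder."""
    history = [(f"ws-{i:02d}", r"C:\Program Files\Mozilla Firefox\firefox.exe") for i in range(50)]
    history.append(("ws-07", r"C:\Users\bob\AppData\Local\Temp\firefox.exe"))
    baseline = build_baseline(history)
    return {
        "install_dir": score(r"C:\Program Files\Mozilla Firefox\firefox.exe", baseline),
        "temp_dir": score(r"C:\Users\alice\AppData\Local\Temp\firefox.exe", baseline),
        "unknown_image": score(r"C:\Users\alice\Downloads\invoice.exe", baseline),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

firefox.exe from its install directory scores as expected; the same binary name launched from a Temp folder is both rare in the baseline and in a user-writable location, so it is marked for investigation; and an image never seen before is reported as new rather than scored. The per-user collapse matters because without it every user's profile directory would look like a brand-new path and the baseline would never converge.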
5. Improved use of resources
Creating and maintaining behavioral models is resource-intensive: it needs significant data storage, processing power, and analyst time. Many SOCs simply lack the expertise, resources, or capacity to apply behavioral information to post-detection tasks. AI SOC solutions with automated behavioral analytics let organizations get these benefits without additional infrastructure cost or analyst workload. They remove the need for extra storage and hand-written queries, delivering behavioral context for each alert within minutes and freeing analysts to focus on higher-value work.
Figure 1. An example of a Splunk query that identifies the countries used by users on the sales team and flags anomalies.
Behavioral analytics is redefining the SOC's approach to incident response. Moving from an initial detection tool to a post-detection powerhouse, it provides the context needed to distinguish real threats from noise, avoid disrupting end users, and accelerate response times. SOC teams benefit from faster and more accurate investigations, richer intelligence and better use of resources, while keeping an edge in proactive threat detection. As SOCs continue to adopt AI-powered behavioral analytics, incident response will only become more efficient, resilient and effective in today's dynamic threat landscape.
Download this guide to learn more about making your SOC more effective, or take an interactive product tour to learn more about AI SOC Analysts.