Detecting Malicious Activities in Enterprise Applications
The most important criteria in a detection solution is accuracy: the number of false positives and number of false negatives, and the goal is of course to minimize these alerts. However, current application detection solutions are based on rules and highly inaccurate.
TrackerIQ’s unique analytic approach achieves high accuracy using the context of the activity, i.e. by analyzing a sequence of activities, instead of the activity itself. TrackerIQ does this with user journey analytics in the application.
TrackerIQ’s detection model is agnostic to the meaning of an application’s activities, so that it can be applied to any application and even cross applications.
User Journey Analytics
TrackerIQ analyzes user journeys (i.e. application sessions), not individual activities, and the journey provides a context which is important for accurate detection.
To achieve unprecedented accuracy, TrackerIQ machine learns using its patent pending clustering engine all user journey profiles and use them to detect abnormal user journeys.
No Rules Required
Rule based detection detects only known attack patterns, generates a high number of false alerts, requires constant expensive maintenance, and doesn’t scale.
User Journey Analytics
Tracking user journeys enables a new level of application activity analysis, one which is far more accurate and comprehensive than older rule-based and statistical model solutions.
A User journey is a sequence of activities the user has performed in an application. Research has proven that each user has typical journeys when they use an application. Learning the typical journey per user (per application), enables us to accurately detect an abnormal journey which isn’t similar to the user’s typical journeys in the application.
For example when an insider performs a malicious activity, their journey will deviate from their typical journeys and/or the typical journeys of their peer groups. In addition, an accurate way to detect account takeover (i.e. impersonator) is by comparing the impersonator’s journey to the real typical user journeys.
Applying Machine Learning to Learn the User Journey Profiles
The challenge is of course how to learn automatically all the typical user journeys in an application (or even across applications) as each user has many typical journeys profiles. It is important to emphasize that there is no meaning to an average journey. We must learn all the user’s typical journeys to accurately detect the abnormal journey.
To accurately learn user journey profiles, TrackerIQ reads log events and generates user journeys (i.e. the user sessions in the application). It then groups similar user journeys together to generate the user's journey profiles. To perform this grouping of journeys accurately, RevealSecurity has developed a unique clustering engine. Based on the groups generated by the clustering engine, TrackerIQ generates user’s journey profiles and uses them to detect abnormal journeys.
Ubiquitous Detection Solution: The Essence of Activities Makes No Difference to TrackerIQ
TrackerIQ’s detection is based on the user journey characteristics, i.e. the activities performed during a user journey, the order in which they have been performed and the time difference between them. These user journey characteristics are completely indifferent to the essence of specific user activities. Thus, TrackerIQ’s detection model can be applied to any application because it is ubiquitous and agnostic to the meaning of an application’s activities. This is fundamental to RevealSecurity’s detection, as each application has a different set of activities
Reach out to us to find the needle in your haystack!
4 Yaakov Rosen St, Ramat Gan 5246208, Israel