Access our demo library to view BeyondTrust products in action.
Learn More Learn MoreComplete your PAM journey with detailed guidance, hands-on capability checklists, and more.
Learn More Learn MoreLearn why Gartner® has named BeyondTrust as a PAM Leader once again.
Learn More Learn MoreExplore how customers are using our solutions to advance security and productivity.
Learn More Learn MoreOffering a wide array of services and benefits tailored to your specific needs
Learn More Learn MoreLearn how BeyondTrust solutions protect companies from cyber threats.
Learn More Learn MoreAccess our demo library to view BeyondTrust products in action.
Learn More Learn MoreThis blog marks the first in a series that explores applications of longitudinal data analysis (LDA) in identity security. In this initial blog, we will focus on how LDA can be leveraged to detect anomalous privilege changes, a common security risk in large organizations.
With organizations managing a sprawling number of identities—both human and non-human—across on-prem, cloud, and SaaS environments, today’s attack surface has expanded significantly. Each of these identities presents an opportunity for a threat actor to exploit and gain access to sensitive system data and resources. As a result, identity security has become critical in securing today’s digital environment. One useful approach for detecting threats in the identity space is Longitudinal Data Analysis (LDA), the analysis of changes in user behavior across time. By analyzing temporal patterns of access and privilege changes, security teams can uncover risks that are not evident using strictly point-in-time analysis.
Depending on the field, Longitudinal Data Analysis may be called Panel Data Analysis, Event History Analysis, or Repeated Measures Analysis. For the purpose of this blog, we will refer to this approach as Longitudinal Data Analysis.
LDA represents a critical approach in identifying suspicious changes in the configuration and/or behavior of an account, IP address, session, or other entity over time. Rather than examining only the current state of an entity, such as a user’s level of privilege, LDA employs a variety of methods to combine past state with current state to identify anomalous activity or configurations. This form of analysis can identify unusual behavior that would otherwise go unidentified if only the current state was analyzed. Escalation of privilege, or privilege jumps, for example, may indicate account compromise, making detection essential in securing an organization’s IT infrastructure. LDA and its associated methods can be leveraged by security teams to monitor and identify unusual privilege changes, helping organizations mitigate the risks posed by account vulnerabilities.
This blog marks the first in a series that explores applications of LDA in identity security. In this initial blog, we will focus on how LDA can be leveraged to detect anomalous privilege changes, a common security risk in large organizations.
At its core, LDA is a technique for analyzing change over time. It is a variation on time series analysis that, rather than focusing on a single entity over time, is used for the analysis and modeling of many entities across time. A defining feature of LDA is the collection of repeated measurements per entity, allowing for the study of change over time. This approach is well-suited to the identity security setting, where many identities and their behaviors/configurations need to be observed over time to detect when suspicious changes in behavior occur. For instance, these repeated measurements could take the form of a daily record of privilege level, number of failed authentications, and number of IP addresses per account. LDA utilizes various approaches to data modeling and structuring to allow for the temporal analysis of changes.
Examples of these temporal changes include:
Identity security is inherently temporal. In a general sense, identifying unusual behavior requires both knowledge of the current state of an entity as well as its previous states. This involves modeling the state of an entity at the current time period conditionally to its state at previous time periods. For instance, identifying whether the current configuration or behavior of an account is anomalous often requires examining past configurations or behaviors. LDA provides a framework for achieving this.
A separate benefit to LDA is the ability to include subject-specific information within the model. For example, certain accounts might be expected to have higher levels of privilege than others; LDA approaches provide various methods of incorporating this subject-specific information into the model. The importance of this is illustrated in the graph below. Accounts A and B both have sudden privilege increases, or privilege jumps, at time 10. If we were to only compare privilege at times 9 and 10, both changes would be concerning; however, when Account B’s entire history is included, this increase in privilege is much less surprising. Inclusion of this subject-specific information is thus critical in identifying anomalous changes over time.
In modeling this behavior, we can use the function: ⨍(𝒴𝑡 |𝒴𝑡-1, 𝒴𝑡-2). This function is visualized in the graph below (adapted from Bishop, 2006). In this second-order model, the state (𝒴) at the current time period (𝑡) is modeled conditionally on the state in the previous two time periods: 𝒴𝑡-1 and 𝒴𝑡-2. This enables the model to utilize past behavior when predicting expected values at the current time period.
Now, let’s apply this to identity security. A user may have standard access, but later gain excessive or unwarranted permissions, which could be exploited if left unchecked. Longitudinal data analysis allows security teams to see this evolution in access patterns, track trends in permissions, and flag any deviations that might otherwise go unnoticed. This approach is especially useful for identifying unusual changes in state, such as changes in account dormancy, privilege escalation, and lateral movement within a system.
Here are a few more examples of how LDA can be used in identity security:
Applying LDA requires a systematic approach to data collection, analysis, and anomaly detection:
Collecting data over time is the foundation of LDA. In the context of identity security, this includes logging account activity, privilege levels, access requests, and other interactions with the identity management system.
To enable LDA, it is critical that both the current state and previous states are recorded. For example, if the goal is to identify unusual privilege changes, it is insufficient to record only an account’s current state. At a minimum, we would require the user’s current privilege level and previous privilege level, although more effective analysis can be performed with a more complete collection of state changes.
As we’ve established above, Longitudinal Data Analysis is time-based—that means the data needs to be properly structured to preserve timestamps, or temporal markers, to allow it to ensure events are comparable and identify trends, anomalies, or behavioral shifts can be made visible.
There are several approaches to structuring data in LDA:
This table demonstrates how data is structured in the Repeated Measurements approach.
| Time | Account ID | Privilege | privilege_lag1 |
|---|---|---|---|
| t-7 | 7ab0d09 | low | NA |
| t-6 | 7ab0d09 | low | low |
| t-5 | 7ab0d09 | low | low |
| t-4 | 7ab0d09 | high | low |
| t-3 | 7ab0d09 | high | high |
| t-2 | 7ab0d09 | high | high |
| t-1 | 7ab0d09 | high | high |
| t | 7ab0d09 | high | high |
In LDA for identity security, we derive features that capture critical information about user behavior, access patterns, and privilege changes over time. Feature engineering transforms raw logs into meaningful signals that help detect anomalies, predict risk, and uncover hidden threats. This step is essential to enable models to learn temporal dependencies and behavioral baselines.
Some key types of features include:
Through LDA, unusual patterns of account activity, changes in privilege, and dormant periods can be visualized and analyzed. By setting thresholds for unusual activity—such as unexpected privilege escalation (privilege jumps), erratic login behavior, or inactivity—security teams can effectively flag accounts or actions that warrant further investigation.
This detection process can leverage different analytical methods, including:
By combining these approaches within a longitudinal analysis framework, identity security teams can move beyond static thresholds and gain a more adaptive, context-aware view of risk that is capable of detecting both known and novel identity-based threats.
In this use case, we’ll apply LDA to identify suspicious privilege changes in service accounts. Service accounts pose a unique security risk because they often have elevated privileges that do not change over time. Often unmonitored, these accounts may have access to sensitive resources, increasing the organization’s attack surface. If compromised, these accounts can be exploited for privilege escalation attacks, and unauthorized actions can be performed due to those elevated access levels.
Here are the technical steps security teams can follow to identify suspicious elevation of privilege activity using LDA:
Service accounts can be identified via rule-based or model-based approaches. Under the model-based approach, this could take the form of a model estimating the conditional probability of an account being a service account given its configuration and/or behavior.
Next, we look for increases in privilege levels for these service accounts. This requires a quantitative or ordinal value representing the privilege level of each account as well as a history of each account’s privilege. A simple yet effective detection might identify any privilege increase on a service account as concerning. Non-service accounts, having potentially more variability in their privilege changes due to just-in-time (JIT) access or other organizational policies, may require more complex model-based approaches that incorporate additional lags, account-specific effects, and/or estimate a particular correlation structure.
A model to identify service accounts with unusual privilege changes can be represented in the manner shown in the graph below. Additional features that might be useful in modeling expected privilege level, such as the number of days since last activity, are represented by the vector 𝑿.
The following table describes a hypothetical scenario in which a privilege increase is observed on a service account that has been inactive for a prolonged period. Additional information, such as the specific privileges, groups, or roles added to this account, can be included to provide additional context for the analyst. In this case, a simple comparison of the current privilege level with the previous privilege level can identify the anomalous change in privilege.
The asterisked selection on this table shows a privilege jump on a service account that has been inactive for a prolonged period.
| time | accountId | isServiceAccount | privilege | privilege_lag1 | daysSinceLastActivity |
|---|---|---|---|---|---|
| t-4 | 7ab0d09 | True | low | low | 91 |
| t-3 | 7ab0d09 | True | low | low | 92 |
| **t-2** | **7ab0d09** | **True** | **high** | **low** | **93** |
| t-1 | 7ab0d09 | True | high | high | 1 |
| t | 7ab0d09 | True | high | high | 2 |
For any service account showing a significant increase in privilege, an alert is generated for the security team to investigate further. The frequency of alerts can be modified by tuning the thresholds used to identify service accounts and relevant privilege changes.
Additional Recommendations
LDA not only helps in identifying unusual privilege changes, but also empowers security teams to improve overall security practices:
Longitudinal Data Analysis is an invaluable, albeit often underutilized tool, for identity security. Unlike point-in-time-based assessments, LDA enables security teams to track and analyze user behavioral trends, detect subtle anomalies, and spot privilege shifts as they occur over time. The detection of privilege jumps in service accounts is just one example of LDA's potential.
When woven into a broader security strategy, LDA equips organizations with the context and continuity needed to truly understand how identities evolve and behave across their environments. In doing so, it strengthens defenses against modern threats—many of which thrive in the blind spots between traditional detection methods.
At BeyondTrust, we integrate LDA-driven insights into the BeyondTrust Pathfinder Platform to help you see and secure the Paths to Privilege™ in your environment. By gaining visibility into behavior over time—not just at a single moment—you can uncover hidden risks, reduce attack surfaces, and respond to threats with greater speed and confidence.
LDA-based techniques are used within a variety of detections, including anomalous service account behavior, unusual account creation, and potential session hijacking—with additional detections currently in development. In one instance, our system detected a service account deviating from its normal behavior and accessing unusual applications with a rare user agent. The plot below shows anomaly scores for this account over time, clearly highlighting suspicious activity in May 2024. Our model successfully detected this anomalous activity, and we were able to notify the customer within 24 hours. It was later confirmed that the activity was part of a scheduled penetration test.
Ready to take the next step? Explore how BeyondTrust Identity Security Insights® can help you harness the power of LDA to uncover hidden privilege risks and harden your identity landscape by taking our free Identity Security Assessment.
Darren Maynard is a Senior Data Scientist at BeyondTrust with over a decade of experience in data science and machine learning. His work has focused on solving complex problems involving large datasets and rare event detection in both industry and government. He holds a master’s degree in statistics and previously worked within the defense sector.
BeyondTrust Phantom Labs™ believes the best way to fully understand cybersecurity threats is to work closely with our customers and partners, conducting real world research into the attacks that matter most to them. By dissecting emerging attack methods and exploitation techniques of threat actors, as well as conducting novel research, the team’s mission is to help organizations defend against identity threats.