When we examine the cause of most data breaches today, almost all of them involve the perpetrator getting access to and using legitimate login credentials. According to Forrester, approximately 80% of breaches involve compromised privileged accounts.
When this happens, it essentially equates to an “insider attack” and guarding against this type of activity requires the ability to detect when hackers are using your stolen credentials. Unfortunately, traditional methods of using security tools to detect and thwart this threat are falling short. However, a new type of user behavior analytics has been engineered for this specific problem, and it is proving to be highly effective.
This new method I speak of is called Privileged User Behavior Analytics, or PUBA for short. PUBA uses machine learning technology to analyze the behavior of your privileged accounts to create baseline behaviors for your users and those privileged accounts. This baseline allows you to rapidly detect and alert your security team to anomalous behavior, an early indication of compromise or abuse.
How does privileged user behavior analytics differ from user behavior analytics?
Before we get into PUBA, let me explain a little about User Behavior Analytics (UBA).
UBA is when you use your monitoring system to track, collect, and assess your user data. UBA technologies analyze your historical data logs, to include your network and authentication logs you have collected and stored in your SIEMs and log management systems. This data is then used to identify the normal and malicious behavior traffic patterns of your users. With this analysis, you can develop some actionable items for your security teams to implement to increase the safety of your network.
UBA collects many types of data on your network's activities, including information about your users’ roles and titles, access, accounts, and permissions. Additionally, it collects information on user activities where those activities are conducted from, generating security alerts based on this activity if required. You are able to take historical data and compare it to current activity, and analyze the data based on factors such as the resources your users used, how long they used it, where they are connecting from. You can schedule automatic updates when changes occur to the data, such as privilege promotions or added permissions.
UBA is a unique and exciting subfield within security. It examines your user account activity to determine if attackers are trying to penetrate your defenses using a low privilege user account and escalating its privileges. This approach is effective because UBA technologies notice when user accounts are operating outside of the normal activities of the account, based on its historical data.
The functions that privileged user behavior analytics performs
So back to PUBA. PUBA technology can assist you to perform three main functions:
- It helps you to determine a baseline of your user’s normal activities
- It helps you to quickly recognize any deviations from those user’s normal activites
- Based on this information, it alerts your security team to take action
The anomalous or negligent behavior might not be malicious, but at least you are aware of it and can investigate further. PUBA will enable your IT and Security administrators to rapidly discover breaches before they even occur, analyze how your privileged accounts are distributed and examine how they are accessed throughout your organization. This adds an additional layer of security to your defense-in-depth strategy. This way your time can be better spent focusing on finding, managing, and protecting your privileged accounts.
There are at least three uses that I can recommend for PUBA within your organization. They are as follows:
- Identify compromised service accounts. Your service accounts are constantly under attack from cybercriminals looking to compromise your network. Many of these accounts are not sufficiently monitored, but may have high access rights for use by your operating systems and various applications to perform such activities as automated background tasks. The activity of these accounts must be monitored to confirm that they are not accessing systems they are not authorized to access, or worse, transmitting your critical data to unauthorized recipients.
- Detect privileged account abuse. Your privileged accounts are the prime targets for Therefore, it is imperative that you monitor the use of these accounts for unusual behavior. Automated, remote, or simultaneous access can be a telltale indicator of insider threat. Logging in at unusual times, accessing unauthorized accounts and systems, and unsanctioned data transmissions should all raise red flags.
- Discover shared credentials.Unfortunately, it is a fact that users share their passwords with others, even when it is in violation of your policy. Using PUBA to monitor for simultaneous, remote, or unusual usage of user accounts can help you to discover and deal with credential sharing violations.
How BeyondTrust Can Help
The Privileged Access Management platform offered by BeyondTrust combines behavioral analytics, vulnerability and malware intelligence, and security data from best-of-breed security solutions to allow you to out-maneuver attackers and stop data breaches. PowerBroker leverages BeyondTrust platform capabilities to:
- Aggregate user and asset data to centrally baseline and track behavior
- Correlate diverse asset, user, and threat activity to reveal critical risks
- Identify potential malware threats buried in asset activity data
- Measure the velocity of asset changes to flag in-progress threats
- Isolate users and assets exhibiting deviant behavior
- Generate reports to inform and align security decisions
- Increase the ROI of deployed security solutions with deep risk analytics
Dependable insider threat detection is essential to safeguard your environment and you must be diligent about using every mechanism at your disposal. PUBA can help with this, but keep in mind that it alone is not the “magic pill” for protecting your user accounts. It is also important to use baseline protections such as firewalls, intrusion prevention system (IPS), intrusion detections systems (IDS), etc., to form a complete defense-in-depth strategy for your network. Layering on PUBA helps ensure your security is that much tighter and resilient.
If you would like to learn more about BeyondTrust’s threat analytics capabilities, contact us today.

Derek A. Smith, Founder, National Cybersecurity Education Center
Derek A. Smith is an expert at cybersecurity, cyber forensics, healthcare IT, SCADA security, physical security, investigations, organizational leadership and training. He is currently an IT Supervisor at the Internal Revenue Service. He is also owner of The Intercessors Investigative and Training Group (www.theintercessorgroup.com). Formerly, Derek worked for several IT companies including Computer Sciences Corporation and Booz Allen Hamilton. Derek spent 18 years as a special agent for various government agencies and the military. He is also a cyber security professor at the University of Maryland, University College and Virginia University of Science and Technology and has taught for over 25 years. Derek is retired from the US Army and also served in the US Navy, and Air Force for a total of 24 years. He is completing his Doctorate Degree in Organizational Leadership and has completed an MBA, MS in IT Information Assurance, Masters in IT Project Management, and a BS in Education. Derek has written several books including Cybersense: The Leaders Guide to Protecting Critical Information, and its companion workbook, and he has contributed to several other books as an author and technical adviser.