Continuous User Behavior Analytics: The Use of ML in Identity and Access Management to Increase Security

Jebastin Packiaraj Ponnudurai
Published 09/28/2023
Share this on:

ML for Identity Access ManagementAccording to a 2023 Deloitte Center for Controllership poll, 48.8 percent of C-suite and other executives expect the number and size of cyber events targeting their organizations’ accounting and financial data to increase within the next year. With continuous advancements in artificial intelligence (AI), machine learning (ML), and digital automation, the number of reported cyber attacks each year is growing at an alarming rate. This puts global organizations at a significantly higher risk of security breaches, placing stolen data in the wrong hands.

A critical component for eliminating potential threats while adopting a modern approach to cybersecurity is continuous user behavior analytics (UBA).Citrix defines UBA as “cybersecurity technology that uses monitoring tools to gather and assess data from user activity, with the goal of proactively finding and flagging suspicious behavior before it leads to a data breach.” While ML focuses on understanding how users interact with an organization’s technology, UBA captures that information and detects unusual activity or suspicious interactions, thereby stopping attackers from accessing sensitive data. UBA fights potential threats and attacks in real time through automated analysis to eliminate unnecessary risks quickly and efficiently.

Applying user behavior analytics to cybersecurity

To fully understand the intricacies of UBA and how it enhances enterprise-wide cybersecurity, it’s important to break down the factors that lead to common successes and failures before implementation. Continuous UBA reveals patterns, anomalies, and potential threats that often go unnoticed. It analyzes historical data and prior behaviors to create an established baseline pattern for behavior considered “normal.” UBA allows the system to determine unusual or harmful behaviors by forming a point of reference. Detected anomalies include unusual login times, unexpected access locations, abnormal data transfers, and other behaviors that typically indicate a compromised account. After detecting these anomalies, UBA assigns risk scores or severity levels to assist security teams with prioritizing responsive efforts. It even picks up on phishing or credential attacks that may include users clicking on suspicious links or entering sensitive credentials into fraudulent sites.

UBA’s ML-driven analytics seamlessly detect advanced threats and evade traditional security measures. There are many factors and functionalities that allow this to happen, which is what makes continuous UBA so appealing to global organizations. UBA’s one-up over traditional security practices is achieved through behavioral analysis, anomaly detection, adaptive learning, feature extraction, identifying behavioral deviations through new or unknown attack methods, and reducing false positives to ensure alerts remain meaningful and accurate. Via continuous monitoring and intricate data identification, ML detects certain anomalies or qualities that are missed by the human eye. This ensures the mitigation of these threats with rapid threat detection and timely incident responses with 24/7 monitoring.



Want More Tech News? Subscribe to ComputingEdge Newsletter Today!



Ethical principles, practical guidelines, and best practices

Continuous UBA brings controversy concerning its potential invasiveness toward individual privacy rights, especially when capturing detailed activity. This often raises an ethical debate about the fine line between cybersecurity needs, user privacy, and moral considerations for organizations to ensure transparency and user consent when continuous UBA is in effect. Because these ML models collect and analyze sensitive user data and their respective credentials, it is essential for leadership to ensure this process aligns with cybersecurity needs and is used for legitimate purposes only.

On the other hand, users must also be made aware of the UBA implementation and the behavioral data it monitors to ensure a complete understanding and full consent. This also means protecting sensitive information through anonymization and encryption to safeguard trust from the users when sharing their data. Organizations can guarantee a healthy work environment that provides transparency while respecting user rights by applying data storage policies and avoiding intrusive monitoring.

When UBA is effectively implemented into identity and access management (IAM) systems, organizations can better detect, understand, and eliminate account compromises, access abuse, and anomalous behaviors. Some of these primary benefits include:

  • Advanced threat detection. This type of detection identifies more sophisticated or complex threats often overseen by traditional security measures due to its central focus on unusual or unauthorized activities.
  • Insider threat detection. This detection notifies organizations of internal risks, often involving employees misusing their access or pursuing unauthorized activities that go against a strict code of conduct.
  • Adaptive security. UBA’s ML functionalities learn from prior user behavior to ensure stronger detection from evolving behaviors.

When leveraging continuous UBA, it’s essential to know the best practices and practical guidelines for implementation to best serve an organization’s unique needs. That’s why it is important for organizations to define their objectives and use cases to understand what they want to accomplish with UBA before implementing it. Then, they need to collect the login data they would like protected, clean and preprocess it into a suitable analysis format, and establish a baseline to indicate normal behavior levels.

Despite offering solutions for everyone, each organization is different. This means businesses need to select the UBS solution that aligns with their enterprise’s unique situation and requirements. Because different models may be needed for different use cases, it’s important to develop ML capabilities that detect the potential threats that pertain to a specific enterprise’s resources to meet unique cybersecurity standards.

Recent cybersecurity success stories and case studies

In a 2020 report, 68 percent of IT and security experts felt their employers were somewhat or very at risk of insider attacks. As AI and analytics continue to dominate the modern tech industry and business landscape, it’s important to acknowledge recent success stories for major organizations. In 2021, Intuit, a financial software company, implemented UBA to enhance its enterprise-wide cybersecurity defenses. This allowed the company to detect insider or other threats and anomalies while eliminating unauthorized access to sensitive financial data. By reducing response times and consistently monitoring user behavior across their entire system, Intuit achieved a modern approach to cybersecurity.

UBA has also been implemented into cybersecurity for colleges and universities to protect sensitive academic data from falling into the wrong hands. Recently, Oregon State University strengthened its security measures within the education sector. By monitoring user behavior, the analytics enabled the school to detect potential threats and unauthorized activities pertaining to student and faculty data. They also found compromised accounts more quickly to ensure the safety and privacy of those involved.

The future of UBA in cybersecurity

Although the future of continuous UBA remains unknown, current trends within the industry may lead to key innovations moving forward. Some of these distinct possibilities fall under relevant UBA solutions, including:

  • Real-time analysis. As ML-driven models evolve, security teams will respond more swiftly to emerging incidents due to real-time analysis of user and entity behaviors.
  • Contextual insights. ML algorithms will provide increasingly more contextual insights into various anomalies, enabling analysts to make more informed decisions based on a stronger understanding of user behavior.
  • Explainable AI. As AI develops and evolves, security professionals will need to understand how ML-driven models arrive at certain decisions for the sake of transparency. AI will be better explained and understood on both ends.

AI and its ever-expanding role in global business make it difficult to pinpoint where it can take the market on the road ahead. An increased reliance on technology in helping to monitor an organization’s operational workflow continues to grow with increased risks and attacks. By better understanding how sensitive or critical data is accessed and leveraged by accepted users, organizations will have a heightened awareness of anomalous occurrences and harmful activities.

Unfortunately, companies can’t prevent attackers from attempting to steal or access valuable information, but they can block and eliminate potential threats and vulnerabilities that could jeopardize the entire enterprise at its core. UBA provides businesses with a modern approach to cybersecurity that comprehends the proper measures and procedures behind accessibility while managing the overall privacy of information intended for a particular audience.

About the Author

JebastinPackiarajPonnudurai9-23Jebastin Packiaraj Ponnudurai is a senior technical consultant with more than 15 years of experience in identity and access management in the cybersecurity industry. He is a subject matter expert in providing IAM solutions that align with industry-specific security needs and regulatory requirements. Jebastin holds a Master of Technology degree in data science and engineering from the Birla Institute of Technology and Science, Pilani in India. For more information, contact


Disclaimer: The author is completely responsible for the content of this article. The opinions expressed are their own and do not represent IEEE’s position nor that of the Computer Society nor its Leadership.