User Behavior Analytics (UBA): key applications for cybersecurity

While User Behavior Analytics (UBA) is not a new concept, its applications are multiplying as Machine Learning becomes more mature. By combining Machine Learning and Big Data, UBA keeps its patterns (reference models) up to date and detects any deviation that is potentially dangerous for the information system.

What is User Behavior Analytics?

User Behavior Analytics is a category of applications that analyzes users' behavior and detects abnormal and potentially malicious actions. This behavioral analysis, which can be applied to all users, particularly those located within the organization's network, is part of a Zero Trust policy, which aims to trust no one, including logged-in users who have already passed the organization's perimeter defenses.

The main feature of User Behavior Analytics lies in predicting, and therefore neutralizing, a potential threat before it takes effect. It is through data analysis and machine learning that UBA applications are able to evolve and carry out their mission of protecting the information system.

Which applications for UBA?

User Behavior Analytics applications can identify hijacked accounts by detecting behavior that deviates from a known reference print (in some cases that of the individual user, in other cases that of a user profile), or detect malicious actions by a legitimate user.

Continuous authentication, which consists of guaranteeing the user's identity in real time based on his behavioral print (the way he uses the mouse and keyboard), addresses the first scenario: identity theft. In this case, it is not the actions that are analyzed, but rather the mouse movements, clicking habits or keyboard typing speed. This analysis validates the user's identity at a very fine level of detail, even if the user does not perform an action that is abnormal or considered dangerous for the organization.

The advantage of continuous authentication, which is based on behavioral biometrics, is the speed with which an illegitimate user is detected: after a few tens of seconds of mouse and keyboard use, the solution will block his session or ask him to re-authenticate, even if he has not committed any malicious action or deviated from what is considered "normal" use for a user or a user profile.

Ultimately, this is a form of "passwordless" authentication that is transparent to the user: users are continuously authenticated as they use the application, without any intrusion. Transparent, natural and continuous authentication is likely to make the user's life and experience easier, and therefore to make the user an active participant in his own cybersecurity.

Primary or secondary authentication: Authentication allows a user to prove his or her identity before accessing a resource or service. Primary authentication gives the user access to the workstation (Windows login). Several authentication modes can be made available to users: login and password, smart or contactless cards, biometrics, mobile, etc. To classify an authentication mode, it is enough to rely on the principle of the three factors: "What do I have?", "What do I know?", "Who am I?". The answers to these questions determine whether a given authentication method is "single" or "double" factor. Secondary authentication is a user's access to an application from an open session on a workstation. The application can be of any type: web, client-server, local to the workstation or external.

Which users is UBA intended for?

User Behavior Analytics is intended for all types of users: internal collaborators and external service providers, whether they access the organization's information system and applications from a controlled or uncontrolled network, via a professional or personal workstation.
But it is for privileged users that UBA is most relevant: they have information system administration rights and access to critical resources. Any compromise of this type of user could seriously harm the organization.

With this in mind, Systancia has integrated its continuous authentication solution, Systancia Cleanroom Authograph, into its PAM (Privileged Access Management) product, Systancia Cleanroom. Using Systancia Cleanroom for administration actions thus allows organizations to protect themselves against the risk of identity theft, since it is detected before the illegitimate user has time to carry out actions that are dangerous for the information system.

Privileged Access Management: PAM is a technology for managing the access and authentication of authorized users, usually information system administrators, to administrative resources or applications. The main objective is to secure the information system by removing unauthorized access to sensitive resources. This protection rests on two main pillars: managing the injection and life cycle of the passwords used in administered resources and administration applications, and tracing all the actions carried out during the sessions of users who are in a position to harm the information system, in the form of audit or video traces. The users covered by PAM may be internal users of the information system, such as system administrators or users handling sensitive data, as well as external users such as outsourced IT service providers or remote maintenance personnel.

Thanks to its applications and the challenges it addresses, User Behavior Analytics is today one of the major levers for improving the security level of organizations faced with increasingly sophisticated threats in cyberspace.
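The comparison of live keyboard behavior against a reference print, as described in the continuous authentication section, can be illustrated with the following added example; it is not Systancia's code or algorithm. It assumes two keystroke features (dwell and flight time in milliseconds), constructed sample timings, a MAD-scaled distance, and hypothetical window, threshold and strike values.

```python
from statistics import median

FEATURES = ("dwell_ms", "flight_ms")  # key hold time, gap between two keys

def enroll(samples):
    """Reference print: per-feature median and median absolute deviation (MAD)."""
    profile = {}
    for feat in FEATURES:
        values = [s[feat] for s in samples]
        med = median(values)
        mad = median(abs(v - med) for v in values) or 1.0  # avoid divide-by-zero
        profile[feat] = (med, mad)
    return profile

def window_score(profile, window):
    """Mean MAD-scaled distance between the window's medians and the print."""
    return sum(abs(median(s[f] for s in window) - med) / mad
               for f, (med, mad) in profile.items()) / len(profile)

def monitor(profile, events, window_size=20, threshold=3.0, strikes=2):
    """Return the index of the window that triggers re-authentication, else None.

    Requiring `strikes` consecutive deviating windows keeps one unusual burst
    of typing by the legitimate user from interrupting the session.
    All three parameters are hypothetical values chosen for this example.
    """
    consecutive = 0
    for start in range(0, len(events) - window_size + 1, window_size):
        score = window_score(profile, events[start:start + window_size])
        consecutive = consecutive + 1 if score > threshold else 0
        if consecutive >= strikes:
            return start // window_size
    return None

def synth(n, dwell, flight):
    """Constructed keystroke timings with deterministic jitter (not real data)."""
    return [{"dwell_ms": dwell + (i * 5 % 21) - 10,
             "flight_ms": flight + (i * 13 % 41) - 20} for i in range(n)]

if __name__ == "__main__":
    reference = enroll(synth(200, 95, 140))   # account owner's enrollment
    owner = synth(60, 95, 140)                # same typist, later session
    other = synth(60, 60, 220)                # different typist, same account
    print(monitor(reference, owner))          # None
    print(monitor(reference, owner + other))  # 4
```

The detection delay is set by `window_size` times `strikes`: smaller values react faster to a session takeover but raise the false re-authentication rate for the legitimate user.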