What is a behavioral baseline
A behavioral baseline is the reference profile built for each user, credential, or asset monitored by Segura's Behavior Engine. It represents the typical set of actions, patterns, times, access methods, and interaction behaviors that characterize the normal, legitimate use of that user, credential, or asset within the organizational context.
The profile is not a fixed snapshot: it is the reference against which new activity is continuously compared, and it is updated as behavior evolves or as new legitimate activities are learned.
Creating the user's profile
Segura employs multiple sources and signals to build and update each user's baseline:
- Typing patterns: analyzes the speed, rhythm, pressure, and sequence of keystrokes during interactive sessions (RDP, SSH, web), identifying unique patterns for each user.
- Executed commands: monitors the sequence, frequency, and nature of commands and scripts used, both in terminals and specific applications.
- Access times: maps the most common times and days of the week for each user to access sensitive resources.
- Devices and locations: identifies endpoints, IP addresses, mobile devices, and usual access locations.
- Accessed applications: records which systems, web applications, databases, and assets the user usually utilizes, as well as the frequency and context.
- Session patterns: analyzes typical session duration, intervals between accesses, navigation workflow, and seasonal variations.
- Credential queries and views: monitors the frequency, type, and time of queries to secrets and passwords.
Baseline Phases
The baseline process is divided into three main phases:
- Initial learning: during a user's first accesses, the behavior engine collects broad data and learns that user's fundamental patterns. In this phase, thresholds are deliberately looser to avoid false positives while the profile is still incomplete.
- Continuous adaptation: with regular use, the baseline automatically adjusts to legitimate changes (e.g., new work hours, job promotion, change of role). The model learns new routines and dynamically adjusts limits.
- Dynamic limits: the limits (thresholds) for anomaly detection are not static: they are adapted by machine learning algorithms and constantly reevaluated, taking into account organizational context, seasonality, and policy changes.
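To make the signals above and the three phases concrete, here is an added, self-contained illustration of how such a baseline can be built and scored. It is example code written for this page, not Segura's Behavior Engine or its real parameters: the feature set (hour, weekday, source IP, command), the learning-phase length, the decay factor, and the "mean plus three standard deviations" limit are all assumptions chosen for illustration, and the access events are constructed, not real logs.

```python
"""Added example (not Segura's code): a minimal per-user behavioral baseline
with an initial learning phase, continuous adaptation through count decay,
and a data-driven anomaly limit. All parameters below are assumed values."""
from __future__ import annotations

import math
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from statistics import mean, pstdev

LEARNING_EVENTS = 20   # assumed: events before the profile leaves initial learning
DECAY = 0.98           # assumed: per-event forgetting factor (continuous adaptation)
SIGMA_K = 3.0          # assumed: limit = mean + SIGMA_K * std of recent legitimate scores
STD_FLOOR = 0.5        # assumed: stops the limit collapsing for a very regular user
WINDOW = 50            # assumed: number of recent scores that define the current limit

FEATURES = ("hour", "weekday", "src_ip", "command")


def extract(event: dict) -> dict:
    """Map one raw access event to the discrete signals the baseline tracks."""
    ts = datetime.fromisoformat(event["ts"])
    return {"hour": ts.hour, "weekday": ts.weekday(),
            "src_ip": event["src_ip"], "command": event["command"]}


@dataclass
class UserBaseline:
    counts: dict = field(default_factory=lambda: {f: Counter() for f in FEATURES})
    total: float = 0.0            # decay-weighted number of events folded in
    events_seen: int = 0
    recent_scores: list = field(default_factory=list)

    def surprise(self, obs: dict) -> float:
        """Sum over features of -log P(value), Laplace-smoothed so a never-seen
        value is expensive but finite. Higher means less like this user."""
        s = 0.0
        for f in FEATURES:
            c = self.counts[f]
            p = (c[obs[f]] + 1.0) / (self.total + len(c) + 1.0)
            s -= math.log(p)
        return s

    def limit(self) -> float:
        """Dynamic limit: recomputed from recent legitimate scores. During initial
        learning (and until enough post-learning scores exist) it is infinite,
        so nothing alerts while the profile is still being established."""
        if self.events_seen < LEARNING_EVENTS or len(self.recent_scores) < 5:
            return math.inf
        spread = max(pstdev(self.recent_scores), STD_FLOOR)
        return mean(self.recent_scores) + SIGMA_K * spread

    def observe(self, event: dict) -> tuple[float, float, bool]:
        """Score the event against the current profile, then fold it in.
        Returns (score, limit, anomalous)."""
        obs = extract(event)
        score, lim = self.surprise(obs), self.limit()
        anomalous = score > lim
        # Continuous adaptation: age existing counts so old routines fade and
        # new legitimate ones (new hours, new role) take over within weeks.
        for c in self.counts.values():
            for k in c:
                c[k] *= DECAY
        self.total = self.total * DECAY + 1.0
        for f in FEATURES:
            self.counts[f][obs[f]] += 1.0
        # Only events judged legitimate reshape the limit, and only after
        # learning, so anomalies cannot simply push the threshold upward.
        if self.events_seen >= LEARNING_EVENTS and not anomalous:
            self.recent_scores.append(score)
            del self.recent_scores[:-WINDOW]
        self.events_seen += 1
        return score, lim, anomalous


# Constructed sample data (not real logs): one session per weekday for eight
# weeks, always from the same jump host, during business hours.
HOURS = (9, 10, 11, 14, 15, 16)
COMMANDS = ("ls -la /srv/app", "systemctl status nginx",
            "tail -n 100 /var/log/nginx/access.log")
START = datetime(2024, 6, 3, 0, 0)   # a Monday


def normal_events(n: int = 40) -> list[dict]:
    events = []
    for i in range(n):
        when = START + timedelta(days=(i // 5) * 7 + i % 5, hours=HOURS[i % 6])
        events.append({"ts": when.isoformat(), "src_ip": "10.0.0.5",
                       "command": COMMANDS[i % 3]})
    return events


# Sunday 03:12, unseen source address, unseen command: off on every feature.
ANOMALY = {"ts": "2024-07-28T03:12:00", "src_ip": "203.0.113.9",
           "command": "cat /etc/shadow"}


def run_demo() -> dict:
    bl = UserBaseline()
    normal = [bl.observe(e) for e in normal_events()]
    score, lim, flagged = bl.observe(ANOMALY)
    after = bl.observe({"ts": "2024-07-29T09:05:00", "src_ip": "10.0.0.5",
                        "command": "ls -la /srv/app"})
    return {"normal_flagged": sum(1 for _, _, a in normal if a),
            "anomaly_score": score, "limit": lim, "anomaly_flagged": flagged,
            "after_flagged": after[2]}


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

Two design points carry over to any real deployment of this idea. First, the limit is derived only from events the engine already judged legitimate, so a burst of anomalous sessions does not drag the threshold up with it. Second, the decay factor is what implements "continuous adaptation": a genuine change of role or working hours becomes the new normal after a few weeks of consistent activity, whereas a single out-of-pattern session stays surprising.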