We’ve been honing our Zero Trust detection capabilities, standardizing our log data (Activity 7.1.2) and analyzing it for user and device risk levels (Activity 7.1.3). But to detect subtle threats and anomalies, you need a clear definition of “normal.” How do you spot suspicious activity if you don’t know what typical behavior looks like? This brings us to Zero Trust Activity 7.2.5: User/Device Baselines.

This activity is the foundational step in applying behavioral analytics to your Zero Trust strategy. It mandates that DoD Components develop a subject/attribute baseline approach based on typical patterns and behavior (likely guided by an earlier “Establish User Baseline Behavior” activity). This approach is designed to serve as a benchmark for security when identifying and responding to abnormal or malicious activity. It’s about systematically defining what “normal” looks like for every user and every device in your environment.

This activity is vital for maturing your threat detection, moving beyond signature-based alerts to intelligently identify deviations that signal advanced threats or insider risks.

The outcomes for Activity 7.2.5 highlight the establishment of this critical analytical foundation:

  1. Components identify a subject/attribute baseline approach.

The ultimate end state underscores the continuous security benefit: Components can utilize baseline approach to build profiles in activity “Baseline and Profiling Pt 1.” (7.4.1). This sets the stage for more comprehensive behavioral profiling and dynamic risk scoring.

Solutions for Achieving User/Device Baselines

Implementing Activity 7.2.5 requires a methodology for defining normalcy, robust data collection, and advanced analytical capabilities to build and maintain behavioral baselines:

  1. Developing a Baseline Approach Methodology:
    1. Process: Components define what attributes and behaviors will be baselined for users (e.g., typical login times, usual accessed applications, standard data transfer volumes, common locations) and for devices (e.g., normal process execution, typical network connections, common software installations).
    2. Subject/Attribute Focus: The approach clarifies which subjects (users, specific devices, types of NPEs) and which attributes (e.g., source IP, destination, time of day, data volume, process name) will be tracked to define typical patterns.
  2. Leveraging SIEM/XDR Platforms for Data Collection and Analytics:
    1. Central Data Hub: Your Security Information and Event Management (SIEM) / Extended Detection and Response (XDR) platform (e.g., Elastic Security) is the primary technology for collecting and storing the massive amounts of standardized log data (from Activity 7.1.2) needed to build baselines.
    2. Behavioral Analytics Capabilities: Utilize the User and Entity Behavior Analytics (UEBA) capabilities within Elastic Security (or integrate with dedicated UEBA solutions). These capabilities employ machine learning and statistical analysis to automatically identify normal patterns in the ingested data over time.
    3. Trend and Pattern Development: The SIEM/XDR analyzes long periods of historical data to develop statistical trends and patterns for user and device activities, which form the actual baselines.
  3. Integrating Rich Data Sources for Baseline Inputs:
    1. Identity Data (Okta’s Contribution): Your Identity Provider (e.g., Okta) provides the foundational “who” data. Its authentication logs (login times, locations, successful/failed MFA attempts, applications accessed) are crucial inputs for building user behavioral baselines. Okta’s role and group information also help define different “normal” behaviors for different user segments.
    2. Endpoint Data (Trellix’s Contribution): Trellix’s EDR/XDR platform provides the rich, granular telemetry from endpoints (process execution, file activity, network connections, system calls). This data is essential for building robust device behavioral baselines, defining what “normal” looks like for specific types of laptops, servers, or critical service devices. This data flows into Elastic Security for analysis.

How Okta, Trellix, and Elastic Work Together to Achieve Desired Outcomes and End State:

These three strategic partners form a powerful triad to achieve the outcomes and end state of Activity 7.2.5, driving the creation of accurate user and device baselines:

  • Elastic Security (The Analytics Engine and Baseline Repository):
    • Achieving Outcomes: Elastic Security is where the “subject/attribute baseline approach” is operationalized. It acts as the central analytics engine that ingests vast amounts of data, performs the complex statistical and machine learning computations to automatically identify “common user and device activities” and build the actual “baselines.” This directly contributes to identifying a “subject/attribute baseline approach” and being able to “build profiles” later.
    • Achieving End State: By continuously updating these baselines, Elastic enables Components to “utilize baseline approach to build profiles” for dynamic risk scoring in subsequent activities like “Baseline and Profiling Pt 1.”
  • Okta (The User Identity and Behavioral Context Provider):
    • Achieving Outcomes: Okta provides the essential identity context that enables Elastic to build meaningful user baselines. It gives the “who” and crucial “login/access” activity data. Without Okta’s authoritative identity data, baselines would be generic. Okta’s behavioral logs are direct inputs to Elastic’s UEBA capabilities.
    • Achieving End State: Okta’s identity profiles are the foundation upon which behavioral profiles in subsequent activities are built, ensuring accuracy.
  • Trellix (The Device Behavior Data Source):
    • Achieving Outcomes: Trellix’s EDR/XDR platform provides the rich, granular telemetry from the endpoint that is paramount for building accurate device baselines within Elastic. It delivers insights into process execution, network connections, and system interactions, helping to define “normal” behavior for specific device types.
    • Achieving End State: Trellix’s continuous monitoring provides the ongoing stream of device behavioral data needed to maintain and refine baselines, ensuring they remain relevant for profiling.
  • The Combined Synergy: Okta provides the unique identity of the “subject.” Trellix provides the unique behaviors and attributes of the “device.” Elastic Security pulls all this standardized data (often pre-optimized by Cribl) together, applies its powerful analytics, and creates the definitive “baselines” for what constitutes normal patterns of behavior for each user and device. This integrated approach moves your Zero Trust architecture beyond simple rules to truly intelligent, adaptive detection based on behavioral context.

Key Items to Consider:

  • Defining “Normal” is Complex: This requires iterative tuning. What’s normal for a developer may be abnormal for an HR manager. Baselines need to account for roles, departments, time, and specific device types.
  • Data Volume and Quality: Building accurate baselines requires collecting and storing massive amounts of high-quality, historical log data. Data pipeline optimization (Activity 7.1.2) is critical here.
  • Managing Seasonality and Evolution: User and device behavior changes over time (e.g., seasonal peaks, new applications, remote work trends). Baselines need to be continuously updated and retrained to remain accurate and minimize false positives.
  • False Positive Management: Initial behavioral baselines often generate many false positives. A robust process for analyst review and feedback (human-in-the-loop) is essential for tuning.
  • Attribute Selection: Carefully select the most relevant attributes to baseline. Too many can create noise; too few can miss important anomalies.
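The following is an added, self-contained illustration of the baseline approach described in the solutions list above and of the considerations just listed; it is not code from Okta, Trellix, Elastic, or the DoD roadmap. It builds per-user and per-role profiles from a constructed set of standardized authentication events (field names such as `geo`, `app` and `bytes_out` are assumptions, not any vendor’s schema), keeps only events inside a rolling window so stale behavior ages out, falls back to the role profile for a user with no history, and scores new events by how many baselined attributes they fall outside of.

```python
"""Per-subject behavioral baselines from standardized events (added illustration)."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Attributes chosen for baselining (the subject/attribute focus). Categorical
# attributes become the set of values seen; numeric ones get mean and stdev.
CATEGORICAL = ("hour", "geo", "app")
NUMERIC = ("bytes_out",)

# Constructed sample of standardized auth/access events. Field names are an
# assumption, not Okta's or Elastic's schema. Alice is a developer with steady
# daytime habits; Bob is an HR manager who never uses the code-hosting app.
EVENTS = [
    {"user": "alice", "role": "developer", "ts": "2025-03-03T09:05:00", "geo": "US-VA", "app": "gitlab", "bytes_out": 110_000},
    {"user": "alice", "role": "developer", "ts": "2025-03-04T09:40:00", "geo": "US-VA", "app": "gitlab", "bytes_out": 130_000},
    {"user": "alice", "role": "developer", "ts": "2025-03-05T10:15:00", "geo": "US-VA", "app": "jira", "bytes_out": 90_000},
    {"user": "alice", "role": "developer", "ts": "2025-03-06T17:30:00", "geo": "US-VA", "app": "gitlab", "bytes_out": 120_000},
    # Stale event from a previous assignment: should age out of a 30-day window.
    {"user": "alice", "role": "developer", "ts": "2025-01-10T09:00:00", "geo": "US-TX", "app": "gitlab", "bytes_out": 100_000},
    {"user": "bob", "role": "hr", "ts": "2025-03-03T08:30:00", "geo": "US-DC", "app": "workday", "bytes_out": 20_000},
    {"user": "bob", "role": "hr", "ts": "2025-03-04T08:45:00", "geo": "US-DC", "app": "workday", "bytes_out": 25_000},
    {"user": "bob", "role": "hr", "ts": "2025-03-05T13:00:00", "geo": "US-DC", "app": "outlook", "bytes_out": 15_000},
]
NOW = datetime(2025, 3, 7)  # reference time for the rolling window (constructed)


def _features(ev):
    """Project one standardized event onto the attributes being baselined."""
    return {"hour": datetime.fromisoformat(ev["ts"]).hour, "geo": ev["geo"],
            "app": ev["app"], "bytes_out": ev["bytes_out"]}


def _profile(feats):
    """Summarize a list of feature dicts into one subject profile."""
    prof = {a: {f[a] for f in feats} for a in CATEGORICAL}
    for a in NUMERIC:
        vals = [f[a] for f in feats]
        prof[a] = (mean(vals), pstdev(vals), len(vals))  # mean, stdev, sample count
    return prof


def build_baselines(events, now=NOW, window_days=30):
    """Build per-user and per-role profiles from events inside a rolling window.

    The window is what keeps baselines current as behavior evolves: events
    older than the cutoff simply age out on the next rebuild.
    Returns {"user": {name: profile}, "role": {role: profile}}.
    """
    cutoff = now - timedelta(days=window_days)
    buckets = {"user": defaultdict(list), "role": defaultdict(list)}
    for ev in events:
        if datetime.fromisoformat(ev["ts"]) < cutoff:
            continue
        f = _features(ev)
        buckets["user"][ev["user"]].append(f)
        buckets["role"][ev["role"]].append(f)
    return {kind: {k: _profile(v) for k, v in b.items()} for kind, b in buckets.items()}


def score_event(ev, baselines, z_threshold=3.0):
    """Return (score, reasons); each attribute outside the baseline adds one point.

    A user without a profile yet falls back to their role's profile, so what
    is normal for a developer applies to a newly onboarded developer too.
    """
    prof = baselines["user"].get(ev["user"]) or baselines["role"].get(ev["role"])
    if prof is None:
        return 0, ["no baseline for subject or role; cannot score"]
    f, reasons = _features(ev), []
    # Hour-of-day: allow +/-1h around any previously seen hour, wrapping at midnight.
    if not any(min(abs(f["hour"] - h), 24 - abs(f["hour"] - h)) <= 1 for h in prof["hour"]):
        reasons.append(f"hour {f['hour']} outside usual hours {sorted(prof['hour'])}")
    for a in ("geo", "app"):
        if f[a] not in prof[a]:
            reasons.append(f"{a} {f[a]!r} never seen; baseline {sorted(prof[a])}")
    for a in NUMERIC:
        mu, sigma, n = prof[a]
        # Require a few samples and non-zero spread before trusting a z-score.
        if n >= 3 and sigma > 0 and (f[a] - mu) / sigma > z_threshold:
            reasons.append(f"{a}={f[a]} is {(f[a] - mu) / sigma:.1f} sigma above mean {mu:.0f}")
    return len(reasons), reasons


if __name__ == "__main__":
    baselines = build_baselines(EVENTS)
    checks = [  # constructed events to score against the baselines
        {"user": "alice", "role": "developer", "ts": "2025-03-07T09:30:00", "geo": "US-VA", "app": "gitlab", "bytes_out": 115_000},
        {"user": "alice", "role": "developer", "ts": "2025-03-07T03:00:00", "geo": "XX-01", "app": "gitlab", "bytes_out": 2_000_000},
        {"user": "carol", "role": "developer", "ts": "2025-03-07T10:00:00", "geo": "US-VA", "app": "jira", "bytes_out": 100_000},
        {"user": "bob", "role": "hr", "ts": "2025-03-07T08:30:00", "geo": "US-DC", "app": "gitlab", "bytes_out": 20_000},
    ]
    for ev in checks:
        score, why = score_event(ev, baselines)
        print(f"{ev['user']:6} score={score} {why}")
```

The score is deliberately additive and attribute-by-attribute so an analyst reviewing a hit sees which baselined attribute was violated, which is the feedback a human-in-the-loop tuning process needs. The `n >= 3` and `sigma > 0` guards are the minimum defence against the false-positive flood a freshly built numeric baseline produces; in a production UEBA you would also weight attributes and let the rolling window length vary by role.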

For the Technical Buyer

Activity 7.2.5 is about building the scientific foundation for intelligent threat detection in your Zero Trust architecture. It’s about moving beyond simple rules to systematically defining “normal” behavior for every user and device in your environment. For technical buyers, success here means leveraging your Elastic Security platform’s powerful analytics and UEBA capabilities, fueled by the essential identity context from Okta and the rich endpoint telemetry from Trellix. This integrated approach allows you to build comprehensive behavioral baselines, which are indispensable for automatically identifying deviations and anomalies that signal advanced threats.

Pillar: Visibility & Analytics

Capability: 7.2 Security Information and Event Management (SIEM)

Activity: 7.2.5 Asset ID & Alert Correlation

Phase: Target Level

Predecessor(s): 1.6.1 Implement User & Entity Behavior Activity (UEBA) and User Activity Monitoring (UAM) Tooling, 7.1.3 Log Analysis, 7.3.2 Establish User Baseline Behavior Pattern

Successor(s): 1.6.2 User Activity Monitoring Pt1, 2.3.1 Entity Activity Monitoring Pt1 Implement Extended Detection & Response (XDR) Tools and Integrate with C2C Pt1

Technology Partners