Anomaly Detection
Anomaly Detection is a technique that identifies unusual patterns in identity behavior — logins from unusual locations, access to unusual resources, or timing patterns that deviate from normal. It uses historical baseline data to flag deviations that might indicate compromise or abuse.
# WHAT TEAMS RUN INTO
- Anomalies are hard to define. What counts as anomalous depends on the person and their job. A sales executive might legitimately travel and log in from anywhere. A backend engineer might always log in from the same office. Creating per-person baselines is expensive.
- Legitimate behavior changes. Users get promoted, change teams, or take on new responsibilities, and their access patterns change legitimately. Baseline models that don't account for role changes will flag legitimate activity as anomalous.
- Attackers learn baselines. If an attacker has access to historical data about a user's normal behavior, they can try to mimic it. Attackers can log in from the user's typical location at typical times and use typical resources.
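The following is an added example (not code from the original page) of a minimal per-user baseline detector that illustrates the first two points above: each person's baseline is built from their own history, so the traveling sales executive and the office-bound engineer are judged by different norms, and a recorded role change discards pre-change history so the new role is not flagged as anomalous. All events, user names, resources and thresholds (`min_history`, `rare_fraction`) are constructed for the example.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta


# Constructed identity-login event (not real data).
@dataclass
class LoginEvent:
    user: str
    ts: datetime
    country: str
    resource: str


@dataclass
class Baseline:
    countries: Counter = field(default_factory=Counter)
    hours: Counter = field(default_factory=Counter)
    resources: Counter = field(default_factory=Counter)
    total: int = 0


def build_baselines(history, role_changes=None):
    """Build one baseline per user from historical events.

    role_changes maps user -> datetime of a promotion or team change; events
    before that moment are dropped so the baseline describes the current role
    rather than the old one."""
    role_changes = role_changes or {}
    baselines = defaultdict(Baseline)
    for ev in history:
        cutoff = role_changes.get(ev.user)
        if cutoff is not None and ev.ts < cutoff:
            continue
        b = baselines[ev.user]
        b.countries[ev.country] += 1
        b.hours[ev.ts.hour] += 1
        b.resources[ev.resource] += 1
        b.total += 1
    return dict(baselines)


def _deviation(name, counter, value, total, rare_fraction):
    # Unseen value -> "new_<dim>"; seen but below the rarity threshold -> "rare_<dim>".
    seen = counter.get(value, 0)
    if seen == 0:
        return f"new_{name}"
    if seen / total < rare_fraction:
        return f"rare_{name}"
    return None


def score_event(ev, baselines, min_history=5, rare_fraction=0.05):
    """Return the list of deviations for ev against the user's own baseline.
    An empty list means the event looks normal for this person."""
    b = baselines.get(ev.user)
    if b is None or b.total < min_history:
        # Too little history to judge; surface that rather than guess either way.
        return ["insufficient_baseline"]
    checks = [
        _deviation("country", b.countries, ev.country, b.total, rare_fraction),
        _deviation("hour", b.hours, ev.ts.hour, b.total, rare_fraction),
        _deviation("resource", b.resources, ev.resource, b.total, rare_fraction),
    ]
    return [c for c in checks if c]


# --- Constructed history: deterministic round-robin over the given values. ---
BASE = datetime(2024, 1, 1)


def _hist(user, countries, hours, resources, n, start_day=0):
    return [
        LoginEvent(user, BASE + timedelta(days=start_day + i, hours=hours[i % len(hours)]),
                   countries[i % len(countries)], resources[i % len(resources)])
        for i in range(n)
    ]


HISTORY = (
    _hist("alice", ["US", "DE", "JP", "FR"], [8, 9, 10, 14, 16, 22], ["crm"], 40)   # travels a lot
    + _hist("bob", ["US"], list(range(9, 18)), ["git", "ci"], 36)                    # one office, office hours
    + _hist("carol", ["US"], [9, 10, 11], ["wiki"], 100)                             # before promotion
    + _hist("carol", ["US"], [9, 10, 11], ["finance-db"], 5, start_day=100)          # after promotion
)
ROLE_CHANGES = {"carol": BASE + timedelta(days=100)}
BASELINES = build_baselines(HISTORY, ROLE_CHANGES)

# Same country and hour, different people: only bob's event deviates from his own norm.
NEW_BOB = LoginEvent("bob", datetime(2024, 3, 1, 3), "DE", "git")
NEW_ALICE = LoginEvent("alice", datetime(2024, 3, 1, 9), "DE", "crm")
# carol's post-promotion access is normal once the role change is honoured.
NEW_CAROL = LoginEvent("carol", datetime(2024, 4, 15, 10), "US", "finance-db")
NEW_DAVE = LoginEvent("dave", datetime(2024, 4, 15, 10), "US", "wiki")  # no history at all

if __name__ == "__main__":
    for ev in (NEW_BOB, NEW_ALICE, NEW_CAROL, NEW_DAVE):
        print(ev.user, score_event(ev, BASELINES))
    print("carol without role change:", score_event(NEW_CAROL, build_baselines(HISTORY)))
```

Running the block shows bob's 03:00 login from a new country flagged while alice's identical login is normal, and carol's `finance-db` access flagged as a rare resource only when the role change is ignored and her old history dominates the baseline.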
# WHY IT MATTERS
Anomaly detection is a way to make identity security faster than human analysis — automatically flag unusual activity and escalate for investigation. But anomaly detection is only as good as the baselines it uses. When anomaly detection is tuned carefully, it catches attacks early. When it is tuned carelessly, it becomes a source of false alarms or missed detections.