Detection of unauthorized access can be flawed, especially in the case of insider threats or stolen credentials. Behavior profiling is a technique used to detect fraudulent access and track unusual user behavior. User behavior analytics can be really effective because normal access is continuously checked to identify abnormal behavior, such as anomalies in the volume of access to documents or records.
Yet it can be difficult to understand what is happening on production systems or to identify the difference between legitimate connections and attackers. In the past, security teams sometimes turned to decoy technologies such as honeypots, that is, resources whose value lies in being misused. Honeypots can help you understand what is happening on production systems because a honeypot is often as secure as production but has no legitimate uses. However, there are liability concerns. Honeypot users could face legal ambiguity, or it could just be hard to prosecute an attacker if you have a "honeypot".
Quality assurance (QA) and test systems should have a lot of the qualities of a honeypot (limited use, identical security) without the added effort of maintaining a separate system.
While QA systems could provide some of the benefits of traditional decoy systems, their legitimate use patterns mean that taking in behavior analytics from QA could also help model user behavior and train your analytics when applied to production data.
The decoy (masked) information in QA and test systems could also help detect illegitimate access and be used in a production lookup to look for an insider or credentials with access to production data or systems. Additionally, using decoy information to validate alerts can help profile normal access patterns and detect unusual user behavior.
A side note that helped bring me to this argument: in research, QRadar yields 90% of positive results identifying suspicious content browsing, and user information along with its source addresses and bandwidth can be reported or logged and therefore put in reference data.
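The production lookup for decoy values described above, as an added example that is not part of the original post: it scans production access logs for lookups of masked values that exist only in QA and collects the user, source address and bytes for each hit as rows suitable for reference data. The log format, decoy values and function names are assumptions constructed for this example.

```python
import re
from collections import defaultdict

# Constructed decoy values: masked records that exist only in QA/test data.
DECOY_VALUES = {"ACCT-QA-900017", "ACCT-QA-900342", "qa.masked.user@example.test"}

# Constructed production access-log lines (the format is an assumption).
PROD_LOG = """\
2024-05-02T09:14:03Z user=alice src=10.1.4.22 action=lookup key=ACCT-551201 bytes=2048
2024-05-02T09:15:40Z user=svc_report src=10.1.9.5 action=lookup key=ACCT-QA-900017 bytes=512
2024-05-02T09:15:44Z user=svc_report src=10.1.9.5 action=lookup key=ACCT-QA-900342 bytes=512
2024-05-02T09:20:11Z user=bob src=10.1.4.80 action=lookup key=ACCT-551377 bytes=1024
2024-05-02T09:31:57Z user=carol src=192.0.2.77 action=lookup key=qa.masked.user@example.test bytes=300
malformed line without fields
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"action=(?P<action>\S+) key=(?P<key>\S+) bytes=(?P<bytes>\d+)$"
)

def parse(log_text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()

def decoy_hits(log_text, decoys=DECOY_VALUES):
    """Return {user: {"sources", "keys", "bytes"}} for every production lookup
    of a value that only exists as decoy data in QA."""
    hits = defaultdict(lambda: {"sources": set(), "keys": set(), "bytes": 0})
    for ev in parse(log_text):
        if ev["action"] == "lookup" and ev["key"] in decoys:
            h = hits[ev["user"]]
            h["sources"].add(ev["src"])
            h["keys"].add(ev["key"])
            h["bytes"] += int(ev["bytes"])
    return dict(hits)

def reference_rows(hits):
    """Flatten hits into sorted (user, source, distinct_decoys, bytes) rows."""
    return sorted((u, s, len(h["keys"]), h["bytes"])
                  for u, h in hits.items() for s in h["sources"])

if __name__ == "__main__":
    for row in reference_rows(decoy_hits(PROD_LOG)):
        print(row)
```

Because no legitimate production workflow should reference a QA-only value, every row is worth reviewing regardless of volume.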
Resources used:
honeypots-guide: www.sans.org
Analysis of Behavior Profiling Algorithm to Detect Usage Anomalies in Fog Computing: www.ijesi.org
Guardium and QRadar: https://tinyurl.com/y8q8vjnx