Apache Metron features a revolutionary streaming profiler that lets you ask questions in real time about long term behaviour trends; questions like “how many servers should this admin have logged into on a weekday morning that's not a public holiday?” or “has this user, or anyone in their department, ever done anything like this before?”. Doing this with lightweight statistical sketching techniques means you can get high quality results without the need for huge hardware investment and get them much faster. It means you can deploy the expensive analytics in the right place, and progressively build up context around what is going on in your environment. In this technically focussed talk we will share some of the algorithms, use cases, and demonstrations of the low compute cost and resulting effectiveness of real-time algorithms in the Apache Metron profiler. We will also illustrate some new analytic models to protect your users from attackers, and from themselves.