Virtual Blind Spots

Why physical video surveillance is not enough

In the physical realm, video surveillance is among the most effective methods for safeguarding property. With 24/7 monitoring, companies ensure that trusted insiders have access to the premises, and that criminals do not. Unfortunately, in today’s business world, physical surveillance is not enough, though, as property that criminals seek now exists in the digital realm. And, in these instances, where data like credit card information, social security numbers, healthcare records and others are compromised, it is often impossible to distinguish between the criminals and the trusted insiders.

Research shows that the real threat lies with users who have access. In fact, more than 67 percent of data breaches involve stolen credentials from internal employees, remote vendors and other third-party contractors.

In the Target breach, for instance, attackers gained access to the network by compromising the credentials of an HVAC contractor. When eBay revealed that hackers had breached its network, making off with approximately 145 million user records, they indicated that the assailants gained access to customer records by compromising a small number of privileged employee accounts. Even the Snowden breach would not have been possible without the use of stolen and “borrowed” user credentials. In these circumstances, physical surveillance did not identify the culprit. Instead, these organizations needed to augment their security processes with a digital-based solution.

A New Solution Emerges

In the past, IT security teams attempted to assemble a picture of what people were doing based on infrastructure data available from systems logs—firewalls, SBCs and databases—but this method does not provide a complete, end-to-end view of user behaviors. Now, a new breed of security technology has emerged: user activity monitoring.

This type of monitoring enables companies to track their actual users and understand who did what on which computer. These solutions start with the user, rather than the infrastructure data, and create “videos” that capture exactly which applications the user accessed, which options they selected, what they typed, what files they downloaded and more. In short, user activity monitoring solutions can track every user action, no matter how they connect, where they travel in the network or what they do.

Simply videotaping user activity— physically or digitally—is not all that helpful if it requires the security team to constantly view hours of footage to find a problem. Fortunately, digital solutions can be equipped with analytics that evaluate activities against known user information and usage patterns to help companies rapidly detect suspicious, abnormal or outof- policy behaviors. Analytically-enabled user activity monitoring systems can alert on a variety of conditions such as if an employee ran a screen-sharing application on a server machine, executed a DROP command from a production database or changed the settings on a firewall. It can alert a healthcare provider when a nonattending physician attempts to access the medical records of a famous patient or tell a company that an authorized vendor accessed a file in the financial system.

With footage of exactly what the user did to trigger the alert, security professionals can quickly determine if the user is acting illegally and immediately shut the account down.

Clearly, there are tremendous benefits to adding user monitoring to any security program. Early detection limits risk exposure and can possibly prevent a complete breach. More importantly, solutions equipped with video capturing capabilities provide empirical evidence on both the culprit and his/her goal. Many times, companies that suffer from an assault cannot gain a clear picture of exactly what system was compromised, what data was taken or what pieces of intellectual property were viewed.

Not Adequately Protected

Unfortunately, many companies believe they are adequately protected against security breaches and do not realize the value of user activity monitoring until it is too late. There are a variety of reasons for this including:

Concentrating on machines, not people. For protection, organizations tend to concentrate on shoring up firewalls, creating complex authentication schemes, deploying malware-detection systems and/or using other automated and technology-based solutions. However, once a user is authorized, very few companies track where they go and what they do. In this scenario, it can take months for a company to realize that its systems have been compromised.

Getting lost in log data. Some companies believe that log files hold all the information they need to adequately discover and diagnose security issues. Unfortunately, this approach can leave knowledge gaps. Not every application provides detailed log files, and sophisticated hackers have been known to disable serverbased tracking features to navigate networks undetected.

On the flip side, log files were created to help programmers troubleshoot equipment related issues; therefore, they do not always provide the kind of data IT security teams need to determine if a specific user is acting suspiciously. More importantly, they rarely provide the complete trail of evidence a company would need to fully understand what exactly the hackers stole.

Relying on user-restrictions. Many organizations believe that carefully classifying what information, setting or systems that specific users are able to access is enough to prevent a breach. Unfortunately, hackers who are smart enough to steal credentials are typically savvy enough to work around these restrictions. Without a clear picture of a user’s activity as a whole that can then be compared to their privileges, unauthorized access can go undetected until a full breach is discovered.

Trusting alert overload. Because network monitoring solutions generate an overwhelming number of alerts on a daily basis—from firewalls, SBCs, routers and more—many organizations believe they must be covering all their bases. However, even the most meticulous support team, equipped with powerful SIEM systems, can get bogged down. Companies that do not include data from user-activity monitoring can easily miss the intelligence that would spotlight fraudulent, anomalous or out-of-policy behaviors from either employees or authorized third parties.

A Holistic Approach

As the potential payoff from both corporate espionage and fraudulent financial activities continues to skyrocket, organizations are forced to find new ways to fend off sophisticated assaults from multiple angles. Therefore, companies need to take a holistic, all-encompassing approach to defense.

Being able to quickly identify the culprits, even when disguised, and what they are trying to accomplish is the most important task for any security team. This makes surveillance— both physical and digital—a crucial piece of any security program.

On the digital side, user activity monitoring is emerging as a key strategy for limiting exposure to threats stemming from user accounts. Without proof of who did what and when, companies can find themselves not only compromised but wholly without the intelligence they need to adequately rectify the situation and fully explain it to customers, and the public at large.

This article originally appeared in the November 2014 issue of Security Today.

Featured

  • Work Anywhere, Secure Everywhere: 2025 Tech Predictions

    Five years after the pandemic, organizations need a flexible work reset to stay productive and support any work arrangement. Despite the pandemic-fueled workplace shift that began five years ago, companies across industries and geographies continue to increase flexible work configurations. However, many tools adopted during COVID onset remain in place today, and they now need a reset to keep employees productive and secure regardless of location. Security leaders must re-evaluate existing practices and reinvest in zero trust security, passwordless environments, and automation adoption to improve efficiency and productivity. Read Now

  • Guiding Principles

    Construction sites represent a unique sector of perimeter security, especially amidst a steady increase in commercial construction. As in any security environment, assessing weaknesses and threats remains paramount and modern technology, coupled with sound access control principles, are critical in addressing vulnerabilities at even the most secure construction sites around the world. Read Now

  • Empowering 911

    In the wake of the tragic murder of UnitedHealth Group CEO Brian Thompson, media coverage flooded the airwaves with images, videos and detailed timelines of the suspect’s movements. While such post-incident analysis is not new, today’s 911 centers now have access to similar data in real-time. This technological evolution marks a pivotal transformation in emergency response, transitioning from analog calls to a digital ecosystem capable of saving more lives. Read Now

  • Security Industry Embraces Mobile Credentials, Biometrics and AI, New Trends Report From HID Finds

    As organizations navigate an increasingly complex threat landscape, security leaders are making strategic shifts toward unified platforms and emerging technologies, according to the newly released 2025 State of Security and Identity Report from HID. The comprehensive study gathered responses from 1,800 partners, end users, and security and IT personnel worldwide, and reveals a significant transformation in how businesses are approaching security, with mobile credentials and artificial intelligence emerging as key drivers of innovation. Read Now

New Products

  • ResponderLink

    ResponderLink

    Shooter Detection Systems (SDS), an Alarm.com company and a global leader in gunshot detection solutions, has introduced ResponderLink, a groundbreaking new 911 notification service for gunshot events. ResponderLink completes the circle from detection to 911 notification to first responder awareness, giving law enforcement enhanced situational intelligence they urgently need to save lives. Integrating SDS’s proven gunshot detection system with Noonlight’s SendPolice platform, ResponderLink is the first solution to automatically deliver real-time gunshot detection data to 911 call centers and first responders. When shots are detected, the 911 dispatching center, also known as the Public Safety Answering Point or PSAP, is contacted based on the gunfire location, enabling faster initiation of life-saving emergency protocols.

  • 4K Video Decoder

    3xLOGIC’s VH-DECODER-4K is perfect for use in organizations of all sizes in diverse vertical sectors such as retail, leisure and hospitality, education and commercial premises.

  • Camden CM-221 Series Switches

    Camden CM-221 Series Switches

    Camden Door Controls is pleased to announce that, in response to soaring customer demand, it has expanded its range of ValueWave™ no-touch switches to include a narrow (slimline) version with manual override. This override button is designed to provide additional assurance that the request to exit switch will open a door, even if the no-touch sensor fails to operate. This new slimline switch also features a heavy gauge stainless steel faceplate, a red/green illuminated light ring, and is IP65 rated, making it ideal for indoor or outdoor use as part of an automatic door or access control system. ValueWave™ no-touch switches are designed for easy installation and trouble-free service in high traffic applications. In addition to this narrow version, the CM-221 & CM-222 Series switches are available in a range of other models with single and double gang heavy-gauge stainless steel faceplates and include illuminated light rings.