Virtual Blind Spots

Why physical video surveillance is not enough

In the physical realm, video surveillance is among the most effective methods for safeguarding property. With 24/7 monitoring, companies ensure that trusted insiders have access to the premises, and that criminals do not. Unfortunately, in today’s business world, physical surveillance is not enough, though, as property that criminals seek now exists in the digital realm. And, in these instances, where data like credit card information, social security numbers, healthcare records and others are compromised, it is often impossible to distinguish between the criminals and the trusted insiders.

Research shows that the real threat lies with users who have access. In fact, more than 67 percent of data breaches involve stolen credentials from internal employees, remote vendors and other third-party contractors.

In the Target breach, for instance, attackers gained access to the network by compromising the credentials of an HVAC contractor. When eBay revealed that hackers had breached its network, making off with approximately 145 million user records, they indicated that the assailants gained access to customer records by compromising a small number of privileged employee accounts. Even the Snowden breach would not have been possible without the use of stolen and “borrowed” user credentials. In these circumstances, physical surveillance did not identify the culprit. Instead, these organizations needed to augment their security processes with a digital-based solution.

A New Solution Emerges

In the past, IT security teams attempted to assemble a picture of what people were doing based on infrastructure data available from systems logs—firewalls, SBCs and databases—but this method does not provide a complete, end-to-end view of user behaviors. Now, a new breed of security technology has emerged: user activity monitoring.

This type of monitoring enables companies to track their actual users and understand who did what on which computer. These solutions start with the user, rather than the infrastructure data, and create “videos” that capture exactly which applications the user accessed, which options they selected, what they typed, what files they downloaded and more. In short, user activity monitoring solutions can track every user action, no matter how they connect, where they travel in the network or what they do.

Simply videotaping user activity— physically or digitally—is not all that helpful if it requires the security team to constantly view hours of footage to find a problem. Fortunately, digital solutions can be equipped with analytics that evaluate activities against known user information and usage patterns to help companies rapidly detect suspicious, abnormal or outof- policy behaviors. Analytically-enabled user activity monitoring systems can alert on a variety of conditions such as if an employee ran a screen-sharing application on a server machine, executed a DROP command from a production database or changed the settings on a firewall. It can alert a healthcare provider when a nonattending physician attempts to access the medical records of a famous patient or tell a company that an authorized vendor accessed a file in the financial system.

With footage of exactly what the user did to trigger the alert, security professionals can quickly determine if the user is acting illegally and immediately shut the account down.

Clearly, there are tremendous benefits to adding user monitoring to any security program. Early detection limits risk exposure and can possibly prevent a complete breach. More importantly, solutions equipped with video capturing capabilities provide empirical evidence on both the culprit and his/her goal. Many times, companies that suffer from an assault cannot gain a clear picture of exactly what system was compromised, what data was taken or what pieces of intellectual property were viewed.

Not Adequately Protected

Unfortunately, many companies believe they are adequately protected against security breaches and do not realize the value of user activity monitoring until it is too late. There are a variety of reasons for this including:

Concentrating on machines, not people. For protection, organizations tend to concentrate on shoring up firewalls, creating complex authentication schemes, deploying malware-detection systems and/or using other automated and technology-based solutions. However, once a user is authorized, very few companies track where they go and what they do. In this scenario, it can take months for a company to realize that its systems have been compromised.

Getting lost in log data. Some companies believe that log files hold all the information they need to adequately discover and diagnose security issues. Unfortunately, this approach can leave knowledge gaps. Not every application provides detailed log files, and sophisticated hackers have been known to disable serverbased tracking features to navigate networks undetected.

On the flip side, log files were created to help programmers troubleshoot equipment related issues; therefore, they do not always provide the kind of data IT security teams need to determine if a specific user is acting suspiciously. More importantly, they rarely provide the complete trail of evidence a company would need to fully understand what exactly the hackers stole.

Relying on user-restrictions. Many organizations believe that carefully classifying what information, setting or systems that specific users are able to access is enough to prevent a breach. Unfortunately, hackers who are smart enough to steal credentials are typically savvy enough to work around these restrictions. Without a clear picture of a user’s activity as a whole that can then be compared to their privileges, unauthorized access can go undetected until a full breach is discovered.

Trusting alert overload. Because network monitoring solutions generate an overwhelming number of alerts on a daily basis—from firewalls, SBCs, routers and more—many organizations believe they must be covering all their bases. However, even the most meticulous support team, equipped with powerful SIEM systems, can get bogged down. Companies that do not include data from user-activity monitoring can easily miss the intelligence that would spotlight fraudulent, anomalous or out-of-policy behaviors from either employees or authorized third parties.

A Holistic Approach

As the potential payoff from both corporate espionage and fraudulent financial activities continues to skyrocket, organizations are forced to find new ways to fend off sophisticated assaults from multiple angles. Therefore, companies need to take a holistic, all-encompassing approach to defense.

Being able to quickly identify the culprits, even when disguised, and what they are trying to accomplish is the most important task for any security team. This makes surveillance— both physical and digital—a crucial piece of any security program.

On the digital side, user activity monitoring is emerging as a key strategy for limiting exposure to threats stemming from user accounts. Without proof of who did what and when, companies can find themselves not only compromised but wholly without the intelligence they need to adequately rectify the situation and fully explain it to customers, and the public at large.

This article originally appeared in the November 2014 issue of Security Today.

Featured

  • Creating a Safer World

    Managing and supporting locks and door hardware within a facility is a big responsibility. A building’s security needs to change over time as occupancy and use demands evolve, which can make it even more challenging. Read Now

  • Creating More Versatility

    Today, AI has become top of mind for most security professionals. It is the topic of conversation in the technology world and continues to transform the way data is used to make important business decisions. Read Now

  • Report: 78 Percent of CISOs Seeing Significant Impact from AI-Powered Cyber Threats

    Darktrace recently unveiled its 2025 State of AI Cybersecurity report. The findings reveal that 78% of Chief Information Security Officers (CISOs) surveyed say that AI-powered threats are having a significant impact on their organizations, a 5% increase1 from 2024. While an increasing number of CISOs report feeling a significant impact from AI threats, more than 60% now say that they are adequately prepared to defend against these threats, an increase of nearly 15% year-over-year. However, insufficient AI knowledge and skills and a shortage of personnel and talent continue to be listed as the two top inhibitors to a successful defense. Read Now

  • Teaching AI New Tricks

    You have probably heard that AI-enabled security cameras are evolving the role of traditional surveillance cameras, shifting the focus from passive monitoring to active problem-solving and operational insights. AI technology changes fast, so what is new can be considered old news in just a few months. Read Now

New Products

  • ComNet CNGE6FX2TX4PoE

    The ComNet cost-efficient CNGE6FX2TX4PoE is a six-port switch that offers four Gbps TX ports that support the IEEE802.3at standard and provide up to 30 watts of PoE to PDs. It also has a dedicated FX/TX combination port as well as a single FX SFP to act as an additional port or an uplink port, giving the user additional options in managing network traffic. The CNGE6FX2TX4PoE is designed for use in unconditioned environments and typically used in perimeter surveillance.

  • PE80 Series

    PE80 Series by SARGENT / ED4000/PED5000 Series by Corbin Russwin

    ASSA ABLOY, a global leader in access solutions, has announced the launch of two next generation exit devices from long-standing leaders in the premium exit device market: the PE80 Series by SARGENT and the PED4000/PED5000 Series by Corbin Russwin. These new exit devices boast industry-first features that are specifically designed to provide enhanced safety, security and convenience, setting new standards for exit solutions. The SARGENT PE80 and Corbin Russwin PED4000/PED5000 Series exit devices are engineered to meet the ever-evolving needs of modern buildings. Featuring the high strength, security and durability that ASSA ABLOY is known for, the new exit devices deliver several innovative, industry-first features in addition to elegant design finishes for every opening.

  • Compact IP Video Intercom

    Viking’s X-205 Series of intercoms provide HD IP video and two-way voice communication - all wrapped up in an attractive compact chassis.