Virtual Blind Spots

Why physical video surveillance is not enough

In the physical realm, video surveillance is among the most effective methods for safeguarding property. With 24/7 monitoring, companies ensure that trusted insiders have access to the premises, and that criminals do not. Unfortunately, in today’s business world, physical surveillance is not enough, though, as property that criminals seek now exists in the digital realm. And, in these instances, where data like credit card information, social security numbers, healthcare records and others are compromised, it is often impossible to distinguish between the criminals and the trusted insiders.

Research shows that the real threat lies with users who have access. In fact, more than 67 percent of data breaches involve stolen credentials from internal employees, remote vendors and other third-party contractors.

In the Target breach, for instance, attackers gained access to the network by compromising the credentials of an HVAC contractor. When eBay revealed that hackers had breached its network, making off with approximately 145 million user records, they indicated that the assailants gained access to customer records by compromising a small number of privileged employee accounts. Even the Snowden breach would not have been possible without the use of stolen and “borrowed” user credentials. In these circumstances, physical surveillance did not identify the culprit. Instead, these organizations needed to augment their security processes with a digital-based solution.

A New Solution Emerges

In the past, IT security teams attempted to assemble a picture of what people were doing based on infrastructure data available from systems logs—firewalls, SBCs and databases—but this method does not provide a complete, end-to-end view of user behaviors. Now, a new breed of security technology has emerged: user activity monitoring.

This type of monitoring enables companies to track their actual users and understand who did what on which computer. These solutions start with the user, rather than the infrastructure data, and create “videos” that capture exactly which applications the user accessed, which options they selected, what they typed, what files they downloaded and more. In short, user activity monitoring solutions can track every user action, no matter how they connect, where they travel in the network or what they do.

Simply videotaping user activity— physically or digitally—is not all that helpful if it requires the security team to constantly view hours of footage to find a problem. Fortunately, digital solutions can be equipped with analytics that evaluate activities against known user information and usage patterns to help companies rapidly detect suspicious, abnormal or outof- policy behaviors. Analytically-enabled user activity monitoring systems can alert on a variety of conditions such as if an employee ran a screen-sharing application on a server machine, executed a DROP command from a production database or changed the settings on a firewall. It can alert a healthcare provider when a nonattending physician attempts to access the medical records of a famous patient or tell a company that an authorized vendor accessed a file in the financial system.

With footage of exactly what the user did to trigger the alert, security professionals can quickly determine if the user is acting illegally and immediately shut the account down.

Clearly, there are tremendous benefits to adding user monitoring to any security program. Early detection limits risk exposure and can possibly prevent a complete breach. More importantly, solutions equipped with video capturing capabilities provide empirical evidence on both the culprit and his/her goal. Many times, companies that suffer from an assault cannot gain a clear picture of exactly what system was compromised, what data was taken or what pieces of intellectual property were viewed.

Not Adequately Protected

Unfortunately, many companies believe they are adequately protected against security breaches and do not realize the value of user activity monitoring until it is too late. There are a variety of reasons for this including:

Concentrating on machines, not people. For protection, organizations tend to concentrate on shoring up firewalls, creating complex authentication schemes, deploying malware-detection systems and/or using other automated and technology-based solutions. However, once a user is authorized, very few companies track where they go and what they do. In this scenario, it can take months for a company to realize that its systems have been compromised.

Getting lost in log data. Some companies believe that log files hold all the information they need to adequately discover and diagnose security issues. Unfortunately, this approach can leave knowledge gaps. Not every application provides detailed log files, and sophisticated hackers have been known to disable serverbased tracking features to navigate networks undetected.

On the flip side, log files were created to help programmers troubleshoot equipment related issues; therefore, they do not always provide the kind of data IT security teams need to determine if a specific user is acting suspiciously. More importantly, they rarely provide the complete trail of evidence a company would need to fully understand what exactly the hackers stole.

Relying on user-restrictions. Many organizations believe that carefully classifying what information, setting or systems that specific users are able to access is enough to prevent a breach. Unfortunately, hackers who are smart enough to steal credentials are typically savvy enough to work around these restrictions. Without a clear picture of a user’s activity as a whole that can then be compared to their privileges, unauthorized access can go undetected until a full breach is discovered.

Trusting alert overload. Because network monitoring solutions generate an overwhelming number of alerts on a daily basis—from firewalls, SBCs, routers and more—many organizations believe they must be covering all their bases. However, even the most meticulous support team, equipped with powerful SIEM systems, can get bogged down. Companies that do not include data from user-activity monitoring can easily miss the intelligence that would spotlight fraudulent, anomalous or out-of-policy behaviors from either employees or authorized third parties.

A Holistic Approach

As the potential payoff from both corporate espionage and fraudulent financial activities continues to skyrocket, organizations are forced to find new ways to fend off sophisticated assaults from multiple angles. Therefore, companies need to take a holistic, all-encompassing approach to defense.

Being able to quickly identify the culprits, even when disguised, and what they are trying to accomplish is the most important task for any security team. This makes surveillance— both physical and digital—a crucial piece of any security program.

On the digital side, user activity monitoring is emerging as a key strategy for limiting exposure to threats stemming from user accounts. Without proof of who did what and when, companies can find themselves not only compromised but wholly without the intelligence they need to adequately rectify the situation and fully explain it to customers, and the public at large.

This article originally appeared in the November 2014 issue of Security Today.

Featured

Featured Cybersecurity

Webinars

New Products

  • AC Nio

    AC Nio

    Aiphone, a leading international manufacturer of intercom, access control, and emergency communication products, has introduced the AC Nio, its access control management software, an important addition to its new line of access control solutions. 3

  • A8V MIND

    A8V MIND

    Hexagon’s Geosystems presents a portable version of its Accur8vision detection system. A rugged all-in-one solution, the A8V MIND (Mobile Intrusion Detection) is designed to provide flexible protection of critical outdoor infrastructure and objects. Hexagon’s Accur8vision is a volumetric detection system that employs LiDAR technology to safeguard entire areas. Whenever it detects movement in a specified zone, it automatically differentiates a threat from a nonthreat, and immediately notifies security staff if necessary. Person detection is carried out within a radius of 80 meters from this device. Connected remotely via a portable computer device, it enables remote surveillance and does not depend on security staff patrolling the area. 3

  • Camden CV-7600 High Security Card Readers

    Camden CV-7600 High Security Card Readers

    Camden Door Controls has relaunched its CV-7600 card readers in response to growing market demand for a more secure alternative to standard proximity credentials that can be easily cloned. CV-7600 readers support MIFARE DESFire EV1 & EV2 encryption technology credentials, making them virtually clone-proof and highly secure. 3