Virtual Blind Spots

Why physical video surveillance is not enough

  • By Gaby Friendlander
  • Nov 03, 2014

In the physical realm, video surveillance is among the most effective methods for safeguarding property. With 24/7 monitoring, companies ensure that trusted insiders have access to the premises, and that criminals do not. Unfortunately, in today’s business world, physical surveillance is not enough, though, as property that criminals seek now exists in the digital realm. And, in these instances, where data like credit card information, social security numbers, healthcare records and others are compromised, it is often impossible to distinguish between the criminals and the trusted insiders.

Research shows that the real threat lies with users who have access. In fact, more than 67 percent of data breaches involve stolen credentials from internal employees, remote vendors and other third-party contractors.

In the Target breach, for instance, attackers gained access to the network by compromising the credentials of an HVAC contractor. When eBay revealed that hackers had breached its network, making off with approximately 145 million user records, they indicated that the assailants gained access to customer records by compromising a small number of privileged employee accounts. Even the Snowden breach would not have been possible without the use of stolen and “borrowed” user credentials. In these circumstances, physical surveillance did not identify the culprit. Instead, these organizations needed to augment their security processes with a digital-based solution.

A New Solution Emerges

In the past, IT security teams attempted to assemble a picture of what people were doing based on infrastructure data available from systems logs—firewalls, SBCs and databases—but this method does not provide a complete, end-to-end view of user behaviors. Now, a new breed of security technology has emerged: user activity monitoring.

This type of monitoring enables companies to track their actual users and understand who did what on which computer. These solutions start with the user, rather than the infrastructure data, and create “videos” that capture exactly which applications the user accessed, which options they selected, what they typed, what files they downloaded and more. In short, user activity monitoring solutions can track every user action, no matter how they connect, where they travel in the network or what they do.

Simply videotaping user activity— physically or digitally—is not all that helpful if it requires the security team to constantly view hours of footage to find a problem. Fortunately, digital solutions can be equipped with analytics that evaluate activities against known user information and usage patterns to help companies rapidly detect suspicious, abnormal or outof- policy behaviors. Analytically-enabled user activity monitoring systems can alert on a variety of conditions such as if an employee ran a screen-sharing application on a server machine, executed a DROP command from a production database or changed the settings on a firewall. It can alert a healthcare provider when a nonattending physician attempts to access the medical records of a famous patient or tell a company that an authorized vendor accessed a file in the financial system.

With footage of exactly what the user did to trigger the alert, security professionals can quickly determine if the user is acting illegally and immediately shut the account down.

Clearly, there are tremendous benefits to adding user monitoring to any security program. Early detection limits risk exposure and can possibly prevent a complete breach. More importantly, solutions equipped with video capturing capabilities provide empirical evidence on both the culprit and his/her goal. Many times, companies that suffer from an assault cannot gain a clear picture of exactly what system was compromised, what data was taken or what pieces of intellectual property were viewed.

Not Adequately Protected

Unfortunately, many companies believe they are adequately protected against security breaches and do not realize the value of user activity monitoring until it is too late. There are a variety of reasons for this including:

Concentrating on machines, not people. For protection, organizations tend to concentrate on shoring up firewalls, creating complex authentication schemes, deploying malware-detection systems and/or using other automated and technology-based solutions. However, once a user is authorized, very few companies track where they go and what they do. In this scenario, it can take months for a company to realize that its systems have been compromised.

Getting lost in log data. Some companies believe that log files hold all the information they need to adequately discover and diagnose security issues. Unfortunately, this approach can leave knowledge gaps. Not every application provides detailed log files, and sophisticated hackers have been known to disable serverbased tracking features to navigate networks undetected.

On the flip side, log files were created to help programmers troubleshoot equipment related issues; therefore, they do not always provide the kind of data IT security teams need to determine if a specific user is acting suspiciously. More importantly, they rarely provide the complete trail of evidence a company would need to fully understand what exactly the hackers stole.

Relying on user-restrictions. Many organizations believe that carefully classifying what information, setting or systems that specific users are able to access is enough to prevent a breach. Unfortunately, hackers who are smart enough to steal credentials are typically savvy enough to work around these restrictions. Without a clear picture of a user’s activity as a whole that can then be compared to their privileges, unauthorized access can go undetected until a full breach is discovered.

Trusting alert overload. Because network monitoring solutions generate an overwhelming number of alerts on a daily basis—from firewalls, SBCs, routers and more—many organizations believe they must be covering all their bases. However, even the most meticulous support team, equipped with powerful SIEM systems, can get bogged down. Companies that do not include data from user-activity monitoring can easily miss the intelligence that would spotlight fraudulent, anomalous or out-of-policy behaviors from either employees or authorized third parties.

A Holistic Approach

As the potential payoff from both corporate espionage and fraudulent financial activities continues to skyrocket, organizations are forced to find new ways to fend off sophisticated assaults from multiple angles. Therefore, companies need to take a holistic, all-encompassing approach to defense.

Being able to quickly identify the culprits, even when disguised, and what they are trying to accomplish is the most important task for any security team. This makes surveillance— both physical and digital—a crucial piece of any security program.

On the digital side, user activity monitoring is emerging as a key strategy for limiting exposure to threats stemming from user accounts. Without proof of who did what and when, companies can find themselves not only compromised but wholly without the intelligence they need to adequately rectify the situation and fully explain it to customers, and the public at large.

This article originally appeared in the November 2014 issue of Security Today.

Featured

  • From Surveillance to Intelligence

    Years ago, it would have been significantly more expensive to run an analytic like that — requiring a custom-built solution with burdensome infrastructure demands — but modern edge devices have made it accessible to everyone. It also saves time, which is a critical factor if a missing child is involved. Video compression technology has played a critical role as well. Over the years, significant advancements have been made in video coding standards — including H.263, MPEG formats, and H.264—alongside compression optimization technologies developed by IP video manufacturers to improve efficiency without sacrificing quality. The open-source AV1 codec developed by the Alliance for Open Media—a consortium including Google, Netflix, Microsoft, Amazon and others — is already the preferred decoder for cloud-based applications, and is quickly becoming the standard for video compression of all types. Read Now

  • Cost: Reactive vs. Proactive Security

    Security breaches often happen despite the availability of tools to prevent them. To combat this problem, the industry is shifting from reactive correction to proactive protection. This article will examine why so many security leaders have realized they must “lead before the breach” – not after. Read Now

  • Achieving Clear Audio

    In today’s ever-changing world of security and risk management, effective communication via an intercom and door entry communication system is a critical communication tool to keep a facility’s staff, visitors and vendors safe. Read Now

  • Beyond Apps: Access Control for Today’s Residents

    The modern resident lives in an app-saturated world. From banking to grocery delivery, fitness tracking to ridesharing, nearly every service demands another download. But when it comes to accessing the place you live, most people do not want to clutter their phone with yet another app, especially if its only purpose is to open a door. Read Now

  • Survey: 48 Percent of Worshippers Feel Less Safe Attending In-Person Services

    Almost half (48%) of those who attend religious services say they feel less safe attending in-person due to rising acts of violence at places of worship. In fact, 39% report these safety concerns have led them to change how often they attend in-person services, according to new research from Verkada conducted online by The Harris Poll among 1,123 U.S. adults who attend a religious service or event at least once a month. Read Now

Most   Popular

New Products

  • AC Nio

    AC Nio

    Aiphone, a leading international manufacturer of intercom, access control, and emergency communication products, has introduced the AC Nio, its access control management software, an important addition to its new line of access control solutions.

  • HD2055 Modular Barricade

    Delta Scientific’s electric HD2055 modular shallow foundation barricade is tested to ASTM M50/P1 with negative penetration from the vehicle upon impact. With a shallow foundation of only 24 inches, the HD2055 can be installed without worrying about buried power lines and other below grade obstructions. The modular make-up of the barrier also allows you to cover wider roadways by adding additional modules to the system. The HD2055 boasts an Emergency Fast Operation of 1.5 seconds giving the guard ample time to deploy under a high threat situation.

  • ResponderLink

    ResponderLink

    Shooter Detection Systems (SDS), an Alarm.com company and a global leader in gunshot detection solutions, has introduced ResponderLink, a groundbreaking new 911 notification service for gunshot events. ResponderLink completes the circle from detection to 911 notification to first responder awareness, giving law enforcement enhanced situational intelligence they urgently need to save lives. Integrating SDS’s proven gunshot detection system with Noonlight’s SendPolice platform, ResponderLink is the first solution to automatically deliver real-time gunshot detection data to 911 call centers and first responders. When shots are detected, the 911 dispatching center, also known as the Public Safety Answering Point or PSAP, is contacted based on the gunfire location, enabling faster initiation of life-saving emergency protocols.