Virtual Blind Spots
Why physical video surveillance is not enough
- By Gaby Friendlander
- Nov 03, 2014
In the physical realm, video surveillance is among the most effective methods for safeguarding property. With 24/7 monitoring, companies ensure that trusted insiders have access to the premises, and that criminals do not. Unfortunately, in today’s business world, physical surveillance is not enough, as the property that criminals seek now exists in the digital realm. And in these instances, where data like credit card information, social security numbers, healthcare records and others are compromised, it is often impossible to distinguish between the criminals and the trusted insiders.
Research shows that the real threat lies with users who have access. In fact, more than 67 percent of data breaches involve stolen credentials from internal employees, remote vendors and other third-party contractors.
In the Target breach, for instance, attackers gained access to the network by compromising the credentials of an HVAC contractor. When eBay revealed that hackers had breached its network, making off with approximately 145 million user records, they indicated that the assailants gained access to customer records by compromising a small number of privileged employee accounts. Even the Snowden breach would not have been possible without the use of stolen and “borrowed” user credentials. In these circumstances, physical surveillance did not identify the culprit. Instead, these organizations needed to augment their security processes with a digital-based solution.
A New Solution Emerges
In the past, IT security teams attempted to assemble a picture of what people were doing based on infrastructure data available from system logs—firewalls, SBCs and databases—but this method does not provide a complete, end-to-end view of user behaviors. Now, a new breed of security technology has emerged: user activity monitoring.
This type of monitoring enables companies to track their actual users and understand who did what on which computer. These solutions start with the user, rather than the infrastructure data, and create “videos” that capture exactly which applications the user accessed, which options they selected, what they typed, what files they downloaded and more. In short, user activity monitoring solutions can track every user action, no matter how they connect, where they travel in the network or what they do.
Simply videotaping user activity—physically or digitally—is not all that helpful if it requires the security team to constantly view hours of footage to find a problem. Fortunately, digital solutions can be equipped with analytics that evaluate activities against known user information and usage patterns to help companies rapidly detect suspicious, abnormal or out-of-policy behaviors. Analytically enabled user activity monitoring systems can alert on a variety of conditions, such as an employee running a screen-sharing application on a server machine, executing a DROP command against a production database or changing the settings on a firewall. Such a system can alert a healthcare provider when a non-attending physician attempts to access the medical records of a famous patient, or tell a company that an authorized vendor accessed a file in the financial system.
With footage of exactly what the user did to trigger the alert, security professionals can quickly determine if the user is acting illegally and immediately shut the account down.
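As an added illustration of the rule-based alerting described above (example code written for this edit, not any product's own code), the following Python evaluates a few constructed user-activity records against rules matching the listed conditions; the event fields, role and host-type names, screen-sharing app list and care-team table are all assumed.

```python
# Rule-based alerting over user-activity records. All policy tables and
# sample events below are constructed for illustration.
from dataclasses import dataclass

@dataclass
class Event:
    user: str       # account that performed the action
    role: str       # employee, physician or vendor (assumed role names)
    host: str       # machine the action happened on
    host_type: str  # workstation, server, db or firewall (assumed)
    action: str     # launch_app, sql, config_change, view_record, read_file
    target: str = ""  # app name, SQL text, record id or file path
    env: str = ""     # production or test, for database hosts

SCREEN_SHARING_APPS = {"teamviewer", "anydesk", "vnc"}        # assumed list
ATTENDING = {"patient-1042": {"dr.lee", "dr.patel"}}          # patient -> care team

def evaluate(ev):
    """Return the names of every rule the event trips (empty list if none)."""
    alerts = []
    if ev.action == "launch_app" and ev.host_type == "server" \
            and ev.target.lower() in SCREEN_SHARING_APPS:
        alerts.append("screen-sharing on server")
    if ev.action == "sql" and ev.env == "production" \
            and ev.target.strip().upper().startswith("DROP "):
        alerts.append("DROP on production database")
    if ev.action == "config_change" and ev.host_type == "firewall":
        alerts.append("firewall settings changed")
    if ev.action == "view_record" and ev.role == "physician" \
            and ev.user not in ATTENDING.get(ev.target, set()):
        alerts.append("non-attending physician viewed record")
    if ev.action == "read_file" and ev.role == "vendor" \
            and ev.target.startswith("/finance/"):
        alerts.append("vendor accessed financial file")
    return alerts

# Constructed sample activity stream; the test-database DROP and the
# attending physician's record view are expected NOT to alert.
SAMPLE = [
    Event("jdoe", "employee", "srv-app01", "server", "launch_app", "TeamViewer"),
    Event("dba1", "employee", "db-prod01", "db", "sql", "DROP TABLE orders;", "production"),
    Event("dba1", "employee", "db-test01", "db", "sql", "DROP TABLE orders;", "test"),
    Event("netops", "employee", "fw-edge", "firewall", "config_change", "rule 17"),
    Event("dr.kim", "physician", "ws-er3", "workstation", "view_record", "patient-1042"),
    Event("dr.lee", "physician", "ws-er3", "workstation", "view_record", "patient-1042"),
    Event("hvac-vendor", "vendor", "srv-fs01", "server", "read_file", "/finance/q3.xlsx"),
]

def run(events=SAMPLE):
    """Map 'user@host' to the alerts raised, only for events that tripped a rule."""
    out = {}
    for ev in events:
        hits = evaluate(ev)
        if hits:
            out.setdefault(f"{ev.user}@{ev.host}", []).extend(hits)
    return out
```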
Clearly, there are tremendous benefits to adding user monitoring to any security program. Early detection limits risk exposure and can possibly prevent a complete breach. More importantly, solutions equipped with video capturing capabilities provide empirical evidence on both the culprit and his/her goal. Many times, companies that suffer from an assault cannot gain a clear picture of exactly what system was compromised, what data was taken or what pieces of intellectual property were viewed.
Not Adequately Protected
Unfortunately, many companies believe they are adequately protected against security breaches and do not realize the value of user activity monitoring until it is too late. There are a variety of reasons for this, including:
Concentrating on machines, not people. For protection, organizations tend to concentrate on shoring up firewalls, creating complex authentication schemes, deploying malware-detection systems and/or using other automated and technology-based solutions. However, once a user is authorized, very few companies track where they go and what they do. In this scenario, it can take months for a company to realize that its systems have been compromised.
Getting lost in log data. Some companies believe that log files hold all the information they need to adequately discover and diagnose security issues. Unfortunately, this approach can leave knowledge gaps. Not every application provides detailed log files, and sophisticated hackers have been known to disable server-based tracking features to navigate networks undetected.
On the flip side, log files were created to help programmers troubleshoot equipment-related issues; therefore, they do not always provide the kind of data IT security teams need to determine if a specific user is acting suspiciously. More importantly, they rarely provide the complete trail of evidence a company would need to fully understand what exactly the hackers stole.
Relying on user restrictions. Many organizations believe that carefully classifying which information, settings or systems specific users are able to access is enough to prevent a breach. Unfortunately, hackers who are smart enough to steal credentials are typically savvy enough to work around these restrictions. Without a clear picture of a user’s activity as a whole that can then be compared to their privileges, unauthorized access can go undetected until a full breach is discovered.
Trusting alert overload. Because network monitoring solutions generate an overwhelming number of alerts on a daily basis—from firewalls, SBCs, routers and more—many organizations believe they must be covering all their bases. However, even the most meticulous support team, equipped with powerful SIEM systems, can get bogged down. Companies that do not include data from user-activity monitoring can easily miss the intelligence that would spotlight fraudulent, anomalous or out-of-policy behaviors from either employees or authorized third parties.
A Holistic Approach
As the potential payoff from both corporate espionage and fraudulent financial activities continues to skyrocket, organizations are forced to find new ways to fend off sophisticated assaults from multiple angles. Therefore, companies need to take a holistic, all-encompassing approach to defense.
Being able to quickly identify the culprits, even when disguised, and what they are trying to accomplish is the most important task for any security team. This makes surveillance—both physical and digital—a crucial piece of any security program.
On the digital side, user activity monitoring is emerging as a key strategy for limiting exposure to threats stemming from user accounts. Without proof of who did what and when, companies can find themselves not only compromised but wholly without the intelligence they need to adequately rectify the situation and fully explain it to customers and the public at large.
This article originally appeared in the November 2014 issue of Security Today.