Actionable Intelligence
Data is the main player in making security decisions
All security decisions are based on data. So,
it would stand to reason that the more data
organizations are able to collect, the more
informed their security teams will be and,
by extension, the better the decisions they
make will be. Sadly, that’s not always the
case thanks in large part to the sheer—and staggering—
amount of data that is being collected today by an increasing
number of devices and systems. Much of this “big data” has
significant implications for security and when properly sorted,
searched and executed, can become incredibly useful and
actionable intelligence.
The underlying problem with the current security approach is
that it does not involve analyzing available data. Alarm-based security
processes are mainly reactive in nature. And, because more
than 95 percent of alarms are false, we tend to respond slowly
because there’s a good chance that the alarm isn’t valid.
In essence, the alarm monitoring process itself has inadvertently
trained people that the data is so noisy as a result of the
overwhelming number of false alarms that they won’t be able to
accomplish their job and identify a threat as it occurs in real time.
As a result, threats often go undetected; or by the time something
happens, it’s too late to do anything about it.
Case in point: there have been many security breaches where
there was actually enough relevant data located within disparate
sources to warn of a possible security risk, but no way for
the organization to extrapolate actionable intelligence from that
data. For many organizations, simply organizing the vast quantity of security- and incident-related data,
let alone analyzing it and utilizing it to
make smart decisions, poses a tremendous
challenge. Many lack a comprehensive approach
to making sense of all this data,
and as a result end up missing potential
opportunities and benefits that it presents.
Real-time predictive analytics technology
focuses on analyzing the metadata
from disparate systems and devices to
identify statistical patterns and trends. Often,
this requires examining data over the
course of months or years to accurately
predict what may occur at a given time.
The patterns or trends that result from
analyzing the data help identify certain
predictors that could indicate that an incident
may occur.
Insider threat is an increasingly prevalent
security concern for organizations,
with some statistics suggesting it is the
reason behind nearly half of all security
breaches. In some cases, these types of incidents
can be devastating, but not all insider
threat is obvious or destructive.
Rather, it could be as simple as a frustrated
sales rep downloading his contacts
or an engineer taking code before they leave
a company. Given the complex psychology
behind it, insider threat can be incredibly
difficult to understand and predict. This is
where big data comes in, allowing security
to analyze information and look at patterns
across a large number of employees over a
long time period to identify things that may
not be obvious or intuitive.
From this analysis, incidents that could
indicate potential insider threats, known
as indicators of compromise, begin to
emerge. A triggering event, such as a bad
performance review, a missed promotion
or something similar may be the trigger
that precedes an insider breach, and therefore
can serve as an indicator.
Information related to these events is
stored in the HR system and can be used
to generate an initial red flag that an individual
may pose a threat or needs to be
placed on a watch list.
Combining this HR information with
an analysis of every time that person enters
the premises and every door he or she
has accessed helps establish an individual’s
normal routine. By our nature, humans are
creatures of habit, so an individual’s regular
behavior pattern can be established
relatively quickly through data analysis.
These individual routines can then be
used to develop additional metrics to indicate
a potential threat. If an employee
exhibits not only differentiated behavioral
patterns but access patterns as well, those
indicators of compromise show that they
are a higher risk and as such should be
subjected to additional scrutiny.
For those employees who have been
flagged in the system, future deviations
from their routines, such as coming in to
or leaving work at an unusual hour or accessing
areas of the building or information
systems they’ve never accessed before, will
generate additional red flags or even alarms.
When an employee exhibits abnormal
behavior relative to their regular routine,
it may indicate a possibility of a potential
breach. But, these deviations could turn
out to be the result of normal or regular
access, and the individual may in fact pose
no threat to the organization. A supervisor
may have asked the employee to work
different hours or approved their access to
a particular area or system that might be
required for a particular project he or she
is working on.
In these cases, supporting data from
one or more systems will likely be available
as part of the analysis, and connecting
those dots will make the activity understandable
and remove the employee
from suspicion. This underscores the importance
of collecting and analyzing large
amounts of data, since without this context
provided by predictive analysis, the
data would essentially be useless.
One real-world example of the effectiveness
of predictive analysis can be
found in a company that was experiencing
the loss of their equipment over a period
of time. At first, the company was unsure
who was behind the thefts, but thought it
might be the work of an insider. One factor
was that the losses were mostly being
reported in the morning, which would indicate
that the thefts were likely occurring
after hours.
Based on this initial information, the
company began to analyze data to examine
employee activity, beginning with identifying
any employees who were behaving
outside of their normal routine.
They were able to determine those routines
using available data that had been
collected from a number of systems. This
analysis led them to discover that a particular
employee had started to access areas
and facilities they had never used previously.
They were also able to determine
that this access was regularly occurring
outside of the employee’s typical hours,
often in the late evening.
A final factor was that these abnormal
behaviors seemed to correspond with buildings
where the equipment was disappearing.
From there, the company set an alarm
for those types of events. The next time the
employee engaged in this new behavior pattern,
an alarm was triggered. When security
staff responded, they caught the employee
in the act of disassembling and preparing to
steal a piece of equipment.
As illustrated by this example, when
properly analyzed, data and information
become intelligence. Until now, the amount
of available data has often proven too great
for an organization to use properly, leading
to breakdowns in security processes.
Predictive analysis alters this paradigm by
pulling the most relevant information out
of the virtual ocean of available data in
order to develop the intelligence necessary
to improve security. Using the intelligence
gleaned from analyzing these vast amounts
of available data, organizations are able to
easily identify patterns, trends and behaviors
that could indicate a potential threat in
real time based on irregular behaviors and
access patterns.
This actionable intelligence enables
organizations to identify potential threats
in real time to apply better measures and
take proactive action to guard against incidents
or breaches that data suggests could
potentially occur down the road. Unlike
alarm-based processes, real-time predictive
analysis is immune to false alarms,
making the process unsusceptible to the
human nature that causes people to ignore
or respond slowly to alarms. Recognizing
a threat when it’s too late and responding
reactively is useless for improving security.
Taking advantage of big data, however,
predictive analysis transforms security
from a reactive process that involves
attempting to investigate in real time into
a more proactive and effective process.
This article originally appeared in the February 2015 issue of Security Today.