Actionable Intelligence - Data is the main player in making security decisions

Actionable Intelligence

Data is the main player in making security decisions

All security decisions are based on data. So, it would stand to reason that the more data organizations are able to collect, the more informed their security teams will be and, by extension, the better the decisions they make will be. Sadly, that’s not always the case thanks in large part to the sheer—and staggering— amount of data that is being collected today by an increasing number of devices and systems. Much of this “big data” has significant implications for security and when properly sorted, searched and executed, can become incredibly useful and actionable intelligence.

The underlying problem with the current security approach is that it does not involve analyzing available data. Alarm-based security processes are mainly reactive in nature. And, because more than 95 percent of alarms are false, we tend to respond slowly because there’s a good chance that the alarm isn’t valid.

In essence, the alarm monitoring process itself has inadvertently trained people that the data is so noisy as a result of the overwhelming number of false alarms that they won’t be able to accomplish their job and identify a threat as it occurs in real time. As a result, threats often go undetected; or by the time something happens, it’s too late to do anything about it.

Case in point: there have been many security breaches where there was actually enough relevant data located within disparate sources to warn of a possible security risk, but no way for the organization to extrapolate actionable intelligence from that data. For many organizations, simply organizing the vast quantity of security- and incident-related data, let alone analyzing it and utilizing it to make smart decisions, poses a tremendous challenge. Many lack a comprehensive approach to making sense of all this data, and as a result end up missing potential opportunities and benefits that it presents.

Real-time predictive analytics technology focuses on analyzing the metadata from disparate systems and devices to identify statistical patterns and trends. Often, this requires examining data over the course of months or years to accurately predict what may occur at a given time. The patterns or trends that result from analyzing the data help identify certain predictors that could indicate that an incident may occur.

Insider threat is an increasingly prevalent security concern for organizations, with some statistics suggesting it is the reason behind nearly half of all security breaches. In some cases, these types of incidents can be devastating, but not all insider threat is obvious or destructive.

Rather, it could be as simple as a frustrated sales rep downloading his contacts or an engineer taking code before they leave a company. Given the complex psychology behind it, insider threat can be incredibly difficult to understand and predict. This is where big data comes in, allowing security to analyze information and look at patterns across a large number of employees over a long time period to identify things that may not be obvious or intuitive.

From this analysis, incidents that could indicate potential insider threats, known as indicators of compromise, begin to emerge. A triggering event, such as a bad performance review, a missed promotion or something similar may be the trigger that precedes an insider breach, and therefore can serve as an indicator.

Information related to these events is stored in the HR system and can be used to generate an initial red flag that an individual may pose a threat or needs to be placed on a watch list.

Combining this HR information with an analysis of every time that person enters the premises and every door he or she has accessed helps establish an individual’s normal routine. By our nature, humans are creatures of habit, so an individual’s regular behavior pattern can be established relatively quickly through data analysis.

These individual routines can then be used to develop additional metrics to indicate a potential threat. If an employee exhibits not only differentiated behavioral patterns but access patterns as well, those indicators of compromise show that they are a higher risk and as such should be subjected to additional scrutiny.

For those employees who have been flagged in the system, future deviations from their routines, such as coming in to or leaving work at an unusual hour or accessing areas of the building or information systems they’ve never accessed before, will generate additional red flags or even alarms.

When an employee exhibits abnormal behavior relative to their regular routine, it may indicate a possibility of a potential breach. But, these deviations could turn out to be the result of normal or regular access, and the individual may in fact pose no threat to the organization. A supervisor may have asked the employee to work different hours or approved their access to a particular area or system that might be required for a particular project he or she is working on.

In these cases, supporting data from one or more systems will likely be available as part of the analysis, and connecting those dots will make the activity understandable and remove the employee from suspicion. This underscores the importance of collecting and analyzing large amounts of data, since without this context provided by predictive analysis, the data would essentially be useless.

One real-world example of the effectiveness of predictive analysis can be found in a company that was experiencing the loss of their equipment over a period of time. At first, the company was unsure who was behind the thefts, but thought it might be the work of an insider. One factor was that the losses were mostly being reported in the morning, which would indicate that the thefts were likely occurring after hours.

Based on this initial information, the company began to analyze data to examine employee activity, beginning with identifying any employees who were behaving outside of their normal routine.

They were able to determine those routines using available data that had been collected from a number of systems. This analysis led them to discover that a particular employee had started to access areas and facilities they had never used previously. They were also able to determine that this access was regularly occurring outside of the employee’s typical hours, often in the late evening.

A final factor was that these abnormal behaviors seemed to correspond with buildings where the equipment was disappearing. From there, the company set an alarm for those types of events. The next time the employee engaged in this new behavior pattern, an alarm was triggered. When security staff responded, they caught the employee in the act of disassembling and preparing to steal a piece of equipment.

As illustrated by this example, when properly analyzed, data and information become intelligence. Until now, the amount of available data has often proven too great for an organization to use properly, leading to breakdowns in security processes. Predictive analysis alters this paradigm by pulling the most relevant information out of the virtual ocean of available data in order to develop the intelligence necessary to improve security. Using the intelligence gleaned from analyzing these vast amounts of available data, organizations are able to easily identify patterns, trends and behaviors that could indicate a potential threat in real time based on irregular behaviors and access patterns.

This actionable intelligence enables organizations to identify potential threats in real time to apply better measures and take proactive action to guard against incidents or breaches that data suggests could potentially occur down the road. Unlike alarm-based processes, real-time predictive analysis is immune to false alarms, making the process unsusceptible to the human nature that causes people to ignore or respond slowly to alarms. Recognizing a threat when it’s too late and responding reactively is useless for improving security.

Taking advantage of big data, however, predictive analysis transforms security from a reactive process that involves attempting to investigate in real time into a more proactive and effective process.

This article originally appeared in the February 2015 issue of Security Today.

Featured

Featured Cybersecurity

Webinars

New Products

  • Automatic Systems V07

    Automatic Systems V07

    Automatic Systems, an industry-leading manufacturer of pedestrian and vehicle secure entrance control access systems, is pleased to announce the release of its groundbreaking V07 software. The V07 software update is designed specifically to address cybersecurity concerns and will ensure the integrity and confidentiality of Automatic Systems applications. With the new V07 software, updates will be delivered by means of an encrypted file. 3

  • Mobile Safe Shield

    Mobile Safe Shield

    SafeWood Designs, Inc., a manufacturer of patented bullet resistant products, is excited to announce the launch of the Mobile Safe Shield. The Mobile Safe Shield is a moveable bullet resistant shield that provides protection in the event of an assailant and supplies cover in the event of an active shooter. With a heavy-duty steel frame, quality castor wheels, and bullet resistant core, the Mobile Safe Shield is a perfect addition to any guard station, security desks, courthouses, police stations, schools, office spaces and more. The Mobile Safe Shield is incredibly customizable. Bullet resistant materials are available in UL 752 Levels 1 through 8 and include glass, white board, tack board, veneer, and plastic laminate. Flexibility in bullet resistant materials allows for the Mobile Safe Shield to blend more with current interior décor for a seamless design aesthetic. Optional custom paint colors are also available for the steel frame. 3

  • ResponderLink

    ResponderLink

    Shooter Detection Systems (SDS), an Alarm.com company and a global leader in gunshot detection solutions, has introduced ResponderLink, a groundbreaking new 911 notification service for gunshot events. ResponderLink completes the circle from detection to 911 notification to first responder awareness, giving law enforcement enhanced situational intelligence they urgently need to save lives. Integrating SDS’s proven gunshot detection system with Noonlight’s SendPolice platform, ResponderLink is the first solution to automatically deliver real-time gunshot detection data to 911 call centers and first responders. When shots are detected, the 911 dispatching center, also known as the Public Safety Answering Point or PSAP, is contacted based on the gunfire location, enabling faster initiation of life-saving emergency protocols. 3