Actionable Intelligence - Data is the main player in making security decisions

Actionable Intelligence

Data is the main player in making security decisions

All security decisions are based on data. So, it would stand to reason that the more data organizations are able to collect, the more informed their security teams will be and, by extension, the better the decisions they make will be. Sadly, that’s not always the case thanks in large part to the sheer—and staggering— amount of data that is being collected today by an increasing number of devices and systems. Much of this “big data” has significant implications for security and when properly sorted, searched and executed, can become incredibly useful and actionable intelligence.

The underlying problem with the current security approach is that it does not involve analyzing available data. Alarm-based security processes are mainly reactive in nature. And, because more than 95 percent of alarms are false, we tend to respond slowly because there’s a good chance that the alarm isn’t valid.

In essence, the alarm monitoring process itself has inadvertently trained people that the data is so noisy as a result of the overwhelming number of false alarms that they won’t be able to accomplish their job and identify a threat as it occurs in real time. As a result, threats often go undetected; or by the time something happens, it’s too late to do anything about it.

Case in point: there have been many security breaches where there was actually enough relevant data located within disparate sources to warn of a possible security risk, but no way for the organization to extrapolate actionable intelligence from that data. For many organizations, simply organizing the vast quantity of security- and incident-related data, let alone analyzing it and utilizing it to make smart decisions, poses a tremendous challenge. Many lack a comprehensive approach to making sense of all this data, and as a result end up missing potential opportunities and benefits that it presents.

Real-time predictive analytics technology focuses on analyzing the metadata from disparate systems and devices to identify statistical patterns and trends. Often, this requires examining data over the course of months or years to accurately predict what may occur at a given time. The patterns or trends that result from analyzing the data help identify certain predictors that could indicate that an incident may occur.

Insider threat is an increasingly prevalent security concern for organizations, with some statistics suggesting it is the reason behind nearly half of all security breaches. In some cases, these types of incidents can be devastating, but not all insider threat is obvious or destructive.

Rather, it could be as simple as a frustrated sales rep downloading his contacts or an engineer taking code before they leave a company. Given the complex psychology behind it, insider threat can be incredibly difficult to understand and predict. This is where big data comes in, allowing security to analyze information and look at patterns across a large number of employees over a long time period to identify things that may not be obvious or intuitive.

From this analysis, incidents that could indicate potential insider threats, known as indicators of compromise, begin to emerge. A triggering event, such as a bad performance review, a missed promotion or something similar may be the trigger that precedes an insider breach, and therefore can serve as an indicator.

Information related to these events is stored in the HR system and can be used to generate an initial red flag that an individual may pose a threat or needs to be placed on a watch list.

Combining this HR information with an analysis of every time that person enters the premises and every door he or she has accessed helps establish an individual’s normal routine. By our nature, humans are creatures of habit, so an individual’s regular behavior pattern can be established relatively quickly through data analysis.

These individual routines can then be used to develop additional metrics to indicate a potential threat. If an employee exhibits not only differentiated behavioral patterns but access patterns as well, those indicators of compromise show that they are a higher risk and as such should be subjected to additional scrutiny.

For those employees who have been flagged in the system, future deviations from their routines, such as coming in to or leaving work at an unusual hour or accessing areas of the building or information systems they’ve never accessed before, will generate additional red flags or even alarms.

When an employee exhibits abnormal behavior relative to their regular routine, it may indicate a possibility of a potential breach. But, these deviations could turn out to be the result of normal or regular access, and the individual may in fact pose no threat to the organization. A supervisor may have asked the employee to work different hours or approved their access to a particular area or system that might be required for a particular project he or she is working on.

In these cases, supporting data from one or more systems will likely be available as part of the analysis, and connecting those dots will make the activity understandable and remove the employee from suspicion. This underscores the importance of collecting and analyzing large amounts of data, since without this context provided by predictive analysis, the data would essentially be useless.

One real-world example of the effectiveness of predictive analysis can be found in a company that was experiencing the loss of their equipment over a period of time. At first, the company was unsure who was behind the thefts, but thought it might be the work of an insider. One factor was that the losses were mostly being reported in the morning, which would indicate that the thefts were likely occurring after hours.

Based on this initial information, the company began to analyze data to examine employee activity, beginning with identifying any employees who were behaving outside of their normal routine.

They were able to determine those routines using available data that had been collected from a number of systems. This analysis led them to discover that a particular employee had started to access areas and facilities they had never used previously. They were also able to determine that this access was regularly occurring outside of the employee’s typical hours, often in the late evening.

A final factor was that these abnormal behaviors seemed to correspond with buildings where the equipment was disappearing. From there, the company set an alarm for those types of events. The next time the employee engaged in this new behavior pattern, an alarm was triggered. When security staff responded, they caught the employee in the act of disassembling and preparing to steal a piece of equipment.

As illustrated by this example, when properly analyzed, data and information become intelligence. Until now, the amount of available data has often proven too great for an organization to use properly, leading to breakdowns in security processes. Predictive analysis alters this paradigm by pulling the most relevant information out of the virtual ocean of available data in order to develop the intelligence necessary to improve security. Using the intelligence gleaned from analyzing these vast amounts of available data, organizations are able to easily identify patterns, trends and behaviors that could indicate a potential threat in real time based on irregular behaviors and access patterns.

This actionable intelligence enables organizations to identify potential threats in real time to apply better measures and take proactive action to guard against incidents or breaches that data suggests could potentially occur down the road. Unlike alarm-based processes, real-time predictive analysis is immune to false alarms, making the process unsusceptible to the human nature that causes people to ignore or respond slowly to alarms. Recognizing a threat when it’s too late and responding reactively is useless for improving security.

Taking advantage of big data, however, predictive analysis transforms security from a reactive process that involves attempting to investigate in real time into a more proactive and effective process.

This article originally appeared in the February 2015 issue of Security Today.

Featured

  • It's Show Time

    I am one of those people that likes to see things get bigger and better. As advertised, ISC West is going to be bigger (more exhibitors) and better (more attendees). It’s show time in Las Vegas. Read Now

    • Industry Events
    • ISC West
  • Cyber Overconfidence Is Leaving Your Organization Vulnerable

    The increased sophistication of cyber threats pumped by the relentless use of AI and machine learning brings forth record-breaking statistics. Cyberattacks grew 44% YoY in 2024, with a weekly average of 1,673 cyberattacks per organization. While organizations up their security game to help thwart these attacks, a critical question remains: Can employees identify a threat when they come across one? A Confidence Gap survey reveals that 86% of employees feel confident in their ability to identify phishing attempts. But things are not as rosy as they appear; the more significant part of the report finds this confidence misplaced. Read Now

  • Mission 500 Debuts Refreshed Identity Ahead of Security 5K/2K at ISC West

    Mission 500, the security industry’s nonprofit charity dedicated to supporting children in need across the US, Canada, and Puerto Rico, has unveiled a refreshed brand identity ahead of ISC West. The charity’s new look includes a modernized logo with refined messaging to reinforce Mission 500’s nearly decade-long commitment to serving the needs of children and families in crisis. Read Now

    • Industry Events
  • Meeting Modern Demands

    Door hardware and access control continue to be at the forefront of innovation within the security industry, continuously evolving to meet the dynamic needs of commercial spaces. Read Now

New Products

  • FEP GameChanger

    FEP GameChanger

    Paige Datacom Solutions Introduces Important and Innovative Cabling Products GameChanger Cable, a proven and patented solution that significantly exceeds the reach of traditional category cable will now have a FEP/FEP construction.

  • AC Nio

    AC Nio

    Aiphone, a leading international manufacturer of intercom, access control, and emergency communication products, has introduced the AC Nio, its access control management software, an important addition to its new line of access control solutions.

  • Camden CM-221 Series Switches

    Camden CM-221 Series Switches

    Camden Door Controls is pleased to announce that, in response to soaring customer demand, it has expanded its range of ValueWave™ no-touch switches to include a narrow (slimline) version with manual override. This override button is designed to provide additional assurance that the request to exit switch will open a door, even if the no-touch sensor fails to operate. This new slimline switch also features a heavy gauge stainless steel faceplate, a red/green illuminated light ring, and is IP65 rated, making it ideal for indoor or outdoor use as part of an automatic door or access control system. ValueWave™ no-touch switches are designed for easy installation and trouble-free service in high traffic applications. In addition to this narrow version, the CM-221 & CM-222 Series switches are available in a range of other models with single and double gang heavy-gauge stainless steel faceplates and include illuminated light rings.