Protecting the Network
Improving physical security with operations’ team help
For many years, physical and network security
existed as separate disciplines, each
managed by an independent operations
team on its own side of the house with little
or no crossover between the two. Today, the
two are so closely intertwined that separating
physical from network security no longer makes sense.
Rather, both sides—if, indeed, they do not already operate under
the same umbrella—must work closely together, collaborating
on tactics to combat attacks and protect an organization
from rapidly growing risks including workplace violence, fraud,
cyberattacks and insider threat.
Discovering potential threats and taking action to prevent
breaches from happening requires a high level of security intelligence
along with technology created specifically for analyzing
activities across the enterprise. The aggregated data from diverse
physical security and logical/IT systems delivers the intelligence
needed to understand anomalous behaviors. Given
that need, and the increasingly close relationship
between the two disciplines, protecting the network
also strengthens physical security.
With every high-profile data breach comes a greater focus on
network security, mainly from a logical perspective. However,
these breaches are not always the work of faceless remote attackers
on the other side of the world. In many cases, they come
from the inside. For example, a disgruntled employee could trigger
a massive breach simply by plugging a thumb drive into a
USB port. Likewise, contractors or others who are given physical
access to network-connected assets introduce additional threats,
which might be the result of malicious activity but could also be
caused by individuals’ lack of awareness of physical and/or network
security policies. While this contributes to the strong link
between on-site physical security presence and protecting the
network, enterprises don’t always dedicate adequate resources to
focusing on this link.
The risk of insider threat is growing and has taken on greater
significance in enterprises’ security practices, driven by a shift in
how employment in general is viewed. Employees tend to remain in
a job for shorter periods of time than in the past, resulting in lower
levels of loyalty and commitment. Also contributing to this threat
is companies’ increasing reliance on more remote, virtual, contract
and temporary employees, who may have access to both physical
assets and systems.
The evolving insider threat landscape makes it vital
for enterprises to consider their own potential for insider
threats, including who might be most likely to
commit these types of crimes, potential costs and
how threats can be mitigated. One primary strategy
for protection is to widen their perspective.
Rather than looking at breaches as discrete,
isolated events, these should be recognized
as culminating events that stem from a
pattern of activity across several systems.
This requires expanding the data sources
enterprises use from solely IT- or facilities-
based systems to include other data
sources within the enterprise.
This has been difficult in the past,
both because of the challenges enterprises
have faced in simply collecting
data from disparate sources
and because of the limits in analyzing this data to improve security policies
and practices. Today, the intelligence of
the tools available for identifying threats
is growing. Whereas in the past enterprises
would likely settle for focusing on
a single data set such as access logs, today
they can incorporate other data sources,
significantly expanding their options for
better insights.
Predictive analysis solutions generate
the intelligence necessary to accomplish
this goal, correlating information from
multiple sources and translating that data
into action on an ongoing basis. This allows
security to transition from being a
mainly reactive resource to a more proactive
function.
The human resources database is a key
source of information, including titles,
roles and responsibilities; associated levels
of access to data; and the results of
any background checks performed on
prospective employees or candidates. Employees
in finance, engineering and IT departments
have greater access to critical or
sensitive data, and this access could potentially
be used to do more harm than other
employees could.
The HR database contains records of
events that might presage employees’ becoming
a higher-level insider threat. These
“triggering events” could include negative
feedback, a bad performance review,
poor scores on a performance improvement
plan, and any infractions or complaints.
Other red flags might be changes
in family status, such as marriage, divorce
or the birth of a child, all of which represent
potential changes in financial status
that could make employees susceptible to
temptation. A long period of time since
an employee last took a vacation could be
another indicator, as people in financial
difficulty often don’t take vacations, while
insider threat candidates may also remain
on the job to try to make sure no one is
monitoring their activities.
Mechanisms for correlating HR information
with other enterprise systems, such
as those tracking physical access, provide
the widest perspective on threat and risk.
For instance, a traditionally 9-to-5 employee
who attempts to enter a building in
the middle of the night or someone starting
to regularly frequent a building where
they have no responsibilities would be
suspicious. At the same time, enterprises
should be able to correlate data from access
systems with calendaring systems. An entire
team coming in at an odd hour may be
preparing for a business trip, an upcoming
conference or a teleconference with a global
client; a single employee doing so is more
suspicious. All of this information, when
shared across the network, determines who
might be most at risk of compromising an
enterprise via insider threat.
But understanding who to track among
permanent and temporary employees, and
how to track them, is only the beginning.
There are a number of approaches that
must be followed to enable an enterprise to
be highly efficient at identifying potential
insider threats before they become a reality.
The first, as noted earlier, is the need
for a system that connects each of the appropriate
data sources: human resources
databases, physical security systems and
IT logs. The system must be highly flexible,
easily integrated and unfailingly accurate.
After that, an enterprise must set
up a monitoring system that reviews information
aggregated from those sources,
such as job titles, triggering events, changes
in physical and system access patterns
and behavioral changes. By establishing a
baseline of behavior, enterprises can create
profiles and risk scores associated with
all levels of employees—permanent, part-time,
contractor, virtual.
The next step is to establish a high-risk
score threshold and identify employees who fall
above it. This provides enterprises the
ability to focus on only the highest-risk
roles; after all, it’s simply not feasible for
an enterprise to track everyone who uses
the printers or the photocopiers. Anyone
in those roles—or applying for those
roles—should be subject to initial as well
as periodic background checks. By identifying
high-risk employees, enterprises are
able to focus their efforts on only the most
likely individuals, allowing them to take
proactive steps to review access, segregate
roles to eliminate conflict or schedule
more-frequent (or more-detailed) audits
and reviews.
Context is the overarching theme behind
all of these efforts. Data points alone
represent an incomplete approach to insider
threat. Without the context of other
events, behaviors or attributes, this data is
useless, and those enterprises that rely simply
on patterns run the risk of diminishing
morale and/or unnecessarily creating a
culture of suspicion.
Bringing these data points together enables
enterprises to create the equivalent of
a “watch list” that can be used for permanent
employees as well as other categories.
For instance, the system may track contractors’
employees for safety and security
violations. If they decrease, there’s no harm
done. If they increase, the enterprise can
engage in remediation such as retraining,
limiting access, requiring an escort or reporting
the violations to a manager.
It is important to note that while the
data from these integrated systems is invaluable,
as with many other technological
solutions it is the most effective when
combined with personal instincts. The system
readily provides aggregated data that
wasn’t available previously, but—especially
in a world where quality talent is frequently
hard to come by—it can’t account for human
knowledge and insight. No software
can yet distinguish between inappropriate
and merely unusual behavior.
The network plays an integral role in
predictive analysis and proactive security
itself. Not only does it form the backbone
upon which information and data
is shared, collected and analyzed, but by
using IT logging systems, enterprises can
track data sources for unusual patterns,
such as employees using photocopiers,
printers or USB drives more frequently
than in the past, which may indicate unauthorized
collection of information.
The use of external data sharing sites like
Dropbox increases this possibility. Viewed
together, all of these activities may be indicative
of insider threat in the form of
misappropriation of data.
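The IT-log check described above (print, USB and cloud-sharing volumes compared with an employee's own past usage, and several channels spiking together treated as a pattern rather than a single oddity) is shown here as an added example that is not part of the article. The pre-aggregated log format, the source names, the baseline length and the ratio and z-score limits are assumptions chosen for illustration.

```python
"""Added example (not from the Security Today article): per-employee
baselining of IT log volumes (print jobs, USB mounts, cloud-share uploads)
and a deviation check. Log format, sources and limits are assumptions."""
import statistics
from collections import defaultdict

# Constructed log lines, pre-aggregated per ISO week: "week,user,source,count"
IT_LOG = """\
2016-W01,alice,print,12
2016-W02,alice,print,10
2016-W03,alice,print,14
2016-W04,alice,print,11
2016-W05,alice,print,95
2016-W01,alice,usb,0
2016-W02,alice,usb,1
2016-W03,alice,usb,0
2016-W04,alice,usb,1
2016-W05,alice,usb,9
2016-W01,alice,cloud_share,0
2016-W02,alice,cloud_share,0
2016-W03,alice,cloud_share,1
2016-W04,alice,cloud_share,0
2016-W05,alice,cloud_share,40
2016-W01,bob,print,30
2016-W02,bob,print,28
2016-W03,bob,print,35
2016-W04,bob,print,31
2016-W05,bob,print,36
"""

def parse_it_log(text):
    """Return {(user, source): {week: count}}."""
    series = defaultdict(dict)
    for line in text.strip().splitlines():
        week, user, source, count = line.split(",")
        series[(user, source)][week] = int(count)
    return series

def deviation(history, current, min_weeks=3):
    """Return (ratio, zscore) of `current` against the baseline weeks.
    Both are None with too little history; zscore is None when the baseline
    has no variance (e.g. a channel the employee never used before)."""
    if len(history) < min_weeks:
        return None, None
    mean = statistics.mean(history)
    sd = statistics.pstdev(history)
    if mean:
        ratio = current / mean
    else:
        ratio = float("inf") if current else 1.0
    z = (current - mean) / sd if sd else None
    return ratio, z

def flag_week(series, week, ratio_limit=3.0, z_limit=3.0):
    """Flag (user -> [sources]) whose volume in `week` is far above baseline."""
    flags = defaultdict(list)
    for (user, source), weeks in series.items():
        if week not in weeks:
            continue
        # ISO week strings sort chronologically, so earlier weeks form the baseline.
        history = [c for w, c in sorted(weeks.items()) if w < week]
        ratio, z = deviation(history, weeks[week])
        if ratio is None:
            continue
        if ratio >= ratio_limit or (z is not None and z >= z_limit):
            flags[user].append(source)
    return dict(flags)

def likely_collection(flags, min_sources=2):
    """Context check: one channel spiking is merely unusual; several
    collection channels spiking in the same week is the pattern the
    text describes as possible misappropriation of data."""
    return sorted(u for u, s in flags.items() if len(s) >= min_sources)

if __name__ == "__main__":
    series = parse_it_log(IT_LOG)
    flags = flag_week(series, "2016-W05")
    print("flagged:", flags)
    print("likely collection:", likely_collection(flags))
```

Bob's print volume in week 5 is his highest on record but sits well inside his own variance, so it produces no alert; Alice's print, USB and cloud-share volumes each jump far above her four-week baseline in the same week, which is the combined signal worth handing to a person for review.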
Therefore, given the role the network
plays and the importance of data to accurate
predictive analysis and increased physical
security, ensuring the integrity and availability
of that data is paramount, which is
why network security is such a critical component
of physical security. Without good
data, insider threats and other risks cannot
be properly identified, eliminating the potential
for proactive security measures. As
a result of the close relationship between
information and physical security, protecting
the network not only decreases the potential
for remote data breaches but also
contributes to stronger physical security for
enterprises.
This article originally appeared in the February 2016 issue of Security Today.