Contextual Analytics

A more complete security and risk picture appears when fully prepared

Most security organizations underestimate the possible impact of security data and only use it for reporting. They may use enterprise analytics solutions to answer the “what” questions related to their security infrastructure without considering context, such as a person’s behavior, work shift or HR background. As a result, these solutions lack the ability to answer the “why” questions that are often the critical missing piece to understanding security threats. Responding without adequately analyzing a situation and its associated circumstances can increase an organization’s risk profile by creating an environment where security operations are managed by assumptions rather than measurable facts. This is why contextual analytics needs to play an important role in the decision-making process.

MAKING DECISIONS

Each of the millions of decisions made each day by people, devices and systems falls into one of two categories: binary and contextual. Binary decisions are those that are a simple choice between two options or pieces of data, such as yes or no. Contextual decisions, on the other hand, are much more involved, taking into account the circumstances that form the setting for an event, statement or idea to provide a fuller understanding of the decision that must be made and why.

Traditional or current security infrastructures typically make binary decisions. For example, if an employee forgets his or her cell phone in the office and needs to re-enter the building, the access control system makes a binary yes/no decision without considering any context, such as the employee’s behavior, work shift or HR background. Where contextual analysis would take these into account, a traditional access control system doesn’t care why the employee is entering, only that a valid credential is presented for entry.

Context-based security makes sense out of large amounts of data from multiple authoritative systems, including physical security systems and devices. Information is then analyzed from these sources to provide valuable insights and allow for more informed decisions.

Forward-thinking organizations try to make the most of the information they have on hand, relying on contextual analytics to make sense of the mountains of data generated by multiple authoritative and security systems and devices to gain a deeper understanding of threats and of operational efficiencies. Successful contextual analysis requires strong metrics. Determining how to implement a program that achieves both security and organizational goals can be a challenge, but there are a number of factors organizations can consider to ease the process.

KEY INDICATORS

The key indicators that define context for security decisions include access, process, and behavioral changes. Within each of these factors are a number of potential red flags that contextual analysis can use to detect potential risks to an organization.

When we look at access, there are many areas within the access spectrum that can give a deeper understanding of what is happening at a site. For example, the access levels individuals hold by virtue of their roles can be cross-compared with their normal access patterns. It is also useful to look for anomalies in device behavior, such as a reader that suddenly logs far more denials than it historically has.

Additional sources of access data include audit records and any prerequisite for an access privilege that is missing or out of date: the same person requesting and approving an access request, overdue audits, expired training, failed or missing background checks, or other gaps in the paperwork required before access is granted. Any one of these factors looked at alone may not seem like a red flag, but once the data is correlated across multiple systems, a clearer picture of typical and atypical access patterns emerges.

Process may seem difficult to track and monitor accurately, let alone feed into contextual analysis. The key is to use technologies that automate and track processes in a meaningful way across a global organization. Contractors are a good example: they are a way of life for many organizations and may act like employees while on the premises, but there are clearly differentiated processes that must be followed before access is provisioned for them. The contracting company must have the proper documentation on file, along with required insurance, training prerequisites and completed background checks. Depending on the industry, a violation of these policies and processes can lead to costly fines and delays in work. Without an automated system tracking how well an organization's policies and processes are followed, it would be extremely difficult to detect anomalous behavior.
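As an added illustration of the access and process checks above (this is example code written for this page, not the author's or any product's), the script below correlates one access request with the records that would come from the HR, training and background-check systems and reports the red flags that only show up when the sources are viewed together. The record layouts, field names, sample requests, verdict labels and the 365-day audit limit are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed records standing in for the access-request workflow, the HR /
# training system and the background-check provider. Field names and the
# 365-day audit limit are assumptions for this example, not a vendor's schema.


@dataclass
class AccessRequest:
    request_id: str
    subject: str          # person who will receive the access
    requester: str        # who submitted the request
    approver: str         # who approved it
    area: str
    is_contractor: bool = False


@dataclass
class SubjectRecord:
    training_expires: Optional[date]    # None: no training record at all
    background_check: Optional[str]     # "passed", "failed" or None (never done)
    last_access_audit: Optional[date]   # None: never audited
    insurance_on_file: bool = True      # contractor firm's certificate of insurance


AUDIT_MAX_AGE = timedelta(days=365)
# Flags that should stop provisioning on their own; everything else is "soft"
# and only becomes interesting when several of them line up.
HARD_STOPS = {"self-approval", "background check failed",
              "background check missing", "contractor insurance missing"}


def red_flags(req, rec, today):
    """Correlate one request with the subject's HR, background and audit records."""
    flags = []
    if req.requester == req.approver:
        flags.append("self-approval")            # separation of duties broken
    if rec.training_expires is None:
        flags.append("training missing")
    elif rec.training_expires < today:
        flags.append("training expired")
    if rec.background_check is None:
        flags.append("background check missing")
    elif rec.background_check != "passed":
        flags.append("background check failed")
    if rec.last_access_audit is None or today - rec.last_access_audit > AUDIT_MAX_AGE:
        flags.append("access audit overdue")
    if req.is_contractor and not rec.insurance_on_file:
        flags.append("contractor insurance missing")
    return flags


def decide(flags):
    """A hard stop blocks; two or more soft flags together are context worth a review."""
    if any(f in HARD_STOPS for f in flags):
        return "block"
    if len(flags) >= 2:
        return "review"
    return "provision"


TODAY = date(2016, 9, 15)

# Constructed sample requests paired with the subject's records.
SAMPLE = [
    (AccessRequest("R-1", "alice", "alice-mgr", "sec-ops", "DOOR-ENG-3F"),
     SubjectRecord(date(2017, 3, 1), "passed", date(2016, 5, 2))),
    (AccessRequest("R-2", "bob", "bob", "bob", "DOOR-SERVER-B1"),          # approved his own request
     SubjectRecord(date(2016, 1, 10), "passed", date(2015, 6, 30))),
    (AccessRequest("R-3", "contractor-7", "vendor-pm", "fac-mgr", "DOOR-LAB-2F", is_contractor=True),
     SubjectRecord(None, None, None, insurance_on_file=False)),
    (AccessRequest("R-4", "carol", "carol-mgr", "sec-ops", "DOOR-LAB-2F"),
     SubjectRecord(date(2016, 8, 1), "passed", date(2015, 1, 5))),       # two soft flags
]


def review_all(samples, today=TODAY):
    """Return {request_id: (verdict, flags)} for every sample request."""
    results = {}
    for req, rec in samples:
        flags = red_flags(req, rec, today)
        results[req.request_id] = (decide(flags), flags)
    return results


if __name__ == "__main__":
    for rid, (verdict, flags) in review_all(SAMPLE).items():
        print(f"{rid}: {verdict:9s} {', '.join(flags) or 'no flags'}")
```

R-4 is the case the text describes: an expired training record alone or an overdue audit alone would not stop anyone, but the two together mark the request for review, which only becomes visible once the training and audit systems are read side by side.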

Behavioral indicators are equally challenging to properly track. Using security systems alone may not be enough to get a full view into behavioral changes. This is where organizations need to start looking at other key indicators of compromise with the ability to make note of changes of behavior in a meaningful way. Perhaps the organization’s policy is for security to alert HR of an employee’s unusual patterns of behavior, thereby elevating the risk profile of individuals and monitoring their activity across an additional set of data points. To take it one step further, if individuals with an elevated risk score continue to access areas outside of their usual patterns, or if they begin accessing shared directories or printing more than normal, any one of these indicators can lead to an automated response from security with immediate action. This could include disabling their badge and/or access to IT infrastructure, dispatching security or any other number of actions deemed appropriate given the severity of the situation. The key is to put actions into context so that it is possible to pull insights from the data.

There are new technologies and solutions capable of recognizing these problems and anomalies quickly, provided the organization is measuring the most appropriate metrics.

BEST PRACTICES FOR IMPLEMENTING METRICS

There are a number of best practices organizations can follow to ensure they are measuring the strongest possible metrics—those that will provide the highest level of context and help identify potential risks.

Not all context is equal, so organizations’ first goal must be to capture and collect appropriate data that will help define context appropriately. Here again is where it is of critical importance to integrate intelligent automation that can correlate relevant data from diverse systems to create meaningful insights. Once this has been achieved, the next step is to implement predictive analytics that will identify and provide the behavioral context that will provide a more complete picture of incidents. Finally, organizations must use the intelligence generated by predictive analytics to drive actions and decisions.

In the case of credential fraud, the main question should be, "What context is needed to tell the difference between someone trying to enter with a stolen badge and an employee who forgot something inside?" The metrics needed to analyze credential fraud cover persistence and pattern: how long the individual has been attempting to gain entry, how many times, and whether the badge holder has ever been in that area before.

In this case, an automated system would need to measure and flag multiple access attempts, the access points that denied them and the time of day. Analyzed contextually, against the badge holder's established pattern, these metrics help distinguish an employee retrieving something left behind from someone who has stolen a badge and is probing sensitive areas of the facility. Note that a stolen badge still passes the binary credential check at every door its owner is authorized for; what the metrics expose is the departure from that owner's normal pattern, not anything about the credential itself.
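As a worked example of the credential-fraud metrics above (added here; not code from the original article or any vendor), the script below scores badge-reader episodes for persistence, denied doors, unfamiliar areas and off-shift timing against a baseline of where each badge has previously been granted. The log format, door names, shift window, weights and escalation threshold are constructed assumptions; a real deployment would tune them from its own history.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed badge-reader log for the example (not from any real system).
# Assumed line format: <ISO timestamp> <badge> <door> <GRANTED|DENIED>
# Days 12-13 are normal activity; on the 14th B1001 comes back for a forgotten
# item and B2002's badge is used to probe doors its owner never visits.
SAMPLE_LOG = """\
2016-09-12T08:02:11 B1001 DOOR-LOBBY GRANTED
2016-09-12T08:03:05 B1001 DOOR-ENG-3F GRANTED
2016-09-12T08:15:42 B2002 DOOR-LOBBY GRANTED
2016-09-12T08:16:30 B2002 DOOR-LAB-2F GRANTED
2016-09-13T07:58:19 B1001 DOOR-LOBBY GRANTED
2016-09-13T07:59:01 B1001 DOOR-ENG-3F GRANTED
2016-09-14T21:05:10 B1001 DOOR-LOBBY GRANTED
2016-09-14T21:06:02 B1001 DOOR-ENG-3F GRANTED
2016-09-14T22:40:13 B2002 DOOR-LOBBY GRANTED
2016-09-14T22:41:27 B2002 DOOR-SERVER-B1 DENIED
2016-09-14T22:42:03 B2002 DOOR-SERVER-B1 DENIED
2016-09-14T22:44:50 B2002 DOOR-FINANCE-4F DENIED
2016-09-14T22:45:31 B2002 DOOR-LAB-2F GRANTED
"""


@dataclass
class Event:
    ts: datetime
    badge: str
    door: str
    granted: bool


def parse_log(text):
    """Parse the assumed four-column log format into time-ordered events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, badge, door, result = line.split()
        events.append(Event(datetime.fromisoformat(ts), badge, door, result == "GRANTED"))
    return sorted(events, key=lambda e: e.ts)


def normal_doors(events, before):
    """Baseline: the doors each badge was granted at before the cutoff."""
    doors = defaultdict(set)
    for e in events:
        if e.ts < before and e.granted:
            doors[e.badge].add(e.door)
    return doors


def episodes(events, gap=timedelta(minutes=10)):
    """Group each badge's events into episodes separated by more than `gap`."""
    by_badge = defaultdict(list)
    for e in events:
        runs = by_badge[e.badge]
        if runs and e.ts - runs[-1][-1].ts <= gap:
            runs[-1].append(e)
        else:
            runs.append([e])
    return by_badge


def score_episode(ep, known, shift=(7, 19)):
    """Return (score, reasons); the weights are assumptions for the example."""
    score, reasons = 0, []
    span_min = int((ep[-1].ts - ep[0].ts).total_seconds() // 60)
    if len(ep) >= 3:                                   # persistence
        score += 2
        reasons.append(f"persistent: {len(ep)} attempts in {span_min} min")
    denied_doors = {e.door for e in ep if not e.granted}
    if len(denied_doors) >= 2:                         # probing several doors
        score += 2
        reasons.append(f"denied at {len(denied_doors)} different doors")
    novel = {e.door for e in ep} - known               # areas never visited before
    if novel:
        score += 2
        reasons.append(f"never seen at {sorted(novel)}")
    if any(not shift[0] <= e.ts.hour < shift[1] for e in ep):
        score += 1                                     # outside the assumed shift
        reasons.append("outside shift hours")
    return score, reasons


def assess(log_text, cutoff_iso, threshold=4):
    """Score every episode after the cutoff against the pre-cutoff baseline."""
    cutoff = datetime.fromisoformat(cutoff_iso)
    events = parse_log(log_text)
    known = normal_doors(events, cutoff)
    verdicts = {}
    for badge, runs in episodes([e for e in events if e.ts >= cutoff]).items():
        for ep in runs:
            score, reasons = score_episode(ep, known[badge])
            verdict = "escalate" if score >= threshold else "likely benign"
            verdicts[(badge, ep[0].ts.isoformat())] = (verdict, score, reasons)
    return verdicts


if __name__ == "__main__":
    for (badge, start), (verdict, score, reasons) in assess(SAMPLE_LOG, "2016-09-14T00:00:00").items():
        print(f"{badge} {start} {verdict} (score {score}): {'; '.join(reasons)}")
```

On the constructed log the forgotten-item episode (B1001) collects only the off-hours point, because the badge goes straight to the two doors it always uses, while the B2002 episode accumulates persistence, two distinct denied doors and two never-visited areas on top of the late hour. Both badges were valid at every door that opened; the difference is entirely in the pattern.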

LEVERAGING PREDICTIVE ANALYSIS

Without data, people make decisions based on instinct, which is far from the most accurate method. But simply having the data isn’t enough, as the information needed to provide valuable context for security resides in different “brains”—separate departments and disparate systems—that are often incapable of connecting and sharing data with each other. Yes, the data is there, but separately, these small, siloed pieces of information simply cannot create enough context to generate actionable intelligence.

For example, several smaller incidents may occur across a variety of locations, departments and/or systems, with the information known to multiple people or residing in different systems. If these incidents can be put together, they provide a complete picture of a larger pattern that may indicate something is about to occur. Unfortunately, this information often cannot be connected until the post-event investigation. So, how can all of these pieces be brought together to identify the context for predicting a particular situation or incident? Doing so requires leveraging new and emerging technologies, such as predictive analytics, that help create context for decisions and outcomes.

Predictive analytics solutions are the key to transforming security into a context-based process. A main strength of predictive analysis solutions is the ability to serve as a single platform that connects data from disparate systems. These solutions gather and correlate data from multiple sources, which is analyzed using a predictive engine to apply statistical algorithms and machine learning to make sense of the vast amount of data and generate reports and/or automated actions.

This analysis looks for anomalies and potential areas of improvement (including operational efficiencies) to provide a baseline that is used to identify the likelihood of future outcomes based on historical observation. These patterns provide valuable contextual history, indicators of compromise and risk analysis to increase the accuracy of the statistical findings many organizations already employ.

In addition to increasing security, contextual analytics also enables security to shift from a business barrier or cost center with manual processes that inhibit its effectiveness into a business enabler that provides ROI to the organization. Rather than being a device-driven operation, security becomes data-centric, allowing organizations to make cost-justified decisions, optimize spending and streamline security compliance.

Information may be power, but more important than simply having information available is having the ability to connect the dots between disparate data sources to develop valuable context that goes beyond binary “yes or no” decisions to answer the “why” questions that provide deeper understanding of security threats. Contextual analytics allow organizations to make more informed decisions based on facts and patterns, rather than instinct, while determining which events, incidents or actions are likely benign—such as an employee who left his or her credentials in the office—or pose a potential risk to the organization.

Predictive analytics have the power to deliver context-based security based on large amounts of raw data gathered from multiple systems to identify anomalies in patterns that may indicate potential problems. With the right context, these solutions generate a more complete security and risk picture while also identifying operational inefficiencies that can be addressed, making security a valuable partner within the organization.

This article originally appeared in the September 2016 issue of Security Today.
