Virtual Blind Spots

Why physical video surveillance is not enough

In the physical realm, video surveillance is among the most effective methods for safeguarding property. With 24/7 monitoring, companies ensure that trusted insiders have access to the premises, and that criminals do not. Unfortunately, in today’s business world, physical surveillance is not enough, though, as property that criminals seek now exists in the digital realm. And, in these instances, where data like credit card information, social security numbers, healthcare records and others are compromised, it is often impossible to distinguish between the criminals and the trusted insiders.

Research shows that the real threat lies with users who have access. In fact, more than 67 percent of data breaches involve stolen credentials from internal employees, remote vendors and other third-party contractors.

In the Target breach, for instance, attackers gained access to the network by compromising the credentials of an HVAC contractor. When eBay revealed that hackers had breached its network, making off with approximately 145 million user records, they indicated that the assailants gained access to customer records by compromising a small number of privileged employee accounts. Even the Snowden breach would not have been possible without the use of stolen and “borrowed” user credentials. In these circumstances, physical surveillance did not identify the culprit. Instead, these organizations needed to augment their security processes with a digital-based solution.

A New Solution Emerges

In the past, IT security teams attempted to assemble a picture of what people were doing based on infrastructure data available from systems logs—firewalls, SBCs and databases—but this method does not provide a complete, end-to-end view of user behaviors. Now, a new breed of security technology has emerged: user activity monitoring.

This type of monitoring enables companies to track their actual users and understand who did what on which computer. These solutions start with the user, rather than the infrastructure data, and create “videos” that capture exactly which applications the user accessed, which options they selected, what they typed, what files they downloaded and more. In short, user activity monitoring solutions can track every user action, no matter how they connect, where they travel in the network or what they do.

Simply videotaping user activity— physically or digitally—is not all that helpful if it requires the security team to constantly view hours of footage to find a problem. Fortunately, digital solutions can be equipped with analytics that evaluate activities against known user information and usage patterns to help companies rapidly detect suspicious, abnormal or outof- policy behaviors. Analytically-enabled user activity monitoring systems can alert on a variety of conditions such as if an employee ran a screen-sharing application on a server machine, executed a DROP command from a production database or changed the settings on a firewall. It can alert a healthcare provider when a nonattending physician attempts to access the medical records of a famous patient or tell a company that an authorized vendor accessed a file in the financial system.

With footage of exactly what the user did to trigger the alert, security professionals can quickly determine if the user is acting illegally and immediately shut the account down.

Clearly, there are tremendous benefits to adding user monitoring to any security program. Early detection limits risk exposure and can possibly prevent a complete breach. More importantly, solutions equipped with video capturing capabilities provide empirical evidence on both the culprit and his/her goal. Many times, companies that suffer from an assault cannot gain a clear picture of exactly what system was compromised, what data was taken or what pieces of intellectual property were viewed.

Not Adequately Protected

Unfortunately, many companies believe they are adequately protected against security breaches and do not realize the value of user activity monitoring until it is too late. There are a variety of reasons for this including:

Concentrating on machines, not people. For protection, organizations tend to concentrate on shoring up firewalls, creating complex authentication schemes, deploying malware-detection systems and/or using other automated and technology-based solutions. However, once a user is authorized, very few companies track where they go and what they do. In this scenario, it can take months for a company to realize that its systems have been compromised.

Getting lost in log data. Some companies believe that log files hold all the information they need to adequately discover and diagnose security issues. Unfortunately, this approach can leave knowledge gaps. Not every application provides detailed log files, and sophisticated hackers have been known to disable serverbased tracking features to navigate networks undetected.

On the flip side, log files were created to help programmers troubleshoot equipment related issues; therefore, they do not always provide the kind of data IT security teams need to determine if a specific user is acting suspiciously. More importantly, they rarely provide the complete trail of evidence a company would need to fully understand what exactly the hackers stole.

Relying on user-restrictions. Many organizations believe that carefully classifying what information, setting or systems that specific users are able to access is enough to prevent a breach. Unfortunately, hackers who are smart enough to steal credentials are typically savvy enough to work around these restrictions. Without a clear picture of a user’s activity as a whole that can then be compared to their privileges, unauthorized access can go undetected until a full breach is discovered.

Trusting alert overload. Because network monitoring solutions generate an overwhelming number of alerts on a daily basis—from firewalls, SBCs, routers and more—many organizations believe they must be covering all their bases. However, even the most meticulous support team, equipped with powerful SIEM systems, can get bogged down. Companies that do not include data from user-activity monitoring can easily miss the intelligence that would spotlight fraudulent, anomalous or out-of-policy behaviors from either employees or authorized third parties.

A Holistic Approach

As the potential payoff from both corporate espionage and fraudulent financial activities continues to skyrocket, organizations are forced to find new ways to fend off sophisticated assaults from multiple angles. Therefore, companies need to take a holistic, all-encompassing approach to defense.

Being able to quickly identify the culprits, even when disguised, and what they are trying to accomplish is the most important task for any security team. This makes surveillance— both physical and digital—a crucial piece of any security program.

On the digital side, user activity monitoring is emerging as a key strategy for limiting exposure to threats stemming from user accounts. Without proof of who did what and when, companies can find themselves not only compromised but wholly without the intelligence they need to adequately rectify the situation and fully explain it to customers, and the public at large.

This article originally appeared in the November 2014 issue of Security Today.

Featured

  • Until We Meet Again

    A short three years ago we were all pondering whether to attend any tradeshows all thanks to COVID-19. Sorry to bring that nightmare up again, but it seems that little pandemic is in the rear-view mirror, and it’s time to meet again. Read Now

    • ISC West
  • Cyber Hygiene: What it Looks Like for IoT Devices

    Cyber Hygiene: What it Looks Like for IoT Devices

    For our second pillar about the Industrial Internet of Things (IIoT) Pillars of Security, we are going to discuss what cyber hygiene looks like for IoT devices. Read Now

  • ISC West Announces 2023 Keynote Series Speaker Lineup

    The International Security Conference (ISC), in collaboration with premier sponsor Security Industry Association (SIA), announced five of this year’s ISC West Keynote Series speakers. ISC West will kick off its annual conference on March 28 (SIA Education@ISC: March 28-30 | Exhibit Hall: March 29-31) at the Venetian Expo in Las Vegas, Nevada. Read Now

    • ISC West
  • Accelerating Security Modernization

    In recent years, the term “digital transformation” has been one of the most frequently used buzzwords across industries. On its most basic level, it refers to the reimagining of how an organization leverages its technology systems to improve business processes. Read Now

Featured Cybersecurity

New Products

  • Camden Door Controls CV-603 2 Door Bluetooth Access Control System

    Camden Door Controls CV-603 2 Door Bluetooth Access Control System

    his app-based system is designed to provide ‘best in class’ security of doors and gates, with up to 2,000 users. The intuitive programming app is Apple® and Android® compatible, with easy to use system set-up, user administration, downloadable audit trail and data back-up. 3

  • ABLOY IP54-rated Integrated Dust Cover

    ABLOY IP54-rated Integrated Dust Cover

    One of the things that keep security managers on high alert is the real possibility the security locks used to safeguard their properties may unexpectedly fail due to environmental conditions. 3

  • Genetec Security Center

    Genetec Security Center

    This major new release allows more system components to run in the cloud, reducing the gap between cloud and on-premises security systems. It also makes it easier to connect external systems and tap external data for use in dashboards, maps and investigations without relying on complex, specialized integrations. 3