Actionable Intelligence - Data is the main player in making security decisions

Actionable Intelligence

Data is the main player in making security decisions

All security decisions are based on data. So, it would stand to reason that the more data organizations are able to collect, the more informed their security teams will be and, by extension, the better the decisions they make will be. Sadly, that’s not always the case thanks in large part to the sheer—and staggering— amount of data that is being collected today by an increasing number of devices and systems. Much of this “big data” has significant implications for security and when properly sorted, searched and executed, can become incredibly useful and actionable intelligence.

The underlying problem with the current security approach is that it does not involve analyzing available data. Alarm-based security processes are mainly reactive in nature. And, because more than 95 percent of alarms are false, we tend to respond slowly because there’s a good chance that the alarm isn’t valid.

In essence, the alarm monitoring process itself has inadvertently trained people that the data is so noisy as a result of the overwhelming number of false alarms that they won’t be able to accomplish their job and identify a threat as it occurs in real time. As a result, threats often go undetected; or by the time something happens, it’s too late to do anything about it.

Case in point: there have been many security breaches where there was actually enough relevant data located within disparate sources to warn of a possible security risk, but no way for the organization to extrapolate actionable intelligence from that data. For many organizations, simply organizing the vast quantity of security- and incident-related data, let alone analyzing it and utilizing it to make smart decisions, poses a tremendous challenge. Many lack a comprehensive approach to making sense of all this data, and as a result end up missing potential opportunities and benefits that it presents.

Real-time predictive analytics technology focuses on analyzing the metadata from disparate systems and devices to identify statistical patterns and trends. Often, this requires examining data over the course of months or years to accurately predict what may occur at a given time. The patterns or trends that result from analyzing the data help identify certain predictors that could indicate that an incident may occur.

Insider threat is an increasingly prevalent security concern for organizations, with some statistics suggesting it is the reason behind nearly half of all security breaches. In some cases, these types of incidents can be devastating, but not all insider threat is obvious or destructive.

Rather, it could be as simple as a frustrated sales rep downloading his contacts or an engineer taking code before they leave a company. Given the complex psychology behind it, insider threat can be incredibly difficult to understand and predict. This is where big data comes in, allowing security to analyze information and look at patterns across a large number of employees over a long time period to identify things that may not be obvious or intuitive.

From this analysis, incidents that could indicate potential insider threats, known as indicators of compromise, begin to emerge. A triggering event, such as a bad performance review, a missed promotion or something similar may be the trigger that precedes an insider breach, and therefore can serve as an indicator.

Information related to these events is stored in the HR system and can be used to generate an initial red flag that an individual may pose a threat or needs to be placed on a watch list.

Combining this HR information with an analysis of every time that person enters the premises and every door he or she has accessed helps establish an individual’s normal routine. By our nature, humans are creatures of habit, so an individual’s regular behavior pattern can be established relatively quickly through data analysis.

These individual routines can then be used to develop additional metrics to indicate a potential threat. If an employee exhibits not only differentiated behavioral patterns but access patterns as well, those indicators of compromise show that they are a higher risk and as such should be subjected to additional scrutiny.

For those employees who have been flagged in the system, future deviations from their routines, such as coming in to or leaving work at an unusual hour or accessing areas of the building or information systems they’ve never accessed before, will generate additional red flags or even alarms.

When an employee exhibits abnormal behavior relative to their regular routine, it may indicate a possibility of a potential breach. But, these deviations could turn out to be the result of normal or regular access, and the individual may in fact pose no threat to the organization. A supervisor may have asked the employee to work different hours or approved their access to a particular area or system that might be required for a particular project he or she is working on.

In these cases, supporting data from one or more systems will likely be available as part of the analysis, and connecting those dots will make the activity understandable and remove the employee from suspicion. This underscores the importance of collecting and analyzing large amounts of data, since without this context provided by predictive analysis, the data would essentially be useless.

One real-world example of the effectiveness of predictive analysis can be found in a company that was experiencing the loss of their equipment over a period of time. At first, the company was unsure who was behind the thefts, but thought it might be the work of an insider. One factor was that the losses were mostly being reported in the morning, which would indicate that the thefts were likely occurring after hours.

Based on this initial information, the company began to analyze data to examine employee activity, beginning with identifying any employees who were behaving outside of their normal routine.

They were able to determine those routines using available data that had been collected from a number of systems. This analysis led them to discover that a particular employee had started to access areas and facilities they had never used previously. They were also able to determine that this access was regularly occurring outside of the employee’s typical hours, often in the late evening.

A final factor was that these abnormal behaviors seemed to correspond with buildings where the equipment was disappearing. From there, the company set an alarm for those types of events. The next time the employee engaged in this new behavior pattern, an alarm was triggered. When security staff responded, they caught the employee in the act of disassembling and preparing to steal a piece of equipment.

As illustrated by this example, when properly analyzed, data and information become intelligence. Until now, the amount of available data has often proven too great for an organization to use properly, leading to breakdowns in security processes. Predictive analysis alters this paradigm by pulling the most relevant information out of the virtual ocean of available data in order to develop the intelligence necessary to improve security. Using the intelligence gleaned from analyzing these vast amounts of available data, organizations are able to easily identify patterns, trends and behaviors that could indicate a potential threat in real time based on irregular behaviors and access patterns.

This actionable intelligence enables organizations to identify potential threats in real time to apply better measures and take proactive action to guard against incidents or breaches that data suggests could potentially occur down the road. Unlike alarm-based processes, real-time predictive analysis is immune to false alarms, making the process unsusceptible to the human nature that causes people to ignore or respond slowly to alarms. Recognizing a threat when it’s too late and responding reactively is useless for improving security.

Taking advantage of big data, however, predictive analysis transforms security from a reactive process that involves attempting to investigate in real time into a more proactive and effective process.

This article originally appeared in the February 2015 issue of Security Today.


  • Maximizing Your Security Budget This Year

    7 Ways You Can Secure a High-Traffic Commercial Security Gate  

    Your commercial security gate is one of your most powerful tools to keep thieves off your property. Without a security gate, your commercial perimeter security plan is all for nothing. Read Now

  • Busy South Africa Building Integrates Custom Access Control System

    Nicol Corner, based in Bedfordview, Johannesburg, South Africa, is home to a six-star fitness club, prime office space, and an award-winning rooftop restaurant. This is the first building in South Africa to have its glass façade fully incorporate fritted glazing, saving 35% on energy consumption. Nicol Corner (Pty) LTD has developed a landmark with sophisticated design and unique architecture by collaborating with industry-leading partners and specifying world-class equipment throughout the project. This includes installing a high-spec, bespoke security and access control system. Read Now

  • Only 13 Percent of Research Institutions Are Prepared for AI

    A new survey commissioned by SHI International and Dell Technologies underscores the transformative potential of artificial intelligence (AI) while exposing significant gaps in preparedness at many research institutions. Read Now

  • Survey: 70 Percent of Organizations Have Established Dedicated SaaS Security Teams

    Seventy percent of organizations have prioritized investment in SaaS security, establishing dedicated SaaS security teams, despite economic uncertainty and workforce reductions. This was a key finding in the fourth Annual SaaS Security Survey Report: 2025 CISO Plans and Priorities released today by the Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining standards, certifications, and best practices to help ensure a secure cloud computing environment. Read Now

Featured Cybersecurity


New Products

  • QCS7230 System-on-Chip (SoC)

    QCS7230 System-on-Chip (SoC)

    The latest Qualcomm® Vision Intelligence Platform offers next-generation smart camera IoT solutions to improve safety and security across enterprises, cities and spaces. The Vision Intelligence Platform was expanded in March 2022 with the introduction of the QCS7230 System-on-Chip (SoC), which delivers superior artificial intelligence (AI) inferencing at the edge. 3

  • Camden CM-221 Series Switches

    Camden CM-221 Series Switches

    Camden Door Controls is pleased to announce that, in response to soaring customer demand, it has expanded its range of ValueWave™ no-touch switches to include a narrow (slimline) version with manual override. This override button is designed to provide additional assurance that the request to exit switch will open a door, even if the no-touch sensor fails to operate. This new slimline switch also features a heavy gauge stainless steel faceplate, a red/green illuminated light ring, and is IP65 rated, making it ideal for indoor or outdoor use as part of an automatic door or access control system. ValueWave™ no-touch switches are designed for easy installation and trouble-free service in high traffic applications. In addition to this narrow version, the CM-221 & CM-222 Series switches are available in a range of other models with single and double gang heavy-gauge stainless steel faceplates and include illuminated light rings. 3

  • AC Nio

    AC Nio

    Aiphone, a leading international manufacturer of intercom, access control, and emergency communication products, has introduced the AC Nio, its access control management software, an important addition to its new line of access control solutions. 3