Actionable Intelligence - Data is the main player in making security decisions

Actionable Intelligence

Data is the main player in making security decisions

All security decisions are based on data. So, it would stand to reason that the more data organizations are able to collect, the more informed their security teams will be and, by extension, the better the decisions they make will be. Sadly, that’s not always the case thanks in large part to the sheer—and staggering— amount of data that is being collected today by an increasing number of devices and systems. Much of this “big data” has significant implications for security and when properly sorted, searched and executed, can become incredibly useful and actionable intelligence.

The underlying problem with the current security approach is that it does not involve analyzing available data. Alarm-based security processes are mainly reactive in nature. And, because more than 95 percent of alarms are false, we tend to respond slowly because there’s a good chance that the alarm isn’t valid.

In essence, the alarm monitoring process itself has inadvertently trained people that the data is so noisy as a result of the overwhelming number of false alarms that they won’t be able to accomplish their job and identify a threat as it occurs in real time. As a result, threats often go undetected; or by the time something happens, it’s too late to do anything about it.

Case in point: there have been many security breaches where there was actually enough relevant data located within disparate sources to warn of a possible security risk, but no way for the organization to extrapolate actionable intelligence from that data. For many organizations, simply organizing the vast quantity of security- and incident-related data, let alone analyzing it and utilizing it to make smart decisions, poses a tremendous challenge. Many lack a comprehensive approach to making sense of all this data, and as a result end up missing potential opportunities and benefits that it presents.

Real-time predictive analytics technology focuses on analyzing the metadata from disparate systems and devices to identify statistical patterns and trends. Often, this requires examining data over the course of months or years to accurately predict what may occur at a given time. The patterns or trends that result from analyzing the data help identify certain predictors that could indicate that an incident may occur.

Insider threat is an increasingly prevalent security concern for organizations, with some statistics suggesting it is the reason behind nearly half of all security breaches. In some cases, these types of incidents can be devastating, but not all insider threat is obvious or destructive.

Rather, it could be as simple as a frustrated sales rep downloading his contacts or an engineer taking code before they leave a company. Given the complex psychology behind it, insider threat can be incredibly difficult to understand and predict. This is where big data comes in, allowing security to analyze information and look at patterns across a large number of employees over a long time period to identify things that may not be obvious or intuitive.

From this analysis, incidents that could indicate potential insider threats, known as indicators of compromise, begin to emerge. A triggering event, such as a bad performance review, a missed promotion or something similar may be the trigger that precedes an insider breach, and therefore can serve as an indicator.

Information related to these events is stored in the HR system and can be used to generate an initial red flag that an individual may pose a threat or needs to be placed on a watch list.

Combining this HR information with an analysis of every time that person enters the premises and every door he or she has accessed helps establish an individual’s normal routine. By our nature, humans are creatures of habit, so an individual’s regular behavior pattern can be established relatively quickly through data analysis.

These individual routines can then be used to develop additional metrics to indicate a potential threat. If an employee exhibits not only differentiated behavioral patterns but access patterns as well, those indicators of compromise show that they are a higher risk and as such should be subjected to additional scrutiny.

For those employees who have been flagged in the system, future deviations from their routines, such as coming in to or leaving work at an unusual hour or accessing areas of the building or information systems they’ve never accessed before, will generate additional red flags or even alarms.

When an employee exhibits abnormal behavior relative to their regular routine, it may indicate a possibility of a potential breach. But, these deviations could turn out to be the result of normal or regular access, and the individual may in fact pose no threat to the organization. A supervisor may have asked the employee to work different hours or approved their access to a particular area or system that might be required for a particular project he or she is working on.

In these cases, supporting data from one or more systems will likely be available as part of the analysis, and connecting those dots will make the activity understandable and remove the employee from suspicion. This underscores the importance of collecting and analyzing large amounts of data, since without this context provided by predictive analysis, the data would essentially be useless.

One real-world example of the effectiveness of predictive analysis can be found in a company that was experiencing the loss of their equipment over a period of time. At first, the company was unsure who was behind the thefts, but thought it might be the work of an insider. One factor was that the losses were mostly being reported in the morning, which would indicate that the thefts were likely occurring after hours.

Based on this initial information, the company began to analyze data to examine employee activity, beginning with identifying any employees who were behaving outside of their normal routine.

They were able to determine those routines using available data that had been collected from a number of systems. This analysis led them to discover that a particular employee had started to access areas and facilities they had never used previously. They were also able to determine that this access was regularly occurring outside of the employee’s typical hours, often in the late evening.

A final factor was that these abnormal behaviors seemed to correspond with buildings where the equipment was disappearing. From there, the company set an alarm for those types of events. The next time the employee engaged in this new behavior pattern, an alarm was triggered. When security staff responded, they caught the employee in the act of disassembling and preparing to steal a piece of equipment.

As illustrated by this example, when properly analyzed, data and information become intelligence. Until now, the amount of available data has often proven too great for an organization to use properly, leading to breakdowns in security processes. Predictive analysis alters this paradigm by pulling the most relevant information out of the virtual ocean of available data in order to develop the intelligence necessary to improve security. Using the intelligence gleaned from analyzing these vast amounts of available data, organizations are able to easily identify patterns, trends and behaviors that could indicate a potential threat in real time based on irregular behaviors and access patterns.

This actionable intelligence enables organizations to identify potential threats in real time to apply better measures and take proactive action to guard against incidents or breaches that data suggests could potentially occur down the road. Unlike alarm-based processes, real-time predictive analysis is immune to false alarms, making the process unsusceptible to the human nature that causes people to ignore or respond slowly to alarms. Recognizing a threat when it’s too late and responding reactively is useless for improving security.

Taking advantage of big data, however, predictive analysis transforms security from a reactive process that involves attempting to investigate in real time into a more proactive and effective process.

This article originally appeared in the February 2015 issue of Security Today.

Featured

  • New Report Reveals Top Trends Transforming Access Controller Technology

    Mercury Security, a provider in access control hardware and open platform solutions, has published its Trends in Access Controllers Report, based on a survey of over 450 security professionals across North America and Europe. The findings highlight the controller’s vital role in a physical access control system (PACS), where the device not only enforces access policies but also connects with readers to verify user credentials—ranging from ID badges to biometrics and mobile identities. With 72% of respondents identifying the controller as a critical or important factor in PACS design, the report underscores how the choice of controller platform has become a strategic decision for today’s security leaders. Read Now

  • Overwhelming Majority of CISOs Anticipate Surge in Cyber Attacks Over the Next Three Years

    An overwhelming 98% of chief information security officers (CISOs) expect a surge in cyber attacks over the next three years as organizations face an increasingly complex and artificial intelligence (AI)-driven digital threat landscape. This is according to new research conducted among 300 CISOs, chief information officers (CIOs), and senior IT professionals by CSC1, the leading provider of enterprise-class domain and domain name system (DNS) security. Read Now

  • ASIS International Introduces New ANSI-Approved Investigations Standard

    • Guard Services
  • Cloud Security Alliance Brings AI-Assisted Auditing to Cloud Computing

    The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining standards, certifications, and best practices to help ensure a secure cloud computing environment, today introduced an innovative addition to its suite of Security, Trust, Assurance and Risk (STAR) Registry assessments with the launch of Valid-AI-ted, an AI-powered, automated validation system. The new tool provides an automated quality check of assurance information of STAR Level 1 self-assessments using state-of-the-art LLM technology. Read Now

  • Report: Nearly 1 in 5 Healthcare Leaders Say Cyberattacks Have Impacted Patient Care

    Omega Systems, a provider of managed IT and security services, today released new research that reveals the growing impact of cybersecurity challenges on leading healthcare organizations and patient safety. According to the 2025 Healthcare IT Landscape Report, 19% of healthcare leaders say a cyberattack has already disrupted patient care, and more than half (52%) believe a fatal cyber-related incident is inevitable within the next five years. Read Now

New Products

  • FEP GameChanger

    FEP GameChanger

    Paige Datacom Solutions Introduces Important and Innovative Cabling Products GameChanger Cable, a proven and patented solution that significantly exceeds the reach of traditional category cable will now have a FEP/FEP construction.

  • A8V MIND

    A8V MIND

    Hexagon’s Geosystems presents a portable version of its Accur8vision detection system. A rugged all-in-one solution, the A8V MIND (Mobile Intrusion Detection) is designed to provide flexible protection of critical outdoor infrastructure and objects. Hexagon’s Accur8vision is a volumetric detection system that employs LiDAR technology to safeguard entire areas. Whenever it detects movement in a specified zone, it automatically differentiates a threat from a nonthreat, and immediately notifies security staff if necessary. Person detection is carried out within a radius of 80 meters from this device. Connected remotely via a portable computer device, it enables remote surveillance and does not depend on security staff patrolling the area.

  • AC Nio

    AC Nio

    Aiphone, a leading international manufacturer of intercom, access control, and emergency communication products, has introduced the AC Nio, its access control management software, an important addition to its new line of access control solutions.