Actionable Intelligence - Data is the main player in making security decisions

Actionable Intelligence

Data is the main player in making security decisions

All security decisions are based on data. So, it would stand to reason that the more data organizations are able to collect, the more informed their security teams will be and, by extension, the better the decisions they make will be. Sadly, that’s not always the case thanks in large part to the sheer—and staggering— amount of data that is being collected today by an increasing number of devices and systems. Much of this “big data” has significant implications for security and when properly sorted, searched and executed, can become incredibly useful and actionable intelligence.

The underlying problem with the current security approach is that it does not involve analyzing available data. Alarm-based security processes are mainly reactive in nature. And, because more than 95 percent of alarms are false, we tend to respond slowly because there’s a good chance that the alarm isn’t valid.

In essence, the alarm monitoring process itself has inadvertently trained people that the data is so noisy as a result of the overwhelming number of false alarms that they won’t be able to accomplish their job and identify a threat as it occurs in real time. As a result, threats often go undetected; or by the time something happens, it’s too late to do anything about it.

Case in point: there have been many security breaches where there was actually enough relevant data located within disparate sources to warn of a possible security risk, but no way for the organization to extrapolate actionable intelligence from that data. For many organizations, simply organizing the vast quantity of security- and incident-related data, let alone analyzing it and utilizing it to make smart decisions, poses a tremendous challenge. Many lack a comprehensive approach to making sense of all this data, and as a result end up missing potential opportunities and benefits that it presents.

Real-time predictive analytics technology focuses on analyzing the metadata from disparate systems and devices to identify statistical patterns and trends. Often, this requires examining data over the course of months or years to accurately predict what may occur at a given time. The patterns or trends that result from analyzing the data help identify certain predictors that could indicate that an incident may occur.

Insider threat is an increasingly prevalent security concern for organizations, with some statistics suggesting it is the reason behind nearly half of all security breaches. In some cases, these types of incidents can be devastating, but not all insider threat is obvious or destructive.

Rather, it could be as simple as a frustrated sales rep downloading his contacts or an engineer taking code before they leave a company. Given the complex psychology behind it, insider threat can be incredibly difficult to understand and predict. This is where big data comes in, allowing security to analyze information and look at patterns across a large number of employees over a long time period to identify things that may not be obvious or intuitive.

From this analysis, incidents that could indicate potential insider threats, known as indicators of compromise, begin to emerge. A triggering event, such as a bad performance review, a missed promotion or something similar may be the trigger that precedes an insider breach, and therefore can serve as an indicator.

Information related to these events is stored in the HR system and can be used to generate an initial red flag that an individual may pose a threat or needs to be placed on a watch list.

Combining this HR information with an analysis of every time that person enters the premises and every door he or she has accessed helps establish an individual’s normal routine. By our nature, humans are creatures of habit, so an individual’s regular behavior pattern can be established relatively quickly through data analysis.

These individual routines can then be used to develop additional metrics to indicate a potential threat. If an employee exhibits not only differentiated behavioral patterns but access patterns as well, those indicators of compromise show that they are a higher risk and as such should be subjected to additional scrutiny.

For those employees who have been flagged in the system, future deviations from their routines, such as coming in to or leaving work at an unusual hour or accessing areas of the building or information systems they’ve never accessed before, will generate additional red flags or even alarms.

When an employee exhibits abnormal behavior relative to their regular routine, it may indicate a possibility of a potential breach. But, these deviations could turn out to be the result of normal or regular access, and the individual may in fact pose no threat to the organization. A supervisor may have asked the employee to work different hours or approved their access to a particular area or system that might be required for a particular project he or she is working on.

In these cases, supporting data from one or more systems will likely be available as part of the analysis, and connecting those dots will make the activity understandable and remove the employee from suspicion. This underscores the importance of collecting and analyzing large amounts of data, since without this context provided by predictive analysis, the data would essentially be useless.

One real-world example of the effectiveness of predictive analysis can be found in a company that was experiencing the loss of their equipment over a period of time. At first, the company was unsure who was behind the thefts, but thought it might be the work of an insider. One factor was that the losses were mostly being reported in the morning, which would indicate that the thefts were likely occurring after hours.

Based on this initial information, the company began to analyze data to examine employee activity, beginning with identifying any employees who were behaving outside of their normal routine.

They were able to determine those routines using available data that had been collected from a number of systems. This analysis led them to discover that a particular employee had started to access areas and facilities they had never used previously. They were also able to determine that this access was regularly occurring outside of the employee’s typical hours, often in the late evening.

A final factor was that these abnormal behaviors seemed to correspond with buildings where the equipment was disappearing. From there, the company set an alarm for those types of events. The next time the employee engaged in this new behavior pattern, an alarm was triggered. When security staff responded, they caught the employee in the act of disassembling and preparing to steal a piece of equipment.

As illustrated by this example, when properly analyzed, data and information become intelligence. Until now, the amount of available data has often proven too great for an organization to use properly, leading to breakdowns in security processes. Predictive analysis alters this paradigm by pulling the most relevant information out of the virtual ocean of available data in order to develop the intelligence necessary to improve security. Using the intelligence gleaned from analyzing these vast amounts of available data, organizations are able to easily identify patterns, trends and behaviors that could indicate a potential threat in real time based on irregular behaviors and access patterns.

This actionable intelligence enables organizations to identify potential threats in real time to apply better measures and take proactive action to guard against incidents or breaches that data suggests could potentially occur down the road. Unlike alarm-based processes, real-time predictive analysis is immune to false alarms, making the process unsusceptible to the human nature that causes people to ignore or respond slowly to alarms. Recognizing a threat when it’s too late and responding reactively is useless for improving security.

Taking advantage of big data, however, predictive analysis transforms security from a reactive process that involves attempting to investigate in real time into a more proactive and effective process.

This article originally appeared in the February 2015 issue of Security Today.

Featured

  • Allegion, Comfort Technologies Implement Mobile Credentials at the Artisan Apartment Homes in Florida

    Artisan Apartment Homes, a luxury apartment complex in Dunedin, Florida, recently transitioned from mechanical keys to electronic locks and centralized system software with support from Allegion US, a leading provider of security solutions, technology and services, and Florida-based Comfort Technologies, which specializes in deploying multifamily access control, IoT devices and software management solutions. Read Now

  • Mall of America Deploys AI-Powered Analytics to Enhance Parking Intelligence

    Mall of America®, the largest shopping and entertainment complex in North America, announced an expansion of its ongoing partnership with Axis Communications to deploy cutting-edge car-counting video analytics across more than a dozen locations. With this expansion, Mall of America (MOA) has boosted operational efficiency, improved safety and security, and enabled more informed decision-making around employee scheduling and streamlining transportation for large events. Read Now

  • Security Industry Association Launches New “askSIA” AI Tool

    The Security Industry Association (SIA) has unveiled a brand-new SIA member benefit – askSIA, a conversational AI agent designed to help users get the most out of their SIA membership, easily access SIA resources and find the latest information on SIA’s training and courses, reports and publications, events, certification offerings and more. SIA members can easily find askSIA by visiting the SIA homepage or looking for the askSIA icon in the top left of webpages. Read Now

    • Industry Events
  • Industry Embraces Mobile Access, Biometrics and AI

    A combination of evolving workplace dynamics, technology innovation and new user expectations is changing how people enter and interact with physical spaces. Access control is at the heart of these changes. Combined with biometrics and AI, mobile access control has become increasingly crucial for deploying entry solutions that are seamless, secure and adaptive to user needs. Read Now

  • Sustainable Video Solution Delivered for Landmark City of London Office Development

    An advanced, end-to-end video solution from IDIS, with a focus on reducing waste and costs, has helped a major office development in the City of London align its security with sustainability objectives. Read Now

New Products

  • Camden CM-221 Series Switches

    Camden CM-221 Series Switches

    Camden Door Controls is pleased to announce that, in response to soaring customer demand, it has expanded its range of ValueWave™ no-touch switches to include a narrow (slimline) version with manual override. This override button is designed to provide additional assurance that the request to exit switch will open a door, even if the no-touch sensor fails to operate. This new slimline switch also features a heavy gauge stainless steel faceplate, a red/green illuminated light ring, and is IP65 rated, making it ideal for indoor or outdoor use as part of an automatic door or access control system. ValueWave™ no-touch switches are designed for easy installation and trouble-free service in high traffic applications. In addition to this narrow version, the CM-221 & CM-222 Series switches are available in a range of other models with single and double gang heavy-gauge stainless steel faceplates and include illuminated light rings.

  • Luma x20

    Luma x20

    Snap One has announced its popular Luma x20 family of surveillance products now offers even greater security and privacy for home and business owners across the globe by giving them full control over integrators’ system access to view live and recorded video. According to Snap One Product Manager Derek Webb, the new “customer handoff” feature provides enhanced user control after initial installation, allowing the owners to have total privacy while also making it easy to reinstate integrator access when maintenance or assistance is required. This new feature is now available to all Luma x20 users globally. “The Luma x20 family of surveillance solutions provides excellent image and audio capture, and with the new customer handoff feature, it now offers absolute privacy for camera feeds and recordings,” Webb said. “With notifications and integrator access controlled through the powerful OvrC remote system management platform, it’s easy for integrators to give their clients full control of their footage and then to get temporary access from the client for any troubleshooting needs.”

  • Automatic Systems V07

    Automatic Systems V07

    Automatic Systems, an industry-leading manufacturer of pedestrian and vehicle secure entrance control access systems, is pleased to announce the release of its groundbreaking V07 software. The V07 software update is designed specifically to address cybersecurity concerns and will ensure the integrity and confidentiality of Automatic Systems applications. With the new V07 software, updates will be delivered by means of an encrypted file.