Contextual Analytics

A more complete security and risk picture appears when fully prepared

Most security organizations underestimate the possible impact of security data and only use it for reporting. They may use enterprise analytics solutions to answer the “what” questions related to their security infrastructure without considering context, such as a person’s behavior, work shift or HR background. As a result, these solutions lack the ability to answer the “why” questions that are often the critical missing piece to understanding security threats. Responding without adequately analyzing a situation and its associated circumstances can increase an organization’s risk profile by creating an environment where security operations are managed by assumptions rather than measurable facts. This is why contextual analytics needs to play an important role in the decision-making process.

MAKING DECISIONS

Each of the millions of decisions made each day by people, devices and systems falls into one of two categories: binary and contextual. Binary decisions are those that are a simple choice between two options or pieces of data, such as yes or no. Contextual decisions, on the other hand, are much more involved, taking into account the circumstances that form the setting for an event, statement or idea to provide a fuller understanding of the decision that must be made and why.

Traditional or current security infrastructures typically make binary decisions. For example, if an employee forgets his or her cell phone in the office and needs to re-enter the building, the access control system makes a binary yes/no decision without considering any context, such as the employee’s behavior, work shift or HR background. Where contextual analysis would take these into account, a traditional access control system doesn’t care why the employee is entering, only that a valid credential is presented for entry.

Context-based security makes sense out of large amounts of data from multiple authoritative systems, including physical security systems and devices. Information is then analyzed from these sources to provide valuable insights and allow for more informed decisions.

Forward-thinking organizations try to make the most of the information they have on hand, relying on contextual analytics to make sense out of the mountains of data generated by multiple authoritative and security systems and devices to provide a deeper understanding of threat and operational efficiencies. Successful contextual analysis requires strong metrics. Determining how to implement a program to achieve security and organizational goals can be a challenge, but there are a number of factors organizations can consider to ease the process.

KEY INDICATORS

The key indicators that define context for security decisions include access, process, and behavioral changes. Within each of these factors are a number of potential red flags that contextual analysis can use to detect potential risks to an organization.

Within access alone, many data points can give a deeper understanding of what is happening at a site. For example, the access levels granted to individuals based on their roles can be cross-compared with their normal access patterns. Anomalies in device behavior are also worth looking for.

Additional sources of access data include audits and any indicators that may present a red flag: the same person requesting and approving an access request, delays in conducting an audit, expired training, failed or missing background checks, or other data missing from the prerequisites for access privileges. Any one of these factors looked at alone may not seem like a red flag, but once you begin to look at the data across multiple systems, you get a much better contextual landscape of typical and atypical access patterns.
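As an added example (not from the article), the red flags listed above expressed as checks over constructed access-provisioning records, with a second pass that correlates the flags per person across records, which is the cross-system view a single record cannot give. The record fields, the 365-day audit interval, the sample data and the flag labels are assumptions.

```python
"""Added example: red-flag checks over access-provisioning records.
All records are constructed sample data; the field names, the 365-day
audit interval and the flag labels are assumptions, not a standard."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

AUDIT_INTERVAL = timedelta(days=365)  # assumed policy: each access is re-audited yearly
AS_OF = date(2016, 9, 1)              # constructed "today" for the sample run


@dataclass
class AccessRequest:
    request_id: str
    subject: str                       # person who will hold the access
    requested_by: str
    approved_by: str
    area: str
    training_expires: Optional[date]   # None = required training never completed
    background_check: str              # "passed", "failed" or "missing"
    last_audit: Optional[date]         # None = never audited


def flag_request(req: AccessRequest, today: date) -> List[str]:
    """Return the red flags raised by one record, or [] if it is clean."""
    flags = []
    # Separation of duties: requester and approver must be different people.
    if req.requested_by == req.approved_by:
        flags.append("self-approved")
    # Training prerequisite must be on file and still current.
    if req.training_expires is None:
        flags.append("training-missing")
    elif req.training_expires < today:
        flags.append("training-expired")
    # Background check must have passed, not merely been started.
    if req.background_check != "passed":
        flags.append("background-check-" + req.background_check)
    # Audit cadence: access not reviewed within the policy interval.
    if req.last_audit is None or today - req.last_audit > AUDIT_INTERVAL:
        flags.append("audit-overdue")
    return flags


def audit_requests(requests, today):
    """Map request_id -> flags for every record that raised at least one."""
    results = {}
    for req in requests:
        flags = flag_request(req, today)
        if flags:
            results[req.request_id] = flags
    return results


def risk_by_subject(requests, today):
    """Correlate across records: the distinct flags each person accumulates,
    so a weak signal in one system shows up beside weak signals in others."""
    by_subject = {}
    for req in requests:
        for flag in flag_request(req, today):
            by_subject.setdefault(req.subject, set()).add(flag)
    return {subject: sorted(flags) for subject, flags in by_subject.items()}


# Constructed sample records (not real people, areas or dates).
SAMPLE_REQUESTS = [
    AccessRequest("R-1", "alice", "bob", "carol", "ENG-2",
                  date(2017, 1, 1), "passed", date(2016, 3, 1)),
    AccessRequest("R-2", "dave", "dave", "dave", "SERVER-RM",
                  date(2016, 6, 30), "passed", date(2016, 1, 15)),
    AccessRequest("R-3", "erin", "frank", "gina", "LAB-3",
                  None, "missing", None),
    AccessRequest("R-4", "dave", "hank", "ivy", "LAB-3",
                  date(2016, 6, 30), "passed", date(2015, 6, 1)),
]

if __name__ == "__main__":
    for rid, flags in audit_requests(SAMPLE_REQUESTS, AS_OF).items():
        print(rid, ", ".join(flags))
    for subject, flags in risk_by_subject(SAMPLE_REQUESTS, AS_OF).items():
        print(subject, flags)
```

Run as a script it prints the flagged records and then the per-person roll-up; record R-2 alone shows a self-approval and a lapsed training, but the roll-up shows the same person also carries an overdue audit from a second grant.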

Process is an area that may seem difficult to track and monitor accurately and to fold into context-based analysis. Here the key is to leverage technologies that automate and track processes in a meaningful way across a global organization. For example, contractors are a way of life for many organizations. While they may act like employees while on the premises, there are clearly differentiated processes that must be followed before provisioning access for them. Contract companies must have the proper documentation on file, along with insurance requirements, training prerequisites and completed background checks. Depending on the industry, any violation of these policies and processes leads to costly fines and delays in work. Without an automated system tracking how well an organization’s policies and processes are followed, it would be extremely difficult to detect anomalous behaviors.

Behavioral indicators are equally challenging to properly track. Using security systems alone may not be enough to get a full view into behavioral changes. This is where organizations need to start looking at other key indicators of compromise with the ability to make note of changes of behavior in a meaningful way. Perhaps the organization’s policy is for security to alert HR of an employee’s unusual patterns of behavior, thereby elevating the risk profile of individuals and monitoring their activity across an additional set of data points. To take it one step further, if individuals with an elevated risk score continue to access areas outside of their usual patterns, or if they begin accessing shared directories or printing more than normal, any one of these indicators can lead to an automated response from security with immediate action. This could include disabling their badge and/or access to IT infrastructure, dispatching security or any other number of actions deemed appropriate given the severity of the situation. The key is to put actions into context so that it is possible to pull insights from the data.

There are new technologies and solutions capable of recognizing these problems and anomalies quickly, provided an organization is measuring the most appropriate metrics.

BEST PRACTICES FOR IMPLEMENTING METRICS

There are a number of best practices organizations can follow to ensure they are measuring the strongest possible metrics—those that will provide the highest level of context and help identify potential risks.

Not all context is equal, so organizations’ first goal must be to capture and collect appropriate data that will help define context appropriately. Here again is where it is of critical importance to integrate intelligent automation that can correlate relevant data from diverse systems to create meaningful insights. Once this has been achieved, the next step is to implement predictive analytics that will identify and provide the behavioral context that will provide a more complete picture of incidents. Finally, organizations must use the intelligence generated by predictive analytics to drive actions and decisions.

In the case of credential fraud, the main question should be, “What context is needed to tell the difference between someone trying to enter using a stolen badge and an employee who forgot something inside?” The metrics needed to analyze credential fraud include persistence and pattern, such as how long an individual has been attempting to gain entry and whether that employee has ever been in the area before.

In this case, the metrics an automated system needs in order to recognize a potential problem are multiple access attempts, denied access points and the time of day. Analyzed contextually, these metrics distinguish an employee seeking to retrieve something left behind from an individual who has stolen a badge and is attempting to access sensitive areas of the facility.
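An added example, not part of the article, that puts these metrics together with the elevated-risk idea from the Key Indicators section: it scores constructed badge-reader events per badge on denials, doors the badge has never used, time of day relative to the holder’s shift and persistence, and lowers the action threshold for a badge whose holder HR has already placed on a raised risk profile. The log format, the per-badge baselines, the weights and the thresholds are all assumptions.

```python
"""Added example: contextual scoring of badge-reader events.
The log lines, per-badge baselines, weights and thresholds are all
constructed assumptions, not the article's or any vendor's method."""
from collections import defaultdict
from datetime import datetime

# Context per badge that would normally come from access-control history
# (doors this badge habitually uses) and from HR (the holder's shift hours).
BASELINE = {
    "1042": {"doors": {"LOBBY", "ENG-2"}, "shift": (8, 18)},
    "2077": {"doors": {"LOBBY", "ENG-2"}, "shift": (8, 18)},
    "3100": {"doors": {"LOBBY", "FIN-1"}, "shift": (8, 18)},
}

# Constructed badge-reader log: 1042 comes back just after shift for a
# forgotten item, 2077 keeps trying doors it never uses at 2 a.m., and
# 3100 opens one unfamiliar door during the working day.
SAMPLE_LOG = """\
2016-09-14T18:20:05 badge=1042 door=LOBBY result=GRANTED
2016-09-14T18:21:40 badge=1042 door=ENG-2 result=GRANTED
2016-09-15T02:03:11 badge=2077 door=LOBBY result=GRANTED
2016-09-15T02:05:02 badge=2077 door=SERVER-RM result=DENIED
2016-09-15T02:06:30 badge=2077 door=SERVER-RM result=DENIED
2016-09-15T02:09:15 badge=2077 door=LAB-3 result=DENIED
2016-09-15T02:15:48 badge=2077 door=SERVER-RM result=DENIED
2016-09-15T10:12:00 badge=3100 door=SERVER-RM result=GRANTED
"""


def parse_event(line):
    """'<iso-time> key=value ...' -> dict with a parsed datetime under 'time'."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["time"] = datetime.fromisoformat(ts)
    return event


def assess(badge, events, baseline, elevated=False):
    """Score one badge's events against its baseline and return the
    measured features plus a verdict. `elevated` lowers the action
    threshold for a holder HR has already put on a raised risk profile."""
    ctx = baseline.get(badge, {"doors": set(), "shift": (0, 24)})
    start, end = ctx["shift"]
    times = sorted(e["time"] for e in events)
    denied = sum(e["result"] == "DENIED" for e in events)
    unfamiliar = sorted({e["door"] for e in events} - ctx["doors"])
    off_shift = any(not (start <= t.hour < end) for t in times)
    persistence_min = (times[-1] - times[0]).total_seconds() / 60

    score = 0
    if denied >= 3:            # repeated denials at one or more doors
        score += 2
    if unfamiliar:             # areas this badge has never been used in
        score += 2
    if off_shift:              # outside the holder's normal hours
        score += 1
    if persistence_min >= 10:  # keeps trying instead of giving up
        score += 1

    threshold = 2 if elevated else 4   # assumed thresholds
    if score >= threshold:
        verdict = "investigate"
    elif score >= 2:
        verdict = "review"
    else:
        verdict = "likely-benign"
    return {"badge": badge, "attempts": len(events), "denied": denied,
            "unfamiliar_doors": unfamiliar, "off_shift": off_shift,
            "persistence_min": round(persistence_min, 1),
            "score": score, "verdict": verdict}


def assess_log(log_text, baseline=BASELINE, elevated_badges=frozenset()):
    """Group a log by badge and assess each badge's activity."""
    by_badge = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            event = parse_event(line)
            by_badge[event["badge"]].append(event)
    return {b: assess(b, evs, baseline, b in elevated_badges)
            for b, evs in by_badge.items()}


if __name__ == "__main__":
    for result in assess_log(SAMPLE_LOG, elevated_badges={"3100"}).values():
        print(result)
```

With the sample data, badge 1042 scores only the after-hours point and stays benign, 2077 collects every signal and is marked for investigation, and 3100 lands on “review” unless it is in the elevated set, in which case the single unfamiliar door is enough to trigger action; that last case is what the earlier section describes when it talks about raising an individual’s risk profile.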

LEVERAGING PREDICTIVE ANALYSIS

Without data, people make decisions based on instinct, which is far from the most accurate method. But simply having the data isn’t enough, as the information needed to provide valuable context for security resides in different “brains”—separate departments and disparate systems—that are often incapable of connecting and sharing data with each other. Yes, the data is there, but separately, these small, siloed pieces of information simply cannot create enough context to generate actionable intelligence.

For example, several smaller incidents may occur across a variety of locations, departments and/or systems, with the information known by multiple people or residing in different systems. If these incidents can be put together, they provide a complete picture of a larger pattern that may indicate something is about to occur. Unfortunately, this information often cannot be connected until the post-event investigation process. So how can all of these pieces be brought together to identify the context for predicting a particular situation or incident? Accomplishing this requires leveraging new and emerging technologies, such as predictive analytics, that help create context for decisions and outcomes.

Predictive analytics solutions are the key to transforming security into a context-based process. A main strength of predictive analysis solutions is the ability to serve as a single platform that connects data from disparate systems. These solutions gather and correlate data from multiple sources, which is analyzed using a predictive engine to apply statistical algorithms and machine learning to make sense of the vast amount of data and generate reports and/or automated actions.

This analysis looks for anomalies and potential areas of improvement (including operational efficiencies) to provide a baseline that is used to identify the likelihood of future outcomes based on historical observation. These patterns provide valuable contextual history, indicators of compromise and risk analysis to increase the accuracy of the statistical findings many organizations already employ.

In addition to increasing security, contextual analytics enables security to shift from a business barrier or cost center, with manual processes that inhibit its effectiveness, into a business enabler that provides ROI to the organization. Rather than being a device-driven operation, security becomes more data-centric, allowing organizations to make cost-justified decisions, optimize spending and streamline security compliance.

Information may be power, but more important than simply having information available is having the ability to connect the dots between disparate data sources to develop valuable context that goes beyond binary “yes or no” decisions to answer the “why” questions that provide deeper understanding of security threats. Contextual analytics allow organizations to make more informed decisions based on facts and patterns, rather than instinct, while determining which events, incidents or actions are likely benign—such as an employee who left his or her credentials in the office—or pose a potential risk to the organization.

Predictive analytics have the power to deliver context-based security based on large amounts of raw data gathered from multiple systems to identify anomalies in patterns that may indicate potential problems. With the right context, these solutions generate a more complete security and risk picture while also identifying operational inefficiencies that can be addressed, making security a valuable partner within the organization.

This article originally appeared in the September 2016 issue of Security Today.
