Contextual Analytics

A more complete security and risk picture appears when fully prepared

Most security organizations underestimate the possible impact of security data and only use it for reporting. They may use enterprise analytics solutions to answer the “what” questions related to their security infrastructure without considering context, such as a person’s behavior, work shift or HR background. As a result, these solutions lack the ability to answer the “why” questions that are often the critical missing piece to understanding security threats. Responding without adequately analyzing a situation and its associated circumstances can increase an organization’s risk profile by creating an environment where security operations are managed by assumptions rather than measurable facts. This is why contextual analytics needs to play an important role in the decision-making process.

MAKING DECISIONS

Each of the millions of decisions made each day by people, devices and systems falls into one of two categories: binary and contextual. Binary decisions are those that are a simple choice between two options or pieces of data, such as yes or no. Contextual decisions, on the other hand, are much more involved, taking into account the circumstances that form the setting for an event, statement or idea to provide a fuller understanding of the decision that must be made and why.

Traditional or current security infrastructures typically make binary decisions. For example, if an employee forgets his or her cell phone in the office and needs to re-enter the building, the access control system makes a binary yes/no decision without considering any context, such as the employee’s behavior, work shift or HR background. Where contextual analysis would take these into account, a traditional access control system doesn’t care why the employee is entering, only that a valid credential is presented for entry.

Context-based security makes sense out of large amounts of data from multiple authoritative systems, including physical security systems and devices. Information is then analyzed from these sources to provide valuable insights and allow for more informed decisions.

Forward-thinking organizations try to make the most of the information they have on hand, relying on contextual analytics to make sense out of the mountains of data generated by multiple authoritative and security systems and devices to provide a deeper understanding of threat and operational efficiencies. Successful contextual analysis requires strong metrics. Determining how to implement a program to achieve security and organizational goals can be a challenge, but there are a number of factors organizations can consider to ease the process.

KEY INDICATORS

The key indicators that define context for security decisions include access, process, and behavioral changes. Within each of these factors are a number of potential red flags that contextual analysis can use to detect potential risks to an organization.

When we take a look at access, there are many areas within the access spectrum that may give us a deeper understanding of what is happening at the site. For example, the access levels assigned to individuals based on their roles can be cross-compared with their normal access patterns. It is also useful to look for anomalies in device behavior.

Additional access-related data sources include audits and any indicators that may present a red flag. These include the same person requesting and approving an access request, delays in conducting an audit, expired training, failed or missing background checks, or other data missing from the prerequisites for access privileges. Looked at alone, any one of these factors may not seem like a red flag, but once you begin to look at the data across multiple systems, you get a much clearer contextual picture of typical and atypical access patterns.

Process is an area that may seem difficult to accurately track, monitor and apply to this context-based analysis. Here the key is to leverage technologies that help automate and track processes in a meaningful way across a global organization. For example, contractors are a way of life for many organizations. While they may act like employees while on the premises, there are some clearly differentiated processes that must be followed before provisioning access for them. Contract companies must have the proper documentation on file, along with insurance requirements, training prerequisites, and completed background checks. Depending on the industry, any violation of these policies and processes leads to costly fines and delays in work. Without an automated system tracking the efficiency of an organization’s policies and processes, it would be extremely difficult to detect anomalous behaviors.

Behavioral indicators are equally challenging to properly track. Using security systems alone may not be enough to get a full view into behavioral changes. This is where organizations need to start looking at other key indicators of compromise with the ability to make note of changes of behavior in a meaningful way. Perhaps the organization’s policy is for security to alert HR of an employee’s unusual patterns of behavior, thereby elevating the risk profile of individuals and monitoring their activity across an additional set of data points. To take it one step further, if individuals with an elevated risk score continue to access areas outside of their usual patterns, or if they begin accessing shared directories or printing more than normal, any one of these indicators can lead to an automated response from security with immediate action. This could include disabling their badge and/or access to IT infrastructure, dispatching security or any other number of actions deemed appropriate given the severity of the situation. The key is to put actions into context so that it is possible to pull insights from the data.

There are new technologies and solutions that are capable of recognizing these problems and anomalies quickly, provided an organization is measuring the most appropriate metrics.

BEST PRACTICES FOR IMPLEMENTING METRICS

There are a number of best practices organizations can follow to ensure they are measuring the strongest possible metrics—those that will provide the highest level of context and help identify potential risks.

Not all context is equal, so organizations’ first goal must be to capture and collect appropriate data that will help define context appropriately. Here again is where it is of critical importance to integrate intelligent automation that can correlate relevant data from diverse systems to create meaningful insights. Once this has been achieved, the next step is to implement predictive analytics that will identify and provide the behavioral context that will provide a more complete picture of incidents. Finally, organizations must use the intelligence generated by predictive analytics to drive actions and decisions.

In the instance of credential fraud, the main question should be, “What context is needed to tell the difference between someone trying to enter using a stolen badge or an employee who forgot something inside?” The metrics needed to analyze credential fraud include persistence and pattern, such as considering how long an individual has been attempting to gain entry and if that employee has ever been in the area before.

In this case, the metrics needed for an automated system to recognize a potential problem would be to measure and flag multiple access attempts, denied access points and the time of day. Analyzed contextually, these metrics will determine the difference between an employee seeking to retrieve something left behind, or an individual who has stolen a badge and is attempting to access sensitive areas of the facility.
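A worked illustration of the credential-fraud metrics just described (attempt count, denied access points, persistence, time of day and the badge holder’s normal access pattern), with the tiered response from the behavioral-indicators section. This is added example code, not from the article or any product: the badge events, shift table and access history are constructed sample data, and the point weights are assumed.

```python
from datetime import datetime, timedelta

# Constructed badge-reader log (made-up sample data): (timestamp, badge, door, result).
EVENTS = [
    ("2016-09-14 19:05:00", "B-1001", "lobby", "granted"),
    ("2016-09-14 19:06:10", "B-1001", "floor2", "granted"),
    ("2016-09-14 23:40:00", "B-2002", "lobby", "granted"),
    ("2016-09-14 23:41:30", "B-2002", "server-room", "denied"),
    ("2016-09-14 23:43:05", "B-2002", "server-room", "denied"),
    ("2016-09-14 23:47:50", "B-2002", "lab-east", "denied"),
    ("2016-09-14 23:51:00", "B-2002", "lab-east", "denied"),
]
# Constructed context from other authoritative systems: HR shift (start, end hour)
# and each badge's historical access baseline (doors it has legitimately used before).
SHIFTS = {"B-1001": (8, 18), "B-2002": (8, 18)}
HISTORY = {"B-1001": {"lobby", "floor2"}, "B-2002": {"lobby", "floor3"}}

def badge_context_score(events, badge, shifts, history, window=timedelta(minutes=15)):
    """Score a badge's latest burst of attempts with the article's credential-fraud
    metrics: attempt count, distinct denied doors, persistence, time of day versus
    shift, and whether the doors fall outside the badge's normal access pattern.
    Point weights are assumed for illustration."""
    mine = [(datetime.strptime(t, "%Y-%m-%d %H:%M:%S"), d, r)
            for t, b, d, r in events if b == badge]
    if not mine:
        return {"badge": badge, "score": 0, "reasons": []}
    last = max(t for t, _, _ in mine)
    recent = [(t, d, r) for t, d, r in mine if last - t <= window]
    denied = {d for _, d, r in recent if r == "denied"}
    span = last - min(t for t, _, _ in recent)
    start, end = shifts.get(badge, (0, 24))
    new_areas = {d for _, d, _ in recent} - history.get(badge, set())
    checks = [  # (condition, points, reason)
        (len(recent) >= 3, 1, f"{len(recent)} attempts within {window}"),
        (len(denied) >= 2, 2, f"denied at {len(denied)} different doors"),
        (bool(denied) and span >= timedelta(minutes=5), 2, f"kept trying for {span}"),
        (not start <= last.hour < end, 1, "outside HR work shift"),
        (bool(new_areas), 2, f"no prior history at {sorted(new_areas)}"),
    ]
    hits = [(p, r) for ok, p, r in checks if ok]
    return {"badge": badge, "score": sum(p for p, _ in hits), "reasons": [r for _, r in hits]}

def triage(score):
    """Map the score to the tiered response the article describes."""
    if score >= 5:
        return "escalate"  # dispatch security, suspend badge pending review
    if score >= 3:
        return "review"    # raise the risk profile and watch additional data points
    return "benign"        # e.g. an employee retrieving a forgotten phone
```

With this data the after-hours employee who re-enters two familiar doors scores 1 (benign), while the badge repeatedly denied at two doors it has never used scores 8 (escalate).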

LEVERAGING PREDICTIVE ANALYSIS

Without data, people make decisions based on instinct, which is far from the most accurate method. But simply having the data isn’t enough, as the information needed to provide valuable context for security resides in different “brains”—separate departments and disparate systems—that are often incapable of connecting and sharing data with each other. Yes, the data is there, but separately, these small, siloed pieces of information simply cannot create enough context to generate actionable intelligence.

For example, several smaller incidents may occur across a variety of locations, departments and/or systems, with information known by multiple people or residing in different systems. If these incidents can somehow be put together, they provide a complete picture of a larger pattern that may indicate something is about to occur. Unfortunately, this information often cannot be connected until the post-event investigation process. So, how can all of these pieces be brought together to identify the context for predicting the potential for a particular situation or incident? Accomplishing this requires leveraging new and emerging technologies, such as predictive analytics, which help create context for decisions and outcomes.

Predictive analytics solutions are the key to transforming security into a context-based process. A main strength of predictive analysis solutions is the ability to serve as a single platform that connects data from disparate systems. These solutions gather and correlate data from multiple sources, which is analyzed using a predictive engine to apply statistical algorithms and machine learning to make sense of the vast amount of data and generate reports and/or automated actions.

This analysis looks for anomalies and potential areas of improvement (including operational efficiencies) to provide a baseline that is used to identify the likelihood of future outcomes based on historical observation. These patterns provide valuable contextual history, indicators of compromise and risk analysis to increase the accuracy of the statistical findings many organizations already employ.

In addition to increasing security, contextual analytics also enables security to shift from a business barrier or cost center with manual processes that inhibit its effectiveness, into a business enabler that provides ROI to the organization. Rather than being a device-driven operation, security becomes more data-centric, allowing organizations to make cost-justified decisions, optimize spending and streamline security compliance.

Information may be power, but more important than simply having information available is having the ability to connect the dots between disparate data sources to develop valuable context that goes beyond binary “yes or no” decisions to answer the “why” questions that provide deeper understanding of security threats. Contextual analytics allow organizations to make more informed decisions based on facts and patterns, rather than instinct, while determining which events, incidents or actions are likely benign—such as an employee who left his or her credentials in the office—or pose a potential risk to the organization.

Predictive analytics have the power to deliver context-based security based on large amounts of raw data gathered from multiple systems to identify anomalies in patterns that may indicate potential problems. With the right context, these solutions generate a more complete security and risk picture while also identifying operational inefficiencies that can be addressed, making security a valuable partner within the organization.

This article originally appeared in the September 2016 issue of Security Today.
