Contextual Analytics
A more complete security and risk picture appears when fully prepared
- By Don Campbell
- Sep 01, 2016
Most security organizations underestimate the possible value of their security data and use it only for reporting. They may use enterprise analytics solutions to answer the "what" questions about their security infrastructure without considering context, such as a person's behavior, work shift or HR background. As a result, these solutions cannot answer the "why" questions that are often the critical missing piece in understanding a security threat. Responding without adequately analyzing a situation and its circumstances can increase an organization's risk profile by creating an environment where security operations are driven by assumptions rather than measurable facts. This is why contextual analytics needs to play an important role in the decision-making process.
MAKING DECISIONS
Each of the millions of decisions made every day by people, devices and systems falls into one of two categories: binary or contextual. A binary decision is a simple choice between two options, such as yes or no. A contextual decision is more involved: it takes into account the circumstances that form the setting for an event, statement or idea, to provide a fuller understanding of the decision that must be made and why.
Traditional security infrastructures typically make binary decisions. For example, if an employee forgets a cell phone in the office and needs to re-enter the building, the access control system makes a binary yes/no decision on the credential presented, without considering any context such as the employee's behavior, work shift or HR background. Contextual analysis would take those factors into account; a traditional access control system does not care why the employee is entering, only that a valid credential with the right access level is presented at the door. The same is true when the badge has been stolen: as long as the credential is valid, the binary answer is yes.
Context-based security makes sense of large amounts of data from multiple authoritative systems, including physical security systems and devices. Information from these sources is then analyzed to provide insight and allow more informed decisions.
Forward-thinking organizations try to make the most of the information they already have, relying on contextual analytics to make sense of the mountains of data generated by multiple authoritative and security systems and devices, and to gain a deeper understanding of both threats and operational efficiency. Successful contextual analysis requires strong metrics. Determining how to implement a program that achieves security and organizational goals can be a challenge, but there are a number of factors organizations can consider to ease the process.
KEY INDICATORS
The key indicators that define context for security decisions are access, process and behavioral change. Within each of these are a number of potential red flags that contextual analysis can use to detect risks to an organization.
Access offers many signals that give a deeper understanding of what is happening at a site. For example, the access levels assigned to individuals based on their roles can be compared with their actual access patterns. It is also useful to look for anomalies in device behavior, such as a reader that suddenly reports an unusual number of denials. Additional sources of access data include audits and any indicators that may present a red flag: the same person requesting and approving an access request (a separation-of-duties failure), delays in conducting an audit, expired training, failed or missing background checks, or other missing prerequisites for access privileges. Any one of these factors looked at alone may not seem like a red flag, but once the data is correlated across multiple systems, a clearer contextual picture of typical and atypical access patterns emerges.
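The correlation described above, as an added example that is not part of the original article: three small exports (the access control system's assigned areas, an HR record with training, background-check and review dates, and the access-request audit trail) are joined per person, and each of the red flags named in the paragraph is checked. The employees, areas, dates, role baselines and the 365-day review interval are all constructed for the example, not taken from any real system.

```python
from datetime import date, timedelta

# All data below is constructed for this example (hypothetical employees,
# areas and dates); it stands in for exports from the access control system,
# the HR system and the access-request workflow.
AS_OF = date(2016, 9, 1)

# Areas a role is normally expected to hold, per the (assumed) access policy.
ROLE_BASELINE = {
    "analyst": {"lobby", "office-2f"},
    "facilities": {"lobby", "office-2f", "mech-room", "loading-dock"},
}

# HR system export: role, training expiry, background check, last access review.
HR = {
    "e1001": {"role": "analyst", "training_expires": date(2016, 12, 31),
              "background_check": "passed", "last_review": date(2016, 5, 1)},
    "e1002": {"role": "analyst", "training_expires": date(2016, 6, 30),
              "background_check": "passed", "last_review": date(2015, 4, 1)},
    "e1003": {"role": "facilities", "training_expires": date(2017, 3, 1),
              "background_check": None, "last_review": date(2016, 8, 1)},
}

# Access control system export: areas each badge holder can currently open.
ASSIGNED_ACCESS = {
    "e1001": {"lobby", "office-2f"},
    "e1002": {"lobby", "office-2f", "server-room"},
    "e1003": {"lobby", "mech-room", "loading-dock"},
}

# Access-request workflow audit trail.
ACCESS_REQUESTS = [
    {"id": 1, "subject": "e1002", "area": "server-room",
     "requested_by": "e1002", "approved_by": "e1002"},
    {"id": 2, "subject": "e1003", "area": "mech-room",
     "requested_by": "e1003", "approved_by": "m2001"},
]

REVIEW_INTERVAL = timedelta(days=365)  # assumed audit cadence


def access_red_flags(hr, assigned, requests, role_baseline, as_of,
                     review_interval=REVIEW_INTERVAL):
    """Correlate the three exports and return {person: [flag, ...]}."""
    flags = {pid: [] for pid in assigned}
    for pid, areas in assigned.items():
        rec = hr.get(pid)
        if rec is None:
            flags[pid].append("holds access but has no HR record")
            continue
        # Assigned access compared with what the role normally gets.
        extra = areas - role_baseline.get(rec["role"], set())
        if extra:
            flags[pid].append(f"access beyond role baseline: {sorted(extra)}")
        if rec["training_expires"] < as_of:
            flags[pid].append("required training expired")
        if rec["background_check"] != "passed":
            flags[pid].append("background check missing or failed")
        if as_of - rec["last_review"] > review_interval:
            flags[pid].append("access review overdue")
    # Separation of duties: requester and approver must differ.
    for req in requests:
        if req["requested_by"] == req["approved_by"]:
            flags.setdefault(req["subject"], []).append(
                f"request {req['id']} requested and approved by the same person")
    return {pid: f for pid, f in flags.items() if f}


def rank_by_flag_count(flags):
    """Most flags first: several weak signals together outrank one alone."""
    return sorted(flags, key=lambda pid: len(flags[pid]), reverse=True)


def run_example():
    return access_red_flags(HR, ASSIGNED_ACCESS, ACCESS_REQUESTS, ROLE_BASELINE, AS_OF)


if __name__ == "__main__":
    result = run_example()
    for pid in rank_by_flag_count(result):
        print(pid, result[pid])
```

On the constructed data, e1001 raises nothing, e1003 raises only the missing background check, and e1002 accumulates four flags (access beyond the analyst baseline, expired training, an overdue review and a self-approved request). No single export would have shown that; the join across systems does.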
Process may seem difficult to accurately track, monitor and apply to contextual analysis. The key is to leverage technologies that automate and track processes in a meaningful way across a global organization. For example, contractors are a way of life for many organizations. While they may act like employees while on the premises, there are clearly differentiated processes that must be followed before access is provisioned for them. Contract companies must have the proper documentation on file, along with insurance requirements, training prerequisites and completed background checks. Depending on the industry, a violation of these policies and processes can lead to costly fines and delays in work. Without an automated system tracking whether an organization's policies and processes are actually followed, it would be extremely difficult to detect anomalous behavior.
Behavioral indicators are equally challenging to track properly. Security systems alone may not be enough to get a full view of behavioral change. This is where organizations need to look at other key indicators of compromise and record changes of behavior in a meaningful way. An organization's policy might be for security to alert HR to an employee's unusual patterns of behavior, which elevates the individual's risk profile and triggers monitoring of their activity across an additional set of data points. Taking it one step further, if an individual with an elevated risk score continues to access areas outside their usual patterns, or begins accessing shared directories or printing more than normal, any of these indicators can lead to an automated response from security with immediate action. This could include disabling the badge and/or access to IT infrastructure, dispatching security personnel, or any number of other actions appropriate to the severity of the situation. Because a single indicator such as higher-than-normal printing is also consistent with ordinary work, automated actions of this kind should be reserved for combinations of indicators at a confidence and severity level the organization has set in advance. The key is to put actions into context so that insight can be pulled from the data.
New technologies and solutions are capable of recognizing these problems and anomalies quickly, provided the organization is measuring the most appropriate metrics.
BEST PRACTICES FOR IMPLEMENTING METRICS
There are a number of best practices organizations can follow to ensure they are measuring the strongest possible metrics: those that provide the most context and help identify potential risks.
Not all context is equal, so an organization's first goal must be to capture and collect the data that defines context appropriately. Here again it is critically important to integrate intelligent automation that can correlate relevant data from diverse systems into meaningful insight. Once this has been achieved, the next step is to implement predictive analytics that identify and supply the behavioral context needed for a more complete picture of incidents. Finally, organizations must use the intelligence generated by predictive analytics to drive actions and decisions.
In the case of credential fraud, the main question should be: what context is needed to tell the difference between someone trying to enter with a stolen badge and an employee who forgot something inside? The metrics needed to analyze credential fraud include persistence and pattern, such as how long an individual has been attempting to gain entry and whether that employee has ever been in the area before.
In this case, the metrics an automated system would need in order to recognize a potential problem are the number of access attempts, the access points that denied them and the time of day. Analyzed contextually and against the badge holder's history, these metrics distinguish an employee retrieving something left behind from an individual who has stolen a badge and is attempting to reach sensitive areas of the facility.
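The credential-fraud case above, as an added example that is not part of the original article: a short stream of badge events is grouped per badge and scored on exactly the metrics the text names (number of attempts, doors that denied access, time of day against the holder's shift, and whether the door has ever been visited before). The badge IDs, door names, shift windows, scoring weights and the verdict thresholds are all constructed for the example; a real deployment would calibrate them from its own history.

```python
from collections import defaultdict
from datetime import datetime

# Constructed context (hypothetical data, not from the article): shift window
# per badge from HR, doors each badge has historically opened, and the doors
# the organization treats as sensitive.
SHIFT_HOURS = {"B-4471": (8, 18), "B-9023": (8, 18), "B-1180": (8, 18)}
USUAL_DOORS = {
    "B-4471": {"lobby", "office-2f"},
    "B-9023": {"lobby", "office-2f"},
    "B-1180": {"lobby", "office-2f"},
}
SENSITIVE_DOORS = {"server-room", "exec-suite"}

# Constructed badge event log: (timestamp, badge, door, result).
EVENTS = [
    # B-4471: forgot a phone, re-enters through the usual doors during shift.
    ("2016-09-01 17:40:10", "B-4471", "lobby", "granted"),
    ("2016-09-01 17:41:05", "B-4471", "office-2f", "granted"),
    # B-1180: working late, but only at the usual doors.
    ("2016-09-01 21:15:00", "B-1180", "lobby", "granted"),
    ("2016-09-01 21:16:30", "B-1180", "office-2f", "granted"),
    # B-9023: valid badge at night, repeatedly denied at doors it never used.
    ("2016-09-01 23:02:11", "B-9023", "lobby", "granted"),
    ("2016-09-01 23:05:40", "B-9023", "server-room", "denied"),
    ("2016-09-01 23:06:02", "B-9023", "server-room", "denied"),
    ("2016-09-01 23:09:30", "B-9023", "exec-suite", "denied"),
    ("2016-09-01 23:10:15", "B-9023", "exec-suite", "denied"),
]


def _in_shift(ts, shift):
    start, end = shift
    return start <= ts.hour < end


def score_badge(badge, events, shift_hours, usual_doors, sensitive_doors):
    """Score one badge's (timestamp, door, result) sequence. Weights are assumed."""
    reasons, score = [], 0
    denied_doors = {door for _, door, res in events if res == "denied"}
    if denied_doors:                      # persistence against denied access points
        score += 2 * len(denied_doors)
        reasons.append(f"denied at {len(denied_doors)} door(s)")
    if len(events) >= 4:                  # many attempts in the window
        score += 1
        reasons.append(f"{len(events)} attempts")
    shift = shift_hours.get(badge)        # time of day vs the holder's shift
    if shift is None or any(not _in_shift(ts, shift) for ts, _, _ in events):
        score += 2
        reasons.append("off-shift")
    novel = {door for _, door, _ in events} - usual_doors.get(badge, set())
    novel_sensitive = novel & sensitive_doors   # never been in the area before
    if novel_sensitive:
        score += 2 * len(novel_sensitive)
        reasons.append(f"never-visited sensitive door(s): {sorted(novel_sensitive)}")
    verdict = "escalate" if score >= 5 else "review" if score >= 3 else "benign"
    return {"score": score, "verdict": verdict, "reasons": reasons}


def analyze(raw_events, shift_hours=SHIFT_HOURS, usual_doors=USUAL_DOORS,
            sensitive_doors=SENSITIVE_DOORS):
    """Group raw events per badge and score each badge's sequence."""
    per_badge = defaultdict(list)
    for ts, badge, door, result in raw_events:
        per_badge[badge].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), door, result))
    return {b: score_badge(b, sorted(ev), shift_hours, usual_doors, sensitive_doors)
            for b, ev in per_badge.items()}


if __name__ == "__main__":
    for badge, verdict in analyze(EVENTS).items():
        print(badge, verdict)
```

Two points the output makes: the stolen badge B-9023 still receives a binary "yes" at the lobby, because the credential is valid, and only the correlation of denials, attempt count, time of day and never-visited doors drives it to "escalate"; and B-1180, whose only anomaly is being off-shift, stays "benign", which is the single-indicator-is-not-a-red-flag principle from the access section applied in code.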
LEVERAGING PREDICTIVE ANALYSIS
Without data, people make decisions based on instinct, which is far from the most accurate method. But simply having the data is not enough, because the information needed to provide valuable context for security resides in different "brains": separate departments and disparate systems that are often incapable of connecting and sharing data with each other. The data is there, but separately these small, siloed pieces of information cannot create enough context to generate actionable intelligence.
For example, several smaller incidents may occur across a variety of locations, departments and/or systems, with the information known by multiple people or residing in different systems. If these incidents can be put together, they provide a complete picture of a larger pattern that may indicate something is about to occur. Unfortunately, this information often cannot be connected until the post-event investigation. So how can all of these pieces be brought together to identify the context for predicting a particular situation or incident? Doing so requires leveraging new and emerging technologies, such as predictive analytics, which help create context for decisions and outcomes.
Predictive analytics solutions are the key to transforming security into a context-based process. A main strength of these solutions is their ability to serve as a single platform that connects data from disparate systems. They gather and correlate data from multiple sources, which a predictive engine then analyzes using statistical algorithms and machine learning to make sense of the volume of data and generate reports and/or automated actions.
This analysis looks for anomalies and potential areas of improvement (including operational efficiencies) and establishes a baseline from which the likelihood of future outcomes is estimated from historical observation. These patterns provide contextual history, indicators of compromise and risk analysis that increase the accuracy of the statistical findings many organizations already rely on.
In addition to increasing security, contextual analytics enables security to shift from a business barrier or cost center, with manual processes that inhibit its effectiveness, into a business enabler that provides ROI to the organization. Rather than being a device-driven operation, security becomes data-centric, allowing organizations to make cost-justified decisions, optimize spending and streamline security compliance.
Information may be power, but more important than simply having information available is the ability to connect the dots between disparate data sources to develop context that goes beyond binary "yes or no" decisions and answers the "why" questions that give a deeper understanding of security threats. Contextual analytics allows organizations to make more informed decisions based on facts and patterns rather than instinct, and to determine which events, incidents or actions are likely benign, such as an employee who left his or her credentials in the office, and which pose a potential risk to the organization.
Predictive analytics has the power to deliver context-based security from large amounts of raw data gathered from multiple systems, identifying anomalies in patterns that may indicate potential problems. With the right context, these solutions produce a more complete security and risk picture while also identifying operational inefficiencies that can be addressed, making security a valuable partner within the organization.
This article originally appeared in the September 2016 issue of Security Today.