Threats to an organisation’s physical and logical security are increasing in number and financial impact, according to several recent surveys. To combat this problem, security and IT professionals are fighting back with system upgrades and software solutions including advanced analytics. Using the analytics software, management is better able to answer the “what” questions related to their security infrastructure. Unfortunately, without also answering the “why” question, the analysis can result in an outcome where operations are managed by assumptions rather than measurable facts.
Contextual analytics can help answer the why questions – and provide a deeper understanding of threat and operational efficiencies -- by making sense out of the “what”, derived from mountains of data generated by multiple authoritative and security systems and devices. It does so by examining the three key indicators that define context for security decisions: access, process and behavioural changes. Within each of these factors are a number of red flags that contextual analysis can use to detect potential risks to an organisation.
Predictive analysis solutions gather and correlate data from multiple sources, which is then analysed using a predictive engine to apply statistical algorithms and machine learning
Understanding access patterns
When we take a look at access, there are many areas within the spectrum that may give us a deeper understanding of what is happening at the site. For example, access levels of individuals based on their roles can be cross compared with their normal access patterns. It is also useful to look for anomalies in device behaviour. Additional sources of data to pull from for access may incorporate audits, including any indicators that may present a red flag. These include the same person requesting and approving an access request, delays in conducting an audit, expiration of training, failed or missing background checks or other data missing from prerequisites for access privileges. Any of these factors when looked at alone may not seem like a red flag, but once you begin to look at the data across multiple systems, you are able to get a better contextual landscape of typical and atypical access patterns.
Automated tracking process
This is an area that may seem difficult to accurately track and monitor and apply to this contextual based analysis. Here the key is to leverage technologies that help automate and track processes in a meaningful way across a global organisation. For example, contractors are a way of life for many organisations. While they may act like employees while on the premises, there are some clearly differentiated processes that must be followed before provisioning access for them. Contract companies must have the proper documentation on file, along with insurance requirements, training pre-requisites, and complete background checks. Depending on the industry, any violation in these policies and processes leads to costly fines and delays in work. Without an automated system tracking the efficiency of an organisation’s policies and processes, it would be extremely difficult to detect anomalous behaviours.
Observing behavioural changes
These indicators are equally challenging to properly track. Using security systems alone may not be enough to get a full view into behavioural changes. This is where organisations need to start looking at other key indicators of compromise with the ability to make note of changes of behaviour in a meaningful way. Perhaps the organisation’s policy is for security to alert HR of an employee’s unusual patterns of behaviour, thereby elevating the risk profile of individuals and monitoring their activity across an additional set of data points. To take it one step further, if individuals with an elevated risk score continue to access areas outside of their usual patterns, or if they begin accessing shared directories, printing more than normal or other anomalous behaviour, any one of these indicators can lead to an automated response from security with immediate action. This could include disabling their badge and/or access to IT infrastructure, dispatching security, or any other number of actions deemed appropriate given the severity of the situation. The key is to put actions into context so that it is possible to pull insights from the data.
|Organisations need to start looking at other key indicators of compromise with the ability to make note of changes of behaviour in a meaningful way|
Key to transforming security with predictive analysis
Contextual analytics allows organisations to make more informed decisions based on facts and patterns rather than instinct, but it’s only half the solution. Predictive analytics solutions are the important other half and the key to transforming security into a context-based process. Predictive analysis solutions gather and correlate data from multiple sources, which is then analysed using a predictive engine to apply statistical algorithms and machine learning to make sense of the vast amount of data and generate reports and/or automated actions. This analysis looks for anomalies and potential areas of improvement (including operational efficiencies) to provide a baseline that is used to identify the likelihood of future outcomes based on historical observation.
Identifying unexpected patterns and insider threat
These patterns provide valuable contextual history, indicators of compromise and risk analysis to increase the accuracy of the statistical findings many organisations already employ. As an added benefit, predictive analysis solutions are capable of learning and improving over time, meaning they are often capable of identifying patterns that may never have been expected and most likely wouldn’t have been uncovered without that level of contextual analysis.
Contextual and predictive analytics are proving to be vital in the fight against insider threat, which is an increasingly prevalent security concern for organisations
Contextual and predictive analytics are proving to be vital in the fight against insider threat, which is an increasingly prevalent security concern for organisations. Given the complex psychology behind it, insider threat can be incredibly difficult to understand and predict. An event such as a bad performance review, a missed promotion or something similar may be the trigger that precedes an insider breach, and therefore can serve as an indicator.
Tracking effective policies and safeguarding organisation
These solutions can also identify and forecast which policies are effectively enforced and which are ineffective within the current systems. For instance, the number of visitors who enter a facility during specific time periods, the time it takes to process those visitors and how that affects wait-time can be combined to measure the effectiveness of lobby staffing levels.
Whether the organisation is a large multi-national enterprise with a complex business structure or an SMB, contextual and predictive analysis of logical and physical data can help identify red flags and potentially save the organisation from financial and reputation losses.