For many years, video analytics have enabled end users to detect specific people or vehicles entering restricted areas, capture license plate information, scan crowds for specific individuals and much more. Today’s Video Management Systems (VMS) and IP cameras are built with powerful processing capabilities, helping to drive the development of more advanced analytics to more accurately detect abnormalities in behaviors that trigger alerts – an important component of predictive analysis.

What is predictive analysis?

With this greater number and variety of data points available to security professionals, the trend toward integrated solutions is fuelling growth in the evolving science of predictive analysis. Differing from standard alert triggers, predictive analysis uses information gathered from a wide range of data sources including surveillance, access control, visitor management, incident management and other systems, evaluating the information against established behavioral models, taking into account, earlier incidents, effectively predicting the likelihood of a similar event in the future.

Note that predictive analysis does not always generate binary security events, but typically identifies occurrences such as irregular traffic patterns, motion detection during off peak hours or in restricted areas, and correlates this data with facial detection, access control activity or other system information to indicate anomalous activity or the potential for an incident of interest to occur. When this happens, the system can alert security professionals to take proactive preventive actions.

Predictive analytics in IP cameras

Camera-based analytics have improved significantly in recent years but these technologies remain largely reactive, providing valuable information for post-event investigation and follow-up. However, as the security industry continues its momentum toward a more predictive model, intelligent IP cameras will play a key role in allowing security staff to take more meaningful, proactive actions to prevent incidents before they can occur.

Those cameras equipped with video analytics are already driving advancements in predictive analysis, by providing the means to more accurately detect incidents and events and turn those into inputs which provide context systems can be designed to indicate compromising activity, enabling a fast and highly informed response, potentially highlighting potential future risks before they can occur.

People-counting video analytics can be used to detect a large number of people gathering in a particular area off hours

The below real-world example illustrates the value of intelligent IP cameras in enhancing predictive analysis to improve security personnel’s ability to take proactive rather than reactive action and avert threats.

Detecting unusual behaviour

For example, people-counting video analytics could be used to detect a large number of people gathering in a particular area during off hours. This could be as benign as people gathering to celebrate a coworker’s birthday or it could be something much more sinister, such as a group of disgruntled employees coordinating the theft of company assets and/or data. Without context, however, it’s impossible to tell where on the potential threat spectrum this event would fall.

As the predictive solution begins gathering contextual data for analysis, video analytics can determine whether an alert should be issued. Based on predetermined factors or analysis of prior events, such an off-hours gathering may be enough for the system to alert security staff to a potentially negative situation. The group’s location could also be a factor, as a gathering in a conference or break room would be much lower priority than if it were in a restricted area.

Alerts can also automatically trigger cameras to switch to higher resolution, initiate both on-board and remote recording, maintain focus on a particular area and/or entry point, and even launch facial recognition analytics. This is helpful for security management and staff when responding to an alert, providing more complete understanding of the situation to determine the appropriate course of action.

The system correlates information from intelligent cameras, access control, incident management and other sources
Access control data combined with people-counting may indicate that the number of people assembled exceeds the number of card swipes

Contextual analysis

Alerts also initiate contextual analysis to determine the specifics of a situation. Technology can’t accurately judge intent; it collects all available information to determine the level of severity of a situation and, in turn, what actions need to be taken – both in the immediate term and post-event.

In the case of a large after-hours gathering, data collected and correlated from additional systems and sources will provide fuller context. For example, access control data combined with people-counting may indicate that the number of people assembled exceeds the number of card swipes. While multiple people entering on a single card swipe is a clear violation of policies, it still may not indicate a threat. Several authorised individuals may have arrived at the door at the same time and simply entered together out of convenience. Using facial recognition both at the edge and within the VMS to compare those who entered against the database of authorised users will determine whether there may be a potential security threat from unauthorised individuals being in a restricted area.

Intelligence-based action

Once data has been gathered to provide greater context, predictive solutions analyse all available information to determine the level of the threat. At the same time, the system correlates information from intelligent cameras, access control, incident management and other sources to build a profile of either normal or abnormal behavior that will be used to analyse similar occurrences in the future that may or may not indicate a potential compromise.

Once data has been gathered to provide greater context, predictive solutions analyse all available information to determine the level of threat

Information from network-based calendar solutions may reveal that the gathering was simply a scheduled meeting or training. People-counting and facial recognition analytics combined with access control and HR system data could show that all of the individuals present are authorised to be in that particular area and that the discrepancy between the number of card swipes and individuals is indeed the result of tailgating. If this is the case, an email could be sent to employees to remind them of security policies.

However, if unauthorised individuals are found to be in the area, security staff would likely be dispatched to that location to determine the purpose of the gathering and ensure that unauthorised users are removed from the area in compliance with established policies. At the same time, the physical and IT access credentials of those in attendance can be temporarily deactivated to reduce the risk of insider theft. Additionally, intelligent cameras can employ analytics to detect whether objects have been removed from the area and isolate video of any such incidents for response.

As illustrated by the above example, intelligent video cameras play a significant role in more effective predictive analysis. Integrated security and surveillance systems with powerful video analytics can be deployed to improve security, lower risk, reduce fraud and transform traditional security operations from a simply reactive to much more proactive function. The intelligence gleaned from each incident empowers security professionals with the opportunity to avoid potentially dangerous situations before they can even occur.

Download PDF version

Author Profile

Jonathan Lewit Director of Technology Leadership, Pelco by Schneider Electric

In case you missed it

Drawbacks of PenTests and ethical hacking for the security industry
Drawbacks of PenTests and ethical hacking for the security industry

PenTesting, also known as “ethical hacking” or “white-hat hacking,” has always been viewed as the “sexy” side of cybersecurity, a task that is far more exciting than monitoring systems for intrusions, shoring up defenses, or performing compliance audits. Numerous security conferences are devoted to the fine art of attempting to hack into systems – with an owner’s full knowledge and permission – and reporting on the results. At an organisational level within businesses, they also value PenTesting under the premise that it allows them to identify security vulnerabilities before cyber criminals can. There are some regulatory requirements like PCI-DSS that require penetration assessments as part of their PCI compliance. However, many organisations have come to over-rely on PenTesting, thinking that if all the issues were identified in a PenTest, they’re good to go. Not only is this not helping them improve their security posture, it is also leaving them with a false sense of security. A penetration test is a simulated, live attack on your environment by a white-hat hacker What is PenTesting? A penetration test is a simulated, live attack on your environment by a white-hat hacker, customised to address specific problem areas, such as web-based applications, mobile applications and infrastructure services like border VPNs and firewalls. The PenTest may include different types of attacks based on the requested scope from an organisation so that the tester attempts to come at each system from all sides, the way a cyber-criminal would. The goal is to identify which systems and data the tester was able to access and how an organisation can address the vulnerabilities that allowed them to get in. The limitations of PenTesting There is great value in performing periodic PenTests, which is why PCI DSS and other security standards mandate them. However, PenTesting has three significant limitations: PenTesting does not provide solutions Let’s be honest: No one likes reading technical reports, but typically, that's the only deliverable provided by a PenTester. The value of a PenTesting report varies wildly based on the scope of the testing, the PenTester’s technical expertise and their writing ability. The tester may miss some things, or not clearly convey their findings. Additionally, a PenTest is a snapshot in time and the PenTester could miss changes in the systems, configurations, attack vectors and application environments. Even if your system “passes” a PenTest, will it crumble in the face of a brand new, more powerful attack vector that emerges a week later? The worst type of “PenTest report” consist of an analyst producing nothing more than the results of a vulnerability scan. Even if the PenTester produces a well-written, comprehensive report filled with valuable, actionable information, it’s up to your organisation to take the action, which leads to the next limitation of PenTesting. The value of a PenTesting report varies wildly based on the scope of the testing, the PenTester’s technical expertise and their writing ability PenTesters only exploit vulnerabilities and do not promote change PenTesting does not highlight the missing links in your organisation's technology stack that could help you address your security vulnerabilities. This is often in the guise of being agnostic to the technologies that exist because their expertise is only offensive security – unless, of course, the performing company has “magic software” to sell you. PenTests also do not help to develop your organisational processes. Additionally, they do not ensure that your employees have the knowledge and training needed to treat the identified fixes. Worst of all, if your in-house expertise is limited, any security issues that are identified during a PenTest aren't validated, which leads to a misrepresentation of their magnitude and severity while giving your team a false sense of security. PenTesters are self-serving Too often, PenTesting pits the assessment team against the organisation; the goal of the assessment team is to find the best way to "shame" the business into remediation, purchasing the testing company’s “magic software”, then call it a day. Once the PenTesters find, for example, a privilege escalation or a way to breach PII, they stop looking for other issues. The testers then celebrate the success of finding a single “flag”. In the meantime, the business is left in a precarious situation, since other unidentified issues may be lurking within their systems. Shifting the paradigm of PenTesting The goal of PenTesters is to find the best way to "shame" the business into purchasing the testing company’s “magic software”, then call it a day Penetration testing can uncover critical security vulnerabilities, but it also has significant limitations and it’s not a replacement for continuous security monitoring and testing. This is not to say that all PenTesting is bad. PenTesting should be integrated into a comprehensive threat and vulnerability management programme so that identified issues are addressed. The purpose of a mature vulnerability management programme is to identify, treat and monitor any identified vulnerabilities over its lifecycle. Vulnerability management programme Additionally, a vulnerability management programme requires the multiple teams within an organisation to develop and execute on the remediation plan to address the vulnerability. A mature threat and vulnerability management plan takes time and is helpful to partner with a managed security services provider (MSSP) to help you in the following areas: Improve your cyber-risk management program so that you can identify and efficiently address vulnerabilities in your infrastructure, applications and other parts within your organisation’s ecosystem on a continuous basis; Perform retests to validate any problems identified through a vulnerability scan or a PenTest assessment; Ensure that your in-house staff has the knowledge, skills and tools they need to respond to incidents. Cyber risk management and remediation is a "team sport." While periodic testing conducted by an external consultant satisfies compliance requirements, it is not a replacement for continuous in-house monitoring and testing. To ensure that your systems are secure, you must find a partner who not only performs PenTesting but also has the engineering and development experience to assist you in fixing these types of complex problems in a cost-effective manner and ensuring that your systems are hardened against tomorrow’s attacks.

Has the gap closed between security fiction and security reality?
Has the gap closed between security fiction and security reality?

Among its many uses and benefits, technology is a handy tool in the fantasy world of movie and television thrillers. We all know the scene: a vital plot point depends on having just the right super-duper gadget to locate a suspect or to get past a locked door. In movies and TV, face recognition is more a super power than a technical function. Video footage can be magically enhanced to provide a perfect image of a license plate number. We have all shaken our heads in disbelief, and yet, our industry’s technical capabilities are improving every day. Are we approaching a day when the “enhanced” view of technology in movies and TV is closer to the truth? We asked this week’s Expert Panel Roundtable: How much has the gap closed between the reality of security system capabilities and what you see on TV (or at the movies)?

How moving to Security as a Service benefits both providers and end users
How moving to Security as a Service benefits both providers and end users

The way we purchase services and products is changing. The traditional concept of buying and owning a product is giving way to the idea that it is possible to purchase the services it offers instead. This approach has come from the consumer realisation that it is the outcome that is important rather than the tools to achieve it. For example, this approach is evident with the rise of music streaming services as opposed to downloads or physical products.   With the physical security industry becoming ever more integrated – and truly open systems now a reality – there is every reason to assume this service-lead trend will come to dominate the way our industry interacts with its clients as well. Interest in service-based security There is a significant change of mindset that the security industry needs to embrace before a large-scale move to Security as a Service can take place. Like many technology sectors in the past, security providers have focussed on ‘shifting boxes’ as their definitive sales model. This approach was especially prevalent when proprietary systems were the mainstay of the security industry. Essentially, if the customer wanted more services they simply bought a new product. This was a straightforward and economic sales approach for manufacturers and installers alike.The security industry needs to embrace a change of mindset before a move to SaaS can take place The flexibility of integrated and open technology has changed the way consumers view their purchase, so it shouldn’t be any surprise that there is increased interest in a service-based approach. Customer choice equates to a change of focus and interest, with physical products being eclipsed by the benefits of the overall solution. We have already seen these changes in other technology areas, notably with smart devices and general IT systems. Cloud-based services put the onus on the result rather than which device the user chooses. This approach is even starting to manifest in areas that couldn’t have been predicted in the past, such as the car industry for example. Consumers are focusing more on the overall costs and convenience of buying a car over the specific specification of the vehicle. Equally, urban dwellers don’t necessarily want the hassle and expense of owning and parking their own vehicle anymore. If you don’t use it every day, it can make more sense to rent a vehicle only when you travel beyond public transport. For these consumers the car has become a service item for a specific journey. Benefits for end users At the heart of this approach is the simple equation that consumers have a need and suppliers need to provide the most cost-effective, and easiest, solution. At the same time, the security operator may not necessarily want to know (or care) what specification the system has, they just want it to perform the task as required.   By discussing with consumers, we can ensure we work even more closely with them to provide the expert support they need and deserve Most security buyers will identify the specific business needs and their budget to achieve this. This is where a service approach really comes into its own. Customers need expert advice on a solution for their requirements which takes away the stress of finding the right products/systems. In the past there was always a risk of purchasing an unsuitable solution, which could potentially be disastrous. The other issue was having to budget for a big capital expenditure for a large installation and then having to find further resources once an upgrade was due when systems went end of life. Most businesses find it far easier to pay a sensible monthly or annual fee that is predictable and can easily be budgeted for. A service model makes this far easier to achieve. Benefits of a service sales model As well as the benefits for end users, there are considerable benefits for security providers too. Rather than simply ‘shifting boxes’ and enduring the inevitable sales peaks and toughs this creates; a service sales model allows manufacturers and installers to enjoy a more stable business model. You don’t have to win new business with every product, but rather sell ongoing services for a set period. Its highly likely that the whole security industry will start to take this approach over the next few years. Manufacturers are already well aware of this shift in customer expectations and are changing their approach to meet demands.There are major opportunities on offer in return for a change of perspective in the security industry With the service and leasing approach already firmly entrenched in other industries, this is well proven in a consumer market. The airline industry is a great example. Manufacturers understand that airlines need flexibility to upscale and downscale operations and therefore whole aircraft and even individual key components (such as engines or seating) can be leased as required. Using this approach, airlines can concentrate on what customers demand and not worry about the logistics of doing this. Manufacturers and leasing businesses provide assurances and guarantees of service time for aircraft and engines, taking care of the servicing and maintenance to ensure this delivery. This approach is just as well suited for the provision of security systems. Servicing the future security market Undoubtedly there are major opportunities on offer in return for a change of perspective in the security industry. However, this will involve substantial changes in some quarters to ensure the business model is aligned with the market. Overall, the security industry needs to not only develop the right systems for the market, but also to deliver them in the right way as well. This will ensure we work even more closely with customers to provide the expert support they need and deserve.