The need for security convergence and shared threat intelligence is markedly increasing

“Converged security” has been a buzz phrase for more than a decade, but the industry is just now starting to reap the rewards. Converged security recognises that truly comprehensive organisational risk management involves the integration of two distinct security functions that have largely been siloed in the past: information security (network operations centre or NOC) and physical security (security operations centre or SOC). In fact, “siloed” may be a nicer way of saying that these people historically have had no desire or ability to work together.

NOC and SOC convergence

That situation was tolerable in the past, but the need, and in some cases the requirement, for security convergence and shared threat intelligence is markedly increasing and is clearly more important today than ever before. The recent slew of successful attacks, all of which had predictive indicators that were overlooked because of highly segmented data collection and analysis, is a solemn reminder that the vulnerabilities are real. Organisations are tasked with keeping people and other assets safe, and to do that effectively they must encourage cooperation between the NOC and SOC functions, as the two are inextricably linked. In the most recent tragedies, there were unlinked predictors on the cyber side that were discovered only after the fact. In the past, physical assets merited the most attention in security protection, but today’s organisations are data driven and many of these traditionally physical assets are now information-based.

These two security worlds are markedly different. Security in a NOC often is focused on information like raw network traffic, security and audit logs, and other similarly abstract data that requires some interpretation as to what it could possibly mean. Points of emphasis in a SOC are video camera feeds and recordings, physical identity and access logs, fire safety, and many other important but largely tangible data. In an optimal security environment, the NOC and the SOC rely on each other, so today’s security professionals must be aware of the goals of the “other side.”

What’s driving (or enabling) convergence on the IT side for many organisations is the ongoing analogue-to-IP video conversion that started some time ago and some heavy investments in IT infrastructure (often for other areas of the business), which have led to easier access to sensor connectivity. This, combined with the continuously decreasing cost of network bandwidth and data storage, has removed the last big obstacles to widespread use. Further pressure on the outcomes comes from the intelligence perspective where modern threats are linked to each other, meaning that there’s rarely a physical threat that didn’t originate from a network touchpoint at some point in the planning or execution phase. That reality has led in some cases to the obliteration of walls between NOCs and SOCs, creating a “fusion centre” or “SNOC.”

Convergence challenges

Although convergence is necessary, it poses some notable challenges. These are best addressed by integrating people, processes, the preferred solutions in the cyber and physical security spaces, and the analysts’ knowledge bases; security officers, for example, have different training than cyber analysts.

Different “personalities” often are observed within organisations that are tasked with security. The cyber team, for example, might be comprised of millennials who have highly technical skill sets because they grew up in the Internet age (digital natives). Those in physical security, on the other hand, might be comprised of former city/state law enforcement, former military or government service protecting physical assets, who are often more senior and didn’t grow up with technology at their fingertips. As a result, these personalities sometimes don’t “mix” naturally, so extra effort is needed to break down barriers that isolate the roles into separate business units, in completely separate operation centres, or sometimes on opposite sides of the country.

Cyber and physical security professionals often have different knowledge, personalities and training that hinder cooperation

Because these operators/analysts come from different backgrounds, have different areas of responsibility, and because their response workflows rarely intersect, a question emerges: Would a typical operator in the SOC think to even call the NOC if the operator saw something suspicious that could relate to the cyber side? Some NOCs are unaware that the SOC even exists, and if they are, they don’t know what the SOC is monitoring. The key to success is cross-training. For greater context and threat identification/mitigation, operators need to be familiar with the physical and logical risk, solutions, and cross-escalations.

The challenge of going traditional

Even in a converged security environment, traditional security detection systems produce a range of challenges in keeping organisations secure. Among them are:

Weak, independent alert streams: Most threat detection systems today are limited to a single data type – physical or cyber – and often these best-of-breed solutions are niched into a specific use (or division) within the department. For example, a large metropolitan transportation authority might have a physical security team with a dedicated fare evasion department – and, thus, leverage multiple cutting-edge solutions, including some machine learning, in support of a very specific objective rather than looking holistically at how to apply the technology across the organisation.

Cost of alarm investigation: Operators are inundated with data and “false alarms” in their day-to-day work. For example, on a large, urban college campus, SOC operators are responding to 911 (blue phones), LPR, unit dispatch, video analytics, and access control. The combination of data inundation and false alarms causes them to average just over three minutes to issue the required acknowledgement. In some cases this is actually considered a “good” response time.

In another example, operators in a major metropolitan city’s police department attempt to proactively keep the public safe and direct response resources by monitoring almost 2,000 cameras online (easily 48,000 hours of recorded footage per day). In an 18-month period, only once did they actually catch an anomalous event as it happened, with a camera operator looking at the monitor at exactly the right time. Every other incident had to be found after the fact. In short, false alarms without context or relevance, together with data inundation, require enormous time and resources from organisations and in most cases make real-time or even rapid response impossible.

Interpretability of alerts: Even when an alert is issued, the hardest things to figure out in many systems are (1) why the alert was issued and (2) whether there is a recommended action or workflow.

Alerting rules start bad but get worse: Considering data inundation and the incidence of false alarms, traditional systems don’t adjust themselves to stop providing alerts that eventually are deemed to not be useful and don’t teach themselves to provide more relevant alerts that merit further investigation. Over time, a system that started with a large volume of alerts and a manageable amount of false alarms eventually becomes a system of mostly false alarms.


How machine learning can help solve the challenges

Given the limitations of traditional systems, machine learning security systems are increasingly being used to address these challenges. Machine learning is a facet of artificial intelligence that provides computers with the ability to learn without being explicitly programmed or configured. It focuses on the development of computer programs that can teach themselves to grow and change through exposure to new data. Giant Gray’s Graydient platform, for example, leverages machine learning in its integration with video, SCADA or cyber technology to reduce false alarms by “teaching itself” what normal behaviour is in a given setting. Machine learning addresses the limitations of traditional systems by:

Reducing the cost of alarm investigation with intelligent prioritisation: In a traditional rules-based system, the logic is largely black and white. There is either a violation of a rule or there isn’t. All alerts are treated equally. In an unsupervised machine learning system, the logic to determine the likelihood or “unusualness” of an event can be based on an ever-evolving body of highly detailed knowledge. As a result, it offers the ability to rate the unusualness of any given event. With the ability to dynamically rank alerts, those alerts can be classified based on this unusualness score. 


A typical machine learning event ranking in a given period might be: Four alarms requiring acknowledgement, seven worth investigating, and 10 informational-only alerts that don’t create tickets. A perfectly configured traditional rules-based system in the same period would generate 21 equally ranked alerts that all require human interpretation. That said, optimally configured rules are rare and get worse with time, so the expectation might be to expect hundreds of equally ranked alerts in the same period that all need human review.

Context through combining traditionally disconnected alert sources: Machine learning systems leverage a composite sensor, a collection of individual sensors of various types that the system will learn and alarm as a whole based on the relationships between the member sensors. For example: When Object-A exhibits this behaviour, Object-B typically exhibits another behaviour within a certain time. The system will alert if the expected correlated action doesn’t occur.
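The composite-sensor idea above, as an added example that is not drawn from the article or from Giant Gray’s product: it pairs a physical badge-reader log (SOC side) with a workstation login log (NOC side), treats a badge-in as Object-A and the login that normally follows it as Object-B, and raises an alert when the expected correlated action is missing in either direction. All event lines, user names, the log format and the 15-minute window are constructed for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample logs (not real data). One line per event:
#   TIMESTAMP SOURCE key=value key=value ...
BADGE_LOG = """\
2021-03-02T08:01:10 badge user=alice door=LOBBY-3 result=granted
2021-03-02T08:04:55 badge user=bob door=LOBBY-3 result=granted
2021-03-02T08:20:00 badge user=erin door=LOBBY-3 result=denied
2021-03-02T08:30:00 badge user=carol door=LOBBY-3 result=granted
"""

LOGIN_LOG = """\
2021-03-02T08:02:00 login user=dave host=WS-207 result=success
2021-03-02T08:03:40 login user=alice host=WS-114 result=success
2021-03-02T08:41:12 login user=carol host=WS-088 result=success
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str   # "badge" (physical) or "login" (cyber)
    user: str


def parse_events(text: str) -> list[Event]:
    """Parse log lines into Events, keeping only successful badge-ins and logins."""
    events: list[Event] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
        if fields.get("result") not in ("granted", "success"):
            continue  # denied badge swipes and failed logins are not correlation members
        events.append(Event(datetime.fromisoformat(parts[0]), parts[1], fields["user"]))
    return events


def correlate(badges: list[Event], logins: list[Event],
              window: timedelta) -> list[tuple[str, str]]:
    """Composite sensor over two member sensors.

    Learned relationship (hard-coded here): a badge-in by a user is normally
    followed by a login for that user within `window`. Each badge-in is paired
    with the earliest such login. A badge-in with no matching login, or a login
    with no matching badge-in, means the expected correlated action did not
    occur, and the composite sensor alerts on it.
    """
    logins_by_user: dict[str, list[Event]] = {}
    for ev in logins:
        logins_by_user.setdefault(ev.user, []).append(ev)

    alerts: list[tuple[str, str]] = []
    matched: set[Event] = set()
    for badge in badges:
        candidates = [ev for ev in logins_by_user.get(badge.user, [])
                      if timedelta(0) <= ev.ts - badge.ts <= window]
        if candidates:
            matched.add(min(candidates, key=lambda ev: ev.ts))
        else:
            alerts.append(("badge_without_login", badge.user))
    for ev in logins:
        if ev not in matched:
            alerts.append(("login_without_badge", ev.user))
    return sorted(alerts)


def run_sample(window_minutes: int = 15) -> list[tuple[str, str]]:
    """Correlate the constructed logs with the given expectation window."""
    return correlate(parse_events(BADGE_LOG), parse_events(LOGIN_LOG),
                     timedelta(minutes=window_minutes))


if __name__ == "__main__":
    for kind, user in run_sample():
        print(f"{kind}: {user}")
```

Narrowing the window to 5 minutes shows how the learned timing matters: carol’s login 11 minutes after her badge-in then falls outside the expectation and both halves of her pair are reported.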

External threat-intelligence: A system will connect to known threat libraries to help classify new anomalies and recommend mitigation steps. No one likes to see an “unknown” or “unk” classification, so many of the leading SIEMs have this functionality built in.

Automatic self-improvement: Feedback loops must be guarded and learned. There will always be a risk that a human’s input can corrupt a learning system and produce undesirable output. This risk is mitigated with continuous learning, where we’re either reinforcing memories or driving memory decay (forgetting) based on what we see. This approach adapts to changing conditions and can prevent long-term, heavy-handed feedback.
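An added illustration, not the article’s or Graydient’s code, of the unusualness scoring and tiered ranking described under “Reducing the cost of alarm investigation” and of the guarded, decaying feedback described here: each sensor keeps an exponentially decaying mean and variance, every reading is scored in standard deviations against that baseline, scores are bucketed into the three tiers the ranking example uses, and analyst feedback reinforces a value with a bounded weight so no single action can rewrite the baseline. Sensor names, readings, thresholds and the decay constant are constructed for the example.

```python
from __future__ import annotations

import math
from collections import Counter
from dataclasses import dataclass, field

ALPHA = 0.2                # weight of the newest reading; older readings decay geometrically
WARMUP = 3                 # readings a sensor needs before it may raise an alert
VAR_FLOOR = 1.0            # keeps a perfectly quiet sensor from treating tiny deviations as extreme
MAX_FEEDBACK_WEIGHT = 3.0  # cap on how hard one analyst action can push the baseline


@dataclass
class SensorBaseline:
    """Exponentially weighted mean/variance of one sensor: memory with built-in decay."""
    mean: float = 0.0
    var: float = 0.0
    seen: int = 0

    def unusualness(self, value: float) -> float | None:
        """Deviation from the baseline in standard deviations; None during warm-up."""
        if self.seen < WARMUP:
            return None
        return abs(value - self.mean) / math.sqrt(max(self.var, VAR_FLOOR))

    def learn(self, value: float, weight: float = 1.0) -> None:
        """Fold a reading into the baseline; old behaviour is gradually forgotten."""
        a = min(1.0, ALPHA * min(weight, MAX_FEEDBACK_WEIGHT))
        if self.seen == 0:
            self.mean = value
        else:
            delta = value - self.mean
            self.mean += a * delta
            self.var = (1.0 - a) * (self.var + a * delta * delta)
        self.seen += 1


def tier(z: float) -> str:
    """Map an unusualness score to the three tiers used in the ranking example."""
    if z >= 5.0:
        return "acknowledge"    # creates a ticket that an operator must acknowledge
    if z >= 3.0:
        return "investigate"    # worth a look, no ticket deadline
    return "informational"      # logged only


@dataclass
class AlertRanker:
    baselines: dict[str, SensorBaseline] = field(default_factory=dict)

    def observe(self, sensor: str, value: float) -> tuple[str, float, float, str] | None:
        """Score a reading against its sensor's baseline, then learn from it."""
        b = self.baselines.setdefault(sensor, SensorBaseline())
        z = b.unusualness(value)
        b.learn(value)          # continuous learning: every reading updates the baseline
        if z is None:
            return None
        return (sensor, value, round(z, 2), tier(z))

    def mark_false_alarm(self, sensor: str, value: float) -> None:
        """Analyst feedback: reinforce this value as normal, with bounded weight."""
        self.baselines[sensor].learn(value, weight=MAX_FEEDBACK_WEIGHT)


def rank_alerts(observations: list[tuple[str, float]]) -> tuple[AlertRanker, list]:
    ranker = AlertRanker()
    alerts = []
    for sensor, value in observations:
        alert = ranker.observe(sensor, value)
        if alert is not None:
            alerts.append(alert)
    return ranker, alerts


def summarise(alerts: list) -> dict[str, int]:
    """Count alerts per tier, e.g. how many need acknowledgement this period."""
    return dict(Counter(a[3] for a in alerts))


# Constructed hourly counts for one physical and one cyber sensor (not real data).
# The door sensor is very steady and then spikes; the VPN sensor is noisy by nature,
# so a larger jump is needed before it looks unusual.
SAMPLE_OBSERVATIONS = [
    ("door-3/opens-per-hour", 10), ("vpn/logins-per-hour", 40),
    ("door-3/opens-per-hour", 11), ("vpn/logins-per-hour", 55),
    ("door-3/opens-per-hour", 9),  ("vpn/logins-per-hour", 30),
    ("door-3/opens-per-hour", 10), ("vpn/logins-per-hour", 48),
    ("door-3/opens-per-hour", 12), ("vpn/logins-per-hour", 62),
    ("door-3/opens-per-hour", 10), ("vpn/logins-per-hour", 35),
    ("door-3/opens-per-hour", 60), ("vpn/logins-per-hour", 85),
]

if __name__ == "__main__":
    ranker, alerts = rank_alerts(SAMPLE_OBSERVATIONS)
    for sensor, value, z, t in alerts:
        print(f"{t:13s} z={z:6.2f}  {sensor}={value}")
    print(summarise(alerts))
```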

Why machine learning is required in security

  • There is no baseline training data we can use to create reliable system rules or to train supervised learning systems;
  • We cannot manually keep pace with change, so we have to have a system that continuously adapts, learning the new environment or condition and forgetting the old;
  • Modelling and rules are the most effective they will ever be on the day they’re programmed. The next attack will not look like the last so we need an intelligent system that will identify the unexpected;
  • The most dangerous threats we all face are the ones that have never been seen before. They can’t be predicted, and therefore, we cannot program a rule or build a model for something that we can’t quantify.

Author profile

Cody Falcon Vice President, Solutions & Services, Giant Gray
