The need for security convergence and shared threat intelligence is markedly increasing

“Converged security” has been a buzz phrase for more than a decade, but the industry is just now starting to reap the rewards. Converged security recognises that truly comprehensive organisational risk management involves the integration of two distinct security functions that have largely been siloed in the past: information security (network operations centre or NOC) and physical security (security operations centre or SOC). In fact, “siloed” may be a nicer way of saying that these people historically have had no desire or ability to work together.

NOC and SOC convergence

That situation has been acceptable in the past, but the need, and in some cases the requirement, for security convergence and shared threat intelligence is markedly increasing and is clearly more important today than ever before. The recent slew of successful attacks that all had predictive indicators, overlooked because of highly segmented data collection and analysis, is a solemn reminder that the vulnerabilities are real. Organisations are tasked with keeping people and other assets safe, and to do that effectively they must encourage cooperation between the NOC and SOC functions, as the two are inextricably linked. In the most recent tragedies, there were unlinked predictors on the cyber side that were discovered only after the fact. In the past, physical assets merited the most attention in security protection, but today’s organisations are data driven and many of these traditionally physical assets are now information-based.

These two security worlds are markedly different. Security in a NOC often is focused on information like raw network traffic, security and audit logs, and other similarly abstract data that requires some interpretation as to what it could possibly mean. Points of emphasis in a SOC are video camera feeds and recordings, physical identity and access logs, fire safety, and many other important but largely tangible data. In an optimal security environment, the NOC and the SOC rely on each other, so today’s security professionals must be aware of the goals of the “other side.”

What’s driving (or enabling) convergence on the IT side for many organisations is the ongoing analogue-to-IP video conversion that started some time ago and some heavy investments in IT infrastructure (often for other areas of the business), which have led to easier access to sensor connectivity. This, combined with the continuously decreasing cost of network bandwidth and data storage, has removed the last big obstacles to widespread use. Further pressure on the outcomes comes from the intelligence perspective where modern threats are linked to each other, meaning that there’s rarely a physical threat that didn’t originate from a network touchpoint at some point in the planning or execution phase. That reality has led in some cases to the obliteration of walls between NOCs and SOCs, creating a “fusion centre” or “SNOC.”

Convergence challenges

Although convergence is necessary, it brings some notable challenges. These are best addressed by integrating people, processes, the preferred solutions in the cyber and physical security space, and the analysts’ knowledge base; security officers, for example, have different training than cyber analysts.

Different “personalities” often are observed within organisations that are tasked with security. The cyber team, for example, might consist of millennials who have highly technical skill sets because they grew up in the Internet age (digital natives). Those in physical security, on the other hand, might be former city/state law enforcement, or former military or government service personnel who protected physical assets; they are often more senior and didn’t grow up with technology at their fingertips. As a result, these personalities sometimes don’t “mix” naturally, so extra effort is needed to break down the barriers that isolate the roles into separate business units, completely separate operation centres, or sometimes opposite sides of the country.

Because these operators/analysts come from different backgrounds, have different areas of responsibility, and because their response workflows rarely intersect, a question emerges: Would a typical operator in the SOC think to even call the NOC if the operator saw something suspicious that could relate to the cyber side? Some NOCs are unaware that the SOC even exists, and those that are aware often don’t know what the SOC is monitoring. The key to success is cross-training. For greater context and better threat identification/mitigation, operators need to be familiar with the physical and logical risks, the solutions in place, and the cross-escalation paths.

The challenge of going traditional

Even in a converged security environment, traditional security detection systems produce a range of challenges in keeping organisations secure. Among them are:

Weak, independent alert streams: Most threat detection systems today are limited to a single data type – physical or cyber – and often these best-of-breed solutions are niched into a specific use (or division) within the department. For example, a large metropolitan transportation authority might have a physical security team with a dedicated fare evasion department – and, thus, leverage multiple cutting-edge solutions, including some machine learning, in support of a very specific objective rather than looking holistically at how to apply the technology across the organisation.

Cost of alarm investigation: Operators are inundated with data and “false alarms” in their day-to-day work. For example, on a large, urban college campus, SOC operators are responding to 911 (blue phones), LPR, unit dispatch, video analytics, and access control. The combination of data inundation and false alarms causes them to average just over three minutes in issuing the required acknowledgement. In some cases this is actually considered a “good” response time.

In another example, operators at a major metropolitan city’s police department attempt to proactively keep the public safe and direct response resources by monitoring almost 2,000 cameras online (easily 48,000 hours of recorded footage per day). In an 18-month period, only once did they actually catch an anomalous event as it happened, with a camera operator looking at the monitor at exactly the right time. Every other incident had to be found after the fact. In short, false alarms without context or relevance, combined with data inundation, require enormous time and resources from organisations and in most cases make real-time or even rapid response impossible.

Interpretability of alerts: Even when an alert is issued, the hardest thing to figure out through many systems is (1) why the alert was issued and (2) is there a recommended action/workflow.

Alerting rules start bad but get worse: Considering data inundation and the incidence of false alarms, traditional systems don’t adjust themselves to stop providing alerts that eventually are deemed to not be useful and don’t teach themselves to provide more relevant alerts that merit further investigation. Over time, a system that started with a large volume of alerts and a manageable amount of false alarms eventually becomes a system of mostly false alarms.

How machine learning can help solve the challenges

Given the limitations of traditional systems, machine learning security systems are increasingly being used to address these challenges. Machine learning is a facet of artificial intelligence that provides computers with the ability to learn without being explicitly programmed or configured. Machine learning focuses on the development of computer programmes that can teach themselves to grow and change through exposure to new data. Giant Gray’s Graydient platform, for example, leverages machine learning in its integration with video, SCADA or cyber technology to reduce false alarms by “teaching itself” what normal behaviour is in a given setting. Machine learning addresses the limitations of traditional systems by:

Reducing the cost of alarm investigation with intelligent prioritisation: In a traditional rules-based system, the logic is largely black and white. There is either a violation of a rule or there isn’t. All alerts are treated equally. In an unsupervised machine learning system, the logic to determine the likelihood or “unusualness” of an event can be based on an ever-evolving body of highly detailed knowledge. As a result, it offers the ability to rate the unusualness of any given event. With the ability to dynamically rank alerts, those alerts can be classified based on this unusualness score. 

A typical machine learning event ranking in a given period might be: four alarms requiring acknowledgement, seven worth investigating, and 10 informational-only alerts that don’t create tickets. A perfectly configured traditional rules-based system in the same period would generate 21 equally ranked alerts that all require human interpretation. That said, optimally configured rules are rare and get worse with time, so the realistic expectation is hundreds of equally ranked alerts in the same period that all need human review.

Context through combining traditionally disconnected alert sources: Machine learning systems leverage a composite sensor, a collection of individual sensors of various types that the system will learn and alarm as a whole based on the relationships between the member sensors. For example: When Object-A exhibits this behaviour, Object-B typically exhibits another behaviour within a certain time. The system will alert if the expected correlated action doesn’t occur.

External threat intelligence: A system will connect to known threat libraries to help classify new anomalies and recommend mitigation steps. No one likes to see an “unknown” or “unk” classification, so many of the leading SIEMs have this functionality built in.

Automatic self-improvement: Feedback loops must be guarded and learned. There will always be a risk that a human’s input can corrupt a learning system, which could result in undesirable output. This risk is mitigated with continuous learning, where we’re either reinforcing memories or driving memory decay (forgetting) based on what we see. This approach adapts to changing conditions and can prevent long-term, heavy-handed feedback.
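As an added illustration of the intelligent prioritisation, composite-sensor correlation and guarded feedback described above (example code, not the article’s or Giant Gray’s), the following Python models a badge reader (Object-A) that is normally followed by a door-contact opening (Object-B). The sensor names, timelines, tier thresholds and the z-score squashing are all assumptions chosen for clarity.

```python
"""Composite-sensor correlation alerting with unusualness ranking.
Added example, not the article's or Giant Gray's code. Constructed scenario:
a badge reader (sensor A) is normally followed by a door contact opening
(sensor B) a few seconds later. Thresholds and timelines are assumptions."""
import math

class CorrelatedSensorModel:
    """Learns 'B follows A after a typical lag' with exponential forgetting."""
    def __init__(self, alpha=0.1, prior_var=1.0):
        self.alpha = alpha      # learning rate; larger = faster memory decay
        self.mean = None
        self.var = prior_var    # wide prior, narrowed by observations

    def learn(self, lag):
        """Reinforce the memory of the A->B lag; older observations decay."""
        if self.mean is None:
            self.mean = lag
            return
        d = lag - self.mean
        self.mean += self.alpha * d
        self.var = (1 - self.alpha) * self.var + self.alpha * d * d

    def unusualness(self, lag):
        """0.0 = exactly the learned behaviour, 1.0 = maximally unusual."""
        if lag is None:         # the expected correlated action never happened
            return 1.0
        z = abs(lag - self.mean) / max(math.sqrt(self.var), 1e-6)
        return 1.0 - math.exp(-z / 3.0)   # squash the z-score into [0, 1)

def pair_events(events, max_lag):
    """For each (t, 'A') event: lag to the first unmatched B within max_lag, else None."""
    b_times = sorted(t for t, s in events if s == "B")
    used, pairs = set(), []
    for t, s in sorted(events):
        if s != "A":
            continue
        match = next((b for b in b_times
                      if b not in used and t <= b <= t + max_lag), None)
        if match is not None:
            used.add(match)
        pairs.append((t, None if match is None else match - t))
    return pairs

def rank(score):
    """Tier thresholds are assumptions; tune them per deployment."""
    if score >= 0.8:
        return "acknowledge"      # operator must act
    if score >= 0.4:
        return "investigate"      # worth a look, lower priority
    return "informational"        # logged, no ticket

def run(baseline, live, max_lag=60.0):
    """Train on baseline, then score live A events -> [(t, score, tier)]."""
    model = CorrelatedSensorModel()
    for _, lag in pair_events(baseline, max_lag):
        if lag is not None:
            model.learn(lag)
    results = []
    for t, lag in pair_events(live, max_lag):
        score = model.unusualness(lag)
        tier = rank(score)
        if tier == "informational":   # guarded feedback loop: only events the
            model.learn(lag)          # model itself deems normal reinforce it
        results.append((t, round(score, 3), tier))
    return results

# Constructed timelines (seconds). Baseline: the door opens ~3 s after each badge.
BASELINE = [(t, "A") for t in (0, 20, 40, 60, 80, 100, 120, 140)] + [
    (3.0, "B"), (23.2, "B"), (42.8, "B"), (63.1, "B"),
    (82.9, "B"), (103.0, "B"), (123.0, "B"), (143.1, "B"),
]
# Live: a normal badge, a slow door, and a badge with no door opening at all.
LIVE = [(200, "A"), (203.0, "B"), (300, "A"), (305.0, "B"), (400, "A")]

if __name__ == "__main__":
    for t, score, tier in run(BASELINE, LIVE):
        print(f"t={t:>5} unusualness={score:.3f} -> {tier}")
```

With the constructed data the three live badge events land in the three tiers the article describes: the normal one is informational, the slow door is worth investigating, and the badge with no door opening at all scores the maximum and requires acknowledgement.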

Why machine learning is required in security

  • There is no baseline training data we can use to create reliable system rules or to train supervised learning systems;
  • We cannot manually keep pace with change, so we have to have a system that continuously adapts, learning the new environment or condition and forgetting the old;
  • Modelling and rules are the most effective they will ever be on the day they’re programmed. The next attack will not look like the last so we need an intelligent system that will identify the unexpected;
  • The most dangerous threats we all face are the ones that have never been seen before. They can’t be predicted, and therefore, we cannot program a rule or build a model for something that we can’t quantify.

Author profile

Cody Falcon Vice President, Solutions & Services, Giant Gray
