Big Data Analytics in security – helping proactivity and value creation
Given the spate of recent incidents globally, a lot of attention is drawn towards cyber security. However, as most organisations recognise, this attention is not limited to the cyber side of security but to all elements which relate to protection of information and people in their organisation.
The wealth of data which security departments capture through their various activities or systems is being used in novel ways to identify and resolve risks (exceptions) which would otherwise go unnoticed until they manifest as issues. The principles behind these approaches are generally classified as ‘Security Intelligence’ and ‘Behavioural Analytics’.
To share a few examples:
- A global bank employing >150K people with over 100 sites across the world was keen to identify instances where their people were logging into their IT systems ‘remotely’ despite being physically inside their premises. Such exceptions point to a possible duplication of an identity record, which is a serious threat. As the bank discovered, the ‘best’ (cheap, quick and replicable) way to approach this was to apply simple principles of data integration and visualisation across their logical and physical access control systems. By doing so, the security team was notified of any such exception in real time. This allowed for an instant investigation and helped the bank mitigate their risk significantly.
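The correlation the bank describes, as an added example that is not the bank's or the author's own code: each remote (VPN) login is checked against the user's most recent badge event, and a login while the user is still badged into a site is raised as an exception. The event records, site names and IP addresses are constructed sample data, and the stale-presence window is an assumption for sites where people forget to badge out.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real data): badge events from the physical
# access control system and remote-login events from the VPN concentrator.
BADGE_EVENTS = [
    ("alice", "2024-03-04T08:02:00", "IN",  "London-HQ"),
    ("bob",   "2024-03-04T08:15:00", "IN",  "London-HQ"),
    ("bob",   "2024-03-04T12:30:00", "OUT", "London-HQ"),
    ("carol", "2024-03-04T09:00:00", "IN",  "Frankfurt"),
]
VPN_LOGINS = [
    ("alice", "2024-03-04T10:45:00", "203.0.113.7"),   # badged in, logging in remotely
    ("bob",   "2024-03-04T14:10:00", "198.51.100.9"),  # badged out, legitimate
    ("dave",  "2024-03-04T11:00:00", "192.0.2.44"),    # no badge record at all
]

def _ts(s):
    return datetime.fromisoformat(s)

def presence_at(badge_events, user, when, max_hours=12):
    """Return the site the user is badged into at `when`, or None.
    Uses the latest badge event before `when`; an OUT event clears presence and
    an IN event older than `max_hours` (assumed) is treated as stale."""
    site, since = None, None
    for u, t, direction, s in sorted(badge_events, key=lambda e: e[1]):
        if u != user or _ts(t) > when:
            continue
        site, since = (s, _ts(t)) if direction == "IN" else (None, None)
    if site is not None and when - since > timedelta(hours=max_hours):
        return None
    return site

def find_impossible_logins(badge_events, vpn_logins):
    """Flag remote logins by users who are physically inside a site.
    Returns a list of (user, login_time, site, source_ip) exceptions."""
    exceptions = []
    for user, t, src_ip in vpn_logins:
        site = presence_at(badge_events, user, _ts(t))
        if site is not None:
            exceptions.append((user, t, site, src_ip))
    return exceptions

if __name__ == "__main__":
    for e in find_impossible_logins(BADGE_EVENTS, VPN_LOGINS):
        print("ALERT remote login while on-site:", e)
```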
- A Fortune 500 organisation had multiple reported cases of expensive equipment stolen from different buildings around the main campus area. They suspected the thefts were occurring after hours, but analysis of access records from their physical access control systems alone wasn’t very helpful. They had hundreds of people working late at that site on a regular basis, so they were unable to narrow the suspects to a manageable number. But by applying analytical intelligence to an integrated set of time and attendance data and physical access data, they were able to resolve this. They first defined the ‘usual’ behaviour of individuals and groups of individuals, i.e. which areas they access the most and at what times. Then they looked for exceptions, i.e. individuals or groups accessing areas at times which fell outside their ‘usual’ behaviour.
By doing this analysis, a single employee stood out and his access pattern also coincided with the thefts. The next time the employee entered a new area after his normal hours, the Security Operations team was notified following which a guard was sent to inspect the building. The thief was caught red-handed. This approach not only helped them resolve a mystery but also provided them with a strategy to prevent similar activities in the future.
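The baseline-and-exception approach described in this case, as an added example that is not the organisation's or the author's own code: a per-person profile (areas used, earliest and latest hour of access) is built from historical badge records, and new events outside that profile are reported with the reason. The names, areas and timestamps are constructed sample data, and the [earliest, latest] hour window is an assumed, deliberately simple definition of ‘usual’ times.

```python
from collections import defaultdict
from datetime import datetime

# Constructed historical badge records (not real data): (user, area, ISO timestamp).
HISTORY = [
    ("erin", "Lab-2", "2024-02-05T09:10:00"), ("erin", "Lab-2", "2024-02-06T08:55:00"),
    ("erin", "Office-B", "2024-02-06T13:20:00"), ("erin", "Lab-2", "2024-02-07T17:40:00"),
    ("frank", "Warehouse", "2024-02-05T20:05:00"), ("frank", "Warehouse", "2024-02-06T21:30:00"),
    ("frank", "Loading-Bay", "2024-02-07T19:15:00"),
]
# Constructed new events to score against the baseline.
NEW_EVENTS = [
    ("erin", "Lab-2", "2024-03-01T10:00:00"),       # usual area, usual hours
    ("erin", "Warehouse", "2024-03-01T22:30:00"),   # new area, late hour
    ("frank", "Warehouse", "2024-03-01T21:00:00"),  # usual for a night-shift worker
]

def build_baseline(history):
    """Per user: the set of areas used and the (earliest, latest) hour of access."""
    areas = defaultdict(set)
    hours = defaultdict(list)
    for user, area, ts in history:
        areas[user].add(area)
        hours[user].append(datetime.fromisoformat(ts).hour)
    return {u: {"areas": areas[u], "hours": (min(hours[u]), max(hours[u]))}
            for u in areas}

def find_exceptions(baseline, events):
    """Return (user, area, ts, reasons) for events outside the user's usual behaviour.
    A user with no baseline is reported too, so the analyst decides, not the code."""
    out = []
    for user, area, ts in events:
        prof = baseline.get(user)
        reasons = []
        if prof is None:
            reasons.append("no baseline")
        else:
            hour = datetime.fromisoformat(ts).hour
            if area not in prof["areas"]:
                reasons.append("unusual area")
            lo, hi = prof["hours"]
            if not lo <= hour <= hi:
                reasons.append("unusual time")
        if reasons:
            out.append((user, area, ts, reasons))
    return out

if __name__ == "__main__":
    for ex in find_exceptions(build_baseline(HISTORY), NEW_EVENTS):
        print("EXCEPTION:", ex)
```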
- A highly secure Research and Development organisation spent heavily each year to perform background checks on every person accessing their campus. A reduction of their security budget led them to change their policy: they decided to perform ‘risk assessments’ on each individual and re-ran checks only on those who represented the highest risk. However, this simply led to a cut in the frequency of checks and raised their risk significantly. So it was critical that they re-defined the way in which they derived their ‘risk assessments’.
They started by factoring each individual’s level of access, the time they had been with the organisation and the time since they last went through a background check. This information was coupled with their known ‘behaviour’ (which areas they access frequently and at what times) to compute a ‘Risk Score’. Background checks were mandated for individuals with a high Risk Score and those who showed a sudden increase in their overall Risk Score. This helped a great deal in maintaining their high security levels (no issues reported since) whilst reducing their operational cost by approximately 85%.
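The Risk Score policy described above, as an added example that is not the organisation's or the author's own code: the page names the factors (level of access, tenure, time since last check, known behaviour) but gives no formula, so the weights, thresholds and the use of a recent behavioural-exception count as the ‘behaviour’ input are assumptions. The staff records and previous scores are constructed sample data.

```python
# Constructed staff records (not real data). Weights and thresholds are
# illustrative assumptions; the original page lists the factors but no formula.
STAFF = [
    {"id": "p001", "access_level": 5, "tenure_months": 3,  "months_since_check": 3,  "exceptions_30d": 0},
    {"id": "p002", "access_level": 2, "tenure_months": 60, "months_since_check": 30, "exceptions_30d": 0},
    {"id": "p003", "access_level": 3, "tenure_months": 24, "months_since_check": 6,  "exceptions_30d": 2},
]
PREVIOUS_SCORES = {"p001": 70, "p002": 35, "p003": 20}   # last assessment run

WEIGHTS = {"access": 10, "new_joiner": 20, "stale_check": 1, "exception": 8}
HIGH_SCORE = 60    # re-check anyone at or above this score...
SUDDEN_RISE = 25   # ...or whose score rose by at least this much since last run

def risk_score(p):
    """Assumed weighted sum: higher access, short tenure, an overdue check and
    recent behavioural exceptions all push the score up (capped at 100)."""
    score = WEIGHTS["access"] * p["access_level"]
    if p["tenure_months"] < 12:
        score += WEIGHTS["new_joiner"]
    score += WEIGHTS["stale_check"] * p["months_since_check"]
    score += WEIGHTS["exception"] * p["exceptions_30d"]
    return min(score, 100)

def select_for_recheck(staff, previous):
    """Return {id: (score, reason)} for people whose background check is due now:
    a high absolute score, or a sudden increase over the previous assessment."""
    due = {}
    for p in staff:
        s = risk_score(p)
        prev = previous.get(p["id"], s)   # unknown history: no rise to measure
        if s >= HIGH_SCORE:
            due[p["id"]] = (s, "high score")
        elif s - prev >= SUDDEN_RISE:
            due[p["id"]] = (s, "sudden increase")
    return due

if __name__ == "__main__":
    for pid, (score, why) in select_for_recheck(STAFF, PREVIOUS_SCORES).items():
        print(f"{pid}: score {score} -> background check ({why})")
```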
Benefits of Big Data Analytics in Security
There are several other use cases which highlight the benefits and value that security departments are creating using the principles of ‘Security Intelligence’ and ‘Big Data Analytics’.
To outline a few:
- Site utilisation metrics – to what degree is a site being used?
- Key performance indicators – how well are the security operational teams doing based on their service level agreements?
- Identifying risk indicators such as those around tailgating and unused access cards.
- Impact analysis in case of changes such as change of security policies or existing technologies such as access cards and access control systems.
- Supporting the green agenda by reducing the energy usage in areas which are not used heavily based on the data analysed.
How to succeed with Big Data Analytics in Security
However, all great ideas require successful execution (implementation) for their ‘greatness’ to be recognised. During this study we learnt the following tenets, which were key to successfully achieving the above:
- Identify the use cases which should be addressed through the endeavours of ‘Security Intelligence’ or ‘Big Data’. Base these on experience of known risks, threats and exceptions.
- Look for extensible solutions that can contribute to the bigger picture if that should become necessary. Scalability and extensibility are easily achieved when out-of-the-box solutions are deployed as opposed to customised ones. This helps organisations protect their investment as such solutions can be geared to handle changes of other third party systems or business processes.
- Partner with systems vendors that specialise in vertical security and connect to applicable systems (such as Access control, logical human resource systems, security devices) in a non-customised/non-bespoke manner.
- Avoid generic ‘Big Data’ solutions from vendors that don’t understand security. Domain knowledge is very important given that one size doesn’t fit all. Domain knowledge coupled with referenceable experience on the part of the solution provider implies a cheaper, shorter and more scalable implementation.
With the above it’s evident that security departments globally are recognising the opportunity to be a business enabler and are aligning their objectives so their organisations can run efficiently. This is a welcome departure from the traditional view of security as a purely reactive and investigative team, unfairly labelled as a ‘cost centre’.
Dr. Vibhor Gupta, Ph.D., Technology Lead, ASIS UK (at time of writing)