It’s commonplace these days to assume we can learn everything about someone from their digital activity – after all, people share so much on social media and over digital chats. However, advanced threats are more careful on digital. To catch advanced threats, therefore, combining insights from their actual activities in the world on a day-to-day basis with their digital communications and activity can provide a better sense if there’s an immediate and significant threat that needs to be addressed.
Let’s play out this insider threat scenario. While this scenario is in the financial services sector, with quick imagination, a security analyst could see applicability to other sectors. An investment banking analyst, Sarah, badges into a satellite office on a Saturday at 7 pm. Next, she logs onto a workstation, and prints 200 pages of materials. These activities alone, could look innocuous. But taken together, could there be something more going on?
As it turns out, Sarah tendered her resignation the prior Friday with 14 days notice. She leaves that Saturday night with two paper bags of confidential company printouts in tow to take to her next employer – a competing investment bank - to give her an edge.
A complete picture of her activity can be gleaned with logs from a few data sources:
-
HR data showing her status as pending termination, from a system like Workday or SAP
-
Badge reader logs
-
Sign in logs
-
Print logs
-
Video camera logs, from the entry and exit way of the building
While seemingly simple, piecing all this information together and taking steps to stop the employee’s actions or even recover the stolen materials is non-trivial. Today, companies are asking themselves, what type of technology is required to know that her behavior was immediately suspicious? And what type of security program can establish the objectives and parameters for quickly catching this type of insider threat?
What is a converged security program?
In the above scenario, sign-in logs and print logs alone aren’t necessarily suspicious. The suspicion level materially increases when you consider the combined context of her employment status with the choice of day and time to badge into the office. As such, converged security dataset analysis brings together physical security data points, such as logs from cameras or badge readers in the above example, and digital insights from activity on computers, computer systems or the internet. If these insights are normalized into the same dataset with clear consistency across user and device activity, they can be analyzed by physical security or cybersecurity analysts for faster threat detection. Furthermore, such collaboration can give way to physical and cybersecurity practitioners establishing a converged set of policies and procedures for incident response and recovery.
In his book, Roland Cloutier describes three important attributes of a converged security function:
-
One Table: everyone sitting together to discuss issues and create a sense of aligned missions, policies, and procedures for issue detection and response.
-
Interconnected Issue Problem Solving: identifying the problem as a shared mission and connecting resources in a way that resolves problems faster.
-
Link Analysis: bringing together data points about an issue or problem and correlating them to gain insights from data analytics.
Challenges of bringing together physical and information security
In today’s environment, the challenges of intertwining physical and digital security insights are substantial. Large international enterprises have campuses scattered across the world and a combination of in-office and remote workers. They may face challenges when employee data is fragmented across different physical and digital systems. Remote workers often don’t have physical security log information associated with their daily activity because they work from the confines of their homes, out of reach of corporate physical monitoring.
The modern workforce model further complicates managing physical and digital security as organizations contend with the:
-
Rise of remote work
-
Demise of the corporate network
-
Usage of personal mobile devices at work
-
Constant travel of business executives
A worker can no longer be tracked by movement in the building and on the corporate network. Instead, the person’s physical location and network connections change throughout the day. Beyond the technical challenges, organizations face hierarchical structure and human element challenges.
Many companies separate physical security from cybersecurity. One reason for this is that a different skillset may be required to stop the threats. Yet, there is value in the two security leaders developing an operating model for collaboration centers on a global data strategy with consistent and complete insights from the physical security and cybersecurity tools.
Consider a model to do so that revolves around 3 principles:
-
Common data aggregation and analysis across physical and cybersecurity toolsets
-
Resource alignment for problem solving and response in the physical security org and the cybersecurity group.
-
A common set of metrics for accountability across the converged security discipline
Diverse, disconnected tools
This is the problem cybersecurity faces, but this time on a wider scale. Each executive purchases tools for monitoring within their purview. They get data.
However, they either fail to gain insights from it or any insights they do achieve are limited to the problem the technology solves.
Access is a good example:
-
Identity and Access Management (IAM): sets controls that limit and manage how people interact with digital resources.
-
Employee badges: set control for what facilities and parts of facilities people can physically access.
Returning to the insider threat that Sarah Smith poses: the CISO’s information security organization has visibility into sign in and print logs but would have to collaborate with the CSO’s physical security group for badge logs. This process takes time and, depending on organizational politics, potentially requires convincing.
The siloed technologies could potentially create a security gap when the data remains uncorrelated:
-
The sign in and print logs alone may not sufficiently draw attention to Sarah’s activities in the CISO’s organization.
-
Badge in logs in the CSO’s organization may not draw an alert.
-
HR data, such as employment/termination status, may not be correlated in either the CISO’s or CSO’s available analytical datasets.
Without weaving the various data sources together into one story, Sarah’s behavior has a high risk of going completely undetected – by anyone.
In a converged program, IAM access and badge access would be correlated to improve visibility. In a converged program with high security data maturity, the datasets would provide a more complete picture with insights that correlate HR termination status, typical employee location, and more business context.
Resource constraints
The challenge of resource alignment often begins by analyzing constraints. Both physical and digital security costs money. Many companies view these functions as separate budgets, requiring separate sets of technologies, leadership, and resources.
Converged security contemplates synergies where possible overlaps can potentially reduce costs. For example:
-
Human Resources data: identifying all workforce members who should have physical and digital access.
-
IT system access: determining user access where HR is the source underlying Active Directory or IGA birthright provisioning and automatic access termination.
-
Building access: badges provisioning and terminating physical access according to HR status
The HR system, sign on system, and badge-in system each serve a separate recordation purpose, which can then provide monitoring functionality. However, by keeping insights from daily system usage separate, the data storage and analysis can grow redundant. As Cloutier notes, “siloed operations tend to drive confusion, frustration, and duplicative work streams that waste valuable resources and increase the load on any given functional area.” (24)
Instead, imagine if diverse recordation systems output data to a single location that parsed, correlated, and enriched data to create user profiles and user timelines so cross-functional teams with an interdisciplinary understanding of threat vectors could analyze it. In such an organization, this solution could
-
Reduce redundant storage.
-
Eliminate manual effort in correlating data sources from different systems.
-
Save analysts time by having all the data already in one spot (no need for gathering in the wake of an incident.
-
Allow for more rapid detection and response.
Metrics and accountability
Keeping physical security separate from cybersecurity can create the risk of disaggregated metrics and a lack of accountability. People must “compare notes” before making decisions, and the data may have discrepancies because everyone uses different technologies intended to measure different outcomes.
These data, tool, and operations silos can create an intricate, interconnected set of overlapping “blurred lines” across:
-
Personal/Professional technologies
-
Physical/Digital security functions
In the wake of a threat, the last thing people want to do is increase the time making decisions or argue over accountability, which can quickly spiral into conversations of blame.
Imagine, instead, a world in which the enterprise can make security a trackable metric. Being able to track an end goal – such as security, whether physical or digital – makes it easier to
-
Hold people accountable.
-
Make clear decisions.
-
Take appropriate action.
A trackable metric is only as good as the data that can back it up. Converged security centers around the concept of a global security data strategy that provides an open architecture for analyses that answer different questions while using a commonly accessed, unified data set that diverse security professionals accept as complete, valid, and the closet thing they can get to the “source of truth”.
Weaving together data for converged security with DataBee®
DataBee by Comcast Technology Solutions fuses together physical and digital security data into a data fabric architecture, then enriches it with additional business information, including:
-
Business policy context
-
Organizational hierarchy
-
Employment status
-
Authentication and endpoint activity logs
-
Physical bad and entrance logs
By weaving this data together, organizations achieve insights using a transformed dataset mapped to the DataBee-extended Open Cybersecurity Framework Scheme (OCSF). DataBee EntityViewsTM uses a patent-pending entity resolution software that automatically unifies disparate entity pieces across multiple sources of information. This enables many analytical use cases at speed and low cost. One poignant use case includes insider threat monitoring with a comprehensive timeline of user and devices activity, inside a building and when connected to networks.
The DataBee security data fabric architecture solves the Sarah problem, by weaving together in on timeline:
-
Her HID badge record from that Saturday’s office visit
-
The past several months of HR records from Workday showing her termination status.
-
Her Microsoft user sign-in to a workstation in the office
-
The HP print logs associated with her network ID and a time stamp.
DataBee empowers all security data users within the organization, including compliance, security, operations, and management. By creating a reliable, accurate dataset, people have fast, data-driven insights to answer questions quickly.