Becoming Predictive, Rather than Reactive

A holistic view of physical and logical identities can help to identify insider threats

Don Campbell, Quantum Secure

Current events have raised awareness of digital threats worldwide, bringing cybersecurity to the forefront of our global consciousness. It seems that hardly a day goes by without news of an attack and precious digital assets such as personal and financial data being unscrupulously dispersed around the globe. Among the many responses to these incidents is the U.S. government’s mandate for programs to thwart digital criminals.

Before digging into potential solutions for addressing these digital threats, it is important to examine the landscape to understand not only the digital world but the physical world as well – and how the two intersect with regard to cybersecurity.

Cybersecurity has become a part of nearly all of today’s business strategies. This has led to a number of companies gaining traction with technologies that apply intelligence on top of infrastructure to harden networks and detect vulnerabilities to prevent breaches.

These cyber programs are an excellent start, but many fail to address a key element of the issue. Not all data breaches are committed by hackers in remote locations around the world. Sometimes, they come from within an organization, often from individuals who are authorized to have access to parts of the network, if not all of it.

To fully comprehend cybersecurity and programs to detect insider threats, it is vital to have a complete understanding of the various individuals – or identities – within an organization.

In this case, an identity is defined as a person or entity – an employee, contractor, vendor, temporary employee or visitor represented by records within the system. An identity record will contain information about an individual, including basic human resources data, such as home address and emergency contact information. It may also contain additional information used to authenticate that an individual is who he or she claims to be, such as government IDs, photos, biometric data and/or background check findings. Lastly, identity records often contain information about the assets or areas to which people should have access. In many organizations, there are two different types of identity records: logical and physical.

A logical identity consists of a combination of controls used for identification, authentication, authorization, and accountability in computer information systems. These components enforce access control measures for systems, programs, processes, and information and may be embedded within operating systems, applications, add-on security packages, and database and telecommunications management systems.

A physical identity, on the other hand, represents a set of credentials and attributes that define the physical presence and location of an individual and must be verified before providing physical access. There are a number of key attributes that define the physical identity of an individual, including badging and access credentials, personal data, HR information, background check findings, and training and certification records.

With both logical and physical identity types, it is necessary for organizations to establish a definition of trust. For example, what requirements must be met before a credential is issued to an IT manager who requires access to an organization’s data center? Keep in mind that similar questions must be answered for every identity type that is issued, making this a daunting task. This is where technology becomes an essential tool, to organize and automate information while maintaining accuracy.

A policy-based physical identity and access management (PIAM) system automate the workflows associated with onboarding all of the various identity types that are issued. Beyond automation, PIAM solutions also ensure that the right identity is given the right level of access to the right areas and assets for the right duration of time. To further deepen levels of trust for each identity type, additional controls are put in place, including background checks or biometric data for accessing highly secure areas.

Understanding the critical role a policy-based PIAM solution plays in automating the processes associated with applying specific levels of trust to specific identity types is an excellent first step. The next phase of securing both physical and logical assets is to gather security intelligence, specifically the ability to understand each identity’s behavior across the entire enterprise.

Security Intelligence

So how is intelligence gleaned and applied to prevent threats? Say an employee who has worked from 9 a.m. to 5 p.m. in a specific building for several years starts exhibiting access patterns outside of that norm. This might be entering the building at odd hours, attempting to gain entry to areas where authorization has not been granted (such as server rooms), or downloading more information than usual from the network. Of course, this unusual pattern may be the result of a new position, a change in working hours, a particular project that requires temporary access to different areas or assets, or any number of other reasons. However, this change in routine could also mean that the employee is involved in something more nefarious, such as insider theft.

This is where security intelligence – more specifically, predictive analytics – enters the picture. If all of an organization’s identity records are stored in siloed systems, there is no connection between, say, access control, identity management and HR data. In such environments, which are unfortunately fairly common, there is little or no opportunity to see a holistic picture of how an individual identity is behaving. As a result, organizations do not have a clear view of their potential exposure to risk.

The number of networked systems and devices is growing, generating vast amounts of data, so much that it would be impossible for any person, or even an entire department, to sort through to identify threats that would enable an organization to take proactive measures. However, there is a solution.

How PIAM Fits In

The first step in gleaning security intelligence is to establish a baseline with data and metrics, which will serve as the foundation for identifying any anomalous behaviors. In the case of the aforementioned employee who rarely deviated from the established routine and access patterns, if the physical security and IT departments had set their baseline data, the new actions would have raised red flags and alerted the appropriate parties. Now imagine that equipment or sensitive logical assets had been reported missing during the same timeframe as this change in behavior.

With a predictive analysis solution in place, the employee would have risen to the top of an audit list. Say, for example, organizational policy dictates that a security officer be dispatched for a tour of the facility on the third instance of anomalous behavior. With this simple policy in place, and with background data in hand, the officer might observe the employee removing something from an area that the worker does not typically access.

This is a very simple example of the power of predictive analysis for an organization and is mainly focused on physical access. However, one of the main challenges with insider threats and cybersecurity is that no two breaches look alike. Therefore, more effectively identifying and potentially thwarting insider threats requires that physical and logical security work in tandem.

A Closer Look at Insider Threats

Data breaches can create staggering costs for an organization. For example, entertainment industry analysts estimate that, as a result of the 2014 breach related to the release of the film “The Interview,” Sony lost somewhere in the ballpark of $90 million.

Of course, not all breaches come with such a high price tag. The majority of costs are assessed on a situational basis. For instance, if a sales representative copies a client list when leaving an organization to join a competitor, it would be possible to make a projection of the resulting loss in sales. Or if an employee who has been terminated deletes company files, the cost of identifying which files are gone and retrieving them from archives can be determined.

The cost of other situations may be more difficult to calculate because of the complexity of the breach. A few of these examples range from the theft of intellectual property, including source code; the deletion or sabotage of source code; or the misuse of data, all of which could have potentially catastrophic effects on a business.

Insider breaches can take many forms. Over the years, the Software Engineering Institute’s CERT division has put together a library of incidents, a few of which are listed below:

  • A law enforcement professional stumbled upon a way to create fake driver’s licenses completely by accident.
  • A systems administrator who had been terminated was able to delete 18 months of cancer research because there were no access controls in place.
  • The submission of $20 million in false health insurance claims was enabled by a developer who discovered a lack of oversight for certain business practices.
  • A software project leader covered up an inability to meet deadlines by sabotaging a development project.
  • A currency trader made unauthorized source code changes to cover up nearly $700 million in losses over a five-year period.

Unfortunately, but not surprisingly, the list goes on and on.

Integrating a Broader Range of Systems

Given the seemingly endless possibilities of insider threats, how can enterprises effectively reduce their risk and protect themselves from these types of incidents? The challenge is further compounded by the faulty logic many enterprises use in viewing breaches as isolated incidents when, in truth, they are culminating events that follow a pattern of activity across multiple systems. The key to combating insider threats begins with expanding the data sources that are employed to detect threats from all of the networked systems within the enterprise.

Perhaps the most crucial of these additional data sources is the human resources database, which lists individuals’ job titles, roles and responsibilities, associated levels of access to data, and the results of any background checks. People who have access to data as part of their job may represent a higher risk, while lower-level employees who accidentally discover and access unprotected data might pose a much lower risk. For instance, the critical or sensitive data that can be accessed by employees who work in finance, engineering or IT has the potential to do more harm than the data most employees can access.

Other important information contained within the HR database are records of triggering events, which are those events that may serve as a precursor to an employee posing a higher level of risk. Examples include employees who have received negative feedback or a poor performance review; who scored poorly on a performance improvement plan; or who have been subjects of complaints or guilty of infractions. Other red flags HR records can track include changes in family status that could place additional hardships – financial and otherwise – on individuals.

Identifying those employees who may pose a threat requires the widest possible perspective. Enterprises must employ procedures and mechanisms to correlate HR information with other enterprise systems, including those that monitor access to physical facilities and logical assets. That way, if a “9-to-5” employee attempts to enter a facility late at night or starts frequenting a building where he or she has no responsibilities, those patterns can be flagged. The PIAM solution can then automatically cross-reference those deviations with HR data to determine if the unusual behavior is the result of a job change or other non-threatening reason, or whether it may be indicative of a potential insider threat.

In addition to HR, data from access systems must also be correlated with calendaring systems. If an entire team or department comes in at an unusual time, they may be preparing for a business trip, an upcoming conference or a teleconference with a client in Japan – all of which are perfectly acceptable and would be contained in the calendar system. But a single employee doing this would be much more suspicious and would warrant a closer look.

Companies can also use IT logging systems to identify unusual equipment usage patterns, such as employees using photocopiers, printers or USB drives more frequently than in the past, or using external data-sharing sites. All of these may indicate an unauthorized collection of information in an effort to misappropriate data.

Today, the focus of security is undergoing a significant shift, evolving from risk management to providing demonstrable value to an organization. No longer are security professionals risk mitigators alone. Rather, they are increasingly becoming key players in overall business strategies.

For every business unit, the reality is that having to explain what went wrong and how it happened is much more costly than allocating funds to preventing incidents before they occur. Yet most organizations focus solely on the cyber component with no real understanding of the broader function of identity management.

High-security organizations spend a fortune each year on ensuring both physical and digital security through the use of access systems, security operations centers, alarm management, and surveillance and other security monitoring, as well as a large team of security personnel. While most of that spending is on reactive real-time systems, real-time monitoring can only have a positive impact if it enables sufficiently rapid detection, analysis and dispatch to stop incidents. Unfortunately, the response window in which real-time monitoring can prevent loss is rather small, measured in minutes, if not seconds. This makes spending on monitoring systems inefficient, and the cost of improving these real-time solutions often exceeds the cost associated with the threat itself. As a result, organizations that allocate extensive security resources to monitoring physical and cyber systems often fail to prevent crimes from occurring.

The focus must shift to prevention. It is also necessary to look at cybersecurity programs as a component of broader identity management for both logical and physical access.

Even the most robust cybersecurity program will not be completely effective without fully understanding the identity types within an organization and applying the concept of trust. PIAM solutions with predictive analysis capabilities allow organizations to gather data from a wide variety of IT, physical security and other systems. This data can then be cross-correlated to generate intelligence and detect anomalies associated with individual identities, which may indicate an insider threat. Shifting the focus to prevention enables security and management to stop threats before an incident occurs.

Don Campbell ( is director of product management for Quantum Secure (