Using Existing Data to Detect Anomalous Behavior

Implementing a full insider threat program can be expensive. Small, mid-size and even large organizations struggle to find the budget, but are keenly aware that they are at risk. The good news is that most organizations have deployed an access control system and often an identity management system to control access throughout a facility, campus or enterprise environment, ensuring employees only have the access they need to perform their jobs. These systems typically collect large amounts of employee and contractor access data. While the amount of data collected is often overwhelming and difficult to productively manage, it can be extremely useful, especially when trying to identify potential risks.

How can a company identify who its riskiest employees are, using the data it already collects, without investing a lot of money? Companies can invest in analytics. Using the data collected from access control and other systems, an analytics system tracks an employee's access history and behavior patterns. People are creatures of habit and have daily work routines based on where they enter a building, which elevator they use, the location of their office or desk, and so on. Over time, employees establish their work patterns, and the business intelligence system learns which doors they go through and when. It understands their behavior.

How does it work? A risk score is assigned to every access reader based on its location. Entering a cafeteria during work hours generates a low risk score because there is nothing critical to protect. The risk score for entering a bank vault, hospital pharmacy or data center is high because those areas contain money, pharmaceuticals, critical technologies or data. By understanding an employee's habits and applying scores to the readers throughout a facility, an overall risk score is established for each employee. Baseline scores represent normal behavior. However, if someone tries to enter a facility at 2 am on a Sunday morning, outside of normal business hours, that behavior raises the score. If someone repeatedly tries to access areas where they are not allowed, their risk score also rises. When a person's risk score has risen above what is considered normal, an alert in the analytics system's dashboard notifies the security manager or chief security officer. The security manager can then review that employee's behavior and decide whether the suspicious behavior is a harmless anomaly or requires further action. Maybe the employee was working late on a project and needed to get into another department that he didn't have after-hours access to. Or maybe the employee is hunting for data to share with a competitor.

A business intelligence system flags possible early warning signs and alerts the security manager to keep a closer watch on the situation. Having insight early can prevent a possible breach or catastrophic event, because you can start to watch the behavior more closely. It also provides just cause to investigate the situation and confront the employee. It is simply not possible to manually review each employee's access history to determine whether they are acting in a suspicious manner. Obtaining this level of insight from your access data is only possible using analytics. Analytics also helps with the reactive side of a security program: it looks at where employees are seeking access and whether they are doing anything abnormal, so that security managers can respond accordingly. Good security programs need both proactive and reactive technologies to be successful. A business intelligence system detects suspicious behavior, whether accidental or intentional, and identifies an organization's riskiest people via a risk score. The risk score saves time and effort by prioritizing the riskiest users and eliminates the need to sort through thousands of alerts from an access control system, simplifying the investigation process and saving money.
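The scoring scheme described above, as an added example that is not part of the original article and not any vendor's product: each reader carries a location risk score, an employee's baseline is learned from the readers they normally badge through during business hours, and the events that deviate from that baseline (an unfamiliar reader, an off-hours entry, a denied attempt) add to the employee's score until it crosses an alert threshold. Reader names, weights, the business-hours window, the threshold and the log lines are all constructed for illustration; a real deployment would tune them per site.

```python
"""Risk-scoring pass over physical access-control events (added example).

Assumptions (constructed, not from the article): event lines have the form
"<ISO timestamp>,<badge id>,<reader name>,<GRANTED|DENIED>"; business hours
are Monday to Friday, 07:00-18:59; reader risk scores and penalty weights
are illustrative values.
"""
from collections import defaultdict
from datetime import datetime

# Constructed per-reader risk scores: cafeteria low, data center high.
READER_RISK = {
    "lobby-turnstile": 1,
    "cafeteria-door": 1,
    "finance-suite": 5,
    "data-center": 10,
}
UNKNOWN_READER_RISK = 5          # assumed mid-range value for readers not listed
BUSINESS_HOURS = range(7, 19)    # assumed 07:00-18:59, Monday to Friday

# Constructed history window: normal weekday activity used to learn baselines.
HISTORY = [
    "2024-03-04T08:02:00,emp-0042,lobby-turnstile,GRANTED",
    "2024-03-04T12:10:00,emp-0042,cafeteria-door,GRANTED",
    "2024-03-05T08:05:00,emp-0042,lobby-turnstile,GRANTED",
    "2024-03-04T07:55:00,emp-0107,lobby-turnstile,GRANTED",
    "2024-03-04T09:30:00,emp-0107,data-center,GRANTED",
    "2024-03-05T09:41:00,emp-0107,data-center,GRANTED",
]

# Constructed recent window: includes a Sunday 02:14 entry and repeated denials.
RECENT = [
    "2024-03-11T08:01:00,emp-0042,lobby-turnstile,GRANTED",
    "2024-03-11T12:05:00,emp-0042,cafeteria-door,GRANTED",
    "2024-03-10T02:14:00,emp-0042,lobby-turnstile,GRANTED",
    "2024-03-10T02:20:00,emp-0042,data-center,DENIED",
    "2024-03-10T02:22:00,emp-0042,data-center,DENIED",
    "2024-03-11T09:12:00,emp-0107,data-center,GRANTED",
    "2024-03-11T18:40:00,emp-0107,finance-suite,DENIED",
]


def parse_event(line):
    """Split one constructed log line into (timestamp, badge, reader, result)."""
    ts, badge, reader, result = line.strip().split(",")
    return datetime.fromisoformat(ts), badge, reader, result


def is_off_hours(ts):
    """True on weekends or outside the assumed business-hours window."""
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS


def learn_baseline(history_lines):
    """Per badge, the set of readers used successfully during business hours."""
    baseline = defaultdict(set)
    for line in history_lines:
        ts, badge, reader, result = parse_event(line)
        if result == "GRANTED" and not is_off_hours(ts):
            baseline[badge].add(reader)
    return dict(baseline)


def score_events(recent_lines, baseline, off_hours_mult=3, unfamiliar_mult=2,
                 denied_penalty=4):
    """Accumulate deviation points per badge; in-baseline, in-hours, granted
    events contribute 0 so an employee's normal routine does not raise the score.
    Returns (scores, reasons) where reasons explains each scored event."""
    scores = defaultdict(int)
    reasons = defaultdict(list)
    for line in recent_lines:
        ts, badge, reader, result = parse_event(line)
        risk = READER_RISK.get(reader, UNKNOWN_READER_RISK)
        points = 0
        if reader not in baseline.get(badge, set()):
            points += risk * unfamiliar_mult      # reader this person does not normally use
        if is_off_hours(ts):
            points += risk * off_hours_mult       # e.g. 2 am on a Sunday
        if result == "DENIED":
            points += denied_penalty              # repeated denials keep adding up
        scores[badge] += points
        if points:
            reasons[badge].append(f"{ts:%a %Y-%m-%d %H:%M} {reader} {result}: +{points}")
    return dict(scores), dict(reasons)


def rank_and_alert(scores, threshold=20):
    """Order badges by score (highest first) and list those over the threshold."""
    ranked = sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))
    alerts = [badge for badge, score in ranked if score >= threshold]
    return ranked, alerts


if __name__ == "__main__":
    base = learn_baseline(HISTORY)
    scores, reasons = score_events(RECENT, base)
    ranked, alerts = rank_and_alert(scores)
    for badge, score in ranked:
        flag = "ALERT" if badge in alerts else "ok"
        print(f"{badge}: {score} ({flag})")
        for why in reasons.get(badge, []):
            print("   ", why)
```

With these constructed inputs, emp-0042's Sunday-morning entry and two denied data-center attempts total 111 points and trip the alert, while emp-0107's single in-hours denial at an unfamiliar finance door scores 14 and is simply ranked below it. The `reasons` list is what a security manager would review to decide whether the spike is an employee working late or something that needs follow-up.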