NETWORKING SECURITY - pdf.101com.com/SP/2015/NCS_AUG15_SUP.pdf


August 2015 | www.security-today.com

NETWORKING SECURITY

PRIVILEGED IDENTITIES
Learning what is at the core of online attacks

NS10

NO PROTECTION FROM BAD DATA

Beware what the experts claim as noise and a security signal

NS12

BREACHING THE NETWORK
All businesses are at risk of a cyberattack

NS6

A Special Section to Security Products


EDITORIAL STAFF: Editor-in-Chief/Associate Publisher Ralph C. Jensen; Senior Editor Lindsay Page; E-news Editor Brent Dirks

ART STAFF: Art Director Dale Chinn

PRODUCTION STAFF: Director, Print and Online Production David Seymour; Production Coordinator Teresa Antonio

EDITORIAL ADVISORY BOARD: Steve Collen, Cisco Physical Security, San Jose, Calif.; Charlie Howell, Division 28 Consulting, San Antonio, Texas; Jeff Lemoine, General Mills, Minneapolis, Minn.; Fredrik Nilsson, Axis Communications, Chelmsford, Mass.; Dick O’Leary, EMC, Hopkinton, Mass.

SALES: Sam Baird +44 1883 715 697; Randy Easton 904-261-5584; Brian Rendine 972-687-6761

SECURITY, SAFETY, AND HEALTH GROUP: President & Group Publisher Kevin O’Grady; Group Circulation Director Margaret Perry; Group Marketing Director Susan May; Group Website Manager Scott Newhouse; Group Webinar Administrator Tammy Renne; Group Social Media Editor Ginger Hill

Chief Executive Officer Rajeev Kapur

Senior Vice President & Chief Financial Officer Richard Vitale

Chief Operating Officer Henry Allain

Executive Vice President Michael J. Valenti

Vice President, Information Technology & Application Development Erik A. Lindgren

Chairman of the Board Jeffrey S. Klein

REACHING THE STAFF Staff may be reached via email, telephone, fax or mail. A list of editors and contact information also is available online at www.security-today.com.E-mail: To e-mail any member of the staff, please use the following form: [email protected]

Dallas Office (weekdays, 8:30 a.m. – 5:30 p.m. CT) Telephone (972) 687-6700; Fax (972) 687-6799 14901 Quorum Dr., Suite 425, Dallas, TX 75254

Corporate Office (weekdays, 8:30 a.m. – 5:30 p.m. PT) Telephone (818) 814-5200; Fax (818) 734-1522 9201 Oakdale Avenue, Suite 101, Chatsworth, CA 91311

© Copyright 2015, all rights reserved. Networking Security is a supplement to Security Products, an 1105 Media Inc. publication, and is published four times a year: February, May, August, and November. The information in this magazine has not undergone any formal testing by 1105 Media Inc. and is distributed without any warranty expressed or implied. Implementation or use of any information contained herein is the reader’s sole responsibility. While the information has been reviewed for accuracy, there is no guarantee that the same or similar results may be achieved in all environments. Technical inaccuracies may result from printing errors and/or new developments in the industry.

Networking Security welcomes vendor information and briefings. To arrange a briefing, please contact our editor-in-chief, Ralph C. Jensen, via email at [email protected]. Our agreement to accept or review product material or backgrounders is not a guarantee of publication.

www.security-today.com August 2015 | Volume 9, No. 3

NS2 0815 | NETWORKING SECURITY

NETWORKING SECURITY: Where IT Security and Physical Security Converge

Features

NS6 Cyber Security: BREACHING THE NETWORK. All businesses are at risk of a cyberattack. By Lee A. Pernice

NS10 Cyber Attacks: PRIVILEGED IDENTITIES. Learning what is at the core of online attacks. By Philip Lieberman

NS12 Big Data: NO PROTECTION FROM BAD DATA. Beware what the experts claim as noise and a security signal. By Jonathan Sander

Departments

NS4 Enter, by Ralph C. Jensen: Everyone is at Risk

NS14 Exit, by Mitchell Kane: Access Control in the Midst of an IP Revolution


Surveillance - Audio - Accessories

Contact us at: [email protected] • Toll Free: 1-800-645-5516 • specotech.com

SEE COLOR IN LOW LIGHT IN FULL HD 1080p WITHOUT IRs

Intensifier IP®

Provides crisp, detailed images in full HD resolution. With Intensifier IP® technology, customers do not have to worry about losing the visibility of images in various lighting conditions.

» Supports Full HD resolution @ 30fps

» Built-in standard PoE (IEEE 802.3af)

» No problems caused by objects that reflect or absorb IR light sources

» Presets for different scenarios: Indoor, Outdoor, Elevator, Lobby, Hallway & Low Light

» Wide dynamic range (WDR) operation

» Supports H.264 and MJPEG codecs

» 2-way audio communication

» Sensor input and relay output

» IP66 compliant (outdoor models)

O2iB3M, O2iMD1, O2iD4M, O2iMT61

Works seamlessly with our Free SecureGuard™ Plus Video Management Software & our NS NVRs.

Go to http://sp.hotims.com and enter 205 for product information.


ENTER
By Ralph C. Jensen


Technology is amazing stuff. However, one of the greatest threats that today’s businessman or woman faces is a cyberattack. Just count the number of breaches in the last couple of years; you know what I mean.

Some of the recent breaches include JP Morgan Chase, Sony, UPS and my favorite, PF Chang’s. The list of breaches is quite extensive, and to that end, some companies are creating a separate network for physical security applications.

I think you will enjoy our cover story from Lee A. Pernice. She knows a lot about networking and security, and she will tell you that a physical security-only network is typically used for intrusion detection, video, access control and related infrastructure.

When you dive into this story, Pernice will give you the benefits of a dedicated security-only network, plus who should consider such a network, and selecting a third-party provider. Once you have made that decision, she will guide you through the steps to consider when designing such a network, and finish up with a case study implemented by Protection 1.

Another contribution comes from Philip Lieberman, president of Lieberman Software, who writes about privileged identities and learning what is at the core of an online attack. A question posed in his story: “has it reached the point where no system is ever fully protected from hackers?”

Lieberman says IT managers should anticipate that their systems will be breached, and sensitive data could be stolen or made public. The real question then is how do you minimize the damage of a cyberattack? Also realize today’s cyber hacker is not naïve and can exploit the network because every account on that network has some level of privilege associated with it.

Want to learn some amazing things about cyber security? It’s all here in these few pages, and adhering to the messages could save you time and business resources in the very near future.

EVERYONE IS AT RISK


Go to sp.hotims.com and enter 202 for product information.


1.877.213.1222 • samsung-security.com

introducing

is about to change everything

A breakthrough in price and quality

Go to http://sp.hotims.com and enter 203 for product information


CYBER SECURITY


BREACHING THE NETWORK
All businesses are at risk of a cyberattack
By Lee A. Pernice

Cyberattacks are one of the greatest threats facing global businesses today. Hardly a day goes by without a report of another company suffering at the hands of hackers who breached its network and stole sensitive customer or personal data. According to the Identity Theft Resource Center (ITRC), there were 783 known data breaches in 2014, an increase of more than 27 percent over 2013. Furthermore, the FBI estimates that more than 1,000 retailers may be under assault from the same or similar malware that attacked Target and The Home Depot in 2013 and 2014.

Retailers are not the only sector at risk of data breaches and cyberattacks. The risk is real for all types of public and private organizations. As reported in a recent Forbes article, some of the more recent companies and organizations to feel the pain from these breaches include Neiman Marcus, White Lodging Hotel Management, Affinity Gaming, Community Health Systems, UPS, PF Chang’s, JP Morgan Chase, Sony and even the citizens of New York City, to name just a few on an extensive list, proving that these criminals have a wide and non-discriminating reach.

To emphasize just how serious the threat of cyberattacks is becoming, the White House issued an executive order that urges companies to share cybersecurity threat information with one another and with the government. Industry trade associations are also joining the fight against cyber crime, with the Retail Industry Leaders Association (RILA) Board of Directors recently

arda savasciogullari/Shutterstock.com


www.quantumsecure.com | [email protected]

Go to http://sp.hotims.com and enter 204 for product information


approving a comprehensive, collaborative and sustainable plan to address the challenges, which includes enhancing existing cybersecurity and privacy efforts as well as informing the general public through increased dialogue in order to build and maintain consumer trust.

Emerging Trends
In response to the threats presented by cyber criminals, many organizations are physically separating their IT infrastructure into networks based on primary usage, to limit exposure.

A prime example is creating a separate network to run physical security applications, apart from the network used for other critical business processes. A physical security-only network is typically used to host the company’s security devices such as intrusion detection, video, access control devices and related infrastructure.

Benefits
The benefits of a dedicated security-only network are multi-faceted. Not only does the security-only network deliver a higher level of protection, it also offers faster speeds, more bandwidth and easier access to the network for loss prevention and security teams without impacting business-critical systems. Deploying a standardized implementation across multiple locations can also be a lower-cost alternative to traditional networks.

Further benefits of a security-only network include nearly unlimited access to the system for applications such as remote monitoring of video or conducting remote investigations, allowing investigators immediate access to video and supporting data. This reduces not only travel time and associated expenses but also the time it takes to conduct the investigations.

When the security-only network is monitored by a certified third-party provider, added benefits include advance alerts of potential system failure or attempted breach of the network. The monitoring company can also ensure that the network’s security updates and anti-virus software are kept current at all times.

Who Should Consider a Security-Only Network?
Any type of organization that is looking to provide a safer and more secure physical environment for its employees, guests and assets, while maintaining a higher level of security for its business-critical operations, is a candidate for a dedicated security-only network.

When determining if this type of network is a viable option, it is important to include the company’s internal IT resources in the evaluation and assessment of needs and requirements, including security.

Selecting a Third-Party Provider
When considering a third-party provider for security-only networks, traditional IT companies that design and implement standard networks may not be your best option. Selecting a company that has the proper certifications for designing networks, as well as deep industry knowledge of the security devices running on the network and how they need to work together, will greatly improve the end result.

Certifications such as Cisco Cloud and Managed Services Express Partner Certification, Meraki Certified, SonicWall Certified and security-product-specific certifications help ensure successful system integration. Cisco Cloud and Managed Services Express Partner certification recognizes companies that have attained expertise in planning, designing, implementing and supporting cloud or managed services based on Cisco platforms.

Steps to Consider When Designing a Security-Only Network
One of the first steps is to identify the circuit requirements for the security-only network. Understanding what type of applications are going to be running on the network, and how much bandwidth and speed is necessary to support them, is key. Security-only networks are often based on commodity broadband, so it is important to ensure that the carrier can deliver reliable service and speed at any given location.

It can be a challenging task to determine which carrier provides the best and most cost-effective solution. Your third-party provider can help identify the best solution among the available options in your area, as well as procure and provision the circuit for optimum throughput.

Once adequate circuit bandwidth has been determined, additional considerations that must be designed into the system include remote (VPN) access and appropriate security measures and rules. At a minimum there should be a strict password policy covering both the lifetime of a password and the re-use of past passwords. Ideally a consolidated identity system should be established to ensure continuous monitoring of access, with biometric or other proven security solutions as part of any access to the network.

If any part of the network is wireless-enabled, appropriate security for network access and ongoing traffic monitoring are essential. If wireless is not part of the design, monitor to make sure that no additional devices with wireless capability are installed on the network.

Firewall design is essential. With the advent of IPv6 and its inclusion in networks, there is potential for a security breach when filtering and monitoring tools configured only for IPv4 are faced with IPv6 traffic: rules written for a host’s IPv4 address say nothing about the same host’s IPv6 address, so IPv6 traffic can pass unfiltered unless the policy covers both address families.

Continuous monitoring for abnormal network traffic, behavior or attempted unauthorized access is required, and when such activity is discovered, rules for appropriate notification and/or lockout must be determined and enforced.
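The IPv6 gap described under firewall design, as an added example that is not part of the article or of Protection 1’s services: a toy packet-filter model in which, as with iptables and ip6tables, each address family has its own rule table and its own default policy. All addresses, the video server (VMS), the security VLAN and the flows are constructed for the illustration; 2001:db8::/32 is the documentation prefix.

```python
"""Added example, not from the article or from Protection 1: an
IPv4-only ruleset beside a dual-stack ruleset, run against the same
constructed flows, showing that IPv6 traffic to the security network
is unfiltered when only the IPv4 table was written.
"""
import ipaddress
from typing import Dict, List, Optional


class Rule:
    def __init__(self, src: str, dst: str, dport: Optional[int], action: str):
        self.src = ipaddress.ip_network(src, strict=False)
        self.dst = ipaddress.ip_network(dst, strict=False)
        self.dport = dport          # None matches any destination port
        self.action = action        # "accept" or "drop"

    def matches(self, src, dst, dport: int) -> bool:
        return src in self.src and dst in self.dst and \
            (self.dport is None or self.dport == dport)


class RuleTable:
    """Ordered rules plus a default policy for one address family."""

    def __init__(self, default: str, rules: Optional[List[Rule]] = None):
        self.default = default
        self.rules = rules or []

    def decide(self, src, dst, dport: int) -> str:
        for rule in self.rules:       # first match wins
            if rule.matches(src, dst, dport):
                return rule.action
        return self.default


class Firewall:
    def __init__(self, v4: RuleTable, v6: RuleTable):
        self.tables = {4: v4, 6: v6}

    def evaluate(self, flow: Dict) -> str:
        src = ipaddress.ip_address(flow["src"])
        dst = ipaddress.ip_address(flow["dst"])
        # The packet's own family selects the table: nothing in the v4
        # table is ever consulted for an IPv6 packet, and vice versa.
        return self.tables[src.version].decide(src, dst, flow["dport"])


# Constructed addressing: the video server and the security VLAN.
VMS_V4, VMS_V6 = "10.20.0.5/32", "2001:db8:20::5/128"
SECNET_V4, SECNET_V6 = "10.20.0.0/24", "2001:db8:20::/64"


def ipv4_only_policy() -> Firewall:
    """The gap: IPv4 is locked down, IPv6 was never configured and
    keeps the permissive default."""
    v4 = RuleTable("drop", [Rule(SECNET_V4, VMS_V4, 554, "accept")])
    v6 = RuleTable("accept")          # empty table, accept by default
    return Firewall(v4, v6)


def dual_stack_policy() -> Firewall:
    """Hardened: both families default-deny with explicit allows."""
    v4 = RuleTable("drop", [Rule(SECNET_V4, VMS_V4, 554, "accept")])
    v6 = RuleTable("drop", [Rule(SECNET_V6, VMS_V6, 554, "accept")])
    return Firewall(v4, v6)


# Constructed flows: RTSP (port 554) to the VMS from a camera on the
# security VLAN and from a corporate workstation that must never reach it.
FLOWS = {
    "camera_v4_to_vms": {"src": "10.20.0.15", "dst": "10.20.0.5", "dport": 554},
    "corp_v4_to_vms": {"src": "10.10.0.44", "dst": "10.20.0.5", "dport": 554},
    "camera_v6_to_vms": {"src": "2001:db8:20::15", "dst": "2001:db8:20::5", "dport": 554},
    "corp_v6_to_vms": {"src": "2001:db8:10::44", "dst": "2001:db8:20::5", "dport": 554},
}


def audit(fw: Firewall) -> Dict[str, str]:
    """Run every constructed flow through the firewall model."""
    return {name: fw.evaluate(flow) for name, flow in FLOWS.items()}


if __name__ == "__main__":
    for label, fw in (("ipv4-only", ipv4_only_policy()), ("dual-stack", dual_stack_policy())):
        print(label, audit(fw))
```

Under the IPv4-only policy the corporate workstation’s IPv6 flow to the VMS is accepted, because the only table that sees it has no rules and a permissive default; the dual-stack policy drops it while still admitting the camera on either family. The same check applies to monitoring: a sensor that parses only IPv4 headers is blind to the flow the firewall let through.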

Protection 1’s Solution
Protection 1 operates a Network Operations Center (NOC) as part of its Integrated Solutions Group. The center employs a team of Cisco Certified, Meraki Certified and SonicWall Certified professionals. This team also holds the Cisco Cloud and Managed Services Express Partner certification, making Protection 1 the only security system integrator to hold this designation.

The NOC is primarily focused on providing real-time monitoring of IT-sensitive systems, including up/down status and network performance metrics. In addition to monitoring systems for performance and potential problems, the NOC also designs, installs and commissions LAN/WAN networks for companies that either do not have the internal resources to accomplish this in-house or want a dedicated security-only network. The addition of the Cisco Cloud and Managed Services Express Partner


WWW.SECURITY-TODAY.COM NS9

Certification introduces a new level of capabilities and expertise to the NOC in this growing outsourced services market.

“Protection 1’s ongoing investment in technology and the skillsets of our team members give us the ability to deliver more than just security integration to our customers,” said Christopher BenVau, senior vice president of Enterprise Solutions for Protection 1. “We are seeing more of our customers implementing networks that are separate from their customer data and POS networks to ensure a higher level of security due to recent data breaches. This trend makes the services provided by the Network Operations Center even more important as our customers’ needs evolve.”

The NOC team can design and deploy a company’s network, implement and manage broadband connections, and design and implement VoIP systems. The Network Operation Monitoring Center can notify a customer that an IP camera is out before the customer realizes it. With the large storage arrays in use today, one unnoticed failed hard drive could bring down an entire system, potentially destroying all archived video. The NOC can monitor the health of hard drives as well and immediately notify the customer of a failed drive, while scheduling a service call to remedy the situation and minimize loss. Cloud-based services managed from the NOC include a web-based dashboard that allows management and reporting of all IT environments, including networks, security and IP telephony, along with cloud backup and disaster recovery services.

The growing threat of cyber crime and the high cost of remediating the aftermath of an attack, both in hard dollars and in damage to brand reputation and customer trust, can be devastating to an organization.

New and innovative approaches to elevating the protection of sensitive data have never been more pressing. Whether organizations choose to implement changes to their networks internally or through a third-party partner, making them more secure is a process worth serious consideration.

The cost of implementing a security-only network pales in comparison to the cost of an actual breach. If an organization has not yet considered implementing a higher level of security to protect its business and its customers, it is probably time to do so.

Cyber crime continues to escalate, and cyber criminals will continue to grow more sophisticated in their approach. Now is the time to ensure your business is protected.

Lee A. Pernice is a freelance writer with experience in the security and loss prevention industries.

Security-TodayAcademy.com

Get the CEU training you need from the convenience of your computer

Access over 125 courses, including:
• Alarm Industry Professional Development Series
• IP Video
• Structured Wiring and Termination Technician (SWATT)
• Access Control Specialist Level 1 (ACS)
• NICET Fire Alarm Preparatory Courses
• IP Networking for Security
• Troubleshooting Series
• Codes and Standards Series
• Wireless Technologies
• And more!


Go to sp.hotims.com and enter 207 for product information.


CYBER ATTACKS


PRIVILEGED IDENTITIES
Learning what is at the core of online attacks
By Philip Lieberman

Over the last year, we have witnessed a series of staggering data breaches affecting some of the world’s leading businesses, with each breach seemingly worse than the last in terms of financial and reputational damage.

Following intrusions into Target, JP Morgan, Sony Pictures and others, many people are asking “has it reached the point where no system is ever fully protected from hackers?”

The unfortunate answer to this question is that if an intruder wants into your network, they will get in, no matter how many perimeter defenses you build around your IT infrastructure. It is vital for IT departments to anticipate that their systems will be breached and that their most sensitive data could be stolen and made public.

GlebStock/Shutterstock.com


Therefore, the real question that corporate executives should be asking themselves is: what can be done to minimize the damage of a cyberattack on my organization?

The Keys to Your IT Kingdom: Privileged Identities
The lesson from the recent Sony Pictures hack is that organizations that do not have a security solution which can limit damage internally are taking remarkable risks and acting extraordinarily naive about the advanced capabilities of today’s cyber attackers.

That’s because one of the most common ways for cybercriminals to gain access to systems is through unsecured privileged accounts. Privileged accounts provide the access needed to view and extract critical data, alter system configuration settings, and run programs on just about every hardware and software asset in the enterprise.

Almost every account on the network has some level of privilege associated with it and can potentially be exploited by a hacker. For example, business applications and computer services store and use privileged identities to authenticate with databases, middleware and other application tiers when requesting sensitive information and computing resources.

In fact, there are so many privileged accounts in large enterprises that many organizations don’t even know where all of their privileged accounts reside, or who has access to them.

Unlike personal login credentials, privileged identities are not typically linked to any one individual; they are often shared among multiple IT administrators, with credentials that are rarely, if ever, changed.

The Privileged Account Attack Vector
Cyber attackers need privileged access to carry out their illicit plans, whether it’s to install malware or key loggers, steal or corrupt data, or disable hardware. That’s why privileged account credentials are in such high demand by hackers. In fact, research conducted by Mandiant revealed that 100 percent of the data breaches they investigated involved stolen credentials.

A destructive data breach can begin with the compromise of just one privileged account. Criminal hackers and malicious insiders can exploit an unsecured privileged account to gain the persistent administrative access they need to anonymously extract sensitive data.

As stated previously, if attackers want to get into your environment, they will, and there’s really no way to prevent it short of creating an “air gap” to isolate your most critical systems from the rest of your network. Conventional perimeter security tools that most organizations rely on, like firewalls, react too late to defend against new advanced persistent threats and zero-day attacks.

So, the issue is not whether attackers will penetrate your perimeter, but what will happen once they’re in. The first thing they will do is look for ways to expand their access. Usually remote access kits, rootkits and key loggers are installed. The intruder’s goal is to extract the credentials that will give them lateral movement throughout the network.

To accomplish this, attackers look for SSH keys, passwords, certificates, Kerberos tickets and the password hashes of domain administrators on compromised machines. Often, hackers will quietly monitor and record activity on the systems, and then use this information to expand their control of the IT environment.

This is the classic “land and expand” attack, and the entire activity can be completed in about 15 minutes. It doesn’t take long because most of these attacks use automated hacking tools.

Next Generation Adaptive Privilege Management
Given that your adversaries are using highly advanced automated tools to attack, shouldn’t you match their efforts with your own automated security solutions?

Adaptive privilege management is an automated cyber defense solution that proactively secures privileged accounts in response to a stimulus. For example, an organization’s logger, SIEM or trouble-ticket system reports an anomaly. The adaptive privilege management solution then uses that information to look up the address, say in LDAP or a configuration management database (CMDB), to determine what is being targeted.

If the organization under attack has a hundred sets of systems, the adaptive privilege management solution might have a hundred password change jobs in place to manage those credentials. Based on the outside stimulus, the solution can invoke the appropriate password change job, through PowerShell or a web service call, and begin immediate remediation.

Adaptive privilege management works in conjunction with detect-and-respond software to react to the notifications those products produce, and immediately change the credentials on systems under attack. Every time the intrusion detection system spots a new event, the credentials are changed again.

The goal is to block intruders by responding with new credentials as soon as any logins are compromised. Essentially, when hackers harvest a credential, the solution deploys new credentials, effectively minimizing lateral movement inside the environment, even in zero-day attack scenarios.

The basic idea is continuous detection and remediation. Adaptive privilege management automatically discovers privileged accounts throughout the enterprise, brings those accounts under management, and audits access to them.
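The alert-to-rotation loop described above, as an added example that is not part of the article or of Lieberman Software’s product: a SIEM alert names a host, a constructed CMDB maps the host to the system group whose privileged accounts it shares, and the group’s password change job replaces every shared credential and records the action. The CMDB, account names, alerts and in-memory vault are all constructed for the illustration.

```python
"""Added example, not from the article or from Lieberman Software: a
minimal model of adaptive privilege management in which each detection
event triggers the password change job for the affected system group,
so a credential harvested before the alert no longer works after it.
"""
import secrets
import string
from typing import Dict, List

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"

# Constructed CMDB: host -> system group. Hosts in a group share the
# same privileged credentials, which is why one compromised host
# endangers all of them.
CMDB = {
    "pos-store-101": "retail-pos",
    "pos-store-102": "retail-pos",
    "nvr-hq-01": "video-nvr",
    "dc01": "domain-controllers",
}

# One password change job per system group (the article's "a hundred
# password change jobs" for a hundred sets of systems).
PASSWORD_JOBS = {
    "retail-pos": ["retail-pos/local-admin", "retail-pos/svc-posdb"],
    "video-nvr": ["video-nvr/local-admin"],
    "domain-controllers": ["corp/domain-admin"],
}


class CredentialVault:
    """In-memory stand-in for a privileged credential store."""

    def __init__(self) -> None:
        self._secrets: Dict[str, str] = {}
        self.audit_log: List[Dict[str, str]] = []

    def get(self, account: str) -> str:
        return self._secrets[account]

    def check(self, account: str, candidate: str) -> bool:
        """Would this (possibly harvested) value still log in?"""
        return secrets.compare_digest(self._secrets[account], candidate)

    def rotate(self, account: str, reason: str) -> None:
        new = "".join(secrets.choice(ALPHABET) for _ in range(24))
        while new == self._secrets.get(account):   # never re-issue the same value
            new = "".join(secrets.choice(ALPHABET) for _ in range(24))
        self._secrets[account] = new
        self.audit_log.append({"account": account, "reason": reason})


class AdaptivePrivilegeManager:
    """Maps an alert to the affected system group and runs its change job."""

    def __init__(self, cmdb: Dict[str, str], jobs: Dict[str, List[str]],
                 vault: CredentialVault) -> None:
        self.cmdb, self.jobs, self.vault = cmdb, jobs, vault
        self.unmapped: List[str] = []   # hosts the CMDB does not know: a discovery gap

    def handle_alert(self, alert: Dict[str, str]) -> List[str]:
        """Rotate every credential in the host's job; return what was rotated."""
        host = alert["host"]
        group = self.cmdb.get(host)
        if group is None:
            self.unmapped.append(host)   # you cannot rotate what you have not found
            return []
        rotated = []
        for account in self.jobs[group]:
            self.vault.rotate(account, reason=f"{alert['rule']} on {host}")
            rotated.append(account)
        return rotated


# Constructed SIEM events: credential theft on a POS host, a second
# event on the same host a little later, and one for a host nobody
# has inventoried.
ALERTS = [
    {"rule": "lsass-memory-read", "host": "pos-store-101"},
    {"rule": "admin-logon-unusual-source", "host": "pos-store-101"},
    {"rule": "port-scan", "host": "unknown-host"},
]


def run_scenario() -> Dict[str, object]:
    vault = CredentialVault()
    for accounts in PASSWORD_JOBS.values():
        for account in accounts:
            vault.rotate(account, reason="initial provisioning")
    apm = AdaptivePrivilegeManager(CMDB, PASSWORD_JOBS, vault)

    harvested = vault.get("retail-pos/local-admin")   # what the intruder dumped
    rotated_first = apm.handle_alert(ALERTS[0])        # first stimulus: rotate the group
    apm.handle_alert(ALERTS[1])                        # new event: rotate again
    apm.handle_alert(ALERTS[2])                        # unmapped host: nothing to rotate

    rotations = sum(1 for e in vault.audit_log
                    if e["account"] == "retail-pos/local-admin"
                    and e["reason"] != "initial provisioning")
    return {
        "rotated_first": rotated_first,
        "harvested_still_valid": vault.check("retail-pos/local-admin", harvested),
        "rotations_for_local_admin": rotations,
        "unmapped_hosts": list(apm.unmapped),
    }


if __name__ == "__main__":
    print(run_scenario())
```

The unmapped host is the point the text makes about discovery: an alert on a host that is not in the CMDB, or whose shared accounts were never brought under management, triggers nothing, which is why inventory of privileged accounts comes before rotation.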

Remember, if you can’t find the privileged accounts on your network, you can’t secure them. But just because you may not know where all of your privileged accounts reside, that doesn’t mean the bad guys can’t locate these powerful accounts and leverage them to execute their cyberattacks.

The reality of today’s cyber security landscape is that attackers can breach your network regardless of your countermeasures. Fortunately, with adaptive privilege management you can remediate security threats faster than cyber attackers can exploit them.

Philip Lieberman is president of Lieberman Software.


BIG DATA


NO PROTECTION FROM BAD DATA
Beware what the experts claim as noise and a security signal
By Jonathan Sander

Walking the expo floor at the most recent RSA conference, it was hard to miss how many companies were talking about big data. Maybe they used the word analytics, or perhaps they called it machine learning. The claims were all similar. Give me your tired, your poor, your huddled masses of log and incident data that you’re yearning to make actionable, or something along those lines. They all wanted to sell us on the notion that big data can take operational noise and turn it into security signal.

Of course, the next line of the famous poem I misquote refers to “wretched refuse,” and that’s a pretty good description of most of the data people would feed into these systems. The belief that such systems can take refuse and spin it into gold is magical thinking. Big data, data science, machine learning and other novel approaches do have true promise for security leaders and practitioners looking for better results. There are ways to get better data to feed these new systems if you know where to look. When you combine good data and big data, you get results that can seem like magic without having to wear the funny hats.

The need for good data starts right at the beginning of the big data lifecycle. The real power of these analytics systems is in the models they build. A good model will allow you to go from a


reactive to a predictive approach to secu-rity incidents. It’s like having hindsight for the future—you’re always seeing the signs 20/20. But how can you tell if you’ve got a good model? The model needs to be tried out on a dataset you know a lot about.

This is the practice test where you have the answers and you want to see how well you may do on the real test later. Of course, a lot of the vendors have done the dirty work for you here. They have models that they feel should work well.

Best practice would be to take their model for a spin on your well known data and see what happens. Maybe the model needs some adjustments for the particular configuration of your IT infrastructure. People paying attention often get stuck right at this phase. Do you have a good backlog of data you could use to run tests like this? Are you archiving the critical logs and other data sources that these models would employ? Have you done the foren-sics to identify where the data you have cor-responded to breaches or incidents you’ve experienced so you know what the models ought to turn up? Too often the answers to these questions are no, no and no.

Let’s say you get to the stage where you have models that will work. The next challenge on the path to big data nirvana will be having these analytics cough up the answers to your burning questions. Here’s where another problem in the data often emerges. You’ve set up your shiny new data science driven machine, but suddenly you find the questions you’re being asked and the data you have don’t line up.

It’s often a level of abstraction mismatch. The executives ask questions about people, but your data is about machines and IP addresses. This can also affect your modeling. If you only have a hammer, you smash everything like a nail. Maybe you go find a bunch of data about people, but if you don’t adjust the models so that they treat people, machines, IP addresses and everything else like they ought to be treated and as if they are in the right relationships, then you’ve made the problem worse and not better. Often bad models with data at different levels of abstraction (e.g. a person and an IP) that fall into some correlation will start to crank out tons of bad conclusions when one thing does something normal for its level of abstraction (e.g. a person quits) that doesn’t have anything to do with the thing it fell into accidental correlation with.

An excellent example of good modeling for these disparate types of data in the security space is how Securonix has used peer grouping from Identity and Access Management (IAM) systems to enrich their data. Like many in the User Behavior Analytics (UBA) space, Securonix will look at lots of different data sources to get you the insight you want about what your users are up to. They could have been prone to the troubles of modeling with different layers of abstraction and correlating at the wrong levels, but seem to have gotten it right.

When they take in data about people and their organizational relationships from IAM systems, they use this to influence the outcomes not by directly correlating it with activity at the network and system layer, but rather by augmenting expectations of what is normal based on the peer group you may have. A peer group will be people in the same building, managers at the same level of the hierarchy, or employees with the same job role.

You would expect these people to have notably similar activity patterns, and you can use that to learn what they do and point out anomalies. That’s getting the analytics game right by pulling in the right data and using it well.
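The peer-group idea above, and the abstraction-mismatch warning before it, in working form. This is an added example, not Securonix or STEALTHbits code: the IAM feed, the per-user activity counts and the user names are all constructed, and "distinct file shares touched today" is an assumed metric. Person-level IAM data is joined to system-level activity only through the user key, and each user is scored against the other members of their own peer group; the same scoring run against everyone at once is included to show how a single baseline flags the wrong people.

```python
"""Peer-group baselining with IAM data, in the style the article describes for
UBA: each user's activity is judged against the peer group IAM places them in
(same job role here), instead of against everyone at once. Added example; the
IAM feed and activity counts are constructed, and the names are hypothetical."""
from collections import defaultdict
from statistics import median

MAD_TO_SIGMA = 1.4826   # rescales a median absolute deviation to a stdev-like unit
MIN_PEERS = 3           # a user needs at least this many peers to be scored

# Constructed IAM feed: user -> peer group (a job role). Person-level data.
IAM_PEER_GROUPS = {
    "alice": "accountant", "bob": "accountant", "carol": "accountant", "dave": "accountant",
    "erin": "sysadmin", "frank": "sysadmin", "grace": "sysadmin", "heidi": "sysadmin",
}

# Constructed system-layer activity: (user, distinct file shares touched today).
# The only join key to the IAM data is the user, never an IP or a host.
ACTIVITY = [
    ("alice", 4), ("bob", 5), ("carol", 3), ("dave", 41),
    ("erin", 38), ("frank", 42), ("grace", 40), ("heidi", 39),
]


def robust_z(value, peers):
    """How far `value` sits from its peers, in median/MAD units.

    Median and MAD are used instead of mean and stdev so that a single
    extreme peer does not drag the baseline toward itself.
    """
    med = median(peers)
    mad = median([abs(p - med) for p in peers])
    if mad == 0:
        # every peer is identical: any departure from them is as extreme as it gets
        return 0.0 if value == med else float("inf")
    return (value - med) / (MAD_TO_SIGMA * mad)


def peer_group_anomalies(iam_groups, activity, threshold=3.0):
    """Score each user against the other members of their IAM peer group.

    Returns (user, group, value, z) for every user at or beyond `threshold`.
    Users absent from IAM, and groups too small to baseline, are not scored.
    """
    by_group = defaultdict(list)
    for user, value in activity:
        group = iam_groups.get(user)
        if group is not None:
            by_group[group].append((user, value))

    flagged = []
    for group, members in by_group.items():
        if len(members) <= MIN_PEERS:      # each member needs MIN_PEERS others
            continue
        for user, value in members:
            peers = [v for u, v in members if u != user]   # leave-one-out
            z = robust_z(value, peers)
            if abs(z) >= threshold:
                flagged.append((user, group, value, round(z, 1)))
    return sorted(flagged)


def global_anomalies(activity, threshold=3.0):
    """The same scoring without IAM enrichment: one baseline for everybody."""
    flagged = []
    for user, value in activity:
        peers = [v for u, v in activity if u != user]
        z = robust_z(value, peers)
        if abs(z) >= threshold:
            flagged.append((user, value, round(z, 1)))
    return sorted(flagged)


if __name__ == "__main__":
    print("peer-group baseline:", peer_group_anomalies(IAM_PEER_GROUPS, ACTIVITY))
    print("single global baseline:", global_anomalies(ACTIVITY))
```

With the constructed data, the peer-group run flags only the accountant whose share access looks like a sysadmin's, while the single global baseline flags the three ordinary accountants as low outliers and misses that user entirely, which is the kind of wrong-level conclusion the article warns about.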

Sometimes you have to work with what you’ve got, and that means bad data will happen to you. Nothing serves as a better example for that than the notoriously poor quality logs on Microsoft platforms. Single events like a bad authentication appear as multiple entries in multiple events on multiple systems. Often, even if it’s possible to collect all the separate events, you find that key pieces of data like an IP address are missing, so correlating that event with other events from other sources is near impossible.

The default level of logging doesn’t offer enough detail for proper detection or forensics from a security perspective. Turning up the logging so that it becomes nominally useful for security means sacrificing a huge chunk of the system resources. To add insult to injury, collecting and parsing all these logs is immensely burdensome. If you’re a practitioner, then none of this is news to you. From the analytics perspective, these problems often hide behind the SIEM system. You don’t know you’re dealing with such low quality data until you start using it via the SIEM and getting poor results.
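What the scatter of Windows records described above looks like when you try to stitch it back together on the SIEM side. This is an added example, not STEALTHbits code. Event IDs 4625 (logon failure), 4771 (Kerberos pre-authentication failure) and 4776 (NTLM credential validation) are the standard Windows Security log IDs; the records, host names, user names and addresses are constructed. The code groups the per-user records that land within a few seconds of each other into one attempt, takes the client IP from whichever record carries one, and keeps rather than drops the attempts where no record has an address, marking them so they can be enriched from another source.

```python
"""Reassembling one failed authentication from the several Windows Security
records it leaves on several systems, and filling in the client IP that some of
those records lack. Added example; the records, hosts and addresses are
constructed, the event IDs are the standard Windows ones."""
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=5)   # records of one attempt arrive within this span

# Constructed records, as a SIEM might hold them after collection.
RAW_EVENTS = [
    {"ts": "2015-07-06T09:42:01", "host": "DC01", "id": 4771, "user": "jsmith", "ip": "10.1.2.3"},
    {"ts": "2015-07-06T09:42:01", "host": "FS01", "id": 4625, "user": "jsmith", "ip": "-"},
    {"ts": "2015-07-06T09:42:02", "host": "DC02", "id": 4776, "user": "jsmith"},
    # second attempt: no record carries the client address at all
    {"ts": "2015-07-06T09:50:10", "host": "FS01", "id": 4625, "user": "mlee", "ip": "-"},
    {"ts": "2015-07-06T09:50:11", "host": "DC01", "id": 4776, "user": "mlee"},
    # a later attempt by the first user, outside the window of the first one
    {"ts": "2015-07-06T10:15:00", "host": "DC01", "id": 4771, "user": "jsmith", "ip": "10.1.2.3"},
]


def clean_ip(ip):
    """Windows writes '-' or nothing where it has no address; treat both as absent."""
    return None if ip in (None, "", "-") else ip


def correlate_failed_logons(events, window=WINDOW):
    """Merge per-user records that fall within `window` of each other into one attempt.

    The first record in an attempt that carries an address supplies the IP for
    the whole attempt; an attempt where no record has one is kept, not dropped,
    and marked ip_resolved=False so it can be enriched from another source.
    """
    parsed = sorted(
        (dict(e, ts=datetime.fromisoformat(e["ts"]), ip=clean_ip(e.get("ip"))) for e in events),
        key=lambda e: (e["user"], e["ts"]),
    )
    attempts = []
    current = None
    for e in parsed:
        same_attempt = (
            current is not None
            and e["user"] == current["user"]
            and e["ts"] - current["last"] <= window
        )
        if same_attempt:
            current["last"] = e["ts"]
            current["hosts"].append(e["host"])
            current["event_ids"].append(e["id"])
            current["ip"] = current["ip"] or e["ip"]     # first address seen wins
        else:
            current = {"user": e["user"], "first": e["ts"], "last": e["ts"],
                       "hosts": [e["host"]], "event_ids": [e["id"]], "ip": e["ip"]}
            attempts.append(current)
    for a in attempts:
        a["first"], a["last"] = a["first"].isoformat(), a["last"].isoformat()
        a["ip_resolved"] = a["ip"] is not None
    return attempts


if __name__ == "__main__":
    for attempt in correlate_failed_logons(RAW_EVENTS):
        print(attempt)
```

Six raw records become three attempts. The first user's attempt gets its address from the domain controller's Kerberos record even though the file server and the second DC recorded none; the second user's attempt comes out with `ip_resolved` false, which is the honest result when, as the article says, no native record carries the piece you need.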

This is where you will likely need to look to other sources for good data if you want the quest for big data analytics to have a happy ending. The STEALTHbits StealthINTERCEPT platform is able to get all the security data you want from these Microsoft platforms and overcome these native logging issues. You can plug it into the SIEM, feed directly from StealthINTERCEPT itself, or even plug it into something else that can consume our SYSLOG output. This means adding another layer to your infrastructure, but the result is a high quality, real time stream of security events from your Microsoft systems. I’m picking on Microsoft, but it’s not like they’re the only one guilty of having bad logging. Luckily for many of these problem children you’ll find other solutions like ours that will help fill the gaps and get you the good data you want.

Moving from reactive controls to predictive controls has been a goal on the horizon for security organizations for a long time. Solid models powered by sound data science that processes the huge well of big data can finally make security predictive. That’s assuming they’re fed by streams of good data. If the stream of data is polluted, then all that water in the big data well isn’t worth the trouble to drink. You’re going to need good data to get these systems going, which means discipline and practices around retention you may need to improve.

You will have to be sure you’re getting all the right data from the right level sources and putting them in just the right relationships in your models so they produce useful results even as the real world changes around them. Sometimes you’re going to need to make tough choices to invest in better data sources or deal with lower quality results. But if you can get the data right, then big data will do right by you.

Jonathan Sander is the strategy and research officer for STEALTHbits Technologies.


EXIT


ACCESS CONTROL IN THE MIDST OF AN IP REVOLUTION By Mitchell Kane

Given the prevalence of IP-enabled devices in video surveillance today, it is reasonable to surmise the adoption of network technology will follow a similar path in access control. However, the pace of innovation in the access control market tends to be much slower than the rest of the physical security industry. Access control systems—including panels, software, readers and other peripheral devices—can be highly proprietary and embedded within the organizations they serve, which may make it difficult to integrate with other systems.

The demand for IP-centric access control systems and a trend toward more ‘open’ solutions are having a distinct effect on the market. End users now realize the tremendous cost savings by implementing an IP-based access control system in which devices, such as door sensors and card/badge readers, connect directly to the network and work well with other systems.

One of the biggest reasons why more users are making the transition to IP is because of advancements in locking technology, specifically with online and wireless locks. Online locks provide end users with various types of advanced functionality, such as remote system management and administration, and automatic alerts following alarm events. With access points becoming another piece of data to be analyzed in the evolving ‘Internet of Things’ technology landscape, the benefits of online locks are significant. Locks can be either wired or wireless depending on the need of the application or the user, increasing flexibility and return-on-investment (ROI). In places where running wire may be cost-prohibitive or where time is a crucial factor, wireless locks are a great alternative.

In addition to the evolution in technologies, however, there are also significant changes in the industry overall. IT departments are increasingly being tasked with making decisions about the security technology solutions being purchased, as well as how these devices will be implemented throughout the organization. According to a recent report from IHS, IT integrators and IT departments will play an increasingly large role in physical security deployments. And since access control can help flag anomalies in behavior, it too will be a critical component for helping IT departments protect physical and digital assets.

IT will continue to drive the industry towards tighter integrations between access control and other systems on the network. This applies not only to other security systems, but to building management systems and human resources software platforms, for example. Access control vendors will need to embrace open standards and ideas to ensure long-term scalability.

What if you could take an access control database and integrate it with other open software solutions, such as an event management system, so that users could not only use it for ingress and egress within a facility but also reserve a conference room for a designated time slot? That and other types of advanced capabilities are achievable today for those willing to think outside the box.

The access control market is becoming, and will continue to become, more IP-based in the years to come. As businesses look to adapt their access control solutions to fit this, they will look closely at these new developments so as not to be left behind.

Mitchell Kane is the president of Vanderbilt.

Ad Index

Advertiser                  Circle #   Page   URL
Speco Technologies          205        NS3    www.specotech.com
McGard Security Products    202        NS4    www.mcgard.com
Samsung Techwin             203        NS5    www.samsungtechwin.com
Quantum Secure              204        NS7    www.quantumsecure.com
Security Today Academy      207        NS9    www.security-todayacademy.com
Panasonic                   206        NS15   www.panasonic.com
DSX Access Systems          201        NS16   www.dsxinc.com


THE FUTURE IS ULTRA-EFFICIENT.

WV-SFN480 | WV-SFV481

Bring ultra-efficiency to your facility with our new WV-SFN480 indoor and WV-SFV481 ULTRA 360-degree cameras. Our ULTRA 360 cameras produce a 9MP 3K x 3K fisheye image, capturing 360 degrees of crisp edge-to-edge image clarity, and come with an unlimited Video Insight camera license. Moreover, all ULTRA 360 cameras can deliver advanced analytics capabilities using the optional WV-SAE200W upgrade*, which enables Heat Mapping, People Counting and Advance Motion Detection modes to make your business even more efficient. Through September 30, 2015, the WV-SAE200W is free with the purchase of an ULTRA 360-degree camera.

FREE Business Analytics Upgrade (WV-SAE200W). Available through September 30, 2015.

Contact your authorized Panasonic reseller or visit us.panasonic.com/ultra360 for more details.

[Image: Actual Image Showing Heat Mapping Analytics]

*Some analytic functions require use of Panasonic WV-ASM200 Client Software. ©2015 Panasonic Corporation of North America. All rights reserved.

Go to http://sp.hotims.com and enter 206 for product information.


CREATING THE FUTURE OF SECURITY . . . TODAY

10731 Rockwall Road | Dallas, TX USA 75238-1219 | [email protected]

www.dsxinc.com

Go to http://sp.hotims.com and enter 201 for product information.
