Implementing Analytics in Security Operations

Nov. 20, 2009
Technology provides actionable insight for security professionals

Security operations can benefit significantly from the use of analytics — and not just video analytics. Any analytics technology or service can be of value by supporting one or more threat monitoring and response functions of security operations including deterrence, detection, identification, assessment, response and recovery.

Analytics can be said to be the application of computer processing to examine information carefully and in detail so as to identify causes, key factors, patterns and possible results. In security applications, analytics technology is used to identify the likely presence of a threat or threat activity and to report it and/or take automatic action, according to predetermined rules or programming. Some analytics technologies can “learn” over time. Based on certain criteria, they update the basis they use to evaluate data, which can increase accuracy and effectiveness.

It can be helpful to think of analytics techniques and tools as fitting into two categories: sensor-based or raw data analytics, and information analytics. Both categories offer value, and the key objective for each is to get data that can be translated into something meaningful to the operational environment.

Analytics Based on Sensor Data

Video analytics is the most widely known category of sensor-based analytics. Most security industry material on analytics centers on video analytics, which is naturally of high interest due to the recent increases in camera system capability, and the general widespread use of video cameras in security. Pixel images from the camera’s image sensor are examined for patterns in real time, and resulting conclusions are reported using graphical displays (such as drawing a box around a violation occurrence) or text data (such as for people or vehicle counting analytics). There is a lot of information available from video analytics vendors, and increasingly case study information is becoming available.

There are many factors to consider in evaluating video analytics capability, suitability and performance. Aimetis Corp. (www.aimetis.com), a provider of intelligent video surveillance software, provides a white paper entitled, “Factors that Influence Video Analytic Performance,” which summarizes the key technology issues and is available for download from its Website.

Information Analytics

Technically speaking, in the information world, data mining is considered distinct from data analytics, even though both are data analysis. Data mining is an activity of extracting information (hence the term mining) whose goal is to discover hidden facts, undiscovered business patterns, and hidden relationships existing among the data contained in databases.

Data analytics is the science of examining raw data with the purpose of drawing conclusions about that information. It generates new data not found in the original data examined. Until one gets very specific about the applications, these distinctions are academic. Furthermore, the distinction tends to blur when both are combined, or when the results of either are used to evaluate data being generated in real time or near real time, such as is done by Google Analytics (www.google.com/analytics).

Therefore, for the purposes of this article, the term analytics is being used to encompass any kind of data analysis that provides actionable insight. Analytics can have a force-multiplier effect, enabling fixed security resources to be applied for increased security-effectiveness or increased cost-effectiveness, or both. The job of security is to reduce security risks to acceptable levels, at an acceptable cost — and technology use should always be viewed in light of that overall focus.

Simple Analytics Allows Redeployment of Security Officers

In case the preceding paragraphs give the wrong impression — that this is going to be a theoretical article about analytics — let’s take a look at a very simple, yet highly beneficial real example of data mining that any company could perform, provided that they have the data to do so. Real-time analytics generate data on the fly. Other data mining analytics — as in this example — require historical data. Many security operations accumulate access and alarm history and then simply delete it after a time; yet, such data can be a source of information that can help improve security operations.

Some years back, a question was raised in one global corporation about the use of security officers at its multi-building campuses. It seemed like the officers were spending an excessive amount of time responding to door forced or held open alarms, only to arrive on the scene and find the door closed and with no apparent incident evidence in sight. When multiple alarms occurred, some could not be responded to; however, they knew that some of these alarms were related to actual property or information material removal. The question was, which ones?

They performed a manual exercise data analysis. Correlation with incident reports and available video revealed that if doors were held open for 20 seconds or less, no security incident occurred. They also discovered that a door forced open for four minutes was always a security incident. In between, there was a high likelihood of an incident. The data also showed that the majority of such alarms had durations of 20 seconds or less. A pilot program was launched, using a rules-based software application, to only annunciate door forced or held open alarms at the 20-second point. This reduced the dispatch rate by 90 percent, and also resulted in an immediate increase in catching incidents in progress.

Some situations were not security incidents, but responding to them still had value as a deterrent action, since officers were now showing up mid-activity when there was prolonged activity at a door. There was a small increase in property pass use, indicating at least partial success. Further data analysis showed that some buildings never had long-duration door alarms, and so security patrols and posts could be located to enable quicker response to higher-risk buildings. Additional cameras were deployed only at the higher-risk buildings, resulting in cost savings compared to deployment at every building. An educational campaign was designed and executed, and this resulted in a further reduction in the officer dispatch rate.

Planned further improvements include applying metrics to the high-risk buildings (such as R&D), to monitor effectiveness and to detect any potential rise in the 20-second or less category (possibly indicating a shift in violator behavior). A security dashboard was designed to display the related trends on an ongoing basis. Additional security improvements could now be implemented using the security officer time reclaimed from chasing after non-incident situations at doors.

Such data analysis can be important for organizations that want to implement a regional or central security operations center (SOC). Should all alarms from each facility be reported to the SOC? The lesson from this example is that they should not. It requires some data analysis, followed by investigation and verification, to determine what SOC response is most security-appropriate. A first step in SOC deployment is to optimize and standardize the security response and alarm reporting at each facility — which may differ based on the presence or absence of security personnel — and then determine what the optimum use of the SOC can be.

Extending the door alarm example further, using current-day video system technology, it is possible to capture door activity (people and vehicles) and forward this to the PDA or mobile phone of the responding officer, and to an officer posted at the exit gate. It is also possible to send the same data to a supervisor or manger (i.e. the security stakeholder with authority in the area), especially if his or her desk is near the alarming door. Another possibility is to lock down an unstaffed parking exit gate (appropriate for a very high-risk situation — such as a box being carried out from an R&D area without authorization), until security can respond and meet the vehicle there. Another consideration is whether a different type of response warranted for suspicious activity after hours vs. normal hours.

What data analytics lets us do — and this applies to both historical and real-time analytics — is to narrow the application of security efforts based on the risk reality. For a closer look at real-time analytics technologies and intelligent responses capabilities, see the following articles:
• Security Integration: Ground Floor Changes (www.securityinfowatch.com/root+level/1295759)
• Security Integration: High-Level Drivers (www.securityinfowatch.com/Cover+Focus/security-integration-high-level-drivers)
• Don’t Just Automate — Orchestrate! (www.securityinfowatch.com/root+level/1296064)

Advanced Real-Time Analytics

Today, with most systems, we can only create alerts on something that we expect to happen. And that is the orientation of historical data analysis. What about something that hasn’t happened yet, or that we simply haven’t been detecting?

ArcSight (www.arcsight.com), headquartered in Cupertino, Calif., is a global provider of security and compliance management solutions that intelligently identify and mitigate cyber threat and risk for businesses and government agencies. The supplier’s offerings have advanced pattern recognition activity, and can be set up to detect when, for example, a terminated employee changes his or her pattern of data access. It can respond by temporarily suspending specific information access, pending a briefing by HR or a business unit manager regarding obligations related to proprietary information. Tools like these enable the definition of high-risk situations, and can provide alerts when the situation occurs. This is much better than being alerted after a policy violation or data loss occurs.

When integrated with the physical access control system, physical access response can be automated, such as temporarily heightening access control restrictions as appropriate for the circumstance. (See this issue’s Convergence Q&A column — page 16 — for a specific example).

A Deeper Look

While working on this article, I collaborated with two specialists whom I knew could help provide a very close look at the operational aspects of information and analytics as they apply to security operations. Eugene A. Keller, CPP, PSP, CHS-III, CAS is a consultant and project manager with more than 20 years of demonstrated competency in the areas of physical and logical security convergence, business continuity and emergency management. Keller also has specialized expertise in the design and application of intelligent video analytics into security operations.

John Gargett, a nationally and internationally recognized expert in crisis management, has worked in more than 40 countries and, for example, assisted the United Nations in designing systems for the monitoring of relief supplies in the former Yugoslavia and Somalia. Gargett has also worked with many industrial firms writing, evaluating and implementing Crisis and Emergency Management plans.
Once our collaboration began, it became obvious that two specific topics warranted in-depth coverage, separate from this article. Emergency response and crisis management is an aspect of security operations that many companies would like to improve. Video analytics has been a disappointing experience for some companies, yet for others it provides significant ongoing value. Thus, two follow-up articles will examine using information (including analytics) for emergency response and crisis management, and the process of integrating advanced video analytics with security operations, including an example project timeline.

Ray Bernard, PSP, CHS-III is the principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides security consulting services for public and private facilities. Mr. Bernard, a member of the Subject Matter Expert Faculty of the Security Executive Council, is founder and publisher of The Security Minute 60-second newsletter (www.TheSecurityMinute.com). For more information about Ray Bernard and RBCS go to www.go-rbcs.com or call 949-831-6788.