Implementing Analytics in Security Operations

Technology provides actionable insight for security professionals

What data analytics lets us do — and this applies to both historical and real-time analytics — is to narrow the application of security efforts based on the risk reality. For a closer look at real-time analytics technologies and intelligent responses capabilities, see the following articles:
• Security Integration: Ground Floor Changes (
• Security Integration: High-Level Drivers (
• Don’t Just Automate — Orchestrate! (

Advanced Real-Time Analytics

Today, with most systems, we can only create alerts on something that we expect to happen. And that is the orientation of historical data analysis. What about something that hasn’t happened yet, or that we simply haven’t been detecting?

ArcSight (, headquartered in Cupertino, Calif., is a global provider of security and compliance management solutions that intelligently identify and mitigate cyber threat and risk for businesses and government agencies. The supplier’s offerings have advanced pattern recognition activity, and can be set up to detect when, for example, a terminated employee changes his or her pattern of data access. It can respond by temporarily suspending specific information access, pending a briefing by HR or a business unit manager regarding obligations related to proprietary information. Tools like these enable the definition of high-risk situations, and can provide alerts when the situation occurs. This is much better than being alerted after a policy violation or data loss occurs.

When integrated with the physical access control system, physical access response can be automated, such as temporarily heightening access control restrictions as appropriate for the circumstance. (See this issue’s Convergence Q&A column — page 16 — for a specific example).

A Deeper Look

While working on this article, I collaborated with two specialists whom I knew could help provide a very close look at the operational aspects of information and analytics as they apply to security operations. Eugene A. Keller, CPP, PSP, CHS-III, CAS is a consultant and project manager with more than 20 years of demonstrated competency in the areas of physical and logical security convergence, business continuity and emergency management. Keller also has specialized expertise in the design and application of intelligent video analytics into security operations.

John Gargett, a nationally and internationally recognized expert in crisis management, has worked in more than 40 countries and, for example, assisted the United Nations in designing systems for the monitoring of relief supplies in the former Yugoslavia and Somalia. Gargett has also worked with many industrial firms writing, evaluating and implementing Crisis and Emergency Management plans.
Once our collaboration began, it became obvious that two specific topics warranted in-depth coverage, separate from this article. Emergency response and crisis management is an aspect of security operations that many companies would like to improve. Video analytics has been a disappointing experience for some companies, yet for others it provides significant ongoing value. Thus, two follow-up articles will examine using information (including analytics) for emergency response and crisis management, and the process of integrating advanced video analytics with security operations, including an example project timeline.

Ray Bernard, PSP, CHS-III is the principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides security consulting services for public and private facilities. Mr. Bernard, a member of the Subject Matter Expert Faculty of the Security Executive Council, is founder and publisher of The Security Minute 60-second newsletter ( For more information about Ray Bernard and RBCS go to or call 949-831-6788.