Business Cases Drive Enhancements to Video Analytics

Sept. 10, 2016
Autonomous systems elevate Big Data and situational awareness as key elements

The industry has come a long way from analog CCTV video surveillance systems. The days of a few low-resolution cameras being monitored by a security guard at a desk are becoming rarer in mid-sized to enterprise organizations. Putting the cameras on an enterprise network and treating the video like any other data gives us endless possibilities of what we can do with this powerful and complex information.

We witnessed the rise of video content analysis (VCA) technology, or video analytics, in the early 2000s in response to the growth of cameras and general surveillance, spurred on by the emergence of IP cameras, the falling costs of data storage and IT infrastructure, a reactive security posture to a changing threat landscape, and the quick realization that traditional monitoring approaches couldn’t keep pace with the growth in video data.

The video analytics industry is typically split into two distinct camps: (1) systems designed around user-specified rules or models and (2) autonomous systems designed around machine learning. One could write an entire article on the subtle nuances and sub-classes within machine learning approaches and their potential security applications and implications, so we will stick with the general definition here and a single defining characteristic: supervised vs. unsupervised learning. Supervised learning systems require heavy training and feedback to achieve the desired output, whereas unsupervised learning systems train themselves from the input data and require minimal human input. The video analytic solutions we saw in the market a decade ago seem rudimentary compared to today’s offerings, partly because the technology has caught up with its early promises and partly because the industry has reset expectations after the initial splash of analytics hyped as a panacea and the future of security.

Much of the initial promise of machine learning in analytics, such as (1) limiting configuration and ongoing support requirements, (2) unlimited scale, and (3) the ability to detect the unexpected, has proven to be accurate. However, some of the extreme claims, such as its ability to replace trained human operators, eliminate the need for well-designed camera placement, completely eliminate false positives, and determine a person’s intent ahead of an action, have proven to be more hype than reality for many end users. Now that the dust is settling and the industry is moving beyond some broken promises, we must acknowledge the progress made and lessons learned. Above all, we are clear, now more than ever, that people are still a critical ingredient for success in both design and ongoing security operations.

Meeting Challenges Head On

In full disclosure, I am firmly planted in the unsupervised machine learning camp. For the better part of a decade, I’ve been working under the premise that ML is the only option for detecting our most dangerous threats: the unpredictable, or those where we can’t pinpoint the target, time, location, or attack vector. Five years of deploying and maintaining these systems have solidified my belief that ML provides the fastest ROI with the lowest TCO through scale and deployability, but I acknowledge that there is still work to do. Some of the key remaining challenges are alert relevance or actionability, the burden of triage on the operators, and the interpretability of alerts. On the surface, the value of unsupervised machine learning is the ability to eliminate the need for any input from humans.

This is actually true, up to a point. These systems have the proven ability to observe a live data stream, learn the normal patterns of behavior, and identify anomalies (statistical outliers) as they happen. Furthermore, they accurately rank how an abnormal event measures against all previously observed behaviors. Under these criteria, these systems do not issue false positives, as each alert can be traced back to the model built from observation and shown to be statistically significant. With zero false positives, why don’t we have perfect systems that only alert on the things worth investigating?

In practice, ML does three things really well:

  • It eliminates the heavy configuration upfront and ongoing high-touch support required with rules-based systems
  • It excels at detecting the unexpected
  • It continuously evolves through continuous learning and forgetting, adapting to changing environments

While organizations continue to adopt ML into their security practice, we still see implementation shortfalls and inefficiencies in the Security Operations Center. The burden of triage on the operator is often higher than desired. Part of the issue is that “normal” doesn’t quite mean “good”. If it’s normal for bad things to happen, it doesn’t mean that I don’t want to be alerted about them. One of my key lessons learned in 20 years of threat intelligence work is that most organizations are really unaware of how often undesirable behaviors actually occur in their environment until they start monitoring, and we now see analytics serving as the discovery tool.

“Normal” is highly correlated with “good”, but there is still a gap that we need to close in order to achieve “ideal”. It’s this gap between ideal and normal that we spend our time deciphering and chasing down as the human part of the system. In the ML world, we are continuously shrinking this gap through guarded feedback, where the human element can provide hints or preferences back into the algorithms to tailor the output toward more desirable alerts by shaping the model. The feedback must be guarded in the sense that a human can completely derail ML’s value, e.g. Microsoft’s Tay experiment that used Twitter as a feedback mechanism. These intelligent and ever-learning machines will provide their opinion on the data, but desperately need a human’s feedback to close the gap between artificial intelligence and human expectations based on a person’s intuition and experience.
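To make the learning-and-forgetting, anomaly-ranking and guarded-feedback ideas above concrete, here is an added example (not the author’s or Giant Gray’s code) of an online scorer for one hypothetical video-analytics metric, a people count per 10-minute window for a given camera. The camera name, the decay and clamp constants, and the sample counts are all assumptions made for the illustration.

```python
"""Added example: per-camera baseline with exponential forgetting, a z-like
anomaly score against that baseline, and bounded operator feedback."""
import math


class StreamingAnomalyScorer:
    def __init__(self, decay=0.9, min_var=1.0, max_feedback=1.0):
        self.decay = decay          # weight kept from older windows: the "forgetting" knob
        self.min_var = min_var      # variance floor so a flat history never gives infinite scores
        self.max_feedback = max_feedback
        self.baseline = {}          # camera -> (mean, variance), learned from the stream
        self.bias = {}              # camera -> accumulated operator preference

    def score(self, camera, value):
        """Rank `value` against what the camera has seen so far (0.0 if nothing learned)."""
        if camera not in self.baseline:
            return 0.0
        mean, var = self.baseline[camera]
        z = abs(value - mean) / math.sqrt(max(var, self.min_var))
        return max(0.0, z + self.bias.get(camera, 0.0))

    def observe(self, camera, value):
        """Score first, then fold the window into the baseline (continuous learning)."""
        s = self.score(camera, value)
        if camera not in self.baseline:
            self.baseline[camera] = (float(value), self.min_var)
        else:
            mean, var = self.baseline[camera]
            d = self.decay
            new_mean = d * mean + (1 - d) * value
            new_var = d * var + (1 - d) * (value - new_mean) ** 2
            self.baseline[camera] = (new_mean, new_var)
        return s

    def feedback(self, camera, delta):
        """Guarded feedback: each hint is clamped to a small step and the total bias is
        bounded, so no single hint (or flood of hints) can silence or saturate a camera."""
        delta = max(-0.25, min(0.25, delta))
        total = self.bias.get(camera, 0.0) + delta
        self.bias[camera] = max(-self.max_feedback, min(self.max_feedback, total))
        return self.bias[camera]


def demo():
    # Constructed sample: 24 quiet lobby windows (17-23 people), then a sudden exodus.
    lobby = [18, 22, 19, 21, 20, 23, 17, 20] * 3 + [85]
    scorer = StreamingAnomalyScorer()
    return [scorer.observe("lobby-cam-1", v) for v in lobby]
```

The last score in `demo()` stands far above every quiet window, which is the statistically significant outlier the text describes; whether a crowd leaving the lobby is a fire, a drill or a party is still the operator’s call, and `feedback()` is the bounded channel for shaping future alerts.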

Another critical area that arguably ties into the same root challenges is the relationship between analytics and situational awareness. In its simplest terms, situational awareness is nothing more than having immediate access to all the relevant data needed at that moment. In a typical example, an operator sees a male subject enter a room. Having access to the information that tells you this room is the CEO’s office and that the person in the room is the CEO is critical to knowing how to react, or not to react. But what happens when we add more information to the mix? What if I know who entered the building and who left in the last 30 minutes? What if I know which computers accessed which network resources? What if I know that there is scheduled construction on part of the building? What if I also know the condition of every internet-enabled device in the building? Even if the information is likely relevant, it’s not surprising that it quickly shifts from helpful to an unbearable burden.

It’s All About the Data

Enter Big Data and the general assertion that companies are “drowning in data”. Naturally, this is the area where analytics comes in. We need a way to organize the data and correlate the alerts to be contextually relevant. Knowing the person in the CEO’s office is the CEO is important when monitoring the CEO’s office. It’s not as useful when trying to determine whether the rush of people exiting the building means there is (a) a fire, (b) a fire drill, or (c) a surprise party for the division manager. These are relatively simple examples. The real examples might have 10 correlated data sources, each of which has millions of data points of history to trend against established normality based on a number of factors, including time of day, which can be cross-correlated with the rest of the data in the collection. All of which create a pattern that tells the system that something might be “weird”.

So then what? In comes the expert. Does high pressure in a specific section of pipe remind the operator that this is what tripped a relief valve in the boiler room, and this is why personnel are running in the opposite direction? The key here is that while millions of data points may have been analyzed and cross-correlated, all the relevant data is delivered to me as one combined snapshot. You get a nice tidy alert with a handful of relevant metrics and indicators, but the system has been poring over an incomprehensible amount of data just trying to decide when it needs to give you a nudge. Ideally, it’s just enough data to let an operator know what’s going on in the relevant system with a minimal amount of extraneous information. The right data to the right person at the right time.

To be clear, analytics is fairly nebulous, and users often look at it as a “magic black box”, so some degree of hype here is inevitable. ML and analytics in general open up limitless possibilities and potential use cases with the availability of data, so it’s very easy to get blinded by the promised potential. Today, we’re seeing previously siloed or unrelated data being fed into analytics for additional context and correlations that were previously unknown to the business. This blended analytic, or “multi-sensor fusion”, is leading the way in context-rich insights and is being driven by the broader availability and accessibility of data. Elevating analytics out of the trenches of a particular business unit or division and into the enterprise level, where event relationships can be identified earlier, is crucial. This critical treatment of data is leading the way for organizations looking to broaden their situational awareness and improve the bottom line through efficiency or safety and security.

The future of analytics in physical security is bright as we continue to leverage cutting-edge approaches from other industries, and we see the combination of intelligent systems with tried modeling approaches as being required for modern protection. Not every situation requires bleeding-edge technology in the form of AI, but we must acknowledge the general lack of insight into unexpected or unpredictable threats and look to systems that provide that cover. As these analytics continue to grow inside and outside of traditional security, we are seeing easier adoption across the enterprise as multiple business units can leverage the same platform.

About the Author: Cody Falcon has more than 15 years of experience in high-tech solution design, product implementation and operations. At Giant Gray, he manages solution development through engineering and product delivery through global field operations. He and his team drive technology innovation through engineering, from concept to delivery. Mr. Falcon joined Giant Gray in 2011 after 10 years of active duty in the U.S. Navy, where his work focused on satellite communications, cryptography and electronic warfare. His highly decorated tours include multiple overseas deployments on intelligence, surveillance and reconnaissance missions, as well as a five-year assignment at the White House as an Advance Lead for the President of the United States. Mr. Falcon holds a Bachelor of Science degree in Information Assurance, an MBA, and numerous professional certifications and affiliations across the physical and logical security domains.