Previous Article

Secrets of Fighting the Insider Threat

Martin Grigg
Martin Grigg of 323 Consulting discusses the benefits of security integration within a high-security environment and proposes a solution to identify and mitigate the risks associated with a blended attack. 
Around the world and throughout history, mankind has been using an integrated approach to security to defend its people, its property and its assets. 3,000 years ago in Europe, during the later Bronze Age, people were building hill forts [1] to protect their villages from invaders and marauding enemies. Layers of banked ditches, fences, buildings, lookouts and warriors integrated together to form a robust security system. Evidence of a layered approach to security can be found even further back than this when Ancient Egyptians dug moats around some of their castles (an example of this can be found at Buhen). Evidence of other similar moats can be found in the ruins of Babylon [2], and these date back to nearly 5,000 years ago.  

The integrated approach to security today is no different to that of the past – it is just a bit more complex because today we have more advanced technology and at least 3,000 years of experience. However, so do our adversaries! 

Integration in the context of a security system is the process of combining distinct elements in such a way that they support each other to produce a strong and effective scheme. The benefits of such integration can be summed up by the phrase that was first coined by the Greek philosopher and scientist, Aristotle, who said that “the whole is greater than the sum of its parts”. In other words, integration produces synergy. 

Whether you use an analogy of a hill fort or that of an onion, the process of layering up lines of defence is straight forward – simply put one after another. However, to successfully integrate the layers it is necessary to understand the operational requirements and performance of each one and how combining technologies and resources will increase their effectiveness. Tests in the cyber security world have demonstrated that simply layering up security defences is not enough to stop all potential forms of attack. Enterprises should focus on the effectiveness of specific combinations of devices at blocking specific exploits rather than simply layering randomly in the hope that multiple devices equal higher protection [3]

A layered approach to security has a series of fundamental operational requirements but applying different technologies with due consideration to synergy will enhance each layer and integrate it to the next or deeper layers within the scheme. The outer layer should clearly demarcate the protected area and a simple fence will do that but if the fence supports signage, then the combined effect is greater than either the fence or the sign. This is a simple example of integrating physical items together to increase their value. However, if you integrate technology to provide detection and remote vision at the perimeter, then the outer layer becomes much more defensive than a simple fence. 

Detection at the earliest opportunity is essential within a security scheme to allow an appropriate response as much time as possible to neutralise the threat [4]. Consideration should be given to detection and delay times so that an adversary is identified quickly and delayed while a response is mounted. These competing timelines are altered by integrating physical barriers with technology. However, it is important to consider that physical barriers could impede the response as well as the adversary. 

Video surveillance will provide situational awareness to give a response force a means of verification of an event and the vital intelligence to allow an appropriate response to be delivered. Integrate this further with a set of formal response procedures and you will soon see that integration is no longer a logical step by step layered approach, but a web of connections that links physical with physical, physical with technology, technology with people, people with processes and so on; a web that links all these things together and improves upon value at each connection point (or node). The nodes within a well-designed security system will bridge traditional layers of security to form a network of information, communication, physical barriers and responses. 

This web of integration not only provides synergy but also creates defence in depth, which is a term used to describe the defensive lines of a system that work together to create strength and uncertainty for an assailant. Defence in depth in a high-security scheme reaches out as far as gathering international intelligence. It includes communication with local communities and government agencies as well as the physical, technical and procedural integration. Defence in depth is not simply a set of physical barriers; it is the procedures, the policies and the security culture [5] within an organisation brought together with the physical systems, the operators and the response forces. Defence in depth can only be achieved through multiple layers of integration. 

With all of this said, it makes security integration seem like a monster that is going to be impossible to capture and control but that is not necessarily the case. Being in the business of critical national infrastructure or any other sector that demands high-security means that organisations must have highly effective security measures in place to protect all of their activities. These measures must keep up with the changing threat horizon and the technology developments that people with malicious intent have access to. Therefore, the use of modern integrated security systems that meet the operational and resilience needs of an organisation has to be considered. With this in mind, it is important that a security design team ensure that their strategies are not hindered by historic or legacy solutions and that the new designs are relevant to the next generation of infrastructure and the ever-evolving threats that may target it. 

It is not uncommon to find security operations and some command-and-control centres using paper-based processes and not sharing information. A cluttered control room with multiple systems and piles of paper should be a thing of the past. Several years ago, a group of security industry ‘dreamers’ came together because they wanted to do with security data what every other business unit does – that is, to make intelligent business decisions. The term that is commonly used today is PSIM – Physical Security Information Management. [6] This is a software-based application that gathers data from all of the disparate security systems/devices and aggregates it to produce better situational awareness, prompting better security and operational decisions. 

The ability to manage multiple systems with thousands of sensors is essential for improved visibility and the holistic analysis of events at a high-security facility. However, it is not only the vast scale of the data that needs to be managed but also the human interface. Professor Velastin (et al) points out that ‘video blindness’ [7] can cause people to see what they expect to see rather than an unusual event. This has been proven many times and is now regarded as one of the best-known experiments in psychology. For fun, you can search for [8] on the internet where you will find several short videos demonstrating this phenomenon. 

Using technology to integrate systems and then applying algorithms and true/false Boolean logic (AND/OR/NAND/NOR) to the data allows the system to present only valid information to security operators.  This goes a long way to preventing operators getting swamped by information overload and ‘video blindness’. The same process also provides an ‘enhanced intelligence’ in that the software can correlate so much data that some relationships that may not have been apparent to a person doing the same job can be highlighted. For example, if a door is held open somewhere in a building, the operator may perceive it as a low-level event. If a leak detection system identifies a problem in a plant room, then a person may also perceive that as a low-level event. Neither of these events requires immediate action but if they correlate in time and location, then they may be indicative of a sabotage event, which is very different from a door being held open by a cleaner or a leaky air-conditioning unit. 

Modern security systems in a high-security facility can have thousands of devices connected to them. The sheer scale of detection systems does make them difficult to maintain. Having a centralised software application monitoring all of the devices allows for a 24/7 health status of the scheme to be displayed to operators and maintainers. If a camera stops producing a video signal or the usual scene changes dramatically, the system can automatically highlight this to an operator as soon as it happens rather than when the operator next looks at that camera. If a detection device does not operate at least once in a given period of time the system can alert this to a maintainer so that it can be checked. The alternative would be to either wait for the next routine maintenance or for it to not detect a real event with potential disastrous consequences. 

24/7 Central device monitoring also allows for the detection of a ‘corridor of opportunity’. In a security system, this is when two or more lines of defence are inactive in a layered approach. It is common practice to have two different detection technologies on a perimeter to increase the probability of detection. It is also good practice to have closed circuit television to provide video verification of alarm events at any given zone. A corridor of opportunity would be created if two of these three systems failed simultaneously. This would create a significant weakness on the perimeter, hence providing an opportunity to breach the system. A corridor of opportunity would also be formed if multiple lines of defence were to be ineffective throughout a facility, creating a weak path or ‘corridor’ to a protected asset. 

The ability to automatically aggregate and correlate large data sets provides the further benefit of ‘trend analysis’ which has the potential to predict the next security event. Access to so much data allows the identification of common events across time and location. When applied to trend analysis, these events can be tracked for patterns and be extrapolated to predict when it might happen again – forewarned is forearmed. 

The World Institute for Nuclear Security (WINS) Special Publication on Data Analytics for Nuclear Security [9] introduced the concept of integrated data analytics, which imagines data sets being brought together from different functional areas of the business so that new insights can be established by monitoring trends across traditional functional boundaries. This idea brings in data from silos, such as human resource and medical files, email and phone records, material audits, workflow process management, safety operations, quality control, etc. to identify correlating abnormalities with a view to providing early warning of a weakness forming or highlighting a potential insider threat. 

Putting the obvious privacy issues to one side, integrated data analytics may highlight a personal motive and a corridor of opportunity being opened. An inter-departmental data sharing process can allow for the bi-directional exchange of information to benefit the organisation as a whole. As storage costs decrease, many departments are streaming large quantities of data into their silos without necessarily analysing it. Analysis of latent data may not only protect against major security breaches, but it can also monitor staff behaviour and movements. The same bi-directional data sharing means that investment in security can be leveraged to create powerful new business and safety tools. For example, combining training records with access control permissions will ensure that a contractor is not only authorised to enter an area but their training for that area is still valid. 

With the digital shift of security technology and process instrumentation to IP-based systems, the risk of cyber-attack increases significantly. Traditionally, these systems were analogue and isolated but now that they reside in the digital space, they are subject to the same vulnerabilities as every other networked device. It has been proven that viruses, Trojans, worms and other malicious applications now have the capability to jump air gaps which means that isolated networks are not safe from attack either. The combination of physical, procedural, data and network security provide a greater resilience to the current trend of ‘blended’ attacks, i.e., insider attack, cyber-attack and physical attack – either in order or simultaneously. 

Security Information Event Management (SIEM) is the software equivalent to PSIM in that it monitors, correlates and reacts to security events on a computer network and within a software environment rather than a physical one. Typical systems will monitor network assets, aggregate and centralise the data, detect threats and manage the events. All of this needs to be done in a live situation to alert security staff of anomalous behaviour. Cyber security, like physical security cannot be deployed and left. It’s all very well having firewalls and encrypted data but to assume that that your security networks are safe is reckless and constant vigilance is advised. 

Having security systems integrated to such a high degree as described here allows for a level of flexibility that would not be apparent in a collection of disparate systems. Resilience is often described as being tough and having the ability to recover quickly. However, in my mind resilience is the ability to adapt to new threats. Rafe Sagarin [10] postured that 'Despite the billions of dollars we’ve poured into foreign wars, homeland security, and disaster response, we are fundamentally no better prepared for the next terrorist attack or unprecedented flood than we were in 2001. Our response to catastrophe remains unchanged: add another step to airport security, another meter to the levee wall. This approach has proved ineffective: reacting to past threats and trying to predict future risks will only waste resources in our increasingly unpredictable world’. Rafe advocates that an ability to be adaptable is one of the best forms of resilience. Having plasticity in the configuration of integrations allows a security system to ‘escalate’ when necessary and adapt to changing threats. When designing a security system, it is essential that adaptability is built in rather than relying on the usual reaction of building more security on top. Adaptability makes change possible and having a system that can be reprogrammed and reconfigured makes for a system that is resilient to the ever-changing threats that we face. 

So, all through history, we can see the benefits of integration when it comes to security. The only thing in comparison to our ancestors that has changed is the technical ability that we have today. Building windows just big enough to allow an arrow to be fired out of can be compared to having closed circuit television on a perimeter. A moat around a castle can be compared to having layers of defence in a modern scheme. Aristotle was right in that the whole can be greater than the sum of its parts. With integration, we can see things that might not normally be apparent; we can tame huge monsters so that only relevant information is received. With integration and data analysis, we can even predict the future. The ability to integrate allows flexibility so that a security system can adapt to change. The benefits of integration are many, but without a vigilant eye on security design it is easy to fall in the trap of inefficiency and inflexibility which ultimately will make for a weaker security system. 

Created with