Security Enterprise Services

How Will Big Data Change Security?

In the first part of this series (published in April 2013) we discussed some of the major technologies that will play a role in the application of Big Data to the practice of physical security.

October 1, 2013
Trans

In the first part of this series (published in April 2013) we discussed some of the major technologies that will play a role in the application of Big Data to the practice of physical security. We offered several conclusions:

Big Data is a perfect fit for cloud computing due to unlimited on-demand resources.

The ROI comes from unique insights not previously possible on smaller data sets or local servers.

Besides economics benefits, there is real potential for improving life safety and property protection with real-time analytics.

In this article, we look at some specific examples of how Big Data techniques can provide benefits at several scales of analysis. Note that these examples are only the tip of the iceberg. They are just illustrations of what can be done. We are limited only by our imagination. 

The data sets for these examples come from three different domains. The first two will be familiar to every enterprise security leader: access control and video analytics. Both produce copious amounts of data that contain many hidden patterns and predictive indicators. The third data source is one that may surprise you: log files from Web servers.

 

Population Statistics vs. Local Analytics

The analytic examples here are drawn at two different scales. The first is large groups of users and facilities who may or may not be related, but are nonetheless correlated with one another due to outside factors such as location, type of business, time of year, etc. We’ll call these “population statistics.” The second is based on data that is local to an organization or even a single facility, but can benefit from the powerful analytics provided in a Big Data context. We’ll call these “local analytics.” 

The use of population statistics exploits the fact that security systems generate massive quantities of data that have business and social value beyond immediate use in security management. However, with the legacy model of one security system per building or even one security system per enterprise, the old data populations were never large enough to support this mode of analysis. Today, with more security systems operating across larger, aggregated systems in the cloud, data sets are far more interesting and valuable. The tools we discussed in our first installment allow us to realize this value.

Local analytics provide facility or company-specific data insights, but do so with tools usually reserved for much larger problems. That means more computing power and more sophisticated algorithms brought to bear for much lower cost. Again, this benefit is enabled by cloud architectures that leverage economies of scale and provide capabilities that simply aren’t feasible on the class of servers usually associated with security systems. As Microsoft Research has observed, “big data is inconvenient. It’s too big to fit on a screen, or in memory, or on disk.”

 

Big Data in Action:  When Do People Get to Work?

A simple illustration of population statistics is to use Big Data techniques to answer the seemingly straightforward question, When do people get to work?  The answer depends on many factors, but one specific hypothesis we can test is whether there is any significant difference in arrival time based on time zone. To get at this, we examined a data set of around two million anonymized access events for a single workday this year. The same analysis over one year would comprise approximately 1 billion data points – clearly more than the typical security system is designed to process.

Figure One (see Fig. 1, p. 30) shows this data set as a histogram of arrival times for each of three major U.S. times zones. Three waves of activity representing each time zone are clearly visible, and offset by approximately one hour each, as expected.

What becomes more interesting is when we dig further into the data and look at the statistics for morning arrival times in each time zone.  As shown in Figure Two (see Fig. 2, p. 30), regional variations occur in the median arrival time, but we can only see this when data is aggregated across a statistically significant population.  

How can a business make use of this insight? For one thing, it may suggest –  apologies to California – if you want a workforce of early birds, open an office in the Midwest. The data shows that employees in the Central time zone arrive on average as much as 30 minutes earlier than their counterparts across the rest of the country. Overall, though, the data indicates that the regions are perhaps more alike than different.  The shape of the activity graphs is remarkably similar for the full day period, showing the same influx, mid-day lull, and subsequent trailing off.

If there’s one thing that Big Data analysis shows us, it’s that data created for one purpose may have more value for many other applications. This type of analysis shown in Figure Two could be extended to look at variations in day of the week or month, or larger seasonal patterns. These results could in turn provide valuable insights to better understand the workforce, commuting patterns, office occupancy, and more. The answers are there for those who have questions, and they won’t all be security users.

 

How Many of My People Are Showing Up?

If you provide security for a facility, campus, or a nationwide chain of offices, a key factor you need to understand is how many people are accessing your premises on any given day. Understanding both regional and seasonal variations is also important, as well as any changes to historical patterns.

To get a top-level view of this population analysis, we looked at an event sample for roughly four million anonymized users for a single day. We then produced a frequency distribution of number of times each user accessed one or more doors in their facility (see Fig. 3, p. 30). This tells us the level of activity for the day. We found that the single largest group – slightly more than one million – were those who never used their cards at all on the date analyzed. There were also a handful of people who went through a door an astonishing 400+ times in a single day. (It’s hard to see how they got any work done, but that’s another question.)

It’s easy to see how facility owners and others can benefit from this type of data. For example, knowing that roughly one quarter of the people don’t show up on any given day means that you might be over-allocating office space or other building resources. Perhaps it’s time for hoteling instead of assigned office space. Similarly, facilities that show lower or higher activity levels than this norm may have special security or maintenance requirements. At a municipal level, this type of data also has a lot to say about traffic, parking and city planning.

 

Is This Week Normal or Abnormal?

One of the biggest benefits from large data sets and strong analytical tools is the ability to detect patterns in data, and to show when there are exceptions. In the following example, we use longitudinal analysis of one year of data to find patterns that can be compared to the present.

Figure Four (see Fig. 4, p. 31) draws on a cloud-based history of video analytics produced by surveillance cameras in a commercial office setting. The data analysis software in this case established a baseline moving average of the activity level observed by the cameras (green line). It then overlaid an abnormal week’s observed event levels on top of the historical norm for this location (blue line). The obvious question is, Why is this week so much busier than the average? A better question might be, Would anyone have detected this was an abnormal week without the benefit of Big Data analytics? Compare this type of insight to what is possible with the “naked eye” or the usual reporting functions available in local security systems.

 

How Do My Properties Compare?

One of the most common questions in an enterprise setting is, How do my facilities compare? This question is often the subject of store-to-store comparisons in retail, for example, but could just as well apply any time there are large numbers of facilities brought under a single security umbrella. Understanding large quantities of data in a single analytical framework provides insights that would not be possible unless the data is aggregated into a single system with the speed and power to provide answers in a timely fashion.

Figure Five (see Fig. 5, p. 31) shows security events at four different locations within the same enterprise. In this case, the data representation shows at a glance that all four of these facilities exhibit approximately similar security event traffic. None of them really stands out – and sometimes that’s all you need to know. The trick here is to produce that knowledge quickly, on demand, without lengthy user or IT involvement.

 

How Does This Year Compare to Last Year?

Companies often want to measure the effect of new initiatives to see if they are having a positive effect on outcomes. Again, Big Data visualizations make this a straightforward process that quickly yields results for large data sets. Figure Six (see Fig. 6,
p. 31), 2012 clearly has a lower incident rate than 2011. A multi-dimensional analysis could expand on this technique to compare changes across multiple facilities undergoing the same improvements.

 

Improving the User Experience

Earlier, we indicated that an unusual data source in the security domain is log files from Web servers. What’s unusual is that it’s not security data per se. Rather, for cloud-based security systems (or any system supporting front end browsers), the data represents the behavior of the security personnel actually using the system to perform their jobs. Why is this important? In a world where consumer-oriented Web companies intensely study online user behavior to improve their applications, security system customers appear to be last in line for this aspect of User Experience (UX) enhancement. That’s a detriment to both our customers and the people we protect. A simple example of the kind of data we can extract from a few billion Web clicks is to understand which activities are performed most often by security managers; hence, where we should focus our User Experience improvements. Figure Seven (see Fig. 7, p. 31)distills a year’s worth of online customer behavior into the five most commonly performed security actions.

 

Where to from Here?

The examples presented here are all retrospective in that we have compiled and analyzed events that have already happened. As previously mentioned, they only scratch the surface, and are limited solely by our imagination.

Next time, we’ll look at the predictive value of security information in a Big Data context. After all, it’s nice to understand the past, but our real goal is to understand and change the future. 

Did you enjoy this article? Click here to subscribe to Security Magazine. 

Recent Articles by Steve Van Till

You must login or register in order to post a comment.

Multimedia

Videos

Image Galleries

ASIS 2013 Product Preview

ASIS International 59th Annual Seminar and Exhibits, September 24-27 in Chicago, Illinois, will include an exhibit hall packed with innovative security solutions. Here are some of the products that will be shown at ASIS this year.

Podcasts

Virtualization and Data Center Security: What You Need to Know for 2014

Data centers are increasingly becoming the center of the enterprise, and data center and cyber security is following the same path for security departments. According to Justin Flynn, a consultant at the Burwood Group, the virtualization of data centers allows enterprises to scale more easily and faster, with a smaller footprint.

However, hosting enterprise data in the cloud can make intrusion detection more difficult – how can enterprise security leaders team up with other departments to keep aware of cyber risks and traffic, and physical and data compliance during the virtual transition? How can CISOs and CSOs discuss cyber threats with the C-Suite to get the resources they need? And how can the proper infrastructure test and verify possible malicious attacks? 

More Podcasts

THE MAGAZINE

Security Magazine

April 2014

2014 April

In the April issue of Security magazine, read about integration partnerships and their growing success. The Boston Marathon bombing has changed the way integrators look at security for sporting events, see where they are one year after the tragic incident. Read about the 2014 RSA conference and this year's theme of "Threat Intelligence. Also, read about the latest products and news in the security industry.

Table Of Contents Subscribe

Background Checks

Who conducts background checks on new employees and contractors in your enterprise?
View Results Poll Archive

THE SECURITY STORE

comptiahighriseproductphoto
CompTIA Security+ Certification Study Guide
CompTIA's Security+ certification is a globally-recognized, vendor neutral exam that has helped over 60,000 IT professionals reach further and higher in their careers. The current Security+ exam (SY0-201) focuses more on being able to deal with security issues rather than just identifying them.
More Products

Clear Seas Research

Clear Seas ResearchWith access to over one million professionals and more than 60 industry-specific publications,Clear Seas Research offers relevant insights from those who know your industry best. Let us customize a market research solution that exceeds your marketing goals.

Vertical Sector Focus: Critical Infrastructures

criticalhomepagethumbFrom terrorism to vandalism, it’s preparedness, response, training and partnerships. Learn about some of the critical security issues facing this sector.

Visit the Critical Infrastructure page to read more.  

STAY CONNECTED

Facebook 40px 2-12-13 Twitter logo 40px 2-12-13  YouTube  LinkedIn logo 40px 2-12-13