Achieving Security Through Multi-Dimensional Analytics

A technical paper written by Honeycomb’s director Peter Sturge.

Achieving Security Through
Multi-Dimensional Analytics
New Threats, New Challenges
We are all acutely aware of businesses’ and organizations’ reliance on an ever-widening scope of IT systems and services
to perform critical business activity. As these systems grow and change,as new device types,cloud services and
interactive applications become more pervasive,the security concerns to the mission-critical core of the business become
essential. Securing the vast and ever-changing morass of systems and the internal and external users that access them is
crucial to the continuing success of any organization.

This paper addresses these concerns,as well as oft-ignored concerns outside the traditional IT Security scope, and
examines typical gaping security holes that exist in most organizations today. The sophistication and backing of new
attacks is squarely focused on these gaps,and will be ruthlessly exploited if not dealt with in a secure and comprehensive

The Good ‘Ole Days
The traditional view of IT security has been to invest in,and secure the company’s perimeter – firewalls, webfilters, email
scanners, etc.,as well as the endpoints – anti-virus, anti-malware and the like. Plenty of new technologies have arisen that
have altered the familiar face of these – e.g. next-gen firewalls,cloud-based sandboxing etc., but they ultimately are
performing the same job. Unquestionably,these systems remain critical for business security – however,there is equally no
doubt that these systems alone are unable to hold back the tide of sophisticated threats and well-funded attacks,
particularly in the ‘new world’ of mobile devices,cloud services,and remotely connected staff,clients,customers and
The Landscape
The backdrop for achieving all-encompassing security paints a picture of examining all areas of a business – including the
sectors traditionally ignored by IT Security.

Here is just a small sampling of critical parts of business that can be and typically are neglected by IT Security:

• Document and shared access activity
• User behaviour and metrics
• Domain and Directory Access
• Privileged user access
• Local permissions and access control
• Change Control and Management
• Internal-to-internal communications and activity
• Provisioning and permissions assignment
• Physical systems
• Door entry system
• Fingerprint scanners
• Reception registration and security
• Visitors,contractors,cleaners and guest activity
• Transient devices – e.g. visitors’ mobile phones
• Wireless access
© Copyright 2015 Honeycomb Technologies Ltd. All Rights Reserved.
Each of these,plus many more,can be easily and invisibly exploited if not covered by a thorough and comprehensive
Company Security policy. There may very well be plenty of Security Policies to deal with some,many or even all of these
items,but how are these tested? Are they monitored and measured for effectiveness? Do these Policies interact and are
they correlated with other parts of the business?

This area is currently a cavernous ‘black-hole’ of Security among most organizations today. This is partly due to an
historic practice of segregating IT from other business processes – e.g. premises. These areas also tend to be under the
jurisdiction of different and often isolated teams,often with no remit to a central security authority. There is also the
age-old problem that it’s just not that easy to cover all these areas in a cohesive and all-encompassing way.

The price to businesses and organizations that neglect these areas can be very high indeed – not just lost revenue and
loss of brand reputation,also loss of consumer and client confdence,theft of confdential data and trade secrets,
signifcant and costly down-time,and compliance and regulatory impositions,to name but a few.

The necessity to cover all vulnerable areas of the business – not just its traditional IT resources,is so crucial to future
success that,without it,it is just a matter of time before a deadly exploit makes its way in,with ramifcaions that can
bring an organization to its knees.

The Immeasurable Benefts of Measuring
So what chance have organizations got against such an onslaught? Fortunately,new technologies aren’t just used for
threats and attacks. The keys to good security coverage can be summarized by adopting these procedures:
1.Identify all relevant processes and areas of vulnerability (i.e. not just the internet!)
Many,in fact most business processes these days will involve some sort of technology resource,but there are
plenty of areas where data and access flows in and out of technology,most of it occurs internally within an
organization – e.g. printers,photos from mobile phones,scanners,USB sticks,privileged access,out-of-hours
access etc. All technology is,ultimately,used by people. Whether this be for work,pleasure,or malicious intent,
recognizing where these interactions occur,and then monitoring them is a vital step to providing the necessary
information to measure behaviour.
2.Build in an infrastructure for gathering behaviour from all identified areas
Once the areas and interactions have been identified a plan can be formulated to capture data relating to these
areas. At first, this is a divide and conquer’ exercise in order to get any gaps closed off. Later,this data can be used
collectively to provide detailed views of complex and interactive behaviour.
3.Measure the coverage continually so that ongoing changes don’t ‘fall through the cracks’
It’s important to perform regular audits of processes,resources,premises,etc.,so that changes can have the same
rules applied to them as in the initial audit phase. Making this part of the change procedure will reap big dividends
moving forward.
4.Correlate all the identified information to make cross-process attacks visible
This step is crucial – here,all the different aspects and characteristics of all the nooks and crannies of an
organisation and its processes,behaviour and interactions can be brought together to give an holistic view of the
overall health of these processes – this is a company’s Big Data,and it’s not just useful for Security – operationally
this information is of enormous value. It’s a beautiful illustration of the re-use of data for multiple purposes. The
company has invested lots of money in its people,resources and processes – it makes sense to get the most out of
It is important that these steps include all aspects of the organization,and is not limited to ‘the network team’,or the ‘IT
infrastructure team’,or the ‘Call Centre’ etc. It’s typical and understood these different sectors are run and managed by
different departments,often in multiple locations. There’s no need to change the underlying structure,only to add
collaboration of information and behaviour across all sections.
© Copyright 2015 Honeycomb Technologies Ltd. All Rights Reserved.
Dimensions of Coverage
The primary goal of all security systems is to gain as much detection,visibility and coverage as possible,so that timely
and appropriate action can be taken in the event of a breach.

The goal here is to move from a Single Security Plane to a Multi-Dimensional Security Model that encompasses all areas
of an organization,as described above,including its processes and people,and not just its IT assets.

By transitioning to an overlapping,collaborative,multi-dimensional model,huge swathes of security gaps are filled in, with
the corresponding benefits such a transition enjoys.

An additional benefit is the complete and immediate visibility this brings to an organization’s processes and behaviour as
well as its vulnerabilities,allowing companies to detect fault lines and weak spots. It’s the classic ‘You don’t know what
you don’t know’ conundrum.

Traditional Single Security Plane
Multi-Dimensional Security Planes
The Win-Win Scenario
The techniques described here illustrate how a comprehensive Security Policy that reaches into all aspects of an
organization’s behaviour will reap huge rewards in Security,operations and efficiency,and ensure long-term health and
The benefits brought to an organization when adopting this approach are so great, that once the model is brought into
practice, it’s difficult to imagine how an organization survived without it
© Copyright 2015 Honeycomb Technologies Ltd. All Rights Reserved.