The next time you are walking through your favorite retail store, take a moment to stop and look upward. There is a strong chance that you will find a video camera just a few feet above your head, recording your every move. These cameras are used to detect activity that may lead to loss via theft and ensure the overall safety of store patrons. While security cameras aren’t a new concept, they are a departure from more human-centric security mechanisms, such as posting security guards throughout a store. So, why did most retailers make this transition?

The simple answer is scale. The larger the retailer is, the more nooks and crannies that have to be watched. This might be conceivable in a small local pharmacy with a single person, but even moderately sized retail stores can’t afford this level of overhead. Instead, these stores have turned to cameras and modern digital video recording systems to provide watch over the entire store. And many times, only a single security guard is required to monitor these systems.

For organizations struggling with visibility and scale, a thin network sensor deployment model can help. The idea is similar to brick and mortar stores using video cameras and digital video recording systems, as opposed to posting security guards in every aisle. These retailers have moved from a distributed visibility model to a centralized one, allowing for much more efficient use of resources. This is a more economic model that enables a much greater degree of vigilance.

Figure 1: Distributed guards vs. centralized video surveillance

Network Security Visibility

Similar to physical security, computer network security is all about providing visibility where theft is most likely to occur. Collecting and analyzing data to detect the presence of intruders is known as network security monitoring (NSM).

At a basic level, NSM hinges on being able to capture and process relevant data entering and exiting the network of each store. This visibility is made possible through the deployment of physical sensors that collect network traffic as it passes through network ingress and egress points. There are two primary strategies when deploying sensors in a network: thick sensors and thin sensors.

Comparing Thick and Thin Sensors

Thick sensors are most prevalent in small and medium-sized organizations. Similar to having a security guard in every aisle, many organizations choose to deploy a grid of thick sensors responsible for the whole gamut of NSM operations. These sensors collect network data, perform necessary filtering, and process the data through multiple detection tools in order to produce an output fit for human analyst consumption. All relevant network data that is captured is retained on each individual sensor, which is also where all processing occurs.

Figure 2: Thick sensors rely on distributed processing and on-demand data retrieval

A thin sensor is a much simpler device, with a deployment similar to a small number of individuals overseeing a bank of video monitors in a single location.

The thin sensor collects data from the network segment it is monitoring, filters the data so that only the necessary information is retained, and sends the remaining data out to a central collection point. All anomaly detection and data retention is handled at this central collection point. The same output relevant and suitable for human analyst investigation is produced; however, that output is only produced from one location instead of each sensor individually.

Figure 3: Thin sensors rely on centralized collection

Sensor Hardware

Due to their expanded role, thick sensors demand a greater hardware investment. More disk space is required because of the data retention responsibility, and more RAM and CPU processing are required to process data for detecting anomalies. These functions can push the costs of thick sensors upwards of $20,000.00 each for the hardware alone.

Thin sensors have a much more limited scope. Because they are simply collecting data, performing a minimal amount of filtering, and forwarding that data onward, there is no heavy requirement for disk, memory, or processing resources. This results in a significantly lower hardware investment – in some cases, a thin sensor can cost as little as $1,000.00.

Sensor Management

Thick sensors are significantly more complex to manage than thin sensors because of the software that is required to support their various roles. Management of a thick sensor often means that operations staff will be constantly tasked with ensuring that dozens of services are kept running and operating in concert.

This is in stark contrast to a thin sensor, which has a much smaller number of processes to monitor and track. Instead of having detection and analysis processes distributed across the environment, they are centralized in one location that receives the forwarded data.

Sensor Elasticity

In some networks, the amount of data that must be processed is relatively static. While varying volumes of traffic may be seen from day to night (unless the operation runs around the clock), traffic from month-to-month is normally predictable.

Retailers can have it different. In the same way that stores have to hire additional staffers to support sales and other big events, additional technical resources have to scale to process data at an increased rate. This is often referred to as operation elasticity, or the ability to scale business processes when there is increased demand.

Thick sensors become more expensive when planning for periods of excess capacity. This can result in major expenditures during peak times, as well as underutilized resources during normal throughput.

With thin sensors, there is less concern about limitations on disk, memory, and processing. Plus, if that becomes an issue, then it is much easier to have extra sensors on hand that can be strategically deployed as needed.

The advantages gained by the elasticity of thin sensors and centralized data storage is exponentially increased when applying cloud services to this model. Using cloud infrastructure can increase centralized data storage and processing capabilities with the click of a button. This means that when adding new stores or ramping up for the holidays, there is no need to worry about the challenges associated with scaling a centralized collection.

Analytic Capability

At more advanced levels of security program maturity, organizations begin moving beyond simple signature matching towards more sophisticated detection techniques, such as behavior anomaly discovery and advanced analytics. When this occurs, aggregating and analyzing all data that needs to be interpreted is challenging, since it is distributed across every store that is managed.

That is exactly what happens in a thick sensor model. It then becomes a requirement to add more hardware and software resources to the sensor grid, which oftentimes is not feasible. By design, having all of the data centrally located with a thin sensor deployment circumvents this issue, allowing for big data security analytics to help accelerate detection of advanced threats.

Conclusion

In network security monitoring, visibility and scale are the biggest challenges that must be addressed at a fundamental level. In order to find evil, there needs to be visibility where theft is most likely to occur, and organizations must be able to scale that visibility and detection – as well as the analysis of the data it provides – to a level that is consistent with the scale of the business.

Retailers may have the biggest struggle – they must overcome the challenge of needing visibility in every store they operate, and one solution to these challenges is to consider a thin sensor deployment model leveraging centralized data collection. This strategy truly allows storeowners to have a security camera in every corner of their shops.

To learn more about thin sensor deployment and centralized data collection in the cloud using the FireEye Threat Analytics Platform (TAP), check out our website or contact us.