- Use Cases
Veriato produces software that collects and analyses human activity and behaviour, with alerting, reporting and review capabilities designed to enable early detection of problems and reduce the amount of time from detection through investigation to remediation.
Identifying Corruption Within The UK Police Force
In November 2014, HMIC published its force reports, which assessed the extent that forces have put in place arrangements to ensure its workforce acts with integrity.
The capability of UK institutions to tackle police corruption had progressed. However, HMIC condemned the relatively large number of investigations where no further action was taken, roughly two thirds of all investigations.
HMIC’S Mike Cunningham QPM noted that whilst many cases of police corruption are dropped due to being unfounded, “we cannot rule out that some of those allegations have not been properly inquired into or investigated.”
Veriato collects detailed, context-rich information about user activity, and makes it available and understandable, without the need for expensive, specialized forensic expertise. With Veriato acting as a system-of-record, investigators are in possession of exactly the type of evidence they need to conclude investigations in a timely, accurate, cost and resource efficient manner.
Because Veriato solutions consistently deliver accurate evidence that stands up to challenge, they have been deployed in almost 40,000 organizations in more than 110 countries worldwide. From household name companies through major educational institutions and government entities, Veriato is the system-of-record.
According to Transparency International UK, 0.5% - 1% of UK police staff are corrupt - March 2015: (900,000 officers x 0.5% = 4,500 - 9,000 officers)
HMIC Recommendations & Observations
Criminals seek information about themselves, competitors, investigations, tactics, prosecutions, witnesses, and intelligence sources to undermine law enforcement…
…forces that used the national assessment of the threat from corruption… had carried out a greater range of prevention activities, intelligence-gathering and investigations …are in a better position to understand the nature of the corruption threat they face and how best to respond to it.
…Disappointingly, we have found that fewer than half of all forces have an effective counter-corruption plan which demonstrates their understanding of the threat to their force from corruption, and their proposed activities to improve not only the prevention and identification of corrupt behaviours, but also their investigative capability …
…forces that do not have a process for using the range of information(data) that they hold miss opportunities to identify and prevent or investigate members of staff breaching the professional standards of behaviour or those susceptible to corruption
…anti-corruption units should have the ability to conduct initial research on force computer systems including crime, intelligence and human resources systems…
…a small number of forces had anticorruption units that were not staffed sufficiently to allow them actively to seek and gather intelligence about corruption.
The overwhelming majority of corruption investigations involve some element of unlawful access to data and information held on computer systems or disclosure of the information held on those systems. Monitoring the use of force computer systems is therefore vital in countering corruption. Communicating to the workforce that such monitoring takes place will help to discourage unauthorised access.
How can Veriato work for you?
By employing Veriato, you can implement a robust monitoring scheme - one that provides the vital insight into data and systems access required to counter corruption, without overtaxing your budget and infrastructure.
Collection and temporary storage of user activity data on the endpoint where the activity occurs
Analysis of user behavioral patterns and alerting on deviations from the norm that suggest a threat
Extraction of the user activity data Veriato Recon has stored on the endpoint into a central database
Presentation of user activity data for use in investigations
Veriato has been in the business of watching and alerting on user actions since the late 1990’s. We’re proud of our track record, and we’ve applied lessons learned over the years to help us design a solution that possesses advantages our competitors can’t match.
Veriato stores recorded user activity data securely and obsfucated on the endpoint. Data can be retained on the endpoint up to 90 days. This temporary retention supports the need to have detailed, context-rich activity history available when the need to conduct an investigation is discovered. The solution also stores meta data needed to maintain high quality behavioral baselines in a secure on-premise SQL database.
Veriato stores recorded data in a secure on-premise database. Retention periods are customer configurable.
One of the most common questions asked at the onset of an activity and behavioral monitoring program is “how much storage will we need to deal with all of this data?” Please see “Storage Considerations on page 11” for a detailed look at the infrastructure requirements.
Veriato Recon and Veriato 360 lever a single, common endpoint agent to collect information and intelligence from the online and communications fabric of the organization. This agent has been refined since 1998, and has been deployed on millions of endpoints.
The agent records the activity you configure it to. The following options are available:
Veriato Recon analyzes the user activity data collected, identifies behavioral patterns, and detects anomalies in established patterns that suggest risk or threat. The software looks for anomalies related to data access and movement, as well as psycholinguistic anomalies (changes in the way people communicate) that can act as early warning of elevated risk conditions. Veriato Recon is a User and Entity Behaviour Analytics solution.
Alerting, Reporting, and Review
Veriato sends alerts when behavioral anomalies are detected. Alerts can be sent via direct integration to leading SIEM solutions, to any 3rd party solution that can ingest syslog, and via email to designated recipients
Veriato sends alerts when customer defined events occur. Alerts can be sent via direct integration to leading SIEM solutions, to any 3rd party solution that can ingest syslog, and via email to designated recipients
Testimonial - Veriato in Action
A member of the staff at Leicestershire was responsible for a large-scale internal theft. The defendant created a false alibi for themselves by fabricating an excuse to enter a secure limited access building: ‘defendant’ typed a simple sign to be placed in their vehicle ‘when needed.’ They wanted to laminate the sign and the laminator was in the secure building.
Whilst in the building they removed a key for a safe, which they used to steal from other premises.
According to Detective Sergeant Lee Ferguson of the Anti Corruption Unit, “Due to their expertise and knowledge of processes they were able to access large cash sums and remove without detection.”
The software proved extremely useful to the prosecution case and resulted in guilty pleas.
To effectively cover their tracks, they needed a reason to re-enter the building to return the safe key. The defendant claimed that the sign they created and laminated contained a typing error, and they need to create and laminate a new copy without the error. This was the reason provided for re-entering the secure building to return the key.
Leicestershire ACU was able to prove the alibi false through use of Veriato 360. Keystroke recording, combined with screenshots recorded, unequivocally proved that there was NO typing error and the documents were identical. Though the defendant went through the theatre of the false alibi, they didn’t include the typing error they claimed.
“The software proved extremely useful to the prosecution case and resulted in guilty pleas,” said Ferguson.
Technical Information - Storage Considerations
For a default recording profile, Veriato will record approximately 8 Mb per user per day (including screenshots captured every 30 seconds).
Policing guidelines (MoPI) suggest Police keep data used in an investigation for 6 years.
According to Transparency International UK, 0.5% - 1% of UK police staff are corrupt:
March 2015 (900,000 officers x (0.5% to 1%) = 4,500 to 9,000 officers)
Policing guidelines (MoPI) suggest data used in an investigation be stored for 6 years. To provide an estimate of storage space required to support a recommended monitoring and retention program, we use two assumptions:
A key differentiator for Veriato our ability to securely, temporarily store user activity data on the endpoint that the activity occurred. This distributed storage architecture was designed to (a) insure that the detailed user activity data is available when needed to support investigations while (b) minimizing the resource impact on the IT infrastructure and budget. Other solutions Veriato has seen deployed within UK police forces require as much as 25 Mb of space per user per day, and do not have the ability to lever available storage on the endpoint to mitigate the overall additional storage requirement.
Veriato employs a client-server architecture. The data collector or agent, commonly referred to as a “client recorder” in Veriato technical documentation, is deployed to the target machine (workstation, server or mobile device ). Server-based components collect and store information from the target machines, where it can be analysed and reported on from a client-based application (the ‘Dashboard’). Multiple instances of the Dashboard can be deployed. The ‘Control Centre’ application is used to deploy and manage agent recording and to administer the other components in the architecture.
Authentication, Permissions, & Data Security
The ‘standard’ user can:
Dashboard users require access permissions to the database that stores the recorded events as well as the network share where the screen snapshots and email attachments are stored.
The Control Centre application requires administrative and network access to all monitored end points (for Client Recorder control) as well as network access to other components for administration purposes. Note that the Control Centre is a single instance from which all client recorders are administered.
Client recordings are encrypted before being sent to the server data stores. Once stored in the database, access to event data is controlled through database authentication. Screen snapshots and email attachment are encrypted on the network share.
Veriato provides an Export Utility that allows client recordings to be exported from the database and flat file system to our propriety format. Since these files are viewable only with a Veriato Viewer chain of custody is maintained for any legal proceedings where recordings may be used as evidence.