As workers start to return to their job sites, many employers are trying to understand how they can provide a safe work environment and protect employees should a peer test positive for COVID-19. Can contact-tracing technologies play a role? Are there other technologies that organizations can leverage? Are employers legally required to notify employees?
In this post, we take a look at how contact-tracing apps work, data access and privacy considerations and health safety obligations. We also share how Exabeam customers can implement a contact-tracing use case in their Exabeam deployment to keep their employees safe.
No employer playbook
As legal requirements vary across countries and even within regions, including states and counties in a country, global enterprises are challenged with understanding their obligations to inform employees should someone in their organization test positive for the coronavirus.
In the U.S., the CDC recommends businesses “determine which employees may have been exposed to the virus and inform employees of their possible exposure to COVID-19 in the workplace but maintain confidentiality as required by the Americans with Disabilities Act (ADA).” The CDC further recommends that “employers notify other employees that may have been in close contact with an employee that tests positive for COVID-19.” Under this scenario, employers must determine who is “at risk for contracting the illness and consider any possible contacts, including those outside of the office, plant or facility that is within the employer control.”
To keep employees safe, organizations can use mobile contact-tracing apps. Mobile apps work by alerting someone if they have come in proximity to someone who has tested positive. Some of the apps leverage technology that logs an employee’s location or movement by using their mobile phone’s geolocation service. Other apps such as those that leverage Google and Apple’s Exposure Notification System (contact-tracing API) use the phone’s Bluetooth service.
Google and Apple launched their contact-tracing API in May 2020, which is now available to governments and health agencies. The technology is meant to augment traditional human-to-human tracing, not replace it, as there are some challenges. For example, contact-tracing apps would not be effective with a large percentage of the population sheltering in place.
An alternative to using mobile apps is the use of visual tools on a modern SIEM to track user activities for contact tracing. Using timelines built from aggregated events, logs, and alerts, analysts can fine tune threat hunting or investigation capabilities to trace user movement. For example, analysts can track if the user is logged in from their usual location, has moved to a different network zone or has been to a restricted area. Exabeam provides the tools to visualize activity and drill down into specific details in a user’s timeline. In Figure 8 we see a timeline showing user activity during the day with several physical access logs highlighted including locations where the user has been such as conference rooms.
Mobile contact-tracing app challenges
Health and safety are the biggest concerns, yet many users view these apps as an intrusion of privacy and a form of mass surveillance. For example, some governments use the apps to broadcast the locations of infected individuals. Another challenge is poor data quality. GPS technology isn’t precise enough to gauge short distances between two phones to determine which encounters are most risky. In the case of Bluetooth, the variation in the Bluetooth signal range can send false alerts. Different Bluetooth protocols prevent interoperability between apps.
Contact tracing with Exabeam
Given the challenges with mobile contact-tracing apps, global enterprises should consider security information and event management (SIEM) as they explore how to build a powerful contact-tracing use case. Modern SIEMs with user and entity behavior analytics (UEBA) are able to take this a notch further by connecting dots traditional SIEMs cannot, and in doing so, providing analysts with much needed visibility. While this capability is usually used to detect security threats by analyzing data including user behavior, Exabeam customers are discovering that their deployments can be used for contact tracing to prevent the spread of the coronavirus in their facilities.
How does Exabeam compare to mobile contact-tracing apps for global enterprises? Here’s a quick overview of capabilities for Exabeam and apps that leverage Google and Apple’s Exposure Notification System:
|Google and Apple’s Exposure Notification System||Exabeam|
|Broad Adoption||Dependent on adoption by government and public health agencies||Easy to deploy in global enterprises. No dependencies on other entities.|
|Data Quality||Inconsistent with false positives, lack of interoperability, limited/weak signal range||More reliable and leverages log information from network activity, badge access|
|IT Management||Hard to manage disparate solutions||Visual dashboards and leverages existing infrastructure|
|Privacy||Need to collect user data||No new data required; personal data is not captured|
Below we explore two different ways Exabeam customers can leverage their deployments for contact tracing. The first option uses Exabeam Data Lake with queries. The second uses Exabeam Threat Hunter.
Option 1: Leveraging Exabeam for contact tracing using log data
Using Exabeam Data Lake, with just a few simple steps, you can design your own contract tracing solution. Data Lake helps you collect and store security data to meet threat detection and compliance use cases. With Data Lake you can:
- Collect relevant data sources like access logs, badge data, authentication logs about who’s in the office at any given time
- Match this information against employees who become infected
- Notify employees who came in close contact with an infected worker and take the necessary steps to get tested and self-isolate
- Track all who have been in contact with an infected person
A step-by-step guide with queries
Step 1: Conduct interviews with stakeholders such as HR, facilities and security to identify the IP space for the network zone of the infected employee.
In this example, our employee is based in the Atlanta office and works on the second floor mapped to network zone 10.55.5.0/20.
Figure 1: Employees who are on a single floor can be traced through the network zone they are in.
Step 2: Submit a query to capture the user’s web activity within the Atlanta office network.
Figure 2: Type in a query “…” to find out users’ web activity in the office network.
Step 3: Fine tune by aligning data analysis with the incubation period of the infected employee.
Figure 3: Assigning a date range that maps to the two week-incubation period captures all the activity during that time.
Step 4: Save search results, export and visualize them as a data table.
Figure 4: Input the sample size for a better view of the activities of other employees during the same period.
Step 5: Capture the activities of other employees during the same period in the same Atlanta office network zone.
Step 6: Notify the employees that came into proximity to the infected employee during the incubation period and ask them to work from home and self-quarantine.
Option 2 – Visualizing contact tracing using Exabeam’s threat hunting tools
The prior contact-tracing method relied on the ability to perform search queries in a data lake or log management system. This requires analysts to have specific knowledge — both of the environment they are searching, and of the query language being used — which may be a problem for junior staff members. An alternate method uses threat hunting tools with search filters and drop downs to create queries and timelines to represent them via a more graphical interface. This approach may be more appropriate for less technical or junior team members, HR and facilities partners and is unique to the Exabeam Security Management Platform.
Exabeam’s threat hunting tools are typically used to detect insider threats such as malicious or compromised insiders. In this use case, threat hunting tools are used to detect an internal health threat.
Step 1: Determine when the user was in the office during an infection period. This can be done in Exabeam Threat Hunter by adjusting search criteria, including the time frame in question. Here we are searching for Aileen over a five-day period of time.
Figure 5: Search queries can be easily made using drop-down menus.
Figure 6: The resulting list shows when the infected user, Aileen, was present in the IT environment. Each result includes a timeline of their activity.
Step 2: Determine where the infected employee went. Many companies have multiple floors or buildings within their campuses. For this reason, it can be helpful to see which network zones a user might have visited. Here we see Aileen connected to the Atlanta Office and also the Zone 55 network.
Figure 7: Network zone access can be used to track access to a specific building on a company’s campus.
Step 3: Find out where within those offices the infected employee went. With the addition of badge access data and printer logs it’s often possible to gain a more granular understanding of employee movement. Exabeam Smart Timelines can be repurposed to help understand the movement of an employee throughout the building. Here we can see several physical access logs showing Aileen’s movement. Note that she was in conference room #9 at 1:49 p.m.
Figure 8: A timeline showing user activity during a day with several physical access logs highlighted.
Figure 9: A detailed look at the physical access log data shows the infected employee, Aileen, badged into a specific conference room at 1:49 p.m.
Step 4: Find other users who were in the same space with the infected employee. Return to the drop-down menus and search for other users during the same time frame that had similar network zone access and physical access logs to yield a list of other employees who may have been exposed. A similar list can be created for people who badged into the conference room at the same time as Aileen by changing the search parameters.
Figure 10: A list of other employees who were in the Atlanta office at the same time as Aileen.
Step 5 – Export the list and notify employees. With a list of people who have either been in the same office space or the same conference room as the infected employee, you can notify at-risk employees that they may have been exposed.
Figure 11: The list of users sharing space with the infected employee can be easily exported as a .CSV file.
Monitoring office closure and keeping employees safe
Many offices including Exabeam are intentionally closed in order to keep employees safe and the areas clean. But what if employees are violating office closure policies?
Exabeam monitors data from a wide range of data sources which may be used to determine if employees are violating office closure policies, for example, network access logs and physical access logs. Since many offices have been closed long enough for user behavioral baselines to adapt to a work from home world, alerts can easily be created that would automatically key analysts in on unusual badge activity or network access activity that may be indicative of people violating the office closure policy.
Figure 12: Exabeam can help determine if office closure policies have been violated by monitoring network access and physical access logs.
As employers work on the details to reopen their offices and sites safely, they have to consider many situations including having a contact-tracing process in place in the event some employees get ill. We shared two approaches on how you can build a contact-tracing use case for your organization using the Exabeam Security Management Platform. Let us know how we can help or if you’d like more information about leveraging your Exabeam deployment to build this use case.