
Building AB685 Compliant Contact-Tracing Systems Using Existing Security Technologies

Without reporting standards for COVID-19 cases, organizations looking to return to their offices could face delays and the risk of spreading infection. To combat this, Gov. Newsom of California recently introduced an extension to the existing AB685 legislation to get employees back to work as safely as possible. The extension will go into effect on Jan. 1 and will require employers to tell workers in writing that they may have been exposed to the virus. Newsom created this addendum as an enforceable statewide standard for how employers handle potential exposure to COVID-19 and outbreaks in the workplace. The law will also expand the power of California’s Division of Occupational Safety and Health (Cal/OSHA) to enforce the new standard and take action to protect employees, including shutting down worksites deemed a hazard due to COVID-19 risk.

At my company, we know firsthand the importance of thorough contact tracing when COVID-19 comes knocking at your business’s door. We were one of the first tech companies to handle positive COVID-19 cases back in March following the RSA Conference. Our CEO and co-founder Nir Polak was skiing in Utah when he received word that a couple of employees were experiencing flu-like symptoms after attending the conference. At the time, our only method of contact tracing was to rely on the employees themselves to alert our human resources department if they had tested positive.

Following the confirmation that at least one of our employees had tested positive, our HR department immediately emailed the entire company – consisting of over 500 employees – urging them to work from home, shelter in place and monitor for any symptoms. In the end, three additional employees ended up testing positive. Our CEO also made the decision to alert anyone who might have come in contact with any of the employees at the conference and made a public statement.

For us, manual contact tracing was the only solution because of how early in the pandemic our cases occurred. Since March, several other exposure notification options have become available. Most notable is Apple and Google’s API for contact-tracing applications. The mobile apps use a phone’s Bluetooth service to alert someone who has been in proximity to a person who has tested positive. The technology is meant to augment traditional human-to-human exposure notification, not replace it – but there are some challenges. A lack of consistency among apps, having to switch apps if you cross state lines and the inability to reach populations who are regularly sheltering in place have made some governments and organizations hesitant to adopt contact-tracing systems.

However, in order for organizations to stay in compliance with the extension to the AB685 law, it is imperative that they have a strong exposure notification system in place in order to quickly and efficiently notify employees of a positive COVID-19 case. Luckily, there are other options available. Shortly after our experience with the virus, we had a customer come forward and request to see if there was a way to use our security information and event management (SIEM) software to build a powerful tracking use case. Below, we explore how modern SIEMs equipped with user entity and behavior analytics (UEBA) can help organizations keep their employees safe and stay compliant with the changes to the AB685 law — without additional investment.

Use log data

Our customer was already using the Exabeam Security Management Platform’s (SMP) data lake to keep track of all activity across their hundreds of offices around the globe, in order to prevent cyberattacks. However, the information a company stores does not have to be limited to events that might indicate adversary activity. Organizations can also use data lakes to collect relevant data sources like access logs, badge data, wireless access point data, authentication logs and other resources that might indicate who is in an office at any given time. Companies can then match this information against the records of any employee who has become infected. Human resources departments can then align the data with the incubation period of the infected employee and notify the employees who might have come in contact with the individual almost immediately via email, meeting the conditions of the AB685 law.

Repurposing threat hunting tools

The prior contact-tracing method relies heavily on the ability to perform search queries in a data lake or other log management system. For junior analysts, this might be a problem because of the specific knowledge needed. An alternative method is to repurpose threat hunting tools with search filters and drop-downs. Although this approach is less technical, it still produces the same queries and timelines, presented through a more complete interface.

Threat hunting tools are typically used to detect insider threat incidents, but in this use case, the tools can be used to detect the internal health threat. To determine when the employee was in the office during the infection period, analysts can adjust search criteria in the threat hunting tool for the time frame in question. Analysts then can use the information to determine where the infected employee went by monitoring the employee’s access to wireless routers, network zones, and badge scanners. With the addition of logs from data lakes, organizations can gain a more granular understanding of employee movement. After pulling together a timeline of where the infected employee was, analysts can then match it against other employees in the same areas and time frame. Analysts can then export the list and notify the HR department, which can then notify employees per the AB685 law.
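Both approaches above come down to the same correlation: build the infected employee's timeline of locations for the infection window from badge, wireless and authentication events, then find every other employee seen in the same zone at an overlapping time. The script below is an added example of that correlation and is not Exabeam's code or the SMP query language; it runs over a few constructed log lines embedded in the file. It assumes that each source has already been normalised to a (timestamp, user, source, zone) record and that a sighting implies presence in that zone for a fixed dwell time, since badge and Wi-Fi logs record arrivals, not departures. The user names, zones and the `dwell` parameter are all assumptions.

```python
"""Added example (not Exabeam's code): correlate normalised badge, Wi-Fi and
auth events to produce an exposure list for HR, as described in the text."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events: timestamp, user, source, zone. Not real data.
# The zone is assumed to have been resolved upstream (e.g. AP name -> floor).
SAMPLE_LOGS = """
2020-10-20T09:00:00 erin  wifi  HQ-floor3
2020-11-02T08:02:11 alice badge HQ-lobby
2020-11-02T08:05:40 alice wifi  HQ-floor3
2020-11-02T08:07:02 bob   badge HQ-lobby
2020-11-02T08:10:15 bob   wifi  HQ-floor3
2020-11-02T09:30:00 carol wifi  HQ-floor5
2020-11-02T12:45:12 alice auth  HQ-floor3
2020-11-02T13:00:31 dave  badge HQ-lobby
2020-11-02T13:02:09 dave  wifi  HQ-floor3
2020-11-03T10:00:00 alice wifi  BRANCH-floor1
2020-11-03T10:05:00 frank wifi  BRANCH-floor1
"""

# Assumed index case and infection window (constructed for the example).
INDEX_USER = "alice"
WINDOW_START = datetime(2020, 11, 2)
WINDOW_END = datetime(2020, 11, 4, 23, 59, 59)


@dataclass(frozen=True)
class Record:
    ts: datetime
    user: str
    source: str    # badge | wifi | auth
    location: str  # normalised zone


def parse_logs(text):
    """Parse the whitespace-separated sample format into Record objects."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, source, location = line.split()
        records.append(Record(datetime.fromisoformat(ts), user, source, location))
    return records


def presence_intervals(records, user, start, end, dwell):
    """Per zone, merge a user's sightings inside [start, end] into intervals.
    Each sighting is assumed to mean presence for `dwell` after it."""
    by_loc = defaultdict(list)
    for r in sorted(records, key=lambda r: r.ts):
        if r.user != user or not (start <= r.ts <= end):
            continue
        ivals = by_loc[r.location]
        s, e = r.ts, r.ts + dwell
        if ivals and s <= ivals[-1][1]:          # overlaps previous sighting: extend
            ivals[-1] = (ivals[-1][0], max(ivals[-1][1], e))
        else:
            ivals.append((s, e))
    return dict(by_loc)


def find_contacts(records, index_user, window_start, window_end,
                  dwell=timedelta(hours=1)):
    """Return {user: [(zone, overlap_start, overlap_end), ...]} for every other
    user whose presence overlaps the index user's in the same zone and window."""
    index = presence_intervals(records, index_user, window_start, window_end, dwell)
    contacts = {}
    for user in sorted({r.user for r in records if r.user != index_user}):
        theirs = presence_intervals(records, user, window_start, window_end, dwell)
        hits = []
        for loc, ivals in theirs.items():
            for s1, e1 in index.get(loc, []):
                for s2, e2 in ivals:
                    lo, hi = max(s1, s2), min(e1, e2)
                    if lo < hi:                   # non-empty overlap
                        hits.append((loc, lo, hi))
        if hits:
            contacts[user] = sorted(hits, key=lambda h: h[1])
    return contacts


def hr_export(contacts):
    """One tab-separated line per overlap, the minimum HR needs for a written notice."""
    return [f"{u}\t{loc}\t{lo.isoformat()}\t{hi.isoformat()}"
            for u, hits in contacts.items() for loc, lo, hi in hits]


def demo():
    return find_contacts(parse_logs(SAMPLE_LOGS), INDEX_USER, WINDOW_START, WINDOW_END)


if __name__ == "__main__":
    print("\n".join(hr_export(demo())))
```

With the constructed data, bob (lobby and floor 3), dave (floor 3 that afternoon) and frank (branch office the next day) are listed; carol was on a different floor and erin's sighting falls before the window, so neither appears. The dwell value is the weakest assumption here: too short and real overlaps are missed, too long and the list balloons, so it is worth tuning against how long people actually stay after a badge-in or Wi-Fi association, and the export is a candidate list for HR to review rather than a verdict.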

Strong exposure notification systems are key to staying compliant

The extension to the AB685 law may be the first legislation of its kind for organizations dealing with the aftermath of COVID-19, but it will likely not be the last. Fortunately, we have moved past the need for manual contact-tracing systems and can use existing technologies in different ways in order to stay compliant with legislation. As the enforcement date for AB685 approaches and employees return to offices, organizations should look into using their existing SIEM and UEBA technologies for strong contact-tracing systems.