Part 2: Centralizing Physical/Logical Security Operations: A View from PSIM Vendor VidSys


David Fowler of VidSys discusses some of the political and logistical aspects of centralizing physical and logical security operations

Yesterday's portion of Security Squared's exclusive conversation with David Fowler (pictured), senior vice president, product development and marketing for VidSys, discussed some of the ways in which large enterprises are beginning to pool data gathered by their physical and logical systems to correlate alerts and/or to assist with situation management. In today's portion, he talks about who tends to "own" centralized physical/logical security operations and about the impact of not having a comprehensive strategy for integrating physical and logical security systems.

What follows is an abridged transcription of Fowler's conversation with Sharon J. Watson, edited for clarity and length.

*********************

Sharon J. Watson: Who owns the centralized security operation?

David Fowler: That's a great question. We just did a webinar on convergence, we've done a couple of them in the last six months, and inevitably, the question comes down to 'Who's in charge?'

In most organizations today, they actually run two different command centers. They have a logical one and a physical one. The physical one is typically much more impressive. It involves a large video wall, they have video streams coming in, they might even have live TV being broadcast, oftentimes they're getting weather feeds, particularly if they happen to be an organization that's moving goods around, like trucking.

The logical side [is] much less impressive. Tends to be oriented around a handful of people in a room monitoring what's going on with systems and networks. So there's very little video.

And they budget separately. The place where they tend to come together...at some organizations, they come together at the CSO, some don't come together until you reach the CFO level. In a number of organizations, particularly recently, we're seeing a risk executive being put in place who's worried about both the risk associated with intellectual property or damage to property or asset protection or employee protection as well as worried about things like financial guidance and Sarbanes-Oxley.

The risk person would then, either on a dotted line basis or solid line basis, have the physical and logical underneath them. It's only when that happens that we start to see organizations--and this is only a few organizations right now--that we start to see organizations talk about bringing the two together. Usually when the two come together it's because they happen to be sharing the same network or sharing the same data, and when that happens, the organizations are forced to work together.

It's not a natural partnership.

SJW: That strikes me as illogical.

DF: I think it goes to the history of both organizations. The physical security guys have typically come up as physical security experts. Many of them are out of government agencies--CIA, FBI, law enforcement. IT to them was always just a tool, a necessary tool they had to have around. IT security takes a different view [of security]...they're much more interested in cyber-security than they are in bomb blast coatings, as we talked about earlier.

SJW: Some of the consultants I've talked to have said you can be attacked from within, that some fairly sophisticated hackers can figure out a way into your building and start hunting for passwords, and suddenly you have a hacker in the building. So you not only have a cyber problem but a physical security problem, and if your monitoring teams are in two different places, it seems like you would lose precious time and maybe not even communicate [about the alerts] properly.

DF: Yeah, I absolutely agree. I don't know what the recent studies are showing but a few years ago, the studies were showing the majority of assaults on companies actually came internally, not externally. I think the issue you tend to run into is the two organizations haven't had to work together to resolve these situations. The IT guys just assumed that the physical security guys were [ensuring] that no one got into the building who wasn't supposed to get into the building because that was their job, not just for protecting the computers but for protecting the people as well.

The physical guys just assumed that the IT guys are responsible for making sure no one got into their systems, whether they were inside or outside the building. It's only recently, I would say in the last couple of years, that people started to worry about once someone's in a building, how much more at risk am I of a security breach? I think that has become much clearer over the last few years.

Some of the organizations we're dealing with have very serious intellectual property security issues they have to deal with on a biweekly basis, and a lot of times it comes from the fact either employees or visitors in their building are walking off with intellectual property....

In a lot of cases, [enterprises] are going so far as to have a separate network for the company's operations than they do for a company's physical security, and the two aren't connected to each other. So an employee who works on physical security actually has to have two computers, one connected to the internal network, and one connected to the physical security network.

SJW: And that's still how it is today?

DF: Yes, in many organizations, that's the way it is today.

SJW: So when we're talking about a centralized security operation, we do mean people trying to pull together the logical and the physical alarms, not just consolidating the data feeds from a bunch of physical security systems - or just the feeds from logical SIM systems?

DF: Most organizations on the physical side are saying, I want to consolidate all of my physical, then when I've got that all under control in one command center, then I can talk about how that talks to the logical side.

But in some organizations right now, they're not waiting. So each side is dipping into the databases of the other side. But that tends to be, for lack of another term, situation specific. Something happened, and they've decided they need to make logical talk to some aspect of physical or vice versa.

SJW: In other words, something bad happened and they want to make sure it doesn't happen again?

DF: Yeah, I'll give you a quick example. We were in an organization where they said, 'we had a visitor...found wandering in an area of the building they shouldn't have been in.' They have a visitor management system that's tied to the logical side but it wasn't tied in at all to the badge that the visitor had. They had one visitor badge, and the policy was the visitor had to be physically escorted. They weren't escorted to the restroom, and they were found wandering in an area that was highly secure.

The organization...went to a tieback system where the visitor's badge would restrict the access they had in the building. That's not a complete physical to logical tie in. That's not even a complete identity management tie in. That's just visitor management on the logical side tied to the badge system on the physical side.

So that's a tactical solution. Of course the problem is, whatever they just did for visitor management they'll have to do again if they want to restrict access to intellectual property or engineering labs or some other area. That's where it starts to get out of control: if you're doing one-offs between logical and physical all the time, you're going to have a bunch of one-offs to manage. Ideally what you want to get to is where there is one path between logical and physical, you connect the two systems together and decide what you're going to send over that path.

SJW: At some point, that would mean people need to sit down in a room and figure out what the rules are.

DF: That's correct. What are my risks? The first question we ask organizations when they come to us is, what are the situations you're most worried about? Interestingly enough, most of them can't tell us. They can give chapter and verse of all the situations; they can't prioritize them for you. The ones they're most concerned about actually turn out to be the ones that occur the least number of times. The ones that happen in the thousands of times a day are the ones that operationally they just want to get rid of. Most of the time, they're false alarms. Sometimes they're redundant. We have organizations getting 100,000s of false alarms a week. They can't possibly find the good ones amongst the bad ones.

So you start with, what are my risks? And then having the [physical and logical] security organizations teamed up to say, what can we do to help resolve those risks? And translate those into each side's responsibilities to monitor for their specific situations. To be able to tap the assets of the other organization, that would be the ideal.

###

Query: How well is your enterprise able to correlate alarms from various physical security, building automation, network and IT systems?

Don't miss Part 1 of our exclusive conversation with David Fowler of VidSys.
