Security Operations, Centralized: A Perspective from Proximex


Larry Lien, vice president of product management for Proximex, talks about the issues of sharing data across physical and logical security lines

How can an enterprise achieve an intelligent perspective on its security that encompasses systems, functions and data in both logical and physical worlds? At Security Squared, we're researching that topic for an upcoming feature article. To that end, Sharon J. Watson spoke with Larry Lien (pictured), vice president of product management for PSIM vendor Proximex. In this first part of our conversation, Lien discusses the building blocks of creating centralized security operations as well as some of the obstacles.

What follows is an abridged transcription of our conversation, edited for clarity and length. Part 2 of this conversation posts tomorrow.

*******
Sharon J. Watson: When I say that, "centralized security operations," what comes to your mind, and what do you think would come to mind for a client or prospect?

Larry Lien: This is the way we see things right now. You typically go into what they call a security operations center, and it is very physical security oriented. They're managing access control, your badges, things like that, and you get alarms that a door's forced open, you might get an intrusion alert--glass is breaking in a particular facility--or they're monitoring video. When you're talking about security operations, that's what you typically see.

The problem that we see...is that it tends to be [in silos], so they might have four or five different systems there, and they all sit in separate machines, there are separate logins for all of that. I draw a parallel to that as you look at the IT part of the world. There are lots of silos of information as well, and they have a network operations center, or NOC, and they are also managing things, alerts from networking devices, from servers, from databases and all these other types of applications that are running on the IP network. They are all silos; there is an application that sits on top of all that to manage it.

We're drawing a parallel when we look at a security operations center and all the physical security components they monitor. The interesting point is: where does identity fit into all of the applications? When it has to deal with physical security identity, somebody's badge, it typically falls into the security operations center. But when you talk about the logical identity, like using Active Directory or LDAP, to manage somebody's identity, it usually falls into a network operations center.

....So we're at a very, very interesting point: if you're sitting in the security operations center, how do you bring in information that's related to a logical identity--and vice versa as well: A logical intrusion could also be coming from something that happened on the physical side.

SJW: So when people are thinking about centralized security operations, are they thinking of merging physical and logical security systems?

LL: I'd say the more progressive companies are thinking about that, but the large majority are not. A perfect example is one of our customers down in Southern California, Stephen S. Wise schools, they are definitely thinking about converging these two areas. In fact, their CISO is responsible for both physical and logical security. So he has both of those underneath his belt.

I'd say a large majority of the companies out there are thinking about it, they may want to get there in the future, but they're still thinking about what the use cases are, how is their physical security really going to affect their logical security. People are talking about that, they're strategizing about that, but when you go into their environments, you have a plain old security operations center that's very, very physical security focused.

SJW: What would be the broad building blocks of pulling those two sides together?

LL: This comes from talking to a lot of customers, the way we see the architecture coming together. First of all, it's broken down into four major components....You need to have all the systems out there. That's the first part of your building block: getting information from those systems so whether you're getting information from an access control system or replaying video from a video system or pulling information from Active Directory, you have to have systems out there that you want to manage and monitor. That's the first piece.

The second piece is, how do you get that information into a common framework? The way we looked at it is that it's like middleware, very much like that in the IT part of the world. It's a common way to share information on a common highway. Today, one access control system doesn't know how to communicate with another access control system nor do they know how to communicate with a video management system. How do you put everything onto a common highway so everyone knows how to communicate with each other, and information can be shared? So that's the second building block.

The third part is, how do you actually manage that information once it's there. How do you take that information and start to correlate it and relate it together so that it starts to make sense to people?  An example we like to cite is somebody busts through a door to get either in or out of the building. What are the types of information you want to see? First of all, you get an alarm from the access control system that says, 'hey, this door's been forced open.' Second, you want to pull in some video that relates that alarm to something that someone can visualize. So that might be live or recorded video.

At the same time, you might want to pull information about who were the last five people that went through that door.  That may be pulling [data] from an access control system, then going into an identity management system that looks at that person's history--did he log in and where? So you start to collect a lot of information. But if there is no good way to actually communicate or correlate that information, that information isn't really mined out so that you can make a good decision.

So the third part is very, very important, being able to pull that information together in a very intelligent way.

If you can do the first few steps very effectively, then the last piece is, how do you pool it in a way that somebody can view it and make use of that information.  People talk about a common user interface or centralized user interface...people say, I've got maps, I can pull up the details of the alarms. I think that's important but it's even more than that. It's how do you actually create reports very easily as well. We often see lots of people trying to go between multiple systems, manually pulling out information to put it into an Excel worksheet or Microsoft Word document, or going back and getting video clips from systems. How do you pool all of that information and do some very common reporting but also look at it in a way that's not just reactive but also proactive so that you are actually doing some trending across your environment.

Wouldn't it be great to know, 'Oh, I am getting the most alarms within this area,' or one particular area or one particular door or sensor that's setting off alarms or one particular person who's setting off all those alarms. Those are trends. I think the security industry right now as a whole hasn't done a lot to be very proactive about it--they're more on the reactive side.

Those are the four main components. The first is the systems that are out there; the second is the integrated platform of how to pull stuff together; and then there's the way to intelligently gather the information, in our world we call that the business logic engine; and the last one is the visualization of a centralized console and reporting.

SJW: If you don't have a command center that pulls together IT systems and alerts as well as physical security systems and alerts, how do clients and prospects in today's world relay information and alerts to each other?

LL: Quite honestly, I think in most environments, it's not relayed. It's typically done in an investigative fashion just because the information is so hard today to get. People just often don't do it or will wait. You can't do it in real time. Talking from one department to another department is just too much manual effort. So I'd say today it either doesn't get done or it's a very manual, tedious process.

You can imagine what needs to happen...if you need to do a lookup on a specific person's ID, and all you have in front of you is an access control alarm, somebody went through a door, and I have that person's ID. If you need to make another query, you need to open up another case or call someone in the IT department [to ask] where this person's been, tell me more about this person's background. You need to send out a couple of e-mail messages to get that information back. Then he may not have the right information to correlate that person: there could be more than one John Smith. It could be a pretty tedious process to pull all that information together.

So it turns a lot of what can be solved and resolved in real time into something that has to happen after the fact. You often just can't resolve the issue until after the fact--it becomes a more investigative thing.

That's why we really think being able to pull this information together is very, very key. It's taking the monotony or tedious work out of having to correlate information because the information is out there--it's just not extracted or mined out in the proper way. There are databases of information out there but often times they just sit there for somebody to go back and use in an investigative fashion. It's not really being used in real time.
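The forced-door scenario Lien walks through (alarm, last five badge holders at that door, each holder's logical logins) and the per-door trending he calls for, as an added example that is not Proximex code or anything from the interview. The event tuples, badge-to-account mapping and logon records are constructed sample data; the point it makes concrete is that the join between the physical and logical sides runs on the badge ID, not the display name, so the "more than one John Smith" problem never arises.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample data (hypothetical, not from any real system). ISO 8601 times.
ACCESS_EVENTS = [  # (time, door, badge_id, result) from the access control system
    ("2010-03-02T08:40:00", "door-7", "B1001", "granted"),
    ("2010-03-02T08:45:00", "door-7", "B1002", "granted"),
    ("2010-03-02T08:50:00", "door-3", "B1003", "granted"),
    ("2010-03-02T08:55:00", "door-7", "B1004", "denied"),
    ("2010-03-02T08:57:00", "door-7", "B1003", "granted"),
    ("2010-03-02T09:00:00", "door-7", None, "forced"),
    ("2010-03-02T09:20:00", "door-7", "B1001", "granted"),
]
# Badge -> (directory account, display name). Two distinct people share a name.
IDENTITIES = {
    "B1001": ("jsmith", "John Smith"),
    "B1002": ("jsmith2", "John Smith"),
    "B1003": ("apatel", "Anita Patel"),
    "B1004": ("rlee", "Rosa Lee"),
}
LOGINS = [  # (time, account, host) from the directory's logon audit trail
    ("2010-03-02T08:42:00", "jsmith", "ws-14"),
    ("2010-03-02T08:46:00", "jsmith2", "ws-27"),
    ("2010-03-02T06:30:00", "apatel", "ws-03"),
]


def parse(ts):
    return datetime.fromisoformat(ts)


def correlate_forced_door(alarm_time, door, n=5, window=timedelta(hours=2)):
    """Incident view for a forced-door alarm: the last n granted badge events
    at that door before the alarm, each joined to the holder's logical logins
    inside the window. The join key is the badge ID, never the display name."""
    t0 = parse(alarm_time)
    swipes = [e for e in ACCESS_EVENTS
              if e[1] == door and e[3] == "granted" and parse(e[0]) <= t0]
    swipes.sort(key=lambda e: e[0], reverse=True)  # most recent first
    view = []
    for ts, _, badge, _ in swipes[:n]:
        account, name = IDENTITIES.get(badge, (None, "unknown badge"))
        logins = [(lt, host) for lt, acct, host in LOGINS
                  if acct == account and t0 - window <= parse(lt) <= t0]
        view.append({"badge": badge, "account": account, "name": name,
                     "badged_at": ts, "logins": logins})
    return view


def alarm_trends(events, kind="forced"):
    """Alarms of one kind per door: the proactive trending Lien contrasts
    with purely reactive alarm handling."""
    return Counter(e[1] for e in events if e[3] == kind)


if __name__ == "__main__":
    for row in correlate_forced_door("2010-03-02T09:00:00", "door-7"):
        print(row)
    print(alarm_trends(ACCESS_EVENTS))
```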

###

Tomorrow, in Part 2 of this conversation, Lien discusses the ways in which enterprises are anticipating partnerships between their IT and physical security professionals and the growing demand for, and expertise in, creating strong business cases for converged security/business solutions.
