August 2009 Archives

Physical/Logical Convergence via SIEM

Convergence Driven by Information Security

When researching a story about how enterprises can achieve a comprehensive, correlated view of their physical and logical security, Security Squared went to a person who wrote the book on the subject. That's Colby DeRodeff, a co-author of Physical and Logical Security Convergence: Powered by Enterprise Security Management, and enterprise strategist for ArcSight, the leader in security information and event management (SIEM) tools as per the Gartner Group in June 2009.

SIEM solutions are analogous to physical security information management systems (PSIM), correlating data coming from many logical security tools, such as intrusion detection, antivirus scans, firewalls, routers, etc. In this first part of his conversation with Sharon J. Watson, DeRodeff deals with technical issues for converging physical and logical event data.

What follows is a transcription of our conversation, edited for clarity. Part Two will post September 1.

Sharon J. Watson: What has to happen to connect and correlate data you get about logical security events and physical events so you can get a really good look at what is an imminent threat or a threat that's unfolding as well as pull trending data so you can anticipate and stop some things?

Colby DeRodeff: One of the biggest challenges that you have in trying to correlate physical security data with logical data is the disparity between how those different systems identify individuals. An example of that: at the very basic convergence level, you're trying to compare logs from a badge reader to logs from a domain controller that is allowing me to authenticate to the network. When I look at the log from a badge reader, that badge reader system usually will identify Colby as a numbered ID, like 123457. The domain controller that's doing the network authentication will identify Colby as my domain logon ID, ColbyDeRodeff or CDeRodeff, or what have you.

When I try to do a systematic comparison of those two values, they don't really match up.
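The identity mismatch DeRodeff describes (a badge reader logging a numeric badge ID while the domain controller logs a logon name) is the first thing a correlation rule has to resolve before physical and logical events can be compared. The following Python example is added here to illustrate that step and is not part of the interview or of any ArcSight product: it assumes a hypothetical badge-to-logon map (in practice fed from HR or a directory), normalizes both constructed log samples to one canonical identity, and then flags interactive logons with no matching badge-in, as well as logon names the map does not know.

```python
"""Correlate badge-reader events with domain logon events by normalizing identities.

Constructed example: the identity map, the badge log and the domain
controller log below are all made up for illustration. The 4624 event ID
is the Windows "successful logon" event; the line format is invented.
"""
import re
from datetime import datetime, timedelta

# Assumed identity map (hypothetical): badge number -> domain logon ID.
IDENTITY_MAP = {
    "123457": "cderodeff",
    "123458": "jsmith",
}
KNOWN_IDENTITIES = set(IDENTITY_MAP.values())

# Constructed badge-reader log: the reader only knows numeric badge IDs.
BADGE_LOG = """\
2009-08-17 08:02:11 door=HQ-Lobby badge=123457 result=GRANTED
2009-08-17 08:15:40 door=HQ-Lobby badge=123458 result=GRANTED
2009-08-17 12:01:05 door=HQ-Lobby badge=123457 result=EXIT
"""

# Constructed domain-controller log: the DC only knows logon names.
DC_LOG = """\
2009-08-17 08:05:30 EventID=4624 user=CORP\\CDeRodeff workstation=WS-101 type=Interactive
2009-08-17 09:30:02 EventID=4624 user=CORP\\JSmith workstation=WS-102 type=Interactive
2009-08-17 13:20:44 EventID=4624 user=CORP\\CDeRodeff workstation=WS-101 type=Interactive
2009-08-17 10:12:00 EventID=4624 user=CORP\\MLee workstation=WS-103 type=Interactive
"""

BADGE_RE = re.compile(r"^(\S+ \S+) door=(\S+) badge=(\d+) result=(\S+)$")
DC_RE = re.compile(
    r"^(\S+ \S+) EventID=(\d+) user=(?:\S+\\)?(\S+) workstation=(\S+) type=(\S+)$"
)


def parse_badge(log):
    """Parse badge events and translate each badge number to the canonical identity."""
    events = []
    for line in log.splitlines():
        m = BADGE_RE.match(line)
        if not m:
            continue
        ts, door, badge, result = m.groups()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "door": door,
            "badge": badge,
            "result": result,
            # None when the badge number is not in the map (unknown badge).
            "identity": IDENTITY_MAP.get(badge),
        })
    return events


def parse_dc(log):
    """Parse successful interactive logons; strip the domain prefix and lowercase the name."""
    events = []
    for line in log.splitlines():
        m = DC_RE.match(line)
        if not m:
            continue
        ts, event_id, user, workstation, logon_type = m.groups()
        if event_id != "4624" or logon_type != "Interactive":
            continue
        events.append({
            "ts": datetime.fromisoformat(ts),
            "workstation": workstation,
            "identity": user.lower(),
        })
    return events


def correlate(badge_events, logon_events, window=timedelta(hours=12)):
    """Return (finding, identity, timestamp) tuples for logons that do not line up with a badge-in."""
    findings = []
    for logon in sorted(logon_events, key=lambda e: e["ts"]):
        who = logon["identity"]
        if who not in KNOWN_IDENTITIES:
            # The DC knows this user but the badge system does not: the map needs attention.
            findings.append(("UNMAPPED_IDENTITY", who, logon["ts"]))
            continue
        # Badge events for the same person inside the look-back window before the logon.
        prior = [
            b for b in badge_events
            if b["identity"] == who and b["ts"] <= logon["ts"] and logon["ts"] - b["ts"] <= window
        ]
        # Present on site only if the most recent badge event was an entry, not an exit.
        on_site = bool(prior) and max(prior, key=lambda b: b["ts"])["result"] == "GRANTED"
        if not on_site:
            findings.append(("LOGON_WITHOUT_BADGE_IN", who, logon["ts"]))
    return findings


if __name__ == "__main__":
    for finding in correlate(parse_badge(BADGE_LOG), parse_dc(DC_LOG)):
        print(finding)
```

Run on the constructed samples, the rule reports one unmapped logon name (the DC user with no badge entry in the map) and one logon at 13:20 that follows a badge-out with no badge-in, which is the kind of physical/logical discrepancy a converged correlation view is meant to surface. Everything hinges on the identity map being maintained: an empty or stale map turns every logon into an "unmapped" finding rather than a usable signal.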
