Part 2: CA Security Management on Converging Physical and Logical Event Data



Converging Physical Location and Logical Event Data for Tighter Security, Compliance, Enterprise Use

In yesterday's segment of our interview with Dave Hansen, corporate senior vice president and general manager of CA Security Management, Hansen talked about a vision for proactive, policy-based alarming built into security information and event management (SIEM) systems. He also discussed adding location data from physical access control systems to logical event data - such as noting when and where people are working - to achieve tighter physical access control policies as well as potential creative new business applications.

We pick up discussing practical solutions for connecting SIEM and systems generating physical event data.

Sharon J. Watson: There are analogous systems - physical security information management [PSIM] systems - pulling in the feeds from physical security systems. I'm wondering, Dave, if you see a natural marriage down the line between PSIM and SIEM?

Dave Hansen: Yeah, I do. That can be the biggest integration point. The people who are doing a PSIM type solution, they are talking to audio systems, video systems, the badging systems, all those types of things. We'll let those guys do that, that's totally cool....They normalize some of it, they can start propagating up events that already have been filtered to a certain level, they can cut out some of the noise, that makes life a lot easier for us on the logical side.


SJW: On a daily basis, how does this work on a practical level? How do you ensure the data is acted on when it starts to percolate up?

DH: I'm sitting in Islandia [New York], so I'm visualizing how it would work here. I'll speak on two fronts, one as the CA person who ran IT for CA, and I'll speak as one running IT for the pulp and paper industry, which is a little different.

Here absolutely those servers running those systems would be in our data center. There's no grayness about that here, I know that for a fact. Those servers sit in our data center, those things are physically in the same room so that aspect of it is quite simple. It's a matter of just forwarding those logs to an event collection system. It's really not a difficult task. It's a very common practice.

It's really not that hard to tie these pieces together. It's really making sure the complicated part happens at the normalization and event correlation and defining the use cases you're trying to watch for. That's the tricky part. It can be done, that's the stuff people are working on to make it better and easier.

The other scenario is when you go into heavy manufacturing, not as state of the art or modern, you'll find it's fairly common to have badging systems with the servers sitting under someone's desk in a guard shack. That can happen. It's still very feasible to [connect to the badging system]. The question becomes 'Are these systems physically connected to the network?'

At my old job, back when I was running pulp and paper, we went through that journey of having these individual security type systems that were spread out through a very, very large plant and modernizing them and putting them on the network and then being able to provide the integration with the other applications and systems. Most people are pretty far down that path, so there isn't a huge technical challenge to do this.

SJW: What about the political challenge? When these two spheres of security start getting together, what are some of the challenges you see prospects and clients facing?

DH: It's tricky. I hear people talk about convergence of the role. I don't see that a lot because I think there's a lot of work to do on both sides. When I sit down with our physical security guys, some of the things they worry about and do, I'm just amazed at. They worry about our global safety, they're involved in watching for pandemics, they worry about things that IT guys kind of worry about but not nearly so much.


What's happening is that this initial phase is creating opportunities for these people to get into the same room and have these conversations that maybe they hadn't done except [when] reacting to incidents. So they are getting more proactive and opening up the dialogue.

Our physical security guy is great. He is actually out talking to a customer for me tomorrow, getting their thoughts on this to help us. He is the one helping [to push us] further in this space because he sees from his job and in his community of physical security leaders that a lot of people are talking about and doing it.  

So I think there are some politics. I'm an IT guy, and I am going to say that ultimately the data is going to end up going to IT.  I'd doubt that PSIM systems are going to start actually having the integration to the identity side, and the identities are going to be made available to the physical guys. That's Dave's opinion because of my background. The physical guys might have a different viewpoint. Right now, with the controls that are around identity information, I still think it better resides in IT. So IT will be a little more of a controller of that logical data and work within the constraints of the physical access system to tie it together.

I do raise this topic everywhere I go in talking to folks, kind of like you're doing, testing the hypothesis that this is really where people want to go as well as to get the idea of how it works internally between the physical and logical...

SJW: Am I right in thinking if you have good provisioning, then you have a good identity management solution in place, so that's really the underpinning? I'm trying to figure out what the foundation of this [physical-logical connection] is.

DH: I would say yes. It's not that you could not do it but the problem is I don't think you're getting the value. You could have HR put the information in and take it out of the physical system as a new employee came on but if you don't automate that--and the way to automate that is with an identity management system provisioning engine--the companies we work with are just too big to be able to deal with that.

I think that's a very good premise: without having a solid identity management system in place that manages that whole aspect, it's kind of dangerous, both from the adding users and the time it takes to get people provisioned to the time it takes to get them out.

SJW: What should I be asking that I'm not?

DH: We actually briefed our CEO last month, asking for some additional innovation funds to do some pilots in these three areas that are the things we really talked about today: provisioning/de-provisioning; using our badge as a multifactor authentication; and then taking that same data and being able to tell when something happens from the logical side and tie it to a physical event. I think you're absolutely on track, and those three things are the big nuts to crack.

We're really talking about the maturation of risk assessment and risk within an environment. Everyone is going to look at some of this stuff differently, and depending on the sector, the industry people are in, all those things are going to drive the different levels of maturity that people are at today and using this stuff more aggressively.

I think we [CA] are in pretty good shape when it comes to a physical system worldwide-- not everyone is that tight on that. A lot of companies have gone through acquisitions-- they don't go out there and change all their badging systems so they have to do all this federation of badging systems behind the scenes. We don't do that. We tried to get everyone on our major system pretty darn quick. It's consistent. I really like that when I travel around the world, my badge works in any CA office in the world. It's pretty cool.

That's why I say getting that [physical location] information...even if my assistant knew where I was, it would probably be helpful for her if I wanted to make that available to her and she needed me. I swipe into Hong Kong and she would get an alert, she knows she can route calls to me if there's an emergency or whatever.

The thing I am getting my head around now is the use cases...for taking that physical data beyond those three big use cases [deprovisioning, badge for multifactor authentication; correlation of physical and logical event data]. How can I use it if I feed it back into a system? Take all the blinders off: if I can give potential location information to any system, would that help? I think that's one thing to keep exploring....
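The three pilots Hansen describes (provisioning/de-provisioning, the badge as a second factor, and correlating physical with logical events) all come down to joining a badge event stream and a logon event stream on identity and time, with the identity management system as the authority on who is still active. The following Python is an added example written for this page; it is not CA's code and not anything Hansen described. The comma-separated badge and logon record layouts, the site names, the identity status table, and the twelve-hour presence window are all assumptions, and the sample events are constructed.

```python
"""Correlate physical badge events with logical logon events (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed record layouts (not a real badging-system or SIEM export format):
#   badge: "<iso-timestamp>,<user>,<site>,<IN|OUT>"
#   logon: "<iso-timestamp>,<user>,<site whose network the logon came from>,<system>"
# The events below are constructed for this example.
BADGE_LINES = [
    "2010-01-12T08:02:00,alice,ISLANDIA,IN",
    "2010-01-12T09:10:00,bob,HONGKONG,IN",
    "2010-01-12T17:30:00,alice,ISLANDIA,OUT",
    "2010-01-12T18:05:00,carol,ISLANDIA,IN",
]
LOGON_LINES = [
    "2010-01-12T08:15:00,alice,ISLANDIA,fileserver01",
    "2010-01-12T09:30:00,bob,ISLANDIA,vpn-gw",
    "2010-01-12T07:40:00,dave,ISLANDIA,hr-db",
    "2010-01-12T18:20:00,carol,ISLANDIA,payroll",
    "2010-01-12T19:00:00,alice,ISLANDIA,fileserver01",
]
# Identity status as a provisioning engine would expose it (constructed).
IDENTITY_STATUS = {"alice": "active", "bob": "active", "carol": "terminated", "dave": "active"}


@dataclass(frozen=True)
class BadgeEvent:
    ts: datetime
    user: str
    site: str
    direction: str  # "IN" or "OUT"


@dataclass(frozen=True)
class LogonEvent:
    ts: datetime
    user: str
    source_site: str  # site whose network the logon originated from
    system: str


def parse_badge(line: str) -> BadgeEvent:
    ts, user, site, direction = line.strip().split(",")
    return BadgeEvent(datetime.fromisoformat(ts), user, site, direction)


def parse_logon(line: str) -> LogonEvent:
    ts, user, source_site, system = line.strip().split(",")
    return LogonEvent(datetime.fromisoformat(ts), user, source_site, system)


def presence_at(badge_events, user, at, window):
    """Site the user is badged into at time `at`, or None when the most recent
    badge event inside the window is an OUT (or there is no event at all)."""
    latest = None
    for ev in badge_events:
        if ev.user == user and at - window <= ev.ts <= at:
            if latest is None or ev.ts > latest.ts:
                latest = ev
    if latest is None or latest.direction != "IN":
        return None
    return latest.site


def correlate(badge_events, logon_events, identity_status, window=timedelta(hours=12)):
    """Return (kind, user, timestamp, detail) tuples covering the three use cases:
    de-provisioning gaps, logons with no physical presence, and location mismatch."""
    alerts = []
    # De-provisioning gap on the physical side: a badge that still opens doors
    # for an identity the identity management system no longer considers active.
    for ev in sorted(badge_events, key=lambda e: e.ts):
        if identity_status.get(ev.user, "unknown") != "active":
            alerts.append(("DEPROVISIONED_BADGE", ev.user, ev.ts, ev.site))
    for ev in sorted(logon_events, key=lambda e: e.ts):
        # De-provisioning gap on the logical side.
        if identity_status.get(ev.user, "unknown") != "active":
            alerts.append(("DEPROVISIONED_LOGON", ev.user, ev.ts, ev.system))
            continue
        site = presence_at(badge_events, ev.user, ev.ts, window)
        if site is None:
            # Logon from an office network with no badge-in on record.
            alerts.append(("NO_BADGE_PRESENCE", ev.user, ev.ts, ev.system))
        elif site != ev.source_site:
            # Badged into one site, logging on from another site's network.
            alerts.append(("LOCATION_MISMATCH", ev.user, ev.ts, f"{site}!={ev.source_site}"))
    return alerts


def run_sample():
    badges = [parse_badge(line) for line in BADGE_LINES]
    logons = [parse_logon(line) for line in LOGON_LINES]
    return correlate(badges, logons, IDENTITY_STATUS)


if __name__ == "__main__":
    for kind, user, ts, detail in run_sample():
        print(f"{ts.isoformat()} {kind:20} {user:6} {detail}")
```

On the constructed data this raises five alerts: carol's badge still opening a door after termination, carol logging on after termination, dave logging on from the office network without ever badging in, bob badged into Hong Kong but logging on from the Islandia network, and alice logging on after badging out. The identity status table, not the badging system, decides who is active, which is the "identity data resides in IT" arrangement Hansen argues for; the presence window is the knob to tune per site, since long shifts or a propped door will otherwise produce NO_BADGE_PRESENCE noise.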

###

Query: What enterprise applications or business issues might benefit from data  held in your physical or logical security event systems?

See also our recent interview with Quantum Secure's Vik Ghai for more on use cases for converged physical/logical event data.

Read our previous interview with Dave Hansen on identity management's role in security and business
