Milestone's Eric Fullerton on Video as Event Data


Integrating Video-based Data with other Logical/Physical Event Data for Centralized Security

A wall of video monitors is probably the iconic image of centralized security operations--at least from a physical security event perspective. At Security Squared, we wanted to know how images from IP-based cameras can augment logical security operations as well as physical security.

For answers, we talked with Eric Fullerton, corporate chief sales & marketing officer, Milestone Systems, the international developer of open platform IP video management software. Fullerton spoke with Sharon J. Watson about some of the technical challenges of bringing location-based video data into the security data picture, links from video systems to logical event management systems, and which event management systems may own the rules for defining and responding to security events.

The following is a transcription of our conversation, edited for clarity.

****************************

Eric Fullerton:
One of the issues when you start centralizing security is the integration of physical and logical security. You don't always know where an IP address is in your network. It ends at some kind of a MAC address, a media access control address, but the media access control address can move. And that becomes the issue. When you add the video to it, you actually have to know where that logical address is located. If you don't have the physical position of it, then you can't link it to the video.

Have you ever installed an IP phone system? When you did that, you were supposed to call a 911 service so they knew exactly what physical address that phone number belonged to. The reason you had to do that is the logical address you get with the IP phone system is not paired with your physical address known to the phone network. This is why it has to be logged.

Sharon J. Watson: So the logical IP address stays with the phone, but the 911 system doesn't know the phone is within a particular street address?

EF: Exactly. That's why you have to give your physical address to it. That is one of the keys that needs to be solved in the corporation that wants to link its logical security to its physical security. There are subnet systems that enable you to do this so you would roll out your systems and you know exactly who is where--apart from the laptops. The laptops might log on in different places in the network, and you wouldn't know exactly which room they were in. But all other things that aren't movable would get mapped to a physical map.

Once you've done that, then it's possible for you to link the video together with what's going on in the logical area. There are companies that don't let you log onto the network unless they know from their access control system that you actually entered the building. So they do a video verification of you when you step into the building, and when they know you are actually in the building, you're allowed to log into your computer.

That's another way of linking security to the video, so you actually have video verification that I brought my computer and that I'm actually in the building. Or if I'm in the building, then nobody's allowed to use my laptop from outside the building. The normal case is when people get a laptop from the company, they let their family know what the details are, then the person goes to work and the laptop is used from home. That can now be stopped because you can see through the access control system that the person is at work, not at home.

So those kinds of systems exist today, and they can feed into a higher level security system which can be used to know the people who are authorized to use certain access points are in the right [areas]. But if an intruder of some sort gains a password and identity to a computer that is not linked to a physical access system, then this person could be anywhere. That person could be logging in from outside of the States, logging in from downtown or someone could have physically broken into a house and is logging in.

SJW: Tell me more about that idea of doing a video verification when someone walks in the door before you let them onto the network.

EF: In my previous work, I worked with logical security. There were a few companies that were doing this. They would have a physical whereabouts server that would know when people were in the office or not, and it would know it by using the access control system. Then the access control system could use cards or multiple verification [factors], including video, to know the individuals are either at work or not.

SJW: The video verification part--would that be facial recognition? Would a face have to match data on a card?

EF: No, there are very few people who do that today. The video verification is just something that is stored in the data so when something happens, the guard will be able to go in and see who it was. That's very often used to make sure other people don't give their cards away, especially in remote offices. Today it's not an automatic video verification. The quality of facial recognition has not yet proven to be at such a level you can actually use that as a 'yes' or 'no.'

When I was at Intel back in the late '90s, we installed a facial recognition system that didn't really live up to the standards. It never got put into use because of the lack of quality for yes and no recognition of faces.

SJW: I think I understand the groundwork. Say I have a security information and event management (SIEM) system, and it is scanning logs and notices an anomaly. Based on the roles built into it, it's pretty certain there is a non-authorized person downloading sensitive information. If I understand you correctly, the only way to train a video camera on that location would be if they specifically knew the physical location of that workstation.

EF: Correct.

SJW: Let's say they do know where the workstation is physically. How would the SIEM system communicate to the video system? What would you say today would be the most sensible path?

EF: There are several ways you can do this. A system like ours has a [software development kit] so you can pull video from all the cameras that are in the system, and you'll be able to know this person is in room C22. Then you'll have the cameras that cover room C22 and cover the path to room C22. You'll be able to take the video that has been recorded for the past hour or two, pull it into a database and link it to that event in that SIEM system and say you want to store this for evidence or you want to make it available for a guard so he can prepare himself for what he has to do. So that's relatively simple.


SJW: Eric, how good are the cameras and the video today for being trigger points? For them noticing anomalous behavior that then triggers activity in the opposite direction that might tell an SIEM system 'you need to shut down access to workstations in the section F because a door got forced.'

EF: All of the systems out there today have what are called I/O triggers and video motion detection. In off hours, when nobody's supposed to be there, you'll be able to see if all of a sudden there's motion on the camera. In order to do that you actually need some light, unless it's an infrared camera, but you can also use infrared tripwires, door open and close, or any combination of those. That would then be able to trigger alarms. They could go directly into the information system and prohibit anyone from logging on in that area.  

SJW: How easy is it to get those alarms to where they need to be? Are these systems all fairly open--both the SIEM systems on the IT and the next generation of video management systems?

EF: If you just talk about open for integration to third parties, that's probably where this industry needs to mature a little bit because there are only a few select video systems that are open out there. Most of the others you would have to have the video vendors do this integration for you; you wouldn't be able to do it on your own.

We've been working in the retail sector to get some of these ERP systems and cash register systems as well as access control systems to work, and even though there is an API for most of these systems, it's fairly cumbersome to get access to the APIs and do the integration.

Very often it's something the vendors would like to do themselves so they can go in and control the deal. So they might be open on the technology side but on the behavioral side--very often the behavior of most of these companies is that they don't make things totally open and free.

SJW: Have you done much integration work up to the SIEM systems? Have you found that to be the case with them as well?

EF: We have done some integration to SIEM, but it has been very limited. We have an OEM partner of ours who has done more integration; it's an access control company that uses our video, and I know one of their products is an integration to an SIEM system.

SJW: One of the things I've been learning about as I've looked more at PSIM systems and SIEM systems is the way you can build rather detailed rules into them about what might constitute a situation or an event that's worthy of an alarm as well as how to address it. How often are rules seated within a video information management system like yours, how often are they in some other security system? What's the division of labor for those policies and rules for how you respond to an event or for how you identify an event?

EF: There is no generalization we can make here. All of this is driven by individuals in organizations. In some organizations, it will be the guy who's come up with that PSIM system who will be the strong person driving it. In others, it will be the SIEM people. It very much depends on which of these applications the end user views as his main application.

If you take the main application as the PSIM, that will be the one with most of the rules in it. If you take the SIEM system, that will be the one that's more dominant. If you take the video system, and they want to use the video system's GUI, that will be the one. So it really at this point depends on where people are coming from. It's not really driven by a norm in the industry.

SJW: Do you have a preference or do you think there is a technological reason to choose one over another?

EF: No. I think eventually this is where account control is going to happen from vendors. So the vendor that ends up being the one that delivers the GUI where the rules are managed becomes the one that is the main application for the end-user, and that leads to account control for whoever delivers.

That means we'll see a convergence of all of these systems in the industry where it's going to be a fight for account control, and that will determine what prevails over time.

SJW: My understanding is that with more intelligence in the cameras and with analytics, video data is becoming more structured--structured being a discrete, describable event. As it becomes more structured, how could that influence how it can be used in both security applications and enterprise applications?

EF: I think today a lot of video is recorded, and very little is ever actually used. Some people say it's less than half of 1 percent, others say it's between one and 2 percent, and some say up to  percent. When I look at the systems we have put in place, it's probably no more than 2 percent that normally gets viewed.

As video analytics mature, you are able to add value to the video that's stored because you'll be able to deal with it in a structured way and search in it much faster.

If you can start having what's called metadata that's linked to the frames and you after the fact have to find out when a yellow truck arrived somewhere, you can now write an algorithm that's looking for a blob which is the yellow truck. You can search through all that video on your disk drive, and it can find all the frames that have yellow trucks.

You can go in and search for the things you didn't know you were going to search for before and find the slices and thus get the evidence ... now you can go back and start searching through your evidence in a much more intelligent way.

What is going to happen with that is the video that gets stored is going to have a higher value. That means it'll be worth using time searching through that data so you don't have to look at all the frames. So you have the intelligence looking for either the big yellow truck or the purple van or for other things and thus make it more valuable.

You can put this into hospitals for taking care of patients, you can put it into retail where you're trying to reduce loss. It's called analytics, but I call it advanced motion detection. People will look at much more video that's stored as advanced motion detection prevails, and they will get much more value out of it.

SJW: I notice you talk a lot about video as something used for forensic purposes. As those advanced motion detection abilities increase, do you see [video's] value increasing even more as it's proactive?

EF: You're still going to need a human being to check what's going on before you let the video itself trigger the proactive part.  We do think video is good for proactive issues but you still need to have human verification before you let the system go off and make decisions on its own.
