The IT Insider at ASIS 09


Thinking about SIEM, PSIM and convergence: An analysis

At ASIS International, we expect to see physical security information management (PSIM) vendors well represented. It was a little more surprising, though a definite sign of emerging times, to find ArcSight, a well-known IT-oriented info-security vendor, on the show floor.

In brief, the context of ArcSight's demo at ASIS raised questions for Security Squared about how convergence could be accelerated from the IT department outward and what the impact of more IT convergence activity might mean for certain vendors, systems integrators and users.

HID to PlaSec to ArcSight--and Gartner Group too

ArcSight's market-leading Enterprise Security Manager (ESM) security information and event management (SIEM) tool was integrated with PlaSec, Inc.'s open platform access control appliance, which was in a kiosk at the HID Global pavilion at ASIS. ESM was logging events and alarms from demos of PlaSec's appliance--access granted, access denied, door open, door open too long, etc.

Before ASIS, in mid-September, PlaSec CEO Terry Neely had been at ArcSight Protect 2009, a heavily IT-oriented affair, demonstrating the appliance. He'd been to the show two years ago, and said he merely raised eyebrows by displaying his door panel. This year, though, Neely said traffic was steady and the majority of it was from IT professionals wanting to know how his appliance works, both as an access control device and as integrated with ESM.


And on September 1, Gartner Group released a white paper, "SIEM and IAM Technology Integration," by Mark Nicolett and Earl Perkins. In it, Gartner recommends integrating SIEM tools more closely with identity and access management (IAM) systems. The goal is to let SIEM monitor the exceptions that point to security issues, rather than monitoring and correlating every routine daily user activity.

The Point Being....

What we discern in these different activities is a suggestion that SIEM platforms could be at the heart of security event monitoring--and technically and logically, that could include physical events we would typically imagine PSIM platforms catching and managing.

How? By directly integrating SIEM tools to physical security systems, as in the ArcSight and PlaSec demonstration and/or by incorporating more physical security rules and roles within IAM platforms to which SIEM platforms are integrated.

Here's why: SIEM platforms are best known for their ability to track logins, downloads, application activities, database alterations, emails--virtually all the end user activities many enterprises now must track for compliance purposes. SIEM tools can also contain the intelligence and rules for determining anomalous usage and data patterns and for correlating activities, events and alarms across applications, databases and the enterprise network. (PSIM tools accomplish analogous functions, but across systems monitoring physical events, such as video and access control.)

What Gartner is foreseeing is that with tighter integration between SIEM and IAM systems from such vendors as CA Security Management, IBM Tivoli and Novell (which offer SIEM tools of their own), SIEM platforms can monitor for exceptions instead of millions of end user actions. The key to this approach being effective is having role-based user provisioning within the IAM systems.

With role-based provisioning, enterprises create logical access rights and privileges by a job role and/or employee grouping. The role is then assigned to an individual. A well-thought-out role is itself a substantial measure of security, especially with IAM vendors and others, like Alert Enterprise, offering tools to craft and maintain separation of duty rules.

The Gartner paper explains that SIEM platforms can draw on this logic to scan for exceptions to role-based activities. In turn, IAM systems can refer to SIEM data to judge whether roles are well crafted: a high rate of exceptions and/or alarms may mean a rule is too restrictive and users are working around it, or it may mean privileges are being abused.

Now add the physical world...

Here's what the Gartner paper doesn't mention:

First, IAM systems can also contain role-based physical access rights. Our conversation with systems integrator SecureNet covered an example of accomplishing this via Active Directory. PlaSec's appliance could mirror such access rights in its open directory structure. And Quantum Secure's SAFE system implementation at Toronto Pearson International Airport offers another example of role-based physical access rights.

Second, SIEM tools can collect data about physical events and alarms. That isn't just an ASIS demo: ArcSight's Colby DeRodeff told Security Squared in interviews published in late August and early September that he's seen ESM integrated with glass-break sensors and HVAC systems as well as doors. Similarly, Paul Stamp from RSA, with its competing EnVision SIEM tool, spoke to us about clients using that tool to monitor temperature changes in critical areas.

So if an enterprise has a robust SIEM platform in place, will it require PSIM or one of the new breed of video middleware systems being discussed at ASIS? Or might IT drive integration of a SIEM tool it knows and values with physical systems? DeRodeff told us that in his experience it has been IT security professionals who ask ArcSight to integrate with physical systems.

It's easy to see why linking SIEM to such systems is sensible from an IT perspective: read DeRodeff's book, Physical and Logical Security Convergence, and in most of the examples cited, a physical security violation caught by the access control system is followed by an extended cyber attack that can only be tracked by a SIEM (ArcSight's specialty) correlating the attacker's actions in various applications and databases.
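The two ideas above, a SIEM scanning for exceptions to IAM role entitlements and a SIEM correlating access-control events with the logical events it already collects, are easy to show as a small correlation routine. The following is an added example written for this article; it is not code from ArcSight ESM, PlaSec, RSA enVision or the Gartner paper. The role table, user assignments, event stream, rule names and thresholds are all constructed for illustration, and the event schema is a simplified stand-in for what a real SIEM connector would normalize.

```python
"""Toy SIEM correlation over IAM role data plus physical (PACS) and logical events.

Everything below is constructed for this example: role names, users, the event
stream and the three rules are hypothetical and do not come from any vendor.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IAM role definitions: the doors (physical) and applications
# (logical) each role is entitled to. "vpn" is treated as an application.
ROLES = {
    "finance-analyst": {"doors": {"lobby", "finance-wing"},
                        "apps": {"erp", "email", "vpn"}},
    "facilities-tech": {"doors": {"lobby", "server-room", "mech-room"},
                        "apps": {"email", "bms", "vpn"}},
}

# Constructed user-to-role assignments (one role per user, for simplicity).
USERS = {"alice": "finance-analyst", "bob": "facilities-tech"}

# Constructed event stream already normalized to one schema, as a SIEM
# connector would do; "source" identifies the originating system.
EVENTS = [
    {"ts": "2009-09-22T08:01:00", "source": "pacs", "user": "alice", "action": "access_granted", "target": "lobby"},
    {"ts": "2009-09-22T08:02:10", "source": "pacs", "user": "alice", "action": "access_denied", "target": "server-room"},
    {"ts": "2009-09-22T08:02:40", "source": "pacs", "user": "alice", "action": "access_denied", "target": "server-room"},
    {"ts": "2009-09-22T08:03:05", "source": "pacs", "user": "alice", "action": "access_denied", "target": "server-room"},
    {"ts": "2009-09-22T08:05:00", "source": "vpn", "user": "alice", "action": "login", "target": "vpn"},
    {"ts": "2009-09-22T08:06:00", "source": "app", "user": "alice", "action": "login", "target": "erp"},
    {"ts": "2009-09-22T09:00:00", "source": "pacs", "user": "bob", "action": "access_granted", "target": "server-room"},
    {"ts": "2009-09-22T09:01:00", "source": "app", "user": "bob", "action": "login", "target": "erp"},
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def entitled(user, target, users=USERS, roles=ROLES):
    """True if the user's IAM role covers the door or application named by target."""
    role = roles.get(users.get(user, ""), {"doors": set(), "apps": set()})
    return target in role["doors"] or target in role["apps"]


def correlate(events=EVENTS, users=USERS, roles=ROLES, window_minutes=30, denied_threshold=3):
    """Run three hypothetical rules over the event stream and return the alerts raised.

    role_exception   - a successful grant or login that the user's role does not cover
    repeated_denied  - denied_threshold denials at one door within window_minutes
    vpn_while_onsite - a VPN login within window_minutes of an on-site badge grant
    """
    alerts = []
    denied = defaultdict(list)  # (user, target) -> recent denial timestamps
    last_onsite = {}            # user -> time of most recent on-site badge grant
    window = timedelta(minutes=window_minutes)

    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = parse_ts(ev["ts"])
        user, action, target = ev["user"], ev["action"], ev["target"]

        # Rule 1: the system allowed something the IAM role never granted.
        if action in ("access_granted", "login") and not entitled(user, target, users, roles):
            alerts.append({"rule": "role_exception", "user": user, "target": target, "ts": ev["ts"]})

        # Rule 2: a streak of denials at one door. Could be a too-restrictive
        # role, a broken reader, or probing; either way worth a look.
        if action == "access_denied":
            recent = [t for t in denied[(user, target)] if ts - t <= window] + [ts]
            denied[(user, target)] = recent
            if len(recent) == denied_threshold:  # fire once per streak
                alerts.append({"rule": "repeated_denied", "user": user, "target": target,
                               "ts": ev["ts"], "count": len(recent)})

        # Rule 3: physical/logical correlation. A badge says the user is in the
        # building, yet the same identity is logging in remotely over VPN.
        if ev["source"] == "pacs" and action == "access_granted":
            last_onsite[user] = ts
        if ev["source"] == "vpn" and action == "login":
            seen = last_onsite.get(user)
            if seen is not None and ts - seen <= window:
                alerts.append({"rule": "vpn_while_onsite", "user": user, "target": target,
                               "ts": ev["ts"], "badged_in_at": seen.isoformat()})
    return alerts


if __name__ == "__main__":
    for a in correlate():
        print(a)
```

On the constructed stream this raises three alerts: a repeated_denied for alice at the server room (three denials in under a minute), a vpn_while_onsite for alice (VPN login four minutes after badging into the lobby), and a role_exception for bob (an ERP login his facilities role does not include). The last is the kind of signal the article says IAM can consume in the other direction, to ask whether the role is wrong or the privilege is being abused.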

A role for all?

That said, PSIM can complement and augment SIEM. As Michael McMullen, lead program manager at the Port of Long Beach, noted, it's not easy to find vendors who can integrate physical security systems outside of video and access control, like radar and sonar.

Plus, as RSA's Paul Stamp told us, PSIM platforms incorporate a certain specialized expertise--namely, what to do as a situation unfolds that might be entirely of a physical security nature, or a blended threat. As Orsus's Rafi Bhonker said, some situations really don't have a security component but nonetheless must be managed, such as a medical emergency or failing industrial equipment.

Where SIEM and PSIM might butt heads is when the physical security systems being integrated are mainly access control and video surveillance/analytics. IT departments are more oriented toward viewing physical events as "data," regardless of their origin. SIEM systems are robust enough to log literally millions of transactions each day (think of all the daily logins, downloads, application access, changes in databases, emails, in a typical enterprise).

From an IT perspective, collecting door entry data, even assigning a video clip to each badge swipe, is a data logging and management task. If a SIEM platform is in place, it could be the cleaner, more elegant solution to tie it to a physical access control system (PACS) so the SIEM tool can correlate badge swipes with the network hardware elements and VPNs it already monitors.

And yet we often hear how few enterprises are standardized on one PACS, about how disconnected physical and logical identities and credentials still are (though ArcSight promotes its ability to connect these), about how video is still very unstructured data with many attendant management and storage issues.

Further, physical security is specialized. While DeRodeff's book positions SIEM as the security convergence point, it also points out physical, logical and even network security professionals each have their own expertise. One group does not supplant another. Instead, they are to work more closely, sharing relevant data.

Finally, the IAM function has the potential to do more than simply tell other systems who is an active employee of an enterprise. As roles-based employee provisioning increases, IAMs could be the hubs that contain the data about what rights and permissions staff have in the enterprise's logical and physical worlds. Then that data could propagate to other systems, from access control and video to SCADA and process control to applications, content and databases, making IAM increasingly important in effective security.
 
To that end, it seems sensible for information and physical security professionals to use the systems that help them manage and respond to data generated by the systems they know best. What strikes us as potentially inefficient would be deploying multiple monitoring tools that don't communicate, such as PSIM and SIEM side-by-side and separate, or failing to incorporate IAM roles data. 

That outcome is far from impossible: we've heard from most PSIM and SIEM vendors that very few enterprises have integrated their physical and logical security teams, and even what enterprises call "centralized security operations" usually refers only to physical security activities.

The bottom line is enterprises will be able to choose from many tools when it comes to addressing their security needs. Vendors may try to make that a contest. Users and their integrators will need to step back, name the business and security goals, then take inventory of what security tools physical teams have or want and do the same with IT and network security.  Then the ideal would be for the teams to work together, sharing assets as appropriate, augmenting their capabilities as necessary. The goal should be selecting the approach and tools that work best for the enterprise, regardless of who "owns" or manages them. Then we might see some truly centralized, comprehensive approaches to convergence.
