Taking an inner look at Convergence
Integration, unification, and convergence are among the most common buzzwords in today's security industry. A web search for the phrase "security convergence" returns nearly 29,000 hits; split the two words and search for them separately and the number climbs past 200,000. Yet for all the talk on the subject, there is remarkably little action. The chasm between the physical security team and the IT security team seems as wide as ever, even though the media and analysts have declared convergence a positive trend. A considerable share of the responsibility for this division lies with corporate executives, who typically place the network and data security group in the IT department while the physical security group reports to facilities. That structure creates a natural barrier that is not easy to penetrate. Another share of the fault, however, lies with the security professionals on both sides of the divide.
Convergence of data and physical security will apparently occur with or without the willing participation of professionals on both sides. One concern is that it has so far been driven largely from the information security side, which wants data from the physical security and surveillance groups. Several areas of convergence can be exploited quickly, but the most obvious is taking the security information and event management (SIEM) technologies currently specified for network security and applying them to the physical security arena.
Working the Entire System
SIEM is a relatively new discipline within IT network security. It was created in part because information security managers wanted a more comprehensive view of the events that might threaten the information assets their teams are obligated to protect. One of the most persistent problems IT organizations face is that there are too many devices producing too much data for a reasonably sized staff to monitor, identify and respond to genuine security incidents in a timely manner. Imagine trying to listen, simultaneously, to every phone call placed in a typical company on a typical day. It would be virtually impossible to follow any single conversation, let alone pick out the one conversation that might be dangerous.
The same holds for the computer systems and networks over which corporate information flows through applications such as accounting systems and e-mail. IT security teams have spent years developing ways to hold users of corporate computers and networks accountable for their access to and use of critical electronic data. Their attention has centered on implementing IT controls such as firewalls, user authentication, encryption systems and the like. Although each control serves a different purpose, they share a common feature: they all record what they do. These records, or logs, are miniature reports of every user's behavior, including Web sites visited, files accessed and e-mail activity. The sheer number of systems and devices that can transmit or store data in a typical midsize to large corporation makes manual review of the IT security controls as impractical as listening to every phone call at once.
Approximately seven years ago the SIEM industry was born out of this frustration. A typical SIEM system consists of sophisticated software that automates the monitoring of the various IT security controls, so that IT security teams are notified when suspicious activity may be occurring on their systems, whether from external or internal sources. The SIEM software accomplishes this by collecting the security events recorded by those systems in real time as they occur, comparing them against known patterns of concern, correlating them with other events, and alerting the security team only when a single event or a series of events requires an immediate response. With this approach the IT security team becomes far more effective and efficient, and can respond more completely to incidents as they happen.
One of the newest developments in the SIEM space is the introduction of complete online, state-based incident response workflows. These allow security teams to maintain a full audit trail of how an incident was handled, including user sign-off and time stamps for remediation and closure of the incident in question. The team can thus apply a standard operating procedure to every suspicious incident as it occurs.
A reader may wonder at this point how any of this relates to the convergence of IT and physical security. The disciplines of IT security and physical security are each specialized and merit separate treatment, which is exactly how nearly all organizations have treated them. Yet although the practices and protocols of the two security organizations justify separately focused operations, they do have traits in common. Both share the objective of protecting corporate assets and have implemented measures that provide a safe environment in which people can work productively. Both have also implemented some form of monitoring to ensure that the controls in place are effective, and both maintain detailed response plans that are executed when an incident is discovered.
Once one looks at the types of controls in place for IT security, it is easy to see how they parallel those of the physical security realm. To understand how the tools used by the IT security department can be extended to the physical security team, think of the network as a facility: it has entry points, controlled areas inside the perimeter, and the means to watch someone move through it. A classic SIEM implementation monitors the network, looks for unusual patterns of access or unauthorized entry, and alerts the IT security team to a possible intrusion. Since most physical security systems keep a log recording entry to and exit from the facility and access to controlled areas, it is not hard to imagine a SIEM system monitoring that activity and alerting the physical security team to access patterns that concern them. Consider how hard it would be for security personnel, unaided, to spot an individual trying to get into several controlled areas they have not been granted permission to enter.
In practice it would be extremely difficult to detect that kind of activity quickly enough to respond to it. If a SIEM system were monitoring the badge log, however, a correlation rule could be written to look for exactly that pattern. Once the suspicious pattern is detected, the security team could be notified in time to dispatch an officer to the person's last known location to inquire about the activity. This is just one small scenario in which extending the IT SIEM system can make physical security personnel more efficient. One point of convergence that is viable today is cooperation between the two teams in taking the tools available to one and extending their use to the other.
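The correlation rule described above, written out as an added example; it is not code from the original article or from any particular SIEM product. It parses a constructed badge-reader log in an assumed format and alerts when one badge is denied at three or more distinct controlled doors within a ten-minute sliding window. The log format, badge and door names, and the thresholds are all assumptions.

```python
"""Correlation rule: one badge holder denied at several distinct controlled doors
within a short time window (door probing)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample badge-reader log; not taken from any real system.
# Assumed line format: "<ISO timestamp> <badge_id> <door> <GRANTED|DENIED>"
SAMPLE_BADGE_LOG = """\
2009-03-02T22:03:11 B1042 server-room DENIED
2009-03-02T22:04:50 B1042 finance-suite DENIED
2009-03-02T22:05:02 B0777 main-entrance GRANTED
2009-03-02T22:06:30 B1042 exec-wing DENIED
2009-03-02T22:40:00 B0777 finance-suite DENIED
2009-03-02T23:10:00 B0777 finance-suite DENIED
2009-03-02T23:20:00 B0777 finance-suite DENIED
"""


def parse_badge_log(text):
    """Turn raw log lines into (timestamp, badge, door, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, badge, door, result = line.split()
        events.append((datetime.fromisoformat(ts), badge, door, result))
    return events


def find_door_probing(events, min_doors=3, window=timedelta(minutes=10)):
    """Return one alert per badge as (badge, first_ts, last_ts, doors) when the
    badge was DENIED at >= min_doors distinct doors inside a sliding `window`.

    Repeated denials at the same door (a badge that simply stopped working) do
    not count as probing; distinct doors are what indicate someone hunting for
    an area they can get into."""
    denied = defaultdict(list)
    for ts, badge, door, result in sorted(events):
        if result == "DENIED":
            denied[badge].append((ts, door))

    alerts = []
    for badge, attempts in denied.items():
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until it covers at most `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            doors = {door for _, door in attempts[start:end + 1]}
            if len(doors) >= min_doors:
                alerts.append((badge, attempts[start][0], attempts[end][0], sorted(doors)))
                break  # one alert per badge is enough to dispatch an officer
    return alerts


if __name__ == "__main__":
    for badge, first, last, doors in find_door_probing(parse_badge_log(SAMPLE_BADGE_LOG)):
        print(f"ALERT badge {badge} denied at {doors} between {first} and {last}")
```

In the constructed data only B1042 fires: three different doors in under four minutes. B0777 is denied three times but always at the same door and over forty minutes, which is the kind of single-door failure a rule like this should ignore so that officers are not dispatched for a worn-out badge.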
Uncovering Other Territory
Investigations are another area where some convergence has already taken place. The physical security team usually has more experience conducting investigations and preserving and preparing evidence for possible prosecution. Experience with investigations into suspicious internal IT security events and with actual incidents of external attempts to steal corporate information has shown that the most effective and complete prosecution of those cases came when the IT security team worked directly with a cooperative physical security team. When the common goals of two distinctly different organizations become a mutually supportive operation to protect a shared corporate asset, true convergence has occurred.
As a rule, members of the physical security team have either direct law enforcement experience or at least advanced training in investigative procedures. The IT security team, which is increasingly called upon to investigate incidents and produce evidence suitable for use in court, should not ignore this valuable expertise. By working cooperatively with the physical security team and leveraging the workflow capabilities of a SIEM tool, both teams can build an approach to incidents that brings all necessary resources to bear in an investigation and follows a formal process, reducing the chance that evidence is lost through mishandling. Formalizing the investigative procedure also makes the teams more effective in responding to incidents.
IT security personnel have been asked to assist both physical security and law enforcement in collecting electronic evidence needed to corroborate physical evidence obtained in various investigations. Conversely, IT has needed the help of the physical security team to obtain evidence that corroborates IT's electronic evidence. The IT security director at a major corporation recounted a case from the past several years in which the IT security team received information from a concerned department manager pointing to possible misuse of user accounts on a critical financial application. The investigation obviously required technical expertise, but the potentially internal nature of the threat meant that human resources had to be involved in handling the matter. The legal department was also brought in to ensure that any prosecution of an employee was properly grounded in fact, so that the corporation was protected against lawsuits.
The corporate security group was asked to join the effort as well, because it was clear that any case the team could build from electronic evidence alone would not be enough for HR and legal to act on. The IT team was able to determine the time frame of the incident and that a computer inside the facility had been used, but it could not determine whether the account was being used by the assigned employee or by someone impersonating that employee. The first step in the collaboration between the teams was to compare the activity logs on the key financial and network systems with the building's badge access logs. This allowed them to establish whether the user accounts involved in the suspicious activity were being used by the genuine employee, and whether that employee was inside or outside the facility at the time. If the badge swipes did not match the access being used, security had a clear indication that the employee's account was being used by an impersonator, who might have obtained the password or simply found the computer still logged in after the authorized employee left at the end of the shift. Clear proof that the authorized employee had left the facility when the suspicious activity occurred on the monitored IT systems eliminated that employee as a suspect and allowed the team to focus on finding who was masquerading as an authorized user.
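The first step of the collaboration described above, comparing application log-ins against badge in/out records, as an added example; it is not part of the original article or of the case it recounts. It assumes the badge system records IN and OUT swipes, that the badge holder identifier and the application account name are the same (in practice an HR mapping table between the two would be needed), and that both systems' clocks are synchronized. All events are constructed.

```python
"""Correlate financial-system log-ins with badge presence: an account that is
active on a workstation inside the facility while its owner is recorded as
having badged out points to an impersonator."""
from collections import defaultdict
from datetime import datetime

# Constructed badge events: (timestamp, employee, "IN" | "OUT"). Assumes the
# badge system records both directions and that clocks match the IT logs.
BADGE_EVENTS = [
    (datetime(2009, 3, 2, 8, 2), "jsmith", "IN"),
    (datetime(2009, 3, 2, 17, 31), "jsmith", "OUT"),
    (datetime(2009, 3, 3, 7, 58), "jsmith", "IN"),
    (datetime(2009, 3, 3, 17, 15), "jsmith", "OUT"),
    (datetime(2009, 3, 3, 8, 30), "mlee", "IN"),  # still on site, no OUT yet
]

# Constructed log-ins from the financial application: (timestamp, account, host).
# Assumes account name == badge holder identifier.
LOGIN_EVENTS = [
    (datetime(2009, 3, 2, 9, 15), "jsmith", "FIN-WS-12"),   # during shift
    (datetime(2009, 3, 2, 23, 40), "jsmith", "FIN-WS-12"),  # hours after badge-out
    (datetime(2009, 3, 3, 10, 5), "jsmith", "FIN-WS-12"),   # during shift
    (datetime(2009, 3, 3, 14, 0), "mlee", "FIN-WS-04"),     # during open interval
]


def presence_intervals(badge_events):
    """Build {employee: [(in_ts, out_ts), ...]} from IN/OUT swipes.

    An IN with no later OUT stays open (out_ts=None) so an employee who is
    still in the building is not flagged as off site."""
    open_in = {}
    intervals = defaultdict(list)
    for ts, emp, direction in sorted(badge_events):
        if direction == "IN":
            open_in[emp] = ts
        elif direction == "OUT" and emp in open_in:
            intervals[emp].append((open_in.pop(emp), ts))
    for emp, ts in open_in.items():
        intervals[emp].append((ts, None))
    return intervals


def on_site(intervals, emp, ts):
    """True if the badge record places `emp` inside the facility at `ts`."""
    for start, end in intervals.get(emp, []):
        if start <= ts and (end is None or ts <= end):
            return True
    return False


def find_offsite_logins(badge_events, login_events):
    """Return log-ins whose account owner was not badged in at the time."""
    intervals = presence_intervals(badge_events)
    return [(ts, acct, host) for ts, acct, host in login_events
            if not on_site(intervals, acct, ts)]


if __name__ == "__main__":
    for ts, acct, host in find_offsite_logins(BADGE_EVENTS, LOGIN_EVENTS):
        print(f"SUSPECT: {acct} active on {host} at {ts} while badged out")
```

The 23:40 log-in is the only one flagged, which is exactly the mismatch the investigators used to clear the genuine employee. The result is an indicator, not proof: an employee who tailgated in without swiping would also show up here, which is why the case still required synchronized video before anyone was confronted.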
The next step in the collaboration was to focus both IT and physical surveillance on a specific office in the building, on the specific computer used to carry out the scheme, and on the true identity of the person illegally accessing critical corporate resources. This was necessary because the legal and human resources members of the incident response team needed solid evidence; they needed to catch the offender in the act before taking any disciplinary or legal action. To that end, a well documented and coordinated program of physical and technical surveillance was conducted, with the aim of observing a security violation as it took place. The company's security team installed cameras at strategic points, including the office that had been identified as the source of the access. The cameras were positioned to capture both the faces of the users and their computer screens, and their time stamps were synchronized with those of the IT system logs. Only after correlating the computer and network logs with the badge system logs and the synchronized video was the intruder, a member of the night cleaning crew, caught and prosecuted. Clearly, this case would have remained unsolved without the integrated operations and combined skill sets of the IT security team and the corporate security team. It is one more example of how advances in technology are making possible what could not be done in the past.
The IT team can gain a great deal from the investigative tools and talent resident in the physical security team, and the physical security team can benefit from the IT security team once its control systems are brought into the SIEM monitoring and incident alerting system. Complete convergence is a long way off, but there are many areas where willing contributors from both disciplines can make their programs more effective and efficient by working together.