Dragging Physical Security Monitoring Into 2010

It is fairly common to see router, firewall, and intrusion-detection system logs in addition to server, workstation, and application logs consolidated within an enterprise security information management (ESIM) system. Logs generated from network-based devices are generally responsible for the bulk of logs monitored by an ESIM, with the remainder consisting of logs from the various endpoints and software deployed throughout the infrastructure. Perhaps one of the most overlooked sources of data to monitor, however, is that of the physical security controls deployed within an enterprise organization.Before ESIMs (and even IP-based networks) were created, physical security was the only "security" that people knew about. Employees were issued cards or passes to reinforce the trusted nature of their identities, locks were placed on doors to safeguard access, and guards were deployed at choke points to control access to sensitive areas.

As technology evolved, so, too, did the controls. Video cameras with the ability to store and review captured footage, programmable locks that could employ rotating codes or time-specific access, and electronic swipe-card technologies were introduced to help expand security coverage within the infrastructure. With increased technology came associated business justification for the reduction of human personnel required to cover the expanded monitoring duties. As coverage expanded and the monitoring duties became overwhelming, customers turned to their technology vendors to help consolidate monitoring.

Unfortunately, unlike in the ESIM world, the desire or capability to consolidate third-party data into a master console was not something many vendors were looking to undertake. This idea of vendor promiscuity and consolidation of disparate data sources created the flourishing ESIM sector and was the basis for the creation of security information and event management (SEIM) and log management products. Technology vendors saw a need to manage the mountains of security-oriented data being generated from any platform as a result of a user, system, or application interaction. Products were developed to collect, interpret, and disseminate the generated information and present it back to the user in a concise and focused manner. The data was capable of being stored for long periods of time, allowing the product to assist in organizational compliance and security initiatives, in addition to providing a long-term reference point for past forensic and incident-response exercises.

Even with the advances in both physical and network-centric security monitoring, the problem remains that we, as a security society, continue to silo both types of monitoring.

Many of the aforementioned physical security products can, or at least have the potential to, generate logs for consumption by third-party ESIM products. Unfortunately, most of these technologies do not expose APIs or present easy methods for obtaining the data outside of the product's own interface. Think of the benefits each silo could bring when stitching together an incident's time line. A malicious user could challenge the evidentiary nature of system logs generated by a system that was used to exfiltrate data from an organization by simply stating that someone may have stolen and used his credentials. However, if you were able to correlate the system logs with physical monitoring data, such as swipe-card access times at various control points or video footage that showed the user in the general vicinity of his computer at the time of the incident, then the evidence would be all that more damning and difficult to refute.

Hopefully, the industry challenges ESIM, technological security, and physical security vendors to dialogue and achieve a state of converged organizational security monitoring. The potential benefits for day-to-day operational security, not to mention forensic and incident-response exercises, could be limitless.

Andrew Hay is senior analyst with The 451 Group's Enterprise Security Practice and is an author of three network security books. Follow him on Twitter: http://twitter.com/andrewsmhay.