As technology evolved, so, too, did the controls. Video cameras with the ability to store and review captured footage, programmable locks that could employ rotating codes or time-specific access, and electronic swipe-card technologies were introduced to help expand security coverage within the infrastructure. With increased technology came associated business justification for the reduction of human personnel required to cover the expanded monitoring duties. As coverage expanded and the monitoring duties became overwhelming, customers turned to their technology vendors to help consolidate monitoring.
Unfortunately, unlike in the ESIM world, the desire or capability to consolidate third-party data into a master console was not something many vendors were looking to undertake. This idea of vendor promiscuity and consolidation of disparate data sources created the flourishing ESIM sector and was the basis for the creation of security information and event management (SIEM) and log management products. Technology vendors saw a need to manage the mountains of security-oriented data being generated from any platform as a result of a user, system, or application interaction. Products were developed to collect, interpret, and disseminate the generated information and present it back to the user in a concise and focused manner. The data was capable of being stored for long periods of time, allowing the product to assist in organizational compliance and security initiatives, in addition to providing a long-term reference point for past forensic and incident-response exercises.
Even with the advances in both physical and network-centric security monitoring, the problem remains that we, as a security society, continue to silo both types of monitoring.
Many of the aforementioned physical security products can, or at least have the potential to, generate logs for consumption by third-party ESIM products. Unfortunately, most of these technologies do not expose APIs or present easy methods for obtaining the data outside of the product's own interface. Think of the benefits each silo could bring when stitching together an incident's timeline. A malicious user could challenge the evidentiary nature of system logs generated by a system that was used to exfiltrate data from an organization by simply stating that someone may have stolen and used his credentials. However, if you were able to correlate the system logs with physical monitoring data, such as swipe-card access times at various control points or video footage that showed the user in the general vicinity of his computer at the time of the incident, then the evidence would be all the more damning and difficult to refute.
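The correlation described above, shown as an added example that is not code from the column or from any vendor product: each host logon is matched against the user's most recent badge-reader swipe so an analyst can see which logons lack physical corroboration. The log formats, hostnames, door names and timestamps are constructed sample data, not any real product's export.

```python
# Added example: corroborate host logon events with badge-reader swipes.
# All log lines and formats below are constructed for illustration.
import re
from datetime import datetime, timedelta

# Constructed syslog-style logon events: "<ts> <host> login: session opened for user <user>"
SYSTEM_LOG = """\
2024-03-04T09:02:11 ws-17 login: session opened for user jsmith
2024-03-04T09:15:40 ws-17 login: session opened for user jsmith
2024-03-04T22:41:03 ws-17 login: session opened for user jsmith
"""

# Constructed badge-reader export: timestamp,badge_holder,door,result
BADGE_LOG = """\
2024-03-04T08:57:30,jsmith,lobby-turnstile,GRANTED
2024-03-04T08:59:02,jsmith,floor3-east,GRANTED
2024-03-04T17:31:15,jsmith,lobby-turnstile-exit,GRANTED
"""

LOGON_RE = re.compile(r"^(\S+) (\S+) login: session opened for user (\S+)$")

def parse_logons(text):
    """Return (timestamp, host, user) tuples for each logon line that matches."""
    events = []
    for line in text.splitlines():
        m = LOGON_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)))
    return events

def parse_swipes(text):
    """Return (timestamp, badge_holder, door, result) tuples from the CSV export."""
    return [(datetime.fromisoformat(ts), who, door, result)
            for ts, who, door, result in (l.split(",") for l in text.splitlines())]

def corroborate(logons, swipes, window=timedelta(hours=12)):
    """Pair each logon with the user's last GRANTED swipe before it.
    The logon counts as physically corroborated only if that swipe was an entry
    (not an exit door) and happened within `window`; otherwise the pairing is None
    and the event needs an explanation (remote access, tailgating, stolen credentials)."""
    results = []
    for ts, host, user in logons:
        prior = [s for s in swipes if s[1] == user and s[3] == "GRANTED" and s[0] <= ts]
        last = max(prior, key=lambda s: s[0]) if prior else None
        present = last is not None and "exit" not in last[2] and ts - last[0] <= window
        results.append((ts, user, host, last if present else None))
    return results

def uncorroborated(results):
    """Logons with no supporting badge entry, for the analyst's review queue."""
    return [(ts, user, host) for ts, user, host, swipe in results if swipe is None]
```

With the constructed data, the two morning logons pair with the 08:59 floor entry, while the 22:41 logon follows an exit swipe and is queued for review.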
Hopefully, the industry challenges ESIM, technological security, and physical security vendors to open a dialogue and achieve a state of converged organizational security monitoring. The potential benefits for day-to-day operational security, not to mention forensic and incident-response exercises, could be limitless.
Andrew Hay is senior analyst with The 451 Group's Enterprise Security Practice and is an author of three network security books. Follow him on Twitter: http://twitter.com/andrewsmhay.