10/13/2010
09:58 AM
Commentary

Dragging Physical Security Monitoring Into 2010

It is fairly common to see router, firewall, and intrusion-detection system logs in addition to server, workstation, and application logs consolidated within an enterprise security information management (ESIM) system. Logs generated from network-based devices are generally responsible for the bulk of logs monitored by an ESIM, with the remainder consisting of logs from the various endpoints and software deployed throughout the infrastructure. Perhaps one of the most overlooked sources of data to monitor, however, is that of the physical security controls deployed within an enterprise organization.

Before ESIMs (and even IP-based networks) were created, physical security was the only "security" that people knew about. Employees were issued cards or passes to reinforce the trusted nature of their identities, locks were placed on doors to safeguard access, and guards were deployed at choke points to control access to sensitive areas.

As technology evolved, so, too, did the controls. Video cameras with the ability to store and review captured footage, programmable locks that could employ rotating codes or time-specific access, and electronic swipe-card technologies were introduced to help expand security coverage within the infrastructure. With increased technology came associated business justification for the reduction of human personnel required to cover the expanded monitoring duties. As coverage expanded and the monitoring duties became overwhelming, customers turned to their technology vendors to help consolidate monitoring.

Unfortunately, unlike in the ESIM world, the desire or capability to consolidate third-party data into a master console was not something many physical security vendors were looking to undertake. This idea of vendor promiscuity and consolidation of disparate data sources created the flourishing ESIM sector and was the basis for the creation of security information and event management (SIEM) and log management products. Technology vendors saw a need to manage the mountains of security-oriented data being generated from any platform as a result of a user, system, or application interaction. Products were developed to collect, interpret, and disseminate the generated information and present it back to the user in a concise and focused manner. The data could be stored for long periods of time, allowing the product to assist in organizational compliance and security initiatives, in addition to providing a long-term reference point for past forensic and incident-response exercises.

Even with the advances in both physical and network-centric security monitoring, the problem remains that we, as a security society, continue to silo both types of monitoring.

Many of the aforementioned physical security products can, or at least have the potential to, generate logs for consumption by third-party ESIM products. Unfortunately, most of these technologies do not expose APIs or present easy methods for obtaining the data outside of the product's own interface. Think of the benefits each silo could bring when stitching together an incident's timeline. A malicious user could challenge the evidentiary nature of system logs generated by a system that was used to exfiltrate data from an organization by simply stating that someone may have stolen and used his credentials. However, if you were able to correlate the system logs with physical monitoring data, such as swipe-card access times at various control points or video footage that showed the user in the general vicinity of his computer at the time of the incident, then the evidence would be all the more damning and difficult to refute.
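The correlation described above, as an added example that is not code from the original article or from any ESIM or badge-system vendor: workstation logon events are joined against badge-reader swipes, and any logon by an account whose badge trail does not place its holder on site (no badge record at all, or a last swipe that was an "out") is flagged for review. Both log formats, the door-to-site mapping, the site and host names, and the users are constructed for illustration; a real deployment would read the same fields from the ESIM's normalized schema.

```python
"""
Added example, not code from the original article or from any ESIM vendor:
correlate workstation logon events with badge-reader swipes so that a logon
by a user who has not badged into the site (or who last badged out) is
flagged for review. Both log formats, the site/door names and the users are
constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime

# Constructed badge-reader log: timestamp, user, door, direction (in/out).
BADGE_LOG = """\
2010-10-12T07:55:10 jdoe HQ-LOBBY in
2010-10-12T08:10:55 asmith HQ-LOBBY in
2010-10-12T12:02:44 jdoe HQ-LOBBY out
2010-10-12T12:40:03 jdoe HQ-LOBBY in
2010-10-12T17:31:27 jdoe HQ-LOBBY out
"""

# Constructed host authentication log: timestamp, event, user, host, site.
AUTH_LOG = """\
2010-10-12T08:01:12 logon jdoe WS-0143 HQ
2010-10-12T08:12:00 logon asmith WS-0212 HQ
2010-10-12T09:30:00 logon bwong WS-0300 HQ
2010-10-12T12:15:30 logon jdoe WS-0143 HQ
2010-10-12T13:05:09 logon jdoe WS-0143 HQ
2010-10-12T22:47:51 logon jdoe WS-0143 HQ
"""

# Hypothetical mapping from a badge-controlled door to the site it admits to.
DOOR_SITE = {"HQ-LOBBY": "HQ"}


@dataclass(frozen=True)
class BadgeEvent:
    ts: datetime
    user: str
    site: str
    direction: str  # "in" or "out"


@dataclass(frozen=True)
class LogonEvent:
    ts: datetime
    user: str
    host: str
    site: str


def parse_badges(text):
    """Parse the constructed badge format into BadgeEvents sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, door, direction = line.split()
        events.append(BadgeEvent(datetime.fromisoformat(ts), user,
                                 DOOR_SITE.get(door, door), direction))
    return sorted(events, key=lambda e: e.ts)


def parse_logons(text):
    """Parse the constructed auth format, keeping only logon events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, user, host, site = line.split()
        if kind == "logon":
            events.append(LogonEvent(datetime.fromisoformat(ts), user, host, site))
    return sorted(events, key=lambda e: e.ts)


def last_badge_before(badges, user, site, when):
    """Most recent badge event for `user` at `site` at or before `when`, or None."""
    last = None
    for b in badges:  # badges are time-sorted, so the last match before `when` wins
        if b.ts > when:
            break
        if b.user == user and b.site == site:
            last = b
    return last


def find_unsupported_logons(badges, logons):
    """Return (logon, reason) pairs where the badge trail does not place the
    account holder on site at logon time."""
    findings = []
    for lg in logons:
        last = last_badge_before(badges, lg.user, lg.site, lg.ts)
        if last is None:
            findings.append((lg, "no badge record for user at site"))
        elif last.direction == "out":
            findings.append((lg, f"last badge event was 'out' at {last.ts.isoformat()}"))
    return findings


if __name__ == "__main__":
    for lg, why in find_unsupported_logons(parse_badges(BADGE_LOG), parse_logons(AUTH_LOG)):
        print(f"{lg.ts.isoformat()} {lg.user}@{lg.host}: {why}")
```

On the constructed data this flags three logons: bwong, who never badged in; jdoe's 12:15 logon, which falls after a 12:02 badge-out and before the 12:40 badge-in; and jdoe's 22:47 logon, hours after the last badge-out. The caveat a practitioner should keep in mind is that the badge trail is corroborating evidence, not proof: tailgating, propped doors and sites without exit readers all produce false negatives, so the check is most useful where anti-passback is enforced and a flagged logon can be confirmed against camera footage, exactly the combination the article argues for.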

Hopefully, the industry will challenge ESIM, IT security, and physical security vendors to talk to one another and achieve a state of converged organizational security monitoring. The potential benefits for day-to-day operational security, not to mention forensic and incident-response exercises, could be enormous.

Andrew Hay is senior analyst with The 451 Group's Enterprise Security Practice and is an author of three network security books. Follow him on Twitter: http://twitter.com/andrewsmhay.
