Dark Reading is part of the Informa Tech Division of Informa PLC


Perimeter

10/13/2010
09:58 AM
Commentary

Dragging Physical Security Monitoring Into 2010

It is fairly common to see router, firewall, and intrusion-detection system logs in addition to server, workstation, and application logs consolidated within an enterprise security information management (ESIM) system. Logs generated from network-based devices are generally responsible for the bulk of logs monitored by an ESIM, with the remainder consisting of logs from the various endpoints and software deployed throughout the infrastructure. Perhaps one of the most overlooked sources of data to monitor, however, is that of the physical security controls deployed within an enterprise organization.

Before ESIMs (and even IP-based networks) were created, physical security was the only "security" that people knew about. Employees were issued cards or passes to reinforce the trusted nature of their identities, locks were placed on doors to safeguard access, and guards were deployed at choke points to control access to sensitive areas.

As technology evolved, so, too, did the controls. Video cameras with the ability to store and review captured footage, programmable locks that could employ rotating codes or time-specific access, and electronic swipe-card technologies were introduced to help expand security coverage within the infrastructure. With increased technology came associated business justification for the reduction of human personnel required to cover the expanded monitoring duties. As coverage expanded and the monitoring duties became overwhelming, customers turned to their technology vendors to help consolidate monitoring.

Unfortunately, unlike in the ESIM world, the desire or capability to consolidate third-party data into a master console was not something many physical security vendors were looking to undertake. This idea of vendor promiscuity and consolidation of disparate data sources created the flourishing ESIM sector and was the basis for the creation of security information and event management (SIEM) and log management products. Technology vendors saw a need to manage the mountains of security-oriented data being generated from any platform as a result of a user, system, or application interaction. Products were developed to collect, interpret, and disseminate the generated information and present it back to the user in a concise and focused manner. The data could be stored for long periods of time, allowing the product to assist in organizational compliance and security initiatives, in addition to providing a long-term reference point for past forensic and incident-response exercises.

Even with the advances in both physical and network-centric security monitoring, the problem remains that we, as a security society, continue to silo both types of monitoring.

Many of the aforementioned physical security products can, or at least have the potential to, generate logs for consumption by third-party ESIM products. Unfortunately, most of these technologies do not expose APIs or present easy methods for obtaining the data outside of the product's own interface. Think of the benefits each silo could bring when stitching together an incident's time line. A malicious user could challenge the evidentiary nature of system logs generated by a system that was used to exfiltrate data from an organization by simply stating that someone may have stolen and used his credentials. However, if you were able to correlate the system logs with physical monitoring data, such as swipe-card access times at various control points or video footage that showed the user in the general vicinity of his computer at the time of the incident, then the evidence would be all that more damning and difficult to refute.
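The correlation described above, as an added illustration that is not part of the original column or any vendor's product: badge-reader events and workstation logon events for one user are parsed into a common shape, the badge events are turned into "inside the building" windows, and each logon is then tagged as corroborated (the user had badged in and not yet badged out) or uncorroborated. Both log formats and every log line are constructed for this example and do not come from any real ESIM or access-control system.

```python
"""Correlate host logons with badge-swipe records so that a claim of
"someone else used my credentials" can be checked against physical
access data.  Added example; log formats and lines are constructed.
"""
from datetime import datetime, timedelta

# Constructed sample: badge-reader events in a simple normalized form.
BADGE_LOG = """\
2010-10-12T08:02:11 door=lobby-east user=jsmith result=granted
2010-10-12T08:03:40 door=floor3-north user=jsmith result=granted
2010-10-12T17:31:05 door=lobby-east user=jsmith result=exit
2010-10-12T21:40:12 door=lobby-east user=jsmith result=denied
"""

# Constructed sample: workstation authentication events for the same user.
AUTH_LOG = """\
2010-10-12T08:10:22 host=ws-3f-117 user=jsmith event=logon src=console
2010-10-12T14:05:09 host=ws-3f-117 user=jsmith event=logon src=console
2010-10-12T22:15:47 host=ws-3f-117 user=jsmith event=logon src=console
"""


def parse(log):
    """Parse 'timestamp key=value ...' lines into dicts with a datetime under 'ts'."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["ts"] = datetime.fromisoformat(ts)
        events.append(ev)
    return events


def presence_windows(badge_events, user, max_stay=timedelta(hours=12)):
    """Return (entry, exit) windows during which the badge system says the user was inside.

    The first granted entry opens a window and an 'exit' closes it; denied
    swipes never open one.  A window still open at the end of the log is
    closed after max_stay so a missing exit swipe cannot vouch for a logon
    days later (an assumption of this example, not of any product).
    """
    windows = []
    entry = None
    for ev in sorted(badge_events, key=lambda e: e["ts"]):
        if ev.get("user") != user:
            continue
        if ev["result"] == "granted":
            if entry is None:
                entry = ev["ts"]
        elif ev["result"] == "exit" and entry is not None:
            windows.append((entry, ev["ts"]))
            entry = None
    if entry is not None:
        windows.append((entry, entry + max_stay))
    return windows


def correlate(auth_events, badge_events, user):
    """Tag each logon by the user as corroborated or uncorroborated by badge data."""
    windows = presence_windows(badge_events, user)
    results = []
    for ev in auth_events:
        if ev.get("user") != user or ev.get("event") != "logon":
            continue
        inside = any(start <= ev["ts"] <= end for start, end in windows)
        verdict = "corroborated" if inside else "uncorroborated"
        results.append((ev["ts"].isoformat(), ev["host"], verdict))
    return results


if __name__ == "__main__":
    for row in correlate(parse(AUTH_LOG), parse(BADGE_LOG), "jsmith"):
        print(*row)
```

On the constructed input the two daytime logons fall inside the badge-in window and are tagged corroborated, while the 22:15 console logon follows an exit swipe and a denied badge attempt, so it is tagged uncorroborated; that single tag is the cross-silo fact an investigator would want in the timeline, and a denied swipe shortly before a console logon is a useful alert condition in its own right.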

Hopefully, the industry will challenge ESIM, technological security, and physical security vendors to open a dialogue and achieve a state of converged organizational security monitoring. The potential benefits for day-to-day operational security, not to mention forensic and incident-response exercises, could be limitless.

Andrew Hay is senior analyst with The 451 Group's Enterprise Security Practice and is an author of three network security books. Follow him on Twitter: http://twitter.com/andrewsmhay.
