Convergence From the Inside Out

Convergence is the latest trend in the security industry, but does anyone really know the truth behind the trend?

• By Garry Kolb, CISM
• May 01, 2006

CONVERGENCE seems to be the latest buzzword in the security industry. When searching the Internet with the terms "security convergence," one will find nearly 29,000 hits. Break the terms up and search individually and that number climbs to more than 200,000. While there is an incredible amount of talk on this subject, the action seems relatively unavailable. Media and analysts have deemed this to be a good thing, but the chasm which still exists between the physical security team and the IT security team seems wider than ever.

A significant portion of the blame for the separation between the two lies with corporate executives who usually put the network and information security group in the IT department while the physical security group is placed in the facilities department. This creates a natural barrier which is often difficult to penetrate. However, a portion of the blame also lies with the security professionals on both sides of the aisle.

It is obvious that the convergence of physical and information security will happen with or without the willing participation of professionals on both sides of the equation. One of the main issues with convergence is that it has been driven largely out of the information security side looking to get information from the physical security team. There are several areas of convergence that can be quickly taken advantage of, but the most obvious one is leveraging the security information and event management (SIEM) technologies now used for network security and applying them to the physical security arena.

Making It All Work
SIEM is a relatively new discipline within IT network security. It has grown out of the desire of information security managers to have a more comprehensive view of the events that might threaten the information assets their teams are chartered to protect. The most common problem IT organizations have encountered is that there are too many devices churning out too much information to allow a reasonably sized staff to monitor, identify and respond to true security incidents in a reasonable time. Just imagine a scenario where one can simultaneously listen to all of the phone calls being made in a typical company in a typical day. It would be virtually impossible to make sense of any one single conversation, not to mention detecting a conversation that might be suspicious.

The same is true with computer systems and networks where corporate information flows freely via software programs such as e-mail and accounting systems. IT security teams have spent years developing ways to hold users of corporate computers and networks accountable for their access and use of critical electronic corporate information. They have focused primarily on implementing IT controls such as user authentication, encryption systems, firewalls and others. While the purpose of each IT control varies significantly, they all share one common characteristic: They are required to log their actions. These logs are the records of user behaviors, including file accesses, e-mail activity and Web sites visited. The volume of computers and systems that can store or transmit data in a typical medium to large corporations makes manual monitoring the IT security controls as impossible as trying to listen to all the phone calls simultaneously.

The SIEM industry was born out of this frustration approximately seven years ago. A SIEM system is comprised of sophisticated software, which automates the monitoring of the various IT security controls, thereby enabling IT security teams to be alerted when suspicious activity may be taking place in their systems, either from internal or external sources. SIEM software accomplishes this by taking in all of the security events generated by these systems in real time as they are occurring, comparing them to known issues, correlating them with other events and alerting the security team only if an event or series of events requires their action. This makes for a much more efficient and effective IT security team, as well as a more complete response to incidents as they are identified.

One of the newer developments in the SIEM space has been the introduction of complete online, state-based incident response workflows, which enable security teams to maintain a complete audit trail of how an incident was handled, including user signoff and time stamps for full remediation and completion of the given incident. This facilitates a consistent, repeatable process for the handling of all incidents as they are identified.

Some may be wondering what this has to do with the convergence of physical and IT security? The disciplines associated with physical security teams and IT security teams are quite specialized and should be treated uniquely, as they have been by nearly every organization. While the disciplines and operations of the two security organizations warrant separately focused operations, there are some common traits they share. To begin with, both share an objective of protecting corporate assets and have implemented controls that provide safe environments for people to work effectively. Secondly, both areas have implemented some type of monitoring to ensure the effectiveness of the controls in place and have detailed response plans that are executed when an incident is uncovered.

If one begins to look at the types of controls that are in place for IT security, it is easy to see how these controls parallel those of the physical security realm. To better understand how the tools used by the IT security department can be extended to the physical security team, think of the network in terms of a facility. There are entry points, controlled areas inside the facility and the ability to see an individual move throughout it.

A classical SIEM implementation monitors a network looking for unauthorized entry or unusual patterns of access and alerts the IT security team regarding the possible intrusion. Since most physical security systems maintain a log that records entry and exit from the facility and access to controlled areas, it is not difficult to imagine how an SIEM system can monitor activity and alert the physical security team about any access patterns which are of concern to them. Imagine how difficult it would be for a security officer to detect an individual that is trying to gain access to multiple controlled areas for which they have not been granted permission to access.

It would be difficult to detect that kind of activity quickly enough to react. However, if a SIEM system were monitoring the log, a correlation rule can be developed to look for such a pattern. Once that pattern is detected, the security team could be notified in time to dispatch an officer to the last known location of the person to inquire about the activity. This example is merely one scenario where the extension of the IT SIEM system can allow the physical security team to be more effective. Cooperation between the two teams in using the tools available to one and extending its use to the other team is just one point of convergence which is a viable option today.

Discovering Other Realms
Another area where there has already been some convergence is in the realm of investigations. Usually, the physical security team has more experience with performing investigations, preparing and preserving evidence for possible prosecution. Experience with investigations into suspicious internal IT security events and actual incidents of external attempts to steal corporate information has shown that the most effective and complete prosecution of those operations was when the IT security team collaborated directly with a cooperative physical security team. True convergence occurs when the common goals of the two distinctly different organizations become a mutually supportive operation to protect a shared valued corporate asset.

In general, the physical security team has either direct law enforcement experience or at least, advanced training in investigative techniques. This valuable experience should not be overlooked by the IT security team that is increasingly called upon to investigate incidents and produce evidence suitable for use in prosecution. By working in a cooperative fashion with the physical security team and leveraging the workflow capabilities of a SIEM tool, both teams can build an approach to incidents that will ensure that all necessary resources are brought to bear in an investigation and that a formal process is followed, decreasing the chances for a loss of evidence due to mishandling. By formalizing the investigative process, teams can be more effective in responding to incidents.

People involved in IT security have been called upon to assist both physical security and law enforcement in gathering electronic evidence needed to corroborate physical evidence obtained in various investigations. It also has been necessary for IT to request the assistance of the physical security team to obtain evidence in collaboration with IT's electronic evidence.

Years ago, an IT security team leader at a major corporation said the IT security team had received information from a concerned department manager that indicated a potential misuse of user accounts to a critical financial system. Obviously, this investigation required technology expertise to research, but the possible internal nature of the threat meant that the human resources organization needed to be included in the handling of the case. The legal department also was included in an effort to ensure that any potential prosecution of an employee was properly grounded in facts so the corporation was protected from litigation.

The corporate security group was called, as well, because it was clear that whatever case the team could make with only electronic evidence was not going to be sufficient for HR and the legal department to move forward and take the appropriate action. The IT team was able to establish the time frame of the activity, and that it occurred on a computer inside of the facility, but could not determine if the account used was the actual employee assigned or someone else impersonating the authorized employee. The first step of collaboration between the teams was to compare the activity logs on the key financial and network systems with the building's badge access logs. This exercise allowed them to determine if the user accounts used in the suspicious activity were used by the actual employee and if he or she was inside or outside of the building. If the badge swipes did not match the access being used, then security had a clear indication that any use of his or her account was an impersonator. Maybe the impersonator stole a password or maybe the authorized employee left their computer logged in at the end of the day. Eliminating the authorized employee as a possible suspect by having clear evidence that they had left the facility when the suspicious activity occurred on the monitored IT systems enabled the team to focus on finding who was masquerading as an authorized user.

The next step of collaboration was to focus both physical and IT surveillance on a specific office in the building, as well as on a specific computer and on the true identity of the person illegally accessing critical corporate resources. Human resources and legal members of the incident response team needed absolute proof -- they wanted the culprit caught red-handed before taking any disciplinary action. To accomplish this, a coordinated and documented effort of physical and technical surveillance was implemented, focusing on observing a security breach in progress. The corporate security team installed some cameras in strategic locations, including in the office where the source of the accesses had been identified. The cameras were positioned to see the faces and the computer screens and, of course, time-stamped synchronous with the IT system log time stamps. By tying together the computer and network logs with the badge system logs and the synchronized video, the intruder, hired as part of the night cleaning crew, was caught and prosecuted. Without an integrated operation such as this one, there would have been no case without the combined skill sets of the corporate security team and the IT security team. The exploited exposure would have continued on without being stopped.

The IT team can assist the physical security team by bringing its control systems into the SIEM monitoring and incident alerting system, and the IT team can benefit from the investigative talent and tools resident in the physical security team. Complete convergence is a long way off, but there are a number of areas where willing participants from both disciplines can work together to make their programs more effective and efficient.