Convergence From the Inside Out

Convergence is the latest trend in the security industry, but does anyone really know the truth behind the trend?

CONVERGENCE seems to be the latest buzzword in the security industry. When searching the Internet with the terms "security convergence," one will find nearly 29,000 hits. Break the terms up and search individually and that number climbs to more than 200,000. While there is an incredible amount of talk on this subject, the action seems relatively unavailable. Media and analysts have deemed this to be a good thing, but the chasm which still exists between the physical security team and the IT security team seems wider than ever.

A significant portion of the blame for the separation between the two lies with corporate executives who usually put the network and information security group in the IT department while the physical security group is placed in the facilities department. This creates a natural barrier which is often difficult to penetrate. However, a portion of the blame also lies with the security professionals on both sides of the aisle.

It is obvious that the convergence of physical and information security will happen with or without the willing participation of professionals on both sides of the equation. One of the main issues with convergence is that it has been driven largely out of the information security side looking to get information from the physical security team. There are several areas of convergence that can be quickly taken advantage of, but the most obvious one is leveraging the security information and event management (SIEM) technologies now used for network security and applying them to the physical security arena.

Making It All Work
SIEM is a relatively new discipline within IT network security. It has grown out of the desire of information security managers to have a more comprehensive view of the events that might threaten the information assets their teams are chartered to protect. The most common problem IT organizations have encountered is that there are too many devices churning out too much information to allow a reasonably sized staff to monitor, identify and respond to true security incidents in a reasonable time. Just imagine a scenario where one can simultaneously listen to all of the phone calls being made in a typical company in a typical day. It would be virtually impossible to make sense of any one single conversation, not to mention detecting a conversation that might be suspicious.

The same is true with computer systems and networks where corporate information flows freely via software programs such as e-mail and accounting systems. IT security teams have spent years developing ways to hold users of corporate computers and networks accountable for their access and use of critical electronic corporate information. They have focused primarily on implementing IT controls such as user authentication, encryption systems, firewalls and others. While the purpose of each IT control varies significantly, they all share one common characteristic: They are required to log their actions. These logs are the records of user behaviors, including file accesses, e-mail activity and Web sites visited. The volume of computers and systems that can store or transmit data in a typical medium to large corporations makes manual monitoring the IT security controls as impossible as trying to listen to all the phone calls simultaneously.

The SIEM industry was born out of this frustration approximately seven years ago. A SIEM system is comprised of sophisticated software, which automates the monitoring of the various IT security controls, thereby enabling IT security teams to be alerted when suspicious activity may be taking place in their systems, either from internal or external sources. SIEM software accomplishes this by taking in all of the security events generated by these systems in real time as they are occurring, comparing them to known issues, correlating them with other events and alerting the security team only if an event or series of events requires their action. This makes for a much more efficient and effective IT security team, as well as a more complete response to incidents as they are identified.

One of the newer developments in the SIEM space has been the introduction of complete online, state-based incident response workflows, which enable security teams to maintain a complete audit trail of how an incident was handled, including user signoff and time stamps for full remediation and completion of the given incident. This facilitates a consistent, repeatable process for the handling of all incidents as they are identified.

Some may be wondering what this has to do with the convergence of physical and IT security? The disciplines associated with physical security teams and IT security teams are quite specialized and should be treated uniquely, as they have been by nearly every organization. While the disciplines and operations of the two security organizations warrant separately focused operations, there are some common traits they share. To begin with, both share an objective of protecting corporate assets and have implemented controls that provide safe environments for people to work effectively. Secondly, both areas have implemented some type of monitoring to ensure the effectiveness of the controls in place and have detailed response plans that are executed when an incident is uncovered.

If one begins to look at the types of controls that are in place for IT security, it is easy to see how these controls parallel those of the physical security realm. To better understand how the tools used by the IT security department can be extended to the physical security team, think of the network in terms of a facility. There are entry points, controlled areas inside the facility and the ability to see an individual move throughout it.

A classical SIEM implementation monitors a network looking for unauthorized entry or unusual patterns of access and alerts the IT security team regarding the possible intrusion. Since most physical security systems maintain a log that records entry and exit from the facility and access to controlled areas, it is not difficult to imagine how an SIEM system can monitor activity and alert the physical security team about any access patterns which are of concern to them. Imagine how difficult it would be for a security officer to detect an individual that is trying to gain access to multiple controlled areas for which they have not been granted permission to access.

It would be difficult to detect that kind of activity quickly enough to react. However, if a SIEM system were monitoring the log, a correlation rule can be developed to look for such a pattern. Once that pattern is detected, the security team could be notified in time to dispatch an officer to the last known location of the person to inquire about the activity. This example is merely one scenario where the extension of the IT SIEM system can allow the physical security team to be more effective. Cooperation between the two teams in using the tools available to one and extending its use to the other team is just one point of convergence which is a viable option today.

Discovering Other Realms
Another area where there has already been some convergence is in the realm of investigations. Usually, the physical security team has more experience with performing investigations, preparing and preserving evidence for possible prosecution. Experience with investigations into suspicious internal IT security events and actual incidents of external attempts to steal corporate information has shown that the most effective and complete prosecution of those operations was when the IT security team collaborated directly with a cooperative physical security team. True convergence occurs when the common goals of the two distinctly different organizations become a mutually supportive operation to protect a shared valued corporate asset.

In general, the physical security team has either direct law enforcement experience or at least, advanced training in investigative techniques. This valuable experience should not be overlooked by the IT security team that is increasingly called upon to investigate incidents and produce evidence suitable for use in prosecution. By working in a cooperative fashion with the physical security team and leveraging the workflow capabilities of a SIEM tool, both teams can build an approach to incidents that will ensure that all necessary resources are brought to bear in an investigation and that a formal process is followed, decreasing the chances for a loss of evidence due to mishandling. By formalizing the investigative process, teams can be more effective in responding to incidents.

People involved in IT security have been called upon to assist both physical security and law enforcement in gathering electronic evidence needed to corroborate physical evidence obtained in various investigations. It also has been necessary for IT to request the assistance of the physical security team to obtain evidence in collaboration with IT's electronic evidence.

Years ago, an IT security team leader at a major corporation said the IT security team had received information from a concerned department manager that indicated a potential misuse of user accounts to a critical financial system. Obviously, this investigation required technology expertise to research, but the possible internal nature of the threat meant that the human resources organization needed to be included in the handling of the case. The legal department also was included in an effort to ensure that any potential prosecution of an employee was properly grounded in facts so the corporation was protected from litigation.

The corporate security group was called, as well, because it was clear that whatever case the team could make with only electronic evidence was not going to be sufficient for HR and the legal department to move forward and take the appropriate action. The IT team was able to establish the time frame of the activity, and that it occurred on a computer inside of the facility, but could not determine if the account used was the actual employee assigned or someone else impersonating the authorized employee. The first step of collaboration between the teams was to compare the activity logs on the key financial and network systems with the building's badge access logs. This exercise allowed them to determine if the user accounts used in the suspicious activity were used by the actual employee and if he or she was inside or outside of the building. If the badge swipes did not match the access being used, then security had a clear indication that any use of his or her account was an impersonator. Maybe the impersonator stole a password or maybe the authorized employee left their computer logged in at the end of the day. Eliminating the authorized employee as a possible suspect by having clear evidence that they had left the facility when the suspicious activity occurred on the monitored IT systems enabled the team to focus on finding who was masquerading as an authorized user.

The next step of collaboration was to focus both physical and IT surveillance on a specific office in the building, as well as on a specific computer and on the true identity of the person illegally accessing critical corporate resources. Human resources and legal members of the incident response team needed absolute proof -- they wanted the culprit caught red-handed before taking any disciplinary action. To accomplish this, a coordinated and documented effort of physical and technical surveillance was implemented, focusing on observing a security breach in progress. The corporate security team installed some cameras in strategic locations, including in the office where the source of the accesses had been identified. The cameras were positioned to see the faces and the computer screens and, of course, time-stamped synchronous with the IT system log time stamps. By tying together the computer and network logs with the badge system logs and the synchronized video, the intruder, hired as part of the night cleaning crew, was caught and prosecuted. Without an integrated operation such as this one, there would have been no case without the combined skill sets of the corporate security team and the IT security team. The exploited exposure would have continued on without being stopped.

The IT team can assist the physical security team by bringing its control systems into the SIEM monitoring and incident alerting system, and the IT team can benefit from the investigative talent and tools resident in the physical security team. Complete convergence is a long way off, but there are a number of areas where willing participants from both disciplines can work together to make their programs more effective and efficient.


  • 12 Commercial Crime Sites to Do Your Research

    12 Commercial Crime Sites to Do Your Research

    Understanding crime statistics in your industry and area is crucial for making important decisions about your security budget. With so much information out there, how can you know which statistics to trust? Read Now

  • Boosting Safety and Efficiency

    Boosting Safety and Efficiency

    In alignment with the state of Mississippi’s mission of “Empowering Mississippi citizens to stay connected and engaged with their government,” Salient's CompleteView VMS is being installed throughout more than 150 state boards, commissions and agencies in order to ensure safety for thousands of constituents who access state services daily. Read Now

  • Live From GSX: Post-Show Review

    Live From GSX: Post-Show Review

    This year’s Live From GSX program was a rousing success! Again, we’d like to thank our partners, and IPVideo, for working with us and letting us broadcast their solutions to the industry. You can follow our Live From GSX 2023 page to keep up with post-show developments and announcements. And if you’re interested in working with us in 2024, please don’t hesitate to ask about our Live From programs for ISC West in March or next year’s GSX. Read Now

    • Industry Events
    • GSX
  • People Say the Funniest Things

    People Say the Funniest Things

    By all accounts, GSX version 2023 was completely successful. Apparently, there were plenty of mix-ups with the airlines and getting aircraft from the East Coast into Big D. I am all ears when I am in a gathering of people. You never know when a nugget of information might flip out. Read Now

    • Industry Events
    • GSX

Featured Cybersecurity


New Products

  • Luma x20

    Luma x20

    Snap One has announced its popular Luma x20 family of surveillance products now offers even greater security and privacy for home and business owners across the globe by giving them full control over integrators’ system access to view live and recorded video. According to Snap One Product Manager Derek Webb, the new “customer handoff” feature provides enhanced user control after initial installation, allowing the owners to have total privacy while also making it easy to reinstate integrator access when maintenance or assistance is required. This new feature is now available to all Luma x20 users globally. “The Luma x20 family of surveillance solutions provides excellent image and audio capture, and with the new customer handoff feature, it now offers absolute privacy for camera feeds and recordings,” Webb said. “With notifications and integrator access controlled through the powerful OvrC remote system management platform, it’s easy for integrators to give their clients full control of their footage and then to get temporary access from the client for any troubleshooting needs.” 3

  • PE80 Series

    PE80 Series by SARGENT / ED4000/PED5000 Series by Corbin Russwin

    ASSA ABLOY, a global leader in access solutions, has announced the launch of two next generation exit devices from long-standing leaders in the premium exit device market: the PE80 Series by SARGENT and the PED4000/PED5000 Series by Corbin Russwin. These new exit devices boast industry-first features that are specifically designed to provide enhanced safety, security and convenience, setting new standards for exit solutions. The SARGENT PE80 and Corbin Russwin PED4000/PED5000 Series exit devices are engineered to meet the ever-evolving needs of modern buildings. Featuring the high strength, security and durability that ASSA ABLOY is known for, the new exit devices deliver several innovative, industry-first features in addition to elegant design finishes for every opening. 3

  • Camden CM-221 Series Switches

    Camden CM-221 Series Switches

    Camden Door Controls is pleased to announce that, in response to soaring customer demand, it has expanded its range of ValueWave™ no-touch switches to include a narrow (slimline) version with manual override. This override button is designed to provide additional assurance that the request to exit switch will open a door, even if the no-touch sensor fails to operate. This new slimline switch also features a heavy gauge stainless steel faceplate, a red/green illuminated light ring, and is IP65 rated, making it ideal for indoor or outdoor use as part of an automatic door or access control system. ValueWave™ no-touch switches are designed for easy installation and trouble-free service in high traffic applications. In addition to this narrow version, the CM-221 & CM-222 Series switches are available in a range of other models with single and double gang heavy-gauge stainless steel faceplates and include illuminated light rings. 3