Vous êtes sur la page 1sur 3


The Convergence of Logical and

Physical Security Solutions
omputer hacks aren’t just about bits viduals accessing Department of Defense sensitivity; and regulatory policy and
C and bytes; they can have real, quantifi-
able and destructive outcomes. Nobody
(DoD) systems must possess common
access cards (CAC). These cards, which
• Correlate information, detect anomalies
would contest that organizations require replace traditional identification cards and identify patterns.
physical security; further, very few organi- and feature an imbedded microchip, are • Reduce data overload and false positives.
zations would even consider doing busi- used for physical access to DoD facilities • Render the data through useful visuali-
ness without some type of IT security. as well as information systems — negating zation and reporting capabilities.
Prudence dictates that for physical the use of usernames and passwords. The • Provide advanced real-time and foren-
threats, physical monitoring solutions be card is also being explored for the Guest sics analysis.
leveraged to mitigate risk. If there are Worker Program and for the TSA • Facilitate integrated incident manage-
logical threats, then logical monitoring Registered Traveler Program. ment.
solutions should be used. And, if the Most CAC systems interact with • Allow rapid remediation for incident
threats converge, then the security solu- backed LDAP solutions such as Active response.
tions must converge as well. This sounds Directory. Access to secured networks and
simple, but the disciplines of physical servers will require a CAC. Additionally, As such, ESM is a core ingredient for
and logical security are highly disparate. they can be used for encrypting e-mail and successful convergence.
As such, getting the technology and the other logical security functions. The phys- Physical security groups are often for-
individuals to work synergistically can ical security and logical security informa- mer law enforcement, secret service,
be challenging. tion are synced through the CAC identifi- security guards and individuals with like
To truly gain a holistic perspective of er, creating a more efficient and scalable backgrounds. They often report through
an organization’s security posture and network infrastructure. For example, if a departments such as facilities, human
provide the right level of incident detec- government worker walked into a build- resources or legal, and focus on protecting
tion, physical and logical security solu- ing in Virginia, then 5 minutes later also property against fire, theft, vandalism
tions must converge. Here are some exam- accesses a sensitive server from a remote and illegal entry. At the core of their
ples of computer hacks that had direct VPN account in Germany, alarms would duties is observation — such as video sur-
repercussions on the physical world. be raised. veillance or hallway patrols — and then
• Armed with only a laptop and a stolen reporting what they observed via a writ-
data radio, an Australian hacker broke ESM Solutions ten summary of events during a shift.
into computerized a SCADA system One of the primary issues in the past Information security professionals usu-
(Supervisory Control And Data was simply trying to find a solution that ally have business and/or technical back-
Acquisition) and released 264,000 gal- could not only collect information from grounds. They typically report to a CIO,
lons of sewage into waterways in 2000. both physical and logical systems, but also CSO or an executive responsible for infor-
• The Davis-Besse nuclear plant in Ohio actually add real value beyond simple log mation security. Given the bifurcation in
had its safety systems disabled by SQL storage. This issue has been remedied IT and physical security backgrounds, the
Slammer for several hours. with the introduction of enterprise securi- varied expertise in each discipline, report-
• The CSX Railroad Corporation halted ty management (ESM) solutions. These ing structures and responsibilities for
passenger and freight train traffic solutions can: these groups, it is plain to see why there
because of a worm infection in their • Collect events from virtually anything hasn’t been a lot of synergy in the past.
telecommunications system. that generates logs and alerts.
• Apply business context, such as physical Collaboration is Crucial
The U.S. government has already locations; user, group and department When IT and telephony began to con-
declared that before August 2006 all indi- information; asset relevance; content verge several years ago, there was a lot of

24 I IT DEFENSE I AUGUST 2006 www.itdefensemag.com


resistance on both sides, but over time,

most learned to co-exist. I can recall an
event early in my career where I was given
the responsibility of trying to track down
all analog phone lines, since they could
provide dial-up modem backdoors into the
corporate network and bypass firewall
controls. The project was called the “unau-
thorized modem abatement project.” It
should have been called “phone guys don’t
play with computer guys.”
Just the politics involved in getting IT
and telephony to work together on this
project took weeks of coaxing and execu-
tive intervention. Since there was no when they see anomalies in badge read- scheduled through e-mail, and that the
source for analog phone line data, a com- er logs such as one ID card being used message must have been a hoax.
bination of war dialers and PBX databases in two separate locations within a short However, when it came time to investi-
were used to find which analog lines were time frame. gate the incident after the fact, the teams
being billed against which departments. did work closely to determine the source
The telephony team had no interest in The Real World of the e-mails and pursue the criminals.
helping IT navigate the complexities of the One place where the need for these Another common issue is that the tech-
PBX. And when it finally came time to synergies became unmistakably apparent nology leveraged for physical and logical
actually start disabling the unnecessary was Guangzhou, China, which is about a security can be very different. Luckily,
analog lines, convincing the telephony 2-hour train ride west of Hong Kong. most modern solutions will generate logs
team to break their golden rule of “cause While there, I was meeting with a manu- and allow some type of integration with
no user disruptions” required more execu- facturing company that had recently expe- networked systems. If they don’t, then
tive sponsorship and coaxing for each line rienced an attack on their facilities. integration will require an upgrade. Also,
that was disconnected. It took almost a full Criminals had e-mailed individuals at the the two groups generally have different
year to disconnect, secure or find alterna- company stating they were representing approaches to technology. While IT
tives for about 1,300 analog lines. the Chinese equivalent of the fire depart- embraces new technologies, physical
Not all cases are this painful, and ment and were going to be conducting security personnel are usually more skep-
collaboration can be quite simple. For tests. The message was sent to the IT team, tical and standoffish about emerging tech-
example, there may need to be weekly which then forwarded it to the entire com- nologies in favor of tried and true meth-
meetings between physical and logical pany. The employees were told to ignore ods. It’s one thing if somebody can’t check
security managers. Tactically, it may any alarms and continue working. Shortly e-mail; it’s a more critical matter entirely if
encompass things such as the informa- after, the building was set afire. they can’t get in the building.
tion security group sending an e-mail Fortunately, after noticing smoke, the Another example: A financial institu-
warning staffers about a fast-moving employees were able to safely evacuate tion is in the midst of upgrading its physi-
Internet virus while the physical security and nobody was harmed. If the IT man- cal security badge readers. The current
group posts signs around the building as a agers had coordinated with the physical solution generates logs; however, it does so
secondary reminder. Or for the IT security security group, they would have discov- in line printer (lpr) format. This means that
team to notify the physical security team ered that these types of tests are never while you can send the lpr output to a

www.itdefensemag.com AUGUST 2006 I IT DEFENSE I 25


syslogNG daemon instead of an actual There are a number of solutions that can be tied
printer, you have to deal with things not
commonly associated with syslogs, such as together, such as RFID, HVAC, burglar/fire alarm
page numbers, hash marks and dashes
everywhere. Typically these issues can be systems, and timesheets, as well as vertical-specific
overcome with mature, enterprise security
monitoring solutions. Once the logs are solutions such as SCADA and fraud detection.
captured and normalized, the data itself
must be valuable.
Again, modern systems provide
valuable data such as time, user ID, loca- server’s OS and application logs on the as well as vertical-specific solutions such
tion, number of attempts, etc. As covered targeted system, an enterprise security as SCADA and fraud detection. Not all
in the CAC example with the DoD, this management (ESM) system correlating integration makes sense for every organi-
ID can be further associated with logical that data can trigger an event that zation, but for almost every organization,
access. With older physical security prompts the video camera to take a snap- convergence at some level can aid in risk
systems, the value of the logs is unclear at shot. The security analyst is alerted to the reduction and increase in operational effi-
best. However, as industry analysts have event, and with a mouse click on their ciencies.
been pointing out, because of increased ESM, they can display the photo. Since Convergence is achieved through
efficiencies and improved security, con- the video surveillance is fed to the physi- endurance; it’s not a sprint. Executive-
vergence is here, and if the current phys- cal security team’s CCTV system, that level sponsorship is a must, and even
ical systems can’t co-exist, they’ll ulti- team can also receive an ESM alert small victories will ultimately ensure that
mately require an upgrade. detailing which camera feed to observe. convergence is successful. For manage-
Another interesting video camera ment, this success will increase opera-
More Synergies example comes from a retailer, which tional efficiencies and mitigate risk, while
Convergence doesn’t stop and start with records countless hours of time-stamped adding to stronger ROI and enhanced
monitoring physical security access video. Since it is nearly impossible to go ROSI. Operationally, both physical and
controls. There are a number of other over every second of video, its main logical security teams will benefit from
areas where organizations have taken purpose is to act as a deterrent. However, broader event collection, incident detec-
advantage of synergies. One organiza- it can also assist in supporting investiga- tion, analysis, reporting, tracking and
tion that I worked with integrated video tions. This organization had cameras remediation. The integration will also
surveillance with traditional logical secu- positioned above point-of-sale (POS) facilitate tighter controls over regulatory
rity products. They have a number of registers. The transaction logs were sent compliance, policy and enhance security
systems that allow remote user access or over the network to an ESM for process- awareness. The net effect: convergence
administration. If somebody has to log ing. If suspicious register activity is will positively amplify your organization’s
on and make changes, they must do from detected within the ESM, the security security posture.
a local keyboard and monitor attached to team will receive an alert. The time-
the server. stamped video surveillance can be used Brian T. Contos, CISSP, is the Chief
This is somewhat common for to substantiate the alert and the IT secu- Security Officer of ArcSight.
mission-critical applications or devices rity team can work with the physical
containing highly sensitive data. These security team to review video.
systems are under 24-hour surveillance These examples only touch a few
by network-enabled cameras that are technologies and synergies that can be
capable of not only video recording, but leveraged with convergence. There
also taking still photographs that can be are a number of solutions that can be
automatically stored on a web server. tied together, such as RFID, HVAC, bur-
Based on suspicious activity derived from glar/fire alarm systems, and timesheets,

26 I IT DEFENSE I AUGUST 2006 www.itdefensemag.com