This page contains a single entry from the blog posted on July 8, 2009 6:04 AM.

Security ops need for an integrated logical/physical security incident response system

Medium to large enterprises spend millions to tens of millions of dollars or more each year on security. The sad part is that much of this can be overcome by social engineering and/or coordinated physical/logical attacks.

Why would a potential commercial, criminal or intelligence attacker try to penetrate your logical perimeter defenses or your sophisticated electronic badging system when there are so many easier ways in? Instead they could tailgate through a door, plug a wireless network device into one of your internal network ports and begin mapping the internal network. Or, even easier, they could pay a member of the janitorial crew to install keyboard loggers on key personnel's desktops, harvest their user IDs and passwords, read over whatever those people have typed for the last days, weeks or even months and then begin to prepare an attack.

All of which makes mincemeat of the systems that people like me sell to senior management and then implement as a "secure" system. Many of our security systems are designed for the past, not for the present and the future. This post will focus on one portion of what I see as the future for security, namely the need to create an integrated logical/physical incident response system.

Today, in most enterprises, the IT security ops system and the physical security ops system operate separately. This is folly when it comes to monitoring combined attacks that span the physical and logical systems. An enterprise needs to detect an attack as fast as possible and then take action.

Part of the challenge is figuring out whether an attack is really an attack. When a network, database, application or content management anomaly is detected, it quickly needs to be tied to the identity that is performing it. In turn, that identity, or the IP port the anomaly is coming from, has to be physically located. This means quickly auditing backwards to see which facility, doors, rooms and cubicles the identity or network port is at. Only then can one begin to draw conclusions about whether an attack is in progress or whether it is a worker doing their job with an unusual task.

More than 10 years ago, while I was working under contract at Oblix in California, I had a vision. I saw in my mind an integrated physical and logical security system. There would be a three dimensional map of the planet indicating where an external attack was coming from that would then be displayed against the logical network, databases and applications. Overlaid on this would be a three dimensional display of the physical enterprise.

An incident management person would quickly be able to determine where a logical attack was coming from and then, if there was a physical component, see what rooms or physical network ports were involved. Today, with the advent of good IP-based cameras, my vision would expand to allow the incident manager to see whether there was any entry to the room, floor or building, look for door-ajar and other present or past warnings, quickly go back in time to see who had accessed the area and then draw conclusions.

This might lead to sending a physical security guard out to inspect or intercept, shutting down logical access, doing nothing beyond escalating to senior management while a watch was kept, or many other actions.
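As an added example (not the post's or any vendor's code, and using constructed port-inventory and badge-log data), here is the backwards audit described above in Python: tie an anomaly's user and network port to a room, pull that room's recent badge events and door warnings, and hand the incident manager a verdict rather than an automatic action:

```python
from datetime import datetime, timedelta

# Constructed sample data, not from the original post. A real system would pull
# these from the SIM, the switch/NAC port inventory and the PAC badge logs.
PORT_LOCATION = {                      # switch port -> (facility, room)
    "sw1/0/12": ("HQ", "Room 3-14"),
    "sw2/0/7": ("HQ", "Lobby"),
}
BADGE_LOG = [                          # (time, badge holder, facility, room, event)
    (datetime(2009, 7, 8, 5, 40), "jdoe", "HQ", "Room 3-14", "granted"),
    (datetime(2009, 7, 8, 5, 52), "contractor7", "HQ", "Room 3-14", "granted"),
    (datetime(2009, 7, 8, 5, 55), None, "HQ", "Room 3-14", "door-ajar"),
    (datetime(2009, 7, 8, 5, 58), "asmith", "Branch-2", "Lab", "granted"),
]


def badge_history(facility, room, at, window=timedelta(hours=2)):
    """Go back in time: every badge event at this room in the window before `at`."""
    return [e for e in BADGE_LOG
            if e[2] == facility and e[3] == room and at - window <= e[0] <= at]


def assess(anomaly):
    """Tie a logical anomaly (user, switch port, ISO timestamp) to the physical world.

    Returns (verdict, badge events) for the incident manager to judge; the
    decision to dispatch a guard or cut access is deliberately left to a person.
    """
    facility, room = PORT_LOCATION.get(anomaly["port"], (None, None))
    if facility is None:
        return "unknown-port", []          # port not in inventory: worth a look itself
    at = datetime.fromisoformat(anomaly["time"])
    events = badge_history(facility, room, at)
    people = {e[1] for e in events if e[1]}
    warnings = [e for e in events if e[4] != "granted"]
    if anomaly["user"] in people:
        verdict = "user-present"               # identity badged into the area
    elif people:
        verdict = "user-absent-others-present"  # someone else is at that port
    else:
        verdict = "user-absent-area-empty"      # credentials used, nobody badged in
    if warnings:
        verdict += "+door-warning"             # e.g. door-ajar alarm in the window
    return verdict, events
```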

At the time I had my vision, all of this was simply a dream since there was no way to get the log files in real time from all the many different perimeter defenses, physical security systems, applications, databases, identity and access management systems etc. Today, however, it is definitely possible.

Companies like ArcSight and other Security Information Management (SIM) vendors can collect and process many log files in real time. Using products like Quantum Secure, it is possible to integrate monitoring from disparate physical access control (PAC) vendors and route it to a central location. So getting the information to a central point is no longer the main obstacle.

Creating the interface is now possible too. Recently I saw a short clip from a US government sponsored system that shows, in three dimensions, the planet and attacks happening in real time against the perimeter defenses and the key internal applications, infrastructure, databases, etc.

What remains is to:
* Stitch this all together with an overlay of the physical enterprise
* Then the hard part: create the incident management logic

I believe the incident management logic will evolve over the next several years. It can be quite complicated. The first step is to create mostly manual systems where the security ops incident management person or team can draw their own conclusions and then act. Over time, parts of this will, in my own personal opinion, be automated.

I am looking for enterprises who are early adopters and vendors to work with to create my vision. If you're interested, please contact me.

Regards,
Guy
