Computer Fraud & Security, July 2008

WAR & PEACE IN CYBERSPACE

Guaranteeing convergence in security management with consolidated log management

Dario Forte and Richard Power

Increases in harmful insider behaviour and fraud are refocusing attention on the need for convergence between physical and logical security. This article examines the various components of the issue from a high-level perspective.

The past three years have witnessed the investment of hundreds of millions of dollars by governments and companies (especially in the English-speaking world) in the convergence of physical and logical security. As we generally see in the infosecurity field, an initially technology-based approach has made the inevitable shift to higher levels. Hence, in addition to architectural convergence, the concept has also sent ripples through the organisational component, with security officers gaining an increasingly high profile and global status during the years 2002-2005.

What is the main reason for all of this? It is the need to enhance and ensure security governance at a time when the number of illicit acts committed by insiders is decreasing but the impact of each of them is increasing, both financially and legally.

Technicalities

As we write this, the number of projects requiring correlation of event data obtained via video surveillance, access control (biometric and other), RFID and other security methods is on the increase. This is because positive attribution of a given event to a specific physical user, instead of an abstract user account, is increasingly required, especially in the legal arena. In terms of architecture, the topic mainly concerns the following areas.

Physical access control

This refers to events generated by devices ranging from turnstiles to badges used to access various company facilities, areas or rooms. The security analyst generally verifies the existence of policies requiring the logging of said events and implements a series of countermeasures regarding the transmission of the data from the reader to the central location. These countermeasures are known as “locks”, i.e., anti-tampering measures applied to event acquisition, transmission and storage. Additional authentication systems are also usually implemented, such as biometric controls and enhanced badge management.

Identity and access management

IAM systems are now in wide use. Their most advanced implementations provide substantial integration between physical and logical security systems. While current IAM implementations tend to be tipped in favour of logical security, the most recent generations (and the most far-sighted projects) are designed to integrate with physical devices, thus streamlining authentication operations and allowing the use of the same credentials for different types of entry.

Video surveillance

This is an extremely promising area for the convergence of the two branches of security. The ability of a video surveillance system to integrate with other types of systems depends on what generation it belongs to: on its data management and storage capabilities, time stamping, etc. The latest-generation systems are able to produce information that conforms almost completely to that of “pure” logical applications. This allows events to be correlated and analysed in an organic manner, the only condition being the implementation of a number of forensic measures, described below.

SIM/SEIM

These tools identify anomalous events and respond to security incidents in an integrated fashion. They come in different types, but their essential function is to perform an organised analysis of the events generated by the various security applications, with the ultimate objective of providing a basis for concrete security governance decisions such as escalation, incident response, crises, artifact reconstruction, etc. They are very complex tools and are sometimes oversold by marketing personnel (supply side) and overestimated by users (demand side). Nevertheless, this category currently represents the
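The kind of correlation the SIM/SEIM passage describes, attributing a logical logon to a physical person by checking it against badge (physical access control) events, as an added example that is not from the article or its authors; the log line formats, the account-to-badge directory and the workstation-to-area map are constructed assumptions:

```python
# Added example (not from the article): attribute logical logons to a physical
# person by correlating them with badge (physical access control) events.
from datetime import datetime
# Constructed sample badge log: who entered or left which area, and when.
BADGE_LOG = """\
2008-07-01T08:02:11 BADGE-IN  emp=1042 area=HQ-3F
2008-07-01T08:05:40 BADGE-IN  emp=1077 area=HQ-3F
2008-07-01T17:31:02 BADGE-OUT emp=1042 area=HQ-3F
"""
# Constructed sample logon log from the logical side: account and workstation.
LOGON_LOG = """\
2008-07-01T08:04:55 LOGON account=jdoe host=WS-3F-17
2008-07-01T08:06:10 LOGON account=asmith host=WS-3F-02
2008-07-01T18:20:43 LOGON account=jdoe host=WS-3F-17
2008-07-01T09:15:00 LOGON account=bjones host=WS-5F-09
"""
# Assumed IAM directory (account -> badge number) and asset inventory
# (workstation -> physical area); both constructed for this example.
ACCOUNT_TO_EMP = {"jdoe": 1042, "asmith": 1077, "bjones": 1100}
HOST_TO_AREA = {"WS-3F-17": "HQ-3F", "WS-3F-02": "HQ-3F", "WS-5F-09": "HQ-5F"}

def parse(text):
    """Turn 'timestamp KIND k=v k=v' lines into (datetime, kind, attrs) tuples."""
    events = []
    for line in text.splitlines():
        ts, kind, *fields = line.split()
        events.append((datetime.fromisoformat(ts), kind,
                       dict(f.split("=", 1) for f in fields)))
    return events

def presence(badge_events):
    """Map (emp, area) -> [[entry, exit], ...]; exit is None while still inside."""
    inside = {}
    for ts, kind, a in sorted(badge_events, key=lambda e: e[0]):
        key = (int(a["emp"]), a["area"])
        if kind == "BADGE-IN":
            inside.setdefault(key, []).append([ts, None])
        elif kind == "BADGE-OUT" and inside.get(key) and inside[key][-1][1] is None:
            inside[key][-1][1] = ts  # close the most recent open interval
    return inside

def unattributed_logons(badge_text, logon_text):
    """Logons whose owner had not badged into the host's area (unknown ids flag too)."""
    inside, findings = presence(parse(badge_text)), []
    for ts, _kind, a in parse(logon_text):
        key = (ACCOUNT_TO_EMP.get(a["account"]), HOST_TO_AREA.get(a["host"]))
        # an open interval (exit None) counts as "still inside" at logon time
        if not any(s <= ts <= (e or ts) for s, e in inside.get(key, [])):
            findings.append((a["account"], a["host"], ts.isoformat()))
    return findings
```

On the constructed sample the evening logon by jdoe (after badging out) and the logon by bjones (no badge record for that floor) are returned for analyst review; the two morning logons are attributed to people who were physically present.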