Enterprises are adopting diverse security equipment to control physical security. Generally, log storage locations and the people responsible for security-related operations are separate, and only fragmentary information about major security issues is collected and reported to security personnel. It is difficult to operate a preventive, effective, and integrated security system with a small number of security personnel.
- Logs from each piece of security equipment are created and stored separately.
- Each piece of security equipment has its own operator, who uses it alongside other systems, while its log is rarely consulted.
- Unusual symptoms observed during operation are collected and reported to security personnel at regular intervals.
As shown above, each security system has a different operator, and the quality of the reported symptoms also varies with each operator’s skill set. For this reason, integrated security management systems are becoming necessary.
① Integrated Security Management, PSIM•SIEM
PSIM (Physical Security Information Management) refers to software that comprehensively manages the situation within a secured area by collecting and analyzing real-time data obtained from building administration systems (such as fire alarms and air conditioning) as well as security equipment such as access control terminals and video cameras.
It combines the data within a single system to manage physical security information instead of operating each system separately, and finds correlations among the different data sources to predict and prevent risks.
The objectives of PSIM, which provides reports in various forms for effective data transmission and system operation and supports a flow chart for immediate response to a threat, are as follows.
PSIM and SIEM are being used more due to market changes and the corporate need to operate and manage multiple systems with a single platform.
② Development toward “Integrated Log Management” and “Big Data Based Analytics”
Recently, security systems are being developed to collect logs from various kinds of security equipment and data systems and then analyze them with big data techniques, so that unusual symptoms can be detected for intensive management and reporting.
This type of integrated management is already being developed quite actively in the IT security field. The financial industry is especially aggressive in adopting it since they were mandated to establish a Fraud Detection System (FDS).
For example, the system detects unusual trades such as when “a stay-at-home mom’s credit card is used at a hostess bar” or when “a credit card is used in Vietnam only three hours after being used in Seoul”.
Many corporate security teams merge IT security equipment logs and physical security equipment logs to be analyzed together. Let’s take a look at some examples.
① Big Data based Security System Analyzing Unusual Symptoms
Existing RDB based monitoring solutions showed low performance in large-scale data management (slow data processing and search) and a cost structure that was high relative to the value of the data. To improve on them, integrated monitoring systems built on a big data architecture are being adopted for their low data storage cost and high-performance distributed processing.
The following is an example showing how an unusual symptom/action scenario is established through a physical security system log.
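The following Python script is an added example, not code from the article or from LG CNS, of the kind of scenario described here and in the FDS example above. It assumes two separate logs (an access-control badge reader and an endpoint login agent) have already been mapped onto one common event shape, and it runs two constructed scenarios over constructed sample events: a PC login at a site where the user is not badged in, and the “used in Vietnam three hours after Seoul” idea applied to badge events, using an assumed minimum travel time table. All event data, site names and travel times are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime

# Common event shape that each system's raw log is assumed to be mapped onto
# before correlation (a hypothetical schema, not any product's own format).
@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str   # "badge" = access control reader, "pc" = endpoint login agent
    user: str
    site: str     # building/campus where the reader or PC is located
    action: str   # "entry" | "exit" | "login"

# Assumed minimum travel time between two sites, in hours (constructed values).
# Pairs missing from the table are treated as unknown and are never flagged.
MIN_TRAVEL_HOURS = {("hanoi", "seoul"): 5.0}

def min_travel_hours(site_a, site_b):
    return MIN_TRAVEL_HOURS.get(tuple(sorted((site_a, site_b))), 0.0)

def _t(h, m):
    return datetime(2024, 3, 4, h, m)

# Constructed sample events from two separate logs, not in time order.
SAMPLE_EVENTS = [
    Event(_t(8, 55), "badge", "kim", "seoul", "entry"),
    Event(_t(9, 2), "pc", "kim", "seoul", "login"),      # normal: badged in first
    Event(_t(9, 10), "pc", "lee", "seoul", "login"),     # no badge entry for lee
    Event(_t(11, 30), "badge", "kim", "seoul", "exit"),
    Event(_t(13, 0), "badge", "kim", "hanoi", "entry"),  # 1.5 h after leaving Seoul
    Event(_t(7, 30), "badge", "park", "seoul", "entry"),
    Event(_t(7, 40), "badge", "park", "seoul", "exit"),
    Event(_t(10, 0), "badge", "park", "busan", "entry"), # no travel-time data: ignored
]

def login_without_presence(events):
    """Scenario 1: a PC login at a site where the user is not currently badged in.
    Returns (user, site, 'HH:MM') tuples in time order."""
    findings = []
    inside = set()  # (user, site) pairs currently inside according to the badge log
    for e in sorted(events, key=lambda e: e.ts):
        key = (e.user, e.site)
        if e.source == "badge" and e.action == "entry":
            inside.add(key)
        elif e.source == "badge" and e.action == "exit":
            inside.discard(key)
        elif e.source == "pc" and e.action == "login" and key not in inside:
            findings.append((e.user, e.site, e.ts.strftime("%H:%M")))
    return findings

def impossible_travel(events):
    """Scenario 2: consecutive badge events for one user at different sites that
    are closer in time than the assumed minimum travel time.
    Returns (user, from_site, to_site, hours_between) tuples."""
    findings = []
    last_seen = {}  # user -> (site, ts) of that user's most recent badge event
    for e in sorted(events, key=lambda e: e.ts):
        if e.source != "badge":
            continue
        prev = last_seen.get(e.user)
        if prev and prev[0] != e.site:
            gap_h = (e.ts - prev[1]).total_seconds() / 3600
            if gap_h < min_travel_hours(prev[0], e.site):
                findings.append((e.user, prev[0], e.site, round(gap_h, 1)))
        last_seen[e.user] = (e.site, e.ts)
    return findings

if __name__ == "__main__":
    print("login without presence:", login_without_presence(SAMPLE_EVENTS))
    print("impossible travel:", impossible_travel(SAMPLE_EVENTS))
```

Both scenarios deliberately work from the last badge event rather than from the last entry only, so a user who badged out and then appears at a distant site is measured from the time they left; and a site pair with no travel-time data is ignored rather than flagged, which keeps the rule from producing noise as new sites are added.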
② Utilization on Physical Security Management (Selective Security Search)
The system indexes the security situation using the analysis results on unusual behaviour patterns detected in IT systems and security logs (for example, the logs of security software on PCs), then identifies the patterns with high risk.
If this method is applied to selective security searches that concentrate on high-risk patterns, security searches can be operated more effectively while minimizing inconvenience to users and their hostility toward being searched.
When a security offence occurs, a big data system can be used to track down conspirators by analysing their “correlation” or “intimacy” with the offender, or to perform extra monitoring on the group showing “similar patterns” in order to prevent that type of security incident.
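One concrete form of the “correlation” analysis mentioned above, as an added example that is not part of the original article: given badge-reader events, score every other person by how often they passed the same door within a short window of the subject, and normalize by that person’s own activity so a very active employee is not ranked high merely for being everywhere. The events, names, doors and the two-minute window are constructed assumptions, and the output is a prioritization signal for investigators to verify against other evidence, not a finding in itself.

```python
from collections import Counter
from datetime import datetime, timedelta

def _t(h, m):
    return datetime(2024, 3, 4, h, m)

# Constructed badge-reader events: (person, door, time). Not real data.
BADGE_EVENTS = [
    ("subject", "door-A", _t(8, 50)),  ("alice", "door-A", _t(8, 51)),
    ("bob", "door-A", _t(8, 59)),      ("subject", "door-B", _t(12, 10)),
    ("alice", "door-B", _t(12, 11)),   ("carol", "door-B", _t(12, 12)),
    ("bob", "door-C", _t(17, 58)),     ("subject", "door-C", _t(18, 0)),
    ("alice", "door-C", _t(18, 3)),    ("carol", "door-C", _t(18, 30)),
]

def cooccurrence(events, subject, window=timedelta(minutes=2)):
    """For every person other than the subject, count their badge events that fall
    at the same door within +/- window of one of the subject's events, and the
    fraction of that person's own events this represents.
    Returns {person: (count, fraction)}."""
    subject_events = [(door, ts) for p, door, ts in events if p == subject]
    hits, totals = Counter(), Counter()
    for person, door, ts in events:
        if person == subject:
            continue
        totals[person] += 1
        if any(door == sd and abs(ts - sts) <= window for sd, sts in subject_events):
            hits[person] += 1
    return {p: (hits[p], round(hits[p] / totals[p], 2)) for p in totals}

def ranked(scores, min_count=1):
    """People ordered by co-occurrence count, then fraction, then name; people
    below min_count are dropped so the list stays short for review."""
    ordered = sorted(scores.items(), key=lambda kv: (-kv[1][0], -kv[1][1], kv[0]))
    return [p for p, (count, _) in ordered if count >= min_count]

if __name__ == "__main__":
    scores = cooccurrence(BADGE_EVENTS, "subject")
    for person in ranked(scores):
        print(person, scores[person])
```

The same counting works unchanged for “similar pattern” monitoring: replace the subject’s events with the events that make up a recorded incident scenario, and the ranking lists the people whose badge activity most resembles it.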
③ Connecting to Video Security Systems
Mapping the security cameras connected to a Video Management System (VMS), or creating an alarm event log by linking the cameras to an intelligent video surveillance system, allows video tracking of unusual symptoms, which supports more specific identification and monitoring of unusual actions such as information breaches.
What is special about an intelligent video surveillance system is that it not only collects visual data but also monitors certain objects or actions automatically and warns the user when there is an incident. Once an unusual environment or action is detected, it alerts the user and at the same time passes the alarm event log to the integrated security management system, so that the unusual symptoms can be managed comprehensively.
When this big data based security analysis system is established, the following elements should be considered.
- Defining establishment methods and control levels according to their purpose: defining the level suited to compliance requirements and the control purposes
- Interlocking and normalizing interpretable log fields: priorities of log interlock, appropriate selection, and log refinement
- Applying and visualizing analysis rules and threat information: defining threat scenarios suited to the risks and control purposes
- Establishing big data processing architecture: EPS (Event Per Second), data storage period, network bandwidth, etc.
- Security operation process: Defining analysis organization, personnel, and process
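The normalization item in the list above is where most integration effort goes, because every piece of equipment writes a different format. The Python below is an added example, not code from the article or from LG CNS, of mapping three constructed raw formats (an access-control CSV line, a video-analytics alarm in key=value form, and an endpoint agent’s syslog line) onto one common schema with a per-source priority. The formats, field names, priorities and the assumed year for the year-less syslog timestamp are all illustrative assumptions; lines that match no known format are counted rather than silently dropped, since that count is the first sign that a log source has changed its format.

```python
import re
from datetime import datetime

# Constructed raw lines in three hypothetical formats; they imitate no
# specific product's output.
SAMPLE_LINES = [
    "2024-03-04 08:55:12,READER-B1-01,kim,GRANTED",
    "ts=2024-03-04T09:10:03 cam=CAM-7 rule=loitering zone=server_room",
    "Mar  4 09:02:40 pc-kim EDR[412]: user=kim event=usb_insert device=SanDisk",
    "this line matches none of the known formats",
]

# Assumed priority of each source when analysts triage interlocked logs.
SOURCE_PRIORITY = {"access_control": 2, "video": 1, "edr": 3}

ACCESS_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),([^,]+),([^,]+),(GRANTED|DENIED)$")
VIDEO_RE = re.compile(r"^ts=(\S+) cam=(\S+) rule=(\S+) zone=(\S+)$")
EDR_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) EDR\[\d+\]: (.*)$")

def _kv(text):
    """Split 'k=v k=v' into a dict."""
    return dict(pair.split("=", 1) for pair in text.split())

def parse_access(m):
    return {"ts": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
            "source": "access_control", "user": m.group(3),
            "location": m.group(2), "action": "entry_" + m.group(4).lower()}

def parse_video(m):
    return {"ts": datetime.fromisoformat(m.group(1)), "source": "video",
            "user": None, "location": m.group(4), "action": m.group(3)}

def parse_edr(m, year=2024):
    # Syslog timestamps carry no year; the collector's year is assumed here.
    fields = _kv(m.group(3))
    return {"ts": datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S"),
            "source": "edr", "user": fields.get("user"),
            "location": m.group(2), "action": fields.get("event")}

PARSERS = [(ACCESS_RE, parse_access), (VIDEO_RE, parse_video), (EDR_RE, parse_edr)]

def normalize(lines):
    """Map raw lines onto the common schema.
    Returns (events sorted by time, number of lines no parser recognised)."""
    events, dropped = [], 0
    for line in lines:
        for regex, parser in PARSERS:
            m = regex.match(line)
            if m:
                ev = parser(m)
                ev["priority"] = SOURCE_PRIORITY[ev["source"]]
                ev["raw"] = line  # keep the original for the analyst
                events.append(ev)
                break
        else:
            dropped += 1
    events.sort(key=lambda ev: ev["ts"])
    return events, dropped

if __name__ == "__main__":
    evs, unparsed = normalize(SAMPLE_LINES)
    for ev in evs:
        print(ev["ts"], ev["source"], ev["user"], ev["location"], ev["action"])
    print("unparsed lines:", unparsed)
```

Once every source lands in this shape, the scenario rules (who badged in where, what happened on which PC, which camera zone raised an alarm) can be written once against the common fields instead of once per product.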
In addition, further interlock items should be defined to maximize the effectiveness of the integrated security system.
Consistent operational management, in which incidents that have occurred are recorded as scenarios, is important in order to investigate and prevent similar cases. It is also crucial to refine and update these scenarios through methods such as data mining, to create a better form of integrated security management.
Written by Won-Jib Kim, LG CNS