Made4Biz Dynamic Security Resources

 

Security Convergence Solutions

White Paper

Meeting strategic security requirements with the

Dynamic Security Product family


 

Executive Summary

Security technology for digital information has become an essential part of normal business operations as well as a national priority. The risk increases each year because government and business are increasingly dependent on ICT. New technologies such as Wi-Fi have specific vulnerabilities that increase the exposure. The threat posed by information theft and sabotage has spurred new regulations and standards such as ISO 17799, FISMA and the Sarbanes-Oxley Act.

Businesses and government agencies are seeking more effective risk mitigation to protect valuable or sensitive digital assets such as accounting records, customer information, proprietary trade secrets and confidential or classified data. Physical and IT safety products are proliferating to respond to this market. Coordinating the data and control capabilities of these different products and approaches has become a major concern for security management, but true convergent security solutions are lacking. Most security systems implement static access control. Users get the same rights at all times, even during holidays and off-work hours, creating opportunities for identity theft and unauthorized tampering. This creates a dangerous and needless exposure.

Made4Biz’s Dynamic Security systems are the first to seriously address the challenge of security convergence. They provide information security that is comprehensive, flexible and adaptive, encompassing both physical security and IT access security protection. Dynamic security solutions implement security policies that are location and time sensitive, and that can take into account threat levels, Homeland Security information and other data. They allow rapid and automated security incident handling in emergencies, when time and accuracy are essential.

Dynamic security minimizes unnecessary exposure by preventing access to data and facilities at times when access is illogical and unnecessary.

Dynamic Security’s open architecture brings a wide variety of isolated security technologies into a single, integrated framework. Critical alarms and alerts arrive at a single web-based console. All the information is pooled into a single system and used to enforce an adaptive, dynamic security policy. This makes the best use of physical, IT and human security management resources. It provides significantly improved, cost-effective risk mitigation for critical online business resources, assets and processes, from smaller organizations to multinational enterprise operations.

The Challenge

Security breaches are expensive. A recent ASIS report estimates that theft of intellectual property costs about $60 billion annually. A US GAO report (GAO-02-363) singles out identity theft as a major concern. Legislation to protect consumers places an increasingly stringent burden of responsibility on firms to ensure data security. According to AMR, in 2004, legislative compliance costs alone exceeded $10 billion, and that is only the beginning. Tough new legislation enacted in several states in the United States would fine firms tens of thousands of dollars a month for data security breaches. Europe, Japan and Canada have enacted similar statutes, and a US federal data protection statute is in the works, in addition to Sarbanes-Oxley, FISMA and other security legislation already in place. The additional legislation, the increasing opportunities for theft and mayhem presented by new technologies, and the increasing sophistication of thieves and vandals will require ever increasing investment in security solutions.

Identity Theft and Insider Attacks

Digital information systems are exposed to risk from thieves, embezzlers and saboteurs. These risks escalate with increasing dependence on digital storage, IP networks and wireless technology. The extent of the problem cannot even be properly estimated because of the difficulty of obtaining and pooling the data. A 2005 CSI/FBI study noted that respondents systematically failed to report security breaches for fear of negative impact on their firms' image and stock price.

The top concerns are identity theft and insider attacks. In 2005, consumer complaints about identity theft accounted for 37% of all complaints according to the FTC. According to the FBI, in over 85% of the cases the thief will use a peer’s credentials to cover up his or her activities, a technique called ‘Internal Identity Theft’. In over 90% of the cases the predator will exercise the ID theft while the peer is off the premises.

Some notable recent examples of identity theft:

  • Insider data theft at Acxiom Corporation cost it $5.8 million. Contract employee Daniel J. Baas was sentenced to 45 months in prison in March 2005 for stealing password files.

  • In February 2005, Choicepoint announced that thieves used stolen identities to create dummy businesses that mined identity data of as many as 145,000 people. The announcement caused a 25% drop in Choicepoint shares.

  • In May 2005, Wachovia Corp. and Bank of America Corp announced that financial records of over 100,000 customers had been stolen by bank employees and sold to collection agencies.

  • At CardSystems Solutions Inc., an "unauthorized individual" infiltrated the computer network and may have stolen as many as 40 million credit card numbers.

  • A data aggregator sold data to customers who used stolen identities to open accounts.

  • Thieves got around a data aggregator’s identity systems by using login names of former employees and guessing passwords.

     

Needless Exposure

A 2005 study funded by the Department of Homeland Security investigated the characteristics of insider computer crime. The study was conducted by the Secret Service National Threat Assessment Center (NTAC) and Carnegie Mellon University's Computer Emergency Response Team (CERT). The study is available at http://www.cert.org/archive/pdf/insidercross051105.pdf.

Some major relevant findings:

  • In 59% of the cases the attacks were carried out by disgruntled former employees or contractors.

  • The most frequent motive was revenge rather than personal gain.

  • 58% of the attacks took place after working hours.

  • Most of the attacks were executed by remote access.

  • Steps to terminate the former employee's rights were often incomplete and unsystematic.

  • Most of the insider attacks were detected only after the damage was done, when an irregularity appeared in the information system or a system became unavailable.

  • 75% of the attacks could only be detected by painstaking manual forensic examinations.

In summary, employers could have known of the attacks and sometimes did know, and could have prevented the attacks if an efficient mechanism had existed to:

  • Automatically and completely remove all rights of a terminated employee or contractor.

  • Automatically limit remote access (location-based access control).

  • Automatically limit after-hours and holiday access (time-based access control).

  • Automatically detect suspicious behavior patterns.

Rogues, thieves and vandals do not challenge the strong points of the system, which are the points that conventional security systems keep reinforcing. Instead, they identify and challenge the weak points of security systems that are not addressed by conventional security approaches. These are:

  • No coordination between subject location and subject access rights (location-based security).

  • No coordination between time of day and subject access rights (time-based security).

  • No method for systematic close-out of access rights.

  • No way to recognize suspicious usage patterns.

These weaknesses exist because there is no automatic intelligence to tie together disparate bits of information, to discern patterns and to carry out security procedures automatically.

Diminishing Returns

Behavior of rogues, thieves and vandals is adaptive. Therefore, attacks on the weak points identified above will grow in the future, shifting away from areas that are successfully protected by conventional methods. That means there is little point in investing in more security of the same kind, which will deliver less and less protection. Buying additional security through conventional approaches is going to be increasingly expensive, and not very effective.

Multiple Data sources and Control Interfaces

Organizations use an increasing array of security systems and applications to meet rising IT and physical security needs. Such products include LAN and WAN security, Web security, systems security, applications security, ID management, authorization servers for single sign-on, intrusion detection and firewalls, as well as physical access protections using cards and biometric systems. These products do not exchange data, creating security islands that have different control interfaces and that can hide vital information. This "tower of Babel" presents a formidable challenge for security management.

Administrators have to be intimately familiar with different:

  • APIs

  • Protocols

  • Platforms

  • Disciplines

  • Credentials

  • Syntaxes

  • Know-how

This chaotic situation damages the organizational:

  • Security implementation quality

  • Time-to-response on security events

  • Security service level

  • Cost of managing the security

Lack of an integrated framework can cause missed alarms and allow suspicious usage patterns to go unnoticed. Administrators miss the Big Picture, unnecessarily exposing the system and increasing vulnerability.

Exposure due to static security implementations

A typical access control system stores security profiles of employees or other subjects that remain essentially unchanged as long as the user is part of the system.

A user has the same access rights during working days and working hours and when he or she is on vacation or traveling on business.

Bogus identities of absent users can be used to abuse the system. Off-hours access encourages tampering by rogue employees. Ideally, a security system would "know" when a user is on campus, off campus on business or away on vacation, and could adjust rights accordingly. Likewise, policy enforcement and incident handling may need to be different in normal times and when there are specific alerts. Unfortunately it is usually not practical to implement these adaptive changes with human administrators. The relevant information is not easily available or cannot be easily used for policy implementation.

 

Synergy

The plethora of new security systems and technologies has a great potential for synergistic function, provided they can be made to work together. Preventing identity theft is a perfect example of how synergy between systems can mitigate risk.

If the physical access system "knows" that Joe Smith is not in the office because he checked out, the authorization server can prevent Smith from logging in from office computers, provided there is a smart system that can coordinate between the authorization server and the physical access system. If someone does log in using Smith's ID, this event can be recorded and cause an alert. If the smart system can recognize patterns, it can also detect suspicious events such as attempts by "Joe Smith" to enter the premises when the real Joe Smith has already entered. Since Joe Smith cannot really enter twice, and Joe Smith cannot log in to an office computer if he is really at home, these correlations of events imply that identity thefts are in progress and should signal alarms. However, on large campuses, only an intelligent automated system could reliably "remember" and recognize such patterns.

Convergence of information from the different security systems could plug most of the holes currently used for insider attacks and identity thefts.
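The two correlations described above (an office login by a user whose badge record says he is off campus, and a second badge-in for a user already inside) as a small presence-aware correlator; this is an added example, not Made4Biz code, and the event fields, user names and timestamps are constructed.

```python
"""Presence-aware correlation of badge and login events (added example).

Keeps a per-user "on campus" flag from the physical access system and
checks each ICT login against it. Field names and sample data are
constructed assumptions, not the product's message format.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class Event:
    ts: str          # ISO-8601 timestamp (constructed sample data)
    kind: str        # "badge_in" | "badge_out" | "login"
    user: str
    where: str = ""  # for logins: "office" workstation or "remote"


@dataclass
class Alert:
    ts: str
    user: str
    rule: str
    detail: str


@dataclass
class PresenceCorrelator:
    """Tracks who is on campus and flags contradictory events."""
    on_campus: Set[str] = field(default_factory=set)

    def process(self, ev: Event) -> Optional[Alert]:
        if ev.kind == "badge_in":
            if ev.user in self.on_campus:
                # The real person cannot enter twice without leaving first.
                return Alert(ev.ts, ev.user, "DUPLICATE_ENTRY",
                             "badge-in while already recorded on campus")
            self.on_campus.add(ev.user)
        elif ev.kind == "badge_out":
            self.on_campus.discard(ev.user)
        elif ev.kind == "login" and ev.where == "office":
            if ev.user not in self.on_campus:
                # Office workstation login under an ID whose owner the
                # badge system says is not in the building.
                return Alert(ev.ts, ev.user, "LOGIN_WHILE_ABSENT",
                             "office login but user is badged out")
        return None


def correlate(events: List[Event]) -> List[Alert]:
    """Replay events in timestamp order through a fresh correlator."""
    corr = PresenceCorrelator()
    alerts: List[Alert] = []
    for ev in sorted(events, key=lambda e: e.ts):
        alert = corr.process(ev)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample stream: Smith badges in, logs in, badges out, then an
# office login appears under his ID; Jones's badge is presented twice.
SAMPLE_EVENTS = [
    Event("2005-11-08T08:02:00", "badge_in", "jsmith"),
    Event("2005-11-08T08:05:00", "login", "jsmith", "office"),
    Event("2005-11-08T17:30:00", "badge_out", "jsmith"),
    Event("2005-11-08T21:15:00", "login", "jsmith", "office"),
    Event("2005-11-08T08:10:00", "badge_in", "mjones"),
    Event("2005-11-08T09:40:00", "badge_in", "mjones"),
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(a.ts, a.user, a.rule, "-", a.detail)
```

Logins from a remote channel are deliberately not judged by this rule; they are a matter for the time- and alert-level-based policy rather than for presence.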

Security Convergence

Not surprisingly, integration of the different physical and ICT security technologies, or security convergence, is becoming a major concern of security management for ICT systems. To help the different applications communicate, new standards and protocols such as PHYSBITS (Physical Security Bridge to IT Security), SAML (Security Assertion Markup Language) and GlobalPlatform have been proposed or adopted. Convergent applications can also take advantage of increasingly popular open information exchange standards such as SOAP and LDAP.

State of Convergence

Forrester estimated that in 2005, firms would treble spending on integration of physical and IT security systems. Physical Access Control, CCTV, RFID and others will be integrated with Single Sign-On, Identity Management, and security incident management into one holistic security process.

As shown in Table 1, ASIS estimated an increase of more than ten-fold in security convergence projects between 2005 and 2008. About 75% of this investment will be in the public sector.

Table 1: Forecast: Europe and North America Security Convergence spending

                                                          2004    2005    2006    2007    2008
Large convergence projects                                  19      68     175     382     856
Physical/logical access control                             50     150     413     903   1,656
Other joint IT-Physical security departments projects       13      45     118     246     406
Public sector: border control and law enforcement
  security convergence                                     410     820   1,899   4,202   8,003
Small projects - data center, communications security...    14      40     108     229     369
Total                                                      506   1,123   2,713   5,962  11,289

Source: ASIS, November 8, 2005

However, some of this activity may be missing the mark or creating new problems. Surveys showed that a significant percentage of respondents believed there was a fragmentation of risk management activities, which hindered unification of the risk management approach. This danger highlights the need for approaches and technology that can focus and centralize risk management functions.

Meeting the Challenge with Dynamic Security

Dynamic Security implements a different approach to meeting the security challenge. Instead of focusing more and more effort on the security holes already covered by conventional approaches, Dynamic Security brings together the data provided by the different physical and ICT security systems to implement security convergence. In this way, Dynamic Security is able to close the security gaps that are most frequently exploited by insider attacks and identity theft. Dynamic Security brings together physical and IT security information in one system, and subjects security events to the scrutiny of an expert pattern recognition system.

IT-Physical Security Convergence

Security convergence can reduce exposure by

  • Reducing access rights for off-premises employees;

  • Reducing access rights after hours;

  • Raising an alarm when suspicious usage patterns occur, before they can result in system breaches;

  • Automatically and systematically ensuring that accounts and rights of terminated employees are closed out;

  • Relating access rights to forensics information about particular employees.

Dynamic Security Products

Dynamic Security products at present include:

Dynamic Security (DS)

Dynamic Security (DS) helps you meet the challenge posed by convergent security needs. Dynamic Security acquires physical security information, such as entry and exit of employees to or from the campus or secure areas, and ICT events such as employees logging in to their workstations. DS limits access rights according to dynamically configured security profiles. It recognizes suspicious usage patterns, such as attempts to log in using the identities of absent employees, and implements automated security incident management, including barring of access and appropriate alerts and log entries.

Functions

  • Dynamic, rather than static, location-based security

  • Security incident management

  • Correlation, patterns and event management

  • Security policy management

  • Automation of security administration

  • Alignment of policies with Homeland Security (DHS) threat advisory levels

Applications

  • Dynamic Administration of automated security

  • Internal and external identity theft prevention

  • Dynamic IT access control

  • Dynamic control of physical ports and communications channels.

  • Dynamic physical access control for card based, biometric and other systems

  • Inventory control

  • Asset management

  • Device control

  • Forensic investigations

  • Security for rogue Wi-Fi networks

  • Desktop burglary sensor - senses suspicious activation of dormant computers in off-hours and automatically activates security measures.

  • Regulatory and standards compliance:

      • Sarbanes-Oxley

      • FISMA

      • ISO 17799

Features

  • Policy-based security - Flexible policy engine automates policy-based security, based on physical presence, threat levels and business rules.

  • Security Business Process Management (BPM) integrates security incidents and information that originated in disparate security products.

  • Convergence - Isolated islands-of-technology converge into a single coherent security system.

  • Automated Dynamic Provisioning of access rights.

  • Open Architecture - Standards-based technology seamlessly integrates with installed physical and IT security management systems.

  • Web Service and Service Oriented Architecture (SOA) based.

  • Intelligent System - Correlation and Pattern Recognition correlates events related to physical presence and network access.

  • Alarms - triggers alarms and prevents unauthorized use of IT resources.

Security Operations Center

The SOC is the control center of the Dynamic Security system. It is also available as a standalone security integration platform. The SOC allows security personnel to manage the entire campus security system from one place.

Functions

  • Security integration platform

  • Holistic security process management

  • Scheduler (event-driven and time-based)

  • Layout visualization

  • Log management

  • Coming soon - physical security integration

Applications

  • Standalone platform for integrating existing security functions

  • Integration of all the Dynamic product family into one comprehensive security business process

Dynamic Homeland Security*

Dynamic Homeland Security adds capabilities and functions to DS.

Additional Functions

  • GIS module

  • HTML form generation for Security Incident Reporting

  • Timeline visualization

  • External device integration:

      • Burglary Alarm

      • Fire Alarm

      • CCTV

      • Voice/Video recording and analysis

  • Espionage detection

  • Regional syndication

  • Integration with external systems:

      • Cisco IPICS

      • Any data source via Web services

Applications

  • Regional security

  • Campus physical security

  • Public facilities, enterprises, educational institutions, critical utilities, airports, seaports

  • Employee-vehicle relationship security

  • Visitor security management

  • Multiple site correlation

  • Safety monitoring

  • Visualization of hazardous areas

  • Municipal emergency management

Forensics-Based Investigations*

FBI adds an additional layer of functionality to Dynamic Security, allowing interaction with forensic databases and utilization of forensic information.

Additional Functions and capabilities

  • Hierarchical structured queries

  • Automatic investigation invocation

  • Ad-hoc investigation environment

  • Multi source virtual DBMS (XML, logs, DBMS, WMI, SNMP, LDAP, Search)

Applications

  • Security profiling and investigations

  • Fraud investigations

  • Compliance governance

Standards and Regulatory Compliance

Dynamic Security supports implementation of regulations and standards such as Sarbanes-Oxley, HIPAA, Basel II, ISO 17799 and FISMA. These standards require location-based and time-based security measures, auditing and forensic investigations, a security plan and a method of implementing it. These regulations and standards often include access control provisions that are difficult to implement without Dynamic Security.

Dynamic Security facilitates:

  • Location-based security

      • Physical presence

      • Department, machine and port restricted log-on

  • Time-based security

      • Working days

      • Working shifts

      • Irregular working hours

  • Activity-based security

      • What gets done?

      • By whom?

      • Correlation with role description

      • Follows sequences of events that fit known malicious patterns such as frauds

  • Forensic investigations and audit trails

      • Based on data generated by Dynamic Security

      • Based on data accumulated from external systems

Dynamic Security Technology

The underlying proprietary technology of Made4Biz includes:

The Security Operations Center (SOC) integrates security data and control of all systems.

The Pattern Recognition Engine detects predefined events, correlations and patterns within the stream of XML events.

The Business Process Management System (BPM) executes automated, coherent, business processes in response to physical and IT security events. The system supports full workflow process capabilities, including the embedding of human intervention and responses within workflows.

The Job Scheduler automates pre-scheduled time and date-dependent processes. The scheduler automates routines and supports implementation of time-sensitive dynamic security policies.

Context Based Security automates security incident management and the execution of the organizational policies in response to designated patterns of relevant security events. The system responds to the same event in different ways, depending on the alert state of the organization. The alert state can be set to track the DHS Security Alert System, which has already been adopted by a variety of Homeland Security applications.
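The context-based decision described here, and the location- and time-based controls the "In summary" list asked for earlier, as one access-decision function; this is an added example, not Made4Biz code, and the field names, rule thresholds and sample subjects are constructed assumptions (the alert scale uses the five colour levels of the DHS advisory system).

```python
"""Context-based access decision (added example).

The same login request is answered differently depending on whether the
subject's account is closed out, whether the badge system has him on
campus, whether the request falls inside his shift, and the organization's
current alert level. Thresholds and sample data are constructed.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Tuple

# Five colour levels of the DHS advisory system, lowest to highest.
ALERT_LEVELS = ["GREEN", "BLUE", "YELLOW", "ORANGE", "RED"]


@dataclass
class Subject:
    user: str
    terminated: bool      # rights closed out on termination
    on_campus: bool       # from the physical access system
    shift_start: int      # hour of day, inclusive (constructed field)
    shift_end: int        # hour of day, exclusive
    remote_allowed: bool  # is remote access provisioned at all?


@dataclass
class Request:
    user: str
    when: datetime
    channel: str          # "office" workstation or "remote" access


def decide(subj: Subject, req: Request, alert_level: str) -> Tuple[str, str]:
    """Return (decision, reason); decision is ALLOW, ALLOW_ALERT or DENY.

    Rules run from hardest to softest: closed-out account, then location,
    then time of day, then the organization-wide alert level.
    """
    level = ALERT_LEVELS.index(alert_level)
    if subj.terminated:
        return "DENY", "rights closed out for terminated subject"
    if req.channel == "office" and not subj.on_campus:
        return "DENY", "office login while subject is off campus"
    if req.channel == "remote" and not subj.remote_allowed:
        return "DENY", "remote access not provisioned"
    in_shift = subj.shift_start <= req.when.hour < subj.shift_end
    workday = req.when.weekday() < 5
    if not (in_shift and workday):
        # After-hours use of the ID: refused outright at ORANGE or above,
        # allowed but logged as an incident below that.
        if level >= ALERT_LEVELS.index("ORANGE"):
            return "DENY", "after-hours access refused at elevated alert"
        return "ALLOW_ALERT", "after-hours access, incident logged"
    if req.channel == "remote" and level >= ALERT_LEVELS.index("RED"):
        return "DENY", "remote access suspended at RED"
    return "ALLOW", "within policy"


# Constructed sample subject: day shift 08:00-18:00, remote access allowed.
SMITH = Subject("jsmith", False, True, 8, 18, True)

if __name__ == "__main__":
    late = Request("jsmith", datetime(2005, 11, 8, 22, 0), "office")
    for lvl in ("GREEN", "ORANGE"):
        print(lvl, decide(SMITH, late, lvl))
```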

Forensics-based Investigation (FBI) supports data accumulation and analysis. The system supports multiple logs and facilitates the correlation of multiple data streams. The facility permits an organization to maintain specialized logs that track information relevant for different parties, such as campus security officers or internal auditors.

External Source agents track updates in a database, XML file, Web service or text file (such as logs). On detecting an update, an agent parses the new record into an XML message and sends it to Dynamic Security's queue for processing by the event manager. The agents are used mainly for integrating external physical security systems into Dynamic Security's business processes.

About Made4Biz Security

Made4Biz Security Inc. is a solutions supplier of critical industry security needs. The company develops software that automates the administration of organizational security related tasks. The Made4Biz team has broad security expertise and brings an exceptional understanding of the marketplace and business needs to all aspects of security management.


*Starred products are under development and scheduled for release

 

 
