Last month Martha Entwistle, editor of Security Systems News, posted an interesting article commenting on the nature of PSIM (physical security information management) and a new report by IMS Research. First I’ll comment on the content of the report, and then I’ll comment on the origin of the term PSIM (which she credits to me).
Thanks for writing this article, Martha. As a security industry analyst for the last 15 years, I can say I’m not surprised. I’ve seen reports like IMS’ before. You can’t blame them for confusing the issue, really. Young researchers with no field security experience partially digest and regurgitate conversations with paying vendor marketing executives who have a tremendous stake in the status quo.
The article here says “IMS’s Wong notes that products such as VMS and ACS software, which meet some, but not all, of the criteria above, are not considered to be PSIM for the purposes of the report.”
Hmm. I read these functional descriptions and think to myself that if you simply combined any popular VMS and ACS, you’d have 80% of the functionality IMS declares to be PSIM. So what does that mean? A solution has to have 100% of these technical requirements to be considered PSIM? Does it mean that “real” PSIM is actually and merely the 20% delta of functionality between an access control/video solution and the remaining functions?
Regarding the term PSIM. Yes, I was the first person to publish the term PSIM and launch the global discussion on physical security information management. When Chuck Teubner, CEO of VidSys, was CEO of e-Security (around 2003-04), he and I sat in the e-Security offices and discussed a new idea I was working on in my research: Security Information Management (SIM) for the physical security world. At that time, SIM was a popular concept in IT security management. Sadly, after I left Forrester and could no longer control the Forrester-Gartner debate on the topic, the acronym degraded to the current, utterly ridiculous SIEM. Anyway, I digress.
About the same time, Kobi Huberman of NICE and I drew a PSIM-like diagram on the back of a napkin in London. He was the VP of corporate strategy for NICE. Shortly thereafter, ArcSight, a leading vendor in the IT SIM world, contacted me and we brainstormed about SIM for the physical security world. Then NetIQ guys started talking about a similar concept.
When Chuck Teubner called me again in 2006 and suggested that we name the new concept, PSIM was born. I published it on my blog then. I can also say definitively that VidSys was the first company to clarify the PSIM vision and set the standard for PSIM definition and execution.
As a footnote, NICE later got into the PSIM game by acquiring PSIM vendor Orsus in 2009. NetIQ guys started PSIM-vendor Proximex. ArcSight dabbled in PSIM but has not yet come up with an effective strategy to penetrate the market.
Please watch securitydreamer.com for more to come on PSIM.
If we limit the conversation just to the technology, you’ll hear me sing the praises of DVTel. The command center console is attractive and intuitive and very functional. I especially liked the simple, centralized management of video, access control, perimeter sensors and the flexible reporting capabilities. DVTel’s iSOC v6 is a refreshing reinvention of the standard command center interface.
A book I contributed to is available on Amazon. Warren Axelrod and Jennifer Bayuk edited this collection of essays on security and privacy.
I think it is a special, unique view of how physical and logical threats, plus dynamic business and compliance trends, are changing how security needs to be done. My chapter was on security as it relates to the Transportation industry. I took a logical and physical view of the problem.
Think your company takes data protection seriously? You may need to give it the dumpster diving test. This big bank was pretty surprised what I came up with.
Here is a blog post from HuntBI associate, Jeffrey Stutzman, CISSP. His post makes me wonder how many corporate networks will be infiltrated by malware when Olympics visitors come home and plug back in. -sh
What happens in Vegas stays in Vegas right?
What happens in China won’t necessarily stay in China.
What do I mean by that? In the Navy there was a sea story. It went something like this…
We pulled into <name your favorite port>. When we pulled in, the Captain came over the 1MC (the general shipboard loudspeaker system) and gave us a country brief. He told us to be careful. He told us that if we got into a fight, to win, and to be careful with the women- always. Sexually transmitted diseases ran wild in many of the ‘sailor ports’. The story I remember talked about how the hospital corpsman onboard the ship would use a Sharpie to put the name of the sailor on the pair of syringes used to rid us of whatever we picked up. The syringes were then stuck into a dartboard in the Chief’s Mess. As the story goes, the dartboard was always full.
So here’s the deal….
Chinese cyber spies WILL steal your stuff! When you get to China and use your computers to access the Internet, you will be monitored, and will almost assuredly download, or be pushed, software that will execute on your computer. This software will sit quietly on your computer, will not be detected by anti-virus or intrusion detection/prevention software, and will likely ‘phone home’ –send your data back to intelligence collectors in China. When you return home, that software will likely spread automatically to other computers that you connect to or communicate with via email or through the web. You will be infected. Be ready for it.
The problem? Antivirus vendors don’t have the syringes to fix you. It’s a sad state, but the protections currently loaded on your computers are designed to protect from the common threats –those that infect everybody. When a specific group of users are targeted –Olympic visitors for example, or maybe Olympic visitors staying at a specific hotel, or maybe Olympic visitors who work for or represent certain governments or industries, the methods of infection are not always the same. Smart intelligence collection operators won’t use the same tools on everyone. You know why? They don’t WANT antivirus and intrusion prevention vendors to be able to keep up! Even if they are successful 10% of the time, the number of journalists, politicians, and business people entertaining others will easily afford the cyber spies small pieces of information that they can combine with other small pieces of information to eventually put together the pieces of the puzzle –the BIG piece of information.
You should expect this. It shouldn’t come as a surprise.
A recent interview on CNN disclosed publicly (finally!) that over 3500 Chinese front companies exist in the US today solely for the purpose of collecting intelligence. It reported that cyber attacks on the Pentagon (and likely all of DoD) have increased 55% since 2007. References to other Chinese cyber attacks and information gathering run in the thousands on the Internet. A quick Google search for the words “Titan Rain”, the term coined by US Government officials to describe the coordinated information warfare being waged from Chinese sources, yields over four million hits.
Thousands (millions?) of influential people – business managers, politicians, journalists, you name it, have headed to China for the 2008 Summer Games. Don’t be a victim. Don’t allow your home/work networks to be victimized.
Here’s what you can do:
• Think like a spy…
  ◦ Leave your computer(s) at home. If you have to have one, take a clean one (one used only for surfing the web and sending emails).
  ◦ Use anonymous, encrypted email. The best spies never use computers to relay details of their exploits. If you must use a computer, create two anonymous accounts on an encrypted service such as Hushmail, an encrypted, web-based email service that scrambles your email. Use one account to send, and the other to receive. If you must send data to your company from China, give the second account to the intended recipient before leaving the country. Do not send the account and credentials by email. Kill or abandon those accounts after you return.
  ◦ Do not under any circumstances divulge your identity in email, even when using encrypted communications. This is a sure-fire way to give others those “small pieces of information” that can later be used to target you when you return home.
  ◦ Never use HTML-formatted email. All communications should be formatted as text only. Graphics and other fancy things that make your email sexy also make it very easy to hide viruses and Trojans in your email –those pieces of software that will later be used to send data back to China once you return home.
  ◦ Do not send email directly to a work address. Use the anonymous service. Software may get embedded in your outbound communications. That software will spread once opened by your intended recipient.
  ◦ When you do return home, expect to receive more junk e-mail. Spam, phishing, or spearphishing (targeted phishing) are easy ways to get you back into the collection network by embedding malicious software into HTML-formatted messages.
  ◦ Never forward or respond directly to emails received. If you need to respond to something, start with a fresh email, and format it in text only.
  ◦ When you return home, do not, under any circumstances, plug these computers into ANY network without first having them professionally cleaned and reloaded with a fresh version of Windows, or your operating system of choice.
Be safe. Be smart. I really don’t want to hear your IT guy bragging about the number of syringes in his dartboard!
Jeff Kessler’s blog is always informative and insightful. He is one of the most accomplished and recognized financial analysts covering security (while I write from the end user’s perspective). But I wish he posted more often. Jeff, you don’t have to write research papers for every post. Aim for Twitter, not Gone with the Wind. But lovin’ it just the same.
Measuring the business value of security convergence projects ain’t always easy but this discussion is a good start
I recently invited Jan Johansen, CEO of Hi-Tech Strategy Consulting, to join me in a discussion about security convergence. Many of you tried to listen in with no luck. Sorry about the technical difficulties, but now everything is up and running.
Join us as we discover the business value that convergence projects can provide for end-users. From the highest level of software and networking combining to do physical security better, all the way down to the people and processes that need to collaborate to work more effectively.
No matter which way you look at integrating IT with Physical Security, it’s a win-win.