CorpSec, Meet InfoSec. (And Vice Versa)

I once had a neighbor whose dank little basement was finished entirely in particle board. I remember him bragging during a party that the low-density sheets of sawmill shavings were lifted from some poorly monitored warehouse at work. “No one ever goes in there,” he joked, “and these boards would have just been thrown out. So, I figured I’d put ‘em to good use.” Welcome to theft rationalization, New Jersey-style.

As someone who does cyber security for a living, it’s impossible not to wonder how my neighbor, the Particle Board King, might have been prevented from stealing. Cameras, locks, and alarms would be the normal preventive measures – but these are mostly low-tech, and I seem to remember that he was actually part of his employer’s corporate security group. So, my neighbor would be like the fox tending to the lumber henhouse.

A better solution to this type of misuse would use more advanced technology, and would support principles such as segregation of duties and least privilege. Enter Alert Enterprise, a security company with a platform that integrates cyber, physical, and operational security measures. Jasvir Gill, their CEO, was kind enough to meet with me twice, including a detailed summary this past week of his company’s creative offering. Here’s what I learned:

“We focus on making security a true business enabler,” he explained, “by integrating security, risk, and access governance for information technology, physical, and SCADA into a common framework. The resulting span across these business areas creates critical insights into cross-functional activity that was previously invisible. Obviously, this results in a superior solution for protecting the enterprise from misuse.”

The Alert Enterprise architecture tracks Gill’s description. That is, the unifying base supports security, risk, and access governance, with connectors to IT, corporate, and OT protection systems. This seems such an obvious configuration that the uninitiated might wonder why it isn’t present in every corporate enterprise in the world. The answer lies in two big challenges: Normalization and silos. Let’s examine normalization first:

To normalize disparate systems for functions such as payroll protection (part of IT security), facility access control (part of corporate security), and equipment tamper protection (part of OT), the underlying data representations must be common. And while anything is possible, it is likely that these systems, in a typical environment, would have completely different means for representing data, identities, activity, and security rules.

To illustrate, let’s create a factory manager named Bob Smith, and let’s examine how he would interact with these three systems. First, the IT-based employee payroll system would likely represent Bob by an Active Directory-maintained user description. This would include Bob’s employee number, office address, telephone, business unit, supervisor, email address, public key, and so on. IAM protection rules would be established based on this information.

In contrast, the facility access control system would be managed quite differently from any IT system, perhaps via a commercial application running on some facility manager’s PC. Such badge applications are often connected to printers, and Bob’s data would be entered manually based on answers he scribbles onto a paper form. The likelihood for transcription errors is high, and the degree of integration with other IT systems is probably zero.

The OT/SCADA system for equipment tamper protection is probably also disconnected from IT and corporate systems. It might be proprietary to the equipment vendor, and managed by Bob using a special interface. Access to the equipment might be managed through application-defined accounts with no commonality to anything else in the company. If Bob is untrustworthy, it’s unlikely he would be caught tampering.

The Alert Enterprise platform addresses these scenarios by working with clients to normalize these disparate systems into a unified framework with common references. “We work hard to create common representations between these systems,” explained Gill, “but we also coordinate with our clients to help them establish the integration, especially if it involves a unique, proprietary system.”

The second major challenge to an integrated platform involves corporate silos. These are groups (sometimes entire business units) that create barriers around their organizational mission. Such barriers are often created by not sharing information or coordinating with other groups in the organization that might compete for resources. As you’d expect, the basic premise of the Alert Enterprise platform flies in the face of organization silos.

“One of the ways we help break down these silos,” explained Gill, “is by simplifying the process of integrating systems from IT, corporate, and OT into a common platform. We can at least ensure that complexity doesn’t contribute to the problem, and in many ways, by creating a more cooperative platform processing environment, we create a more cooperative work environment between these groups.”

The range of Alert Enterprise cross-functional use-case examples is quite extensive, ranging from detection of employees with too much access, to finding cases of bribery and smuggling. Gill explained that the general strategy is to find so-called outliers in the data. This involves detection of values, relations, or correlations in the data that might suggest something worth more investigation.

I shared with Jasvir Gill my enthusiasm for this approach, and honestly couldn’t think of any reason why a company wouldn’t benefit from such normalization. I did, however, share with him my experiences dealing with strong organization silos driven by differences in culture: CorpSec team in windbreakers drinking coffee from Styrofoam cups, and InfoSec team in jeans drinking lattes from Starbucks. You get the idea.

Nevertheless, this is a powerful concept – and if you are not already trying to normalize your IT, corporate, and OT systems, then give the Alert Enterprise team a call today and ask for a demo and quote. And after you install the system, if a guy from Jersey seems to be nosing around an old warehouse checking out stored planks of wood, you can rest assured that you’ll have a much better chance of catching him!

Please let us know what you learn.