
obituary

Canadian government gets hacked. How secure is your network?

Thursday, February 17, 2011

One of the hottest topics at this year's TechSec Solutions conference was the issue of cybersecurity. While it's traditionally the role of IT security to protect a company against cyber attacks, security practitioners have a role to play as well. During his keynote address, Gareth Webley had an interesting point:

"Physical security devices on the network must have the right information security controls. I've found that physical security devices that are IP enabled without the right information security measures are more dangerous than not putting anything on the network."

(You can read more details about his keynote address here.)

In other words, he thinks it's more risky for an organization to put a non-secure video camera on the network than not to have that camera in place at all.

During TechSec, I talked to several attendees about the challenges of educating employees about cybersecurity. One of them told me a story about how one of their executives divulged private information, including login and password information that compromised the company's network. Talk about an IT security manager's nightmare.

Well, apparently even high-ranking government employees are equally susceptible. I just read this CNN story about how two Canadian government agencies were hacked in January due in part to employee negligence:

The hackers took over computers in the executive offices of the Finance Department and the Treasury Board, unnamed sources told the network. They then sent fake e-mails to government computer techs and other employees to get them to divulge sensitive passwords in a technique known as executive spear-phishing.

Apparently, Canadian officials disabled the two departments' internet connections for a time to halt any loss of data, but that's what I would tell the public and media, too. The article suggests China was involved, which is no big surprise.

How worried are you about cybersecurity? Do you think your organization is doing enough to educate employees about security protocol? What's the role of physical security in this or is it just the IT department's problem?

Video analytic roundtable - The last session

Tuesday, February 2, 2010

Last session of the conference. Roundtable discussion about video analytics. Panelists are:

Erick Eaton, BRS Labs
Doug Marman, VideoIQ
David McGuinness, ObjectVideo
Carolyn Ramsey, Honeywell
Moti Shabtai, NICE Systems
John Whiteman, ioimage
Sam Pfeifle, Security Systems News (moderator)

Important in understanding video analytics is understanding customers' needs.

Sam: Just motion detector with video?
Eric: Analytics describe broad array of how pixels are changing. Other approaches where object tracking and try to establish rules and rules and learning. All different and easy to slap a label on it and sometimes try to distance ourselves from video analytics not specific what trying to do.

Sam: What does algorithms mean and different approaches?
Eric: Misunderstanding what algorithms are. Algorithm is mathematical equation under the hood and built into user friendly tripwire draw on screen. What's difference between vendors? Are different approaches of science toward computer science.

Sam: If difficult to accomplish why proliferation of company and what say to market?
Moti: Has to do difference in implementing in lab and in field. Analytics great value for customer, but to do in lab it's quite easy.

Sam: What is meta-data and how contribute to analytics?
Carolyn: Think can consider separate and apart. Analytics trying to get video from it. Things we can predict in real time, set up a rule to look for certain things, but certain things we can't predict, but would like to know about. So metadata is description of things happen in video at any point in time, whether told system or not or just want to file away for later review. Many end users don't have time to look at video in real time and enabling them to sift through video and meta-data allows you to select what interesting opposed to digging.

Sam: How apply things? Seems like are sweet spots where people should expect some good results not as experimental. Where analytics work well?

Carolyn: Perimeter with designated time rules. At high level it's about predictability, easy for analytics to definitively say this rule has been broken.

Sam: Baseline for quality of system?
David: Typically 7 frames/second, number of pixels different images.
Indoor applications and think it gets back to resolution figure out how many cameras I need for a space. Those are some considerations. Also gets back to understanding what customer wants to accomplish.

Carolyn: Think it comes down to application. How much do you need to know about what that object is doing that determines how many pixels you need.

Sam: How do you compare different vendors? What data should we have?
Eric: Already asking for lab results in control environment. How effective is technology in field. More than lab test, field test results. Needs to be done by folks in security industry to analyze.

John: If we want to compare technologies I would suggest on probability and false alarm rate. Think important and go into real world and compare side by side and what accomplish and in our world it's vehicles or people or objects and determining what performs better.

Moti: Think way sell system. Company has policy to set expectation. Once realize what customer achieve enough experience and detection than I think set expectations right to avoid disappointment and get value from system. One thing if company is willing to do that exercise and analyze the problem, before buying the system.

Carolyn: Think difficult discussion because every customer wants plain and simple. The issue is what trying to do? What's next best alternatives.

Sam: Set up and go, zero configuration. That sounds good to integrators. Installation and configuration are questions that should be asked?
Doug: Doesn't need configuration and learns on its own. Another benefit is if environment changes doesn't matter.

Sam: What get with more sophistication? What's better and value?
Eric: What get from set-up time that putting up? Learns on its own. We're able to alert scene. Help you find things didn't know to look for.

Sam: What about configuration?
John: Each of 40 manufacturers take a different approach. The time up front we have looked at in past automated learning. From ROI standpoint most easily measured, what rich data generating didn't have access to before.

Sam: Hear a lot of: "I could do this." It seems like more theory than practicality?
Carolyn: Our experience that people don't like to be out of comfort zone. Take sales person based on cost successfully and makes quota and ask him to start talking about ROI. Think challenges as offerings become more complex and customers engaged in critical thinking about where spending dollars we have to help customers help themselves.

Sam: Do end users have communication in organizations to be able to convey to the marketing guy?
Moti: Sometimes meet champions have wider scope and open gate could be operations where ROI successful. More see fits in IT more willingness to approach others in businesses.

Doug: Perimeter detection has huge ROI so powerful, remote guarding is similar and remote doing far less expensive.

Sam: Impact on standards? And what most important to you?
Dave: First area of focus working on is events and make sure common outputs that are understandable from system to system. And we're also PSIA has pulled in industry so integrators participate and getting from different groups.

Moti: If industry find way to measure objectively on performance. In UK, put framework on companies with different scenarios like to see something like that going forward.

Carolyn: Don't think tests they put the product through serve 80% of customers. Absolutely critical is end user engagement saying these are the scenarios I face every day. I think if industry had that it would help end users make better, educated decisions.

Sam: How consolidate impact market?
John: Challenging question we are embarking on cooperation strategy. On some level we compete and other ways we bring added value. DVTel acquisition because there are no standards we had embarked on open partnership strategy. None embraced all abilities of technology.

Doug: Like idea of open system really big step but getting lost is dumb cameras attached but losing adding values of intelligent cameras.

Sam: Perception of analytic companies that looking for exit strategies. How deal with that?
David: Just came out of horrific economic times. Think video analytics starting to become strategic and people able to take positions today. We're comfortable with fewer players.

Sam: People say analytics should be a feature, not business alone. Can be business.
Eric: If look at expertise - takes specialized knowledge used to analyze content of video and retaining and innovating is critically important and always capabilities to advance technology.

Sam: Future look. Make some predictions about what see coming down pipeline that don't know now. Also, price. Perception that expensive, what pressures on pricing.

Carolyn: Price is interesting one and I think that people are always going to fight about price if no clear expectation of value. My feeling that in last two years we've heard fewer complaints about price. Interesting in down economy. I contribute to increasing awareness of value and help sales voice talk to specific applications and as soon case, what's next alternative?

Eric: Value proposition is key piece. How much more effective by putting technology in place? Price point components and continue to improve algorithms. Have balancing act that price same I would say in 3 to 5 years.

Moti: More verticalized solutions solving specific customer problems. Trends in price simple and low cost installations and also customers not compromise on solutions. Cost of security system, analytics not that much part.

John: Driving factors and think: Cost effectiveness, ease of use, interoperability and plug and play, liability. Product has to meet expectations and it can't be labwear, has to be proven.

Doug: We take approach we look at future analytics becomes free have cameras and it becomes free and it's just there. That's approach we take is instead as seeing as add on just trying to make smarter camera. In market has to have shake out of technologies that aren't adequate. And consequently installing these systems and having problems and thinking reflection on analytics.

John: For us part of future revolves around work doing at SafeCity and early deployment picking up intrusion and capability of next generation of algorithm to detect crowds and tracking, etc.

Questions:

Live from TechSec, take two

Tuesday, February 2, 2010

Next in the TechSec line-up is Bob Beliles with Hirsch Electronics, discussing how to extend trust and security to networked physical security.

11:35 The primary question: How can physical security help secure the network? The driving initiative is FISMA, which is something everyone needs to keep an eye on.

11:42 Key point: here is an entity (the fed gov't) with a requirement that any device on the network has to go through a battery of tests showing that it would basically not harm the network. As a consumer you should look at vendors who have had success in government because their devices tend to be more secure.

What's driving the idea that all devices need to have network security? PSIA, SmartCard Alliance, U.S. government, Trusted Computing Group (which is relatively new to us in physical security). They're publishing a road map and architecture for us. There's a plethora of protocols out there, so they have an architecture that picks which to support, basically aimed at making sure devices can be trusted and information on the network is secure at rest and when being transmitted through the network.

11:48 Trusted Network Connect (TNC) is an open architecture for network security that is completely vendor-neutral. There are devices on the network that make decisions based on pre-programmed policies. When putting cameras or a server on an IP network, here are some policies that these devices will have to meet:
1. Have to be authenticated with an identity management system that can vary from passwords to smartcards
2. Also check to make sure your device is healthy and run scans and virus protection regularly, patches are up-to-date, firewall is up and running and properly configured
3. Behavior must be acceptable and no port scanning, sending spam
4. Isolate and repair non-compliant endpoint and quarantine and say can't connect to network again until you remediate the problem.

11:53 Data at rest: how is it stored? Is it encrypted so it's not vulnerable? The takeaway: if you want to secure your device, think about using technology to encrypt the hard drive even when data is written to disk, and make sure it can't be vulnerable to infection.

12:11 How IT and physical security tends to be silo'd and there's not holistic approach to address a given threat or compliance policy. How do we address some of these problems?

To access the business IP network a user must be authenticated and must be in a valid physical location in addition to a verified identity.

Tailgating is a big issue. You must be badged into the building to be able to log into the network. Someone who is in the building and connected, but hasn't badged in, doesn't get network access. As a result you'll see an increase in compliance with policy. It also does some social reprogramming: being polite and holding the door open isn't beneficial.

12:15 Nice thing about approach is physical security folks don't have to feel like IT is taking over. I'm going to send certain information in secure fashion. Both sides should address the issues and be happy.

Also establish rule that must badge out and if trying to come in through VPN.

12:24 In summary, there's lot of concern and execs recognize that there are opportunities to improve security on both the IT and physical side of security. Need to make sure sending secure information, even if it's to your own devices. Make sure all devices are trusted and information is secured.

Lunchtime.
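The four endpoint policies listed at 11:48 and the badge-in requirement for network login, sketched as an added example that is not from the presentation or from any TNC implementation: a small policy decision function. All names (`Endpoint`, `users_inside`, `evaluate_access`, the behavior labels) and the sample data are hypothetical, and refusing a VPN login from a user still recorded as badged in is an assumed reading of the badge-out rule.

```python
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    QUARANTINE = "quarantine"  # policy 4: isolate until remediated
    DENY = "deny"


# Hypothetical labels a network monitor might report (policy 3).
FORBIDDEN_BEHAVIORS = {"port_scan", "spam"}


@dataclass
class Endpoint:
    device_id: str
    authenticated: bool        # policy 1: identity verified (password, smartcard, ...)
    antivirus_current: bool    # policy 2: health checks
    patches_current: bool
    firewall_enabled: bool
    behaviors: set = field(default_factory=set)


def users_inside(badge_events):
    """Replay ordered (user, 'in' | 'out') badge events; return who is in the building."""
    inside = set()
    for user, direction in badge_events:
        if direction == "in":
            inside.add(user)
        elif direction == "out":
            inside.discard(user)
        else:
            raise ValueError(f"unknown badge direction: {direction!r}")
    return inside


def evaluate_access(user, endpoint, via_vpn, inside):
    """Return (Decision, reasons) for one network login attempt."""
    if not endpoint.authenticated:
        return Decision.DENY, ["endpoint/user not authenticated"]

    # Physical location check: a local login needs a badge-in on record, so
    # someone who tailgated through the door gets no network access.
    if not via_vpn and user not in inside:
        return Decision.DENY, ["local login without badge-in"]
    # Assumption: a VPN login by someone still badged in is inconsistent.
    if via_vpn and user in inside:
        return Decision.DENY, ["VPN login while badged in"]

    # Health and behavior failures are repairable, so they lead to quarantine
    # with a remediation list rather than an outright denial.
    problems = []
    if not endpoint.antivirus_current:
        problems.append("antivirus out of date")
    if not endpoint.patches_current:
        problems.append("patches missing")
    if not endpoint.firewall_enabled:
        problems.append("firewall disabled")
    bad = endpoint.behaviors & FORBIDDEN_BEHAVIORS
    problems.extend(f"unacceptable behavior: {b}" for b in sorted(bad))
    if problems:
        return Decision.QUARANTINE, problems
    return Decision.ALLOW, []


if __name__ == "__main__":
    # Constructed sample data: alice badged in, bob badged in and out again.
    inside = users_inside([("alice", "in"), ("bob", "in"), ("bob", "out")])
    camera = Endpoint("cam-01", True, True, False, True, {"port_scan"})
    laptop = Endpoint("lap-07", True, True, True, True)
    print(evaluate_access("alice", laptop, False, inside))  # badged in, healthy
    print(evaluate_access("carol", laptop, False, inside))  # never badged in
    print(evaluate_access("alice", camera, False, inside))  # unhealthy endpoint
```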

TechSec live blogging

Tuesday, February 2, 2010

So I hate to brag, but I've gotten pretty good at this live blogging thing. I guess that whole "practice makes perfect" thing really does work. So here we are at TechSec Solutions in Delray Beach, Fla. It's another early morning after a long day of presentations and I'm still processing all the information, but excited to take in more today. The first session of the day is the Lightning Round about JPEG2000 Compression for HD Stream management / Video LifeCycle Management.

8am: Dave Tynan from Avigilon starts us out. A lot of information about JPEG2000 and how this technology has been applied in many different industries. (I think I spoke too early about being a master live blogger. I decided to do this as Dave's presentation was wrapping up. My bad.)

8:16 Charles Foley from Timesight is up. Massive change and I can really relate to the CSI paradigm. Reason because of commoditization of technology, which is why there's a proliferation of cameras. Now video is actionable data and it's possible because technology and economically it's feasible. There's a natural lifecycle to video. It becomes less important to customers over time, so don't need to keep over long periods of time. It also becomes too expensive. If it was free would you like to keep it longer? Most security directors say yes. But, the cost to keep the video is constant over time, so now we in security industry need to make it cheaper to keep it over long periods of time. Shrink it down further over time.

If you can afford to have higher resolution cameras you get better data and continue to compress it over time and the result is less storage price and still have usable data.

Customers slash storage costs by 60 to 90 percent is impressive for customers. Bottom line taken technology data centers and we recognize there's a natural life cycle and video declines in value over time and with today's technology video can also follow that life cycle and shrink over time and also you can have better video up front.

8:29 Steven Russell from 3VR is next. Smart recorders from 3VR are on top of video intelligence that are built on video search engine and in addition to storing video also actively analyzing information from video and correlating from other systems (i.e. POS) and all that external data is stored in a search engine and powers other applications.

Able to actively analyze and find tidbits of information that are more important than video itself such as facial recognition. Indexes faces and compare to every other person who walked into that bank, for example. Created a browsable web that allows you to search for faces along with transaction details. Even with a light network (56Kp), customers are able to pull back all the video they need.

8:38 Doug Marman with VideoIQ wraps it up. New trend in intelligent storage. Our industry when comes to IP video always taken approach that centralized storage makes the most sense. Unfortunately assumptions are not correct and create problem such as typical data center many users interacting with centralized area. When take a look at sensor network always better to store data at edge. 99.9 percent of time writing video and only 1% actually looking at video and puts different kind of strain on servers. IT crisis in data center because everyone's coming up with more data.

Often overlooked when take video, streamed, you have to have a certain amount of bandwidth. If you have IP cameras and network goes down you've lost all that video - that's a big risk, so often required different networks for video. Another problem is harddrive failure. When they fail you've lost the footage from how many cameras are recording to that harddrive.

VideoIQ iCVR has storage in cameras and video analytics. Store intelligently and some lifecycle management. Hard drive in camera has lots of storage and not taking up bandwidth with storage. Solution to come up with dying hard drive by putting 1GB of flash drive in it so hard drive is "asleep" 96 percent of time and does cold storage so that increases the life of the hard drive.

8:52 Q&A time:

For Dave: Are most companies supporting JPEG2000?

Dave: We find that most robust combination with JPEG coupled with megapixel cameras so gives most efficient compression technologies.

Q: RAID 5 not being as much of an effective solution?

Doug: Designed to write files. The problem with video streaming is that there isn't a break because always downloading and might not have a break until the harddrive is full and when you find an error you don't have a chance to regather that. When drives as small not such a big deal, but with terabyte showing up more and more often. Casinos, which have a lot of harddrives, we're starting to see issues come up on a regular basis where every few months they have a corruption problem where they lose all their data.

Steven: Straight mirroring. Found it was an education issue, now have RAID 5 not better than RAID 1.

Charles: RAID 5 system that are built for enterprise wouldn't find system have hard time keeping up. It's really the build time and if one fails goes to bigger drives and it takes longer to rebuild that failed drive and if a second fails before first repaired, that's where you're exposed.

Stay away from two terabyte drives, they're not ready for prime time.

Q: Merger of IT and physical of security one thing consider video out to camera level and would lose the storage there, it's cheaper to store but more vulnerable?

Doug: What happens to camera? Sending alarm clip so have redundant backup.

Q: JPEG - in network between cameras and server have 45 megapixel in part of stream?

Dave: You can have x number of cameras feed into server and drawing over to work station only what's necessary to display.

9:00 Session is over. Look at that, we finished up on time. That's a first.

TechSec, day 2

Friday, February 27, 2009

I'm a bit behind in posting my wrap-up of day two of our TechSec Solutions event because I spent most of the day traveling yesterday. I suppose I could have blogged on Wednesday night after the event wrapped-up, but I thought dinner and drinks were more important. Sorry ...

Anyway, day two kicked off with the Technology Lightning Round, a session that gave five manufacturers a chance to showcase their "cool" products to the audience. I was especially impressed with Vumii's camera, and Randall Foster's declaration that the company website is not "a porn site."

Next up was a great presentation by Paul Bodell, chief marketing officer for IQinVision and Bob Hellmuth, director of the Department of School Safety and Security for Montgomery County Public Schools. Bob outlined the huge security overhaul Montgomery has gone through since it experienced a few issues — once a guy came to the school with roses expecting to meet a girl he met online and another time, a gun went off. Lesichen is working on a story on this for next week's newswire so stay tuned.

Although turnout to the Cyber Insurance session, led by Privaris' Steve McDorman, was light it is my humble opinion that people missed out. Steve talked about how a company's desire to have cyber insurance will affect the physical security of an organization. Although the process to gain this type of coverage is more confusing and cumbersome than I can tackle in this forum, the bottom line is that stronger physical security protocols can equate to lower policy premiums. Rob Zivney said he's going to steal this as a sales tactic.

The final panel of the day was all about standards: ONVIF, PSIA, Smart Card Alliance and SIA. These groups are fighting it out for the title of best standards group but I think it might be best for them to all work together to complete this task. Are many standards better than one? As an end user, do you care about standards? Or do you just care whether or not products are interoperable?

I, along with the rest of the team here, put a lot of work into TechSec over the year (sometimes more work than I put into the book!) and there are always some positive and negatives. The negatives this year? Attendance was down. The positives? Quantity overcame quality. As I look to 2010, all I really want is to figure out how to make people stay for the closing session. And let's be honest, that might be more challenging than figuring out this whole convergence thing.

More Vegas, less hate

Tuesday, February 17, 2009

I just returned from a productive trip to the 2009 Milestone Integration Platform Symposium in Las Vegas. Yes, Vegas was cold (about 50 degrees at the high point) but the Milestone team put on a good event that brought out a "who's who" of the security industry. Today's story on the newswire outlines some of the sessions but I plan to write more for our April issue.

If you remember, I was pretty down on Vegas after my last trip. Well, it's back to having a warm place in my heart again. Red Rock was a neat property but be warned as it is an expensive cab ride from the airport and for some strange reason, all the restaurants in the hotel close at 11 pm. It's not like you can walk to another property next door like you can on the Strip. Thank god room service was still running.

Thanks to Milestone for the invitation — great chance to network and see everyone. Even if I will see them again for TechSec next week. See you there?

Johnson to keynote TechSec 2009

Wednesday, December 3, 2008

I am very pleased to announce that Jack Johnson, the former CSO of the Department of Homeland Security (not the singer), will be the keynote speaker at TechSec Solutions 2009, which will be held, once again, at Dallas' Fairmont Hotel Feb. 23-25.

Today, Johnson is a partner and managing director at PricewaterhouseCoopers' Washington Federal Practice. He has spent a lifetime working in law enforcement and corporate security roles, including stints in the Army, as a Fairfax County detective and more than 20 years in the Secret Service, before taking on his DHS role.

He now advises senior level government officials as a partner with PricewaterhouseCoopers, providing strategic planning for risk management, security technology and intelligence matters.

Johnson spoke at TechSec in 2006, when the event was held in Savannah, Ga., as part of a panel exploring the interaction between IT and security directors. Speaking with Steve Colo, chief security officer at SAIC, Johnson discussed the way that IP has forever changed the organizational framework of the security department and the relationship between physical security and IT.

I am very much looking forward to hearing his perspective in Dallas.

And the award goes to ...

Sunday, July 13, 2008

The Alliance for Enterprise Security Risk Management — a partnership of ASIS International and ISACA — is seeking nominations for its third annual AESRM Excellence in Security Convergence and Contribution to Enterprise Risk Management Award. The award was created to honor individuals who are leading the growing field of risk management and convergence.

“Understanding the convergence of physical and information security and how it fits within enterprise risk management is key to expanding the dialogue about security’s role in ERM,” said Emil D’Angelo, chair of AESRM. “Enterprises worldwide are recognizing the importance of collaboration among physical and information security to minimize risks most effectively.”

Individuals nominated for the award should exhibit leadership in improving the understanding of security’s role in enterprise security risk management throughout their organizations. Their work should involve people, processes and technology to manage security risks inside of a holistic model managing the enterprise risks. Additionally, nominees must demonstrate how they have shared their security risk management accomplishments with people outside of their organizations.

Nomination forms are available on the AESRM web site. The deadline for nominations is July 11, 2008. Nominees must be members in good standing of ASIS International or ISACA. Three representatives from each organization will judge the nomination forms.

So you want to know what you get out of it? The winner of the Excellence in Security Convergence and Contribution to ERM Award will receive an expenses-paid trip to the ASIS International 54th Annual Seminar and Exhibits in September. ("You've just won the AESRM Excellence in Convergence Award, Bob. What are you going to do now?" "I'm going to ASIS International!")

One of my favorite beer drinkers, Dave Tyson, previously chief security officer for the City of Vancouver, Canada and currently the senior director of information security operations at eBay in San Jose, Calif., is a past winner. He also served as a keynote speaker at TechSec in 2007.

There should be more time in a day

Friday, March 7, 2008
I have been swamped today wrapping up the most fabulous of fabulous IP Technology White Papers, a special supplement that will be inserted into our April issue that looks at the state of convergence and analytics, and includes a listing of the exhibitors at this year's TechSec. (When the issue comes out, take a look at the list. If you want to learn about IP, this proves that this is the event to be at next year.)

Anyway, in lieu of a long rant, here's an interesting story about federal funding for security programs on campuses. There have been too many violent incidents at schools lately and it's time to take another look at what we are doing. The story is from USA Today.

TechSec, Day 2

Friday, February 29, 2008

Well, after a very busy week I am back in the office and had the chance this morning to go over some more video from this week's TechSec Solutions conference. We've compiled some clips from Wednesday's educational sessions and exhibit hall as well as an interview from one of our attendees.

I just wanted to take the opportunity to thank everyone who attended this year's event – it could not continue to be a success without the support of our sponsors, speakers, exhibitors and attendees.

Until next year ...
