Addressing risks in real time: A convergence example

Due to the continuing rapid advancement of digital technologies, this year my expectations following the ASIS Annual Seminars and Exhibits conference in September were very high for applications that would address risks in ways that previously were not feasible. I kept my eyes and ears open for announcements along that line, and found exactly what I was looking for in a number of products and new product capabilities.

Q: What great convergence technologies or applications did you see at the conference?

One demonstration appealed to me above the others, because the use of two technologies enabled coordinated detection and response for both cyber and physical security threats across the two domains.

Arcsight ( is a visionary company whose Enterprise Security Manager is a leading product in the IT domain. Classified as a security information and event management tool (SIEM), it contains an optional Threat Response Manager module (TRM), that can not only detect new risk conditions in real time, but also take immediate remedial action — all based on rules made specifically for your business and its facilities. For example, if an access-controlled space containing critical data or materials is propped open, TRM can lock down the next layer of doors, extending the access restrictions outwards to the next access control layer, keeping the data or materials safe, and keeping regulatory compliance intact. It can also notify Security of the change — enabling officers to correctly deal with the temporary changes in access privileges. Furthermore, it can also notify Security of individuals who were already inside the newly extended protection zone at the time of the response, providing accurate situational awareness in seconds.

It would be extremely difficult to execute such a response through security officer procedures, and impossible to execute it in the near-immediate time frame of the system’s.

To implement this kind of capability requires that ArcSight’s Enterprise Security Manager is integrated with a physical access control system such as the PL-1000 from PlaSec (, which can exchange data with the system and accept response actions generated by its TRM module.

It’s a Two-Way Street

Responses to events in either domain can trigger an appropriate response from both domains, as the two worlds now have a rules-based correlation.

For example, if an authorized physical access occurred to a network equipment room, followed by an unauthorized logical change (such as a configuration change prohibited by IT policy) to any of the network equipment in that room, the system can lock down the network ports in that room, preventing someone from using a laptop computer to log onto any data systems or networks from inside the room. Furthermore, the system can generate the same kind of response in the PlaSec system (an alarm event on the alarm monitoring screen, and triggering the display related video on the overhead screens) that would automatically occur for a physical access violation or unauthorized access attempt at the network equipment room door.

Thus, security officers would know that an IT security incident was in progress, and could more properly interpret physical events in the vicinity. These examples just scratch the surface of what can be done.

ArcSight has developed a standard for promoting interoperability between various event- or log-generating devices, called the Common Event Format (CEF). It can be readily adopted by vendors of both security and non-security devices. After the ASIS conference, I contacted ArcSight and asked them for information on CEF. In addition to their CEF White Paper, I also received the PlaSec Certified CEF Configuration Guide, which contains three pages of instructions for activating the ArcSight CEF connector, followed by an eight-page listing of how the data fields map from PlaSec events to the ArcSight CEF format. The integration is a snap and can be set up in minutes. The two devices communicate via the network.

The remainder of the work is setting up Enterprise Security Manager and its Threat Response Manager to recognize threats and vulnerabilities (i.e. risk conditions) and define appropriate responses. Planning what to do (i.e. the operational security responses) takes most of the time. After an introduction to the Threat Response Manager, setting up the rules and defining the responses is straightforward.

This is technology that puts you — the security practitioner — in the driver’s seat, with regard to a converged approach to real-time risk detection and response.

New question:

What webinars or educational materials have helped improve your understanding of convergence? If you have experience that relates to this question, or have other convergence experience you want to share, e-mail your answer to me at or call me at 949-831-6788. If you have a question you would like answered, I’d like to see it. We don’t need to reveal your name or company name in the column. I look forward to hearing from you!

Ray Bernard, PSP, CHS-III is the principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides security consulting services for public and private facilities. Mr. Bernard, a member of the Subject Matter Expert Faculty of the Security Executive Council, is founder and publisher of The Security Minute 60-second newsletter ( For more information about Ray Bernard and RBCS go to or call 949-831-6788.