Could IODEF be a model for physec interoperability?

July 22, 2009

I've been reading this morning from the website CoverPages about Incident Object Description and Exchange Format (IODEF) , which " a format for Computer Security Incident Response Teams (CSIRTs) to exchange operational and statistical incident information among themselves, their constituency, and their collaborators. It can also provide the basis for the development of interoperable tools and procedures for incident reporting."

From what I've been reading, this is a common data format for describing computer/network security incidents. Besides the IODEF, there also is the IDMEF, which is the same type of data exchange format, execpt designed specifically for intrusion detection systems (and by intrusion detection systems, they mean the types of intrusion detection systems that identify hackers, not home break-ins).

The IDMEF is apparently a data system for all intrusion detection systems (which support the IDMEF format) to share data on an event. From what I can also tell, the IODEF isn't just for sharing data between automated systems, but it's also for the end users and authorities who have to investigate cyber security incidents, because it's designed to have input coming not only from automated systems, but also from the response teams

I was thinking as I read about this that there could be future applications for physical security event handling if such a data exchange format existed for our industry so that something like a physical intrusion detection system could start a "case file" and provide info on what the system saw (e.g., reporting a sensor tripped at 01:38 a.m., beam estimates intruder between 100-200 pounds, moving at approximately 6-10 mph), and then other systems (video surveillance, access control) could also be creating files on incidents. As an an example: Corridor 24 hallway camera detects motion at 01:39 a.m.. The access control system reports into this common format that a door to Office 118-A was forced open at 1:41 a.m. If done through a common data exchange format, all these separarate reports from these separate systems

In my thinking, there could be some real advantages here:

  • By using a common data format, you could easily export the data into a single case file document after an event. If the data format supported video, you could add video files to the case information.
  • During an event, because it's all in a standard data format, event information from a number of different systems (intrusion, access, video), could be joined together for responder notification. That could be sent to dispatch for security officers investigating active incidents.
  • For security officers, it could become a standardized system which they could add data back to
  • Finally, if such a data exchange format standard existed, you might also see it adopted by physical security information management systems as a way to pull data from systems that are not integrated (and there are a lot of these out there) for response coordination efforts.

Of course, all this would theoretically happen if we could develop a data exchange format standard for physical security events much like the IODEF for data security events. At this point, I'm not aware of any efforts in this direction, but then again, it wasn't long ago that we didn't have any groups working on standards for video surveillance interoperability. Whether this idea goes anywhere (or simply becomes yet another archived blog post), it's at least a pleasant idea to contemplate, as it seems like the kind of interoperability effort that could dramatically improve the efficiency of  our industry.