9 questions to ask your vendors at ISC West 2018

April 3, 2018
Asking the right questions can help you cut through marketing jargon and get to real security needs and vulnerabilities

Security industry technologies are rapidly advancing in the areas listed below. There are many new entries into the industry, and only a few are included here. Collaboration among technology partners is at an all-time high, as there are more reasons and opportunities for collaboration.

Note that the numbers in parentheses, like (#12345), are the vendor show floor booth numbers.

  • Cybersecurity. Just a few years ago, only one security industry company – Axis Communications – had a product cybersecurity hardening guide. Today, security industry companies are starting to get their “IT act” together, and now 18 more companies provide hardening guidance and product cybersecurity features. The companies are listed in Question #1.
  • Standards. A cybersecurity point of improvement is the use of current (i.e. not outdated) IT standards, such as 256-bit AES encryption (not DES or Triple-DES/3DES), TLS 1.2 for HTTPS communications (not TLS 1.0, TLS 1.1 or any version of SSL), and SNMPv3 for device management (not SNMPv1 or SNMPv2c, which send the community string in clear text). Version numbers for protocols and standards are more important than ever before, and not all companies are keeping their technologies fully up to date. When encryption or network protocols come into the discussion, this is a point to check on, and to verify on the product itself rather than take from the data sheet.
  • Infrastructure Management. Today’s technology is interconnected and evolves significantly through software and firmware updates. Technology infrastructure becomes a critical issue the larger your deployments are. How do you regularly update firmware on hundreds or thousands of cameras? It requires IT-style automation and diagnostics, which is why Axis Device Manager (#14051) and Viakoo (#32009 with Stanley Security) are two examples of infrastructure management tools that are the way of the future.
  • Facility Physical Access Management. Access management is an area of physical security management that lags way behind the modern tools and approaches of IT. This is one reason why Lenel Systems (#18019) has introduced real-time policy controls for access management into its flagship product OnGuard, as well as many other improvements well worth looking at. Other companies who have already stepped up to that plate are AlertEnterprise (#3077) and RightCrowd (#30092).
  • Open Platforms. Having a published open API (Application Programming Interface – the way two applications talk to each other) is the way forward not just for Amazon, Best Buy, Google, Facebook, IBM, Microsoft, and Netflix, but for the security industry as well, and industry companies are catching on to that fact. I have linked to some of the security industry online Open API documentation as evidence of that progress: BluBØX (#27121), Brivo (#26109), Eagle Eye Networks (#26109 with Brivo), Lenel Systems (#18019), and Open Options (#3103).
  • AI, Big Data, Machine Learning and Robotics. Not all AI is for robotics, but security robots depend on AI and machine learning. Check out the robots from Turing Video (#5047). Big data technologies are often involved when there is a lot of data to deal with. The new generation of video analytics uses machine learning to build models of video scenes and reduce false positives to the point where event and activity recognition becomes actionable. Updated analytics from Bosch Security (#11053), Agent Vi (#14051 with Axis), Briefcam (#31086) and IronYun (#22148) are all worth checking out.

This year “artificial intelligence” (AI), “machine learning”, and “open platform” are among the hot buzzwords. While not as hot, “cloud” and “mobile” are two aspects of modern technology that are unavoidable. When you hear those terms, it becomes important to differentiate between yesterday’s technology “re-described” for marketing purposes, and advanced next generation technology that brings valuable new capabilities. The questions below should help.  

This Year’s Vendor Questions

To keep this article simpler than my previous show “questions” articles, I’m no longer making separate questions for end users, integrators and consultants. End users are now more tech-savvy, and integrators and consultants are increasing their understanding of end user needs. One set of questions will work fine now, where a few years ago, that wasn’t the case.

Questions to Ask

1. Cybersecurity. Do you have a system (or product) hardening guide?

A hardening guide recommends cybersecurity measures to apply to the vendor’s product or system.

This remains the top question as cybersecurity is a top concern for end users, integrators, security designers and specifiers. The following companies have published hardening guides or cybersecurity guidance: Avigilon, Axis, Bosch Security, Brivo, Dahua, Eagle Eye, Genetec, Hanwha Techwin, Hikvision, March Networks, Mercury Security, OnSSI, Milestone, Salient, Sony, Johnson Controls (Tyco Security), Viakoo, and Vivotek – and Lenel has a hardening guide under development that will be available this year in Q3.

Update: There is an ISC West panel session titled, "How to Deploy a Cyber 'Hardened' Access Control System for Enhanced Security," on Thursday, April 12, 2018 from 2:30-3:30 p.m. at Sands room 302 on Level 1. The panel moderator is Matt Barnette, President of Mercury Security, and panelists include Bill Bozeman, President and CEO of PSA Security Network, and Sal D’Agostino, founder and CEO of IDmachines. This is a don't-miss session for those who are responsible for deploying, operating or maintaining physical access control systems.

2. Cloud Security. For cloud companies: Do you have a published vulnerability handling policy and documentation describing your company’s product (or cloud service) security program?

Cybersecurity professionals look for the three indicators of a cloud vendor’s cybersecurity maturity:

  • Product hardening guide.
  • Security vulnerability handling policy.
  • Descriptive documentation of the company’s product security program.

You usually don’t need to ask this question of the companies who have hardening guides: most of the security industry companies with hardening guides also have published vulnerability handling policies, and many have descriptive documentation about the product security program or internal cybersecurity team. Yet many security industry companies still don’t have a clear idea of what a product security program is. Listen closely to how vendors answer this question, as the differences between answers can give you insights into the relative ranking of vendors.

3. Cloud Characteristics. How specifically does your cloud-based offering make use of the six key characteristics of cloud computing?

There are several companies who have products that are supported or augmented by cloud-based services, as opposed to companies with fully cloud-based offerings. When you hear the word “cloud,” be sure to understand what functionality resides in the cloud and why it is there. Sometimes the product is cloud-hosted but was not built as a cloud-native application; a conventional server application moved onto a hosted virtual machine is still “in the cloud,” but it gains none of the elasticity or measured service the term implies. (NIST SP 800-145 defines five essential characteristics: on-demand self-service, broad network access, resource pooling, rapid elasticity and measured service; multi-tenancy is the one most often added as a sixth.) This question will tell you how well cloud engineering has been applied to the system or application.

4. Risk Scenarios. What types of risk scenarios do your new features address?

Vendors should be able to describe the risk situations that the new features were designed to address. Before the new feature, how did things work? Now how will they work using the new feature? Hopefully, there will be a significant difference.

5. Artificial Intelligence (AI). Ask about AI algorithms and data models.

Some systems use AI in the cloud, and some have it built into product firmware, while some systems utilize both on-site and cloud-based AI.

Where do the AI algorithms reside? Who develops and improves the AI algorithms? How does the product get updated for AI improvements? Does it build a data model? Where does the data model reside? How is it backed up? Who owns the data model that is built with your company’s or your facility’s data? What format is the machine learning data in, and how do you back it up?

6. Intelligence Augmentation (IA) and Machine Learning. How does the IA functionality of the system help with security response? What does machine learning do to make the system, and my security personnel, more effective?

Intelligence augmentation (IA) is where humans and computers solve significant problems cooperatively. Two good examples are BriefCam (#31086) video synopsis and the analytics from Qognify (#30056) used at the Miami International Airport and elsewhere. IA is a significant time compressor and force multiplier, whereby a single individual with an IA tool can in minutes do work that without it would take several hours or days.

7. Open Platform. Does the platform have an Open API, meaning that it’s published online and freely available? What type of API is it (such as REST, SOAP, RPC)? What are some examples of its use?

Some platforms are more “open” than others, and some APIs are more mature than others (a function of time and product advancement). It can be helpful to hear about examples of how the API is used for systems integration. Some are mostly used by technology partners, and others are very useful for IT department integrations with customer applications, such as with an Identity Management System for physical/logical access control system integration.

8. Standards. What encryption standard is used or what version of network protocol is used?

The use of outdated encryption and network protocols leaves known, exploitable weaknesses in the product (see the Standards item above for the versions to look for). This was a sore point in the industry just a few years ago but is better now and keeps improving.
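A practitioner's check for the Standards item above and for this question, added here as an example and not part of the original article: the script below pins one TLS version per handshake against a device's HTTPS port and reports which versions the device accepts and which cipher suite it picks, so the answer at the booth can be compared with what the product actually does. The target address and port are placeholders (assumptions); run it against your own camera, recorder or controller.

```python
"""Probe a device's TLS port for deprecated protocol versions and weak ciphers.

Added example (not from the article). Each probe pins one TLS version via
minimum_version/maximum_version; whatever the device accepts is what it
supports. The default target address is an assumption for illustration.
"""
import socket
import ssl
import warnings
from dataclasses import dataclass
from typing import Dict, List, Optional

# Versions to test. SSLv2/SSLv3 are not offered by modern Python/OpenSSL
# builds, so TLS 1.0 and 1.1 are the deprecated versions we can still probe.
PROBES = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}
DEPRECATED_VERSIONS = {"TLSv1.0", "TLSv1.1"}
# Substrings of OpenSSL cipher names that indicate DES/3DES, RC4, export or
# NULL suites, or MD5 MACs.
WEAK_CIPHER_MARKERS = ("DES", "RC4", "NULL", "EXP", "MD5")


@dataclass
class ProbeResult:
    version: str
    accepted: bool
    cipher: Optional[str] = None   # negotiated suite when accepted
    error: Optional[str] = None    # why the handshake failed otherwise


def probe_version(host: str, port: int, label: str,
                  version: ssl.TLSVersion, timeout: float = 5.0) -> ProbeResult:
    """Attempt a handshake that allows exactly one TLS version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # auditing the protocol, not the cert
    ctx.verify_mode = ssl.CERT_NONE
    with warnings.catch_warnings():
        # Python warns when legacy versions are selected; that is the point here.
        warnings.simplefilter("ignore", DeprecationWarning)
        try:
            ctx.minimum_version = version
            ctx.maximum_version = version
        except ValueError as e:
            return ProbeResult(label, False, error=f"client cannot offer it: {e}")
    try:
        # Offer legacy suites too, so a weak server choice is observed, not masked.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # older OpenSSL without security levels; default list is used
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                name, _negotiated, _bits = tls.cipher()
                return ProbeResult(label, True, cipher=name)
    except ssl.SSLError as e:
        return ProbeResult(label, False, error=getattr(e, "reason", None) or str(e))
    except OSError as e:
        return ProbeResult(label, False, error=f"connection failed: {e}")


def audit_tls(host: str, port: int = 443, timeout: float = 5.0) -> Dict[str, ProbeResult]:
    """Probe every version in PROBES and return the results keyed by label."""
    return {label: probe_version(host, port, label, v, timeout)
            for label, v in PROBES.items()}


def findings(results: Dict[str, ProbeResult]) -> List[str]:
    """Turn probe results into the points to raise with the vendor."""
    out = []
    for label, r in results.items():
        if not r.accepted:
            continue
        if label in DEPRECATED_VERSIONS:
            out.append(f"{label} accepted (deprecated; should be disabled)")
        if r.cipher and any(m in r.cipher for m in WEAK_CIPHER_MARKERS):
            out.append(f"{label} negotiated weak cipher {r.cipher}")
    if not any(r.accepted for r in results.values()):
        out.append("no TLS version accepted: port closed, not TLS, or client/server mismatch")
    return out


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"  # assumed device IP
    for line in findings(audit_tls(target)) or ["no issues found"]:
        print(line)
```

A device that accepts the TLSv1.0 probe, or that negotiates a 3DES suite such as DES-CBC3-SHA on any version, is the one to ask about; a device that only answers TLSv1.2 or TLSv1.3 with an AES-GCM suite is where the industry should be. The SNMP half of the same question can be checked with net-snmp: if `snmpget -v1 -c public <device> sysDescr.0` returns an answer, SNMPv1 with the default community string is still enabled.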

9. Infrastructure Management. What new features do you have that improve the management and administration for large-scale deployments?

This is a key question to ask if you have multiple facility deployments or sites with high device counts.

About the Author:

Ray Bernard, PSP CHS-III, is the principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides security consulting services for public and private facilities (www.go-rbcs.com). He is the author of the Elsevier book Security Technology Convergence Insights available on Amazon. Mr. Bernard is a Subject Matter Expert Faculty of the Security Executive Council (SEC) and an active member of the ASIS International member councils for Physical Security and IT Security.