Tuesday, December 23, 2008

Physical Security Lessons for Digital Security

The newest CSO magazine featured a great article by Bill Brenner on jewelry store security. It's online via PCWorld at How Tech Caught the Jewelry Thief. I'd like to cite several excerpts and relate them to digital security.

It used to be that after a robbery, the police would review a surveillance tape for clues into who broke in, at what time and what the bad guys looked like. Since the thieves would be long gone by the time the tape was reviewed, there would often be little the authorities could do about it.

That sounds like a traditional digital forensics scenario, with the problem that it can be difficult to apprehend criminals well after the crime occurs.

But thanks to 21st-Century technology, the crooks are being watched in real time and, as a result, getting caught a lot more often.

Notice the word "watched" -- this frames the problem as one of faster detection and response.

In this Q&A, Dennis Thomas, regional loss prevention manager and certified field trainer at Zale Corp., explains how the retailer's IT operation is playing an increasingly important role in the physical security effort...

CSO: Your organization seems to be fighting back in more of a real-time fashion, as opposed to surveillance camera recordings where you would see the burglary take place long after the fact.

Thomas: Keep in mind, in the old days a crime could occur in a store with the employees there and they wouldn't always notice what was happening. With remote technology our trained operators at the command center can observe a theft in progress and notify the police in real time with important time-sensitive details like description, method of operation and where the merchandise is on the person. The police in turn are a lot more successful in making an arrest than they were five years ago.


Two points: first, Zale Corp. uses a centralize-and-specialize approach, where a small group of experts provides a service to the entire company, remotely. Second, the result is the removal of a threat via police arrest.

The real benefit is the increase in time notification. Let's say the operator doesn't immediately see the theft as it's happening. They can still e-mail camera images to the police, which is still faster than trying to pull video off an old VCR tape.

This sounds like Network Security Monitoring, where prevention eventually fails and sometimes intruders are smarter than you. When you know you were victimized, however, you can review your forensic evidence quickly and efficiently.

CSO: Who are you using as a vendor to operate the command center?

Thomas: We own and operate our own command center.

CSO: So you built the whole thing in house.


Zale Corp. is big enough to staff their own centralized "security operations center (SOC)". Smaller players might want to outsource, but I see more large companies building their own.

Thomas: Exactly. We worked with a local vendor to develop the technology and devised everything right down to the terminology that the operators use to communicate with the stores.

CSO: Did your command center develop gradually and organically, or was it based off of one big plan from the outset?

Thomas: It was a gradual process that took years. There were three phases: developing the technology, implementing the technology and further enhancing the system once it was operational, working out the kinks. We had our challenges as we basically ventured into uncharted territory but the technology was proven and successfully implemented the vision into the business.


No one does this correctly from day one. Developing an effective security operation is a multi-year process.

CSO: How much has this cut down on the time it takes on average to either catch the thief or at least solve a crime?

Thomas: I'll give you two statistics: First: The corporation has achieved record shrink lows for the last seven consecutive years. Second: a significant reduction in shrink [lost merchandise/revenue] as a result of burglaries. You can directly attribute that to the technology we've put in place.


This is a crucial point: Zale Corp.'s security department has performed a cost-benefit analysis that demonstrates how their security operation is saving money. First they had to quantify loss, and now they are showing how their team has reduced that loss. Note that the security team isn't "making money;" they are preventing loss.

There has been a significant increase in the number of criminals apprehended because we can get three to five cruisers out there immediately, because the police know if Zales calls, we are seeing a burglary unfolding before our eyes. We are able to verify to them immediately that it's not a false alarm.

Zale Corp. is avoiding the problem facing many MSSPs. Many MSSPs just call the customer when one of a million Snort alerts appears on an analyst's console. The customer is left to do an investigation to validate the alert. Good MSSPs (including internal ones) use an alert as an indicator to start their own investigation, backed by the necessary actionable evidence to make a decision. Then they call the customer to inform them that a problem is happening, not to ask the customer "is anything wrong?" The customer learns to trust the MSSP, because when the MSSP does call it means something.
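The alert-then-validate workflow described above, as an added example that is not part of the original post or of any MSSP's actual tooling: each Snort alert is treated as a pointer into independent session evidence (records modelled loosely on Zeek-style conn.log fields), and the customer is contacted only when that evidence corroborates the signature. The alert lines, SIDs (1000001-1000003, the local-rule range) and session records are constructed for this illustration; the verdict names and thresholds are assumptions of the example, not anything Zale Corp. or the article specifies.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Snort "fast" alert line, e.g.
# 12/23-10:15:02.123456  [**] [1:1000001:1] LOCAL web shell upload attempt [**] [Priority: 1] {TCP} 203.0.113.5:51234 -> 192.0.2.10:80
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\]\s+(?:\[Classification:\s*(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s*(?P<pri>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


@dataclass
class Alert:
    ts: str
    sid: int
    msg: str
    priority: int
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Session:
    """Constructed session record; the state codes follow Zeek conventions
    (SF = normal completion, REJ = rejected by target, S0 = no reply)."""
    src: str
    sport: int
    dst: str
    dport: int
    orig_bytes: int   # bytes sent by the client
    resp_bytes: int   # bytes sent by the server
    state: str


def parse_alert(line: str) -> Optional[Alert]:
    """Parse one Snort fast-format alert line; return None for anything else."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    return Alert(m["ts"], int(m["sid"]), m["msg"], int(m["pri"]), m["proto"],
                 m["src"], int(m["sport"]), m["dst"], int(m["dport"]))


def find_session(alert: Alert, sessions: list) -> Optional[Session]:
    """Locate the session the alert fired on, matched on the 4-tuple."""
    for s in sessions:
        if (s.src, s.sport, s.dst, s.dport) == (alert.src, alert.sport, alert.dst, alert.dport):
            return s
    return None


def triage(alert: Alert, sessions: list) -> dict:
    """Decide what the analyst does with the alert: the alert is only the
    indicator; the session evidence decides whether the customer is called."""
    s = find_session(alert, sessions)
    evidence = None
    if s is None:
        verdict, reason = "investigate", "no session record matches the alert; pull full content before contacting the customer"
    elif s.state in ("REJ", "S0"):
        verdict, reason = "suppress", f"target never completed the connection (state {s.state}); log it, do not page"
    elif s.state == "SF" and s.resp_bytes > 0:
        verdict, reason = "escalate", "completed two-way session corroborates the signature; notify the customer with the evidence"
    else:
        verdict, reason = "investigate", f"session state {s.state} is ambiguous; analyst review needed"
    if s is not None:
        # The "description and method of operation" handed to the customer.
        evidence = (f"{s.src}:{s.sport} -> {s.dst}:{s.dport} state {s.state}; "
                    f"client sent {s.orig_bytes} bytes, server answered {s.resp_bytes} bytes")
    return {"sid": alert.sid, "msg": alert.msg, "verdict": verdict, "reason": reason, "evidence": evidence}


def triage_all(lines: list, sessions: list) -> list:
    """Run triage over a batch of alert lines, skipping unparseable ones."""
    return [triage(a, sessions) for a in map(parse_alert, lines) if a is not None]


# Constructed sample input: three alerts, two of which have session evidence.
ALERT_LINES = [
    "12/23-10:15:02.123456  [**] [1:1000001:1] LOCAL web shell upload attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.5:51234 -> 192.0.2.10:80",
    "12/23-10:16:40.000001  [**] [1:1000002:1] LOCAL SSH brute force attempt [**] [Priority: 2] {TCP} 198.51.100.7:40000 -> 192.0.2.11:22",
    "12/23-10:17:05.555555  [**] [1:1000003:1] LOCAL FTP login sweep [**] [Priority: 3] {TCP} 198.51.100.9:33000 -> 192.0.2.12:21",
]
SESSIONS = [
    Session("203.0.113.5", 51234, "192.0.2.10", 80, orig_bytes=14820, resp_bytes=612, state="SF"),
    Session("198.51.100.7", 40000, "192.0.2.11", 22, orig_bytes=0, resp_bytes=0, state="REJ"),
]

if __name__ == "__main__":
    for r in triage_all(ALERT_LINES, SESSIONS):
        print(f"[{r['verdict']:11}] sid {r['sid']} {r['msg']}: {r['reason']}")
        if r["evidence"]:
            print(f"              evidence: {r['evidence']}")
```

The point of the three-way verdict is that only "escalate" produces a phone call, and that call carries the session summary rather than the raw signature name; "suppress" and "investigate" stay inside the SOC, which is what lets the customer treat every call as meaningful.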

CSO: If you are a retailer just coming to the realization that you need to adopt a system like Zale's, what are the first items you should be thinking about?

Thomas: The first thing you need to do is determine where your risk is. Is it the employee? Does the general public have access to your merchandise? Where is your shrink occurring and where will those precious dollars get the most benefit? The second thing you should do is go out and look at what your competitors are doing technologically to ensure security. Then you are able to build your system to meet the specific needs of your organization.


Again, Zale Corp. demonstrates where to begin. You can determine risk by performing preliminary monitoring to observe actual problems before implementing countermeasures. Bruce Schneier calls this monitor first.

Great article Bill Brenner!


Richard Bejtlich is teaching new classes in DC and Europe in 2009. Register by 1 Jan and 1 Feb, respectively, for the best rates.

3 comments:

G said...

Great post Richard... The similarities between NSM and a physical-world SOC are remarkable.

LonerVamp said...

Two comments on your excellent post.

1) "Good MSSPs (including internal ones) use an alert as an indicator to start their own investigation..."

I think this is a key distinction in the future success of MSSPs. It seems hard to allow an MSSP such access and visibility to make proper decisions, at least as long as they are third-party entities.


2) You mention how Zales is able to remove a threat using their technology. I agree with this insight, but I am not quite so sure how that carries over to the digital world for most entities. How does one attempt to remove a threat that may digitally attack from China, Turkey, Zimbabwe, Oklahoma, or Quebec when they are maybe brute forcing FTP accounts, injecting web content, or possibly stealing data while connected into your network? Unless one is a law enforcement, government, or other well-connected entity, that just doesn't seem nearly as feasible as physically capturing a thief.

That is really my basis for not completely buying into threat reduction as a major part of my security focus. I do think it should be considered, but most entities just don't have much remediation digitally.

Marcus J. Carey said...

The problem is since so many "hackers" are beyond our law enforcement jurisdiction (overseas), bringing people to justice in some cases is impossible.