Continuing from part one: During the attack, you hope that your guards and systems perform the way you expect: blocking, inhibiting, controlling, repelling.

• Intrusion detection or intrusion prevention systems are effective. Sensors at the perimeter, guards and dogs patrolling the campus, access control systems all deliver valuable information to the security command center. But good policies. secure locks, and properly configured firewalls on the network are the foundations of a secure site.

• Sniff around for malicious activity. With very well-tuned network intrusion detection from Symantec, IBM, McAfee, Cisco and others, or complementary tools such as Sourcefire's RNA, an organization can find many more bad things on the network than it could without. In the physical domain, complement your guards and locks with video analytics from ioimage, Object Video, Cernium, Mate or others.

• Physical security devices fit in, too. Event logs from physical security devices like IP cameras, card readers, and proximity detectors can show interesting information about malicious or anomalous human behavior, especially if correlated with logical event data. Look to Orsus, SentryPort, and Vidsys to process a wide variety of PSIM data.

In short, have all systems tuned to aggregate, normalize, corrleate and report on the status of all sensors and systems.  That way, the security team has an up-to-the-minute view of the source and impact of attacks as they are happening.

We'll clean up after the attack tomorrow...