CEP and SOA: An Open Event-Driven Architecture for Risk Management

CEP and SOA: An Open Event-Driven Architecture for Risk Management March 14, 2007 IT Financial Services 2007 Lisbon, Portugal Tim Bass, CISSP Principal Global Architect, Director Emerging Technologies Group

Our Agenda

Key Takeaways, Market and Business Drivers

TIBCO’S Solution Architecture

Event-Driven Operational Risk Management

Security Event Management and TIBCO BusinessEvents™

TIBCO’s Reference Architecture for CEP and SEM

Example High Level Architecture

Wrap Up

Key Takeaways of Presentation

Next generation security and enterprise risk management solutions require the fusion of information from numerous event sources across the enterprise:

Model all Security Devices, Log Files, Sniffers, etc. as Sensors and Event Processors

Use Secure Standards-based Messaging for Communications

Next-Gen Enterprise Risk Management (ERM) Requires a Number of Technologies:

Distributed Computing, Publish/Subscribe and SOA

Hierarchical, Cooperative Inference Processing

High Speed, Real Time Rules Processing with State Management

Event-Decision Architecture for Identification and Mitigation of Security Situations

Solution Expandable to Compliance and Incident Management (BPM)

Firewall, IDS, IPS, Cryptography, Access Control are Simply Not Sufficient.

Malicious Users are Using Legitimate Application Protocols, such as HTTP, HTTPS and SOAP.

An CSI/FBI Study Showed that Almost 50% of Security Breaches came from Internal Resources.

Recently fired employees

Unscrupulous traders

Compromised partners

And disgruntled or curious employees

Industry and Business Drivers A Sample of the Problems with Network Security malicious users malicious users

Background – the Current state of IDS Intrusion Detection Systems Simply Don’t Work! “ Today over 70% of attacks against a company’s website or web application come at the ‘Application Layer’ not the Network or System layer.” - Gartner Group Most of Firewalls, IDS (Intrusion Detection System), IPS (Intrusion Prevention System) are act at the Network/System Layer, not at the “ Application Layer ”.

Risk and Compliance Business Drivers and Market Trends

Business Drivers: Organizations face mounting pressures driving them toward a structured approach to enterprise risk and compliance management.

Complexity, diversity and multiplicity of risk

Increased accountability and regulatory compliance

Fragmentation and duplication of efforts

Market Trends: Business drivers resulted in the following trends as organizations begin to build their new approaches to risk and compliance management:

Adoption of an enterprise risk management framework

Managed and measured regulatory compliance

Risk and compliance tool consolidation, application integration and SOA

Integration into business process management

Establishment of a chief risk officer

Our Agenda

Key Takeaways, Market and Business Drivers

TIBCO’S Solution Architecture

Event-Driven Operational Risk Management

Security Event Management and TIBCO BusinessEvents™

TIBCO’s Reference Architecture for CEP and SEM

Example High Level Architecture

Wrap Up

Event-Driven Operational Risk Management An Active Predictive Business™ System of Risk and Asset Management Control evaluation (SOX) Operational Risk (Basel II) Security Outsourcing Privacy Business Continuity Planning Event-Driven Operational Risk Assessment & Management

How TIBCO Delivers for Customers Accelerate projects, initiatives, and go-to-market cycles Increase operational efficiency and effectiveness. Improve operational visibility, security, collaboration and responsiveness

Complex Event Processing " Events in several forms, from simple events to complex events, will become very widely used in business applications during 2004 through 2008 " --- Gartner July 2003

TIBCO BusinessEvents™ Solutions Overview BusinessEvents™ Solutions Space Data: Events & Databases -Real-Time & Historical Data Models: Statistical Financial Optimization Comms: Pub/Sub Messaging Queues Topics UIs Knowledge: Facts & Rules

Rule-Based Security Event Management Complex Event Processing for Enterprise Security Event Integration/Correlation Rule-Based

Pattern Recognition

Anomaly Detection

Track and Trace

Monitoring (BAM)

Dynamic Resource Allocation

Adaptive Resource Allocation

Constraint Satisfaction (CSP)

Dynamic Control

Situation Identification

Fraud Prediction

Impact Assessment

Detection Prediction Scheduling

Fraud Detection

Intrusion Detection

Fault Detection

Rule-Based Access Control

Exception Management

Compliance Work Flow

Risk Management

Fault Analysis

Impact Assessment

Security Event Management Across the Enterprise

Event-Driven SOA, CEP and BPM Enterprise Integration, Correlation and Management of Security Events Two Minute Explainer

TIBCO’s Real-Time Agent-Based SEM Approach A Multisensor Data Fusion Approach to Security Event Management Intrusion and Fraud Detection Systems Detection Approach Systems Protected Architecture Data Sources Analysis Timing Detection Actions IDS FDS Hybrid Audit Logs Net Traffic System Stats Real Time Data Mining Anomaly Detection Signature Detection Centralized Distributed Active Passive Agent Based Next-Generation Fusion of Security “Stovepipes”

CEP Reference Architecture Next-Generation Functional Architecture for SOA / BPM / EDA 24 EVENT PRE-PROCESSING EVENT SOURCES EXTERNAL . . . LEVEL ONE EVENT TRACKING Visualization, BAM, User Interaction CEP Reference Architecture DB MANAGEMENT Historical Data Profiles & Patterns DISTRIBUTED LOCAL EVENT SERVICES . . EVENT PROFILES . . DATA BASES . . OTHER DATA LEVEL TWO SITUATION DETECTION LEVEL THREE PREDICTIVE ANALYSIS LEVEL FOUR ADAPTIVE BPM

Event-Driven Complex Event Processing

Multi-level inference in a distributed, event-driven architecture

User Interface

Human visualization, monitoring, interaction and situation management

Level 4 – Process Refinement

Decide on control feedback, for example resource allocation, sensor and state management, parametric and algorithm adjustment

Level 3 – Impact Assessment

Impact assessment, i.e. assess intent on the basis of situation development, recognition and prediction

Level 2 – Situation Refinement

Identify situations based on sets of complex events, state estimation, etc.

Level 1 – Event Refinement

Identify events & make initial decisions based on association and correlation

Level 0 – Event Preprocessing

Cleansing of event-stream to produce semantically understandable data

Level of Inference Low Med High

Event-Driven CEP and SEM - Summary Flexible SOA and Event-Driven Architecture

Security Event Management High Level Event-Driven Architecture (EDA) for SEM JAVA MESSAGING SERVICE (JMS) DISTRIBUTED EVENTS (TIBCO EMS) HIGH PERFORMANCE RULES-ENGINE (TIBCO BE) HIGH PERFORMANCE RULES-ENGINE (TIBCO BE) HIGH PERFORMANCE RULES-ENGINE (TIBCO BE) HIGH PERFORMANCE RULES-ENGINE (TIBCO BE ) SENSOR NETWORK RULES NETWORK FDS BW JMS LOGFILE JMS BW LOGFILE JMS BW LOGFILE JMS BW IDS JMS BW FDS JMS BW SQL DB BW JMS ADB SQL DB BW JMS ADB MESSAGING NETWORK SYSTEM SYSTEM SYSTEM SYSTEM SYSTEM SYSTEM SYSTEM SYSTEM

Overview of TIBCO’s Solutions Architecture

Fusion of IDS and FDS information across Customer’s Enterprise, including:

Log files

Existing Customer’s IDS and FDS (host and network based) devices

Network traffic monitors (as required)

Host statistics (as required)

Secure, standards-based JAVA Messaging Service (JMS) for messaging:

Events parsed into JMS Application Properties

SSL transport for JMS messages

TIBCO technology for next-generation detection, prediction, rule-based intrusion response, and adaptive control

TIBCO Business Works™ as required, to transform, map or cleanse data

TIBCO BusinessEvents™ for real-time rule-based analytics

TIBCO Active Database Adapter as required

Potential Extensions to Solutions Architecture

Extension of EDA/SEM to rules-based access control

Integration of IDS and FDS with access control

TIBCO BusinessEvents™ for rule-based access control

Extension of EDA/SEM and access control to incident response

Event-triggered work flow

TIBCO iProcess™ BPM for incident response

TIBCO iProcess™ BPM security entitlement work flow

Extensions for other risk, compliance & reporting requirements

Basel II, SOX, and JSOX - for example

Extensions for IT management requirements

Monitoring and fault management, service management

Key Takeaways of Presentation

Next generation security and enterprise risk management solutions require the fusion of information from numerous event sources across the enterprise:

Model all Security Devices, Log Files, Sniffers, etc. as Sensors and Event Processors

Use Secure Standards-based Messaging for Communications

Next-Gen Enterprise Risk Management (ERM) Requires a Number of Technologies:

Distributed Computing, Publish/Subscribe and SOA

Hierarchical, Cooperative Inference Processing

High Speed, Real Time Rules Processing with State Management

Event-Decision Architecture for Identification and Mitigation of Security Situations

Solution Expandable to Compliance and Incident Management (BPM)

RFID for Automatic Baggage Handling & Reconciliation

Hong Kong International Airport

2 runways

1 PTB

75 airlines, 143 destinations

More than 700 flights per day

Airport Profile

41 M passengers (2005) over 110,000 per day

20M departure baggage (2005)

3.4M ton cargo (2005)

2 Runways; single largest terminal building

55,000 staff work for over 240 organisations

AA staff - 950

HKIA RFID Project - Background

In 2003, HKIA adopted to apply RFID t echnology to improve the Baggage Handling and Management System

In mid 2004, RFID equipment installation commenced at baggage handling areas

In Aug 2005, RFID mode operation in service

RFID Components RFID Chip Inlay / Label Reader, Antenna

Type of RFID Tags - Wal-Mart HKIA Octopus User Small Small Moderate Size ~1.5m ~ 5 m < 0.7m Read Range Fast Fast Moderate Read Speed 13.56MHz HF 860 – 960MHz UHF 2.45GHz Frequency UHF(2) Type

Comparison of UHF RFID Tags √ √ Low cost √ Access security √ √ Kill security √ √ Reads > 500 tags / sec √ Dense-reader operation Proprietary √ Class 0 + Proprietary Class 1 √ Standardization √ Read Write Gen2 Feature

RFID benefits

Customers

Reduce mishandling of bags

Airports

Lower baggage management cost

Enhanced security

Airlines

Lower loss baggage costs

Greater visibility of baggage

Hong Kong International Airport Business Case of RFID

Lower cost for ABRS

(Phase 1 – Read Only RFID)

Delay expansion of baggage system

(Phase 2 – R/W RFID)

BHS Capacity Check-in Transfer primary sorters Early bag store Early bag Baggage Handling System secondary sorters Bag to Lateral 60% Early Bag 15% No-Read Bag 25% Laterals No-read

Automatic Baggage Reconciliation System (ABRS)

BHS – sort bags to lateral + x-ray screening

ABRS – baggage management

All screened bags delivered to the loading lateral

Baggage loading locations recorded by RF readers automatically

Baggage manifest produced using data captured within ABRS

Automatic Baggage Reconciliation System (ABRS) Transfer (at Belt A) Primary Sorter No Read MCS Secondary Sorter Lateral Barcode Reader RF Reader Stick RFID Gen 2 Label Check-in Barcode Reader RF Reader CTF MCS Track baggage loading into ULD Read License Plate Number (LPN) Encode in Gen2 Label RF Printer to print LPN in baggage tag with Gen2 inlay X-ray Read Barcode or RF tag For sorting bag

Lateral Operation RFID readers Containers RFID Readers at Lateral RFID Reader at Lateral

Dual Mode Handheld Terminal

RFID System Configuration

RF Readers and Antenna

200+ Readers : Symbol AR400

500+ Antennas

200+ Dual Mode Handheld Terminal : Symbol MC9600

Operated with 4 watts power level (HK OFTA)

RFID read only tag

Class 0 tag with 96 bits pre-encoded UID

Adopts frequency band 920 ~ 925 MHz

RFID Performance Data

RFID operation started at 1-Aug-05

20M Class 0 RFID label used per year

95% - 97% RFID read rate at Induction units

92% RFID read rate at Laterals

Challenges

Standardization of airline bag tag

Ways to affix RFID label on bag

Tag quality

RF power tuning

Cross read

RF interference between RF readers

Challenge – RF Power Tuning

Different RF Coverage caused by type of ULD

Absorbed RF reflection in Filled ULD

Challenges (Cont’)

Old label from multi-trips (additional reader required)

Bag content/design i.e. metal, water

Learning curve of operator

RF health issue

Phase 2 Implementation – Gen2 RFID

Implement an “open standards” encoding solution using Gen-2 R/W RFID tag

Adopt IATA RP1740c, ISO 18000-6C (Gen2) and ISO/IEC 15961 and 15962

Improving the overall RF performance

Increasing the overall baggage delivery throughput

Phase 2 – Stage 1 Transfer

Use 2”x4” Gen2 RFID with label

Barcode scanner scans LPN and passes to RFID reader to encode

Manual Coding Station to re-encode LPN for exception case

RFID readers reads both Class 0 & Gen 2 (memory bank 01 only) RFID tags

Operation by Jun-06

Phase 2 – Stage 1

Phase 2 – Stage 2 Local Check-in

Use Gen2 RFID integrated baggage tag

Standardize baggage tag as CUSS standard (21” in length)

RF Printers encode the LPN & Date

RFID readers are operating with all Gen 2 (with memory bank 01 only) RFID tags.

Operation by Dec-06

Phase 2 – Stage 3 User Data

Use Gen2 RFID integrated baggage tag

Standardize airlines Pectab

RF Printers encode the LPN, Date & User Data

Integrated with X-Ray to encode security screening result

RFID readers are operating with all Gen 2 (with memory bank 11 field) RFID tags.

Operation by Mar-07

Future Direction

More added values services for passengers and airlines using RFID

Cooperation with airport and airlines

Bulk purchase of RFID tags

Thank You! Tim Bass, CISSP Principal Global Architect, Director Emerging Technologies Group Event Processing at TIBCO

CEP and SOA: An Open Event-Driven Architecture for Risk Management

1 comments

Notes on slide 1

7 Favorites