Combating Fraud and Intrusion Threats with Event Processing

Combating Fraud and Intrusion Threats with Event Processing, TIBCO, TUCON 2007, Tim Bass, CISSP, Principal Global Architect, Director Emerging Technologies Group, TIBCO Software Inc.

  1. Combating Fraud and Intrusion Threats with Event Processing. Tim Bass, CISSP, Principal Global Architect, Director Emerging Technologies Group, TIBCO Software Inc.
  2. TUCON Session Information
     - Fortunately, one of the most promising applications of complex event processing (CEP) is in the area of security event management (SEM), an evolving science that can provide businesses with advanced threat detection and warning capabilities.
     - Learn more about how to apply advanced SEM concepts to the security of your business.
     - Threats to your online business are everywhere!
  3. Our Agenda
     - Trends in Cyber Attacks, Threats & Vulnerabilities
     - Security Event Management (SEM) Overview
     - How Complex Event Processing (CEP) Helps
     - TIBCO BusinessEvents™ and CEP
     - Questions & Answers
  4. Threats Are Everywhere! (Chart, source: www.cert.org. Axes: attack sophistication versus intruder knowledge (high to low), timeline 1980 to 2000+. Plotted techniques range from password guessing, self-replicating code and password cracking through exploiting known vulnerabilities, disabling audits, back doors, session hijacking, sweepers, sniffers, packet spoofing, automated probes/scans, denial of service, www attacks and cross-site scripting to "stealth"/advanced scanning techniques, distributed attack tools and staged, auto-coordinated bots.)
  5. Malicious Code Trends
  6. Malicious Code – The Numbers
  7. IE Critical Vulnerabilities
  8. FireFox Critical Vulnerabilities
  9. Global Distribution of On-Line Banking
  10. Global Distribution of Phishers
  11. Vulnerabilities Exponentially Increasing?
  12. Our Agenda (repeat of slide 3)
  13. SEM Functionality
     - Log collection from heterogeneous devices – the capability to read, parse, normalize, and gather security events from a variety of heterogeneous event sources
     - Situation detection – the capacity to detect and refine threat-related situations automatically and to prioritize them based on an automatic impact assessment, optimizing staff performance to focus on preventing the most important threats
     - Threat prevention and remediation – generate alerts and automated responses based upon high-probability threat scenarios and manage the life cycle of the threat
     - Report generation – automate reports that support post-threat investigation and regulatory compliance, and update visualizations and dashboards
     - Scalable, distributed architecture – the architecture must manage millions of logs per day, distribute the processing load, and provide service-oriented services for transformation, event tracking, correlation, updates, remediation and visualizations
  14. Overview of IDS & FDS Systems (taxonomy of fraud and intrusion detection systems, shown as a table)
     - Detection approach: anomaly detection, signature detection
     - Systems protected: HIDS, NIDS, hybrid
     - Architecture: centralized, distributed, agent based
     - Data sources: audit logs, net traffic, system stats, logs
     - Analysis timing: real time, data mining
     - Detection actions: active, passive
     - Figure labels: Security Event "Stovepipes"; Centralized and Distributed Fraud and Intrusion Detection Systems
  15. No Shortage of "Event Aggregators"!
  16. What is Missing from this SEM Architecture?
  17. SEM Illustrated
  18. SEM: Key Take-Aways
     - NO ESB – there is no secure, standards-based communications infrastructure for distributed event management in current SEM solutions
     - WEAK or NO ANALYTICS – there is limited capability to detect and refine threat-related situations with high probability using state-of-the-art analytics
     - WEAK or NO EDA – no standard generated alerts and automated responses to kick off workflow, compliance and other remediation activities
     - WEAK REPORTING – dashboards and reports tend to be "event aggregators" that do not filter out the "noise"
     - UNSCALABLE, CENTRALIZED ARCHITECTURES – current SEM architectures cannot manage millions of events in a heterogeneous, distributed architecture
  19. Our Agenda (repeat of slide 3)
  20. How Does CEP Help with SEM?
  21. What is an Event?
     - An event is a significant change in state.
     - (Diagram: State 1, "Your on-line banking application is normal" → Event → State 2, "A threat to your on-line system was detected".)
  22. What is an Event Driven Architecture?
     - EDA is an architectural style that manages and executes rules of the form: WHEN reality deviates from expectations THEN update expectations and initiate response.
  23. EDA Characteristics
     - Sense: detect events across the extended environment in real time
     - Analyze: aggregate events across multiple sources; compare reality with expectations
     - Respond: update expectations; invoke distributed services in real time
  24. Detecting Situations from Events
     - Anticipated event (pattern matching/detection)
       - Specify the pattern of the anticipated event and the appropriate response
     - Unanticipated event (anomaly detection)
       - Specify patterns of normality; an event is a deviation from the pattern
       - When reality doesn't fit "normality", alert the business user.
  25. Event Processing Characteristics
     - Asynchronous timing: the timing of events is not controlled by the enterprise.
     - Noise: external event data is noisy.
     - Complex event processing: the significant state change for the enterprise is detected by fusing data from multiple sources.
  26. Managing Uncertainty
     - Asynchronous timing: integrate request-response SOA with asynchronous EDA
     - Noise: manage uncertainty about errors, both false positives and false negatives.
     - Multisensor event fusion: extreme decoupling.
     - (Diagram: trader, risk manager, risk management and scheduler dashboards distributed across Houston, Denver, Edmonton, London, Sydney and New York, NY, reporting to a corporate VP, Risk.)
  27. Key Take-Aways on Events
     - Event processing characteristics:
     - Sense and respond: respond quickly when reality deviates from expectations or plans.
     - Asynchrony: the timing of events is not controlled by the enterprise.
     - Global situational awareness: can be achieved only by correlating multiple sources of data from outside the enterprise with enterprise data.
     - Errors: events are "noisy."
  28. CEP Illustrated: Detecting Threats with Complex Event Processing
  29. Complex Event Processing. "Events in several forms, from simple events to complex events, will become very widely used in business applications during 2004 through 2008" (Gartner, July 2003). (Diagram label: Situation Detection.)
  30. Event Processing Reference Architecture (diagram). External event sources feed Event Pre-Processing, then Level One Event Tracking, Level Two Situation Detection, Level Three Predictive Analysis and Level Four Adaptive BPM. Supporting blocks: DB management (historical data, profiles & patterns), distributed local event services, event profiles, databases and other data; visualization, BAM and user interaction sit on top.
  31. Situational Awareness via Event Processing
     - Multi-level inference in a distributed event-decision architecture (level of inference rising from low to high):
       - User Interface (dashboards, BAM, visualization, portals)
         - Human visualization, monitoring, interaction and situation management
       - Level 4 – Process Refinement (Adaptive BPM)
         - Decide on control feedback, for example resource allocation, sensor and state management, parametric and algorithm adjustment
       - Level 3 – Impact Assessment (Predictive Analytics)
         - Impact assessment, i.e. assess intent on the basis of situation development, recognition and prediction
       - Level 2 – Situation Refinement (Situation Detection)
         - Identify situations based on sets of complex events, state estimation, etc.
       - Level 1 – Event Refinement (Event Tracking)
         - Identify events and make initial decisions based on association and correlation
       - Level 0 – Event Preprocessing
         - Cleansing of the event stream to produce semantically understandable data
  32. Event Processing Characteristics
     - Event processing agents, sensors and ESB
     - "System" can "learn" expectations from positive and negative examples
     - Users can specify expectations using:
       - SQL-like queries
       - Fuzzy matches
       - Statistical operators
       - Regular expressions and rules
       - CEP
  33. Our Agenda (repeat of slide 3)
  34. TIBCO BusinessEvents™ Solutions Overview (diagram of the BusinessEvents™ solutions space)
     - Data: events & databases, real-time & historical data
     - Models: statistical, financial, optimization
     - Comms: pub/sub messaging, queues, topics, UIs
     - Knowledge: facts & rules
  35. TIBCO BusinessEvents™ Overview
     - High-performance, low-latency business rules engine.
     - Top-down business process modeling.
     - Real-time event processing.
     - Cross-application and cross-process integration.
     - Analytical and predictive models.
     - (Diagram: modeling tools, statefulness, business rules and process integration: UML conceptual model, UML state model, business rules, business users, event analyzer.)
  36. TIBCO BusinessEvents™ Overview (architecture diagram)
     - Feeds: FDS/IDS, logfiles, edge devices, sensors, application interface
     - Collection, normalization: metrics of managed objects, normalized non-contextual events
     - Event management, correlation, aggregation, inference and analysis (inference engine, dialogue manager, agents): correlated, analyzed, contextual dialogue events
     - Visualization, reporting, alert management: detection metrics view, process view, synthetic warehouse
     - Design environment: metadata repository, semantic model, events, rules, state model; rules, knowledge, patterns, models
  37. BusinessEvents™ Components
     - Enterprise metadata (concepts, properties, state models, XML schemas, business rules)
     - BusinessEvents Workbench (design time)
     - BusinessEvents Engine (runtime)
     - Business user interface, business user language, decision tables
     - Runtime viewer, management server
  38. Runtime – BusinessEvents™ Engine
     - Inference engine:
       - forward chaining – optimized Rete-based rule inferencing
       - history of objects – calculation of real-time time series
       - persistence – virtual memory, 100% failsafe
       - performance – tens of thousands of rules per second
     - Models:
       - ontology – objects, events, inheritance, relationships, properties
       - state model – object life cycle, event patterns, time, alerts, reports
       - KPI model – real-time calculation, thresholds/alerts
     - Also shown: monitor and management, channels, embedded DB
  39. On-Line Fraud Detection Use Case
     - Approx. 12,000 hits per second during peak period across the three sites
     - One instance of TIBCO BusinessEvents™ capable of handling maximum hits overall
     - 100 million hits handled between 3 PM and 4 PM peak
     - Approx. 250 million hits per day across the three sites
     - Diagram components: TIBCO EMS™, TIBCO BusinessEvents™, session info, three server farms, ~600–700 application servers
  40. Wrap Up: TIBCO's CEP-Based SEM
     - ESB – a secure, standards-based communications infrastructure for distributed event management for SEM
     - STRONG ANALYTICS – an extensible event-driven rules engine to detect and refine threat-related situations with high probability using state-of-the-art analytics
     - EDA – standards-compliant messages, ESB, and alerts and automated responses to kick off workflow, compliance and other remediation activities with the BPM suite
     - CUSTOM REPORTING – dashboards and reports easily customized with an AJAX-based Rich Internet Application (RIA)
     - SCALABLE, DISTRIBUTED ARCHITECTURE – event-driven, cooperative agents to manage millions of events in a heterogeneous, distributed architecture
  41. Q & A
  42. Thank You! Tim Bass, CISSP, Principal Global Architect, Director, TIBCO Software Inc.
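The lower levels of the pipeline from slides 13, 24 and 31 (Level 0 normalization of heterogeneous logs, Level 1 event tracking by source, Level 2 situation detection by anticipated pattern and by anomaly) as an added Python example; this is illustrative code written for this page, not TIBCO BusinessEvents code, and every log line, address, user name and threshold in it is constructed.

```python
import json
import re
from collections import defaultdict

# Constructed sample input (not real logs): syslog-style sshd lines and JSON
# lines from a web application, i.e. two heterogeneous event sources.
SAMPLE_LOGS = [
    "Jan 10 10:00:01 bank sshd[99]: Failed password for alice from 203.0.113.5",
    "Jan 10 10:00:02 bank sshd[99]: Failed password for alice from 203.0.113.5",
    "Jan 10 10:00:03 bank sshd[99]: Failed password for alice from 203.0.113.5",
    '{"client_ip": "203.0.113.5", "user": "alice", "status": 200}',
    "Jan 10 10:00:09 bank sshd[99]: Failed password for bob from 192.0.2.9",
] + [json.dumps({"client_ip": "198.51.100.7", "user": "u%d" % i, "status": 200})
     for i in range(6)]

SYSLOG_RE = re.compile(r"^\w+ +\d+ [\d:]+ \S+ \S+: (Failed|Accepted) password for (\S+) from (\S+)$")

def normalize(line):
    """Level 0: parse either format into {src, user, outcome}; None if unknown."""
    m = SYSLOG_RE.match(line)
    if m:
        outcome = "fail" if m.group(1) == "Failed" else "success"
        return {"src": m.group(3), "user": m.group(2), "outcome": outcome}
    if line.startswith("{"):
        d = json.loads(line)
        outcome = "fail" if d["status"] in (401, 403) else "success"
        return {"src": d["client_ip"], "user": d["user"], "outcome": outcome}
    return None  # unparseable noise is dropped at Level 0

def track(lines):
    """Level 1: associate normalized events by source address, in arrival order."""
    by_src = defaultdict(list)
    for line in lines:
        ev = normalize(line)
        if ev is not None:
            by_src[ev["src"]].append(ev)
    return by_src

def detect_situations(lines, fail_threshold=3, expected_per_src=5):
    """Level 2: anticipated pattern (failures then a success from one source) and anomaly (volume above baseline)."""
    alerts = []
    for src, evs in track(lines).items():
        fails = 0
        for ev in evs:
            if ev["outcome"] == "fail":
                fails += 1
                continue
            if fails >= fail_threshold:  # the anticipated password-guessing pattern
                alerts.append(("password_guessing", src, ev["user"]))
            fails = 0
        if len(evs) > expected_per_src:  # deviation from the "normality" baseline
            alerts.append(("anomalous_volume", src, len(evs)))
    return alerts
```

Running `detect_situations(SAMPLE_LOGS)` yields one pattern alert for the source that failed three times and then succeeded, and one anomaly alert for the source whose event count exceeds the constructed baseline.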
