Combating Fraud and Intrusion Threats with Event Processing

Combating Fraud and Intrusion Threats with Event Processing, TIBCO, TUCON 2007, Tim Bass, CISSP, Principal Global Architect, Director Emerging Technologies Group, TIBCO Software Inc.

Transcript

  • 1. Combating Fraud and Intrusion Threats with Event Processing Tim Bass, CISSP Principal Global Architect, Director Emerging Technologies Group TIBCO Software Inc.
  • 2. TUCON Session Information
    • Fortunately, one of the most promising applications of complex event processing (CEP) is in the area of security event management (SEM), an evolving science that can provide businesses with advanced threat detection and warning capabilities.
    • Learn more about how to apply advanced SEM concepts to the security of your business.
    • Threats to your online business are everywhere!
  • 3. Our Agenda
    • Trends in Cyber attacks, Threats & Vulnerabilities
    • Security Event Management (SEM) Overview
    • How Complex Event Processing (CEP) Helps
    • TIBCO BusinessEvents™ and CEP
    • Question & Answers
  • 4. Threats Are Everywhere! (Source: www.cert.org) [Figure: the CERT chart of Attack Sophistication against Intruder Knowledge (High to Low) on a 1980 to 2000+ timeline. Techniques plotted on the chart: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, sweepers, sniffers, packet spoofing, GUI tools, automated probes/scans, denial of service, www attacks, "stealth"/advanced scanning techniques, burglaries, network mgmt. diagnostics, distributed attack tools, staged attacks, cross site scripting, auto coordinated attacks / bots.]
  • 5. Malicious Code Trends
  • 6. Malicious Code – The Numbers
  • 7. IE Critical Vulnerabilities
  • 8. FireFox Critical Vulnerabilities
  • 9. Global Distribution of On-Line Banking
  • 10. Global Distribution of Phishers
  • 11. Vulnerabilities Exponentially Increasing?
  • 12. Our Agenda
    • Trends in Cyber attacks, Threats & Vulnerabilities
    • Security Event Management (SEM) Overview
    • How Complex Event Processing (CEP) Helps
    • TIBCO BusinessEvents™ and CEP
    • Question & Answers
  • 13. SEM Functionality
    • Log collection from heterogeneous devices - the capability to read, parse, normalize, and gather security events from a variety of heterogeneous event sources
    • Situation detection - the capacity to detect and refine threat-related situations automatically and prioritize them based on an automatic impact assessment, so that staff focus on preventing the most important threats
    • Threat prevention and remediation - generate alerts and automated responses based upon high probability threat scenarios and manage the life cycle of the threat
    • Report generation – automate reports that support post-threat investigation and regulatory compliance, and update visualizations and dashboards
    • Scalable, distributed architecture – the architecture must manage millions of logs per day, distribute the processing load, and offer service-oriented services for transformation, event tracking, correlation, updates, remediation and visualization
  • 14. Overview of IDS & FDS Systems [Figure: taxonomy of fraud and intrusion detection systems, each a security event "stovepipe", centralized or distributed]
    • Detection approach: anomaly detection, signature detection
    • Systems protected: HIDS, NIDS, hybrid
    • Architecture: centralized, distributed
    • Data sources: audit logs, net traffic, system stats, logs, agent based
    • Analysis timing: real time, data mining
    • Detection actions: active, passive
  • 15. No Shortage of “Event Aggregators” !
  • 16. What is Missing from this SEM Architecture?
  • 17. SEM Illustrated
  • 18. SEM: Key Take-Aways
    • NO ESB – there is no secure, standards-based communications infrastructure for distributed event management in current SEM solutions
    • WEAK or NO ANALYTICS - there is limited capability to detect and refine threat-related situations with high probability using state-of-the-art analytics
    • WEAK or NO EDA - no standard way to generate alerts and automated responses that kick off workflow, compliance and other remediation activities
    • WEAK REPORTING – dashboards and reports tend to be "event aggregators" that do not filter out the "noise"
    • UNSCALABLE, CENTRALIZED ARCHITECTURES – current SEM architectures cannot manage millions of events in a heterogeneous, distributed architecture
  • 19. Our Agenda
    • Trends in Cyber attacks, Threats & Vulnerabilities
    • Security Event Management (SEM) Overview
    • How Complex Event Processing (CEP) Helps
    • TIBCO BusinessEvents™ and CEP
    • Question & Answers
  • 20. How Does CEP Help with SEM?
  • 21. What is an Event?
    • An Event is a significant change in state.
    [Figure: State 1, "Your on-line banking application is normal", changes to State 2, "A threat to your on-line system was detected"; the transition between them is the Event.]
  • 22. What is an Event Driven Architecture?
    • EDA is an architectural style that manages and executes rules of the form:
    • WHEN reality deviates from expectations
    • THEN update expectations and initiate response.
  • 23. EDA Characteristics
    • Sense: detect events across the extended environment in real-time
    • Analyze: aggregate events across multiple sources; compare reality with expectations
    • Respond: update expectations; invoke distributed services in real-time
  • 24. Detecting Situations from Events
    • Anticipated event (pattern matching/detection)
      • Specify pattern of the anticipated event and the appropriate response
    • Unanticipated event (anomaly detection)
      • Specify patterns of normality; event is deviation from pattern
      • when reality doesn’t fit “normality” then alert business user.
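The two detection styles on this slide, run side by side, as an added example (Python, mine, not code from the deck or from TIBCO). The event schema is an assumption: each event is a dict with ts (epoch seconds), src, user and outcome ("fail" or "ok"). The anticipated situation is a pattern specified in advance (a burst of failures from one source inside a time window, then a success); the unanticipated one specifies only normality (each user's historical logins per hour) and treats a large deviation as the event. The sample stream is constructed and includes a near miss that ages out of the window.

```python
"""Added example (not from the TUCON 2007 deck): the two detection styles of
slide 24 run side by side over a constructed stream of login events.

Assumed event schema (mine, not the presentation's):
  ts = epoch seconds, src = client address, user = account, outcome = "fail"/"ok".
"""
from collections import defaultdict, deque
from statistics import mean, pstdev

FAIL_THRESHOLD = 5   # failures from one source ...
WINDOW_SECONDS = 60  # ... inside this window, followed by a success
Z_LIMIT = 3.0        # how far a user's hourly login count may stray from its baseline


class BruteForceDetector:
    """Anticipated situation: the pattern is specified up front."""

    def __init__(self):
        self.fails = defaultdict(deque)  # src -> timestamps of recent failures

    def consume(self, ev):
        q = self.fails[ev["src"]]
        while q and ev["ts"] - q[0] > WINDOW_SECONDS:  # drop failures outside the window
            q.popleft()
        if ev["outcome"] == "fail":
            q.append(ev["ts"])
            return None
        if len(q) >= FAIL_THRESHOLD:  # a success right after a burst of failures
            n = len(q)
            q.clear()
            return {"situation": "brute_force_success", "src": ev["src"],
                    "user": ev["user"], "ts": ev["ts"], "failures": n}
        return None


class LoginRateAnomaly:
    """Unanticipated situation: only 'normal' is specified; deviation is the event."""

    def __init__(self, baseline):
        self.baseline = baseline        # user -> list of past hourly login counts
        self.counts = defaultdict(int)  # (user, hour) -> logins seen so far
        self.fired = set()              # alert once per (user, hour)

    def consume(self, ev):
        if ev["outcome"] != "ok":
            return None
        key = (ev["user"], ev["ts"] // 3600)
        self.counts[key] += 1
        hist = self.baseline.get(ev["user"])
        if not hist or len(hist) < 2 or key in self.fired:
            return None
        mu, sigma = mean(hist), pstdev(hist)
        z = (self.counts[key] - mu) / (sigma or 1.0)  # flat baseline: treat sigma as 1
        if z > Z_LIMIT:
            self.fired.add(key)
            return {"situation": "login_rate_anomaly", "user": ev["user"],
                    "ts": ev["ts"], "count": self.counts[key], "z": round(z, 1)}
        return None


def detect(events, baseline):
    """Run the time-ordered stream through both detectors; return derived situations."""
    detectors = [BruteForceDetector(), LoginRateAnomaly(baseline)]
    situations = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        for d in detectors:
            out = d.consume(ev)
            if out:
                situations.append(out)
    return situations


# Constructed sample stream (not real traffic).
BASE = 1_700_000_000


def _ev(offset, src, user, outcome):
    return {"ts": BASE + offset, "src": src, "user": user, "outcome": outcome}


SAMPLE_EVENTS = (
    # 5 failures then a success inside 60 s: matches the pattern
    [_ev(t, "10.0.0.5", "alice", "fail") for t in (0, 10, 20, 30, 40)]
    + [_ev(50, "10.0.0.5", "alice", "ok")]
    # only 3 failures: below threshold
    + [_ev(t, "10.0.0.9", "bob", "fail") for t in (0, 15, 30)]
    + [_ev(45, "10.0.0.9", "bob", "ok")]
    # 5 failures, but the first two age out of the window before the success
    + [_ev(t, "10.0.0.7", "carol", "fail") for t in (0, 10, 100, 110, 120)]
    + [_ev(130, "10.0.0.7", "carol", "ok")]
    # service account that normally logs in 2-3 times an hour suddenly logs in 20 times
    + [_ev(200 + 5 * i, "10.0.0.20", "svc-batch", "ok") for i in range(20)]
)
BASELINE = {"svc-batch": [2, 3, 2, 3, 2, 3, 2, 3]}

if __name__ == "__main__":
    for s in detect(SAMPLE_EVENTS, BASELINE):
        print(s)
```

Two things the slide's one-liners hide show up here: the pattern detector must expire state, or a slow trickle of failures eventually matches; and the anomaly detector needs a guard for a flat baseline (zero standard deviation) and should fire once per window rather than on every subsequent event.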
  • 25. Event Processing Characteristics
    • Asynchronous Timing: The timing of events is not controlled by the enterprise.
    • Noise: External event data is noisy.
    • Complex Event Processing: The significant state-change for the enterprise is detected by fusing data from multiple sources.
  • 26. Managing Uncertainty
    • Asynchronous Timing :
      • Integrate request-response SOA with asynchronous EDA
    • Noise:
      • Manage uncertainty about errors; both false positives and false negatives.
    • Multisensor Event Fusion:
      • Extreme decoupling.
    [Figure: geographically distributed sites (Houston, Denver, Edmonton, London, Sydney, New York) feeding trader, risk management and scheduler dashboards, with a risk manager in Houston and the corporate VP of Risk.]
  • 27. Key Take-Aways on Events
    • Event Processing Characteristics:
    • Sense and Respond : Respond quickly when reality deviates from expectation or plans.
    • Asynchrony: The timing of events is not controlled by the enterprise.
    • Global situational awareness: Can be achieved only by correlating multiple sources of data from outside the enterprise with enterprise data.
    • Errors : Events are “noisy.”
  • 28. CEP Illustrated Detecting Threats with Complex Event Processing
  • 29. Complex Event Processing: Situation Detection
    "Events in several forms, from simple events to complex events, will become very widely used in business applications during 2004 through 2008." --- Gartner, July 2003
  • 30. Event Processing Reference Architecture [Figure: event sources (external and other feeds, databases, other data) enter Level 0 event pre-processing; above it sit Level 1 event tracking, Level 2 situation detection, Level 3 predictive analysis and Level 4 adaptive BPM, supported by distributed local event services, DB management (historical data, profiles and patterns, event profiles) and visualization, BAM and user interaction.]
  • 31. Situational Awareness via Event Processing
    • Multi-level inference in a distributed event-decision architecture
      • User Interface (Dashboards, BAM, Visualization, Portals)
        • Human visualization, monitoring, interaction and situation management
      • Level 4 – Process Refinement (Adaptive BPM)
        • Decide on control feedback, for example resource allocation, sensor and state management, parametric and algorithm adjustment
      • Level 3 – Impact Assessment (Predictive Analytics)
        • Impact assessment, i.e. assess intent on the basis of situation development, recognition and prediction
      • Level 2 – Situation Refinement (Situational Detection)
        • Identify situations based on sets of complex events, state estimation, etc.
      • Level 1 – Event Refinement (Event Tracking)
        • Identify events & make initial decisions based on association and correlation
      • Level 0 – Event Preprocessing
        • Cleansing of event-stream to produce semantically understandable data
    [Figure axis: Level of Inference, Low / Med / High]
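Levels 0 and 1 of this hierarchy, and the "read, parse, normalize" requirement of slide 13, as an added example (Python, mine, not the deck's or TIBCO's code). The input formats are assumptions: constructed OpenSSH-style syslog lines and Apache combined-style access log lines. Level 0 parses both into one normalized schema (ts as UTC epoch seconds, src, user, sensor, action, outcome); Level 1 associates the normalized events by source address into tracks with first/last seen and tallies. Syslog lines carry no year, so the caller supplies one; a line no parser understands is returned rather than dropped silently.

```python
"""Added example (not from the TUCON 2007 deck): a Level 0 / Level 1 pipeline in
the sense of slides 13 and 31. Heterogeneous raw log lines are parsed into one
normalized event schema, then associated into per-source tracks.

Assumptions (mine): two constructed input formats (OpenSSH-style syslog and
Apache combined-style access log); syslog lines have no year, so the caller
supplies one, and every timestamp is taken as UTC.
"""
import re
from datetime import datetime, timezone

SSHD = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+")
HTTPD = re.compile(
    r'^(?P<src>[\d.]+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+')


def parse_sshd(m, year):
    """Level 0: sshd line -> normalized event (timestamp rebuilt with the caller's year)."""
    t = datetime.strptime(f"{m['mon']} {m['day']} {m['time']}", "%b %d %H:%M:%S")
    t = t.replace(year=year, tzinfo=timezone.utc)
    return {"ts": t.timestamp(), "src": m["src"], "user": m["user"], "sensor": "sshd",
            "action": "ssh_login", "outcome": "ok" if m["outcome"] == "Accepted" else "fail"}


def parse_httpd(m, year):
    """Level 0: access log line -> normalized event; 401/403 count as failures."""
    t = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    status = int(m["status"])
    outcome = "fail" if status in (401, 403) else "ok" if status < 400 else "other"
    return {"ts": t.timestamp(), "src": m["src"], "user": None if m["user"] == "-" else m["user"],
            "sensor": "httpd", "action": f"{m['method']} {m['path']}", "outcome": outcome}


PARSERS = [(SSHD, parse_sshd), (HTTPD, parse_httpd)]


def normalize(lines, year):
    """First matching parser wins; lines nothing understands are returned, not dropped."""
    events, unparsed = [], []
    for line in lines:
        for rx, fn in PARSERS:
            m = rx.match(line)
            if m:
                events.append(fn(m, year))
                break
        else:
            unparsed.append(line)
    return events, unparsed


def track(events):
    """Level 1: associate events by source address into tracks (first/last seen, tallies)."""
    tracks = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        t = tracks.setdefault(ev["src"], {"src": ev["src"], "first": ev["ts"], "last": ev["ts"],
                                          "events": 0, "failures": 0, "users": set(), "sensors": set()})
        t["last"] = ev["ts"]
        t["events"] += 1
        if ev["outcome"] == "fail":
            t["failures"] += 1
        t["sensors"].add(ev["sensor"])
        if ev["user"]:
            t["users"].add(ev["user"])
    return tracks


# Constructed sample lines (not from a real system).
SAMPLE_LINES = [
    "Oct 11 13:02:17 bastion sshd[4122]: Failed password for invalid user admin from 203.0.113.9 port 51122 ssh2",
    "Oct 11 13:02:19 bastion sshd[4122]: Failed password for root from 203.0.113.9 port 51130 ssh2",
    "Oct 11 13:02:25 bastion sshd[4130]: Accepted password for root from 203.0.113.9 port 51140 ssh2",
    '203.0.113.9 - - [11/Oct/2023:13:03:01 +0000] "POST /login HTTP/1.1" 401 512',
    '198.51.100.4 - alice [11/Oct/2023:13:05:42 +0000] "GET /account HTTP/1.1" 200 2048',
    "Oct 11 13:06:00 bastion kernel: eth0: link is up",  # no parser for this: reported as unparsed
]

if __name__ == "__main__":
    evs, bad = normalize(SAMPLE_LINES, year=2023)
    for src, t in track(evs).items():
        print(src, t["events"], "events,", t["failures"], "failures, users", sorted(t["users"]))
    print("unparsed:", bad)
```

The point of the normalized schema is visible in the track for 203.0.113.9: three sshd failures and an HTTP 401 from the same address land in one track with a common clock, which is what Level 2 situation detection needs to see them as one activity rather than two stovepipes.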
  • 32. Event Processing Characteristics
    • Event Processing Agents, Sensors and ESB
    • “System” can “learn” expectations from positive and negative examples
    • Users can specify expectations using:
      • SQL-like queries
      • Fuzzy matches
      • Statistical operators
      • Regular expressions and rules
      • CEP
  • 33. Our Agenda
    • Trends in Cyber attacks, Threats & Vulnerabilities
    • Security Event Management (SEM) Overview
    • How Complex Event Processing (CEP) Helps
    • TIBCO BusinessEvents™ and CEP
    • Question & Answers
  • 34. TIBCO BusinessEvents™ Solutions Overview [Figure: the BusinessEvents™ solutions space. Data: events and databases, real-time and historical. Models: statistical, financial, optimization. Comms: pub/sub messaging, queues, topics, UIs. Knowledge: facts and rules.]
  • 35. TIBCO BusinessEvents™ Overview
    • High performance, low latency business rules engine.
    • Top down business process modeling.
    • Real-time event processing.
    • Cross-application and cross-process integration.
    • Analytical and predictive models.
    [Figure: modeling tools, statefulness, business rules and process integration: UML conceptual model, UML state model, business rules for business users, event analyzer.]
  • 36. TIBCO BusinessEvents™ Overview [Figure: processing pipeline. Feeds from FDS/IDS, log files, edge devices, sensors and application interfaces enter collection and normalization by agents, producing normalized, non-contextual events and metrics of managed objects. Event management, correlation, aggregation, inference and analysis (inference engine, dialogue manager) turn these into correlated, analyzed, contextual dialogue events, drawing on a metadata repository (semantic model, events, rules, state model; rules, knowledge, patterns, models) maintained in the design environment. Visualization, reporting and alert management present detection metrics and a process view over a synthetic warehouse.]
  • 37. BusinessEvents™ Components [Figure: enterprise metadata (concepts, properties, state models, XML schemas, business rules) shared by the BusinessEvents Workbench (design time) and the BusinessEvents Engine (runtime); business user interface and business user language, decision tables, runtime viewer, management server.]
  • 38. Runtime – BusinessEvents™ Engine
    Inference Engine
    • forward chaining – optimized Rete based rule inferencing
    • history of objects – calculation of real-time time-series
    • persistence – virtual memory, 100% failsafe
    • performance – 10s of 1000s of rules per second
    Models
    • ontology – objects, events, inheritance, relationships, properties
    • state model – object life cycle, event patterns, time, alerts, reports
    • kpi model – real-time calculation, thresholds / alerts
    Also shown: monitor and management, channels, embedded DB
  • 39. On-Line Fraud Detection Use Case
    • Three server farms, ~600-700 application servers, feeding session info through TIBCO EMS™ to TIBCO BusinessEvents™
    • Approx. 12,000 hits per second during peak period across the three sites; one instance of TIBCO BusinessEvents™ capable of handling the maximum hits
    • Overall 100 million hits handled between 3PM and 4PM peak
    • Approx. 250 million hits per day across the three sites
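Forward chaining (slide 38) applied to session facts of the kind the fraud use case above feeds into the engine, as an added example (Python, mine, not TIBCO's engine or code). The fact shapes, rule set, thresholds and session data are all assumptions. Rules read working memory and yield derived facts; the loop repeats until a cycle derives nothing new, so a rule such as high_risk_session fires only on facts other rules produced. This is the naive algorithm: a Rete network indexes facts so that only the rules affected by a change are re-evaluated, whereas this loop re-evaluates every rule each cycle.

```python
"""Added example (not TIBCO's code): a naive forward-chaining rule engine in the
style slide 38 names, run over constructed online-banking session facts like
those of slide 39.

Assumptions (mine): facts are typed attribute bundles; rules are generators over
working memory that yield derived facts. No Rete indexing: every rule is
re-evaluated each cycle, which is correct but O(rules x facts) per cycle.
"""
from collections import Counter
from dataclasses import dataclass

LARGE_AMOUNT = 5000  # assumed threshold for a "large" transfer


@dataclass(frozen=True)
class Fact:
    kind: str
    attrs: tuple  # sorted (name, value) pairs, so equal facts compare and hash equal

    def __getitem__(self, name):
        return dict(self.attrs)[name]


def fact(kind, **attrs):
    return Fact(kind, tuple(sorted(attrs.items())))


def of_kind(wm, kind):
    return [f for f in wm if f.kind == kind]


# --- rules: condition over working memory -> derived facts --------------------
def new_device(wm):
    for l in of_kind(wm, "login"):
        if l["device"] == "new":
            yield fact("risk", session=l["session"], indicator="new_device")


def geo_mismatch(wm):
    home = {p["user"]: p["home_geo"] for p in of_kind(wm, "profile")}
    for l in of_kind(wm, "login"):
        if l["user"] in home and l["geo"] != home[l["user"]]:
            yield fact("risk", session=l["session"], indicator="geo_mismatch")


def large_transfer(wm):
    for t in of_kind(wm, "transfer"):
        if t["amount"] >= LARGE_AMOUNT:
            yield fact("risk", session=t["session"], indicator="large_transfer")


def high_risk_session(wm):
    # consumes only facts other rules derived: this is the chaining step
    for session, n in Counter(r["session"] for r in of_kind(wm, "risk")).items():
        if n >= 2:
            yield fact("high_risk", session=session)


def fraud_alert(wm):
    risky = {h["session"] for h in of_kind(wm, "high_risk")}
    for t in of_kind(wm, "transfer"):
        if t["session"] in risky:
            yield fact("action", session=t["session"], do="hold_transfer")


RULES = [new_device, geo_mismatch, large_transfer, high_risk_session, fraud_alert]


def forward_chain(facts, rules, max_cycles=50):
    """Fire rules until a cycle derives nothing new; return memory and a (rule, fact) trace."""
    wm, trace = set(facts), []
    for _ in range(max_cycles):
        derived = set()
        for rule in rules:
            for f in rule(wm):
                if f not in wm and f not in derived:
                    derived.add(f)
                    trace.append((rule.__name__, f))
        if not derived:
            break
        wm |= derived
    return wm, trace


# Constructed session facts (not real customer data).
SAMPLE_FACTS = [
    fact("profile", user="alice", home_geo="US"),
    fact("login", session="s1", user="alice", device="new", geo="RO"),
    fact("transfer", session="s1", amount=9500),
    fact("profile", user="bob", home_geo="US"),
    fact("login", session="s2", user="bob", device="known", geo="US"),
    fact("transfer", session="s2", amount=120),
]

if __name__ == "__main__":
    _, trace = forward_chain(SAMPLE_FACTS, RULES)
    for rule, f in trace:
        print(f"{rule:18} -> {f.kind} {dict(f.attrs)}")
```

The trace is the audit record a fraud analyst needs: it records which rule derived each fact, in which order, so the hold on session s1 can be traced back to the three indicators that produced it, while session s2 derives nothing. The max_cycles guard matters in a real engine, since a rule set whose derived facts keep changing (a counter that grows every cycle, for instance) would otherwise never reach a fixpoint.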
  • 40. Wrap Up: TIBCO’s CEP-Based SEM
    • ESB – a secure, standards-based communications infrastructure for distributed event management for SEM
    • STRONG ANALYTICS - an extensible event-driven rules engine detects and refines threat-related situations with high probability using state-of-the-art analytics
    • EDA - standards compliant messages, an ESB, and alerts and automated responses that kick off workflow, compliance and other remediation activities through the BPM suite
    • CUSTOM REPORTING – dashboards and reports easily customized with an AJAX-based Rich Internet Application (RIA)
    • SCALABLE, DISTRIBUTED ARCHITECTURE – event-driven, cooperative agents manage millions of events in a heterogeneous, distributed architecture
  • 41. Q & A
    • ?
  • 42. Thank You! Tim Bass, CISSP Principal Global Architect, Director TIBCO Software Inc.