Using Event Processing to Enable Enterprise Security

Webinar: Using Event Processing to Enable Enterprise Security, July 20, 2006. Tim Bass, CISSP, Principal Global Architect, and Alan Lundberg, Senior Product Marketing Manager, TIBCO Software Inc.

Transcript

    • 1. Using Event Processing to Enable Enterprise Security. July 20, 2006. Tim Bass, CISSP, Principal Global Architect; Alan Lundberg, Senior Product Marketing Manager; TIBCO Software Inc.
    • 2. Key Takeaways of Webinar
      • Next Generation IDS requires the fusion of information from numerous event sources across the enterprise:
        • Model all IDS Devices, Log Files, Sniffers, etc. as Sensors
        • Use Secure Standards-based Messaging for Communications
      • Next-Gen IDS Requires a Number of Technologies:
        • Distributed Computing, Publish/Subscribe and SOA
        • Hierarchical, Cooperative Inference Processing
        • High Speed, Real Time Rules Processing with State Management
        • Event-Decision Architecture for Identification and Mitigation of Security Situations
      • Solution Expandable to Other Security, Compliance and IT Management Areas (as required)
    • 3. A Sample of the Problems with Network Security
      • Firewall, IDS, IPS, Cryptography, Access Control are Simply Not Sufficient.
      • Malicious Users are Using Legitimate Application Protocols, such as HTTP, HTTPS and SOAP.
      • A CSI/FBI Study Showed that Almost 50% of Security Breaches came from Internal Resources:
        • Recently fired employees
        • Unscrupulous traders
        • Compromised partners
        • And disgruntled or curious employees
    • 4. Background – the Current State of IDS
      • “Today over 70% of attacks against a company’s website or web application come at the ‘Application Layer’, not the Network or System layer.” - Gartner Group
      • Most firewalls, IDS (Intrusion Detection Systems) and IPS (Intrusion Prevention Systems) act at the Network/System Layer, not at the Application Layer.
    • 5. Proactive Security
      • An Attacker will Leave Evidence Before a Successful Break-In:
        • SSL error log file
        • Application/XML Firewall log file
        • Application log files
      • Correlating those Forensic Events in Real-Time will:
        • Catch the attacker before … they break in!
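The correlation slide 5 describes, as an added example that is not part of the webinar or of any TIBCO product: three constructed log sources (an SSL error log, an application/XML firewall log and an application log, in formats assumed for this example) are normalized to (timestamp, sensor, source IP) events and fed to a sliding-window correlator that raises a situation once evidence from enough distinct sensors is seen from one client within the window. The sensor names, the regexes and the window size are this example's own choices.

```python
"""Added example, not from the webinar: correlate pre-break-in evidence from
three constructed log sources (SSL error log, application/XML firewall log,
application log) by client IP inside a sliding time window."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines; the line formats are assumptions, not any vendor's real format.
SSL_ERROR_LOG = [
    "2006-07-20 10:00:01 ssl_error client=203.0.113.7 reason=handshake_failure",
    "2006-07-20 10:00:09 ssl_error client=203.0.113.7 reason=unknown_ca",
    "2006-07-20 10:03:30 ssl_error client=198.51.100.2 reason=handshake_failure",
]
XML_FIREWALL_LOG = [
    '2006-07-20 10:00:40 BLOCK src=203.0.113.7 rule="SOAP schema violation"',
    '2006-07-20 10:01:05 BLOCK src=203.0.113.7 rule="oversized XML entity"',
]
APP_LOG = [
    "2006-07-20 10:01:50 WARN auth failed user=admin ip=203.0.113.7",
    "2006-07-20 10:02:10 WARN auth failed user=root ip=203.0.113.7",
    "2006-07-20 10:02:11 INFO auth ok user=alice ip=198.51.100.2",
]
SOURCES = {"ssl": SSL_ERROR_LOG, "waf": XML_FIREWALL_LOG, "app": APP_LOG}

# One pattern per sensor; anything that does not match is not evidence and is dropped.
PARSERS = {
    "ssl": re.compile(r"^(?P<ts>\S+ \S+) ssl_error client=(?P<ip>\S+)"),
    "waf": re.compile(r"^(?P<ts>\S+ \S+) BLOCK src=(?P<ip>\S+)"),
    "app": re.compile(r"^(?P<ts>\S+ \S+) WARN auth failed .*\bip=(?P<ip>\S+)"),
}

def parse(sensor, line):
    """Normalize one raw line into an event (timestamp, sensor, source IP) or None."""
    m = PARSERS[sensor].match(line)
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "sensor": sensor, "src_ip": m["ip"]}

class Correlator:
    """Per-source-IP state; a situation is raised once evidence from enough
    distinct sensors falls inside the window. Old evidence is expired, so a
    slow scanner spread over hours does not accumulate forever."""
    def __init__(self, window_seconds=300, min_sensors=3):
        self.window = timedelta(seconds=window_seconds)
        self.min_sensors = min_sensors
        self.state = defaultdict(deque)   # src_ip -> deque of (ts, sensor), oldest first
        self.raised = set()               # IPs already escalated (alert once, not per event)

    def feed(self, event):
        """Return a situation dict when the threshold is crossed, else None."""
        q = self.state[event["src_ip"]]
        q.append((event["ts"], event["sensor"]))
        while q and event["ts"] - q[0][0] > self.window:
            q.popleft()
        sensors = {s for _, s in q}
        if len(sensors) >= self.min_sensors and event["src_ip"] not in self.raised:
            self.raised.add(event["src_ip"])
            return {"src_ip": event["src_ip"], "sensors": sorted(sensors),
                    "first_seen": q[0][0], "last_seen": event["ts"], "evidence": len(q)}
        return None

def run(sources, correlator=None):
    """Replay every sensor's lines in timestamp order, as a live feed would deliver them."""
    correlator = correlator or Correlator()
    events = [e for sensor, lines in sources.items()
              for e in (parse(sensor, line) for line in lines) if e]
    events.sort(key=lambda e: e["ts"])
    return [s for s in (correlator.feed(e) for e in events) if s]

if __name__ == "__main__":
    for situation in run(SOURCES):
        print("SITUATION", situation)   # one hit for 203.0.113.7, none for 198.51.100.2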
    • 6. The Requirements
      • “A real-time quick and effective monitoring and response is critical for stopping an ongoing malicious attack and preventing future attacks on the enterprise as an integrated system.”
      • Enterprises Need Processes and Tools to:
        • Monitor security events
        • Correlate thousands of security events into a few identifiable critical situations
        • Be alerted and notified of potential attacks with low false alarm rates
        • Watch for suspected malicious users on the network
        • Prevent intrusions and attacks
        • Identify, assess and manage security breaches
        • Mitigate, contain and minimize damage
        • Preserve intrusion evidence
        • Manage and track security incidents and investigations
      • These Tools Should also Integrate with Existing Enterprise Systems Management tools
    • 7. Introduction to Intrusion Detection (ID)
      • Intrusion Detection is the process of identifying and responding to malicious activity targeted at computing and networking resources.
      • ID is often accomplished by these (overlapping) methods (more on this later):
        • Audit trail processing
        • Real-time processing
        • Profiles of normal behavior
        • Signatures of abnormal behavior
        • Parameter pattern matching
    • 8. Intrusion Detection System Design Goals
      What are the overall design goals for IDS? (Illustrative purposes only)
      • Rapidly detect intrusions with a low false alarm rate and a high intrusion detection rate…
    • 9. Classification of Intrusion Detection Systems: Traditional View Before the Data Fusion Approach to IDS (taxonomy diagram)
      • Detection Approach: Anomaly Detection, Signature Detection
      • Systems Protected: HIDS, NIDS, Hybrid
      • Architecture: Centralized, Distributed
      • Data Sources: Audit Logs, Net Traffic, System Stats
      • Analysis Timing: Real Time, Data Mining
      • Detection Actions: Active, Passive
      • Agent Based
    • 10. TIBCO’s Real-Time Agent-Based IDS Approach: A Multisensor Data Fusion Approach to IDS (the same taxonomy diagram, with “Agent Based” labelled as the next-generation fusion of IDS sensor functions)
    • 11. Intrusion Detection and Data Fusion (2000) Next-Generation Intrusion Detection Systems Source: Bass, T., CACM, 2000
    • 12. PredictiveBusiness™
    • 13. Event-Decision Reference Architecture: Next-Generation Functional Architecture for Intrusion Detection (diagram)
      • Event sources: external sources, distributed local event services, event profiles, databases, other data
      • Event pre-processing
      • Level One: Event Tracking
      • Level Two: Situation Detection
      • Level Three: Predictive Analysis
      • Level Four: Adaptive BPM
      • DB management: historical data, profiles & patterns
      • Visualization, BAM, user interaction
    • 14. Event-Decision High Level Architecture (diagram: knowledge sources, KS, arranged around an event cloud, i.e. a distributed data set). Adapted from: Engelmore, R. S., Morgan, A. J., and Nii, H. P., Blackboard Systems, 1988, and Luckham, D., The Power of Events, 2002.
    • 15. HLA - Knowledge Sources (KS)
      • Sensors
        • Systems that provide data and events to the inference models and humans
      • Actuators
        • Systems that take action based on inference models and human interactions
      • Knowledge Processors
        • Systems that take in data and events, process the data and events, and output refined, correlated, or inferred data or events
    • 16. Structured Processing for Event-Decision
      • Multi-level inference in a distributed event-decision architecture (the level of inference rises from Level 0 to Level 4):
        • User Interface
          • Human visualization, monitoring, interaction and situation management
        • Level 4 – Process Refinement
          • Decide on control feedback, for example resource allocation, sensor and state management, parametric and algorithm adjustment
        • Level 3 – Impact Assessment
          • Assess intent on the basis of situation development, recognition and prediction
        • Level 2 – Situation Refinement
          • Identify situations based on sets of complex events, state estimation, etc.
        • Level 1 – Event Refinement
          • Identify events and make initial decisions based on association and correlation
        • Level 0 – Event Preprocessing
          • Cleansing of the event stream to produce semantically understandable data
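The Level 2 to Level 4 chain of slide 16, as an added example that is not from the webinar or from TIBCO BusinessEvents: constructed Level 1 events (already associated to a source IP and labelled with a coarse kind) are folded into a per-source attack stage (situation refinement), scored against a hypothetical asset-criticality table (impact assessment), and the score drives control feedback (process refinement) that both focuses the sensors on the source and lowers a Level 2 parameter. The stage names, weights, thresholds and asset names are this example's own assumptions.

```python
"""Added example, not from the webinar: a minimal Level 2 -> 3 -> 4 inference chain
over constructed, already-refined (Level 1) events, with Level 4 feeding parameter
adjustments back into Level 2. Names, stages and weights are this example's own."""
from collections import defaultdict

# Constructed Level 1 output: events already associated to a source IP and
# labelled with a coarse kind by the lower levels.
LEVEL1_EVENTS = [
    {"seq": 1, "src_ip": "203.0.113.7", "target": "www", "kind": "recon"},
    {"seq": 2, "src_ip": "203.0.113.7", "target": "www", "kind": "recon"},
    {"seq": 3, "src_ip": "203.0.113.7", "target": "www", "kind": "exploit_attempt"},
    {"seq": 4, "src_ip": "203.0.113.7", "target": "trading-api", "kind": "auth_failure"},
    {"seq": 5, "src_ip": "203.0.113.7", "target": "trading-api", "kind": "auth_success"},
    {"seq": 6, "src_ip": "198.51.100.2", "target": "www", "kind": "recon"},
]

# Hypothetical asset criticality (1 low .. 5 high); in a deployment this lives in
# the historical-data / profiles tier rather than in code.
ASSET_CRITICALITY = {"www": 2, "trading-api": 5}
STAGE_ORDER = ["none", "probing", "attempting", "compromised"]
STAGE_WEIGHT = {"none": 0, "probing": 1, "attempting": 3, "compromised": 10}

class SituationRefiner:
    """Level 2: fold each source's set of events into an attack-stage situation."""
    def __init__(self, recon_threshold=2):
        self.recon_threshold = recon_threshold   # a parameter Level 4 is allowed to tune
        self.focused = set()                     # sources the sensors were told to focus on
        self.per_ip = defaultdict(lambda: {"recon": 0, "stage": "none", "targets": set()})

    def update(self, ev):
        s = self.per_ip[ev["src_ip"]]
        s["targets"].add(ev["target"])
        new_stage = s["stage"]
        if ev["kind"] == "recon":
            s["recon"] += 1
            if s["recon"] >= self.recon_threshold:
                new_stage = "probing"
        elif ev["kind"] in ("exploit_attempt", "auth_failure"):
            new_stage = "attempting"
        elif ev["kind"] == "auth_success" and s["stage"] == "attempting":
            new_stage = "compromised"   # a success after attempts is the escalation that matters
        if STAGE_ORDER.index(new_stage) > STAGE_ORDER.index(s["stage"]):
            s["stage"] = new_stage      # stages only move forward
        return {"src_ip": ev["src_ip"], "stage": s["stage"], "targets": sorted(s["targets"])}

def assess_impact(situation):
    """Level 3: stage weight times the criticality of the most valuable asset touched."""
    crit = max(ASSET_CRITICALITY.get(t, 1) for t in situation["targets"])
    return STAGE_WEIGHT[situation["stage"]] * crit

def refine_process(situation, impact, refiner, alert_at=5):
    """Level 4: control feedback. Returns the actions issued to sensors and to Level 2."""
    actions = []
    if impact >= alert_at:
        if situation["src_ip"] not in refiner.focused:
            refiner.focused.add(situation["src_ip"])
            actions.append(("focus_sensors", situation["src_ip"]))   # e.g. full capture for this IP
        if refiner.recon_threshold > 1:
            refiner.recon_threshold = 1   # lower Level 2's bar while an attack is in progress
            actions.append(("set_recon_threshold", 1))
    return actions

def run(events, refiner=None):
    """Drive the three levels event by event and return the per-event trace."""
    refiner = refiner or SituationRefiner()
    trace = []
    for ev in sorted(events, key=lambda e: e["seq"]):
        sit = refiner.update(ev)
        impact = assess_impact(sit)
        actions = refine_process(sit, impact, refiner)
        trace.append({"seq": ev["seq"], "src_ip": ev["src_ip"], "stage": sit["stage"],
                      "impact": impact, "actions": actions})
    return trace

if __name__ == "__main__":
    for row in run(LEVEL1_EVENTS):
        print(row)
```

The last event is the point of the feedback loop: a single reconnaissance hit from a second address is classified as "probing" only because Level 4 lowered the Level 2 threshold while the first attack was in progress. That is also the caveat: feedback that loosens thresholds raises the false alarm rate everywhere, so in practice it should be scoped (per subnet, per asset) and time-limited rather than left in place.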
    • 17. Event-Driven Intrusion Detection Flexible SOA and Event-Driven Architecture
    • 18. Next-Gen Intrusion Detection System (NGIDS) High Level Event-Driven Architecture (EDA) – Early Phase (diagram)
      • Sensor Network: NIDS, HIDS, IDS, log files and SQL databases on the monitored systems, each fed through TIBCO BusinessWorks (BW) or the Active Database Adapter (ADB) onto JMS
      • Messaging Network: Java Message Service (JMS) distributed queues (TIBCO EMS)
      • Rules Network: multiple high-performance rules engines (TIBCO BE)
    • 19. Characteristics of Solutions Architecture
      • Fusion of IDS information across the Customer’s Enterprise, including:
        • Log files
        • Customer’s existing IDS (host and network based) devices
        • Network traffic monitors (as required)
        • Host statistics (as required)
      • Secure, standards-based Java Message Service (JMS) for messaging:
        • Events parsed into JMS Properties (extended headers)
        • SSL transport for JMS messages
      • TIBCO technology for next-generation detection, prediction, rule-based intrusion response, and adaptive control
        • TIBCO BusinessWorks™ as required, to transform, map or cleanse data
        • TIBCO BusinessEvents™ for rule-based IDS analytics
        • TIBCO Active Database Adapter as required
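What "events parsed into JMS properties" buys you, as an added example that is not from the webinar and uses no TIBCO or JMS library: the routing-relevant fields of a normalized event are promoted to typed message properties while the full event stays in the body, so a consumer such as a rules-engine instance can subscribe with a selector over the properties and never parse bodies it does not want. The small selector evaluator below stands in for the broker's own selector engine; property names, event fields and sample events are this example's assumptions.

```python
"""Added example, not from the webinar: promote a normalized IDS event's routing
fields to JMS-style message properties and filter messages with a selector, as a
rules engine would when subscribing to a subset of a queue. The selector evaluator
is a small stand-in for what a JMS broker does; property and field names are assumed."""
import json
import re

def to_jms_message(event):
    """Routing-relevant fields become typed properties (the 'extended headers');
    the complete event travels in the body. Property names follow Java identifier
    rules (letters, digits, underscore) so selectors can reference them."""
    props = {"sensor": str(event["sensor"]), "src_ip": str(event["src_ip"]),
             "severity": int(event.get("severity", 0)), "JMSType": "ids.event"}
    return {"properties": props, "body": json.dumps(event, sort_keys=True)}

_TOKEN = re.compile(r"\s*(?:(?P<num>\d+)|'(?P<str>[^']*)'|(?P<op><>|>=|<=|=|>|<)"
                    r"|(?P<paren>[()])|(?P<id>[A-Za-z_]\w*))")
_OPS = {"=": lambda a, b: a == b, "<>": lambda a, b: a != b, ">": lambda a, b: a > b,
        ">=": lambda a, b: a >= b, "<": lambda a, b: a < b, "<=": lambda a, b: a <= b}

def _tokens(selector):
    pos, out = 0, []
    while pos < len(selector):
        m = _TOKEN.match(selector, pos)
        if not m:
            raise ValueError("bad selector near offset %d" % pos)
        pos = m.end()
        if m["num"] is not None:
            out.append(("val", int(m["num"])))
        elif m["str"] is not None:
            out.append(("val", m["str"]))
        elif m["op"]:
            out.append(("op", m["op"]))
        elif m["paren"]:
            out.append(("paren", m["paren"]))
        else:
            word = m["id"]
            out.append(("kw", word.upper()) if word.upper() in ("AND", "OR") else ("id", word))
    return out

def matches(selector, props):
    """Evaluate a JMS-like selector (comparisons, parentheses, AND binding tighter
    than OR) against a property map. A missing or differently typed property makes
    its comparison false, as the JMS selector rules specify."""
    toks, i = _tokens(selector.strip()), 0
    def factor():
        nonlocal i
        if i < len(toks) and toks[i] == ("paren", "("):
            i += 1
            r = expr()
            if i >= len(toks) or toks[i] != ("paren", ")"):
                raise ValueError("missing ')'")
            i += 1
            return r
        if i + 3 > len(toks) or [t[0] for t in toks[i:i + 3]] != ["id", "op", "val"]:
            raise ValueError("expected <property> <op> <literal>")
        (_, name), (_, op), (_, val) = toks[i:i + 3]
        i += 3
        if name not in props or type(props[name]) is not type(val):
            return False
        return _OPS[op](props[name], val)
    def term():
        nonlocal i
        r = factor()
        while i < len(toks) and toks[i] == ("kw", "AND"):
            i += 1
            r = factor() and r        # always consume the right operand
        return r
    def expr():
        nonlocal i
        r = term()
        while i < len(toks) and toks[i] == ("kw", "OR"):
            i += 1
            r = term() or r
        return r
    result = expr()
    if i != len(toks):
        raise ValueError("unexpected trailing tokens")
    return result

# Constructed Level 1 events as a producer would publish them.
EVENTS = [
    {"sensor": "waf", "src_ip": "203.0.113.7", "severity": 4, "msg": "SOAP schema violation"},
    {"sensor": "nids", "src_ip": "203.0.113.7", "severity": 2, "msg": "port sweep"},
    {"sensor": "app", "src_ip": "198.51.100.2", "severity": 5, "msg": "auth failed user=admin"},
]

def route(events, selector):
    """Bodies a subscriber registered with this selector would receive, body untouched."""
    return [json.loads(m["body"]) for m in map(to_jms_message, events)
            if matches(selector, m["properties"])]

if __name__ == "__main__":
    print(route(EVENTS, "severity >= 4 AND (sensor = 'waf' OR sensor = 'app')"))
```

Two practical points follow from this split. Properties are typed: `severity` is promoted as an integer so `severity >= 4` compares numerically, and a selector that compares it against a string matches nothing rather than matching by accident. And the "SSL transport" bullet is about the hop between producer, broker and consumer only; it says nothing about who may publish, so a deployment still needs the broker to authenticate producers and verify server certificates, otherwise an attacker on the network can inject or read sensor events in the clear.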
    • 20. Potential Extensions to Solutions Architecture
      • Extension of IDS to rules-based access control
        • Integration of IDS with access control
        • TIBCO BusinessEvents™ for rule-based access control
      • Extension of IDS and access control to incident response
        • Event-triggered workflow
        • TIBCO iProcess™ BPM for incident response
        • TIBCO iProcess™ BPM security entitlement workflow
        • TIBCO BusinessEvents™ for rule-based access control
      • Extensions for other risk and compliance requirements
        • Basel II, SOX, and JSOX - for example
        • Other possibilities to be discussed later
      • Extensions for IT management requirements
        • Monitoring and fault management, service management, ITIL
    • 21. TIBCO’s Vision The Full Range of Business Integration Products and Services
    • 22. Key Takeaways of Webinar
      • Next Generation IDS requires the fusion of information from numerous event sources across the enterprise:
        • Model all IDS Devices, Log Files, Sniffers, etc. as Sensors
        • Use Secure Standards-based Messaging for Communications
      • Next-Gen IDS Requires a Number of Technologies:
        • Distributed Computing, Publish/Subscribe and SOA
        • Hierarchical, Cooperative Inference Processing
        • High Speed, Real Time Rules Processing with State Management
        • Event-Decision Architecture for Complex Events / Situations
      • Solution Expandable to Other Security, Compliance and IT Management Areas (as required)
    • 23. Questions and Answers. Tim Bass, CISSP, Principal Global Architect, [email_address], Event Processing at TIBCO