The document outlines an open event-driven architecture for risk management in financial services, detailing the importance of integrating diverse event sources across enterprises for improved security and compliance. It discusses TIBCO's solutions for complex event processing (CEP) and security event management, emphasizing the need for real-time analytics and adaptive controls to address security breaches. Additionally, it highlights industry drivers, market trends, and challenges within the realm of network security and compliance management.

1. CEP and SOA: An Open Event-Driven Architecture for Risk Management March 14, 2007 IT Financial Services 2007 Lisbon, Portugal Tim Bass, CISSP Principal Global Architect, Director Emerging Technologies Group

2. Our Agenda Key Takeaways, Market and Business Drivers TIBCO’S Solution Architecture Event-Driven Operational Risk Management Security Event Management and TIBCO BusinessEvents™ TIBCO’s Reference Architecture for CEP and SEM Example High Level Architecture Wrap Up

3. Key Takeaways of Presentation Next generation security and enterprise risk management solutions require the fusion of information from numerous event sources across the enterprise: Model all Security Devices, Log Files, Sniffers, etc. as Sensors and Event Processors Use Secure Standards-based Messaging for Communications Next-Gen Enterprise Risk Management (ERM) Requires a Number of Technologies: Distributed Computing, Publish/Subscribe and SOA Hierarchical, Cooperative Inference Processing High Speed, Real Time Rules Processing with State Management Event-Decision Architecture for Identification and Mitigation of Security Situations Solution Expandable to Compliance and Incident Management (BPM)

4. Firewall, IDS, IPS, Cryptography, Access Control are Simply Not Sufficient. Malicious Users are Using Legitimate Application Protocols, such as HTTP, HTTPS and SOAP. An CSI/FBI Study Showed that Almost 50% of Security Breaches came from Internal Resources. Recently fired employees Unscrupulous traders Compromised partners And disgruntled or curious employees Industry and Business Drivers A Sample of the Problems with Network Security malicious users malicious users

5. Background – the Current state of IDS Intrusion Detection Systems Simply Don’t Work! “ Today over 70% of attacks against a company’s website or web application come at the ‘Application Layer’ not the Network or System layer.” - Gartner Group Most of Firewalls, IDS (Intrusion Detection System), IPS (Intrusion Prevention System) are act at the Network/System Layer, not at the “ Application Layer ”.

6. Risk and Compliance Business Drivers and Market Trends Business Drivers: Organizations face mounting pressures driving them toward a structured approach to enterprise risk and compliance management. Complexity, diversity and multiplicity of risk Increased accountability and regulatory compliance Fragmentation and duplication of efforts Market Trends: Business drivers resulted in the following trends as organizations begin to build their new approaches to risk and compliance management: Adoption of an enterprise risk management framework Managed and measured regulatory compliance Risk and compliance tool consolidation, application integration and SOA Integration into business process management Establishment of a chief risk officer

7. Our Agenda Key Takeaways, Market and Business Drivers TIBCO’S Solution Architecture Event-Driven Operational Risk Management Security Event Management and TIBCO BusinessEvents™ TIBCO’s Reference Architecture for CEP and SEM Example High Level Architecture Wrap Up

8. Event-Driven Operational Risk Management An Active Predictive Business™ System of Risk and Asset Management Control evaluation (SOX) Operational Risk (Basel II) Security Outsourcing Privacy Business Continuity Planning Event-Driven Operational Risk Assessment & Management

9. How TIBCO Delivers for Customers Accelerate projects, initiatives, and go-to-market cycles Increase operational efficiency and effectiveness. Improve operational visibility, security, collaboration and responsiveness

10. Complex Event Processing " Events in several forms, from simple events to complex events, will become very widely used in business applications during 2004 through 2008 " --- Gartner July 2003

11. TIBCO BusinessEvents™ Solutions Overview BusinessEvents™ Solutions Space Data: Events & Databases -Real-Time & Historical Data Models: Statistical Financial Optimization Comms: Pub/Sub Messaging Queues Topics UIs Knowledge: Facts & Rules

12. Rule-Based Security Event Management Complex Event Processing for Enterprise Security Event Integration/Correlation Rule-Based Pattern Recognition Anomaly Detection Track and Trace Monitoring (BAM) Dynamic Resource Allocation Adaptive Resource Allocation Constraint Satisfaction (CSP) Dynamic Control Situation Identification Fraud Prediction Impact Assessment Detection Prediction Scheduling Fraud Detection Intrusion Detection Fault Detection Rule-Based Access Control Exception Management Compliance Work Flow Risk Management Fault Analysis Impact Assessment Security Event Management Across the Enterprise

13. Event-Driven SOA, CEP and BPM Enterprise Integration, Correlation and Management of Security Events Two Minute Explainer

14. TIBCO’s Real-Time Agent-Based SEM Approach A Multisensor Data Fusion Approach to Security Event Management Intrusion and Fraud Detection Systems Detection Approach Systems Protected Architecture Data Sources Analysis Timing Detection Actions IDS FDS Hybrid Audit Logs Net Traffic System Stats Real Time Data Mining Anomaly Detection Signature Detection Centralized Distributed Active Passive Agent Based Next-Generation Fusion of Security “Stovepipes”

15. CEP Reference Architecture Next-Generation Functional Architecture for SOA / BPM / EDA 24 EVENT PRE-PROCESSING EVENT SOURCES EXTERNAL . . . LEVEL ONE EVENT TRACKING Visualization, BAM, User Interaction CEP Reference Architecture DB MANAGEMENT Historical Data Profiles & Patterns DISTRIBUTED LOCAL EVENT SERVICES . . EVENT PROFILES . . DATA BASES . . OTHER DATA LEVEL TWO SITUATION DETECTION LEVEL THREE PREDICTIVE ANALYSIS LEVEL FOUR ADAPTIVE BPM

16. Event-Driven Complex Event Processing Multi-level inference in a distributed, event-driven architecture User Interface Human visualization, monitoring, interaction and situation management Level 4 – Process Refinement Decide on control feedback, for example resource allocation, sensor and state management, parametric and algorithm adjustment Level 3 – Impact Assessment Impact assessment, i.e. assess intent on the basis of situation development, recognition and prediction Level 2 – Situation Refinement Identify situations based on sets of complex events, state estimation, etc. Level 1 – Event Refinement Identify events & make initial decisions based on association and correlation Level 0 – Event Preprocessing Cleansing of event-stream to produce semantically understandable data Level of Inference Low Med High

17. Event-Driven CEP and SEM - Summary Flexible SOA and Event-Driven Architecture

18. Security Event Management High Level Event-Driven Architecture (EDA) for SEM JAVA MESSAGING SERVICE (JMS) DISTRIBUTED EVENTS (TIBCO EMS) HIGH PERFORMANCE RULES-ENGINE (TIBCO BE) HIGH PERFORMANCE RULES-ENGINE (TIBCO BE) HIGH PERFORMANCE RULES-ENGINE (TIBCO BE) HIGH PERFORMANCE RULES-ENGINE (TIBCO BE ) SENSOR NETWORK RULES NETWORK FDS BW JMS LOGFILE JMS BW LOGFILE JMS BW LOGFILE JMS BW IDS JMS BW FDS JMS BW SQL DB BW JMS ADB SQL DB BW JMS ADB MESSAGING NETWORK SYSTEM SYSTEM SYSTEM SYSTEM SYSTEM SYSTEM SYSTEM SYSTEM

19. Overview of TIBCO’s Solutions Architecture Fusion of IDS and FDS information across Customer’s Enterprise, including: Log files Existing Customer’s IDS and FDS (host and network based) devices Network traffic monitors (as required) Host statistics (as required) Secure, standards-based JAVA Messaging Service (JMS) for messaging: Events parsed into JMS Application Properties SSL transport for JMS messages TIBCO technology for next-generation detection, prediction, rule-based intrusion response, and adaptive control TIBCO Business Works™ as required, to transform, map or cleanse data TIBCO BusinessEvents™ for real-time rule-based analytics TIBCO Active Database Adapter as required

20. Potential Extensions to Solutions Architecture Extension of EDA/SEM to rules-based access control Integration of IDS and FDS with access control TIBCO BusinessEvents™ for rule-based access control Extension of EDA/SEM and access control to incident response Event-triggered work flow TIBCO iProcess™ BPM for incident response TIBCO iProcess™ BPM security entitlement work flow Extensions for other risk, compliance & reporting requirements Basel II, SOX, and JSOX - for example Extensions for IT management requirements Monitoring and fault management, service management

21. Key Takeaways of Presentation Next generation security and enterprise risk management solutions require the fusion of information from numerous event sources across the enterprise: Model all Security Devices, Log Files, Sniffers, etc. as Sensors and Event Processors Use Secure Standards-based Messaging for Communications Next-Gen Enterprise Risk Management (ERM) Requires a Number of Technologies: Distributed Computing, Publish/Subscribe and SOA Hierarchical, Cooperative Inference Processing High Speed, Real Time Rules Processing with State Management Event-Decision Architecture for Identification and Mitigation of Security Situations Solution Expandable to Compliance and Incident Management (BPM)

22. RFID for Automatic Baggage Handling & Reconciliation

23. Hong Kong International Airport 2 runways 1 PTB 75 airlines, 143 destinations More than 700 flights per day

24. Airport Profile 41 M passengers (2005) over 110,000 per day 20M departure baggage (2005) 3.4M ton cargo (2005) 2 Runways; single largest terminal building 55,000 staff work for over 240 organisations AA staff - 950

25. HKIA RFID Project - Background In 2003, HKIA adopted to apply RFID t echnology to improve the Baggage Handling and Management System In mid 2004, RFID equipment installation commenced at baggage handling areas In Aug 2005, RFID mode operation in service

26. RFID Components RFID Chip Inlay / Label Reader, Antenna

27. Type of RFID Tags - Wal-Mart HKIA Octopus User Small Small Moderate Size ~1.5m ~ 5 m < 0.7m Read Range Fast Fast Moderate Read Speed 13.56MHz HF 860 – 960MHz UHF 2.45GHz Frequency UHF(2) Type

28. Comparison of UHF RFID Tags √ √ Low cost √ Access security √ √ Kill security √ √ Reads > 500 tags / sec √ Dense-reader operation Proprietary √ Class 0 + Proprietary Class 1 √ Standardization √ Read Write Gen2 Feature

29. RFID benefits Customers Reduce mishandling of bags Airports Lower baggage management cost Enhanced security Airlines Lower loss baggage costs Greater visibility of baggage

30. Hong Kong International Airport Business Case of RFID Lower cost for ABRS (Phase 1 – Read Only RFID) Delay expansion of baggage system (Phase 2 – R/W RFID)

32. BHS Capacity Check-in Transfer primary sorters Early bag store Early bag Baggage Handling System secondary sorters Bag to Lateral 60% Early Bag 15% No-Read Bag 25% Laterals No-read

33. Automatic Baggage Reconciliation System (ABRS) BHS – sort bags to lateral + x-ray screening ABRS – baggage management All screened bags delivered to the loading lateral Baggage loading locations recorded by RF readers automatically Baggage manifest produced using data captured within ABRS

34. Automatic Baggage Reconciliation System (ABRS) Transfer (at Belt A) Primary Sorter No Read MCS Secondary Sorter Lateral Barcode Reader RF Reader Stick RFID Gen 2 Label Check-in Barcode Reader RF Reader CTF MCS Track baggage loading into ULD Read License Plate Number (LPN) Encode in Gen2 Label RF Printer to print LPN in baggage tag with Gen2 inlay X-ray Read Barcode or RF tag For sorting bag

35. Lateral Operation RFID readers Containers RFID Readers at Lateral RFID Reader at Lateral

36. Dual Mode Handheld Terminal

37. RFID System Configuration RF Readers and Antenna 200+ Readers : Symbol AR400 500+ Antennas 200+ Dual Mode Handheld Terminal : Symbol MC9600 Operated with 4 watts power level (HK OFTA) RFID read only tag Class 0 tag with 96 bits pre-encoded UID Adopts frequency band 920 ~ 925 MHz

38. RFID Performance Data RFID operation started at 1-Aug-05 20M Class 0 RFID label used per year 95% - 97% RFID read rate at Induction units 92% RFID read rate at Laterals

39. Challenges Standardization of airline bag tag Ways to affix RFID label on bag Tag quality RF power tuning Cross read RF interference between RF readers

40. Challenge – RF Power Tuning Different RF Coverage caused by type of ULD Absorbed RF reflection in Filled ULD

41. Challenges (Cont’) Old label from multi-trips (additional reader required) Bag content/design i.e. metal, water Learning curve of operator RF health issue

42. Phase 2 Implementation – Gen2 RFID Implement an “open standards” encoding solution using Gen-2 R/W RFID tag Adopt IATA RP1740c, ISO 18000-6C (Gen2) and ISO/IEC 15961 and 15962 Improving the overall RF performance Increasing the overall baggage delivery throughput

43. Phase 2 – Stage 1 Transfer Use 2”x4” Gen2 RFID with label Barcode scanner scans LPN and passes to RFID reader to encode Manual Coding Station to re-encode LPN for exception case RFID readers reads both Class 0 & Gen 2 (memory bank 01 only) RFID tags Operation by Jun-06

44. Phase 2 – Stage 1

45. Phase 2 – Stage 2 Local Check-in Use Gen2 RFID integrated baggage tag Standardize baggage tag as CUSS standard (21” in length) RF Printers encode the LPN & Date RFID readers are operating with all Gen 2 (with memory bank 01 only) RFID tags. Operation by Dec-06

46. Phase 2 – Stage 3 User Data Use Gen2 RFID integrated baggage tag Standardize airlines Pectab RF Printers encode the LPN, Date & User Data Integrated with X-Ray to encode security screening result RFID readers are operating with all Gen 2 (with memory bank 11 field) RFID tags. Operation by Mar-07

47. Future Direction More added values services for passengers and airlines using RFID Cooperation with airport and airlines Bulk purchase of RFID tags

48. Thank You! Tim Bass, CISSP Principal Global Architect, Director Emerging Technologies Group Event Processing at TIBCO