Combating Fraud and Intrusion Threats with Event Processing
Tim Bass, CISSP, Principal Global Architect, Director, Emerging Technologies Group, TIBCO Software Inc.
TUCON Session Information: Fortunately, one of the most promising applications of complex event processing (CEP) is in the area of security event management (SEM), an evolving science that can provide businesses with advanced threat detection and warning capabilities. Learn more about how to apply advanced SEM concepts to the security of your business. Threats to your online business are everywhere!
Our Agenda
- Trends in Cyber Attacks, Threats & Vulnerabilities
- Security Event Management (SEM) Overview
- How Complex Event Processing (CEP) Helps
- TIBCO BusinessEvents™ and CEP
- Questions & Answers
Threats Are Everywhere! (Source: www.cert.org)
(Chart: intruder knowledge versus attack sophistication, 1980 to 2000+. Attack sophistication rises while the knowledge an intruder needs falls. Tools plotted along the timeline: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, sweepers, sniffers, packet spoofing, GUI tools, automated probes/scans, denial of service, www attacks, "stealth"/advanced scanning techniques, distributed attack tools, and staged, automated, coordinated attacks by bots; burglaries, network management diagnostics and cross site scripting also appear.)
Malicious Code Trends
Malicious Code – The Numbers
IE Critical Vulnerabilities
FireFox Critical Vulnerabilities
Global Distribution of On-Line Banking
Global Distribution of Phishers
Vulnerabilities Exponentially Increasing?
SEM Functionality
- Log collection from heterogeneous devices: the capability to read, parse, normalize and gather security events from a variety of heterogeneous event sources
- Situation detection: the capacity to detect and refine threat-related situations automatically and prioritize them based on an automatic impact assessment, optimizing staff performance to focus on preventing the most important threats
- Threat prevention and remediation: generate alerts and automated responses based upon high-probability threat scenarios and manage the life cycle of the threat
- Report generation: automate reports that support post-threat investigation and regulatory compliance, and update visualizations and dashboards
- Scalable, distributed architecture: the architecture must manage millions of logs per day, distribute the processing load, and provide service-oriented services for transformation, event tracking, correlation, updates, remediation and visualization
Overview of IDS & FDS Systems (fraud and intrusion detection systems)
Table, one row per design dimension:
- Detection approach: anomaly detection, signature detection
- Systems protected: HIDS, NIDS, hybrid
- Architecture: centralized, distributed, agent based
- Data sources: audit logs, network traffic, system stats
- Analysis timing: real time, data mining
- Detection actions: active, passive
Security event "stovepipes": the logs of these separate systems, whether collected centrally or distributed.
No Shortage of “Event Aggregators” !
What is Missing from this SEM Architecture?
SEM Illustrated
SEM: Key Take-Aways
- NO ESB: there is no secure, standards-based communications infrastructure for distributed event management in current SEM solutions
- WEAK or NO ANALYTICS: there is limited capability to detect and refine threat-related situations with high probability using state-of-the-art analytics
- WEAK or NO EDA: no standard generated alerts and automated responses to kick off workflow, compliance and other remediation activities
- WEAK REPORTING: dashboards and reports tend to be "event aggregators" that do not filter out the "noise"
- UNSCALABLE, CENTRALIZED ARCHITECTURES: current SEM architectures cannot manage millions of events in a heterogeneous, distributed architecture
How Does CEP Help with SEM?
What is an Event? An Event is a significant change in state. Illustration: State 1, your on-line banking application is normal; Event; State 2, a threat to your on-line system was detected.
What is an Event Driven Architecture? EDA is an architectural style that manages and executes rules of the form:  WHEN  reality deviates from expectations THEN  update expectations and initiate response.
EDA Characteristics
- Sense: detect events across the extended environment in real-time
- Analyze: aggregate events across multiple sources; compare reality with expectations
- Respond: update expectations; invoke distributed services in real-time
Detecting Situations from Events
- Anticipated event (pattern matching/detection): specify the pattern of the anticipated event and the appropriate response
- Unanticipated event (anomaly detection): specify patterns of normality; an event is a deviation from the pattern. When reality doesn't fit "normality", alert the business user.
Event Processing Characteristics
- Asynchronous timing: the timing of events is not controlled by the enterprise.
- Noise: external event data is noisy.
- Complex Event Processing: the significant state-change for the enterprise is detected by fusing data from multiple sources.
Managing Uncertainty
- Asynchronous timing: integrate request-response SOA with asynchronous EDA
- Noise: manage uncertainty about errors, both false positives and false negatives
- Multisensor event fusion: extreme decoupling
(Diagram: geographically distributed event sources and consumers in Houston, Denver, Edmonton, London, Sydney and New York, NY, feeding trader dashboards, a risk manager and the corporate VP, Risk in Houston, risk management dashboards and scheduler dashboards.)
Key Take-Aways on Events
Event processing characteristics:
- Sense and respond: respond quickly when reality deviates from expectations or plans.
- Asynchrony: the timing of events is not controlled by the enterprise.
- Global situational awareness: can be achieved only by correlating multiple sources of data from outside the enterprise with enterprise data.
- Errors: events are "noisy."
CEP Illustrated   Detecting Threats with Complex Event Processing
Complex Event Processing: Situation Detection
"Events in several forms, from simple events to complex events, will become very widely used in business applications during 2004 through 2008." --- Gartner, July 2003
Event Processing Reference Architecture
(Diagram: external event sources feed event pre-processing, then Level One event tracking, Level Two situation detection, Level Three predictive analysis and Level Four adaptive BPM, with visualization, BAM and user interaction on top. The levels are supported by DB management of historical data, profiles and patterns, and by distributed local event services over event profiles, databases and other data.)
Situational Awareness via Event Processing
Multi-level inference in a distributed event-decision architecture, listed from the highest level of inference to the lowest:
- User Interface (dashboards, BAM, visualization, portals): human visualization, monitoring, interaction and situation management
- Level 4, Process Refinement (Adaptive BPM): decide on control feedback, for example resource allocation, sensor and state management, parametric and algorithm adjustment
- Level 3, Impact Assessment (Predictive Analytics): impact assessment, i.e. assess intent on the basis of situation development, recognition and prediction
- Level 2, Situation Refinement (Situation Detection): identify situations based on sets of complex events, state estimation, etc.
- Level 1, Event Refinement (Event Tracking): identify events and make initial decisions based on association and correlation
- Level 0, Event Preprocessing: cleansing of the event stream to produce semantically understandable data
Event Processing Characteristics (CEP)
Event processing agents, sensors and ESB:
- The "system" can "learn" expectations from positive and negative examples
- Users can specify expectations using: SQL-like queries, fuzzy matches, statistical operators, regular expressions and rules
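As an added example, not taken from the deck or from TIBCO BusinessEvents, the chain the preceding slides describe in Python: Level 0 normalization of two constructed log formats, an anticipated-event pattern (repeated failures then a success from one source), and an unanticipated-event check that applies a statistical operator to expectations the detector learns from earlier windows and updates whenever reality deviates from them. The log formats, situation names, window handling and thresholds are all assumptions made for the example.

```python
import json
import re
import statistics
from collections import defaultdict, deque
# Level 0 (event preprocessing): two heterogeneous log formats normalized into one shape.
SYSLOG_RE = re.compile(r"^\S+ sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<src>[\d.]+)$")
def normalize(raw):
    """Return {'src', 'user', 'ok'}, or None for a line no parser understands (noise)."""
    m = SYSLOG_RE.match(raw)
    if m:
        return {"src": m["src"], "user": m["user"], "ok": m["outcome"] == "Accepted"}
    try:  # the second (assumed) source emits one JSON object per line
        j = json.loads(raw)
        return {"src": j["src"], "user": j["user"], "ok": j["result"] == "ok"}
    except (ValueError, KeyError, TypeError):
        return None
class SituationDetector:
    # Levels 1-2: an anticipated pattern (N failures, then a success) and anomaly vs. learned normality.
    def __init__(self, fail_threshold=3, sigma=3.0):
        self.fail_threshold, self.sigma = fail_threshold, sigma
        self.consecutive_fails = defaultdict(int)  # per-source state (event tracking)
        self.baseline = deque(maxlen=5)            # expected failures per window, learned from history
        self.window_fails = 0

    def process(self, evt):
        """Return the situations raised by one normalized event."""
        raised, src = [], evt["src"]
        if evt["ok"]:
            if self.consecutive_fails[src] >= self.fail_threshold:
                raised.append(f"credential_guessing_success:{src}")
            self.consecutive_fails[src] = 0
        else:
            self.consecutive_fails[src] += 1
            self.window_fails += 1
        return raised

    def close_window(self):
        """End of a time window: WHEN reality deviates from expectation THEN respond and update it."""
        raised = []
        if self.baseline:
            mean, sd = statistics.mean(self.baseline), statistics.pstdev(self.baseline)
            if self.window_fails > mean + self.sigma * max(sd, 1.0):  # floor keeps the band non-zero
                raised.append(f"failure_rate_anomaly:{self.window_fails}")
        self.baseline.append(self.window_fails)  # expectations adapt; skip anomalous windows if poisoning matters
        self.window_fails = 0
        return raised

def run_pipeline(windows, detector=None):
    """Feed windows of raw lines through normalize + detector; return (situations, dropped_lines)."""
    det = detector or SituationDetector()
    situations, dropped = [], 0
    for lines in windows:
        events = [normalize(raw) for raw in lines]
        dropped += events.count(None)  # noisy or unparseable lines are counted, not silently lost
        for evt in filter(None, events):
            situations += det.process(evt)
        situations += det.close_window()
    return situations, dropped

# Constructed sample input (not from the deck): a quiet window, then a window with an attack.
SAMPLE_WINDOWS = [
    ["2008-05-01T10:00:01 sshd[221]: Failed password for bob from 10.0.0.5",
     '{"src":"10.0.0.9","user":"alice","result":"ok"}'],
    ["2008-05-01T10:10:01 sshd[223]: Failed password for root from 10.0.0.5",
     "2008-05-01T10:10:02 sshd[223]: Failed password for root from 10.0.0.5",
     "2008-05-01T10:10:03 sshd[223]: Failed password for root from 10.0.0.5",
     "2008-05-01T10:10:04 sshd[223]: Accepted password for root from 10.0.0.5",
     '{"src":"10.0.0.9","user":"alice","result":"fail"}',
     '{"src":"10.0.0.9","user":"alice","result":"fail"}',
     "2008-05-01T10:10:07 kernel: eth0 link up"],
]
```

Running `run_pipeline(SAMPLE_WINDOWS)` raises the anticipated pattern for 10.0.0.5 and a failure-rate anomaly for the second window, and reports the one unparseable line as dropped.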
TIBCO BusinessEvents™ Solutions Overview
BusinessEvents™ solutions space:
- Data: events & databases, real-time & historical data
- Models: statistical, financial, optimization
- Comms: pub/sub messaging, queues, topics, UIs
- Knowledge: facts & rules
TIBCO BusinessEvents™ Overview
- High performance, low latency business rules engine
- Top-down business process modeling
- Real-time event processing
- Cross-application and cross-process integration
- Analytical and predictive models
(Diagram: modeling tools, statefulness, business rules and process integration; UML conceptual model, UML state model, business rules, business users, event analyzer.)
TIBCO BusinessEvents™ Overview
(Diagram of the processing chain: feeds from FDS/IDS, logfiles, edge devices and sensors pass through an application interface into collection and normalization, producing metrics of managed objects and normalized, non-contextual events. A metadata repository (semantic model, events, rules, state model) and a design environment drive event management, correlation, aggregation, inference and analysis in the inference engine and dialogue manager, producing correlated, analyzed, contextual dialogue events together with rules, knowledge, patterns and models. Results go to a synthetic warehouse and to visualization, reporting and alert management, with a detection metrics view and a process view.)
BusinessEvents™ Components
- Enterprise metadata (concepts, properties, state models, XML schemas, business rules)
- BusinessEvents Workbench (design time)
- BusinessEvents Engine (runtime)
- Business user interface: business user language, decision tables
- Runtime viewer
- Management server
Runtime: BusinessEvents™ Engine
Inference engine:
- forward chaining: optimized Rete-based rule inferencing
- history of objects: calculation of real-time time-series
- persistence: virtual memory, 100% failsafe
- performance: 10s of 1000s of rules per second
Models:
- ontology: objects, events, inheritance, relationships, properties
- state model: object life cycle, event patterns, time, alerts, reports
- KPI model: real-time calculation, thresholds / alerts
Also: monitor and management, channels, embedded DB
On-Line Fraud Detection Use Case
- Approx. 12,000 hits per second during the peak period across the three sites; one instance of TIBCO BusinessEvents™ is capable of handling the maximum hits
- Overall 100 million hits handled between 3 PM and 4 PM
- Peak approx. 250 million hits per day across the three sites
(Diagram: three server farms of ~600-700 application servers send session info over TIBCO EMS™ to TIBCO BusinessEvents™.)
Wrap Up: TIBCO's CEP-Based SEM
- ESB: a secure, standards-based communications infrastructure for distributed event management for SEM
- STRONG ANALYTICS: an extensible event-driven rules engine to detect and refine threat-related situations with high probability using state-of-the-art analytics
- EDA: standards-compliant messages, ESB, and alerts and automated responses to kick off workflow, compliance and other remediation activities with the BPM suite
- CUSTOM REPORTING: dashboards and reports easily customized with an AJAX-based Rich Internet Application (RIA)
- SCALABLE, DISTRIBUTED ARCHITECTURE: event-driven, cooperative agents to manage millions of events in a heterogeneous, distributed architecture
Q & A ?
Thank You!  Tim Bass, CISSP Principal Global Architect, Director TIBCO Software Inc.