Using Event Processing to Enable Enterprise Security. July 20, 2006. Tim Bass, CISSP, Principal Global Architect; Alan Lundberg, Senior Product Marketing Manager; TIBCO Software Inc.
Key Takeaways of Webinar Next Generation IDS requires the fusion of information from numerous event sources across the enterprise: Model all IDS Devices, Log Files, Sniffers, etc. as Sensors Use Secure Standards-based Messaging for Communications Next-Gen IDS Requires a Number of Technologies: Distributed Computing, Publish/Subscribe and SOA Hierarchical, Cooperative Inference Processing High Speed, Real Time Rules Processing with State Management Event-Decision Architecture for Identification and Mitigation of Security Situations Solution Expandable to Other Security, Compliance and IT Management Areas (as required)
A Sample of the Problems with Network Security. Firewalls, IDS, IPS, cryptography and access control are simply not sufficient. Malicious users are using legitimate application protocols such as HTTP, HTTPS and SOAP, which these controls pass through. A CSI/FBI study showed that almost 50% of security breaches came from internal resources: recently fired employees, unscrupulous traders, compromised partners, and disgruntled or curious employees.
Background – the Current State of IDS. “Today over 70% of attacks against a company’s website or web application come at the ‘Application Layer’, not the Network or System layer.” – Gartner Group. Most firewalls, IDS (Intrusion Detection Systems) and IPS (Intrusion Prevention Systems) act at the network/system layer, not at the application layer.
Proactive Security. An attacker will leave evidence before a successful break-in: in the SSL error log, in the application/XML firewall log, and in the application log files. Correlating those forensic events in real time is what lets you catch the attacker before they break in, rather than reconstructing the intrusion from the logs afterwards.
The Requirements. “A real-time quick and effective monitoring and response is critical for stopping an ongoing malicious attack and preventing future attacks on the enterprise as an integrated system.” Enterprises need processes and tools to: monitor security events; correlate thousands of security events into a few identifiable critical situations; be alerted and notified of potential attacks with low false alarm rates; watch for suspected malicious users on the network; prevent intrusions and attacks; identify, assess and manage security breaches; mitigate, contain and minimize damage; preserve intrusion evidence; and manage and track security incidents and investigations. These tools should also integrate with existing enterprise systems management tools.
Introduction to Intrusion Detection (ID) Intrusion Detection  is the process of  identifying and responding to malicious activity targeted at computing and networking resources. ID is often accomplished by these (overlapping) methods (more on this later): Audit trail processing Real-time processing Profiles of normal behavior Signatures of abnormal behavior Parameter pattern matching
Intrusion Detection System Design Goals (Illustrative Purposes Only). What are the overall design goals for an IDS? Rapidly detect intrusions with a low false alarm rate and a high intrusion detection rate…
Classification of Intrusion Detection Systems – Traditional View (Before the Data Fusion Approach to IDS). Intrusion detection systems are classified along six independent axes:
  Detection approach: anomaly detection, signature detection
  Systems protected: HIDS, NIDS, hybrid
  Architecture: centralized, distributed
  Data sources: audit logs, network traffic, system statistics
  Analysis timing: real time, data mining
  Detection actions: active, passive
TIBCO’s Real-Time Agent-Based IDS Approach – A Multisensor Data Fusion Approach to IDS. The same six axes apply (detection approach: anomaly or signature; systems protected: HIDS, NIDS or hybrid; architecture: centralized or distributed; data sources: audit logs, network traffic or system statistics; analysis timing: real time or data mining; detection actions: active or passive), with one addition that cuts across all of them: an agent-based, next-generation fusion of IDS sensor functions, in which existing sensors of every class feed a common inference layer rather than each being a stand-alone product.
Intrusion Detection and Data Fusion (2000) – Next-Generation Intrusion Detection Systems. Source: Bass, T., “Intrusion detection systems and multisensor data fusion,” Communications of the ACM, 2000.
PredictiveBusiness™
Event-Decision Reference Architecture – Next-Generation Functional Architecture for Intrusion Detection. The functional blocks of the diagram, in processing order:
  Event sources (external): distributed local event services, event profiles, databases, other data
  Event pre-processing
  Level one: event tracking
  Level two: situation detection
  Level three: predictive analysis
  Level four: adaptive BPM
  DB management (supporting all levels): historical data, profiles and patterns
  Visualization, BAM and user interaction (on top of all levels)
Event-Decision High Level Architecture. Adapted from: Engelmore, R. S., Morgan, A. J., & Nii, H. P., Blackboard Systems, 1988, and Luckham, D., The Power of Events, 2002. The diagram shows an event cloud (a distributed data set) surrounded by many knowledge sources (KS) that read from and write back to it, in the manner of a blackboard system.
HLA – Knowledge Sources (KS). Three kinds of knowledge source attach to the event cloud:
  Sensors: systems that provide data and events to the inference models and to humans
  Actuators: systems that take action based on inference models and human interactions
  Knowledge processors: systems that take in data and events, process them, and output refined, correlated or inferred data or events
Structured Processing for Event-Decision – Multi-level inference in a distributed event-decision architecture. The level of inference rises from low at Level 0 to high at Level 4:
  Level 0 – Event Preprocessing: cleansing of the event stream to produce semantically understandable data
  Level 1 – Event Refinement: identify events and make initial decisions based on association and correlation
  Level 2 – Situation Refinement: identify situations based on sets of complex events, state estimation, etc.
  Level 3 – Impact Assessment: assess intent on the basis of situation development, recognition and prediction
  Level 4 – Process Refinement: decide on control feedback, for example resource allocation, sensor and state management, parametric and algorithm adjustment
  User Interface: human visualization, monitoring, interaction and situation management
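As an added example (written for this page; it is not code from the TIBCO deck and not TIBCO BusinessEvents rule syntax), the Python sketch below runs the Level 0 to Level 2 chain from this slide over the three log sources named on the Proactive Security slide: an SSL error log, an application/XML firewall log and an application log. Level 0 normalises each source into one event schema, Level 1 associates events by client address inside a sliding window, and Level 2 declares a situation only when at least two independent sensors agree on the same source. The log line formats, addresses, 120-second window and two-sensor threshold are all constructed assumptions for the illustration.

```python
"""Multi-sensor event correlation sketch (constructed example).

Level 0: normalise heterogeneous log lines into one event schema.
Level 1: associate events by client address in a sliding time window.
Level 2: declare a situation when independent sensors agree on one source.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    sensor: str   # "ssl_error", "xml_firewall" or "app_log"
    src: str      # client address the sensor observed
    kind: str     # normalised event type from the sensor
    detail: str   # remaining free text, kept for the analyst


# Level 0 parsers. The line formats are invented for this example; every real
# sensor needs its own parser, which is the "cleansing" step on the slide.
PARSERS = (
    ("ssl_error",    re.compile(r"^(?P<ts>\S+ \S+) \[ssl\] client=(?P<src>[\d.]+) error=(?P<kind>\S+) (?P<detail>.*)$")),
    ("xml_firewall", re.compile(r"^(?P<ts>\S+ \S+) xmlfw src=(?P<src>[\d.]+) action=(?P<kind>\S+) (?P<detail>.*)$")),
    ("app_log",      re.compile(r"^(?P<ts>\S+ \S+) app ip=(?P<src>[\d.]+) event=(?P<kind>\S+) (?P<detail>.*)$")),
)


def normalise(line: str):
    """Level 0: map one raw line to an Event, or None if no parser claims it."""
    for sensor, rx in PARSERS:
        m = rx.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            return Event(ts, sensor, m["src"], m["kind"], m["detail"])
    return None  # a production system counts and alerts on unparsed lines


def detect_situations(lines, window_s=120, min_sensors=2):
    """Levels 1-2: return one situation per source address whose events span
    at least `min_sensors` distinct sensors inside a `window_s`-second sliding
    window. A single noisy sensor can never trigger a situation on its own."""
    window = timedelta(seconds=window_s)
    events = sorted((e for e in map(normalise, lines) if e), key=lambda e: e.ts)
    recent = defaultdict(list)   # src -> events still inside the window
    situations = {}              # src -> latest picture of that source's situation
    for ev in events:
        q = recent[ev.src]
        q.append(ev)
        while q and ev.ts - q[0].ts > window:   # expire events older than the window
            q.pop(0)
        sensors = {e.sensor for e in q}
        if len(sensors) >= min_sensors:
            situations[ev.src] = {           # refreshed as the picture develops
                "src": ev.src,
                "first": q[0].ts,
                "last": ev.ts,
                "sensors": sorted(sensors),
                "events": len(q),
            }
    return list(situations.values())


# Constructed sample: one client trips all three sensors within 75 seconds,
# one benign login, one isolated firewall block, and one unparseable line.
SAMPLE_LOGS = [
    "2006-07-20 10:00:01 [ssl] client=10.1.2.3 error=handshake_failure cipher=NULL-MD5 requested",
    "2006-07-20 10:00:04 [ssl] client=10.1.2.3 error=handshake_failure cipher=EXP-RC4-MD5 requested",
    "2006-07-20 10:00:30 xmlfw src=10.1.2.3 action=blocked schema_violation=xs:string length>4096",
    "2006-07-20 10:00:45 app ip=192.168.5.7 event=login_ok user=alice",
    "2006-07-20 10:01:10 app ip=10.1.2.3 event=login_failed user=admin",
    "2006-07-20 10:01:12 app ip=10.1.2.3 event=login_failed user=administrator",
    "2006-07-20 10:01:15 app ip=10.1.2.3 event=login_failed user=root",
    "2006-07-20 10:05:00 xmlfw src=172.16.9.9 action=blocked oversized_payload",
    "garbage line that no parser understands",
]

if __name__ == "__main__":
    for s in detect_situations(SAMPLE_LOGS):
        print(f"SITUATION src={s['src']} sensors={s['sensors']} "
              f"events={s['events']} {s['first']:%H:%M:%S}-{s['last']:%H:%M:%S}")
```

On the sample data only 10.1.2.3 becomes a situation, and it is raised at the firewall block (second sensor) before the password guessing in the application log begins, which is the "before they break in" point of the Proactive Security slide; the isolated block from 172.16.9.9 stays a plain event. Keying purely on client address is the weak point of this sketch: NAT and proxies merge unrelated users, so a deployed Level 1 would associate on session or user identifiers as well, and a deployed Level 2 would weight sensors rather than simply count them.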
Event-Driven Intrusion Detection Flexible SOA and Event-Driven Architecture
Next-Gen Intrusion Detection System (NGIDS) – High Level Event-Driven Architecture (EDA), Early Phase. The diagram has three tiers built from TIBCO products:
  Sensor network: NIDS, HIDS and other IDS devices, log files, and SQL databases; each source is wrapped by a TIBCO BusinessWorks (BW) adapter, or an Active Database Adapter (ADB) for the databases, that publishes its events to JMS.
  Messaging network: Java Message Service (JMS) distributed queues on TIBCO Enterprise Message Service (EMS).
  Rules network: several instances of the high-performance rules engine (TIBCO BusinessEvents, BE) consuming from the queues.
Characteristics of the Solutions Architecture.
  Fusion of IDS information across the customer’s enterprise, including: log files; the customer’s existing IDS devices (host and network based); network traffic monitors (as required); host statistics (as required).
  Secure, standards-based Java Message Service (JMS) for messaging: events are parsed into JMS properties (extended headers) so that consumers can filter on them with message selectors without parsing the body; SSL transport for JMS messages.
  TIBCO technology for next-generation detection, prediction, rule-based intrusion response, and adaptive control: TIBCO BusinessWorks™ as required, to transform, map or cleanse data; TIBCO BusinessEvents™ for rule-based IDS analytics; TIBCO Active Database Adapter as required.
Potential Extensions to the Solutions Architecture.
  Extension of IDS to rules-based access control: integration of IDS with access control; TIBCO BusinessEvents™ for rule-based access control.
  Extension of IDS and access control to incident response: event-triggered workflow; TIBCO iProcess™ BPM for incident response; TIBCO iProcess™ BPM security entitlement workflow; TIBCO BusinessEvents™ for rule-based access control.
  Extensions for other risk and compliance requirements: Basel II, SOX and J-SOX, for example; other possibilities to be discussed later.
  Extensions for IT management requirements: monitoring and fault management, service management, ITIL.
TIBCO’s Vision – The Full Range of Business Integration Products and Services.
Key Takeaways of Webinar Next Generation IDS requires the fusion of information from numerous event sources across the enterprise: Model all IDS Devices, Log Files, Sniffers, etc. as Sensors Use Secure Standards-based Messaging for Communications Next-Gen IDS Requires a Number of Technologies: Distributed Computing, Publish/Subscribe and SOA Hierarchical, Cooperative Inference Processing High Speed, Real Time Rules Processing with State Management Event-Decision Architecture for Complex Events / Situations Solution Expandable to Other Security, Compliance and IT Management Areas (as required)
Questions and Answers Tim Bass, CISSP Principal Global Architect [email_address] Event Processing at TIBCO