Using Event
Processing to Enable
Enterprise Security
July 20, 2006
Tim Bass, CISSP
Principal Global Architect
Alan Lundberg
Senior Product Marketing Manager
TIBCO Software Inc.
© 2006 TIBCO Software Inc. All Rights Reserved. Confidential and Proprietary.
Key Takeaways of Webinar
• Next Generation IDS requires the fusion of information from numerous event sources across the enterprise:
  - Model all IDS Devices, Log Files, Sniffers, etc. as Sensors
  - Use Secure Standards-based Messaging for Communications
• Next-Gen IDS Requires a Number of Technologies:
  - Distributed Computing, Publish/Subscribe and SOA
  - Hierarchical, Cooperative Inference Processing
  - High Speed, Real Time Rules Processing with State Management
  - Event-Decision Architecture for Identification and Mitigation of Security Situations
• Solution Expandable to Other Security, Compliance and IT Management Areas (as required)
A Sample of the Problems with Network Security
• Firewalls, IDS, IPS, Cryptography and Access Control alone are Simply Not Sufficient.
• Malicious Users Tunnel Attacks through Legitimate Application Protocols, such as HTTP, HTTPS and SOAP.
• A CSI/FBI Study Showed that Almost 50% of Security Breaches came from Internal Resources:
  - Recently fired employees
  - Unscrupulous traders
  - Compromised partners
  - Disgruntled or curious employees
Background – the Current State of IDS
“Today over 70% of attacks against a company’s website or web application come at the ‘Application Layer’ not the Network or System layer.”
- Gartner Group
Most Firewalls, IDS (Intrusion Detection Systems) and IPS (Intrusion Prevention Systems) act at the Network/System Layer, not at the “Application Layer”.
Proactive Security
• An Attacker Leaves Evidence Before a Successful Break-In, for example in the:
  - SSL error log file
  - Application/XML Firewall log file
  - Application log files
• Correlating those Forensic Events in Real Time catches the attacker before they break in.
The Requirements
“A real-time, quick and effective monitoring and response is critical for stopping an ongoing malicious attack and preventing future attacks on the enterprise as an integrated system.”
• Enterprises Need Processes and Tools to:
  - Monitor security events
  - Correlate thousands of security events into a few identifiable critical situations
  - Be alerted and notified of potential attacks with low false alarm rates
  - Watch for suspected malicious users on the network
  - Prevent intrusions and attacks
  - Identify, assess and manage security breaches
  - Mitigate, contain and minimize damage
  - Preserve intrusion evidence
  - Manage and track security incidents and investigations
• These Tools Should also Integrate with Existing Enterprise Systems Management tools
Introduction to Intrusion Detection (ID)
• Intrusion Detection is the process of identifying and responding to malicious activity targeted at computing and networking resources.
• ID is often accomplished by these (overlapping) methods (more on this later):
  - Audit trail processing
  - Real-time processing
  - Profiles of normal behavior
  - Signatures of abnormal behavior
  - Parameter pattern matching
Intrusion Detection System Design Goals
What are the overall design goals for IDS? (Illustrative Purposes Only)
Rapidly detect intrusions with a low false alarm rate and a high intrusion detection rate…
Classification of Intrusion Detection Systems
Traditional View Before Data Fusion Approach to IDS
[Figure: taxonomy tree. Intrusion Detection Systems are classified along six dimensions, with Agent Based shown as a separate category of its own:]
• Detection Approach: Anomaly Detection, Signature Detection
• Systems Protected: HIDS, NIDS, Hybrid
• Architecture: Centralized, Distributed
• Data Sources: Audit Logs, Net Traffic, System Stats
• Analysis Timing: Real Time, Data Mining
• Detection Actions: Active, Passive
• Agent Based
TIBCO’s Real-Time Agent-Based IDS Approach
A Multisensor Data Fusion Approach to IDS
[Figure: the same taxonomy tree, but Agent Based is no longer a separate leaf; it spans every dimension as the next-generation fusion of all IDS sensor functions:]
• Detection Approach: Anomaly Detection, Signature Detection
• Systems Protected: HIDS, NIDS, Hybrid
• Architecture: Centralized, Distributed
• Data Sources: Audit Logs, Net Traffic, System Stats
• Analysis Timing: Real Time, Data Mining
• Detection Actions: Active, Passive
• Agent Based: Next-Generation Fusion of IDS Sensor Functions
Intrusion Detection and Data Fusion (2000)
Next-Generation Intrusion Detection Systems
Source: Bass, T., CACM, 2000
PredictiveBusiness™
Event-Decision Reference Architecture
Next-Generation Functional Architecture for Intrusion Detection
[Figure: functional block diagram of the Event-Decision Architecture]
• Event Sources: external sources, distributed local event services, event profiles, databases, other data
• Event Pre-Processing
• Level One: Event Tracking
• Level Two: Situation Detection
• Level Three: Predictive Analysis
• Level Four: Adaptive BPM
• DB Management: historical data, profiles & patterns
• Visualization, BAM, User Interaction
Event-Decision High Level Architecture
[Figure: blackboard-style architecture in which many knowledge sources (KS) read from and post to a shared Event Cloud (distributed data set)]
Adapted from: Engelmore, R. S., Morgan, A. J., & Nii, H. P., Blackboard Systems, 1988, and Luckham, D., The Power of Events, 2002
HLA - Knowledge Sources
• Sensors: systems that provide data and events to the inference models and humans
• Actuators: systems that take action based on inference models and human interactions
• Knowledge Processors: systems that take in data and events, process them, and output refined, correlated, or inferred data or events
Structured Processing for Event-Decision
• Multi-level inference in a distributed event-decision architecture; the level of inference rises from low at Level 0 to high at Level 4
• User Interface
  - Human visualization, monitoring, interaction and situation management
• Level 4 – Process Refinement
  - Decide on control feedback, for example resource allocation, sensor and state management, parametric and algorithm adjustment
• Level 3 – Impact Assessment
  - Assess intent on the basis of situation development, recognition and prediction
• Level 2 – Situation Refinement
  - Identify situations based on sets of complex events, state estimation, etc.
• Level 1 – Event Refinement
  - Identify events and make initial decisions based on association and correlation
• Level 0 – Event Preprocessing
  - Cleanse the event stream to produce semantically understandable data
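The proactive-security idea from slide 5 (evidence in the SSL error log, the XML firewall log and the application logs, correlated in real time) carried through the inference levels listed above, as an added Python example that is not code from the TIBCO deck or its products: Level 0 normalizes three constructed log formats into one event schema, Level 1 associates events by source and collapses a burst of SSL handshake failures into a single refined event, Level 2 detects a pre-intrusion situation when one source trips all three sensor classes inside a window, and Level 4 turns the situation into control feedback. The log formats, field names, thresholds, the situation name and the action names are assumptions chosen for illustration.

```python
"""Multi-level event-decision pipeline over heterogeneous security logs.
Added example, not code from the TIBCO deck. The three log formats, field
names, thresholds and the situation/action names are assumptions; the level
structure follows the slides (Level 0 cleanse, Level 1 associate/correlate,
Level 2 detect situations, Level 4 feedback)."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample lines from three sensors: an SSL terminator's error log,
# an XML firewall and an application log. Source 10.1.1.7 probes all three
# tiers within two minutes; 10.2.2.9 produces one stray handshake failure.
SAMPLE_LOGS = [
    ("ssl",   "2006-07-20T10:00:01Z ssl_error handshake_failure client=10.1.1.7 reason=no_shared_cipher"),
    ("ssl",   "2006-07-20T10:00:03Z ssl_error handshake_failure client=10.1.1.7 reason=bad_record_mac"),
    ("ssl",   "2006-07-20T10:00:04Z ssl_error handshake_failure client=10.1.1.7 reason=unknown_ca"),
    ("ssl",   "2006-07-20T10:00:30Z ssl_error handshake_failure client=10.2.2.9 reason=unknown_ca"),
    ("xmlfw", "ts=2006-07-20T10:00:40Z action=block src=10.1.1.7 rule=xsd_violation uri=/ws/transfer"),
    ("app",   "2006-07-20T10:01:10Z WARN auth failed user=admin ip=10.1.1.7"),
    ("app",   "2006-07-20T10:01:12Z WARN auth failed user=root ip=10.1.1.7"),
    ("app",   "2006-07-20T10:05:00Z INFO auth ok user=alice ip=10.3.3.3"),
]

SSL_RE = re.compile(r"^(?P<ts>\S+) ssl_error (?P<etype>\w+) client=(?P<ip>[\d.]+)")
XMLFW_RE = re.compile(r"ts=(?P<ts>\S+) action=(?P<action>\w+) src=(?P<ip>[\d.]+) rule=(?P<rule>\w+)")
APP_RE = re.compile(r"^(?P<ts>\S+) \w+ auth (?P<result>ok|failed) user=(?P<user>\S+) ip=(?P<ip>[\d.]+)")

SSL_PROBE_MIN, SSL_PROBE_WINDOW = 3, 60.0    # Level 1 burst threshold (assumed)
SITUATION_WINDOW = 300.0                      # Level 2 window in seconds (assumed)
PRE_INTRUSION_PATTERN = {"ssl_probe", "xmlfw_block", "auth_failed"}

def _epoch(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()

def level0_normalize(sensor, line):
    """Level 0: cleanse one raw line into the common schema {ts, sensor, src_ip,
    type, ...}; None for lines that do not parse or carry no security event."""
    if sensor == "ssl" and (m := SSL_RE.match(line)):
        return {"ts": _epoch(m["ts"]), "sensor": "ssl", "src_ip": m["ip"], "type": "ssl_" + m["etype"]}
    if sensor == "xmlfw" and (m := XMLFW_RE.search(line)) and m["action"] == "block":
        return {"ts": _epoch(m["ts"]), "sensor": "xmlfw", "src_ip": m["ip"], "type": "xmlfw_block", "rule": m["rule"]}
    if sensor == "app" and (m := APP_RE.match(line)) and m["result"] == "failed":
        return {"ts": _epoch(m["ts"]), "sensor": "app", "src_ip": m["ip"], "type": "auth_failed", "user": m["user"]}
    return None

def level1_refine(events):
    """Level 1: associate events by source IP. SSL_PROBE_MIN handshake failures
    from one IP inside SSL_PROBE_WINDOW seconds are correlated into one
    'ssl_probe' event; isolated failures are dropped as noise. Everything else
    passes through unchanged."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["src_ip"]].append(e)
    refined = []
    for ip, evs in by_ip.items():
        ssl_ts = [e["ts"] for e in evs if e["type"] == "ssl_handshake_failure"]
        for i in range(len(ssl_ts) - SSL_PROBE_MIN + 1):
            if ssl_ts[i + SSL_PROBE_MIN - 1] - ssl_ts[i] <= SSL_PROBE_WINDOW:
                refined.append({"ts": ssl_ts[i + SSL_PROBE_MIN - 1], "sensor": "fusion",
                                "src_ip": ip, "type": "ssl_probe", "count": SSL_PROBE_MIN})
                break
        refined.extend(e for e in evs if e["type"] != "ssl_handshake_failure")
    return refined

def level2_situations(refined):
    """Level 2: one source tripping every sensor class in PRE_INTRUSION_PATTERN
    inside SITUATION_WINDOW seconds is a single situation, however many raw
    lines produced it."""
    by_ip = defaultdict(list)
    for e in refined:
        by_ip[e["src_ip"]].append(e)
    situations = []
    for ip, evs in by_ip.items():
        hits = sorted(e["ts"] for e in evs if e["type"] in PRE_INTRUSION_PATTERN)
        if PRE_INTRUSION_PATTERN <= {e["type"] for e in evs} and hits[-1] - hits[0] <= SITUATION_WINDOW:
            situations.append({"situation": "pre_intrusion_probing", "src_ip": ip,
                               "first_seen": hits[0], "last_seen": hits[-1], "evidence": len(evs)})
    return situations

def level4_feedback(situations):
    """Level 4: process refinement. Each situation becomes control actions back
    to the sensors and the watch list (action names are assumed)."""
    return [{"action": a, "src_ip": s["src_ip"]} for s in situations
            for a in ("raise_sensor_verbosity", "add_to_watchlist")]

def run_pipeline(raw_lines):
    """Run Level 0 -> 1 -> 2 -> 4 and return every intermediate result."""
    events = [e for e in (level0_normalize(s, l) for s, l in raw_lines) if e]
    refined = level1_refine(events)
    situations = level2_situations(refined)
    return events, refined, situations, level4_feedback(situations)

if __name__ == "__main__":
    events, refined, situations, actions = run_pipeline(SAMPLE_LOGS)
    print(f"{len(events)} events -> {len(refined)} refined -> {len(situations)} situation(s)")
    for item in situations + actions:
        print(item)
```

The thresholds are the knobs a Level 4 process-refinement loop would tune in a live deployment. The stray failure from 10.2.2.9 shows why Level 1 refinement matters for the low-false-alarm requirement: a single handshake error never reaches Level 2, while the three-sensor pattern from 10.1.1.7 surfaces as one situation instead of six alerts.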
Event-Driven Intrusion Detection
Flexible SOA and Event-Driven Architecture
Next-Gen Intrusion Detection System (NGIDS)
High Level Event-Driven Architecture (EDA) – Early Phase
[Figure: block diagram of the early-phase EDA, built from TIBCO products]
• Sensor Network: NIDS, HIDS and other IDS devices, log files and SQL databases on the monitored systems; each is wrapped by an adapter (TIBCO BusinessWorks (BW) for IDS devices and log files, the Active Database Adapter (ADB) for SQL databases) that publishes its events as JMS messages
• Messaging Network: Java Message Service (JMS) distributed queues (TIBCO EMS)
• Rules Network: several high-performance rules engines (TIBCO BusinessEvents, BE) consuming from the queues
Characteristics of Solutions Architecture
• Fusion of IDS information across the Customer’s Enterprise, including:
  - Log files
  - The Customer’s existing IDS (host and network based) devices
  - Network traffic monitors (as required)
  - Host statistics (as required)
• Secure, standards-based Java Message Service (JMS) for messaging:
  - Events parsed into JMS Properties (extended headers)
  - SSL transport for JMS messages
• TIBCO technology for next-generation detection, prediction, rule-based intrusion response, and adaptive control:
  - TIBCO BusinessWorks™ as required, to transform, map or cleanse data
  - TIBCO BusinessEvents™ for rule-based IDS analytics
  - TIBCO Active Database Adapter as required
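How the "events parsed into JMS Properties" item pays off downstream, as an added Python example that is not TIBCO code: a small in-process model of JMS message selectors (the SQL-92 subset a broker such as TIBCO EMS evaluates against message properties when a consumer is created with a selector string) and of the broker fanning each event out to only those rules engines whose selector matches, which is what lets the rules network in the architecture above be partitioned. The consumer names, property names and sample events are assumptions.

```python
"""JMS-style message selectors over event properties. Added example, not TIBCO
code: an in-process stand-in for what a JMS broker such as TIBCO EMS does when a
consumer is created with a selector string. Once an adapter has parsed an event
into message properties, the broker evaluates each consumer's selector against
them and delivers only matches, so each rules engine sees only its slice of the
stream. Supported: comparisons, AND, OR, NOT, parentheses and the JMS
three-valued logic for missing properties. All names here are assumed."""
import re

_TOKEN = re.compile(r"\s*(?:(?P<num>\d+(?:\.\d+)?)|'(?P<str>[^']*)'"
                    r"|(?P<op><>|<=|>=|=|<|>|\(|\))|(?P<word>[A-Za-z_]\w*))")
_OPS = {"=": lambda a, b: a == b, "<>": lambda a, b: a != b, "<": lambda a, b: a < b,
        "<=": lambda a, b: a <= b, ">": lambda a, b: a > b, ">=": lambda a, b: a >= b}

def tokenize(text):
    """Split a selector into (kind, value) tokens: num, str, op or word.
    As in JMS, the reserved words AND/OR/NOT cannot be used as property names."""
    text, pos, toks = text.strip(), 0, []
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if not m:
            raise ValueError(f"bad selector near {text[pos:]!r}")
        pos = m.end()
        kind, val = next((k, v) for k, v in m.groupdict().items() if v is not None)
        toks.append((kind, float(val) if kind == "num" else val))
    return toks

def _compare(value, op, literal):
    """JMS semantics: a missing property or a type mismatch is UNKNOWN (None),
    never TRUE; string properties support only = and <>."""
    kind, lit = literal
    if kind == "num":
        typed = isinstance(value, (int, float)) and not isinstance(value, bool)
    else:
        typed = isinstance(value, str) and op in ("=", "<>")
    return _OPS[op](value, lit) if typed else None

class Selector:
    """Recursive descent over: or := and (OR and)*; and := not (AND not)*;
    not := NOT not | '(' or ')' | property op literal."""
    def __init__(self, text):
        self.toks, self.i = tokenize(text), 0
        self.ast = self._or()
        if self.i != len(self.toks):
            raise ValueError("unexpected trailing tokens")
    def _peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)
    def _take(self):
        tok, self.i = self._peek(), self.i + 1
        return tok
    def _binary(self, kw, operand):
        node = operand()
        while self._peek() == ("word", kw):
            self._take()
            node = (kw.lower(), node, operand())
        return node
    def _or(self):
        return self._binary("OR", lambda: self._binary("AND", self._not))
    def _not(self):
        if self._peek() == ("word", "NOT"):
            self._take()
            return ("not", self._not())
        if self._peek() == ("op", "("):
            self._take()
            node = self._or()
            if self._take() != ("op", ")"):
                raise ValueError("expected ')'")
            return node
        name, op, lit = self._take(), self._take(), self._take()
        if name[0] != "word" or op[0] != "op" or op[1] not in _OPS or lit[0] not in ("num", "str"):
            raise ValueError("expected: property <op> literal")
        return ("cmp", name[1], op[1], lit)
    def matches(self, props):
        """TRUE delivers; FALSE and UNKNOWN both drop the message."""
        return self._eval(self.ast, props) is True
    def _eval(self, n, props):
        if n[0] == "cmp":
            return _compare(props.get(n[1]), n[2], n[3])
        if n[0] == "not":
            v = self._eval(n[1], props)
            return None if v is None else not v
        a, b = self._eval(n[1], props), self._eval(n[2], props)
        if n[0] == "and":
            return False if False in (a, b) else None if None in (a, b) else True
        return True if True in (a, b) else None if None in (a, b) else False

def route(props, subscriptions):
    """Broker-side fan-out: names of the consumers whose selector matches."""
    return [name for name, sel in subscriptions if sel.matches(props)]

# One rules engine per slice of the stream (consumer names and selectors assumed).
SUBSCRIPTIONS = [
    ("be-perimeter", Selector("sensor = 'nids' OR sensor = 'xmlfw'")),
    ("be-host", Selector("sensor = 'hids' AND severity >= 3")),
    ("be-insider", Selector("internal = 1 AND NOT (event_type = 'heartbeat')")),
]
# Constructed property sets, as a sensor adapter would set them on each message.
SAMPLE_EVENTS = [
    {"sensor": "nids", "severity": 2, "src_ip": "10.1.1.7", "event_type": "port_scan"},
    {"sensor": "hids", "severity": 4, "host": "db01", "event_type": "setuid_exec", "internal": 1},
    {"sensor": "hids", "severity": 1, "host": "web02", "event_type": "heartbeat", "internal": 1},
    {"sensor": "applog", "src_ip": "10.4.4.4", "event_type": "auth_failed"},  # no 'internal'
]
```

Two behaviours matter when a rules network is partitioned this way. A selector over a property the adapter never set evaluates to UNKNOWN, so the message is silently dropped even under NOT (the applog event above reaches no engine), and a numeric comparison against a property the adapter set as a string never matches; the Level 0 adapters therefore have to agree on property names and types before selectors are trusted to route. SSL on the transport protects events between adapter and broker but does not by itself say which adapter set which properties, so the adapters themselves need to be authenticated to the broker.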
Potential Extensions to Solutions Architecture
• Extension of IDS to rules-based access control
  - Integration of IDS with access control
  - TIBCO BusinessEvents™ for rule-based access control
• Extension of IDS and access control to incident response
  - Event-triggered work flow
  - TIBCO iProcess™ BPM for incident response
  - TIBCO iProcess™ BPM security entitlement work flow
  - TIBCO BusinessEvents™ for rule-based access control
• Extensions for other risk and compliance requirements
  - Basel II, SOX, and JSOX - for example
  - Other possibilities to be discussed later
• Extensions for IT management requirements
  - Monitoring and fault management, service management, ITIL
TIBCO’s Vision
The Full Range of Business Integration Products and Services
Key Takeaways of Webinar
• Next Generation IDS requires the fusion of information from numerous event sources across the enterprise:
  - Model all IDS Devices, Log Files, Sniffers, etc. as Sensors
  - Use Secure Standards-based Messaging for Communications
• Next-Gen IDS Requires a Number of Technologies:
  - Distributed Computing, Publish/Subscribe and SOA
  - Hierarchical, Cooperative Inference Processing
  - High Speed, Real Time Rules Processing with State Management
  - Event-Decision Architecture for Complex Events / Situations
• Solution Expandable to Other Security, Compliance and IT Management Areas (as required)
Questions and Answers
Tim Bass, CISSP
Principal Global Architect
tbass@tibco.com
Event Processing at TIBCO
Más contenido relacionado

La actualidad más candente

Privileged Account Management - Keep your logins safe
Privileged Account Management - Keep your logins safePrivileged Account Management - Keep your logins safe
Privileged Account Management - Keep your logins safeJens Albrecht
 
How to Choose the Right Security Information and Event Management (SIEM) Solu...
How to Choose the Right Security Information and Event Management (SIEM) Solu...How to Choose the Right Security Information and Event Management (SIEM) Solu...
How to Choose the Right Security Information and Event Management (SIEM) Solu...IBM Security
 
IBM Q-radar security intelligence roadmap
IBM Q-radar security intelligence roadmapIBM Q-radar security intelligence roadmap
IBM Q-radar security intelligence roadmapDATA SECURITY SOLUTIONS
 
Qradar ibm partner_enablement_220212_final
Qradar ibm partner_enablement_220212_finalQradar ibm partner_enablement_220212_final
Qradar ibm partner_enablement_220212_finalArrow ECS UK
 
Building a Next-Generation Security Operation Center Based on IBM QRadar and ...
Building a Next-Generation Security Operation Center Based on IBM QRadar and ...Building a Next-Generation Security Operation Center Based on IBM QRadar and ...
Building a Next-Generation Security Operation Center Based on IBM QRadar and ...IBM Security
 
Top Cybersecurity Threats and How SIEM Protects Against Them
Top Cybersecurity Threats and How SIEM Protects Against ThemTop Cybersecurity Threats and How SIEM Protects Against Them
Top Cybersecurity Threats and How SIEM Protects Against ThemSBWebinars
 
Data security solutions_Baltics_IBM_QRadar_SIEM_Use_Cases_28.01.2014
Data security solutions_Baltics_IBM_QRadar_SIEM_Use_Cases_28.01.2014Data security solutions_Baltics_IBM_QRadar_SIEM_Use_Cases_28.01.2014
Data security solutions_Baltics_IBM_QRadar_SIEM_Use_Cases_28.01.2014Andris Soroka
 
Strategy considerations for building a security operations center
Strategy considerations for building a security operations centerStrategy considerations for building a security operations center
Strategy considerations for building a security operations centerCMR WORLD TECH
 
Vendor Landscape: Security Information and Event Management
Vendor Landscape: Security Information and Event ManagementVendor Landscape: Security Information and Event Management
Vendor Landscape: Security Information and Event ManagementInfo-Tech Research Group
 
Practical Enterprise Security Architecture
Practical Enterprise Security Architecture  Practical Enterprise Security Architecture
Practical Enterprise Security Architecture Priyanka Aash
 
Lets talk about soc2s, baby! BSidesLV 2021
Lets talk about soc2s, baby! BSidesLV 2021Lets talk about soc2s, baby! BSidesLV 2021
Lets talk about soc2s, baby! BSidesLV 2021Wendy Knox Everette
 
Identifying Code Risks in Software M&A
Identifying Code Risks in Software M&AIdentifying Code Risks in Software M&A
Identifying Code Risks in Software M&AMatt Tortora
 
Redefining siem to real time security intelligence
Redefining siem to real time security intelligenceRedefining siem to real time security intelligence
Redefining siem to real time security intelligenceBrendaly Marcano
 
IBM QRadar Security Intelligence Overview
IBM QRadar Security Intelligence OverviewIBM QRadar Security Intelligence Overview
IBM QRadar Security Intelligence OverviewCamilo Fandiño Gómez
 
Operational Security Intelligence
Operational Security IntelligenceOperational Security Intelligence
Operational Security IntelligenceSplunk
 
Ca world 2007 SOC integration
Ca world 2007 SOC integrationCa world 2007 SOC integration
Ca world 2007 SOC integrationMichael Nickle
 
Whitepaper IBM Qradar Security Intelligence
Whitepaper IBM Qradar Security IntelligenceWhitepaper IBM Qradar Security Intelligence
Whitepaper IBM Qradar Security IntelligenceCamilo Fandiño Gómez
 
IBM Security Intelligence
IBM Security IntelligenceIBM Security Intelligence
IBM Security IntelligenceAnna Landolfi
 

La actualidad más candente (19)

Privileged Account Management - Keep your logins safe
Privileged Account Management - Keep your logins safePrivileged Account Management - Keep your logins safe
Privileged Account Management - Keep your logins safe
 
How to Choose the Right Security Information and Event Management (SIEM) Solu...
How to Choose the Right Security Information and Event Management (SIEM) Solu...How to Choose the Right Security Information and Event Management (SIEM) Solu...
How to Choose the Right Security Information and Event Management (SIEM) Solu...
 
IBM Q-radar security intelligence roadmap
IBM Q-radar security intelligence roadmapIBM Q-radar security intelligence roadmap
IBM Q-radar security intelligence roadmap
 
Qradar ibm partner_enablement_220212_final
Qradar ibm partner_enablement_220212_finalQradar ibm partner_enablement_220212_final
Qradar ibm partner_enablement_220212_final
 
Building a Next-Generation Security Operation Center Based on IBM QRadar and ...
Building a Next-Generation Security Operation Center Based on IBM QRadar and ...Building a Next-Generation Security Operation Center Based on IBM QRadar and ...
Building a Next-Generation Security Operation Center Based on IBM QRadar and ...
 
Top Cybersecurity Threats and How SIEM Protects Against Them
Top Cybersecurity Threats and How SIEM Protects Against ThemTop Cybersecurity Threats and How SIEM Protects Against Them
Top Cybersecurity Threats and How SIEM Protects Against Them
 
Data security solutions_Baltics_IBM_QRadar_SIEM_Use_Cases_28.01.2014
Data security solutions_Baltics_IBM_QRadar_SIEM_Use_Cases_28.01.2014Data security solutions_Baltics_IBM_QRadar_SIEM_Use_Cases_28.01.2014
Data security solutions_Baltics_IBM_QRadar_SIEM_Use_Cases_28.01.2014
 
Strategy considerations for building a security operations center
Strategy considerations for building a security operations centerStrategy considerations for building a security operations center
Strategy considerations for building a security operations center
 
Vendor Landscape: Security Information and Event Management
Vendor Landscape: Security Information and Event ManagementVendor Landscape: Security Information and Event Management
Vendor Landscape: Security Information and Event Management
 
Practical Enterprise Security Architecture
Practical Enterprise Security Architecture  Practical Enterprise Security Architecture
Practical Enterprise Security Architecture
 
Lets talk about soc2s, baby! BSidesLV 2021
Lets talk about soc2s, baby! BSidesLV 2021Lets talk about soc2s, baby! BSidesLV 2021
Lets talk about soc2s, baby! BSidesLV 2021
 
Identifying Code Risks in Software M&A
Identifying Code Risks in Software M&AIdentifying Code Risks in Software M&A
Identifying Code Risks in Software M&A
 
Redefining siem to real time security intelligence
Redefining siem to real time security intelligenceRedefining siem to real time security intelligence
Redefining siem to real time security intelligence
 
IBM QRadar Security Intelligence Overview
IBM QRadar Security Intelligence OverviewIBM QRadar Security Intelligence Overview
IBM QRadar Security Intelligence Overview
 
Operational Security Intelligence
Operational Security IntelligenceOperational Security Intelligence
Operational Security Intelligence
 
System of security controls
System of security controlsSystem of security controls
System of security controls
 
Ca world 2007 SOC integration
Ca world 2007 SOC integrationCa world 2007 SOC integration
Ca world 2007 SOC integration
 
Whitepaper IBM Qradar Security Intelligence
Whitepaper IBM Qradar Security IntelligenceWhitepaper IBM Qradar Security Intelligence
Whitepaper IBM Qradar Security Intelligence
 
IBM Security Intelligence
IBM Security IntelligenceIBM Security Intelligence
IBM Security Intelligence
 

Más de Tim Bass

A High Level Blackboard Architecture for Cyber SA
A High Level Blackboard Architecture for Cyber SAA High Level Blackboard Architecture for Cyber SA
A High Level Blackboard Architecture for Cyber SATim Bass
 
A Journey Into Cyberspace
A Journey Into CyberspaceA Journey Into Cyberspace
A Journey Into CyberspaceTim Bass
 
Event Driven Architecture (EDA), November 2, 2006
Event Driven Architecture (EDA), November 2, 2006Event Driven Architecture (EDA), November 2, 2006
Event Driven Architecture (EDA), November 2, 2006Tim Bass
 
Mythbusters: Event Stream Processing v. Complex Event Processing
Mythbusters: Event Stream Processing v. Complex Event ProcessingMythbusters: Event Stream Processing v. Complex Event Processing
Mythbusters: Event Stream Processing v. Complex Event ProcessingTim Bass
 
Event Processing Technical Society Event Processing Reference Architecture W...
Event Processing Technical SocietyEvent Processing Reference Architecture W...Event Processing Technical SocietyEvent Processing Reference Architecture W...
Event Processing Technical Society Event Processing Reference Architecture W...Tim Bass
 
Leveraging Business Rules in TIBCO BusinessEvents
Leveraging Business Rules in TIBCO BusinessEventsLeveraging Business Rules in TIBCO BusinessEvents
Leveraging Business Rules in TIBCO BusinessEventsTim Bass
 
Optimizing Your SOA with Event Processing
Optimizing Your SOA with Event ProcessingOptimizing Your SOA with Event Processing
Optimizing Your SOA with Event ProcessingTim Bass
 
Complex Event Processing (CEP) for Next-Generation Security Event Management,...
Complex Event Processing (CEP) for Next-Generation Security Event Management,...Complex Event Processing (CEP) for Next-Generation Security Event Management,...
Complex Event Processing (CEP) for Next-Generation Security Event Management,...Tim Bass
 
CEP and SOA: An Open Event-Driven Architecture for Risk Management
CEP and SOA: An Open Event-Driven Architecture for Risk ManagementCEP and SOA: An Open Event-Driven Architecture for Risk Management
CEP and SOA: An Open Event-Driven Architecture for Risk ManagementTim Bass
 
Detecting Opportunities and Threats with Complex Event Processing: Case St...
Detecting Opportunities and Threats with Complex Event Processing: Case St...Detecting Opportunities and Threats with Complex Event Processing: Case St...
Detecting Opportunities and Threats with Complex Event Processing: Case St...Tim Bass
 
Next-Generation IDS: A CEP Use Case in 10 Minutes
Next-Generation IDS: A CEP Use Case in 10 MinutesNext-Generation IDS: A CEP Use Case in 10 Minutes
Next-Generation IDS: A CEP Use Case in 10 MinutesTim Bass
 
A Survey of Event Processing Languages (EPLs), October 7, 2006
A Survey of Event Processing Languages (EPLs), October 7, 2006A Survey of Event Processing Languages (EPLs), October 7, 2006
A Survey of Event Processing Languages (EPLs), October 7, 2006Tim Bass
 
Proposed Event Processing Definitions ,September 20, 2006
Proposed Event Processing Definitions,September 20, 2006Proposed Event Processing Definitions,September 20, 2006
Proposed Event Processing Definitions ,September 20, 2006Tim Bass
 
Event Processing Reference Architecture, March 2006
Event Processing Reference Architecture, March 2006Event Processing Reference Architecture, March 2006
Event Processing Reference Architecture, March 2006Tim Bass
 
CEP: Event-Decision Architecture for PredictiveBusiness, July 2006
CEP: Event-Decision Architecture for PredictiveBusiness, July 2006CEP: Event-Decision Architecture for PredictiveBusiness, July 2006
CEP: Event-Decision Architecture for PredictiveBusiness, July 2006Tim Bass
 
Using Event Processing to Enable Enterprise Security
Using Event Processing to Enable Enterprise SecurityUsing Event Processing to Enable Enterprise Security
Using Event Processing to Enable Enterprise SecurityTim Bass
 
Processing Patterns for PredictiveBusiness
Processing Patterns for PredictiveBusinessProcessing Patterns for PredictiveBusiness
Processing Patterns for PredictiveBusinessTim Bass
 
Adding Rules to Improve Flexibility and Effectively Manage Complex Events
Adding Rules to Improve Flexibility and Effectively Manage Complex EventsAdding Rules to Improve Flexibility and Effectively Manage Complex Events
Adding Rules to Improve Flexibility and Effectively Manage Complex EventsTim Bass
 
Processing Patterns for Predictive Business
Processing Patterns for Predictive BusinessProcessing Patterns for Predictive Business
Processing Patterns for Predictive BusinessTim Bass
 

Más de Tim Bass (19)

A High Level Blackboard Architecture for Cyber SA
A High Level Blackboard Architecture for Cyber SAA High Level Blackboard Architecture for Cyber SA
A High Level Blackboard Architecture for Cyber SA
 
A Journey Into Cyberspace
A Journey Into CyberspaceA Journey Into Cyberspace
A Journey Into Cyberspace
 
Event Driven Architecture (EDA), November 2, 2006
Event Driven Architecture (EDA), November 2, 2006Event Driven Architecture (EDA), November 2, 2006
Event Driven Architecture (EDA), November 2, 2006
 
Mythbusters: Event Stream Processing v. Complex Event Processing
Mythbusters: Event Stream Processing v. Complex Event ProcessingMythbusters: Event Stream Processing v. Complex Event Processing
Mythbusters: Event Stream Processing v. Complex Event Processing
 
Event Processing Technical Society Event Processing Reference Architecture W...
Event Processing Technical SocietyEvent Processing Reference Architecture W...Event Processing Technical SocietyEvent Processing Reference Architecture W...
Event Processing Technical Society Event Processing Reference Architecture W...
 
Leveraging Business Rules in TIBCO BusinessEvents
Leveraging Business Rules in TIBCO BusinessEventsLeveraging Business Rules in TIBCO BusinessEvents
Leveraging Business Rules in TIBCO BusinessEvents
 
Optimizing Your SOA with Event Processing
Optimizing Your SOA with Event ProcessingOptimizing Your SOA with Event Processing
Optimizing Your SOA with Event Processing
 
Complex Event Processing (CEP) for Next-Generation Security Event Management,...
Complex Event Processing (CEP) for Next-Generation Security Event Management,...Complex Event Processing (CEP) for Next-Generation Security Event Management,...
Complex Event Processing (CEP) for Next-Generation Security Event Management,...
 
CEP and SOA: An Open Event-Driven Architecture for Risk Management
CEP and SOA: An Open Event-Driven Architecture for Risk ManagementCEP and SOA: An Open Event-Driven Architecture for Risk Management
CEP and SOA: An Open Event-Driven Architecture for Risk Management
 
Detecting Opportunities and Threats with Complex Event Processing: Case St...
Detecting Opportunities and Threats with Complex Event Processing: Case St...Detecting Opportunities and Threats with Complex Event Processing: Case St...
Detecting Opportunities and Threats with Complex Event Processing: Case St...
 
Next-Generation IDS: A CEP Use Case in 10 Minutes
Next-Generation IDS: A CEP Use Case in 10 MinutesNext-Generation IDS: A CEP Use Case in 10 Minutes
Next-Generation IDS: A CEP Use Case in 10 Minutes
 
A Survey of Event Processing Languages (EPLs), October 7, 2006
A Survey of Event Processing Languages (EPLs), October 7, 2006A Survey of Event Processing Languages (EPLs), October 7, 2006
A Survey of Event Processing Languages (EPLs), October 7, 2006
 
Proposed Event Processing Definitions ,September 20, 2006
Proposed Event Processing Definitions,September 20, 2006Proposed Event Processing Definitions,September 20, 2006
Proposed Event Processing Definitions ,September 20, 2006
 
Event Processing Reference Architecture, March 2006
Event Processing Reference Architecture, March 2006Event Processing Reference Architecture, March 2006
Event Processing Reference Architecture, March 2006
 
CEP: Event-Decision Architecture for PredictiveBusiness, July 2006
CEP: Event-Decision Architecture for PredictiveBusiness, July 2006CEP: Event-Decision Architecture for PredictiveBusiness, July 2006
CEP: Event-Decision Architecture for PredictiveBusiness, July 2006
 
Using Event Processing to Enable Enterprise Security
Using Event Processing to Enable Enterprise SecurityUsing Event Processing to Enable Enterprise Security
Using Event Processing to Enable Enterprise Security
 
Processing Patterns for PredictiveBusiness
Processing Patterns for PredictiveBusinessProcessing Patterns for PredictiveBusiness
Processing Patterns for PredictiveBusiness
 
Adding Rules to Improve Flexibility and Effectively Manage Complex Events
Adding Rules to Improve Flexibility and Effectively Manage Complex EventsAdding Rules to Improve Flexibility and Effectively Manage Complex Events
Adding Rules to Improve Flexibility and Effectively Manage Complex Events
 
Processing Patterns for Predictive Business
Processing Patterns for Predictive BusinessProcessing Patterns for Predictive Business
Processing Patterns for Predictive Business
 

Using Event Processing to Enable Enterprise Security

  • 1. Using Event Processing to Enable Enterprise Security July 20, 2006 Tim Bass, CISSP Principal Global Architect Alan Lundberg Senior Product Marketing Manager TIBCO Software Inc.
  • 2. © 2006 TIBCO Software Inc. All Rights Reserved. Confidential and Proprietary. 2 Key Takeaways of Webinar  Next Generation IDS requires the fusion of information from numerous event sources across the enterprise:  Model all IDS Devices, Log Files, Sniffers, etc. as Sensors  Use Secure Standards-based Messaging for Communications  Next-Gen IDS Requires a Number of Technologies:  Distributed Computing, Publish/Subscribe and SOA  Hierarchical, Cooperative Inference Processing  High Speed, Real Time Rules Processing with State Management  Event-Decision Architecture for Identification and Mitigation of Security Situations  Solution Expandable to Other Security, Compliance and IT Management Areas (as required)
  • 3. © 2006 TIBCO Software Inc. All Rights Reserved. Confidential and Proprietary. 3  Firewall, IDS, IPS, Cryptography, Access Control are Simply Not Sufficient.  Malicious Users are Using Legitimate Application Protocols, such as HTTP, HTTPS and SOAP.  An CSI/FBI Study Showed that Almost 50% of Security Breaches came from Internal Resources.  Recently fired employees  Unscrupulous traders  Compromised partners  And disgruntled or curious employees A Sample of the Problems with Network Security malicious users malicious users
  • 4. © 2006 TIBCO Software Inc. All Rights Reserved. Confidential and Proprietary. 4 Background – the Current state of IDS “Today over 70% of attacks against a company’s website or web application come at the ‘Application Layer’ not the Network or System layer.” - Gartner Group Most of Firewalls, IDS (Intrusion Detection System), IPS (Intrusion Prevention System) are act at the Network/System Layer, not at the “Application Layer”.
  • 5. © 2006 TIBCO Software Inc. All Rights Reserved. Confidential and Proprietary. 5 Proactive Security  An Attacker will Leave Evidence Before a Successful Break-In:  SSL error log file  Application/XML Firewall log file  Application log files  Correlating those Forensic Events in Real-Time will: Catch the attacker before … they break-in!
  • 6. © 2006 TIBCO Software Inc. All Rights Reserved. Confidential and Proprietary. 6 The Requirements “A real-time quick and effective monitoring and response is critical for stopping an ongoing malicious attack and preventing future attacks on the enterprise as an integrated system. “  Enterprises Need Processes and Tools to:  Monitor security events  Correlate thousands of security events into few identifiable critical situations  Be alerted and notified of potential attacks with low false alarm rates  Watch for suspected malicious users on the network  Prevent intrusions and attacks  Identify, assess and manage security breaches  Mitigate, contain and minimize damage  Preserve of intrusion evidence  Manage and track security incidents and investigations  These Tool Should also Integrate with Existing Enterprise Systems Management tools
  • 7. © 2006 TIBCO Software Inc. All Rights Reserved. Confidential and Proprietary. 7 Introduction to Intrusion Detection (ID)  Intrusion Detection is the process of identifying and responding to malicious activity targeted at computing and networking resources.  ID is often accomplished by these (overlapping) methods (more on this later):  Audit trail processing  Real-time processing  Profiles of normal behavior  Signatures of abnormal behavior  Parameter pattern matching
  • 8. © 2006 TIBCO Software Inc. All Rights Reserved. Confidential and Proprietary. 8 Rapidly detect intrusions with a low false alarm rate and a high intrusion detection rate… Intrusion Detection System Design Goals What are the overall design goals for IDS? (Illustrative Purposes Only)
  • 9. © 2006 TIBCO Software Inc. All Rights Reserved. Confidential and Proprietary. 9 Classification of Intrusion Detection Systems Traditional View Before Data Fusion Approach to IDS Intrusion Detection Systems Agent Based Detection Approach Systems Protected Architecture Data Sources Analysis Timing Detection Actions HIDS NIDS Hybrid Audit Logs Net Traffic System Stats Real Time Data Mining Anomaly Detection Signature Detection Centralized Distributed Active Passive
  • 10. © 2006 TIBCO Software Inc. All Rights Reserved. Confidential and Proprietary. 10 TIBCO’s Real-Time Agent-Based IDS Approach A Multisensor Data Fusion Approach to IDS Intrusion Detection Systems Detection Approach Systems Protected Architecture Data Sources Analysis Timing Detection Actions HIDS NIDS Hybrid Audit Logs Net Traffic System Stats Real Time Data Mining Anomaly Detection Signature Detection Centralized Distributed Active Passive Agent Based Next-Generation Fusion of IDS Sensor Functions
  • 11. Intrusion Detection and Data Fusion (2000)
    Next-Generation Intrusion Detection Systems (figure)
    Source: Bass, T., CACM, 2000
  • 12. PredictiveBusiness™
  • 13. Event-Decision Reference Architecture
    Next-Generation Functional Architecture for Intrusion Detection (figure)
    Event Sources: external sources, distributed local event services, event profiles, databases, other data
    Event Pre-processing
    Level One: Event Tracking
    Level Two: Situation Detection
    Level Three: Predictive Analysis
    Level Four: Adaptive BPM
    DB Management: historical data, profiles & patterns
    Visualization, BAM, User Interaction
  • 14. Event-Decision High Level Architecture
    (Figure: an Event Cloud, the distributed data set, surrounded by Knowledge Sources (KS) that read from and write to it)
    Adapted from: Engelmore, R. S., Morgan, A. J., & Nii, H. P., Blackboard Systems, 1988, and Luckham, D., The Power of Events, 2002
  • 15. HLA - Knowledge Sources
    - Sensors: Systems that provide data and events to the inference models and humans
    - Actuators: Systems that take action based on inference models and human interactions
    - Knowledge Processors: Systems that take in data and events, process the data and events, and output refined, correlated, or inferred data or events
  • 16. Structured Processing for Event-Decision
    Multi-level inference in a distributed event-decision architecture (level of inference rises from Level 0 to the User Interface: low, medium, high)
    - User Interface: Human visualization, monitoring, interaction and situation management
    - Level 4 - Process Refinement: Decide on control feedback, for example resource allocation, sensor and state management, parametric and algorithm adjustment
    - Level 3 - Impact Assessment: Assess intent on the basis of situation development, recognition and prediction
    - Level 2 - Situation Refinement: Identify situations based on sets of complex events, state estimation, etc.
    - Level 1 - Event Refinement: Identify events and make initial decisions based on association and correlation
    - Level 0 - Event Preprocessing: Cleansing of the event stream to produce semantically understandable data
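The Level 0 to Level 2 stages above, as an added example that is not part of the original deck or of any TIBCO product: constructed sshd log lines and a NIDS alert are cleansed into a common schema (Level 0), associated into per-source tracks (Level 1), and matched against a complex-event pattern, repeated authentication failures followed by a success and then a network alert from the same source, to surface one situation (Level 2). The function names, the pattern and the sample events are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample sensor output (not real telemetry): (sensor, raw line).
RAW_EVENTS = [
    ("sshd", "Failed password for root from 10.0.0.7 port 51022"),
    ("sshd", "Failed password for root from 10.0.0.7 port 51023"),
    ("sshd", "Failed password for root from 10.0.0.7 port 51024"),
    ("sshd", "Accepted password for root from 10.0.0.7 port 51025"),
    ("nids", "ALERT sig=port-scan src=10.0.0.7 dst=10.0.1.20"),
    ("sshd", "Failed password for alice from 10.0.0.9 port 40001"),
]

SSHD_RE = re.compile(r"(Failed|Accepted) password for (\S+) from (\S+)")
NIDS_RE = re.compile(r"sig=(\S+) src=(\S+)")

def level0_normalize(sensor, line):
    """Level 0: cleanse one raw sensor line into the schema {type, src, detail}."""
    if sensor == "sshd" and (m := SSHD_RE.search(line)):
        kind = "auth_fail" if m.group(1) == "Failed" else "auth_ok"
        return {"type": kind, "src": m.group(3), "detail": m.group(2)}
    if sensor == "nids" and (m := NIDS_RE.search(line)):
        return {"type": "nids_alert", "src": m.group(2), "detail": m.group(1)}
    return None  # unparseable input is dropped, never guessed at

def level1_track(events):
    """Level 1: associate normalized events into ordered per-source tracks."""
    tracks = defaultdict(list)
    for ev in events:
        tracks[ev["src"]].append(ev)
    return tracks

def level2_situations(tracks, fail_threshold=3):
    """Level 2: infer a situation when a single track shows >= fail_threshold
    auth failures, then a success, then a NIDS alert (a hypothetical pattern)."""
    found = []
    for src, evs in tracks.items():
        fails, compromised = 0, False
        for ev in evs:
            if ev["type"] == "auth_fail":
                fails += 1
            elif ev["type"] == "auth_ok" and fails >= fail_threshold:
                compromised = True
            elif ev["type"] == "nids_alert" and compromised:
                found.append({"situation": "brute_force_then_scan", "src": src,
                              "failures": fails, "alert": ev["detail"]})
    return found

def run_pipeline(raw=RAW_EVENTS):
    """Run the three inference levels end to end and return detected situations."""
    normalized = [e for s, l in raw if (e := level0_normalize(s, l))]
    return level2_situations(level1_track(normalized))
```

Thousands of low-level events collapse into a single situation record per source, which is the correlation the Requirements slide asks for; the lone failure from 10.0.0.9 never crosses the threshold and produces nothing.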
  • 17. Event-Driven Intrusion Detection
    Flexible SOA and Event-Driven Architecture
  • 18. Next-Gen Intrusion Detection System (NGIDS)
    High Level Event-Driven Architecture (EDA) - Early Phase (figure)
    - Sensor Network: NIDS, HIDS, other IDS devices, log files and SQL databases on the monitored systems, each connected through a TIBCO BusinessWorks (BW) or Active Database (ADB) adapter that publishes to JMS
    - Messaging Network: Java Messaging Service (JMS) distributed queues (TIBCO EMS)
    - Rules Network: multiple high-performance rules engines (TIBCO BE) consuming from the queues
    TIBCO products are shown at every tier between the sensors and the rules engines.
  • 19. Characteristics of Solutions Architecture
    - Fusion of IDS information across the Customer's Enterprise, including:
      - Log files
      - Existing Customer IDS (host and network based) devices
      - Network traffic monitors (as required)
      - Host statistics (as required)
    - Secure, standards-based Java Messaging Service (JMS) for messaging:
      - Events parsed into JMS Properties (extended headers)
      - SSL transport for JMS messages
    - TIBCO technology for next-generation detection, prediction, rule-based intrusion response, and adaptive control:
      - TIBCO BusinessWorks™ as required, to transform, map or cleanse data
      - TIBCO BusinessEvents™ for rule-based IDS analytics
      - TIBCO Active Database Adapter as required
  • 20. Potential Extensions to Solutions Architecture
    - Extension of IDS to rules-based access control
      - Integration of IDS with access control
      - TIBCO BusinessEvents™ for rule-based access control
    - Extension of IDS and access control to incident response
      - Event-triggered work flow
      - TIBCO iProcess™ BPM for incident response
      - TIBCO iProcess™ BPM security entitlement work flow
      - TIBCO BusinessEvents™ for rule-based access control
    - Extensions for other risk and compliance requirements
      - Basel II, SOX, and JSOX, for example
      - Other possibilities to be discussed later
    - Extensions for IT management requirements
      - Monitoring and fault management, service management, ITIL
  • 21. TIBCO's Vision
    The Full Range of Business Integration Products and Services
  • 22. Key Takeaways of Webinar
    - Next Generation IDS requires the fusion of information from numerous event sources across the enterprise:
      - Model all IDS Devices, Log Files, Sniffers, etc. as Sensors
      - Use Secure Standards-based Messaging for Communications
    - Next-Gen IDS Requires a Number of Technologies:
      - Distributed Computing, Publish/Subscribe and SOA
      - Hierarchical, Cooperative Inference Processing
      - High Speed, Real Time Rules Processing with State Management
      - Event-Decision Architecture for Complex Events / Situations
    - Solution Expandable to Other Security, Compliance and IT Management Areas (as required)
  • 23. Questions and Answers
    Tim Bass, CISSP, Principal Global Architect, tbass@tibco.com
    Event Processing at TIBCO