Next-Generation IDS: A CEP Use Case in 10 Minutes
3rd Draft, November 8, 2006
2nd Event Processing Symposium, Redwood Shores, California
Tim Bass, CISSP, Principal Global Architect, Director, TIBCO Software Inc.
Our Agenda • The Problem • The Approach • Conclusions • Appendix: The Format of the Case Study
The Problem: What business problem motivated the development of an event processing solution?
Intrusion Detection Systems (taxonomy figure):
• Detection Approach: Anomaly Detection, Signature Detection
• Systems Protected: HIDS, NIDS, Hybrid
• Architecture: Centralized, Distributed, Agent Based
• Data Sources: Audit Logs, Net Traffic, System Stats
• Detection Actions: Active, Passive
• Analysis Timing: Real Time, Data Mining
The Problem: What were the overall design goals of the approach? (Illustrative purposes only.) Rapidly detect intrusions with a low false alarm rate and a high intrusion detection rate.
The Approach: Summarize the overall design of the solution. (Figure.) Source: Bass, T., "Intrusion Detection Systems and Multisensor Data Fusion," CACM, 2000.
The Approach: Summarize the overall design of the solution.
Next-generation IDS (taxonomy figure): fusion of IDS sensor functions across every branch of the taxonomy rather than a single choice in each.
• Detection Approach: Anomaly Detection, Signature Detection
• Systems Protected: HIDS, NIDS, Hybrid
• Architecture: Centralized, Distributed, Agent Based
• Data Sources: Audit Logs, Net Traffic, System Stats
• Detection Actions: Active, Passive
• Analysis Timing: Real Time, Data Mining
The Approach: Summarize the overall design of the solution.
Event-Decision Architecture (figure):
• Event sources (local event services and external distributed sources) feed event pre-processing.
• Level One: event tracking
• Level Two: situation detection
• Level Three: predictive analysis
• Level Four: adaptive BPM
• DB management supplies event profiles, databases and other data, plus historical data and profiles & patterns, to the processing levels.
• Visualization, BAM and user interaction span all levels.
The Approach: Summarize the overall design of the solution. Flexible SOA and Event-Driven Architecture.
The Approach - Phase I: Event Sources and Commercial Products (figure)
• Sensor network: each source (log files, existing IDS, HIDS, NIDS, and SQL databases via the Active Database Adapter, ADB) is connected through TIBCO BusinessWorks (BW) to JMS.
• Messaging network: Java Message Service (JMS) over distributed queues (TIBCO EMS).
• Rules network: high-performance rules engines (TIBCO BusinessEvents, BE) consume the queues.
The Approach: Event Sources and Commercial Products
• Fusion of IDS information from across client event sources, including:
- Log files
- Existing client IDS (host and network based) devices
- Network traffic monitors (as required)
- Host statistics (as required)
• Secure, standards-based Java Message Service (JMS) for messaging:
- Events parsed into JMS application properties
- SSL transport for JMS messages
• TIBCO technology for next-generation detection, prediction, rule-based intrusion response, and adaptive control:
- TIBCO BusinessWorks™ as required, to transform, map or cleanse data
- TIBCO BusinessEvents™ for rule-based IDS analytics
- TIBCO Active Database Adapter as required
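The two slides above (the event-decision levels and the event sources parsed into JMS application properties) describe a pipeline but show no code. The following is an added example, not code from the talk or from TIBCO products: it normalizes constructed host-sensor (sshd syslog) and network-sensor (Snort-style fast alert) lines into a common property set, groups them per source address (level one, event tracking), and runs cross-sensor rules over each track (level two, situation detection). The sample lines, the thresholds, the year assumption and the confidence values are all assumptions chosen for illustration.

```python
"""Added example of multisensor IDS event fusion (not the talk's own code)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

YEAR = 2006  # assumption: syslog and Snort fast-alert lines carry no year

# Constructed sample sensor output (not real data).
HOST_LOG = """\
Nov  8 10:01:02 web01 sshd[2311]: Failed password for root from 10.0.0.5 port 4422 ssh2
Nov  8 10:01:04 web01 sshd[2311]: Failed password for root from 10.0.0.5 port 4423 ssh2
Nov  8 10:01:07 web01 sshd[2311]: Failed password for admin from 10.0.0.5 port 4424 ssh2
Nov  8 10:02:11 web01 sshd[2390]: Failed password for bob from 10.0.0.7 port 5100 ssh2
Nov  8 10:02:15 web01 sshd[2390]: Accepted password for bob from 10.0.0.7 port 5101 ssh2
"""
NIDS_ALERTS = """\
11/08-10:01:30.112233 [**] [1:1000001:1] LOCAL SSH brute-force attempt [**] [Priority: 2] {TCP} 10.0.0.5:4425 -> 192.168.1.10:22
11/08-10:40:00.000000 [**] [1:1000002:1] LOCAL ICMP sweep [**] [Priority: 3] {ICMP} 10.0.0.9 -> 192.168.1.10
"""

SYSLOG_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for (?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+")
SNORT_RE = re.compile(
    r"^(?P<mon>\d\d)/(?P<day>\d\d)-(?P<time>\d\d:\d\d:\d\d)\.\d+ \[\*\*\] "
    r"\[(?P<sid>[\d:]+)\] (?P<msg>.*?) \[\*\*\] \[Priority: (?P<prio>\d)\] "
    r"\{\w+\} (?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?")


def parse_syslog(line):
    """Host sensor line -> normalized event dict (the fields a JMS producer
    would set as application properties). None for lines we do not model."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return {"sensor": "hids", "ts": ts, "src_ip": m["src"], "target": m["host"],
            "event_type": "auth_failure" if m["result"] == "Failed" else "auth_success",
            "user": m["user"]}


def parse_snort(line):
    """Network sensor line -> normalized event dict with the same core keys."""
    m = SNORT_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m['mon']}/{m['day']} {m['time']}", "%Y %m/%d %H:%M:%S")
    return {"sensor": "nids", "ts": ts, "src_ip": m["src"], "target": m["dst"],
            "event_type": "nids_alert", "signature": m["msg"], "priority": int(m["prio"])}


def normalize(host_log, nids_alerts):
    """Event pre-processing: parse both feeds and merge into one time-ordered stream."""
    events = [parse_syslog(l) for l in host_log.splitlines()]
    events += [parse_snort(l) for l in nids_alerts.splitlines()]
    return sorted((e for e in events if e), key=lambda e: e["ts"])


def track(events):
    """Level one: one track per source IP, holding events from every sensor."""
    tracks = defaultdict(list)
    for e in events:
        tracks[e["src_ip"]].append(e)
    return tracks


FAIL_THRESHOLD = 3            # assumption: three failures inside WINDOW is a burst
WINDOW = timedelta(minutes=5)


def _burst_start(fails):
    """Timestamp of the first FAIL_THRESHOLD failures that fit inside WINDOW, else None."""
    for i in range(len(fails) - FAIL_THRESHOLD + 1):
        if fails[i + FAIL_THRESHOLD - 1]["ts"] - fails[i]["ts"] <= WINDOW:
            return fails[i]["ts"]
    return None


def detect_situations(tracks):
    """Level two: cross-sensor rules per track. A HIDS burst corroborated by a
    NIDS alert gets high confidence; an isolated low-priority alert is dropped."""
    situations = []
    for src, evs in tracks.items():
        fails = [e for e in evs if e["event_type"] == "auth_failure"]
        alerts = [e for e in evs if e["event_type"] == "nids_alert"]
        start = _burst_start(fails)
        if start is not None:
            corroborated = any(abs(a["ts"] - start) <= WINDOW for a in alerts)
            situations.append({"src_ip": src, "situation": "ssh_brute_force",
                               "confidence": 0.9 if corroborated else 0.6,
                               "evidence": len(fails) + (len(alerts) if corroborated else 0)})
        elif any(a["priority"] <= 2 for a in alerts):
            situations.append({"src_ip": src, "situation": "uncorroborated_alert",
                               "confidence": 0.3, "evidence": len(alerts)})
    return situations


def run_pipeline(host_log=HOST_LOG, nids_alerts=NIDS_ALERTS):
    return detect_situations(track(normalize(host_log, nids_alerts)))


if __name__ == "__main__":
    for s in run_pipeline():
        print(s)
```

On the sample input only 10.0.0.5 produces a situation: three failures inside the window plus a NIDS alert from the same address, so confidence 0.9 with four pieces of evidence. The single failed-then-accepted login from 10.0.0.7 and the lone priority-3 sweep from 10.0.0.9 produce nothing, which is the low-false-alarm behaviour the design goal slide asks for. In the talk's deployment the normalized keys would travel as JMS application properties (so BusinessEvents can select on them without parsing the body) over an SSL-protected EMS transport; neither the transport nor the rules engine is modelled here. Keying tracks on source IP alone is a simplification: sources behind NAT or using spoofed addresses need additional correlation keys.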
Conclusions & Lessons Learned: What other features would have helped?
• Future extension of IDS to rules-based access control:
- Integration of IDS with access control
- TIBCO BusinessEvents™ for rule-based access control
• Future extension of IDS and access control to incident response:
- Event-triggered workflow
- TIBCO iProcess™ BPM for incident response
- TIBCO iProcess™ BPM security entitlement workflow
- TIBCO BusinessEvents™ for rule-based access control
• Future extensions for other risk and compliance requirements:
- Basel II, SOX, and J-SOX, for example
• Future extensions for IT management requirements:
- Monitoring and fault management, service management, ITIL
Thank You!
Tim Bass, CISSP, Principal Global Architect, Director
tbass@tibco.com
Event Processing at TIBCO
Appendix: The Case Study Format
• The Problem
- What business problem motivated the development of an event processing solution? (What is the purpose of the application?)
• The Approach
- Summarize the overall design of the solution.
- Event sources: What types of events are used (e.g., time-ordered event streams? other?) How many event types are involved? What are the sources of the events?
- Event processing: What types of filtering, correlation and aggregation are performed? What event processing style, event processing language and types of rules are used?
- Responses: How are the results of event processing applied? Is an action or business process triggered? Are people notified? Is a dashboard or other business activity monitoring (BAM) alert distribution channel used?
- What commercial software tools were applied to each stage?
• Results, Costs and Benefits
- (This section is optional and may be skipped if there is not enough time.)
• Conclusions
- Would different software tools have helped? What other features would have helped?
- What were the lessons learned? (What advice would you give to someone undertaking a similar project?)