Next-Generation IDS: A CEP Use Case in 10 Minutes

Technology

Published on November 3, 2008

Author: TimBassCEP

Source: slideshare.net

Description

Next-Generation IDS: A CEP Use Case in 10 Minutes, 3rd Draft – November 8, 2006, 2nd Event Processing Symposium, Redwood Shores, California, Tim Bass, CISSP, Principal Global Architect, Director, TIBCO Software Inc


Our Agenda

The Problem
The Approach
Conclusions
Appendix: The Format of the Case Study

The Problem

What business problem motivated the development of an event processing solution?

Intrusion Detection Systems taxonomy (from the slide's diagram):

Detection Approach: Anomaly Detection, Signature Detection
Systems Protected: HIDS, NIDS, Hybrid
Architecture: Centralized, Distributed, Agent Based
Data Sources: Audit Logs, Net Traffic, System Stats
Analysis Timing: Real Time, Data Mining
Detection Actions: Active, Passive

The Problem

What were the overall design goals of the approach? (Illustrative purposes only.)

Rapidly detect intrusions with a low false alarm rate and a high intrusion detection rate…

The Approach Summarize the overall design of the solution. Source: Bass, T., CACM, 2000

The Approach

Summarize the overall design of the solution.

The same IDS taxonomy as above (detection approach, systems protected, architecture, data sources, analysis timing, detection actions), with the next-generation element added: fusion of IDS sensor functions across those dimensions.

The Approach

Summarize the overall design of the solution: the Event-Decision Architecture (from the slide's multi-level fusion diagram).

Event Sources: external sources and distributed local event services, feeding Event Pre-Processing
Level One: Event Tracking
Level Two: Situation Detection
Level Three: Predictive Analysis
Level Four: Adaptive BPM
Supporting services: DB Management (historical data, profiles and patterns, event profiles, databases, other data); Visualization, BAM, User Interaction

The Approach

Summarize the overall design of the solution: flexible SOA and Event-Driven Architecture.

The Approach - Phase I: Event Sources and Commercial Products (from the slide's diagram)

Sensor network: the event sources (NIDS, HIDS, other IDS devices, log files, SQL databases) are adapted onto the messaging network:
  NIDS / IDS / HIDS: source, then TIBCO BusinessWorks (BW), then JMS
  Log files: source, then BW, then JMS
  SQL databases: source, then Active Database Adapter (ADB), then BW, then JMS
Messaging network: Java Message Service (JMS) distributed queues (TIBCO EMS)
Rules network: several high-performance rules engines (TIBCO BusinessEvents, BE) consuming from the JMS queues

The Approach - Event Sources and Commercial Products

Fusion of IDS information from across client event sources including:
  Log files
  Existing client IDS (host and network based) devices
  Network traffic monitors (as required)
  Host statistics (as required)

Secure, standards-based Java Message Service (JMS) for messaging:
  Events parsed into JMS application properties
  SSL transport for JMS messages

TIBCO technology for next-generation detection, prediction, rule-based intrusion response, and adaptive control:
  TIBCO BusinessWorks™ as required, to transform, map or cleanse data
  TIBCO BusinessEvents™ for rule-based IDS analytics
  TIBCO Active Database Adapter as required
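The two-level design sketched in the architecture slides (Level One event tracking over heterogeneous sources, Level Two situation detection) and the event-source list above, as an added example that is not code from the slides or from TIBCO. It is written in Python rather than on the JMS/BusinessEvents stack the slides use, and every input format and sample line is constructed for the example: the NIDS and sshd lines are loosely modelled on Snort fast-alert and OpenSSH log output, the HIDS key=value line is hypothetical, and the 5-minute window and two-sensor threshold are illustrative parameters, not values from the presentation.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    """Common event shape; these fields play the role of the JMS application
    properties the slides describe (sensor, src, dst, kind)."""
    ts: datetime
    sensor: str   # "NIDS", "HIDS" or "LOG"
    src: str
    dst: str
    kind: str


# Level One: event pre-processing.  Three constructed input formats, loosely
# modelled on a Snort-style fast alert, an sshd auth-log line and a hypothetical
# HIDS key=value line; none is a real product's exact format.
NIDS_RE = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] (?P<sig>.+?) \[\*\*\] "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+$")
HIDS_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<dst>[\d.]+) rule=(?P<rule>\S+) src=(?P<src>[\d.]+)$")
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<dst>[\d.]+) sshd\[\d+\]: Failed password for \S+ "
    r"from (?P<src>[\d.]+)")


def parse_line(line):
    """Map one raw sensor line to an Event, or None if no parser claims it."""
    m = NIDS_RE.match(line)
    if m:
        return Event(datetime.fromisoformat(m["ts"]), "NIDS", m["src"], m["dst"], m["sig"])
    m = HIDS_RE.match(line)
    if m:
        return Event(datetime.fromisoformat(m["ts"]), "HIDS", m["src"], m["dst"], m["rule"])
    m = LOG_RE.match(line)
    if m:
        return Event(datetime.fromisoformat(m["ts"]), "LOG", m["src"], m["dst"], "ssh-auth-failure")
    return None   # unparseable: dropped here; a deployment would route it to a dead-letter queue


class CorroborationRule:
    """Level Two: situation detection.

    Keeps a sliding window of recent events per destination host and raises a
    situation the first time events from at least `min_sensors` distinct sensor
    types land in that window.  One noisy sensor can never raise a situation by
    itself, which is the fusion argument for a low false-alarm rate: independent
    sensors have to agree.
    """

    def __init__(self, window=timedelta(minutes=5), min_sensors=2):
        self.window = window
        self.min_sensors = min_sensors
        self.recent = defaultdict(deque)   # dst -> events inside the window, oldest first
        self.open = set()                  # dsts with a situation already raised

    def feed(self, ev):
        q = self.recent[ev.dst]
        q.append(ev)
        while q and ev.ts - q[0].ts > self.window:   # expire events older than the window
            q.popleft()
        sensors = {e.sensor for e in q}
        if len(sensors) < self.min_sensors:
            self.open.discard(ev.dst)   # corroboration lapsed; a fresh situation may be raised later
            return None
        if ev.dst in self.open:
            return None                 # already raised; do not re-alert on every further event
        self.open.add(ev.dst)
        return {"dst": ev.dst, "at": ev.ts,
                "sensors": sorted(sensors),
                "sources": sorted({e.src for e in q}),
                "evidence": [e.kind for e in q]}


def run(lines, rule=None):
    """Drive raw lines through Level One and Level Two; return the situations raised."""
    rule = rule or CorroborationRule()
    out = []
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            sit = rule.feed(ev)
            if sit is not None:
                out.append(sit)
    return out


# Constructed sample input (not captured data): a scan, two failed logins and a
# host-side finding against 10.1.2.3 from one source, then a lone NIDS alert for
# another host and a line no parser recognises.
SAMPLE = [
    "2006-11-08T09:00:01 [**] SCAN nmap SYN [**] 203.0.113.7:41234 -> 10.1.2.3:22",
    "2006-11-08T09:00:05 10.1.2.3 sshd[811]: Failed password for root from 203.0.113.7 port 41300 ssh2",
    "2006-11-08T09:00:09 10.1.2.3 sshd[811]: Failed password for root from 203.0.113.7 port 41301 ssh2",
    "2006-11-08T09:01:10 host=10.1.2.3 rule=new-setuid-binary src=203.0.113.7",
    "2006-11-08T09:30:00 [**] POLICY outbound DNS [**] 10.1.2.9:53411 -> 198.51.100.2:53",
    "this line matches no sensor format",
]

if __name__ == "__main__":
    for situation in run(SAMPLE):
        print(situation)
```

Run as a script to print the single situation the sample raises (the NIDS scan alert corroborated by the sshd failures against 10.1.2.3); the lone DNS alert and the repeated failed logins on their own never escalate. Two things the rule deliberately leaves out, which a deployment on the JMS fabric the slides describe would need: it trusts the sensor field as parsed, so producers must be authenticated at the broker (SSL on the transport keeps events confidential in flight but does not by itself stop a compromised host from publishing forged sensor events), and it keys on destination only, so a scan sweeping many hosts from one source would need a second rule keyed on source.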

Conclusions &amp; Lessons Learned

What other features would have helped?

Future extension of IDS to rules-based access control:
  Integration of IDS with access control
  TIBCO BusinessEvents™ for rule-based access control

Future extension of IDS and access control to incident response:
  Event-triggered work flow
  TIBCO iProcess™ BPM for incident response
  TIBCO iProcess™ BPM security entitlement work flow
  TIBCO BusinessEvents™ for rule-based access control

Future extensions for other risk and compliance requirements:
  Basel II, SOX, and JSOX, for example

Future extensions for IT management requirements:
  Monitoring and fault management, service management, ITIL

Thank You! Tim Bass, CISSP Principal Global Architect, Director [email_address] Event Processing at TIBCO

The Case Study Format

The Problem
  What business problem motivated the development of an event processing solution? (What is the purpose of the application?)

The Approach
  Summarize the overall design of the solution.
  Event sources: What types of events are used (e.g., time-ordered event streams? other?)? How many event types are involved? What are the sources of the events?
  Event processing: What types of filtering, correlation and aggregation are performed? What event processing style, event processing language and types of rules are used?
  Responses: How are the results of event processing applied? Is an action or business process triggered? Are people notified? Is a dashboard or other business activity monitoring (BAM) alert distribution channel used?
  What commercial software tools were applied to each stage?

Results, Costs and Benefits
  (This section is optional and may be skipped if there is not enough time.)

Conclusions
  Would different software tools have helped? What other features would have helped?
  What were the lessons learned? (What advice would you give to someone undertaking a similar project?)
