1. Using Event Processing to Enable Enterprise Security
July 20, 2006
Tim Bass, CISSP
Principal Global Architect
Alan Lundberg
Senior Product Marketing Manager
TIBCO Software Inc.
2. © 2006 TIBCO Software Inc. All Rights Reserved. Confidential and Proprietary.
2
Key Takeaways of Webinar
Next Generation IDS requires the fusion of information from
numerous event sources across the enterprise:
Model all IDS Devices, Log Files, Sniffers, etc. as Sensors
Use Secure Standards-based Messaging for Communications
Next-Gen IDS Requires a Number of Technologies:
Distributed Computing, Publish/Subscribe and SOA
Hierarchical, Cooperative Inference Processing
High Speed, Real Time Rules Processing with State Management
Event-Decision Architecture for Identification and Mitigation of
Security Situations
Solution Expandable to Other Security, Compliance and IT
Management Areas (as required)
3.
A Sample of the Problems with Network Security
Firewalls, IDS, IPS, Cryptography and Access Control Are Simply Not Sufficient.
Malicious Users are Using Legitimate Application Protocols, such as HTTP, HTTPS and SOAP.
A CSI/FBI Study Showed that Almost 50% of Security Breaches Came from Internal Resources:
Recently fired employees
Unscrupulous traders
Compromised partners
And disgruntled or curious employees
4.
Background – The Current State of IDS
“Today over 70% of attacks against a company’s website or web application come at the ‘Application Layer’ not the Network or System layer.”
- Gartner Group
Most firewalls, IDS (Intrusion Detection Systems) and IPS (Intrusion Prevention Systems) act at the Network/System Layer, not at the “Application Layer”.
5.
Proactive Security
An Attacker will Leave Evidence Before a Successful Break-In:
SSL error log file
Application/XML Firewall log file
Application log files
Correlating those Forensic Events in Real-Time will Catch the Attacker Before They Break In!
6.
The Requirements
“A real-time quick and effective monitoring and response is critical for stopping an ongoing malicious attack and preventing future attacks on the enterprise as an integrated system.”
Enterprises Need Processes and Tools to:
Monitor security events
Correlate thousands of security events into few identifiable critical situations
Be alerted and notified of potential attacks with low false alarm rates
Watch for suspected malicious users on the network
Prevent intrusions and attacks
Identify, assess and manage security breaches
Mitigate, contain and minimize damage
Preserve intrusion evidence
Manage and track security incidents and investigations
These Tools Should also Integrate with Existing Enterprise Systems Management tools
7.
Introduction to Intrusion Detection (ID)
Intrusion Detection is the process of
identifying and responding to malicious activity
targeted at computing and networking
resources.
ID is often accomplished by these (overlapping)
methods (more on this later):
Audit trail processing
Real-time processing
Profiles of normal behavior
Signatures of abnormal behavior
Parameter pattern matching
8.
Intrusion Detection System Design Goals
What are the overall design goals for IDS? (Illustrative Purposes Only)
Rapidly detect intrusions with a low false alarm rate and a high intrusion detection rate…
9.
Classification of Intrusion Detection Systems
Traditional View Before Data Fusion Approach to IDS
Figure (reconstructed as a list): Intrusion Detection Systems classified along six axes
Detection Approach: Anomaly Detection, Signature Detection
Systems Protected: HIDS, NIDS, Hybrid
Architecture: Centralized, Distributed
Data Sources: Audit Logs, Net Traffic, System Stats
Analysis Timing: Real Time, Data Mining
Detection Actions: Active, Passive
Agent Based
10.
TIBCO’s Real-Time Agent-Based IDS Approach
A Multisensor Data Fusion Approach to IDS
Figure (reconstructed as a list): the same six-axis classification of Intrusion Detection Systems
Detection Approach: Anomaly Detection, Signature Detection
Systems Protected: HIDS, NIDS, Hybrid
Architecture: Centralized, Distributed
Data Sources: Audit Logs, Net Traffic, System Stats
Analysis Timing: Real Time, Data Mining
Detection Actions: Active, Passive
Agent Based – Next-Generation Fusion of IDS Sensor Functions
11.
Intrusion Detection and Data Fusion (2000)
Next-Generation Intrusion Detection Systems
Source: Bass, T., CACM, 2000
12.
PredictiveBusiness™
13.
Event-Decision Reference Architecture
Next-Generation Functional Architecture for Intrusion Detection
Figure (reconstructed as a list): Event-Decision Architecture
Event Sources: External, Distributed Local Event Services, Event Profiles, Databases, Other Data
Event Pre-Processing
Level One: Event Tracking
Level Two: Situation Detection
Level Three: Predictive Analysis
Level Four: Adaptive BPM
DB Management: Historical Data, Profiles & Patterns
Visualization, BAM, User Interaction
14.
Event-Decision High Level Architecture
Figure: an Event Cloud (Distributed Data Set) surrounded by many Knowledge Sources (KS)
Adapted from: Engelmore, R. S., Morgan, A. J., & Nii, H. P., Blackboard Systems, 1988, and Luckham, D., The Power of Events, 2002
15.
HLA - Knowledge Sources (KS)
Sensors
• Systems that provide data and events to the inference models and humans
Actuators
• Systems that take action based on inference models and human interactions
Knowledge Processors
• Systems that take in data and events, process the data and events, and output refined, correlated, or inferred data or events
16.
Structured Processing for Event-Decision
Multi-level inference in a distributed event-decision architecture (the level of inference rises from low at Level 0 to high at the User Interface)
User Interface
Human visualization, monitoring, interaction and situation management
Level 4 – Process Refinement
Decide on control feedback, for example resource allocation, sensor and state management, parametric and algorithm adjustment
Level 3 – Impact Assessment
Impact assessment, i.e. assess intent on the basis of situation development, recognition and prediction
Level 2 – Situation Refinement
Identify situations based on sets of complex events, state estimation, etc.
Level 1 – Event Refinement
Identify events & make initial decisions based on association and correlation
Level 0 – Event Preprocessing
Cleansing of event-stream to produce semantically understandable data
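Levels 0 to 2 of this slide, applied to the real-time correlation of SSL error, XML firewall and application log events described on the “Proactive Security” slide, as an added Python example that is not part of the TIBCO deck; the log formats, field names, IP addresses and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not from the deck): SSL error, XML firewall and app log lines.
RAW_EVENTS = [
    ("ssl", "2006-07-20T10:00:01 client=203.0.113.7 error=handshake_failure"),
    ("xmlfw", "2006-07-20T10:00:03 src=203.0.113.7 action=BLOCK reason=schema_violation"),
    ("app", "2006-07-20T10:00:05 ip=203.0.113.7 event=auth_failure user=admin"),
    ("app", "2006-07-20T10:00:06 ip=203.0.113.7 event=auth_failure user=root"),
    ("ssl", "2006-07-20T11:30:00 client=198.51.100.9 error=handshake_failure"),
    ("app", "2006-07-20T11:30:02 ip=198.51.100.9 event=login_ok user=alice"),
]
FAILURE_KINDS = {"handshake_failure", "schema_violation", "auth_failure"}

# Level 0 - Event Preprocessing: one parser per sensor maps its own field names
# onto a shared schema (ts, src, kind) so the higher levels see uniform events.
PARSERS = {
    "ssl": re.compile(r"(?P<ts>\S+) client=(?P<src>\S+) error=(?P<kind>\S+)"),
    "xmlfw": re.compile(r"(?P<ts>\S+) src=(?P<src>\S+) action=BLOCK reason=(?P<kind>\S+)"),
    "app": re.compile(r"(?P<ts>\S+) ip=(?P<src>\S+) event=(?P<kind>\S+)"),
}

def preprocess(raw):
    """Level 0: cleanse raw lines into (timestamp, src, sensor, kind) tuples."""
    events = []
    for sensor, line in raw:
        m = PARSERS[sensor].match(line)
        if m:  # unparseable lines are dropped, never guessed at
            events.append((datetime.fromisoformat(m["ts"]), m["src"], sensor, m["kind"]))
    return events

def refine(events, window=timedelta(seconds=30)):
    """Level 1: associate events by source address inside a sliding time window."""
    tracks = defaultdict(list)
    for ts, src, sensor, kind in sorted(events):
        # entries older than the window are dropped so per-source state stays bounded
        kept = [e for e in tracks[src] if ts - e[0] <= window]
        tracks[src] = kept + [(ts, sensor, kind)]
    return tracks

def detect_situations(tracks, min_sensors=2, min_failures=3):
    """Level 2: a situation needs repeated failures corroborated by 2+ sensor types."""
    situations = []
    for src, track in tracks.items():
        sensors = sorted({sensor for _, sensor, _ in track})
        failures = sum(kind in FAILURE_KINDS for _, _, kind in track)
        if len(sensors) >= min_sensors and failures >= min_failures:
            situations.append({"src": src, "sensors": sensors, "failures": failures})
    return situations
```

The second source produces a single handshake error followed by a successful login and raises no situation, which is the low-false-alarm behaviour the deck asks for; only the source corroborated by all three sensors does.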
17.
Event-Driven Intrusion Detection
Flexible SOA and Event-Driven Architecture
18.
Next-Gen Intrusion Detection System (NGIDS)
High Level Event-Driven Architecture (EDA) – Early Phase
Figure (reconstructed as a list):
Sensor Network: NIDS, IDS and HIDS systems, log files and SQL databases, each attached through a TIBCO adapter (BW for the IDS devices and log files, ADB plus BW for the SQL databases) that publishes to JMS
Messaging Network: Java Messaging Service (JMS) with Distributed Queues (TIBCO EMS)
Rules Network: multiple High Performance Rules Engines (TIBCO BE)
TIBCO Products are marked as such in the figure
19.
Characteristics of Solutions Architecture
Fusion of IDS information across Customer’s Enterprise, including:
Log files
Existing Customer’s IDS (host and network based) devices
Network traffic monitors (as required)
Host statistics (as required)
Secure, standards-based Java Messaging Service (JMS) for messaging:
Events parsed into JMS Properties (Extended headers)
SSL transport for JMS messages
TIBCO technology for next-generation detection, prediction, rule-based
intrusion response, and adaptive control
TIBCO Business Works™ as required, to transform, map or cleanse data
TIBCO BusinessEvents™ for rule-based IDS analytics
TIBCO Active Database Adapter as required
20.
Potential Extensions to Solutions Architecture
Extension of IDS to rules-based access control
Integration of IDS with access control
TIBCO BusinessEvents™ for rule-based access control
Extension of IDS and access control to incident response
Event-triggered work flow
TIBCO iProcess™ BPM for incident response
TIBCO iProcess™ BPM security entitlement work flow
TIBCO BusinessEvents™ for rule-based access control
Extensions for other risk and compliance requirements
Basel II, SOX, and JSOX - for example
Other possibilities to be discussed later
Extensions for IT management requirements
Monitoring and fault management, service management, ITIL
21.
TIBCO’s Vision
The Full Range of Business Integration Products and Services
22.
Key Takeaways of Webinar
Next Generation IDS requires the fusion of information from
numerous event sources across the enterprise:
Model all IDS Devices, Log Files, Sniffers, etc. as Sensors
Use Secure Standards-based Messaging for Communications
Next-Gen IDS Requires a Number of Technologies:
Distributed Computing, Publish/Subscribe and SOA
Hierarchical, Cooperative Inference Processing
High Speed, Real Time Rules Processing with State Management
Event-Decision Architecture for Complex Events / Situations
Solution Expandable to Other Security, Compliance and IT
Management Areas (as required)