The UNIX and Linux Forums  
#1, posted 07-02-2007 by iBot (Forum Robot; Join Date: Sep 2000; Posts: 22,272)
Security Event Management (SEM) with CEP (Part 5) - SEM Challenges and Shortfalls
In Security Event Management (SEM) with CEP (Part 4), we briefly reviewed the 5 functional principles of SEM. Most, if not all, of the current SEM offerings from security vendors today do not meet the core requirements of a robust SEM architecture.
The graphic below represents a taxonomy view of distributed fraud and/or intrusion detection systems, highlighting how security-oriented solutions tend to be purpose-built, which leads to security "stovepipes" that do not share event information.

The chart above illustrates one of the reasons we need the basic 5 functional requirements of SEM in cyberspace - a distributed event-driven architecture that supports heterogeneous event-driven systems with the capability to detect, with high confidence, real threats, prioritize them and kick off some event-driven workflow that meets corporate risk management and regulatory requirements. All of this must happen in real time, minimizing false alarms, optimizing resources, and providing decision-support tools, such as visualization, for operators.
I spent quite a bit of time on the net searching for pictures of SEM implementations. There is no shortage of centralized event aggregators! Here are screen shots of 10 of them:
All of the implementations above simply create "yet another security stovepipe" that performs some basic event aggregation and filtering. These "SEM tools" fall far short of accomplishing the 5 principles of SEM we discussed in Part 4. Here are two more "pseudo SEM implementations:"
To make a long story short, as we can see from the three charts above, most, if not all, commercial SEM implementations in the market today fail to meet the 5 key principles of SEM (summarized in Part 4). Here are the key shortcomings of these SEM implementations, using the same 5 SEM principles as a backdrop for comparison:
  1. No ESB – there is no secure, standards-based communications infrastructure for distributed event management in current SEM solutions;
  2. Weak or no analytics – there is limited capability to detect and refine threat-related situations with high probability using state-of-the-art analytics;
  3. Weak or no EDA – no standard generated alerts and automated responses to kick off workflow, compliance and other remediation activities;
  4. Weak reporting – dashboards and reports tend to be "event aggregators" that do not filter out the "noise"; and,
  5. Unscalable, centralized architectures – current SEM architectures cannot manage millions of events in a heterogeneous, distributed architecture.
In my next post in this series, Security Event Management (SEM) with CEP (Part 6), I will begin to discuss how CEP can be used to help security engineers meet the 5 principles of SEM.
Copyright © 2007 by Tim Bass, All Rights Reserved.
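The following is an added, stand-alone example written for this page; it is not code from the original post or from any of the SEM products pictured. It makes concrete the difference the post draws between an "event aggregator" (shortcomings 2 and 4) and situation detection: a per-source tally that counts everything versus a small sliding-window correlation rule that joins auth, IDS and firewall events on the source address and emits one prioritized situation. The event stream, source names ("firewall", "auth", "ids"), the rule thresholds and the priority labels are all constructed assumptions for illustration.

```python
"""Aggregation versus correlation over a heterogeneous security event stream.

Constructed example: the events, source names and rule parameters below are
illustrative assumptions, not data or logic from any real SEM product.
"""
from collections import Counter, defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str     # producing system ("firewall", "auth", "ids" - hypothetical names)
    kind: str       # event type within that source
    src_ip: str     # the attribute the correlation rule joins on
    detail: str = ""


# Constructed sample stream (timestamps and addresses are illustrative).
T0 = datetime(2007, 7, 2, 2, 48, 0)
SAMPLE_EVENTS = [
    Event(T0 + timedelta(seconds=0),   "firewall", "deny", "203.0.113.7", "dst=10.0.0.5:23"),
    Event(T0 + timedelta(seconds=10),  "auth", "login_failure", "203.0.113.7", "user=root"),
    Event(T0 + timedelta(seconds=25),  "ids", "ssh_bruteforce_signature", "203.0.113.7"),
    Event(T0 + timedelta(seconds=40),  "auth", "login_failure", "203.0.113.7", "user=admin"),
    Event(T0 + timedelta(seconds=55),  "firewall", "deny", "198.51.100.9", "dst=10.0.0.5:445"),
    Event(T0 + timedelta(seconds=70),  "auth", "login_failure", "203.0.113.7", "user=oracle"),
    Event(T0 + timedelta(seconds=90),  "auth", "login_failure", "198.51.100.9", "user=guest"),
    Event(T0 + timedelta(seconds=100), "auth", "login_failure", "203.0.113.7", "user=tim"),
    Event(T0 + timedelta(seconds=130), "auth", "login_success", "203.0.113.7", "user=tim"),
    Event(T0 + timedelta(seconds=150), "auth", "login_failure", "198.51.100.9", "user=guest"),
    Event(T0 + timedelta(seconds=200), "auth", "login_success", "192.0.2.44", "user=alice"),
    Event(T0 + timedelta(seconds=300), "firewall", "deny", "203.0.113.7", "dst=10.0.0.5:23"),
]


def aggregate_by_source(events):
    """The 'stovepipe' dashboard view: a tally per (source, kind).

    Every event is counted and nothing is joined across sources, so the
    operator still has to find the one real situation among the noise.
    """
    return Counter((e.source, e.kind) for e in events)


def correlate(events, window=timedelta(minutes=5), threshold=3):
    """Minimal sliding-window correlation over a time-ordered stream.

    Rule (assumed for illustration): a login_success from an IP that produced
    at least `threshold` login_failures inside `window` is a 'credential
    guessing succeeded' situation. An IDS event for the same IP inside the
    window raises the priority; firewall denies are carried as context only.
    Returns the detected situations in detection order.
    """
    failures = defaultdict(deque)   # src_ip -> timestamps of recent auth failures
    ids_hits = defaultdict(deque)   # src_ip -> timestamps of recent IDS alerts
    denies = defaultdict(deque)     # src_ip -> timestamps of recent firewall denies
    situations = []

    def expire(dq, now):
        # Drop entries that have slid out of the window.
        while dq and now - dq[0] > window:
            dq.popleft()

    for e in sorted(events, key=lambda ev: ev.ts):
        for dq in (failures[e.src_ip], ids_hits[e.src_ip], denies[e.src_ip]):
            expire(dq, e.ts)
        if e.source == "auth" and e.kind == "login_failure":
            failures[e.src_ip].append(e.ts)
        elif e.source == "ids":
            ids_hits[e.src_ip].append(e.ts)
        elif e.source == "firewall" and e.kind == "deny":
            denies[e.src_ip].append(e.ts)
        elif e.source == "auth" and e.kind == "login_success":
            n_fail = len(failures[e.src_ip])
            if n_fail >= threshold:
                corroborated = bool(ids_hits[e.src_ip])
                situations.append({
                    "ts": e.ts,
                    "src_ip": e.src_ip,
                    "failures": n_fail,
                    "ids_corroborated": corroborated,
                    "firewall_denies": len(denies[e.src_ip]),
                    "priority": "high" if corroborated else "medium",
                    "detail": e.detail,
                })
                failures[e.src_ip].clear()   # do not re-alert on the same burst


    return situations


if __name__ == "__main__":
    print("aggregator view:", dict(aggregate_by_source(SAMPLE_EVENTS)))
    for s in correlate(SAMPLE_EVENTS):
        print("situation:", s)
```

Run as-is, the aggregator view reports twelve events spread over six (source, kind) buckets, none of which says what happened; the correlation pass reports a single high-priority situation for 203.0.113.7 (four failures, IDS-corroborated, one firewall deny in the window) and nothing for the two-failure host or the clean login. A production CEP engine adds distribution, persistence and a rule language on top of this pattern, but the rule shape (join on a key, bounded window, threshold, corroboration from a second source) is what separates situation detection from the aggregation the post describes.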