Security Event Management (SEM) with CEP (Part 5) - SEM Challenges

Posted 07-02-2007

Security Event Management (SEM) with CEP (Part 5) - SEM Challenges and Shortfalls
In Security Event Management (SEM) with CEP (Part 4), we briefly reviewed the 5 functional principles of SEM. Most, if not all, of the current SEM offerings from security vendors do not meet the core requirements of a robust SEM architecture.
The graphic below is a taxonomy view of distributed fraud and/or intrusion detection systems. It highlights how security-oriented products tend to be purpose-built, which leads to security "stovepipes" that do not share event information with one another.

[Image: taxonomy view of distributed fraud and intrusion detection systems]
The chart above illustrates one of the reasons we need the 5 basic functional requirements of SEM in cyberspace: a distributed, event-driven architecture that supports heterogeneous event-driven systems and can detect real threats with high confidence, prioritize them, and kick off an event-driven workflow that meets corporate risk management and regulatory requirements. All of this must happen in real time, minimizing false alarms, optimizing resources, and providing decision-support tools, such as visualization, for operators.
I spent quite a bit of time on the net searching for pictures of SEM implementations. There is no shortage of centralized event aggregators! Here are screen shots of 10 of them:
[Image: screen shots of 10 centralized event aggregators]
All of the implementations above simply create "yet another security stovepipe" that performs some basic event aggregation and filtering. These "SEM tools" fall far short of accomplishing the 5 principles of SEM we discussed in Part 4. Here are two more "pseudo SEM implementations":
[Image: pseudo SEM implementation, first example]
[Image: pseudo SEM implementation, second example]
To make a long story short, as we can see from the three charts above, most, if not all, commercial SEM implementations in the market today fail to meet the 5 key principles of SEM (summarized in Part 4). Here are the key shortcomings of these SEM implementations, using the same 5 SEM principles as a backdrop for comparison:
  1. No ESB - there is no secure, standards-based communications infrastructure for distributed event management in current SEM solutions;
  2. Weak or no analytics - there is limited capability to detect and refine threat-related situations with high probability using state-of-the-art analytics;
  3. Weak or no EDA - no standard generated alerts and automated responses to kick off workflow, compliance and other remediation activities;
  4. Weak reporting - dashboards and reports tend to be "event aggregators" that do not filter out the "noise"; and,
  5. Unscalable, centralized architectures - current SEM architectures cannot manage millions of events in a heterogeneous, distributed architecture.
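The difference between shortcomings 2, 3 and 4 and what a CEP-style engine is expected to do can be shown in a few lines of code. The following Python is an added example and is not code from the original post or from any SEM product it discusses. The event format, the hosts and IP addresses, the "failures then success" rule, its window and threshold, and the notion that `root` and `admin` are privileged accounts are all assumptions constructed for illustration. `aggregate()` does what a plain event aggregator does (counts everything with equal weight), while `correlate()` applies one temporal rule over the same stream, emits a single prioritized alert, and hands it to an event-driven hook that could start a workflow.

```python
"""Added example: event aggregation versus CEP-style correlation over a
constructed stream of security events (not from the original post)."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Event:
    ts: int          # seconds since an arbitrary epoch (constructed)
    source: str      # producing system, e.g. "ssh" or "fw" (constructed)
    kind: str        # event type, e.g. "auth_fail" (constructed)
    src_ip: str
    user: str = ""


# Constructed sample stream: 10.0.0.5 fails three times and then succeeds
# within a minute (the situation an analyst cares about); 10.0.0.9 fails
# three times but only succeeds much later; the firewall adds noise.
EVENTS: List[Event] = [
    Event(100, "ssh", "auth_fail", "10.0.0.5", "root"),
    Event(101, "fw", "deny", "10.0.0.5"),
    Event(105, "ssh", "auth_fail", "10.0.0.5", "admin"),
    Event(110, "ssh", "auth_fail", "10.0.0.5", "admin"),
    Event(115, "ssh", "auth_ok", "10.0.0.5", "admin"),
    Event(200, "ssh", "auth_fail", "10.0.0.9", "root"),
    Event(201, "ssh", "auth_fail", "10.0.0.9", "root"),
    Event(202, "ssh", "auth_fail", "10.0.0.9", "root"),
    Event(300, "fw", "deny", "10.0.0.7"),
    Event(900, "ssh", "auth_ok", "10.0.0.9", "root"),   # outside the window
]

PRIVILEGED = {"root", "admin"}   # assumption used to set alert priority


def aggregate(events: List[Event]) -> Counter:
    """What a plain event aggregator does: count events per (source, kind).
    Every failure and every deny carries equal weight; nothing is prioritized
    and the analyst still has to find the real incident in the counts."""
    return Counter((e.source, e.kind) for e in events)


def correlate(events: List[Event], window: int = 60, threshold: int = 3,
              on_alert: Optional[Callable[[Dict], None]] = None) -> List[Dict]:
    """One CEP-style temporal rule: `threshold` or more auth_fail events from
    a src_ip followed by an auth_ok from the same src_ip within `window`
    seconds produce a single prioritized alert. `on_alert` is the EDA hook:
    each alert is pushed to it so a workflow (ticket, block, review) can start."""
    alerts: List[Dict] = []
    fails: Dict[str, List[int]] = defaultdict(list)   # src_ip -> failure times
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.kind == "auth_fail":
            fails[e.src_ip].append(e.ts)
        elif e.kind == "auth_ok":
            recent = [t for t in fails[e.src_ip] if e.ts - t <= window]
            if len(recent) >= threshold:
                alert = {
                    "rule": "failures_then_success",
                    "src_ip": e.src_ip,
                    "user": e.user,
                    "failures": len(recent),
                    "first_seen": recent[0],
                    "last_seen": e.ts,
                    "priority": "high" if e.user in PRIVILEGED else "medium",
                }
                alerts.append(alert)
                if on_alert is not None:
                    on_alert(alert)
            fails[e.src_ip].clear()   # the success closes the sequence
    return alerts


if __name__ == "__main__":
    print("aggregator view:", dict(aggregate(EVENTS)))
    print("correlated alerts:", correlate(EVENTS, on_alert=lambda a: print("workflow ->", a["rule"], a["src_ip"])))
```

The aggregator reports six authentication failures and two firewall denies with no indication of which ones matter; the correlation rule reduces the same ten events to one high-priority alert for 10.0.0.5 and stays silent for 10.0.0.9 because its success fell outside the window. Replacing the `print` in `on_alert` with a call into a ticketing or response system is the "kick off workflow" step the post asks for under principle 3.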
In my next post in this series, Security Event Management (SEM) with CEP (Part 6), I will begin to discuss how CEP can be used to help security engineers meet the 5 principles of SEM.
Copyright © 2007 by Tim Bass, All Rights Reserved.