
Next-Generation IDS: A CEP Use Case in 10 Minutes

3rd Draft – November 8, 2006 2nd Event Processing Symposium Redwood Shores, California

Tim Bass, CISSP Principal Global Architect, Director TIBCO Software Inc.

© 2006 TIBCO Software Inc. All Rights Reserved. Confidential and Proprietary.2

Our Agenda

The Problem

The Approach

Conclusions

Appendix: The Format of the Case Study


The Problem: What business problem motivated the development of an event processing solution?

Intrusion Detection Systems (taxonomy figure, flattened):

Detection Approach: Anomaly Detection, Signature Detection
Systems Protected: HIDS, NIDS, Hybrid
Architecture: Centralized, Distributed, Agent-Based
Data Sources: Audit Logs, Net Traffic, System Stats
Analysis Timing: Real Time, Data Mining
Detection Actions: Active, Passive


The Problem: What were the overall design goals of the approach? (Illustrative Purposes Only)

Rapidly detect intrusions with a low false alarm rate and a high intrusion detection rate…


The Approach: Summarize the overall design of the solution.

Source: Bass, T., CACM, 2000


The Approach: Summarize the overall design of the solution.

(Figure: the same Intrusion Detection Systems taxonomy as on the earlier "The Problem" slide: detection approach, systems protected, architecture, data sources, analysis timing, detection actions; captioned as follows.)

Next-Generation Fusion of IDS Sensor Functions


The Approach: Summarize the overall design of the solution.

Event-Decision Architecture (figure, flattened):

Event sources: external, distributed and local sources (event services, event profiles, databases, other data)
Event pre-processing
Level One: Event Tracking
Level Two: Situation Detection
Level Three: Predictive Analysis
Level Four: Adaptive BPM
DB management: historical data, profiles & patterns
Visualization, BAM, user interaction


The Approach: Summarize the overall design of the solution.

Flexible SOA and Event-Driven Architecture


The Approach - Phase I: Event Sources and Commercial Products

(Figure, flattened:)

Sensor network (event sources): NIDS, log files, IDS, HIDS, SQL databases
Adapters: TIBCO BusinessWorks (BW) for the NIDS, log file, IDS and HIDS sources; Active Database Adapter (ADB) for the SQL database sources; each adapter publishes to JMS
Messaging network: Java Messaging Service (JMS) distributed queues (TIBCO EMS)
Rules network: high-performance rules engines (TIBCO BE), four instances shown


The Approach: Event Sources and Commercial Products

Fusion of IDS information from across client event sources, including:
- Log files
- Existing client IDS (host and network based) devices
- Network traffic monitors (as required)
- Host statistics (as required)

Secure, standards-based Java Messaging Service (JMS) for messaging:
- Events parsed into JMS Application Properties
- SSL transport for JMS messages

TIBCO technology for next-generation detection, prediction, rule-based intrusion response, and adaptive control:
- TIBCO BusinessWorks™ as required, to transform, map or cleanse data
- TIBCO BusinessEvents™ for rule-based IDS analytics
- TIBCO Active Database Adapter as required
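The following is an added example, not code from the slides or from TIBCO's products: it shows in plain Python what the Level One / Level Two fusion step described above does, normalising raw lines from several sensor types into a flat property set (as the slides do with JMS Application Properties) and raising a "situation" only when independent sensors agree on a host within a time window. The sensor formats, host addresses and window are constructed for illustration.

```python
# Added example (not from the slides): multi-sensor fusion of IDS events
# in the spirit of the Level One / Level Two architecture described above.
# Sensor formats, hosts and thresholds are constructed for illustration.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed raw sensor output: (sensor type, raw line). Each parser maps its
# line onto a flat property set, the way events are parsed into JMS
# application properties before being published to the messaging network.
RAW_EVENTS = [
    ("NIDS", "2006-11-08T10:00:05 alert dst=10.0.0.7 sig=ssh-bruteforce"),
    ("LOG",  "2006-11-08T10:01:10 host=10.0.0.7 sshd: Failed password for root"),
    ("HIDS", "2006-11-08T10:02:40 host=10.0.0.7 event=new-setuid-binary"),
    ("NIDS", "2006-11-08T10:30:00 alert dst=10.0.0.9 sig=port-scan"),
]

def parse(sensor, line):
    """Level One: normalise one raw line into event properties."""
    ts_text, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    host = fields.get("dst") or fields.get("host")
    summary = fields.get("sig") or fields.get("event") or rest.split(": ", 1)[-1]
    return {"sensor": sensor, "host": host, "summary": summary,
            "ts": datetime.fromisoformat(ts_text)}

def detect_situations(raw_events, window=timedelta(minutes=5), min_sensors=2):
    """Level Two: a situation is raised for a host only when at least
    `min_sensors` distinct sensor types report on it within `window`.
    Single-source alerts stay events and are not escalated; requiring
    agreement across sensors is what lowers the false-alarm rate."""
    by_host = defaultdict(list)
    for sensor, line in raw_events:
        ev = parse(sensor, line)
        by_host[ev["host"]].append(ev)
    situations = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            cluster = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            sensors = {e["sensor"] for e in cluster}
            if len(sensors) >= min_sensors:
                situations.append({"host": host, "sensors": sorted(sensors),
                                   "evidence": [e["summary"] for e in cluster]})
                break  # one situation per host is enough for this example
    return situations

if __name__ == "__main__":
    for situation in detect_situations(RAW_EVENTS):
        print(situation)
```

With the constructed input, only 10.0.0.7 produces a situation (three sensor types agree within five minutes); the lone port-scan alert for 10.0.0.9 is retained as an event but not escalated.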


Conclusions & Lessons Learned: What other features would have helped?

Future extension of IDS to rules-based access control:
- Integration of IDS with access control
- TIBCO BusinessEvents™ for rule-based access control

Future extension of IDS and access control to incident response:
- Event-triggered workflow
- TIBCO iProcess™ BPM for incident response
- TIBCO iProcess™ BPM security entitlement workflow
- TIBCO BusinessEvents™ for rule-based access control

Future extensions for other risk and compliance requirements: Basel II, SOX, and JSOX, for example

Future extensions for IT management requirements: monitoring and fault management, service management, ITIL

Thank You!

Tim Bass, CISSP
Principal Global Architect, [email protected]

Event Processing at TIBCO


The Case Study Format

1. The Problem: What business problem motivated the development of an event processing solution? (What is the purpose of the application?)

2. The Approach: Summarize the overall design of the solution.
Event sources: What types of events are used (e.g., time-ordered event streams? other?)? How many event types are involved? What are the sources of the events?
Event processing: What types of filtering, correlation and aggregation are performed? What event processing style, event processing language and types of rules are used?
Responses: How are the results of event processing applied? Is an action or business process triggered? Are people notified? Is a dashboard or other business activity monitoring (BAM) alert distribution channel used?
What commercial software tools were applied to each stage?

3. Results, Costs and Benefits (this section is optional and may be skipped if there is not enough time)

4. Conclusions: Would different software tools have helped? What other features would have helped? What were the lessons learned? (What advice would you give to someone undertaking a similar project?)