CEP and SOA: An Open Event-Driven Architecture for Risk Management
March 14, 2007 IT Financial Services 2007 Lisbon, Portugal
Tim Bass, CISSP Principal Global Architect, Director Emerging Technologies Group
© 2007 TIBCO Software Inc. All Rights Reserved. Confidential and Proprietary.2
Our Agenda
• Key Takeaways, Market and Business Drivers
• TIBCO's Solution Architecture
  • Event-Driven Operational Risk Management
  • Security Event Management and TIBCO BusinessEvents™
  • TIBCO's Reference Architecture for CEP and SEM
  • Example High Level Architecture
• Wrap Up
Key Takeaways of Presentation
• Next-generation security and enterprise risk management solutions require the fusion of information from numerous event sources across the enterprise:
  • Model all security devices, log files, sniffers, etc. as sensors and event processors
  • Use secure, standards-based messaging for communications
• Next-generation Enterprise Risk Management (ERM) requires a number of technologies:
  • Distributed computing, publish/subscribe and SOA
  • Hierarchical, cooperative inference processing
  • High-speed, real-time rules processing with state management
  • Event-decision architecture for identification and mitigation of security situations
• Solution expandable to compliance and incident management (BPM)
Industry and Business Drivers
A Sample of the Problems with Network Security
• Firewalls, IDS, IPS, cryptography and access control are simply not sufficient.
• Malicious users are using legitimate application protocols, such as HTTP, HTTPS and SOAP.
• A CSI/FBI study showed that almost 50% of security breaches came from internal resources:
  • Recently fired employees
  • Unscrupulous traders
  • Compromised partners
  • Disgruntled or curious employees
Background – the Current State of IDS
Intrusion Detection Systems Simply Don't Work!
"Today over 70% of attacks against a company's website or web application come at the 'Application Layer', not the Network or System layer."
- Gartner Group
Most firewalls, IDS (Intrusion Detection Systems) and IPS (Intrusion Prevention Systems) act at the network/system layer, not at the application layer, so they see only the transport carrying these attacks and not the attacks themselves.
Risk and Compliance Business Drivers and Market Trends
• Business drivers: organizations face mounting pressures driving them toward a structured approach to enterprise risk and compliance management:
  • Complexity, diversity and multiplicity of risk
  • Increased accountability and regulatory compliance
  • Fragmentation and duplication of efforts
• Market trends: these business drivers have produced the following trends as organizations build their new approaches to risk and compliance management:
  • Adoption of an enterprise risk management framework
  • Managed and measured regulatory compliance
  • Risk and compliance tool consolidation, application integration and SOA
  • Integration into business process management
  • Establishment of a chief risk officer
Event-Driven Operational Risk Management
An Active Predictive Business™ System of Risk and Asset Management
[Figure: risk domains feeding a single Event-Driven Operational Risk Assessment & Management capability]
• Control evaluation (SOX)
• Operational risk (Basel II)
• Security
• Outsourcing
• Privacy
• Business continuity planning
How TIBCO Delivers for Customers
• Accelerate projects, initiatives and go-to-market cycles
• Increase operational efficiency and effectiveness
• Improve operational visibility, security, collaboration and responsiveness
Complex Event Processing
"Events in several forms, from simple events to complex events, will become very widely used in business applications during 2004 through 2008"
- Gartner, July 2003
TIBCO BusinessEvents™ Solutions Overview
[Figure: the BusinessEvents™ solution space, spanning four areas]
• Data: events and databases (real-time and historical data)
• Models: statistical, financial, optimization
• Comms: pub/sub messaging, queues, topics, UIs
• Knowledge: facts and rules
Rule-Based Security Event Management
Complex Event Processing for Enterprise Security Event Integration/Correlation
[Figure: rule-based capabilities grouped under Detection, Prediction and Scheduling]
• Detection: pattern recognition, anomaly detection, track and trace, monitoring (BAM); fraud detection, intrusion detection, fault detection
• Prediction: situation identification, fraud prediction, impact assessment; risk management, fault analysis
• Scheduling: dynamic resource allocation, adaptive resource allocation, constraint satisfaction (CSP), dynamic control; rule-based access control, exception management, compliance work flow
Security Event Management Across the Enterprise
Event-Driven SOA, CEP and BPM
Enterprise Integration, Correlation and Management of Security Events
Two Minute Explainer
TIBCO's Real-Time Agent-Based SEM Approach
A Multisensor Data Fusion Approach to Security Event Management
[Figure: taxonomy of intrusion and fraud detection systems]
• Systems protected: IDS, FDS, hybrid
• Detection approach: anomaly detection, signature detection
• Architecture: centralized, distributed, agent-based
• Data sources: audit logs, network traffic, system statistics
• Analysis timing: real time, data mining
• Detection actions: active, passive
Next-Generation Fusion of Security "Stovepipes"
CEP Reference Architecture
Next-Generation Functional Architecture for SOA / BPM / EDA
[Figure: CEP reference architecture, read left to right]
• Event sources: external, distributed, local
• Event pre-processing
• Level One: event tracking
• Level Two: situation detection
• Level Three: predictive analysis
• Level Four: adaptive BPM
• Event services and DB management: historical data, profiles and patterns, event profiles, databases, other data
• Visualization, BAM, user interaction
Event-Driven Complex Event Processing
• Multi-level inference in a distributed, event-driven architecture; the level of inference rises from low at Level 0 to high at Level 4:
  • User Interface: human visualization, monitoring, interaction and situation management
  • Level 4 – Process Refinement: decide on control feedback, for example resource allocation, sensor and state management, parametric and algorithm adjustment
  • Level 3 – Impact Assessment: assess intent on the basis of situation development, recognition and prediction
  • Level 2 – Situation Refinement: identify situations based on sets of complex events, state estimation, etc.
  • Level 1 – Event Refinement: identify events and make initial decisions based on association and correlation
  • Level 0 – Event Preprocessing: cleansing of the event stream to produce semantically understandable data
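The five levels above are easier to reason about when each is a concrete function over a stream. The following is an added example written for this page, not TIBCO code and not BusinessEvents rules: Level 0 cleanses a constructed, already-normalised event list, Level 1 associates authentication events into per-(source, host, user) tracks and emits a complex event for a brute-force login, Level 2 turns that plus a later outbound connection from the same host into a "possible compromise" situation, Level 3 ranks it by asset criticality, and Level 4 returns the control feedback (isolate, block, raise sensor verbosity). The event schema, thresholds, the asset table and the assumption that only 10/8 is internal are all assumptions made for the illustration.

```python
"""Multi-level inference (Levels 0-4) over a constructed security event stream.

Added illustration, not TIBCO BusinessEvents code. Schema, thresholds,
asset criticality and the internal address range are assumptions.
"""
from collections import defaultdict

# Constructed sensor output, already flattened by the collection layer
# (the shape JMS application properties would carry). Not real log data.
RAW_EVENTS = [
    {"ts": 1000, "sensor": "sshd", "type": "auth_fail", "src": "10.9.9.9", "dst": "db01", "user": "svc_ops"},
    {"ts": 1003, "sensor": "sshd", "type": "auth_fail", "src": "10.9.9.9", "dst": "db01", "user": "svc_ops"},
    {"ts": 1006, "sensor": "sshd", "type": "auth_fail", "src": "10.9.9.9", "dst": "db01", "user": "svc_ops"},
    {"ts": 1007, "sensor": "sshd", "type": "auth_fail", "src": "10.9.9.9", "dst": "db01", "user": "svc_ops"},
    {"ts": 1010, "sensor": "sshd", "type": "AUTH_OK",   "src": "10.9.9.9", "dst": "db01", "user": "svc_ops"},
    {"ts": 1042, "sensor": "fw",   "type": "conn",      "src": "db01", "dst": "203.0.113.7", "dport": 4444},
    {"ts": 1050, "sensor": "sshd", "type": "auth_fail", "src": "10.1.1.5", "dst": "web02", "user": "alice"},
    {"ts": 1055, "sensor": "sshd", "type": "auth_ok",   "src": "10.1.1.5", "dst": "web02", "user": "alice"},
    {"ts": "bad", "sensor": "fw",  "type": "conn",      "src": "web02", "dst": "198.51.100.1", "dport": 443},
]

REQUIRED = {"ts", "sensor", "type", "src", "dst"}
FAIL_THRESHOLD = 3            # assumed: failures before a success count as brute force
FAIL_WINDOW = 60              # assumed: seconds between first failure and the success
BEACON_WINDOW = 300           # assumed: seconds after login for an outbound connection
INTERNAL_PREFIXES = ("10.",)  # assumed: only 10/8 is internal address space
ASSET_CRITICALITY = {"db01": "high", "web02": "low"}  # assumed CMDB extract


def level0_preprocess(events):
    """Level 0: drop malformed records, normalise the type field, order by time."""
    clean = [{**e, "type": e["type"].lower()} for e in events
             if REQUIRED.issubset(e) and isinstance(e["ts"], int)]
    return sorted(clean, key=lambda e: e["ts"])


def level1_refine(events):
    """Level 1: associate auth events into (src, dst, user) tracks and emit a
    'brute_force_success' complex event when >= FAIL_THRESHOLD failures
    precede a success within FAIL_WINDOW seconds."""
    tracks = defaultdict(list)
    for e in events:
        if e["type"] in ("auth_fail", "auth_ok"):
            tracks[(e["src"], e["dst"], e.get("user"))].append(e)
    complex_events = []
    for (src, dst, user), track in tracks.items():
        fails = []
        for e in track:                      # track is time-ordered (Level 0)
            if e["type"] == "auth_fail":
                fails.append(e["ts"])
                continue
            recent = [t for t in fails if e["ts"] - t <= FAIL_WINDOW]
            if len(recent) >= FAIL_THRESHOLD:
                complex_events.append({"ts": e["ts"], "type": "brute_force_success",
                                       "attacker": src, "host": dst, "user": user})
            fails = []                       # a success closes the failure run
    return complex_events


def level2_situations(complex_events, events):
    """Level 2: a brute-forced login followed by an outbound connection from the
    same host to an external address within BEACON_WINDOW is one situation."""
    situations = []
    for ce in complex_events:
        for e in events:
            if (e["type"] == "conn" and e["src"] == ce["host"]
                    and not e["dst"].startswith(INTERNAL_PREFIXES)
                    and 0 <= e["ts"] - ce["ts"] <= BEACON_WINDOW):
                situations.append({"type": "possible_compromise", "ts": e["ts"],
                                   "host": ce["host"], "attacker": ce["attacker"],
                                   "user": ce["user"], "egress": e["dst"], "dport": e.get("dport")})
                break
    return situations


def level3_impact(situations):
    """Level 3: rate each situation by the criticality of the affected asset."""
    for s in situations:
        s["impact"] = ASSET_CRITICALITY.get(s["host"], "unknown")
    return situations


def level4_refine(situations):
    """Level 4: choose control feedback for enforcement points and sensors."""
    actions = []
    for s in situations:
        if s["impact"] == "high":
            actions += [f"isolate:{s['host']}", f"block_src:{s['attacker']}",
                        f"sensor_verbosity:{s['host']}:debug"]
        else:
            actions.append(f"ticket:{s['host']}")
    return actions


def run_pipeline(raw):
    """Run Levels 0-4 and return (situations, actions)."""
    events = level0_preprocess(raw)
    situations = level3_impact(level2_situations(level1_refine(events), events))
    return situations, level4_refine(situations)


if __name__ == "__main__":
    situations, actions = run_pipeline(RAW_EVENTS)
    print(situations)
    print(actions)
```

Each level consumes only the output of the level below plus shared state, which is what lets the levels be distributed across separate rules engines on the messaging network: Level 1 can run next to the sensors, while Levels 2 to 4 run centrally with the asset data.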
Event-Driven CEP and SEM - Summary
Flexible SOA and Event-Driven Architecture
Security Event Management
High Level Event-Driven Architecture (EDA) for SEM
[Figure: three tiers connected by a messaging network]
• Sensor network: log files, IDS and FDS feeds and SQL databases on the protected systems, each wrapped by a TIBCO BusinessWorks (BW) adapter or the Active Database Adapter (ADB) that publishes events as JMS messages
• Messaging network: Java Message Service (JMS) distributed events over TIBCO EMS
• Rules network: several high-performance rules engines (TIBCO BusinessEvents, BE) consuming events from the messaging network
Overview of TIBCO's Solutions Architecture
• Fusion of IDS and FDS information across the customer's enterprise, including:
  • Log files
  • The customer's existing IDS and FDS devices (host- and network-based)
  • Network traffic monitors (as required)
  • Host statistics (as required)
• Secure, standards-based Java Message Service (JMS) for messaging:
  • Events parsed into JMS application properties, so that consumers can subscribe by message selector rather than parsing message bodies
  • SSL transport for JMS messages
• TIBCO technology for next-generation detection, prediction, rule-based intrusion response and adaptive control:
  • TIBCO BusinessWorks™ as required, to transform, map or cleanse data
  • TIBCO BusinessEvents™ for real-time rule-based analytics
  • TIBCO Active Database Adapter as required
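The two messaging points on this slide, events parsed into JMS application properties and SSL transport, are where a sensor adapter most often goes wrong: a property that is not a JMS primitive (or whose name is a selector keyword) is rejected by the provider, and an "SSL" connection that skips certificate verification protects nothing. The following is an added example written for this page, not TIBCO BusinessWorks code: it parses three constructed log lines (an iptables-style firewall drop, a Snort fast-format alert with a local-range rule id, and an sshd failure) into a flat, primitively typed property map, validates that map against the JMS property rules, and builds the client TLS context an adapter should connect with, shown next to the weak configuration it must reject. Python's `ssl` module stands in for the provider's own connection options; the regexes and field names are assumptions.

```python
"""Sensor adapter: log lines -> JMS-style application properties, plus the TLS
context for the producer connection.

Added illustration, not TIBCO BusinessWorks code. Sample lines are constructed
(the Snort rule id is in the local 1000000+ range); field names are assumptions.
"""
import re
import ssl

# JMS message properties may only hold boolean, byte/short/int/long,
# float/double or String values; these are their Python counterparts.
JMS_PROPERTY_TYPES = (bool, int, float, str)
# Property names must be Java-style identifiers that are not selector keywords,
# and may not use the JMSX / JMS_ prefixes reserved by the specification.
JMS_RESERVED = {"NULL", "TRUE", "FALSE", "NOT", "AND", "OR", "BETWEEN", "LIKE", "IN", "IS", "ESCAPE"}

SAMPLE_LINES = [  # constructed, not real log data
    "Mar 14 10:01:02 fw01 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP DPT=445",
    "03/14-10:01:05.123456  [**] [1:1000001:1] Constructed SSH scan rule [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:51515 -> 10.0.0.5:22",
    "Mar 14 10:01:09 db01 sshd[4242]: Failed password for svc_ops from 203.0.113.7 port 51620 ssh2",
]

FW_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<action>DROP|ACCEPT) .*?"
                   r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\w+)(?: .*?DPT=(?P<dport>\d+))?")
IDS_RE = re.compile(r"^(?P<ts>\S+) +\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) \[\*\*\].*?"
                    r"\[Priority: (?P<prio>\d+)\] \{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> "
                    r"(?P<dst>[\d.]+):(?P<dport>\d+)")
AUTH_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) "
                     r"password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port (?P<sport>\d+)")


def parse_line(line):
    """Return a flat property dict for a recognised line, else None. Every value is
    a JMS primitive so a consumer can select on it, e.g. sensor_type = 'IDS' AND dport = 22."""
    m = FW_RE.match(line)
    if m:
        return {"sensor_type": "FW", "sensor": m["host"], "event_type": "fw_" + m["action"].lower(),
                "src": m["src"], "dst": m["dst"], "proto": m["proto"],
                "dport": int(m["dport"]) if m["dport"] else -1}
    m = IDS_RE.match(line)
    if m:
        return {"sensor_type": "IDS", "sensor": "snort", "event_type": "ids_alert",
                "sid": int(m["sid"]), "msg": m["msg"], "priority": int(m["prio"]),
                "src": m["src"], "dst": m["dst"], "proto": m["proto"], "dport": int(m["dport"])}
    m = AUTH_RE.match(line)
    if m:
        return {"sensor_type": "HOST", "sensor": m["host"], "dst": m["host"],
                "event_type": "auth_fail" if m["result"] == "Failed" else "auth_ok",
                "user": m["user"], "src": m["src"], "sport": int(m["sport"])}
    return None


def validate_properties(props):
    """Raise if the map could not be set as JMS message properties."""
    for name, value in props.items():
        upper = name.upper()
        if not name.isidentifier() or upper in JMS_RESERVED or upper.startswith(("JMSX", "JMS_")):
            raise ValueError(f"illegal JMS property name: {name!r}")
        if type(value) not in JMS_PROPERTY_TYPES:
            raise TypeError(f"property {name!r} has non-primitive type {type(value).__name__}")
    return True


def producer_tls_context(ca_file=None, client_cert=None, client_key=None):
    """TLS context for the producer's connection to the message broker: server
    certificate and hostname verified against ca_file (system CAs if None),
    TLS 1.2 or newer, and a client certificate for mutual TLS when supplied."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if client_cert:
        ctx.load_cert_chain(client_cert, client_key)
    return ctx


def weak_tls_context():
    """The configuration to reject: encrypted, but any certificate is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def tls_context_is_acceptable(ctx):
    """Start-up check an adapter should run before publishing anything."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        props = parse_line(line)
        validate_properties(props)
        print(props)
    print("strict ok:", tls_context_is_acceptable(producer_tls_context()),
          "weak ok:", tls_context_is_acceptable(weak_tls_context()))
```

Keeping the parsed fields in properties rather than in the message body is what makes the rules network cheap to scale: a BusinessEvents engine that only handles IDS alerts against port 22 can subscribe with a selector and never deserialises the rest of the stream.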
Potential Extensions to Solutions Architecture
• Extension of EDA/SEM to rules-based access control:
  • Integration of IDS and FDS with access control
  • TIBCO BusinessEvents™ for rule-based access control
• Extension of EDA/SEM and access control to incident response:
  • Event-triggered work flow
  • TIBCO iProcess™ BPM for incident response
  • TIBCO iProcess™ BPM security entitlement work flow
• Extensions for other risk, compliance and reporting requirements:
  • Basel II, SOX and JSOX, for example
• Extensions for IT management requirements:
  • Monitoring and fault management, service management
Obrigado! (Thank you!)
Tim Bass, CISSP
Principal Global Architect, Director, Emerging Technologies Group
Event Processing at TIBCO