CEP and SOA: An Open Event-Driven Architecture for Risk Management March 14, 2007 IT Financial Services 2007 Lisbon, Portugal Tim Bass, CISSP Principal Global Architect, Director Emerging Technologies Group

Page 1: TIBCO CEP And SOA

CEP and SOA: An Open Event-Driven Architecture for Risk Management

March 14, 2007 IT Financial Services 2007 Lisbon, Portugal

Tim Bass, CISSP Principal Global Architect, Director Emerging Technologies Group

Page 2: TIBCO CEP And SOA

© 2007 TIBCO Software Inc. All Rights Reserved. Confidential and Proprietary.

Our Agenda

• Key Takeaways, Market and Business Drivers
• TIBCO's Solution Architecture
  - Event-Driven Operational Risk Management
  - Security Event Management and TIBCO BusinessEvents™
  - TIBCO's Reference Architecture for CEP and SEM
  - Example High Level Architecture
• Wrap Up

Page 3: TIBCO CEP And SOA


Key Takeaways of Presentation

• Next generation security and enterprise risk management solutions require the fusion of information from numerous event sources across the enterprise:
  - Model all security devices, log files, sniffers, etc. as sensors and event processors
  - Use secure, standards-based messaging for communications
• Next-Gen Enterprise Risk Management (ERM) requires a number of technologies:
  - Distributed computing, publish/subscribe and SOA
  - Hierarchical, cooperative inference processing
  - High speed, real time rules processing with state management
  - Event-decision architecture for identification and mitigation of security situations
• Solution expandable to compliance and incident management (BPM)

Page 4: TIBCO CEP And SOA


Industry and Business Drivers: A Sample of the Problems with Network Security

• Firewalls, IDS, IPS, cryptography and access control are simply not sufficient.
• Malicious users are using legitimate application protocols, such as HTTP, HTTPS and SOAP.
• A CSI/FBI study showed that almost 50% of security breaches came from internal resources:
  - Recently fired employees
  - Unscrupulous traders
  - Compromised partners
  - Disgruntled or curious employees

Page 5: TIBCO CEP And SOA


Background – the Current State of IDS: Intrusion Detection Systems Simply Don’t Work!

“Today over 70% of attacks against a company’s website or web application come at the ‘Application Layer’ not the Network or System layer.”

- Gartner Group

Most firewalls, IDS (Intrusion Detection Systems) and IPS (Intrusion Prevention Systems) act at the network/system layer, not at the application layer.

Page 6: TIBCO CEP And SOA


Risk and Compliance Business Drivers and Market Trends

• Business Drivers: organizations face mounting pressures driving them toward a structured approach to enterprise risk and compliance management.
  - Complexity, diversity and multiplicity of risk
  - Increased accountability and regulatory compliance
  - Fragmentation and duplication of efforts
• Market Trends: these business drivers have resulted in the following trends as organizations begin to build their new approaches to risk and compliance management:
  - Adoption of an enterprise risk management framework
  - Managed and measured regulatory compliance
  - Risk and compliance tool consolidation, application integration and SOA
  - Integration into business process management
  - Establishment of a chief risk officer

Page 7: TIBCO CEP And SOA


Our Agenda

• Key Takeaways, Market and Business Drivers
• TIBCO's Solution Architecture
  - Event-Driven Operational Risk Management
  - Security Event Management and TIBCO BusinessEvents™
  - TIBCO's Reference Architecture for CEP and SEM
  - Example High Level Architecture
• Wrap Up

Page 8: TIBCO CEP And SOA


Event-Driven Operational Risk Management: An Active Predictive Business™ System of Risk and Asset Management

[Diagram: Event-Driven Operational Risk Assessment & Management at the centre, fed by six risk domains]
• Control evaluation (SOX)
• Operational risk (Basel II)
• Security
• Outsourcing
• Privacy
• Business continuity planning

Page 9: TIBCO CEP And SOA


How TIBCO Delivers for Customers

• Accelerate projects, initiatives, and go-to-market cycles
• Increase operational efficiency and effectiveness
• Improve operational visibility, security, collaboration and responsiveness

Page 10: TIBCO CEP And SOA


Complex Event Processing

"Events in several forms, from simple events to complex events, will become very widely used in business applications during 2004 through 2008"

- Gartner, July 2003

Page 11: TIBCO CEP And SOA


TIBCO BusinessEvents™ Solutions Overview

[Diagram: the BusinessEvents™ solutions space, drawing on four kinds of input]
• Data: events and databases (real-time and historical data)
• Models: statistical, financial, optimization
• Comms: pub/sub messaging, queues, topics, UIs
• Knowledge: facts and rules

Page 12: TIBCO CEP And SOA


Rule-Based Security Event Management: Complex Event Processing for Enterprise Security Event Integration/Correlation

[Table: rule-based capabilities grouped under three headings]

Detection
• Pattern Recognition
• Anomaly Detection
• Track and Trace
• Monitoring (BAM)
• Fraud Detection
• Intrusion Detection
• Fault Detection

Prediction
• Situation Identification
• Fraud Prediction
• Impact Assessment
• Risk Management
• Fault Analysis

Scheduling
• Dynamic Resource Allocation
• Adaptive Resource Allocation
• Constraint Satisfaction (CSP)
• Dynamic Control
• Rule-Based Access Control
• Exception Management
• Compliance Work Flow

Security Event Management Across the Enterprise

Page 13: TIBCO CEP And SOA


Event-Driven SOA, CEP and BPM: Enterprise Integration, Correlation and Management of Security Events

Two Minute Explainer

Page 14: TIBCO CEP And SOA


TIBCO’s Real-Time Agent-Based SEM Approach: A Multisensor Data Fusion Approach to Security Event Management

[Table: taxonomy of Intrusion and Fraud Detection Systems]
• Detection approach: anomaly detection, signature detection
• Systems protected: IDS, FDS, hybrid
• Architecture: centralized, distributed, agent based
• Data sources: audit logs, net traffic, system stats
• Analysis timing: real time, data mining
• Detection actions: active, passive

Next-Generation Fusion of Security “Stovepipes”

Page 15: TIBCO CEP And SOA


CEP Reference Architecture: Next-Generation Functional Architecture for SOA / BPM / EDA

[Diagram: CEP Reference Architecture, read left to right]
• Event sources (external, distributed, local): event services, event profiles, databases, other data
• Event pre-processing
• Level One: event tracking
• Level Two: situation detection
• Level Three: predictive analysis
• Level Four: adaptive BPM
• Supporting functions: DB management (historical data, profiles & patterns); visualization, BAM and user interaction

Page 16: TIBCO CEP And SOA


Event-Driven Complex Event Processing

• Multi-level inference in a distributed, event-driven architecture
  - User Interface: human visualization, monitoring, interaction and situation management
  - Level 4 – Process Refinement: decide on control feedback, for example resource allocation, sensor and state management, parametric and algorithm adjustment
  - Level 3 – Impact Assessment: assess intent on the basis of situation development, recognition and prediction
  - Level 2 – Situation Refinement: identify situations based on sets of complex events, state estimation, etc.
  - Level 1 – Event Refinement: identify events and make initial decisions based on association and correlation
  - Level 0 – Event Preprocessing: cleansing of the event stream to produce semantically understandable data

Level of inference: low at Level 0, rising through medium to high at Level 4.
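The Level 0 to Level 2 chain described on this slide, worked through as an added example; this is not code from the deck or from TIBCO BusinessEvents. A small Python engine parses constructed sshd, firewall and IDS log lines into flat, typed events (Level 0), correlates failed logins per source address into a brute-force complex event (Level 1), and identifies a situation when a brute-forced account then logs in and an allowed large outbound transfer follows from the same source inside a time window (Level 2). The log line formats, the thresholds and the windows are assumptions of the example.

```python
"""Three inference levels over a fused security event stream (added example, not TIBCO code).
Level 0 parses raw sensor lines into flat, typed events; Level 1 correlates events per
source into complex events; Level 2 identifies a situation from the accumulated state.
Log formats, thresholds and time windows are assumptions of this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample stream: auth, firewall and IDS "stovepipes" merged in time order.
SAMPLE_LOG = """\
2007-03-14T09:00:01 sshd[411]: Failed password for trader7 from 10.1.2.3 port 5001
2007-03-14T09:00:04 sshd[411]: Failed password for trader7 from 10.1.2.3 port 5002
2007-03-14T09:00:07 sshd[411]: Failed password for trader7 from 10.1.2.3 port 5003
2007-03-14T09:00:09 sshd[411]: Failed password for trader7 from 10.1.2.3 port 5004
2007-03-14T09:00:12 sshd[411]: Accepted password for trader7 from 10.1.2.3 port 5005
2007-03-14T09:02:40 fw: ALLOW TCP 10.1.2.3:5100 -> 203.0.113.9:443 bytes=73400320
2007-03-14T09:05:00 ids: alert sid=2001 msg="Port scan" src=10.9.9.9 dst=10.1.2.50
2007-03-14T10:30:00 sshd[518]: Failed password for ops from 10.1.2.77 port 6001
"""

SSH_RE = re.compile(r"^(\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+) port \d+")
FW_RE = re.compile(r"^(\S+) fw: (ALLOW|DENY) \S+ (\S+):\d+ -> (\S+):\d+ bytes=(\d+)")
IDS_RE = re.compile(r'^(\S+) ids: alert sid=(\d+) msg="([^"]*)" src=(\S+) dst=(\S+)')

BRUTE_FORCE_FAILURES = 4                    # this many failures from one source ...
BRUTE_FORCE_WINDOW = timedelta(minutes=1)   # ... inside this window is a brute-force event
EXFIL_BYTES = 50 * 1024 * 1024              # an allowed outbound flow this large is "large"
SITUATION_WINDOW = timedelta(minutes=10)    # brute force -> login -> transfer must fit here


def level0_parse(line):
    """Level 0: cleanse one raw line into a flat, typed event; None if unrecognised."""
    m = SSH_RE.match(line)
    if m:
        ts, outcome, user, src = m.groups()
        return {"ts": datetime.fromisoformat(ts), "sensor": "auth", "src": src, "user": user,
                "type": "login_fail" if outcome == "Failed" else "login_ok"}
    m = FW_RE.match(line)
    if m:
        ts, action, src, dst, nbytes = m.groups()
        return {"ts": datetime.fromisoformat(ts), "sensor": "fw", "type": "flow",
                "action": action, "src": src, "dst": dst, "bytes": int(nbytes)}
    m = IDS_RE.match(line)
    if m:
        ts, sid, msg, src, dst = m.groups()
        return {"ts": datetime.fromisoformat(ts), "sensor": "ids", "type": "alert",
                "sid": int(sid), "msg": msg, "src": src, "dst": dst}
    return None


class InferenceEngine:
    """Stateful Level 1 / Level 2 processing over the Level 0 event stream."""
    def __init__(self):
        self.fail_times = defaultdict(list)  # src -> recent login failure timestamps
        self.brute = {}                      # src -> (ts, user) of the brute-force event
        self.compromised = {}                # src -> (ts, user) once that source then logs in
        self.complex_events = []             # Level 1 output
        self.situations = []                 # Level 2 output

    def level1_refine(self, ev):
        """Level 1: associate events by source and correlate them into complex events."""
        src = ev["src"]
        if ev["type"] == "login_fail":
            times = self.fail_times[src]
            times.append(ev["ts"])
            times[:] = [t for t in times if ev["ts"] - t <= BRUTE_FORCE_WINDOW]  # sliding window
            if len(times) >= BRUTE_FORCE_FAILURES and src not in self.brute:
                self.brute[src] = (ev["ts"], ev["user"])
                self.complex_events.append({"ts": ev["ts"], "type": "brute_force", "src": src, "user": ev["user"]})
        elif ev["type"] == "login_ok" and src in self.brute:
            if ev["ts"] - self.brute[src][0] <= SITUATION_WINDOW:
                self.compromised[src] = (ev["ts"], ev["user"])
                self.complex_events.append({"ts": ev["ts"], "type": "login_after_brute_force", "src": src, "user": ev["user"]})

    def level2_situation(self, ev):
        """Level 2: a large allowed outbound flow from a compromised source is a situation."""
        if ev["type"] != "flow" or ev["action"] != "ALLOW" or ev["bytes"] < EXFIL_BYTES:
            return
        hit = self.compromised.get(ev["src"])
        if hit and ev["ts"] - hit[0] <= SITUATION_WINDOW:
            self.situations.append({"ts": ev["ts"], "type": "credential_abuse_exfiltration", "src": ev["src"],
                                    "user": hit[1], "dst": ev["dst"], "bytes": ev["bytes"]})

    def process(self, line):
        """Run one raw line through all three levels; returns the Level 0 event (or None)."""
        ev = level0_parse(line)
        if ev is not None:
            self.level1_refine(ev)
            self.level2_situation(ev)
        return ev


def run(log_text):
    """Feed a whole log text through the engine and return what each level produced."""
    engine = InferenceEngine()
    events = [ev for ev in map(engine.process, log_text.splitlines()) if ev is not None]
    return {"events": events, "complex_events": engine.complex_events, "situations": engine.situations}
```

State lives in the engine between events, which is the "rules processing with state management" the takeaways call for; the unrelated IDS port-scan alert and the single failed `ops` login are parsed but raise nothing. A production engine would also expire the per-source state, and Level 3/4 (intent assessment, control feedback such as disabling the account) would consume the `situations` list rather than a human reading it.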

Page 17: TIBCO CEP And SOA


Event-Driven CEP and SEM - Summary

Flexible SOA and Event-Driven Architecture

Page 18: TIBCO CEP And SOA


Security Event Management: High Level Event-Driven Architecture (EDA) for SEM

[Diagram, read bottom to top]
• Systems: the monitored systems (eight shown)
• Sensor network, each sensor publishing onto JMS:
  - Log file -> BW -> JMS (three log file sensors)
  - IDS -> JMS
  - FDS -> JMS, and FDS -> BW -> JMS
  - SQL DB -> ADB / BW -> JMS (two database sensors)
• Messaging network: distributed events over Java Messaging Service (JMS), TIBCO EMS
• Rules network: four high-performance rules engines (TIBCO BE)

Page 19: TIBCO CEP And SOA


Overview of TIBCO’s Solutions Architecture

• Fusion of IDS and FDS information across the customer's enterprise, including:
  - Log files
  - The customer's existing IDS and FDS (host and network based) devices
  - Network traffic monitors (as required)
  - Host statistics (as required)
• Secure, standards-based Java Messaging Service (JMS) for messaging:
  - Events parsed into JMS application properties
  - SSL transport for JMS messages
• TIBCO technology for next-generation detection, prediction, rule-based intrusion response, and adaptive control:
  - TIBCO Business Works™ as required, to transform, map or cleanse data
  - TIBCO BusinessEvents™ for real-time rule-based analytics
  - TIBCO Active Database Adapter as required
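For the "SSL transport for JMS messages" bullet, the setting that matters is not encryption alone but whether each client authenticates the broker before it publishes or consumes security events. Added example, not TIBCO or EMS code: a Python `ssl` context built the way a hardened JMS/EMS client should be configured, beside the "SSL is switched on" variant, and an audit function that reports the weak settings. The broker host and the certificate paths are assumptions of the example.

```python
"""TLS for the JMS/EMS transport: hardened client context beside the weak one (added example).
The broker host name and certificate paths are assumptions; none of this is TIBCO code.
"""
import ssl

EMS_BROKER_HOST = "ems.example.internal"  # hypothetical broker, e.g. ssl://ems.example.internal:7243


def build_ems_tls_context(cafile=None, client_cert=None, client_key=None):
    """Context that authenticates the broker and, given a cert pair, the client as well.

    cafile: PEM bundle for the CA that issued the broker certificate (None = system store).
    client_cert/client_key: PEM pair when the broker requires mutual TLS.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSLv3, TLS 1.0 and TLS 1.1
    ctx.check_hostname = True                      # broker name must match its certificate
    ctx.verify_mode = ssl.CERT_REQUIRED            # an unverified peer may be anyone's broker
    ctx.options |= ssl.OP_NO_COMPRESSION           # no TLS-level compression on event payloads
    if client_cert:
        ctx.load_cert_chain(client_cert, client_key)
    return ctx


def build_weak_tls_context():
    """The 'just enable SSL' configuration: encrypted, but any host can impersonate the broker."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_tls_context(ctx):
    """Return the findings a reviewer would raise against a JMS client's TLS context."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("broker certificate is not verified")
    if not ctx.check_hostname:
        findings.append("broker hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions below TLS 1.2 are accepted")
    return findings


def wrap_broker_socket(sock, ctx, host=EMS_BROKER_HOST):
    """Wrap an already-connected TCP socket; server_hostname drives SNI and the hostname check."""
    return ctx.wrap_socket(sock, server_hostname=host)
```

The weak context still negotiates TLS, so traffic captures look encrypted, but a rogue host on the path can present any certificate and read or inject the sensor events the rules engines act on; `audit_tls_context` makes that difference visible before deployment rather than after an incident.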

Page 20: TIBCO CEP And SOA


Potential Extensions to Solutions Architecture

• Extension of EDA/SEM to rules-based access control
  - Integration of IDS and FDS with access control
  - TIBCO BusinessEvents™ for rule-based access control
• Extension of EDA/SEM and access control to incident response
  - Event-triggered work flow
  - TIBCO iProcess™ BPM for incident response
  - TIBCO iProcess™ BPM security entitlement work flow
• Extensions for other risk, compliance and reporting requirements
  - Basel II, SOX, and JSOX, for example
• Extensions for IT management requirements
  - Monitoring and fault management, service management

Page 21: TIBCO CEP And SOA


Key Takeaways of Presentation

• Next generation security and enterprise risk management solutions require the fusion of information from numerous event sources across the enterprise:
  - Model all security devices, log files, sniffers, etc. as sensors and event processors
  - Use secure, standards-based messaging for communications
• Next-Gen Enterprise Risk Management (ERM) requires a number of technologies:
  - Distributed computing, publish/subscribe and SOA
  - Hierarchical, cooperative inference processing
  - High speed, real time rules processing with state management
  - Event-decision architecture for identification and mitigation of security situations
• Solution expandable to compliance and incident management (BPM)

Page 22: TIBCO CEP And SOA

Obrigado! (Thank you!)

Tim Bass, CISSP
Principal Global Architect, Director
Emerging Technologies Group

Event Processing at TIBCO