Management of Security Information and Events in Future Internet

Andrew Hutchison (T-Systems South Africa), Roland Rieke (Fraunhofer Institute for Secure Information Technology SIT)
Overview: Management of Security Information and Events (SIEM) in Future Internet (FI)

- Changes and developments
- Vision: new opportunities & new risks
- Challenges: security, resilience, privacy
- Solutions and implied RTD needs
Security Information and Event Management Systems: product-oriented view

"SIEM technology provides real-time analysis of security alerts generated by network hardware and applications. SIEM solutions come as software, appliances or managed services, and are also used to log security data and generate reports for compliance purposes." (Wikipedia, May 2011)

"Systems come in threes! ... a judgemental system is involved in determining whether any particular activity (or inactivity) of a system in a given environment constitutes or would constitute - from its viewpoint - a failure." (Brian Randell, IFIP WG 10.4, Guadeloupe, 2007)

[Figure: environment, system, judgemental system]
Changes and developments: Future Internet (FI) is driving a complete re-think of the paradigm whereby organisations deploy and manage their own services and infrastructure

[Figure: cloud computing as defined by NIST*, source T-Systems]
- Service models: cloud applications (SaaS), cloud platforms (PaaS), cloud infrastructures (IaaS)
- Deployment models: public clouds (resources and services from the Internet), private clouds (resources and services from secure sources), hybrid clouds (the best of both worlds), community clouds (for special interest groups)
- Characteristics: on-demand self-service, broad network access, resource pooling, rapid elasticity, measured service
*National Institute of Standards and Technology (NIST)

Services get outsourced into clouds; infrastructures evolve hybrid - real & virtual.
Changes and developments: Cyber-physical Systems of Systems (SoS) get connected to the Internet

Smart Grid, IoT, Car-to-X: use of meshed wireless communication structures -> physical actuators get in reach of attackers.

Vision: Services & infrastructure in clouds leads to deployment of SIEM in clouds

[Figure: managed SIEM today, source T-Systems. Components shown: Internet, cloud, campus/remote site, Internet gateway, remote and local authentication servers, HIPS, anti-virus, anti-spyware, disk encryption, security update repository, data centre routers, security management, identity management, mail content management (e.g. anti-virus, anti-spam), Internet content management (e.g. URL filtering), Security Operations Centre with monitoring, event correlator and vulnerability analysis, firewalls & IPS, mail relay, proxy server, mail server, servers, SOC router, site router]

Managed SIEM today: multiple sources are collected centrally within the realm of the provider organisation.
[Figure accompanying the repeated slide title "Services & infrastructure in clouds leads to deployment of SIEM in clouds", source T-Systems]

Vision: New opportunities and new risks

New opportunities (across IaaS, PaaS, SaaS):
- Inter-organisational analyses are possible
- Adaptive countermeasures

New risks:
- Privacy and integrity of the events of any particular company
- Virtualisation layers introduce new vulnerabilities
- IoT enables new remote attacks against critical services & infrastructures
Vision: New SIEM deployment entails different thinking about the revenue model

[Figure, source T-Systems]

Challenges: Security, resilience, privacy

- Security for cloud applications & service infrastructures
- Intrusion tolerance, self-protection and self-healing
- QoS guarantees to ensure reliable and timeous arrival of security event information from the sensors; the debate on Internet net-neutrality could also apply here, since there could be a case for expediting control traffic such as SIEM event feeds
- New cryptographic techniques enabling processing of data in a privacy-preserving manner
Challenges: High-level situational security awareness

[Figure: attacker, SIEM reasoning, and the resource, IaaS, PaaS, SaaS and application layers]

- Provide cross-layer, cross-domain security information
- Given that the cloud hides the technical delivery of the service from the SIEM provider (typically increasing for higher-level services), SIEM needs limited transparency
Challenges: Adaptive response

[Figure: security event abstraction, process model, attack model]

- Predictive analysis of upcoming security problems
- Given that customers have no insight into the risk mitigation mechanisms of cloud providers and the overall status: anticipatory impact analysis & decision support
- Technical but also legal challenges
Solutions and implied RTD needs: Resilient, trust-enabling SIEM architecture

[Figure: authenticated component event reporting, information flow defense, unforgeability provisions, trustworthy event collection]

- Trusted collection of security-relevant data from highly heterogeneous trusted networked devices (IoT)
- Resilient Internet-based backbone communication
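An added illustration, not from the presentation, of the authenticated component event reporting and unforgeability provisions listed above: each collector signs its events with a keyed MAC and a per-collector sequence number, and the SIEM core rejects tampered, forged and replayed events. The collector id, shared secret and event fields are constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed demo: each edge collector shares a secret with the SIEM core
# (constructed key below); every event carries a sequence number, and the core
# accepts it only if the MAC verifies and the sequence number advances.
COLLECTOR_KEYS = {"edge-collector-1": b"constructed-shared-secret-1"}

def canonical(body):
    """Canonical JSON so sender and verifier MAC exactly the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def sign_event(collector_id, seq, payload):
    """Collector side: attach HMAC-SHA256 over collector id, seq and payload."""
    body = {"collector": collector_id, "seq": seq, "payload": payload}
    tag = hmac.new(COLLECTOR_KEYS[collector_id], canonical(body), hashlib.sha256).hexdigest()
    return dict(body, mac=tag)

class TrustworthyCollector:
    """SIEM-core side: rejects unknown senders, tampered events and replays."""
    def __init__(self, keys):
        self.keys = keys
        self.last_seq = {}   # collector id -> highest accepted sequence number
        self.accepted = []

    def accept(self, event):
        key = self.keys.get(event.get("collector"))
        if key is None:
            return "unknown-collector"
        body = {k: event.get(k) for k in ("collector", "seq", "payload")}
        expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(event.get("mac", ""))):
            return "bad-mac"      # payload altered in transit or sender forged
        if event["seq"] <= self.last_seq.get(event["collector"], 0):
            return "replay"       # old or duplicated event
        self.last_seq[event["collector"]] = event["seq"]
        self.accepted.append(event)
        return "ok"

def demo():
    """Verdicts for a genuine event, a tampered copy and a replay of the genuine one."""
    core = TrustworthyCollector(COLLECTOR_KEYS)
    genuine = sign_event("edge-collector-1", 1, {"type": "login_failed", "host": "vm-17"})
    tampered = dict(genuine, payload={"type": "login_ok", "host": "vm-17"})
    return [core.accept(genuine), core.accept(tampered), core.accept(genuine)]
```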
Solutions and implied RTD needs: Scalable security situation assessment

[Figure: event processing engine. Sources (service infrastructure, authentication devices, network devices, security devices) emit SOI logs, SOI events, authentication events, network events and security events in external languages; event collection translates them into internal-language events; event correlation produces alarms]

- Scalable distribution of acquisition & parallel processing
- Seamless function splitting between core engines and edge collectors
- Parallel data streaming to SIEM in clouds
Solutions and implied RTD needs: Cross-layer reasoning & mitigation

[Figure: process simulation engine and attack simulation engine producing predictive alerts and counter-measure evaluation]

- Multi-level security event modelling aims at a holistic solution to protect service infrastructures of the FI
- Predictive security monitoring makes it possible to fight attacks proactively by predicting their future actions
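An added example, not from the presentation or the framework it describes, that joins the collection/correlation pipeline of the previous slide with the predictive alerting described here: events in two constructed external formats are normalised into one internal language and matched per target against a constructed attack model, so that a prefix match yields a predictive alert naming the step expected next.

```python
import json
import re

# Constructed attack model: an ordered sequence of abstract event types against
# one target; once a prefix is observed the engine predicts the next step.
ATTACK_MODEL = ["port_scan", "auth_failure_burst", "privilege_change"]
# Constructed external formats: a network-sensor text line and a hypervisor JSON record.
SENSOR_LINE = re.compile(r"^(?P<sensor>\S+) target=(?P<target>\S+) type=(?P<type>\w+)$")

def normalise(raw):
    """Event collection: map either external format to the internal language."""
    raw = raw.strip()
    if raw.startswith("{"):
        rec = json.loads(raw)
        return {"target": rec["vm"], "type": rec["event"]}
    m = SENSOR_LINE.match(raw)
    return {"target": m["target"], "type": m["type"]} if m else None

class PredictiveCorrelator:
    """Tracks, per target, how far observed events match the attack model."""
    def __init__(self, model):
        self.model = model
        self.progress = {}  # target -> number of model steps matched so far
    def feed(self, event):
        target = event["target"]
        k = self.progress.get(target, 0)
        if k < len(self.model) and event["type"] == self.model[k]:
            k += 1
            self.progress[target] = k
            if k == len(self.model):
                return {"target": target, "alert": "attack_complete"}
            return {"target": target, "alert": "predicted_next", "next": self.model[k]}
        return None  # off-model event: assessment unchanged

def run(raw_events, model=ATTACK_MODEL):
    """Collection plus correlation over a raw event stream; returns the alerts."""
    engine = PredictiveCorrelator(model)
    alerts = []
    for raw in raw_events:
        event = normalise(raw)
        alert = engine.feed(event) if event else None
        if alert:
            alerts.append(alert)
    return alerts

SAMPLE_STREAM = [  # constructed stream mixing both sources and two targets
    "netsensor-a target=vm-17 type=port_scan",
    '{"vm": "vm-22", "event": "auth_failure_burst"}',
    '{"vm": "vm-17", "event": "auth_failure_burst"}',
    "netsensor-a target=vm-17 type=privilege_change",
]
```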
A platform around which these thoughts are crystallizing: the Advanced SIEM Framework

[Figure: framework overview]
- Event and information collection: highly-scalable, dependable and multi-level event collection; trustworthy event collection
- Event, process models and attack models: multi-level security event modeling; multi-domain parallel-running processes; process and attack simulation
- Predictive security analysis: multi-level event correlation; security analysis and notification; languages for EVENTS, RELATIONS, POLICIES and REACTIONS
- Alert and reaction generation: actions and counter-measures; security-aware processes
- Resilient event processing and integration; resilient framework architecture
- Scenarios and prototypes: Olympic Games, mobile money transfer service, CI process control (dam), managed enterprise service infrastructures
Conclusions

Changes and developments
- FI is driving a complete re-think of the paradigm whereby organisations deploy and manage their own services and infrastructure
- Cyber-physical SoS get connected to the Internet

Vision
- Services & infrastructure in clouds leads to deployment of SIEM in clouds
- New opportunities and revenue models & new risks

Challenges
- Security, resilience, privacy
- High-level situational security awareness
- Adaptive response

Solutions and implied RTD needs
- Resilient, trust-enabling SIEM architecture
- Scalable security situation assessment
- Cross-layer reasoning & mitigation

[Figure: environment, system, judgemental system]