Security Event Management (SEM) with CEP (Part 5) - SEM Challenges

Posted on June 28th, 2007 by Tim Bass

Security Event Management (SEM) with CEP (Part 5) - SEM Challenges and Shortfalls

In Security Event Management (SEM) with CEP (Part 4), we briefly reviewed the 5 functional principles of SEM. Most, if not all, of the current SEM offerings from security vendors today do not meet the core requirements of a robust SEM architecture.

The graphic below represents a taxonomy view of distributed fraud and/or intrusion detection systems, highlighting how security-oriented solutions tend to be purpose-built solutions which leads to security “stovepipes” that do not share event information.

The chart above illustrates one of the reasons we need the basic 5 functional requirements of SEM in cyberspace - a distributed event-driven architecture that supports heterogeneous event-driven systems with the capability to detect, with high confidence, real threats, prioritize them and kick-off some event-driven workflow that meets corporate risk management and regulatory requirements. All of this must happen in real-time, minmizing false alarms, optimizing resources, and providing decision-support tools, such as visualization, for operators.

I spent quite a bit of time on the net searching for pictures of SEM implementations. There are no shortage of centeralized event aggregators! Here are screen shots of 10 of them:

All of the implements above simply create “yet another security stovepipe” that performs some basic event aggregation and filtering. These “SEM tools” fall far short of accomplishing the 5 principles of SEM we discussed in Part 4. Here are two more “pseudo SEM implementations:”

To make a long story store, as we can see from the three charts above, most, if not all, commercial SEM implementations in the market today fail to meet the 5 key principles of SEM (summarized in part 4). Here are the key shortcomings of these SEM implementations, using the same 5 SEM principles as a backdrop for comparision:

  1. No ESB – there is no secure, standards-based communications infrastructure for distributed event management in current SEM solutions;
  2. Weak or no analytics - there is limited capability to detect and refine threat-related situations with high probability using state-of-the-art analytics;
  3. Weak or no EDA - no standard generated alerts and automated responses to kick off workflow, compliance and other remediation activities;
  4. Weak Reporting – dashboards and reports tend to be” event aggregators” that do not filter out the “noise”; and,
  5. Unscaleable, centeralized architectures – current SEM architectures cannot manage millions events in a heterogeneous, distributed architecture.

In my next post in this series, Security Event Management (SEM) with CEP (Part 6), I will begin to discuss about how CEP can be used to help security engineers meet the 5 principles of SEM.

Copyright © 2007 by Tim Bass, All Rights Reserved.

Share and Enjoy:
  • Digg
  • StumbleUpon
  • del.icio.us
  • Technorati
  • Facebook
  • Mixx
  • Google
  • Slashdot
  • Furl
  • Reddit
  • Spurl
  • LinkedIn

Filed under: Business Events, CEP Tutorials, Complex Event Processing, Cybersecurity, Event Processing, Event-Driven Architecture, Fraud Detection

« Security Event Management (SEM) with CEP (Part 4) - The 5 Principles of SEM BAM to SOA - Da’ Buzzhype Revisited »

Leave a Reply

Copyright © 2007-2008, The CEP Blog, All Rights Reserved.