Security Event Management (SEM) with CEP (Part 5) – SEM Challenges and Shortfalls
In Security Event Management (SEM) with CEP (Part 4), we briefly reviewed the 5 functional principles of SEM. Most, if not all, of the current SEM offerings from security vendors today do not meet the core requirements of a robust SEM architecture.
The graphic below represents a taxonomy view of distributed fraud and/or intrusion detection systems, highlighting how security-oriented solutions tend to be purpose-built solutions which leads to security “stovepipes” that do not share event information.
The chart above illustrates one of the reasons we need the basic 5 functional requirements of SEM in cyberspace – a distributed event-driven architecture that supports heterogeneous event-driven systems with the capability to detect, with high confidence, real threats, prioritize them and kick-off some event-driven workflow that meets corporate risk management and regulatory requirements. All of this must happen in real-time, minmizing false alarms, optimizing resources, and providing decision-support tools, such as visualization, for operators.
I spent quite a bit of time on the net searching for pictures of SEM implementations. There are no shortage of centeralized event aggregators! Here are screen shots of 10 of them:
All of the implements above simply create “yet another security stovepipe” that performs some basic event aggregation and filtering. These “SEM tools” fall far short of accomplishing the 5 principles of SEM we discussed in Part 4. Here are two more “pseudo SEM implementations:”
To make a long story store, as we can see from the three charts above, most, if not all, commercial SEM implementations in the market today fail to meet the 5 key principles of SEM (summarized in part 4). Here are the key shortcomings of these SEM implementations, using the same 5 SEM principles as a backdrop for comparision:
- No ESB – there is no secure, standards-based communications infrastructure for distributed event management in current SEM solutions;
- Weak or no analytics – there is limited capability to detect and refine threat-related situations with high probability using state-of-the-art analytics;
- Weak or no EDA – no standard generated alerts and automated responses to kick off workflow, compliance and other remediation activities;
- Weak Reporting – dashboards and reports tend to be” event aggregators” that do not filter out the “noise”; and,
- Unscaleable, centeralized architectures – current SEM architectures cannot manage millions events in a heterogeneous, distributed architecture.
In my next post in this series, Security Event Management (SEM) with CEP (Part 6), I will begin to discuss about how CEP can be used to help security engineers meet the 5 principles of SEM.
Copyright © 2007 by Tim Bass, All Rights Reserved.