Extrusion Detection is Ripe for CEP

The afternoon sessions of InformationSecurityAsia2007 were exceptional.   Dr. Keith White, APAC Security Services Director of Alcatel-Lucent, Australia described how they partnered with Cloudshield to process security events in a distributed SEM environment.   Topics covered included edge processing, content/context based routing and event processing.   After Keith’s excellent presentation I had a chance to speak with him about white-box event processing engines and strategic partnerships.

The next session was really interesting (session info), highlighting a similar situation – the criminals are far ahead of black-box SEM processing engines; and this is readily demonstrated in the emerging domain of extrusion detection.    For those not familiar with this term, extrusion detection is the network traffic inverse of intrusion detection.   In intrusion detection systems the focus is on the detection of threats from the outside of the network, to the inside of the network. 

However, what happens when criminals implant malware, covert tunnels (for example HTTP tunnels or ICMP tunnels), and malicious bot networks inside of organizations, and the detection challenge shifts to detecting outbound traffic from malicious users, malware, and botnets?    This form of criminal activity is evolving so fast that the models to detect extrusions are being formulated and tested in near real-time.   This is where CEP can help.

Imagine a high performance, declarative programming framework that can be used to implement extrusion detection models created by experts, like the cybersecurity experts gathered together at InformationSecurityAsia2007.   On top of that, visualize a design time studio environment that allows these same experts to graphically express their extrusion models in design time, avoiding most of the overhead of code development.   CEP and ESP engines are ripe for assisting security engineers detect the exploding commercialization of criminal extrusions, where, for example,  bot hearders can rent their botnets from $350 to $1000 USD per day.

I spoke to a number experts at InformationSecurityAsia2007 about CEP and I was pleased to learn that they have been considering CEP and ESP engines, including open source software (i.e. Esper) as well as commercial offerings.    We are considering collaborating on a new Center-of-Excellence that combines CEP/ESP engines with extrusion detection models.  Please contact me directly if you would like to participate.

We live in complex times.   Complex times require complex event processing.

More coming from InformationSecurityAsia2007 ….


2 Responses to Extrusion Detection is Ripe for CEP

  1. Robin Smith says:

    Can you contact me? We are releasing the new WebLogic Event Server (Java Container) with integrated CEP services on Monday 7/16. This could be a possible candidate for your Center-of-Excellence.

  2. Alex Vasseur says:

    Thanks Tim for the info on Esper. I trully appreciate especially given our respective somewhat competitive relationship. We are all at rage together making CEP a reality.
    Glad to see my blog in your blogroll there by the way. Need to flesh out my blog design then…

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: