The Predictive Battlespace

June 11, 2008

Friend and colleague Don Adams, CTO World Wide Public Sector, TIBCO Software, explains how CEP can be used to sense, adapt and respond to complex situations in The “Predictive” Battlespace: Leveraging the Power of Event-Driven Architecture in Defense.


Open Service Event Management

May 17, 2008

One of the benefits of working in different countries is getting perspectives on various clients’ event processing problems. Of interest to event processing professionals, companies are moving away from expensive software solutions and increasingly moving toward experimenting with economical and open software packages to solve complex problems.

Recently, I was talking with a client about their experience with commercial security event management (SEM) solutions, for example ArcSight.   In his opinion, ArcSight was not an economically viable solution for his company, so he recommended I take a look at Open Service Event Management (OSEM). 
 
OSEM helps organizations collect, filter, and send problem reports for supported systems (ProLiant and Integrity) running compatible agents.   OSEM automatically sends service event notifications when system problems are detected.

I have not had a chance to look under the hood of OSEM and see how it can be used to collect and send events to emerging rule-based event processing engines.    However, this looks like an interesting lab project and I would like to hear from readers who have experimented with this systems architecture.


Coral8: Event Stream Processing and Intrusion Detection

January 3, 2008

We have been testing our home-grown UNIX domain socket adapter, which is not quite ready for prime time, using Coral8 Java APIs. We are using this adapter to evaluate and demonstrate stream processing with intrusion detection systems (IDS), using event stream processing to reduce false alarms, detect derived situations from the raw intrusion event data, and feed a security management visualization dashboard.

You can click on the teaser image below to see more of our first IDS screenshots from Coral8’s Studio stream visualization tool.

Coral8 IDS Example

If you click on the image above, you will see four additional event stream properties. For this part of the demo, there are 14 total IDS properties in the event stream, but we only show 5 properties in this cropped screen capture.

I am quite sure that we could do similar integration with other event stream processing engines, but fortunately Coral8 makes it easy to download, start developing and testing. 
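The adapter pattern described in this post, as an added Python example that is not part of the original post and does not use Coral8's APIs: JSON IDS events arrive on a UNIX datagram socket, repeats from the same source are suppressed within a time window, and a derived "situation" event is raised when one source triggers several distinct signatures. The event fields (`ts`, `src`, `sig`), the thresholds and the sample events are assumptions constructed for illustration.

```python
import json, os, socket, tempfile
from collections import defaultdict, deque

class Correlator:
    # Per-source sliding window over (timestamp, signature) pairs.
    def __init__(self, window=60, min_sigs=3):
        self.window, self.min_sigs = window, min_sigs
        self.recent = defaultdict(deque)      # src -> deque of (ts, sig)
        self.flagged = set()                  # sources with an open situation

    def feed(self, ev):
        src, ts, sig = ev["src"], ev["ts"], ev["sig"]
        q = self.recent[src]
        while q and ts - q[0][0] > self.window:   # expire events outside the window
            q.popleft()
        repeat = any(s == sig for _, s in q)      # same signature already seen recently
        q.append((ts, sig))
        out = [] if repeat else [("alert", src, sig)]
        sigs = sorted({s for _, s in q})
        if len(sigs) < self.min_sigs:
            self.flagged.discard(src)
        elif src not in self.flagged:             # raise the derived event only once
            self.flagged.add(src)
            out.append(("situation", src, sigs))
        return out

def run_adapter(payloads):
    # Send payloads through a UNIX datagram socket and correlate what arrives.
    corr, out = Correlator(), []
    with tempfile.TemporaryDirectory() as d:      # mode 0700: only this user can inject
        path = os.path.join(d, "ids.sock")
        with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as rx, \
             socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as tx:
            rx.bind(path)
            rx.settimeout(2)
            for p in payloads:                    # stands in for the IDS sensor
                tx.sendto(p, path)
            for _ in payloads:
                try:
                    out += corr.feed(json.loads(rx.recv(4096)))
                except (ValueError, KeyError, TypeError):
                    continue                      # drop malformed datagrams
    return out

# Constructed sample events (not real IDS output), plus one malformed datagram.
A, B = "10.0.0.5", "10.0.0.9"
ROWS = [(0, A, "ICMP ping"), (5, A, "ICMP ping"), (10, B, "ICMP ping"),
        (20, A, "TCP portscan"), (30, A, "SSH login failure"), (100, A, "ICMP ping")]
SAMPLE = [json.dumps(dict(ts=t, src=s, sig=g)).encode() for t, s, g in ROWS] + [b"not json"]

if __name__ == "__main__":
    print(run_adapter(SAMPLE))
```

Seven datagrams go in and six events come out: the repeated ping and the malformed datagram are dropped, and one derived situation is added for the source that triggered three distinct signatures inside the window.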


Executives are Risk Averse and Favor Large, Stable Companies

January 2, 2008

Marco Seiriö asks, “To Integrate Or Not? And How?”, with an underlying message that he thinks it is unwise for RuleCore, as a CEP vendor, to spend development resources on integration and adapters.

I think most small companies in RuleCore’s position would make similar statements for a number of reasons, including Marco’s observation that they are resource constrained.

Unfortunately for these small companies, the flip side of that position is that large software companies with an event processing offering and a complementary integration platform are favored by most large companies and government organizations. Remember the old saying that goes something like, “An executive has never been fired for hiring IBM!” This tongue-in-cheek perspective mirrors the risk-averse position of most company executives.

If you are an executive in a large company you tend to want fewer contracts to manage, fewer software licenses to negotiate, and fewer companies to try to integrate. You want large stable companies who will still be in business in 5 years. You want companies with a proven track record that are part of a larger business ecosystem. You want companies with a strong professional services organization. You want companies that can survive the “an executive has never been fired for buying IBM” test.

There are only two companies that fit the executive litmus test that have referenceable customers in the CEP/EP space.  Therefore, it is not by accident that the same two companies happen to be at the top of the list of CEP/EP Reference Customers 2005-2007.


Adapters and Analytics: COTS? NOT!

December 26, 2007

Marc Adler shows why his musings are rapidly becoming one of my “must read” blogs in his post, CEP Vendors and the Ecosystem.

We have been making similar points in the event processing blogosphere, namely the importance of adapters and analytics. Today, event processing vendors are surprisingly weak in both areas.

For one thing, there was way too much emphasis on rules-based analytics in 2007. Where are the rest of the plug-and-play commercial analytics end users need for event processing??

And another thing….. 🙂

Why are there so few choices of adapters and why do we have to write our own??

Sometimes I think that if I read another press release on 500,000 events per second I’m going to shout out – the event processing software on the market today cannot even connect to a simple UNIX domain socket out-of-the-box, so how about ZERO events per second!

The bottom line is that the market is still wide open for a software vendor to come to the party with a wide array of plug-and-play, grab-and-go, adapters and analytics.  

Folks are talking COTS, but more often it is NOTS.