Simple Event Processing != Complex Event Processing

December 16, 2007

One of the brilliant minds in the CEP community, Claudio Paniagua Macia, recently posted Event Stream Processing != Complex Event Processing. In his post, Claudi draws a bold conclusion:

(1) SQL-based approaches to ESP might have a hard time doing CEP.

(2) No real CEP engine exists today in the marketplace, perhaps not even “off” the marketplace.

Friend, colleague, and co-chair Opher Etzion replied, On Event Stream Processing:

“CEP engines do exist today, none is perfect, but probably sufficient for big majority of the existing applications today.”

Respectfully, I find it necessary to agree with Claudi and disagree with Opher. Most of the so-called CEP engines today are solving quite simple event processing problems. If the CEP engines on the market were truly solving a “majority of the existing applications today,” then sales would be orders of magnitude larger.

The fact of the matter is that the “simple rules-based approaches” that dominate today’s marketplace are used to solve problems where rules-based approaches are useful. Unfortunately, this is just a small fraction of the true potential of the CEP market.

For example (just one of many), the vast majority of intrusion and fraud detection systems available today use rule-based approaches, and their detection capability, and the confidence in the detection, is quite elementary (poor quality). If these systems worked well, cyberspace would be a very different and much safer place.

Yes, it is useful to add another layer of rules, but rules alone will not solve the vast majority of CEP-domain classes of problems. In addition, the CEP applications that have made the press recently are quite simple, certainly nothing scientifically earth-shattering.

So, the sad truth of the matter, from an architectural, scientific and solutions perspective, is exactly as Claudi boldly offered: no real CEP engine exists today. Furthermore, the vast majority, if not all, of the CEP applications sold today are used in very simple event processing (SEP) applications. This is not very “advanced,” but it is a good start.

What is holding the CEP market back is quite straightforward: the current “engines” are quite elementary, relatively speaking (we should call them SEP engines), and SEP engines do not have the capability to solve difficult detection-oriented CEP problems in cyberspace. These difficult problems make up the vast majority of the applications where “true complex event processing” is required.


CEP Center of Excellence for Cybersecurity at Software Park Thailand

December 16, 2007

In July 2007, at InformationSecurityAsia2007, I unveiled an idea to create a cybersecurity CEP Center of Excellence (COE) in Thailand. Under the collaborative guidance of Dr. Rom Hiranpruk, Deputy Director, Technology Management Center, National Science and Technology Development Agency (NSTDA), Dr. Prinya Hom-anek, President and Founder, ACIS Professional Center, and Dr. Komain Pipulyarojana, Chief National Security Section, National Electronics and Computer Technology Center (NECTEC), this idea continues to move forward.

Today, in a meeting with Mrs. Suwipa Wanasathop, Director, Software Park Thailand, and her executive team, we reached a tentative agreement to host the CEP COE at Software Park.

The mission of Software Park Thailand is to be the region’s premier agency supporting entrepreneurs to help create a strong world-class software industry that will enhance the strength and competitiveness of the Thai economy.

Since 2001, Thailand’s software industry has experienced approximately 20% year-over-year (YOY) growth. Presently, Software Park Thailand supports a business-technology ecosystem with over 300 active participants employing over 40,000 qualified software engineers across a wide range of technology domains.

I am very pleased that Software Park Thailand is excited about the potential benefits of CEP in the area of cybersecurity and detection-oriented approaches to cyberdefense. The COE will be working with best-of-breed CEP vendors to build, test and refine rule-based (RBS), neural network (NN) based and Bayesian network (BN) based approaches (as well as other detection methods) for cybersecurity.

I will be announcing more details in the future, so stay tuned. Please feel free to contact me if you have any questions.

The Asia Business Forum: Information Security Risk Assessment and Management (Day Two)

December 13, 2007

Unfortunately, I missed two sessions yesterday (see note); Mr. Kompol Sontanarat, Director, Information Technology Department, Securities and Exchange Commission (SEC) presented Managing Risk By Outsourcing Information Security To Managed Services Provider and Mr. Ruangkrai Rangsiphol, Head of Information and Network Security, True Corporation Public Company Limited, shared a Case Study: Overcoming Obstacles To Information Security Risk Assessment: A Critical Key For Security and Compliance.

Today Mr. Somchai Wiwatwattana, Accounting Department Director, Metropolitan Electric Authority, opened the day for Mr. Manit Panichakul, Head of IT Audit Division, United Overseas Bank (Thai) Public Company Limited, who presented A Guide to Evaluate Disaster Planning and Emergency Management (DRP) Implementation in Your Organization.

Next, my dear friend Dr. Viriya Upatising, Chief Technology Officer, True Internet Company Limited, presented a Case Study: IT Security Management Technology and Risk Protection. Then Dr. Woraphon Watunyuta, Senior VP, IT Security, Siam Commercial Bank Public Limited, shared his Case Study: Key Strategies for Planning Information Security Policies to Maximize Company’s Investment.

After a great Thai lunch at the Royal Orchid Sheraton on the Chao Phraya River, Mr. Panom Navanukroh, Senior Information Security Consultant, IBM Thailand Company Limited, talked about Successfully Implementing IT Security Strategy in Your Organization; followed by Dr. Sak Segkhoonthod, Director, Government Information Technology Services (GITS), Ministry of Science and Education, who shared his Proven Tactics to Effectively Execute IT Risk Management By Constructing a Structured and Disciplined Approach.

The closing presentation was by Mr. Chaiyakorn Apiwathanokul, Chief Security Officer, PTT ICT Solutions Company Limited, who presented a Case Study: Incorporating Strategies and Countermeasures for Phishing Scams.

Note: Yesterday was amazing. If you know the traffic in Bangkok, you will agree that it was amazing that I was able to make it to (1) the Asia Business Forum, then (2) to a meeting with a bank across town, and afterwards (3) move to a new serviced apartment, all in one day!

The Asia Business Forum: Information Security Risk Assessment and Management (Day One)

December 11, 2007

Today is the opening day of the Information Security Risk Assessment and Management conference in Bangkok. Mr. Charoon Boonsanong, Lecturer, Faculty of Economics, Chulalongkorn University, opened the conference.

Dr. Komain Pipulyarojana, Chief National Security Section, National Electronics and Computer Technology Center, will lead off with a presentation on the Latest Trends, Standards and Threats for Information Security & Future Direction. Dr. Komain also serves as the lead for ThaiCERT.

Police General Yanaphon Youngyuen, Deputy Commissioner, Department of Special Investigation, Royal Thai Police, will present Legal Updates: Interacting with Law Enforcement After a Cyber Crime or Systems Intrusion & Its Impact on Today’s Business.

The last presentation before lunch is my presentation, CEP and SOA: An Event-Driven Architecture for Operational Risk Management.

After lunch, Mr. Phillip Chong, Partner, Enterprise Risk Services, Deloitte Touche Tohmatsu Jaiyos Advisory Company Limited, will talk to us about Governance, Risk Management and Compliance (GRC) as a Model for the Management of Corporate Information.

The last presentation before I must rush off to fight the traffic in Bangkok for a cross-town meeting is by Mr. David Old, Partner, Information Risk Management, KPMG Poomchai Business Advisory Limited.

Bare-Bones Requirements for an Event Processing Banking Application

December 8, 2007

I am working on a security-related event processing banking application for one of the main banks in Thailand. Here are the basic “must have, bare minimum” requirements:

  —  The event processing engine must run on Linux.

  —  The engine must be configurable and manageable remotely via a web-based interface. (Edit: A Windows-based fat-client remote manager could also meet this requirement.)

  —  Must have a Windows-based modelling studio for building event logic / rules.

  —  Modelling studio should generate the running code to upload to the engine.

  —  Processing engine must have a UNIX sockets interface (adapter) out-of-the-box.

  —  Must have a data modelling / transformation / mapping tool, such as XPath, for mapping raw input (in this case a UNIX socket) to event data structure(s).

These are only the bare minimum requirements.
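One way the last two requirements fit together, as an added example that is not from the bank project or from any vendor’s product: a minimal Python adapter that reads newline-delimited XML records from a UNIX socket and maps each one onto an event data structure through an XPath-style field mapping. The record layout, field names, the one-record-per-line framing and the socket path are all assumptions made for this example.

```python
import socket
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample record; assumption: the host emits one XML audit record per line.
SAMPLE_RAW = (b'<audit><hdr><ts>2007-12-08T09:15:02</ts><src>core-banking</src></hdr>'
              b'<login user="jdoe" result="FAIL"><ip>10.0.0.7</ip></login></audit>')

@dataclass
class LoginEvent:  # the event data structure the engine's rules reason over
    ts: str
    source: str
    user: str
    result: str
    ip: str

# XPath-style mapping: event field -> location in the raw record. ElementTree
# implements only an XPath subset, so '/@attr' selection is handled in xpath_value().
LOGIN_MAPPING = {"ts": "./hdr/ts", "source": "./hdr/src", "user": "./login/@user",
                 "result": "./login/@result", "ip": "./login/ip"}

def xpath_value(root, path):
    """Element text or attribute value at `path`; '' when the field is absent."""
    if "/@" in path:
        elem_path, attr = path.rsplit("/@", 1)
        elem = root.find(elem_path)
        return "" if elem is None else elem.get(attr, "")
    elem = root.find(path)
    return "" if elem is None or elem.text is None else elem.text.strip()

def map_raw_to_event(raw):
    """Map one raw record onto LoginEvent; None for malformed XML so a bad record cannot stall the adapter."""
    try:  # for producers you do not control, parse with defusedxml instead of xml.etree
        root = ET.fromstring(raw)
    except ET.ParseError:
        return None
    return LoginEvent(**{f: xpath_value(root, p) for f, p in LOGIN_MAPPING.items()})

def read_events(sock_path):
    """UNIX-socket adapter: yield one LoginEvent per newline-delimited record from one producer."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as srv:
        srv.bind(sock_path)
        srv.listen(1)
        conn, _ = srv.accept()
        with conn, conn.makefile("rb") as lines:
            for line in lines:
                event = map_raw_to_event(line.rstrip(b"\n"))
                if event is not None:
                    yield event
```

A producer connects to the socket path and writes one record per line; the engine side iterates `read_events(path)` and hands each LoginEvent to its rules.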

Since I am an ex-TIBCO Principal Global Architect, I was hoping to find other CEP software vendors who have this very basic functionality, because I don’t want to appear to be biased toward TIBCO with the bank.

I tried BEA’s WebLogic Event Server because they also have a presence in Asia, but their event processing platform met only one (the Linux requirement) of the six “bare minimum” requirements above.

If any CEP vendor can meet the bank’s “very basic, bare-bones requirements,” please comment here on the blog or email me directly.

Thank you.

PS: Latency is less critical than the bare-bones requirements above. We can easily route the events to instances of the event processing engine, so the main requirements are based on the ease of design (modelling), remote configuration and management, and deployment.

The Top Ten Cybersecurity Threats for 2008 – Final Draft

December 6, 2007

As promised, here is the final draft of my perspective on the top ten cybersecurity threats for 2008.

I reviewed many prior “top ten” threat lists and noticed most of them accidentally confuse vulnerabilities and threats, listing vulnerabilities as threats. In my review, I could not find any “top ten” threat lists which attempted to use, or follow, the security professional’s textbook definition of threats. Even the 2008 McAfee list makes this common mistake, listing Windows Vista and VoIP as “threats” when, technically speaking, they are vulnerable systems (McAfee’s graph in their PDF has the caption “Windows Vulnerabilities” – this speaks for itself.)

My goal was not to create “yet another vulnerability list.” Instead, my objective was to create a top ten cybersecurity threat list which actually focuses on threats, not vulnerabilities. Please feel free to comment, as there is certainly room for improvement. Your comments are very welcome as we rapidly approach 2008. Thanks!

Top Ten Cybersecurity Threats for 2008

   — Cyber masquerading to abuse, attack, blackmail, bully, extort, or molest.

   — Password and identity theft from phishing, spyware, malware and theft of hardware.

   — Criminal use of botnets and botnet-like technologies.

   — Cyberbullying, cyberterrorism and other forms of electronic violence.

   — Subversion of democratic political processes.

   — Criminal manipulation and subversion of financial markets.

   — Spying by governments, industry and criminals.

   — Denial-of-service attacks.

   — Sabotage, theft and other attacks by disgruntled employees and insiders.

   — Cyberspace vandalism.

©2007 Tim Bass – All Rights Reserved

The Top Ten Security Threats for 2008 (Part 15) – Insiders

December 6, 2007

Here is my final entry for the 2008 list of top ten cybersecurity threats:

      — Sabotage, theft and other attacks by disgruntled employees and insiders.

The Computer Security Institute and FBI conduct an annual CSI/FBI Computer Crime and Security Survey of U.S. corporations, government agencies, financial institutions, and universities. Eighty percent of the information security professionals who responded indicated that disgruntled and dishonest employees are the greatest threat to their computer systems [reference].

This list would not be complete without adding “the insider threat.” Next, I will consolidate and order the list, completing an earlier promise to give my opinion on the top ten cybersecurity threats for 2008.