SIMU project presentation at the D.A.CH Security 2014
From September 16th to 17th, 2014, the D.A.CH Security conference took place again, this time in Graz at the Graz University of Technology. The main goal of this conference is to provide an interdisciplinary overview of the current state of IT security in industry, services, administration and science in Germany, Austria and Switzerland. Aspects from the areas of research and development, teaching and education were presented, relevant applications were shown, and new technologies and the product developments resulting from them were demonstrated conceptually. DECOIT GmbH was in Graz in order to present the SIMU project.
The D.A.CH Security conference started with SIEM systems, meaning large databases with upstream analysis systems, which usually offer links to asset inventory data. SIEM systems are used for attack identification, logging of privileged rights usage, compliance and awareness. Many systems exist on the market, including ones based on open source. The main problem is that alarms need to be readable by administrators. If that is not possible, additional risks are created (poor explanatory power, late reactions, increased damage). Only fast reactions can limit damage effectively (given that statistically 84 % of attackers are successful in intranets within 24 hours). Furthermore, without central logging many traces are lost. However, SIEM systems also need continuous care (tuning and customizing). Considerable extra effort is generated by source configuration and data collection. Therefore, the central question was whether complexity and speed lead to failure. The answer was no, provided the SIEM system is able to run automatically.
DECOIT GmbH presented the SIMU project and showed the technical background of a SIEM system. Such a system consists of diverse modules such as Event Correlation, Network Behaviour Anomaly Detection (NBAD), Identity Mapping, Key Performance Indication, Compliance Reporting, Application Programming Interface (API) and Role Based Access Control. The IF-MAP protocol of the TCG serves as the base and covers the consolidation of the different log data of all security components in use. Solutions from different vendors, which were usually developed as isolated applications, constitute one of the challenges in SIEM projects: open interfaces and uniform data formats hardly exist. This problem can be solved by the IF-MAP protocol, once all components in use have been adapted to it.