Project goals and results
The main goal of the SIMU project was the development of a SIEM-like system that significantly improves IT security in a corporate network without great effort. In addition to easy integration into the IT infrastructures of small and medium-sized enterprises (SME) and easy traceability of relevant events and processes in the network, it can be realized with little effort for configuration, operation and maintenance. On the functional level, SIMU works like SIEM systems: it monitors processes and events within the corporate network and automatically initiates proactive real-time measures to improve security.
SIMU is distinguished in particular by the following non-functional characteristics:
- Simple integration into IT infrastructures of SME (characteristic 1): The effort for installation, configuration and maintenance of additional SIMU components is to be minimized by using widely adopted standards for communication protocols and data formats that are already implemented in typical network components.
- Easy traceability of relevant events and processes in the network (characteristic 2): Relevant events and processes in the network are to be visualized in an easily understandable way. This sustains the understanding and traceability of processes in the network, and with it the security.
- Small effort for configuration, operation and maintenance (characteristic 3): The SIMU system works with standardized pre-configurations and offers the possibility to derive guidelines and configurations semi-automatically from the easily understandable visualization of the network. Thus, the effort for configuration, operation and maintenance is greatly reduced compared to conventional SIEM systems.
Overall, the costs of operating IT infrastructures are to be reduced by introducing SIMU in SME. On the one hand, introducing and operating SIMU incurs costs; on the other hand, a more than compensating cost reduction is expected from the characteristics mentioned above, especially because of proactive measures and simplified administration.
Concrete results of the SIMU project are prototypical software components, which realize the functionality of SIMU while being integrated into the IT infrastructure of a corporate network. The prototypical software components can provide a basis for the development of commercial and open-source products. In chapter 1.3, the SIMU components are described in detail.
The project goal was only reachable because it could be built on a comprehensive technological basis developed in past and, in part, still ongoing projects of the project partners. The results of this preliminary work were directly integrated into the SIMU project and were adapted and developed further. This preliminary work and basis technology, as well as their integration into the SIMU project, are described in detail in the following chapter.
Scientific and technical project goals
A first approach to implementing the SIMU project is shown in the following figure, which makes visible how all individual components are used within the new SIMU architecture.
The SIMU architecture shown in the figure is composed of the following components:
- SIMU collectors and flow controllers: SIMU collectors collect information about end devices and processes within the network and publish it on the MAP-Server. SIMU flow controllers obtain information from the MAP-Server in order to apply security measures automatically where necessary, e.g. setting filter rules to prevent an attacker's access to internal systems. Individual devices can act either as collector or as flow controller. The vendors NCP and macmon will extend their products so that they act as SIMU collectors and/or flow controllers. DECOIT will extend several open-source tools (Snort, Nagios etc.) by adding the SIMU capability.
- SIMU engine: The SIMU engine consists of the following components:
  - The MAP-Server functions as the central data basis for all relevant information. All other SIMU components can store their data there and at the same time subscribe to data from the MAP-Server.
  - The detection engine analyses information stored on the MAP-Server in order to recognize misbehavior (anomalies) or undesirable conditions; a detection leads to publishing information on the MAP-Server and consequently to the automatic initiation of security measures. The detection engine works rule-based by means of policies. The policies need to define normal behavior as well as desirable and undesirable conditions, along with the measures to be taken, specifically for each company.
  - The SIMU-GUI visualizes the current state of the network on the basis of the data stored on the MAP-Server. Furthermore, the SIMU-GUI is the starting point for the visually operated rule analysis and generation. Based on a visualized condition, a user can derive policies for the detection engine automatically. Hereby the task of generating policies, which is generally rather complex, is significantly simplified.
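To make the interplay of collector, MAP-Server, detection engine and flow controller concrete, the following is an added example in Python (not code from the SIMU project, irond or irondetect): a simplified in-memory stand-in for the MAP-Server with publish/subscribe, a detection engine that applies a policy in an assumed dict format (significance threshold, trusted identifiers, measure to publish), and a flow controller that records the filter rule it would set. The identifiers, metadata fields and event values are constructed for the illustration.

```python
from collections import defaultdict

class MapServer:
    """Simplified in-memory stand-in for the MAP-Server (not irond): identifiers
    carry metadata, and every subscriber is called back on each publish."""
    def __init__(self):
        self.graph, self.subscribers = defaultdict(list), []
    def subscribe(self, callback):
        self.subscribers.append(callback)
    def publish(self, identifier, metadata):
        self.graph[identifier].append(metadata)
        for callback in list(self.subscribers):
            callback(identifier, metadata)

class DetectionEngine:
    """Rule-based engine; the policy dict (assumed format) names a significance
    threshold, a set of trusted identifiers and the measure to publish."""
    def __init__(self, mapserver, policy):
        self.mapserver, self.policy = mapserver, policy
        mapserver.subscribe(self.on_metadata)

    def on_metadata(self, identifier, metadata):
        if metadata.get("type") != "event":
            return  # enforcement metadata published by the engine itself is ignored
        if (metadata.get("significance", 0) >= self.policy["threshold"]
                and identifier not in self.policy["trusted"]):
            self.mapserver.publish(identifier, {"type": "enforcement",
                                                "action": self.policy["action"]})

class FlowController:
    """Consumes enforcement metadata and records the filter rule it would set."""
    def __init__(self, mapserver):
        self.rules = []
        mapserver.subscribe(self.on_metadata)

    def on_metadata(self, identifier, metadata):
        if metadata.get("type") == "enforcement":
            self.rules.append((metadata["action"], identifier))

def run_demo():
    srv = MapServer()
    DetectionEngine(srv, {"threshold": 70, "trusted": {"ip:10.0.0.1"}, "action": "block"})
    fc = FlowController(srv)
    # constructed sample events, as a Snort-based collector might publish them
    srv.publish("ip:10.0.0.1", {"type": "event", "name": "portscan", "significance": 90})
    srv.publish("ip:10.0.0.42", {"type": "event", "name": "portscan", "significance": 90})
    srv.publish("ip:10.0.0.43", {"type": "event", "name": "icmp echo", "significance": 10})
    return fc.rules  # only the untrusted, high-significance host gets a block rule
```

The trusted host and the low-significance event produce no measure, which is exactly the per-company tuning the policies are meant to express.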
The open-source components irond, irondetect and irongui, which had been developed in predecessor projects by the University of Applied Sciences and Arts Hannover, formed the basis for the components of the SIMU engine. These were extended and adapted by developing new characteristics.
The target SIMU system was to be built on standardized languages and models as far as possible. Modular tools were used for the collection and analysis of events and for rule management. The core of SIMU consists of the following elements:
- IF-MAP-Clients as collectors with uniform and standardized transport
- Standardized metadata models for modelling respective networks
- Comprehensible IF-MAP graph to support an intuitive rule creation process
The IF-MAP specification is being disseminated on an ever larger scale due to the rapid growth of the Trusted Computing Group (TCG). Its members now include giants of the network and IT industry, e.g. Microsoft, Cisco Systems, Enterasys and Juniper. This growth helps reach a critical mass that substantially facilitates the use of the IF-MAP protocol in practice. IF-MAP clients are not only designed for network components by their providers, but are also already available for several additional services (DHCP, RADIUS, Snort, Nagios, Android etc.). In order to use the advantages of homogeneous event transport for a SIEM system in SME without great effort, the remaining gap of IF-MAP clients still to be implemented needs to be closed.