Workshops‎ > ‎cs-ga-2011‎ > ‎

Andrew Hutchison and Roland Rieke


Biography:

Andrew Hutchinson


Dr Andrew Hutchison is responsible for the corporate Process, Quality and IT (PQIT) activities of the South African business unit of T-Systems. Andrew was previously General Manager of the Telecommunication Services division in South Africa. He has also held executive responsibility for business development in South Africa, as well as for internal IT and corporate Security portfolios.

Prior to joining T-Systems, Andrew was co-founder and director of an IT consulting and training company, Computer Science Institute, which was acquired by the Software Futures Group. Andrew has previously also been a full time member of the academic staff of the Computer Science Department at the University of Cape Town (UCT) and has a PhD in Computer Science from the University of Zurich, which he completed while working at the IBM Zurich Research Laboratory in Switzerland. He has been a visiting scientist at the University of Southern California in Los Angeles, and is currently appointed as an Adjunct Professor in the UCT Computer Science Department from 2009 to 2014.

As a contributor in the international community of IT professionals, Andrew has authored / co-authored some 40 international peer reviewed papers in the areas of telecommunications and security, many of which have been presented in countries including the USA, UK, Australia, Germany, Switzerland, Denmark, The Netherlands and Hungary. He is a regular presenter at conferences / industry seminars and press spokesperson.


Roland Rieke



Roland Rieke works since 1982 as a senior researcher at the Fraunhofer Institute for Secure Information Technology SIT. His research interests are focused on the development of methods and tools for formal security models and application of these techniques for architecting secure and dependable systems. In the project EVITA (E-safety Vehicle Intrusion proTected Applications), for instance, he worked on a method for security requirements elicitation in systems of systems applied in the context of vehicular communication systems. He is currently working on predictive security analysis for event-driven processes in the context of the Internet of things within the project ADiWa (Alliance Digital Product Flow). His recent papers furthermore comprise work on attack graph analysis and on construction principles for dependable and secure parameterised systems. Roland is the research director of the project MASSIF (MAnagement of Security information and events in Service InFrastructures), a large-scale integrating project co-funded by the European Commission. He is member of the strategy board of the Effects+ (European Framework for Future Internet Compliance, Trust, Security and Privacy through effective clustering) project and member of the ERCIM working group on Security and Trust Management.




Abstract:
Management of security information and events in future internet

Security Information and Event Management (SIEM) is a key concept to identify security threats and mitigate their malicious impact. Traditional SIEM deployment occurs within a corporate infrastructure.
Where an SIEM service is provided by an external service provider, it is also generally the case that SIEM deployment is within the realm of the provider organization and that events only pass via internal customer
or service provider links. However, the Infrastructure as a Service (IaaS) model is driving a complete re- think of the paradigm whereby organizations deploy and manage their own infrastructure for many aspects
of their computing needs. This drive also implies a need to consider the implications for deployment of SIEM in the cloud. Following this trend, organizations could avoid Capex investments to deploy their own
analysis modules, through contracting an Opex based SIEM service based on a .xed or variable monthly fee.

Through this likely shift of SIEM service provision, from stand-alone organizational environments to a shared cloud processing facility, there are opportunities to make inter-organisational analyses. This in itself
raises many issues in terms of ensuring privacy and integrity of the events of any particular company, while still gaining the bene.t of being able to spot cross-company trends. The security of a cloud based service is also critical, and a likely stepping stone towards Public based services is that Private cloud services, from reputable large service providers, will be the preferred deployment model. In this mode, service providers
have full oversight and control over event processing, while customers bene.t from a lower cost, on-demand, scalable service.

Another very important upcoming trend to be addressed in Future Internet and IoT SIEM, is the use of meshed wireless communication to connect cyber-physical systems to critical infrastructures and to the
Internet as a whole. This large scale connectivity, not only of sensors but also of actuators, enables totally new types of remote attacks against critical services and infrastructures with potentially very high impact
and Societal cost.

Furthermore, by its very nature the SIEM itself is a potential target for an attacker (for example to intercept or block SIEM event feeds), so an Internet based SIEM cloud type service would have to provide quality of service guarantees to ensure reliable and timeous arrival of security event information from the sensors. The debate on Internet net-neutrality could also refer here since there could be a case for expediting control traffic such as SIEM event feeds.

The project MASSIF (MAnagement of Security information and events in Service InFrastructures ), a large-scale integrating project co-funded by the European Commission, addresses these challenges. The
vision of creating a next-generation Security Incident and Event Management environment drives the development of an architecture which provides for trustworthy and resilient collection of security events
from source systems, processes and applications. A number of novel inspection and analysis techniques are applied to the events collected to provide high-level situational security awareness, not only on the network level but also on the service level where high-level threats such as money laundering appear. An anticipatory impact analysis will predict the outcome of threats and mitigation strategies and thus enable proactive and dynamic response. The balance between the amount of processing, normalization, aggregation and analysis at edge collectors of an SIEM system, and the work done at the central nerve centre are also topics which would have to be re-considered in the context of an Internet type deployment of an SIEM system. A scalable distribution of acquisition and parallel processing, and seamless function-splitting between core engines and edge collectors, is needed.

In essence though, the evolving Internet provides many new questions for SIEM deployment, and from an SIEM perspective reinforces the importance of having an Internet with security and possibly di.erentiated
service for high priority and trustworthy control tra.c such as the events from an SIEM. The commercial models also change since a service fee needs to evolve to scale up/scale down pay-per-use models.


Presentation: