Motivation and background

The threat of cybercrime in Germany grows continuously. That is the conclusion of the German Federal Office of Criminal Investigation in its overview of the situation Cybercrime 2011, presented in September 2011. According to that overview, damages rose by 16 % compared to 2010, to 71.2 million EUR. The number of unreported cases is high. According to the inter-trade organization BITKOM, German medium-sized enterprises are increasingly in the focus of attackers. Small and medium-sized enterprises (SME) in particular have not yet given adequate consideration to the growing threat. The trend towards the commercial use of smartphones, tablets and netbooks plays an important role here. According to a BITKOM survey, almost 43 % of ICT enterprises allow their employees to use private smartphones, netbooks or tablet computers. At the same time, almost half (42 %) of the enterprises do not consider mobile end devices in their IT security concepts at all.

Security systems such as firewalls, virus scanners, spam filters and VPN gateways are indeed used by SME, but they typically operate in isolation from each other. Many attacks, however, can only be identified by combining data from different systems. Even when an attack has been identified, countermeasures are often taken too late, after the attacker has already disrupted the operation of important systems or obtained sensitive information. Continuous and proactive monitoring of IT systems (clients, servers, network components, firewalls etc.) and of the processes and events in the network usually does not take place.

Large enterprises use so-called "Security Information and Event Management" (SIEM) components for this monitoring. SIEM systems are meanwhile regarded as an important component of company networks and IT infrastructure. They allow the messages and alerts of the individual components of an IT system to be consolidated and evaluated, and messages of specialized security systems (firewall logs, VPN gateways etc.) can be taken into account at the same time. In practice, however, these SIEM systems have proven to be extremely complex and operable only with a large personnel effort. Many times, SIEM systems are installed but neglected in continuing operation.
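The two paragraphs above make the central claim that some attacks are visible only when data from several systems is combined. As an added illustration (written for this page, not code from the SIMU project), the Python snippet below parses a constructed VPN gateway log and a constructed firewall log into events and evaluates one correlation rule that needs both sources: a VPN login that was preceded by repeated authentication failures from the same external address, after which the assigned internal address is denied access to several internal hosts in quick succession. The log formats, host names, user names, addresses and thresholds are all assumptions made for the example; on its own the VPN gateway only sees a user who mistyped a password, and the firewall only sees routine denials.

```python
"""Minimal cross-source event correlation, in the spirit of a SIEM rule.

Constructed example: a VPN gateway log and a firewall log are parsed into
events, then a rule is evaluated that can only fire when both sources are
combined. Log format, host names, addresses and user names are invented.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed VPN gateway log lines (hypothetical format).
VPN_LOG = """\
2011-09-12T08:01:05 vpn01 auth-fail user=jdoe src=203.0.113.7
2011-09-12T08:01:41 vpn01 auth-fail user=jdoe src=203.0.113.7
2011-09-12T08:02:13 vpn01 auth-fail user=jdoe src=203.0.113.7
2011-09-12T08:02:50 vpn01 auth-ok user=jdoe src=203.0.113.7 assigned=10.8.0.23
2011-09-12T08:30:00 vpn01 auth-ok user=asmith src=198.51.100.4 assigned=10.8.0.24
"""

# Constructed firewall log lines (hypothetical format).
FW_LOG = """\
2011-09-12T08:03:10 fw01 DENY src=10.8.0.23 dst=10.0.0.5 dport=445
2011-09-12T08:03:11 fw01 DENY src=10.8.0.23 dst=10.0.0.6 dport=445
2011-09-12T08:03:11 fw01 DENY src=10.8.0.23 dst=10.0.0.7 dport=445
2011-09-12T08:03:12 fw01 DENY src=10.8.0.23 dst=10.0.0.8 dport=3389
2011-09-12T08:03:12 fw01 DENY src=10.8.0.23 dst=10.0.0.9 dport=3389
2011-09-12T08:03:13 fw01 ALLOW src=10.8.0.23 dst=10.0.0.10 dport=443
2011-09-12T08:31:02 fw01 DENY src=10.8.0.24 dst=10.0.0.5 dport=445
2011-09-12T08:31:03 fw01 ALLOW src=10.8.0.24 dst=10.0.0.10 dport=443
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>\S+)(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_log(text: str) -> list[dict]:
    """Turn one log source into a list of event dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate unparseable lines instead of aborting the run
        ev = {"ts": datetime.fromisoformat(m["ts"]),
              "host": m["host"], "action": m["action"]}
        ev.update(KV_RE.findall(m["rest"]))  # key=value pairs become fields
        events.append(ev)
    return events


def correlate(vpn_text: str, fw_text: str, *, fail_threshold: int = 3,
              deny_threshold: int = 5,
              window: timedelta = timedelta(minutes=10)) -> list[dict]:
    """Rule: a VPN login preceded by >= fail_threshold failures from the same
    external address within `window`, whose assigned internal address then
    causes >= deny_threshold firewall denials to distinct hosts within
    `window` after the login. Neither source alone can raise this alert."""
    vpn = parse_log(vpn_text)
    fw = parse_log(fw_text)
    denies_by_src = defaultdict(list)
    for ev in fw:
        if ev["action"] == "DENY":
            denies_by_src[ev["src"]].append(ev)

    alerts = []
    for login in (e for e in vpn if e["action"] == "auth-ok"):
        fails = [e for e in vpn if e["action"] == "auth-fail"
                 and e["src"] == login["src"]
                 and login["ts"] - window <= e["ts"] < login["ts"]]
        if len(fails) < fail_threshold:
            continue
        internal = login.get("assigned")
        targets = {e["dst"] for e in denies_by_src.get(internal, [])
                   if login["ts"] <= e["ts"] <= login["ts"] + window}
        if len(targets) < deny_threshold:
            continue
        alerts.append({"user": login["user"], "external_src": login["src"],
                       "internal_src": internal, "failed_logins": len(fails),
                       "denied_targets": sorted(targets), "login_at": login["ts"]})
    return alerts


if __name__ == "__main__":
    for a in correlate(VPN_LOG, FW_LOG):
        print(f"ALERT: {a['user']} logged in from {a['external_src']} after "
              f"{a['failed_logins']} failures; {a['internal_src']} then hit "
              f"{len(a['denied_targets'])} blocked internal hosts")
```

The join key between the two sources is the internal address the gateway assigned at login; without that field from the VPN log, the firewall denials cannot be tied back to an account. The thresholds and the time window are tunable, which is exactly the kind of configuration and interpretation effort the next paragraphs identify as the cost of running a SIEM.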

SIEM systems are typically not suitable for use in the SME environment, mainly for the following reasons:

  1. High costs for installation and maintenance, because new components (collectors) have to be installed, configured and maintained in the IT infrastructure.
  2. High operating costs, because extensive expert knowledge is needed for the analysis and correct interpretation of the messages and output of SIEM systems.
  3. Poor scalability to small and medium-sized networks.

The main goal of the SIMU project was the development of a system, similar to a SIEM, that significantly improves IT security in a corporate network without great effort. Besides simple integration into the IT infrastructure of SME and easy traceability of relevant events and processes in the network, it is to be realized without great effort for configuration, operation and maintenance. On the functional level SIMU works like a SIEM system: it monitors processes and events within the corporate network and automatically initiates proactive real-time measures to improve security.