2nd project meeting at DECOIT GmbH in Bremen

The second project meeting of the SIMU project, which was kicked off in October, took place at DECOIT GmbH in Bremen on December 4, 2013. The main topics were the definition of user scenarios, the development of a generic scenario, usable monitoring protocols and systems, and possible synergies with other R&D projects such as MASSIF and iMonitor.

The second project meeting between the SIMU partners took place in the building of the BITZ (Innovation and Technology Center Bremen), because the number of participants exceeded the capacity of DECOIT's available rooms. DECOIT GmbH, the consortium manager of the project, hosted the meeting.

Bremer Innovations- und Technologie-Zentrum (BITZ)

Different scenarios were segmented by SME size as defined by the European Union. Additionally, the experiences of the industrial project partners were taken into consideration. The central questions were: Is the segmentation by SME size appropriate? Are the defined scenarios accurate? Should a generic scenario be defined at all, and what added value could be created by applying SIEM? During the following discussion it was determined that there should not be a generic scenario, in order to avoid creating unnecessary limits, and that the security components used in each scenario should also be listed.

Anomaly detection constitutes a central requirement. Initial examinations of classification, clustering and statistical methods have already taken place. In the intended approach, training data is grouped into abstract classes, which improves the transfer of policy rules. At the moment many events are associated with a certain degree of uncertainty; a numerical measure or label for this uncertainty would be desirable. Many different SIEM collectors (syslog, nmap, SNMP, smartphone) that are to be implemented were discussed. These can build on the IF-MAP developments by DECOIT that originated in the ESUKOM project.

Another important topic is the integration of ontologies. The focus lies on knowing what you have in order to know what needs to be done. An automatic representation of the IT infrastructure using metadata is desirable. Collectors can draw on arbitrary sources. The IO-Toolset by Fraunhofer SIT, which was developed further and already used during the VISA project, can be integrated. The IO-Toolset and IF-MAP each use metadata independently of the other, which is why a bidirectional gateway should be planned. The integration of IF-MAP collectors into the IO-Toolset is conceivable. Additionally, the ontology base could be used as a simulation platform in order to analyze the defined scenarios.

Possible monitoring protocols and systems were examined. Mainly open-source-based approaches were considered, because standards and open interfaces are of great importance. Regarding protocols, syslog, NetFlow, IPFIX, SNMP, RMON, SMON and TNC/IF-MAP were examined closely. With regard to systems, mainly Icinga (Nagios) and OSSIM come into consideration. While Icinga stands out for its modular structure, very good documentation and diverse plug-ins, OSSIM can counter with the fact that it already is a SIEM system. Unfortunately, OSSIM neither has sufficient documentation, nor does its vendor AlienVault appear interested in further development by third parties. Several inquiries went unanswered, which is why the SIMU project partners are considering creating an independent SIEM tool.

Finally, several project cooperations (VisITMeta, MASSIF, iMonitor), which help the SIMU project reach its ambitious goals, were discussed. There are several synergies that can be exploited. The vendors Enterasys Networks and Juniper Networks are cooperating project partners, as both are interested in offering their products within the SIEM environment. A joint workshop could take place during the PlugFest of the Trusted Computing Group in the upcoming spring. As all SIMU partners are also TCG members, this would be the ideal platform to test new developments and to agree upon further steps.