The SIMU project was presented at the RSA Conference 2015
The RSA Conference has taken place annually in San Francisco since 1993. With 33,000 participants it is one of the largest and most important IT security conferences in the world. This year (April 20th) 490 lectures, keynotes, tutorials and seminars on IT security were held by 700 speakers. Under the motto "Change: Challenge today's security thinking" the conference addressed the question of how to cope with current challenges in a fast-changing IT environment without neglecting security. DECOIT GmbH and the University of Applied Sciences and Arts of Hanover were there to present research results of the SIMU project and to discuss solutions with other researchers.
Within the scope of the seminar "TCG: Should We Trust Mobile Computing, IoT and the Cloud? No, But There Are Solutions", DECOIT and the University of Hanover presented two demo showcases including results of the SIMU and iMonitor (www.imonitor-project.de) research projects.
The first demo showcase, "Near real-time network security with an IF-MAP based SIEM approach", covered the realization of a SIEM system with the help of the TCG standard IF-MAP. The approach uses the IF-MAP graph as its data store instead of the classical database (e.g. SQL) that conventional SIEM systems rely on. The graph is searched for IT security incidents with the help of patterns (pattern matching). As soon as a pattern is recognized in the graph, the system passes that information on to the SIEM-GUI, which then displays a recommended action so that the IT administrator can handle the incident without expert knowledge.
The second showcase, "BYOD solutions well in hand: standards-based mobile security", dealt with BYOD with the help of IF-MAP and the interoperability with the Policy Enforcement Point (PEP) by Pulse Secure. The main point was to recognize when a mobile device conducts an attack on the internal corporate network. For this purpose, login data of devices and data from other network components (Snort, Nagios, DHCP, iptables) are held in one IF-MAP graph and evaluated by correlation. Once an attack or misbehaviour by a device is recognized, the PEP excludes that device from the internal corporate network.
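As an added illustration of the graph-based pattern matching behind both showcases (this is example code written for this page, not code from SIMU, DECOIT or the university), the following Python models a small IF-MAP-style graph and one pattern: a critical Snort event on an ip-address is followed over the DHCP ip-mac link and the PEP's access-request to the device, and a recommended PEP action is produced. Identifier and metadata names follow IF-MAP conventions; all data is constructed.

```python
"""Toy IF-MAP-style graph plus a pattern matcher (constructed example, not SIMU code)."""
from collections import defaultdict, namedtuple

# IF-MAP identifier: a typed node such as ("ip-address", "10.0.0.23") or ("device", "phone-alice")
Identifier = namedtuple("Identifier", "kind value")


class Graph:
    def __init__(self):
        self.meta = defaultdict(list)   # identifier -> [(metadata type, attributes, neighbour or None)]

    def publish(self, a, meta_type, b=None, **attrs):
        """Attach metadata to identifier a (b is None) or to the link a--b."""
        self.meta[a].append((meta_type, attrs, b))
        if b is not None:               # link metadata is visible from both ends
            self.meta[b].append((meta_type, attrs, a))

    def get(self, ident, meta_type):
        return [(attrs, n) for mt, attrs, n in self.meta[ident] if mt == meta_type]


def match_attacking_device(graph):
    """Pattern: ip-address with a critical Snort 'event' --ip-mac--> mac-address
    --access-request-mac--> access-request --access-request-device--> device.
    Returns (device name, recommended action): the text the SIEM-GUI would show."""
    findings = []
    for ident in list(graph.meta):
        if ident.kind != "ip-address":
            continue
        alerts = [a for a, _ in graph.get(ident, "event")
                  if a.get("discoverer") == "snort" and a.get("significance") == "critical"]
        if not alerts:
            continue
        for _, mac in graph.get(ident, "ip-mac"):
            for _, ar in graph.get(mac, "access-request-mac"):
                for _, dev in graph.get(ar, "access-request-device"):
                    findings.append((dev.value, f"quarantine {dev.value} ({mac.value}) at the PEP: "
                                                f"{alerts[0]['name']} from {ident.value}"))
    return findings


def build_sample_graph():
    """Constructed data standing in for the DHCP, PEP and Snort publishers."""
    g = Graph()
    ip, mac = Identifier("ip-address", "10.0.0.23"), Identifier("mac-address", "aa:bb:cc:dd:ee:01")
    ar, dev = Identifier("access-request", "ar-0001"), Identifier("device", "phone-alice")
    g.publish(ar, "access-request-mac", mac)       # PEP: which MAC asked for network access
    g.publish(ar, "access-request-device", dev)    # PEP: which device that request belongs to
    g.publish(ip, "ip-mac", mac)                   # DHCP lease
    g.publish(ip, "event", name="portscan of 10.0.1.0/24", discoverer="snort", significance="critical")
    g.publish(Identifier("ip-address", "10.0.0.42"), "event",   # noise that must not match
              name="ping", discoverer="snort", significance="informational")
    return g
```

Running `match_attacking_device(build_sample_graph())` yields one finding for phone-alice; the informational event on 10.0.0.42 does not complete the pattern and is ignored.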
The RSA Conference was a success. Our research results met with a positive response, and many interesting conversations with visitors to the showcases took place. Furthermore, new ideas were collected during the conference lectures.