First proposal of planned SIEM architecture

On December 19th, 2013, the first proposal of the planned SIEM architecture for the SIMU Project was completed. The main focus was to analyze the approaches of several research projects for common synergies and to make use of them. The projects analyzed were MASSIF, iMonitor, VisITMeta and VISA, all of which were conducted by Fraunhofer SIT and/or DECOIT GmbH in the past. The result was an expansion of the previously planned SIMU architecture.

During the meeting, Fraunhofer SIT and DECOIT GmbH looked at the architectures of the former projects ESUKOM and MASSIF. Although both projects were conducted separately from each other, a certain resemblance was noted: both architectures include a MAP server as well as monitoring and sensor gateways. Both provide a good basis for the design of the SIMU architecture. As the SIMU project builds on the ESUKOM project, the partners will extend components developed during ESUKOM by adding SIEM functionality. However, the processes between all components have not yet been sufficiently defined.

After discussing various issues, it was decided to define a lighthouse use case that describes how all SIEM components work together; MASSIF provides a basis for this. Furthermore, the IF-MAP specification by the Trusted Computing Group (TCG) will be developed further. This specification is being prepared for standardization as an RFC and is to be improved with regard to the existing SOAP binding. As SOAP/XML messages are too heavyweight, especially for mobile devices, the use of other encoding formats is being considered. During the meeting the alternative Concise Binary Object Representation (CBOR), standardized in RFC 7049, was discussed. CBOR is significantly slimmer than XML and could also be used effectively within the SIMU architecture. Evaluation is the next step; its use will be discussed directly with the TCG.
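The size argument for CBOR over the existing SOAP/XML binding, as an added example that is not part of the original post or of the SIMU project's code: a minimal RFC 7049 encoder (standard library only) applied to a constructed IF-MAP-style publish record, beside the same record written as a SOAP/XML message. The record shape, identifier names and metadata values are assumptions for illustration, not SIMU's schema.

```python
import struct
import xml.etree.ElementTree as ET

def _head(major, n):
    """Initial byte (major type in the top 3 bits) plus the argument n (RFC 7049, section 2)."""
    if n < 24:
        return bytes([(major << 5) | n])
    for ai, fmt in ((24, ">B"), (25, ">H"), (26, ">I"), (27, ">Q")):
        if n < 1 << (8 * struct.calcsize(fmt)):
            return bytes([(major << 5) | ai]) + struct.pack(fmt, n)
    raise ValueError("argument too large for CBOR")

def cbor_encode(obj):
    """Encode int, str, bytes, bool, None, list and dict to CBOR (definite lengths, no floats or tags)."""
    if isinstance(obj, bool) or obj is None:          # bool is an int subclass: test it first
        return b"\xf5" if obj is True else b"\xf4" if obj is False else b"\xf6"
    if isinstance(obj, int):
        return _head(0, obj) if obj >= 0 else _head(1, -1 - obj)
    if isinstance(obj, bytes):
        return _head(2, len(obj)) + obj
    if isinstance(obj, str):
        data = obj.encode("utf-8")
        return _head(3, len(data)) + data
    if isinstance(obj, (list, tuple)):
        return _head(4, len(obj)) + b"".join(cbor_encode(x) for x in obj)
    if isinstance(obj, dict):
        return _head(5, len(obj)) + b"".join(cbor_encode(k) + cbor_encode(v) for k, v in obj.items())
    raise TypeError(f"unsupported type {type(obj).__name__}")

# Constructed sample (assumed shape, not SIMU's schema): an IF-MAP style ip-mac link from a DHCP sensor.
RECORD = {
    "ip-address": {"value": "10.0.0.7", "type": "IPv4"},
    "mac-address": {"value": "00:11:22:33:44:55"},
    "metadata": {"ip-mac": {"start-time": "2013-12-19T10:00:00Z", "dhcp-server": "dhcp1"}},
}

def xml_encode(record):
    """The same record as a SOAP envelope carrying an IF-MAP publish/update (illustrative, not validated)."""
    env = ET.Element("env:Envelope", {"xmlns:env": "http://www.w3.org/2003/05/soap-envelope",
                                      "xmlns:ifmap": "http://www.trustedcomputinggroup.org/2010/IFMAP/2"})
    upd = ET.SubElement(ET.SubElement(ET.SubElement(env, "env:Body"), "ifmap:publish"), "update")
    ET.SubElement(upd, "ip-address", record["ip-address"])
    ET.SubElement(upd, "mac-address", record["mac-address"])
    meta = ET.SubElement(upd, "metadata")
    for name, fields in record["metadata"].items():
        elem = ET.SubElement(meta, name)
        for key, value in fields.items():
            ET.SubElement(elem, key).text = value
    return ET.tostring(env, encoding="utf-8")
```

Comparing `len(xml_encode(RECORD))` with `len(cbor_encode(RECORD))` shows where the XML overhead comes from: namespace declarations, repeated end tags and the SOAP envelope, none of which the CBOR map needs.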

New possible SIMU architecture

At the end of the meeting the first version of the SIMU architecture was revised. It now contains two additional components (see figure), the IO-Toolset and a CBOR proxy. Furthermore, two additional IF-MAP clients have been added. DECOIT GmbH is considering using the topology editor developed in the VISA project to visualize network topologies in the SIEM GUI; it is already connected to the IO-Toolset. The extension of existing IF-MAP clients with SIEM functionality is going to be incorporated into the design.