Validation and Reverse Business Process Documentation of on line services

Similar documents
Security Device Roles

RSA INCIDENT RESPONSE SERVICES

RSA INCIDENT RESPONSE SERVICES

Scan Report Executive Summary. Part 2. Component Compliance Summary Component (IP Address, domain, etc.):ekk.worldtravelink.com

Scan Report Executive Summary

Mechanisms for Database Intrusion Detection and Response. Michael Sintim - Koree SE 521 March 6, 2013.

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

Title: Multiple Remote Command Execution vulnerabilities on Avaya Intuity Audix LX (plus some client-side bugs)

WKU-MIS-B10 Data Management: Warehousing, Analyzing, Mining, and Visualization. Management Information Systems

Post-Class Quiz: Access Control Domain

Uniform Resource Locators (URL)

Hawaii Energy and Environmental Technologies (HEET) Initiative

Scan Report Executive Summary

Exam : Title : Security Solutions for Systems Engineers(SSSE) Version : Demo

CIS Top 20 #13 Data Protection. Lisa Niles: CISSP, Director of Solutions Integration

Scan Report Executive Summary

SOLUTION BRIEF REMOTE ACCESS: WEBSHELLS SEE EVERYTHING, FEAR NOTHING

IBM Security technology and services for GDPR programs GIULIA CALIARI SECURITY ARCHITECT

Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition. Chapter 3 Investigating Web Attacks

CNIT 121: Computer Forensics. 9 Network Evidence

Different attack manifestations Network packets OS calls Audit records Application logs Different types of intrusion detection Host vs network IT

IDP Detector Engine Release Notes

Prof. Ahmet Süerdem Istanbul Bilgi University London School of Economics

MASTERCARD PRICELESS SPECIALS INDIA PRIVACY POLICY

IBM SmartCloud Notes Security

Data-Driven DevOps: Bringing Visibility to Any Cloud, Any App, & Any Device. Erik Giesa SVP of Marketing and Business Development, ExtraHop Networks

Network Performance Analysis System. White Paper

NOTHING IS WHAT IT SIEMs: COVER PAGE. Simpler Way to Effective Threat Management TEMPLATE. Dan Pitman Principal Security Architect

Application Firewall-Instant Message Traffic Enforcement

Computer Forensics: Investigating Network Intrusions and Cybercrime, 2nd Edition. Chapter 2 Investigating Network Traffic

CSE 565 Computer Security Fall 2018

RSA NetWitness Suite Respond in Minutes, Not Months

Monitoring the Device

Scan Report Executive Summary. Part 2. Component Compliance Summary Component (IP Address, domain, etc.):

SERIES X: DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY. ITU-T X.660 Guidelines for using object identifiers for the Internet of things

CIS Controls Measures and Metrics for Version 7

Security analytics: From data to action Visual and analytical approaches to detecting modern adversaries

Intrusion Detection Using Data Mining Technique (Classification)

CIS Controls Measures and Metrics for Version 7

Scan Report Executive Summary

C. The system is equally reliable for classifying any one of the eight logo types 78% of the time.

ForeScout App for Splunk

M2M / IoT Security. Eurotech`s Everyware IoT Security Elements Overview. Robert Andres

CloudSOC and Security.cloud for Microsoft Office 365

TOP SECRET I ICOMINT I IREL TO USA, AUS, CAN, GBR, NZL

The S in IoT is for Security Owning all the Things

CNS-205 Citrix NetScaler 10.5 Essentials and Networking

Ethical Hacking and Countermeasures: Web Applications, Second Edition. Chapter 3 Web Application Vulnerabilities

GIN ECSB. Enterprise Content Service Bus

ForeScout Extended Module for VMware AirWatch MDM

Cubro FlowVista Series

ASA Access Control. Section 3

CAN MICROSOFT HELP MEET THE GDPR

Means for Intrusion Detection. Intrusion Detection. INFO404 - Lecture 13. Content

IT Security Training MS-500: Microsoft 365 Security Administration. Upcoming Dates. Course Description. Course Outline $2,

Data Privacy and Protection GDPR Compliance for Databases

Understanding Cisco Cybersecurity Fundamentals

Code No: R Set No. 1

Network Security and Cryptography. 2 September Marking Scheme

Configuring User Defined Patterns

ngenius Products in a GDPR Compliant Environment

Web Programming Paper Solution (Chapter wise)

Configuring Different Modes of Operation

Appendix A GLOSSARY SYS-ED/ COMPUTER EDUCATION TECHNIQUES, INC.

Basic Concepts in Intrusion Detection

HPE Intelligent Management Center

(2½ hours) Total Marks: 75

Data Mining for Improving Intrusion Detection

Stealthwatch and Cognitive Analytics Configuration Guide (for Stealthwatch System v6.10.x)

Tools, Techniques, and Methodologies: A Survey of Digital Forensics for SCADA Systems

GRANDSTREAM PRIVACY STATEMENT

Application Firewall-Instant Message Traffic

RSA. The security division of EMC. Visibilidad total en el entorno de seguridad. Javier Galvan Systems Engineer Mexico & NOLA

Berner Fachhochschule Haute cole spcialise bernoise Berne University of Applied Sciences 2

Sophos Mobile Control Technical guide

Managing Microsoft 365 Identity and Access

SAS Event Stream Processing 4.2: Security

Comprehensive Technical SEO Site Audit. PolyTab.com

SERIES X: DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY Secure applications and services Security protocols

IS THERE A HOLE IN YOUR RISC-V SECURITY STACK? JOTHY ROSENBERG DOVER MICROSYSTEMS

Wayward Wi-Fi. How Rogue Hotspots Can Hijack Your Data and Put Your Mobile Devices at Risk

BIG-IP DataSafe Configuration. Version 13.1

Analogue voice to Analogue voice (Mapped FXS-FXO)

MAIL PLUGIN FOR IBM MASHUP CENTER

Detect Fraud & Financial Crime

Once all of the features of Intel Active Management Technology (Intel

Seceon s Open Threat Management software

NGFW Security Management Center

THE RSA SUITE NETWITNESS REINVENT YOUR SIEM. Presented by: Walter Abeson

Endpoint Security - what-if analysis 1

Web Security, Summer Term 2012

Web Security, Summer Term 2012

ETHICAL HACKING & COMPUTER FORENSIC SECURITY

Chapter 2. Switch Concepts and Configuration. Part II

90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation

ForeScout Extended Module for MaaS360

Administrator's Guide

Inspection of Router-Generated Traffic

Copyright

An Extensive Evaluation of the Internet s Open Proxies

Transcription:

Geneva, Switzerland, 15-16 September 2014 ITU Workshop on ICT Security Standardization for Developing Countries (Geneva, Switzerland, 15-16 September 2014) Validation and Reverse Business Process Documentation of on line services Maurizio Talamo, Full Professor, University of Rome Tor Vergata, maurizio.talamo@uniroma2.it

Business problem overview Problem owner Organizations that provide informational, administrative and economical services over the Internet Issues Business intelligence and analytics on line acquisition and real time integration and processing of information from the services issued over the Internet Decision making improve the decision making activities through real time knowledge of the behavior/status of the services issued over the internet How to effectively implement and use process mining and online data acquisition techniques Geneva, Switzerland, 15-16 September 2014 2

Given a web-service issued over the internet extract process logs directly from the network data Data The elementary items passing through the network, at different level of complexity Services/Security Specific reconstruction activites, starting from the acquired data Transactions Specific discovery activities of the relationships between services issued, where a transaction can be viewed as a composition/sequence of single services Geneva, Switzerland, 15-16 September 2014 3

The Data The elementary items passing through the network, at different level of complexity: Low level communication protocol (MAC address, TCP/IP address and port) High level communication protocol (HTTP host and headers) Application protocol (HTTP URL and Parameters, HTML page items, ) Communication errors/anomalies Geneva, Switzerland, 15-16 September 2014 4

Services/Security As a result of a specific reconstruction activity, starting from the acquired data it is possible to obtain Numerosity of the services issued Quality of services: Response time of the services, data loss, usage statistics of the services issued including user sessions timing, discovery of critical services, discovery of the most/less used services Numerosity of the users who access to the services Security level (security protocols used, controlled access, dynamic pages usage, ) Discovery of DoS attacks of different nature (at tcp level, at http level, fast repetition of patterns, upload of too big files, access to too big URLs, inadequate number of parameters, ) Territorial distribution of the traffic, too big files and data, usage of old communication protocols and languages (HTTP/1.0, HTML 4, XACML 2.0, ) Geneva, Switzerland, 15-16 September 2014 5

Transactions As a result of a specific discovery activity of relationships among services issued, where a transaction is a composition/sequence of single services Certification of the correctly terminated transactions (made by one or more services) Certification of unfinished transactions (when and at which step the transaction has stopped, the user, ) Anomalous behaviours (transactions/services that do no comply with the designed behaviour) Complex security attacks (phishing, identity theft, privilege escalation, ) Archiving of the original logs in an untouched way for auditing, ensuring that one can only access data for which access has been authorized. Geneva, Switzerland, 15-16 September 2014 6

Some technical issues How to manage a large quantity of (real time) logs and how to discover relationships among them. How to enable a fast search (real time) on the logs without modifying them. How to generate patterns and recognize them on the information flow, to be evaluated as anomalies or not. How to maintain original logs in an untouched way for auditing, but, at the same time, build indexes to search them and to avoid exposure to unauthorized users. How to avoid data loss when acquiring logs directly from the networks. How to permit a search of the logs based on complex keywords and structured descriptions of properties where temporal order is important. To query and recognize chains of events occurring at different locations and to relate them using tags directly acquired online. To discover anomalies and errate behavior of the services issued over the internet caused by the customer. To support the technical management of the sites of the customer, including most used pages, IP traffic, territorial distribution of the traffic, too big files and data, usage of old communication protocols or run time libraries, To support the security of the sites, discovering DoS attacks of different nature (at tcp level, at http level, fast repetition of patterns, upload of too big files, access to too big URLs, inadequate number of parameters, ) Geneva, Switzerland, 15-16 September 2014 7

On line data acquisition and processing Frame 1 Frame 2 Frame 3 Frame Frame N Classification Rules (Metatags) Application 1 flow Application 2 flow Application 3 flow Geneva, Switzerland, 15-16 September 2014 8

Basic functional requirements To acquire logs directly from the network the acquiring devices should Automatically reconstruct original applicaton flows from the data frames acquired on the network Sign digitally the original data frames and associate them to the reconstructed application flows, making them usable as proof in criminal or administrative proceedings Associate tags, from a set of selected Metatags, to the entire or parts of the reconstructed application flows Provide a query language for selecting all the reconstructed flows and the original signed and unmodified network frames, based of the associated tags or temporal sequences of tags Geneva, Switzerland, 15-16 September 2014 9

Modular architecture Acquiring devices Key manager History manager Classification Rules (Metatags) Multidimensional data manager Multidimensional tags archive Access manager Operator TS Server Signature Server Multidimensional view manager Geneva, Switzerland, 15-16 September 2014 10

Modular architecture The raw data are aggregated from and classified according to the "Classification Rules" in the system "Multidimensional Data Manager (MDM) The MDM locates in real time the MetaTags in the raw data (defined by the rules of classification), structures them according to a scheme of multidimensional access and associates them with the flow of data related to the process instances The MDM builds and maintains also a multidimensional data structure containing all the meta tags and associated tags used for classification of the application flows The output data from MDM reaches the History Manager, which stores and encrypts all elementary process flows. The History Manager provides on demand the keys, managed by the Key Manager, to decipher the individual elementary frames and produces a "log" of such requests. The tags, organized in multidimensional access structure, are directly usable, through the query language of the View Manager, in order to be queried and to provide the original frames or the resulting classified application flows to the user. Geneva, Switzerland, 15-16 September 2014 11

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback