• DocumentCode
    2130653
  • Title
    A Scalable SIEM Correlation Engine and Its Application to the Olympic Games IT Infrastructure
  • Author

    Vianello, Valerio ; Gulisano, Vincenzo ; Jimenez-Peris, Ricardo ; Patino-Martinez, Marta ; Torres, Ricardo ; Diaz, Rodolfo ; Prieto, Elsa

  • Author_Institution
    Fac. de Inf., Univ. Politec. de Madrid, Madrid, Spain
  • fYear
    2013
  • fDate
    2-6 Sept. 2013
  • Firstpage
    625
  • Lastpage
    629
  • Abstract
    The scalability of security event correlation has become a major concern for security analysts and IT administrators of complex IT infrastructures that must handle very large volumes of events or wide correlation windows. The correlation capabilities of current Security Information and Event Management (SIEM) systems, which run on a single node in a centralized server, have proved insufficient to process large event streams. This paper introduces a step forward in the state of the art to address these problems. The proposed model takes into account the two main aspects of this field: distributed correlation and query parallelization. We present a case study of a multiple-step attack on the Olympic Games IT infrastructure to illustrate the applicability of our approach.
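    The following is an added illustration of the idea the abstract names, query parallelization by partitioning the event stream on a correlation key so that each worker runs the same windowed query over its own slice. It is not the engine described in the paper and not code from the authors; the hash-partitioning scheme, the two rules (a brute-force rule over a short window and a low-and-slow rule over a long one, matching the paper's keywords), their thresholds, and the sample events are all assumptions made for the example.

```python
"""Key-partitioned, windowed correlation over a security event stream.

Added illustration of distributed correlation / query parallelization for
SIEM; not the engine from the paper. Partitioning scheme, rule thresholds
and sample events are assumptions for the example.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Set, Tuple
import hashlib


@dataclass(frozen=True)
class Event:
    ts: int           # seconds since epoch (constructed)
    src_ip: str       # correlation key for both rules
    user: str
    outcome: str      # "fail" or "success"


Alert = Tuple[str, str, int]   # (rule name, source IP, timestamp of firing)


def partition_of(key: str, n_workers: int) -> int:
    """Hash-partition a correlation key. All events sharing the key land on
    the same worker, so each worker can evaluate the windowed query on its
    slice without talking to the others (assumed scheme, not the paper's)."""
    digest = hashlib.sha256(key.encode()).digest()
    return int.from_bytes(digest[:4], "big") % n_workers


class WindowedFailureCounter:
    """Per-worker state: sliding window of failed logins per source IP.

    Two rules with thresholds assumed for the example:
      brute force : >= 10 failures within 60 s
      low and slow: >= 20 failures within 3600 s from a source that never
                    tripped the brute-force rule (it stays under that rate)
    """
    BF_WINDOW, BF_THRESHOLD = 60, 10
    LS_WINDOW, LS_THRESHOLD = 3600, 20

    def __init__(self) -> None:
        self.fails: Dict[str, Deque[int]] = defaultdict(deque)
        self.alerts: List[Alert] = []
        self.flagged_bf: Set[str] = set()
        self.flagged_ls: Set[str] = set()

    def process(self, ev: Event) -> None:
        if ev.outcome != "fail":
            return
        q = self.fails[ev.src_ip]
        q.append(ev.ts)
        # Evict timestamps older than the longest window we ever look at.
        while q and ev.ts - q[0] > self.LS_WINDOW:
            q.popleft()
        recent = sum(1 for t in q if ev.ts - t <= self.BF_WINDOW)
        if recent >= self.BF_THRESHOLD and ev.src_ip not in self.flagged_bf:
            self.flagged_bf.add(ev.src_ip)
            self.alerts.append(("brute_force", ev.src_ip, ev.ts))
        elif (len(q) >= self.LS_THRESHOLD
              and ev.src_ip not in self.flagged_bf
              and ev.src_ip not in self.flagged_ls):
            self.flagged_ls.add(ev.src_ip)
            self.alerts.append(("low_and_slow", ev.src_ip, ev.ts))


def correlate(events: List[Event], n_workers: int = 4) -> List[Alert]:
    """Route each event to the worker owning its key, then merge the alerts.
    Workers are simulated sequentially here; in a deployment each partition
    would be a separate node consuming its own sub-stream. Because the state
    is keyed, the merged result does not depend on n_workers."""
    workers = [WindowedFailureCounter() for _ in range(n_workers)]
    for ev in sorted(events, key=lambda e: e.ts):
        workers[partition_of(ev.src_ip, n_workers)].process(ev)
    alerts = [a for w in workers for a in w.alerts]
    alerts.sort(key=lambda a: a[2])
    return alerts


def sample_events() -> List[Event]:
    """Constructed sample stream: one fast brute-force source, one
    low-and-slow source spacing attempts 120 s apart, and benign noise."""
    base = 1_700_000_000
    evs = [Event(base + 2 * i, "203.0.113.5", "admin", "fail")       # 12 in 22 s
           for i in range(12)]
    evs += [Event(base + 120 * i, "198.51.100.7", "operator", "fail")  # 25 in 48 min
            for i in range(25)]
    evs += [Event(base + 5, "192.0.2.9", "alice", "fail"),
            Event(base + 9, "192.0.2.9", "alice", "success")]
    return evs


if __name__ == "__main__":
    for rule, ip, ts in correlate(sample_events()):
        print(f"{ts} {rule:<12} {ip}")
```

    Running the block prints one brute-force alert for 203.0.113.5 and one low-and-slow alert for 198.51.100.7; the benign source produces nothing. The point to take from it is the partitioning invariant: because every rule keys on src_ip and the router sends a key to exactly one worker, correlate() yields the same alerts for 1 or 8 workers, which is what makes the query safe to parallelize. A rule that correlated across keys (for example, one user hit from many sources) would need a second stage that re-partitions on the other key.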
  • Keywords
    file servers; query processing; security of data; sport; IT administrators; IT infrastructures; centralized servers; distributed correlation; event streams; multiple-step attack; olympic games IT infrastructure; query parallelization; scalable SIEM correlation engine; security analysts; security event correlation scalability; security information and event management; Correlation; Engines; Force; Games; Security; Semantics; Servers; CEP; Complex Event Processing; Olympic Games; SIEM; Scalability; brute force; low and slow;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Availability, Reliability and Security (ARES), 2013 Eighth International Conference on
  • Conference_Location
    Regensburg
  • Type
    conf
  • DOI
    10.1109/ARES.2013.82
  • Filename
    6657298