Thursday, January 08, 2009

Event Processing and Security

What is the relationship between Complex Event Processing (CEP) and Application Security (asks James McGovern)? My answer is that there is not one single relationship, but there may be relationships in both directions.

Perhaps the most obvious relationship is that event processing technologies can be used to support application security, helping to detect security threats and to monitor security compliance.

But there is also a reverse relationship. A CEP system may itself have vulnerabilities, and Application Security principles may be needed to address them. For example, any event detection system can be fed deceptive events, known as chaff, by an adversary who wants to trigger false alerts or to bury a real one among them.

Actually, there are two different concepts of chaff at play here. Some CEP experts use the term as it is used in agriculture, to refer to uninteresting or unwanted stuff. For example, see David Luckham and Mark Palmer, Separating Wheat from Chaff (RFID Journal, October 2004).

Meanwhile, security-conscious CEP experts, such as my friend Tim Bass, use the term as it is used in radar defence, to refer to decoy events. Chaff consists of strips of metal foil dropped to create misleading returns on enemy radar. (Interestingly, in the Second World War, each side invented this technique but hesitated to deploy it, for fear of revealing the technique to the other side.) For example, see Tim's post on Quintessential Event Processing (November 2008).

Both kinds of chaff increase the level of clutter, thus reducing the accuracy and reliability of event-driven systems. For example, see this article about the effect of clutter on security: Five ways to clean your firewall of clutter and stay secure.
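To make the two kinds of chaff concrete, here is an added example (my own illustration, not code from the original post or from the authors it cites). It runs a simple CEP-style rule, "alert on five failed logins for one account within sixty seconds", over a constructed event stream, then shows agricultural-sense chaff (irrelevant heartbeat events, which a type filter discards harmlessly) and radar-sense chaff (decoy failures crafted to trip the rule for hundreds of fake accounts, which bury the one real alert). The final function is one hypothetical countermeasure: fold the per-user alerts from a single source into one higher-level event. All event data, usernames and addresses are constructed for the example.

```python
from collections import defaultdict, deque


def real_stream():
    """Constructed sample stream: routine logins plus one real brute-force
    attempt on 'alice' (six failures in 20 seconds from 203.0.113.7)."""
    events, t = [], 0
    for i in range(20):
        t += 30
        events.append({"t": t, "type": "login_ok", "user": f"user{i % 5}", "src": "198.51.100.10"})
        if i % 7 == 0:  # an occasional mistyped password, never enough to trip the rule
            events.append({"t": t + 1, "type": "login_fail", "user": f"user{i % 5}", "src": "198.51.100.10"})
    for k in range(6):
        events.append({"t": 700 + k * 3, "type": "login_fail", "user": "alice", "src": "203.0.113.7"})
    return sorted(events, key=lambda e: e["t"])


def add_noise(events, n=500):
    """Agricultural-sense chaff: uninteresting events (heartbeats) mixed into the stream."""
    noise = [{"t": i * 2, "type": "heartbeat", "user": None, "src": "10.0.0.1"} for i in range(n)]
    return sorted(events + noise, key=lambda e: e["t"])


def add_decoys(events, n_users=200):
    """Radar-sense chaff: for each of n_users fake accounts, exactly five failures
    within a few seconds, crafted to trip the detection rule."""
    decoys = [
        {"t": 600 + u * 2 + k, "type": "login_fail", "user": f"fake{u}", "src": "203.0.113.7"}
        for u in range(n_users) for k in range(5)
    ]
    return sorted(events + decoys, key=lambda e: e["t"])


def detect_bruteforce(events, threshold=5, window=60):
    """Per-user sliding-window rule. The type check is the 'wheat from chaff'
    filter: heartbeats never reach the window. Returns one alert per user,
    raised the first time the threshold is crossed."""
    recent, alerted, alerts = defaultdict(deque), set(), []
    for e in events:
        if e["type"] != "login_fail":
            continue
        q = recent[e["user"]]
        q.append(e["t"])
        while q and q[0] < e["t"] - window:
            q.popleft()
        if len(q) >= threshold and e["user"] not in alerted:
            alerted.add(e["user"])
            alerts.append({"user": e["user"], "t": e["t"], "src": e["src"]})
    return alerts


def precision(alerts, real_users=frozenset({"alice"})):
    """Fraction of raised alerts that concern a genuinely attacked account."""
    if not alerts:
        return 0.0
    return sum(1 for a in alerts if a["user"] in real_users) / len(alerts)


def collapse_by_source(alerts, max_users=3):
    """Hypothetical countermeasure: when one source trips the per-user rule for
    more than max_users accounts, emit a single source-level alert instead of
    one alert per account, so the decoys fold into one event for the operator."""
    by_src = defaultdict(list)
    for a in alerts:
        by_src[a["src"]].append(a)
    out = []
    for src, group in by_src.items():
        if len(group) > max_users:
            out.append({"kind": "source", "src": src, "users": len(group),
                        "t": min(a["t"] for a in group)})
        else:
            out.extend({"kind": "user", **a} for a in group)
    return out


if __name__ == "__main__":
    clean = detect_bruteforce(real_stream())
    noisy = detect_bruteforce(add_noise(real_stream()))
    chaffed = detect_bruteforce(add_decoys(real_stream()))
    print("clean:   ", len(clean), "alert(s), precision", precision(clean))
    print("noise:   ", len(noisy), "alert(s), precision", precision(noisy))
    print("decoys:  ", len(chaffed), "alert(s), precision", round(precision(chaffed), 4))
    print("collapsed:", collapse_by_source(chaffed))
```

The heartbeat chaff costs only processing time, because the type filter removes it before it reaches the window. The decoy chaff is the security problem: the rule fires 201 times, the real alert is one of them, and an operator facing that list is in the cluttered position discussed below. Folding the alerts by source reduces 201 events to one, which still names the attacked source; the caveat is that an adversary who spreads decoys across many spoofed or compromised sources defeats this particular fold, so the higher-level rule has to be chosen with the adversary's options in mind rather than as a fixed dashboard tidy-up.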

David Luckham (again) mentions clutter as a user design issue (Dashboard Design) but even this kind of clutter has system consequences: it affects the effectiveness of a man-machine system; and this is not so very different from the consequences of (a different kind of) clutter on the effectiveness of a firewall.

From the accounts I have read of the Three Mile Island case, my understanding is that it was something akin to clutter (in David's sense) that made it almost impossible for the operators to respond intelligently and appropriately to a series of system alerts. The Three Mile Island case has important lessons for both event-processing systems and for security.

In terms of the manifold relationships between complex event processing and application security, which was where James' original question led us, I think that one of the possible relationships is that they both rest on the same set of fundamental concepts and theories - for example sociotechnical systems and cybernetics.

To understand these relationships more deeply, we need a general account of (secure event-driven) or (event-driven secure) systems, and this might involve more abstract but rigorous notions of chaff and clutter.

originally posted in the CEP discussion group on Linked-In
