Project summary

The goal of the CLEARER project is to increase the quality of IT-security and IT-compliance rules and incidents in order to reduce the effort needed to interpret incidents as well as the cost of administering the system.

The consortium comprises DECOIT GmbH and the University of Applied Sciences and Arts Hanover (HsH). DECOIT has a lot of experience in the open-source sector as well as with IT security, and the HsH adds its expertise from the academic environment regarding network security, along with knowledge of data integration from earlier IF-MAP development. Further cooperation partners include macmon secure gmbh, a provider of NAC solutions, and IT-Security@Work GmbH, whose focus is on IT compliance and its automation.

In earlier research projects, several new challenges were identified (besides the functional requirements) for a SIEM-like system for small and medium enterprises. One example is the big-data issues that arise from the central integration of all log information and its timely analysis.

The final product is intended to address these requirements. It will be a combined prototype from all partners, built as an extension of a NAC-based system with typical SIEM functionalities, including auditable monitoring and adaptable incident detection and response.

Figure: actual CLEARER architecture

The following main segments can be identified as part of CLEARER:

  1. Data Acquisition: A broad and comprehensive data basis is needed as a foundation for a correct assessment of a situation. This includes infrastructure information as well as real-time data from capturing and detection systems. One goal of the CLEARER project is to develop methods and systems to acquire, store and efficiently analyze such information, with regard to IT-compliance and audit requirements.
  2. Data Analysis: Data from many different services on multiple hosts is to be collected, and not all data is relevant to every analysis step. Even in smaller environments an overwhelming amount of information is brought together, and its evaluation leads to typical big-data challenges, especially since the evaluation and detection of incidents is a time-critical process. Appropriate systems and mechanisms need to be employed to correlate and analyze the data in multiple steps to reduce the overall effort.
  3. Reaction to Incidents: Besides the big-data issues on the incoming side of data acquisition, the number of incidents produced by a SIEM-like system can still be immense, and this is currently mostly dealt with through the use of extensive human resources following an escalation principle. The partial automation of this process is a major challenge and one of the goals of the CLEARER project, in order to further reduce the operational costs.