StreamScan's SIEM architecture selected as the reference by the Cloud Security Alliance (CSA)
The Cloud Security Alliance (CSA) is the leading international organization for security in cloud environments.
To enable organizations to properly secure themselves in the cloud, the CSA has created the Security Information and Event Management (SIEM) Implementation Guide for the Cloud. This guide describes, among other things:
- The expected functionality of a cloud-based SIEM
- Considerations and concerns for implementing a SIEM in the cloud
- The conceptual reference architecture of a SIEM
- Etc.
Our SIEM architecture selected as the reference
StreamScan is proud that the conceptual SIEM architecture developed by its founder Karim Ganame (during his PhD in cybersecurity) has been selected by the Cloud Security Alliance as the SIEM reference architecture in the Cloud.
Dr. Karim Ganame's research on security event management has shown that an ideal SIEM architecture should consist of the following elements:
- Data/log collection module: a set of protocol agents. Each protocol agent is designed to receive information over one specific protocol (syslog, snmp, smtp, html, etc.). Its purpose is to listen for incoming connections from the monitored systems (computers, servers, telecom equipment, etc.) and make the collected data available to a dispatcher.
- Dispatcher: determines the source type of an incoming event and forwards the original message to the appropriate application agent.
- Application agents: receive the messages from the dispatcher and put them into a format the SIEM can understand. It is this formatted message that the SIEM analyzes to identify malicious activity.
- Database: stores the security events received by the SIEM and formatted by the application agents. It can also be a flat file.
- Knowledge base: stores information about system vulnerabilities, the policies and rules created to detect malicious activity, etc.
- Analysis engine: analyzes the events received from each server/computer based on the database and generates alerts when malicious activity is detected.
- Correlation engine: links several events collected by the SIEM and analyzes them together to detect more complex attacks (distributed or coordinated attacks, etc.).
- Management interface: web or console based.
- Reaction module: takes action when an alert is generated, for example notification by email or SMS, or blocking the communication in a firewall.
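To make the data flow between these modules concrete, here is a small end-to-end model of the pipeline in Python. It is an added example written for this page, not StreamScan's code or the architecture published in the paper: the sample syslog lines, the two source types (sshd and a firewall DROP message), the rule thresholds in the knowledge base, and the action strings returned by the reaction module are all constructed for illustration. Each numbered comment maps to one element of the list above.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample input, as a syslog protocol agent would receive it
# (timestamps are epoch seconds so the example runs offline).
RAW_SYSLOG = [
    (1000, "fw01 sshd[1011]: Failed password for root from 203.0.113.5 port 5222 ssh2"),
    (1005, "fw01 sshd[1011]: Failed password for root from 203.0.113.5 port 5223 ssh2"),
    (1010, "fw01 sshd[1011]: Failed password for admin from 203.0.113.5 port 5224 ssh2"),
    (1012, "fw01 kernel: DROP SRC=203.0.113.5 DST=10.0.0.8 DPT=3389"),
    (1013, "fw01 kernel: DROP SRC=203.0.113.5 DST=10.0.0.8 DPT=445"),
    (1020, "web01 sshd[2200]: Failed password for bob from 198.51.100.7 port 4100 ssh2"),
    (1050, "fw01 sshd[1011]: Accepted password for alice from 192.0.2.9 port 6000 ssh2"),
]

@dataclass
class Event:          # normalized record the analysis engine can reason about
    ts: int
    host: str
    kind: str         # "auth_failure", "auth_success" or "fw_drop"
    src_ip: str
    detail: str

# 1. Protocol agent: receives data for one protocol (syslog) and hands it on raw.
def syslog_agent(lines):
    for ts, line in lines:
        yield {"protocol": "syslog", "ts": ts, "raw": line}

# 3. Application agents: turn raw messages of one source type into Events.
def sshd_agent(rec):
    m = re.search(r"^(\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+)", rec["raw"])
    if not m:
        return None
    host, result, user, ip = m.groups()
    kind = "auth_failure" if result == "Failed" else "auth_success"
    return Event(rec["ts"], host, kind, ip, f"user={user}")

def firewall_agent(rec):
    m = re.search(r"^(\S+) kernel: DROP SRC=(\S+) DST=\S+ DPT=(\d+)", rec["raw"])
    if not m:
        return None
    host, ip, port = m.groups()
    return Event(rec["ts"], host, "fw_drop", ip, f"dport={port}")

# 2. Dispatcher: decides the source type of a raw record and routes it to an agent.
APP_AGENTS = {"sshd": sshd_agent, "firewall": firewall_agent}

def dispatch(rec):
    if " sshd[" in rec["raw"]:
        return APP_AGENTS["sshd"](rec)
    if " kernel: DROP" in rec["raw"]:
        return APP_AGENTS["firewall"](rec)
    return None  # unknown source type: no application agent registered for it

# 5. Knowledge base: the rules the engines consult (constructed thresholds).
KNOWLEDGE_BASE = {
    "rules": [
        {"name": "ssh_bruteforce", "kind": "auth_failure", "threshold": 3, "window": 60},
        {"name": "port_scan", "kind": "fw_drop", "threshold": 2, "window": 60},
    ],
    "correlations": [
        {"name": "coordinated_attack", "needs": {"ssh_bruteforce", "port_scan"}, "severity": "high"},
    ],
}

# 6. Analysis engine: evaluate each rule per source IP against the stored events.
def analyze(db, kb):
    alerts = []
    for rule in kb["rules"]:
        by_ip = defaultdict(list)
        for ev in db:
            if ev.kind == rule["kind"]:
                by_ip[ev.src_ip].append(ev.ts)
        for ip, stamps in by_ip.items():
            stamps.sort()
            # sliding window: 'threshold' matching events within 'window' seconds
            for i in range(len(stamps) - rule["threshold"] + 1):
                if stamps[i + rule["threshold"] - 1] - stamps[i] <= rule["window"]:
                    alerts.append({"rule": rule["name"], "src_ip": ip, "severity": "medium"})
                    break
    return alerts

# 7. Correlation engine: link alerts from different rules that share a source IP.
def correlate(alerts, kb):
    rules_by_ip = defaultdict(set)
    for a in alerts:
        rules_by_ip[a["src_ip"]].add(a["rule"])
    out = []
    for corr in kb["correlations"]:
        for ip, rules in rules_by_ip.items():
            if corr["needs"] <= rules:
                out.append({"rule": corr["name"], "src_ip": ip, "severity": corr["severity"]})
    return out

# 8. Reaction module: choose actions per alert (returned as strings, not executed).
def react(alert):
    if alert["severity"] == "high":
        return [f"block {alert['src_ip']} on firewall", f"email SOC: {alert['rule']}"]
    return [f"email SOC: {alert['rule']} from {alert['src_ip']}"]

def run_pipeline(lines=RAW_SYSLOG, kb=KNOWLEDGE_BASE):
    # 4. Database: a plain list stands in for the event table or flat file.
    db = [ev for ev in (dispatch(r) for r in syslog_agent(lines)) if ev is not None]
    alerts = analyze(db, kb)
    alerts += correlate(alerts, kb)
    return db, alerts, {f"{a['rule']}@{a['src_ip']}": react(a) for a in alerts}

if __name__ == "__main__":
    db, alerts, actions = run_pipeline()
    for a in alerts:
        print(a, "->", actions[f"{a['rule']}@{a['src_ip']}"])
```

Running it on the constructed input produces two rule alerts for 203.0.113.5 (three SSH failures within 60 seconds, two dropped connections to different ports) and one correlated alert that neither rule would raise on its own; the single failure from 198.51.100.7 stays below threshold. The separation of stages is the point: adding a new source type only means registering another application agent with the dispatcher, and tuning detection only touches the knowledge base.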
Our SIEM architecture has been presented at international academic conferences. It has also been published in an academic journal specialized in cybersecurity.
You can download it from a link included in the Cloud Security Alliance SIEM guide (see References section). Here is the link to download it from our website.
StreamScan's R&D expertise in cybersecurity and AI is recognized
This is not the first time StreamScan's R&D expertise has been recognized in cybersecurity:
- Our CDS cyber threat detection technology was selected as an Innovation by the Canadian Federal Government through the CCIP program. It uses AI to detect cyber attacks and malicious traffic. We hold a US patent for CDS.
- We have already won a contract from the Royal Canadian Air Force to develop a prototype intrusion detection system targeting its fighter aircraft.
StreamScan is pleased to contribute to international academic and industrial R&D in cybersecurity, working toward a safer world.
[Figure: representation of the Cloud Security Alliance SIEM reference architecture]
[Figure: StreamScan's SIEM architecture. For details, see our article A High Performance System for Intrusion Detection and Reaction Management.]