=Paper=
{{Paper
|id=Vol-3288/paper2
|storemode=property
|title=Enterprise Service Bus Construction in SOA Architecture for SIEM Implementation in Critical Information Infrastructure
|pdfUrl=https://ceur-ws.org/Vol-3288/paper2.pdf
|volume=Vol-3288
|authors=Sergiy Gnatyuk,Rat Berdibayev,Viktoriia Sydorenko,Artem Polozhentsev,Myroslav Ryabyy
|dblpUrl=https://dblp.org/rec/conf/cpits/GnatyukBSPR22
}}
==Enterprise Service Bus Construction in SOA Architecture for SIEM Implementation in Critical Information Infrastructure==
Sergiy Gnatyuk (1), Rat Berdibayev (2), Viktoriia Sydorenko (1), Artem Polozhentsev (1), and Myroslav Ryabyy (1)
(1) National Aviation University, 1 Liubomyra Huzara ave., Kyiv, 03058, Ukraine
(2) Almaty University of Power Engineering and Telecommunication, 126/1 Baytursynuli str., Almaty, 050013, Kazakhstan
Abstract
The number of cyber threats in ICT is increasing, so the development of new security-oriented instrumental tools is an important and relevant scientific task. Security information and event management (SIEM) systems are a category of such tools, directed at log analysis and incident management in order to prevent the negative consequences of cyber threats and minimize the damage to the end user. In previous works the authors analyzed existing SIEM systems and the database types suitable for them, and created a new architecture for a cloud-based SIEM. The next step of this research project is the justification of the enterprise service bus architecture. The paper defines the place of the distributed data bus in the concept of service-oriented architecture and identifies its functions and benefits. The authors also analyze the most popular up-to-date enterprise service bus solutions and provide recommendations in the context of implementing the developed SIEM in critical infrastructure. Besides, a data sheet for a SIEM in critical infrastructure is formed and proposed in this paper.
Keywords
SIEM, incident management, ESB, cyber threat, cloud-based architecture, SOA.
1. Introduction

Nowadays, the number of cyber threats is increasing. This is due to the development of new information and communication technologies (ICT), an insufficiently good level of testing of the developed software and physical software, as well as the lack of maintenance and support for outdated software and server software [1, 2]. There are various vulnerabilities in protocols, software, and the architecture of electronic equipment, which affect the cyber security level [3]. Many instruments have been developed to solve the mentioned problems and mitigate threats. One of them is Security Information and Event Management (SIEM) [4], which was created to prevent the future consequences of the exploitation of vulnerabilities by undesirable persons, as well as to minimize the damage for the end user [6].

2. Analysis of Modern Approaches and Problem Statement

In the paper [6] the basic concept of a cloud-based SIEM architecture (Fig. 1) for different sectors of critical infrastructure was proposed. This scheme can also be integrated into real ICT infrastructures with existing SIEMs (offered by various vendors [5]) and other incident management instrumental tools. The main structural units of the proposed SIEM are the following:
▪ Horizontal Databases.
▪ Blocks of Analytics and Monitoring.
▪ Cloud Storage.
▪ Encryptor.
▪ Message Broker.
▪ Sources (System 1 – System N).
CPITS-2022: Cybersecurity Providing in Information and Telecommunication Systems, October 13, 2022, Kyiv, Ukraine
EMAIL: s.gnatyuk@nau.edu.ua (S. Gnatyuk); r.berdybaev@aues.kz (R. Berdibayev); v.sydorenko@ukr.net (V. Sydorenko); artem.polozhencev@gmail.com (A. Polozhentsev); m.riabyi@nau.edu.ua (M. Ryabyy)
ORCID: 0000-0003-4992-0564 (S. Gnatyuk); 0000-0002-8341-9645 (R. Berdibayev); 0000-0002-5910-0837 (V. Sydorenko); 0000-0003-0139-0752 (A. Polozhentsev); 0000-0002-9651-9135 (M. Ryabyy)
© 2022 Copyright for this paper by its authors. Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0). CEUR Workshop Proceedings (CEUR-WS.org)
Figure 1: Proposed cloud-based SIEM architecture concept
One of the most important units of this system is the Encryptor, which creates a single Cloud Storage block by providing confidentiality of the non-processed data after it is gathered using syslog, NetFlow, etc. Besides, the Virtual Box sends the gathered and encrypted data to the Horizontal Databases via the Message Broker. If there is no connection with the Message Broker, temporary data storage is provided in Cloud Storage.

In [5] the analysis of up-to-date SIEM systems was carried out; in the paper [6] the basic concept of a cloud-based SIEM was developed; in the work [7] the authors analyzed DB types in the context of SIEM implementation. The next step is the justification of the enterprise service bus, which is the main objective of this research paper.

3. ESB Implementation in SOA for Critical Information Infrastructure

Service-Oriented Architecture (SOA) provides a way to allow multiple usage of software components through service interfaces (Fig. 2) [8]. Such interfaces use common communication standards, so they can be quickly integrated into new applications without the need for in-depth integration each time.
Figure 2: Scheme of the SOA construction
The SOA service contains the code and data integrations necessary to perform a particular business function [9]. Service interfaces are loosely coupled, meaning that they can be used even with minimal knowledge of how the integration is performed. Services are accessed via standard network protocols, such as SOAP/HTTP or JSON/HTTP, which send requests to read or modify data. Services are published in such a way that developers can find and reuse them to build new applications quickly. These services can be created from the ground up, but are often made by exporting functions from existing systems as interfaces.

In SOA, services can interact with each other regardless of the type of service. This means that a particular service may be platform- or protocol-specific, but SOA allows such services to interact and exchange data. This data is exchanged through a distributed data bus, or Enterprise Service Bus (ESB) [10], which forms the basis of any SOA architecture. Thus, the ESB is a template (Fig. 3) in which a centralized component integrates with core systems and then exposes these integrations as service interfaces.
Figure 3: The ESB bus layout
It provides data model conversions, strong interaction, routing, and even multiple query creation, combining these functions in a single service interface that can be reused by new applications. Typically, the ESB template is implemented with a specially designed integration execution environment and tools that are well suited to performing the above functions as efficiently as possible [11].

In principle, SOA can be implemented without an ESB (Fig. 4), but application owners would have to find a unique way to provide access to the interfaces, which is a very time-consuming task (even with multiple interfaces) and which will also make future maintenance very difficult. For example, an ESB can be implemented by using JMS servers and XML/XSD as a means of transferring data between different services. Thus, different services will register or connect to these JMS servers and exchange data in XML format. Typically, the SOA suite comes with so-called adapters that help convert messages to and from a format the service and XML understand.
Figure 4: SOA Comparison with and without ESB
Consider a stock trading system as an example. Messages from the stock exchange come in using the FIX protocol. It is possible to create an application that expects JSON. To make both systems work together, SOA will be used: the FIX adapter will convert the FIX message into XML, then that XML will be passed to the JSON adapter via the ESB, which converts it into JSON as required by your endpoint system. Fig. 5 shows an example of a JBoss ESB implementation [9].
Figure 5: JBoss ESB implementation example
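The FIX-to-XML-to-JSON chain described above, as an added example that is not code from the paper or from any of the ESB products it names: a minimal in-process bus with an inbound FIX adapter and an outbound JSON adapter, in Python. The tag numbers are the standard FIX 4.x ones; the `Esb` class, the route name, the `<Order>` XML element and the sample message are constructed for this example. The inbound adapter also verifies the FIX checksum (tag 10) before anything reaches the bus, since the adapter at the edge is where malformed or altered input from an external feed should be rejected.

```python
"""Added example (not the paper's or any vendor's code): FIX -> XML -> JSON
through a minimal in-process ESB with two adapters.

Tag numbers are standard FIX 4.x; the bus, the route name, the <Order> XML
element and the sample message are constructed for this example."""
import json
import xml.etree.ElementTree as ET
from typing import Callable, Dict, List, Tuple

SOH = "\x01"  # FIX field delimiter

# Subset of standard FIX 4.x tag numbers used by the sample message.
FIX_TAGS = {
    "8": "BeginString", "35": "MsgType", "49": "SenderCompID",
    "56": "TargetCompID", "55": "Symbol", "54": "Side", "38": "OrderQty",
    "44": "Price", "10": "CheckSum",
}


def fix_checksum(body: str) -> str:
    """FIX checksum: byte sum modulo 256 of everything before tag 10, 3 digits."""
    return f"{sum(body.encode('ascii')) % 256:03d}"


def build_fix(fields: List[Tuple[str, str]]) -> str:
    """Serialize (tag, value) pairs and append a correct CheckSum field."""
    body = SOH.join(f"{tag}={value}" for tag, value in fields) + SOH
    return body + f"10={fix_checksum(body)}" + SOH


def parse_fix(raw: str) -> Dict[str, str]:
    """Validate the checksum, then map tag numbers to tag names."""
    body, sep, tail = raw.partition(f"{SOH}10=")
    if not sep:
        raise ValueError("missing CheckSum (tag 10)")
    body += SOH  # the delimiter before tag 10 is part of the checksummed body
    expected = fix_checksum(body)
    got = tail.rstrip(SOH)
    if got != expected:
        raise ValueError(f"checksum mismatch: got {got!r}, expected {expected!r}")
    fields: Dict[str, str] = {}
    for part in body.rstrip(SOH).split(SOH):
        tag, eq, value = part.partition("=")
        if not eq:
            raise ValueError(f"malformed FIX field: {part!r}")
        fields[FIX_TAGS.get(tag, f"Tag{tag}")] = value
    fields["CheckSum"] = expected
    return fields


def fix_adapter(raw: str) -> str:
    """Inbound adapter: FIX text -> canonical XML <Order> document for the bus."""
    root = ET.Element("Order")
    for name, value in parse_fix(raw).items():
        ET.SubElement(root, name).text = value
    return ET.tostring(root, encoding="unicode")


def json_adapter(xml_doc: str) -> str:
    """Outbound adapter: canonical XML -> JSON expected by the endpoint."""
    root = ET.fromstring(xml_doc)
    return json.dumps({child.tag: child.text for child in root}, sort_keys=True)


class Esb:
    """Routes each message through the adapter chain registered for its route."""

    def __init__(self) -> None:
        self.routes: Dict[str, List[Callable[[str], str]]] = {}

    def register(self, route: str, *adapters: Callable[[str], str]) -> None:
        self.routes[route] = list(adapters)

    def send(self, route: str, message: str) -> str:
        for adapter in self.routes[route]:  # KeyError for an unregistered route
            message = adapter(message)
        return message


# Constructed sample: a new-order message (MsgType D) from the exchange feed.
SAMPLE_FIX = build_fix([("8", "FIX.4.2"), ("35", "D"), ("49", "EXCHANGE"),
                        ("56", "TRADER"), ("55", "ACME"), ("54", "1"),
                        ("38", "100"), ("44", "12.5")])


def run_example() -> dict:
    """Push the sample message through the FIX -> XML -> JSON route."""
    bus = Esb()
    bus.register("exchange->app", fix_adapter, json_adapter)
    return json.loads(bus.send("exchange->app", SAMPLE_FIX))


if __name__ == "__main__":
    print(run_example())
```

A message whose quantity field has been altered in transit fails the checksum check in `parse_fix` and never reaches the JSON adapter; a production adapter would additionally validate tag values against the XSD the paper mentions before placing the XML on the bus.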
4. ESB Comparative Analysis

Below, let us consider how ESB components are implemented and used in the solutions that are most often offered on the Kazakhstan market (Talend [12], Mule [13], WSO2 [14], Red Hat Fuse).
Table 1
ESB comparative analysis

| No. | ESB / Criteria | Talend | Mule | WSO2 | Red Hat Fuse |
|---|---|---|---|---|---|
| 1 | Studio | + | + | + | ± |
| 2 | Message Broker Support | JMS 1.1, Microsoft MQ 3.0, JBoss Messaging 1.4.4, IBM MQ 8.0, Apache ActiveMQ 5.13.2 | Anypoint MQ, IBM MQ, Apache Kafka, JMS 1.0.2, 1.1, 2.0 | Amazon SQS, JMS support, Apache Kafka support | Apache ActiveMQ, Apache Kafka, AWS MQ, RabbitMQ, JMS support |
| 3 | Logging | Statistics on the execution of tasks and components; errors, warnings and exceptions at the task level; data flow within tasks; logging in Elastic, Apache Log4j, Apache Commons Logging, Trace Logs | Logging within each integration created in Mule: errors and events mandatory for logging by integration logic; logging of starting, stopping, deploying and disconnecting Mule services and integrations | Apache Log4j-based logging via the Apache Commons Logging library; system and component events are logged separately | Apache Log4j-based logging via the Apache Commons Logging library, SLF4J, java.util.logging, Elastic |
| 4 | Monitoring | + | + | + | + |
Developers also add the Apache Kafka (plus Kafka Connect) and RabbitMQ message brokers to the list, but these two solutions are not ESBs, and it is not reasonable to consider them within the scope of this analysis. As criteria, let us choose the basic functional components of data buses: whether a studio is provided, message broker support, and the way of logging and monitoring.

5. Features of Modern ESB

The data bus is a set of software that acts as a single hub for the exchange of messages between information systems and applications. The service bus allows for easy configuration of message paths, stores the history of messages, and records the path of each message. Its basic principles are below:
1. Any upgrade of an item inevitably requires a large-scale reworking of the integrations. For example, an Oracle database update is released, and all the integrations related to it have to be reworked.
2. Event logging in each of the integrations is implemented differently (if implemented at all). If data is lost or comes in with errors, it will be difficult to trace the time and cause of the error.
3. Each new element of the system requires a significant investment in point-to-point integration. For example, to add new trading platforms, it will be necessary to integrate them with an online store, CRM, WMS, ERP, PIM, etc.
4. Business intelligence is becoming more complex: data is stored in different sources, in different formats, or duplicated. Combining them into a convenient tool for making management decisions is a difficult task.
5. As the infrastructure grows, the time and resources required to maintain it increase accordingly. Also, the reserve of resources for improving its work decreases.
6. The ESB combines a few functions which a "star" topology distributes across integrations or does not implement at all.
7. The ESB collects information from other systems, either related to the company's IT infrastructure or external. The information is received in the form and formats in which it is contained in the source system.
8. Within the ESB, the data are converted into the formats required for transmission to other systems.
9. The logic of routes and conversions is set by the operator: the source of information, the purpose of conversion and the place of acceptance.
10. Logs are saved in the message broker. If errors or losses occur, it will be possible to determine the cause of the failure without having to repeat the incident. Accordingly, errors can be corrected, and data restored quickly and easily.

6. Practical Implementation of ESB for Effective Integration of SIEM in Critical Information Infrastructure

The developed platform [6, 15] applies a security event correlation mechanism that allows the platform to be used as a dedicated and fully functional SIEM system. The platform provides correlation for normalized logs/events, searches/queries for threat analysis and sources of vulnerability factor information, and produces risk-aware alarms. The primary objective is to collect as many events as possible from the organization's infrastructure [16].

During the digital transformation, companies (regardless of their size) use multiple information systems. Frequently, they operate overlapping data arrays. The ESB is designed to integrate different information systems. The data exchange takes place via the ESB, using various protocols and formats, which avoids modifications of the systems being integrated. The use of an ESB for SIEM-class systems is aimed at the balanced distribution of the load on services and the security of data exchange.

Consider how services can communicate directly with each other. To retrieve data from an application, it is necessary to go through a complex multi-level chain of operations. There can be several to dozens or hundreds of such services. The continuous exchange of messages between systems can create a heavy load. On the user side, it will lead to long latency times and constant application failures (Fig. 6). It is also worth noting that if one of the systems needs to be updated, changed, or distributed to other departments, this will inevitably affect all other services.
Figure 6: Interaction of services without a bus
Using an ESB for SIEM-class systems completely changes the organization of processes in a company. Namely, applications no longer need to communicate directly with each other; instead, each of them interacts only with the integration platform. This instantly eliminates the need for a huge number of access methods: only as many interfaces as there are services will be needed. If changes need to be made to one of the systems, it will not affect the other corporate applications. The ESB will single-handedly take on all these tasks (Fig. 7). Thus, this approach, unlike the traditional point-to-point architecture (where services interact directly with each other), has more flexibility. Integration scenarios can be modified with minimal developer intervention.

The benefits of the solution are as follows: implementing an ESB for SIEM-class systems makes it easier to integrate applications, saves time and resources, improves the functioning of services, and enhances the organization's efficiency and security.

To collect information (events), the system uses its agents installed in monitored subsystems, as well as standard existing mechanisms for collecting events (syslog, SNMP, etc.). For network control, it can be used as a collector of NetFlow statistics received from network equipment. It can also be used to analyze network traffic either by mirroring traffic from network equipment or by sending traffic through itself.
Figure 7: Service interaction with the bus
The system sends events over an encrypted channel to the message broker. If there is no connection to the message broker, it ensures temporary storage of the data, minimizing the risk of losing critical information. Multiple brokers can be installed in a monitored system. Some important concepts:

The message broker should be understood as special software which ensures the guaranteed delivery of messages from multiple sources to multiple recipients. This is an electronic queue for messages.

The repository is a special storage of unprocessed records in encrypted form. It is an important part of collecting legally relevant evidence for incident investigations.

Horizontally extensible databases are a distinctive architectural advantage of the developed platform. The system uses distributed databases of different types to solve metrics control (monitoring) and event control (SIEM) tasks in parallel [17]:
▪ High speed of processing large streams of information.
▪ Minimal delays in data processing.
▪ Minimal delays for building analytical reports and queries.
▪ High fault tolerance.
▪ Storage expandability by adding nodes without database downtime.

The monitoring module is comprehensive software for controlling metrics. Usually, such tasks are called "Monitoring" and consist of real-time tracking of quantitative metrics of systems. When metrics enter risk zones, the module creates a security violation event. This module has an interactive graphical interface.

The analytics module is comprehensive event analysis software that performs normalization, correlation, and event analysis. It also finds dependencies, defines an event as an incident, and informs other systems. It also has an interactive graphical interface.

The service-oriented architecture, of which the developed platform is a part, integrates all APIs, which ensures end-to-end integration. An API is a set of rules and conditions for programs to communicate with each other: input and output data, and types of operations. The use of an API significantly simplifies interaction: it ties together the capabilities of different services, forming interfaces that are accessible to different users (Fig. 8).
Figure 8: SOA service to bus interaction
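The store-and-forward behaviour described above (events go to the message broker over an encrypted channel, and while the broker is unreachable they are held in temporary storage so that nothing is lost; compare principle 10 of Section 5 on logs surviving a failure), as an added example that is not the platform's code: a Python collector agent that spools events to a local JSON-lines file while a stub broker is down and replays them in order once it returns. The broker stub, the spool file and the events are constructed for this example; transport encryption (for instance TLS between agent and broker) is assumed to be provided by the real broker client and is not modelled here.

```python
"""Added example (not the platform's code): store-and-forward delivery of SIEM
events to a message broker, with a local spool while the broker is down.

Broker stub, spool file and events are constructed for this example; the
encrypted channel to a real broker (e.g. TLS) is assumed, not modelled."""
import json
import os
import tempfile
from typing import Dict, List


class BrokerUnavailable(Exception):
    """Raised by the broker client when there is no connection."""


class StubBroker:
    """Stand-in for a message broker: records accepted events in arrival order."""

    def __init__(self) -> None:
        self.available = True
        self.accepted: List[Dict] = []

    def publish(self, event: Dict) -> None:
        if not self.available:
            raise BrokerUnavailable("no connection to message broker")
        self.accepted.append(event)


class Agent:
    """Collector agent: numbers events, delivers them, spools them on failure."""

    def __init__(self, broker: StubBroker, spool_path: str) -> None:
        self.broker = broker
        self.spool_path = spool_path
        self.seq = 0  # monotonic sequence lets the receiver detect gaps

    def send(self, event: Dict) -> bool:
        """Return True if delivered now, False if parked in the spool."""
        self.seq += 1
        event = dict(event, seq=self.seq)
        self.flush()  # older spooled events must leave before this one
        try:
            self.broker.publish(event)
            return True
        except BrokerUnavailable:
            self._append(event)
            return False

    def flush(self) -> int:
        """Replay spooled events in order; stop at the first failure."""
        pending = self._read()
        delivered = 0
        for event in pending:
            try:
                self.broker.publish(event)
                delivered += 1
            except BrokerUnavailable:
                break
        self._write(pending[delivered:])  # keep only what is still undelivered
        return delivered

    def spooled(self) -> int:
        return len(self._read())

    def _append(self, event: Dict) -> None:
        with open(self.spool_path, "a", encoding="utf-8") as f:
            f.write(json.dumps(event) + "\n")

    def _read(self) -> List[Dict]:
        if not os.path.exists(self.spool_path):
            return []
        with open(self.spool_path, encoding="utf-8") as f:
            return [json.loads(line) for line in f if line.strip()]

    def _write(self, events: List[Dict]) -> None:
        with open(self.spool_path, "w", encoding="utf-8") as f:
            for event in events:
                f.write(json.dumps(event) + "\n")


def run_scenario() -> Dict:
    """Broker drops out after the first event and returns before the fourth."""
    spool = os.path.join(tempfile.mkdtemp(), "spool.jsonl")
    broker = StubBroker()
    agent = Agent(broker, spool)
    events = [{"source": "fw1", "msg": f"constructed event {i}"} for i in range(1, 5)]
    agent.send(events[0])                 # delivered directly
    broker.available = False
    agent.send(events[1])                 # spooled
    agent.send(events[2])                 # spooled
    spooled_while_down = agent.spooled()  # 2
    broker.available = True
    agent.send(events[3])                 # replays 2 and 3, then delivers 4
    return {
        "spooled_while_down": spooled_while_down,
        "delivered": [e["seq"] for e in broker.accepted],
        "left_in_spool": agent.spooled(),
    }


if __name__ == "__main__":
    print(run_scenario())
```

The sequence number is what lets the receiving side notice a gap after an outage rather than silently missing evidence; a production agent would also bound the spool size, persist the counter across restarts, and keep the spool file readable only by the agent's own account.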
Microservice architecture differs from the traditional ESB approach for SIEM-class systems because its functionality is organized into small services, each of which is responsible for a separate task, is supported by one team, and can work in isolation from the others. There is no centralized base with this approach. Each service has its own repository of information. The ESB for SIEM-class systems, however, serves only as a transport, being, in essence, just a message broker. Interaction between the user and the platform services is also performed via an API [18].

Taking into account [5–7], the SIEM data sheet will be the following (Table 2).

Additional requirements are the following:
▪ The Supplier ensures the installation of SIEM software on physical servers and/or the Customer's virtualization platform.
▪ The Supplier provides the Customer with a calculation of the resource requirements for installing SIEM. The calculation is made by the Supplier based on the performance requirements specified in this specification (clauses 11 and 12 in Table 2).
▪ The Customer provides the allocation of resources in accordance with the specified calculation, installation and basic configuration of operating systems (including configuration of the disk subsystem and network interfaces) for installing SIEM. The Supplier shall provide the Customer with an operating system distribution (on media or in the form of a download link) and, if necessary, a license for operating systems.
▪ The Customer provides access from servers to the Internet during the installation and configuration of SIEM.
▪ For the entire duration of the SIEM operation, the Customer provides constant access from the SIEM servers to the licensing server to control the license.
▪ The Supplier, within 10 (ten) calendar days, completes the installation and configuration of the SIEM system.
Table 2
Data sheet of the information security event management system

Information security event monitoring system and real-time incident detection (SIEM)

1. Special purpose. The IS event monitoring and real-time incident detection system (hereinafter referred to as SIEM) is designed to monitor and analyze IS events and must:
▪ Carry out centralized collection, storage and processing of system log events (logs), as well as network flows from various systems of the Customer's infrastructure.
▪ Identify important events and IS incidents in the total mass of data, which should allow the Customer's IS specialists (hereinafter referred to as the Customer's personnel) to concentrate on the most serious incidents and respond to them in a timely manner.
▪ Inform the Customer's personnel about identified information security incidents by sending messages to e-mail.

2. Centralized management. SIEM should provide centralized management of all its components and functionality through a single graphical Web interface.

3. Data visualization (Dashboards). SIEM should:
▪ Allow the creation of graphical panels (dashboards) using any events, with automatic updating at a given interval.
▪ Support the creation of new graphical panels or modification of existing ones using a "wizard", by a method that does not require the use of programming languages.
▪ Allow the saving of graphical panels for collective use. The graphical panels of the module must support various types of data presentation: tables, pie and line charts, etc. The graphical panels of the module should function automatically, without the need for regular maintenance by the operator.
▪ Display graphical panels via the Web interface.

4. API support. SIEM should have an open software interface (API) for integration with other modules.

5. Support for authentication and authorization. SIEM should support the following methods of user authentication and authorization:
▪ Local user base.
▪ Active Directory.
▪ LDAP.
▪ Tokens (for API access).

6. Update. The SIEM must support the ability to automatically and/or manually update as new versions are released.

7. Fault tolerance. The SIEM database must be able to support a cluster organization of at least two nodes.

8. Scaling. SIEM should:
▪ Provide horizontal scaling by adding hardware and, if necessary, purchasing additional licenses for SIEM in accordance with the current (at the time of scaling) licensing policy.
▪ Have an event storage component (database) in which the following functions are implemented:
● Scaling without a fixed limit on the volume of event storage (adding additional equipment if necessary).
● Fault-tolerant implementation.

9. Collecting and filtering events. SIEM should:
▪ Support standard methods for collecting event logs: Syslog, Raw/Plaintext, GELF, CEF, file event logs (using agents for Linux/Windows).
▪ Provide analysis of events in real time.
▪ Provide filtering, as well as display through the user interface of events in real time, where the user can immediately apply filters.
▪ Be able to save search criteria for quick access in the future.
▪ Support search by events using a query language (if a proprietary query language is used, it should be described in the documentation).
▪ Provide the user with the opportunity to independently connect event sources that are not supported by default or systems of their own design.
▪ Support data transmission from sources to the control system via a secure channel (if the protocol supports secure transmission).
▪ Support centralized management of agents through the SIEM interface (for agents of the Beats family).

10. Account management requirements. SIEM should:
▪ Support a role-based management model with a predefined set of roles.
▪ Be able to create and use user groups (teams).
▪ Have a token management system for authorization in the API.

Performance requirements

11. Events per second requirements (EPS). Average daily: no more than 200 EPS. Maximum in the busiest hour: no more than 400 EPS.

12. Requirements for information stored in the database. The daily amount of information stored in the event database is no more than 4 GB per day. The storage period for events in the database and/or SIEM archive is at least 3 years.
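The collection formats listed in row 9 (Syslog, Raw/Plaintext, GELF, CEF) and the normalization and correlation step of the analytics module described in Section 6, as an added example that is not the platform's code: Python parsers that bring the three structured formats into one event schema, plus a single correlation rule that promotes repeated failed logins from one source address to an incident. The sample log lines, the threshold and the rule name are constructed for this example; the CEF header layout and the GELF field names follow the published formats, but escaping of `|` and `=` inside CEF values is not handled here.

```python
"""Added example (not the platform's code): normalize Syslog, CEF and GELF
lines into one event schema and run one correlation rule over them.

Sample lines, the threshold and the rule name are constructed; CEF header
layout and GELF field names follow the public formats, without escape handling."""
import json
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Event:
    fmt: str                      # "syslog" | "cef" | "gelf" | "raw"
    host: str
    message: str
    src_ip: Optional[str] = None
    user: Optional[str] = None
    category: Optional[str] = None
    fields: Dict[str, str] = field(default_factory=dict)


SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$")
FAILED_LOGIN_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)")
CEF_EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")  # key=value pairs in the extension


def parse_syslog(line: str) -> Event:
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"not a BSD syslog line: {line!r}")
    return Event("syslog", m["host"], m["msg"], fields={"pri": m["pri"], "ts": m["ts"]})


def parse_cef(line: str) -> Event:
    # CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension
    parts = line.split("|", 7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError(f"not a CEF line: {line!r}")
    ext = dict(CEF_EXT_RE.findall(parts[7]))
    ev = Event("cef", ext.get("dvchost", parts[2]), parts[5],
               src_ip=ext.get("src"), user=ext.get("suser"))
    ev.fields = {"vendor": parts[1], "product": parts[2], "signature": parts[4],
                 "severity": parts[6], **ext}
    return ev


def parse_gelf(line: str) -> Event:
    d = json.loads(line)
    if "short_message" not in d:
        raise ValueError("not a GELF record")
    msg = d.get("full_message") or d["short_message"]
    return Event("gelf", d.get("host", "unknown"), msg,
                 fields={k: str(v) for k, v in d.items() if k != "short_message"})


def normalize(line: str) -> Event:
    """Dispatch on the leading bytes, then tag the category the rules use."""
    if line.startswith("CEF:"):
        ev = parse_cef(line)
    elif line.startswith("{"):
        ev = parse_gelf(line)
    elif line.startswith("<"):
        ev = parse_syslog(line)
    else:
        ev = Event("raw", "unknown", line)  # Raw/Plaintext: kept, not parsed
    m = FAILED_LOGIN_RE.search(ev.message)
    if m:
        ev.user, ev.src_ip = ev.user or m["user"], ev.src_ip or m["ip"]
        ev.category = "auth_failure"
    elif ev.fmt == "cef" and ev.message.lower() == "login failed":
        ev.category = "auth_failure"
    return ev


def correlate_failed_logins(events: List[Event], threshold: int = 3) -> List[Dict]:
    """Rule: at least `threshold` auth failures from one source IP -> one incident."""
    by_ip: Dict[str, List[Event]] = {}
    for ev in events:
        if ev.category == "auth_failure" and ev.src_ip:
            by_ip.setdefault(ev.src_ip, []).append(ev)
    return [{"rule": "repeated-auth-failure", "src_ip": ip, "count": len(evs),
             "users": sorted({e.user for e in evs if e.user}),
             "hosts": sorted({e.host for e in evs}),
             "formats": sorted({e.fmt for e in evs})}
            for ip, evs in by_ip.items() if len(evs) >= threshold]


# Constructed sample input: three formats, one noisy source, one benign login.
SAMPLE_LINES = [
    "<34>Oct 11 22:14:15 host1 sshd[123]: Failed password for alice from 10.0.0.5 port 22 ssh2",
    "<34>Oct 11 22:14:17 host1 sshd[123]: Failed password for invalid user bob from 10.0.0.5 port 22 ssh2",
    "CEF:0|Acme|Firewall|1.0|100|Login failed|5|src=10.0.0.5 suser=alice dvchost=fw1",
    '{"version":"1.1","host":"host2","short_message":"Failed password for carol from 10.0.0.5 port 22","level":4}',
    "<38>Oct 11 22:15:01 host1 sshd[124]: Accepted password for alice from 10.0.0.9 port 22 ssh2",
    "plain text line that no parser recognizes",
]


def run_example() -> List[Dict]:
    return correlate_failed_logins([normalize(line) for line in SAMPLE_LINES])


if __name__ == "__main__":
    print(json.dumps(run_example(), indent=2))
```

The point of normalizing first is visible in the result: the four failures against the same address arrive in three different formats from three different hosts, and only the shared `category` and `src_ip` fields let one rule see them as one incident. A real rule would add a time window and the `pri`/`severity` fields already carried in `fields`.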
7. Conclusions

The basis of any SOA architecture is the ESB, the main advantages of which are a wide range of connectors and scalability of the solution; flexible data routing; guaranteed delivery of information messages; organization of a secure transmission channel; centralized management; the ability to monitor and diagnose the state of transmission; and the possibility of integration with third-party message queues.

The analysis of modern ESB solutions has shown that each of the products has its own features, which form the basis of their fields of usage. If a company wants to use free versions of a product, Fuse would be the most suitable option (but it would be necessary to consult developers for significant revisions). Talend or Mule are good options in the early stages of a company's development. WSO2 has the best balance of functionality and ease of calculating the cost of the license.

To implement SIEM in a critical information infrastructure, a SOA-based distributed data bus is required. The platform uses distributed databases of different types to solve metrics and event control tasks in parallel. This increases parameters by an order of magnitude, providing processing speed for large flows of information; minimal delays in data processing; minimal delays for analytical reports and queries; high fault tolerance; and storage extensibility by simply adding nodes without database downtime. The use of an API significantly simplifies interaction: it ties together the capabilities of different services, forming interfaces available to different users.

After the concept and DB development, the ESB was justified, and a data sheet for SIEM in critical infrastructure was formed and proposed in this paper.

8. Acknowledgment

This work is carried out within the framework of research grant #АР06851243 "Methods, models and tools for security events and incidents management for detecting and preventing cyber-attacks on critical infrastructures of digital economics" (2020–2022), funded by the Ministry of Digital Development, Innovation and Aerospace Industry of the Republic of Kazakhstan.

9. References

[1] V. Grechaninov, et al., Decentralized Access Demarcation System Construction in Situational Center Network, in Cybersecurity Providing in Information and Telecommunication Systems II, vol. 3188, no. 2, 2022, pp. 197–206.
[2] V. Grechaninov, et al., Formation of Dependability and Cyber Protection Model in Information Systems of Situational Center, in Emerging Technology Trends on the Smart Industry and the Internet of Things, vol. 3149, 2022, pp. 107–117.
[3] V. Buriachok, V. Sokolov, P. Skladannyi, Security rating metrics for distributed wireless systems, in 8th International Conference on "Mathematics. Information Technologies. Education:" Modern Machine Learning Technologies and Data Science (MoMLeT and DS), vol. 2386, 2019, pp. 222–233.
[4] A. Skendžić, B. Kovačić, B. Balon, Management and Monitoring Security Events in a Business Organization—SIEM system, in 45th Jubilee International Convention on Information, Communication and Electronic Technology (MIPRO), 2022, pp. 1203–1208, doi: 10.23919/mipro55190.2022.9803428.
[5] S. Gnatyuk, et al., Modern SIEM Analysis and Critical Requirements Definition in the Context of Information Warfare, in CEUR Workshop Proceedings, 2021, vol. 3188, pp. 149–166.
[6] R. Berdibayev, et al., A Concept of the Architecture and Creation for SIEM System in Critical Infrastructure, Studies in Systems, Decision and Control, vol. 346, 2021, pp. 221–242.
[7] S. Gnatyuk, et al., Modern Types of Databases for SIEM System Development, CEUR Workshop Proceedings, vol. 3187, 2021, pp. 127–138.
[8] Z. Jin, H. Zhu, A Framework for Agent-Based Service-Oriented Modelling, in 2008 IEEE International Symposium on Service-Oriented System Engineering, 2008, pp. 160–165, doi: 10.1109/SOSE.2008.15.
[9] W. Li, Design and Implementation of Software Testing Platform for SOA-Based System, in IEEE 6th Int. Conf. on Comp. and Commun. Syst., 2021, pp. 1094–1098, doi: 10.1109/icccs52626.2021.9449221.
[10] ESB (Enterprise Service Bus), https://www.ibm.com/cloud/learn/esb.
[11] P. Dai, Design and implementation of ESB based on SOA in power system, in 4th International Conference on Electric Utility Deregulation and Restructuring and Power Technologies (DRPT), 2011, pp. 519–522, doi: 10.1109/drpt.2011.5993946.
[12] J. Sreemathy, et al., Data Integration in ETL Using TALEND, in 6th International Conference on Advanced Computing and Communication Systems, 2020, pp. 1444–1448, doi: 10.1109/ICACCS48705.2020.9074186.
[13] X. Mkhwanazi, H. Le, E. Blake, Clustering between Data Mules for Better Message Delivery, in 26th Int. Conf. on Advanced Information Networking and Applications Workshops, 2012, pp. 209–214.
[14] I. Kumara, C. Gamage, Towards Reusing ESB Services in Different ESB Architectures, in IEEE 34th Annual Computer Software and Applications Conference Workshops, 2010, pp. 25–30, doi: 10.1109/compsacw.2010.15.
[15] S. Gnatyuk, et al., Cloud-Based Cyber Incidents Response System and Software Tools, Communications in Computer and Information Science, vol. 1486, 2021, pp. 169–184.
[16] T. Laue, et al., A SIEM Architecture for Multidimensional Anomaly Detection, in 11th IEEE International Conference on Intelligent Data Acquisition and Advanced Computing Systems: Technology and Applications (IDAACS), 2021, pp. 136–142, doi: 10.1109/IDAACS53288.2021.9660903.
[17] P. Asef, et al., SIEMS: A Secure Intelligent Energy Management System for Industrial IoT applications, in IEEE Transactions on Industrial Informatics, doi: 10.1109/tii.2022.3165890.
[18] M. Orsós, et al., Log Collection and SIEM for 5G SOC, in IEEE 20th Jubilee World Symposium on Applied Machine Intelligence and Informatics (SAMI), 2022, pp. 147–152, doi: 10.1109/sami54271.2022.9780759.