Enterprise Service Bus Construction in SOA Architecture for SIEM Implementation in Critical Information Infrastructure

Sergiy Gnatyuk (1), Rat Berdibayev (2), Viktoriia Sydorenko (1), Artem Polozhentsev (1), and Myroslav Ryabyy (1)

(1) National Aviation University, 1 Liubomyra Huzara ave., Kyiv, 03058, Ukraine
(2) Almaty University of Power Engineering and Telecommunication, 126/1 Baytursynuli str., Almaty, 050013, Kazakhstan

Abstract

The number of cyber threats in ICT is increasing, so the development of new security-oriented instrumental tools is an important and relevant scientific task. Security information and event management (SIEM) systems are one category of such tools, directed at log analysis and incident management in order to prevent the negative consequences of cyber threats and minimize the damage to the end user. In previous works the authors analyzed existing SIEM systems and the database types suitable for them, and created a new architecture of a cloud-based SIEM. The next step of this research project is the justification of the enterprise service bus architecture. The paper defines the place of the distributed data bus in the concept of service-oriented architecture and identifies its functions and benefits. The authors also analyze the most popular up-to-date enterprise service bus solutions and provide recommendations in the context of implementing the developed SIEM in critical infrastructure. Besides, a data sheet for a SIEM in critical infrastructure is formed and proposed in this paper.

Keywords

SIEM, incident management, ESB, cyber threat, cloud-based architecture, SOA.

CPITS-2022: Cybersecurity Providing in Information and Telecommunication Systems, October 13, 2022, Kyiv, Ukraine
EMAIL: s.gnatyuk@nau.edu.ua (S. Gnatyuk); r.berdybaev@aues.kz (R. Berdibayev); v.sydorenko@ukr.net (V. Sydorenko); artem.polozhencev@gmail.com (A. Polozhentsev); m.riabyi@nau.edu.ua (M. Ryabyy)
ORCID: 0000-0003-4992-0564 (S. Gnatyuk); 0000-0002-8341-9645 (R. Berdibayev); 0000-0002-5910-0837 (V. Sydorenko); 0000-0003-0139-0752 (A. Polozhentsev); 0000-0002-9651-9135 (M. Ryabyy)
© 2022 Copyright for this paper by its authors. Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0). CEUR Workshop Proceedings (CEUR-WS.org)

1. Introduction

Nowadays, the number of cyber threats is increasing. This is due to the development of new information and communication technologies (ICT), insufficient testing of newly developed software and of device-level software, and the lack of maintenance and support for outdated application and server software [1, 2]. There are various vulnerabilities in protocols, in software and in the architecture of electronic equipment, all of which affect the level of cyber security [3]. Many instruments have been developed to solve these problems and mitigate threats. One of them is Security Information and Event Management (SIEM) [4], created to prevent the future consequences of the exploitation of vulnerabilities by undesirable persons and to minimize the damage for the end user [6].

2. Analysis of Modern Approaches and Problem Statement

In the paper [6] the basic concept of a cloud-based SIEM architecture (Fig. 1) for different sectors of critical infrastructure was proposed. This scheme can also be integrated into real ICT infrastructures together with existing SIEMs (offered by various vendors [5]) and other incident management tools. The main structural units of the proposed SIEM are the following:
• Horizontal Databases.
• Blocks of Analytics and Monitoring.
• Cloud Storage.
• Encryptor.
• Message Broker.
• Sources (System 1 – System N).

Figure 1: Proposed cloud-based SIEM architecture concept

One of the most important units of this system is the Encryptor, which creates a single Cloud Storage block by providing confidentiality of the unprocessed data after it has been gathered using syslog, NetFlow, etc. Besides, the Virtual Box sends the gathered and encrypted data to the Horizontal Databases via the Message Broker. If there is no connection with the Message Broker, temporary data storage is provided in Cloud Storage.

In [5] the analysis of up-to-date SIEM systems was carried out; in the paper [6] the basic concept of a cloud-based SIEM was developed; in the work [7] the authors analyzed database types in the context of SIEM implementation. The next step is the justification of the enterprise service bus, and this is the main objective of this research paper.

3. ESB Implementation in SOA Information Infrastructure

Service-Oriented Architecture (SOA) provides a way to allow multiple usage of software components through service interfaces (Fig. 2) [8]. Such interfaces use common communication standards so that they can be quickly integrated into new applications without the need for in-depth integration each time.

Figure 2: Scheme of the SOA construction

The SOA service contains the code and data integrations necessary to perform a particular business function [9]. Service interfaces are loosely coupled, meaning that they can be used even with minimal knowledge of how the integration is performed. Services are accessed via standard network protocols, such as SOAP/HTTP or JSON/HTTP, which send read/modify data requests. Services are published in such a way that developers can find and reuse them to build new applications quickly. These services can be created from the ground up, but are often made by exporting functions of existing systems as interfaces.

In SOA, services can interact with each other regardless of the type of service. This means that a particular service may be platform- or protocol-specific, but SOA allows such services to interact and exchange data. This data is exchanged through a distributed data bus or Enterprise Service Bus (ESB) [10], which forms the basis of any SOA architecture. Thus, the ESB is a template (Fig. 3) in which a centralized component integrates with the core systems and then exposes these integrations as service interfaces.

Figure 3: The ESB bus layout

It provides data model conversions, connectivity, routing, and even the composition of multiple queries, combining these functions in a single service interface that can be reused by new applications. Typically, the ESB template is implemented with a specially designed integration runtime and tools that are well suited to perform the above functions as efficiently as possible [11].

In principle, SOA can be implemented without an ESB (Fig. 4), but application owners would then have to find their own way to provide access to the interfaces, which is a very time-consuming task (even with a moderate number of interfaces) and which also makes future maintenance very difficult. For example, an ESB can be implemented using JMS servers and XML/XSD as the means of transferring data between different services. Different services then register with or connect to these JMS servers and exchange data in XML format. Typically, the SOA suite comes with so-called adapters that convert messages to and from a format that the service and XML understand.

Figure 4: SOA comparison with and without ESB

Consider a stock trading system as an example. Messages from the stock exchange arrive using the FIX protocol, while the application that consumes them may expect JSON. To make both systems work together, SOA is used: the FIX adapter converts the FIX message into XML, that XML is passed via the ESB to the JSON adapter, and there it is converted into the JSON required by the endpoint system. Fig. 5 shows an example of a JBoss ESB implementation [9].

Figure 5: JBoss ESB implementation example
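The FIX-to-XML-to-JSON adapter chain described above, as an added example in Python; it is not code from the paper or from JBoss ESB. The bus keeps one canonical model (XML), so each format needs one inbound and one outbound adapter rather than a converter for every pair, and the inbound adapter verifies the FIX checksum before the bus trusts the message. The FIX tag subset, the sample order, the `ServiceBus` API and the `demo` function are assumptions of this example:

```python
"""Added example (not code from the paper or from JBoss ESB): a FIX message is
converted by an inbound adapter into a canonical XML document, routed through
a minimal service bus, and rendered by an outbound adapter as the JSON the
endpoint expects. The FIX tag subset, the sample order and the bus API are
assumptions of this example."""
import json
import xml.etree.ElementTree as ET
from typing import Callable, Dict, List, Tuple

SOH = "\x01"  # FIX field delimiter
# Assumed subset of the FIX tag dictionary; anything else is kept as <field tag="N">.
FIX_TAGS = {"8": "BeginString", "9": "BodyLength", "35": "MsgType", "55": "Symbol",
            "54": "Side", "38": "OrderQty", "44": "Price", "10": "CheckSum"}


def build_fix(fields: List[Tuple[str, str]]) -> str:
    """Assemble a FIX message, computing BodyLength (tag 9) and CheckSum (tag 10)."""
    begin, body = fields[0], fields[1:]
    body_str = SOH.join(f"{t}={v}" for t, v in body) + SOH
    msg = f"{begin[0]}={begin[1]}{SOH}9={len(body_str)}{SOH}{body_str}"
    return f"{msg}10={sum(msg.encode('ascii')) % 256:03d}{SOH}"


def parse_fix(raw: str) -> Dict[str, str]:
    """Split tag=value fields and verify the checksum before the bus trusts the message."""
    marker = raw.rfind(SOH + "10=")
    if marker < 0 or not raw.endswith(SOH):
        raise ValueError("malformed FIX message")
    expected = sum(raw[: marker + 1].encode("ascii")) % 256
    fields = dict(f.split("=", 1) for f in raw.rstrip(SOH).split(SOH))
    if fields.get("10") != f"{expected:03d}":
        raise ValueError("FIX checksum mismatch: message rejected by the adapter")
    return fields


def fix_to_xml(raw: str) -> ET.Element:
    """Inbound adapter: FIX -> canonical XML (framing tags 9 and 10 are dropped)."""
    root = ET.Element("message", {"source": "FIX"})
    for tag, value in parse_fix(raw).items():
        if tag in ("9", "10"):
            continue
        ET.SubElement(root, FIX_TAGS.get(tag, "field"), {"tag": tag}).text = value
    return root


def xml_to_json(doc: ET.Element) -> str:
    """Outbound adapter: canonical XML -> JSON for the consuming service."""
    return json.dumps({child.tag: child.text for child in doc}, sort_keys=True)


class ServiceBus:
    """Hub with one canonical data model (XML): N formats need N adapters, not N*N."""

    def __init__(self) -> None:
        self.inbound: Dict[str, Callable[[str], ET.Element]] = {}
        self.outbound: Dict[str, Callable[[ET.Element], str]] = {}
        self.trace: List[Tuple[str, str, str]] = []  # the bus records each message's path

    def route(self, payload: str, src: str, dst: str) -> str:
        canonical = self.inbound[src](payload)
        self.trace.append((src, dst, canonical.findtext("MsgType", "?")))
        return self.outbound[dst](canonical)


def demo() -> Dict[str, str]:
    bus = ServiceBus()
    bus.inbound["fix"] = fix_to_xml
    bus.outbound["json"] = xml_to_json
    # Constructed sample: a New Order Single (35=D) for 100 shares of ACME.
    order = build_fix([("8", "FIX.4.4"), ("35", "D"), ("55", "ACME"),
                       ("54", "1"), ("38", "100"), ("44", "12.5")])
    return json.loads(bus.route(order, "fix", "json"))


if __name__ == "__main__":
    print(demo())
```

Rejecting a message whose checksum does not match keeps a corrupted or tampered record from being canonicalized and fanned out to every subscriber; the `trace` list is the bus-side record of each message's path. Real FIX sessions also carry sequence numbers and session-level authentication, which this example omits.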
4. ESB Comparative Analysis

Below, let us consider how ESB components are implemented and used in the solutions that are most often offered on the Kazakhstan market (Talend [12], Mule [13], WSO2 [14], Red Hat Fuse).

Table 1: ESB comparative analysis

No. | Criteria | Talend | Mule | WSO2 | Red Hat Fuse

1 | Studio | + | + | + | ±

2 | Message broker support
  Talend: JMS 1.1, Microsoft MQ 3.0, JBoss Messaging 1.4.4, IBM MQ 8.0, Apache ActiveMQ 5.13.2
  Mule: Anypoint MQ, IBM MQ, Apache Kafka, AWS MQ, RabbitMQ, JMS support
  WSO2: Amazon SQS, Apache ActiveMQ, Apache Kafka, JMS 1.0.2, 1.1, 2.0 support
  Red Hat Fuse: Apache Kafka, JMS support

3 | Logging
  Talend: statistics on the execution of tasks and components; errors, warnings and exceptions at the task level; data flow within tasks; logging in Elastic, Apache Log4j, Apache Commons Logging, Trace Logs
  Mule: logging within each integration created in Mule: errors and events that the integration logic marks as mandatory for logging; starting, stopping, deploying and disconnecting of Mule services and integrations are logged separately
  WSO2: Apache Log4j-based logging via the Apache Commons Logging library; system and component events are logged
  Red Hat Fuse: Apache Log4j-based logging via the Apache Commons Logging library, SLF4J, java.util.logging, Elastic

4 | Monitoring | + | + | + | +

Developers also add the Apache Kafka (plus Kafka Connect) and RabbitMQ message brokers to this list, but these two solutions are not ESBs, and it is not reasonable to consider them within the scope of this analysis. As the criteria we chose the basic functional components of data buses: whether a studio is provided, message broker support, and the way logging and monitoring are done.

5. Features of Modern ESB

The data bus is a set of software that acts as a single hub for the exchange of messages between information systems and applications.
The service bus allows for easy configuration of message paths, stores the history of messages, and records the path of each message. The problems of direct (point-to-point) integration that it addresses, and its basic principles, are listed below:
1. Any upgrade of an item inevitably requires a large-scale reworking of the integrations. For example, when an Oracle database update is released, all the integrations related to it have to be reworked.
2. Event logging in each of the integrations is implemented differently (if at all). If data is lost or arrives with errors, it is difficult to trace the time and cause of the error.
3. Each new element of the system requires a significant investment in point-to-point integration. For example, to add new trading platforms, it is necessary to integrate them with the online store, CRM, WMS, ERP, PIM, etc.
4. Business intelligence is becoming more complex: data is stored in different sources, in different formats, or duplicated. Combining it into a convenient tool for making management decisions is a difficult task.
5. As the infrastructure grows, the time and resources required to maintain it grow accordingly, and the reserve of resources available to improve it decreases.
6. The ESB combines several functions that a "star" topology either distributes across the individual integrations or does not implement at all.
7. The ESB collects information from other systems, either belonging to the company's IT infrastructure or external. The information is received in the form and formats in which it is held in the source system.
8. Within the ESB, the data is converted into the formats required for transmission to other systems.
9. The logic of routes and conversions is set by the operator: the source of information, the purpose of the conversion and the place of acceptance.
10. Logs are saved in the message broker. If errors or losses occur, the cause of the failure can be determined without having to reproduce the incident. Accordingly, errors can be corrected and data restored quickly and easily.

6. Practical Implementation of ESB for Effective Integration of SIEM in Critical Information Infrastructure

The developed platform [6, 15] applies a security event correlation mechanism that allows the platform to be used as a dedicated and fully functional SIEM system. The platform provides correlation of normalized logs/events, searches/queries for threat analysis and sources of vulnerability information, and produces risk-aware alarms. The primary objective is to collect as many events as possible from the organization's infrastructure [16].

During digital transformation, companies (regardless of their size) use multiple information systems, and frequently they operate on overlapping data sets. The ESB is designed to integrate different information systems: data exchange takes place via the ESB, using various protocols and formats, which avoids modifications of the systems being integrated. The use of an ESB for SIEM-class systems is aimed at balanced distribution of the load on services and at the security of data exchange.

Consider how services communicate directly with each other. To retrieve data from an application, it is necessary to go through a complex multi-level chain of operations, and there can be from several to dozens or hundreds of such services. The continuous exchange of messages between systems can create a heavy load; on the user side, this leads to long latency and constant application failures (Fig. 6). It is also worth noting that if one of the systems needs to be updated, changed, or distributed to other departments, this inevitably affects all the other services.

Figure 6: Interaction of services without a bus

Using an ESB for SIEM-class systems completely changes the organization of processes in a company: applications no longer need to communicate directly with each other; instead, each of them interacts only with the integration platform. This immediately eliminates the need for a huge number of access methods, since only as many interfaces as there are services are needed. If changes need to be made to one of the systems, they do not affect the other corporate applications; the ESB alone takes on all these tasks (Fig. 7). Thus, unlike the traditional point-to-point architecture (where services interact directly with each other), this approach has more flexibility, and integration scenarios can be modified with minimal developer intervention.

Figure 7: Service interaction with the bus

The benefits of the solution are as follows: implementing an ESB for SIEM-class systems makes it easier to integrate applications, saves time and resources, improves the functioning of services, and enhances the organization's efficiency and security.

To collect information (events), the system uses its own agents installed in the monitored subsystems, as well as standard existing mechanisms for collecting events (syslog, SNMP, etc.). For network control, it can be used as a collector of NetFlow statistics received from network equipment. It can also analyze network traffic, either by mirroring traffic from network equipment or by passing traffic through itself.

The system sends events over an encrypted channel to the message broker. If there is no connection to the message broker, it ensures temporary storage of the data, minimizing the risk of losing critical information. Multiple brokers can be installed in a monitored system. Some important concepts:
• Message broker: special software which ensures the guaranteed delivery of messages from multiple sources to multiple recipients; in effect, an electronic queue for messages.
• Repository: a special storage of unprocessed records in encrypted form. It is an important part of collecting legally relevant evidence for incident investigations.

Horizontally extensible databases are a distinctive architectural advantage of the developed platform. The system uses distributed databases of different types to solve metrics control (monitoring) and event control (SIEM) tasks in parallel [17]:
• High speed of processing large streams of information.
• Minimal delays in data processing.
• Minimal delays for building analytical reports and queries.
• High fault tolerance.
• Storage expandability by adding nodes without database downtime.

The monitoring module is comprehensive software for controlling metrics. Usually, such tasks are called "monitoring" and consist of real-time tracking of quantitative metrics of systems. When metrics enter risk zones, the module creates a security violation event. This module has an interactive graphical interface.

The analytics module is comprehensive event analysis software that performs normalization, correlation, and event analysis. It also finds dependencies, defines an event as an incident, and informs other systems. It also has an interactive graphical interface.

The service-oriented architecture, of which the developed platform is a part, integrates all APIs, which ensures end-to-end integration. An API is a set of rules and conditions for programs to communicate with each other: input and output data, and the types of operations. The use of an API significantly simplifies interaction: it ties together the capabilities of different services, forming interfaces that are accessible to different users (Fig. 8).

Figure 8: SOA service-to-bus interaction

Microservice architecture differs from the traditional ESB approach for SIEM-class systems because its functionality is organized into small services, each of which is responsible for a separate task, is supported by one team, and can work in isolation from the others. There is no centralized base with this approach; each service has its own repository of information. The ESB for SIEM-class systems, however, serves only as a transport, being, in essence, just a message broker. Interaction between the user and the platform services is also performed via API [18].
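The agent behaviour described in this section (send to the broker, spool locally while the broker is unreachable, lose nothing), as an added example in Python; it is not the platform's code. The broker client (`publish` raising `BrokerUnavailable` on outage), the spool file layout, the event schema and the `demo` function are assumptions of this example; the paper's encrypted channel and encrypted repository are not shown, so the spool written here is plaintext:

```python
"""Added example (not the platform's code): an agent-side store-and-forward
shipper. Events go to the broker when it is reachable; during an outage they
are spooled to local disk and replayed in order once the link is back.
The broker interface (publish raising on outage), the spool file layout and
the event schema are assumptions of this example."""
import json
import os
import tempfile
import time
import uuid
from typing import Dict, List


class BrokerUnavailable(Exception):
    """Raised by the broker client when there is no connection."""


class FakeBroker:
    """Stand-in for the message broker; `up` simulates the link state."""

    def __init__(self) -> None:
        self.up = True
        self.received: List[Dict] = []
        self._seen: set = set()

    def publish(self, event: Dict) -> None:
        if not self.up:
            raise BrokerUnavailable("no connection to broker")
        if event["id"] in self._seen:  # at-least-once delivery needs broker-side dedup
            return
        self._seen.add(event["id"])
        self.received.append(event)


class Shipper:
    """Try the broker first; on failure spool to disk; drain the spool before new sends."""

    def __init__(self, broker: FakeBroker, spool_path: str) -> None:
        self.broker = broker
        self.spool_path = spool_path

    def send(self, raw: str, source: str) -> bool:
        event = {"id": str(uuid.uuid4()), "ts": time.time(), "source": source, "raw": raw}
        self.flush()  # older spooled events must leave before this one (ordering)
        try:
            if self.backlog():
                raise BrokerUnavailable("spool not drained")  # keep order, do not overtake
            self.broker.publish(event)
            return True
        except BrokerUnavailable:
            self._append(event)
            return False

    def _append(self, event: Dict) -> None:
        with open(self.spool_path, "a", encoding="utf-8") as fh:
            fh.write(json.dumps(event) + "\n")
            fh.flush()
            os.fsync(fh.fileno())  # survive an agent crash right after the outage begins

    def _load(self) -> List[Dict]:
        if not os.path.exists(self.spool_path):
            return []
        with open(self.spool_path, encoding="utf-8") as fh:
            return [json.loads(line) for line in fh if line.strip()]

    def backlog(self) -> int:
        return len(self._load())

    def flush(self) -> int:
        """Replay spooled events oldest first; stop at the first failure and keep the rest."""
        pending = self._load()
        sent = 0
        for event in pending:
            try:
                self.broker.publish(event)
                sent += 1
            except BrokerUnavailable:
                break
        if sent:  # rewrite atomically so a crash cannot truncate the spool half-way
            tmp = self.spool_path + ".tmp"
            with open(tmp, "w", encoding="utf-8") as fh:
                for event in pending[sent:]:
                    fh.write(json.dumps(event) + "\n")
            os.replace(tmp, self.spool_path)
        return sent


LINES = [  # constructed sample events, not real logs
    "<34>Oct 13 10:00:01 fw1 kernel: DROP IN=eth0 SRC=203.0.113.9 DST=10.0.0.5 DPT=22",
    "<38>Oct 13 10:00:02 bastion sshd[2211]: Failed password for root from 203.0.113.9",
    "<38>Oct 13 10:00:03 bastion sshd[2211]: Failed password for root from 203.0.113.9",
]


def demo() -> Dict[str, object]:
    broker = FakeBroker()
    agent = Shipper(broker, os.path.join(tempfile.mkdtemp(), "events.spool"))
    agent.send(LINES[0], "syslog")  # link up: delivered directly
    broker.up = False               # outage begins
    agent.send(LINES[1], "syslog")
    agent.send(LINES[2], "syslog")
    spooled = agent.backlog()
    broker.up = True                # link restored
    replayed = agent.flush()
    return {"delivered": len(broker.received), "spooled": spooled, "replayed": replayed,
            "backlog": agent.backlog(),
            "in_order": [e["raw"] for e in broker.received] == LINES}


if __name__ == "__main__":
    print(demo())
```

Two points a practitioner should check in any real agent: ordering (a new event is spooled rather than sent while older spooled events are still waiting) and at-least-once delivery, which needs broker-side deduplication by event id as `FakeBroker` shows. Because the spool holds raw events in clear, it must live on a volume with restricted permissions (and, to match the paper's design, at-rest encryption), and the transport to the broker should be TLS.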
Taking into account [5–7], the SIEM data sheet is the following (Table 2). Additional requirements are the following:
• The Supplier ensures the installation of the SIEM software on physical servers and/or the Customer's virtualization platform.
• The Supplier provides the Customer with a calculation of the resource requirements for installing the SIEM. The calculation is made by the Supplier based on the performance requirements specified in this specification (clauses 11, 12 in Table 2).
• The Customer provides the allocation of resources in accordance with the specified calculation, and the installation and basic configuration of the operating systems (including configuration of the disk subsystem and network interfaces) for installing the SIEM. The Supplier shall provide the Customer with an operating system distribution (on media or in the form of a download link) and, if necessary, a license for the operating systems.
• The Customer provides access from the servers to the Internet during the installation and configuration of the SIEM.
• For the entire duration of SIEM operation, the Customer provides constant access from the SIEM servers to the licensing server to control the license.
The Supplier, within 10 (ten) calendar days, completes the installation and configuration of the SIEM system.

Table 2: Data sheet of the information security event monitoring and management system

N | Name | Description
Information security event monitoring system and real-time incident detection (SIEM)

1 | Special purpose | The information security (IS) event monitoring and real-time incident detection system (hereinafter referred to as SIEM) is designed to monitor and analyze IS events and must:
  • Carry out centralized collection, storage and processing of events from system logs, as well as network flows, from the various systems of the Customer's infrastructure.
  • Identify important events and IS incidents in the total mass of data, which should allow the Customer's IS specialists (hereinafter referred to as the Customer's personnel) to concentrate on the most serious incidents and respond to them in a timely manner.
  • Inform the Customer's personnel about identified information security incidents by sending messages to e-mail.

2 | Centralized management | SIEM should provide centralized management of all its components and functionality through a single graphical Web interface.

3 | Data visualization (dashboards) | SIEM should:
  • Allow the creation of graphical panels (dashboards) using any events, with automatic updating at a given interval.
  • Support the creation of new graphical panels or modification of existing ones using a "wizard," by a method that does not require the use of programming languages.
  • Allow the saving of graphical panels for collective use. The graphic panels of the module must support various types of data presentation: tables, pie and line charts, etc. The graphic panels of the module should function automatically, without the need for regular maintenance by the operator.
  • Display graphical panels via a Web interface.

4 | API support | SIEM should have an open software interface (API) for integration with other modules.

5 | Support for authentication and authorization | SIEM should support the following methods of user authentication and authorization:
  • Local user base.
  • Active Directory.
  • LDAP.
  • Tokens (for API access).

6 | Update | The SIEM must support the ability to update automatically and/or manually as new versions are released.

7 | Fault tolerance | The SIEM database must support a cluster organization of at least two nodes.

8 | Scaling | SIEM should:
  ▪ Provide horizontal scaling by adding hardware and, if necessary, purchasing additional SIEM licenses in accordance with the current (at the time of scaling) licensing policy.
  ▪ Have an event storage component (database) in which the following functions are implemented:
    ● Scaling without a fixed limit on the volume of event storage (adding additional equipment if necessary).
    ● Fault-tolerant implementation.

9 | Collecting and filtering events | SIEM should:
  • Support standard methods for collecting event logs: Syslog, Raw/Plaintext, GELF, CEF, file event logs (using agents for Linux/Windows).
  • Provide analysis of events in real time.
  • Provide filtering, as well as display of events through the user interface in real time, where the user can immediately apply filters.
  • Be able to save search criteria for quick access in the future.
  • Support search over events using a query language (if a proprietary query language is used, it should be described in the documentation).
  • Provide the user with the opportunity to independently connect event sources that are not supported by default, or systems of their own design.
  • Support data transmission from sources to the control system via a secure channel (if the protocol supports secure transmission).
  • Support centralized management of agents through the SIEM interface (for agents of the Beats family).

10 | Account management requirements | SIEM should:
  • Support a role-based management model with a predefined set of roles.
  • Be able to create and use user groups (teams).
  • Have a token management system for authorization in the API.

Performance requirements

11 | Events per second requirements (EPS) |
  • Average daily: no more than 200 EPS.
  • Maximum in the busiest hour: no more than 400 EPS.

12 | Requirements for information stored in the database | The daily amount of information stored in the event database is no more than 4 GB per day. The storage period for events in the database and/or SIEM archive is at least 3 years.
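The collection formats required in row 9 of Table 2 (Syslog, CEF) and the normalization, correlation and incident declaration that Section 6 assigns to the analytics module, as an added example in Python; it is not the platform's code. The sample lines are constructed for this example; the common event schema, the 0–10 severity scale, the rule's threshold and window, and the `demo` function are assumptions:

```python
"""Added example (not the platform's code): normalize BSD syslog and CEF lines into
one event schema, then correlate repeated auth failures into an incident. Sample
lines are constructed; the schema, severity scale (0..10) and rule limits are assumptions."""
import re
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional, Tuple

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<app>[^:\[ ]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
SSH_FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
# CEF extension is key=value pairs; '=' and '\' inside a value are backslash-escaped.
CEF_EXT_RE = re.compile(r"(\w+)=((?:\\.|[^\\=])*?)(?=\s+\w+=|$)")
CEF_WORD_SEVERITY = {"low": 3, "medium": 6, "high": 8, "very-high": 10}


def parse_syslog(line: str) -> Optional[Dict]:
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    ev = {"format": "syslog", "host": m["host"], "app": m["app"], "facility": pri // 8,
          "severity": round((7 - pri % 8) * 10 / 7),  # syslog 0 = emergency, so invert
          "category": "other", "outcome": "unknown", "src": "", "user": "", "detail": m["msg"]}
    f = SSH_FAIL_RE.search(m["msg"])
    if f:
        ev.update(category="auth", outcome="failure", src=f["src"], user=f["user"])
    return ev


def _split_cef(s: str) -> List[str]:
    """Split the seven header fields on unescaped '|'; the remainder is the extension."""
    parts, cur, i = [], [], 0
    while i < len(s) and len(parts) < 7:
        if s[i] == "\\" and i + 1 < len(s):  # '\|' or '\\' inside a header field
            cur.append(s[i + 1])
            i += 2
            continue
        if s[i] == "|":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(s[i])
        i += 1
    parts.append("".join(cur) + s[i:])
    return parts


def parse_cef(line: str) -> Optional[Dict]:
    parts = _split_cef(line)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        return None
    ext = {k: re.sub(r"\\(.)", r"\1", v) for k, v in CEF_EXT_RE.findall(parts[7])}
    sev = parts[6].strip()
    severity = int(sev) if sev.isdigit() else CEF_WORD_SEVERITY.get(sev.lower(), 5)
    return {"format": "cef", "host": ext.get("dvc", ext.get("dvchost", "")), "app": parts[2],
            "facility": None, "severity": min(severity, 10),
            "category": "auth" if re.search(r"login|auth|password", parts[5], re.I) else "other",
            "outcome": ext.get("outcome", "unknown"), "src": ext.get("src", ""),
            "user": ext.get("suser", ""), "detail": ext.get("msg", parts[5])}


def normalize(line: str) -> Optional[Dict]:
    return parse_cef(line) if line.startswith("CEF:") else parse_syslog(line)


class BruteForceRule:
    """Incident when `threshold` auth failures from one source fall within `window` seconds."""

    def __init__(self, threshold: int = 3, window: float = 60.0) -> None:
        self.threshold, self.window = threshold, window
        self.failures: Dict[str, Deque[float]] = defaultdict(deque)

    def feed(self, ev: Dict, ts: float) -> Optional[Dict]:
        if ev["category"] != "auth" or ev["outcome"] != "failure" or not ev["src"]:
            return None
        q = self.failures[ev["src"]]
        q.append(ts)
        while q and ts - q[0] > self.window:  # slide the window
            q.popleft()
        if len(q) < self.threshold:
            return None
        count = len(q)
        q.clear()  # one incident per burst, not one per extra failure
        return {"incident": "auth_brute_force", "src": ev["src"], "count": count, "severity": 8}


SAMPLES: List[Tuple[float, str]] = [  # (ingest time, line); constructed, not real logs
    (0.0, "<38>Oct 13 10:00:01 bastion sshd[2211]: Failed password for root from 203.0.113.9 port 51022 ssh2"),
    (5.0, "<38>Oct 13 10:00:06 bastion sshd[2211]: Failed password for invalid user admin from 203.0.113.9 port 51023 ssh2"),
    (9.0, "CEF:0|ExampleVendor|VPN|2.1|AUTH-FAIL|Login failed|7|"
          "src=203.0.113.9 suser=root outcome=failure dvc=vpn1 msg=reason\\=bad\\=password"),
    (12.0, "<30>Oct 13 10:00:13 bastion sshd[2211]: Accepted publickey for ops from 198.51.100.4 port 40000 ssh2"),
]


def demo() -> Dict[str, List[Dict]]:
    rule = BruteForceRule(threshold=3, window=60.0)
    events, incidents = [], []
    for ts, line in SAMPLES:
        ev = normalize(line)
        if ev is not None:
            events.append(ev)
            inc = rule.feed(ev, ts)
            if inc:
                incidents.append(inc)
    return {"events": events, "incidents": incidents}


if __name__ == "__main__":
    for incident in demo()["incidents"]:
        print(incident)
```

The CEF parser handles the escaping that trips up naive splitters: `\|` and `\\` in the header, `\=` and `\\` in extension values (the sample's msg field carries two escaped equals signs). Severity scales run in opposite directions in syslog (0 = emergency) and CEF (10 = most severe); normalizing them before correlation avoids rules that silently compare unlike numbers. The rule clears its window after firing so that one burst yields one incident rather than one per extra failure.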
7. Conclusions

The basis of any SOA architecture is the ESB, the main advantages of which are a wide range of connectors and scalability of the solution; flexible data routing; guaranteed delivery of information messages; organization of a secure transmission channel; centralized management; the ability to monitor and diagnose the state of transmission; and the possibility of integration with third-party message queues.

The analysis of modern ESB solutions has shown that each of the products has its own features, which form the basis of its fields of usage. If a company wants to use free versions of a product, Fuse would be the most suitable option (but it would be necessary to consult developers for significant revisions). Talend or Mule are good options in the early stages of a company's development. WSO2 has the best balance of functionality and ease of calculating the cost of the license.

To implement a SIEM in a critical information infrastructure, a SOA-based distributed data bus is required. The platform uses distributed databases of different types to solve metrics and event control tasks in parallel. This improves the key parameters by an order of magnitude, providing processing speed for large flows of information; minimal delays for data processing; minimal delays for analytical reports and queries; high fault tolerance; and storage extensibility by simply adding nodes without database downtime. The use of an API significantly simplifies interaction: it ties together the capabilities of different services, forming interfaces available to different users.

After the concept and database development, the ESB was justified, and a data sheet for a SIEM in critical infrastructure was formed and proposed in this paper.

8. Acknowledgment

This work is carried out within the framework of research grant #АР06851243 "Methods, models and tools for security events and incidents management for detecting and preventing cyber-attacks on critical infrastructures of digital economics" (2020–2022), funded by the Ministry of Digital Development, Innovation and Aerospace Industry of the Republic of Kazakhstan.

9. References

[1] V. Grechaninov, et al., Decentralized Access Demarcation System Construction in Situational Center Network, in Cybersecurity Providing in Information and Telecommunication Systems II, vol. 3188, no. 2, 2022, pp. 197–206.
[2] V. Grechaninov, et al., Formation of Dependability and Cyber Protection Model in Information Systems of Situational Center, in Emerging Technology Trends on the Smart Industry and the Internet of Things, vol. 3149, 2022, pp. 107–117.
[3] V. Buriachok, V. Sokolov, P. Skladannyi, Security rating metrics for distributed wireless systems, in 8th International Conference on "Mathematics. Information Technologies. Education:" Modern Machine Learning Technologies and Data Science (MoMLeT and DS), vol. 2386, 2019, pp. 222–233.
[4] A. Skendžić, B. Kovačić, B. Balon, Management and Monitoring Security Events in a Business Organization—SIEM system, in 45th Jubilee International Convention on Information, Communication and Electronic Technology (MIPRO), 2022, pp. 1203–1208, doi: 10.23919/mipro55190.2022.9803428.
[5] S. Gnatyuk, et al., Modern SIEM Analysis and Critical Requirements Definition in the Context of Information Warfare, in CEUR Workshop Proceedings, vol. 3188, 2021, pp. 149–166.
[6] R. Berdibayev, et al., A Concept of the Architecture and Creation for SIEM System in Critical Infrastructure, Studies in Systems, Decision and Control, vol. 346, 2021, pp. 221–242.
[7] S. Gnatyuk, et al., Modern Types of Databases for SIEM System Development, CEUR Workshop Proceedings, vol. 3187, 2021, pp. 127–138.
[8] Z. Jin, H. Zhu, A Framework for Agent-Based Service-Oriented Modelling, in 2008 IEEE International Symposium on Service-Oriented System Engineering, 2008, pp. 160–165, doi: 10.1109/SOSE.2008.15.
[9] W. Li, Design and Implementation of Software Testing Platform for SOA-Based System, in IEEE 6th Int. Conf. on Comp. and Commun. Syst., 2021, pp. 1094–1098, doi: 10.1109/icccs52626.2021.9449221.
[10] ESB (Enterprise Service Bus), https://www.ibm.com/cloud/learn/esb.
[11] P. Dai, Design and implementation of ESB based on SOA in power system, in 4th International Conference on Electric Utility Deregulation and Restructuring and Power Technologies (DRPT), 2011, pp. 519–522, doi: 10.1109/drpt.2011.5993946.
[12] J. Sreemathy, et al., Data Integration in ETL Using TALEND, in 6th International Conference on Advanced Computing and Communication Systems, 2020, pp. 1444–1448, doi: 10.1109/ICACCS48705.2020.9074186.
[13] X. Mkhwanazi, H. Le, E. Blake, Clustering between Data Mules for Better Message Delivery, in 26th Int. Conf. on Advanced Information Networking and Applications Workshops, 2012, pp. 209–214.
[14] I. Kumara, C. Gamage, Towards Reusing ESB Services in Different ESB Architectures, in IEEE 34th Annual Computer Software and Applications Conference Workshops, 2010, pp. 25–30, doi: 10.1109/compsacw.2010.15.
[15] S. Gnatyuk, et al., Cloud-Based Cyber Incidents Response System and Software Tools, Communications in Computer and Information Science, vol. 1486, 2021, pp. 169–184.
[16] T. Laue, et al., A SIEM Architecture for Multidimensional Anomaly Detection, in 11th IEEE International Conference on Intelligent Data Acquisition and Advanced Computing Systems: Technology and Applications (IDAACS), 2021, pp. 136–142, doi: 10.1109/IDAACS53288.2021.9660903.
[17] P. Asef, et al., SIEMS: A Secure Intelligent Energy Management System for Industrial IoT applications, in IEEE Transactions on Industrial Informatics, doi: 10.1109/tii.2022.3165890.
[18] M. Orsós, et al., Log Collection and SIEM for 5G SOC, in IEEE 20th Jubilee World Symposium on Applied Machine Intelligence and Informatics (SAMI), 2022, pp. 147–152, doi: 10.1109/sami54271.2022.9780759.