Second GLACIER project meeting took place in July at the University of Applied Sciences in Hannover
The still quite young BMBF project GLACIER met on 30th July at the research partner University of Applied Sciences in Hannover to discuss the results achieved in the first work packages. DECOIT® GmbH, which is leading this project as consortium leader and development partner, was able to give a positive summary of the first months. In the meantime, the project website (www.glacier-project.de) has been relaunched, the requirements for a SIEM system have been requested from the associated partners and the selection of software components has begun. The project has therefore started its work at full speed despite the summer holidays.
The agenda of the first work package included the collection of requirements from the associated partners. For this purpose, the Seehausen site of hanseWasser GmbH (www.hansewasser.de) was visited and the first system logs were provided. The requirements were collected, discussed and summarised. A similar procedure was followed with the second associated partner, Plate Büromaterial Vertriebs GmbH. The next step will be to prioritize the list of requirements, as not all of the desired functions can be implemented within the limits of the project.
Furthermore, work has already begun on the components that the future architecture of GLACIER will feature. Current open source projects that could be considered for the architecture are being examined. The most important criterion here is that the architecture must facilitate the normalization of SIEM data in order to implement a uniform evaluation and assignment of events. In addition, an automated installation routine should be included so that the prototype can be set up easily and quickly. Previously completed projects have provided the individual partners with a wealth of experience which serves as a basis.
GLACIER aims to improve anomaly detection in security-relevant network data streams. For this purpose, test data containing anomaly data is required. In order to provide this data, a laboratory environment is currently being set up at the partner rt-solutions GmbH, which, among other components, features so-called honeypots. These collect interesting data about any attacks run against them and make it available for evaluation purposes. In order to ensure compliance with data protection regulations during data collection, a data protection concept is being developed.
Security event data analysis has to be very fast, which we hope to achieve by incorporating dimensional hierarchies into the data. This means that appropriate meta information (e.g. IP address, geolocation) must be stored for each event. It must also be taken into account that not every anomaly also poses a threat.
In the next step, the formulation of a high-level architecture containing various services, functions and databases will be addressed. In addition to the interaction of planned components, normalization and enrichment of events need to be taken into account. The next consortium meeting is planned for the beginning of November in Cologne at rt-solutions GmbH.