System and method for auditing governance, risk, and compliance using a pluggable correlation architecture

  • US 10,057,285 B2
  • Filed: 04/15/2009
  • Issued: 08/21/2018
  • Est. Priority Date: 01/30/2009
  • Status: Active Grant
First Claim

1. A method for auditing computer network security risk using an event correlation architecture, comprising:

  • executing, by a computer system, a correlation runtime environment having an extensible service-oriented architecture and comprising a collection manager configured to enforce intrusion detection, data integrity, and network security controls;

  • deploying a set of two or more correlation engines into the correlation runtime environment, the set of two or more correlation engines comprising:

      an intrusion detection correlation engine configured to evaluate an event stream in a first format according to first semantics and in view of predefined network security rules; and

      a compliance correlation engine configured to evaluate the event stream in a second format according to second semantics and in view of predefined regulatory rules;

  • collecting, by the computer system through the collection manager, information from each of a plurality of disparate sources;

  • adding, by the computer system through the collection manager, metadata to the collected information, the metadata defining the respective business relevance for each event of a plurality of events corresponding to the collected information, and normalizing the collected information across the plurality of disparate sources into event information based at least partially on a policy-based taxonomy categorizing the collected information as corresponding to one or more events of the plurality of events, wherein the respective business relevance is based at least partially on one or more metadata tags identifying an asset value for the respective event of the plurality of events;

  • exposing an application program interface by execution of a configuration module to facilitate pluggable event correlation at least partially by user-customization of the correlation runtime environment via execution of:

      a rule builder receiving rule definitions via the exposed application program interface to define expressions associated with a plurality of rules;

      an action builder receiving action definitions to define actions associated with correlated events;

      the rule builder and the action builder defining rules, expressions, and associated actions based at least partially on the rule definitions and the actions associated with the correlated events via the exposed application program interface, the defined rules and the defined expressions representing patterns of events relating to relationships among events and comprising:

          a first subrule that includes a first filtering expression defined to trigger when a first event of the plurality of events occurs, wherein the first filtering expression comprises determining whether the event information indicates that a severity threshold or a criticality requirement is satisfied for the first event of the plurality of events;

          a second subrule that includes a second filtering expression defined to trigger when a second event occurs, wherein the second filtering expression is different from the first filtering expression;

          a rule contingent on the first subrule and the second subrule, the rule builder facilitating definition of an aggregate rule to trigger upon repeat subrule triggers a specified number of times in a specified time period, a composite rule to trigger upon different subrule triggers within the specified time period, and a sequence rule to trigger upon subrule triggering in a specified sequence;

  • deploying the defined rules, the defined expressions, and the defined associated actions into the correlation runtime environment so that the set of two or more correlation engines are further configured to evaluate the defined expressions associated with the plurality of rules to determine whether the event stream includes one or more events occurring in a predetermined pattern;

  • converting, by the computer system through the collection manager using one or more input adapters, the event information corresponding to the plurality of events into different formats, each having different semantics, used by the set of two or more correlation engines, the different formats comprising the first format according to first semantics and the second format according to second semantics;

  • correlating, by the computer system through the set of two or more correlation engines, two or more events of the plurality of events based at least partially on the predefined network security rules, the predefined regulatory rules, the defined expressions associated with the plurality of rules, the event information in the different semantic formats, and the metadata added to each event, and determining that the rule contingent on the first subrule and the second subrule has been triggered;

  • converting, by the computer system through the collection manager using one or more output adapters, an output, corresponding to the correlated two or more events and the actions defined with the action builder, from one or more of the different formats having the different semantics into another distinct format used by a set of one or more workflow engines;

  • generating, by the computer system through the set of one or more workflow engines, a remediation workflow responsive to the output, the remediation workflow coordinating processes for threat remediation and specifying the actions defined with the action builder; and

  • executing, by the computer system, the actions specified by the remediation workflow to enforce the network security controls, the one or more actions corresponding to denying access to a node or disabling a user account.
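The subrule, aggregate, composite and sequence rule types of the claim, worked through in a small sliding-window correlator. This is an added Python example, not code from the patent or its assignee; the event stream, the asset-value tags, the 30-second window and the rule and action names are all constructed for illustration.

```python
from collections import deque

# Constructed, already-normalized event stream (timestamps in seconds).
EVENTS = [
    {"t": 0,  "type": "auth_fail",     "user": "alice", "host": "db01",  "severity": 3},
    {"t": 3,  "type": "auth_fail",     "user": "bob",   "host": "web01", "severity": 2},
    {"t": 5,  "type": "auth_fail",     "user": "alice", "host": "db01",  "severity": 3},
    {"t": 9,  "type": "auth_fail",     "user": "alice", "host": "db01",  "severity": 3},
    {"t": 12, "type": "auth_ok",       "user": "alice", "host": "db01",  "severity": 1},
    {"t": 20, "type": "config_change", "user": "alice", "host": "db01",  "severity": 4},
    {"t": 50, "type": "auth_fail",     "user": "alice", "host": "db01",  "severity": 3},
]
ASSET_VALUE = {"db01": 9, "web01": 3}   # constructed metadata tags (business relevance)

def add_metadata(ev):
    """Collection-manager step: tag the event with asset value and a criticality flag."""
    out = dict(ev)
    out["asset_value"] = ASSET_VALUE.get(ev["host"], 1)
    out["critical"] = out["asset_value"] >= 8
    return out

# Filtering expressions (subrules). "fail" checks a severity threshold OR a criticality
# requirement, as the claim's first subrule does; the others are distinct expressions.
SUBRULES = {
    "fail":   lambda e: e["type"] == "auth_fail" and (e["severity"] >= 3 or e["critical"]),
    "ok":     lambda e: e["type"] == "auth_ok",
    "change": lambda e: e["type"] == "config_change",
}

def is_subsequence(pattern, names):
    """True when the subrule names occur in the order given by pattern (gaps allowed)."""
    it = iter(names)
    return all(any(n == p for n in it) for p in pattern)

class Correlator:
    """Evaluates aggregate, composite and sequence rules over subrule hits in a time window."""
    def __init__(self, window):
        self.window, self.hist = window, deque()   # hist holds (timestamp, subrule name)

    def feed(self, ev):
        """Record subrule hits for ev, expire old hits, and return the rules now satisfied."""
        self.hist.extend((ev["t"], n) for n, expr in SUBRULES.items() if expr(ev))
        while self.hist and ev["t"] - self.hist[0][0] > self.window:
            self.hist.popleft()
        names = [n for _, n in self.hist]
        fired = []
        if names.count("fail") >= 3:                         # aggregate: same subrule N times
            fired.append("aggregate_bruteforce")
        if {"fail", "ok"} <= set(names):                     # composite: different subrules, any order
            fired.append("composite_fail_then_ok")
        if is_subsequence(["fail", "ok", "change"], names):  # sequence: subrules in a fixed order
            fired.append("sequence_takeover")
        return fired

def run(events, window=30):
    """Tag and feed each event; return {timestamp: [rules fired at that event]}."""
    c = Correlator(window)
    return {ev["t"]: c.feed(add_metadata(ev)) for ev in events}

def remediation(fired):
    """Action-builder mapping from triggered rules to the enforcement actions the claim names."""
    actions = []
    if "aggregate_bruteforce" in fired:
        actions.append("deny_access_to_node")
    if "sequence_takeover" in fired:
        actions.append("disable_user_account")
    return actions
```

The event at t=3 is dropped by the first subrule (severity below threshold on a non-critical asset), and the t=50 event fires nothing because the earlier hits have aged out of the window.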

  • 5 Assignments