Data security incident correlation and dissemination system and method
Abstract
A data security incident correlation and dissemination system and method is disclosed. In an exemplary implementation of the system, a service provider of a managed security service receives incident information regarding data security incidents at different business organizations of the security service. One or more incident managers operated by different organizations send incident information, and a server system within the service provider's network creates aggregated data from the incident information received from the incident managers. The server system analyzes the aggregated data to create correlated incident records that include incident information from related data security incidents at the different organizations, and provides threat intelligence data based on the correlated incident records for the organizations. In embodiments, the server system can "push" threat intelligence data to the organizations, or the organizations can request the threat intelligence data from the server system.
20 Claims
1. A data security incident correlation and dissemination system, the system comprising:

a server system that creates aggregated data from incident information received from a set of incident managers at least two of which are operated by different organizations, the server system including an analysis engine that analyzes the aggregated data to create correlated incident records that include incident information from data security incidents at the different organizations that have been determined by the analysis engine to be related, at least one correlated incident record being uniquely associated with a correlation found by the analysis engine and including a nature and relative strength of the correlation, and that provides threat intelligence data to the organizations based on the correlated incident records; wherein upon detecting that a given number of correlations of a same type within the correlated incident records has occurred and relate to given incident information, the server system is further operative to notify the different organizations that have been affected by the given incident to facilitate a mitigation effort.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10

11. A data security dissemination method, the method comprising:

receiving incident information from a set of incident managers at least two of which are operated by different organizations; and creating aggregated data from the incident information received from the incident managers, analyzing the aggregated data using an analysis engine to create correlated incident records that include incident information from data security incidents at the different organizations that have been determined by the analysis engine to be related, at least one correlated incident record being uniquely associated with a correlation found by the analysis engine and including a nature and relative strength of the correlation, and providing threat intelligence data based on the correlated incident records to the organizations; and responsive to detecting that a given number of correlations of a same type within the correlated incident records has occurred and relate to given incident information, notifying the different organizations that have been affected by the given incident to facilitate a mitigation effort.

Dependent claims: 12, 13, 14, 15, 16, 17, 18, 19, 20
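The aggregation, cross-organization correlation and threshold-triggered notification recited in claims 1 and 11, as an added Python example that is not the patent's own implementation. The incident feed, the set of correlated attributes, their weights and the strength formula are assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample feed: reports from three organizations' incident managers.
# Values are placeholders (documentation-range IPs, made-up hashes).
INCIDENTS = [
    {"id": "A-1", "org": "acme",     "src_ip": "203.0.113.10", "file_hash": "deadbeef01", "service": "smtp"},
    {"id": "B-7", "org": "bigcorp",  "src_ip": "203.0.113.10", "file_hash": "cafef00d02", "service": "vpn"},
    {"id": "C-3", "org": "cityhosp", "src_ip": "203.0.113.10", "file_hash": "deadbeef01", "service": "vpn"},
    {"id": "A-2", "org": "acme",     "src_ip": "198.51.100.7", "file_hash": "0badf00d03", "service": "vpn"},
]

# Attributes the analysis engine correlates on, weighted by how specific a match is.
# Assumed weights: a shared file hash is stronger evidence of a related incident
# than a shared target service, which many unrelated incidents have in common.
CORRELATION_WEIGHTS = {"file_hash": 1.0, "src_ip": 0.8, "service": 0.3}

@dataclass
class CorrelatedIncident:
    nature: str          # which attribute matched; this is the "type" of the correlation
    value: str
    incident_ids: list   # incidents from the aggregated data that share the value
    orgs: set            # organizations affected by this correlation
    strength: float      # relative strength in [0, 1]

def correlate(incidents, weights=CORRELATION_WEIGHTS):
    """Aggregate incidents from all incident managers and return one correlated
    record per (attribute, value) pair seen at two or more distinct organizations."""
    buckets = defaultdict(list)
    for inc in incidents:
        for nature in weights:
            buckets[(nature, inc[nature])].append(inc)
    total_orgs = len({inc["org"] for inc in incidents})
    records = []
    for (nature, value), group in buckets.items():
        orgs = {inc["org"] for inc in group}
        if len(orgs) < 2:   # one organization alone is not a cross-organization correlation
            continue
        strength = round(weights[nature] * len(orgs) / total_orgs, 2)
        records.append(CorrelatedIncident(nature, value, [i["id"] for i in group], orgs, strength))
    return records

def notifications(records, threshold, min_strength=0.5):
    """Threat intelligence to push: for each correlation whose number of related
    incidents reaches the threshold (and whose strength is not trivial), the
    organizations that should be notified to begin mitigation."""
    out = {}
    for rec in records:
        if len(rec.incident_ids) >= threshold and rec.strength >= min_strength:
            out[(rec.nature, rec.value)] = sorted(rec.orgs)
    return out
```

With the sample feed, three incidents at three organizations share one source address, so at a threshold of three that correlation alone triggers a notification, while the weaker "same target service" correlation is suppressed by the strength gate.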