Adaptive data collection for root-cause analysis and intrusion detection
First Claim
1. A method for performing adaptive data collection in an endpoint of an enterprise security environment, the method comprising the steps of:
receiving a security assessment that describes an object in the environment, the security assessment being arranged to provide contextual meaning to the object and being defined with a time interval over which the security assessment is valid; and
switching from a first data collection mode to a second data collection mode responsively to the received security assessment, the second data collection mode invoking a method for collecting a larger subset of available data in the environment than is collected while in the first data collection mode.
Abstract
Endpoints in an enterprise security environment are configured to adaptively switch from their normal data collection mode to a long-term, detailed data collection mode where advanced analyses are applied to the collected detailed data. Such adaptive data collection and analysis is triggered upon the receipt of a security assessment of a particular type, where a security assessment is defined as a tentative assignment by an endpoint of broader contextual meaning to information (i.e., data in some context) that is collected about an object of interest. A specialized endpoint is coupled to the security assessment channel and performs as a centralized audit point by subscribing to all security assessments, logging the security assessments, and also logging the local actions taken by endpoints in response to detected security incidents in the environment. The specialized endpoint is arranged to perform various analyses and processes on historical security assessments.
20 Claims
1. A method for performing adaptive data collection in an endpoint of an enterprise security environment, the method comprising the steps of:

receiving a security assessment that describes an object in the environment, the security assessment being arranged to provide contextual meaning to the object and being defined with a time interval over which the security assessment is valid; and

switching from a first data collection mode to a second data collection mode responsively to the received security assessment, the second data collection mode invoking a method for collecting a larger subset of available data in the environment than is collected while in the first data collection mode.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9.

10. A method used by an endpoint for performing analysis of historical data associated with an object in an enterprise security environment, the method comprising the steps of:

receiving a security assessment that describes the object, the security assessment being arranged to provide contextual meaning to the object and being defined with a time interval over which the security assessment is valid;

storing the received security assessment in a persistent log; and

analyzing security assessments in the persistent log, the analyzing including application of a security event-detecting process.

Dependent claims: 11, 12, 13.

14. An enterprise security management product, arranged for use with one or more endpoints in an enterprise security environment, and performing a method comprising the steps of:

subscribing to security assessments published by the endpoints, the security assessments each comprising a semantic abstraction that describes an object in the environment, the semantic abstraction being categorized by type and being interpreted among the endpoints and the management platform using a commonly-utilized taxonomy;

receiving security assessments over a communication layer operating in the environment in accordance with the subscription; and

logging the received security assessments to create a security assessment history.

Dependent claims: 15, 16, 17, 18, 19, 20.
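The following is an added Python model of the scheme in the abstract and in claims 1 and 10; it is not the patent's own code. The assessment type names, the field sets for the two collection modes, and the repeated-assessment check used as the event-detecting process are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed field sets: the "normal" mode collects a small subset of the
# available data, the "detailed" mode a larger one (claim 1).
NORMAL_FIELDS = ("process", "user")
DETAILED_FIELDS = NORMAL_FIELDS + ("cmdline", "parent", "network", "file_io")

@dataclass(frozen=True)
class SecurityAssessment:
    """Tentative contextual meaning assigned to an object, valid for a time window."""
    obj: str          # object the assessment describes, e.g. a host or process
    kind: str         # assessment type, interpreted via a shared taxonomy
    issued_at: float  # epoch seconds
    ttl: float        # validity interval in seconds

    def valid_at(self, now: float) -> bool:
        return self.issued_at <= now < self.issued_at + self.ttl

class Endpoint:
    """Switches to detailed collection while a triggering assessment is valid,
    then reverts to normal collection once it expires."""
    def __init__(self, trigger_types: set[str]):
        self.trigger_types = trigger_types
        self.active: list[SecurityAssessment] = []

    def receive(self, sa: SecurityAssessment) -> None:
        if sa.kind in self.trigger_types:   # only certain types trigger the switch
            self.active.append(sa)

    def mode(self, now: float) -> str:
        self.active = [sa for sa in self.active if sa.valid_at(now)]
        return "detailed" if self.active else "normal"

    def collect(self, event: dict, now: float) -> dict:
        fields = DETAILED_FIELDS if self.mode(now) == "detailed" else NORMAL_FIELDS
        return {k: event[k] for k in fields if k in event}

class AuditPoint:
    """Specialized endpoint: subscribes to every assessment and keeps a persistent log."""
    def __init__(self):
        self.log: list[SecurityAssessment] = []

    def receive(self, sa: SecurityAssessment) -> None:
        self.log.append(sa)

    def repeated_assessments(self, obj: str, window: float, threshold: int) -> bool:
        """Constructed event-detecting process over the history: did `obj`
        attract at least `threshold` assessments within any `window` seconds?"""
        times = sorted(sa.issued_at for sa in self.log if sa.obj == obj)
        return any(sum(1 for u in times[i:] if u - t <= window) >= threshold
                   for i, t in enumerate(times))
```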