METHODS AND SYSTEMS FOR ANALYZING SECURITY EVENTS

US 20090126014A1
Filed: 12/12/2008
Published: 05/14/2009
Est. Priority Date: 10/21/2002
Status: Abandoned Application

First Claim

Patent Images

1-15. -15. (canceled)

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one aspect, the technology relates to a method for analyzing a security event in a distributed fashion. The method includes the steps of detecting an occurrence of a security event within a customer network and querying a first component of the customer network for data in response to the detected occurrence of the security event. The method also includes the steps of receiving, by a data monitor located within the customer network, first data from the component in response to the query and determining, based on the received first data, whether to query for additional data. The method additionally includes querying at least one of the first component and another component of the customer network to obtain the additional data in response to the determining step, and analyzing the security event using at least one of the first data and the additional data.

35 Citations

View as Search Results

34 Claims

1-15. -15. (canceled)

16. An apparatus for analyzing a security event within a customer network comprising:
- (a) a data monitor, positioned within the customer network, to collect data from at least one component of the customer network in response to a query; and
  
  (b) a security analysis module, in communication with the data monitor, to detect an occurrence of the security event, wherein the security analysis module comprises;
  
  (b-a) a receiver for receiving data from the data monitor,(b-b) an analyzer, in communication with the receiver, for analyzing the security event, and(b-c) a querying module, in communication with the analyzer, for querying the data monitor for data repeatedly until the analyzer can analyze the security event using the data.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29)
- - 17. The apparatus of claim 16 wherein the querying module further comprises at least one of a query processor, an analyst, a message router, and a resolver.
  - 18. The apparatus of claim 16 wherein the component further comprises a client located within the customer network.
  - 19. The apparatus of claim 16 further comprising an analyst to at least one of(i) modify settings of the data monitor in response to at least one of the security event, a query, and the data,(ii) monitor communications between the data monitor and the security analysis module,(iii) initiate the query of the data monitor, and(iv) modify the query of the querying module.
  - 20. The apparatus of claim 16 wherein the security analysis module further comprises at least one of(b-d) an event repository to store information about the security event,(b-e) a message router, in communication with the querying module, to direct and receive at least one of queries and the data, and(b-f) a resolver, in communication with the querying module, to provide a location of at least one of the data monitor and the component to the querying module.
  - 21. The apparatus of claim 20 wherein the resolver further comprises a characteristic table having an attribute of a component in the customer network.
  - 22. The apparatus of claim 21 wherein the attribute of the component further comprises at least one of type of service provided to the component, company that the component resides in, network address of the component, geographic data of the component, security domain of the component, and information of a service level agreement associated with the component.
  - 23. The apparatus of claim 16 further comprising an arbitrator that prioritizes at least one of the security event in a plurality of security events and the data received from the data monitor.
  - 24. The apparatus of claim 23 wherein the arbitrator further comprises at least one of(i) a threat analysis engine analyzing the security event based on a parameter of the security event to determine importance of the security event;
    - (ii) a business asset analysis engine determining an impact of the security event if left unresolved; and
      
      (iii) a service level management engine determining steps needed to resolve the security event.
  - 25. The apparatus of claim 24 wherein the parameter of the security event further comprises at least one of amount of time elapsed since the occurrence of the security event, duration of time of the security event, number of previous occurrences of the security event, communication protocol, and type of security event.
  - 26. The apparatus of claim 24 wherein the impact determined by the business asset analysis engine further comprises at least one of a down time that a component of the customer network may experience in response to the security event, costs associated with the down time, and estimated man-hours to resolve the security event.
  - 27. The apparatus of claim 24 wherein the steps needed to resolve the security event further comprise determining a resolution time for the security event.
  - 28. the apparatus of claim 16 wherein at least one of the security analysis module, the receiver, the analyzer, and the querying module are located on the customer network.
  - 29. The apparatus of claim 16 wherein the data monitor further comprises at least one of(i) a security defense appliance monitoring the customer network,(ii) a security management appliance, in communication with the security defense appliance, receiving a query from the querying module and directing the query to the security defense appliance, and(iii) a security analysis appliance analyzing the data.

30. An apparatus for analyzing a security event within a customer network comprising:
- (a) a data monitor, positioned within the customer network, to collect data from the customer network; and
  
  (b) a security analysis module, in communication with the data monitor, to determine an occurrence of the security event;
  
  (c) a receiver for receiving data from the data monitor,(d) an analyzer, positioned within the customer network, for analyzing the security event, and(e) a querying module, in communication with the analyzer, for querying the data monitor for data repeatedly until the analyzer can analyze the security event using the data.
- View Dependent Claims (31, 32, 33)
- - 31. The apparatus of claim 30 wherein the data monitor further comprises at least one of(i) a security defense appliance monitoring the customer network,(ii) a security management appliance, in communication with the security defense appliance, receiving a query from the querying module and directing the query to the security defense appliance, and(iii) a security analysis appliance analyzing the data.
  - 32. The apparatus of claim 31 wherein the analyzer further comprises the security analysis appliance.
  - 33. The apparatus of claim 31 wherein at least one of the security analysis module, receiver, and querying module are located within the customer network.

34-51. -51. (canceled)

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Secureworks Incorporated (Dell Technologies Inc.)
Original Assignee
Versign, Inc.
Inventors
Brady, Gerard Anthony, Sears, Richard Michael

Application Number

US12/334,390
Publication Number

US 20090126014A1
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

H04L 63/1425 Traffic logging, e.g. anoma...

METHODS AND SYSTEMS FOR ANALYZING SECURITY EVENTS

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

35 Citations

34 Claims

Specification

Solutions

Use Cases

Quick Links

METHODS AND SYSTEMS FOR ANALYZING SECURITY EVENTS

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

35 Citations

34 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links