MULTI-TIER SECURITY EVENT CORRELATION AND MITIGATION

US 20090254970A1
Filed: 09/19/2008
Published: 10/08/2009
Est. Priority Date: 04/04/2008
Status: Abandoned Application

First Claim

Patent Images

1. A method, comprising:

receiving, at a policy server and from a protection component, at least one event description, the protection component and policy server being operated by an enterprise;

correlating, by the policy server, the at least one event with a selected rule and/or policy;

determining, as a result of correlating, that a global service is to be notified of the at least one event, the global service being involved in mitigating a type of attack and operated by a vendor different from the enterprise; and

providing, by the policy server, the at least one event description to the global service for analysis.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention is directed to the use of a multi-tiered security architecture that includes vendor-operated global security services and policy servers able to exchange security events and mitigation measures.

373 Citations

20 Claims

1. A method, comprising:
- receiving, at a policy server and from a protection component, at least one event description, the protection component and policy server being operated by an enterprise;
  
  correlating, by the policy server, the at least one event with a selected rule and/or policy;
  
  determining, as a result of correlating, that a global service is to be notified of the at least one event, the global service being involved in mitigating a type of attack and operated by a vendor different from the enterprise; and
  
  providing, by the policy server, the at least one event description to the global service for analysis.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising:
    - receiving, from the global service, a suggested policy to mitigate a type of attack associated with the at least one event; and
      
      determining, by the policy server, whether or not to implement the suggested policy.
  - 3. The method of claim 1, further comprising:
    - providing, by the enterprise, a plurality of policy servers, each policy server controlling, independent of other policy servers, a set of agents, each agent being located in a host protection component and each set of agents representing a different domain;
      
      when the policy server determines to implement the suggested policy, forwarding, by the policy server, the suggested policy to a respective set of agents, each member of the set of agents being required to apply the suggested policy.
  - 4. The method of claim 1, wherein the at least one event is associated with an attack and further comprising:
    - providing, by the enterprise, a plurality of policy servers, each policy server controlling, independent of other policy servers, a set of agents, each agent being located in a host protection component and each set of agents representing a different domain, the policy server receiving the at least one event description corresponding to a first domain, the first domain including the protection component forwarding the at least one event description;
      
      receiving, at a second policy server and from a second protection component in a second domain corresponding to the second policy server, at least a second event description, the at least a second event description being associated with the attack;
      
      correlating, by the second policy server, the at least one event with a selected second rule and/or policy;
      
      determining, as a result of correlating and by the second policy server, that the global service is to be notified of the at least a second event, the global service being involved in mitigating a type of attack and operated by a vendor different from the enterprise; and
      
      providing, by the policy server, the at least a second event description to the global service for analysis.
  - 5. The method of claim 1, wherein the policy server receiving the at least one event description is in a first domain and further comprising:
    - providing, by the enterprise, a plurality of policy servers, each policy server controlling, independent of other policy servers, a set of agents, each agent being located in a host protection component and each set of agents representing a different domain; and
      
      forwarding, by the policy server, the suggested policy to second policy server in a second domain, the suggested policy not being mandatory to second policy server.
  - 6. The method of claim 1, wherein the selected rule and/or policy comprises at least one scoping tag, the scoping tag describing an object to which the selected rule and/or policy applies, the object comprising one or more of:
    - an identified administrator, an identified global service, an identified policy server, an identified agent in a protection component, and an identified class of agents in multiple protection components.
  - 7. A computer readable medium comprising instructions that, when executed by a processor, perform the steps of claim 1.

8. A method, comprising:
- providing, by the enterprise, a plurality of policy servers, each policy server controlling, independent of other policy servers, a set of agents, each agent being located in a host protection component and each set of agents representing a different domain, a first policy server controlling a first domain, the first domain including at least a first protection component, and a second policy server controlling a second domain, the second domain including at least a second protection component;
  
  receiving, at the first policy server and from the first protection component, at least a first event description, the at least a first event description being associated with an attack;
  
  correlating, by the first policy server, the at least a first event description with a selected first rule and/or policy to produce a first rule and/or policy;
  
  determining, as a result of correlating and by the first policy server, that the first rule and/or policy is to be forwarded to the second policy server; and
  
  forwarding, by the first policy server, the suggested policy to the second policy server, the suggested policy not being mandatory on second policy server.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The method of claim 8, further comprising:
    - determining, by the first policy server as a result of correlating, that a global service is to be notified of the at least a first event, the global service being involved in mitigating a type of the attack and operated by a vendor different from the enterprise; and
      
      providing, by the first policy server, the at least one event description to the global service for analysis.
  - 10. The method of claim 9, further comprising:
    - receiving, from the global service, a suggested policy to mitigate the type of attack; and
      
      determining, by the first policy server, whether or not to implement the suggested policy.
  - 11. The method of claim 8, wherein each protection component comprises an agent and wherein, when the first policy server determines to implement the suggested policy, forwarding, by the first policy server, the suggested policy to a respective set of agents in the first domain, each member of the set of agents being required to apply the suggested policy.
  - 12. The method of claim 9, further comprising:
    - receiving, at the second policy server and from a second protection component in the second domain, at least a second event description, the at least a second event description being associated with the attack;
      
      correlating, by the second policy server, the at least one event with a selected second rule and/or policy;
      
      determining, as a result of correlating and by the second policy server, that the global service is to be notified of the at least a second event, the global service being involved in mitigating a type of attack and operated by a vendor different from the enterprise; and
      
      providing, by the second policy server, the at least a second event description to the global service for analysis.
  - 13. The method of claim 8, wherein the first rule and/or policy comprises at least one scoping tag, the scoping tag describing an object to which the first rule and/or policy applies, the object comprising one or more of:
    - an identified administrator, an identified global service, an identified policy server, an identified agent in a protection component, and an identified class of agents in multiple protection components.
  - 14. A computer readable medium comprising instructions that, when executed by a processor, perform the steps of claim 8.

15. An enterprise network, comprising:
- (a) a plurality of security agents in communication with a respective protection device, each protection device performing a security function and the plurality of security agents and respective protection device being arranged in a plurality of domains; and
  
  (b) a plurality of policy servers, each policy server controlling the security agents in a respective domain, wherein at least one of the following is true;
  
  (B1) each policy server is operable to correlate a set of events against a policy and, when directed by the policy, provide a description of the set of events to a global service being involved in an attack type associated with the set of events, wherein the global service is operated by a vendor distinct from an enterprise operating the enterprise network; and
  
  (B2) each policy server is operable to correlate a set of events against a policy and derive a rule and, when directed by the policy, provide the derived rule to a different policy server in a different domain, the rule being discretionary to the different policy server.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The network of claim 15, wherein (B1) is true.
  - 17. The network of claim 16, wherein the global service is operable to provide a suggested mitigation measure in response to a common attack to multiple policy servers.
  - 18. The network of claim 15, wherein (B2) is true.
  - 19. The network of claim 18, wherein each policy server is operable to provide the derived rule to a respective set of agents in a respective domain, the derived rule being mandatory to the members of the respective set of agents.
  - 20. The network of claim 15, wherein the policy comprises at least one scoping tag, the at least one scoping tag indicating an object to which the policy applies, the object being at least one of:
    - an identified global service, an identified policy server, an identified agent, and an identified class of agents in multiple protection components.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Avaya Incorporated
Original Assignee
Avaya Incorporated
Inventors
Zmolek, Andrew, Livingood, Rod, Singh, Navjot, Mani, Mahalingam, Agarwal, Amit, Ahrens, David

Application Number

US12/234,248
Publication Number

US 20090254970A1
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

G06F 21/554 involving event detection a...

H04L 63/1425 Traffic logging, e.g. anoma...

MULTI-TIER SECURITY EVENT CORRELATION AND MITIGATION

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

373 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

MULTI-TIER SECURITY EVENT CORRELATION AND MITIGATION

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

373 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links