MULTI-TIER SECURITY EVENT CORRELATION AND MITIGATION
Abstract
The present invention is directed to the use of a multi-tiered security architecture that includes vendor-operated global security services and policy servers able to exchange security events and mitigation measures.
Claims (20)
1. A method, comprising:
- receiving, at a policy server and from a protection component, at least one event description, the protection component and policy server being operated by an enterprise;
- correlating, by the policy server, the at least one event with a selected rule and/or policy;
- determining, as a result of correlating, that a global service is to be notified of the at least one event, the global service being involved in mitigating a type of attack and operated by a vendor different from the enterprise; and
- providing, by the policy server, the at least one event description to the global service for analysis.
(Dependent claims 2, 3, 4, 5, 6 and 7.)

8. A method, comprising:
- providing, by the enterprise, a plurality of policy servers, each policy server controlling, independent of other policy servers, a set of agents, each agent being located in a host protection component and each set of agents representing a different domain, a first policy server controlling a first domain, the first domain including at least a first protection component, and a second policy server controlling a second domain, the second domain including at least a second protection component;
- receiving, at the first policy server and from the first protection component, at least a first event description, the at least a first event description being associated with an attack;
- correlating, by the first policy server, the at least a first event description with a selected first rule and/or policy to produce a first rule and/or policy;
- determining, as a result of correlating and by the first policy server, that the first rule and/or policy is to be forwarded to the second policy server; and
- forwarding, by the first policy server, the suggested policy to the second policy server, the suggested policy not being mandatory on the second policy server.
(Dependent claims 9, 10, 11, 12, 13 and 14.)

15. An enterprise network, comprising:
- (a) a plurality of security agents in communication with a respective protection device, each protection device performing a security function and the plurality of security agents and respective protection device being arranged in a plurality of domains; and
- (b) a plurality of policy servers, each policy server controlling the security agents in a respective domain, wherein at least one of the following is true:
  - (B1) each policy server is operable to correlate a set of events against a policy and, when directed by the policy, provide a description of the set of events to a global service being involved in an attack type associated with the set of events, wherein the global service is operated by a vendor distinct from an enterprise operating the enterprise network; and
  - (B2) each policy server is operable to correlate a set of events against a policy and derive a rule and, when directed by the policy, provide the derived rule to a different policy server in a different domain, the rule being discretionary to the different policy server.
(Dependent claims 16, 17, 18, 19 and 20.)
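The flow that claims 1, 8 and 15 describe, shown as an added example that is not part of the patent and does not reproduce any implementation of it: a policy server correlates a batch of event descriptions against its local rules; a matching rule can direct it either to hand the descriptions to a vendor-operated global service selected by attack type (claim 1, B1) or to suggest a policy to peer policy servers in other domains, which adopt or decline it at their own discretion (claim 8, B2). The Event fields, rule names, the GLOBAL_SERVICES registry, the domain names and the sample events are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


# Hypothetical event description as reported by a protection component
# (a firewall or IDS agent). Field names are assumptions for this example.
@dataclass(frozen=True)
class Event:
    source: str   # reporting protection component
    kind: str     # e.g. "syn_flood", "port_scan"
    target: str   # host or service under attack
    count: int    # occurrences aggregated into this description


@dataclass
class Rule:
    """A correlation rule: a predicate over the event batch plus an action."""
    name: str
    match: Callable[[List[Event]], bool]
    action: str                        # "notify_global_service" | "suggest_policy"
    attack_type: Optional[str] = None  # selects the global service to notify
    policy: Optional[str] = None       # policy text suggested to peer domains


# Assumed registry: attack type -> vendor-operated global service (names made up).
GLOBAL_SERVICES: Dict[str, str] = {
    "ddos": "vendor-ddos-mitigation",
    "worm": "vendor-malware-intel",
}


class PolicyServer:
    def __init__(self, domain: str, rules: List[Rule],
                 accept_external: Callable[[str, Rule], bool] = lambda src, rule: False):
        self.domain = domain
        self.rules = list(rules)
        self.accept_external = accept_external          # local discretion over suggestions
        self.notified: List[Tuple[str, List[Event]]] = []  # (global service, events sent)
        self.adopted: List[Tuple[str, str]] = []           # (from_domain, adopted policy)
        self.declined: List[Tuple[str, str]] = []          # (from_domain, declined rule name)

    def correlate(self, events: List[Event], peers: List["PolicyServer"]) -> List[str]:
        """Correlate one batch of event descriptions against the local rules.

        Returns the names of the rules that fired, in rule order."""
        fired = []
        for rule in self.rules:
            if not rule.match(events):
                continue
            fired.append(rule.name)
            if rule.action == "notify_global_service":
                service = GLOBAL_SERVICES.get(rule.attack_type or "")
                if service is not None:
                    # Hand the event descriptions to the vendor service for analysis.
                    self.notified.append((service, list(events)))
            elif rule.action == "suggest_policy":
                # The suggestion is discretionary: each peer decides independently.
                for peer in peers:
                    peer.receive_suggestion(self.domain, rule)
        return fired

    def receive_suggestion(self, from_domain: str, rule: Rule) -> bool:
        """Adopt a peer's suggested policy only if the local acceptance policy allows it."""
        if rule.policy is not None and self.accept_external(from_domain, rule):
            self.adopted.append((from_domain, rule.policy))
            return True
        self.declined.append((from_domain, rule.name))
        return False


def syn_flood(events: List[Event]) -> bool:
    return sum(e.count for e in events if e.kind == "syn_flood") >= 1000


def scan_burst(events: List[Event]) -> bool:
    return any(e.kind == "port_scan" and e.count >= 50 for e in events)


def build_enterprise() -> Tuple[PolicyServer, PolicyServer, PolicyServer]:
    rules = [
        Rule("ddos-escalate", syn_flood, "notify_global_service", attack_type="ddos"),
        Rule("share-scan-block", scan_burst, "suggest_policy",
             policy="drop inbound from scanning source for 10 minutes"),
    ]
    dmz = PolicyServer("dmz", rules)
    # The corporate domain takes suggestions only from the DMZ policy server.
    corp = PolicyServer("corp", [], accept_external=lambda src, r: src == "dmz")
    lab = PolicyServer("lab", [])  # default acceptance policy: decline everything
    return dmz, corp, lab


def run_demo() -> dict:
    dmz, corp, lab = build_enterprise()
    events = [  # constructed sample batch from three protection components
        Event("fw-edge-1", "syn_flood", "web-1", 700),
        Event("fw-edge-2", "syn_flood", "web-1", 400),
        Event("ids-1", "port_scan", "db-1", 64),
    ]
    fired = dmz.correlate(events, peers=[corp, lab])
    return {
        "fired": fired,
        "global_services": [svc for svc, _ in dmz.notified],
        "corp_adopted": corp.adopted,
        "lab_declined": lab.declined,
    }


if __name__ == "__main__":
    print(run_demo())
```

The two outbound paths are deliberately asymmetric: the global-service hand-off is unconditional once the rule fires (the vendor is the analysis tier), while the policy suggestion is only ever an offer, so a peer domain's `accept_external` predicate is the single place where its independence from other policy servers is enforced.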
Specification