SYSTEM AND METHOD FOR DETECTING REAL-TIME SECURITY THREATS IN A NETWORK DATACENTER
First Claim
1. A system for detecting real-time security threats in a network datacenter, comprising:
a configuration management database containing information describing every known service endpoint in an information technology datacenter, wherein the information in the configuration management database describing every known service endpoint represents a steady state for the information technology datacenter;
one or more listeners configured to observe traffic in the information technology datacenter in real-time, wherein the one or more listeners detect a network conversation initiating new activity in the information technology datacenter in real-time from the real-time traffic observed in the information technology datacenter; and
a correlation engine that analyzes the network conversation detected with the one or more listeners in real-time, wherein one or more processors cause the correlation engine to:
correlate the new activity initiated in the information technology datacenter with the information in the configuration management database representing the steady state for the information technology datacenter, wherein the correlation engine correlates the new activity with the information in the configuration management database in real-time; and
generate a real-time security alert in response to determining that the new activity initiated in the information technology datacenter fails to correlate with any of the known service endpoints described in the configuration management database, wherein the real-time security alert indicates that the detected network conversation initiating the new activity falls out-of-scope from the steady state for the information technology datacenter.
Abstract
The system and method described herein may include a configuration management database that describes every known service endpoint in a network datacenter to represent a steady state for the datacenter. One or more listeners may then observe traffic in the datacenter in real-time to detect network conversations initiating new activity in the datacenter, which may be correlated, in real-time, with the information in the configuration management database representing the steady state for the datacenter. Thus, in response to the new activity failing to correlate with the known service endpoints, a real-time security alert may be generated to indicate that any network conversations initiating such activity fall out-of-scope from the steady state for the information technology datacenter.
Claims (20 claims; 122 citations)
1. A system for detecting real-time security threats in a network datacenter (independent claim; its text is given in full under First Claim above). Dependent claims 2 to 10 are not reproduced on this page.
11. A method for detecting real-time security threats in a network datacenter, comprising:
populating a configuration management database with information describing every known service endpoint in an information technology datacenter, wherein the information in the configuration management database describing every known service endpoint represents a steady state for the information technology datacenter;
observing traffic in the information technology datacenter in real-time with one or more listeners, wherein the one or more listeners detect a network conversation initiating new activity in the information technology datacenter in real-time from the real-time traffic observed in the information technology datacenter;
correlating the new activity initiated in the information technology datacenter with the information in the configuration management database representing the steady state for the information technology datacenter, wherein a correlation engine correlates the new activity with the information in the configuration management database in real-time; and
generating a real-time security alert in response to the correlation engine determining that the new activity initiated in the information technology datacenter fails to correlate with any of the known service endpoints described in the configuration management database, wherein the real-time security alert indicates that the detected network conversation initiating the new activity falls out-of-scope from the steady state for the information technology datacenter.
Dependent claims 12 to 20 are not reproduced on this page.
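The abstract and claims 1 and 11 describe the same three-part pipeline: a CMDB of known service endpoints as the steady state, listeners that turn observed traffic into conversation records, and a correlation engine that alerts on any conversation initiating new activity that matches no known endpoint. The following is an added example of that pipeline written for this page; it is not code from the patent or its assignee. The CMDB shape (host or CIDR, protocol, port), the flow-record format the listener parses, and all sample data are constructed assumptions.

```python
"""Added example (not the patent's own code): a minimal steady-state
correlation engine. A CMDB of known service endpoints is the steady state,
a listener turns observed traffic into conversation records, and any
conversation that initiates new activity but matches no known endpoint
raises an out-of-scope alert. Record format, CMDB shape and sample data
are assumptions made for this example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class ServiceEndpoint:
    """One CMDB entry: a host or CIDR that legitimately serves proto/port."""
    network: str
    proto: str
    port: int


@dataclass(frozen=True)
class Conversation:
    """One observed conversation as reported by a listener."""
    src: str
    dst: str
    proto: str
    dst_port: int
    initiates: bool  # True only for the packet that starts the conversation


# Constructed steady state: what the CMDB says should be serving in this datacenter.
CMDB = [
    ServiceEndpoint("10.0.1.0/24", "tcp", 443),   # web tier
    ServiceEndpoint("10.0.2.10", "tcp", 5432),    # database
    ServiceEndpoint("10.0.0.53", "udp", 53),      # resolver
]

# Constructed listener input: "timestamp src dst proto dst_port flags".
# Flag "S" marks a TCP SYN (new activity); UDP is treated as new on first sight.
OBSERVED = """\
2024-05-01T10:00:00Z 10.0.1.5 10.0.2.10 tcp 5432 S
2024-05-01T10:00:00Z 10.0.2.10 10.0.1.5 tcp 51822 SA
2024-05-01T10:00:01Z 10.0.1.5 10.0.2.10 tcp 22 S
2024-05-01T10:00:02Z 10.0.3.7 10.0.0.53 udp 53 -
2024-05-01T10:00:03Z 10.0.1.9 198.51.100.4 tcp 4444 S
2024-05-01T10:00:04Z 10.0.1.9 10.0.1.20 tcp 443 S
"""


def listen(records: str):
    """Listener: parse flow records and flag those initiating new activity.
    Only the SYN of a TCP handshake counts; the SYN/ACK reply from the server
    must not, or the client's ephemeral port would be correlated and false-alert."""
    convs = []
    for line in records.splitlines():
        _ts, src, dst, proto, dport, flags = line.split()
        if proto == "tcp":
            initiates = flags == "S"
        else:
            initiates = True  # assumption: connectionless traffic is new on first sight
        convs.append(Conversation(src, dst, proto, int(dport), initiates))
    return convs


class CorrelationEngine:
    """Correlates new activity against the CMDB steady state."""

    def __init__(self, cmdb):
        # Index (proto, port) -> networks so each lookup scans only the candidates.
        self._index = {}
        for ep in cmdb:
            self._index.setdefault((ep.proto, ep.port), []).append(
                ip_network(ep.network, strict=False))

    def correlates(self, conv):
        """True if the destination of the conversation is a known service endpoint."""
        dst = ip_address(conv.dst)
        return any(dst in net for net in self._index.get((conv.proto, conv.dst_port), []))

    def alerts(self, convs):
        """One alert for every conversation that initiates new activity and is out of scope."""
        return [
            f"OUT_OF_SCOPE {c.proto} {c.src} -> {c.dst}:{c.dst_port}"
            for c in convs if c.initiates and not self.correlates(c)
        ]


def run_example():
    return CorrelationEngine(CMDB).alerts(listen(OBSERVED))


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

Two practitioner caveats follow directly from the design. First, the listener must decide which side initiated the conversation (here, by looking for a bare SYN): if the server's SYN/ACK were treated as new activity, its destination would be the client's ephemeral port, which no CMDB lists, and every legitimate session would alert. Second, the CMDB is the only ground truth, so a stale or incomplete inventory produces false alerts for legitimate new services, and an attacker who reaches a registered endpoint on its registered port (for example, credential abuse against the database on 5432) is never out of scope; this detection covers unexpected endpoints, not misuse of expected ones.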
Specification