EVENT INTEGRATION FRAMEWORKS

US 20140096181A1
Filed: 09/28/2012
Published: 04/03/2014
Est. Priority Date: 09/28/2012
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

by computing hardware;

inputting compliance data indicating a compliance status of one or more nodes in an information technology (“

IT”

) network relative to one or more compliance policies;

inputting historical compliance data, the historical compliance data indicating the compliance status of the one or more nodes in the IT network at an earlier time;

computing compliance change data from the compliance data and the historical compliance data, the compliance change data comprising data indicative of the degree of compliance changes between the compliance data and the historical compliance data; and

generating an output message in a message format adapted for use with a security information and event management (“

SIEM”

) tool or logging tool, the output message including the compliance change data.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed herein are representative embodiments of methods, apparatus, and systems for processing and managing information from a compliance and configuration control (“CCC”) tool and generating information for a security information and event management (“SIEM”) tool based on the information from the CCC tool. For example, in one exemplary embodiment, information from a CCC tool is transferred to a SIEM tool or logging tool by receiving the information from the CCC tool in a format that is not recognized by the SIEM tool or logging tool, and generating an output message in a message format that is recognized by the SIEM tool or logging tool. In particular embodiments, the message format is a customizable message format that is adaptable to multiple different SIEM tools or logging tools. In further embodiments, the data transferred to the SIEM tool comprises data indicative of compliance policy changes.

66 Citations

View as Search Results

22 Claims

1. A computer-implemented method, comprising:
- by computing hardware;
  
  inputting compliance data indicating a compliance status of one or more nodes in an information technology (“
  
  IT”
  
  ) network relative to one or more compliance policies;
  
  inputting historical compliance data, the historical compliance data indicating the compliance status of the one or more nodes in the IT network at an earlier time;
  
  computing compliance change data from the compliance data and the historical compliance data, the compliance change data comprising data indicative of the degree of compliance changes between the compliance data and the historical compliance data; and
  
  generating an output message in a message format adapted for use with a security information and event management (“
  
  SIEM”
  
  ) tool or logging tool, the output message including the compliance change data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the message format comprises a single line event.
  - 3. The method of claim 1, wherein the generating the output message comprises loading customizable message format data from a configuration file, the customizable message format data defining the message format.
  - 4. The method of claim 1, wherein the compliance change data comprises data identifying a name of a node that has changed and data identifying a name of a policy that has a detected change.
  - 5. The method of claim 1, wherein the computing the compliance change data comprises computing a change to a compliance score between the compliance data and the historical compliance data for one or more nodes, and wherein the output message comprises the changes to the compliance score for the one or more nodes.
  - 6. The method of claim 1, wherein the computing the compliance change data comprises computing a change to a number of nodes that passed or failed a compliance test, and wherein the output message comprises the change to the number of nodes that passed or failed the compliance test.
  - 7. The method of claim 1, wherein the computing the compliance change data comprises computing a number of changes detected at multiple different severity levels, and wherein the output message comprises the number of changes detected at each of the severity levels.
  - 8. The method of claim 1, wherein the inputting comprises receiving the compliance data from a compliance and configuration control tool.
  - 9. One or more non-transitory computer-readable media storing computer-executable instructions which when executed by a computer cause the computer to perform the method of claim 1.

10. A computer-implemented method, comprising:
- by computing hardware;
  
  transferring information from a compliance and configuration control (“
  
  CCC”
  
  ) tool to a security information and event management (“
  
  SIEM”
  
  ) tool or logging tool, wherein the CCC tool monitors multiple nodes in an information technology (“
  
  IT”
  
  ) infrastructure, and wherein the transferring comprises;
  
  receiving the information from the CCC tool in a format that is not recognized by the SIEM tool or logging tool; and
  
  generating an output message in a message format that is recognized by the SIEM tool or logging tool, the message format of the output message further being a customizable message format that is adaptable to multiple different SIEM tools or logging tools.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18, 19, 21, 22)
- - 11. The method of claim 10, further comprising loading customizable message format data, the customizable message format data defining the message format.
  - 12. The method of claim 11, wherein the customizable message format data further includes data identifying one or more parsers with which the message format is to be used.
  - 13. The method of claim 11, wherein the customizable message format data comprises one or more variable field components, one or more static field components, and a delimiter component.
  - 14. The method of claim 11, wherein the customizable message format data comprises one or more variable field components, the one or more variable field components including a variable for indicating a change to a compliance score for an individual node.
  - 15. The method of claim 10, wherein the customizable message format comprises one or more variable field components, the one or more variable field components including variables for indicating a number of changes detected at multiple different severity levels.
  - 16. The method of claim 10, further comprising comparing the information from the CCC tool to a previously stored version of the information from the CCC tool to compute compliance behavior at one or more of the nodes in the IT network.
  - 17. The method of claim 16, wherein the customizable message format comprises one or more settings that control whether or not to generate the output message based on the compliance behavior at a respective node.
  - 18. The method of claim 16, wherein the customizable message format comprises one or more settings that indicate that compliance data from the CCC tool is to be sent to the SIEM tool or logging tool only when the compliance behavior indicates less compliance at the one or more of the nodes.
  - 19. One or more non-transitory computer-readable media storing computer-executable instructions which when executed by a computer cause the computer to perform the method of claim 10.
  - 21. The method of claim 16, Wherein the generating further comprises generating the output message in a message format adapted for the SIEM or logging tool.
  - 22. One or more non-transitory computer-readable media storing computer-executable instructions which when executed by a computer cause the computer to perform the method of claim 10.

20. A computer-implemented method, comprising:
- by computing hardware;
  
  inputting compliance data indicating a compliance status of one or more nodes in an information technology (“
  
  IT”
  
  ) network relative to one or more compliance policies;
  
  determining a compliance trend for one or more nodes in the IT network by comparing the compliance data to historical compliance data, the historical compliance data indicating the compliance status of the one or more nodes in the IT network at a different time; and
  
  generating an output message for a SIEM or logging tool only if the compliance trend indicates that the one or more nodes are less compliant than indicated by the historical compliance data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Tripwire Incorporated (Belden Inc.)
Original Assignee
Tripwire Incorporated (Belden Inc.)
Inventors
Rivers, Stephen

Granted Patent

US 10,382,486 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/604   Tools and structures for ma...

H04L 63/20   for managing network securi...

EVENT INTEGRATION FRAMEWORKS

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

66 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

EVENT INTEGRATION FRAMEWORKS

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

66 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links