SECURITY INFORMATION AND EVENT MANAGEMENT

US 20150106867A1
Filed: 10/12/2013
Published: 04/16/2015
Est. Priority Date: 10/12/2013
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

obtaining, by a security information and event management (SIEM) device, a security event;

calculating, by the SIEM device, a risk level of the security event based on at least a correlation of the security event with one or more asset attributes of a network that is managed by the SIEM device; and

when the risk level meets a predetermined or configurable threshold, then causing, by the SIEM device, the security event to be reported to an administrator of the network.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for conducting correlation analysis for security events with assets attributes of a network by a SIEM device to enable more efficient reporting are provided. According to one embodiment, when a SIEM device obtains a security event, a risk level of the security event is calculated based on at least a correlation of the security event with one or more asset attributes of a network that is managed by the SIEM device. When the risk level meets a predetermined or configurable threshold, the SIEM device causes the security event to be reported to an administrator of the network.

378 Citations

22 Claims

1. A method comprising:
- obtaining, by a security information and event management (SIEM) device, a security event;
  
  calculating, by the SIEM device, a risk level of the security event based on at least a correlation of the security event with one or more asset attributes of a network that is managed by the SIEM device; and
  
  when the risk level meets a predetermined or configurable threshold, then causing, by the SIEM device, the security event to be reported to an administrator of the network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein said obtaining a security event further comprises:
    - receiving, by SIEM device, a plurality of original events from at least one source;
      
      logically correlating the plurality of original events; and
      
      extracting the security event from the plurality of original events.
  - 3. The method of claim 2, wherein said logically correlating the plurality of original events comprises identifying the security event based on logical relationships of the original events.
  - 4. The method of claim 2, wherein said logically correlating the plurality of original events comprises combining repeated original events into the security event.
  - 5. The method of claim 1, further comprising:
    - setting up an asset table that describes assets contained in the network that are managed by the SIEM device;
      
      setting up an asset value for each asset, wherein the asset value represents a relative importance level of the asset in the network;
      
      mapping a target of the security event to an asset in the asset table;
      
      extracting the asset value of the mapped asset; and
      
      adjusting the risk level of the security event based on the asset value of the mapped asset.
  - 6. The method of claim 5, further comprising decreasing the risk level of the security event if the target of the security event is not mapped to any asset of the network.
  - 7. The method of claim 5, further comprising:
    - setting up an inventory list for each asset of the network, wherein the inventory list describes hardware and software attributes of the asset;
      
      setting up a reliability value for each attribute in the inventory list, wherein the reliability value represents the reliability of the attribute in the asset;
      
      searching an attribute of the security event in the inventory list of the mapped asset;
      
      extracting the reliability value of the attribute;
      
      adjusting the risk level of the security event based on the reliability value.
  - 8. The method of claim 1, further comprising:
    - matching a system vulnerability with the security event;
      
      scanning a target of the security event for the system vulnerability; and
      
      increasing the risk level of the security event if the system vulnerability exists in the target of the security event; and
      
      decreasing the risk level of the security event if the system vulnerability does not exist in the target of the security event.
  - 9. The method of claim 8, wherein said matching a system vulnerability with the security event further comprises matching the system vulnerability based on a common vulnerabilities and exposures (CVE) attribute, a BugTraq attribute or an S3CVE attribute of the security event.
  - 10. The method of claim 8, wherein said matching a system vulnerability with the security event further comprises matching the system vulnerability with the security event based on a local knowledge database.
  - 11. The method of claim 1, further comprising setting up a correlation policy to define a sequence or a combination of correlations of the security event with the asset attributes of the network that is managed by the SIEM device.

12. A computer system comprising:
- a non-transitory storage device having tangibly embodied therein instructions representing a security application; and
  
  one or more processors coupled to the non-transitory storage device and operable to execute the security application to perform a method comprising;
  
  obtaining, by a security information and event management (SIEM) device, a security event;
  
  calculating, by the SIEM device, a risk level of the security event based on at least a correlation of the security event with one or more asset attributes of a network that is managed by the SIEM device; and
  
  when the risk level meets a predetermined or configurable threshold, then causing, by the SIEM device, the security event to be reported to an administrator of the network.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. The computer system of claim 12, wherein said obtaining a security event further comprises:
    - receiving, by SIEM device, a plurality of original events from at least one source;
      
      logically correlating the plurality of original events; and
      
      extracting the security event from the plurality of original events.
  - 14. The computer system of claim 13, wherein said logically correlating the plurality of original events comprises identifying the security event based on logical relationships of the original events.
  - 15. The computer system of claim 13, wherein said logically correlating the plurality of original events comprises combining repeated original events into the security event.
  - 16. The computer system of claim 12, wherein the method further comprise:
    - setting up an asset table that describes assets contained in the network that is managed by the SIEM device;
      
      setting up an asset value for each asset, wherein the asset value represents the importance level of the asset in the network;
      
      mapping a target of the security event with an asset in the asset table;
      
      extracting the asset value of the mapped asset; and
      
      adjusting the risk level of the security event based on the asset value of the mapped asset.
  - 17. The computer system of claim 16, wherein the method further comprises decreasing the risk level of the security event when the target of the security event is not mapped to any asset of the network.
  - 18. The computer system of claim 16, wherein the method further comprises:
    - setting up an inventory list for each asset of the network, wherein the inventory list describes hardware and software attributes of the asset;
      
      setting up a reliability value for each attribute in the inventory list, wherein the reliability value represents the reliability of the attribute in the asset;
      
      searching an attribute of the security event in the inventory list of the mapped asset;
      
      extracting the reliability value of the attribute;
      
      adjusting the risk level of the security event based on the reliability value.
  - 19. The computer system of claim 12, wherein the method further comprises:
    - matching a system vulnerability with the security event;
      
      scanning a target of the security event for the system vulnerability; and
      
      increasing the risk level of the security event if the system vulnerability exists in the target of the security event; and
      
      decreasing the risk level of the security event if the system vulnerability does not exist in the target of the security event.
  - 20. The computer system of claim 19, wherein said matching a system vulnerability with the security event further comprises matching the system vulnerability based on a common vulnerabilities and exposures (CVE) attribute, a BugTraq attribute or a S3CVE attribute of the security event.
  - 21. The computer system of claim 19, wherein said matching a system vulnerability with the security event further comprises matching the system vulnerability with the security event based on local knowledge database.
  - 22. The computer system of claim 12, wherein the method further comprises setting up a correlation policy to define a sequence or a combination of correlations of the security event with the asset attributes of the network that is managed by the SIEM device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fortinet Inc.
Original Assignee
Fortinet Inc.
Inventors
Liang, Dong

Granted Patent

US 10,616,258 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

H04L 63/1433 Vulnerability analysis

H04L 63/20 for managing network securi...

SECURITY INFORMATION AND EVENT MANAGEMENT

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

378 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

SECURITY INFORMATION AND EVENT MANAGEMENT

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

378 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links