ENTERPRISE GRAPH METHOD OF THREAT DETECTION
Abstract
Systems and methods for analyzing security alerts within an enterprise are provided. An enterprise graph is generated based on information such as operational intelligence regarding the enterprise. The enterprise graph identifies relationships between entities of the enterprise and a plurality of security alerts are produced by a plurality of security components of the enterprise. One or more significant relationships are identified between two or more of the plurality of security alerts based on a strength of a relationship identified in the enterprise graph. A significant relationship is utilized to identify a potential security incident between two or more of the security alerts.
31 Citations
20 Claims
1. A method for analyzing security alerts, comprising:
generating an enterprise graph based on information associated with an enterprise;
utilizing the enterprise graph to identify relationships between computers of the enterprise;
receiving a plurality of security alerts produced by a plurality of security components of the enterprise;
identifying at least one significant relationship between two or more of the plurality of security alerts based on a strength of a relationship identified in the enterprise graph; and
identifying at least one potential security incident based on the at least one significant relationship between the two or more of the plurality of security alerts.
Dependent claims: 2 to 12.
13. A system for analyzing security alerts, comprising:
an enterprise graph service for generating an enterprise graph based on information associated with an enterprise for identifying relationships between computers of the enterprise;
a plurality of security components generating a plurality of security alerts regarding the enterprise;
a fusion service for identifying significant relationships between security alerts, wherein each significant relationship is identified in the enterprise graph and corresponds with at least two or more security alerts; and
a kill chain interpreter for identifying potential security incidents based on significant relationships between two or more of the plurality of security alerts.
Dependent claims: 14 to 19.
20. A computer-readable storage medium including instructions for analyzing security alerts, which when executed by a processor are operable to:
generating an enterprise graph based on information associated with an enterprise;
utilizing the enterprise graph to identify relationships between computers of the enterprise;
receiving a plurality of security alerts produced by a plurality of security components of the enterprise;
identifying at least one significant relationship between two or more of the plurality of security alerts based on a strength of a relationship identified in the enterprise graph;
identifying a potential security incident involving two or more entities of the enterprise based on the at least one significant relationship between the two or more of the plurality of security alerts, and wherein the potential security incident corresponds with at least part of a known piece of malicious executable code;
indicating the plurality of security alerts of the potential security incident have priority over other security alerts not associated with the identified potential security incident; and
concluding that the potential security incident is an actual attack.
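The pipeline described by the abstract and by claims 13 and 20 (an enterprise graph service, a fusion service that joins alerts whose entities are strongly related in the graph, a kill chain interpreter, and prioritization of the fused alerts) is shown below as an added Python sketch. It is illustrative code written for this page, not the patent holder's implementation. The host names, edge weights, the 0.5 significance threshold, the two-hop product rule for indirect relationships, the kill-chain stage labels and the sample alerts are all constructed assumptions.

```python
"""Added example: alert fusion over a weighted enterprise graph.

Illustrative code for this page, not the patent's implementation.
Entity names, weights, threshold and stage labels are assumptions.
"""
from collections import defaultdict
from itertools import combinations

# Constructed operational intelligence: (entity_a, entity_b, weight).
# Weights are assumed to be derived from e.g. logon frequency, shared
# admin accounts or observed flows; higher means a stronger relationship.
ENTERPRISE_EDGES = [
    ("ws-alice", "dc01", 0.9),    # alice's workstation authenticates to the DC
    ("ws-alice", "file01", 0.7),  # regular SMB access
    ("file01", "dc01", 0.8),
    ("ws-bob", "dc01", 0.9),
    ("ws-bob", "printer", 0.1),   # weak, incidental relationship
    ("ws-carol", "printer", 0.1),
    ("ws-dave", "ws-erin", 0.6),  # a separate, unrelated pair of hosts
]

# Constructed alerts from several security components (EDR, IDS, SIEM, firewall).
ALERTS = [
    {"id": "A1", "source": "edr", "entity": "ws-carol", "stage": "execution"},
    {"id": "A2", "source": "edr", "entity": "ws-alice", "stage": "execution"},
    {"id": "A3", "source": "ids", "entity": "file01", "stage": "lateral_movement"},
    {"id": "A4", "source": "siem", "entity": "dc01", "stage": "credential_access"},
    {"id": "A5", "source": "firewall", "entity": "printer", "stage": "discovery"},
    {"id": "A6", "source": "edr", "entity": "ws-dave", "stage": "discovery"},
    {"id": "A7", "source": "edr", "entity": "ws-erin", "stage": "discovery"},
]

# Assumed kill-chain ordering used by the interpreter.
KILL_CHAIN = ["reconnaissance", "initial_access", "execution", "credential_access",
              "discovery", "lateral_movement", "exfiltration"]


def build_graph(edges):
    """Enterprise graph service: undirected adjacency map with max edge weight."""
    graph = defaultdict(dict)
    for a, b, w in edges:
        graph[a][b] = max(w, graph[a].get(b, 0.0))
        graph[b][a] = max(w, graph[b].get(a, 0.0))
    return graph


def relationship_strength(graph, a, b):
    """Strength between two entities: direct weight, or the best two-hop
    product (assumed decay rule), whichever is larger."""
    if a == b:
        return 1.0
    best = graph[a].get(b, 0.0)
    for mid, w1 in graph[a].items():
        w2 = graph[mid].get(b)
        if w2 is not None:
            best = max(best, w1 * w2)
    return best


def significant_pairs(graph, alerts, threshold):
    """Fusion service step 1: alert pairs whose entities are linked at or above threshold."""
    pairs = []
    for x, y in combinations(alerts, 2):
        strength = relationship_strength(graph, x["entity"], y["entity"])
        if strength >= threshold:
            pairs.append((x["id"], y["id"], round(strength, 3)))
    return pairs


def fuse_incidents(alerts, pairs):
    """Fusion service step 2: union-find over significant pairs; each connected
    component of two or more alerts is a potential incident."""
    parent = {a["id"]: a["id"] for a in alerts}

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    for x, y, _ in pairs:
        parent[find(x)] = find(y)
    groups = defaultdict(list)
    for a in alerts:
        groups[find(a["id"])].append(a)
    return [sorted(g, key=lambda a: a["id"]) for g in groups.values() if len(g) >= 2]


def interpret_kill_chain(incident):
    """Kill chain interpreter: distinct stages covered, in kill-chain order."""
    stages = {a["stage"] for a in incident}
    return [s for s in KILL_CHAIN if s in stages]


def prioritize(alerts, incidents):
    """Alert ids of incidents first (most stages covered first), then the rest."""
    ranked = sorted(incidents, key=lambda inc: -len(interpret_kill_chain(inc)))
    in_incident = [a["id"] for inc in ranked for a in inc]
    rest = [a["id"] for a in alerts if a["id"] not in in_incident]
    return in_incident + rest


if __name__ == "__main__":
    g = build_graph(ENTERPRISE_EDGES)
    incidents = fuse_incidents(ALERTS, significant_pairs(g, ALERTS, 0.5))
    for inc in incidents:
        print([a["id"] for a in inc], interpret_kill_chain(inc))
    print(prioritize(ALERTS, incidents))
```

With the constructed data, the alerts on ws-alice, file01 and dc01 fuse into one incident spanning execution, credential access and lateral movement, the ws-dave/ws-erin pair forms a second, single-stage incident, and the alerts on ws-carol and the printer stay unfused because their only relationships are below the threshold. Indirect (two-hop) strength is what lets alerts on hosts with no direct edge still fuse; the product rule is one choice among several and the threshold would in practice be tuned against the organization's own graph.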
Specification