Method and apparatus for exercising and debugging correlations for network security system
First Claim
1. A method, comprising:
a first device receiving security events, wherein one or more of the security events originated in an event log that was generated by a computer network device;
the first device normalizing the security events to a common event schema;
the first device transmitting the normalized security events to a second device;
the second device receiving the normalized security events and correlating the normalized security events according to a first rule defining a security incident;
the first device transmitting the normalized security events to a computer-readable storage medium;
the first device retrieving one or more of the normalized security events from the computer-readable storage medium;
the first device transmitting the retrieved normalized security events to the second device, wherein the transmission of the retrieved normalized security events to the second device is performed faster than the initial transmission of the normalized security events to the second device;
the second device receiving the retrieved normalized security events and correlating the retrieved normalized security events according to a second rule defining a security incident, wherein the second rule differs from the first rule; and
the second device generating a meta-event when the retrieved normalized security events satisfy a condition associated with the second rule.
Abstract
Previously stored security events from a selected time interval, generated by a number of computer network devices, are replayed and cross-correlated according to rules defining security incidents. Meta-events are generated when the security events satisfy conditions associated with one or more of the rules. The rules used during replay may differ from the rules that were in force when the security events occurred within the computer network containing those devices. In this way, new rules can be tested against real security event data streams to determine whether or not they should be deployed in a live environment (i.e., the efficacy of a rule can be tested and debugged against actual security event data).
Claims (22 in total; the two independent claims, 1 and 12, are shown)

1. A method, comprising the steps reproduced in full above under First Claim. Claims 2 to 11 depend on claim 1.

12. A system, comprising:
a first device comprising a hardware processor configured to:
receive security events, wherein one or more of the security events originated in an event log that was generated by a computer network device;
normalize the security events to a common event schema;
transmit the normalized security events to a second device;
transmit the normalized security events to a computer-readable storage medium;
retrieve one or more of the normalized security events from the computer-readable storage medium; and
transmit the retrieved normalized security events to the second device, wherein the transmission of the retrieved normalized security events to the second device is performed faster than the initial transmission of the normalized security events to the second device; and
the second device comprising a hardware processor configured to:
receive the normalized security events and correlate the normalized security events according to a first rule defining a security incident;
receive the retrieved normalized security events and correlate the retrieved normalized security events according to a second rule defining a security incident, wherein the second rule differs from the first rule; and
generate a meta-event when the retrieved normalized security events satisfy a condition associated with the second rule.
Claims 13 to 22 depend on claim 12.
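The pipeline of claims 1 and 12 and the replay described in the abstract, as an added worked example (not code from the patent or its assignee): a first device normalizes two device log formats to a common schema, forwards each event to a correlator running the rule in force at the time, and archives a copy; the archived interval is then replayed, unpaced by the original arrival times, against a different rule, and a meta-event is emitted when that rule's condition is met. The schema fields, the two log formats, both rule definitions and the sample log lines are all assumptions constructed for this example.

```python
import re
from collections import defaultdict, deque, namedtuple
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional

@dataclass(frozen=True)
class Event:  # common event schema; fields are assumed, the patent does not fix them
    ts: datetime
    device: str
    src_ip: str
    action: str  # normalized verb: "deny", "allow", "login_failed", "login_ok"

MetaEvent = namedtuple("MetaEvent", "rule key first_seen last_seen count")

@dataclass
class Rule:
    """Fire when `threshold` events matching `matches` share a `key` within `window`."""
    name: str
    matches: Callable[[Event], bool]
    key: Callable[[Event], str]
    threshold: int
    window: timedelta

# First device: parse two constructed device log formats into the common schema.
_FW_RE = re.compile(r"^(?P<ts>\S+) (?P<dev>fw\d+) (?P<act>DENY|ALLOW) src=(?P<src>\S+) dst=\S+$")
_SSH_RE = re.compile(r"^(?P<ts>\S+) (?P<dev>\S+) sshd: (?P<res>Failed|Accepted) password for \S+ from (?P<src>\S+)$")

def normalize(line: str) -> Optional[Event]:
    """Map one raw log line onto the common schema; None when no parser applies."""
    if m := _FW_RE.match(line):
        return Event(datetime.fromisoformat(m["ts"]), m["dev"], m["src"], m["act"].lower())
    if m := _SSH_RE.match(line):
        act = "login_failed" if m["res"] == "Failed" else "login_ok"
        return Event(datetime.fromisoformat(m["ts"]), m["dev"], m["src"], act)
    return None

class EventStore:
    """The storage medium: archives normalized events, serves a time interval in order."""
    def __init__(self) -> None:
        self.events: List[Event] = []
    def select(self, start: datetime, end: datetime) -> List[Event]:
        return sorted((e for e in self.events if start <= e.ts < end), key=lambda e: e.ts)

class Correlator:
    """Second device: sliding-window correlation of an ordered stream under one rule."""
    def __init__(self, rule: Rule) -> None:
        self.rule = rule
        self.windows: Dict[str, deque] = defaultdict(deque)
        self.meta_events: List[MetaEvent] = []
    def ingest(self, ev: Event) -> None:
        if not self.rule.matches(ev):
            return
        k = self.rule.key(ev)
        q = self.windows[k]
        q.append(ev.ts)
        while ev.ts - q[0] > self.rule.window:  # evict timestamps that aged out of the window
            q.popleft()
        if len(q) >= self.rule.threshold:
            self.meta_events.append(MetaEvent(self.rule.name, k, q[0], ev.ts, len(q)))
            q.clear()  # one burst yields one meta-event

def run_live(lines: List[str], rule: Rule, store: EventStore) -> List[MetaEvent]:
    """Normalize each arriving line, forward it to the correlator, and archive a copy."""
    corr = Correlator(rule)
    for ev in filter(None, map(normalize, lines)):
        corr.ingest(ev)
        store.events.append(ev)
    return corr.meta_events

def replay(store: EventStore, start: datetime, end: datetime, rule: Rule) -> List[MetaEvent]:
    """Re-run a stored interval under another rule; nothing paces the loop to arrival times."""
    corr = Correlator(rule)
    for ev in store.select(start, end):
        corr.ingest(ev)
    return corr.meta_events

# Constructed sample logs from two devices (a firewall and an SSH host).
SAMPLE_LOGS = [
    "2024-05-01T10:00:00 fw1 DENY src=203.0.113.7 dst=10.0.0.5",
    "2024-05-01T10:00:20 fw1 DENY src=203.0.113.7 dst=10.0.0.6",
    "2024-05-01T10:00:45 host2 sshd: Failed password for root from 203.0.113.7",
    "2024-05-01T10:01:10 host2 sshd: Failed password for admin from 203.0.113.7",
    "2024-05-01T10:01:30 host2 sshd: Failed password for deploy from 203.0.113.7",
    "2024-05-01T10:02:00 host2 sshd: Accepted password for deploy from 203.0.113.7",
    "2024-05-01T10:05:00 host2 kernel: eth0 link up",  # no mapping: dropped by normalize()
    "2024-05-01T10:09:00 fw1 ALLOW src=198.51.100.2 dst=10.0.0.5",
]
# Rule in force when the events occurred: SSH brute force, host logs only. Never fires here.
RULE_LIVE = Rule("ssh_bruteforce", lambda e: e.action == "login_failed",
                 lambda e: e.src_ip, threshold=5, window=timedelta(seconds=60))
# Candidate rule under test: firewall denies and SSH failures from one source, cross-correlated.
RULE_REPLAY = Rule("cross_device_probe", lambda e: e.action in ("deny", "login_failed"),
                   lambda e: e.src_ip, threshold=4, window=timedelta(minutes=2))
REPLAY_WINDOW = (datetime(2024, 5, 1, 10, 0), datetime(2024, 5, 1, 10, 5))  # selected interval

def demo() -> Dict[str, List[MetaEvent]]:
    store = EventStore()
    live = run_live(SAMPLE_LOGS, RULE_LIVE, store)
    return {"live": live, "replay": replay(store, *REPLAY_WINDOW, RULE_REPLAY)}
```

Calling demo() runs both passes over the same archived data: the live rule never fires on the sample, while the replayed candidate rule, which cross-correlates firewall denies with SSH failures from one source, produces a single meta-event covering 10:00:00 to 10:01:10 for 203.0.113.7. That side-by-side result is the comparison the abstract describes, deciding from real event data whether a rule is worth promoting to the live environment. Two practical points the claims leave implicit: select() sorts by timestamp so the replayed correlator sees events in order even when devices delivered them out of order, and the window reset after each meta-event keeps one burst from firing on every further event.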
Specification