System and method of securing web applications across an enterprise
Abstract
A system and method for protection of Web-based applications are described. The techniques described provide an enterprise-wide approach to preventing attacks on Web-based applications. Individual computer networks within the enterprise monitor network traffic to identify anomalous traffic. The anomalous traffic can be identified by comparing the traffic to a profile of acceptable user traffic when interacting with the application. The anomalous traffic, or security events, identified at the individual computer networks are communicated to a central security manager. The central security manager correlates the security events from the individual computer networks to determine if there is an enterprise-wide security threat. The central security manager can then communicate instructions to the individual computer networks so as to provide an enterprise-wide response to the threat.
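The two-tier arrangement in the abstract (a per-network security module that checks traffic against a user profile and forwards weak events, and a central manager that aggregates those events across networks) can be sketched in a few classes. The following is an added illustration written for this page, not code from the patent or its assignee; the class names, the severity scale, the thresholds, the "block_user" instruction and the sample users and paths are all constructed assumptions.

```python
"""Toy model of the architecture described in the abstract: security modules in
each network verify traffic against a per-user profile, run threat-detection
engines over the anomalous part, and forward individually weak events to a
central manager that aggregates them across networks.  Every name, threshold
and sample request here is constructed for the example."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class UserProfile:
    """Acceptable behaviour for one application user (assumed shape)."""
    allowed_paths: set
    max_requests_per_window: int


@dataclass
class SecurityEvent:
    network: str
    user: str
    reason: str
    severity: int  # constructed 1..10 scale


class SecurityModule:
    """One per network: verifies traffic, runs two detection engines, and
    correlates their results locally before reporting upstream."""

    LOCAL_THREAT_THRESHOLD = 5  # combined engine score that is a local attack

    def __init__(self, network, profiles, manager):
        self.network, self.profiles, self.manager = network, profiles, manager
        self.request_counts = defaultdict(int)
        self.blocked_users = set()

    def _engine_path(self, user, path):
        # Engine 1: request for a path outside the user's profile.
        if path not in self.profiles[user].allowed_paths:
            return SecurityEvent(self.network, user, f"unprofiled path {path}", 3)
        return None

    def _engine_rate(self, user):
        # Engine 2: request count above the profile's per-window limit.
        self.request_counts[user] += 1
        if self.request_counts[user] > self.profiles[user].max_requests_per_window:
            return SecurityEvent(self.network, user, "rate above profile", 2)
        return None

    def inspect(self, user, path):
        """Return 'allow' or 'block' for one request."""
        if user in self.blocked_users:
            return "block"
        findings = [e for e in (self._engine_path(user, path), self._engine_rate(user)) if e]
        if not findings:
            return "allow"
        # Correlate engine results locally: a high combined score is blocked here.
        if sum(e.severity for e in findings) >= self.LOCAL_THREAT_THRESHOLD:
            self.blocked_users.add(user)
            return "block"
        # Individually weak events go to the central manager, which may answer
        # with an instruction before this request is released.
        for event in findings:
            self.manager.receive(event)
        return "block" if user in self.blocked_users else "allow"

    def apply_instruction(self, instruction):
        if instruction["action"] == "block_user":
            self.blocked_users.add(instruction["user"])


class CentralSecurityManager:
    """Aggregates events per user across networks under a simple policy: events
    from at least `min_networks` networks whose severities add up to
    `policy_threshold` are treated as one enterprise-wide threat."""

    def __init__(self, policy_threshold=8, min_networks=2):
        self.policy_threshold, self.min_networks = policy_threshold, min_networks
        self.events = defaultdict(list)
        self.modules, self.instructions_sent = [], []

    def register(self, module):
        self.modules.append(module)

    def receive(self, event):
        self.events[event.user].append(event)
        evs = self.events[event.user]
        networks = {e.network for e in evs}
        if len(networks) >= self.min_networks and sum(e.severity for e in evs) >= self.policy_threshold:
            instruction = {"action": "block_user", "user": event.user}
            self.instructions_sent.append(instruction)
            for module in self.modules:          # same response pushed to every network
                module.apply_instruction(instruction)
            self.events[event.user] = []         # do not re-trigger on the same evidence


def run_scenario():
    """Constructed traffic: alice probes /admin in two networks (weak everywhere,
    strong when aggregated); carol probes /admin in one network only (never
    enough for the enterprise policy, eventually blocked locally)."""
    profiles = {"alice": UserProfile({"/app", "/app/reports"}, 3),
                "carol": UserProfile({"/app"}, 3)}
    manager = CentralSecurityManager(policy_threshold=8, min_networks=2)
    net_a, net_b = SecurityModule("net-a", profiles, manager), SecurityModule("net-b", profiles, manager)
    manager.register(net_a)
    manager.register(net_b)
    verdicts = {
        "alice": [net_a.inspect("alice", "/admin"), net_a.inspect("alice", "/admin"),
                  net_b.inspect("alice", "/admin"), net_a.inspect("alice", "/app")],
        "carol": [net_a.inspect("carol", "/admin") for _ in range(4)],
    }
    return verdicts, manager.instructions_sent


if __name__ == "__main__":
    print(run_scenario())
```

Alice's two probes in net-a score 6 on their own and are allowed; the third, from net-b, lifts the cross-network total to 9 and the manager's instruction blocks her in every network, including her later in-profile request. Carol reaches the same total inside a single network, which the policy does not count as an enterprise threat, and is only stopped when the local engines together cross the module's own threshold.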
47 Claims
1. A plurality of networks comprising:
- a security module in one or more of the plurality of networks comprising, a network traffic port adapted to receiving network traffic;
- a processor adapted to verify the traffic against a profile of acceptable behavior for a user of the network, identify anomalous user traffic, and to analyze the anomalous traffic by at least one threat-detection engine, wherein results from the at least one threat-detection engine are correlated to determine if there is a threat to the network;
- an output configured to communicate security events to a central security manager;
- an input configured to receive instructions from the central security manager, wherein the security module responds in accordance with the instructions;
- a centralized security manager comprising, an input adapted to receive security events from the security module within one of the plurality of networks;
- a processor adapted to analyze the security events from the plurality of networks to identify security threats across the networks and to determine an appropriate response to the threat by the plurality of networks based upon a security policy, wherein the analysis of the security events includes correlating information from the plurality of networks against a profile of acceptable behavior for a user of the network, wherein correlating information from the plurality of networks further comprises aggregating event information from the plurality of networks to determine whether a security threat exists, and wherein the plurality of events when viewed separately are not severe enough to indicate an attack; and
- an output adapted to communicate instructions for responding to the security threat to the security module in network.
Dependent claims: 2 to 14.

15. A centralized security manager within an enterprise, the security manager comprising:
- an input adapted to receive information about security events from a plurality of networks;
- a processor adapted to analyze the information about security events from the plurality of networks to identify security threats across the enterprise and to determine an appropriate response to the threat by the plurality of networks based upon a security policy, wherein the analysis of the security events includes correlating information from the plurality of networks against a profile of acceptable behavior for a user of the network, wherein correlating information from the plurality of networks further comprises aggregating event information from the plurality of networks to determine whether a security threat exists, and wherein the plurality of events when viewed separately are not severe enough to indicate an attack; and
- an output adapted to communicate instructions for responding to the security threat to the plurality of networks.
Dependent claims: 16 to 27.

28. A method of securing networks within an enterprise, the method comprising:
- receiving information about security events from a plurality of networks within the enterprise;
- analyzing the information about security events from the plurality of networks to identify security threats across the enterprise and determining an appropriate response to the threat by the plurality of networks based upon an enterprise security policy, wherein the analysis includes correlating information from the plurality of networks against a profile of acceptable behavior for a user of the network, wherein correlating information from the plurality of networks further comprises aggregating event information from the plurality of networks to determine whether a security threat exists, and wherein the plurality of events when viewed separately are not severe enough to indicate an attack; and
- communicating instructions for responding to a security threat to the plurality of computer networks.
Dependent claims: 29 to 39.

40. A security module within an enterprise, the security module comprising:
- a network traffic port adapted to receiving network traffic;
- a processor adapted to verify the traffic against a profile of acceptable behavior for a user of the network, identify anomalous user traffic, and to analyze the anomalous traffic by at least one threat-detection engine, wherein results from the at least one threat-detection engine are correlated to determine if there is a threat to the network, wherein correlating information from the at least one threat-detection engine further comprises aggregating event information from a plurality of networks across the enterprise to determine whether a security threat exists, and wherein the plurality of events when viewed separately are not severe enough to indicate an attack;
- an output configured to communicate security events to a central security manager; and
- an input configured to receive instructions from the central security manager, wherein the security module responds in accordance with the instructions.
Dependent claims: 41 and 42.

43. An enterprise wide network security system comprising:
- a plurality of networks adapted to identify security events; and
- a central security manager adapted to receive information about security events from the plurality of networks, to analyze the information about security events and identify security threats across the enterprise, to determine an appropriate response to the threat by the plurality of networks based upon an enterprise security policy, wherein the analysis includes correlating information from the plurality of networks against a profile of acceptable behavior for a user of the network, and to communicate instructions for responding to the security threat to the plurality of computer networks, wherein the central security manager is further adapted to aggregate security event information from the plurality of networks to determine whether a security threat exists, and wherein events within a single network are not severe enough to indicate an attack.
Dependent claims: 44 to 47.