Real time monitoring and analysis of events from multiple network security devices
First Claim

1. A method for monitoring security of a computer network, the computer network comprising network devices, the method comprising:
- receiving security events generated by the network devices, wherein a security event generated by a network device is in a format used by the network device;
- modifying the security events to normalize the security events to a common schema, wherein the common schema includes a category that represents an event name;
- selecting one or more of the normalized security events according to a filter; and
- cross-correlating the selected security events with a rule, wherein the cross-correlating is performed remotely from the normalizing.
Abstract
Security events generated by a number of network devices are gathered and normalized to produce normalized security events in a common schema. The normalized security events are cross-correlated according to rules to generate meta-events. The security events may be gathered remotely from a system at which the cross-correlating is performed. Any meta-events that are generated may be reported by generating alerts for display at one or more computer consoles, or by sending an e-mail message, a pager message, a telephone message, and/or a facsimile message to an operator or other individual. In addition to reporting the meta-events, the present system allows for taking other actions specified by the rules, for example executing scripts or other programs to reconfigure one or more of the network devices, and or to modify or update access lists, etc.
35 Claims (independent claims 1, 18, 28 and 32 shown; dependent claims listed by number)

1. A method for monitoring security of a computer network, as given under First Claim above. Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17.

18. A system for monitoring security of a computer network, the computer network comprising network components, the system comprising:
- one or more software agents, including a software agent configured to receive event information from one or more network components, wherein event information received from a network component is in a format used by the network component, and further configured to modify the event information to normalize the event information to a common schema and to filter the normalized event information, wherein the common schema includes a category that represents an event name; and
- a server-based manager configured to receive filtered event information from the one or more software agents and further configured to cross-correlate the filtered event information with a rule.
Dependent claims: 19, 20, 21, 22, 23, 24, 25, 26, 27.

28. A non-transitory computer readable medium, having stored thereon computer-readable instructions, which when executed in a computer system, cause the computer system to monitor security of a computer network, the computer network comprising network devices, by cross-correlating events with a rule, an event having been received from a network device in a format used by the network device and modified to normalize the event to a common schema and the normalized event selected according to a filter, wherein the common schema includes a category that represents an event name.

32. A non-transitory computer readable medium, having stored thereon computer-readable instructions, which when executed in a computer system, cause the computer system to receive event information from an associated network device, wherein the event information is in a format used by the associated network device, and to modify the event information to normalize the event information to a common schema, and to filter the normalized event information, wherein the common schema includes a category that represents an event name.
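As an added illustration of the pipeline the abstract and claims describe (agent-side normalization of device-specific records to a common schema whose `category` field is the event name, an agent-side filter, and a manager-side cross-correlation rule that emits a meta-event with a follow-up action), here is a small Python model. It is not code from the patent or from any product implementing it; the two device log formats, the field names, the severity mapping, the thresholds and the sample log lines are all constructed assumptions.

```python
"""Normalize -> filter -> cross-correlate, modelled on the claims above.

Added example, not the patent's own code. Event formats, schema field names,
thresholds and sample log lines are constructed for illustration.
"""
import json
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input: a firewall emitting key=value syslog lines and an
# IDS emitting one JSON object per line. Both formats are fictional.
FIREWALL_LINES = [
    'ts=2024-01-01T10:00:00Z action=deny src=10.0.0.5 dst=192.0.2.10 dport=22',
    'ts=2024-01-01T10:00:05Z action=deny src=10.0.0.5 dst=192.0.2.10 dport=23',
    'ts=2024-01-01T10:00:09Z action=deny src=10.0.0.5 dst=192.0.2.10 dport=445',
    'ts=2024-01-01T10:00:30Z action=allow src=10.0.0.7 dst=192.0.2.10 dport=443',
]
IDS_LINES = [
    '{"time": "2024-01-01T10:00:40Z", "sig": "SMB exploit attempt", '
    '"source": "10.0.0.5", "target": "192.0.2.10", "priority": 1}',
]

KV_RE = re.compile(r'(\w+)=(\S+)')


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace('Z', '+00:00'))


# --- Agent side: per-device parsers produce the common schema ---------------

def normalize_firewall(line: str) -> dict:
    """Map a firewall line onto the common schema; `category` names the event."""
    kv = dict(KV_RE.findall(line))
    denied = kv['action'] == 'deny'
    return {
        'category': 'connection_denied' if denied else 'connection_allowed',
        'time': _ts(kv['ts']),
        'src_ip': kv['src'],
        'dst_ip': kv['dst'],
        'dst_port': int(kv['dport']),
        'device': 'firewall',
        'severity': 3 if denied else 1,      # assumed device-to-schema mapping
        'raw': line,
    }


def normalize_ids(line: str) -> dict:
    """Map an IDS JSON record onto the same schema."""
    rec = json.loads(line)
    return {
        'category': 'ids_alert',
        'time': _ts(rec['time']),
        'src_ip': rec['source'],
        'dst_ip': rec['target'],
        'dst_port': None,
        'device': 'ids',
        'severity': 10 - rec['priority'],   # assumed: IDS priority 1 = most severe
        'raw': line,
        'signature': rec['sig'],
    }


def agent_filter(events, min_severity=2):
    """Agent-side filter: only events at or above the threshold are forwarded."""
    return [e for e in events if e['severity'] >= min_severity]


# --- Manager side: one cross-correlation rule over the forwarded events -----

def rule_probe_then_attack(events, min_denies=3, window_s=60):
    """Emit a meta-event when a source is denied >= min_denies times and then
    raises an IDS alert against the same destination within window_s seconds."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e['time']):
        by_src[e['src_ip']].append(e)
    meta = []
    for src, evs in by_src.items():
        denies = [e for e in evs if e['category'] == 'connection_denied']
        for alert in (e for e in evs if e['category'] == 'ids_alert'):
            recent = [d for d in denies
                      if d['dst_ip'] == alert['dst_ip']
                      and 0 <= (alert['time'] - d['time']).total_seconds() <= window_s]
            if len(recent) >= min_denies:
                meta.append({
                    'category': 'probe_then_attack',
                    'src_ip': src,
                    'dst_ip': alert['dst_ip'],
                    'evidence': [d['raw'] for d in recent] + [alert['raw']],
                    # the rule's action: alert the console and push a block rule
                    'action': f'alert console; reconfigure firewall to block {src}',
                })
    return meta


def run_pipeline():
    """Agents normalize and filter; the manager correlates the forwarded set."""
    normalized = ([normalize_firewall(line) for line in FIREWALL_LINES]
                  + [normalize_ids(line) for line in IDS_LINES])
    forwarded = agent_filter(normalized)
    return forwarded, rule_probe_then_attack(forwarded)


if __name__ == '__main__':
    forwarded, meta = run_pipeline()
    print(f'{len(forwarded)} events forwarded to manager')
    for m in meta:
        print(m['category'], m['src_ip'], '->', m['dst_ip'], '|', m['action'])
```

The split mirrors the claims: everything device-specific lives in the agent-side parsers, so the manager's rule is written once against schema fields (`category`, `src_ip`, `dst_ip`, `time`) and works regardless of which vendor produced the record. The `evidence` list carries the raw lines forward so an analyst can verify the meta-event against the original device output.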