Adaptive data collection for root-cause analysis and intrusion detection
First Claim
1. A method for performing adaptive data collection in an endpoint of an enterprise security environment, the method comprising the steps of:
receiving a security assessment at a server that describes an object in the environment, the security assessment being a tentative assignment of security meaning to information relating to the object and further comprising a plurality of fields, at least one of the fields is a fidelity field that is arranged to express a degree of confidence an endpoint has in the security assessment, the security assessment being arranged to provide contextual meaning to the object and being defined with an estimated time interval over which the security assessment is valid;
switching from a first data collection mode to a second data collection mode in the server responsively to the received security assessment, the second data collection mode collecting a larger subset of available data in the environment than is collected while in the first data collection mode;
analyzing the collected larger subset of available data; and
rolling-back to the first data collection mode upon expiration of the estimated time interval.
2 Assignments
0 Petitions
Abstract
Endpoints in an enterprise security environment are configured to adaptively switch from their normal data collection mode to a long-term, detailed data collection mode where advanced analyses are applied to the collected detailed data. Such adaptive data collection and analysis is triggered upon the receipt of a security assessment of a particular type, where a security assessment is defined as a tentative assignment by an endpoint of broader contextual meaning to information (i.e., data in some context) that is collected about an object of interest. A specialized endpoint is coupled to the security assessment channel and performs as a centralized audit point by subscribing to all security assessments, logging the security assessments, and also logging the local actions taken by endpoints in response to detected security incidents in the environment. The specialized endpoint is arranged to perform various analyses and processes on historical security assessments.
233 Citations
20 Claims
1. (Text as set out under First Claim above.)
Dependent claims: 2, 3, 4, 5, 6, 7.
8. An enterprise security management product configured to perform adaptive data collection in an endpoint of an enterprise security environment, the product comprising:
an endpoint coupled to a security assessment channel, the endpoint including a server, the security assessment channel configured to receive a security assessment that describes an object in the environment, the security assessment being a tentative assignment of security meaning to information relating to the object and further comprising a plurality of fields, at least one of the fields is a fidelity field that is arranged to express a degree of confidence an endpoint has in the security assessment, the security assessment being arranged to provide contextual meaning to the object and being defined with an estimated time interval over which the security assessment is valid;
the endpoint configured to switch from a first data collection mode to a second data collection mode responsively to the received security assessment, the second data collection mode collecting a larger subset of available data in the environment than is collected while in the first data collection mode;
the endpoint configured to analyze the collected larger subset of available data; and
the endpoint configured to roll-back to the first data collection mode upon expiration of the estimated time interval.
Dependent claims: 9, 10, 11, 12, 13, 14.
15. An endpoint, comprising:
a computer coupled to a security assessment channel, the security assessment channel configured to receive a security assessment at a server that describes an object in the environment, the security assessment being a tentative assignment of security meaning to information relating to the object and further comprising a plurality of fields, at least one of the fields is a fidelity field that is arranged to express a degree of confidence an endpoint has in the security assessment, the security assessment being arranged to provide contextual meaning to the object and being defined with an estimated time interval over which the security assessment is valid;
the computer configured to switch from a first data collection mode to a second data collection mode responsively to the received security assessment, the second data collection mode collecting a larger subset of available data in the environment than is collected while in the first data collection mode;
the computer configured to analyze the collected larger subset of available data; and
the computer configured to roll-back to the first data collection mode upon expiration of the estimated time interval.
Dependent claims: 16, 17, 18, 19, 20.
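The mechanism the abstract and the independent claims describe (a security assessment carrying a fidelity field and an estimated validity interval, a switch from a baseline collection mode to a detailed one, analysis of the larger data set, and a roll-back to the baseline mode when the interval expires) can be modelled in a few dozen lines. The Python below is an added illustration written for this page, not the patent holder's code and not an implementation taken from the specification; the assessment categories, fidelity thresholds, data-source names, the `AdaptiveCollector` class and the event stream are all constructed for the example.

```python
"""Model of adaptive data collection driven by security assessments.

Added illustration for this page; not the patent holder's code. All
categories, thresholds, source names and events below are constructed.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Mode(Enum):
    NORMAL = "normal"      # first data collection mode: baseline subset
    DETAILED = "detailed"  # second data collection mode: larger subset


@dataclass(frozen=True)
class SecurityAssessment:
    object_id: str    # the object the assessment describes (host, user, file, ...)
    category: str     # assessment type (hypothetical names)
    fidelity: float   # publishing endpoint's confidence, 0.0 .. 1.0
    issued_at: float  # epoch seconds
    ttl: float        # estimated time interval (seconds) over which it is valid

    @property
    def expires_at(self) -> float:
        return self.issued_at + self.ttl


# Hypothetical policy: which assessment types trigger detailed collection and
# the minimum fidelity the endpoint requires before it acts on them.
TRIGGER_POLICY = {"compromised_host": 0.6, "malware_detected": 0.5}

# Hypothetical data sources; the baseline mode collects only a subset of them.
ALL_SOURCES = frozenset({"process_create", "auth", "network_flow", "file_write", "dns"})
BASELINE_SOURCES = frozenset({"process_create", "auth"})


class AdaptiveCollector:
    def __init__(self) -> None:
        self.mode = Mode.NORMAL
        self.detail_until: Optional[float] = None
        self.records: list[dict] = []   # events actually collected
        self.audit: list[str] = []      # local actions, for the audit point

    def active_sources(self) -> frozenset:
        return ALL_SOURCES if self.mode is Mode.DETAILED else BASELINE_SOURCES

    def on_assessment(self, a: SecurityAssessment, now: float) -> bool:
        """Return True if the assessment put (or kept) the endpoint in detailed mode."""
        threshold = TRIGGER_POLICY.get(a.category)
        if threshold is None or a.fidelity < threshold:
            return False                      # wrong type, or not confident enough
        if now >= a.expires_at:
            return False                      # already expired: never act on it
        if self.mode is Mode.NORMAL:
            self.mode = Mode.DETAILED
            self.audit.append(f"{now:.0f} switch DETAILED object={a.object_id} fidelity={a.fidelity}")
        # A later valid assessment may extend the window but never shorten it.
        self.detail_until = max(self.detail_until or 0.0, a.expires_at)
        return True

    def tick(self, now: float) -> None:
        """Roll back to the first mode once the validity interval has expired."""
        if self.mode is Mode.DETAILED and now >= self.detail_until:
            self.mode = Mode.NORMAL
            self.detail_until = None
            self.audit.append(f"{now:.0f} rollback NORMAL")

    def collect(self, event: dict) -> bool:
        """Collect the event only if its source is in the current mode's subset."""
        self.tick(event["ts"])
        if event["source"] in self.active_sources():
            self.records.append(event)
            return True
        return False


def analyze(records: list[dict], object_id: str) -> list[str]:
    """Toy analysis over the collected data: ordered sources seen for one object."""
    ordered = sorted(records, key=lambda r: r["ts"])
    return [r["source"] for r in ordered if r["object"] == object_id]


def run_demo() -> dict:
    """Drive the collector with a constructed assessment and event stream."""
    c = AdaptiveCollector()
    t0 = 1_700_000_000.0
    stream = [
        ("event", {"ts": t0, "object": "host-17", "source": "dns"}),                # dropped (baseline)
        ("event", {"ts": t0 + 10, "object": "host-17", "source": "process_create"}),
        ("assess", SecurityAssessment("host-17", "malware_detected", 0.3, t0 + 20, 300.0)),  # below 0.5
        ("assess", SecurityAssessment("host-17", "compromised_host", 0.8, t0 + 50, 300.0)),  # valid to t0+350
        ("event", {"ts": t0 + 60, "object": "host-17", "source": "network_flow"}),  # detailed only
        ("event", {"ts": t0 + 90, "object": "host-17", "source": "file_write"}),    # detailed only
        ("event", {"ts": t0 + 360, "object": "host-17", "source": "dns"}),          # after expiry: dropped
        ("event", {"ts": t0 + 370, "object": "host-17", "source": "auth"}),
    ]
    accepted = []
    for kind, item in stream:
        if kind == "assess":
            accepted.append(c.on_assessment(item, now=item.issued_at))
        else:
            c.collect(item)
    return {
        "accepted": accepted,
        "collected": [r["source"] for r in c.records],
        "timeline": analyze(c.records, "host-17"),
        "final_mode": c.mode.value,
        "audit": c.audit,
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

Two details matter in practice. A stale or low-fidelity assessment is rejected before any mode switch, so a replayed or speculative assessment cannot by itself push the endpoint into the expensive collection mode, and a later valid assessment extends the detailed window but never shortens it. The roll-back is evaluated on every collected event rather than by a separate timer, which is enough for a model; a production endpoint would use a monotonic clock and ship the audit entries to the centralized audit point the abstract describes.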
Specification