Intelligent remediation of security-related events
Abstract
An information processing system implements an intelligent remediation system for security-related events. The intelligent remediation system comprises a classifier configured to process information characterizing the events in order to generate respective risk scores, and a data store coupled to the classifier and configured to store feedback from one or more users regarding the risk scores. The classifier is configured to utilize the feedback regarding the risk scores to learn riskiness of particular events and to adjust its operation based on the learned riskiness, such that the risk score generated by the classifier for a given one of the events is based at least in part on the feedback received regarding risk scores generated for one or more previous ones of the events. A user interface is provided to allow one or more users to supply the feedback regarding the risk scores.
20 Claims
1. An apparatus comprising:

at least one processing device comprising a processor coupled to a memory and implementing an intelligent remediation system in a security operations center, the intelligent remediation system comprising:

a classifier;

a data store comprising a first set of storage locations for storing information identifying previous events designated as false positives, a second set of storage locations for storing information identifying previous events designated as true positives and a third set of storage locations for storing information identifying new events not yet designated by a user as false positives or true positives; and

a user interface;

wherein the classifier is configured to receive one or more new events from one or more event generators associated with one or more processing platforms of information technology infrastructure associated with the security operations center, the event generators being associated with respective products implemented in the information technology infrastructure and the one or more new events being generated based on rules or other triggers associated with the respective products;

wherein the classifier is configured to process the one or more new events to classify each of the one or more new events as one of a true positive event and a true negative event based at least in part on information stored in the first and second sets of storage locations of the data store;

wherein the classifier is configured to generate a risk score for each of the one or more new events, the risk scores being configured to indicate how dissimilar respective ones of the new events are to previous events designated as false positives in the first set of storage locations of the data store and how similar respective ones of the new events are to previous events designated as true positives in the second set of storage locations of the data store;

wherein the classifier is configured to store the one or more new events and their associated risk scores in the third set of storage locations of the data store;

wherein the user interface is configured to present the one or more new events stored in the third set of storage locations of the data store as an ordered list prioritized by risk score;

wherein the user interface provides feedback controls allowing the user to designate respective ones of the new events stored in the third set of storage locations of the data store as one of:

a true positive event associated with a valid incident considered important by the user;

a non-issue event associated with a valid incident not considered important by the user; and

a false positive event associated with an incident that is not valid;

wherein responsive to designation of a given one of the new events as a false positive using the feedback controls, information identifying the given event is moved from the third set of storage locations in the data store to the first set of storage locations in the data store; and

wherein responsive to designation of the given new event as a true positive using the feedback controls, information identifying the given event is moved from the third set of storage locations in the data store to the second set of storage locations in the data store.

Dependent claims 2 to 18 (not shown).
19. A method comprising:

receiving, at an intelligent remediation system in a security operations center, one or more new events from one or more event generators associated with one or more processing platforms of information technology infrastructure associated with the security operations center, the event generators being associated with respective products implemented in the information technology infrastructure and the one or more new events being generated based on rules or other triggers associated with the respective products;

processing the one or more new events to classify each of the one or more new events as one of a true positive event and a true negative event based at least in part on information stored in a first set of storage locations of a data store and information stored in a second set of storage locations of the data store, wherein the first set of storage locations of the data store comprises information identifying previous events designated as false positives and the second set of storage locations of the data store comprises information identifying previous events designated as true positives;

generating a risk score for each of the one or more new events, the risk scores being configured to indicate how dissimilar respective ones of the new events are to previous events designated as false positives in the first set of storage locations of the data store and how similar respective ones of the new events are to previous events designated as true positives in the second set of storage locations of the data store;

storing the one or more new events and their associated risk scores in a third set of storage locations of the data store, the third set of storage locations of the data store comprising information identifying new events not yet designated by a user as false positives or true positives;

presenting, via a user interface of the intelligent remediation system, the one or more new events stored in the third set of storage locations of the data store as an ordered list prioritized by risk score;

providing, via the user interface, feedback controls allowing the user to designate respective ones of the new events stored in the third set of storage locations of the data store as one of:

a true positive event associated with a valid incident considered important by the user;

a non-issue event associated with a valid incident not considered important by the user; and

a false positive event associated with an incident that is not valid;

responsive to designation of a given one of the new events as a false positive using the feedback controls, moving information identifying the given event from the third set of storage locations in the data store to the first set of storage locations in the data store; and

responsive to designation of the given new event as a true positive using the feedback controls, moving information identifying the given event from the third set of storage locations in the data store to the second set of storage locations in the data store;

wherein the method is performed by at least one processing device comprising a processor coupled to a memory and implementing the intelligent remediation system.
20. A computer program product comprising a non-transitory processor-readable storage medium having encoded therein executable code of one or more software programs, wherein the one or more software programs when executed by at least one processing device implementing an intelligent remediation system of a security operations center cause the intelligent remediation system:

to receive one or more new events from one or more event generators associated with one or more processing platforms of information technology infrastructure associated with the security operations center, the event generators being associated with respective products implemented in the information technology infrastructure and the one or more new events being generated based on rules or other triggers associated with the respective products;

to process the one or more new events to classify each of the one or more new events as one of a true positive event and a true negative event based at least in part on information stored in a first set of storage locations of a data store and information stored in a second set of storage locations of the data store, wherein the first set of storage locations of the data store comprises information identifying previous events designated as false positives and the second set of storage locations of the data store comprises information identifying previous events designated as true positives;

to generate a risk score for each of the one or more new events, the risk scores being configured to indicate how dissimilar respective ones of the new events are to previous events designated as false positives in the first set of storage locations of the data store and how similar respective ones of the new events are to previous events designated as true positives in the second set of storage locations of the data store;

to store the one or more new events and their associated risk scores in a third set of storage locations of the data store, the third set of storage locations of the data store comprising information identifying new events not yet designated by a user as false positives or true positives;

to present, via a user interface, the one or more new events stored in the third set of storage locations of the data store as an ordered list prioritized by risk score;

to provide, via the user interface, feedback controls allowing the user to designate respective ones of the new events stored in the third set of storage locations of the data store as one of:

a true positive event associated with a valid incident considered important by the user;

a non-issue event associated with a valid incident not considered important by the user; and

a false positive event associated with an incident that is not valid;

responsive to designation of a given one of the new events as a false positive using the feedback controls, to move information identifying the given event from the third set of storage locations in the data store to the first set of storage locations in the data store; and

responsive to designation of the given new event as a true positive using the feedback controls, to move information identifying the given event from the third set of storage locations in the data store to the second set of storage locations in the data store.
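The loop that claims 1, 19 and 20 describe (a classifier scoring new events against stored false positives and true positives, a third set holding undesignated events, a queue ordered by risk score, and feedback controls that move an event into the first or second set) is illustrated below by a small added example. It is not code from the patent or its assignee; the Jaccard feature-set similarity, the scoring formula, the 0.5 decision threshold, the handling of "non-issue" designations (kept in a separate set so they do not feed the classifier) and all event data are assumptions constructed for the illustration.

```python
# Added example, not the patent's own code: a minimal model of the claimed
# intelligent remediation loop (classifier, three-part data store, prioritized
# queue and feedback controls). Similarity metric, threshold, non-issue handling
# and sample events are assumptions made for illustration only.
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Event:
    event_id: str
    product: str                # the event generator (product) that raised the event
    features: FrozenSet[str]    # rule name, host, user, ... as "key:value" tokens


def jaccard(a: FrozenSet[str], b: FrozenSet[str]) -> float:
    """Set similarity in [0, 1]; 1.0 means identical feature sets (assumed metric)."""
    if not a or not b:
        return 0.0
    return len(a & b) / len(a | b)


@dataclass
class DataStore:
    false_positives: Dict[str, Event] = field(default_factory=dict)        # first set
    true_positives: Dict[str, Event] = field(default_factory=dict)         # second set
    pending: Dict[str, Tuple[Event, float]] = field(default_factory=dict)  # third set: id -> (event, score)
    non_issues: Dict[str, Event] = field(default_factory=dict)             # assumption: not in the claims


class Classifier:
    def __init__(self, store: DataStore, threshold: float = 0.5):
        self.store = store
        self.threshold = threshold  # assumed cut-off; the claims fix no value

    @staticmethod
    def _max_similarity(ev: Event, pool: Dict[str, Event]) -> float:
        return max((jaccard(ev.features, p.features) for p in pool.values()), default=0.0)

    def risk_score(self, ev: Event) -> float:
        sim_tp = self._max_similarity(ev, self.store.true_positives)
        sim_fp = self._max_similarity(ev, self.store.false_positives)
        # High when similar to known true positives AND dissimilar to known false positives.
        return (sim_tp + (1.0 - sim_fp)) / 2.0

    def classify(self, ev: Event) -> str:
        return "true positive" if self.risk_score(ev) > self.threshold else "true negative"

    def ingest(self, events: List[Event]) -> None:
        """Score each new event and place it in the third (undesignated) set."""
        for ev in events:
            self.store.pending[ev.event_id] = (ev, self.risk_score(ev))


class UserInterface:
    def __init__(self, store: DataStore):
        self.store = store

    def prioritized_list(self) -> List[Tuple[str, float]]:
        """Pending events ordered by risk score, highest first."""
        return sorted(((eid, score) for eid, (_, score) in self.store.pending.items()),
                      key=lambda item: item[1], reverse=True)

    def designate(self, event_id: str, label: str) -> None:
        """Feedback control: move the event out of the pending set per the analyst's label."""
        ev, _ = self.store.pending.pop(event_id)
        if label == "false positive":
            self.store.false_positives[event_id] = ev
        elif label == "true positive":
            self.store.true_positives[event_id] = ev
        elif label == "non issue":
            self.store.non_issues[event_id] = ev
        else:
            raise ValueError(f"unknown designation: {label}")


def build_demo() -> Tuple[DataStore, Classifier, UserInterface]:
    """Seed the store with one known false positive and one known true positive (constructed)."""
    store = DataStore()
    store.false_positives["fp-1"] = Event("fp-1", "vuln-scanner", frozenset(
        {"rule:port_scan", "src:10.0.0.5", "host:scanner01"}))
    store.true_positives["tp-1"] = Event("tp-1", "edr", frozenset(
        {"rule:malware_beacon", "host:ws-17", "dst:198.51.100.7"}))
    return store, Classifier(store), UserInterface(store)


# Constructed sample of new events arriving from the event generators.
NEW_EVENTS = [
    Event("e1", "ids", frozenset({"rule:port_scan", "src:10.0.0.5", "host:scanner01"})),
    Event("e2", "edr", frozenset({"rule:malware_beacon", "host:ws-22", "dst:198.51.100.7"})),
    Event("e3", "auth", frozenset({"rule:failed_login", "user:alice", "host:ws-03"})),
]

if __name__ == "__main__":
    store, clf, ui = build_demo()
    clf.ingest(NEW_EVENTS)
    for eid, score in ui.prioritized_list():
        print(f"{eid}: risk={score:.3f} ({clf.classify(store.pending[eid][0])})")
    ui.designate("e2", "true positive")
    ui.designate("e1", "false positive")
    follow_up = Event("e4", "edr", frozenset(
        {"rule:malware_beacon", "host:ws-22", "dst:198.51.100.7", "proc:svchost.exe"}))
    print(f"e4 after feedback: risk={clf.risk_score(follow_up):.3f}")
```

Running the script ranks e2 (a beacon resembling the stored true positive) above e3 (nothing similar on file) and e1 (identical to the stored false positive). The point of the feedback controls shows in the last line: once e2 is designated a true positive, a follow-up beacon on the same host scores higher than it did before the designation, because the second set now contains a closer match.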