Techniques for sharing network security event information
First Claim
1. An apparatus comprising:
at least one computer;
a database representing groups, the database identifying respective clients that are members of each group;
instructions stored on a non-transitory, machine-readable media that when executed cause the at least one computer to:
receive data from a network of a first client via a wide area network, the data received from the network including an operand and a first hash;
process the operand iteratively using different cryptographic keys to produce respective second hashes;
identify a match between one of the second hashes and the first hash;
identify one of the groups based at least on the match identified between the one of the second hashes and the first hash;
identify a second client that is a member of the identified group;
query security event data associated with a network of the second client that is a member of the identified group, to detect a correlation with the data from the network of the first client;
responsive to results of the query, identify a threat level associated with the data from the network of the first client; and
report the identified threat level to the first client via the wide area network.
4 Assignments
0 Petitions
Abstract
This disclosure provides an architecture for sharing information between network security administrators. Events converted to a normalized data format (CCF) are stored in a manner that can be queried by a third party (e.g., an administrator of another, trusted network). Optionally made available as a service, stored event records can be sanitized for third party queries (e.g., by clients of a service maintaining such a repository). In one embodiment, each contributing network encrypts or signs its (sanitized) records using a symmetric key architecture, the key being unique to the contributing network. This key is used (e.g., by the repository) to index a set of permissions or conditions of the contributing network in servicing any query, e.g., by matching a stored hash of the event record or by decrypting the record. The information sharing service can optionally be provided by a hosted information security service or on a peer-to-peer basis.
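The abstract and claim 1 describe a repository that does not know which contributing network sent a record; it recovers that by re-computing a keyed hash of the operand under every client key until one matches, uses the match to select the client's group, and then queries only that group's other members for correlated events. The following is an added illustration of that flow, not code from the patent or its assignee. The HMAC-SHA256 construction, the scoring rule, and all keys, client names, group names and event records are constructed assumptions for the example.

```python
"""Added example (not from the patent): a toy event-sharing repository that
identifies the submitting client by keyed-hash matching, scopes its query to
the matched group, and reports a threat level. All data is constructed."""
import hashlib
import hmac

# Constructed per-client symmetric keys (assumed provisioned out of band).
CLIENT_KEYS = {
    "acme": b"acme-secret-key",
    "globex": b"globex-secret-key",
    "initech": b"initech-secret-key",
}

# Constructed group membership: each group is a trusted sharing circle.
GROUPS = {
    "finance-isac": ["acme", "globex"],
    "manufacturing": ["initech"],
    "cross-sector": ["acme", "initech"],
}

# Constructed sanitized event records per client, in a normalized shape:
# a shared indicator (here a source IP) plus an event type.
EVENT_STORE = {
    "acme": [{"indicator": "203.0.113.7", "type": "ssh_bruteforce"}],
    "globex": [{"indicator": "203.0.113.7", "type": "ssh_bruteforce"},
               {"indicator": "198.51.100.9", "type": "port_scan"}],
    "initech": [{"indicator": "203.0.113.7", "type": "malware_callback"}],
}


def keyed_hash(key: bytes, operand: bytes) -> bytes:
    """HMAC-SHA256 of the operand under a per-client key (assumed construction)."""
    return hmac.new(key, operand, hashlib.sha256).digest()


def identify_client(operand: bytes, first_hash: bytes):
    """Iterate over every client key, recomputing the 'second hash' until one
    equals the submitted 'first hash'. compare_digest avoids a timing side
    channel on the comparison; the scan itself is linear in the client count."""
    for client, key in CLIENT_KEYS.items():
        if hmac.compare_digest(keyed_hash(key, operand), first_hash):
            return client
    return None  # no key matched: unknown or tampered submission


def groups_of(client: str):
    return [name for name, members in GROUPS.items() if client in members]


def correlate(first_client: str, indicator: str):
    """Query only the other members of the first client's groups for the same
    indicator, so data never leaks across groups the submitter is not in."""
    hits = []
    for name in groups_of(first_client):
        for member in GROUPS[name]:
            if member == first_client:
                continue
            for event in EVENT_STORE.get(member, []):
                if event["indicator"] == indicator:
                    hits.append((member, event["type"]))
    return hits


def threat_level(hits) -> str:
    """Assumed scoring rule: count distinct peer networks that saw the indicator."""
    peers = len({member for member, _ in hits})
    if peers == 0:
        return "low"
    if peers == 1:
        return "medium"
    return "high"


def client_submit(client: str, indicator: str):
    """What a contributing network sends: the operand and its keyed hash."""
    operand = indicator.encode()
    return operand, keyed_hash(CLIENT_KEYS[client], operand)


def handle_submission(operand: bytes, first_hash: bytes) -> dict:
    """Repository side: authenticate by hash match, correlate, report."""
    client = identify_client(operand, first_hash)
    if client is None:
        return {"status": "rejected", "reason": "no key matched"}
    hits = correlate(client, operand.decode())
    return {"status": "ok", "client": client, "peer_hits": hits,
            "threat_level": threat_level(hits)}


if __name__ == "__main__":
    print(handle_submission(*client_submit("acme", "203.0.113.7")))
```

Because the operand is bound to the submitter's key, a record whose operand was altered in transit no longer matches any key and is rejected rather than attributed to the wrong network; the same key lookup is what selects the permissions and groups the repository consults, so the match also decides whose event data is visible to the query.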
98 Citations
19 Claims
1. An apparatus comprising:
at least one computer;
a database representing groups, the database identifying respective clients that are members of each group;
instructions stored on a non-transitory, machine-readable media that when executed cause the at least one computer to:
receive data from a network of a first client via a wide area network, the data received from the network including an operand and a first hash;
process the operand iteratively using different cryptographic keys to produce respective second hashes;
identify a match between one of the second hashes and the first hash;
identify one of the groups based at least on the match identified between the one of the second hashes and the first hash;
identify a second client that is a member of the identified group;
query security event data associated with a network of the second client that is a member of the identified group, to detect a correlation with the data from the network of the first client;
responsive to results of the query, identify a threat level associated with the data from the network of the first client; and
report the identified threat level to the first client via the wide area network.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9.
10. A method of processing security event data from a first client network, the method comprising causing at least one computer to:
maintain a database representing groups, the database identifying respective clients that are members of each group;
receive data from a network of a first client via a wide area network, the data received from the network of the first client including an operand and a first hash;
process the operand iteratively using different cryptographic keys to produce respective second hashes;
identify a match between one of the second hashes and the first hash;
identify one of the groups based at least on the match identified between the one of the second hashes and the first hash, and identify a second client that is a member of the identified group;
query security event data associated with a network of the second client that is a member of the identified group, to detect a correlation with the data from the network of the first client;
responsive to results of the query, identify a threat level associated with the data from the network of the first client; and
report the identified threat level to the first client via the wide area network.
Dependent claims: 11, 12, 13, 14, 15, 16, 17.
18. A system comprising:
a storage device storing a database of information representing groups, where the groups are respective subsets of a set of clients identified by the database;
a receiver module configured to receive data from a network of a first client via a wide area network, the data received from the network including an operand and a first hash;
an authority module configured to process the operand iteratively using different cryptographic keys to produce respective second hashes, identify a match between one of the second hashes and the first hash, and, responsive to the match, determine that a request in the received data is authorized;
a query module configured to, responsive to the authorized request, access the database to identify one of the groups in dependence on the received data, identify a second client that is a member of the identified group, and query security event data associated with a network of the second client to detect a correlation with the received data;
a threat assessment module configured to, responsive to results of the query, determine a threat level associated with the data from the network of the first client; and
a response module configured to report the threat level to the first client via the wide area network.
Dependent claims: 19.
Specification