Real-time security monitoring using cross-channel event processor
First Claim
1. A computer-implemented method of computer system security monitoring:
- deploying a first event monitoring agent and a second event monitoring agent across an enterprise-wide computing system wherein the first event monitoring agent monitors events occurring at a first event generator accessed by a first device of a first type via a first portal into the enterprise-wide computing system and wherein the second event monitoring agent monitors events occurring at a second event generator accessed by a second device of a second type different from the first type via a second portal into the enterprise-wide computing system;
- connecting the first and second event monitoring agents to an event processing server;
- receiving, at the event processing server, first event information generated by the first event monitoring agent describing a first event that occurred at the first event generator in response to a first communication received from the first device via the first portal;
- receiving, at the event processing server, second event information generated by the second event monitoring agent describing a second event that occurred at the second event generator in response to a second communication received from the second device via the second portal;
- performing, by the event processing server, a security analysis that comprises applying a security policy to the first event information and the second event information and performing a predictive analysis on the first event information and the second event information to obtain a security prediction score that quantifies a likelihood that the first event and the second event correspond to a potential security issue, wherein performing the predictive analysis includes comparing a sequence of the first event, the first event including a transaction amount at least a predetermined percentage over an average amount of a transaction, and the second event, the second event including a transaction amount at least the predetermined percentage over the average amount of a transaction, and a time between the occurrence of the first event and the second event, to one or more event patterns, wherein the security prediction score is based on a similarity of the first event and the second event to the one or more event patterns;
- determining, by the event processing server, that the security prediction score is above a predetermined threshold; and
- executing, by the event processing server, a security response based on the security analysis performed and the determining that the security prediction score is above a predetermined threshold.
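The predictive analysis in claim 1, worked as an added example (not code from the patent): an event processing server correlates events from two agents per account, scores each ordered cross-channel pair against one event pattern (both amounts at least a predetermined percentage over the account average, different device types, short time gap) and reports pairs whose score exceeds the threshold. The percentage, window, weights and sample events are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from itertools import combinations
from statistics import mean

@dataclass(frozen=True)
class Event:
    agent: str         # event monitoring agent that reported the event
    device_type: str   # type of device that reached the event generator
    account: str
    amount: float
    time: datetime

# Constructed stand-ins for the claim's "predetermined" values.
PCT_OVER_AVERAGE = 0.5        # amount must be >= 50% over the account's average
MAX_GAP = timedelta(minutes=15)
THRESHOLD = 0.75

def is_high(ev, hist):
    """True when the amount is at least PCT_OVER_AVERAGE over the account average."""
    return ev.amount >= mean(hist[ev.account]) * (1 + PCT_OVER_AVERAGE)

# One event pattern: (weight, predicate over the time-ordered pair); weights sum to 1.
PATTERN = [
    (0.3, lambda a, b, hist: is_high(a, hist)),
    (0.3, lambda a, b, hist: is_high(b, hist)),
    (0.2, lambda a, b, hist: a.device_type != b.device_type),
    (0.2, lambda a, b, hist: timedelta(0) <= b.time - a.time <= MAX_GAP),
]

def prediction_score(first, second, hist):
    """Similarity of the (first, second) sequence to PATTERN, in [0, 1]."""
    return round(sum(w for w, pred in PATTERN if pred(first, second, hist)), 2)

def analyze(events, hist):
    """Server step: group events per account, score each cross-agent pair in time
    order, return (first, second, score) for pairs above THRESHOLD for the policy
    to act on (the security response itself is policy-specific and not modelled)."""
    by_acct, alerts = {}, []
    for ev in sorted(events, key=lambda e: e.time):
        by_acct.setdefault(ev.account, []).append(ev)
    for evs in by_acct.values():
        for a, b in combinations(evs, 2):
            if a.agent == b.agent:
                continue                       # cross-channel: different agents only
            s = prediction_score(a, b, hist)
            if s > THRESHOLD:
                alerts.append((a, b, s))
    return alerts

# Constructed sample input: account history (average 50.0) and three events.
HISTORY = {"acct-1": [40.0, 55.0, 60.0, 45.0]}
T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE = [
    Event("web-agent", "browser", "acct-1", 90.0, T0),
    Event("mobile-agent", "phone", "acct-1", 120.0, T0 + timedelta(minutes=5)),
    Event("mobile-agent", "phone", "acct-1", 20.0, T0 + timedelta(hours=2)),
]
```

Running `analyze(SAMPLE, HISTORY)` yields one alert, the browser/phone pair five minutes apart, while the later small phone transaction scores only 0.5 against the first event and stays below the threshold.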
Abstract
Aspects described herein provide systems and methods for computer system security monitoring. Multiple event monitoring agents may be deployed across an enterprise-wide computing system such that each event monitoring agent monitors at least one event generator of the enterprise-wide computing system. The event monitoring agents may be connected to an event processing server. The event processing server may receive event information generated by the event monitoring agents that describe events occurring at the event generators. The event processing server may perform a security analysis on at least a portion of the event information received that includes applying a security policy to the event information. The event processing server may execute a security response based on the security analysis performed such as, for example, a response specified in the security policy applied.
14 Claims
8. A system for computer system security monitoring comprising:
- a plurality of event generators operating at an enterprise-wide computing system, the plurality of event generators comprising a first event generator accessed by a first device of a first type via a first portal into the enterprise-wide computing system and a second event generator accessed by a second device of a second type different from the first type via a second portal into the enterprise-wide computing system;
- a first event monitoring agent that monitors events occurring at the first event generator;
- a second event monitoring agent that monitors events occurring at the second event generator; and
- an event processing server in signal communication with the first and second event monitoring agents wherein the event processing server comprises memory storing computer-readable instructions that, when executed, cause the event processing server to:
  - i) receive first event information generated by the first event monitoring agent that describes a first event that occurred at the first event generator,
  - ii) receive second event information generated by the second event monitoring agent that describes a second event that occurred at the second event generator,
  - iii) perform a security analysis that includes applying a security policy to the first event information and the second event information, and performing predictive analysis on the first event information and the second event information to obtain a security prediction score that quantifies a likelihood that the first event and the second event correspond to a potential security issue, wherein the predictive analysis is performed by comparing a sequence of the first event, the first event including a transaction amount at least a predetermined percentage over an average amount of a transaction, and the second event, the second event including a transaction amount at least the predetermined percentage over the average amount of a transaction, and a time between the occurrence of the first event and the second event to one or more event patterns, and wherein the security prediction score is based on similarity of the first event and the second event to the one or more event patterns,
  - iv) determining that the security prediction score is above a predetermined threshold,
  - v) executing a security response based on the security analysis performed and the determining that the security prediction score is above a predetermined threshold.