Systems and methods for providing a security information and event management system in a distributed architecture

US 9,813,449 B1
Filed: 08/12/2013
Issued: 11/07/2017
Est. Priority Date: 08/10/2012
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented distributed security information and event management system (DSIEMS) that manages a computer network comprising a plurality of remote nodes configured to collect and process security event information relating to security events occurring on the computer network and provides for dynamic reconfiguration of functionalities of the plurality of remote nodes, comprising:

the plurality of remote nodes within the computer network for executing software modules for implementing one or more of a plurality of selectively configurable security functionalities related to network security monitoring, each remote node comprising a computing device, wherein each node includes core software comprising at least a software agent, an updater, and a client;

the security functionalities including at least a direct node-to-node communication functionality, a collection functionality for collecting security event information, and a correlation functionality that evaluates security event information and generates alerts;

the software agent of a respective remote node comprising an executable responsive to a configuration file received from a central management system to load plugins for a software module, the plugins comprising one or more dynamic link-libraries (DLLs) that effect aspects of at least one selectively configurable functionality on a remote node;

the updater of the respective remote node comprising an executable associated with the software agent of the respective remote node that enables the software agent to install, uninstall, or update plugins for a software module on the respective remote node;

the client of the respective remote node comprising a DLL that effects connectivity between the respective remote node and the central management system and between the respective remote node and another remote node that are both configured with a functionality for direct node-to-node communication;

the central management system for managing the plurality of remote nodes and security event information relating to security events affecting each respective remote node, for providing a configuration file to respective remote nodes to install, uninstall, or update plugins on the respective remote nodes, and for receiving remote node configuration instructions from a user;

a storage system maintained by the central management system that stores security event information identified at each respective remote node;

a communication link between the plurality of remote nodes and the central management system that enables transmission of information between the plurality of remote nodes and the central management system and between nodes that are configured for direct node-to-node communications, and to communicate commands comprising binaries of a software modules to be installed or updated on the remote nodes and configuration files from the central management system to the remote nodes; and

in response to the user interacting with the central management system to specify a particular configurable functionality for a specified remote node, the central management system generating a command to the specified remote node to implement the specified configurable functionality, the command comprising binaries of the software module to be installed or updated on the specified remote node and a configuration file;

in response to receipt at the specified remote node of the command from the central management system to implement the specified configurable functionality, the software agent at the specified remote node processing the command by processing the configuration file and executing the updater in accordance with the configuration file to install the binaries of the software module to be installed or updated to effect the specified configurable functionality at the specified remote node;

in response to execution of an installed software module at a specified remote node for effecting a collection functionality at the specified remote node, collecting security event information at the specified remote node;

in response to execution of an installed software module at the specified remote node for effecting a correlation functionality at the specified remote node, subscribing to a collection software module at another remote node to obtain security event information from said another remote node via the direct node-to-node communication functionality;

in further response to execution of the installed software module at the specified remote node for effecting the correlation functionality at the specified remote node, processing the security event information received from the collection module at the said another remote node to generate an alert; and

in further response to execution of the installed software module at the specified remote node for effecting the correlation functionality at the specified remote node, generating an alert at the specified remote node and communicating the alert to the central management system.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A Distributed Security Information and Event Management System (DSIEMS) is a scalable, intelligent, security and fraud management platform that proactively collects information from a network'"'"'s computer systems, applications, users, and external intelligence data feeds, and aggregates the information into a centralized repository where the information can then be analyzed and quickly acted upon when necessary. Further, according to one aspect, a DSIEMS analyzes aggregated information to discern patterns of potential attack, inappropriate data movement, and fraud from normal and legitimate network activity, account activity, user activity, and data access. According to one embodiment, aspects of the present disclosure are implemented in a distributed architecture. In particular, aspects of the present DSIEMS utilize an agent-based architecture in which intelligent software agents are deployed on each node (e.g., endpoint computing device) within the system.

43 Citations

View as Search Results

12 Claims

1. A computer-implemented distributed security information and event management system (DSIEMS) that manages a computer network comprising a plurality of remote nodes configured to collect and process security event information relating to security events occurring on the computer network and provides for dynamic reconfiguration of functionalities of the plurality of remote nodes, comprising:
- the plurality of remote nodes within the computer network for executing software modules for implementing one or more of a plurality of selectively configurable security functionalities related to network security monitoring, each remote node comprising a computing device, wherein each node includes core software comprising at least a software agent, an updater, and a client;
  
  the security functionalities including at least a direct node-to-node communication functionality, a collection functionality for collecting security event information, and a correlation functionality that evaluates security event information and generates alerts;
  
  the software agent of a respective remote node comprising an executable responsive to a configuration file received from a central management system to load plugins for a software module, the plugins comprising one or more dynamic link-libraries (DLLs) that effect aspects of at least one selectively configurable functionality on a remote node;
  
  the updater of the respective remote node comprising an executable associated with the software agent of the respective remote node that enables the software agent to install, uninstall, or update plugins for a software module on the respective remote node;
  
  the client of the respective remote node comprising a DLL that effects connectivity between the respective remote node and the central management system and between the respective remote node and another remote node that are both configured with a functionality for direct node-to-node communication;
  
  the central management system for managing the plurality of remote nodes and security event information relating to security events affecting each respective remote node, for providing a configuration file to respective remote nodes to install, uninstall, or update plugins on the respective remote nodes, and for receiving remote node configuration instructions from a user;
  
  a storage system maintained by the central management system that stores security event information identified at each respective remote node;
  
  a communication link between the plurality of remote nodes and the central management system that enables transmission of information between the plurality of remote nodes and the central management system and between nodes that are configured for direct node-to-node communications, and to communicate commands comprising binaries of a software modules to be installed or updated on the remote nodes and configuration files from the central management system to the remote nodes; and
  
  in response to the user interacting with the central management system to specify a particular configurable functionality for a specified remote node, the central management system generating a command to the specified remote node to implement the specified configurable functionality, the command comprising binaries of the software module to be installed or updated on the specified remote node and a configuration file;
  
  in response to receipt at the specified remote node of the command from the central management system to implement the specified configurable functionality, the software agent at the specified remote node processing the command by processing the configuration file and executing the updater in accordance with the configuration file to install the binaries of the software module to be installed or updated to effect the specified configurable functionality at the specified remote node;
  
  in response to execution of an installed software module at a specified remote node for effecting a collection functionality at the specified remote node, collecting security event information at the specified remote node;
  
  in response to execution of an installed software module at the specified remote node for effecting a correlation functionality at the specified remote node, subscribing to a collection software module at another remote node to obtain security event information from said another remote node via the direct node-to-node communication functionality;
  
  in further response to execution of the installed software module at the specified remote node for effecting the correlation functionality at the specified remote node, processing the security event information received from the collection module at the said another remote node to generate an alert; and
  
  in further response to execution of the installed software module at the specified remote node for effecting the correlation functionality at the specified remote node, generating an alert at the specified remote node and communicating the alert to the central management system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The computer-implemented system of claim 1, wherein the central management system further comprises:
    - (i) an authentication module that performs authentication of the plurality of remote nodes within the computer network; and
      
      (ii) a communication module that handles communications between the plurality of remote nodes and the authentication module.
  - 3. The computer-implemented system of claim 1, further comprising an agent management system that manages a library of plugins for the DSIEMS and effectuates deployment of plugins to the software agents installed on the plurality of remote nodes.
  - 4. The computer-implemented system of claim 3, wherein the agent management system is managed by the central management system.
  - 5. The computer-implemented system of claim 1, wherein one or more of the plurality of remote nodes further comprises a scheduler, wherein the scheduler transmits scheduled commands to software modules maintained within the agent management system that relate to the respective remote node on which the scheduler is installed.
  - 6. The computer-implemented system of claim 1, wherein the plurality of selectively configurable security functionalities for software plugins on the remote nodes is selected from a group comprising but not limited to:
    - data processing, probes, correlation, incident remediation, collection, data storage, communication including direct node-to-node and node-to-central management system, logging, ciphering, XML parsing, authentication, sending/receiving commands, security information functions, event management, fraud management.
  - 7. The computer-implemented system of claim 1, wherein the direct node-to-node communication functionality is effected by a software module installed on one remote node that is able to communicate directly with a software module on another remote node and not necessarily routed through the central management system.
  - 8. The computer-implemented system of claim 1, wherein a correlation module on one remote node receives log messages from one or more collection modules on a plurality of other remote nodes by direct node-to-node communication.
  - 9. The computer-implemented system of claim 8, wherein the correlation module on one remote node transmits a collection subscription command to an agent coordination module at the central management system, wherein the agent coordination module determines connection information relating to the correlation module, wherein the agent coordination module transmits the connection information relating to the correlation module to an authentication module, which then transmits the connection information to the collection modules of the remote nodes connected to the network, whereby the correlation module is thereby able to receive log data from the collection modules.
  - 10. The computer-implemented system of claim 1, further comprising an authentication module associated with the central management system for receiving a request for configuration from a software module at the respective remote node and for communicating a configuration file to the respective remote node in response to a determination that the request from the respective remote node is a configuration request.
  - 11. The computer-implemented system of claim 10, further comprising an agent coordination module associated with the central management system for receiving a configuration request from the authentication module, for determining a proper configuration for the respective remote node that provided the configuration request to the authentication module, retrieving data corresponding to the proper configuration for the requesting respective remote node, and for communicating a configuration file corresponding to the proper configuration for the respective remote node to the authentication module for communication to the requesting respective remote node.
  - 12. The computer-implemented system of claim 10, wherein the software module at the respective remote node provides a configuration request to the authentication module at the central management system upon connection to the DSIEMS for the first time.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Grupo S 21 Sec Gestion, S.A. (Thales SA)
Original Assignee
Lookwise SL
Inventors
Buenechea, Igor Unanue, Martinez, Victor Jurado
Primary Examiner(s)
Shiferaw, Eleni
Assistant Examiner(s)
Elmore, Gregory M

Application Number

US13/964,809
Time in Patent Office

1,548 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/10   Protecting distributed prog...

G06F 21/552   involving long-term monitor...

H04L 41/00   Arrangements for maintenanc...

H04L 41/046   comprising network manageme...

H04L 41/0631   using root cause analysis; ...

H04L 43/12   Network monitoring probes

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/145   the attack involving the pr...

H04L 63/20   for managing network securi...

H04L 67/10   in which an application is ...

H04L 67/34   involving the movement of s...

Systems and methods for providing a security information and event management system in a distributed architecture

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

43 Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for providing a security information and event management system in a distributed architecture

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

43 Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links