Systems and methods for providing a security information and event management system in a distributed architecture
First Claim
1. A computer-implemented distributed security information and event management system (DSIEMS) that manages a computer network comprising a plurality of remote nodes configured to collect and process security event information relating to security events occurring on the computer network and provides for dynamic reconfiguration of functionalities of the plurality of remote nodes, comprising:
the plurality of remote nodes within the computer network for executing software modules for implementing one or more of a plurality of selectively configurable security functionalities related to network security monitoring, each remote node comprising a computing device, wherein each node includes core software comprising at least a software agent, an updater, and a client;
the security functionalities including at least a direct node-to-node communication functionality, a collection functionality for collecting security event information, and a correlation functionality that evaluates security event information and generates alerts;
the software agent of a respective remote node comprising an executable responsive to a configuration file received from a central management system to load plugins for a software module, the plugins comprising one or more dynamic link-libraries (DLLs) that effect aspects of at least one selectively configurable functionality on a remote node;
the updater of the respective remote node comprising an executable associated with the software agent of the respective remote node that enables the software agent to install, uninstall, or update plugins for a software module on the respective remote node;
the client of the respective remote node comprising a DLL that effects connectivity between the respective remote node and the central management system and between the respective remote node and another remote node that are both configured with a functionality for direct node-to-node communication;
the central management system for managing the plurality of remote nodes and security event information relating to security events affecting each respective remote node, for providing a configuration file to respective remote nodes to install, uninstall, or update plugins on the respective remote nodes, and for receiving remote node configuration instructions from a user;
a storage system maintained by the central management system that stores security event information identified at each respective remote node;
a communication link between the plurality of remote nodes and the central management system that enables transmission of information between the plurality of remote nodes and the central management system and between nodes that are configured for direct node-to-node communications, and to communicate commands comprising binaries of software modules to be installed or updated on the remote nodes and configuration files from the central management system to the remote nodes; and
in response to the user interacting with the central management system to specify a particular configurable functionality for a specified remote node, the central management system generating a command to the specified remote node to implement the specified configurable functionality, the command comprising binaries of the software module to be installed or updated on the specified remote node and a configuration file;
in response to receipt at the specified remote node of the command from the central management system to implement the specified configurable functionality, the software agent at the specified remote node processing the command by processing the configuration file and executing the updater in accordance with the configuration file to install the binaries of the software module to be installed or updated to effect the specified configurable functionality at the specified remote node;
in response to execution of an installed software module at a specified remote node for effecting a collection functionality at the specified remote node, collecting security event information at the specified remote node;
in response to execution of an installed software module at the specified remote node for effecting a correlation functionality at the specified remote node, subscribing to a collection software module at another remote node to obtain security event information from said another remote node via the direct node-to-node communication functionality;
in further response to execution of the installed software module at the specified remote node for effecting the correlation functionality at the specified remote node, processing the security event information received from the collection module at the said another remote node to generate an alert; and
in further response to execution of the installed software module at the specified remote node for effecting the correlation functionality at the specified remote node, generating an alert at the specified remote node and communicating the alert to the central management system.
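The command-processing and subscription flow recited in claim 1, as an added illustration that is not code from the patent: plugins are Python classes standing in for the claimed DLLs, the configuration file is JSON, and the two nodes talk over an in-memory bus that stands in for the client's node-to-node link. The hash check the updater performs before installing a pushed binary is an assumption added here; the claim does not recite it, but an agent that installs whatever the management channel delivers turns the central management system into a single point of compromise for every node, so it is the check a practitioner would want. The log lines, hostnames and addresses are constructed.

```python
"""Toy model of the claimed agent / updater / client / plugin flow (added
example, not the patent's code).  Plugin 'binaries' are byte strings whose
hash selects a Python class; the integrity check is an assumption, not a
claim element."""
import hashlib
import json
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed stand-ins for the plugin DLL bytes pushed by central management.
COLLECTOR_BIN = b"collector-plugin-v1"
CORRELATOR_BIN = b"correlator-plugin-v1"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

class Central:
    """Central management system: builds commands, stores alerts."""
    def __init__(self):
        self.alerts = []
    def build_command(self, installs):
        # A command = binaries + a config file naming each plugin and its expected hash.
        config = {"install": [{"name": n, "sha256": sha256_hex(b)} for n, b in installs]}
        return {"binaries": {n: b for n, b in installs}, "config": json.dumps(config)}
    def receive_alert(self, node_id, alert):
        self.alerts.append((node_id, alert))

class Client:
    """Connectivity to central and to peer nodes (in-memory registry stands in for the network)."""
    registry = {}
    def __init__(self, agent, central):
        self.agent, self.central = agent, central
        Client.registry[agent.node_id] = self
    def peer(self, node_id):
        return Client.registry[node_id]

class Updater:
    """Installs/uninstalls plugins on the agent's behalf."""
    def __init__(self, agent):
        self.agent = agent
    def install(self, name, binary, expected_sha256):
        digest = sha256_hex(binary)
        if digest != expected_sha256:  # assumption: refuse a binary that does not match the config
            raise ValueError(f"plugin {name}: hash mismatch, refusing to install")
        self.agent.modules[name] = PLUGIN_FACTORIES[digest](self.agent)  # 'load the DLL'
    def uninstall(self, name):
        self.agent.modules.pop(name, None)

class Agent:
    """Per-node agent: processes a command by applying its config file via the updater."""
    def __init__(self, node_id, central):
        self.node_id, self.modules = node_id, {}
        self.client = Client(self, central)
        self.updater = Updater(self)
    def process_command(self, command):
        config = json.loads(command["config"])
        for item in config.get("install", []):
            self.updater.install(item["name"], command["binaries"][item["name"]], item["sha256"])
        for name in config.get("uninstall", []):
            self.updater.uninstall(name)

FAILED_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for \S+ from (\S+)")

class CollectionModule:
    """Collection functionality: parses sshd failures and pushes events to subscribers."""
    def __init__(self, agent):
        self.subscribers = []
    def subscribe(self, callback):
        self.subscribers.append(callback)
    def collect(self, log_line):
        m = FAILED_RE.match(log_line)
        if not m:
            return None
        event = {"type": "auth_failure", "src": m.group(2),
                 "ts": datetime.strptime(m.group(1), "%b %d %H:%M:%S")}
        for cb in self.subscribers:
            cb(event)
        return event

class CorrelationModule:
    """Correlation functionality: N failures from one source within WINDOW seconds -> alert."""
    THRESHOLD, WINDOW = 3, 60
    def __init__(self, agent):
        self.agent, self.recent, self.alerted = agent, defaultdict(deque), set()
    def subscribe_to(self, peer_node_id, module_name="collection"):
        peer = self.agent.client.peer(peer_node_id)          # direct node-to-node link
        peer.agent.modules[module_name].subscribe(self.on_event)
    def on_event(self, event):
        q = self.recent[event["src"]]
        q.append(event["ts"])
        while (q[-1] - q[0]).total_seconds() > self.WINDOW:  # slide the window
            q.popleft()
        if len(q) >= self.THRESHOLD and event["src"] not in self.alerted:
            self.alerted.add(event["src"])
            alert = {"rule": "ssh_bruteforce", "src": event["src"], "count": len(q)}
            self.agent.client.central.receive_alert(self.agent.node_id, alert)
            return alert
        return None

PLUGIN_FACTORIES = {sha256_hex(COLLECTOR_BIN): CollectionModule,
                    sha256_hex(CORRELATOR_BIN): CorrelationModule}

SAMPLE_LOG = [  # constructed sample lines
    "Jan 10 10:00:01 web1 sshd[411]: Failed password for root from 10.0.0.5 port 51000 ssh2",
    "Jan 10 10:00:03 web1 sshd[412]: Accepted password for alice from 10.0.0.9 port 51001 ssh2",
    "Jan 10 10:00:07 web1 sshd[413]: Failed password for root from 10.0.0.5 port 51002 ssh2",
    "Jan 10 10:00:15 web1 sshd[414]: Failed password for admin from 10.0.0.5 port 51003 ssh2",
    "Jan 10 10:00:20 web1 sshd[415]: Failed password for root from 10.0.0.7 port 51004 ssh2",
]

def run_demo(tamper=False):
    """Deploy collection on web1 and correlation on soc1, then replay the sample log."""
    central = Central()
    web1, soc1 = Agent("web1", central), Agent("soc1", central)
    web1.process_command(central.build_command([("collection", COLLECTOR_BIN)]))
    cmd = central.build_command([("correlation", CORRELATOR_BIN)])
    if tamper:  # binary altered in transit: the config's hash no longer matches
        cmd["binaries"]["correlation"] = CORRELATOR_BIN + b"\x90"
    soc1.process_command(cmd)
    soc1.modules["correlation"].subscribe_to("web1")
    for line in SAMPLE_LOG:
        web1.modules["collection"].collect(line)
    return central.alerts

if __name__ == "__main__":
    print(run_demo())
```

Running it yields one alert for 10.0.0.5 (three failures within 14 seconds) delivered from soc1 to central, while 10.0.0.7 stays below the threshold; with `tamper=True` the updater refuses the modified plugin before anything is loaded.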
4 Assignments
0 Petitions
Abstract
A Distributed Security Information and Event Management System (DSIEMS) is a scalable, intelligent, security and fraud management platform that proactively collects information from a network's computer systems, applications, users, and external intelligence data feeds, and aggregates the information into a centralized repository where the information can then be analyzed and quickly acted upon when necessary. Further, according to one aspect, a DSIEMS analyzes aggregated information to discern patterns of potential attack, inappropriate data movement, and fraud from normal and legitimate network activity, account activity, user activity, and data access. According to one embodiment, aspects of the present disclosure are implemented in a distributed architecture. In particular, aspects of the present DSIEMS utilize an agent-based architecture in which intelligent software agents are deployed on each node (e.g., endpoint computing device) within the system.
12 Claims
Claim 1 is reproduced in full under First Claim above. Claims 2 through 12 are dependent claims.