Method and system for gathering and contextualizing multiple events to identify potential security incidents
First Claim
1. A method of gathering and contextualizing multiple security events in a fault-tolerant server, comprising:
collecting a plurality of event logs generated by a plurality of disparate and unrelated event-generation components associated with the fault-tolerant server;
scanning a plurality of data items from the plurality of event logs within the fault-tolerant server and retrieving a plurality of platform-specific data related to the plurality of data items, the platform-specific data comprising user actions and attributes of one or more users and data items other than security events logged by a log generation application or agent running within the fault-tolerant server;
aggregating the plurality of event logs and the plurality of platform-specific data into a plurality of unassociated events data;
routing the plurality of unassociated events data to a security context engine;
contextualizing, by the security context engine, the plurality of unassociated events data to identify a previously unidentified incident pattern in real-time, generating threat assessment rules based on a security context, wherein contextualizing comprises:
parsing the plurality of unassociated events data in real-time to categorize information included within the plurality of unassociated events data into different category types to generate contextualized events data, and sending the contextualized events data to a database; and
applying, by an event profiler, a security context map in real-time to the contextualized events data to identify a security incident and sending the identified security incident to an analysis engine, wherein the security context map identifies relationships between one or more category types and a weighting factor for the one or more category types, wherein the security context map includes a set of relationships between security events data and platform-specific data comprising user actions and events other than security events logged by a log generation application or agent running within the fault-tolerant server;
evaluating, by the analysis engine, the identified security incident against one or more of the threat assessment rules in the database, by:
identifying the one or more threat assessment rules associated with the fault-tolerant server; and
comparing the identified security incident against each of the one or more threat assessment rules; and
generating a security notification if at least one of the one or more of the threat assessment rules indicates a security threat, based on the identified security incident.
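The claim above describes a pipeline: collect logs from unrelated components, enrich them with platform-specific data (user attributes rather than security events), categorize each event, correlate the categories through a weighted security context map, and evaluate the resulting incident against threat assessment rules. The following is an added example written for this page; it is not code from the patent or its assignee. The log lines, user attributes, category names, map weights, threshold and rules are all constructed, and the function names are assumptions chosen to mirror the claim's stages.

```python
"""Illustration of the claimed stages: collect, enrich, categorize, apply a
weighted security context map, evaluate against rules, notify.
Every input value below is constructed for the example."""
from collections import defaultdict

# Constructed event logs from three unrelated components on one server.
AUTH_LOG = [
    {"ts": 100, "src": "sshd", "user": "u42", "msg": "Failed password"},
    {"ts": 101, "src": "sshd", "user": "u42", "msg": "Failed password"},
    {"ts": 103, "src": "sshd", "user": "u42", "msg": "Accepted password"},
]
PRIV_LOG = [{"ts": 104, "src": "sudo", "user": "u42", "msg": "COMMAND=/bin/bash"}]
FILE_LOG = [{"ts": 105, "src": "audit", "user": "u42", "msg": "open /etc/shadow"},
            {"ts": 106, "src": "audit", "user": "u07", "msg": "open /home/u07/notes"}]

# Constructed platform-specific data: user attributes, not security events.
USER_ATTRS = {"u42": {"role": "contractor", "after_hours": True},
              "u07": {"role": "admin", "after_hours": False}}

def collect_and_aggregate(logs, attrs):
    """Merge the disparate logs with platform data into unassociated events."""
    events = []
    for log in logs:
        for e in log:
            events.append({**e, "attrs": attrs.get(e["user"], {})})
    return sorted(events, key=lambda e: e["ts"])

def categorize(event):
    """Security context engine: parse one event into a category type."""
    msg = event["msg"]
    if event["src"] == "sshd":
        return "auth_failure" if "Failed" in msg else "auth_success"
    if event["src"] == "sudo":
        return "priv_escalation"
    if event["src"] == "audit" and "/etc/shadow" in msg:
        return "sensitive_access"
    return "benign_access"

def contextualize(events):
    return [{**e, "category": categorize(e)} for e in events]

# Security context map: each relationship pairs a category type with a later
# category type or with a platform attribute, and carries a weighting factor.
CONTEXT_MAP = {
    ("auth_failure", "auth_success"): 0.3,          # failures followed by success
    ("auth_success", "priv_escalation"): 0.3,
    ("priv_escalation", "sensitive_access"): 0.4,
    ("sensitive_access", "role=contractor"): 0.5,   # category vs platform data
    ("sensitive_access", "after_hours=True"): 0.2,
}
INCIDENT_THRESHOLD = 1.0

def ordered(cats, a, b):
    """True if category a appears before some later occurrence of category b."""
    first_a = cats.index(a)
    return b in cats[first_a + 1:]

def profile(contextualized, context_map=CONTEXT_MAP, threshold=INCIDENT_THRESHOLD):
    """Event profiler: score each user's event chain against the context map."""
    by_user = defaultdict(list)
    for e in contextualized:
        by_user[e["user"]].append(e)
    incidents = []
    for user, evs in by_user.items():
        cats = [e["category"] for e in evs]
        attrs = {f"{k}={v}" for e in evs for k, v in e["attrs"].items()}
        score, matched = 0.0, []
        for (a, b), w in context_map.items():
            if a in cats and ((b in cats and ordered(cats, a, b)) or b in attrs):
                score += w
                matched.append((a, b))
        if score >= threshold:
            incidents.append({"user": user, "score": round(score, 2), "matched": matched})
    return incidents

# Threat assessment rules: name plus a predicate over an identified incident.
RULES = [
    ("contractor-reaches-credentials",
     lambda inc: ("sensitive_access", "role=contractor") in inc["matched"]),
    ("full-chain-score", lambda inc: inc["score"] >= 1.5),
]

def analyze(incidents, rules=RULES):
    """Analysis engine: emit a notification for incidents matching any rule."""
    notifications = []
    for inc in incidents:
        hits = [name for name, pred in rules if pred(inc)]
        if hits:
            notifications.append({"user": inc["user"], "rules": hits, "score": inc["score"]})
    return notifications

def run_pipeline():
    events = collect_and_aggregate([AUTH_LOG, PRIV_LOG, FILE_LOG], USER_ATTRS)
    return analyze(profile(contextualize(events)))

if __name__ == "__main__":
    for n in run_pipeline():
        print(n)
```

The point the claim makes, and the example reproduces, is that no single log line here is alarming on its own: the failed logins, the sudo and the file open come from three unrelated sources, and the weighting only crosses the threshold because the map ties those categories to each other and to a platform attribute (the user's contractor role) that no security log carries.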
Abstract
A method and system for aggregating and correlating disparate and unrelated events to enable faster security event detection. A plurality of event logs generated by a number of disparate, unrelated, independent components of a fault-tolerant server and platform-specific data are contextualized through the use of a security context map, enabling unrelated events to be correlated to identify security incidents indicative of security threats. User- or system-generated rules may then be applied to the contextualized data to enable more sophisticated security breach identification.
25 Citations
15 Claims
Specification