System and method for managing security events on a network

US 7,921,459 B2
Filed: 04/27/2001
Issued: 04/05/2011
Est. Priority Date: 04/28/2000
Status: Expired due to Fees

First Claim

Patent Images

1. A method for gathering security event data and rendering result data in a manageable format, the method comprising the steps of:

a plurality of security devices generating security event data comprising a plurality of alerts in response to detecting a security event in a distributed computing environment, the security devices being logically coupled to a computer having a display;

the computer presenting a user interface via the display for configuring an event data report that identifies a portion of the security event data;

the computer receiving a selection via the user interface of one or more user-configurable variables operable for filtering the security event data, the user-configurable variables comprising at least one of a location of a security event, a source of a security event, and a destination address of a security event;

the computer collecting the security event data generated by the plurality of security devices;

the computer filtering the collected security event data using the one or more user-configurable variables to produce result data for the event data report, the filtering comprising passing collected security event data that matches the user-configurable variables as result data while blocking collected security event data that does not match the user-configurable variables from the result data;

the computer transmitting the result data to one or more clients; and

the one or more clients displaying the event data report comprising the result data.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer-implemented system for managing security event data collected from a computing network. The system employs an event managing software module that can reside on a computing network that is being monitored with security devices. The event managing software collects security event data from security devices located in the monitored computing network and can process the security event data. In processing the security event data, the event manager module can format the data and create manageable summaries of the data. The event manager also supports storage of the security event data and the results of any processing performed on the data. Security event data can be identified by the event manager for use in responding to a security event.

347 Citations

25 Claims

1. A method for gathering security event data and rendering result data in a manageable format, the method comprising the steps of:
- a plurality of security devices generating security event data comprising a plurality of alerts in response to detecting a security event in a distributed computing environment, the security devices being logically coupled to a computer having a display;
  
  the computer presenting a user interface via the display for configuring an event data report that identifies a portion of the security event data;
  
  the computer receiving a selection via the user interface of one or more user-configurable variables operable for filtering the security event data, the user-configurable variables comprising at least one of a location of a security event, a source of a security event, and a destination address of a security event;
  
  the computer collecting the security event data generated by the plurality of security devices;
  
  the computer filtering the collected security event data using the one or more user-configurable variables to produce result data for the event data report, the filtering comprising passing collected security event data that matches the user-configurable variables as result data while blocking collected security event data that does not match the user-configurable variables from the result data;
  
  the computer transmitting the result data to one or more clients; and
  
  the one or more clients displaying the event data report comprising the result data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein collecting the security event data comprisesa sensor generating security event data;
    - the sensor sending the security event data to a collector coupled to the computer; and
      
      the computer converting the event data to a common format.
  - 3. The method of claim 1, further comprising the computer searching the collected security event data for additional information identifying a security event.
  - 4. The method of claim 1, further comprising the step of the security devices pre-filtering the security event data prior to transmitting the pre-filtered security event data to the computer.
  - 5. The method of claim 1, further comprising the step of performing an analysis on the collected security event data, the analysis comprising at least one of (a) comparing a source address of a first detected security event with a source address of a second detected security event and (b) comparing information associated with each detected security event with information identifying a known vulnerability of the distributed computing environment.
  - 6. The method of claim 1, wherein the user-configurable variables further comprise a network messaging protocol and wherein the computer filtering the collected security event data comprises the computer passing as result data collected security event data resulting from computer network data transmitted using the network messaging protocol while blocking collected security event data resulting from computer network data transmitted using a messaging protocol differing from the network messaging protocol.
  - 7. The method of claim 1, wherein the source of the security event comprises a first division of an organization and the destination address of the security event comprises an address associated with a second division within the organization, and wherein the computer filtering the collected security event data comprises passing as result data collected security event data resulting from computer network traffic originating from a first network node associated with the first division and addressed to a second network associated with the second division.
  - 8. The method of claim 1, wherein the user-configurable variables comprise the source of the security event and the source of the security event comprises a plurality of network addresses and wherein the computer filtering the collected security event data comprises the computer passing as result data the collected security event data originating from a network address that matches one of the plurality of network addresses while blocking collected security event date that does not match any of the plurality of network addresses.

9. A method for managing security event data collected from a plurality of security devices in a distributed computing environment, the method comprising the steps of:
- a plurality of security devices generating security event data in response to detecting a security event in a distributed computing environment, the security event data comprising a plurality of alerts;
  
  the security devices sending the security event data to a computer coupled to a display;
  
  the computer presenting a user interface via the display for configuring an event data report that identifies a portion of the security event data;
  
  the computer receiving a selection via the user interface of one or more user-configurable variables operable for filtering the security event data, the user-configurable variables comprising at least one of a security event type, a priority of a security event, and an identification of a system that detected a security event;
  
  the computer filtering the security event data using the one or more user-configurable variables to produce result data for the event data report, the filtering comprising passing security event data that matches the user-configurable variables as result data while blocking security event data that does not match the user-configurable variables from the result data; and
  
  the computer displaying via the display the event data report and the result data comprising filtered alerts based on the user-configurable variables.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The method of claim 9, further comprising the step of the security devices pre-filtering the security event data prior to transmitting the pre-filtered security event data to the computer.
  - 11. The method of claim 9, comprising the step of the computer searching the security event data for additional information identifying a security event.
  - 12. The method of claim 9, further comprising the step of performing an analysis on the security event data, the analysis comprising at least one of (a) comparing a source address of a first detected security event with a source address of a second detected security event and (b) comparing information associated with each detected security event with information identifying a known vulnerability of the distributed computing environment.
  - 13. The method of claim 9, further comprising the step of the computer converting the security event data into a common format.
  - 14. The method of claim 9, wherein the user-configurable variables further comprise a network messaging protocol and wherein the computer filtering the security event data comprises the computer passing as result data security event data resulting from computer network data transmitted using the network messaging protocol while blocking security event data resulting from computer network data transmitted using a messaging protocol differing from the network messaging protocol.
  - 15. The method of claim 9, wherein the user-configurable variables comprise a security event priority variable and wherein the computer filtering the security event data comprises the computer passing as result data security event data having a priority that matches the security event priority variable while blocking security event data having priority that does not match the security event priority variable.

16. A computer program product for gathering security event data and rendering result data in a manageable format, the computer program product comprising:
- a computer-readable tangible storage device and computer-readable program code stored thereon, the computer-readable program code comprising;
  
  computer-readable program code to receive security event data from a plurality of security devices, the security event data comprising a plurality of alerts in response to detecting a security event in a distributed computing environment;
  
  computer-readable program code to present a user interface via a display for configuring an event data report that identifies a portion of the security event data;
  
  computer-readable program code to receive a selection via the user interface of one or more user-configurable variables operable for filtering the security event data, the user-configurable variables comprising at least one of a location of a security event, a source of a security event, and a destination address of a security event;
  
  computer-readable program code to filter the received security event data using the one or more user-configurable variables to produce result data for the event data report, the filtering comprising passing received security event data that matches the user-configurable variables as result data while blocking received security event data that does not match the user-configurable variables from the result data; and
  
  computer-readable program code to display the event data summary comprising the result data.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The computer program product of claim 16, further comprising computer-readable program code to convert the received security event data into a common format.
  - 18. The computer program product of claim 16, further comprising computer-readable program code, stored on the computer-readable tangible storage device, to search the received security event data for additional information identifying a security event.
  - 19. The computer program product of claim 16, wherein the received security event data comprises data pre-filtered by at least one of the plurality of security devices.
  - 20. The computer program product of claim 16, further comprising computer-readable program code, stored on the computer-readable tangible storage device, to perform an analysis on the received security event data, the analysis comprising at least one of (a) comparing a source address of a first detected security event with a source address of a second detected security event and (b) comparing information associated with each detected security event with information identifying a known vulnerability of the distributed computing network.

21. A computer program product for managing security event data collected from a plurality of security devices in a distributed computing environment, the computer program product comprising:
- a computer-readable tangible storage device and computer-readable program code stored thereon, the computer-readable program code comprising;
  
  computer-readable program code to receive security event data from a plurality of security devices in response to detecting a security event in a distributed computing environment, the security event data comprising a plurality of alerts;
  
  computer-readable program code to present a user interface via a display for configuring an event data report that identifies a portion of the security event data;
  
  computer-readable program code to receive a selection via the user interface of one or more user-configurable variables operable for filtering the security event data, the user-configurable variables comprising at least one of a security event type, a priority of a security event, and an identification of a system that detected a security event;
  
  computer-readable program code to filter the received security event data using the one or more user-configurable variables to produce result data for the event data report, the filtering comprising passing received security event data that matches the user-configurable variables as result data while blocking received security event data that does not match the user-configurable variables from the result data; and
  
  computer-readable program code to display the event data report and the result data comprising filtered alerts based on the selected variables.
- View Dependent Claims (22, 23, 24, 25)
- - 22. The computer program product of claim 21, further comprising computer-readable program code, stored on the computer-readable tangible storage device, to convert the received security event data into a common format.
  - 23. The computer program product of claim 21, further comprising computer-readable program code, stored on the computer-readable tangible storage device, to search the received security event data for additional information identifying a security event.
  - 24. The computer program product of claim 21, wherein the received security event data comprises data pre-filtered by at least one of the plurality of security devices.
  - 25. The computer program product of claim 21, further comprising computer-readable program code, stored on the computer-readable tangible storage device, to perform an analysis on the received security event data, the analysis comprising at least one of (a) comparing a source address of a first detected security event with a source address of a second detected security event and (b) comparing information associated with each detected security event with information identifying a known vulnerability of the distributed computing network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Embar, Sridhar, Kobsa, Christian D., Williams, Bryan Douglas, Nikitaides, Michael George, Di Iorio, Matthew Thaddeus, Houston, Gregory Neil
Primary Examiner(s)
Pich; Ponnoreay

Application Number

US09/844,448
Publication Number

US 20020019945A1
Time in Patent Office

3,630 Days
Field of Search

713/201, 713/152, 709/224, 726/22, 726/26
US Class Current

726/22
CPC Class Codes

H04L 41/0604   using filtering, e.g. reduc...

H04L 41/069   using logs of notifications...

H04L 41/22   comprising specially adapte...

H04L 41/28   Restricting access to netwo...

H04L 43/00   Arrangements for monitoring...

H04L 43/028   by filtering

H04L 43/045   for graphical visualisation...

H04L 43/06   Generation of reports

H04L 43/10   Active monitoring, e.g. hea...

H04L 43/18   Protocol analysers

H04L 63/0281   Proxies

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

System and method for managing security events on a network

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

347 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for managing security events on a network

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

347 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links