Automatic analysis of security related incidents in computer networks
First Claim
1. A security server for responding to security-related incidents in a computer network including a plurality of client computers, the security server comprising:
- an event collection module communicatively coupled to the computer network, an event analysis module operatively coupled to the event collection module, and a solution module operatively coupled to the event analysis module;
- wherein the event collection module is configured to obtain incident-related information that includes event-level information from at least one client computer of the plurality of client computers, the incident-related information being associated with at least a first incident which was detected by that at least one client computer and provided to the event collection module in response to that detection;
- wherein the event analysis module is configured to reconstruct at least one chain of events causally related to the first incident and indicative of a root cause of the first incident based on the incident-related information; and
- wherein the solution module is configured to formulate at least one recommendation for automatic implementation by the at least one client computer, the at least one recommendation being based on the at least one chain of events, and including corrective/preventive action particularized for automatically responding to the first incident.
2 Assignments
0 Petitions
Abstract
Solutions for responding to security-related incidents in a computer network, including a security server, and a client-side arrangement. The security server includes an event collection module communicatively coupled to the computer network, an event analysis module operatively coupled to the event collection module, and a solution module operatively coupled to the event analysis module. The event collection module is configured to obtain incident-related information that includes event-level information from at least one client computer of the plurality of client computers, the incident-related information being associated with at least a first incident which was detected by that at least one client computer and provided to the event collection module in response to that detection. The event analysis module is configured to reconstruct at least one chain of events causally related to the first incident and indicative of a root cause of the first incident based on the incident-related information. The solution module is configured to formulate at least one recommendation for use by the at least one client computer, the at least one recommendation being based on the at least one chain of events, and including corrective/preventive action particularized for responding to the first incident.
128 Citations
22 Claims
1. Independent claim 1, as set out in full under First Claim above. Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14.
15. A machine-implemented method for automatically responding to security-related incidents at a client computer that includes computer hardware operating under program control, the method comprising:
- operating, by the client computer, at least one protection set module that is adapted to protect information stored at the client computer and to detect occurrences of security-related incidents;
- logging, by the client computer, event-level records representing activity of the at least one protection set module;
- detecting, by the at least one protection set module, an incident impacting information security at the client computer, the detecting being performed based on incident detection criteria;
- in response to the detecting of the incident, associating, by the client computer, selected ones of the event-level records with the incident, the associating being performed based on incident associating criteria;
- providing, by the client computer, the selected ones of the event-level records to a remote server to be analyzed;
- receiving, by the client computer, at least one recommendation for corrective action to be automatically carried out at the client computer, the recommendation for corrective action being received from the remote server, and including instructions for resolving the incident;
- automatically executing, by the client computer, the instructions for resolving the incident; and
- receiving, by the client computer, an instruction to update at least one of the incident detection criteria, the incident associating criteria, or a combination thereof, with a new set of respective criteria.
Dependent claims: 16, 17, 18, 19, 20, 21, 22.
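A worked model of the two claimed roles, added here as illustration and not code from the patent or its assignee: the client applies incident detection criteria and incident associating criteria to event-level records and can have those criteria replaced (claim 15); the server reconstructs the causal chain by parent-process links and derives a corrective/preventive recommendation from it (claim 1). The record shape, the criteria keys and every sample value are constructed assumptions.

```python
# Constructed event-level records (hypothetical), in the shape a client's protection module might log.
EVENTS = [
    {"ts": 100, "pid": 10, "ppid": 1, "type": "proc_start", "image": "mailclient.exe"},
    {"ts": 105, "pid": 20, "ppid": 10, "type": "proc_start", "image": "invoice.pdf.exe"},
    {"ts": 106, "pid": 20, "ppid": 10, "type": "net_connect", "dst": "203.0.113.7:443"},
    {"ts": 107, "pid": 30, "ppid": 20, "type": "proc_start", "image": "stage2.exe"},
    {"ts": 108, "pid": 30, "ppid": 20, "type": "file_write", "path": "C:/Users/a/Documents/q.docx"},
    {"ts": 109, "pid": 99, "ppid": 1, "type": "proc_start", "image": "notepad.exe"},   # unrelated
]
# Client-side criteria (hypothetical shape): incident detection criteria and incident associating criteria.
CRITERIA = {"detect": {"type": "file_write", "path_prefix": "C:/Users/a/Documents"},
            "associate": {"window": 30}}  # seconds of history to attach to an incident

def detect_incidents(events, crit=CRITERIA):
    """Client: incident detection criteria, here a write under a protected location."""
    d = crit["detect"]
    return [e for e in events if e["type"] == d["type"] and e.get("path", "").startswith(d["path_prefix"])]

def associate(events, incident, crit=CRITERIA):
    """Client: incident associating criteria, here every record in the window ending at the incident."""
    w = crit["associate"]["window"]
    return sorted((e for e in events if incident["ts"] - w <= e["ts"] <= incident["ts"]), key=lambda e: e["ts"])

def update_criteria(crit, new):
    """Client: replace the detection and/or associating criteria with a server-supplied set."""
    return {**crit, **new}

def reconstruct_chain(records, incident):
    """Server event analysis: follow pid -> ppid links back to the earliest submitted process start."""
    starts = {e["pid"]: e for e in records if e["type"] == "proc_start"}
    lineage, pid = set(), incident["pid"]
    while pid in starts:          # stops where the parent's start is not among the submitted records
        lineage.add(pid)
        pid = starts[pid]["ppid"]
    return [e for e in records if e["pid"] in lineage]   # records are already oldest-first

def formulate_recommendation(chain):
    """Server solution module: corrective/preventive actions particularized to the reconstructed chain."""
    started = [e for e in chain if e["type"] == "proc_start"]
    root = started[0]             # earliest process on the lineage is taken as the root cause
    return {"root_cause": root["image"],
            "terminate_pids": [e["pid"] for e in started[1:]],   # everything the root spawned
            "quarantine": [e["image"] for e in started[1:]],
            "block_dst": [e["dst"] for e in chain if e["type"] == "net_connect"]}

def run(events=EVENTS, crit=CRITERIA):
    """Round trip for the first detected incident: client detect/associate, server analyse/recommend."""
    incident = detect_incidents(events, crit)[0]
    return formulate_recommendation(reconstruct_chain(associate(events, incident, crit), incident))
```

Narrowing the associating window with update_criteria drops the mail client's start record from what the client submits, so the server then attributes the root cause to the attachment process instead; the criteria push in claim 15 therefore directly shapes the server's analysis.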
Specification