The approaches described in this section are approaches that could be pursued, but not necessarily approaches that have been previously conceived or pursued. Therefore, unless otherwise indicated, it should not be assumed that any of the approaches described in this section qualify as prior art merely by virtue of their inclusion in this section.
Many types of organizations today rely on networked systems of computing devices for an increasingly wide variety of business operations. These networked systems often include computing devices ranging from various types of endpoint devices (e.g., desktop computers, workstations, laptop computers, tablet devices, mobile devices, etc.) to network devices and other components (e.g., routers, firewalls, web servers, email servers, etc.). The ever-increasing reliance on these types of systems has made it important to be able to secure the systems against internal and external security threats such as malware, viruses, and network-based attacks.
Endpoint devices, for example, are often highly susceptible to security threats in such computing environments. The task of securing endpoint devices is challenging due in part to a wide variety of endpoint device types and to the wide range of user activities, application activity, and file activity occurring at such devices. Furthermore, a compromised endpoint device in a networked system often poses an immediate threat to the security of other devices on the same network. For example, a malware infection at one endpoint device may cause the device to attempt further spreading the malware or to perform other malicious activity with respect to other devices on the network.
Organizations increasingly rely on security information and event management (SIEM) software, endpoint threat detection and response (ETDR) applications, and other similar applications to monitor endpoint devices and other networked components for potential occurrences of known security threats. However, security threats often are multi-layered (e.g., involving several different types of applications, types of network activity, etc.) and may implicate many separate endpoint and non-endpoint components within a system, and efficiently monitoring and remediating these types of complex security threats remains a challenge.