Security of computer networks, and of the individual computer systems that make up the nodes of such networks, is of particular importance in the corporate environment. Leakage of information stored and processed in a company's computer network could lead to massive losses and liability. Accordingly, significant development efforts in information security are being undertaken.
Security personnel and law enforcement agencies must have the proper means to identify and investigate possible security breaches, and to find and prosecute the malicious actors responsible for those breaches. It is also desirable to prevent similar incidents from being repeated in the future. The investigation of unauthorized acts is carried out in an incident-oriented approach. The essence of this approach is to collect the input data that preceded the incident and that may have played a role in causing it, to sort this data, to analyze it to determine the possible causes of the incident, and to develop solutions that correct the incident and prevent its recurrence. Conducting such an investigation should preferably be prompt and easy to manage.
Systems currently exist which allow for the collection of information about events on users' computers, the selection of events that may have caused harm, and the sending of reports to the security service. However, several issues remain inadequately addressed. One such issue is that existing systems present the data in the form of disparate events, for example, "a virus is found" or "antivirus failure." Such an isolated event, with no indication of the events that preceded it, is of little help in determining the root cause of an incident.
Another problem faced by conventional event monitoring systems is that they do not allow certain events to be singled out from among others for ranking purposes. Such a capability would allow unnecessary information to be removed from the event log while critical events are retained for as long as possible. Experience shows that the proper investigation of certain incidents requires the events of a period of several years (2-3 years) to be analyzed. Without ranking, the investigation of a particular incident would require human experts to review the full volume of data, including records of similar incidents, accumulated over such long periods, which they cannot reasonably be expected to do.
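The following is an added illustration, not part of this document or of any system it describes, of the two capabilities the preceding paragraphs find lacking: ranking events so that routine entries age out of the log sooner than critical ones, and assembling the events that preceded an alert on the same host into one chain instead of presenting "a virus is found" and "antivirus failure" as unrelated entries. The severity scale, the retention windows, the 24-hour correlation window and the sample events are all assumptions constructed for the example.

```python
"""Ranked retention and incident chaining over a small constructed event log."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed severity scale for event kinds (3 = critical ... 0 = routine).
SEVERITY = {
    "virus found": 3,
    "antivirus failure": 3,
    "login failure": 2,
    "login success": 1,
    "file opened": 0,
}

# Assumed retention policy: days an event of each severity is kept.
# Critical events survive for the multi-year span investigations need;
# routine events are dropped after a month so the log stays tractable.
RETENTION_DAYS = {3: 3 * 365, 2: 365, 1: 90, 0: 30}


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    user: str
    kind: str


def severity(event: Event) -> int:
    """Rank an event; kinds not in the table are treated as routine."""
    return SEVERITY.get(event.kind, 0)


def prune(events, now: datetime):
    """Keep only events still inside the retention window for their severity."""
    return [
        e for e in events
        if now - e.ts <= timedelta(days=RETENTION_DAYS[severity(e)])
    ]


def ranked(events):
    """Order events most critical first, and most recent first within a severity."""
    return sorted(events, key=lambda e: (severity(e), e.ts), reverse=True)


def incident_chain(events, anchor: Event, window: timedelta = timedelta(hours=24)):
    """Events on the anchor's host that precede it within `window`, in time order.

    This is the context a single alert lacks: what happened on that machine
    in the hours before the antivirus reported a problem.
    """
    start = anchor.ts - window
    return sorted(
        (e for e in events if e.host == anchor.host and start <= e.ts <= anchor.ts),
        key=lambda e: e.ts,
    )


def describe(chain) -> str:
    """Render a chain as one line per event for a human reader."""
    return "\n".join(
        f"{e.ts:%Y-%m-%d %H:%M} {e.host} {e.user}: {e.kind} (sev {severity(e)})"
        for e in chain
    )


# Constructed sample log; hosts, users and times are invented for the example.
NOW = datetime(2024, 6, 1, 12, 0)
EVENTS = [
    Event(datetime(2023, 4, 1, 8, 0), "ws-17", "alice", "file opened"),      # too old, pruned
    Event(datetime(2023, 11, 15, 18, 20), "ws-17", "alice", "login failure"),  # kept a year
    Event(datetime(2024, 5, 22, 9, 0), "ws-17", "alice", "login success"),
    Event(datetime(2024, 5, 22, 9, 30), "ws-17", "alice", "virus found"),
    Event(datetime(2024, 5, 22, 10, 0), "ws-17", "SYSTEM", "antivirus failure"),
    Event(datetime(2024, 5, 22, 10, 5), "ws-03", "bob", "file opened"),
    Event(datetime(2024, 1, 10, 11, 0), "ws-03", "bob", "file opened"),       # too old, pruned
]

if __name__ == "__main__":
    kept = prune(EVENTS, NOW)
    alert = ranked(kept)[0]            # the most critical, most recent event
    print(describe(incident_chain(kept, alert)))
```

Run stand-alone, the script prunes the two stale routine entries and prints the three-event chain on ws-17 (login, detection, antivirus failure) that an investigator would want to see together rather than as separate reports.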
Another shortcoming is that such systems do not scale to computer networks with a large number of personal computers (PCs): the event records grow into a large unordered data set that a non-specialist cannot analyze at all and that takes a specialist a great deal of time to analyze.
For these and other reasons, there remains a need to meet the challenge of investigating security incidents in a computer network more efficiently and effectively.