1. Field of the Invention
The present invention relates to network security. More specifically, the present invention relates to systems and methods for aggregating and ranking/prioritizing security event and alert data.
2. Background Information
Current state of the art in Security Incident and Event Management (SIEM) and Data Loss Prevention (DLP) solutions typically involves presenting security practitioners with numerous alerts originating from the myriad systems tasked with collecting event or log data throughout an organization's information technology infrastructure.
These alerts are typically triggered based on whether any given event matches the set of predetermined criteria as specified by the practitioner (or the solution vendor). For example, in situations involving systems that detect anomalies, policy violations, signatures, or classifications, a similar rules-based approach determines whether an observation should be presented as an alert, categorized otherwise, or simply ignored.
Thus, all such systems act as a filter or aggregator, mapping a set of lower-level observations onto a smaller set of alerts suitable for inspection by human operators. However, despite existing filter and aggregation capabilities, the sheer number of alerts arriving on a daily basis can be overwhelming to analyze and categorize appropriately.
For example, U.S. Pat. No. 7,571,474 describes a system for receiving alerts from multiple security agents, removing duplicates, and sending the remaining alerts to a centralized location. In the system of U.S. Pat. No. 7,571,474, all the aggregated alerts are indistinguishable in severity: there is no ability to distinguish between, or quantify, high-risk alerts and low-risk alerts, and there is no dramatic reduction from the number of alerts produced by the source agents to the number of alerts in the receiving apparatus.
It is typical for a large organization that processes millions of events daily to produce tens of thousands of alerts daily, an overwhelming amount of information for the human security operators. Specifically, human operators can have difficulty (1) manually processing the large number of alerts produced, (2) determining which alerts are valid indicators of a real problem, and (3) determining which alerts should be investigated first. Consequently, important indicators of compromise become lost or overlooked, leaving organizations at risk. It is therefore desirable to have an aggregation strategy that provides a dramatic, order-of-magnitude reduction in the volume of alerts (e.g., millions of security events to tens of items to investigate). Further, it is desirable to have a ranking/prioritization applied to the items to investigate, to indicate which items are more probable indicators of true threats and should be investigated first by human security operators.
Accordingly, there is a need for systems and methods for the aggregation and ranking/prioritization of security event and alert data.
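As an added illustration of the stages described in this background section (example code written here, not part of the patent text and not the claimed method): constructed sample events pass through a rule-based filter, then the exact-duplicate removal of the prior-art approach, and finally an assumed host-level group-and-rank aggregation. The hosts, rule names and rule weights are assumptions chosen for the example.

```python
"""Rule filter -> duplicate removal -> group-and-rank, on constructed sample events.
Added example only; the scoring scheme is an assumption, not the patent's method."""
from collections import defaultdict

# Constructed sample events: (host, event type, detail). Not real log data.
EVENTS = [
    ("web01", "login_fail", "admin"), ("web01", "login_fail", "admin"),
    ("web01", "login_fail", "admin"), ("web01", "new_service", "svc_x"),
    ("db02", "login_fail", "root"), ("db02", "outbound_conn", "203.0.113.9"),
    ("db02", "outbound_conn", "203.0.113.9"), ("hr03", "usb_copy", "payroll.xlsx"),
    ("web01", "port_scan", "10.0.0.0/24"), ("hr03", "usb_copy", "payroll.xlsx"),
]

# Assumed rule set: event type -> (alert name, weight). Weights are illustrative.
RULES = {
    "login_fail": ("Failed login", 1),
    "new_service": ("Service installed", 3),
    "outbound_conn": ("Outbound connection to unknown host", 4),
    "usb_copy": ("File copied to removable media", 5),
    "port_scan": ("Internal port scan", 2),
}

def match_rules(events):
    """Filter stage: every event matching a rule becomes one alert."""
    return [(h, RULES[t][0], d) for h, t, d in events if t in RULES]

def dedupe(alerts):
    """Prior-art style: drop exact duplicates only; severity stays undistinguished."""
    return list(dict.fromkeys(alerts))

def group_and_rank(alerts):
    """Assumed aggregation: one item to investigate per host, ranked by the sum of
    the weights of its distinct alerts (highest score first, host name as tie-break)."""
    weight = {name: w for name, w in RULES.values()}
    score = defaultdict(int)
    for host, name, _ in dedupe(alerts):   # repeated identical alerts do not add score
        score[host] += weight[name]
    return sorted(score.items(), key=lambda kv: (-kv[1], kv[0]))

if __name__ == "__main__":
    alerts = match_rules(EVENTS)
    items = group_and_rank(alerts)
    print(f"{len(EVENTS)} events -> {len(alerts)} alerts -> "
          f"{len(dedupe(alerts))} after dedup -> {len(items)} ranked items")
    for host, s in items:
        print(f"  {host}: score {s}")
```

Duplicate removal alone leaves 6 of 10 alerts with no severity ordering, while grouping by host yields 3 ranked items, which is the reduction-plus-prioritization gap the section describes.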