1. Field of the Invention
The present invention relates in general to computer systems, and more specifically to managing security events that occur in a computing environment.
2. Description of the Related Art
In today's computing environment, threats to the security of computer systems are increasing both in frequency and in complexity. Such threats can arise not only from outside an organization, but also from within even a trusted computing environment.
Unfortunately, an organization can lose assets, time, and even customers due to threats that successfully breach its computing environment or that exploit flaws in its information infrastructure. Because business assets, personnel, and security products constantly change, accurately observing and assessing activities that may threaten the security of the computing environment presents a constant and expanding challenge.
Certain risks posed by a variety of external events and attackers can be well addressed by firewalls and other conventional devices. However, insider attacks, such as hacking by employees inside a corporation, are not well detected by any firewall. Moreover, some more complex security risks, e.g., those representing a more coordinated threat, are not detected by conventional devices at all.
Furthermore, other types of risks, such as known viruses, can be addressed by application software. For example, various commercially available software applications can provide one or more rules, e.g., as plug-ins, for detecting received files that contain one or more specific viruses.
Consider that the security of an enterprise network conventionally begins with various devices on an organization's network, such as a firewall, a router, an intrusion detection system, a scanner, a bridge, a router switch, and so on. It would not be unusual for a large installation to have more than two thousand devices included in the security of the network, and each device can be configured in accordance with known techniques to send out security events. Analyzing each and every possible security event can present, at times, an overwhelming task.
The result has been a patchwork of security management efforts, typically applied unevenly throughout a computing environment, where the efforts are directed to certain types of computer security events. Moreover, this patchwork can be awkward to utilize. Additionally, security management efforts that are directed toward more subtle or complex types of security breaches tend to be after-the-fact, and hence are frequently not particularly useful for actively preventing efforts to breach security.
The relevant industry has spent what is likely to be millions of dollars looking for a solution. These efforts have not, however, adequately addressed users' needs for computer security. Users are still searching for a solution that provides an adequate system and method for real-time security event management.