1. Field of the Invention
This invention pertains in general to security information/event management (SIM or SIEM) and in particular to accessing a model of a network node (e.g., the node targeted by an event) so that the model data can be used in conjunction with security information/events.
2. Description of the Related Art
The field of security information/event management (SIM or SIEM) is generally concerned with 1) collecting data from networks and networked devices that reflects network activity and/or operation of the devices and 2) analyzing the data to enhance security. For example, the data can be analyzed to identify an attack on the network or a networked device and determine which user or machine is responsible. If the attack is ongoing, a countermeasure can be performed to thwart the attack or mitigate the damage caused by the attack. The data that is collected usually originates in a message (such as an event, alert, or alarm) or an entry in a log file, which is generated by a networked device.
The message or entry usually indicates one or more computer network devices (“network nodes”) that are involved in the network activity. For example, the message or entry might indicate the node to which the activity was directed (the “target node”) and/or the node from which the activity originated (the “source node”). While it is possible to identify and investigate an attack using only the collected data, it is often helpful to have additional information such as information about the indicated network nodes.
Information about a network node, referred to as an “asset model,” can include, for example, the node's Internet Protocol (IP) address, the node's host name, the network to which the node belongs, the node's role within the enterprise, an open port on the node, software installed on the node (e.g., operating system and applications), and known vulnerabilities or weaknesses of the node (called “exposed vulnerabilities”).
Asset models are accessed during security analysis. Security analysis can be performed in either batch mode or in real-time. In batch mode, when security information/events are received, they are stored. Later, the stored security information/events are analyzed. In real-time mode, when security information/events are received, they are analyzed in real-time or near real-time.
In order for security analysis to take place in real-time (or near real-time), the asset models must be accessed in real-time (or near real-time). This is very difficult to achieve, since thousands of events are generated per minute, and each event indicates one or more nodes. For example, an event rate of 5,000 events/second and 4 nodes/event results in 20,000 nodes/second. For each node, its asset model is identified and accessed.
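The per-node lookup this passage describes, as an added Python example that is not part of the patent text: an in-memory asset model store indexed by both IP address and host name (hash maps, so each of the 20,000 lookups per second is constant-time) that attaches the source and target asset models to each event and checks whether the targeted port is actually open on the target node. The AssetModel fields follow the list given above; the store, sample assets and sample events are constructed here and the vulnerability identifier is a placeholder.

```python
# Added example: hash-indexed asset model store for real-time event enrichment.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class AssetModel:
    ip: str
    host_name: str
    network: str
    role: str
    open_ports: List[int]
    software: List[str]
    exposed_vulnerabilities: List[str]  # constructed placeholder IDs, not real advisories


class AssetModelStore:
    """Index asset models by IP and (case-insensitive) host name for O(1) access."""

    def __init__(self, assets: List[AssetModel]) -> None:
        self._by_ip: Dict[str, AssetModel] = {a.ip: a for a in assets}
        self._by_host: Dict[str, AssetModel] = {a.host_name.lower(): a for a in assets}

    def lookup(self, node: str) -> Optional[AssetModel]:
        # Events may name a node by IP or by host name; try both indexes.
        return self._by_ip.get(node) or self._by_host.get(node.lower())


def enrich_event(store: AssetModelStore, event: dict) -> dict:
    """Attach source/target asset models and flag whether the target port is open."""
    src = store.lookup(event["src"])
    dst = store.lookup(event["dst"])
    port_open = dst is not None and event["dport"] in dst.open_ports
    return {**event, "src_asset": src, "dst_asset": dst, "target_port_open": port_open}


# Constructed sample asset models and events (not from the patent).
ASSETS = [
    AssetModel("10.0.0.5", "web01", "dmz", "web server", [80, 443], ["httpd 2.4"], ["VULN-PLACEHOLDER-1"]),
    AssetModel("10.0.0.9", "db01", "internal", "database", [5432], ["postgresql 14"], []),
]
STORE = AssetModelStore(ASSETS)
EVENTS = [
    {"src": "192.0.2.10", "dst": "10.0.0.5", "dport": 443},  # external source hitting open HTTPS port
    {"src": "10.0.0.5", "dst": "db01", "dport": 3306},       # port not open on the target
]


def enrich_all(store: AssetModelStore = STORE, events: List[dict] = EVENTS) -> List[dict]:
    return [enrich_event(store, e) for e in events]
```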
What is needed is a way to access an asset model in an efficient manner so that the asset model can be used in real-time in conjunction with security information/events.