In the prior art, it is common to use a number of different types of devices to monitor enterprises, particularly network enterprises. A firewall device is one example of a device that is used to protect against unauthorized access into intranet and internet-based networks. Other such devices include internal and external routers, internal and external servers, wireless machines such as laptops, intrusion detection systems (IDSs), modems, and the like.
In many instances, these various devices monitor security-related threats and events and produce an output or stream of audit information, i.e., security events or alerts. These streams are received by an information manager, which then normalizes the information and sends the information to a security administrator.
One problem with these systems is that the security administrator is overloaded by the number of security events that are sent from the information manager. FIG. 1 illustrates such a scenario wherein a multitude of events 50 from an enterprise, e.g., security events, are sent to an overworked administrator 51. Even when the events 50 are transformed into neatly organized and normalized data 53, see FIG. 2, the administrator is still overworked with a multitude of modified inputs 55.
Secondly, prior art systems do not effectively link different types of devices together to better ascertain the type and/or source of a security event. For example, a security administrator may receive information about an unauthorized logon to a network both from a firewall device and from a Linux or Windows NT device. The administrator thus gets two inputs for the same event, which complicates the administrator's job of ascertaining the threat.
Consequently, a need exists to improve methods and systems used in the prior art to more effectively communicate alerts that occur within a given enterprise and are deserving of action on the part of an administrator.
The present invention solves this problem by filtering the number of alerts produced by various network devices, while at the same time adding knowledge to the alerts to produce fewer alerts but with more useful information related to each alert.
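The following is an added illustration of the filtering-and-enrichment idea just described; it is not code from the patent or from any product the patent covers. It normalizes a constructed firewall stream and a constructed host log into one schema, merges events from the same source address within a time window into a single alert, adds knowledge (which device types corroborated it, a derived severity), and drops low-severity alerts so the administrator sees fewer inputs. The log formats, device names, field names and severity rule are all assumptions made for this example.

```python
"""Added illustration (not from the patent): normalize events from a
firewall and a host, merge those that describe the same activity, and
emit fewer, enriched alerts. Log formats, device names and field
names are constructed for this example."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample streams: both devices observe the same source
# address probing SSH on one host within a few seconds.
FIREWALL_LOG = [
    "2024-05-01T10:00:01Z fw1 ALLOW src=203.0.113.7 dst=10.0.0.5 dport=22",
    "2024-05-01T10:00:04Z fw1 ALLOW src=203.0.113.7 dst=10.0.0.5 dport=22",
    "2024-05-01T10:05:00Z fw1 ALLOW src=10.0.0.9 dst=10.0.0.5 dport=443",
]
HOST_LOG = [
    "2024-05-01T10:00:03Z host5 sshd: Failed password for root from 203.0.113.7",
    "2024-05-01T10:00:05Z host5 sshd: Failed password for root from 203.0.113.7",
]

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}


@dataclass
class Event:
    """Common schema every device stream is normalized into."""
    time: datetime
    device: str
    device_type: str
    src_ip: str
    category: str
    detail: str


@dataclass
class Alert:
    """One enriched alert standing in for several raw events."""
    src_ip: str
    first_seen: datetime
    last_seen: datetime
    event_count: int
    devices: list
    device_types: list
    categories: list
    severity: str


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def parse_firewall(line):
    # Constructed key=value firewall format: "<ts> <device> <ACTION> k=v ..."
    ts, device, action, *kvs = line.split()
    f = dict(kv.split("=", 1) for kv in kvs)
    return Event(_ts(ts), device, "firewall", f["src"],
                 "fw_" + action.lower(), f"{f['dst']}:{f['dport']}")


def parse_host(line):
    # Constructed sshd-style line; the source address is the last token.
    ts, device, message = line.split(" ", 2)
    return Event(_ts(ts), device, "host", message.rsplit(" ", 1)[1],
                 "logon_failure", message)


def _severity(categories, device_types):
    # Added knowledge (assumed rule): a logon failure reported by more
    # than one kind of device is treated as corroborated.
    if "logon_failure" not in categories:
        return "low"
    return "high" if len(device_types) > 1 else "medium"


def correlate(events, window=timedelta(seconds=60)):
    """Group events by source address within a time window; one Alert per group."""
    groups = []  # each entry: [src_ip, start_time, [events in time order]]
    for e in sorted(events, key=lambda ev: ev.time):
        for g in groups:
            if g[0] == e.src_ip and e.time - g[1] <= window:
                g[2].append(e)
                break
        else:
            groups.append([e.src_ip, e.time, [e]])
    alerts = []
    for src_ip, start, evs in groups:
        device_types = sorted({ev.device_type for ev in evs})
        categories = sorted({ev.category for ev in evs})
        alerts.append(Alert(src_ip, start, evs[-1].time, len(evs),
                            sorted({ev.device for ev in evs}),
                            device_types, categories,
                            _severity(categories, device_types)))
    return alerts


def build_alerts(firewall_lines, host_lines, min_severity="medium"):
    """Normalize both streams, correlate, and drop alerts below min_severity."""
    events = [parse_firewall(l) for l in firewall_lines]
    events += [parse_host(l) for l in host_lines]
    floor = SEVERITY_RANK[min_severity]
    return [a for a in correlate(events)
            if SEVERITY_RANK[a.severity] >= floor]


if __name__ == "__main__":
    for a in build_alerts(FIREWALL_LOG, HOST_LOG):
        print(f"{a.severity.upper()} {a.src_ip}: {a.event_count} events "
              f"from {a.devices} ({', '.join(a.categories)})")
```

With the sample streams, five raw events collapse into one high-severity alert for 203.0.113.7 that names both reporting devices; the lone internal HTTPS connection is rated low and filtered out. The window, the grouping key and the severity rule are the knobs a practitioner would tune; a too-wide window merges unrelated activity, a too-narrow one splits a single event back into several inputs.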