As usage of computers and the Internet has increased exponentially in recent years, computer viruses, data leaks, network outages, and other results of cyber-attacks have become increasingly significant. These results can yield a wide variety of harmful effects, from user inconvenience to significant financial or physical damage. Enterprises often rely on computer systems for daily transactions and to store sensitive or otherwise valuable information. Such systems and information are key targets for malicious cyber activity. The harmful effects are amplified as the size of the target's computer networks and systems increases. To combat cyber-attacks, these organizations deploy cyber security systems for detecting and mitigating potential cyber-attacks.
Due to the vast array of types of cyber-attacks, cyber security systems, and in particular the cyber security systems of large organizations, include increasing numbers of security controls from a multitude of sources for responding to threats. Each of these controls may be focused on a different aspect of an organization's security and may generate a variety of alerts related to potential security threats. To manage potential security threats, solutions for security information and event management (SIEM) have been developed. SIEM solutions attempt to provide real-time analysis of security alerts including, for example, logs of security events representing potentially malicious activity.
Existing SIEM solutions face challenges in utilizing security alert information to aid in the identification and mitigation of ongoing threats. In particular, some existing solutions provide information regarding each generated security alert in a log format. These existing solutions typically produce overly cumbersome amounts of data that must be analyzed manually by cyber security experts, and that data often contains large numbers of false positives. Therefore, security alerts related to true malicious activity may not be given appropriate attention, and security experts may fail to properly address the malicious activity.
To organize the vast amounts of information provided by SIEM systems and the like, some conventional solutions utilize static rules for aggregating data related to security alerts from different security systems and for organizing the aggregated data. Such conventional solutions nevertheless fail to provide truly appropriate responses to ongoing threats because they lack flexibility in organizing the data. Security alerts generated in response to malicious activity that do not meet the requirements of the static rules may be ignored by such systems. Further, such existing solutions are not capable of logically connecting interrelated events. This lack of logical connections may result in data that still includes numerous false positives and does not provide cyber security experts with complete information regarding true security threats.
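The two deficiencies just described, alerts dropped because they match no static rule and interrelated alerts never linked together, can be made concrete with a small comparison. The following is an added example and not part of the original text or of any particular SIEM product: it runs a static-rule aggregator and an entity-based correlator over a handful of constructed alerts. The alert field names (`source`, `type`, `host`, `user`, `ts`), the rule format and the time window are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed sample alerts (not taken from any real system). Each alert
# records the control that raised it, the affected host and user, and a
# timestamp in arbitrary time units.
ALERTS = [
    {"id": 1, "source": "ids",  "type": "port_scan",     "host": "ws-07",  "user": None,    "ts": 100},
    {"id": 2, "source": "edr",  "type": "suspicious_ps", "host": "ws-07",  "user": "alice", "ts": 130},
    {"id": 3, "source": "auth", "type": "failed_login",  "host": "srv-db", "user": "alice", "ts": 160},
    {"id": 4, "source": "dlp",  "type": "bulk_export",   "host": "srv-db", "user": "alice", "ts": 200},
    {"id": 5, "source": "auth", "type": "failed_login",  "host": "ws-12",  "user": "bob",   "ts": 150},
]

# Static rules in the style the text describes: a fixed attribute match
# assigns an alert to a named bucket. Hypothetical rule set.
STATIC_RULES = [
    {"name": "malware_on_host", "match": {"source": "edr"}},
    {"name": "brute_force",     "match": {"source": "auth", "type": "failed_login"}},
]


def aggregate_static(alerts, rules):
    """Bucket each alert under the first static rule whose attributes match.

    Alerts matching no rule are silently left out of every bucket, which is
    the first weakness noted in the text.
    """
    buckets = defaultdict(list)
    for alert in alerts:
        for rule in rules:
            if all(alert.get(k) == v for k, v in rule["match"].items()):
                buckets[rule["name"]].append(alert["id"])
                break
    return dict(buckets)


def dropped_by_static(alerts, rules):
    """Return ids of alerts that no static rule captured."""
    seen = {i for ids in aggregate_static(alerts, rules).values() for i in ids}
    return [a["id"] for a in alerts if a["id"] not in seen]


def correlate_by_entity(alerts, window):
    """Group alerts into incidents by shared entities instead of fixed rules.

    Two alerts are linked if they share a host or a (non-empty) user and
    occur within `window` time units of each other; linking is transitive,
    so connected components of that relation become incidents. This is the
    "logical connection" between interrelated events that the static
    approach lacks.
    """
    parent = {a["id"]: a["id"] for a in alerts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(x, y):
        parent[find(x)] = find(y)

    for i, a in enumerate(alerts):
        for b in alerts[i + 1:]:
            same_host = a["host"] == b["host"]
            same_user = a["user"] is not None and a["user"] == b["user"]
            if (same_host or same_user) and abs(a["ts"] - b["ts"]) <= window:
                union(a["id"], b["id"])

    groups = defaultdict(list)
    for a in alerts:
        groups[find(a["id"])].append(a["id"])
    return sorted(sorted(g) for g in groups.values())


if __name__ == "__main__":
    print("static buckets:", aggregate_static(ALERTS, STATIC_RULES))
    print("dropped by static rules:", dropped_by_static(ALERTS, STATIC_RULES))
    print("entity-correlated incidents:", correlate_by_entity(ALERTS, 100))
```

With the constructed input, the static rules discard the port scan (alert 1) and the bulk export (alert 4) because no rule names them, and they file alice's and bob's failed logins under the same `brute_force` bucket even though nothing else connects the two users. The entity correlator instead chains alerts 1 through 4 into a single incident via the shared host `ws-07`, the shared user `alice` and the shared host `srv-db`, while bob's isolated failed login stays on its own. Narrowing the window (for example to 20 units) breaks every link and yields singletons, which shows that the correlation parameters, not just the rules, determine what an analyst sees.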
It would therefore be advantageous to provide a solution that would overcome the deficiencies of the prior art.