Computer networks are ubiquitous in modern society, and particularly in the modern workplace. Many businesses and other organizations employ computer networks to enable employees and/or other users to access and store information, use computer software applications to perform a task, or communicate with each other, among other uses. Increasingly, such organizations find it necessary or useful to allow users to access at least portions of their computer network remotely. Employees, customers, clients, vendors, suppliers, and others may be allowed to access an organization's computer network for numerous purposes, such as to communicate or obtain information, place or check the status of an order, check on the availability of product, report a complaint, provide a report of a sales call, etc. Local users of computer networks likewise typically are provided access to online resources outside of their organization via the Internet. Also, many network sites are connected to network sites in other physical and/or geographic locations via a wide area network (WAN), a virtual private network (VPN), or similar services.
Many networks contain a mix of public and private information and resources. For example, a company engaged in electronic commerce might maintain web servers for serving web pages to the public, electronic commerce servers for processing online transactions, and other resources accessible by the public via the Internet. Such systems may comprise data and services, such as customer credit card information, that must be protected against unauthorized access. In the enterprise context, a computer network may house and/or provide access to some of an organization's most sensitive and valuable assets.
In general, each network resource that could be accessed by authorized or unauthorized users, with or without physical access to the network site, must be protected against two kinds of harm: compromise of the confidentiality and/or integrity of the data and applications that reside on it, and denial of the resource's availability to those it is intended to serve. The degree of protection required varies with the function the resource performs and the nature of the data and applications that reside on it. For example, while it is not necessary to protect the confidentiality of the public web page content of a web server, it may well be important to protect the integrity of such content (e.g., to protect a company's business reputation or economic opportunities) and the availability of the web server (e.g., to avoid having the web page be inaccessible for viewing).
Point systems have been developed to provide for various aspects of network security. For example, many private networks are protected by one or more firewalls. A firewall is a system interposed between a private network and a public network such as the Internet, which is configured to prevent unauthorized access via the public network to protected resources on the private network. In addition, many network-connected computer systems are protected by anti-virus software designed to protect the system from attack by computer viruses. In the enterprise context, many networks are protected by intrusion detection systems (IDS) and other systems, such as honey pot and deception servers, to protect the network against and monitor for attacks by an unauthorized (typically remote) user, such as a “hacker” or the like. Vulnerability assessment products have been provided to assess network vulnerability to such attacks and provide information about ways to protect against them (e.g., download a security “patch” for a particular piece of software).
The point protection systems described above, and similar products and systems, each may generate security information. In the event of an attack on the security of the network, two or more such point systems may generate large volumes of potentially significant data relating to the attack. To enable network security administrators to coordinate such information, security incident management software has been developed. Such software receives and processes security information from one or more point systems and/or other sources (such as data entered at a user interface) and provides network security personnel with information and/or tools to enable them to respond appropriately. Such information may include an assigned priority for each security incident and one or more recommended responsive actions. However, the typical security incident management software provided to date focuses primarily on actions that can or should be taken after an attack to avoid its recurrence. Such information, while important, does not address the many other phases of an attack and recovery. Moreover, the typical security incident management software provides only a static set of priorities and recommendations, and does not adapt to changes in the information relevant to the attack and/or to actions taken by network security personnel in response to the attack.
Therefore, there is a need for a way to manage network security incidents that takes into consideration all phases of a security incident and that adapts dynamically as information related to the security incident changes, such as when new data about the incident is received and/or when recommended actions have been completed by network security personnel.
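The contrast drawn in the two preceding paragraphs, a static priority assigned once versus one that is recomputed whenever new point-system data arrives or a recommended action is completed, is illustrated below in an added example. It is not code from the patent text or from any product it describes; the severity scale, asset-value weights, phase names and the sample events are constructed assumptions chosen only to make the re-ranking visible.

```python
"""
Dynamic security-incident prioritisation (added illustration; not from the
patent text or any product it describes). Each incident keeps the static
priority a conventional tool would store at creation, and recomputes a
live priority from its current evidence and response progress.
All weights, phase names and event fields below are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed severity scale for events reported by point systems
# (firewall, IDS, anti-virus, vulnerability scanner, analyst entry).
SEVERITY = {"low": 1, "medium": 3, "high": 6, "critical": 10}

# Constructed sequence of response actions; the incident's phase is named
# after the first action that has not yet been completed.
ACTIONS = ["contain", "eradicate", "recover", "close"]


@dataclass
class Event:
    source: str      # reporting point system, e.g. "ids" (constructed)
    severity: str    # key of SEVERITY
    asset: str       # affected host or resource name (constructed)


@dataclass
class Incident:
    incident_id: str
    asset_value: int                     # 1 (public web content) .. 5 (most sensitive)
    events: List[Event] = field(default_factory=list)
    completed_actions: List[str] = field(default_factory=list)
    static_priority: int = 0             # what a static tool would keep forever

    def priority(self) -> int:
        """Live score: worst evidence, weighted by asset value and corroboration,
        reduced as response phases are completed."""
        if not self.events:
            return 0
        worst = max(SEVERITY[e.severity] for e in self.events)
        # Independent point systems agreeing on the incident raises confidence.
        corroboration = len({e.source for e in self.events})
        score = worst * self.asset_value + 2 * (corroboration - 1)
        done = sum(1 for a in ACTIONS if a in self.completed_actions)
        remaining = (len(ACTIONS) - done) / len(ACTIONS)
        return round(score * remaining)

    def phase(self) -> str:
        """Name of the first response action still pending, or 'closed'."""
        for action in ACTIONS:
            if action not in self.completed_actions:
                return action
        return "closed"

    def recommended_actions(self) -> List[str]:
        """Recommendations change with the phase and with the evidence on hand."""
        phase = self.phase()
        if phase == "closed":
            return []
        actions = [phase]
        # Corroborated evidence is worth preserving before eradication alters it.
        if phase == "contain" and len({e.source for e in self.events}) > 1:
            actions.append("preserve_forensic_images")
        return actions

    def add_event(self, event: Event) -> int:
        """New data from a point system; the priority is recomputed at once."""
        self.events.append(event)
        return self.priority()

    def complete_action(self, action: str) -> int:
        """Analyst reports a recommended action done; recompute again."""
        if action not in ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        if action not in self.completed_actions:
            self.completed_actions.append(action)
        return self.priority()


def rank(incidents: List[Incident]) -> List[str]:
    """Analyst work queue ordered by the current (dynamic) priority."""
    return [i.incident_id for i in sorted(incidents, key=lambda i: i.priority(), reverse=True)]


def demo() -> Dict[str, object]:
    """Walk two constructed incidents through new data and a completed action."""
    web = Incident("INC-1", asset_value=1)          # public web server
    web.add_event(Event("ids", "high", "www-1"))
    web.static_priority = web.priority()
    db = Incident("INC-2", asset_value=5)           # card-data database
    db.add_event(Event("firewall", "low", "db-1"))
    db.static_priority = db.priority()
    queue = [web, db]
    out: Dict[str, object] = {"initial": rank(queue)}
    # A second point system reports critical activity on the database host.
    db.add_event(Event("antivirus", "critical", "db-1"))
    out["after_new_data"] = rank(queue)
    out["static_rank"] = [i.incident_id for i in
                          sorted(queue, key=lambda i: i.static_priority, reverse=True)]
    out["db_recommended"] = db.recommended_actions()
    out["db_after_contain"] = db.complete_action("contain")
    out["db_phase"] = db.phase()
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the constructed inputs the static ranking keeps the web-server incident on top even after the anti-virus report, while the live ranking moves the database incident ahead and then lowers its score once containment is reported complete; the recommended actions likewise change from phase to phase rather than being fixed at creation.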