A significant problem facing the Internet community is that online businesses and organizations are vulnerable to malicious attacks. Cyber-attacks have been executed using a wide arsenal of attack techniques and tools targeting both the information maintained by the online businesses and their IT infrastructures. Cyber-attacks typically aim to steal data, disable applications or services, or damage online assets of organizations.
The cyber-attacks attempt to exploit any potential vulnerability in systems and networks of an organization. For example, recently identified cyber-attacks have been executed using a combination of attack techniques at the network and application levels. Attackers use different attack tools to execute different attack techniques. Each such attack tool is designed to exploit weaknesses identified in one of the target's defense layers.
In order to protect their online assets, organizations have deployed a variety of security devices and services (collectively referred to as security devices or a security device). The security devices are selected to protect different segments of the networks and handle different types of cyber-attacks. For example, security devices can be utilized to detect intrusion attempts, malwares, bots, execute denial-of-service (DoS) attacks, HTTP or HTTPS flood attacks, attacks against web applications (e.g., XSS, SQL injection, session hijacking and buffer overflows), and so on.
Each such security device generates a high numbers of events. An event may include, for example, detection of an attack, breach of a security policy, detection of suspected behavior, and so on. Due to the high volume of security events, a security administrator in an organization cannot efficiently process and analyze the generated events. In order to ease the management of security events, security information and event management (SIEM) systems have been introduced. Such systems provide a holistic view of an organization's security device by gathering all events from the different devices and reporting the gathered events through a single interface. A SIEM system does not solve the problems related to the high volume of events to be analyzed, as the analysis and monitoring of events should still be performed by a user (e.g., a security administrator). As a result, only a small percentage of the total number of security events generated by the security devices is analyzed.
This relatively low percentage of analysis is a major drawback, as lack of such analysis often results in a high number of false positives, misdetection of attacks, inability to distinguish between critical and uncritical events, and misused investment of detection resources, and so on. Specifically, the lack of events analysis prevents detection of attacks before they occur or causes harm to protected objects of the organization.
Typically, a cyber-attack spans a sequence of actions which amount to an attack incident. The actions may be associated with different stages of the incident or different targets of the attack within an organization. Each stage or part of the attack may be identified and reported as events by a different security device deployed in the network.
As an example, a DDoS burst attack is a sequence of high traffic volumes communicated in bursts. A sequence of actions would include intermittent bursts of attack traffic and then pauses. As another example, a sequence of actions can begin with information gathering, continue with lateral movement, and end in data exfiltration. As yet another example, an attack can start with application scanning, followed by intrusion attempts, and then a DDoS attack.
Existing solutions include security devices that independently report events upon detection of such actions. However, the security devices cannot identify a pattern of an attack as they are not configured to analyze connections of events across different devices. As noted above, such analysis cannot be performed by an administrator due to the high volume of events. As such, cyber-attacks cannot be detected early or predicted. For example, identification of events related to application scanning that is part of an identified pattern can indicate an in-coming DDoS attack. However, current solutions cannot identify such attack patterns based on events and cannot predict cyber-attacks.
Therefore, it would be advantageous to provide an efficient solution that would cure the deficiencies of existing security solutions.