1. Field of the Invention
The field of the invention relates to computer-implemented methods for determining computer system aspects, especially security threats; to related systems, especially to security operations center systems, and to related computer program products.
2. Technical Background
Many companies' worst nightmare is already lurking inside what was previously thought to be their perimeter: a sophisticated external attacker or a malicious insider. Nowadays, attackers are intelligent and well-funded, and their attacks are increasingly complex and well targeted. The common theme of recent, high-profile breaches is that they were carefully planned and went undetected for some time, with the attackers moving freely inside the victim's information technology (IT) environment. Malicious insiders hold an advantage over a company's primary security tools because those tools are designed to protect against external threats, not against trusted employees. Targeted attacks by humans use a combination of IT vulnerabilities, social engineering and ordinary crime to gain unauthorized access. It follows that the new perimeter, where security effort has to focus, is the users: they, rather than the infrastructure, should be the focus of security measures.
3. Discussion of Related Art
EP1741223(A2) and EP1741223B1 disclose a method, apparatus and computer program for distinguishing relevant network security threats using comparison of refined intrusion detection audits and intelligent security analysis. EP1741223(A2) and EP1741223B1 disclose that an apparatus, a method, and a computer program are provided for distinguishing relevant security threats; that with conventional computer systems, distinguishing reported security threats from actual security threats is a complex and difficult task because of the general inability to quantify a "threat"; that by the use of an intelligent conceptual clustering technique, threats can be accurately distinguished from benign behaviors; and that thus electronic commerce, and Information Technology systems generally, can be made safer without sacrificing efficiency. EP1741223(A2) and EP1741223B1 disclose prior art FIG. 18, in which the reference numeral 300 generally designates a flow chart depicting the method of distinguishing relevant security threats: in step 301, the network intrusion detection devices are audited; in step 302, the network intrusion reports are retrieved; in steps 303, 304, and 305, the network intrusion report and the threat assessment are compared; and in steps 306, 307, and 308, the semantic clustering is refined.
However, a system that focuses on more effective identification of intrusive network security threats may be comparatively ineffective at identifying, for example, malicious behavior by users of user accounts with high access privileges, since such users act within the perimeter using credentials and access rights they legitimately hold.