Computer systems have experienced increased network traffic and evolving threats. In addition, more dynamic devices, including wireless devices such as laptops and handhelds, multi-boot computers, virtual machines, etc., are connecting to the networks of computer systems. Due to these and other issues, the quantity and complexity of data required to monitor networked computer systems have rapidly increased. Much of that data is collected from disparate sources that typically have limited commonality between them. Consequently, large volumes of data must be processed and analyzed from multiple sources to monitor the security-related issues of a computer system. Frequently, security analysts may encounter a number of security issues that require a quick response. However, the security analysts are typically able to use only a small subset of the available data to handle the security issues.
Tools, such as PATCHLINK™ and SOLARWINDS™, can be used to collect information about computer systems. Other tools, such as NetContExt and CiscoWorks, can be used to monitor computer systems. Some prior art systems for monitoring the security of computer systems are known as “security information management” (SIM) or “security event management” (SEM) systems. These prior art systems can process log data in real time against an intelligent rule set or a subsystem that looks for anomalies. Typically, these types of prior art systems require security analysts to perform a number of manual and time-consuming tasks to locate and correlate the data. One drawback of these systems is that they are not effective at mapping events to individual devices; in particular, their usefulness is limited in large dynamic environments. Consequently, the security analysts are not readily able to evaluate the information to determine patterns and meaning from the data.
Components of a computer network can be identified using a variety of means. For example, an Internet Protocol (IP) address is an identifier for a computer or other device on a network that uses the TCP/IP protocol. A Media Access Control (MAC) address is a hardware address that uniquely identifies each node of a network. The Domain Name System (also called Domain Name Service or Domain Name Server) (DNS) is used to translate domain names into IP addresses. Network Basic Input Output System (NetBIOS) defines capabilities of components (e.g., computers) of a network.
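The event-to-device mapping problem described above, worked as an added example that is not part of the disclosure: a small Python correlator resolves each IP-keyed security event to the MAC address that held that IP at the event's time, using DHCP lease records, so that two dynamic devices that share one address over a day are no longer merged into a single "device". All lease records, events, addresses and timestamps are constructed sample data.

```python
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed DHCP lease records: (mac, ip, lease_start, lease_end).
# The same IP is handed to two different devices at different times.
LEASES: List[Tuple[str, str, str, str]] = [
    ("aa:bb:cc:00:00:01", "10.0.0.5", "2024-01-01T08:00", "2024-01-01T12:00"),
    ("aa:bb:cc:00:00:02", "10.0.0.5", "2024-01-01T12:30", "2024-01-01T18:00"),
]

# Constructed security events as a SIM/SEM would receive them: keyed by IP only.
EVENTS: List[Dict[str, str]] = [
    {"time": "2024-01-01T09:15", "ip": "10.0.0.5", "msg": "failed login"},
    {"time": "2024-01-01T14:00", "ip": "10.0.0.5", "msg": "port scan"},
    {"time": "2024-01-01T12:10", "ip": "10.0.0.5", "msg": "arp probe"},  # no lease
]


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


def mac_for(ip: str, time: str, leases=LEASES) -> Optional[str]:
    """Return the MAC that held `ip` at `time`, or None if no lease covers it."""
    t = _ts(time)
    for mac, lease_ip, start, end in leases:
        if lease_ip == ip and _ts(start) <= t <= _ts(end):
            return mac
    return None


def group_by_ip(events=EVENTS) -> Dict[str, List[str]]:
    """Naive view: attribute events to the transient IP address."""
    out: Dict[str, List[str]] = {}
    for ev in events:
        out.setdefault(ev["ip"], []).append(ev["msg"])
    return out


def group_by_device(events=EVENTS, leases=LEASES) -> Dict[str, List[str]]:
    """Attribute events to the hardware identity (MAC) active at event time.

    Events with no covering lease are kept under an explicit 'unresolved'
    key rather than silently assigned to whichever device last used the IP.
    """
    out: Dict[str, List[str]] = {}
    for ev in events:
        key = mac_for(ev["ip"], ev["time"], leases) or f"unresolved:{ev['ip']}"
        out.setdefault(key, []).append(ev["msg"])
    return out
```

The IP-keyed view reports one device with three events, while the lease-aware view splits them across two MACs and flags the event that fell in the gap between leases.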
The subject matter of the present disclosure is directed to overcoming, or at least reducing the effects of, one or more of the problems set forth above.