Title: Cyber security analytics architecture
Abstract: Systems and methods are disclosed for responding to security events in real time. The disclosed systems and methods use the large body of risk and asset knowledge collected in a security data warehouse and aggregated in a security information manager, without the expense and latency of performing the underlying risk calculations in real time. The disclosed systems and methods thereby significantly extend the time intervals feasible for temporal analysis.
Publication number: US9516041(B2)  Publication date: 2016.12.06
Application number: US201313951128  Filing date: 2013.07.25
Applicant: Bank of America Corporation  Inventors: Baikalov Igor A.; Froelich Craig; McConnell Terry; McGloughlin, Jr. John P.
Classification: H04L29/06  Main classification: H04L29/06
Agency: Banner & Witcoff, Ltd.  Agents: Banner & Witcoff, Ltd.; Springs Michael A.
Independent claim: 1. A computer-implemented method, comprising:
  receiving, at a security event manager, computing event data characterizing one or more computing events initiated by one or more computing resources deployed on an internal computer network of an enterprise-wide computing system, wherein the computing event data comprises data including proxy logs, firewall information and other data processed at an asset level by a security system installed at the asset level;
  transferring, by the security event manager, the computing event data to a security data warehouse, wherein the security data warehouse stores historical computing event data in an unmodified and/or unfiltered form;
  comparing the computing event data stored at the security data warehouse to information stored in a risk ontology to determine whether to transfer at least a portion of the computing event data to a security information manager, wherein: the risk ontology comprises a dynamic data model representative of assets, relationships and risk factors between information stored in a plurality of risk ontology data objects, where the dynamic data model defines relationships between the computing resources deployed on the internal computer network and users of the computing resources and defines risk factors associated with the computing resources; the plurality of risk ontology data objects comprise a person data object, an access realm data object, an access group data object, an access role data object and a protected resource data object corresponding to a login data object, and a custodian role data object corresponding to a management group data object and a managed resource data object; and the portion of the computing event data to be transferred to the security information manager comprises data elements located in the risk ontology data objects;
  receiving, at the security information manager, the portion of the computing event data in response to a comparison of the computing event data to the information stored in the risk ontology;
  determining, by the security information manager, a security context based on a comparison of the portion of the computing event data to user-defined rules, wherein the security context is determined through analysis of a trend in data received from the security data warehouse to detect an anomaly that is associated with a particular event or threat;
  transferring, by the security information manager, the security context to the security event manager for use when determining a numerical risk level of a computing event;
  receiving, in real time by the security event manager, an indication that the computing event has occurred;
  determining, in real time by the security event manager, the numerical risk level of the computing event by comparing a risk score of the computing event to a predefined threshold risk level; and
  outputting, in real time by the security event manager, the numerical risk level of the computing event, wherein the numerical risk level indicates an extent to which the computing event constitutes a threat to the enterprise-wide computing system.
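The claim describes a three-tier pipeline: a warehouse that keeps raw events, an offline security information manager that derives a context from trends in that history, and a real-time security event manager that scores each new event against the context and a threshold. The following is an added example written for this page, not code from the patent or from Bank of America. The ontology maps, scoring weights, the 2-sigma trend rule with a floor of 1.0 on the standard deviation, the (30, 70) thresholds and every event are assumptions constructed for illustration; the ontology objects named in the claim (person, access realm/group/role, protected resource, custodian role, managed resource) are collapsed into four lookup tables.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class RiskOntology:
    """Assumed stand-in for the claim's risk ontology data objects."""
    persons: frozenset   # person data objects
    access_roles: dict   # person -> frozenset of access roles (realm/group/role collapsed)
    protected: dict      # protected resource -> roles permitted to log in
    custodians: dict     # managed resource -> custodian person

    def covers(self, event):
        """Comparison step: transfer only events whose data elements appear in ontology objects."""
        return event["user"] in self.persons and (
            event["resource"] in self.protected or event["resource"] in self.custodians)

    def login_allowed(self, user, resource):
        return bool(self.access_roles.get(user, frozenset()) & self.protected.get(resource, frozenset()))


class SecurityDataWarehouse:
    """Keeps historical event data unmodified and unfiltered; selection happens on read."""
    def __init__(self):
        self._events = []

    def store(self, event):
        self._events.append(dict(event))

    def events(self):
        return list(self._events)

    def select_for_sim(self, ontology):
        return [e for e in self._events if ontology.covers(e)]


class SecurityInformationManager:
    """Offline side: builds a security context from trends in warehouse data."""
    def __init__(self, zscore_limit=2.0):
        self.zscore_limit = zscore_limit

    def security_context(self, ontology, events):
        per_day = defaultdict(lambda: defaultdict(int))
        violations = set()
        for e in events:
            per_day[e["user"]][e["day"]] += 1
            # user-defined rule (assumed): login to a protected resource without a matching access role
            if e["resource"] in ontology.protected and not ontology.login_allowed(e["user"], e["resource"]):
                violations.add((e["user"], e["resource"]))
        anomalous = set()
        for user, days in per_day.items():
            counts = [days[d] for d in sorted(days)]
            history, latest = counts[:-1], counts[-1]
            if not history:
                continue  # a single day gives no trend to compare against
            mu, sigma = mean(history), max(pstdev(history), 1.0)  # sigma floor avoids flagging flat baselines
            if latest > mu + self.zscore_limit * sigma:
                anomalous.add(user)
        return {"anomalous_users": anomalous, "role_violations": violations}


class SecurityEventManager:
    """Real-time side: scores an event against the precomputed context; no warehouse access here."""
    WEIGHTS = {"role_violation": 50, "anomalous_user": 30, "firewall_deny": 20}  # assumed

    def __init__(self, context, thresholds=(30, 70)):
        self.context = context
        self.thresholds = thresholds

    def risk_level(self, event):
        """Returns (risk score, numerical risk level 0..len(thresholds))."""
        score = 0
        if (event["user"], event["resource"]) in self.context["role_violations"]:
            score += self.WEIGHTS["role_violation"]
        if event["user"] in self.context["anomalous_users"]:
            score += self.WEIGHTS["anomalous_user"]
        if event["kind"] == "firewall_deny":
            score += self.WEIGHTS["firewall_deny"]
        level = sum(score >= t for t in self.thresholds)
        return score, level


ONTOLOGY = RiskOntology(
    persons=frozenset({"alice", "bob"}),
    access_roles={"alice": frozenset({"finance-reader"}), "bob": frozenset({"dba"})},
    protected={"ledger-db": frozenset({"finance-reader", "dba"}), "hr-portal": frozenset({"hr-admin"})},
    custodians={"backup-vault": "bob"},
)


def build_sample_warehouse():
    """Constructed proxy/firewall-style history; not real data."""
    wh = SecurityDataWarehouse()
    for day, n in [(1, 2), (2, 3), (3, 2), (4, 9)]:  # alice: steady, then a burst on day 4
        for _ in range(n):
            wh.store({"day": day, "user": "alice", "resource": "ledger-db", "kind": "proxy"})
    for day in (1, 2, 3, 4):  # bob: one login a day
        wh.store({"day": day, "user": "bob", "resource": "ledger-db", "kind": "proxy"})
    wh.store({"day": 4, "user": "bob", "resource": "hr-portal", "kind": "proxy"})      # bob lacks hr-admin
    wh.store({"day": 2, "user": "svc-backup", "resource": "nas-01", "kind": "proxy"})  # outside the ontology
    return wh


def run_pipeline(live_events):
    """Warehouse -> ontology comparison -> SIM context -> SEM real-time scoring."""
    wh = build_sample_warehouse()
    context = SecurityInformationManager().security_context(ONTOLOGY, wh.select_for_sim(ONTOLOGY))
    sem = SecurityEventManager(context)
    return context, [sem.risk_level(e) for e in live_events]
```

The point of the split is that `SecurityEventManager.risk_level` touches only small precomputed sets, so it costs the same whether the baseline behind `anomalous_users` spans four days or four years; the expensive trend pass runs once in the SIM. The `svc-backup` event is retained by the warehouse but never reaches the SIM, which is the ontology comparison step of the claim: events that name no person or resource known to the ontology cannot contribute to a context.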
Address: Charlotte NC US