Title of invention: System and method for determining and using local reputations of users and hosts to protect information in a network environment
Abstract: A method in an example embodiment includes correlating a first set of event data from a private network and determining a local reputation score of a host in the private network based on correlating the first set of event data. The method further includes providing the local reputation score of the host to a security node, which applies a policy, based on the local reputation score of the host, to a network communication associated with the host. In specific embodiments, the local reputation score of the host is mapped to a network address of the host. In further embodiments, the first set of event data includes one or more event indicators representing one or more events, respectively, in the private network. In more specific embodiments, the method includes determining a local reputation score of a user and providing the local reputation score of the user to the security node.
Publication number: US8931043(B2) Publication date: 2015.01.06
Application number: US201213443865 Filing date: 2012.04.10
Applicant: McAfee Inc. Inventors: Cooper Geoffrey Howard; Diehl David Frederick; Green Michael W.; Ma Robert
Classification: G06F21/00; G06F15/16 Main classification: G06F21/00
Agency: Patent Capital Group Agent: Patent Capital Group
Main claim: 1. A method comprising: correlating, by a reputation server, a first set of event data from a private network, wherein the first set of event data identifies one or more host events associated with a network address of a host in the private network; determining a local host reputation score of the host in the private network based on the correlating the first set of event data, wherein the correlating the first set of event data includes determining whether a predetermined threshold number of host events are associated with accessing sensitive data in the private network; correlating, by the reputation server, a second set of event data in the private network, wherein the second set of event data identifies one or more user events associated with a user identifier, wherein, for each user event, the user identifier corresponds to a process running on one of a plurality of hosts in the private network, wherein the correlating the second set of event data includes determining whether a predetermined threshold number of user events are associated with accessing sensitive data in the private network; determining a local user reputation score of the user identifier based on the correlating the second set of event data; and providing the local host reputation score and the local user reputation score to a security node in the private network, wherein the security node applies a policy to a network communication associated with the host, the user identifier, and a network asset, wherein the policy is dynamically selected based on the local user reputation score, the local host reputation score, and a sensitivity level of data in the network asset.
Address: Santa Clara CA US